CN111581643A - Penetration attack evaluation method and device, electronic equipment and readable storage medium - Google Patents

Info

Publication number: CN111581643A
Application number: CN202010379590.9A
Authority: CN (China)
Prior art keywords: attack, penetration, behavior, determining, information
Prior art date:
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN111581643B (en)
Inventors: 刘婉娇, 吕博良, 叶红, 旷亚和
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC) (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date:
Publication date:
Events:
    • Application CN202010379590.9A filed by Industrial and Commercial Bank of China Ltd (ICBC)
    • Priority to CN202010379590.9A (patent CN111581643B)
    • Publication of CN111581643A
    • Application granted; publication of CN111581643B
    • Legal status: active
    • Anticipated expiration:

Classifications

    • G06F 21/561 Virus type analysis, under: G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/55 Detecting local intrusion or implementing counter-measures > G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 18/23 Clustering techniques, under: G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F 18/00 Pattern recognition > G06F 18/20 Analysing
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security, under: G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Abstract

The disclosure provides a penetration attack evaluation method and device, an electronic device and a readable storage medium. A penetration attack comprises at least one attack behavior, and the penetration attack evaluation method comprises the following steps: acquiring attack information for each attack behavior of the at least one attack behavior; determining the attack tactic and attack technique of each attack behavior according to its attack information; and determining the threat level of the penetration attack by applying a predetermined rating model to the attack tactics and attack techniques of the attack behaviors.

Description

Penetration attack evaluation method and device, electronic equipment and readable storage medium
Technical Field
The present disclosure relates to the field of information technology, and more particularly, to a penetration attack evaluation method and apparatus, an electronic device, and a readable storage medium.
Background
With the development of network technology, penetration attacks launched by hackers against enterprise servers emerge endlessly. Such malicious attacks can cause serious consequences such as leakage of sensitive enterprise information, misuse of server resources, financial loss to the enterprise, and damage to the enterprise's reputation. If the enterprise's business is in an important industry such as energy, the penetration attack may even endanger national security.
In the course of implementing the disclosed concept, the inventors found that the related art has at least the following problem: the threat level of a penetration attack cannot be effectively evaluated, so operation and maintenance personnel in an enterprise cannot take effective control measures against the penetration attack, which brings immeasurable losses to the enterprise.
Disclosure of Invention
In view of the above, the present disclosure provides a penetration attack evaluation method and apparatus, an electronic device, and a readable storage medium, which can effectively evaluate penetration attacks.
One aspect of the present disclosure provides a penetration attack evaluation method, wherein a penetration attack includes at least one attack behavior; the penetration attack evaluation method comprises the following steps: acquiring attack information aiming at each attack behavior in at least one attack behavior; determining attack tactics and attack technologies of various attack behaviors according to the attack information of various attack behaviors; and determining the threat level of penetration attack by adopting a preset rating model according to the attack tactics and the attack technology of each attack behavior.
According to an embodiment of the present disclosure, the acquiring attack information for each of the at least one attack behavior includes: acquiring logs recorded by at least one monitoring device to obtain at least one log; extracting a plurality of attack-related information from the at least one log, the plurality of attack-related information including attack information for the at least one attack behavior; and combining the attack related information aiming at each attack behavior in the plurality of attack related information to obtain the attack information aiming at each attack behavior.
According to an embodiment of the present disclosure, determining the threat level of the penetration attack using the predetermined rating model includes: determining an evaluation score for each attack behavior using a scoring submodel, according to the attack tactic and attack technique of each attack behavior, to obtain at least one evaluation score; and determining the threat level of the penetration attack using a rating submodel according to the at least one evaluation score.
According to an embodiment of the present disclosure, the determining the evaluation score for each attack behavior by using the score submodel includes: determining the evaluation sub-scores of each attack behavior in multiple dimensions by adopting a scoring sub-model according to the attack tactics and the attack technology of each attack behavior to obtain multiple evaluation sub-scores; and determining an evaluation score for each attack behavior as a sum of the plurality of evaluation sub-scores. Wherein the plurality of dimensions includes at least two of: attack subversion, attack persistence, attack complexity, attack novelty, attack concealment, and attack repairability.
According to an embodiment of the present disclosure, the determining the threat level of the penetration attack by using the rating submodel includes: determining an average score of the at least one evaluation score to obtain a threat score for the penetration attack; and determining the threat level corresponding to the threat score aiming at the penetration attack as the threat level of the penetration attack according to the corresponding relation between the preset threat score and the threat level.
According to an embodiment of the present disclosure, there are a plurality of penetration attacks, and the penetration attack evaluation method further comprises the following steps: counting the attack techniques of the at least one attack behavior included in each penetration attack of the plurality of penetration attacks, to obtain the attack techniques for each penetration attack; determining, according to the attack techniques for each penetration attack, that two penetration attacks whose attack techniques include the same attack technique have an association relation; constructing a plurality of nodes for the plurality of penetration attacks, and constructing an edge between the two nodes of any two penetration attacks that have an association relation, to obtain a knowledge graph; and clustering the plurality of penetration attacks according to the knowledge graph to obtain at least two attack groups, wherein each attack group of the at least two attack groups corresponds to an attack team.
According to an embodiment of the present disclosure, the clustering the plurality of penetration attacks to obtain at least two attack groups includes: extracting feature vectors of nodes aiming at each penetration attack from the knowledge graph by adopting a node vector conversion algorithm to obtain a plurality of feature vectors; and clustering the plurality of penetration attacks by adopting a preset clustering algorithm according to the plurality of feature vectors to obtain at least two attack groups.
According to an embodiment of the present disclosure, constructing a plurality of nodes for the plurality of penetration attacks and constructing an edge between the two nodes of two penetration attacks having an association relation, to obtain the knowledge graph, includes: constructing a plurality of nodes for the plurality of penetration attacks, and constructing an edge between the two nodes of two penetration attacks having an association relation; and assigning a weight to the edge between any two penetration attack nodes according to the number of the same attack techniques shared by the two penetration attacks having the association relation, to obtain the knowledge graph.
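As an added illustration (not code from the patent or from the assignee), the following Python sketch runs the steps of this embodiment on a constructed set of penetration attacks: each attack is reduced to the attack techniques counted over its behaviors, attacks that share a technique are linked by an edge weighted by the number of shared techniques, each node is converted to a feature vector, and the vectors are clustered into attack groups. The attack names and technique sets are constructed; the adjacency-row feature vector and the single-linkage cosine clustering are assumed stand-ins for the node vector conversion algorithm and the preset clustering algorithm, which the patent does not name.

```python
from itertools import combinations
from collections import defaultdict
from math import sqrt

# Constructed penetration attacks, each reduced to the set of attack techniques
# counted over its attack behaviours. Names and technique sets are illustrative.
ATTACKS = {
    "attack-1": {"network service scanning", "credential dumping", "remote service execution"},
    "attack-2": {"network service scanning", "remote service execution"},
    "attack-3": {"credential dumping", "command and control channel"},
    "attack-4": {"hardware addition", "command-line execution"},
    "attack-5": {"command-line execution", "scheduled task"},
}


def build_knowledge_graph(attacks):
    """One node per penetration attack; an edge between two attacks that share at
    least one attack technique, weighted by the number of shared techniques."""
    nodes = sorted(attacks)
    edges = {}
    for u, v in combinations(nodes, 2):
        shared = attacks[u] & attacks[v]
        if shared:
            edges[(u, v)] = len(shared)
    return nodes, edges


def node_feature_vectors(nodes, edges):
    """Feature vector per node. Assumed stand-in for the node vector conversion
    algorithm: the node's weighted adjacency row plus a unit self-weight, so that
    directly connected nodes end up with similar vectors."""
    index = {n: i for i, n in enumerate(nodes)}
    vectors = {n: [0.0] * len(nodes) for n in nodes}
    for n in nodes:
        vectors[n][index[n]] = 1.0
    for (u, v), weight in edges.items():
        vectors[u][index[v]] = float(weight)
        vectors[v][index[u]] = float(weight)
    return vectors


def cosine(a, b):
    """Cosine similarity of two equal-length vectors (0.0 when either is all zeros)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = sqrt(sum(x * x for x in a)) * sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def cluster_attacks(nodes, vectors, threshold=0.5):
    """Assumed preset clustering algorithm: single-linkage clustering via union-find,
    joining two attacks whose feature vectors have cosine similarity above the threshold."""
    parent = {n: n for n in nodes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for u, v in combinations(nodes, 2):
        if cosine(vectors[u], vectors[v]) > threshold:
            parent[find(u)] = find(v)
    groups = defaultdict(list)
    for n in nodes:
        groups[find(n)].append(n)
    return sorted(sorted(g) for g in groups.values())


def attack_groups(attacks, threshold=0.5):
    """Counting -> association -> knowledge graph -> feature vectors -> clustering.
    Each returned group is taken to correspond to one attack team."""
    nodes, edges = build_knowledge_graph(attacks)
    return cluster_attacks(nodes, node_feature_vectors(nodes, edges), threshold)


if __name__ == "__main__":
    graph_nodes, graph_edges = build_knowledge_graph(ATTACKS)
    print("weighted edges:", graph_edges)
    print("attack groups:", attack_groups(ATTACKS))
```

With the constructed data, attack-1, attack-2 and attack-3 are linked through shared scanning, credential and lateral-movement techniques and form one group, while attack-4 and attack-5 share only command-line execution and form a second group; the two groups have no edge between them, which is what the association relation of this embodiment expresses.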
According to the embodiment of the disclosure, the attack tactics of each attack behavior are determined according to the attack purpose of each attack behavior; the attack tactics of the attack behaviors comprise any one of the following: initial entry, code execution, persistence, privilege elevation, defense bypass, credential acquisition, internal probing, lateral movement, information collection, data theft, command control, and attack impact.
Another aspect of the present disclosure provides a penetration attack evaluation apparatus, in which a penetration attack includes at least one attack behavior, the apparatus including: the information acquisition module is used for acquiring attack information aiming at each attack behavior in at least one attack behavior; the attack behavior determining module is used for determining attack tactics and attack technologies of various attack behaviors according to the attack information of various attack behaviors; and the threat level determining module is used for determining the threat level of the penetration attack by adopting a preset rating model according to the attack tactics and the attack technology of each attack behavior.
Another aspect of the present disclosure provides an electronic device, including: one or more processors; and a storage device for storing one or more programs, wherein when the one or more programs are executed by the one or more processors, the one or more processors are caused to perform the above-described penetration attack evaluation method.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for performing the penetration attack evaluation method as described above when executed by a processor.
Another aspect of the present disclosure provides a computer program comprising computer executable instructions for implementing the penetration attack evaluation method as described above when executed.
According to the embodiment of the disclosure, the technical problem that the penetration attack cannot be effectively controlled due to the fact that the threat level of the penetration attack cannot be effectively evaluated can be at least partially avoided. According to the embodiment of the disclosure, attack tactics and attack technologies are obtained by analyzing attack information of attack behaviors, and the threat level of penetration attack is determined by a set predetermined rating model, so that more valuable decision support can be provided for operation and maintenance personnel, and effective control on penetration attack is realized.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an application scenario of a penetration attack evaluation method and apparatus, an electronic device, and a readable storage medium according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow diagram of a penetration attack evaluation method according to an embodiment of the disclosure;
FIG. 3 schematically shows a flowchart for obtaining attack information for various attack behaviors, according to an embodiment of the disclosure;
FIG. 4 schematically illustrates a flow chart for determining a threat level of a penetration attack using a predetermined rating model according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow chart for determining an evaluation score for each attack behavior using a scoring submodel, in accordance with an embodiment of the disclosure;
FIG. 6 schematically illustrates a flow chart for determining a threat level of a penetration attack using a rating submodel according to an embodiment of the disclosure;
FIG. 7 schematically illustrates a flow diagram of a penetration attack evaluation method according to another embodiment of the present disclosure;
FIG. 8 schematically illustrates a flow chart for clustering a plurality of penetration attacks into at least two attack groups, according to an embodiment of the disclosure;
FIG. 9 schematically illustrates a flow diagram for constructing nodes and edges between nodes to obtain a knowledge graph, according to an embodiment of the disclosure;
FIG. 10 schematically illustrates a structural diagram of a constructed knowledge-graph according to an embodiment of the present disclosure;
fig. 11 schematically shows a block diagram of the structure of a penetration attack evaluation apparatus according to an embodiment of the present disclosure; and
fig. 12 schematically shows a block diagram of an electronic device adapted to perform a penetration attack evaluation method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
Embodiments of the present disclosure provide a penetration attack evaluation method, where a penetration attack includes at least one attack behavior. The method first obtains attack information for each attack behavior of at least one attack behavior. And then determining attack tactics and attack techniques of each attack behavior according to the attack information of each attack behavior. And finally, determining the threat level of penetration attack by adopting a preset rating model according to the attack tactics and the attack technology of each attack behavior.
Fig. 1 schematically illustrates an application scenario of a penetration attack evaluation method and apparatus, an electronic device, and a readable storage medium according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an example of an application scenario in which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, but does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, an application scenario 100 according to this embodiment may include, for example, a monitoring device 110 and an electronic device 120.
The monitoring device 110 may include, for example, a server, a firewall, a device integrated with a WAF (Web application protection system), a device integrated with a security protection system, etc. (by way of example only). The monitoring device 110 may receive, for example, a message sent by another device outside the application scenario, monitor the received message, and generate an operation log or an alarm log according to a monitoring result.
The electronic device 120 may be, for example, a server, a smart phone, a tablet computer, a laptop portable computer, a desktop computer, and the like, having processing functionality. The electronic device 120 is configured to extract attack information related to a penetration attack from the operation log or the alarm log 11 generated by the monitoring device 110, and score the penetration attack by analyzing the attack information.
According to the embodiment of the present disclosure, in order to facilitate the electronic device 120 to score the penetration attack, a predetermined rating model may be preset in the electronic device 120, for example. Alternatively, as shown in fig. 1, the application scenario 100 may further include, for example, a database server 130, the database server 130 stores a predetermined rating model therein, and the electronic device 120 may obtain the predetermined rating model through communication with the database server 130.
It should be noted that the penetration attack evaluation method according to the embodiment of the present disclosure may be generally executed by the electronic device 120. Accordingly, the penetration attack evaluation apparatus provided by the embodiment of the present disclosure may be generally disposed in the electronic device 120.
It should be understood that the number and types of monitoring devices, electronic devices, and database servers in FIG. 1 are merely illustrative. There may be any number and type of monitoring devices, electronic devices, and database servers, as desired for an implementation.
The penetration attack evaluation method according to the embodiment of the present disclosure will be described in detail below with reference to fig. 2 to 10.
Fig. 2 schematically shows a flow chart of a penetration attack evaluation method according to an embodiment of the present disclosure.
As shown in fig. 2, the penetration attack evaluation method of this embodiment may include, for example, operations S210 to S230. Wherein the penetration attack may comprise at least one attack behavior.
In operation S210, attack information for each of at least one attack behavior is acquired.
According to an embodiment of the present disclosure, the operation S210 may obtain attack information from a log for a penetration attack, which is generated by the monitoring device according to the monitoring result, for example. The attack information of each attack may include, for example, device information of an attack device that initiates the attack to the monitoring device 110, specific behavior information and account information of the attack, and the like. The account information may reflect, for example, a login operation performed on the monitoring device to some extent, and the attack may attempt to access the monitoring device through the login operation, so as to steal sensitive information.
In an embodiment, it is considered that attack information of a plurality of attack behaviors may be recorded in a log obtained by monitoring by the monitoring device, or a plurality of attack information of the same attack behavior may be stored in logs of different monitoring devices. Therefore, the operation S210 can obtain attack information of each attack behavior through the flow described in fig. 3, for example.
Fig. 3 schematically shows a flowchart for obtaining attack information for each attack behavior according to an embodiment of the present disclosure.
As shown in fig. 3, the operation of acquiring attack information for each attack behavior may include, for example, operations S311 to S313.
In operation S311, logs recorded by at least one monitoring device are obtained, and at least one log is obtained.
According to the embodiment of the present disclosure, the at least one monitoring device may be, for example, any of various devices arranged in an enterprise intranet, such as network devices (firewalls, servers, security protection devices, and the like), data warehouses, SOC (security operation center) systems, UEBA (user and entity behavior analysis) systems, EDR (endpoint detection and response) systems, and the like. In an embodiment, the at least one monitoring device is any device in the intranet targeted by the penetration attack. The log recorded by the monitoring device may be, for example, a log written by the monitoring device according to its monitoring result, or may directly be the monitoring result.
In operation S312, a plurality of attack-related information including attack information for at least one attack behavior is extracted from the at least one log.
According to an embodiment of the present disclosure, the operation S312 may, for example, first identify each log obtained in the operation S311. Specifically, the fields in the log may be identified to obtain a plurality of pieces of information. Attack information for the attack behavior is then extracted from the plurality of information. The attack information for the attack behavior may include, for example, device information, behavior information, and account information.
In an embodiment, the device information may be, for example, a device number, a MAC address, an IP address, and the like of the device that initiates the attack behavior.
In an embodiment, the behavior information may include, for example, information extracted from a log of the monitoring device. For example, the information may be information extracted from specific logs such as a server operation log, a firewall flow log, an IPS (intrusion prevention system) alarm log, a WAF (Web application protection system, also referred to as a website application level intrusion prevention system) alarm log, and an internal security protection system alarm log. The behavior information can reflect the influence of the attack behavior on the monitoring equipment to a certain extent. For example, the behavior information may reflect that an attack behavior causes the monitoring device to generate alarm information, so that the traffic of the monitoring device is greatly increased, or the monitoring device performs a specific operation, and the like. In an embodiment, the behavior information may further include, for example, an IP address of an access device to which the attack behavior is directed, and the like. Considering that an attack generally causes the monitoring device to generate alarm information, the behavior information may also include alarm details and an alarm timestamp, for example.
In one embodiment, the account information may include, for example, login information such as a login account number, a login password, and the like.
In operation S313, attack-related information for each attack behavior among the plurality of attack-related information is merged to obtain attack information for each attack behavior.
According to the embodiment of the disclosure, the log monitored by one monitoring device may include attack information of a plurality of attack behaviors. Therefore, the attack-related information extracted in operation S312 that belongs to the same attack behavior needs to be combined to obtain the attack information for that attack behavior. If the log obtained by one monitoring device includes the attack information of only one attack behavior, the plurality of attack-related information can still be consolidated into one attack information by the merging operation.
According to embodiments of the present disclosure, attack-related information for the same attack behavior may also be recorded by a plurality of monitoring devices. Therefore, the attack-related information for the same attack behavior among the plurality of attack-related information extracted in operation S312 needs to be combined to obtain the attack information for that attack behavior. When merging, if two different monitoring devices have recorded the same attack-related information of the same attack behavior, a deduplication operation can be performed before the attack-related information is merged.
According to the embodiment of the disclosure, when the same attack-related information is extracted from the logs of different monitoring devices, the attack-related information from the different monitoring devices may have different formats. Therefore, when the attack-related information is combined, its format can be unified, so that the format differences caused by the heterogeneous sources are eliminated and the threat level of the attack behavior can be conveniently evaluated in the subsequent steps. For example, the format of the IP address may be unified as XX.XX.XX.XX, the format of the device number as XX-XX-XX-XX-XX, and the format of the alarm details in the behavior information as XXX(). The IP address and the device number may, for example, be combined as the device information.
In one embodiment, it is considered that the behavior information corresponds to the attack behavior one to one, and the device information corresponds to the device that initiated the attack behavior one to one. Therefore, when integrating the attack-related information, for example, the multiple attack-related information may be divided into at least one group of attack-related information according to the device information, where each group of attack-related information is for the same device initiating the attack behavior. And then integrating the attack related information aiming at the same attack behavior according to the behavior information to obtain the attack information. For example, attack information of a certain attack behavior in a penetration attack launched by a certain device launching the attack behavior may be as shown in table 1 below.
TABLE 1
(Table 1 is an image in the original publication and is not reproduced here.)
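The following Python example is added here to show operations S311 to S313 end to end; it is not code from the patent or from the assignee. It parses constructed log lines from three monitoring devices (a firewall, an IPS and a WAF) that use different field names, maps them onto one schema, unifies the IP address and device number formats (the device number is treated as a MAC address, an assumption), groups the records by attacking device, and merges duplicate reports of the same attack behavior seen by several devices. All field names, log lines and values are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines: the same attacking host reported by a firewall,
# an IPS and a WAF, plus a second attacking host. Field names differ per device,
# which is the format mismatch the merge step has to remove. Values are illustrative.
RAW_LOGS = [
    "firewall|src=010.000.000.005|mac=00:1a:2b:3c:4d:5e|dst=10.0.0.20|ts=2020-05-07T10:00:01|alarm=port_scan",
    "ips|src_ip=10.0.0.5|device=00-1A-2B-3C-4D-5E|target=010.000.000.020|time=2020-05-07T10:00:01|detail=port_scan",
    "waf|client=10.0.0.5|hw=001a.2b3c.4d5e|host=10.0.0.21|time=2020-05-07T10:02:30|detail=sql_injection",
    "firewall|src=192.168.001.009|mac=aa:bb:cc:dd:ee:ff|dst=10.0.0.20|ts=2020-05-07T10:05:00|alarm=login_brute_force",
]

# Per-device field names mapped onto one common schema (assumed names).
FIELD_ALIASES = {
    "src": "ip", "src_ip": "ip", "client": "ip",
    "mac": "device_no", "device": "device_no", "hw": "device_no",
    "dst": "target_ip", "target": "target_ip", "host": "target_ip",
    "ts": "timestamp", "time": "timestamp",
    "alarm": "alarm_detail", "detail": "alarm_detail",
}


def normalise_ip(value):
    """Unify IPv4 addresses to dotted decimal without leading zeros (XX.XX.XX.XX)."""
    octets = value.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {value!r}")
    return ".".join(str(int(o)) for o in octets)


def normalise_device_no(value):
    """Unify the device number (assumed to be a MAC address) to XX-XX-XX-XX-XX-XX."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {value!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_log_line(line):
    """S312: identify the fields of one log line and map them onto the common schema."""
    source, _, body = line.partition("|")
    record = {"source": source}
    for field in body.split("|"):
        key, _, value = field.partition("=")
        record[FIELD_ALIASES.get(key, key)] = value
    record["ip"] = normalise_ip(record["ip"])
    record["target_ip"] = normalise_ip(record["target_ip"])
    record["device_no"] = normalise_device_no(record["device_no"])
    return record


def merge_attack_info(records):
    """S313: group attack-related information by attacking device, then merge records
    of the same behaviour (same target, time and alarm detail) reported by several
    monitoring devices, keeping one copy and remembering which devices saw it."""
    by_device = defaultdict(dict)
    for rec in records:
        device_key = (rec["ip"], rec["device_no"])
        behaviour_key = (rec["target_ip"], rec["timestamp"], rec["alarm_detail"])
        entry = by_device[device_key].setdefault(behaviour_key, {
            "ip": rec["ip"], "device_no": rec["device_no"],
            "target_ip": rec["target_ip"], "timestamp": rec["timestamp"],
            "alarm_detail": rec["alarm_detail"], "sources": [],
        })
        if rec["source"] not in entry["sources"]:   # duplicate report: deduplicate
            entry["sources"].append(rec["source"])
    return {device: list(behaviours.values()) for device, behaviours in by_device.items()}


def build_attack_information(lines):
    """S311 to S313 end to end: raw log lines in, attack information per device out."""
    return merge_attack_info(parse_log_line(line) for line in lines)


if __name__ == "__main__":
    for device, behaviours in build_attack_information(RAW_LOGS).items():
        print(device, len(behaviours), "behaviour(s)")
        for b in behaviours:
            print("   ", b["timestamp"], b["alarm_detail"], "->", b["target_ip"], "seen by", b["sources"])
```

The firewall and IPS lines describe one port-scan behavior and collapse into a single record listing both sources, which is the deduplication the text describes; the WAF line is a second behavior of the same attacking device, and the last line belongs to a different device and stays in its own group.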
In operation S220, attack tactics and attack techniques of each attack behavior are determined according to the attack information of each attack behavior.
According to the embodiment of the present disclosure, in order to determine the attack tactics and the attack technology of the attack behavior according to the attack information, the embodiment of the present disclosure may divide the attack tactics into 12 types according to the attack purpose of the attack behavior in advance, where the 12 types of attack tactics may be, for example: initial entry, code execution, persistence, privilege elevation, defense bypass, credential acquisition, internal probing, lateral movement, information collection, data theft, command control, and attack impact.
The details of the alarm in the behavior information can reflect the attack technology to a certain extent, and the technology adopted for achieving the attack purpose is generally fixed. The operation S220 may first determine an attack technique according to the alarm details in the attack information. Attack tactics are then determined from the attack techniques. For example, if the determined attack technique is a hardware addition technique, the determined attack tactic may be an initial entry.
In order to determine the attack tactics according to the attack technology, the embodiment of the present disclosure may maintain a correspondence table between the attack tactics and the attack technology in advance. In one embodiment, the correspondence table may be as shown in table 2.
TABLE 2
(Table 2 is an image in the original publication and is not reproduced here.)
In one embodiment, the operation S220 may include, for example: first, determining a regular expression for the alarm details in the attack information of each attack behavior; then, performing exact matching of the attack technique according to the regular expression (for example, matching against the correspondence between attack techniques and alarm details) and determining the matched attack technique by means of manual marking; then determining the corresponding attack tactic based on the matched attack technique and table 2 above; and finally, adding the matched attack technique and attack tactic as labels to the attack information, to obtain the attack information shown in table 3 below. Here, class.exe() is only an example of alarm details given to facilitate understanding of the present disclosure, and the present disclosure does not limit this.
TABLE 3
[Table 3 (attack information labelled with attack technique and attack tactic) appears only as an image, Figure BDA0002480409950000102, in the original and is not reproduced in text.]
In operation S230, a threat level of the penetration attack is determined using a predetermined rating model according to attack tactics and attack techniques of each attack behavior.
According to an embodiment of the present disclosure, the predetermined model may, for example, determine the severity of the impact of each of the at least one attack behavior included in the penetration attack according to its attack tactic and attack technique. The greater the severity of the impact of the at least one attack behavior, the higher the determined threat level of the penetration attack. Alternatively, the threat level of the penetration attack is determined to be higher when more of the at least one attack behavior have a great impact.
According to an embodiment of the disclosure, operation S230 may also, for example, score each attack behavior according to its attack tactic and attack technique, and then determine the threat level of the penetration attack from the score values of the at least one attack behavior included in the penetration attack.
FIG. 4 schematically illustrates a flow chart for determining a threat level for a penetration attack using a predetermined rating model according to an embodiment of the disclosure.
As shown in fig. 4, the operation of determining the threat level of the penetration attack using the predetermined rating model may include, for example, operations S431 to S432.
In operation S431, an evaluation score for each attack behavior is determined using a score submodel according to the attack tactics and the attack technique of each attack behavior, and at least one evaluation score is obtained.
In operation S432, a threat level of the penetration attack is determined using the rating submodel according to the at least one evaluation score.
According to the embodiment of the present disclosure, operations S431 to S432 may, for example, determine the evaluation score for each attack behavior according to the difficulty of its attack technique and attack tactic: the greater the difficulty of preparing and executing the attack technique and attack tactic, the higher the determined evaluation score. After the at least one evaluation score is obtained, the threat level of the penetration attack is determined from the sum of the at least one evaluation score; the higher the sum, the higher the threat level.
According to an embodiment of the present disclosure, operation S431 may, for example, first determine the at least one attack behavior included in each penetration attack: attack behaviors whose attack information carries the same device information can be classified as the attack behaviors included in one penetration attack. The evaluation score of each of the at least one attack behavior included in the penetration attack is then determined.
According to the embodiment of the disclosure, in order to improve the accuracy of the finally determined threat level of the penetration attack, each attack behavior may be scored from multiple dimensions according to an attack technique. And finally, determining the threat level of the penetration attack according to the grading result of at least one attack behavior.
Fig. 5 schematically illustrates a flow chart for determining an evaluation score for each attack behavior using a score submodel according to an embodiment of the disclosure.
As shown in fig. 5, the operation of determining the evaluation score for each attack behavior using the score submodel may include, for example, operations S5311 to S5312.
In operation S5311, according to the attack tactics and the attack techniques of each attack behavior, the evaluation sub-scores of each attack behavior in multiple dimensions are determined by using the score sub-model, so as to obtain multiple evaluation sub-scores.
In operation S5312, an evaluation score for each attack behavior is determined as a sum of a plurality of evaluation sub-scores.
According to an embodiment of the present disclosure, the plurality of dimensions may include, for example, at least two of: attack destructiveness, attack persistence, attack complexity, attack novelty, attack concealment, and attack repairability.
Operation S5311 may, for example, first determine the performance of an attack behavior in the multiple dimensions according to its attack technique, and then determine the evaluation sub-score of the attack behavior in each dimension according to that performance. According to the embodiment of the disclosure, in order to determine the evaluation sub-scores from the performance of the attack behavior in the multiple dimensions, an evaluation sub-score lookup table may be maintained in advance. The lookup table records the mapping between the performance in each dimension and the corresponding evaluation sub-score.
In one embodiment, the evaluation sub-score lookup table is shown in Table 4. Thus, once the performance of an attack behavior in each of the multiple dimensions has been determined, the evaluation sub-score of that attack behavior in each dimension can be obtained by querying the lookup table. The performance of an attack behavior in the attack destructiveness dimension may include the following four cases: severe, general, mild, and no damage (corresponding to "none" in Table 4). The performance in the attack persistence dimension may include, for example, the following four cases: the attack is easy and stable, the attack needs a pre-set requirement, the attack is a one-time behavior, and no attack persistence (corresponding to "none" in Table 4). The performance in the attack complexity dimension may include, for example, the following four cases: complex, general, simple, and very simple (corresponding to "none" in Table 4). The performance in the attack novelty dimension may include, for example, the following four cases: novel, generally novel, common attack, and no novelty (corresponding to "none" in Table 4). The performance in the attack concealment dimension may include, for example, the following four cases: extremely covert, generally covert, overt, and non-covert (corresponding to "none" in Table 4). The performance in the attack repairability dimension may include, for example, the following four cases: difficult, general, easy, and no difficulty (corresponding to "none" in Table 4).
TABLE 4
[Table 4 (the evaluation sub-score lookup table) appears only as images, Figure BDA0002480409950000121 and Figure BDA0002480409950000131, in the original and is not reproduced in text.]
In one embodiment, if the attack tactic of a certain attack behavior is code execution and its attack technique is PowerShell, it is considered that this technique can be used to perform a number of operations, including the Start-Process cmdlet, which may be used to run executable files, and the Invoke-Command cmdlet, which may be used to run commands locally or on remote computers. Since the technique lets the device that initiated the attack behavior run an executable without touching the disk, the attack destructiveness is slight, and the evaluation sub-score AD of the certain attack behavior in the attack destructiveness dimension is 3. Since administrator authority is needed to connect to a remote system with PowerShell, the attack needs to go unnoticed by the administrator, i.e. the attack has a pre-requirement, so the evaluation sub-score AR of the certain attack behavior in the attack persistence dimension is 2. Since PowerShell is the most common technique and its operation is not a cumbersome step, the evaluation sub-score AC of the certain attack behavior in the attack complexity dimension is 2, and its evaluation sub-score AN in the attack novelty dimension is 1. Since the concealment of the PowerShell attack technique is also affected by the system policy, the loading or execution related to the PowerShell-specific assembly (e.g., system. Since remediation of attack behavior that uses the PowerShell technique is easy, for example the PowerShell execution policy can be set to execute only signed scripts, the evaluation sub-score AF of the certain attack behavior in the attack repairability dimension is 1. Summing the evaluation sub-scores of the 6 dimensions, the evaluation score TG of the certain attack behavior is determined in operation S5312 as 3+2+2+1+0+1, i.e. 9.
According to the embodiment of the present disclosure, in order to facilitate subsequent operations, after obtaining the evaluation score for each attack behavior, the evaluation score may be added to the attack information, for example, so as to obtain the attack information as shown in table 5.
TABLE 5
[Table 5 (attack information extended with the evaluation score) appears only as an image, Figure BDA0002480409950000141, in the original and is not reproduced in text.]
In summary, the penetration attack evaluation method of the embodiment of the disclosure amounts to a rating method established from the attacker's point of view. In particular, the attacker's purpose and the adopted attack technique are generalized from the attacker's perspective, and the threat level determined on that basis can reflect the scale and technical level of the attacker and the threat that the attacker's penetration attack poses to the enterprise. Furthermore, by quantifying the threat level from the six dimensions of attack destructiveness, attack persistence and so on, the attack level of a penetration attack initiated by an attacker can be measured against a unified standard.
According to the embodiment of the disclosure, after the evaluation scores of all the attack behaviors are obtained, the rating submodel may use the average of the at least one evaluation score and determine the threat level from that average, so that a large spread among the evaluation scores of the at least one attack behavior included in the penetration attack does not make the determined threat level inaccurate.
FIG. 6 schematically illustrates a flow chart for determining a threat level for a penetration attack using a rating submodel according to an embodiment of the disclosure.
As shown in fig. 6, the operation of determining the threat level of the penetration attack using the rating submodel may include, for example, operations S6321 to S6322.
In operation S6321, an average score of the at least one evaluation score is determined, resulting in a threat score for the penetration attack.
In operation S6322, a threat level corresponding to the threat score for the penetration attack is determined as a threat level of the penetration attack according to a predetermined correspondence between the threat score and the threat level.
Operations S6321 to S6322 may first calculate the average of the at least one evaluation score and use it as the threat score for the penetration attack, and then determine the threat level of the penetration attack from the correspondence between the threat score and the threat level. The correspondence may be, for example: the higher the threat score, the higher the threat level. Accordingly, this embodiment may also maintain, for example, a correspondence table of threat scores to threat levels.
In one embodiment, the threat level of the penetration attack may also be used to reflect the threat level of the attacker who initiated the penetration attack, for example. In this case, in order to improve the accuracy of the determined threat level of the attacker, the threat scores of a plurality of penetration attacks launched by each attacker can be comprehensively considered. Specifically, an average or sum of threat scores for a plurality of penetration attacks launched by each attacker may be determined, resulting in a threat score for each attacker. And then determining the threat level of each attacker according to the corresponding relation between the threat score aiming at the attacker and the threat level. The correspondence between the threat score and the threat level for the attacker may be shown in table 6, for example.
TABLE 6
[Table 6 (the correspondence between an attacker's threat score and threat level) appears only as an image, Figure BDA0002480409950000151, in the original and is not reproduced in text.]
Through this determination of the threat level of an attacker, the attacker can be divided into six categories: amateur hackers, senior hackers, black-producing organizations, cyber crime parties, cyber terrorism organizations, and national/regional actors.
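The scoring submodel (operations S5311 to S5312) and the rating submodel (operations S6321 to S6322) above, followed by the attacker-level aggregation, as an added example that is not part of the patent. Tables 4 and 6 are images in the original, so the sub-score lookup table, the attack-level thresholds and the attacker-category thresholds below are constructed assumptions; only the dimension names, the sub-score symbols AD, AR, AC, AN, AH, AF, the six attacker categories and the PowerShell sub-scores 3, 2, 2, 1, 0, 1 come from the text.

```python
from statistics import mean
from typing import Dict, Iterable, List, Tuple

# The six dimensions named in the text, keyed by the sub-score symbols used there.
DIMENSIONS = ("AD", "AR", "AC", "AN", "AH", "AF")

# Constructed stand-in for the patent's Table 4 (an image in the original): for each
# dimension, the four performance cases named in the text map to a sub-score.
# The numeric values are assumptions made for this example.
SUB_SCORE_TABLE: Dict[str, Dict[str, int]] = {
    "AD": {"severe": 3, "general": 2, "mild": 1, "none": 0},
    "AR": {"easy and stable": 3, "pre-set requirement": 2, "one-time": 1, "none": 0},
    "AC": {"complex": 3, "general": 2, "simple": 1, "very simple": 0},
    "AN": {"novel": 3, "generally novel": 2, "common": 1, "none": 0},
    "AH": {"extremely covert": 3, "generally covert": 2, "overt": 1, "none": 0},
    "AF": {"difficult": 3, "general": 2, "easy": 1, "none": 0},
}

# Constructed thresholds (assumptions): a threat score at or above the threshold
# gets the level; the lists are ordered from highest threshold downwards.
ATTACK_LEVELS: List[Tuple[float, str]] = [
    (12, "critical"), (9, "high"), (6, "medium"), (0, "low")]
# The six attacker categories listed in the text, with constructed thresholds.
ATTACKER_CATEGORIES: List[Tuple[float, str]] = [
    (15, "national/regional actors"), (12, "cyber terrorism organizations"),
    (9, "cyber crime parties"), (6, "black-producing organizations"),
    (3, "senior hackers"), (0, "amateur hackers"),
]


def sub_scores(performance: Dict[str, str]) -> Dict[str, int]:
    """Operation S5311: look up the sub-score of each dimension's performance case."""
    result = {}
    for dim, case in performance.items():
        if dim not in SUB_SCORE_TABLE or case not in SUB_SCORE_TABLE[dim]:
            raise ValueError(f"unknown performance {case!r} for dimension {dim!r}")
        result[dim] = SUB_SCORE_TABLE[dim][case]
    return result


def evaluation_score(scores: Dict[str, int]) -> int:
    """Operation S5312: the evaluation score TG is the sum of the sub-scores.
    The text allows any subset of at least two dimensions."""
    if set(scores) - set(DIMENSIONS) or len(scores) < 2:
        raise ValueError("need sub-scores for at least two known dimensions")
    return sum(scores.values())


def _lookup(score: float, table: List[Tuple[float, str]]) -> str:
    for threshold, name in table:
        if score >= threshold:
            return name
    return table[-1][1]


def rate_penetration_attack(behavior_scores: Iterable[Dict[str, int]]) -> Tuple[float, str]:
    """Operations S6321-S6322: average the behaviors' evaluation scores into the
    attack's threat score, then map that score to a threat level."""
    totals = [evaluation_score(s) for s in behavior_scores]
    if not totals:
        raise ValueError("a penetration attack includes at least one attack behavior")
    threat_score = mean(totals)
    return threat_score, _lookup(threat_score, ATTACK_LEVELS)


def rate_attacker(attack_threat_scores: Iterable[float]) -> Tuple[float, str]:
    """Average the threat scores of an attacker's penetration attacks and map the
    result to one of the six attacker categories."""
    scores = list(attack_threat_scores)
    if not scores:
        raise ValueError("no penetration attacks recorded for this attacker")
    score = mean(scores)
    return score, _lookup(score, ATTACKER_CATEGORIES)


# The worked PowerShell example in the text: sub-scores 3, 2, 2, 1, 0, 1, so TG = 9.
POWERSHELL_EXAMPLE = {"AD": 3, "AR": 2, "AC": 2, "AN": 1, "AH": 0, "AF": 1}

if __name__ == "__main__":
    # A second, constructed behavior that scores the maximum in every dimension.
    worst = sub_scores({"AD": "severe", "AR": "easy and stable", "AC": "complex",
                        "AN": "novel", "AH": "extremely covert", "AF": "difficult"})
    print(rate_penetration_attack([POWERSHELL_EXAMPLE, worst]))  # (13.5, 'critical')
```

The sub-score values are deliberately monotone here so that a higher score always means a more threatening behavior; whatever values a deployment takes from its own version of Table 4, the averaging in the rating submodel only behaves as the text intends if every dimension's scale runs the same direction.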
According to the embodiment of the present disclosure, when the attack information obtained through operation S210 includes information about attack behaviors for a plurality of penetration attacks, in order to improve the processing efficiency of the operation and maintenance personnel on the penetration attacks, for example, the penetration attacks may be clustered, so that the penetration attacks having an association relationship are clustered into one attack group. When the operation and maintenance personnel process and control the penetration attacks, the penetration attacks belonging to the same attack group can be processed and controlled in a similar mode.
Fig. 7 schematically shows a flowchart of a penetration attack evaluation method according to another embodiment of the present disclosure.
As shown in fig. 7, the penetration attack evaluation method of this embodiment includes operations S740 to S770. It is to be understood that the penetration attack evaluation method of this embodiment also includes operations S210 to S230 of fig. 2; to avoid redundancy, operations S210 to S230 are not shown in fig. 7. Operations S740 to S770 may be performed at any time after operation S220.
In operation S740, the attack techniques of at least one attack behavior included in each penetration attack among the plurality of penetration attacks are counted, and an attack technique for each penetration attack is obtained.
According to an embodiment of the present disclosure, the operation S740 may, for example, classify an attack behavior with the same device information in the attack information as an attack behavior included in a penetration attack. Then, the attack techniques of at least one attack behavior included in each penetration attack determined by operation S220 are counted, so that a set of attack techniques for each penetration attack is counted.
In operation S750, according to the attack techniques for each of the plurality of penetration attacks, it is determined that any two of the plurality of penetration attacks whose attack techniques include the same attack technique have an association relationship.
After the attack techniques for each penetration attack have been counted, the attack techniques of every two penetration attacks among the plurality are compared to determine whether the two sets of attack techniques include any attack technique in common. If the two sets of attack techniques of two penetration attacks include the same attack technique, the two penetration attacks are determined to have an association relationship.
In operation S760, a plurality of nodes for the penetration attack are constructed, and an edge between two nodes for two penetration attacks having an association relationship is constructed to obtain a knowledge graph.
Operation S760 may first construct triples, for example entity-association-entity triples, where the two entities of a triple correspond to two penetration attacks having an association relationship. The entities in the triples may be represented, for example, by the device number of the device that initiated the corresponding penetration attack. After the triples are obtained, the knowledge graph is constructed from them: each entity in a triple becomes a node (one node per penetration attack), and the association relationship between two entities becomes an edge (namely the edge between the two nodes of two penetration attacks having an association relationship).
According to the embodiment of the disclosure, in order to facilitate subsequent processing, while the entity-association-entity triples are obtained, entity-attribute-attribute value triples may be further constructed, for example, into which the device number of the device initiating the penetration attack, the attack tactic, and the attack technique are mapped. The entity is represented by the device number of the device that initiated the penetration attack, the attribute by the field name of the attack tactic, and the attribute value by the field name of the attack technique together with the threat score of the penetration attack.
In operation S770, the plurality of penetration attacks are clustered according to the knowledge-graph to obtain at least two attack groups. Each of the at least two attack groups corresponds to an attack team.
According to an embodiment of the present disclosure, operation S770 may, for example, extract a feature vector for each node according to the connection relationships between entities in the knowledge graph, and then cluster the plurality of penetration attacks according to the similarity of the feature vectors of the nodes.
This clustering process will be described in detail below in conjunction with fig. 8.
FIG. 8 schematically illustrates a flow chart for clustering a plurality of penetration attacks into at least two attack groups according to an embodiment of the disclosure.
As shown in fig. 8, the operation of clustering a plurality of penetration attacks to obtain at least two attack groups may include, for example, operations S871 to S872.
In operation S871, a node vector conversion algorithm is used to extract feature vectors of nodes for each penetration attack from the knowledge graph, so as to obtain a plurality of feature vectors.
According to the embodiment of the present disclosure, operation S871 may, for example, use the node2vec conversion method to map the device number of the initiator of the penetration attack corresponding to a node into a low-dimensional vector. Specifically, starting from a certain node in the knowledge graph, a random walk may be used to generate sequence data for that node; then, taking the device number of that node as the feature, the attack vector for the node is obtained with a skip-gram model.
According to the embodiment of the disclosure, for each node in the knowledge graph, the feature vector for each node is obtained by sequentially adopting the method described above, that is, a plurality of feature vectors can be obtained.
In operation S872, a plurality of penetration attacks are clustered using a predetermined clustering algorithm according to the plurality of feature vectors to obtain at least two attack groups.
According to the embodiment of the present disclosure, after the plurality of feature vectors are obtained, an affinity propagation clustering algorithm or the DBSCAN (Density-Based Spatial Clustering of Applications with Noise) algorithm may be adopted to cluster the plurality of penetration attacks, for example. Taking DBSCAN as an example, a neighborhood radius ε and a minimum node count minPts are set; for each node, the nodes within distance ε of it are traversed to find the set of core nodes, i.e. the nodes whose ε-neighborhood contains at least minPts nodes. For each core node, all nodes that are density-reachable from it are found to form one cluster, and the nodes of that cluster are grouped into one class. Correspondingly, the penetration attacks corresponding to the nodes grouped into one class form one attack group.
In consideration of the commonality of penetration attacks clustered into an attack group, the attackers who launch each penetration attack in an attack group can be divided into an attack team. Therefore, each of the at least two attack groups obtained in operation S872 corresponds to one attack team.
According to the embodiment of the disclosure, it is considered that among pairs of penetration attacks having an association relationship, some pairs share many attack techniques while other pairs share only a few. The association between two penetration attacks is therefore either tight or loose. To cluster the penetration attacks better, when the knowledge graph is constructed a weight may be given to the edge between two nodes, for example according to the closeness of the association relationship between the two penetration attacks the nodes represent.
FIG. 9 schematically illustrates a flow chart for constructing nodes and the edges between nodes to obtain a knowledge graph according to an embodiment of the disclosure. FIG. 10 schematically shows the structure of a constructed knowledge graph according to an embodiment of the present disclosure.
As shown in fig. 9, the operation of constructing the nodes and the edges between the nodes to obtain the knowledge graph may include, for example, operations S961 to S962.
In operation S961, a plurality of nodes for a plurality of penetration attacks are constructed, and an edge between two nodes for which two penetration attacks having an association relationship are directed is constructed.
In operation S962, according to the number of the same attack techniques targeted by two penetration attacks having an association relationship, a weight is assigned to an edge between any two penetration attack nodes, so as to obtain a knowledge graph.
According to the embodiment of the present disclosure, as shown in fig. 10, if the number of the plurality of penetration attacks is six, six nodes, node 1 to node 6, are constructed using the six device numbers that initiated the six penetration attacks as nodes. A connecting edge is then established between the two nodes corresponding to each pair of penetration attacks having an association relationship. Finally, a weight is assigned to the edge between the two nodes according to the number of attack techniques the two associated penetration attacks have in common. For example, as shown in fig. 10, the penetration attack corresponding to node 1 shares attack technique A, attack technique B, and attack technique C with the penetration attack corresponding to node 2, whereas the penetration attack corresponding to node 2 shares only attack technique H with the penetration attack corresponding to node 4. The edge between node 1 and node 2 may therefore be assigned a greater weight and the edge between node 2 and node 4 a smaller weight. It is to be understood that only one edge connects any two nodes; the multiple lines drawn between some nodes in fig. 10 merely visualize the magnitude of the weight assigned to that edge. Similarly, the weight of the edge between node 4 and node 6 is greater than the weight of the edge between node 4 and node 5. The embodiment of the present disclosure does not limit the specific magnitude of the assigned weights, as long as their relative magnitudes follow the closeness of the association relationship.
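Operations S740 to S760 and S961 to S962 above, as an added example that is not part of the patent: counting each penetration attack's technique set, deriving the association relationship from shared techniques, and building the weighted knowledge graph together with the entity-attribute-attribute value triples. The attack information rows, the device numbers node1 to node6 and the technique letters are constructed, loosely modelled on the fig. 10 description (node 1 and node 2 share A, B and C; node 2 and node 4 share only H; node 4 is closer to node 6 than to node 5); the threat scores passed to the triple builder are constructed as well.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed attack information rows: (device number, attack tactic, attack technique).
# One device number stands for one penetration attack, as in operation S740. The
# technique letters are assumptions loosely modelled on fig. 10.
ATTACK_INFO: List[Tuple[str, str, str]] = [
    ("node1", "initial entry", "A"), ("node1", "code execution", "B"),
    ("node1", "persistence", "C"), ("node1", "internal probing", "D"),
    ("node2", "initial entry", "A"), ("node2", "code execution", "B"),
    ("node2", "persistence", "C"), ("node2", "lateral movement", "H"),
    ("node3", "internal probing", "D"), ("node3", "credential acquisition", "X"),
    ("node4", "lateral movement", "H"), ("node4", "data theft", "E"),
    ("node4", "command control", "F"), ("node4", "attack impact", "G"),
    ("node5", "data theft", "E"),
    ("node6", "data theft", "E"), ("node6", "command control", "F"),
    ("node6", "attack impact", "G"),
]

Edge = FrozenSet[str]


def techniques_per_attack(rows) -> Dict[str, Set[str]]:
    """Operation S740: collect the set of attack techniques of each penetration attack."""
    sets: Dict[str, Set[str]] = {}
    for device, _tactic, technique in rows:
        sets.setdefault(device, set()).add(technique)
    return sets


def association_triples(tech_sets: Dict[str, Set[str]]) -> List[Tuple[str, int, str]]:
    """Operation S750: two attacks sharing at least one technique are associated.
    Returns entity-association-entity triples; the association carries the number
    of shared techniques, which becomes the edge weight."""
    triples = []
    for a, b in combinations(sorted(tech_sets), 2):
        shared = len(tech_sets[a] & tech_sets[b])
        if shared:
            triples.append((a, shared, b))
    return triples


def build_knowledge_graph(rows) -> Tuple[Set[str], Dict[Edge, int]]:
    """Operations S961-S962: one node per penetration attack, one edge per associated
    pair, weighted by the number of shared techniques (closeness of the association)."""
    tech_sets = techniques_per_attack(rows)
    nodes = set(tech_sets)
    edges = {frozenset((a, b)): w for a, w, b in association_triples(tech_sets)}
    return nodes, edges


def attribute_triples(rows, threat_scores: Dict[str, float]) -> List[Tuple[str, str, str]]:
    """Entity-attribute-attribute value triples: entity = device number, attribute =
    the tactic field, value = the technique field plus the attack's threat score."""
    return [(device, tactic, f"{technique};threat_score={threat_scores[device]}")
            for device, tactic, technique in rows]


def edge_weight(edges: Dict[Edge, int], a: str, b: str) -> int:
    """Weight of the edge between two nodes, 0 when they are not associated."""
    return edges.get(frozenset((a, b)), 0)


if __name__ == "__main__":
    nodes, edges = build_knowledge_graph(ATTACK_INFO)
    for edge, weight in sorted(edges.items(), key=lambda kv: -kv[1]):
        print(" -- ".join(sorted(edge)), "weight", weight)
```

Because the weight is simply the size of the intersection, adding a technique to one attack's alarm set can only raise the weights of its edges, so the relative ordering the text asks for (tighter association, heavier edge) is preserved as new attack information arrives.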
Accordingly, when the feature vector of the node for each penetration attack is obtained in operation S871 of fig. 8, sequence data for a certain node may be generated with a biased random walk starting from that node in the knowledge graph. The process of generating feature vectors from the sequence data is the same as described above and is not repeated here.
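Operations S871 to S872 above (the node2vec-style biased random walk on the weighted knowledge graph, feature vectors from the walks, and DBSCAN clustering into attack groups), as an added example that is not part of the patent. The weighted graph is constructed. Two substitutions are assumptions of this example rather than the patent's method: the skip-gram model is replaced by L2-normalised window co-occurrence counts over the walks (the statistic skip-gram fits), and DBSCAN is written out in full so that the core-point, border-point and noise handling is visible; the walk parameters p, q, eps and minPts are constructed defaults.

```python
import math
import random
from typing import Dict, List, Optional

# Constructed weighted knowledge graph (assumption): each node is the device number
# behind one penetration attack, each edge weight is the number of attack techniques
# the two attacks share. Two tightly knit groups joined by one weak edge.
GRAPH: Dict[str, Dict[str, int]] = {
    "node1": {"node2": 3, "node3": 1},
    "node2": {"node1": 3, "node3": 2, "node4": 1},
    "node3": {"node1": 1, "node2": 2},
    "node4": {"node2": 1, "node5": 1, "node6": 3},
    "node5": {"node4": 1, "node6": 2},
    "node6": {"node4": 3, "node5": 2},
}


def biased_random_walk(graph, start, length, p=1.0, q=0.5, rng=None) -> List[str]:
    """node2vec-style second-order walk: an edge's weight is scaled by 1/p if it
    returns to the previous node, by 1 if the candidate is also a neighbour of the
    previous node, and by 1/q otherwise (q < 1 favours moving outward)."""
    rng = rng or random.Random(0)
    walk = [start]
    while len(walk) < length and graph.get(walk[-1]):
        cur = walk[-1]
        prev = walk[-2] if len(walk) > 1 else None
        cands, weights = [], []
        for nxt, w in graph[cur].items():
            if prev is None:
                factor = 1.0
            elif nxt == prev:
                factor = 1.0 / p
            elif nxt in graph[prev]:
                factor = 1.0
            else:
                factor = 1.0 / q
            cands.append(nxt)
            weights.append(w * factor)
        walk.append(rng.choices(cands, weights=weights)[0])
    return walk


def cooccurrence_vectors(graph, walks, window=2) -> Dict[str, List[float]]:
    """Stand-in for the skip-gram embedding (assumption of this example): count how
    often each node appears within `window` positions of every other node across
    the walks, then L2-normalise each node's count vector."""
    nodes = sorted(graph)
    idx = {n: i for i, n in enumerate(nodes)}
    vecs = {n: [0.0] * len(nodes) for n in nodes}
    for walk in walks:
        for i, n in enumerate(walk):
            for j in range(max(0, i - window), min(len(walk), i + window + 1)):
                if j != i:
                    vecs[n][idx[walk[j]]] += 1.0
    for n, v in vecs.items():
        norm = math.sqrt(sum(x * x for x in v)) or 1.0
        vecs[n] = [x / norm for x in v]
    return vecs


def cosine_distance(a: List[float], b: List[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a)) or 1.0
    nb = math.sqrt(sum(y * y for y in b)) or 1.0
    return 1.0 - dot / (na * nb)


def dbscan(vectors: Dict[str, List[float]], eps: float, min_pts: int) -> Dict[str, int]:
    """Operation S872 with DBSCAN: a core point has at least min_pts points within
    eps (itself included); a cluster grows from a core point through all
    density-reachable points; points reached from no core point are noise (-1)."""
    labels: Dict[str, Optional[int]] = {n: None for n in vectors}
    cluster = 0

    def region(n):
        return [m for m in vectors if cosine_distance(vectors[n], vectors[m]) <= eps]

    for n in vectors:
        if labels[n] is not None:
            continue
        nbrs = region(n)
        if len(nbrs) < min_pts:
            labels[n] = -1           # noise for now; may become a border point later
            continue
        cluster += 1
        labels[n] = cluster
        queue = [m for m in nbrs if m != n]
        while queue:
            m = queue.pop()
            if labels[m] == -1:
                labels[m] = cluster  # border point claimed by this cluster
                continue
            if labels[m] is not None:
                continue
            labels[m] = cluster
            m_nbrs = region(m)
            if len(m_nbrs) >= min_pts:   # m is itself a core point: keep expanding
                queue.extend(x for x in m_nbrs if labels[x] in (None, -1))
    return labels


def attack_groups(labels: Dict[str, int]) -> Dict[int, List[str]]:
    """Penetration attacks that share a cluster id form one attack group (attack team)."""
    groups: Dict[int, List[str]] = {}
    for node, c in labels.items():
        groups.setdefault(c, []).append(node)
    return groups


def cluster_attacks(graph, walks_per_node=20, walk_length=10, eps=0.3, min_pts=2, seed=0):
    """Operations S871-S872 end to end on a weighted knowledge graph."""
    rng = random.Random(seed)
    walks = [biased_random_walk(graph, n, walk_length, rng=rng)
             for n in sorted(graph) for _ in range(walks_per_node)]
    return dbscan(cooccurrence_vectors(graph, walks), eps, min_pts)


if __name__ == "__main__":
    print(attack_groups(cluster_attacks(GRAPH)))
```

For production use the walk and embedding steps would normally come from a node2vec library and the clustering from an off-the-shelf DBSCAN; the value of writing them out is seeing that the noise label is how an isolated penetration attack (no dense neighbourhood of similar attacks) stays out of every attack group instead of being forced into the nearest one.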
The penetration attack evaluation method breaks through the limitation of analyzing the attack activity of a single attacker: by connecting the attack processes of many attackers into a network through the knowledge graph, the scope of attack analysis can be expanded horizontally and the depth of mining deepened vertically. Group information can thus be obtained, which facilitates more targeted risk protection and threat evaluation.
In summary, the penetration attack evaluation method can establish a threat level rating standard based on the penetration attack process, describing the attack tactics and attack techniques of the various attack behaviors in a penetration attack in a unified way; it then quantifies the attack capability of each attack behavior from multiple dimensions to produce the final threat level evaluation result. Moreover, combined with the knowledge graph, the group relationships between attackers can be mined and partitioned. Compared with the prior art, the method fills the gap in applying threat rating to penetration attacks.
Fig. 11 schematically shows a block diagram of the structure of the penetration attack evaluation apparatus according to the embodiment of the present disclosure.
As shown in fig. 11, the penetration attack evaluation apparatus 1100 of the embodiment of the present disclosure may include, for example, an information acquisition module 1110, an attack behavior determination module 1120, and a threat level determination module 1130. Here the penetration attack comprises at least one attack behavior.
The information obtaining module 1110 is configured to obtain attack information for each of at least one attack behavior. The information obtaining module 1110 may be configured to perform operation S210 described in fig. 2, for example, and is not described herein again.
The attack behavior determination module 1120 is configured to determine attack tactics and attack techniques of each attack behavior according to the attack information of each attack behavior. The attack behavior determination module 1120 may be configured to perform operation S220 described in fig. 2, for example, and is not described herein again.
The threat level determination module 1130 is configured to determine a threat level of the penetration attack using a predetermined rating model according to attack tactics and attack techniques of each attack behavior. The threat level determination module 1130 may be configured to perform operation S230 described in fig. 2, for example, and will not be described herein again.
According to an embodiment of the present disclosure, the information obtaining module 1110 may include, for example, an obtaining sub-module, an extracting sub-module, and a combining sub-module. The obtaining submodule is used for obtaining logs recorded by at least one monitoring device to obtain at least one log. The extraction submodule is used for extracting a plurality of pieces of attack-related information from at least one log, wherein the attack-related information comprises attack information aiming at the at least one attack behavior. The merging submodule is used for merging the attack related information aiming at each attack behavior in the plurality of attack related information to obtain the attack information aiming at each attack behavior. In an embodiment, the obtaining submodule, the extracting submodule, and the merging submodule may be respectively configured to perform operations S311 to S313 described in fig. 3, which is not described herein again.
According to an embodiment of the present disclosure, the threat level determination module 1130 may include, for example, a score determination submodule and a level determination submodule. The score determination submodule is configured to determine the evaluation score for each attack behavior using the score submodel according to the attack tactics and attack technique of each attack behavior, obtaining at least one evaluation score. The level determination submodule is configured to determine the threat level of the penetration attack using the rating submodel according to the at least one evaluation score. In an embodiment, the score determination submodule and the level determination submodule may be configured to perform operations S431 to S432 described in fig. 4, respectively, and are not described herein again.
According to an embodiment of the present disclosure, the score determination submodule may include, for example, a first determination unit and a second determination unit. The first determination unit is configured to determine the evaluation sub-scores of each attack behavior in multiple dimensions using the score submodel according to the attack tactics and attack technique of the attack behavior, obtaining multiple evaluation sub-scores. The second determination unit is configured to determine the evaluation score of each attack behavior as the sum of the multiple evaluation sub-scores. The plurality of dimensions includes at least two of: attack destructiveness, attack persistence, attack complexity, attack novelty, attack concealment, and attack repairability. In an embodiment, the first determination unit and the second determination unit may be configured to perform operations S5311 to S5312 described in fig. 5, respectively, and are not described herein again.
According to an embodiment of the present disclosure, the rank determination submodule may include, for example, a third determination unit and a fourth determination unit. The third determining unit is used for determining an average score of the at least one evaluation score to obtain a threat score aiming at the penetration attack. The fourth determining unit is used for determining the threat level corresponding to the threat score aiming at the penetration attack as the threat level of the penetration attack according to the corresponding relation between the preset threat score and the threat level. In an embodiment, the third determining unit and the fourth determining unit may be, for example, respectively configured to perform operations S6321 to S6322 described in fig. 6, and are not described herein again.
According to an embodiment of the present disclosure, the penetration attack evaluation apparatus 1100 may further include, for example, a statistics module, a relationship determination module, a graph construction module, and a clustering module. The statistics module is configured to count the attack techniques of the at least one attack behavior included in each of the plurality of penetration attacks, obtaining the attack techniques for each penetration attack. The relationship determination module is configured to determine, according to the attack techniques for each of the plurality of penetration attacks, that two penetration attacks whose attack techniques include the same attack technique have an association relationship. The graph construction module is configured to construct a plurality of nodes for the plurality of penetration attacks and an edge between the two nodes of two penetration attacks having an association relationship, obtaining a knowledge graph. The clustering module is configured to cluster the plurality of penetration attacks according to the knowledge graph, obtaining at least two attack groups, each of which corresponds to an attack team. In an embodiment, the statistics module, the relationship determination module, the graph construction module, and the clustering module may be configured to perform operations S740 to S770 described in fig. 7, respectively, and are not described herein again.
According to an embodiment of the present disclosure, the clustering module may include, for example, a vector extraction submodule and a clustering submodule. The vector extraction submodule is used for extracting, from the knowledge graph, the feature vector of the node for each penetration attack using a node-to-vector conversion algorithm, to obtain a plurality of feature vectors. The clustering submodule is used for clustering the plurality of penetration attacks using a preset clustering algorithm according to the plurality of feature vectors, to obtain the at least two attack groups. In an embodiment, the vector extraction submodule and the clustering submodule may be respectively configured to perform operations S871 to S872 described in fig. 8, which are not described herein again.
According to an embodiment of the present disclosure, the graph construction module may include, for example, a construction submodule and a weight assignment submodule. The construction submodule is used for constructing a plurality of nodes for the plurality of penetration attacks and constructing an edge between the two nodes for two penetration attacks having an association relationship. The weight assignment submodule is used for assigning a weight to the edge between the nodes of any two penetration attacks having an association relationship, according to the number of attack techniques the two penetration attacks have in common, to obtain the knowledge graph. In an embodiment, the construction submodule and the weight assignment submodule may be, for example, respectively configured to perform operations S961 to S962 described in fig. 9, and are not described herein again.
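The statistics, relationship determination, weighted graph construction and clustering steps above, run end to end on constructed attack data, as an added example that is not part of the patent: the attack records are constructed, a node's weighted adjacency row with a unit self-loop stands in for the node-to-vector conversion algorithm the patent does not specify, and farthest-first seeded k-means is the assumed preset clustering algorithm.

```python
"""Grouping penetration attacks into attack teams, following the knowledge-graph
and clustering steps of CN111581643A: count techniques per attack, link attacks
that share a technique, weight edges by the number shared, embed nodes, cluster.

Added illustration, not code from the patent. The attack data is constructed;
the adjacency-row feature vector stands in for the node-to-vector conversion
algorithm, and farthest-first k-means is the assumed preset clustering algorithm.
"""
from itertools import combinations
from math import dist

# Constructed: the attack techniques of the behaviours of each penetration attack
# (a repeated label is one technique used by several behaviours of that attack).
PENETRATION_ATTACKS = {
    "PA-1": ["phishing attachment", "office macro", "credential dumping", "office macro"],
    "PA-2": ["phishing attachment", "office macro", "stolen credential logon"],
    "PA-3": ["public service exploit", "web shell"],
    "PA-4": ["public service exploit", "web shell", "scheduled task"],
    "PA-5": ["credential dumping", "archive upload over HTTPS"],
}


def technique_sets(attacks):
    """Count the attack techniques of each penetration attack."""
    return {name: frozenset(techs) for name, techs in attacks.items()}


def build_knowledge_graph(attacks):
    """One node per penetration attack; an edge between two attacks whose
    techniques overlap, weighted by how many techniques they share."""
    techs = technique_sets(attacks)
    nodes = list(attacks)
    edges = {}
    for a, b in combinations(nodes, 2):
        shared = techs[a] & techs[b]
        if shared:
            edges[(a, b)] = len(shared)
    return nodes, edges


def node_vectors(nodes, edges):
    """Stand-in node embedding: each node's weighted adjacency row with a unit
    self-loop, so that linked attacks end up close in feature space."""
    index = {n: i for i, n in enumerate(nodes)}
    vectors = {n: [0.0] * len(nodes) for n in nodes}
    for n in nodes:
        vectors[n][index[n]] = 1.0
    for (a, b), weight in edges.items():
        vectors[a][index[b]] = float(weight)
        vectors[b][index[a]] = float(weight)
    return vectors


def kmeans(vectors, k, rounds=50):
    """Deterministic k-means: farthest-first seeding, then Lloyd iterations
    until the assignment stops changing. Returns {node: cluster label}."""
    names = list(vectors)
    points = [vectors[n] for n in names]
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    labels = None
    for _ in range(rounds):
        new_labels = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:  # an empty cluster keeps its previous centroid
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return dict(zip(names, labels))


def attack_groups(attacks, k=2):
    """Cluster the knowledge graph into k attack groups (one per attack team)."""
    nodes, edges = build_knowledge_graph(attacks)
    labels = kmeans(node_vectors(nodes, edges), k)
    groups = [sorted(n for n in nodes if labels[n] == j) for j in range(k)]
    return [g for g in groups if g]


if __name__ == "__main__":
    nodes, edges = build_knowledge_graph(PENETRATION_ATTACKS)
    print("weighted edges:", edges)  # PA-1/PA-2: 2, PA-1/PA-5: 1, PA-3/PA-4: 2
    for i, group in enumerate(attack_groups(PENETRATION_ATTACKS), start=1):
        print(f"attack team {i}: {group}")
```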
According to an embodiment of the present disclosure, the attack tactic of each attack behavior is determined according to the attack purpose of that attack behavior; the attack tactic of each attack behavior is any one of: initial entry, code execution, persistence, privilege elevation, defense bypass, credential acquisition, internal probing, lateral movement, information collection, data theft, command control, and attack impact.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
Fig. 12 schematically shows a block diagram of an electronic device adapted to perform a penetration attack evaluation method according to an embodiment of the present disclosure.
As shown in fig. 12, an electronic apparatus 1200 according to an embodiment of the present disclosure includes a processor 1201, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1202 or a program loaded from a storage section 1208 into a Random Access Memory (RAM) 1203. The processor 1201 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 1201 may also include on-board memory for caching purposes. The processor 1201 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 1203, various programs and data necessary for the operation of the electronic apparatus 1200 are stored. The processor 1201, the ROM 1202, and the RAM 1203 are connected to each other by a bus 1204. The processor 1201 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 1202 and/or the RAM 1203. Note that the programs may also be stored in one or more memories other than the ROM 1202 and the RAM 1203. The processor 1201 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the electronic device 1200 may also include an input/output (I/O) interface 1205, which is also connected to the bus 1204. The electronic device 1200 may also include one or more of the following components connected to the I/O interface 1205: an input section 1206 including a keyboard, a mouse, and the like; an output portion 1207 including a display device such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 1208 including a hard disk and the like; and a communication section 1209 including a network interface card such as a LAN card, a modem, or the like. The communication section 1209 performs communication processing via a network such as the internet. A drive 1210 is also connected to the I/O interface 1205 as needed. A removable medium 1211, such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like, is mounted on the drive 1210 as necessary, so that a computer program read out therefrom is installed into the storage section 1208 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 1209, and/or installed from the removable medium 1211. The computer program, when executed by the processor 1201, performs the above-described functions defined in the electronic device of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 1202 and/or the RAM 1203 and/or one or more memories other than the ROM 1202 and the RAM 1203 described above.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (12)

1. A penetration attack evaluation method, wherein the penetration attack comprises at least one attack behavior; the method comprises the following steps:
acquiring attack information for each attack behavior of the at least one attack behavior;
determining an attack tactic and an attack technique of each attack behavior according to the attack information of that attack behavior; and
determining a threat level of the penetration attack using a preset rating model according to the attack tactic and attack technique of each attack behavior.
2. The method of claim 1, wherein the acquiring attack information for each attack behavior of the at least one attack behavior comprises:
acquiring logs recorded by at least one monitoring device to obtain at least one log;
extracting a plurality of pieces of attack-related information from the at least one log, the plurality of pieces of attack-related information including attack information for the at least one attack behavior; and
combining, for each attack behavior, the pieces of attack-related information belonging to that attack behavior among the plurality of pieces of attack-related information, to obtain the attack information for each attack behavior.
3. The method of claim 1 or 2, wherein the determining a threat level of the penetration attack using a preset rating model comprises:
determining an evaluation score for each attack behavior using a scoring submodel according to the attack tactic and attack technique of each attack behavior, to obtain at least one evaluation score; and
determining the threat level of the penetration attack using a rating submodel according to the at least one evaluation score.
4. The method of claim 3, wherein the determining an evaluation score for each attack behavior using a scoring submodel comprises:
determining evaluation sub-scores of each attack behavior in a plurality of dimensions using the scoring submodel according to the attack tactic and attack technique of that attack behavior, to obtain a plurality of evaluation sub-scores; and
determining the evaluation score for each attack behavior as the sum of its plurality of evaluation sub-scores,
wherein the plurality of dimensions includes at least two of: attack subversion, attack persistence, attack complexity, attack novelty, attack concealment, and attack repairability.
5. The method of claim 3, wherein the determining the threat level of the penetration attack using a rating submodel comprises:
determining an average of the at least one evaluation score to obtain a threat score for the penetration attack; and
determining, according to a preset correspondence between threat scores and threat levels, the threat level corresponding to the threat score for the penetration attack as the threat level of the penetration attack.
6. The method of claim 1 or 2, wherein there are a plurality of penetration attacks; the method further comprises the following steps:
counting the attack techniques of the at least one attack behavior included in each penetration attack of the plurality of penetration attacks, to obtain the attack techniques for each penetration attack;
determining, according to the attack techniques for each penetration attack of the plurality of penetration attacks, that two penetration attacks whose attack techniques include the same attack technique have an association relationship;
constructing a plurality of nodes for the plurality of penetration attacks, and constructing an edge between the two nodes for two penetration attacks having an association relationship, to obtain a knowledge graph; and
clustering the plurality of penetration attacks according to the knowledge graph to obtain at least two attack groups,
wherein each attack group of the at least two attack groups corresponds to an attack team.
7. The method of claim 6, wherein the clustering the plurality of penetration attacks according to the knowledge graph to obtain at least two attack groups comprises:
extracting, from the knowledge graph, a feature vector of the node for each penetration attack using a node-to-vector conversion algorithm, to obtain a plurality of feature vectors; and
clustering the plurality of penetration attacks using a preset clustering algorithm according to the plurality of feature vectors, to obtain the at least two attack groups.
8. The method of claim 6, wherein the constructing a plurality of nodes for the plurality of penetration attacks, and constructing an edge between the two nodes for two penetration attacks having an association relationship, to obtain a knowledge graph comprises:
constructing a plurality of nodes for the plurality of penetration attacks, and constructing an edge between the two nodes for two penetration attacks having an association relationship; and
assigning a weight to the edge between the nodes of any two penetration attacks having an association relationship according to the number of attack techniques the two penetration attacks have in common, to obtain the knowledge graph.
9. The method of claim 1 or 2, wherein:
the attack tactic of each attack behavior is determined according to the attack purpose of that attack behavior; and
the attack tactic of each attack behavior is any one of: initial entry, code execution, persistence, privilege elevation, defense bypass, credential acquisition, internal probing, lateral movement, information collection, data theft, command control, and attack impact.
10. A penetration attack evaluation apparatus, wherein the penetration attack comprises at least one attack behavior; the apparatus comprises:
an information acquisition module for acquiring attack information for each attack behavior of the at least one attack behavior;
an attack behavior determination module for determining an attack tactic and an attack technique of each attack behavior according to the attack information of that attack behavior; and
a threat level determination module for determining a threat level of the penetration attack using a preset rating model according to the attack tactic and attack technique of each attack behavior.
11. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the penetration attack evaluation method of any one of claims 1-9.
12. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the penetration attack evaluation method of any one of claims 1 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010379590.9A CN111581643B (en) 2020-05-07 2020-05-07 Penetration attack evaluation method and device, electronic device and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010379590.9A CN111581643B (en) 2020-05-07 2020-05-07 Penetration attack evaluation method and device, electronic device and readable storage medium

Publications (2)

Publication Number Publication Date
CN111581643A true CN111581643A (en) 2020-08-25
CN111581643B CN111581643B (en) 2024-02-02

Family

ID=72124754

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010379590.9A Active CN111581643B (en) 2020-05-07 2020-05-07 Penetration attack evaluation method and device, electronic device and readable storage medium

Country Status (1)

Country Link
CN (1) CN111581643B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108810014A (en) * 2018-06-29 2018-11-13 北京奇虎科技有限公司 Attack alarm method and device
CN109005069A (en) * 2018-08-29 2018-12-14 中国人民解放军国防科技大学 Network security knowledge graph association analysis method based on heaven-earth integrated network
CN109347798A (en) * 2018-09-12 2019-02-15 东软集团股份有限公司 Generation method, device, equipment and the storage medium of network security knowledge map
CN110417772A (en) * 2019-07-25 2019-11-05 浙江大华技术股份有限公司 The analysis method and device of attack, storage medium, electronic device
CN110650140A (en) * 2019-09-25 2020-01-03 杭州安恒信息技术股份有限公司 Attack behavior monitoring method and device based on kmeans
US20200042700A1 (en) * 2018-07-31 2020-02-06 Nec Laboratories America, Inc. Automated threat alert triage via data provenance

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022088633A1 (en) * 2020-10-28 2022-05-05 北京奇虎科技有限公司 Lateral penetration protection method and apparatus, device and storage medium
CN112351021A (en) * 2020-10-30 2021-02-09 杭州安恒信息技术股份有限公司 Asset risk detection method and device, readable storage medium and computer equipment
CN112333195A (en) * 2020-11-10 2021-02-05 西安电子科技大学 APT attack scene reduction detection method and system based on multi-source log correlation analysis
CN112333195B (en) * 2020-11-10 2021-11-30 西安电子科技大学 APT attack scene reduction detection method and system based on multi-source log correlation analysis
EP4250152A4 (en) * 2020-11-20 2024-05-01 Panasonic Ip Corp America Vehicle attack event continuity determination method, vehicle attack event continuity determination device, and program
CN113364802A (en) * 2021-06-25 2021-09-07 中国电子科技集团公司第十五研究所 Method and device for studying and judging security alarm threat
CN116319021A (en) * 2023-03-23 2023-06-23 长扬科技(北京)股份有限公司 Lateral movement detection method and device, electronic equipment and storage medium
CN116319021B (en) * 2023-03-23 2023-09-29 长扬科技(北京)股份有限公司 Lateral movement detection method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN111581643B (en) 2024-02-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant