CN112738107A - Network security evaluation method, device, equipment and storage medium - Google Patents

Network security evaluation method, device, equipment and storage medium Download PDF

Info

Publication number
CN112738107A
Authority
CN
China
Prior art keywords
internet protocol
security
protocol address
event
safety
Legal status
Granted
Application number
CN202011608309.0A
Other languages
Chinese (zh)
Other versions
CN112738107B (en)
Inventor
邓拓
龚济才
马少林
吕慧
梁彧
田野
傅强
王杰
杨满智
蔡琳
金红
陈晓光
Current Assignee
Eversec Beijing Technology Co Ltd
Original Assignee
Eversec Beijing Technology Co Ltd
Application filed by Eversec Beijing Technology Co Ltd
Priority to CN202011608309.0A
Publication of CN112738107A
Application granted
Publication of CN112738107B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a method, a device, equipment and a storage medium for evaluating network security, wherein the method comprises the following steps: acquiring security event data of at least one internet protocol address within a first preset time; determining security quantitative data of the at least one internet protocol address under each security event according to the security event data and the maximum number of occurrences of each security event of the at least one internet protocol address within the first preset time; determining a security weight value of the at least one internet protocol address under each security event according to the security event data and the industry information of the at least one internet protocol address; and determining the security score of the at least one internet protocol address according to the security quantitative data and the security weight value under each security event. Accurate evaluation of network security is thereby realized, and since the security weight value is determined per security event, the method can adapt to continuously changing network security requirements.

Description

Network security evaluation method, device, equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of networks, in particular to a method, a device, equipment and a storage medium for evaluating network security.
Background
With the rapid development of information technology, networks have become important support platforms for enterprise production, operation and management; however, the frequent occurrence of various security events (such as botnet, trojan and worm activity, malicious programs, and the like) causes serious losses to enterprises and to society, so that the quantitative evaluation of enterprise network security and timely early warning of security events have important significance.
Existing network security assessment methods generally set fixed preset weights for the various security events, calculate a health index for each security event, and obtain the network security index of an enterprise or region by weighting these indexes again. Different types of security events, however, differ greatly in their impact on enterprises belonging to different industries, so under fixed weights the existing methods cannot evaluate network security accurately; moreover, novel security events continuously emerge over time, and the existing methods cannot adapt to continuously changing network security requirements.
Disclosure of Invention
The embodiment of the invention provides a method, a device, equipment and a storage medium for evaluating network security, which are used for realizing accurate evaluation of the network security.
In a first aspect, an embodiment of the present invention provides a method for evaluating network security, including:
acquiring security event data of at least one internet protocol address within first preset time; wherein the security event data comprises a number of occurrences of a security event;
determining the maximum occurrence frequency of each safety event of the at least one internet protocol address in the first preset time according to the historical safety event data of the at least one internet protocol address;
according to the security event data of the at least one internet protocol address and the maximum occurrence frequency of each security event of the at least one internet protocol address in the first preset time, determining the security quantitative data of the at least one internet protocol address under each security event;
acquiring industry information corresponding to the at least one internet protocol address according to the mapping relation among the internet protocol addresses, enterprise names and the industry information, and determining the safety weight value of the at least one internet protocol address under each safety event according to the safety event data and the industry information of the at least one internet protocol address;
and determining the security score of at least one internet protocol address according to the security quantitative data and the security weight value of the at least one internet protocol address under each security event.
In a second aspect, an embodiment of the present invention provides an apparatus for evaluating network security, including:
the security event data acquisition module is used for acquiring security event data of at least one internet protocol address within first preset time; wherein the security event data comprises a number of occurrences of a security event;
a maximum occurrence frequency determining module, configured to determine, according to historical security event data of the at least one internet protocol address, a maximum occurrence frequency of each security event within the first preset time of the at least one internet protocol address;
a security quantitative data obtaining module, configured to determine, according to security event data of the at least one internet protocol address, and the maximum occurrence number of each security event of the at least one internet protocol address within the first preset time, security quantitative data of the at least one internet protocol address under each security event;
the first security weight value determining module is used for acquiring industry information corresponding to the at least one internet protocol address according to a mapping relation among the internet protocol addresses, enterprise names and the industry information, and determining a security weight value of the at least one internet protocol address under each security event according to security event data and the industry information of the at least one internet protocol address;
and the security score determining module is used for determining the security score of at least one internet protocol address according to the security quantitative data and the security weight value of the at least one internet protocol address under each security event.
In a third aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes:
one or more processors;
storage means for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the method for evaluating network security according to any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method for evaluating network security according to any embodiment of the present invention.
According to the technical scheme disclosed by the embodiment of the invention, the safety event data of at least one internet protocol address in a first preset time is acquired; determining the maximum occurrence frequency of each safety event of at least one internet protocol address in a first preset time according to historical safety event data of at least one internet protocol address; determining safety quantitative data of at least one internet protocol address under each safety event according to the safety event data of at least one internet protocol address and the maximum occurrence frequency of each safety event of at least one internet protocol address in a first preset time; meanwhile, according to the mapping relation among the Internet protocol addresses, the enterprise names and the industry information, industry information corresponding to at least one Internet protocol address is obtained, and according to the safety event data and the industry information of at least one Internet protocol address, the safety weight value of at least one Internet protocol address under each safety event is determined; and finally, determining the security score of at least one internet protocol address according to the security quantitative data and the security weight value of the at least one internet protocol address under each security event, thereby realizing accurate evaluation of network security, and simultaneously determining the corresponding security weight value according to the security event, thereby being suitable for the continuously changing network security requirements.
Drawings
Fig. 1 is a flowchart of a method for evaluating network security according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for evaluating network security according to a second embodiment of the present invention;
fig. 3 is a flowchart of a method for evaluating network security according to a third embodiment of the present invention;
fig. 4 is a flowchart of an evaluation method for network security according to a fourth embodiment of the present invention;
fig. 5 is a block diagram of a network security evaluation apparatus according to a fifth embodiment of the present invention;
fig. 6 is a block diagram of an electronic device according to a sixth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of an evaluation method for network security according to an embodiment of the present invention, where the method is applicable to implement evaluation of network security by obtaining a security score corresponding to an internet protocol address, and the method can be executed by an evaluation apparatus for network security according to a fifth embodiment of the present invention, where the apparatus can be implemented by software and/or hardware and is integrated on an electronic device, and the method specifically includes the following steps:
s110, acquiring security event data of at least one Internet protocol address within first preset time; wherein the security event data comprises a number of occurrences of a security event.
The first preset time is a time period for acquiring corresponding security event data, which is set for an internet protocol address needing security evaluation, for example, one day, namely, various security event data corresponding to each internet protocol address in one day are acquired; the Internet Protocol (IP) address, i.e. the logical address of each network in the Internet, is used to identify the identity information of each network. In the embodiment of the present invention, each IP address in the first preset time may correspond to multiple security events, or may correspond to only a single security event, and the occurrence frequency of each security event may be multiple times or only one time; the safety event data comprises the type of the safety event matched with each IP address in a first preset time and the occurrence frequency of each type of safety event; the security event refers to a network abnormal condition that may seriously affect the network security, including an attack behavior and a network vulnerability in the network. By acquiring the security event data corresponding to each IP address within the preset time and analyzing the acquired security event data, the network security score corresponding to each IP address can be accurately acquired, and meanwhile, by comprehensively considering the network security score corresponding to each IP address, the evaluation of the network security of the industry or the region to which each IP address belongs can be realized.
Optionally, in the embodiment of the present invention, the security events include botnet/trojan/worm events, "two-defense" (antivirus and firewall) events, distributed denial of service attacks, domain generation algorithm attacks, and/or security vulnerabilities. "Botnet/trojan/worm" is a collective name for botnets, trojans and worms: a botnet uses one or more propagation means to infect a large number of hosts with bot programs so that an attacker can control many infected hosts; a trojan is malicious code with special functions hidden inside a normal program, such as destroying or deleting files, sending passwords and recording keystrokes; a worm is a computer virus that propagates by exploiting security vulnerabilities in the network to continuously obtain partial or full control of computers. A two-defense event is a network attack aimed at antivirus software and firewalls, which can damage the network's protection system and seriously affect network security. A Distributed Denial of Service (DDoS) attack means that multiple attackers at different locations attack the current network at the same time, or that multiple machines at different locations controlled by one attacker attack it at the same time, making it difficult for users to defend. A Domain Generation Algorithm (DGA) attack means that an attacker generates command-and-control (C&C) domain names from random characters to evade domain blacklist detection, so that traditional protection based on domain blacklists becomes ineffective. A security vulnerability is a defect in the specific implementation of hardware, software or a protocol, or in a system security policy, that allows an attacker to access or damage a system without authorization and seriously affects network security.
The security events are all network attacks and attack modes commonly used by attackers, each corresponding security event comprises a plurality of specific implementation modes, the influence of different security events on different types of networks is different, and the influence of the same security event on different types of networks can be greatly different; in the embodiment of the invention, the comprehensive evaluation of all types of security events occurring in the network can be realized to obtain the network security score corresponding to the current IP address, and the type of the security event is not limited.
S120, determining the maximum occurrence frequency of each safety event of the at least one internet protocol address in the first preset time according to historical safety event data of the at least one internet protocol address.
Specifically, the historical security event data refers to historical data of various security events corresponding to each IP address, and includes a corresponding relationship between a plurality of groups of security event types and occurrence times; acquiring historical security event data, including acquiring the types of historical security events of a preset number and the corresponding occurrence times of each security event, and the types of the historical security events and the corresponding occurrence times of each security event in a set time period; specifically, the number of times of each security event is counted in a first preset time, and the counted number is used as a security event data, and the number of the first preset times included in the set time period is the number of the security event data corresponding to each security event. After the historical safety event data are obtained, analyzing all the historical safety event data to determine the maximum occurrence frequency of each safety event in the historical safety event data within a first preset time; or randomly selecting a certain amount of historical safety event data from all the obtained historical safety event data, for example, 5 safety event data, and determining the maximum occurrence frequency of each safety event only from the selected 5 historical safety event data; the industry to which the corresponding enterprise belongs can also be determined according to a certain amount of randomly selected historical security event data, and the maximum occurrence frequency of the same security event corresponding to each IP address in the same industry is selected from all the historical security event data so as to obtain the more accurate maximum occurrence frequency corresponding to each security event.
Optionally, in this embodiment of the present invention, the determining, according to the historical security event data of the at least one internet protocol address, the maximum occurrence number of each security event of the at least one internet protocol address in the first preset time includes: and determining the maximum occurrence frequency and the minimum occurrence frequency of each safety event of the at least one internet protocol address in the first preset time according to the historical safety event data of the at least one internet protocol address. Specifically, the minimum occurrence frequency of each security event is obtained while determining the maximum occurrence frequency of each security event within a first preset time of each IP address according to the current historical security event data, and the minimum occurrence frequency may be zero due to differences in the types of the security events corresponding to each IP address.
S130, determining safety quantitative data of the at least one Internet protocol address under each safety event according to the safety event data of the at least one Internet protocol address and the maximum occurrence frequency of each safety event of the at least one Internet protocol address in the first preset time.
Specifically, because the occurrence frequency of each security event may have a large difference within the first preset time, if the obtained security event data within the first preset time is directly adopted to perform the calculation of the security score, the occurrence frequency of a certain type of security event may be too large, so that the influence of other security event data on the final calculation result may be ignored, and further the influence of all security events cannot be comprehensively considered in the final security score result; therefore, the ratio of the security event data of each IP address to the maximum occurrence frequency of each security event within the first preset time is used as the security quantitative data corresponding to each security event, that is, the occurrence frequency of each security event is converted into a numerical value between 0 and 1, thereby avoiding that the security scoring result cannot be accurately evaluated due to the occurrence of extreme values such as the occurrence frequency of a certain type of security event is too high.
Optionally, in this embodiment of the present invention, determining the security quantitative data of the at least one internet protocol address under each security event according to the security event data of the at least one internet protocol address and the maximum number of occurrences of each security event within the first preset time includes: determining the security quantitative data according to the security event data and the maximum and minimum number of occurrences of each security event of the at least one internet protocol address within the first preset time. Specifically, the minimum number of occurrences is subtracted from both the current count and the maximum number of occurrences, and the ratio of the two differences is used as the final security quantitative data. Taking one security event of one IP address as an example, the security quantitative data of the current security event may be obtained from the following formula:

p = (X - X_min) / (X_max - X_min)

where p is the security quantitative data of the current security event, X is the number of occurrences of the current security event in the first preset time, X_min is the historical minimum number of occurrences of the current security event within a first preset time, and X_max is its historical maximum number of occurrences within a first preset time. In addition, since in the embodiment of the invention the final security score of each IP address is a value from 0 to 100, the security quantitative data can be multiplied by 100 to obtain a score within the preset range. By normalizing the raw security event data in this way, all security event data of each IP address are taken into account together, and an excessive number of occurrences of a single security event no longer makes the final security score inaccurate.
S140, acquiring industry information corresponding to the at least one Internet protocol address according to the mapping relation among the Internet protocol addresses, the enterprise names and the industry information, and determining a security weight value of the at least one Internet protocol address under each security event according to the security event data and the industry information of the at least one Internet protocol address.
The security weight value is a numerical value representing the degree of influence of each security event on the enterprise corresponding to the current IP address; by setting a corresponding security weight value for each security event, the security score attributable to each security event can be obtained, so that quantitative evaluation of security events is realized. Specifically, because the influence of the same type of security event on enterprises in different industries differs greatly, the industry information of the enterprise corresponding to the current IP address must be considered when setting a security weight value for each security event, so as to assign an accurate security weight value to each security event under each IP address. The security event data and industry information of each IP address can be used to set one overall security weight value per security event, or several sub-weights can be set by jointly considering the industry influence coefficient, the severity level and the judgment accuracy of the security event. In addition, the security weight value of each security event can be adjusted in time according to changes in the network security situation; for example, if botnet/trojan/worm attacks occur frequently during a certain period, the security weight value of that security event can be raised appropriately for that period to adapt to the continuously changing network security situation.
Optionally, in this embodiment of the present invention, determining, according to the security event data of the at least one IP address and the industry information, a security weight value of the at least one IP address under each security event includes: establishing an assignment model of an initial security weight value based on a random forest algorithm, acquiring existing security event data and industry information, and marking a finished correct security weight value to serve as a training sample; training the constructed initial random forest assignment model by using the obtained training sample to obtain a trained random forest assignment model; inputting the acquired safety event data and industry information of each IP address within a first preset time into a random forest assignment model, and acquiring a safety weight value of each IP address under each safety event; in addition, after the current safety weight value is obtained, the currently obtained safety event data and industry information within the first preset time and the corresponding safety weight value are added into the original training sample as a new training sample, and the current random forest model is trained again to realize automatic updating of the safety weight value, so that more accurate obtaining of the safety weight value is realized. The random forest is a classifier composed of a plurality of decision trees, the finally output event category is determined by output voting of each decision tree, a safety weight assignment model is established through a random forest algorithm, a large amount of safety event data can be simultaneously input, the importance of each safety event can be evaluated, and accurate assignment of the safety weight value is achieved. 
Determining a security weight value of at least one internet protocol address under each security event according to the security event data and the industry information of at least one IP address, and further comprising: pre-establishing a comparison table of IP addresses, safety event data, industry information and safety weight values; after the security event data and the industry information of each IP address within the first preset time are obtained, searching is carried out in a pre-established comparison table, and a matched security weight value is obtained. By obtaining the security weight values corresponding to the security events of the IP addresses, more accurate security scores can be obtained, and the accuracy of network security evaluation is improved.
S150, determining the security score of at least one Internet protocol address according to the security quantitative data and the security weight value of the at least one Internet protocol address under each security event.
Specifically, after the safety quantized data and the safety weight value of each IP address under each safety event are obtained, the safety quantized data of each safety event is multiplied by the corresponding safety weight value to obtain weighted safety quantized data, the weighted safety quantized data corresponding to each safety event under the same IP address are correspondingly added, and finally the summed weighted safety quantized data of each IP address is subtracted by the total safety score to obtain the safety score corresponding to each IP address; comparing the security score with a preset threshold value to realize the evaluation of the network security corresponding to each IP address; optionally, when the security score corresponding to the current IP address is lower than the preset security threshold, the warning information is sent in a short message and/or mail manner. Taking an IP address as an example, the security score can be obtained based on the following formula:
z = 100 - Σ_{i=1}^{k} p_i · n_i

where z is the security score of the current IP address, 100 is the highest security score (corresponding to no security event occurring at the current IP address), i = 1, 2, ..., k indexes the security event types, k is the number of security event types corresponding to the current IP address, p_i is the security quantitative data of the i-th security event, and n_i is the security weight value of the i-th security event; in addition, a correction term can be added to this formula to correct cases of excessive calculation deviation. Optionally, in the embodiment of the present invention, after the security score of each IP address is obtained, the security weight value corresponding to each IP address is obtained, the IP addresses belonging to the same industry are determined, the security scores of those IP addresses are multiplied by their corresponding security weight values, and the weighted security scores are added to obtain the security score of the industry. Optionally, after the security score of each IP address is obtained, the method further includes: obtaining the security weight value corresponding to each IP address, determining the IP addresses belonging to the same region, multiplying the security scores of those IP addresses by their corresponding security weight values, and adding the weighted security scores to obtain the security score of the region. Weighted summation of the obtained IP address security scores thus yields the security score of an industry or a region, realizing evaluation of network security over a wider scope.
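The following Python script is an added worked example of steps S120 to S150 as described above; it is not code from the patent or from the assignee. All data are constructed: the IP addresses, enterprise names, industries, daily event counts, the industry-to-event weight table (standing in for the "pre-established comparison table", where the patent also allows a trained model), the group weights and the alert threshold of 60 are hypothetical. It also shows two cases the formula p = (X - X_min)/(X_max - X_min) does not define on its own: a constant history (X_max equal to X_min, division by zero) and a current count above the historical maximum, which is clamped so that one event type cannot drive the score below the range.

```python
from typing import Dict, Mapping, Tuple

# Constructed sample data, not from the patent. Each IP's history holds four past
# one-day windows of event counts (the "first preset time" is one day); CURRENT
# holds the counts for the day being scored.
HISTORY: Dict[str, Dict[str, list]] = {
    "203.0.113.10": {"botnet": [3, 7, 0, 12], "ddos": [0, 1, 0, 0], "dga": [0, 0, 0, 0]},
    "203.0.113.20": {"botnet": [1, 0, 2, 1], "ddos": [4, 9, 6, 3], "vuln": [2, 2, 3, 1]},
}
CURRENT: Dict[str, Dict[str, int]] = {
    "203.0.113.10": {"botnet": 6, "ddos": 2, "dga": 1},
    "203.0.113.20": {"botnet": 1, "ddos": 6, "vuln": 2},
}
# IP -> (enterprise name, industry): the mapping relation of step S140 (hypothetical).
IP_INFO = {"203.0.113.10": ("Bank A", "finance"), "203.0.113.20": ("Plant B", "manufacturing")}
# Industry -> event type -> security weight n_i: a hypothetical comparison table.
WEIGHTS = {
    "finance":       {"botnet": 20, "ddos": 40, "dga": 30, "vuln": 10},
    "manufacturing": {"botnet": 10, "ddos": 15, "dga": 5,  "vuln": 50},
}
FULL_SCORE = 100.0
ALERT_THRESHOLD = 60.0  # hypothetical preset security threshold


def historical_bounds(history: Mapping[str, list]) -> Dict[str, Tuple[int, int]]:
    """Step S120: per event type, (X_min, X_max) over the past windows."""
    return {event: (min(counts), max(counts)) for event, counts in history.items()}


def quantize(x: int, x_min: int, x_max: int) -> float:
    """Step S130: p = (X - X_min) / (X_max - X_min), kept inside [0, 1].

    A constant history (X_max == X_min) would divide by zero, so any count above
    that constant counts as fully abnormal (1.0) and anything else as 0.0. A
    current count above the historical maximum is clamped to 1.0 so that a
    single event type cannot swamp the weighted sum.
    """
    if x_max == x_min:
        return 1.0 if x > x_max else 0.0
    return min(1.0, max(0.0, (x - x_min) / (x_max - x_min)))


def ip_score(ip: str) -> float:
    """Step S150: z = 100 - sum_i p_i * n_i for one IP address, clamped to [0, 100]."""
    _, industry = IP_INFO[ip]
    weights = WEIGHTS[industry]
    bounds = historical_bounds(HISTORY[ip])
    penalty = 0.0
    # Score every event type seen either historically or today; a type with no
    # history gets bounds (0, 0), so any occurrence today quantizes to 1.0.
    for event in sorted(set(bounds) | set(CURRENT[ip])):
        x_min, x_max = bounds.get(event, (0, 0))
        p = quantize(CURRENT[ip].get(event, 0), x_min, x_max)
        # An event type absent from the industry table gets weight 0 and does
        # not move the score (the patent leaves the set of event types open).
        penalty += p * weights.get(event, 0)
    return max(0.0, min(FULL_SCORE, FULL_SCORE - penalty))


def needs_alert(ip: str, threshold: float = ALERT_THRESHOLD) -> bool:
    """Early warning (SMS and/or mail in the patent) when the score falls below the threshold."""
    return ip_score(ip) < threshold


def group_score(members: Mapping[str, float]) -> float:
    """Industry or region score: weighted sum of member IP scores.

    `members` maps IP -> its weight within the group (assumed to sum to 1).
    """
    return sum(ip_score(ip) * w for ip, w in members.items())


if __name__ == "__main__":
    for ip in CURRENT:
        status = "ALERT" if needs_alert(ip) else "ok"
        print(ip, IP_INFO[ip][1], round(ip_score(ip), 1), status)
    # Region "north" contains both IPs with hypothetical weights 0.6 and 0.4.
    print("region north", round(group_score({"203.0.113.10": 0.6, "203.0.113.20": 0.4}), 1))
```

For 203.0.113.10 the DDoS count (2) exceeds its historical maximum (1) and the DGA history is all zeros, so both quantize to 1.0 and the finance weights pull the score down to 20, below the threshold; 203.0.113.20 sits at the midpoint of every historical range and scores 62.5. Clamping p to [0, 1] is the choice made here to keep the score bounded; the patent instead mentions an optional correction term for excessive deviation.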
According to the technical scheme disclosed by the embodiment of the invention, the safety event data of at least one internet protocol address in a first preset time is acquired; determining the maximum occurrence frequency of each safety event of at least one internet protocol address in a first preset time according to historical safety event data of at least one internet protocol address; determining safety quantitative data of at least one internet protocol address under each safety event according to the safety event data of at least one internet protocol address and the maximum occurrence frequency of each safety event of at least one internet protocol address in a first preset time; meanwhile, according to the mapping relation among the Internet protocol addresses, the enterprise names and the industry information, industry information corresponding to at least one Internet protocol address is obtained, and according to the safety event data and the industry information of at least one Internet protocol address, the safety weight value of at least one Internet protocol address under each safety event is determined; and finally, determining the security score of at least one internet protocol address according to the security quantitative data and the security weight value of the at least one internet protocol address under each security event, thereby realizing accurate evaluation of network security, and simultaneously determining the corresponding security weight value according to the security event, thereby being suitable for the continuously changing network security requirements.
Example two
Fig. 2 is a flowchart of another network security evaluation method according to a second embodiment of the present invention, which is embodied on the basis of the first embodiment; in this embodiment, the security weight value of an internet protocol address is determined according to the industry influence coefficient and the hazard degree coefficient of the internet protocol address under each security event, and the method specifically includes:
S210, acquiring security event data of at least one Internet protocol address within a first preset time; wherein the security event data comprises a number of occurrences of a security event.
S220, determining the maximum occurrence frequency of each safety event of the at least one internet protocol address in the first preset time according to historical safety event data of the at least one internet protocol address.
S230, according to the security event data of the at least one Internet protocol address and the maximum occurrence frequency of each security event of the at least one Internet protocol address in the first preset time, determining the security quantitative data of the at least one Internet protocol address under each security event.
S240, determining an industry influence coefficient of the at least one Internet protocol address under each safety event according to the safety event data and the industry information of the at least one Internet protocol address.
The industry influence coefficient is used for expressing the influence degree of various safety events under each IP address on the industry to which each IP address belongs; specifically, the influence of different security events on the network security of the IP addresses belonging to different industries is greatly different, for example, an asset vulnerability event has a very serious influence on the network security of the IP addresses of the financial industry, so a large security weight value must be given; therefore, when determining the security weight value of the security event in the current IP address, the influence of each security event on the industry where each IP address is located must be considered to obtain a more accurate security weight value. Optionally, in an embodiment of the present invention, the determining, according to the security event data and the industry information of the at least one internet protocol address, an industry impact coefficient of the at least one internet protocol address under each security event includes: and acquiring an industry influence coefficient of the at least one internet protocol address under each safety event through a first random forest model trained in advance according to the safety event data and the industry information of the at least one internet protocol address. Specifically, a first random forest model trained in advance is obtained, safety event data and industry information of all IP addresses are used as input, and industry influence coefficients of all IP addresses under all safety events are obtained through output, wherein the first random forest model is constructed based on a random forest algorithm and is obtained through training by adopting pre-labeled training samples. 
In addition, a comparison relation table of the industry information, the safety event and the industry influence coefficient can be established in advance in a comparison table searching mode, and when the safety event data and the industry information are obtained, searching is carried out in the comparison table so as to obtain the corresponding industry influence coefficient. By acquiring the industry influence coefficient of each IP address under each safety event, more accurate safety weight value acquisition can be realized.
S250, obtaining the hazard degree of each safety event type according to the corresponding relation between the safety event type and the hazard degree, and obtaining the hazard degree coefficient of the at least one Internet protocol address under each safety event according to the hazard degree of each safety event type and the safety event data of the at least one Internet protocol address.
The hazard degree coefficient is used to represent the degree of influence that the same type of security event has on network security. Taking worm viruses as an example, they exist in many implementation variants, and the influence on network security differs between variants; therefore, the same type of security event can be divided into a preset number of hazard levels, each assigned a different hazard degree coefficient, which further improves the accuracy of the security weight value. Optionally, obtaining the hazard degree coefficient of at least one IP address under each security event includes: establishing a comparison relation table of security event type, hazard degree and hazard degree coefficient, and, after the security event data of each IP address is obtained, searching the comparison relation table according to the security event type in the security event data to obtain the corresponding hazard degree coefficient.
S260, determining a safety weight value of the at least one Internet protocol address according to the industry influence coefficient and the hazard coefficient of the at least one Internet protocol address under each safety event.
Specifically, after an industry influence coefficient and a hazard degree coefficient of each IP address under each security event are obtained, the industry influence coefficient and the corresponding hazard degree coefficient are multiplied to obtain a security weight value corresponding to each security event under each IP address. Optionally, after determining the security weight value of at least one internet protocol address, the method further includes: and determining the security score of at least one internet protocol address according to the security quantitative data and the security weight value of the at least one internet protocol address under each security event. The safety weight value of each IP address is obtained by comprehensively considering the industry influence coefficient and the hazard coefficient of each IP address under each safety event, so that the accuracy of the safety weight value can be further improved, and the accuracy of network safety evaluation is further improved.
S270, determining a security score of at least one Internet protocol address according to the security quantitative data and the security weight value of the at least one Internet protocol address under each security event.
According to the technical scheme disclosed in the embodiment of the invention, the industry influence coefficient of at least one internet protocol address under each safety event is determined according to the safety event data and the industry information of at least one internet protocol address, the hazard degree of each safety event type is obtained according to the corresponding relation between the safety event type and the hazard degree, and the hazard degree coefficient of at least one internet protocol address under each safety event is obtained according to the hazard degree of each safety event type and the safety event data of at least one internet protocol address; and the safety weight value of at least one internet protocol address is determined according to the industry influence coefficient and the hazard coefficient of the at least one internet protocol address under each safety event, so that more accurate safety weight value acquisition is realized.
Example three
Fig. 3 is a flowchart of another network security evaluation method according to a third embodiment of the present invention, which is embodied on the basis of the first embodiment, and in this embodiment, a security weight value of an ip address is determined according to an industry influence coefficient of the ip address under each security event and an ip type influence coefficient of the ip address, where the method specifically includes:
S310, acquiring security event data of at least one internet protocol address within first preset time; wherein the security event data comprises a number of occurrences of a security event.
S320, determining the maximum occurrence frequency of each safety event of the at least one internet protocol address in the first preset time according to the historical safety event data of the at least one internet protocol address.
S330, determining safety quantitative data of the at least one Internet protocol address under each safety event according to the safety event data of the at least one Internet protocol address and the maximum occurrence frequency of each safety event of the at least one Internet protocol address in the first preset time.
S340, determining an industry influence coefficient of the at least one Internet protocol address under each safety event according to the safety event data and the industry information of the at least one Internet protocol address.
S350, acquiring the Internet protocol type influence coefficient of the at least one Internet protocol address according to the corresponding relation among the Internet protocol address, the Internet protocol type and the Internet protocol type influence coefficient.
The type influence coefficient is used to express the degree of influence of each security event on the network security of the current IP address; specifically, the degree to which different security events affect different IP types differs greatly, so the influence of the IP type needs to be considered when determining the security weight value. Optionally, obtaining the IP type influence coefficient of at least one IP address includes: pre-establishing a comparison relation table of IP address, IP type and IP type influence coefficient, and, after the security event data is obtained, searching the comparison relation table according to the IP address contained in the security event data to obtain the matching IP type influence coefficient. The IP address types include open-web key IP, non-open-web key IP, open-web non-key IP and non-open-web non-key IP, and different IP type influence coefficients are set for the different types of IP address. By taking the IP type influence coefficient into account when determining the security weight value, the accuracy of the security weight value can be further improved.
S360, determining a security weight value of the at least one Internet protocol address according to the industry influence coefficient of the at least one Internet protocol address under each security event and the Internet protocol type influence coefficient of the at least one Internet protocol address.
Specifically, when the security weight value is determined, both the industry influence coefficient and the IP type influence coefficient are considered: the industry influence coefficient corresponding to each security event under the same IP address is multiplied by the IP type influence coefficient to obtain the security weight value corresponding to each security event under the current IP address. Optionally, in this embodiment of the present invention, after obtaining the IP type influence coefficient of the at least one IP address, the method further includes: determining a security weight value of the at least one internet protocol address according to the industry influence coefficient and the hazard degree coefficient of the at least one internet protocol address under each security event and the internet protocol type influence coefficient of the at least one internet protocol address. That is, when the security weight value is determined, the industry influence coefficient and the hazard degree coefficient under each security event and the IP type influence coefficient are considered together, so that the accuracy of the security weight value can be further improved.
S370, determining a security score of at least one Internet protocol address according to the security quantitative data and the security weight value of the at least one Internet protocol address under each security event.
According to the technical scheme disclosed in the embodiment of the invention, the industry influence coefficient of at least one internet protocol address under each security event is determined according to the security event data and the industry information of at least one internet protocol address, the internet protocol type influence coefficient of at least one internet protocol address is obtained according to the corresponding relation among the internet protocol address, the internet protocol type and the internet protocol type influence coefficient, and the security weight value of at least one internet protocol address is determined according to the industry influence coefficient of at least one internet protocol address under each security event and the internet protocol type influence coefficient of at least one internet protocol address, so that more accurate security weight value obtaining is realized.
Example four
Fig. 4 is a flowchart of another network security evaluation method according to a fourth embodiment of the present invention, which is embodied on the basis of the first embodiment, and in this embodiment, a security weight value of an internet protocol address is determined according to an industry influence coefficient and an event accuracy coefficient of the internet protocol address at each security event, where the method specifically includes:
S410, acquiring security event data of at least one internet protocol address within first preset time; wherein the security event data comprises a number of occurrences of a security event.
S420, determining the maximum occurrence frequency of each security event of the at least one Internet protocol address in the first preset time according to historical security event data of the at least one Internet protocol address.
S430, determining security quantitative data of the at least one Internet protocol address under each security event according to the security event data of the at least one Internet protocol address and the maximum occurrence frequency of each security event of the at least one Internet protocol address in the first preset time.
S440, determining an industry influence coefficient of the at least one Internet protocol address under each security event according to the security event data and the industry information of the at least one Internet protocol address.
S450, obtaining the event accuracy of each security event type according to the corresponding relation between the security event type and the event accuracy, and obtaining the event accuracy coefficient of the at least one Internet protocol address under each security event according to the event accuracy of each security event type and the security event data of the at least one Internet protocol address.
Event accuracy refers to the accuracy of security event judgment. To judge a security event, various elements of a traffic data packet, such as the packet header and payload bytes, are mainly inspected by Deep Packet Inspection (DPI); when some traffic data features are found to match a certain security event, the current traffic data is judged to be that security event. This judgment mode cannot achieve completely accurate security event judgment, that is, misjudgments occur; therefore, the influence of security event accuracy needs to be considered when determining the security weight value. Specifically, historical security event data within a period of time can be acquired, and the number of correctly judged security events can be obtained to determine the average accuracy of security event judgment, which serves as the event accuracy coefficient of each corresponding security event under each IP address.
Optionally, in this embodiment of the present invention, obtaining the event accuracy coefficient of the at least one internet protocol address under each security event according to the event accuracy of each security event type and the security event data of the at least one internet protocol address includes: obtaining, according to the event accuracy of each security event type and the security event data of the at least one internet protocol address, the event accuracy coefficient of the at least one internet protocol address under each security event through a second random forest model trained in advance. The second random forest model is a classification model constructed based on the random forest algorithm and used to judge the accuracy of the security event type; the accuracy of each security event and the security event data of each IP address are taken as the input of the second random forest model to obtain the event accuracy coefficient under each corresponding security event.
S460, determining a security weight value of the at least one Internet protocol address according to the industry influence coefficient and the event accuracy coefficient of the at least one Internet protocol address under each security event.
Specifically, the industry influence coefficient and the event accuracy of each security event are considered to determine the security weight value; that is, the industry influence coefficient and the event accuracy coefficient of each IP address under each security event are multiplied to obtain the security weight value under each security event. Optionally, in this embodiment of the present invention, after obtaining the event accuracy coefficient of the at least one IP address under each security event, the method further includes: determining a security weight value of the at least one internet protocol address according to the industry influence coefficient, the hazard degree coefficient and the event accuracy coefficient of the at least one internet protocol address under each security event. That is, the three coefficients of industry influence, hazard degree and event accuracy under a security event are considered to determine the security weight value, so as to further improve its accuracy.
Optionally, in this embodiment of the present invention, after obtaining the event accuracy coefficient of the at least one IP address under each security event, the method further includes: determining a security weight value of the at least one internet protocol address according to the industry influence coefficient, the hazard degree coefficient and the event accuracy coefficient of the at least one internet protocol address under each security event and the internet protocol type influence coefficient of the at least one internet protocol address. That is, four coefficients, namely the industry influence coefficient, the hazard degree coefficient and the event accuracy coefficient under each security event and the internet protocol type influence coefficient of each IP address, are used to determine the security weight value under a security event, so as to obtain a more accurate security weight value. Specifically, taking one security event under one IP address as an example, the security weight value may be obtained by the following formula: n = L × K × J × N, where n is the security weight value corresponding to the current security event, L is the industry influence coefficient of the current IP address under the security event, K is the hazard degree coefficient of the current IP address under the security event, J is the event accuracy coefficient of the current IP address under the security event, and N is the IP type influence coefficient of the current IP address.
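The per-IP scoring pipeline of the embodiments above, as an added worked example that is not the patent's own code: it builds the weight n = L × K × J × N from constructed lookup tables, derives the security quantized data p_i by min-max normalisation against the historical maximum and minimum occurrence counts (as modules 520 and 530 describe), and then aggregates per-IP scores into an industry score. Because the page gives the score formula only in words, the example assumes z = max(0, 100 − 100·Σ p_i n_i / k), so that each of the k event types present can deduct at most 100/k points; all tables, IP records and history values are constructed.

```python
from dataclasses import dataclass, field

# Constructed lookup tables standing in for the patent's comparison tables.
# Industry influence coefficient L, keyed by (industry, event type).
INDUSTRY_IMPACT = {
    ("finance", "asset_vulnerability"): 1.0, ("finance", "ddos"): 0.9, ("finance", "worm"): 0.7,
    ("retail", "asset_vulnerability"): 0.6, ("retail", "ddos"): 0.8, ("retail", "worm"): 0.5,
}
# Hazard degree coefficient K, keyed by (event type, hazard level).
HAZARD_COEFF = {
    ("asset_vulnerability", "high"): 1.0, ("asset_vulnerability", "low"): 0.5,
    ("ddos", "high"): 1.0, ("ddos", "low"): 0.5,
    ("worm", "high"): 1.0, ("worm", "low"): 0.4,
}
# Event accuracy coefficient J: historical fraction of correctly judged events per type.
EVENT_ACCURACY = {"asset_vulnerability": 0.8, "ddos": 0.95, "worm": 0.9}
# IP type influence coefficient N for the four IP types named in the text.
IP_TYPE_COEFF = {"open_web_key": 1.0, "closed_web_key": 0.8,
                 "open_web_non_key": 0.6, "closed_web_non_key": 0.4}


@dataclass
class Event:
    kind: str      # security event type
    hazard: str    # hazard level assigned to this occurrence class
    count: int     # occurrences within the first preset time


@dataclass
class IPRecord:
    ip: str
    industry: str
    ip_type: str
    events: list = field(default_factory=list)
    ip_weight: float = 1.0   # per-IP weight used for the industry/region aggregation


def quantize(count, max_count, min_count=0):
    """Security quantized data p_i: min-max normalisation against historical extremes."""
    if max_count <= min_count:            # degenerate history (assumption): any occurrence counts fully
        return 1.0 if count > 0 else 0.0
    p = (count - min_count) / (max_count - min_count)
    return min(max(p, 0.0), 1.0)          # counts outside the historical range are clipped


def security_weight(industry, event, hazard, ip_type):
    """n = L * K * J * N, the four-coefficient weight given in the text."""
    L = INDUSTRY_IMPACT[(industry, event)]
    K = HAZARD_COEFF[(event, hazard)]
    J = EVENT_ACCURACY[event]
    N = IP_TYPE_COEFF[ip_type]
    return L * K * J * N


def ip_security_score(rec, history):
    """history maps (ip, event kind) -> (max_count, min_count) over the first preset time.
    Assumed score: z = max(0, 100 - 100 * sum(p_i * n_i) / k); no events -> 100."""
    if not rec.events:
        return 100.0
    weighted = 0.0
    for ev in rec.events:
        hi, lo = history.get((rec.ip, ev.kind), (0, 0))
        p = quantize(ev.count, hi, lo)
        n = security_weight(rec.industry, ev.kind, ev.hazard, rec.ip_type)
        weighted += p * n
    return max(0.0, 100.0 - 100.0 * weighted / len(rec.events))


def industry_security_score(records, history, industry):
    """Weighted sum of member IP scores; weights are normalised (assumption) to keep 0..100."""
    members = [r for r in records if r.industry == industry]
    total_w = sum(r.ip_weight for r in members)
    if total_w == 0:
        return None
    return sum(ip_security_score(r, history) * r.ip_weight for r in members) / total_w


# Constructed sample input (documentation-range addresses, made-up counts).
SAMPLE_RECORDS = [
    IPRecord("198.51.100.10", "finance", "open_web_key",
             [Event("asset_vulnerability", "high", 4), Event("ddos", "low", 2)], ip_weight=3.0),
    IPRecord("198.51.100.11", "finance", "closed_web_non_key", [], ip_weight=1.0),
    IPRecord("203.0.113.5", "retail", "open_web_non_key", [Event("worm", "high", 5)]),
]
SAMPLE_HISTORY = {
    ("198.51.100.10", "asset_vulnerability"): (4, 0),
    ("198.51.100.10", "ddos"): (10, 0),
    ("203.0.113.5", "worm"): (5, 1),
}

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.ip, r.industry, round(ip_security_score(r, SAMPLE_HISTORY), 3))
    print("finance", round(industry_security_score(SAMPLE_RECORDS, SAMPLE_HISTORY, "finance"), 3))
```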
S470, determining the security score of at least one internet protocol address according to the security quantitative data and the security weight value of the at least one internet protocol address under each security event.
According to the technical scheme disclosed in the embodiment of the invention, the industry influence coefficient of at least one internet protocol address under each security event is determined according to the security event data and the industry information of at least one internet protocol address; meanwhile, according to the corresponding relation between the security event type and the event accuracy, the event accuracy of each security event type is obtained, and according to the event accuracy of each security event type and the security event data of at least one internet protocol address, an event accuracy coefficient of at least one internet protocol address under each security event is obtained; and finally, determining the safety weight value of at least one internet protocol address according to the industry influence coefficient and the event accuracy coefficient of the at least one internet protocol address under each safety event, thereby realizing more accurate acquisition of the safety weight value.
Example five
Fig. 5 is a block diagram of a network security evaluation apparatus according to a fifth embodiment of the present invention, where the apparatus specifically includes: a security event data acquisition module 510, a maximum occurrence number determination module 520, a security quantitative data acquisition module 530, a first security weight value determination module 540, and a security score determination module 550;
a security event data obtaining module 510, configured to obtain security event data of at least one internet protocol address within a first preset time; wherein the security event data comprises a number of occurrences of a security event;
a maximum occurrence number determining module 520, configured to determine, according to historical security event data of the at least one ip address, a maximum occurrence number of each security event of the at least one ip address within the first preset time;
a security quantized data obtaining module 530, configured to determine, according to the security event data of the at least one internet protocol address, and the maximum occurrence number of each security event of the at least one internet protocol address within the first preset time, security quantized data of the at least one internet protocol address under each security event;
a first security weight value determining module 540, configured to obtain industry information corresponding to the at least one internet protocol address according to a mapping relationship between an internet protocol address, an enterprise name, and industry information, and determine a security weight value of the at least one internet protocol address under each security event according to security event data and industry information of the at least one internet protocol address;
a security score determining module 550, configured to determine a security score of at least one internet protocol address according to the security quantitative data and the security weight value of the at least one internet protocol address under each security event.
According to the technical scheme disclosed by the embodiment of the invention, the safety event data of at least one internet protocol address in a first preset time is acquired; determining the maximum occurrence frequency of each safety event of at least one internet protocol address in a first preset time according to historical safety event data of at least one internet protocol address; determining safety quantitative data of at least one internet protocol address under each safety event according to the safety event data of at least one internet protocol address and the maximum occurrence frequency of each safety event of at least one internet protocol address in a first preset time; meanwhile, according to the mapping relation among the Internet protocol addresses, the enterprise names and the industry information, industry information corresponding to at least one Internet protocol address is obtained, and according to the safety event data and the industry information of at least one Internet protocol address, the safety weight value of at least one Internet protocol address under each safety event is determined; and finally, determining the security score of at least one internet protocol address according to the security quantitative data and the security weight value of the at least one internet protocol address under each security event, thereby realizing accurate evaluation of network security, and simultaneously determining the corresponding security weight value according to the security event, thereby being suitable for the continuously changing network security requirements.
Optionally, on the basis of the foregoing technical solution, the first security weight value determining module 540 includes:
the industry influence coefficient determining unit is used for determining the industry influence coefficient of the at least one internet protocol address under each safety event according to the safety event data and the industry information of the at least one internet protocol address;
a hazard degree coefficient obtaining unit, configured to obtain a hazard degree of each security event type according to a corresponding relationship between the security event type and the hazard degree, and obtain a hazard degree coefficient of the at least one internet protocol address under each security event according to the hazard degree of each security event type and security event data of the at least one internet protocol address;
and the safety weight value determining unit is used for determining the safety weight value of the at least one internet protocol address according to the industry influence coefficient and the hazard coefficient of the at least one internet protocol address under each safety event.
Optionally, on the basis of the above technical solution, the device for evaluating network security further includes:
the influence coefficient acquisition module is used for acquiring the internet protocol type influence coefficient of the at least one internet protocol address according to the corresponding relation among the internet protocol address, the internet protocol type and the internet protocol type influence coefficient;
a second security weight value determining module, configured to determine a security weight value of the at least one internet protocol address according to an industry influence coefficient of the at least one internet protocol address under each security event and an internet protocol type influence coefficient of the at least one internet protocol address; or determining a security weight value of the at least one internet protocol address according to the industry influence coefficient and the hazard coefficient of the at least one internet protocol address under each security event and the internet protocol type influence coefficient of the at least one internet protocol address.
Optionally, on the basis of the above technical solution, the device for evaluating network security further includes:
an event accuracy coefficient determining module, configured to obtain event accuracy of each security event type according to a corresponding relationship between the security event type and the event accuracy, and obtain an event accuracy coefficient of the at least one internet protocol address under each security event according to the event accuracy of each security event type and the security event data of the at least one internet protocol address;
a third security weight value determining module, configured to determine a security weight value of the at least one internet protocol address according to an industry influence coefficient and an event accuracy coefficient of the at least one internet protocol address under each security event; or determining a safety weight value of the at least one internet protocol address according to an industry influence coefficient, a hazard degree coefficient and an event accuracy coefficient of the at least one internet protocol address under each safety event; or determining a safety weight value of the at least one internet protocol address according to an industry influence coefficient, a hazard degree coefficient and an event accuracy coefficient of the at least one internet protocol address under each safety event and an internet protocol type influence coefficient of the at least one internet protocol address.
Optionally, on the basis of the above technical solution, the industry influence coefficient determining unit is specifically configured to obtain, according to the security event data and the industry information of the at least one internet protocol address, an industry influence coefficient of the at least one internet protocol address under each security event through a first random forest model trained in advance.
Optionally, on the basis of the above technical solution, the event accuracy coefficient determining module is specifically configured to obtain, according to the event accuracy of each security event type and the security event data of the at least one internet protocol address, the event accuracy coefficient of the at least one internet protocol address under each security event through a second random forest model trained in advance.
Optionally, on the basis of the foregoing technical solution, the maximum occurrence number determining module 520 is specifically configured to determine, according to historical security event data of the at least one internet protocol address, the maximum occurrence number and the minimum occurrence number of each security event of the at least one internet protocol address within the first preset time.
Optionally, on the basis of the foregoing technical solution, the security quantized data obtaining module 530 is specifically configured to determine, according to the security event data of the at least one internet protocol address, and the maximum occurrence number and the minimum occurrence number of each security event of the at least one internet protocol address in the first preset time, the security quantized data of the at least one internet protocol address under each security event.
Optionally, on the basis of the above technical solution, the security event includes a dead wood worm, a dual-defense event, a distributed denial of service attack, a domain name generation algorithm attack, and/or a security vulnerability.
The device can execute the network security evaluation method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method. For technical details not described in detail in this embodiment, reference may be made to the method provided in any embodiment of the present invention.
Example six
Fig. 6 is a schematic structural diagram of an electronic device according to a sixth embodiment of the present invention. FIG. 6 illustrates a block diagram of an exemplary electronic device 12 suitable for use in implementing embodiments of the present invention. The electronic device 12 shown in fig. 6 is only an example and should not bring any limitation to the function and the scope of use of the embodiment of the present invention.
As shown in FIG. 6, electronic device 12 is embodied in the form of a general purpose computing device. The components of electronic device 12 may include, but are not limited to: one or more processors or processing units 16, a memory 28, and a bus 18 that couples various system components including the memory 28 and the processing unit 16.
Bus 18 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Electronic device 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by electronic device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. The electronic device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 6, and commonly referred to as a "hard drive"). Although not shown in FIG. 6, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. Memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of the described embodiments of the invention.
Electronic device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with electronic device 12, and/or with any devices (e.g., network card, modem, etc.) that enable electronic device 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, the electronic device 12 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet) via the network adapter 20. As shown, the network adapter 20 communicates with other modules of the electronic device 12 via the bus 18. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with electronic device 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 16 executes various functional applications and data processing by running the programs stored in the memory 28, for example to implement the network security evaluation method provided by any embodiment of the present invention, namely:
acquiring security event data of at least one internet protocol address within a first preset time, where the security event data comprises the number of occurrences of each security event;
determining, according to historical security event data of the at least one internet protocol address, the maximum number of occurrences of each security event of the at least one internet protocol address within the first preset time;
determining, according to the security event data of the at least one internet protocol address and the maximum number of occurrences of each security event of the at least one internet protocol address within the first preset time, the security quantized data of the at least one internet protocol address under each security event;
acquiring industry information corresponding to the at least one internet protocol address according to the mapping relation among internet protocol addresses, enterprise names and industry information, and determining the security weight value of the at least one internet protocol address under each security event according to the security event data and the industry information of the at least one internet protocol address; and
determining the security score of the at least one internet protocol address according to the security quantized data and the security weight value of the at least one internet protocol address under each security event.
EXAMPLE seven
The seventh embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the network security evaluation method according to any embodiment of the present invention. The method comprises the following steps:
acquiring security event data of at least one internet protocol address within a first preset time, where the security event data comprises the number of occurrences of each security event;
determining, according to historical security event data of the at least one internet protocol address, the maximum number of occurrences of each security event of the at least one internet protocol address within the first preset time;
determining, according to the security event data of the at least one internet protocol address and the maximum number of occurrences of each security event of the at least one internet protocol address within the first preset time, the security quantized data of the at least one internet protocol address under each security event;
acquiring industry information corresponding to the at least one internet protocol address according to the mapping relation among internet protocol addresses, enterprise names and industry information, and determining the security weight value of the at least one internet protocol address under each security event according to the security event data and the industry information of the at least one internet protocol address; and
determining the security score of the at least one internet protocol address according to the security quantized data and the security weight value of the at least one internet protocol address under each security event.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A method for evaluating network security, characterized by comprising the following steps:
acquiring security event data of at least one internet protocol address within a first preset time; wherein the security event data comprises the number of occurrences of each security event;
determining, according to historical security event data of the at least one internet protocol address, the maximum number of occurrences of each security event of the at least one internet protocol address within the first preset time;
determining, according to the security event data of the at least one internet protocol address and the maximum number of occurrences of each security event of the at least one internet protocol address within the first preset time, the security quantized data of the at least one internet protocol address under each security event;
acquiring industry information corresponding to the at least one internet protocol address according to the mapping relation among internet protocol addresses, enterprise names and industry information, and determining the security weight value of the at least one internet protocol address under each security event according to the security event data and the industry information of the at least one internet protocol address;
and determining the security score of the at least one internet protocol address according to the security quantized data and the security weight value of the at least one internet protocol address under each security event.
2. The method of claim 1, wherein determining the security weight value of the at least one internet protocol address under each security event according to the security event data and the industry information of the at least one internet protocol address comprises:
determining an industry influence coefficient of the at least one internet protocol address under each security event according to the security event data and the industry information of the at least one internet protocol address;
acquiring the hazard degree of each security event type according to the correspondence between security event types and hazard degrees, and acquiring a hazard degree coefficient of the at least one internet protocol address under each security event according to the hazard degree of each security event type and the security event data of the at least one internet protocol address;
and determining the security weight value of the at least one internet protocol address according to the industry influence coefficient and the hazard degree coefficient of the at least one internet protocol address under each security event.
3. The method of claim 2, further comprising, after determining the industry influence coefficient of the at least one internet protocol address under each security event according to the security event data and the industry information of the at least one internet protocol address:
acquiring an internet protocol type influence coefficient of the at least one internet protocol address according to the corresponding relation among the internet protocol address, the internet protocol type and the internet protocol type influence coefficient;
determining a security weight value of the at least one internet protocol address according to an industry influence coefficient of the at least one internet protocol address under each security event and an internet protocol type influence coefficient of the at least one internet protocol address;
or determining a security weight value of the at least one internet protocol address according to the industry influence coefficient and the hazard coefficient of the at least one internet protocol address under each security event and the internet protocol type influence coefficient of the at least one internet protocol address.
4. The method of claim 3, further comprising, after determining the industry influence coefficient of the at least one internet protocol address under each security event according to the security event data and the industry information of the at least one internet protocol address:
acquiring the event accuracy of each security event type according to the correspondence between security event types and event accuracies, and acquiring an event accuracy coefficient of the at least one internet protocol address under each security event according to the event accuracy of each security event type and the security event data of the at least one internet protocol address;
determining the security weight value of the at least one internet protocol address according to the industry influence coefficient and the event accuracy coefficient of the at least one internet protocol address under each security event;
or determining the security weight value of the at least one internet protocol address according to the industry influence coefficient, the hazard degree coefficient and the event accuracy coefficient of the at least one internet protocol address under each security event;
or determining the security weight value of the at least one internet protocol address according to the industry influence coefficient, the hazard degree coefficient and the event accuracy coefficient of the at least one internet protocol address under each security event and the internet protocol type influence coefficient of the at least one internet protocol address.
5. The method of claim 4, wherein determining the industry influence coefficient of the at least one internet protocol address under each security event according to the security event data and the industry information of the at least one internet protocol address comprises:
acquiring, according to the security event data and the industry information of the at least one internet protocol address, the industry influence coefficient of the at least one internet protocol address under each security event through a first random forest model trained in advance;
or wherein acquiring the event accuracy coefficient of the at least one internet protocol address under each security event according to the event accuracy of each security event type and the security event data of the at least one internet protocol address comprises:
acquiring, according to the event accuracy of each security event type and the security event data of the at least one internet protocol address, the event accuracy coefficient of the at least one internet protocol address under each security event through a second random forest model trained in advance.
6. The method of claim 1, wherein determining the maximum number of occurrences of each security event of the at least one internet protocol address within the first preset time according to the historical security event data of the at least one internet protocol address comprises:
determining the maximum number of occurrences and the minimum number of occurrences of each security event of the at least one internet protocol address within the first preset time according to the historical security event data of the at least one internet protocol address;
and determining the security quantized data of the at least one internet protocol address under each security event according to the security event data of the at least one internet protocol address and the maximum number of occurrences of each security event of the at least one internet protocol address within the first preset time comprises:
determining the security quantized data of the at least one internet protocol address under each security event according to the security event data of the at least one internet protocol address and the maximum number of occurrences and the minimum number of occurrences of each security event of the at least one internet protocol address within the first preset time.
7. The method of any of claims 1-6, wherein the security event comprises a botnet/trojan/worm (僵木蠕) event, a dual-defense event, a distributed denial of service attack, a domain name generation algorithm attack, and/or a security vulnerability.
8. An evaluation apparatus for network security, comprising:
a security event data acquisition module, configured to acquire security event data of at least one internet protocol address within a first preset time; wherein the security event data comprises the number of occurrences of each security event;
a maximum occurrence number determining module, configured to determine, according to historical security event data of the at least one internet protocol address, the maximum number of occurrences of each security event of the at least one internet protocol address within the first preset time;
a security quantized data obtaining module, configured to determine, according to the security event data of the at least one internet protocol address and the maximum number of occurrences of each security event of the at least one internet protocol address within the first preset time, the security quantized data of the at least one internet protocol address under each security event;
a first security weight value determining module, configured to acquire industry information corresponding to the at least one internet protocol address according to the mapping relation among internet protocol addresses, enterprise names and industry information, and to determine the security weight value of the at least one internet protocol address under each security event according to the security event data and the industry information of the at least one internet protocol address;
and a security score determining module, configured to determine the security score of the at least one internet protocol address according to the security quantized data and the security weight value of the at least one internet protocol address under each security event.
9. An electronic device, characterized in that the electronic device comprises:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method for evaluating network security as recited in any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of evaluating network security according to any one of claims 1 to 7.
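The scoring pipeline of claims 1 to 6, carried through on constructed data as an added example; this is not the patent's own code nor Eversec's implementation. The patent states no formulas, so the following are assumptions of this example: min-max normalisation of the current window's count against the historical maximum and minimum for the security quantized data, the product of the industry influence, hazard degree, event accuracy and IP-type coefficients for the security weight value, a weighted mean turned into a 0-100 security score, and fixed lookup tables standing in for the pre-trained random forest models of claim 5. The IP addresses, enterprise names, industries, coefficient values and per-window counts are all constructed.

```python
"""Per-IP security scoring in the shape of the patent's method (added example).

Assumptions, none of which the patent states: min-max normalisation for the
security quantized data, a product of the four coefficients for the security
weight value, a weighted mean turned into a 0-100 security score, and fixed
lookup tables standing in for the pre-trained random forest models.
"""
from typing import Dict, List, Mapping, Sequence, Tuple

# Event types listed in claim 7 (僵木蠕 = botnet / trojan / worm).
EVENT_TYPES = ("botnet_trojan_worm", "dual_defense", "ddos", "dga", "vulnerability")

# IP -> enterprise -> industry mapping (claim 1) and IP -> IP type (claim 3). Constructed.
IP_TO_ENTERPRISE = {"203.0.113.10": "Example Bank", "198.51.100.7": "Example Retail"}
ENTERPRISE_TO_INDUSTRY = {"Example Bank": "finance", "Example Retail": "retail"}
IP_TYPE = {"203.0.113.10": "idc", "198.51.100.7": "broadband"}

# Coefficient tables (constructed values; a stand-in for the trained models).
INDUSTRY_COEFF = {
    "finance": {"botnet_trojan_worm": 1.2, "dual_defense": 1.0, "ddos": 1.5, "dga": 1.3, "vulnerability": 1.4},
    "retail": {"botnet_trojan_worm": 1.0, "dual_defense": 1.0, "ddos": 1.1, "dga": 1.0, "vulnerability": 1.1},
}
HAZARD = {"botnet_trojan_worm": 0.8, "dual_defense": 0.5, "ddos": 0.9, "dga": 0.7, "vulnerability": 1.0}
ACCURACY = {"botnet_trojan_worm": 0.9, "dual_defense": 0.6, "ddos": 0.95, "dga": 0.7, "vulnerability": 0.8}
IP_TYPE_COEFF = {"idc": 1.2, "broadband": 1.0}

# Constructed per-window event counts, as an aggregation job over the raw event
# feed would emit them: key (ip, event type), value = counts in consecutive
# windows of the "first preset time". The last entry is the current window,
# the earlier entries are the historical security event data.
WINDOW_COUNTS: Dict[Tuple[str, str], List[int]] = {
    ("203.0.113.10", "ddos"): [1, 2, 1, 3, 5],
    ("203.0.113.10", "vulnerability"): [4, 4, 4, 4, 4],
    ("203.0.113.10", "dga"): [0, 2, 0, 4, 2],
    ("198.51.100.7", "botnet_trojan_worm"): [3, 5, 2, 6, 6],
    ("198.51.100.7", "ddos"): [0, 0, 1, 0, 0],
}


def quantize(current: int, hist_max: int, hist_min: int) -> float:
    """Min-max normalise the current count against the historical range (claim 6).

    A flat history (max == min) carries no scale, so it yields 0.0 unless the
    current window exceeds it; counts above the historical max are clamped to 1.0.
    """
    if hist_max == hist_min:
        return 1.0 if current > hist_max else 0.0
    return min(1.0, max(0.0, (current - hist_min) / (hist_max - hist_min)))


def quantized_data(ip: str, counts: Mapping[Tuple[str, str], Sequence[int]]) -> Dict[str, float]:
    """Security quantized data of one IP under every event type (claims 1 and 6).

    Event types with no records at all are treated as an all-zero series.
    """
    out: Dict[str, float] = {}
    for ev in EVENT_TYPES:
        series = list(counts.get((ip, ev), [0]))
        history, current = (series[:-1] or [0]), series[-1]
        out[ev] = quantize(current, max(history), min(history))
    return out


def weight_values(ip: str) -> Dict[str, float]:
    """Security weight value of one IP under every event type (claims 2 to 4).

    Industry influence coefficient x hazard degree coefficient x event accuracy
    coefficient x IP-type influence coefficient; the product is an assumption.
    """
    industry = ENTERPRISE_TO_INDUSTRY[IP_TO_ENTERPRISE[ip]]
    ip_type_coeff = IP_TYPE_COEFF[IP_TYPE[ip]]
    return {ev: INDUSTRY_COEFF[industry][ev] * HAZARD[ev] * ACCURACY[ev] * ip_type_coeff for ev in EVENT_TYPES}


def security_score(ip: str, counts: Mapping[Tuple[str, str], Sequence[int]] = WINDOW_COUNTS) -> float:
    """0-100 security score: 100 minus the weight-normalised sum of quantized data.

    A window that looks like its history scores near 100; anomalous counts on
    high-weight events pull the score down.
    """
    q, w = quantized_data(ip, counts), weight_values(ip)
    risk = sum(q[ev] * w[ev] for ev in EVENT_TYPES) / sum(w.values())
    return round(100.0 * (1.0 - risk), 2)


if __name__ == "__main__":
    for addr in IP_TO_ENTERPRISE:
        print(addr, quantized_data(addr, WINDOW_COUNTS), security_score(addr))
```

On the constructed data the bank's IDC address scores about 61.9: its current DDoS count of 5 lies above the historical range 1..3, so its quantized value clamps to 1.0, and the finance and IDC coefficients give DDoS the largest weight. The retail broadband address scores about 78.4 although its botnet count equals its historical maximum, because its weights are smaller. Two edge cases deserve attention in a real deployment: the clamp makes a tenfold spike indistinguishable from one that merely exceeds the historical maximum, and an event type whose history is perfectly flat (the constant vulnerability count above) produces no signal at all until the count grows, so a long-standing unpatched service never moves the score.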
CN202011608309.0A 2020-12-30 2020-12-30 Network security evaluation method, device, equipment and storage medium Active CN112738107B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011608309.0A CN112738107B (en) 2020-12-30 2020-12-30 Network security evaluation method, device, equipment and storage medium


Publications (2)

Publication Number Publication Date
CN112738107A true CN112738107A (en) 2021-04-30
CN112738107B CN112738107B (en) 2022-08-05

Family

ID=75610920


Country Status (1)

Country Link
CN (1) CN112738107B (en)


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104579782A (en) * 2015-01-12 2015-04-29 国家电网公司 Hotspot security event identification method and system
CN108632081A (en) * 2018-03-26 2018-10-09 中国科学院计算机网络信息中心 Network Situation appraisal procedure, device and storage medium
CN110008311A (en) * 2019-04-04 2019-07-12 北京邮电大学 A kind of product information security risk monitoring method based on semantic analysis
CN110620759A (en) * 2019-07-15 2019-12-27 公安部第一研究所 Network security event hazard index evaluation method and system based on multidimensional correlation
CN111786950A (en) * 2020-05-28 2020-10-16 中国平安财产保险股份有限公司 Situation awareness-based network security monitoring method, device, equipment and medium


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Wu Guoqiang, "Research on network security event correlation analysis and situation assessment technology" (网络安全事件关联分析与态势评测技术研究), Information Security and Technology (《信息安全与技术》) *
Zhao Pengyu et al., "A large-scale network security situation assessment system" (大规模网络安全态势评估系统), Computer Engineering and Applications (《计算机工程与应用》) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113364742A (en) * 2021-05-17 2021-09-07 北京邮电大学 Quantitative elastic calculation method and device for network security threat
CN113364742B (en) * 2021-05-17 2022-10-11 北京邮电大学 Quantitative elastic calculation method and device for network security threat
CN115150202A (en) * 2022-09-02 2022-10-04 北京云科安信科技有限公司 Method for collecting Internet IT information assets and detecting attack surface
CN115150202B (en) * 2022-09-02 2022-11-25 北京云科安信科技有限公司 Internet IT information asset collection and attack detection method
CN115497295A (en) * 2022-09-21 2022-12-20 联通智网科技股份有限公司 Safety early warning method and device

Also Published As

Publication number Publication date
CN112738107B (en) 2022-08-05


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant