CN114095261B - Attack asset marking method, device, medium and equipment - Google Patents


Info

Publication number
CN114095261B
CN114095261B
Authority
CN
China
Prior art keywords
attack
type
asset
network resource
resource
Legal status
Active
Application number
CN202111399106.XA
Other languages
Chinese (zh)
Other versions
CN114095261A (en)
Inventor
孙建鹏
张宇娜
李娟�
叶建伟
范敦球
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Application filed by Nsfocus Technologies Inc, Nsfocus Technologies Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic


Abstract

The present disclosure relates to an attack asset marking method, apparatus, medium and device. In the scheme provided by the embodiments, the type of each attack behavior and the type of each resource corresponding to an attack asset are extracted from network threat intelligence, the failure time of the attack asset is determined from the extracted attack behavior types and resource types, and the attack asset is marked as a non-attack asset according to that failure time. Determining the failure time from the attack behavior types takes into account the threat posed by, and the persistence of, the attack asset when it is used for each attack behavior; determining it from the resource types takes into account the degree of control the attacked party has over a network resource of that type. Compared with expiring attack assets on a fixed timer, this effectively improves the accuracy of attack asset marking.

Description

Attack asset marking method, device, medium and equipment
Technical Field
The disclosure relates to the technical field of network security, and in particular to an attack asset marking method, apparatus, medium and device.
Background
This section is intended to provide a background or context to the embodiments of the disclosure recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
Cyber threat intelligence may be understood as information about cyber-space threats extracted from cyber security data. It may include information on threat sources, attack intent, attack patterns and attack targets, and may include knowledge that can be used to respond to threats or to handle the resulting damage.
An attack asset may be understood as a network resource used by an attacker to carry out an attack, such as the server resources that implement the various functions of an attack: a trigger, a command and control (C2) host, a master control server, a sub-control server, and so on.
Network threat intelligence may include attack asset information, in which the network resources used to carry out attacks are marked; the network resources an attacker uses to carry out an attack can then be analyzed from that attack asset information. In network threat intelligence an attack asset is typically identified by a domain name or an Internet Protocol (IP) address.
At present, network threat intelligence can be obtained quickly and in real time from network traffic, security device logs and terminal logs. Network security is, however, a continual contest: the attacker wants to stay hidden, while the defender wants to locate the attacker quickly, so a network attack has a limited lifetime. If it is determined that a network resource marked as an attack asset no longer poses a network threat, it should no longer be regarded as an attack asset, and should no longer be marked as one in the corresponding network threat intelligence.
At present, attack assets marked in network threat intelligence are expired by periodically re-marking the network resources marked as attack assets as non-attack assets. This approach is not very accurate and frequently produces marking errors. For example, when the attacker has moved on to a different attack asset, or the attack asset has been returned to its legitimate user, it is not marked as a non-attack asset in time; conversely, an attacker may still be using an attack asset that has already been marked as a non-attack asset.
Disclosure of Invention
The embodiments of the disclosure provide an attack asset marking method, apparatus, medium and device, which are used to reduce the error rate of attack asset marking.
In a first aspect, the present disclosure provides an attack asset marking method, the method comprising:
extracting, from network threat intelligence, the type of each attack behavior and the type of each resource corresponding to a designated network resource marked as an attack asset;
determining the failure time of the designated network resource marked as an attack asset according to the threat coefficient corresponding to each extracted attack behavior type and the control coefficient corresponding to each extracted resource type;
marking the designated network resource as a non-attack asset in the network threat intelligence according to the determined failure time;
where the threat coefficient corresponding to an attack behavior type is determined according to the harmfulness of that type of attack behavior, and the control coefficient corresponding to a resource type is determined according to the degree of control the attacked party has when a network resource of that type is used as an attack asset.
Optionally, determining the failure time of the designated network resource marked as an attack asset according to the threat coefficient corresponding to each extracted attack behavior type and the control coefficient corresponding to each extracted resource type includes:
determining a current decay value corresponding to the designated network resource by means of a pre-established validity decay model, according to a predetermined initial decay value corresponding to the designated network resource, the threat coefficient corresponding to each extracted attack behavior type, the control coefficient corresponding to each extracted resource type, the time at which the designated network resource was first marked as an attack asset, and the current time;
and determining the time at which the current decay value becomes no greater than a specified value as the failure time of the designated network resource marked as an attack asset.
Optionally, the initial decay value is determined according to the number of attack behaviors corresponding to the designated network resource, the type of each attack behavior and the duration of each attack behavior.
Optionally, determining the current decay value corresponding to the designated network resource by means of the pre-established validity decay model, according to the initial decay value corresponding to the designated network resource, the threat coefficient corresponding to each extracted attack behavior type, the control coefficient corresponding to each extracted resource type, the time at which the designated network resource was first marked as an attack asset, and the current time, includes:
determining a malicious coefficient corresponding to the designated network resource by means of a pre-established malicious coefficient determination model, according to the threat coefficients corresponding to the extracted attack behavior types;
and determining the current decay value corresponding to the designated network resource by means of the pre-established validity decay model, according to the predetermined initial decay value corresponding to the designated network resource, the malicious coefficient, the control coefficient corresponding to each extracted resource type, the time at which the designated network resource was first marked as an attack asset, and the current time.
In a second aspect, the present disclosure also provides an attack asset marking apparatus, the apparatus comprising:
an extraction module, configured to extract, from network threat intelligence, the type of each attack behavior and the type of each resource corresponding to a designated network resource marked as an attack asset;
a judging module, configured to determine the failure time of the designated network resource marked as an attack asset according to the threat coefficient corresponding to each extracted attack behavior type and the control coefficient corresponding to each extracted resource type;
a marking module, configured to mark the designated network resource as a non-attack asset in the network threat intelligence according to the determined failure time;
where the threat coefficient corresponding to an attack behavior type is determined according to the harmfulness of that type of attack behavior, and the control coefficient corresponding to a resource type is determined according to the degree of control the attacked party has when a network resource of that type is used as an attack asset.
Optionally, the judging module is specifically configured to determine a current decay value corresponding to the designated network resource by means of a pre-established validity decay model, according to a predetermined initial decay value corresponding to the designated network resource, the threat coefficient corresponding to each extracted attack behavior type, the control coefficient corresponding to each extracted resource type, the time at which the designated network resource was first marked as an attack asset, and the current time; and to determine the time at which the current decay value becomes no greater than a specified value as the failure time of the designated network resource marked as an attack asset.
Optionally, the initial decay value is determined according to the number of attack behaviors corresponding to the designated network resource, the type of each attack behavior and the duration of each attack behavior.
Optionally, the judging module is further specifically configured to determine a malicious coefficient corresponding to the designated network resource by means of a pre-established malicious coefficient determination model, according to the threat coefficients corresponding to the extracted attack behavior types; and to determine the current decay value corresponding to the designated network resource by means of the pre-established validity decay model, according to the predetermined initial decay value corresponding to the designated network resource, the malicious coefficient, the control coefficient corresponding to each extracted resource type, the time at which the designated network resource was first marked as an attack asset, and the current time.
In a third aspect, the present disclosure also provides a non-volatile computer storage medium storing an executable program which, when executed by a processor, implements the method described above.
In a fourth aspect, the present disclosure further provides attack asset marking equipment comprising a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another over the communication bus;
the memory is used to store a computer program;
and the processor, when executing the program stored in the memory, implements the method steps described above.
In the scheme provided by the embodiments of the disclosure, the type of each attack behavior and the type of each resource corresponding to an attack asset can be extracted from network threat intelligence, the failure time of the attack asset can be determined from the extracted attack behavior types and resource types, and the attack asset is marked as a non-attack asset according to that failure time. Determining the failure time from the attack behavior types takes into account the threat posed by, and the persistence of, the attack asset when it is used for each attack behavior; determining it from the resource types takes into account the degree of control the attacked party has over a network resource of that type. Compared with expiring attack assets on a fixed timer, this effectively improves the accuracy of attack asset marking.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the disclosure. The objectives and other advantages of the disclosure will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort to a person of ordinary skill in the art.
FIG. 1 is a flow chart of an attack asset tagging method provided by an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of types of attack and resource types provided by embodiments of the present disclosure;
FIG. 3 is a schematic diagram of an attack asset tagging apparatus according to an embodiment of the present disclosure;
FIG. 4 is a schematic structural diagram of attack asset marking equipment according to an embodiment of the present disclosure.
Detailed Description
For the purpose of promoting an understanding of the principles and advantages of the disclosure, reference will now be made in detail to the drawings, in which it is apparent that the embodiments described are only some, but not all embodiments of the disclosure. Based on the embodiments in this disclosure, all other embodiments that a person of ordinary skill in the art would obtain without making any inventive effort are within the scope of protection of this disclosure.
It should be noted that, as used herein, reference to "a plurality of" or "a plurality of" means two or more. "and/or", describes an association relationship of an association object, and indicates that there may be three relationships, for example, a and/or B, and may indicate: a exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the context-dependent object is an "or" relationship.
The terms first, second and the like in the description and in the claims and in the above-described figures are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the disclosure described herein may be capable of operation in sequences other than those illustrated or described herein.
Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Based on the finding that different attack behaviors depend to different degrees on attack assets of different resource types, the embodiments of the disclosure judge the validity of an attack asset from network threat intelligence of different dimensions, drawing on experience, and thereby improve the accuracy of attack asset marking.
Based on the above, an embodiment of the disclosure provides an attack asset marking method whose steps may be as shown in FIG. 1 and include:
Step 101: extract, from network threat intelligence, the type of each attack behavior and each resource type corresponding to the designated network resource marked as an attack asset.
In this step, network threat intelligence of different dimensions is extracted to obtain the type of each attack behavior and each resource type corresponding to the designated network resource marked as an attack asset.
It is understood that one network resource may be used to carry out at least one attack behavior and may belong to at least one resource type.
FIG. 2 illustrates two dimensions of network threat intelligence, attack behavior types and resource types. It shows some of the possible attack behavior types and some of the possible resource types; together these are used to determine the failure time of an attack asset.
Of the attack behavior types illustrated in FIG. 2, a botnet (controlled machine) may be understood as an attacker compromising many user computers with a dedicated Trojan, taking control of each one, and forming all the infected machines into a "robot" network that the attacker can manage remotely and use to launch network attacks;
a C2 host may be understood as an attacker carrying out network attacks by issuing instructions to the hosts under its control;
a fraudulent website may be understood as a website that lures users into entering user names and passwords in order to steal their information or money, or more generally a highly deceptive network used to steal user information or money;
a proxy may be understood as a network attack launched through a springboard (pivot) machine;
DDoS may be understood as a distributed denial of service attack that can interrupt normal services;
system vulnerability exploitation may be understood as a network attack on a user's host that exploits a system vulnerability;
WEB vulnerability exploitation may be understood as a network attack on a user's host or service that exploits a WEB vulnerability;
brute force cracking may be understood as a network attack that exhaustively attempts logins to a user's login system in order to guess the correct user name and password.
Of the resource types illustrated in FIG. 2, network resources are identified by IP address.
A reserved IP is understood as follows: the Internet Assigned Numbers Authority (IANA) reserves part of the IP address range as private address space or for special uses such as internal local area networks. Reserved IPs may further be divided into unassigned IPs, assigned but unrouted IPs, and routed but unused IPs:
an unassigned IP may be understood as an IP that a regional Internet registry (for example APNIC) has not yet assigned to any particular organization;
an assigned but unrouted IP may be understood as an IP that has been assigned to a particular organization but has not yet appeared in network routing information;
a routed but unused IP may be understood as an IP that has been assigned to a particular organization and appears in network routing information, but has not been used on the network;
CDN may be understood as an IP used in a content delivery network scenario, a CDN being an overlay network optimized to speed up network access;
mobile network may be understood as an IP used by a 2G/3G/4G/5G base station;
WLAN hotspot may be understood as an IP used by a commercial Wi-Fi provider as the egress IP of its commercial Wi-Fi service;
satellite communication may be understood as an IP used by a satellite communication operator;
home broadband may be understood as an IP used by ordinary households, typically covering several residential communities;
data center may be understood as an IP used in a data center by an IDC company or a network operator, a data center being a dedicated network of equipment that cooperates to transmit, accelerate, present, compute and store data over the Internet infrastructure;
switching center may be understood as an IP used by operators at an Internet exchange, that is, a centralized switching platform set up between different telecom operators to interconnect their networks;
school unit may be understood as an IP used by a school;
organization may be understood as an IP used by a non-operator organization that holds its own AS number;
infrastructure may be understood as an IP that appears on the Internet as the interface IP of a network router;
dedicated outlet may be understood as an IP that typically serves as the network egress IP for several branches of a large enterprise.
Of course, resource types are not limited to the ones shown in FIG. 2 and may include others, for example Anycast and enterprise private line.
Anycast may be understood as an IP used with Internet anycast technology (for example Google's 8.8.8.8). An enterprise private line may be understood as an IP allocated to an enterprise for long-term use, whose coverage is the area in which the enterprise is located.
Step 102: determine the failure time of the designated network resource marked as an attack asset according to the threat coefficient corresponding to each extracted attack behavior type and the control coefficient corresponding to each extracted resource type.
In this embodiment, after each attack behavior type and each resource type corresponding to the designated network resource have been extracted, the failure time of the designated network resource marked as an attack asset may be determined from the threat coefficient corresponding to each extracted attack behavior type and the control coefficient corresponding to each extracted resource type.
Of course, besides determining the failure time, the degree of decay of the designated network resource as an attack asset may also be determined from the threat coefficients and the control coefficients.
It is understood that the closer the designated network resource is to its failure time as an attack asset, the further its marking as an attack asset has decayed and the lower its degree of maliciousness. Conversely, the less the marking has decayed, the higher the degree of maliciousness of the designated network resource.
In one possible implementation, the failure time of the designated network resource marked as an attack asset may be determined, but is not limited to being determined, as follows:
determining a current decay value corresponding to the designated network resource by means of a pre-established validity decay model, according to a predetermined initial decay value corresponding to the designated network resource, the threat coefficient corresponding to each extracted attack behavior type, the control coefficient corresponding to each extracted resource type, the time at which the designated network resource was first marked as an attack asset, and the current time;
and determining the time at which the current decay value becomes no greater than a specified value as the failure time of the designated network resource marked as an attack asset.
The initial decay value corresponding to the designated network resource is understood to be a predetermined value. In one possible implementation it may be determined, but is not limited to being determined, from the number of attack behaviors corresponding to the designated network resource, the type of each attack behavior and the duration of each attack behavior. In one possible implementation, the larger the initial decay value is set, the more slowly the designated network resource decays as an attack asset.
The threat coefficient corresponding to an attack behavior type may be determined according to the harmfulness of that type of attack behavior (which may be understood as its threat and its persistence).
The threat coefficients corresponding to the extracted attack behavior types may be obtained by looking them up in a threat coefficient list, acquired in advance, that maps each attack behavior type to its coefficient.
In one possible implementation, when the threat coefficient list is built, the attack behavior types are ranked by harmfulness as required, and the threat coefficient of each type is then assigned according to the value range chosen for threat coefficients.
Taking as an example a threat coefficient list for eight attack behavior types, namely botnet (controlled machine), C2 host, fraudulent website, proxy, DDoS, system vulnerability exploitation, WEB vulnerability exploitation and brute force cracking, the ranking of these types by harmfulness may be as follows:
C2 host >= botnet (controlled machine) >= system vulnerability exploitation >= WEB vulnerability exploitation >= fraudulent website > brute force cracking > DDoS > proxy.
The threat coefficient corresponding to each attack behavior type may be, but is not limited to, as shown in Table 1. For example, with threat coefficients set to positive integers from 1 to 10, the larger the value, the more harmful the corresponding attack behavior type. It can then be understood that the larger the threat coefficients corresponding to the extracted attack behavior types, the more slowly the designated network resource decays as an attack asset.
It should be noted that the threat coefficients given in Table 1 are only an illustration; specific values may be set as needed.
TABLE 1
[Table 1, threat coefficient per attack behavior type, is rendered as an image in the source and is not reproduced here.]
It should further be noted that attack behavior types are not limited to the eight listed in Table 1 and may include any attack behavior type currently known. New attack behavior types may also appear in future as the field develops; this embodiment does not limit them.
The control coefficient corresponding to a resource type may be determined according to the degree of control the attacked party has when a network resource of that type is used as an attack asset.
The control coefficients corresponding to the extracted resource types may be obtained by looking them up in a control coefficient list, acquired in advance, that maps each resource type to its coefficient.
In one possible implementation, when the control coefficient list is built, the resource types are ranked as required by the degree of control the attacked party has when a network resource of each type is used as an attack asset, and the control coefficient of each type is then assigned according to the value range chosen for control coefficients.
Taking as an example the control coefficients for ten resource types, namely mobile network, WLAN hotspot, satellite communication, home broadband, data center, switching center, school unit, organization, infrastructure and dedicated outlet, the ranking by the attacked party's degree of control when a network resource of each type is used as an attack asset may be as follows:
data center >= dedicated outlet >= infrastructure > organization >= school unit > home broadband > satellite communication >= WLAN hotspot >= switching center >= mobile network.
Taking as an example control coefficients set to positive integers from 1 to 5, where the larger the value, the greater the attacked party's degree of control when a network resource of the corresponding type is used as an attack asset, the control coefficient corresponding to each resource type may be, but is not limited to, as shown in Table 2. It can then be understood that the larger the control coefficients corresponding to the extracted resource types, the more slowly the designated network resource decays as an attack asset.
It should be noted that the control coefficients given in Table 2 are only an illustration; specific values may be set as needed.
TABLE 2
Resource type            Control coefficient
Mobile network           1
WLAN hotspot             1
Satellite communication  1
Home broadband           2
Data center              5
Switching center         1
School unit              3
Organization             3
Infrastructure           5
Dedicated outlet         5
It should be further noted that the resource types are not limited to the ten listed in Table 2, but may include any currently known resource type. New resource types may also appear as technology develops, which this embodiment does not limit.
Further, in one possible implementation, this step may include:
determining, according to the threat coefficients corresponding to the extracted types of attack behavior, the malicious coefficient corresponding to the designated network resource using a pre-established malicious coefficient determination model; and
determining the attenuation real-time value corresponding to the designated network resource using a pre-established effectiveness attenuation model, according to the predetermined attenuation initial value corresponding to the designated network resource, the malicious coefficient, the extracted control coefficient corresponding to each asset type, and the start time and current time of the designated network resource being marked as an attack asset.
That is, in this embodiment, a malicious coefficient corresponding to the designated network resource may first be determined in a specified manner from the threat coefficients corresponding to the extracted types of attack behavior, and the attenuation real-time value corresponding to the designated network resource may then be determined based on that malicious coefficient.
Further, in one possible implementation, the malicious coefficient determination model may be, but is not limited to, as follows:
(formula image GDA0004189725320000131; the expression is not reproduced in the text)
where E represents the malicious coefficient corresponding to the designated network resource marked as an attack asset;
l_1 represents the largest of the threat coefficients corresponding to the n types of attack behavior extracted for the designated network resource;
l_2 ... l_n represent the remaining threat coefficients, i.e. each threat coefficient other than the largest among those corresponding to the n types of attack behavior extracted for the designated network resource.
Further, in one possible implementation, the effectiveness attenuation model may be, but is not limited to, as follows:
(formula image GDA0004189725320000132; the expression is not reproduced in the text)
where T_r represents the attenuation real-time value, at the current time, of the designated network resource marked as an attack asset;
T_o represents the attenuation initial value of the designated network resource marked as an attack asset;
E represents the malicious coefficient corresponding to the designated network resource marked as an attack asset;
min{A_1 ... A_m} represents the smallest of the control coefficients A_1 ... A_m corresponding to the m resource types extracted for the designated network resource;
t_r represents the current time;
t_0 represents the start time at which the designated network resource was marked as an attack asset.
Step 103: marking the designated network resource as a non-attack asset in the network threat information according to the determined failure time.
After the failure time of the designated network resource as an attack asset has been determined, the designated network resource can be marked as a non-attack asset in the network threat information when that failure time arrives.
With the scheme provided by this embodiment, the effectiveness of an attack asset is attenuated automatically. This avoids, as far as possible, a network resource that no longer poses a network threat and has returned to normal remaining marked as an attack asset, and likewise avoids, as far as possible, an attack asset being wrongly marked as a non-attack asset, so the marking accuracy of attack assets is improved.
In addition, after the stages of formal definition, standard proposal and batch production of intelligence data, network threat information has entered a new stage in which intelligence data is used in subdivided scenarios. Such subdivided scenarios place higher demands on the quality of the intelligence data, and only on the basis of high-quality data can more intelligence application scenarios be supported. The scheme provided by this embodiment improves the usable quality of network threat information, broadens its usage scenarios and gives it general applicability.
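The aging procedure above (threat coefficients to E, Table 2 control coefficients to min{A_1 ... A_m}, the attenuation real-time value T_r, the failure time, and the re-marking of step 103) as an added Python example; this is not code from the patent. Because the formula images are not reproduced in the text, the closed forms of both models, the threat coefficient values and the sample asset are assumptions chosen to follow the relationships the text states (a larger control coefficient slows the attenuation; failure is when T_r is not greater than a specified value).

```python
"""Attack-asset aging pipeline: Table 2 control coefficients -> min{A_1..A_m},
threat coefficients -> E, then the decay value T_r and the failure time.
The closed forms of the two models are ASSUMPTIONS chosen to follow the
direction the text states (larger control coefficient => slower attenuation);
the patent text does not reproduce the formulas themselves."""
import math
from dataclasses import dataclass
from typing import Dict, List

# Control coefficients A from Table 2 (positive integers 1..5).
CONTROL_COEFFICIENT: Dict[str, int] = {
    "mobile network": 1, "wlan hotspot": 1, "satellite communication": 1,
    "home broadband": 2, "data center": 5, "switching center": 1,
    "school unit": 3, "organization": 3, "infrastructure": 5,
    "dedicated outlet": 5,
}

# Threat coefficients l per attack-behaviour type: CONSTRUCTED sample values,
# not the patent's own threat coefficient table.
THREAT_COEFFICIENT: Dict[str, float] = {
    "port scan": 1.0, "brute force": 2.0, "c2 beacon": 4.0, "ransomware": 5.0,
}


@dataclass
class AttackAsset:
    resource: str              # the network resource marked in the threat intel
    attack_types: List[str]    # types of attack behaviour attributed to it
    resource_types: List[str]  # its resource types (Table 2 keys)
    t0: float                  # time (days) at which it was marked an attack asset
    T0: float                  # attenuation initial value T_o, determined upstream


def min_control_coefficient(resource_types: List[str]) -> int:
    """min{A_1..A_m}: the smallest control coefficient among the asset's types.
    Unknown types are rejected rather than defaulted, so a type that appears
    later (the text allows for that) must be added to the table explicitly."""
    unknown = [r for r in resource_types if r not in CONTROL_COEFFICIENT]
    if unknown or not resource_types:
        raise ValueError(f"no control coefficient for resource type(s): {unknown}")
    return min(CONTROL_COEFFICIENT[r] for r in resource_types)


def malicious_coefficient(attack_types: List[str]) -> float:
    """E from l_1 (the largest threat coefficient) and l_2..l_n (the rest).
    ASSUMED form: l_1 dominates and every further behaviour adds a
    geometrically diminishing share of its own coefficient, so E >= l_1."""
    ls = sorted((THREAT_COEFFICIENT[a] for a in attack_types), reverse=True)
    if not ls:
        raise ValueError("an attack asset needs at least one attack behaviour")
    return ls[0] + sum(l / 2 ** k for k, l in enumerate(ls[1:], start=1))


def decay_value(asset: AttackAsset, t_r: float) -> float:
    """T_r at the current time t_r. ASSUMED exponential form
    T_r = T_o * exp(-(t_r - t_0) / (E * min_A)); a larger E or min_A slows
    the attenuation, matching the relationship described in the text."""
    e = malicious_coefficient(asset.attack_types)
    a_min = min_control_coefficient(asset.resource_types)
    return asset.T0 * math.exp(-(t_r - asset.t0) / (e * a_min))


def failure_time(asset: AttackAsset, threshold: float) -> float:
    """Earliest t at which T_r <= threshold (the 'specified value'), solved
    in closed form from the assumed decay model above."""
    if threshold <= 0:
        return math.inf   # a pure exponential never reaches zero
    if asset.T0 <= threshold:
        return asset.t0   # already at or below the threshold when marked
    e = malicious_coefficient(asset.attack_types)
    a_min = min_control_coefficient(asset.resource_types)
    return asset.t0 + e * a_min * math.log(asset.T0 / threshold)


def label_at(asset: AttackAsset, t_r: float, threshold: float) -> str:
    """Step 103: once the failure time has arrived the resource is re-marked
    as a non-attack asset in the network threat information."""
    expired = t_r >= failure_time(asset, threshold)
    return "non-attack asset" if expired else "attack asset"


if __name__ == "__main__":
    # Constructed sample: a home-broadband address seen scanning and beaconing.
    a = AttackAsset("203.0.113.7", ["port scan", "c2 beacon"],
                    ["home broadband"], t0=0.0, T0=100.0)
    print(f"E={malicious_coefficient(a.attack_types):.2f}, "
          f"fails at day {failure_time(a, 10.0):.2f}; "
          f"day 3: {label_at(a, 3.0, 10.0)}, day 30: {label_at(a, 30.0, 10.0)}")
```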
Corresponding to the method provided, the following apparatus is further provided.
An embodiment of the present disclosure provides an attack asset marking apparatus, which may have a structure as shown in Fig. 3 and includes:
an extracting module 11, configured to extract, from the network threat information, the type of each attack behavior and the type of each resource corresponding to a designated network resource marked as an attack asset;
a judging module 12, configured to determine the failure time of the designated network resource marked as an attack asset according to the obtained threat coefficient corresponding to each extracted type of attack behavior and the control coefficient corresponding to each extracted type of resource; and
a marking module 13, configured to mark the designated network resource as a non-attack asset in the network threat information according to the determined failure time;
where the threat coefficient corresponding to a type of attack behavior is determined according to the harmfulness of that type of attack behavior, and the control coefficient corresponding to a type of resource is determined according to the degree of control the attacked party has when a network resource of that type is used as an attack asset.
Optionally, the judging module 12 is specifically configured to determine the attenuation real-time value corresponding to the designated network resource using a pre-established effectiveness attenuation model, according to a predetermined attenuation initial value corresponding to the designated network resource, the extracted threat coefficient corresponding to each type of attack behavior, the extracted control coefficient corresponding to each type of resource, and the start time and current time of the designated network resource being marked as an attack asset; and to determine the time at which the attenuation real-time value is not greater than a specified value as the failure time of the designated network resource marked as an attack asset.
Optionally, the attenuation initial value is determined according to the number of attack behaviors corresponding to the designated network resource, the type of each attack behavior and the duration of each attack behavior.
Optionally, the judging module 12 is further specifically configured to determine the malicious coefficient corresponding to the designated network resource using a pre-established malicious coefficient determination model, according to the threat coefficients corresponding to the extracted types of attack behavior; and to determine the attenuation real-time value corresponding to the designated network resource using a pre-established effectiveness attenuation model, according to the predetermined attenuation initial value corresponding to the designated network resource, the malicious coefficient, the extracted control coefficient corresponding to each asset type, and the start time and current time of the designated network resource being marked as an attack asset.
The functions of the functional units of each device provided by the embodiments of the present disclosure may be implemented by the steps of the corresponding methods, so that the possible working processes and beneficial effects of the functional units of each device provided by the embodiments of the present disclosure are not repeated herein.
Based on the same inventive concept, the disclosed embodiments provide the following devices and mediums.
An embodiment of the present disclosure provides an attack asset marking device, which may be configured as shown in Fig. 4 and includes a processor 21, a communication interface 22, a memory 23 and a communication bus 24, where the processor 21, the communication interface 22 and the memory 23 communicate with each other through the communication bus 24;
the memory 23 is used for storing a computer program;
the processor 21 is configured to implement the steps described in the above method embodiments of the present disclosure when executing the program stored in the memory.
Alternatively, the processor 21 may include a central processing unit (CPU), an application-specific integrated circuit (ASIC), one or more integrated circuits for controlling program execution, a hardware circuit developed using a field-programmable gate array (FPGA), and a baseband processor.
Alternatively, the processor 21 may comprise at least one processing core.
Alternatively, the memory 23 may include a read-only memory (ROM), a random-access memory (RAM) and a disk memory. The memory 23 is used for storing the data required for the operation of the at least one processor 21. There may be one or more memories 23.
The embodiments of the present disclosure also provide a non-volatile computer storage medium storing an executable program which, when executed by a processor, implements the method provided by the above method embodiments of the present disclosure.
In a possible implementation, the computer storage medium may include a universal serial bus (USB) flash drive, a removable hard disk, a read-only memory (ROM), a random-access memory (RAM), a magnetic disk or an optical disk, or any other medium that can store program code.
In the disclosed embodiments, it should be understood that the disclosed apparatus and methods may be implemented in other ways. For example, the above-described embodiments of the apparatus are merely illustrative, e.g., the elements or division of elements is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., various elements or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interface, indirect coupling or communication connection of devices or units, electrical or otherwise.
The functional units in the embodiments of the present disclosure may be integrated in one processing unit, or the various units may be separate physical modules.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, all or part of the technical solutions of the embodiments of the present disclosure may be embodied in the form of a software product stored in a storage medium, including several instructions to cause a computer device, which may be, for example, a personal computer, a server, or a network device, or a processor (processor), to perform all or part of the steps of the methods described in the various embodiments of the present disclosure. And the aforementioned storage medium includes: universal serial bus flash disk (Universal Serial Bus Flash Drive), removable hard disk, ROM, RAM, magnetic or optical disk, or other various media capable of storing program code.
It will be apparent to those skilled in the art that embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present disclosure have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the disclosure.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present disclosure without departing from the spirit or scope of the disclosure. Thus, the present disclosure is intended to include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (8)

1. An attack asset marking method, the method comprising:
extracting, from the network threat information, the type of each attack behavior and the type of each resource corresponding to a designated network resource marked as an attack asset;
determining, according to the obtained threat coefficients respectively corresponding to each extracted type of attack behavior and the control coefficients respectively corresponding to each extracted type of resource, the failure time of the designated network resource marked as an attack asset, which comprises: determining the attenuation real-time value corresponding to the designated network resource using a pre-established effectiveness attenuation model, according to a predetermined attenuation initial value corresponding to the designated network resource, the extracted threat coefficient corresponding to each type of attack behavior, the extracted control coefficient corresponding to each type of resource, and the start time and current time of the designated network resource being marked as an attack asset; and determining the time at which the attenuation real-time value is not greater than a specified value as the failure time of the designated network resource marked as an attack asset;
marking the designated network resource as a non-attack asset in the network threat information according to the determined failure time;
wherein the threat coefficient corresponding to a type of attack behavior is determined according to the harmfulness of that type of attack behavior, and the control coefficient corresponding to a type of resource is determined according to the degree of control the attacked party has when a network resource of that type is used as an attack asset.
2. The method of claim 1, wherein the decay initial value is determined based on a number of attacks corresponding to the specified network resource, a type of each attack, and a duration of each attack.
3. The method of claim 1, wherein determining the attenuation real-time value corresponding to the specified network resource using a pre-established validity attenuation model based on the pre-determined attenuation initial value corresponding to the specified network resource, the extracted threat coefficient corresponding to each type of attack activity, the extracted control coefficient corresponding to each type of resource, the starting time and the current time when the specified network resource is marked as an attack asset, comprises:
according to the threat coefficients respectively corresponding to the extracted types of each attack behavior, determining the malicious coefficients corresponding to the appointed network resources by utilizing a pre-established malicious coefficient determination model;
and determining the attenuation real-time value corresponding to the specified network resource by utilizing a pre-established effectiveness attenuation model according to the pre-determined attenuation initial value corresponding to the specified network resource, the malicious coefficient, the extracted control coefficient corresponding to each asset type, the starting time and the current time of the specified network resource marked as the attack asset.
4. An attack asset marking apparatus, the apparatus comprising:
an extraction module, configured to extract, from the network threat information, the type of each attack behavior and the type of each resource corresponding to a designated network resource marked as an attack asset;
a judging module, configured to determine the failure time of the designated network resource marked as an attack asset according to the obtained threat coefficients respectively corresponding to each extracted type of attack behavior and the control coefficients respectively corresponding to each extracted type of resource;
the judging module being specifically configured to determine the attenuation real-time value corresponding to the designated network resource using a pre-established effectiveness attenuation model, according to a predetermined attenuation initial value corresponding to the designated network resource, the extracted threat coefficient corresponding to each type of attack behavior, the extracted control coefficient corresponding to each type of resource, and the start time and current time of the designated network resource being marked as an attack asset; and to determine the time at which the attenuation real-time value is not greater than a specified value as the failure time of the designated network resource marked as an attack asset;
a marking module, configured to mark the designated network resource as a non-attack asset in the network threat information according to the determined failure time;
wherein the threat coefficient corresponding to a type of attack behavior is determined according to the harmfulness of that type of attack behavior, and the control coefficient corresponding to a type of resource is determined according to the degree of control the attacked party has when a network resource of that type is used as an attack asset.
5. The apparatus of claim 4, wherein the decay initial value is determined based on a number of attacks corresponding to the specified network resource, a type of each attack, and a duration of each attack.
6. The apparatus of claim 4, wherein the judging module is further specifically configured to determine a malicious coefficient corresponding to the specified network resource according to the threat coefficient respectively corresponding to each type of the extracted attack behavior by using a pre-established malicious coefficient determination model; and determining the attenuation real-time value corresponding to the specified network resource by utilizing a pre-established effectiveness attenuation model according to the pre-determined attenuation initial value corresponding to the specified network resource, the malicious coefficient, the extracted control coefficient corresponding to each asset type, the starting time and the current time of the specified network resource marked as the attack asset.
7. A non-transitory computer storage medium storing an executable program that is executed by a processor to implement the method of any one of claims 1-3.
8. An attack asset marking device comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is used for storing a computer program;
the processor is configured to implement the method steps of any one of claims 1 to 3 when executing the program stored on the memory.
CN202111399106.XA 2021-11-24 2021-11-24 Attack asset marking method, device, medium and equipment Active CN114095261B (en)

Publications (2)

Publication Number Publication Date
CN114095261A CN114095261A (en) 2022-02-25
CN114095261B true CN114095261B (en) 2023-06-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant