CN114238992A - Threat vulnerability mining method based on big information security data and information security system - Google Patents

Threat vulnerability mining method based on big information security data and information security system

Publication number: CN114238992A
Application number: CN202111588594.9A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 邓华
Assignee (original and current): Tianjin Zhibaotong Big Data Service Co ltd
Legal status: Withdrawn
Prior art keywords: threat, protection, penetration, vulnerability, target

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The application discloses a threat vulnerability decision method based on information security big data, and an information security system. Chain information is assembled from multiple kinds of historical threat behavior intelligence into a threat intelligence chain whose links express the penetration relations between the behavior trace nodes of a historical threat behavior model, and the threat penetration vulnerability decision is made against that chain. This addresses the decision errors of the traditional scheme, which decides threat penetration vulnerabilities from the trigger activity of a threat behavior alone; it improves the accuracy with which threat penetration vulnerabilities between threat protection activities and sensitive service request activities are decided, and so the effectiveness of the subsequent security protection reinforcement.

Description

Threat vulnerability mining method based on big information security data and information security system
Technical Field
The application relates to the technical field of big data, and in particular to a threat vulnerability mining method based on information security big data and an information security system.
Background
With the development of big data technology, data and data protection have become central concerns for cloud platforms. An information security threat is the source and means of a particular kind of attack, often a new or newly discovered incident, that can compromise an entire system or cloud platform. Deciding threat vulnerabilities is therefore essential to keeping a system continuously secure: vulnerability testing identifies the penetration relations of threat vulnerabilities and applies security protection and reinforcement on the existing basis according to the threat penetration found, which raises the level of information security protection.
In the traditional technical scheme, the threat penetration vulnerability decision usually considers only the trigger activity of the threat behavior, so the limited decision accuracy directly limits the effectiveness of the security protection reinforcement.
Disclosure of Invention
The application provides a threat vulnerability mining method based on big data of information security and an information security system.
In a first aspect, an embodiment of the present application provides a threat vulnerability decision method based on information security big data, applied to an information security system, which includes:
searching, in a real-time protection list, the traversal threat protection activities and traversal sensitive service request activities of a core subscription service interface;
analyzing a target threat protection fingerprint corresponding to the traversal threat protection activity and a target sensitive service request fingerprint corresponding to the traversal sensitive service request activity, where the threat protection fingerprint denotes the chain node onto which the threat protection activity maps in a threat intelligence chain and the sensitive service request fingerprint denotes the chain node onto which the sensitive service request activity maps; the threat intelligence chain takes the threat penetration traces of a historical threat behavior model and the behavior trace nodes of multiple kinds of historical threat behavior intelligence as its chain nodes, and the penetration relations among those behavior trace nodes as its chain node relations;
performing a threat penetration vulnerability decision from the target threat protection fingerprint, the target sensitive service request fingerprint and the threat intelligence chain, and outputting target threat penetration vulnerability information, which denotes the threat penetration routing relation between the traversal threat protection activity and the traversal sensitive service request activity;
and carrying out security protection and reinforcement of the core subscription service interface according to the target threat penetration vulnerability information.
With this scheme, the chain information assembled from multiple kinds of historical threat behavior intelligence, that is the threat intelligence chain expressing the penetration relations between behavior trace nodes of the historical threat behavior model, is taken into account when deciding threat penetration vulnerabilities. This addresses the decision errors of the traditional scheme, which considers only the trigger activity of the threat behavior, improves the accuracy with which threat penetration vulnerabilities between threat protection activities and sensitive service request activities are decided, and so improves the effectiveness of the subsequent security protection reinforcement.
Drawings
Fig. 1 is a schematic flowchart illustrating steps of a threat vulnerability decision method based on big information security data according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art without any inventive step based on the embodiments in the present application are within the scope of protection of the present application.
Step S101: search, in the real-time protection list, the traversal threat protection activities and traversal sensitive service request activities of the core subscription service interface.
In an embodiment, when the current security protection and reinforcement process needs the threat penetration routing relation between a specific threat protection activity and a sensitive service request activity of a core subscription service interface, the information representing the traversal threat protection activities and traversal sensitive service request activities (for example their activity field data and persistent item sessions) is loaded through a data loading request, and the information security system determines from that request which traversal threat protection activities and traversal sensitive service request activities the vulnerability decision covers.
For example, if threat protection activities A and B and sensitive service request activities A and B are obtained from the data loading request, the information security system takes threat protection activities A and B as the traversal threat protection activities and sensitive service request activities A and B as the traversal sensitive service request activities, and decides the threat penetration routing relation of each protection/request pairing (threat protection activity A with sensitive service request activity A, A with B, B with A, and B with B).
Step S102: analyze the target threat protection fingerprint corresponding to the traversal threat protection activity and the target sensitive service request fingerprint corresponding to the traversal sensitive service request activity.
The threat protection fingerprint denotes the chain node onto which a threat protection activity maps in the threat intelligence chain, and the sensitive service request fingerprint denotes the chain node onto which a sensitive service request activity maps. The threat intelligence chain takes the threat penetration traces of the historical threat behavior model and the behavior trace nodes of the various kinds of historical threat behavior intelligence as its chain nodes, and the penetration relations among those nodes as its chain node relations. Unlike the related art, which decides threat penetration vulnerabilities from the trigger activity of the threat behavior alone, this method decides them against the threat intelligence chain, that is, against the penetration relations between behavior trace nodes of the historical threat behavior model as assembled from the various kinds of historical threat behavior intelligence.
In one embodiment the information security system is configured with the threat intelligence chain in advance; the chain consists of the behavior trace nodes and node penetration relations found in the association information between threat protection activities and sensitive service request activities.
For example, the threat intelligence chain is a chain network built from a large number of threat intelligence sub-chains. The network holds relations of several types: threat protection activity to sensitive service request activity, threat protection activity to threat protection activity, threat protection activity to threat source, sensitive service request activity to sensitive service request activity, sensitive service request activity to threat source, and so on. The information security system acquires and stores each such threat penetration unit to build the chain.
Step S103: perform the threat penetration vulnerability decision from the target threat protection fingerprint, the target sensitive service request fingerprint and the threat intelligence chain, and output the target threat penetration vulnerability information.
The target threat penetration vulnerability information denotes the threat penetration routing relation between the traversal threat protection activities and the traversal sensitive service request activities. In this embodiment the threat intelligence chain consists of the threat penetration units of threat protection activities together with the historical threat behavior intelligence related to those threat protection activities or to the target sensitive service request activities.
The information security system locates the chain nodes that the target threat protection fingerprint and the target sensitive service request fingerprint map to, from them determines the threat penetration unit combinations (threat protection activities and historical threat behavior intelligence) related to the traversal threat protection activity and the traversal sensitive service request activity, and makes the threat penetration vulnerability decision from the information read out of the chain, yielding the target threat penetration vulnerability information.
For example, if the information security system scores the heat value of a given threat penetration vulnerability between threat protection activity A and sensitive service request activity B at 90, it determines that sensitive service request activity B is a penetration sensitive service request activity of threat protection activity A and that the vulnerability exists between the two; if it scores the heat value of the same kind of vulnerability between threat protection activity A and sensitive service request activity A at 5, it determines that sensitive service request activity A is not a penetration target of threat protection activity A and that no such vulnerability exists between them. The user can then investigate the threat penetration units of the threat protection activity further on the basis of the system's decision.
Step S104: carry out security protection and reinforcement of the core subscription service interface according to the target threat penetration vulnerability information.
As set out above, deciding against the threat intelligence chain rather than the trigger activity alone improves the accuracy of the threat penetration vulnerability decision between threat protection activities and sensitive service request activities, and with it the effectiveness of the subsequent security protection reinforcement.
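The chain lookup and routing decision of steps S101 to S104, as an added Python example that is not code from the patent. The chain is held as a directed graph of (node, relation, node, confidence) triples; the node names, relation labels, fingerprint identifiers, per-edge confidence values and the heat threshold of 50 are all constructed assumptions, and the heat value is defined here as the strength of the strongest penetration route (product of edge confidences, scaled to 0..100), which reproduces the 90 and 5 of the example above but is not a definition the patent gives:

```python
"""Threat intelligence chain lookup and penetration routing decision (steps S101-S104).

Added example, not the patent's code. Node names, relation labels, fingerprint
identifiers, per-edge confidence values and the heat threshold are constructed.
"""
from collections import defaultdict

# Constructed threat intelligence chain: (head, relation, tail, confidence).
# "confidence" (0 < c <= 1) is an assumption standing in for how strongly the
# historical threat behavior intelligence supports that penetration relation.
CHAIN_TRIPLES = [
    ("protectA", "protect-permeate", "requestB", 0.9),
    ("protectA", "protect-protect",  "protectB", 0.5),
    ("protectB", "protect-permeate", "requestA", 0.1),
    ("protectB", "protect-permeate", "requestB", 0.6),
    ("source1",  "source-protect",   "protectA", 0.8),  # threat source -> protection activity
    ("requestB", "request-request",  "requestC", 0.4),
]

# Relation types along which a threat can route from a protection activity
# towards a sensitive service request (constructed labels).
PENETRATION_RELATIONS = {"protect-permeate", "protect-protect", "request-request"}

# Step S102: fingerprint -> chain node (constructed identifiers).
FINGERPRINTS = {
    "fp:protect:7f3a": "protectA", "fp:protect:9c11": "protectB",
    "fp:request:12e0": "requestA", "fp:request:55ab": "requestB",
}

HEAT_THRESHOLD = 50.0  # assumption: at or above this a penetration vulnerability "exists"


class ThreatIntelChain:
    """Directed multigraph: node -> [(relation, tail, confidence)]."""

    def __init__(self, triples):
        self.adj = defaultdict(list)
        self.nodes = set()
        for head, rel, tail, conf in triples:
            self.adj[head].append((rel, tail, conf))
            self.nodes.update((head, tail))

    def penetration_routes(self, src, dst, max_hops=3):
        """All simple routes src -> dst over penetration relations, at most max_hops edges."""
        routes, stack = [], [(src, [src], [])]
        while stack:
            node, path, confs = stack.pop()
            if node == dst and confs:
                routes.append((path, confs))
                continue
            if len(confs) >= max_hops:
                continue
            for rel, tail, conf in self.adj.get(node, ()):
                if rel in PENETRATION_RELATIONS and tail not in path:
                    stack.append((tail, path + [tail], confs + [conf]))
        return routes


def heat_value(chain, protect_node, request_node):
    """Heat of the strongest route: product of its edge confidences, scaled to 0..100."""
    best = 0.0
    for _path, confs in chain.penetration_routes(protect_node, request_node):
        strength = 1.0
        for c in confs:
            strength *= c
        best = max(best, strength)
    return round(100.0 * best, 1)


def decide(chain, load_request):
    """Steps S101-S103: resolve the fingerprints of the data loading request and
    score every protection/request pair. Returns {(protect, request): (heat, vulnerable)}."""
    protects = [FINGERPRINTS[f] for f in load_request["protect"]]
    requests = [FINGERPRINTS[f] for f in load_request["request"]]
    result = {}
    for p in protects:
        for q in requests:
            heat = heat_value(chain, p, q)
            result[(p, q)] = (heat, heat >= HEAT_THRESHOLD)
    return result


def reinforce_targets(decisions):
    """Step S104: the pairs whose routing relation needs hardening, strongest first."""
    hits = [(p, q, heat) for (p, q), (heat, vuln) in decisions.items() if vuln]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    chain = ThreatIntelChain(CHAIN_TRIPLES)
    load_request = {"protect": ["fp:protect:7f3a", "fp:protect:9c11"],
                    "request": ["fp:request:12e0", "fp:request:55ab"]}
    decisions = decide(chain, load_request)
    for pair, (heat, vuln) in decisions.items():
        print(pair, heat, "vulnerability exists" if vuln else "no penetration relation")
    print("reinforce:", reinforce_targets(decisions))
```

Routes are bounded to three hops so the enumeration stays finite on dense chains; on a real chain the per-edge confidence would be derived from the historical threat behavior intelligence behind each threat penetration unit rather than set as a literal.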
Another independent embodiment of the present application provides a threat vulnerability decision method based on information security big data, described below, which includes the following steps.
Step S201: search, in the real-time protection list, the traversal threat protection activities and traversal sensitive service request activities of the core subscription service interface.
Step S202: analyze the target threat protection fingerprint corresponding to the traversal threat protection activity and the target sensitive service request fingerprint corresponding to the traversal sensitive service request activity.
For details of steps S201 and S202, refer to steps S101 and S102; they are not repeated here.
Step S203: perform independent intelligence feature extraction on the threat intelligence sub-chains of the threat intelligence chain, and output independent threat intelligence features.
A threat intelligence sub-chain consists of a first behavior trace node, a second behavior trace node and the node penetration relation between them; the independent threat intelligence features represent the chain nodes and the sub-chain relations of the threat intelligence chain as a distribution of coding vectors.
An independent threat intelligence feature is a feature vector obtained by encoding the behavior trace nodes and the penetration relations between them, so that the threat penetration vulnerability decision network can recognize the features of the threat intelligence chain.
For instance, by performing independent intelligence feature extraction on the sub-chains [protectA, protect-permeate, requestA] and [protectA, protect-protect, protectB] of the threat intelligence chain, the information security system outputs the feature vectors protectA [0.2, 0.5, -0.9, …, 0.7] and requestA [0.7, 0.5, -0.9, …, 0.7] representing the chain nodes protectA and requestA.
Step S204: load the target threat protection fingerprint, the target sensitive service request fingerprint and the independent threat intelligence features into the threat penetration vulnerability decision network, and output the target threat penetration vulnerability information.
The information security system feeds the target threat protection fingerprint, the target sensitive service request fingerprint and the independent threat intelligence features as data to be loaded into a threat penetration vulnerability decision network that has been trained to convergence, and takes its output as the target threat penetration vulnerability information. From the loaded data the network determines the heat value of the threat penetration routing relation between each traversal threat protection activity and each traversal sensitive service request activity.
In one embodiment the threat penetration vulnerability decision network comprises a variable decision structure, a variable clustering structure, a variable optimization structure and a decision structure, and step S204 further includes the following steps:
Step S204a: load the target threat protection fingerprint and the target sensitive service request fingerprint into the variable decision structure, and output a threat protection fingerprint variable for the target threat protection fingerprint and a sensitive service request fingerprint variable for the target sensitive service request fingerprint.
The variable decision structure of the threat penetration vulnerability decision network performs independent intelligence feature extraction on the loaded target threat protection fingerprint and target sensitive service request fingerprint and generates the corresponding feature vectors, so that the network can analyze the traversal threat protection activity and the traversal sensitive service request activity and, guided by the fingerprints, pull the corresponding information out of the threat intelligence chain for the decision.
Step S204b: load the threat protection fingerprint variable and the sensitive service request fingerprint variable into the variable clustering structure for variable clustering, and output a first threat penetration vulnerability variable.
Through variable clustering, the network performs independent intelligence feature extraction on the feature information of a threat protection activity and a sensitive service request activity taken as a group, obtaining a vulnerability vector distribution that represents a given threat penetration vulnerability: a pair consisting of a threat protection fingerprint variable and a sensitive service request fingerprint variable is reduced to a first threat penetration vulnerability variable.
Step S204c: load the first threat penetration vulnerability variable and the independent threat intelligence features into the variable optimization structure for variable optimization, and output a second threat penetration vulnerability variable.
Because the historical threat behavior intelligence related to the threat protection activity and the sensitive service request activity is integrated through the threat intelligence chain, and the threat penetration vulnerability decision for that activity pair is made against the chain, the independent threat intelligence features of the chain must be loaded into the threat penetration vulnerability decision network; the network then refines the first threat penetration vulnerability variable with the chain information and outputs a more precise second threat penetration vulnerability variable.
For example, the variable optimization structure of the threat penetration vulnerability decision network may be built from at least two layers of fully connected neural networks (FCNNs); the information security system passes the data to be loaded through these layers and outputs the second threat penetration vulnerability variable.
Step S204d: load the second threat penetration vulnerability variable into the decision structure, and output the target threat penetration vulnerability information.
The final parameter layer of the threat penetration vulnerability decision network is the decision structure. It performs independent intelligence feature extraction on the second threat penetration vulnerability variable produced by the variable optimization structure and yields the final heat value, that is, an evaluation value representing the heat of a given threat penetration vulnerability. For the threat penetration vulnerability decision over traversal threat protection activities A and B and traversal sensitive service request activities A and B, for example, the network outputs four heat values: one for the vulnerability indicated by threat protection activity A and sensitive service request activity A, one for A and B, one for B and A, and one for B and B. Which traversal threat protection activities and traversal sensitive service request activities stand in a threat penetration relation to each other is then determined from the heat values output by the decision structure.
With this design, low-dimensional independent threat intelligence features are obtained by independent intelligence feature extraction over the threat intelligence chain, no separate decision on the link features between chain nodes is needed, and the speed of the threat penetration vulnerability decision improves. The independent threat intelligence features are consumed by the threat penetration vulnerability decision network, which refines the threat penetration vulnerability variables with the historical threat behavior intelligence of the chain, so the accuracy of the target threat penetration vulnerability information improves.
Given the historical threat behavior model, the related historical threat behavior intelligence can be brought in through the threat intelligence chain for the threat penetration unit decision analysis of threat protection activities; compared with deciding a given threat penetration vulnerability only from a persistent-item session log such as the sensitive service request persistent items, this makes up for gaps in the historical threat behavior data. The threat penetration vulnerability decision network can therefore refine the threat penetration vulnerability variables from the historical threat behavior intelligence of the chain together with persistent-item session logs such as the sensitive service request persistent items, and the decision accuracy improves.
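How independent threat intelligence features can be extracted from sub-chains and then turned into a pairwise heat value (steps S203 and S204a to S204d), as an added example that is not the patent's code. The patent names neither its encoder nor any training labels, so the sub-chain encoding is assumed to be a TransE-style translation embedding (first node + relation ≈ second node, trained with a margin ranking loss against corrupted sub-chains), and the FCNN optimization and decision layers are replaced by a closed-form score, 100 * exp(-||h + r - t||^2), on the pair variable h + r - t. The sub-chains, dimension, learning rate, margin and random seed are constructed:

```python
"""Independent threat intelligence features from sub-chains (step S203) and the
pairwise heat decision on top of them (steps S204a-S204d).

Added example, not the patent's code. The encoder is assumed to be a
TransE-style translation embedding (first node + relation ~ second node) and
the FCNN optimization/decision layers are replaced by a closed-form score;
the sub-chains, dimension, learning rate, margin and seed are constructed.
"""
import math
import random

# Constructed threat intelligence sub-chains [first node, relation, second node].
SUBCHAINS = [
    ("protectA", "protect-permeate", "requestB"),
    ("protectA", "protect-protect",  "protectB"),
    ("protectB", "protect-permeate", "requestA"),
    ("source1",  "source-protect",   "protectA"),
    ("requestB", "request-request",  "requestC"),
]
DIM = 8  # assumed embedding width


def _rand_vec(rng, dim):
    return [rng.uniform(-0.5, 0.5) for _ in range(dim)]


def _unit(v):
    norm = math.sqrt(sum(x * x for x in v)) or 1.0
    return [x / norm for x in v]


def translation_distance(h, r, t):
    """||h + r - t||^2: small when the chain supports the sub-chain (h, r, t)."""
    return sum((a + b - c) ** 2 for a, b, c in zip(h, r, t))


def train_embeddings(triples, dim=DIM, epochs=300, lr=0.02, margin=1.0, seed=7):
    """Step S203: margin-ranking SGD, true sub-chains against corrupted second nodes.

    Returns (node vectors, relation vectors, per-epoch loss)."""
    rng = random.Random(seed)
    known = set(triples)
    nodes = sorted({x for h, _, t in triples for x in (h, t)})
    relations = sorted({r for _, r, _ in triples})
    E = {n: _unit(_rand_vec(rng, dim)) for n in nodes}
    R = {r: _rand_vec(rng, dim) for r in relations}
    history = []
    for _ in range(epochs):
        loss = 0.0
        for h, r, t in triples:
            # Corrupt the second node; never pick a corruption that is itself a true sub-chain.
            neg = rng.choice([n for n in nodes if n not in (h, t) and (h, r, n) not in known])
            d_pos = translation_distance(E[h], R[r], E[t])
            d_neg = translation_distance(E[h], R[r], E[neg])
            hinge = margin + d_pos - d_neg
            if hinge <= 0:
                continue
            loss += hinge
            for i in range(dim):
                gp = 2 * (E[h][i] + R[r][i] - E[t][i])    # gradient of d_pos w.r.t. (h + r - t)
                gn = 2 * (E[h][i] + R[r][i] - E[neg][i])  # gradient of d_neg w.r.t. (h + r - neg)
                E[h][i] -= lr * (gp - gn)
                R[r][i] -= lr * (gp - gn)
                E[t][i] += lr * gp
                E[neg][i] -= lr * gn
        for n in nodes:  # TransE constraint: node vectors stay on the unit sphere
            E[n] = _unit(E[n])
        history.append(loss)
    return E, R, history


def pair_heat(E, R, protect_node, request_node, relation="protect-permeate"):
    """Steps S204a-S204d collapsed: fingerprint vectors (a), pair variable h + r - t (b),
    translation distance as the chain-informed refinement (c), heat in 0..100 (d)."""
    d = translation_distance(E[protect_node], R[relation], E[request_node])
    return round(100.0 * math.exp(-d), 1)


def decide_pairs(E, R, protects, requests, threshold=50.0):
    """Heat and existence flag for every protection/request pair."""
    out = {}
    for p in protects:
        for q in requests:
            heat = pair_heat(E, R, p, q)
            out[(p, q)] = (heat, heat >= threshold)
    return out


if __name__ == "__main__":
    E, R, history = train_embeddings(SUBCHAINS)
    print(f"ranking loss {history[0]:.3f} -> {history[-1]:.3f}")
    print("protectA:", [round(x, 2) for x in E["protectA"]])
    for pair, verdict in decide_pairs(E, R, ["protectA", "protectB"], ["requestA", "requestB"]).items():
        print(pair, verdict)
```

The filtered negative sampling matters: corrupting [protectB, protect-permeate, requestA] into [protectB, protect-permeate, requestB] would punish a sub-chain the chain actually contains, so such corruptions are skipped. A translation model of this kind cannot separate one protection activity that penetrates many requests through the same relation, which is one reason the patent puts trained FCNN layers between the pair variable and the heat value.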
The method for determining a threat vulnerability based on big information security data, provided by another independent embodiment of the present application, is described below, and includes the following steps.
Step S301, search the traversal threat protection activity and the traversal sensitive service request activity of the core subscription service interface in the real-time protection list.
For details of step S301, reference may be made to step S101, which is not repeated herein.
Step S302, independent intelligence feature extraction is carried out on the traversal threat protection activity and the target persistent item session log corresponding to the traversal sensitive service request activity to obtain target persistent item session features.
The target persistent item session log comprises a target threat protection persistent item traversing threat protection activities and a target sensitive service request persistent item traversing sensitive service request activities, and the target persistent item session features comprise threat protection persistent item members corresponding to the target threat protection persistent item and sensitive service request persistent item members corresponding to the target sensitive service request persistent item.
In one embodiment, the information security system obtains a target persistent item session log traversing threat protection activities and traversing sensitive service request activities, wherein the persistent item session log comprises sensitive service request persistent items (such as threat protection persistent items) of the threat protection activities and sensitive service request persistent items of the sensitive service request activities, and performs independent intelligence feature extraction on the target persistent item session log to obtain target persistent item session features.
And step S303, when the traversing threat protection activity or traversing sensitive service request activity does not exist in the threat intelligence chain, obtaining threat protection transaction data.
The threat protection transaction data comprises a threat penetration track and historical threat behavior intelligence corresponding to traversal threat protection activities, or a threat penetration track and historical threat behavior intelligence corresponding to traversal sensitive service request activities.
In one embodiment, if a threat penetration routing relationship between a threat prevention activity and a known sensitive service request activity needs to be studied, or if a target threat prevention activity has a threat penetration vulnerability with a newly updated sensitive service request activity, the traversal threat prevention activity or the traversal sensitive service request activity may not exist in a threat intelligence chain, and the relevant threat prevention transaction data, such as a threat penetration unit combination of the known threat prevention activity related to the traversal threat prevention activity or the traversal sensitive service request activity, relevant historical threat behavior intelligence, and an indicated persistent session log, needs to be loaded.
Step S304, adjusting the threat intelligence chain according to the threat protection transaction data.
And if the information security system analyzes that the traversal threat protection activity or the traversal sensitive service request activity does not exist in the existing threat intelligence chain, adjusting the threat intelligence chain according to the threat protection transaction data.
For example, the information security system performs threat penetration vulnerability decision according to the updated threat intelligence chain, or learns the threat intelligence chain again when threat protection transaction data is more, and performs threat penetration vulnerability decision according to the learned threat intelligence chain.
Step S305, analyzing the target threat protection fingerprint corresponding to the traversal threat protection activity and the target sensitive service request fingerprint corresponding to the traversal sensitive service request activity.
And S306, extracting independent information characteristics of the threat information subchains in the threat information chain and outputting the independent threat information characteristics.
For details of steps S305 to S306, reference may be made to steps S202 to S203, which are not repeated herein.
And S307, performing threat penetration vulnerability decision according to the target threat protection fingerprint, the target sensitive service request fingerprint, the threat intelligence chain and the target persistent item session characteristics, and outputting target threat penetration vulnerability information.
In one embodiment, the information security system outputs a first threat penetration vulnerability variable representing a threat penetration routing relationship between traversal threat prevention activities and traversal sensitive business request activities according to a variable decision structure and a variable clustering structure of a threat penetration vulnerability decision network, therefore, the first threat penetration loophole variable, the independent threat intelligence characteristic and the target continuous item session characteristic are loaded to the variable optimization structure, the three kinds of information to be loaded are integrated through the variable optimization structure, namely according to threat intelligence chain and sensitive service request continuous item of threat protection activity and sensitive service request activity, optimizing and updating the first threat penetration vulnerability variable, outputting a second threat penetration vulnerability variable, and obtaining target threat penetration vulnerability information according to a second threat penetration vulnerability variable integrating independent threat intelligence characteristics, threat protection duration items and sensitive service request activity sensitive service request duration items.
In this embodiment, in addition to introducing the historical threat behavior intelligence carried by the threat intelligence chain, the session log of the persistent items (such as the conventional sensitive service request persistent item) is used as further data to be loaded. Integrating the two kinds of information to optimize the threat penetration vulnerability variable improves decision accuracy.
The following describes a deep learning decision-based threat penetration processing method provided by an independent embodiment of the present application, which includes the following steps.
Step S401, a threat intelligence chain is obtained, the threat intelligence chain takes the behavior track nodes in the reference data cluster as chain nodes, and takes the penetration relationship between the behavior track nodes as the chain intelligence of the chain node relationship, and the reference data cluster comprises the reference threat penetration track and various historical threat behavior intelligence.
And the threat intelligence chain takes threat penetration tracks in the historical threat behavior model and behavior track nodes in various historical threat behavior intelligence as chain nodes and takes penetration relations among the behavior track nodes as chain node relations. For example, the reference data cluster in the storage server may be stored in the information security system in the form of a threat intelligence subchain, and the information security system constructs a threat intelligence chain according to the obtained threat intelligence subchain. Wherein, the threat intelligence chain of the training phase can be used in the application phase.
Step S402, loading independent threat intelligence characteristics, reference threat protection fingerprints and reference sensitive service request fingerprints corresponding to the threat intelligence chain to a threat penetration vulnerability decision network, and outputting threat penetration vulnerability decision information.
The reference threat protection fingerprint represents the chain node to which a reference threat protection activity is mapped in the threat intelligence chain, the reference sensitive service request fingerprint represents the chain node to which a reference sensitive service request activity is mapped in the threat intelligence chain, the reference persistent item session log comprises the threat protection persistent item of the threat protection activity and the sensitive service request persistent item of the sensitive service request activity, and the threat penetration vulnerability decision information is a threat penetration track that has a threat penetration routing relationship.
In one embodiment, the threat penetration vulnerability decision network makes a decision on a threat penetration routing relationship between each reference threat protection activity and each sensitive service request activity according to data to be loaded (independent threat intelligence characteristics, reference threat protection fingerprints, and reference sensitive service request fingerprints), and outputs threat penetration vulnerability decision information indicating a heat value of the threat penetration routing relationship between the corresponding reference threat protection activity and the reference sensitive service request activity.
Step S403, performing network weight adjustment on the threat penetration vulnerability decision network according to threat penetration vulnerability decision information and reference threat penetration vulnerability information, and outputting a target threat penetration vulnerability decision network so as to perform threat penetration vulnerability decision according to the target threat penetration vulnerability decision network.
The reference threat penetration vulnerability information represents a threat penetration routing relationship between the reference threat protection activity and the reference sensitive service request activity.
In one embodiment, if a reference data cluster is a threat penetration unit combination of reference threat protection activities, and each threat penetration unit combination of reference threat protection activities carries reference threat penetration vulnerability information, the reference threat penetration vulnerability information indicates whether a threat penetration routing relationship and/or a type of threat penetration routing relationship exists between the indicated threat penetration unit combinations of reference threat protection activities. For example, for a threat protection activity a-penetration sensitive service request activity a serving as a positive reference data cluster, the indicated reference threat penetration vulnerability information is 1, that is, the confidence coefficient of the threat penetration routing relationship is 1; for the threat protection activity a-penetration sensitive service request activity b as a negative reference data cluster, the indicated reference threat penetration vulnerability information is 0, that is, the confidence coefficient of the threat penetration routing relationship is 0.
The information security system calculates error parameter values of each network weight adjustment process by acquiring threat penetration vulnerability decision information of a threat penetration vulnerability decision network in each network weight adjustment process, and optimizes a network parameter layer according to the error parameter values until the error parameter values are converged.
Based on this scheme, the historical threat behavior intelligence, the sensitive service request activities and the like are organized as penetration relationships in a threat intelligence chain, so that network weight adjustment of the threat penetration vulnerability decision network can be carried out according to the historical threat behavior intelligence without separately deciding the link features between chain nodes. This improves the precision and efficiency of network weight adjustment and the reliability of the threat penetration vulnerability decision.
The above discloses how historical threat behavior intelligence from different sources is integrated for training according to the threat intelligence chain. In the conception of one embodiment, the persistent items of the session log of the threat protection activity and the sensitive service request activity can additionally be introduced on the basis of the threat intelligence chain, further securing the decision effect. For example, another independent embodiment of the present application provides a threat vulnerability decision method based on big data of information security, which includes the following steps.
Step S501, determining the blocking modes of a plurality of reference network reference data clusters according to threat intelligence class labels, wherein different threat intelligence class labels correspond to different blocking modes.
To address a variety of different threat intelligence class labels, multiple blocking modes of reference threat penetration training data and reference threat penetration test data may be introduced to test network performance.
In the conception of the embodiment, a plurality of threat intelligence class labels and a blocking mode of a reference network reference data cluster corresponding to each threat intelligence class label are preset in an information security system, and the information security system respectively blocks reference threat penetration test data and reference threat penetration training data for each threat intelligence class label according to the blocking mode.
Step S502, clustering the reference threat penetration tracks according to the clustering mode, and outputting reference threat penetration training data and reference threat penetration test data corresponding to each threat intelligence class label.
In one embodiment, step S502 includes the following steps:
step S502a, when the threat intelligence class label is analyzed to be a worm threat intelligence label, clustering the reference threat penetration tracks into first reference threat penetration training data and first reference threat penetration test data, wherein reference threat protection activities and reference sensitive service request activities in the first reference threat penetration test data are associated with the first reference threat penetration training data.
For the worm threat intelligence label, the threat protection activities and sensitive service request activities encountered at decision time already exist in the threat intelligence chain, so the information security system can take all reference threat penetration tracks in the database as reference threat penetration training data and then randomly extract reference threat penetration tracks from the database according to a certain proportion parameter (for example, reference threat penetration test data : reference threat penetration training data = 1:10) as the reference threat penetration test data.
Step S502b, when the threat intelligence class label is analyzed to be a Trojan threat intelligence label, clustering the reference threat penetration tracks into second reference threat penetration training data and second reference threat penetration test data, wherein the reference sensitive service request activity in the second reference threat penetration test data is associated with the second reference threat penetration training data.
Step S502c, when the threat intelligence class label is analyzed to be a hacker invasion threat intelligence label, clustering the reference threat penetration tracks into third reference threat penetration training data and third reference threat penetration test data, wherein the reference threat protection activity in the third reference threat penetration test data is related to the third reference threat penetration training data.
In an embodiment, the information security system performs clustering of reference data clusters according to a database, outputs a positive reference data cluster in the reference threat penetration test data and the reference threat penetration training data, and then constructs a negative reference data cluster to perfect the reference threat penetration test data and the reference threat penetration training data, wherein the step S502 further includes the following steps:
and step S502d, clustering the reference threat penetration trajectory according to the clustering mode, and outputting a positive reference data cluster in the reference threat penetration training data and the reference threat penetration test data.
In the embodiment concept, the information security system groups threat penetration tracks in the database into reference threat penetration training data and reference threat penetration test data according to the mode, outputs only positive reference data clusters in the reference threat penetration training data and the reference threat penetration test data, and carries out negative reference data cluster construction according to the positive reference data clusters in the reference threat penetration training data and the reference threat penetration test data.
Step S502e, pairing each threat protection activity in the positive reference data cluster with each sensitive service request activity to construct threat penetration units, and outputting the threat penetration unit cluster.
The information security system carries out threat penetration analysis on the n sensitive service request activities and m threat protection activities in the database and outputs n × m threat penetration units, namely the threat penetration unit cluster, which includes the positive reference data cluster. For example, for a database containing threat protection activity A, threat protection activity B, sensitive service request activity A, sensitive service request activity B and sensitive service request activity C, the information security system outputs the threat penetration unit cluster: threat protection activity A-sensitive service request activity A, threat protection activity A-sensitive service request activity B, threat protection activity A-sensitive service request activity C, threat protection activity B-sensitive service request activity A, threat protection activity B-sensitive service request activity B, and threat protection activity B-sensitive service request activity C.
Step S502f, screening out target threat penetration units from the threat penetration unit cluster according to the preset configuration characteristic information of the positive reference data cluster.
In one embodiment, preset configuration characteristic information of a positive reference data cluster (for example, the ratio of the positive reference data cluster to the negative reference data cluster is 1:10) is preset in an information security system, a target threat penetration unit is screened from a threat penetration unit cluster according to the preset configuration characteristic information of the positive reference data cluster, and then the negative reference data cluster is determined according to the target threat penetration unit.
Step S502g, the positive reference data cluster and the repeated data in the target threat penetration unit are cleaned, and the negative reference data cluster in the reference threat penetration training data and the reference threat penetration test data is output.
The threat penetration unit cluster obtained by analyzing the information security system may include a repeated penetration relationship combination of threat protection activity-sensitive service request activity and all positive reference data clusters, so that the target threat penetration unit randomly searched by the information security system may have the positive reference data cluster and the repeated data, and the information security system outputs the negative reference data cluster in the reference threat penetration training data and the reference threat penetration test data by cleaning the positive reference data cluster and the repeated data in the target threat penetration unit.
It is noted that, in other possible embodiments, after the threat penetration unit cluster is generated, the information security system first washes the positive reference data cluster and the duplicate data therein, and then randomly extracts the negative reference data cluster from the remaining threat penetration units according to the preset configuration feature information of the positive reference data cluster.
For example, the information security system first blocks the directional relationship combinations of threat protection activities and sensitive service request activities according to the three threat intelligence class labels, outputs reference threat penetration training data and reference threat penetration test data for the different scenarios, and then constructs a negative reference data cluster from the positive reference data cluster in each set of reference threat penetration training data and reference threat penetration test data. The information security system may, for example, perform model training for each threat intelligence class label in turn according to a preset sequence.
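The blocking and negative-sampling procedure of steps S502a to S502g, worked through as an added Python example that is not the patent's own code. The activity identifiers and the database contents are constructed, and holding out a single threat protection activity (Trojan label) or a single sensitive service request activity (hacker label) is an assumption about how "associated with the training data" is realised; the cleaning-before-sampling order follows the alternative embodiment described above.

```python
import itertools
import random
from typing import Dict, List, Set, Tuple

# A threat penetration track: (threat protection activity, sensitive service request activity).
Track = Tuple[str, str]

# Constructed sample database of positive reference threat penetration tracks.
# Identifiers are hypothetical placeholders, not taken from the patent.
POSITIVE_TRACKS: List[Track] = [
    ("prot_A", "req_A"), ("prot_A", "req_C"),
    ("prot_B", "req_B"),
    ("prot_C", "req_A"), ("prot_C", "req_D"),
    ("prot_D", "req_B"), ("prot_D", "req_D"),
]


def split_by_label(tracks: List[Track], label: str, test_ratio: float = 0.1,
                   seed: int = 0) -> Tuple[List[Track], List[Track]]:
    """Blocking mode per threat intelligence class label (steps S502a to S502c).

    worm:   all tracks train; the test set is a 1:10 random sample of the same tracks, so
            both endpoints of every test track are associated with the training data.
    trojan: hold out one threat protection activity (assumption); its tracks become test
            data provided their sensitive service request activity still occurs in training.
    hacker: the mirror image, holding out one sensitive service request activity.
    """
    rng = random.Random(seed)
    tracks = list(dict.fromkeys(tracks))  # drop duplicate tracks, keep order
    if label == "worm":
        k = max(1, round(len(tracks) * test_ratio))
        return tracks, rng.sample(tracks, k)
    if label == "trojan":
        side = 0  # the held-out endpoint is the threat protection activity
    elif label == "hacker":
        side = 1  # the held-out endpoint is the sensitive service request activity
    else:
        raise ValueError(f"unknown threat intelligence class label: {label}")
    held_out = rng.choice(sorted({t[side] for t in tracks}))
    train = [t for t in tracks if t[side] != held_out]
    seen = {t[1 - side] for t in train}
    test = [t for t in tracks if t[side] == held_out and t[1 - side] in seen]
    return train, test


def build_negatives(positives: List[Track], all_positives: Set[Track],
                    neg_ratio: int = 10, seed: int = 0) -> List[Track]:
    """Steps S502e to S502g, cleaning first: form the n x m threat penetration unit
    cluster, remove positives and duplicates, then sample negatives at the preset
    positive:negative ratio (capped by the number of candidates available)."""
    rng = random.Random(seed)
    prots = sorted({p for p, _ in positives})
    reqs = sorted({s for _, s in positives})
    unit_cluster = set(itertools.product(prots, reqs))   # every prot x req combination
    candidates = sorted(unit_cluster - all_positives)    # a true track never becomes a negative
    k = min(len(candidates), neg_ratio * len(positives))
    return rng.sample(candidates, k)


def build_reference_cluster(tracks: List[Track], label: str, neg_ratio: int = 10,
                            seed: int = 0) -> Dict[str, List[Tuple[str, str, int]]]:
    """Labelled train/test reference data clusters: 1 = routing relationship, 0 = none."""
    train_pos, test_pos = split_by_label(tracks, label, seed=seed)
    all_pos = set(tracks)

    def labelled(pos: List[Track]) -> List[Tuple[str, str, int]]:
        negs = build_negatives(pos, all_pos, neg_ratio, seed)
        return [(p, s, 1) for p, s in pos] + [(p, s, 0) for p, s in negs]

    return {"train": labelled(train_pos), "test": labelled(test_pos)}


if __name__ == "__main__":
    for lab in ("worm", "trojan", "hacker"):
        ds = build_reference_cluster(POSITIVE_TRACKS, lab)
        print(lab, {k: (sum(y for *_, y in v), len(v)) for k, v in ds.items()})
```

With so few activities the 1:10 positive:negative ratio cannot be reached and the sampler returns every remaining unit; on a real database the cap is what keeps the negative cluster from swamping the positives.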
Step S503, a threat intelligence chain is obtained, the threat intelligence chain takes the behavior track nodes in the reference data cluster as chain nodes, and takes the penetration relationship between the behavior track nodes as the chain intelligence of the chain node relationship, and the reference data cluster comprises the reference threat penetration track and various historical threat behavior intelligence.
One embodiment contemplates that the threat penetration trajectory included in the threat intelligence chain is a positive reference data cluster in the reference threat penetration training data. For details of step S503, reference may be made to step S401, which is not repeated herein.
Step S504, independent intelligence feature extraction is carried out on the threat intelligence subchain in the threat intelligence chain, and independent threat intelligence features are output.
The threat information subchain is composed of a first behavior track node, a second behavior track node and a node penetration relation, and the independent threat information characteristics represent chain nodes and subchain relation vectors in the threat information chain in a coding vector distribution mode. And the information security system extracts independent information characteristics of the threat information subchains indicated by the reference data cluster in the threat information chain and outputs the independent threat information characteristics.
Step S505, carrying out independent intelligence feature extraction on the reference persistent item session logs corresponding to the reference threat protection activities and the reference sensitive service request activities to obtain reference persistent item session features.
The reference continuous item session log comprises a reference threat protection continuous item of reference threat protection activity and a reference sensitive service request continuous item of reference sensitive service request activity, and the reference continuous item session features comprise threat protection continuous item members corresponding to the reference threat protection continuous item and sensitive service request continuous item members corresponding to the reference sensitive service request continuous item.
In one embodiment, the information security system obtains a reference persistent item session log of the reference threat protection activity and the reference sensitive service request activity, wherein the persistent item session log includes the threat protection persistent item of the threat protection activity and the sensitive service request persistent item of the sensitive service request activity, and performs independent intelligence feature extraction on the reference persistent item session log to obtain the reference persistent item session features.
Step S506, loading the independent threat intelligence characteristics, the reference threat protection fingerprints, the reference sensitive service request fingerprints and the reference persistent item session characteristics to a threat penetration vulnerability decision network, and outputting threat penetration vulnerability decision information.
In the conception of one embodiment, the threat penetration vulnerability decision network comprises a variable decision structure, a variable clustering structure, a variable optimization structure and a decision structure. The variable decision structure performs independent intelligence feature extraction on the loaded reference threat protection fingerprint and reference sensitive service request fingerprint to generate the corresponding feature vectors (threat protection fingerprint variables and sensitive service request fingerprint variables). The variable clustering structure performs independent intelligence feature extraction on the feature information of a pair consisting of one threat protection activity and one sensitive service request activity, obtaining by variable clustering a vulnerability vector distribution that represents a particular threat penetration vulnerability for that pair; that is, it extracts independent intelligence features from a pair of a threat protection fingerprint variable and a sensitive service request fingerprint variable to obtain a first reference intelligence feature. The information security system thus outputs, from the variable decision structure and the variable clustering structure, a first reference intelligence feature representing the threat penetration routing relationship between the reference threat protection activity and the reference sensitive service request activity, and loads the first reference intelligence feature, the independent threat intelligence features and the reference persistent item session features into the variable optimization structure. The variable optimization structure integrates these three kinds of loaded information: according to the threat intelligence chain and the persistent items of the threat protection activity and the sensitive service request activity, it optimizes and updates the first reference intelligence feature and outputs a second reference intelligence feature. The threat penetration vulnerability decision information is then obtained from the second reference intelligence feature, which integrates the independent threat intelligence features, the threat protection persistent item and the sensitive service request persistent item.
Step S507, carrying out network weight adjustment on the threat penetration vulnerability decision network according to the threat penetration vulnerability decision information and the reference threat penetration vulnerability information of the target reference threat penetration training data, wherein the target reference threat penetration training data is the reference threat penetration training data corresponding to the current threat intelligence class label.
The reference threat penetration vulnerability information represents a threat penetration routing relationship between the reference threat protection activity and the reference sensitive service request activity.
Step S508, network training performance testing is carried out on the threat penetration vulnerability decision network according to threat penetration vulnerability decision information and reference threat penetration vulnerability information of target reference threat penetration testing data, and the target reference threat penetration testing data are reference threat penetration testing data corresponding to the current threat intelligence class label.
An embodiment contemplates that after training of the information security system is completed, a network training performance test is performed on each threat intelligence class label based on the reference threat penetration test data to test network decision performance.
In the embodiment concept, on the basis of the feature vector of the threat intelligence chain, the feature vector of the continuous item session log of the threat protection activity and the sensitive service request activity is introduced, and meanwhile, for different types of threat intelligence class labels, the performance of the threat penetration vulnerability decision network is improved according to the blocking mode of the reference threat penetration training data.
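The training loop of steps S401 to S403 and its extension in steps S503 to S508 (fingerprint features, chain features and session features fused into one heat value, weights adjusted until the error converges, then a performance test on the held-out data), as an added Python example that is not the patent's own code. The four structures are reduced to the smallest model that still has them: per-fingerprint embeddings, an elementwise pair product, a linear fusion with two scalar features, and a sigmoid. The identifiers, feature values and feature encodings are constructed; the patent specifies neither the network layers nor how the chain and session features are encoded.

```python
import math
import random

# A labelled threat penetration unit: (threat protection activity, sensitive service request
# activity, independent threat intelligence feature, persistent item session feature, reference
# threat penetration vulnerability information: 1 = routing relationship, 0 = none).
# Constructed sample data; identifiers and feature values are hypothetical. The chain feature
# stands for a scalar read off the threat intelligence chain (e.g. a normalised path count between
# the two nodes), the session feature for a scalar read off the persistent item session log.
TRAIN = [
    ("prot_A", "req_A", 1.0, 0.80, 1),
    ("prot_A", "req_B", 0.0, 0.10, 0),
    ("prot_A", "req_C", 1.0, 0.20, 0),  # linked in the chain, yet no penetration route
    ("prot_B", "req_B", 0.5, 0.90, 1),
    ("prot_B", "req_A", 0.0, 0.30, 0),
    ("prot_B", "req_D", 0.0, 0.85, 0),  # long session, yet no penetration route
    ("prot_C", "req_D", 0.0, 0.60, 1),  # route that neither scalar feature explains
    ("prot_C", "req_B", 1.0, 0.10, 0),
    ("prot_C", "req_C", 0.0, 0.20, 0),
]
# Worm-label blocking mode test data: every node already occurs in TRAIN (step S502a).
TEST = [("prot_C", "req_A", 0.8, 0.90, 1), ("prot_B", "req_C", 0.0, 0.10, 0)]


class PenetrationDecisionNetwork:
    """Stand-in for the four structures: per-fingerprint embeddings (variable decision
    structure), elementwise product of the two embeddings (variable clustering structure, the
    first variable), linear fusion with the chain and session features (variable optimization
    structure, the second variable) and a sigmoid heat value (decision structure)."""

    def __init__(self, dim=4, seed=0):
        rng = random.Random(seed)
        self.dim, self.rand = dim, (lambda: rng.uniform(-0.5, 0.5))
        self.emb = {}                                   # fingerprint -> embedding vector
        self.w_pair = [self.rand() for _ in range(dim)]
        self.w_chain, self.w_sess, self.bias = self.rand(), self.rand(), 0.0

    def vec(self, node):
        if node not in self.emb:                        # embed a fingerprint on first sight
            self.emb[node] = [self.rand() for _ in range(self.dim)]
        return self.emb[node]

    def heat(self, prot, req, chain, sess):
        """Heat value in (0, 1) of the penetration routing relationship prot -> req."""
        u, v = self.vec(prot), self.vec(req)
        z = sum(w * a * b for w, a, b in zip(self.w_pair, u, v))
        z += self.w_chain * chain + self.w_sess * sess + self.bias
        return 1.0 / (1.0 + math.exp(-z))

    def fit(self, data, lr=0.5, tol=1e-6, max_epochs=8000):
        """Network weight adjustment (step S403): full-batch gradient descent on the mean
        cross-entropy error until it changes by less than tol or the epoch cap is reached."""
        n, history, prev = len(data), [], float("inf")
        for _ in range(max_epochs):
            loss, g_pair, g_emb = 0.0, [0.0] * self.dim, {}
            g_chain = g_sess = g_bias = 0.0
            for prot, req, chain, sess, y in data:
                p = self.heat(prot, req, chain, sess)
                loss -= (y * math.log(p + 1e-12) + (1 - y) * math.log(1 - p + 1e-12)) / n
                d = (p - y) / n                         # d(loss) / d(z) for this unit
                u, v = self.emb[prot], self.emb[req]
                gu = g_emb.setdefault(prot, [0.0] * self.dim)
                gv = g_emb.setdefault(req, [0.0] * self.dim)
                for i in range(self.dim):
                    g_pair[i] += d * u[i] * v[i]        # dz/dw_i = u_i v_i
                    gu[i] += d * self.w_pair[i] * v[i]  # dz/du_i = w_i v_i
                    gv[i] += d * self.w_pair[i] * u[i]  # dz/dv_i = w_i u_i
                g_chain, g_sess, g_bias = g_chain + d * chain, g_sess + d * sess, g_bias + d
            self.w_pair = [w - lr * g for w, g in zip(self.w_pair, g_pair)]
            for k, g in g_emb.items():
                self.emb[k] = [a - lr * b for a, b in zip(self.emb[k], g)]
            self.w_chain -= lr * g_chain
            self.w_sess -= lr * g_sess
            self.bias -= lr * g_bias
            history.append(loss)
            if abs(prev - loss) < tol:
                break
            prev = loss
        return history

    def evaluate(self, data, threshold=0.5):
        """Network training performance test (step S508): accuracy against the reference
        threat penetration vulnerability information."""
        hits = sum((self.heat(p, r, c, s) >= threshold) == bool(y) for p, r, c, s, y in data)
        return hits / len(data)


def train_and_test(train=TRAIN, test=TEST, seed=0):
    net = PenetrationDecisionNetwork(seed=seed)
    history = net.fit(train)
    return {"epochs": len(history), "first_loss": history[0], "last_loss": history[-1],
            "train_accuracy": net.evaluate(train), "test_accuracy": net.evaluate(test)}


if __name__ == "__main__":
    print(train_and_test())
```

The constructed training set is deliberately not separable by the chain and session scalars alone (the pair prot_B/req_D has a longer session than the positive prot_C/req_D), so the fingerprint embeddings have to carry that distinction; this is the role the variable clustering structure plays next to the fused features. In the Trojan and hacker blocking modes one endpoint of each test unit is never embedded during training, which is exactly why those modes are the harder performance test.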
In an independently conceived embodiment, for step S104, the present application further provides a data processing method based on deep learning vulnerability decision, including the following steps.
Step W101: generating a security protection upgrading process for the core subscription service interface in the traversal sensitive service request activity according to the target threat penetration loophole information, and acquiring a loading protection upgrading firmware data set and a past protection upgrading firmware data set related to the security protection upgrading process of the core subscription service interface; the load protection upgrade firmware dataset corresponds to a plurality of load protection upgrade firmware, the past protection upgrade firmware dataset corresponds to a plurality of past protection upgrade firmware, the load protection upgrade firmware and the past protection upgrade firmware correspond to a plurality of protection upgrade data packets, and the protection upgrade data packets correspond to threat penetration vulnerability categories or threat penetration vulnerability paths.
When the information security system determines, for the security protection upgrade process corresponding to the core subscription service interface, that a target combination protection upgrade firmware having the key evaluation index is to be generated, it may first obtain a loading protection upgrade firmware data set comprising a plurality of loading protection upgrade firmware and a past protection upgrade firmware data set comprising a plurality of past protection upgrade firmware. The combination protection upgrade firmware may include a plurality of threat penetration vulnerability categories and threat penetration vulnerability paths configured for those categories.
In an embodiment, the information security system may pre-construct a load protection upgrade firmware data set and a past protection upgrade firmware data set, and store the constructed load protection upgrade firmware data set and the past protection upgrade firmware data set.
The loading protection upgrade firmware data set generally includes a plurality of loading protection upgrade firmware, for example 300. The loading protection upgrade firmware is the basic protection upgrade firmware from which the target combination protection upgrade firmware having the key evaluation index is finally generated, so the loading protection upgrade firmware is subjected to corresponding subsequent processing to obtain the target combination protection upgrade firmware having the key evaluation index. A loading protection upgrade firmware generally comprises a plurality of protection upgrade data packets, each of which may correspond to a threat penetration vulnerability category or a threat penetration vulnerability path in the security protection upgrade process. It is worth noting that the number of protection upgrade data packets included in a loading protection upgrade firmware, the protection upgrade characteristics corresponding to the protection upgrade data packets, and the data packet relationships among the protection upgrade data packets generally depend on the protection upgrade requirements set by the security protection upgrade process. For example, assuming that the protection upgrade requirement of the security protection upgrade process is to allow each protection upgrade firmware under evaluation to include three threat penetration vulnerability categories, each of which may be configured with two threat penetration vulnerability paths, the constructed loading protection upgrade firmware may be represented as [L1, K11, K12, L2, K21, K22, L3, K31, K32], where L1, L2 and L3 represent the three threat penetration vulnerability categories included in the loading protection upgrade firmware, K11 and K12 represent the two threat penetration vulnerability paths configured for the category corresponding to L1, K21 and K22 represent the two paths configured for the category corresponding to L2, and K31 and K32 represent the two paths configured for the category corresponding to L3.
The past protection upgrade firmware data set generally includes a plurality of past protection upgrade firmware, for example, 5000 past protection upgrade firmware, where the past protection upgrade firmware is used to verify the loading protection upgrade firmware and an evaluation index of the target loading protection upgrade firmware obtained by performing feature update on the loading protection upgrade firmware. Past protection upgrade firmware also typically includes a plurality of protection upgrade data packets, and the included protection upgrade data packets may correspond to a threat penetration vulnerability category or a threat penetration vulnerability path in a security protection upgrade process; since the past protection upgrade firmware is also constructed according to the protection upgrade requirement set by the security protection upgrade process, the protection upgrade index of the past protection upgrade firmware and the protection upgrade index of the loaded protection upgrade firmware should be the same.
Step W102: for each loading protection upgrade firmware in the loading protection upgrade firmware data set, determining respective corresponding effective evaluation values of a plurality of protection upgrade data packets in the loading protection upgrade firmware and protection upgrade weights of the loading protection upgrade firmware according to the loading protection upgrade firmware and multi-round test information of past protection upgrade firmware in the past protection upgrade firmware data set; the effective evaluation value corresponding to the protection upgrading data packet is used for representing the effective condition of the threat penetration vulnerability category or the threat penetration vulnerability path corresponding to the protection upgrading data packet in the protection upgrading evaluation; the protection upgrade weight represents influence state information of the protection upgrade firmware in the protection upgrade evaluation participated by the protection upgrade weight.
After the information security system obtains the loading protection upgrade firmware data set and the past protection upgrade firmware data set, for each loading protection upgrade firmware in the loading protection upgrade firmware data set, the effective evaluation values corresponding to a plurality of protection upgrade data packets included in the loading protection upgrade firmware can be evaluated according to the past protection upgrade firmware data set, and the protection upgrade weight of the loading protection upgrade firmware can be evaluated. The effective evaluation value corresponding to the protection upgrade data packet can represent the magnitude of the credible value of the threat penetration vulnerability category or the threat penetration vulnerability path corresponding to the protection upgrade data packet in the protection upgrade evaluation, and the protection upgrade weight can represent the influence state information of the protection upgrade firmware in the protection upgrade evaluation participated by the protection upgrade firmware.
For example, for each loading protection upgrade firmware in the loading protection upgrade firmware data set, the information security system may perform protection upgrade evaluation according to the loading protection upgrade firmware and each past protection upgrade firmware in the past protection upgrade firmware data set, and further correspondingly determine a corresponding effective evaluation value for each protection upgrade data packet in the loading protection upgrade firmware according to a corresponding threat penetration vulnerability class or effective condition of a threat penetration vulnerability path for each protection upgrade data packet in the loading protection upgrade firmware in each protection upgrade evaluation; for example, assuming that the average value of the number of the trusted tags obtained in each protection upgrade evaluation by a certain protection upgrade operation in the loading protection upgrade firmware is 100, it may be determined that the effective evaluation value of the protection upgrade data packet corresponding to the protection upgrade operation in the loading protection upgrade firmware is 100. In addition, the information security system can also determine the protection upgrade weight of the loading protection upgrade firmware according to the protection upgrade evaluation result (protection upgrade valid or protection upgrade invalid) obtained by the loading protection upgrade firmware in each protection upgrade evaluation; for example, the information security system may calculate the reliability of the loading protection upgrade firmware according to the protection upgrade evaluation result obtained by the loading protection upgrade firmware in each protection upgrade evaluation, and use the reliability as the protection upgrade weight of the loading protection upgrade firmware.
The plurality of protection upgrade data packets in the loading protection upgrade firmware are loaded into a plurality of protection upgrade data packet sets according to the upgrade node corresponding to each packet, so that each protection upgrade data packet set comprises a plurality of protection upgrade data packets that all correspond to the same upgrade node. Then, for each protection upgrade data packet set, the effective evaluation value of each protection upgrade data packet in the set is determined, according to the effective evaluation value policy corresponding to that set's upgrade node, from the credible value of the threat penetration vulnerability category or threat penetration vulnerability path corresponding to the packet in the protection upgrade evaluations performed between the loading protection upgrade firmware and the past protection upgrade firmware in the past protection upgrade firmware data set.
For example, the information security system may partition the protection upgrade data packets included in the loading protection upgrade firmware and load the packets belonging to the same upgrade node into the same protection upgrade data packet set. For instance, assume the loading protection upgrade firmware is [L1, K11, K12, L2, K21, K22, L3, K31, K32], where the threat penetration vulnerability category corresponding to L1 and the threat penetration vulnerability paths corresponding to K11 and K12 all belong to dynamic penetration vulnerability paths, the threat penetration vulnerability category corresponding to L2 and the threat penetration vulnerability path corresponding to K21 belong to static penetration vulnerability paths, the threat penetration vulnerability path corresponding to K22 belongs to cyclic penetration vulnerability paths, the threat penetration vulnerability category corresponding to L3 and the threat penetration vulnerability path corresponding to K31 belong to non-cyclic penetration vulnerability paths, and the threat penetration vulnerability path corresponding to K32 belongs to auxiliary penetration vulnerability paths. Then L1, K11 and K12 may be loaded into the first protection upgrade data packet set, L2 and K21 into the second, K22 into the third, L3 and K31 into the fourth, and K32 into the fifth protection upgrade data packet set.
Furthermore, for each protection upgrade data packet set, the information security system may determine, according to the policy corresponding to the effective evaluation value corresponding to the upgrade node corresponding to the protection upgrade data packet in the protection upgrade data packet set, the effective evaluation value corresponding to each protection upgrade data packet according to the threat penetration vulnerability class or the effective condition of the threat penetration vulnerability path corresponding to each protection upgrade data packet in the protection upgrade evaluation. For example, assuming that a threat penetration vulnerability category of the dynamic penetration vulnerability path or a policy corresponding to an effective evaluation value corresponding to the threat penetration vulnerability path is that an effective evaluation value is determined according to the number of the trusted tags obtained by the dynamic penetration vulnerability path to the target threat penetration vulnerability category, for the first protection upgrade data packet set, the information security system may determine an effective evaluation value corresponding to L1 according to the number of the trusted tags obtained by the threat penetration vulnerability category corresponding to L1 in each protection upgrade evaluation participated in by the loading protection upgrade firmware, for example, calculating an average value of the number of the trusted tags obtained by the threat penetration vulnerability category corresponding to L1 in each protection upgrade evaluation participated in by the loading protection upgrade firmware, and taking the average value as the effective evaluation value corresponding to L1; for K11 and K12 in the first set of protection upgrade packets, the information security system can also calculate the respective valid evaluation values of K11 and K12 in a similar manner.
In this embodiment, so that each protection upgrade data packet included in the loading protection upgrade firmware can subsequently be evaluated in the same dimension, which makes it convenient to consider every packet globally when performing feature update on the loading protection upgrade firmware rather than evaluating the packets of different upgrade nodes individually, conversion processing can be performed on the obtained effective evaluation values of the protection upgrade data packets under different upgrade nodes, so that these effective evaluation values all lie in the same dimension and each protection upgrade data packet in the loading protection upgrade firmware can be evaluated in a unified manner.
For example, the effective evaluation value corresponding to the protection upgrade data packet calculated in the above manner may be used as a basic effective evaluation value corresponding to the protection upgrade data packet; and then, for each protection upgrading data packet set, respectively converting the respective basic effective evaluation value of each protection upgrading data packet in the protection upgrading data packet set into the respective standard effective evaluation value of each protection upgrading data packet according to the preset conversion template corresponding to the upgrading node corresponding to the protection upgrading data packet in the protection upgrading data packet set.
For example, for a protection upgrade data packet set whose protection upgrade data packets correspond to a threat penetration vulnerability category or threat penetration vulnerability path of the dynamic penetration vulnerability path, the respective basic effective evaluation value of each protection upgrade data packet in the set may be converted into its standard effective evaluation value according to the preset conversion template corresponding to the dynamic penetration vulnerability path. For instance, if the preset conversion template corresponding to the dynamic penetration vulnerability path is "multiply the basic effective evaluation value by 3", then for each protection upgrade data packet in the set, the basic effective evaluation value corresponding to the packet is multiplied by 3 and the result is output as the standard effective evaluation value corresponding to that packet.
In one embodiment, the information security system may select any upgrade node as a candidate upgrade node, where a preset conversion template corresponding to the candidate upgrade node directly uses a basic effective evaluation value corresponding to a protection upgrade data packet as a standard effective evaluation value corresponding to the protection upgrade data packet; and correspondingly determining the corresponding preset conversion templates of other upgrading nodes according to the relationship between the threat penetration vulnerability category or the credible value of the threat penetration vulnerability path of other upgrading nodes and the threat penetration vulnerability category or the credible value of the threat penetration vulnerability path of the candidate upgrading node.
Therefore, the effective evaluation values corresponding to the protection upgrading data packets under different upgrading nodes are converted to the same dimension through conversion processing of the effective evaluation values corresponding to the protection upgrading data packets under different upgrading nodes; when the feature of the loading protection upgrade firmware is updated according to the effective evaluation value corresponding to each protection upgrade data packet in the loading protection upgrade firmware, the upgrade nodes corresponding to the protection upgrade data packets in the loading protection upgrade firmware do not need to be distinguished, and each protection upgrade data packet in the loading protection upgrade firmware can be evaluated in a unified manner to determine the protection upgrade data packet which needs to be adjusted in the loading protection upgrade firmware.
Step W103: for the loading protection upgrade firmware in the loading protection upgrade firmware data set, optimizing a protection upgrade data packet in the loading protection upgrade firmware according to respective corresponding effective evaluation values of a plurality of protection upgrade data packets in the loading protection upgrade firmware, and outputting a target loading protection upgrade firmware; determining a protection upgrade weight of the target loading protection upgrade firmware according to the target loading protection upgrade firmware and multi-round test information of past protection upgrade firmware in the past protection upgrade firmware data set; and determining the target combination protection upgrade firmware according to the protection upgrade weights corresponding to the load protection upgrade firmware and the target load protection upgrade firmware respectively.
After determining the respective corresponding effective evaluation value and the protection upgrade weight of each protection upgrade data packet included in each loading protection upgrade firmware in the loading protection upgrade firmware data set, the information security system can further optimize the protection upgrade data packet in the loading protection upgrade firmware according to the respective corresponding effective evaluation value of each protection upgrade data packet in the loading protection upgrade firmware, perform feature update on the loading protection upgrade firmware, and output the corresponding target loading protection upgrade firmware; then, performing protection upgrade evaluation according to the target loading protection upgrade firmware and each past protection upgrade firmware in the past protection upgrade firmware data set, thereby determining the protection upgrade weight of the target loading protection upgrade firmware; and then, determining the target combination protection upgrade firmware with stronger evaluation index according to the protection upgrade weights corresponding to the load protection upgrade firmware and the target load protection upgrade firmware respectively.
In an embodiment, the information security system may select, from the loading protection upgrade firmware data set, the part of the loading protection upgrade firmware with a larger evaluation index, and then perform feature update only on that firmware, so that the target combination protection upgrade firmware, which can be pushed in the subsequent steps, is determined from the loading protection upgrade firmware with the larger evaluation index.
For example, the information security system may select a plurality of traversal load protection upgrade firmware from the load protection upgrade firmware dataset according to a protection upgrade weight corresponding to each load protection upgrade firmware in the load protection upgrade firmware dataset. Furthermore, for each traversal loading protection upgrade firmware, optimizing the protection upgrade data packets in the traversal loading protection upgrade firmware according to respective corresponding effective evaluation values of a plurality of protection upgrade data packets in the traversal loading protection upgrade firmware, and outputting corresponding target loading protection upgrade firmware; determining a protection upgrade weight of the target loading protection upgrade firmware according to the target loading protection upgrade firmware and multi-round test information of past protection upgrade firmware in a past protection upgrade firmware data set; and finally, determining the target combined protection upgrade firmware according to the protection upgrade weights corresponding to the traversal loading protection upgrade firmware and the target loading protection upgrade firmware respectively.
For example, after the information security system determines the protection upgrade weight corresponding to each loading protection upgrade firmware in the loading protection upgrade firmware data set, the loading protection upgrade firmware with the protection upgrade weight larger than the preset protection upgrade weight threshold value can be selected from the loading protection upgrade firmware data set to serve as the traversal loading protection upgrade firmware; or, the information security system may also sort each loading protection upgrade firmware in the loading protection upgrade firmware data set according to the sequence of the protection upgrade weights from large to small, and then select a plurality of loading protection upgrade firmware with the top sorting as the traversal loading protection upgrade firmware.
Furthermore, the information security system can optimize the protection upgrade data packets in the traversal loading protection upgrade firmware according to the respective corresponding effective evaluation value of each protection upgrade data packet in the traversal loading protection upgrade firmware, realize the feature update of the traversal loading protection upgrade firmware, and output the corresponding target loading protection upgrade firmware. And performing protection upgrade evaluation according to the target loading protection upgrade firmware and each past protection upgrade firmware in the past protection upgrade firmware data set, and determining the protection upgrade weight of the target loading protection upgrade firmware according to the protection upgrade evaluation result. And finally, selecting the combined protection upgrading firmware with higher protection upgrading weight from the traversal loading protection upgrading firmware and the target loading protection upgrading firmware as the target combined protection upgrading firmware.
Therefore, selecting the loading protection upgrade firmware with the higher protection upgrade weight as the basis for feature update, according to the protection upgrade evaluation result corresponding to each loading protection upgrade firmware in the loading protection upgrade firmware data set, improves the decision efficiency for the target combination protection upgrade firmware and reduces unnecessary processing.
In addition, the information security system may also perform feature update on each loading protection upgrade firmware in the loading protection upgrade firmware data set, output a target loading protection upgrade firmware corresponding to each loading protection upgrade firmware, and correspondingly determine a protection upgrade weight corresponding to each target loading protection upgrade firmware. Furthermore, the information security system can comprehensively evaluate the protection upgrade weight corresponding to each loading protection upgrade firmware in the loading protection upgrade firmware data set and the protection upgrade weight corresponding to each target loading protection upgrade firmware, so that the combined protection upgrade firmware with higher adaptation is selected from each loading protection upgrade firmware and each target loading protection upgrade firmware to be used as the target combined protection upgrade firmware.
In the concept of the embodiment, the information security system updates the features of the loading protection upgrade firmware according to the respective effective evaluation value of each protection upgrade data packet in the loading protection upgrade firmware, so that a target loading protection upgrade firmware with a larger evaluation index can be obtained. The cases in which the effective evaluation value corresponding to the protection upgrade data packet has been standardized and in which it has not are distinguished below, and the corresponding feature update mode for the loading protection upgrade firmware is described for each.
When the valid evaluation value corresponding to the protection upgrade data packet is not standardized (i.e., the valid evaluation value corresponding to the protection upgrade data packet is determined directly according to the valid evaluation value corresponding policy corresponding to the upgrade node in step W102), the information security system may perform joint optimization on the loaded protection upgrade firmware in the following manner: for each protection upgrade data packet set in the loading protection upgrade firmware, determining an effective evaluation difference value between a protection upgrade data packet with the largest effective evaluation value and a protection upgrade data packet with the smallest effective evaluation value in the protection upgrade data packet set as an effective evaluation difference value corresponding to the protection upgrade data packet set; then, determining a protection upgrade data packet set with the maximum effective evaluation difference corresponding to the loading protection upgrade firmware as a target protection upgrade data packet set of the loading protection upgrade firmware; analyzing whether the upgrade reading position of each protection upgrade data packet in the target protection upgrade data packet set in the loading protection upgrade firmware is associated, if so, determining the joint optimization position of the loading protection upgrade firmware according to the upgrade reading positions of the protection upgrade data packet with the largest effective evaluation value and the protection upgrade data packet with the smallest effective evaluation value in the target protection upgrade data packet set in the loading protection upgrade firmware; and then, performing joint optimization on the loading protection upgrade firmware according to the joint optimization position of the loading protection upgrade firmware, and outputting optimized loading protection upgrade firmware, wherein the joint optimization is used for performing joint optimization on related extension packets on part of protection upgrade data packets in the two protection upgrade firmware.
Taking as an example the loading protection upgrade firmware [L1, L11, L12, L2, L21, L22, L3, L31, L32], where the respective effective evaluation values of the protection upgrade data packets are [100, 150, 300, 150, 110, 40, 35, 20, 10], L1, L11 and L12 belong to a first protection upgrade data packet set, L2, L21 and L22 belong to a second protection upgrade data packet set, L3 and L31 belong to a third protection upgrade data packet set, and L32 belongs to a fourth protection upgrade data packet set, the joint optimization mode of the loading protection upgrade firmware is introduced.
For example, for each of the first to fourth protection upgrade data packet sets, the quotient of the maximum effective evaluation value and the minimum effective evaluation value may be calculated as the effective evaluation difference corresponding to the protection upgrade data packet set; with this calculation method the effective evaluation difference value corresponding to the first protection upgrade data packet set is 3, that corresponding to the second protection upgrade data packet set is 3.75, that corresponding to the third protection upgrade data packet set is 1.75, and that corresponding to the fourth protection upgrade data packet set is 1 (since the fourth protection upgrade data packet set only includes one protection upgrade data packet, its effective evaluation difference value can be determined to be 1). The effective evaluation difference value corresponding to the second protection upgrade data packet set is the largest, so the second protection upgrade data packet set can be determined to be the target protection upgrade data packet set.
Further, whether an upgrade reading position of each protection upgrade data packet in the target protection upgrade data packet set in the loading protection upgrade firmware is associated or not is analyzed; and if so, determining a joint optimization position according to the upgrade reading positions of the protection upgrade data packet with the maximum effective evaluation value and the protection upgrade data packet with the minimum effective evaluation value in the target protection upgrade data packet set in the loading protection upgrade firmware. When the loading protection upgrade firmware needs to be subjected to joint optimization, the protection upgrade data packet which needs to be adjusted in the loading protection upgrade firmware can be determined according to the joint optimization position of the loading protection upgrade firmware.
The joint optimization refers to joint optimization of related extension packets performed on part of protection upgrade data packets in two protection upgrade firmware, and the implementation manner of the joint optimization is described below by taking joint optimization of the first loading protection upgrade firmware and the second loading protection upgrade firmware as an example.
When joint optimization is performed on the first loading protection upgrade firmware and the second loading protection upgrade firmware, a joint optimization position of the loading protection upgrade firmware with higher protection upgrade weight in the first loading protection upgrade firmware and the second loading protection upgrade firmware can be determined and used as a target joint optimization position; for example, if the protection upgrade weight of the first load protection upgrade firmware is greater than the protection upgrade weight of the second load protection upgrade firmware, the joint optimization position of the first load protection upgrade firmware may be used as the target joint optimization position. And taking a protection upgrade data packet with a logic relationship corresponding to the target joint optimization position and the target joint optimization position in the first loading protection upgrade firmware as a first traversal joint protection upgrade data packet, and taking a protection upgrade data packet with a logic relationship corresponding to the target joint optimization position and the target joint optimization position in the second loading protection upgrade firmware as a second traversal joint protection upgrade data packet. And then, expanding a first traversal joint protection upgrade data packet in the first loading protection upgrade firmware according to a second traversal joint protection upgrade data packet to obtain a first optimized loading protection upgrade firmware, and expanding a second traversal joint protection upgrade data packet in the second loading protection upgrade firmware according to the first traversal joint protection upgrade data packet to obtain a second optimized loading protection upgrade firmware.
For example, assume that the first load protection upgrade firmware is [L1, L11, L12, L2, L21, L22, L3, L31, L32], the second load protection upgrade firmware is [L4, L41, L42, L5, L51, L52, L6, L61, L62], and the protection upgrade weight of the first load protection upgrade firmware is greater than that of the second load protection upgrade firmware. Then the joint optimization position (e.g. the fifth bit) of the first load protection upgrade firmware may be used as the target joint optimization position, from which it may be determined that the first traversal joint protection upgrade data packet in the first load protection upgrade firmware includes [L21, L22, L3, L31, L32] and that the second traversal joint protection upgrade data packet in the second load protection upgrade firmware includes [L51, L52, L6, L61, L62]. Joint optimization of the first traversal joint protection upgrade data packet in the first load protection upgrade firmware with the second traversal joint protection upgrade data packet in the second load protection upgrade firmware, i.e. exchanging these two ranges, yields the first optimized load protection upgrade firmware [L1, L11, L12, L2, L51, L52, L6, L61, L62] and the second optimized load protection upgrade firmware [L4, L41, L42, L5, L21, L22, L3, L31, L32].
It should be noted that, the above joint optimization method is only used as a reference, and the information security system may also optimize only a preset number of protection upgrade data packets in the first loading protection upgrade firmware and the second loading protection upgrade firmware, for example, based on the target joint optimization position, select three protection upgrade data packets from the first loading protection upgrade firmware and the second loading protection upgrade firmware as traversal joint protection upgrade data packets; alternatively, the information security system may use the protection upgrade data packet corresponding to the target joint optimization position and before the target joint optimization position in the first load protection upgrade firmware and the second load protection upgrade firmware as the traversal joint protection upgrade data packet. The information security system is not limited in the way of traversing the joint protection upgrade data packet.
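The un-standardized joint optimization procedure above, worked through in code as an added example (not code from the patent): packets are grouped into sets by upgrade node, the set with the largest max/min quotient becomes the target set, the crossover position is derived from that set, and the tails of the two firmware are exchanged. The node labels, the contiguity test for "associated" reading positions, and the midpoint rule for the position are assumptions; the midpoint rule reproduces the "fifth bit" of the page's example.

```python
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

Packet = Tuple[str, str]  # (packet id, upgrade node)

# Constructed inputs (assumed, not from the patent): the node labels are chosen
# so that grouping by node reproduces the four packet sets of the worked example.
FIRST_FIRMWARE: List[Packet] = [
    ("L1", "dynamic"), ("L11", "dynamic"), ("L12", "dynamic"),
    ("L2", "static"), ("L21", "static"), ("L22", "static"),
    ("L3", "non-cyclic"), ("L31", "non-cyclic"),
    ("L32", "auxiliary"),
]
FIRST_VALUES = [100, 150, 300, 150, 110, 40, 35, 20, 10]
SECOND_FIRMWARE: List[Packet] = [
    ("L4", "dynamic"), ("L41", "dynamic"), ("L42", "dynamic"),
    ("L5", "static"), ("L51", "static"), ("L52", "static"),
    ("L6", "non-cyclic"), ("L61", "non-cyclic"),
    ("L62", "auxiliary"),
]


def group_by_node(firmware: List[Packet]) -> Dict[str, List[int]]:
    """Group packet positions by upgrade node, keeping first-seen order."""
    sets: Dict[str, List[int]] = OrderedDict()
    for pos, (_, node) in enumerate(firmware):
        sets.setdefault(node, []).append(pos)
    return sets


def evaluation_difference(values: List[float], positions: List[int]) -> float:
    """Largest divided by smallest effective value in a set (1 for a single packet)."""
    vals = [values[p] for p in positions]
    return max(vals) / min(vals)


def select_target_set(firmware: List[Packet], values: List[float]) -> List[int]:
    """The set whose evaluation difference is largest (ties: first in firmware order)."""
    return max(group_by_node(firmware).values(),
               key=lambda pos: evaluation_difference(values, pos))


def joint_optimization_position(firmware: List[Packet],
                                values: List[float]) -> Optional[int]:
    """0-based joint optimization position, or None if the target set is not associated."""
    positions = select_target_set(firmware, values)
    # Assumption: "associated" reading positions means the set occupies
    # consecutive positions in the firmware.
    if positions != list(range(positions[0], positions[-1] + 1)):
        return None
    best = max(positions, key=lambda p: values[p])
    worst = min(positions, key=lambda p: values[p])
    # Assumption: the position lies midway between the largest- and the
    # smallest-valued packet of the target set (index 4, the fifth packet, here).
    return (best + worst) // 2


def joint_optimize(first: List[Packet], first_values: List[float], first_weight: float,
                   second: List[Packet], second_values: List[float], second_weight: float
                   ) -> Tuple[List[Packet], List[Packet]]:
    """Exchange the tails of two firmware at the position taken from the heavier one."""
    if first_weight >= second_weight:
        pos = joint_optimization_position(first, first_values)
    else:
        pos = joint_optimization_position(second, second_values)
    if pos is None:
        return list(first), list(second)
    # The traversal joint packets are the packet at the position and every packet
    # after it; the two ranges are swapped between the firmware.
    return first[:pos] + second[pos:], second[:pos] + first[pos:]


if __name__ == "__main__":
    a, b = joint_optimize(FIRST_FIRMWARE, FIRST_VALUES, 0.9,
                          SECOND_FIRMWARE, [1] * 9, 0.5)
    print([p[0] for p in a])  # ['L1', 'L11', 'L12', 'L2', 'L51', 'L52', 'L6', 'L61', 'L62']
    print([p[0] for p in b])  # ['L4', 'L41', 'L42', 'L5', 'L21', 'L22', 'L3', 'L31', 'L32']
```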
Compared with the related-art approach of directly selecting the joint optimization position and the traversal joint protection upgrade data packets in the loading protection upgrade firmware at random, the embodiment selects the joint optimization position and the traversal joint protection upgrade data packets according to the respective effective evaluation value of each protection upgrade data packet in the loading protection upgrade firmware when performing joint optimization, so that the joint optimization is more targeted: the optimized loading protection upgrade firmware obtained through the joint optimization tends to have stronger evaluation indexes, and the decision effect of determining the target combined protection upgrade firmware can be improved.
When the valid evaluation value corresponding to the protection upgrade data packet is not standardized, the information security system may perform migration optimization on the loaded protection upgrade firmware in the following manner: for each protection upgrading data packet set in the loading protection upgrading firmware, configuring a corresponding optimization tendency value for each protection upgrading data packet in the protection upgrading data packet set according to the corresponding effective evaluation value of each protection upgrading data packet in the protection upgrading data packet set, wherein the optimization tendency value is in negative correlation with the effective evaluation value; then, according to the respective corresponding optimization tendency values of all protection upgrading data packets in the loading protection upgrading firmware, carrying out migration optimization on the loading protection upgrading firmware, and outputting target migration loading protection upgrading firmware; the migration optimization is used for migrating and changing part of protection upgrading data packages in the protection upgrading firmware into other protection upgrading data packages.
Still taking as an example the loading protection upgrade firmware [L1, L11, L12, L2, L21, L22, L3, L31, L32], where the respective effective evaluation values of the protection upgrade data packets are [100, 150, 300, 150, 110, 40, 35, 20, 10], L1, L11 and L12 belong to a first protection upgrade data packet set, L2, L21 and L22 belong to a second protection upgrade data packet set, L3 and L31 belong to a third protection upgrade data packet set, and L32 belongs to a fourth protection upgrade data packet set, the migration optimization mode of the loading protection upgrade firmware is introduced.
For example, for each protection upgrade data packet set in the first to fourth protection upgrade data packet sets, configuring a corresponding optimization tendency value for each protection upgrade data packet in the protection upgrade data packet set according to a respective effective evaluation value of each protection upgrade data packet; for example, for the first protection upgrade data packet set, where the effective evaluation value corresponding to L1 is 100, the effective evaluation value corresponding to L11 is 150, and the effective evaluation value corresponding to L12 is 300, according to the principle of negative association between the effective evaluation value and the optimization tendency value, an optimization tendency value 0.3 may be configured for L1, an optimization tendency value 0.2 may be configured for L11, and an optimization tendency value 0.1 may be configured for L12; for other protection upgrade data packet sets, corresponding optimization tendency values may also be configured for the protection upgrade data packet sets in a similar manner, and finally, the respective corresponding optimization tendency values [0.3, 0.2, 0.1, 0.05, 0.08, 0.3, 0.2, 0.25, 0.2] of each protection upgrade data packet in the loading protection upgrade firmware may be obtained.
And then, according to the respective corresponding optimization tendency values of the protection upgrading data packets in the loading protection upgrading firmware, determining the protection upgrading data packet of which the corresponding optimization tendency value is larger than the target heat value as the protection upgrading data packet to be converted. For a protection upgrade data packet to be converted in the loading protection upgrade firmware, selecting a different protection upgrade data packet from the traversal protection upgrade data packets to expand the protection upgrade data packet to be converted, for example, assuming that the protection upgrade data packet to be converted corresponds to a threat penetration vulnerability class, selecting any threat penetration vulnerability class from other traversal threat penetration vulnerability classes, and expanding the protection upgrade data packet to be converted according to the protection upgrade data packet corresponding to the threat penetration vulnerability class; for another example, assuming that the protection upgrade data packet to be converted corresponds to a threat penetration vulnerability path, any threat penetration vulnerability path may be selected from other traversal threat penetration vulnerability paths, and the protection upgrade data packet to be converted is extended according to the protection upgrade data packet corresponding to the threat penetration vulnerability path.
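The migration optimization procedure above, worked through in code as an added example (not code from the patent): a tendency value negatively correlated with the effective value is configured per packet within each set, and every packet whose tendency exceeds the target heat value is replaced by a different packet of the same kind (category or path). The concrete tendency rule, the kind labels, and the candidate pools are assumptions; the rule reproduces the page's values 0.3, 0.2, 0.1 for the first set but only the direction of the others, so the replacement step is also exercised with the page's own tendency list.

```python
import random
from collections import OrderedDict
from typing import Dict, List, Tuple

Packet = Tuple[str, str, str]  # (packet id, kind: "category" or "path", upgrade node)

# Constructed inputs (assumed, not from the patent). The first packet of each set
# is treated as a threat penetration vulnerability category, the rest as paths.
FIRMWARE: List[Packet] = [
    ("L1", "category", "dynamic"), ("L11", "path", "dynamic"), ("L12", "path", "dynamic"),
    ("L2", "category", "static"), ("L21", "path", "static"), ("L22", "path", "static"),
    ("L3", "category", "non-cyclic"), ("L31", "path", "non-cyclic"),
    ("L32", "path", "auxiliary"),
]
EFFECTIVE_VALUES = [100, 150, 300, 150, 110, 40, 35, 20, 10]
# Tendency values as given in the page's example, used to exercise the replacement step.
PAGE_TENDENCIES = [0.3, 0.2, 0.1, 0.05, 0.08, 0.3, 0.2, 0.25, 0.2]
# Assumed pools of other traversal categories/paths from which a replacement is drawn.
CANDIDATES: Dict[str, List[str]] = {
    "category": ["L1", "L2", "L3", "L4", "L5", "L6"],
    "path": ["L11", "L12", "L21", "L22", "L31", "L32", "L41", "L42", "L51", "L52", "L61", "L62"],
}


def configure_tendency(firmware: List[Packet], values: List[float]) -> List[float]:
    """Optimization tendency per packet, negatively correlated with its effective value.

    Assumed rule: 0.3 * (smallest value in the packet's set) / (packet value),
    so the lowest-valued packet of each set gets 0.3 and higher values get less.
    """
    by_node: Dict[str, List[int]] = OrderedDict()
    for pos, (_, _, node) in enumerate(firmware):
        by_node.setdefault(node, []).append(pos)
    tendencies = [0.0] * len(firmware)
    for positions in by_node.values():
        smallest = min(values[p] for p in positions)
        for p in positions:
            tendencies[p] = round(0.3 * smallest / values[p], 4)
    return tendencies


def migration_optimize(firmware: List[Packet], tendencies: List[float],
                       target_heat: float, candidates: Dict[str, List[str]],
                       seed: int = 0) -> Tuple[List[Packet], List[str]]:
    """Replace each packet whose tendency exceeds target_heat with a different
    packet of the same kind; returns (migrated firmware, ids that were replaced)."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    result: List[Packet] = []
    replaced: List[str] = []
    for (pid, kind, node), tend in zip(firmware, tendencies):
        if tend > target_heat:
            pool = [c for c in candidates[kind] if c != pid]
            result.append((rng.choice(pool), kind, node))
            replaced.append(pid)
        else:
            result.append((pid, kind, node))
    return result, replaced


if __name__ == "__main__":
    print(configure_tendency(FIRMWARE, EFFECTIVE_VALUES))
    migrated, swapped = migration_optimize(FIRMWARE, PAGE_TENDENCIES, 0.2, CANDIDATES)
    print(swapped)  # ['L1', 'L22', 'L31']
    print([p[0] for p in migrated])
```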
In the related art, an optimization tendency value is randomly configured for each protection upgrade data packet in the loading protection upgrade firmware, and migration optimization is performed according to the configured values. In this embodiment, by contrast, the optimization tendency value of each protection upgrade data packet in the loading protection upgrade firmware is configured according to its respective effective evaluation value, so that the migration optimization is more targeted: protection upgrade data packets with a higher effective evaluation value tend to be reserved, and those with a lower effective evaluation value are replaced. This makes it more likely that the target migration protection upgrade firmware obtained through migration optimization has a stronger evaluation index, and therefore improves the decision reliability of the target combination protection upgrade firmware.
When the effective evaluation value corresponding to the protection upgrade data packet is standardized (i.e., after the basic effective evaluation value corresponding to the protection upgrade data packet is determined according to the effective evaluation value corresponding policy corresponding to the upgrade node in step W102, the normative effective evaluation value corresponding to the protection upgrade data packet is determined according to the preset conversion template corresponding to the protection upgrade evaluation attribute), the information security system may perform joint optimization on the loaded protection upgrade firmware in the following manner: and determining an upgrade reading position of a protection upgrade data packet corresponding to the minimum standard effective evaluation value in the loading protection upgrade firmware as a joint optimization position of the loading protection upgrade firmware, performing joint optimization on the loading protection upgrade firmware according to the joint optimization position of the loading protection upgrade firmware, and outputting optimized loading protection upgrade firmware, wherein the joint optimization is consistent with the above-mentioned technical scheme of joint optimization and is also used for performing joint optimization on a part of protection upgrade data packets in two protection upgrade firmware by related extension packets.
Because the standardized operation is performed on the respective basic effective evaluation value of each protection upgrading data packet in the loading protection upgrading firmware, that is, the respective effective evaluation value of each protection upgrading data packet in the loading protection upgrading firmware is converted to the same level, the respective standard effective evaluation value of each protection upgrading data packet in the loading protection upgrading firmware can be directly and uniformly considered when the loading protection upgrading firmware is subjected to joint optimization. At this time, the upgrade reading position of the protection upgrade data packet in the loading protection upgrade firmware, where the corresponding standard effective evaluation value is the minimum, in the loading protection upgrade firmware can be directly determined as the joint optimization position of the loading protection upgrade firmware; furthermore, according to the joint optimization position of the loading protection upgrade firmware, determining a traversal joint protection upgrade data packet in the loading protection upgrade firmware, and when joint optimization is performed on the loading protection upgrade firmware and another loading protection upgrade firmware (the protection upgrade weight of the loading protection upgrade firmware is lower), migrating the traversal joint protection upgrade data packet in the loading protection upgrade firmware and the traversal joint protection upgrade data packet determined according to the joint optimization position in the other loading protection upgrade firmware, so as to obtain the optimized loading protection upgrade firmware.
It is worth mentioning that, reference may be made to the foregoing description for specific technical means for jointly optimizing the load protection upgrade firmware according to the joint optimization location of the load protection upgrade firmware.
Compared with the mode in the related art of directly selecting the joint optimization position and the traversal joint protection upgrade data packets in the loading protection upgrade firmware at random, when the loading protection upgrade firmware is subjected to joint optimization in this embodiment, the joint optimization position and the traversal joint protection upgrade data packet are selected according to the respective effective evaluation value of each protection upgrade data packet in the loading protection upgrade firmware, so that the joint optimization is more targeted; that is, the optimized loading protection upgrade firmware obtained through joint optimization tends to have a stronger evaluation index, and the efficiency of determining the target combined protection upgrade firmware can be correspondingly improved. In addition, since the joint optimization position of the loading protection upgrade firmware is determined according to the standard effective evaluation value obtained by the standardized operation, the determination process of the joint optimization position is simplified, and the decision reliability of the joint optimization position is improved.
When the valid evaluation value corresponding to the protection upgrade data packet is subjected to standardized operation, the information security system can perform migration optimization on the loading protection upgrade firmware in the following manner: configuring a corresponding optimization tendency value for each protection upgrading data packet in the loading protection upgrading firmware according to the respective corresponding standard effective evaluation value of each protection upgrading data packet in the loading protection upgrading firmware, wherein the optimization tendency value is in negative correlation with the standard effective evaluation value; and then, according to the respective optimization tendency value of each protection upgrade data packet in the loading protection upgrade firmware, performing migration optimization on the loading protection upgrade firmware, and outputting target migration loading upgrade firmware, wherein the migration optimization has the same meaning as the migration optimization mentioned above, and is also used for migrating and changing part of the protection upgrade data packets in the protection upgrade firmware into other protection upgrade data packets.
Because the standardized operation is performed on the respective basic effective evaluation value of each protection upgrading data packet in the loading protection upgrading firmware, that is, the respective effective evaluation value of each protection upgrading data packet in the loading protection upgrading firmware is converted to the same level, the respective standard effective evaluation value of each protection upgrading data packet in the loading protection upgrading firmware can be directly and uniformly considered when the loading protection upgrading firmware is migrated and optimized. At this time, according to the principle of negative association between the standard effective evaluation value and the optimization tendency value, and according to the respective corresponding standard effective evaluation value of each protection upgrade data packet in the loading protection upgrade firmware, the respective corresponding optimization tendency value of each protection upgrade data packet in the loading protection upgrade firmware can be correspondingly configured; and then, taking the protection upgrade data packets with the optimization tendency values larger than the target heat value corresponding to the loading protection upgrade firmware as protection upgrade data packets to be converted, and selecting any protection upgrade data packet from the traversal protection upgrade data packets to expand the protection upgrade data packets to be converted.
It should be noted that, for the technical means of performing migration optimization on the loading protection upgrade firmware according to the respective optimization tendency values of its protection upgrade data packets, reference may be made to the description of the above embodiment.
In the related art, an optimization tendency value is randomly configured for each protection upgrade data packet in the loading protection upgrade firmware, and migration optimization is performed according to the configured values. In this embodiment, by contrast, the optimization tendency value of each protection upgrade data packet in the loading protection upgrade firmware is configured according to its respective effective evaluation value, so that the migration optimization is more targeted: protection upgrade data packets with a higher effective evaluation value tend to be reserved, and those with a lower effective evaluation value are replaced. This makes it more likely that the target migration protection upgrade firmware obtained through migration optimization has a stronger evaluation index, so the efficiency of determining the target combination protection upgrade firmware may be correspondingly improved. In addition, since the optimization tendency value of each protection upgrade data packet in the loading protection upgrade firmware is determined directly from the standard effective evaluation value obtained by the standardized operation, the configuration process of the optimization tendency value is simplified and its configuration efficiency is improved.
The above-described feature update process for the loading protection upgrade firmware only performs one feature update (joint optimization or migration optimization) on the loading protection upgrade firmware, and in practical applications, the feature update process performed by the information security system for the loading protection upgrade firmware may also be formed by combining multiple feature update modes.
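The two feature update operators described above, migration optimization (tendency values negatively associated with the effective evaluation values, replacement of packets whose tendency exceeds the target heat value) and joint optimization (exchange of packets at the position of the minimum standard effective evaluation value), written out as an added Python example; this is not code from the patent. It assumes an inverse-proportional tendency mapping (which reproduces the page's 100, 150, 300 to 0.3, 0.2, 0.1), a conversion template that is a reference peak per vulnerability class or path, two firmwares with the same slot layout whose packets from the joint optimization position onward are exchanged, and constructed packet names; the protection upgrade weights that pick the final target firmware come from the page's evaluation against the past firmware data set and are not computed here.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One protection upgrade data packet: a named packet addressing one threat
    penetration vulnerability class or path (its ``kind``)."""
    name: str
    kind: str


def tendency_values(eval_values, scale=30.0):
    """Optimization tendency values, negatively associated with the effective
    evaluation values. Inverse proportion is an assumption; with scale 30 it
    reproduces the page's example 100 -> 0.3, 150 -> 0.2, 300 -> 0.1."""
    return [scale / v for v in eval_values]


def standardize(eval_values, kinds, template):
    """Standard effective evaluation values. The 'preset conversion template'
    is assumed to be a reference peak per kind; dividing by it puts packets of
    different kinds on one level so they can be compared directly."""
    return [v / template[k] for v, k in zip(eval_values, kinds)]


def migration_optimize(firmware, tendencies, heat, pool, rng):
    """Migration optimization: every packet whose tendency value exceeds the
    target heat value is a packet to be converted and is replaced by a
    different traversal packet of the same kind; all other packets are reserved."""
    out = []
    for pkt, t in zip(firmware, tendencies):
        if t > heat:
            alternatives = [c for c in pool[pkt.kind] if c != pkt]
            if alternatives:
                pkt = rng.choice(alternatives)
        out.append(pkt)
    return out


def joint_optimize(fw_high, fw_low, std_values_high):
    """Joint optimization of two firmwares with the same slot layout (assumed).
    The joint optimization position is the slot holding the minimum standard
    value in the higher-weight firmware; the traversal joint packets from that
    position onward are exchanged between the two firmwares."""
    pos = min(range(len(std_values_high)), key=std_values_high.__getitem__)
    return fw_high[:pos] + fw_low[pos:], fw_low[:pos] + fw_high[pos:]


# Constructed sample data, not taken from the patent.
POOL = {  # traversal protection upgrade data packets, grouped by kind
    "class-A": [Packet("L1", "class-A"), Packet("L2", "class-A")],
    "class-B": [Packet("L11", "class-B"), Packet("L13", "class-B")],
    "path-C": [Packet("L12", "path-C"), Packet("L14", "path-C")],
}
FIRMWARE_M = [POOL["class-A"][0], POOL["class-B"][0], POOL["path-C"][0]]  # L1, L11, L12
FIRMWARE_K = [POOL["class-A"][1], POOL["class-B"][1], POOL["path-C"][1]]  # L2, L13, L14
EVAL_M = [100.0, 150.0, 300.0]  # the page's example effective evaluation values
TEMPLATE = {"class-A": 200.0, "class-B": 600.0, "path-C": 600.0}  # assumed peaks
TARGET_HEAT = 0.15  # assumed target heat value


def names(firmware):
    return [p.name for p in firmware]


def demo(seed=7):
    """Joint optimization of M (assumed to carry the higher protection upgrade
    weight) with K, then migration optimization shown on M, whose evaluation
    values are known here; re-evaluating C and D first, as the page does, needs
    the external protection upgrade evaluation."""
    kinds = [p.kind for p in FIRMWARE_M]
    std_m = standardize(EVAL_M, kinds, TEMPLATE)  # [0.5, 0.25, 0.5] -> position 1
    fw_c, fw_d = joint_optimize(FIRMWARE_M, FIRMWARE_K, std_m)
    tend_m = tendency_values(EVAL_M)  # [0.3, 0.2, 0.1]; slots 0 and 1 exceed the heat
    fw_e = migration_optimize(FIRMWARE_M, tend_m, TARGET_HEAT, POOL, random.Random(seed))
    return {"C": names(fw_c), "D": names(fw_d), "E": names(fw_e)}


if __name__ == "__main__":
    for label, fw in demo().items():
        print(label, fw)
```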
In one embodiment, the information security system may perform joint optimization and then migration optimization on the load protection upgrade firmware. For example, after the information security system performs joint optimization on the loading protection upgrade firmware according to the joint optimization position of the loading protection upgrade firmware to obtain the optimized loading protection upgrade firmware, the effective evaluation values corresponding to a plurality of protection upgrade data packets in the optimized loading protection upgrade firmware and the protection upgrade weights of the cross-combined protection upgrade firmware can be determined according to the optimized loading protection upgrade firmware and the multi-round test information of the past protection upgrade firmware in the past protection upgrade firmware data set; then, according to respective corresponding effective evaluation values of a plurality of protection upgrading data packets in the optimized loading protection upgrading firmware, carrying out migration optimization on the optimized loading protection upgrading firmware, and outputting a target migration loading protection upgrading firmware; determining a protection upgrading weight of the target migration loading protection upgrading firmware according to the target migration loading protection upgrading firmware and the multi-round test information of the past protection upgrading firmware in the past protection upgrading firmware data set; finally, the target combination protection upgrade firmware can be determined according to the protection upgrade weights corresponding to the loading protection upgrade firmware, the optimized loading protection upgrade firmware and the target migration loading protection upgrade firmware.
For example, assume that the information security system performs joint optimization on the loading protection upgrade firmware M and the loading protection upgrade firmware K, and outputs the optimized loading protection upgrade firmware C and the optimized loading protection upgrade firmware D. At this time, the information security system needs to perform protection upgrade evaluation according to the optimized loading protection upgrade firmware C and each past protection upgrade firmware in the past protection upgrade firmware data set, determine the respective effective evaluation value of each protection upgrade data packet in the optimized loading protection upgrade firmware C according to the trusted value of the threat penetration vulnerability class or threat penetration vulnerability path corresponding to that protection upgrade data packet in each protection upgrade evaluation, and determine the protection upgrade weight of the optimized loading protection upgrade firmware C according to its protection upgrade evaluation result in each protection upgrade evaluation; for the optimized loading protection upgrade firmware D, the information security system also needs to determine the respective effective evaluation value of each protection upgrade data packet in the optimized loading protection upgrade firmware D and the protection upgrade weight of the optimized loading protection upgrade firmware D in the same manner.
Then, the information security system can respectively perform migration optimization on the optimized loading protection upgrade firmware C and the optimized loading protection upgrade firmware D, that is, the information security system can configure a corresponding optimization tendency value for each protection upgrade data packet in the optimized loading protection upgrade firmware C according to the respective effective evaluation value of each protection upgrade data packet in the optimized loading protection upgrade firmware C, perform migration optimization on the optimized loading protection upgrade firmware C according to the respective optimization tendency value of each protection upgrade data packet in the optimized loading protection upgrade firmware C, and output a corresponding target migration loading protection upgrade firmware E; for the optimized loading protection upgrade firmware D, the information security system may also perform migration optimization on the optimized loading protection upgrade firmware D in the same manner, and output the corresponding target migration loading protection upgrade firmware L.
Then, the information security system can perform protection upgrade evaluation according to the target migration loading protection upgrade firmware E and each past protection upgrade firmware in the past protection upgrade firmware data set, and determine the protection upgrade weight of the target migration loading protection upgrade firmware E according to the protection upgrade evaluation result of the target migration loading protection upgrade firmware E in each protection upgrade evaluation; and performing protection upgrade evaluation according to the target migration loading protection upgrade firmware L and each past protection upgrade firmware in the past protection upgrade firmware data set, and determining the protection upgrade weight of the target migration loading protection upgrade firmware L according to the protection upgrade evaluation result of the target migration loading protection upgrade firmware L in each protection upgrade evaluation.
Therefore, the information security system can select the combined protection upgrade firmware with higher protection upgrade weight from the loading protection upgrade firmware M, the loading protection upgrade firmware K, the optimized loading protection upgrade firmware C, the optimized loading protection upgrade firmware D, the target migration loading protection upgrade firmware E and the target migration loading protection upgrade firmware L according to the corresponding protection upgrade weights of the loading protection upgrade firmware M, the loading protection upgrade firmware K, the optimized loading protection upgrade firmware C, the optimized loading protection upgrade firmware D, the target migration loading protection upgrade firmware E and the target migration loading protection upgrade firmware L respectively to serve as the target combined protection upgrade firmware.
In another embodiment, the information security system may perform migration optimization and then joint optimization on the load protection upgrade firmware. For example, the information security system performs migration optimization on the loading protection upgrade firmware according to the respective optimization tendency values of the protection upgrade data packets in the loading protection upgrade firmware, and after the target migration loading protection upgrade firmware is output, determines respective effective evaluation values of a plurality of protection upgrade data packets in the target migration loading upgrade firmware and protection upgrade weights of the target migration loading upgrade firmware according to the target migration loading upgrade firmware and the multi-round test information of the past protection upgrade firmware in the past protection upgrade firmware data set; then, performing joint optimization on the target migration loading protection upgrade firmware according to respective corresponding effective evaluation values of a plurality of protection upgrade data packets in the target migration loading protection upgrade firmware, outputting optimized loading protection upgrade firmware, and determining protection upgrade weights of the optimized loading protection upgrade firmware according to the optimized loading protection upgrade firmware and multi-round test information of past protection upgrade firmware in a past protection upgrade firmware data set; finally, the target combination protection upgrade firmware can be determined according to the protection upgrade weights corresponding to the loading protection upgrade firmware, the target migration loading protection upgrade firmware and the optimized loading protection upgrade firmware.
For example, it is assumed that the information security system performs migration optimization on the loading protection upgrade firmware M and the loading protection upgrade firmware K, and outputs the target migration loading protection upgrade firmware G and the target migration loading protection upgrade firmware L. At this time, the information security system needs to perform protection upgrade evaluation according to the target migration loading protection upgrade firmware G and each past protection upgrade firmware in the past protection upgrade firmware data set, determine the respective effective evaluation value of each protection upgrade data packet in the target migration loading protection upgrade firmware G according to the trusted value of the threat penetration vulnerability class or threat penetration vulnerability path corresponding to that protection upgrade data packet in each protection upgrade evaluation, and determine the protection upgrade weight of the target migration loading protection upgrade firmware G according to its protection upgrade evaluation result in each protection upgrade evaluation; for the target migration loading protection upgrade firmware L, the information security system also needs to determine the respective effective evaluation value of each protection upgrade data packet in the target migration loading protection upgrade firmware L and the protection upgrade weight of the target migration loading protection upgrade firmware L in the same manner.
Then, the information security system can perform joint optimization on the target migration loading protection upgrade firmware G and the target migration loading protection upgrade firmware L. Taking as an example the case where the protection upgrade weight of the target migration loading protection upgrade firmware G is greater than that of the target migration loading protection upgrade firmware L, the information security system can determine a target joint optimization position according to the effective evaluation value corresponding to each protection upgrade data packet in the target migration loading protection upgrade firmware G; then, according to the target joint optimization position, determine a traversal joint protection upgrade data packet in the target migration loading protection upgrade firmware G and a traversal joint protection upgrade data packet in the target migration loading protection upgrade firmware L, perform migration processing on these traversal joint protection upgrade data packets, and output an optimized loading protection upgrade firmware I and an optimized loading protection upgrade firmware J.
Furthermore, the information security system can perform protection upgrade evaluation according to the optimized loading protection upgrade firmware I and each past protection upgrade firmware in the past protection upgrade firmware data set, and determine the protection upgrade weight of the optimized loading protection upgrade firmware I according to the protection upgrade evaluation result of the optimized loading protection upgrade firmware I in each protection upgrade evaluation; and performing protection upgrade evaluation according to the optimized loading protection upgrade firmware J and each past protection upgrade firmware in the past protection upgrade firmware data set, and determining the protection upgrade weight of the optimized loading protection upgrade firmware J according to the protection upgrade evaluation result of the optimized loading protection upgrade firmware J in each protection upgrade evaluation.
Finally, the information security system can select, from the loading protection upgrade firmware M, the loading protection upgrade firmware K, the target migration loading protection upgrade firmware G, the target migration loading protection upgrade firmware L, the optimized loading protection upgrade firmware I and the optimized loading protection upgrade firmware J, the combined protection upgrade firmware with the higher protection upgrade weight according to their respective protection upgrade weights, and use it as the target combined protection upgrade firmware.
When the target combination protection upgrade firmware is specifically determined, the information security system can determine the target to-be-determined combination protection upgrade firmware according to the protection upgrade weights corresponding to the loading protection upgrade firmware and the target loading protection upgrade firmware respectively; then, analyzing whether the target undetermined combined protection upgrade firmware is matched with a preset condition; if so, taking the target pending combination protection upgrade firmware as the target combination protection upgrade firmware; if not, the target pending combined protection upgrade firmware is required to be used as a new loading protection upgrade firmware, and then the step W102 and the step W103 are executed for the loading protection upgrade firmware until the obtained target pending combined protection upgrade firmware matches the preset condition.
For example, after the information security system performs feature update on the loading protection upgrade firmware to obtain a corresponding target loading protection upgrade firmware, and determines the protection upgrade weight of the target loading protection upgrade firmware, the information security system may use, as the target to-be-determined combined protection upgrade firmware, the combined protection upgrade firmware having a higher protection upgrade weight in the loading protection upgrade firmware and the target loading protection upgrade firmware. At this time, the information security system can analyze whether the target pending combined protection upgrade firmware matches a preset condition; if so, the evaluation index of the target undetermined combined protection upgrade firmware is large enough, and the target undetermined combined protection upgrade firmware can be used as the final target combined protection upgrade firmware; if not, the evaluation index of the target undetermined combined protection upgrade firmware is not large enough, at this time, the target undetermined combined protection upgrade firmware needs to be used as the loading protection upgrade firmware again, the steps W102 and W103 are executed in a returning mode, iterative processing is carried out, and the target undetermined combined protection upgrade firmware with better evaluation index is output.
In the above embodiment, the randomly constructed loading protection upgrade firmware is subjected to feature update to obtain a target combination protection upgrade firmware with a stronger evaluation index; and when the characteristics of the loading protection upgrade firmware are updated, the corresponding effective evaluation value of each protection upgrade data packet in the loading protection upgrade firmware is comprehensively considered, the protection upgrade data packet to be adjusted in the loading protection upgrade firmware is determined according to the corresponding effective evaluation value of each protection upgrade data packet in the loading protection upgrade firmware, and then the protection upgrade data packet is adjusted to obtain the target loading protection upgrade firmware. The effective evaluation value corresponding to the protection upgrade data packet in the loading protection upgrade firmware is determined according to the effective condition of the threat penetration vulnerability category or the threat penetration vulnerability path corresponding to the protection upgrade data packet in the protection upgrade evaluation involving the loading protection upgrade firmware, so that the effective evaluation value corresponding to the protection upgrade data packet in the loading protection upgrade firmware can correspondingly reflect the influence of the protection upgrade data packet on the global evaluation index of the loading protection upgrade firmware, and the loading protection upgrade firmware is subjected to feature update by combining the effective evaluation value corresponding to the protection upgrade data packet in the loading protection upgrade firmware, so that the feature update is more targeted, the optimization is more inclined to the direction of enhancing the evaluation index, the target combination protection upgrade firmware with the key evaluation index is obtained, and the protection upgrade performance is improved.
According to the same inventive concept, the information security system 100 may have a relatively large difference due to different configurations or performances, and may include one or more Central Processing Units (CPUs) 112 (e.g., one or more processors) and a memory 111. Wherein the memory 111 may be a transient storage or a persistent storage. The program stored in memory 111 may include one or more modules, each of which may include a sequence of instructions that operate on information security system 100. Further, the central processor 112 may be configured to communicate with the memory 111 to execute a series of instructional operations on the information security system 100 in the memory 111.
Information security system 100 may also include one or more power supplies, one or more communication units 113, one or more input-output interfaces, and/or one or more operating systems, such as Windows Server, Mac OS XTM, UnixTM, LinuxTM, FreeBSDTM, and the like.
In addition, a storage medium is provided in an embodiment of the present application, and the storage medium is used for storing a computer program, and the computer program is used for executing the method provided in the embodiment.
The embodiment of the present application also provides a computer program product including instructions, which when run on a computer, causes the computer to execute the method provided by the above embodiment.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium may be at least one of the following media: various media that can store program codes, such as Read-only Memory (ROM), RAM, magnetic disk, or optical disk.
It should be noted that, in the present specification, all the embodiments are described in a progressive manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus and system embodiments, since they are substantially similar to the method embodiments, they are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described embodiments of the apparatus and system are merely illustrative, and units described as separate components may or may not be physically separate, and components displayed as units may or may not be physical units, that is, may correspond to one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only one specific embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A threat vulnerability decision method based on information security big data, applied to an information security system, characterized by comprising the following steps:
searching a real-time protection list for a traversal threat protection activity and a traversal sensitive service request activity of a core subscription service interface;
analyzing a target threat protection fingerprint corresponding to the traversal threat protection activity and a target sensitive service request fingerprint corresponding to the traversal sensitive service request activity, wherein the threat protection fingerprint represents the chain node to which the threat protection activity is mapped in a threat intelligence chain, the sensitive service request fingerprint represents the chain node to which the sensitive service request activity is mapped in the threat intelligence chain, the chain nodes of the threat intelligence chain are the behavior track nodes of the threat penetration track in a historical threat behavior model and of the various historical threat behavior intelligence, and the chain node relationships are the penetration relationships among those behavior track nodes;
performing a threat penetration vulnerability decision according to the target threat protection fingerprint, the target sensitive service request fingerprint and the threat intelligence chain, and outputting target threat penetration vulnerability information, wherein the target threat penetration vulnerability information represents the threat penetration routing relationship between the traversal threat protection activity and the traversal sensitive service request activity; and
performing security protection reinforcement on the core subscription service interface according to the target threat penetration vulnerability information.
2. The threat vulnerability decision method based on information security big data according to claim 1, wherein performing the threat penetration vulnerability decision according to the target threat protection fingerprint, the target sensitive service request fingerprint and the threat intelligence chain and outputting the target threat penetration vulnerability information comprises:
performing independent intelligence feature extraction on the threat intelligence subchains of the threat intelligence chain and outputting independent threat intelligence features, wherein each threat intelligence subchain consists of a first behavior track node, a second behavior track node and the node penetration relationship between them, and the independent threat intelligence features represent the chain nodes and the subchain relationship vectors of the threat intelligence chain as a distribution of encoded vectors; and
loading the target threat protection fingerprint, the target sensitive service request fingerprint and the independent threat intelligence features into a threat penetration vulnerability decision network, and outputting the target threat penetration vulnerability information;
wherein the threat penetration vulnerability decision network comprises a variable decision structure, a variable clustering structure, a variable optimization structure and a decision structure;
and wherein loading the target threat protection fingerprint, the target sensitive service request fingerprint and the independent threat intelligence features into the threat penetration vulnerability decision network and outputting the target threat penetration vulnerability information comprises:
loading the target threat protection fingerprint and the target sensitive service request fingerprint into the variable decision structure, and outputting a threat protection fingerprint variable corresponding to the target threat protection fingerprint and a sensitive service request fingerprint variable corresponding to the target sensitive service request fingerprint;
loading the threat protection fingerprint variable and the sensitive service request fingerprint variable into the variable clustering structure for variable clustering, and outputting a first threat penetration vulnerability variable;
loading the first threat penetration vulnerability variable and the independent threat intelligence features into the variable optimization structure for variable optimization, and outputting a second threat penetration vulnerability variable; and
loading the second threat penetration vulnerability variable into the decision structure, and outputting the target threat penetration vulnerability information.
3. The threat vulnerability decision method based on information security big data according to claim 1, wherein after searching the real-time protection list for the traversal threat protection activity and the traversal sensitive service request activity of the core subscription service interface, the method further comprises:
performing independent intelligence feature extraction on a target persistent item session log corresponding to the traversal threat protection activity and the traversal sensitive service request activity to obtain a target persistent item session feature, wherein the target persistent item session log comprises a target threat protection persistent item of the traversal threat protection activity and a target sensitive service request persistent item of the traversal sensitive service request activity, and the target persistent item session feature comprises a threat protection persistent item member corresponding to the target threat protection persistent item and a sensitive service request persistent item member corresponding to the target sensitive service request persistent item;
and wherein performing the threat penetration vulnerability decision according to the target threat protection fingerprint, the target sensitive service request fingerprint and the threat intelligence chain and outputting the target threat penetration vulnerability information comprises:
performing the threat penetration vulnerability decision according to the target threat protection fingerprint, the target sensitive service request fingerprint, the threat intelligence chain and the target persistent item session feature, and outputting the target threat penetration vulnerability information.
4. The threat vulnerability decision method based on information security big data according to any one of claims 1 to 3, wherein after searching the real-time protection list for the traversal threat protection activity and the traversal sensitive service request activity of the core subscription service interface, the method further comprises:
when it is determined that the traversal threat protection activity or the traversal sensitive service request activity does not exist in the threat intelligence chain, acquiring threat protection transaction data, wherein the threat protection transaction data comprises the threat penetration track and the historical threat behavior intelligence corresponding to the traversal threat protection activity, or the threat penetration track and the historical threat behavior intelligence corresponding to the traversal sensitive service request activity; and
adjusting the threat intelligence chain according to the threat protection transaction data.
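Claims 1 and 4 read most naturally as a graph problem: the threat intelligence chain is a directed graph of behavior track nodes joined by penetration relationships, a fingerprint maps an observed activity onto one of those nodes, and the "routing relationship" between a protection activity and a sensitive request is the set of penetration paths joining their nodes. The following is an added example written for this page, not code from the patent; the node names, the fingerprint lookup table, the historical tracks and the transaction data it adds under claim 4 are all constructed, and the patent does not say how fingerprints are actually derived.

```python
"""Added example (not the patent's code): a threat intelligence chain modeled
as a directed graph, with the fingerprint lookup, routing decision and chain
adjustment of claims 1 and 4. Node names, fingerprints and tracks below are
constructed for illustration."""


class ThreatIntelligenceChain:
    """Chain nodes are behavior track nodes; a chain node relationship is a
    penetration relationship (directed edge) between two of them."""

    def __init__(self):
        self.edges = {}  # node -> set of nodes it can penetrate into

    def add_track(self, track):
        """Add a threat penetration track (ordered behavior track nodes):
        every node becomes a chain node and consecutive nodes get an edge."""
        for node in track:
            self.edges.setdefault(node, set())
        for src, dst in zip(track, track[1:]):
            self.edges[src].add(dst)

    def contains(self, node):
        return node in self.edges

    def penetration_paths(self, src, dst, max_hops=8):
        """Every simple path from src to dst of at most max_hops edges.
        A non-empty result is the threat penetration routing relationship
        between the two activities that hit src and dst."""
        found = []
        stack = [[src]]
        while stack:
            path = stack.pop()
            node = path[-1]
            if node == dst and len(path) > 1:
                found.append(path)
                continue
            if len(path) > max_hops:
                continue
            for nxt in sorted(self.edges.get(node, ())):
                if nxt not in path:
                    stack.append(path + [nxt])
        return found


# Constructed fingerprint table: observed activity -> chain node it maps to
# (the patent does not say how a fingerprint is derived; this is a lookup).
FINGERPRINTS = {
    "waf_block_sqli_login": "inject_sqli",
    "ids_alert_phishing_link": "phish_credentials",
    "edr_block_ransom_dropper": "drop_ransomware",
    "read_customer_pii": "read_pii_api",
    "bulk_export_request": "export_bulk_records",
}


def build_reference_chain():
    """Chain built from two constructed historical threat penetration tracks."""
    chain = ThreatIntelligenceChain()
    chain.add_track(["probe_login_endpoint", "inject_sqli",
                     "dump_session_tokens", "replay_token", "read_pii_api"])
    chain.add_track(["phish_credentials", "replay_token", "export_bulk_records"])
    return chain


def decide_penetration(chain, protection_activity, request_activity,
                       transaction_data=()):
    """Claim 1: map both activities to chain nodes and return the routing
    relationship between them. Claim 4: if either node is missing from the
    chain, first adjust the chain with the threat protection transaction
    data (here: extra penetration tracks) and then decide."""
    src = FINGERPRINTS.get(protection_activity)
    dst = FINGERPRINTS.get(request_activity)
    if src is None or dst is None:
        raise KeyError(f"no fingerprint for {protection_activity!r} / {request_activity!r}")
    adjusted = False
    if not (chain.contains(src) and chain.contains(dst)):
        for track in transaction_data:
            chain.add_track(track)
            adjusted = True
    if not (chain.contains(src) and chain.contains(dst)):
        return {"adjusted": adjusted, "paths": []}  # still unknown: nothing to decide
    return {"adjusted": adjusted, "paths": chain.penetration_paths(src, dst)}


if __name__ == "__main__":
    chain = build_reference_chain()
    print(decide_penetration(chain, "waf_block_sqli_login", "read_customer_pii"))
    print(decide_penetration(chain, "edr_block_ransom_dropper", "bulk_export_request",
                             transaction_data=[["drop_ransomware", "encrypt_shares",
                                                "export_bulk_records"]]))
```

The point worth noticing is the second call: the ransomware dropper node is absent from the chain, so the routing decision is empty until the chain is adjusted with the transaction data, which is exactly the ordering claim 4 imposes. Reinforcement decisions taken on an unadjusted chain would silently report "no path" for any activity the chain has never seen.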
5. The threat vulnerability decision method based on information security big data according to any one of claims 1 to 3, wherein the method further comprises:
acquiring a threat intelligence chain, wherein the chain nodes of the threat intelligence chain are the behavior track nodes in a reference data cluster, the chain node relationships are the penetration relationships among those behavior track nodes, and the reference data cluster comprises a reference threat penetration track and a plurality of historical threat behavior intelligence;
loading independent threat intelligence features corresponding to the threat intelligence chain, a reference threat protection fingerprint and a reference sensitive service request fingerprint into a threat penetration vulnerability decision network, and outputting threat penetration vulnerability decision information, wherein the reference threat protection fingerprint represents the chain node to which a reference threat protection activity is mapped in the threat intelligence chain, the reference sensitive service request fingerprint represents the chain node to which a reference sensitive service request activity is mapped in the threat intelligence chain, a reference persistent item session log comprises a threat protection persistent item of the reference threat protection activity and a sensitive service request persistent item of the reference sensitive service request activity, and the threat penetration vulnerability decision information is a threat penetration track having a threat penetration routing relationship; and
adjusting the network weights of the threat penetration vulnerability decision network according to the threat penetration vulnerability decision information and reference threat penetration vulnerability information, wherein the reference threat penetration vulnerability information represents the threat penetration routing relationship between the reference threat protection activity and the reference sensitive service request activity.
6. The threat vulnerability decision method based on information security big data according to claim 5, wherein after acquiring the threat intelligence chain, the method further comprises:
performing independent intelligence feature extraction on the threat intelligence subchains of the threat intelligence chain and outputting the independent threat intelligence features, wherein each threat intelligence subchain consists of a first behavior track node, a second behavior track node and the node penetration relationship between them, and the independent threat intelligence features represent the chain nodes and the subchain relationship vectors of the threat intelligence chain as a distribution of encoded vectors.
7. The threat vulnerability decision method based on information security big data according to claim 5, wherein before loading the independent threat intelligence features corresponding to the threat intelligence chain, the reference threat protection fingerprint and the reference sensitive service request fingerprint into the threat penetration vulnerability decision network and outputting the threat penetration vulnerability decision information, the method further comprises:
performing independent intelligence feature extraction on a reference persistent item session log corresponding to the reference threat protection activity and the reference sensitive service request activity to obtain a reference persistent item session feature, wherein the reference persistent item session log comprises a reference threat protection persistent item of the reference threat protection activity and a reference sensitive service request persistent item of the reference sensitive service request activity, and the reference persistent item session feature comprises a threat protection persistent item member corresponding to the reference threat protection persistent item and a sensitive service request persistent item member corresponding to the reference sensitive service request persistent item;
and wherein loading the independent threat intelligence features corresponding to the threat intelligence chain, the reference threat protection fingerprint and the reference sensitive service request fingerprint into the threat penetration vulnerability decision network and outputting the threat penetration vulnerability decision information comprises:
loading the independent threat intelligence features, the reference threat protection fingerprint, the reference sensitive service request fingerprint and the reference persistent item session feature into the threat penetration vulnerability decision network, and outputting the threat penetration vulnerability decision information.
8. The threat vulnerability decision method based on information security big data according to any one of claims 5 to 7, wherein before acquiring the threat intelligence chain, the method further comprises:
determining, according to threat intelligence category labels, the clustering mode of each of a plurality of reference data clusters of a reference network, wherein the clustering modes corresponding to different threat intelligence category labels differ; and
clustering the reference threat penetration tracks according to the clustering modes, and outputting reference threat penetration training data and reference threat penetration test data corresponding to each threat intelligence category label;
wherein adjusting the network weights of the threat penetration vulnerability decision network according to the threat penetration vulnerability decision information and the reference threat penetration vulnerability information comprises:
adjusting the network weights of the threat penetration vulnerability decision network according to the threat penetration vulnerability decision information and the reference threat penetration vulnerability information of target reference threat penetration training data, wherein the target reference threat penetration training data is the reference threat penetration training data corresponding to the current threat intelligence category label;
wherein the method further comprises:
performing a network training performance test on the threat penetration vulnerability decision network according to the threat penetration vulnerability decision information and the reference threat penetration vulnerability information of target reference threat penetration test data, wherein the target reference threat penetration test data is the reference threat penetration test data corresponding to the current threat intelligence category label;
wherein clustering the reference threat penetration tracks according to the clustering modes and outputting the reference threat penetration training data and the reference threat penetration test data corresponding to each threat intelligence category label comprises:
when the threat intelligence category label is determined to be a worm threat intelligence label, clustering the reference threat penetration tracks into first reference threat penetration training data and first reference threat penetration test data, wherein the reference threat protection activities and the reference sensitive service request activities in the first reference threat penetration test data are related to the first reference threat penetration training data;
when the threat intelligence category label is determined to be a Trojan threat intelligence label, clustering the reference threat penetration tracks into second reference threat penetration training data and second reference threat penetration test data, wherein the reference sensitive service request activities in the second reference threat penetration test data are related to the second reference threat penetration training data; and
when the threat intelligence category label is determined to be a hacker intrusion threat intelligence label, clustering the reference threat penetration tracks into third reference threat penetration training data and third reference threat penetration test data, wherein the reference threat protection activities in the third reference threat penetration test data are related to the third reference threat penetration training data;
and wherein clustering the reference threat penetration tracks according to the clustering modes and outputting the reference threat penetration training data and the reference threat penetration test data corresponding to each threat intelligence category label further comprises:
clustering the reference threat penetration tracks according to the clustering modes, and outputting a positive reference data cluster of the reference threat penetration training data and the reference threat penetration test data;
constructing threat penetration units from the threat protection activities and the sensitive service request activities in the positive reference data cluster respectively, and outputting a threat penetration unit cluster;
screening target threat penetration units out of the threat penetration unit cluster according to preset configuration feature information of the positive reference data cluster; and
cleaning the data duplicated between the positive reference data cluster and the target threat penetration units, and outputting a negative reference data cluster of the reference threat penetration training data and the reference threat penetration test data.
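Claim 8 describes two data-preparation steps that are easy to get wrong in practice: a train/test split whose "relatedness" rule differs per threat category, and negative-sample construction that pairs protection activities with sensitive requests and then removes any pair that also occurs as a positive. The following is an added example written for this page, not the patent's code. The reference records, the category labels, the deterministic split rule and the "preset configuration feature" used for screening (here: both activities of a negative unit must belong to the same category) are all constructed assumptions about what the claim leaves unspecified.

```python
"""Added example (not the patent's code): building the per-label reference
training/test split and the positive/negative reference data clusters that
claim 8 describes. The records, labels and the "preset configuration
feature" used for screening are constructed assumptions."""
from itertools import product

# Constructed reference threat penetration tracks. Each record names the
# threat protection activity and the sensitive service request activity
# that the track connects, plus its threat intelligence category label.
REFERENCE_TRACKS = [
    {"label": "worm", "protection": "ids_block_smb_scan", "request": "smb_admin_share_write"},
    {"label": "worm", "protection": "av_quarantine_worm", "request": "wmi_remote_exec"},
    {"label": "worm", "protection": "ids_block_smb_scan", "request": "wmi_remote_exec"},
    {"label": "trojan", "protection": "edr_block_c2_beacon", "request": "read_browser_credentials"},
    {"label": "trojan", "protection": "dns_sinkhole_c2", "request": "screenshot_capture"},
    {"label": "trojan", "protection": "edr_block_c2_beacon", "request": "screenshot_capture"},
    {"label": "hacker_intrusion", "protection": "waf_block_sqli", "request": "dump_user_table"},
    {"label": "hacker_intrusion", "protection": "fail2ban_ssh", "request": "read_ssh_keys"},
    {"label": "hacker_intrusion", "protection": "waf_block_sqli", "request": "export_bulk_records"},
]

# Claim 8's clustering modes: which activities of a test record must already
# occur in the training data of the same label.
SPLIT_RULES = {
    "worm": ("protection", "request"),
    "trojan": ("request",),
    "hacker_intrusion": ("protection",),
}


def split_by_label(records, label, test_every=3):
    """Walk the label's records in order; every test_every-th record is a test
    candidate and is kept as test data only if it is related to the training
    data in the way SPLIT_RULES[label] demands, otherwise it becomes training
    data. Deterministic, so the split is reproducible."""
    train, test = [], []
    for i, rec in enumerate(r for r in records if r["label"] == label):
        seen = {field: {t[field] for t in train} for field in SPLIT_RULES[label]}
        is_candidate = (i + 1) % test_every == 0
        if is_candidate and all(rec[f] in seen[f] for f in SPLIT_RULES[label]):
            test.append(rec)
        else:
            train.append(rec)
    return train, test


def build_clusters(records):
    """Positive cluster: the (protection, request) pairs the tracks really
    connect. Negative cluster: the other protection x request units that pass
    the screen, with anything duplicated in the positive cluster removed."""
    positives = {(r["protection"], r["request"]) for r in records}
    label_of = {}
    for r in records:  # constructed data: each activity belongs to one label
        label_of[r["protection"]] = r["label"]
        label_of[r["request"]] = r["label"]
    protections = {r["protection"] for r in records}
    requests = {r["request"] for r in records}
    units = set(product(protections, requests))
    # Preset configuration feature (assumption): a negative unit must pair
    # activities of the same threat category, so negatives are hard cases
    # rather than obviously unrelated pairs.
    screened = {(p, q) for p, q in units if label_of[p] == label_of[q]}
    negatives = screened - positives
    return sorted(positives), sorted(negatives)


def build_dataset(records=REFERENCE_TRACKS):
    """Per label: training and test data, each as (positive, negative) clusters."""
    dataset = {}
    for label in SPLIT_RULES:
        train, test = split_by_label(records, label)
        dataset[label] = {"train": build_clusters(train), "test": build_clusters(test)}
    return dataset
```

Two checks are worth keeping around whatever the real data looks like: no pair may appear in both the positive and the negative cluster (that is the duplicate cleaning of the last step of the claim), and every test record must satisfy its label's relatedness rule against the training records, otherwise the network training performance test measures something other than what claim 8 intends.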
9. The threat vulnerability decision method based on information security big data according to any one of claims 1 to 8, wherein performing the security protection reinforcement on the core subscription service interface according to the target threat penetration vulnerability information comprises:
generating a security protection upgrade process for the core subscription service interface in the traversal sensitive service request activity according to the target threat penetration vulnerability information, and acquiring, according to the target threat penetration vulnerability information, a loaded protection upgrade firmware dataset related to the security protection upgrade process of the core subscription service interface and a past protection upgrade firmware dataset, wherein the loaded protection upgrade firmware dataset corresponds to a plurality of loaded protection upgrade firmware, the past protection upgrade firmware dataset corresponds to a plurality of past protection upgrade firmware, each loaded protection upgrade firmware and each past protection upgrade firmware corresponds to a plurality of protection upgrade data packets, and each protection upgrade data packet corresponds to a threat penetration vulnerability category or a threat penetration vulnerability path;
for each loaded protection upgrade firmware in the loaded protection upgrade firmware dataset, determining the effective evaluation value of each of the plurality of protection upgrade data packets in that loaded protection upgrade firmware and the protection upgrade weight of that loaded protection upgrade firmware according to multi-round test information of the loaded protection upgrade firmware and of the past protection upgrade firmware in the past protection upgrade firmware dataset, wherein the effective evaluation value of a protection upgrade data packet represents how effective the threat penetration vulnerability category or threat penetration vulnerability path corresponding to that packet was in the protection upgrade evaluation, and the protection upgrade weight represents the influence of the protection upgrade firmware in the protection upgrade evaluations in which it participated;
for each loaded protection upgrade firmware in the loaded protection upgrade firmware dataset, optimizing its protection upgrade data packets according to their respective effective evaluation values, and outputting a target loaded protection upgrade firmware;
determining the protection upgrade weight of the target loaded protection upgrade firmware according to multi-round test information of the target loaded protection upgrade firmware and of the past protection upgrade firmware in the past protection upgrade firmware dataset; and
determining a target combined protection upgrade firmware according to the protection upgrade weights of the loaded protection upgrade firmware and of the target loaded protection upgrade firmware, and performing the security protection reinforcement on the core subscription service interface according to the target combined protection upgrade firmware.
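Claim 9 is a scoring and selection procedure over protection upgrade firmware: score each packet by how well it held up in testing, drop the packets that did not, re-weight the pruned firmware, and assemble a combination from the best-weighted pieces. The following is an added example written for this page, not the patent's code. It assumes a firmware is a map from vulnerability path to packet, that "multi-round test information" is a list of rounds that each exercise one path and record which firmware blocked it, and that the effective evaluation value, the upgrade weight and the 1/2 cut-off are the simple ratios shown; the firmware names, packets and rounds are constructed.

```python
"""Added example (not the patent's code): scoring and combining protection
upgrade firmware as claim 9 describes. A firmware is a set of protection
upgrade data packets keyed by the threat penetration vulnerability path each
packet covers; "multi-round test information" is modeled as rounds that each
exercise one path and record which firmware blocked it. Firmware names,
packets and rounds are constructed."""
from fractions import Fraction

# Constructed firmware: name -> {vulnerability path: packet id}
PAST_FIRMWARE = {
    "past-2021q3": {"sqli->dump_user_table": "p-sqli-v1",
                    "phish->token_replay": "p-mfa-v1"},
}
LOADED_FIRMWARE = {
    "fw_A": {"sqli->dump_user_table": "a-sqli-v2",
             "phish->token_replay": "a-mfa-v1",
             "ssrf->cloud_metadata": "a-ssrf-v1"},
    "fw_B": {"sqli->dump_user_table": "b-sqli-v1",
             "ssrf->cloud_metadata": "b-ssrf-v2",
             "deser->rce": "b-deser-v1"},
}
# Constructed multi-round test information: (path exercised, firmware that blocked it)
ROUNDS = [
    ("sqli->dump_user_table", {"past-2021q3", "fw_A"}),
    ("sqli->dump_user_table", {"fw_A"}),
    ("phish->token_replay", {"past-2021q3", "fw_A"}),
    ("ssrf->cloud_metadata", {"fw_B"}),
    ("ssrf->cloud_metadata", {"fw_A", "fw_B"}),
    ("deser->rce", set()),
]


def effective_values(fw_name, packets, rounds):
    """Effective evaluation value per packet: share of the rounds on the
    packet's path that this firmware blocked (0 if the path was never tested,
    so an untested packet earns no credit)."""
    values = {}
    for path in packets:
        tested = [blocked for p, blocked in rounds if p == path]
        hits = sum(1 for blocked in tested if fw_name in blocked)
        values[path] = Fraction(hits, len(tested)) if tested else Fraction(0)
    return values


def upgrade_weight(fw_name, packets, rounds):
    """Protection upgrade weight: share of all rounds in which one of this
    firmware's packets blocked the exercised path."""
    hits = sum(1 for path, blocked in rounds if path in packets and fw_name in blocked)
    return Fraction(hits, len(rounds))


def optimize_packets(fw_name, packets, rounds, threshold=Fraction(1, 2)):
    """Target loaded firmware: keep only packets whose effective value meets
    the threshold (assumed cut-off), so ineffective packets are not shipped."""
    values = effective_values(fw_name, packets, rounds)
    return {path: pkt for path, pkt in packets.items() if values[path] >= threshold}


def combine_firmware(loaded, rounds, threshold=Fraction(1, 2)):
    """Target combined firmware: for each path take the packet with the best
    (effective value, firmware weight) among the optimized loaded firmware.
    Returns the packet map and which firmware each packet came from."""
    best = {}  # path -> ((value, weight), packet, firmware)
    for fw_name, packets in loaded.items():
        target = optimize_packets(fw_name, packets, rounds, threshold)
        weight = upgrade_weight(fw_name, target, rounds)
        values = effective_values(fw_name, target, rounds)
        for path, pkt in target.items():
            key = (values[path], weight)
            if path not in best or key > best[path][0]:
                best[path] = (key, pkt, fw_name)
    combination = {path: entry[1] for path, entry in best.items()}
    sources = {path: entry[2] for path, entry in best.items()}
    return combination, sources


def combination_weight(sources, rounds):
    """Weight of the combined firmware: a round counts as blocked when the
    firmware that supplied the packet for that path blocked it."""
    hits = sum(1 for path, blocked in rounds if path in sources and sources[path] in blocked)
    return Fraction(hits, len(rounds))


if __name__ == "__main__":
    combo, sources = combine_firmware(LOADED_FIRMWARE, ROUNDS)
    print(combo, sources, combination_weight(sources, ROUNDS))
```

On the constructed rounds, fw_B's SQL injection and deserialization packets never block anything and are pruned, fw_A's SSRF packet is outscored by fw_B's on the same path, and the combination covers more rounds than either firmware alone. The caveat the claim does not state but a practitioner needs: a packet whose path was never exercised in testing gets a zero value here and is dropped, so the test rounds have to cover every path the firmware claims to protect or the optimization step will silently discard untested but necessary packets.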
10. An information security system, comprising:
a processor; and
a memory storing a computer program that, when executed by the processor, implements the threat vulnerability decision method based on information security big data of any one of claims 1 to 9.
CN202111588594.9A 2021-12-23 2021-12-23 Threat vulnerability mining method based on big information security data and information security system Withdrawn CN114238992A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111588594.9A CN114238992A (en) 2021-12-23 2021-12-23 Threat vulnerability mining method based on big information security data and information security system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111588594.9A CN114238992A (en) 2021-12-23 2021-12-23 Threat vulnerability mining method based on big information security data and information security system

Publications (1)

Publication Number Publication Date
CN114238992A true CN114238992A (en) 2022-03-25

Family

ID=80761851

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111588594.9A Withdrawn CN114238992A (en) 2021-12-23 2021-12-23 Threat vulnerability mining method based on big information security data and information security system

Country Status (1)

Country Link
CN (1) CN114238992A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114697143A (en) * 2022-06-02 2022-07-01 苏州英博特力信息科技有限公司 Information processing method based on fingerprint attendance system and fingerprint attendance service system
CN114697143B (en) * 2022-06-02 2022-08-23 苏州英博特力信息科技有限公司 Information processing method based on fingerprint attendance system and fingerprint attendance service system

Similar Documents

Publication Publication Date Title
Alsaheel et al. {ATLAS}: A sequence-based learning approach for attack investigation
Zeng et al. Survey of attack graph analysis methods from the perspective of data and knowledge processing
US9071636B2 (en) Predictive scoring management system for application behavior
CN114730339A (en) Detecting unknown malicious content in a computer system
CN112269316B (en) High-robustness threat hunting system and method based on graph neural network
US11106801B1 (en) Utilizing orchestration and augmented vulnerability triage for software security testing
US20120143844A1 (en) Multi-level coverage for crawling selection
Wang et al. A novel local search algorithm with configuration checking and scoring mechanism for the set k‐covering problem
Wei et al. Deephunter: A graph neural network based approach for robust cyber threat hunting
Aminanto et al. Wi-Fi intrusion detection using weighted-feature selection for neural networks classifier
Yang et al. A novel similarity measure of link prediction in multi‐layer social networks based on reliable paths
CN110704846A (en) Intelligent human-in-loop security vulnerability discovery method
Abawajy et al. Hybrid consensus pruning of ensemble classifiers for big data malware detection
Kavallieratos et al. Attack path analysis for cyber physical systems
Casas-Roma et al. Anonymizing graphs: measuring quality for clustering
CN113343073A (en) Big data and artificial intelligence based information fraud identification method and big data system
CN115065545A (en) Big data threat perception-based security protection construction method and AI (Artificial Intelligence) protection system
CN113592034B (en) Content push method and AI (Artificial Intelligence) management and control system based on big data visualization mining processing
CN114584361A (en) Security vulnerability analysis method based on deep learning and big data and cloud computing system
CN114201199B (en) Protection upgrading method based on big data of information security and information security system
Kaiser et al. Cyber threat intelligence enabled automated attack incident response
CN114238992A (en) Threat vulnerability mining method based on big information security data and information security system
CN110889493A (en) Method and device for adding disturbance aiming at relational network
CN113722711A (en) Data adding method based on big data security vulnerability mining and artificial intelligence system
CN114978765B (en) Big data processing method for information attack defense and AI attack defense system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20220325