CN115428398A - Server threat assessment method and related product - Google Patents


Info

Publication number
CN115428398A
Authority
CN
China
Prior art keywords
alarm
server
threat
score
preset
Prior art date
Legal status
Pending
Application number
CN202080099493.2A
Other languages
Chinese (zh)
Inventor
吴崇武
Current Assignee
Guangdong Oppo Mobile Telecommunications Corp Ltd
Shenzhen Huantai Technology Co Ltd
Original Assignee
Guangdong Oppo Mobile Telecommunications Corp Ltd
Shenzhen Huantai Technology Co Ltd
Application filed by Guangdong Oppo Mobile Telecommunications Corp Ltd and Shenzhen Huantai Technology Co Ltd
Publication of CN115428398A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
  • Alarm Systems (AREA)

Abstract

A server threat assessment method and related products are applied to a server. The server threat assessment method comprises the following steps: determining at least one alarm from the acquired traffic data (101); performing a first category division of the at least one alarm (102); calculating, according to a first preset formula, a first threat score of each category of alarm to the server under the first category division (103); calculating a second threat score of the traffic data to the server according to the first threat score and a second preset formula (104); and presenting the first threat score and the second threat score (105). The method can accurately detect and quantify the current threat situation of the server, and improves the intelligence and accuracy of server threat assessment.

Description

Server threat assessment method and related product
Technical Field
The application relates to the field of computers, in particular to a server threat assessment method and a related product.
Background
A network host threat is a security threat against a system that provides services to users. The most common network host threat is a DoS (denial of service) attack. A DoS attack typically exhausts system bandwidth or resources by using a large number of legitimate or forged requests to occupy network and device resources, so that the network and the system can no longer serve their purpose. DoS attacks are currently among the most powerful attacks and the hardest to defend against. Besides DoS attacks, the security of the server itself and of the data resources on it is also threatened by attackers who gain control of the server by attacking the services the host provides; the most common methods are SQL injection, malicious file upload, other vulnerability exploitation, and the like.
Most existing systems that produce threat situation reports as server scores directly use the malicious score from the alarm logs, or the maximum or the sum over multiple alarms, as the index of the server threat. Although this can describe a server threat, evaluating by a maximum or a sum lacks discrimination between malicious categories, because different categories carry different degrees of threat, and when the result is computed uniformly the impact of critical logs may be lost.
Disclosure of Invention
The embodiment of the application provides a server threat assessment method and a related product, which can accurately detect and quantify the current threat situation of a server, and improve the intelligence and the accuracy of the server threat assessment method.
In a first aspect, a server threat assessment method according to an embodiment of the present application is applied to a server, and includes:
determining at least one alarm according to the acquired flow data;
performing first category division on the at least one alarm;
calculating a first threat score of each category alarm to the server under the first category alarm according to a first preset formula;
calculating to obtain a second threat score of the traffic data to the server according to the first threat score and a second preset formula;
displaying the first threat score and the second threat score.
In a second aspect, an embodiment of the present application provides a server threat assessment apparatus, applied to a server, where the apparatus includes: a processing unit and a communication unit, wherein,
the processing unit is used for determining at least one alarm according to the acquired flow data, performing first category division on the at least one alarm, calculating a first threat score of each category of alarm on the server under the first category of alarm according to a first preset formula, and calculating a second threat score of the flow data on the server according to the first threat score and a second preset formula;
the communication unit is used for displaying the first threat score and the second threat score.
In a third aspect, an embodiment of the present application provides a server, including a processor, a memory, a communication interface, and one or more programs, where the one or more programs are stored in the memory and configured to be executed by the processor, and the program includes instructions for executing the steps in the first aspect of the embodiment of the present application.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program for electronic data exchange, where the computer program enables a computer to perform some or all of the steps described in the first aspect of the embodiment of the present application.
In a fifth aspect, embodiments of the present application provide a computer program product, where the computer program product includes a non-transitory computer-readable storage medium storing a computer program, where the computer program is operable to cause a computer to perform some or all of the steps as described in the first aspect of the embodiments of the present application. The computer program product may be a software installation package.
It can be seen that, in the embodiment of the present application, the server first determines at least one alarm from the acquired traffic data, performs first category division on the at least one alarm, then calculates the first threat score of each category of alarm to the server according to a first preset formula, then calculates the second threat score of the traffic data to the server according to the first threat score and a second preset formula, and finally displays the first threat score and the second threat score. Because the server calculates a threat score separately for each type of alarm and then combines the results by weighting, the security of the server can be evaluated more accurately, alarm types that carry little alarm information are less likely to be overlooked, the threat degree of the server is described more intuitively by the threat scores, and the accuracy and intelligence of the application are improved.
Drawings
Reference will now be made in brief to the drawings that are needed in describing embodiments or prior art.
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1A is a schematic structural diagram of a server according to an embodiment of the present application;
FIG. 1B is a schematic diagram of an architecture for implementing a server threat assessment method according to an embodiment of the present application;
FIG. 1C is a schematic flowchart of a server threat assessment method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart diagram illustrating another server threat assessment method disclosed in an embodiment of the present application;
fig. 3 is a schematic structural diagram of another server disclosed in the embodiment of the present application;
fig. 4 is a schematic structural diagram of a server threat assessment apparatus according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," and the like in the description and claims of the present application and in the above-described drawings are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
The following describes embodiments of the present application in detail.
Referring to fig. 1A, fig. 1A is a schematic structural diagram of a server according to an embodiment of the present disclosure, and the server 100 may include a control circuit, which may include a storage and processing circuit 110. The storage and processing circuitry 110 may be memory, such as hard disk drive memory, non-volatile memory (e.g., flash memory or other electronically programmable read-only memory used to form a solid state drive, etc.), volatile memory (e.g., static or dynamic random access memory, etc.), etc., and embodiments of the present application are not limited thereto. Processing circuitry in storage and processing circuitry 110 may be used to control the operation of server 100. The processing circuitry may be implemented based on one or more microprocessors, microcontrollers, baseband processors, power management units, audio codec chips, application specific integrated circuits, display driver integrated circuits, and the like.
The storage and processing circuitry 110 may be used to run software in the server 100, such as an internet browsing application, a Voice Over Internet Protocol (VOIP) telephone call application, an email application, a media playing application, operating system functions, and so forth. Such software may be used to perform control operations such as camera-based image capture, ambient light measurement based on an ambient light sensor, proximity sensor measurement based on a proximity sensor, information display functionality based on status indicators such as status indicator lights of light emitting diodes, touch event detection based on touch sensors, functionality associated with displaying information on multiple (e.g., layered) displays, operations associated with performing wireless communication functions, operations associated with collecting and generating audio signals, control operations associated with collecting and processing button press event data, and other functions in the server 100, for example, and without limitation.
The server 100 may also include input-output circuitry 150. The input-output circuit 150 is operable to cause the server 100 to effect input and output of data, i.e., to allow the server 100 to receive data from external devices and also to allow the server 100 to output data from the server 100 to external devices. The input-output circuit 150 may further include a sensor 170. The sensors 170 may include ambient light sensors, proximity sensors based on light and capacitance, touch sensors (e.g., based on optical touch sensors and/or capacitive touch sensors, where the touch sensors may be part of a touch display screen or used independently as a touch sensor structure), acceleration sensors, gravity sensors, and other sensors, among others.
Input-output circuitry 150 may also include one or more displays, such as display 130. Display 130 may include one or a combination of liquid crystal displays, organic light emitting diode displays, electronic ink displays, plasma displays, displays using other display technologies. Display 130 may include an array of touch sensors (i.e., display 130 may be a touch display screen). The touch sensor may be a capacitive touch sensor formed by a transparent touch sensor electrode (e.g., an Indium Tin Oxide (ITO) electrode) array, or may be a touch sensor formed using other touch technologies, such as acoustic wave touch, pressure sensitive touch, resistive touch, optical touch, and the like, and embodiments of the present application are not limited thereto.
The audio component 140 may be used to provide audio input and output functionality for the server 100. The audio components 140 in the server 100 may include speakers, microphones, buzzers, tone generators, and other components for generating and detecting sound.
The communication circuit 120 may be used to provide the server 100 with the ability to communicate with external devices. The communication circuit 120 may include analog and digital input-output interface circuits, and wireless communication circuits based on radio frequency signals and/or optical signals. The wireless communication circuitry in communication circuitry 120 may include radio-frequency transceiver circuitry, power amplifier circuitry, low noise amplifiers, switches, filters, and antennas. For example, the wireless communication circuitry in communication circuitry 120 may include circuitry to support Near Field Communication (NFC) by transmitting and receiving near field coupled electromagnetic signals. For example, the communication circuit 120 may include a near field communication antenna and a near field communication transceiver. The communications circuitry 120 may also include a cellular telephone transceiver and antenna, a wireless local area network transceiver circuitry and antenna, and so forth.
The server 100 may further include a battery, power management circuitry, and other input-output units 160. The input-output unit 160 may include buttons, joysticks, click wheels, scroll wheels, touch pads, keypads, keyboards, cameras, light emitting diodes and other status indicators, and the like.
A user may input commands through the input-output circuitry 150 to control operation of the server 100 and may use output data of the input-output circuitry 150 to enable receipt of status information and other outputs from the server 100.
Based on this, please refer to fig. 1B, which provides a system architecture for implementing the method of the embodiment of the present application. The method may be applied to a server located in an Internet Data Center (IDC). Traffic from an electronic device or browser (i.e., another host) is transmitted to the IDC room and mirrored at the core switch: one copy of the traffic is processed by the service host, and the other copy is analysed out of band (bypass analysis) by a traffic analysis system.
Based on the system framework shown in fig. 1B, the following method can be implemented; the method is applied to a server and is specifically as follows:
determining at least one alarm according to the acquired flow data;
performing first category division on the at least one alarm;
calculating a first threat score of each category alarm to the server under the first category alarm according to a first preset formula;
calculating to obtain a second threat score of the traffic data to the server according to the first threat score and a second preset formula;
displaying the first threat score and the second threat score.
It can be seen that, in the embodiment of the present application, the server first determines at least one alarm from the acquired traffic data, performs first category division on the at least one alarm, then calculates the first threat score of each category of alarm to the server under the first category division according to a first preset formula, then calculates the second threat score of the traffic data to the server according to the first threat score and a second preset formula, and finally displays the first threat score and the second threat score. Because the server calculates a threat score separately for each type of alarm and then merges the results by weighting, the security of the server can be evaluated more accurately, alarm types that carry little alarm information are less likely to be overlooked, the threat degree of the host is described more intuitively by the threat scores, and the accuracy and intelligence of the application are improved.
Referring to fig. 1C, fig. 1C is a schematic flowchart of a server threat assessment method according to an embodiment of the present disclosure, where the server threat assessment method described in this embodiment is applied to a server shown in fig. 1A or a system architecture shown in fig. 1B, and the server threat assessment method includes:
101. at least one alarm is determined according to the acquired flow data.
In one possible example, determining at least one alarm from the acquired traffic data includes: loading a preset intelligence library; receiving traffic data from a terminal; analysing the traffic data to obtain a plurality of data characteristics; and matching the data characteristics against the preset intelligence library to determine at least one alarm.
The preset intelligence library is the body of knowledge that helps people find threats and decide how to handle them; the security community has long relied on it, and it includes a vulnerability library, a fingerprint library, an IP reputation library, a URL reputation library, and the like.
The data in the preset intelligence library can be updated at a preset period.
The data characteristics can be data identifiers, and matching is carried out in the intelligence library according to the different identifiers.
102. Perform first category division on the at least one alarm.
The first categories may be malicious website access, malicious IP access, and the like.
Malicious website access means that the host actively accesses a malicious website, which may be a site carrying viruses, a site from which viruses and Trojan files are downloaded, a phishing site, and the like; it is matched and alarmed using the URL reputation library.
Malicious IP access means that an external IP with known or discovered malicious behaviour accesses the target host. Because the malicious IP has exhibited malicious behaviour before, it is likely to launch the same type of attack again; it is matched and alarmed using the IP reputation library.
Both malicious website detection and malicious IP detection are implemented by matching against the preset intelligence library.
103. Calculate a first threat score of each type of alarm to the server under the first category division according to a first preset formula.
The threat score expresses the threat degree of the current server, that is, an index that comprehensively evaluates the various threats the server suffers; the higher the threat score, the higher the likelihood that the server is attacked, intruded, or even controlled.
In one possible example, the calculating a first threat score for each category alarm of the first category alarms to the server according to a first preset formula includes: analyzing each type of alarm under the first type of alarm to obtain at least one piece of alarm information under each type of alarm, wherein the at least one piece of alarm information comprises an alarm type, a threat degree corresponding to each alarm type and access times within a time range; and substituting the at least one piece of alarm information into the first preset calculation formula to obtain the first threat score.
For example, take the malicious website threat calculation. Malicious website detection is produced by matching against the preset intelligence library, and the information obtainable from it includes the malicious website classification, the malicious degree (score), and the number of accesses within the time range. The above information is the main factor influencing the server threat, and different malicious website types threaten the server differently; for example, a site classified as Trojan and a pornographic site pose different threats. Malicious websites of different classifications are therefore given different base weights (weight_i) according to a preset database.
In a specific implementation, the first preset calculation formula is as follows:
[First preset calculation formula: image PCTCN2020099962-APPB-000001, not reproduced in the text]
p_i: probability of occurrence of each alarm type; λ: hyper-parameter; score: the threat degree of a given type in the alarm information; weight_i: weight of each alarm type under the same alarm category; SCORE_MalWebsite: the server's threat score for this category of alarm.
Negation is applied to p_i: the larger the probability of a given type, the smaller 1 - p_i becomes.
When the occurrence counts differ by orders of magnitude, λ achieves balance by adjusting the size of the parameter.
j represents the time period between t1 and t2.
i represents the different alarm types under the same alarm category.
Optionally, before substituting the at least one piece of alarm information into the first preset calculation formula to obtain the first threat score, the method further includes:
acquiring the number of each alarm type within the time range; and calculating the proportion of the number of each alarm type in the preset intelligence library to obtain the probability p_i of each alarm type.
Optionally, before calculating the proportion of the number of each alarm type in the preset intelligence library to obtain the occurrence probability p_i of each alarm type, the method further includes: detecting whether the number of each alarm type is less than a preset number; if so, determining the target alarm types whose number is less than the preset number; acquiring the number of entries of those target alarm types in the preset intelligence library; and replacing the number of the target alarm types with that library count.
For example, p_i, the probability of each malicious website type, could be calculated from the count of each malicious classification in the actual alarm data, but the number of malicious accesses is often small, and with few samples the calculated probability differs greatly from the true value. A bold assumption is therefore made here: the more data of a malicious type the preset intelligence library contains, the larger the probability of an alarm of that type. The larger the number of malicious websites in the library, the better its malicious distribution represents most situations, and the actual alarm situation is assumed to match the distribution of the library.
Optionally, before substituting the at least one piece of alarm information into the first preset calculation formula to obtain the first threat score, the method further includes: acquiring the number of each alarm type within the time range; and determining the hyper-parameter corresponding to each alarm type according to the order of magnitude by which the numbers of the alarm types differ.
The order of magnitude of the difference between the numbers of the alarm types corresponds one to one with the hyper-parameter.
Therefore, in this example, setting a separate weight for each alarm type makes the classification more accurate; by assuming that the amount of intelligence in the intelligence library is proportional to the number of alarms, the deviation that an insufficient actual alarm count would introduce into the threat degree calculation is converted into the principle that events with a large probability occur more often; and the non-event probability together with the hyper-parameter balances cases in which the occurrence counts of different types of malicious events differ enormously, so that the accuracy and intelligence of the application are improved.
104. Calculate a second threat score of the traffic data to the server according to the first threat score and a second preset formula.
In one possible example, calculating the second threat score of the traffic data to the server according to the first threat score and the second preset formula includes: normalizing the first threat score to obtain at least one target value SCORE_l; querying the preset intelligence library to obtain the weight corresponding to the at least one target value; and substituting the weight and the at least one target value into the second preset calculation formula to obtain the second threat score of the traffic data to the server.
Normalization processes the data so that the processed values are limited to a certain range, typically the interval [0, 1] or [-1, 1].
The corresponding relationship between the target value and the weight may be one-to-one, one-to-many, or many-to-many, and is not limited herein.
In a specific implementation, the second preset calculation formula is:
[Second preset calculation formula: image PCTCN2020099962-APPB-000002, not reproduced in the text]
weight_l: weight of each category of alarm; SCORE_l: the normalized threat degree value calculated by a single server for each alarm category; SCORE_total: the second threat score of the server.
As can be seen, in this example the second threat score describes the degree of the current server threat intuitively; it does not by itself serve as a verdict on whether the server has been, or is suspected of having been, intruded.
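The following Python pipeline is an added worked example (not code from the patent) that carries steps 101 to 104 through on a constructed intelligence library and constructed traffic records. Both preset formulas appear in the patent only as images, so the exact shapes used here are my assumptions built from the factors the text names: the ln(1 + n_i)/λ access-count term, the order-of-magnitude rule for λ, MIN_SAMPLES as the "preset number" below which library counts stand in for observed counts, and the s/(s + SCALE) normalisation feeding the weight_l-weighted total.

```python
"""Two-level server threat scoring: alarms -> per-category score -> SCORE_total.
Library, traffic and formula shapes are constructed assumptions, not the patent's own."""
from collections import Counter
from dataclasses import dataclass
import math

# Constructed preset intelligence library: indicator -> (category, alarm type, threat degree "score").
LIBRARY = {
    "bad-trojan.example": ("malicious_website", "trojan", 90),      # URL reputation entries
    "drop.example": ("malicious_website", "trojan", 90),
    "adult.example": ("malicious_website", "porn", 30),
    "phish-login.example": ("malicious_website", "phishing", 70),
    "203.0.113.7": ("malicious_ip", "scanner", 40),                 # IP reputation entries
    "198.51.100.9": ("malicious_ip", "bruteforce", 60),
}
TYPE_WEIGHT = {"trojan": 1.0, "porn": 0.3, "phishing": 0.8, "scanner": 0.5, "bruteforce": 0.9}  # weight_i
CATEGORY_WEIGHT = {"malicious_website": 0.6, "malicious_ip": 0.4}                            # weight_l
MIN_SAMPLES = 5   # assumed "preset number": below it the library count replaces the observed count
SCALE = 50.0      # assumed normalisation constant for the second formula

# Constructed traffic records: (timestamp, source IP, requested host).
TRAFFIC = [
    (100, "192.0.2.10", "bad-trojan.example"),
    (110, "192.0.2.10", "bad-trojan.example"),
    (120, "192.0.2.11", "drop.example"),
    (130, "192.0.2.12", "adult.example"),
    (140, "203.0.113.7", "intranet.example"),
    (150, "203.0.113.7", "intranet.example"),
    (160, "198.51.100.9", "intranet.example"),
    (900, "192.0.2.13", "phish-login.example"),  # outside the window [t1, t2], must be ignored
]

@dataclass(frozen=True)
class Alarm:
    category: str
    atype: str
    score: int

def determine_alarms(records, t1, t2):
    """Step 101: match the data characteristics (host, source IP) of records in [t1, t2]."""
    alarms = []
    for ts, src_ip, host in records:
        if not t1 <= ts <= t2:
            continue
        for key in (host, src_ip):
            if key in LIBRARY:
                alarms.append(Alarm(*LIBRARY[key]))
    return alarms

def classify(alarms):
    """Step 102: first category division."""
    groups = {}
    for a in alarms:
        groups.setdefault(a.category, []).append(a)
    return groups

def type_probabilities(category, observed):
    """p_i per alarm type as a proportion of counts; a type observed fewer than
    MIN_SAMPLES times uses its library count instead (the small-sample rule)."""
    lib_counts = Counter(t for c, t, _ in LIBRARY.values() if c == category)
    counts = {t: (lib_n if observed.get(t, 0) < MIN_SAMPLES else observed[t])
              for t, lib_n in lib_counts.items()}
    total = sum(counts.values())
    return {t: n / total for t, n in counts.items()}

def choose_lambda(observed):
    """Hyper-parameter lambda from the order-of-magnitude spread of the counts (assumed mapping)."""
    nonzero = [n for n in observed.values() if n > 0]
    if len(nonzero) < 2:
        return 1
    return 1 + int(math.log10(max(nonzero) / min(nonzero)))

def category_threat_score(category, alarms):
    """Step 103, assumed shape of the first preset formula:
    sum_i weight_i * score_i * (1 - p_i) * ln(1 + n_i) / lambda."""
    observed = Counter(a.atype for a in alarms)
    score_of = {a.atype: a.score for a in alarms}
    p = type_probabilities(category, observed)
    lam = choose_lambda(observed)
    return sum(TYPE_WEIGHT[t] * score_of[t] * (1 - p[t]) * math.log1p(n) / lam
               for t, n in observed.items())

def total_threat_score(first_scores):
    """Step 104, assumed shape of the second preset formula: normalise each category
    score into [0, 1) with s / (s + SCALE), then take the weight_l-weighted mean."""
    normalised = {c: s / (s + SCALE) for c, s in first_scores.items()}
    wsum = sum(CATEGORY_WEIGHT[c] for c in normalised)
    return normalised, sum(CATEGORY_WEIGHT[c] * v for c, v in normalised.items()) / wsum

def assess(records, t1, t2):
    """Run steps 101-104 and return the first scores, their normalised values and SCORE_total."""
    groups = classify(determine_alarms(records, t1, t2))
    first = {c: category_threat_score(c, al) for c, al in groups.items()}
    normalised, total = total_threat_score(first)
    return {"first": first, "normalised": normalised, "total": total}
```

Running `assess(TRAFFIC, 0, 200)` drops the out-of-window record, yields four website alarms and three IP alarms, and because every observed count is below MIN_SAMPLES the p_i values come from the library proportions.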
105. Display the first threat score and the second threat score.
It can be seen that, in the embodiment of the present application, the server first determines at least one alarm from the acquired traffic data, performs first category division on the at least one alarm, then calculates the first threat score of each category of alarm to the server according to a first preset formula, then calculates the second threat score of the traffic data to the server according to the first threat score and a second preset formula, and finally displays the first threat score and the second threat score. Because the server calculates a threat score separately for each type of alarm and then combines the results by weighting, the security of the server can be evaluated more accurately, alarm types that carry little alarm information are less likely to be overlooked, the threat degree of the server is described more intuitively by the threat scores, and the accuracy and intelligence of the application are improved.
In accordance with the above, referring to fig. 2, fig. 2 is a schematic flow chart of another server threat assessment method provided in an embodiment of the present application, where the server threat assessment method described in this embodiment is applied to the server shown in fig. 1A or the system architecture shown in fig. 1B, and the method may include the following steps:
201. Determine at least one alarm from the acquired traffic data.
202. Perform first category division on the at least one alarm.
203. Analyse each type of alarm under the first category division to obtain at least one piece of alarm information for each type of alarm, where the at least one piece of alarm information includes an alarm type, the threat degree corresponding to each alarm type, and the number of accesses within a time range.
204. Substitute the at least one piece of alarm information into the first preset calculation formula to obtain the first threat score.
205. Normalize the first threat score to obtain at least one target value.
206. Query the preset intelligence library to obtain the weight corresponding to the at least one target value.
207. Substitute the weight and the at least one target value into the second preset calculation formula to obtain the second threat score of the traffic data to the server.
208. Display the first threat score and the second threat score.
The above steps 201 to 208 may refer to the server threat assessment method shown in fig. 1C, and are not described herein again.
It can be seen that, in the embodiment of the present application, the server first determines at least one alarm from the acquired traffic data, performs first category division on the at least one alarm, then calculates the first threat score of each category of alarm to the server according to a first preset formula, then calculates the second threat score of the traffic data to the server according to the first threat score and a second preset formula, and finally displays the first threat score and the second threat score. Because the server calculates a threat score separately for each type of alarm and then combines the results by weighting, the security of the server can be evaluated more accurately, alarm types that carry little alarm information are less likely to be overlooked, the threat degree of the server is described more intuitively by the threat scores, and the accuracy and intelligence of the application are improved.
In addition, setting a separate weight for each alarm type makes the classification more accurate; by assuming that the amount of intelligence in the intelligence library is proportional to the number of alarms, the deviation that an insufficient actual alarm count would introduce into the threat degree calculation is converted into the principle that events with a large probability occur more often; and the non-event probability together with the hyper-parameter balances cases in which the occurrence counts of different types of malicious events differ enormously, so that the accuracy and intelligence of the application are improved.
The following is a device for implementing the server threat assessment method, specifically as follows:
in accordance with the above, please refer to fig. 3, in which fig. 3 is a server according to an embodiment of the present application, including:
determining at least one alarm according to the acquired flow data;
performing first category division on the at least one alarm;
calculating a first threat score of each category alarm to the server under the first category alarm according to a first preset formula;
calculating to obtain a second threat score of the traffic data to the server according to the first threat score and a second preset formula;
displaying the first threat score and the second threat score.
It can be seen that, in the embodiment of the present application, the server first determines at least one alarm from the acquired traffic data, divides the at least one alarm into first categories, then calculates, according to a first preset formula, a first threat score of each category of alarm under the first category of alarms for the server, then calculates a second threat score of the traffic data for the server from the first threat score and a second preset formula, and finally displays the first threat score and the second threat score. Because the server calculates a separate threat score for each category of alarm and then combines the results by weighting, the security of the server can be evaluated more accurately, alarm categories with little alarm information are less likely to be overlooked, the threat degree of the server can be described more intuitively through the threat scores, and the accuracy and intelligence of the application are improved.
In one possible example, in said calculating a first threat score for each category of alarm to said server under said first category of alarms according to a first preset formula, said program comprises instructions for: analyzing each type of alarm under the first type of alarm to obtain at least one piece of alarm information under each type of alarm, wherein the at least one piece of alarm information comprises an alarm type, a threat degree corresponding to each alarm type and access times within a time range; and substituting the at least one piece of alarm information into the first preset calculation formula to obtain the first threat score.
In one possible example, the first predetermined calculation formula is:
Figure PCTCN2020099962-APPB-000003
p_i: probability of occurrence of each alarm type;
λ: hyper-parameter;
score: the threat degree of a certain alarm type, obtained from the alarm information;
weight_i: weights of the different alarm types within the same alarm category;
SCORE_MalWebsite: the threat score of the server for a certain category of alarms.
In one possible example, before said substituting said at least one piece of alarm information into said first predetermined calculation formula to obtain said first threat score, said program comprises instructions for: acquiring the number of each alarm type within the time range; and calculating the proportion of the number of each alarm type in a preset intelligence library to obtain the probability p_i of each alarm type.
In a possible example, before the calculating the proportion of the number of each alarm type in the preset intelligence library to obtain the probability p_i of each alarm type, the program further comprises instructions for performing the steps of: detecting whether the number of each alarm type is less than a preset number; if yes, determining the target alarm types whose number is less than the preset number; acquiring the preset number of the target alarm types from the preset intelligence library; and updating the number of the target alarm types to the preset number.
In one possible example, before said substituting said at least one piece of alarm information into said first predetermined calculation formula to obtain said first threat score, said program further comprises instructions for: acquiring the number of each alarm type within the time range; and determining the hyper-parameter corresponding to each alarm type according to the magnitude of the difference between the numbers of the alarm types.
In one possible example, in the calculating a second threat score of the traffic data for the server according to the first threat score and a second predetermined formula, the program further includes instructions for: normalizing the first threat score to obtain at least one target value SCORE_l; querying the preset information base to obtain the weight corresponding to the at least one target value; and substituting the weight and the at least one target value into the second preset calculation formula to obtain a second threat score of the traffic data for the server.
In one possible example, the second preset calculation formula is:
Figure PCTCN2020099962-APPB-000004
weight_l: weights of the different categories of alarms;
SCORE_l: the normalized threat degree value calculated by a single server for each category of alarms;
SCORE_total: the second threat score of the server.
In one possible example, in said determining at least one alarm according to the acquired traffic data, the program includes instructions for: loading a preset intelligence library; receiving traffic data from a terminal; analyzing the traffic data to obtain a plurality of data characteristics; and matching the data characteristics against the preset intelligence library to determine at least one alarm.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a server threat assessment apparatus according to the present embodiment. The server threat assessment apparatus is applied to the server shown in fig. 1A or the system architecture shown in fig. 1B, and is applied to a cache agent repository. The apparatus comprises a processing unit 401 and a communication unit 402, wherein:
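The scoring pipeline that the possible examples above describe (match traffic features against an intelligence library, divide the alarms into categories, derive p_i from the proportion of each alarm type in the library with a preset floor for sparse types, choose a hyper-parameter from the spread of the counts, compute a per-category score, normalize it, and combine the categories with weights) is shown end to end in the following added example. It is not code from the patent. The patent's first formula is present on this page only as an image reference, so category_score() uses an assumed stand-in built from the same inputs (p_i, λ, score, weight_i); the second formula is the weighted sum the text states. The intelligence library, counts, weights, preset number and sample traffic are all constructed.

```python
"""Two-stage server threat scoring, following the steps described above.

Added example, not code from the patent. The patent's first formula survives on
this page only as an image reference, so category_score() uses an ASSUMED
stand-in built from the same inputs (p_i, lambda, score, weight_i); the second
formula (weighted sum of normalized category scores) is as the text states.
All library entries, weights and traffic below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed intelligence library: indicator -> (category, alarm type, threat degree).
INTEL_LIBRARY = {
    "203.0.113.7": ("malicious_website", "phishing", 60),
    "198.51.100.9": ("malicious_website", "c2", 90),
    "198.51.100.22": ("scan", "port_scan", 30),
    "192.0.2.5": ("scan", "brute_force", 50),
}
# Constructed: how many records of each alarm type the library holds; this is the
# denominator for p_i ("proportion of the number of each alarm type in the library").
LIBRARY_TYPE_COUNTS = {"phishing": 400, "c2": 50, "port_scan": 1000, "brute_force": 300}
# Constructed weight_i (per alarm type within a category) and weight_l (per category).
TYPE_WEIGHTS = {"phishing": 0.8, "c2": 1.0, "port_scan": 0.4, "brute_force": 0.7}
CATEGORY_WEIGHTS = {"malicious_website": 0.7, "scan": 0.3}
PRESET_MIN_COUNT = 5  # constructed: the "preset number" used as a floor for sparse types


@dataclass(frozen=True)
class Alarm:
    category: str
    alarm_type: str
    threat_degree: int


def determine_alarms(traffic_features):
    """Step 1: match extracted traffic features (dst IPs, hostnames) against the library."""
    hits = (INTEL_LIBRARY.get(f) for f in traffic_features)
    return [Alarm(*h) for h in hits if h]


def classify(alarms):
    """Step 2: first category division, grouping alarms by category."""
    groups = {}
    for a in alarms:
        groups.setdefault(a.category, []).append(a)
    return groups


def type_counts_with_floor(alarms, preset_min=PRESET_MIN_COUNT):
    """Access count per alarm type in the window; a count below the preset number
    is replaced by the preset number, so a rare but serious type is not drowned out."""
    return {t: max(n, preset_min) for t, n in Counter(a.alarm_type for a in alarms).items()}


def occurrence_probability(counts):
    """p_i: each type's count as a proportion of its library count, capped at 1."""
    return {t: min(1.0, n / LIBRARY_TYPE_COUNTS[t]) for t, n in counts.items()}


def hyper_parameter(counts):
    """lambda: ASSUMED mapping that grows with the spread between the most and least
    frequent types; the text only says it depends on the difference in counts."""
    hi, lo = max(counts.values()), min(counts.values())
    return 1.0 + (hi - lo) / hi


def category_score(alarms):
    """First formula (ASSUMED stand-in): each type's threat degree, weighted by weight_i
    and damped by (1 - p_i) ** lambda, so a type that fires constantly adds less per
    hit than a rare one. Returns (raw score, maximum attainable score)."""
    counts = type_counts_with_floor(alarms)
    p, lam = occurrence_probability(counts), hyper_parameter(counts)
    degree = {a.alarm_type: a.threat_degree for a in alarms}
    raw = sum(TYPE_WEIGHTS[t] * degree[t] * (1 - p[t]) ** lam for t in counts)
    upper = sum(TYPE_WEIGHTS[t] * degree[t] for t in counts)
    return raw, upper


def assess(traffic_features):
    """Run the whole pipeline: returns ({category: SCORE_l}, SCORE_total)."""
    groups = classify(determine_alarms(traffic_features))
    normalized = {}
    for cat, alarms in groups.items():
        raw, upper = category_score(alarms)
        normalized[cat] = raw / upper  # SCORE_l in [0, 1] (normalization method assumed)
    total = sum(CATEGORY_WEIGHTS[cat] * s for cat, s in normalized.items())  # second formula
    return normalized, total


# Constructed traffic features: two phishing hits, one C2 hit, eight port-scan hits,
# one brute-force hit and one benign host that matches nothing in the library.
SAMPLE_TRAFFIC = (["203.0.113.7"] * 2 + ["198.51.100.9"] + ["198.51.100.22"] * 8
                  + ["192.0.2.5"] + ["www.example.org"])

if __name__ == "__main__":
    first, second = assess(SAMPLE_TRAFFIC)
    for cat, s in first.items():
        print(f"{cat:18s} SCORE_l = {s:.3f}")
    print(f"SCORE_total = {second:.3f}")
```

With the sample traffic, the single C2 hit and the single brute-force hit are both raised to the preset floor of 5 before p_i is computed, which is what keeps a category with very little alarm information from scoring near zero; the scan category has unequal counts (8 and 5), so its hyper-parameter is larger than 1 and damps the frequent port-scan type slightly more than the rare one.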
the processing unit 401 is configured to determine at least one alarm according to the acquired traffic data, perform first class division on the at least one alarm, calculate a first threat score of each class of alarm on the server according to a first preset formula under the first class of alarm, and calculate a second threat score of the traffic data on the server according to the first threat score and a second preset formula;
the communication unit 402 is configured to display the first threat score and the second threat score.
It can be seen that, in the embodiment of the present application, the server first determines at least one alarm from the acquired traffic data, divides the at least one alarm into first categories, then calculates, according to a first preset formula, a first threat score of each category of alarm for the server, then calculates a second threat score of the traffic data for the server from the first threat score and a second preset formula, and finally displays the first threat score and the second threat score. Because the server calculates a separate threat score for each category of alarm and then merges the results by weighting, the security of the server can be evaluated more accurately, alarm categories with little alarm information are less likely to be overlooked, the threat degree of the host can be described more intuitively through the threat scores, and the accuracy and intelligence of the application are improved.
In the aspect of calculating the first threat score of each category alarm to the server under the first category alarm according to the first preset formula, the processing unit 401 is specifically configured to:
analyzing each type of alarm under the first type of alarm to obtain at least one piece of alarm information under each type of alarm, wherein the at least one piece of alarm information comprises an alarm type, a threat degree corresponding to each alarm type and access times within a time range;
and substituting the at least one piece of alarm information into the first preset calculation formula to obtain the first threat score.
Among other things, the processing unit 401 may be used to enable the electronic device to perform steps 101 to 104 described above, and/or other processes for the techniques described herein.
It should be noted that all relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
In case an integrated unit is employed, the electronic device may comprise a processing module, a storage module and a communication module. The processing module may be configured to control and manage the actions of the electronic device, and for example may be configured to support the electronic device in executing the steps performed by the processing unit 401 and the communication unit 402. The storage module may be used to store the program code and data of the electronic device. The communication module may be used to support communication between the electronic device and other devices.
The processing module may be a processor or a controller. Which may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. A processor may also be a combination of computing functions, e.g., a combination of one or more microprocessors, a Digital Signal Processing (DSP) and a microprocessor, or the like. The storage module may be a memory. The communication module may specifically be a radio frequency circuit, a bluetooth chip, a Wi-Fi chip, or other devices that interact with other electronic devices.
Embodiments of the present application also provide a computer storage medium, wherein the computer storage medium stores a computer program for electronic data exchange, and the computer program enables a computer to execute part or all of the steps of any one of the server threat assessment methods as described in the above method embodiments.
Embodiments of the present application also provide a computer program product comprising a non-transitory computer readable storage medium storing a computer program operable to cause a computer to perform some or all of the steps of any of the server threat assessment methods as recited in the above method embodiments.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implementing, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed coupling or direct coupling or communication connection between each other may be through some interfaces, indirect coupling or communication connection between devices or units, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may be implemented in the form of a software program module.
The integrated units, if implemented in the form of software program modules and sold or used as stand-alone products, may be stored in a computer readable memory. Based on such understanding, the technical solution of the present application may be substantially implemented or a part of or all or part of the technical solution contributing to the prior art may be embodied in the form of a software product stored in a memory, and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method described in the embodiments of the present application. And the aforementioned memory comprises: various media that can store program codes, such as a usb disk, a read-only memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by associated hardware instructed by a program, which may be stored in a computer-readable memory, which may include: flash disk, ROM, RAM, magnetic or optical disk, and the like.
The foregoing detailed description of the embodiments of the present application has been presented to illustrate the principles and implementations of the present application, and the above description of the embodiments is only provided to help understand the method and the core concept of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (20)

  1. A server threat assessment method is applied to a server and comprises the following steps:
    determining at least one alarm according to the acquired flow data;
    performing first category division on the at least one alarm;
    calculating a first threat score of each category alarm to the server under the first category alarm according to a first preset formula;
    calculating to obtain a second threat score of the traffic data to the server according to the first threat score and a second preset formula;
    displaying the first threat score and the second threat score.
  2. The method of claim 1, wherein said calculating a first threat score for each category of alarms to the server under the first category of alarms according to a first preset formula comprises:
    analyzing each type of alarm under the first type of alarm to obtain at least one piece of alarm information under each type of alarm, wherein the at least one piece of alarm information comprises an alarm type, a threat degree corresponding to each alarm type and access times within a time range;
    and substituting the at least one piece of alarm information into the first preset calculation formula to obtain the first threat score.
  3. The method according to claim 1 or 2, wherein the first predetermined calculation formula is:
    Figure PCTCN2020099962-APPB-100001
    p_i: probability of occurrence of each alarm type;
    λ: hyper-parameter;
    score: the threat degree of a certain alarm type, obtained from the alarm information;
    weight_i: weights of the different alarm types within the same alarm category;
    SCORE_MalWebsite: the threat score of the server for a certain category of alarms.
  4. The method of claim 2, wherein before said substituting said at least one alert message into said first predetermined calculation formula to obtain said first threat score, said method further comprises:
    acquiring the number of each alarm type in the time range;
    calculating the proportion of the number of each alarm type in a preset information library to obtain the probability p_i of each alarm type.
  5. The method according to claim 4, wherein before the calculating the proportion of the number of each alarm type in the preset intelligence library to obtain the probability p_i of each alarm type, the method further comprises:
    detecting whether the number of each alarm type is less than a preset number;
    if yes, determining the target alarm types less than the preset number;
    acquiring the preset number of the target alarm types in a preset information library;
    and updating the preset number to the number of the target alarm types.
  6. The method of claim 2, wherein before said substituting said at least one alert message into said first predetermined calculation formula to obtain said first threat score, said method further comprises:
    acquiring the number of each alarm type in the time range;
    and determining the hyper-parameter corresponding to each alarm type according to the magnitude of the difference between the numbers of the alarm types.
  7. The method of claim 1, wherein calculating a second threat score for the traffic data to the server according to the first threat score and a second predetermined formula comprises:
    normalizing the first threat score to obtain at least one target value SCORE_l;
    Inquiring the preset information base to obtain the weight corresponding to the at least one target value;
    and substituting the weight and at least one target value into the second preset calculation formula to obtain a second threat score of the traffic data to the server.
  8. The method according to claim 1 or 7, wherein the second predetermined calculation formula is:
    Figure PCTCN2020099962-APPB-100002
    weight_l: weights of the different categories of alarms;
    SCORE_l: the normalized threat degree value calculated by a single server for each category of alarms;
    SCORE_total: the second threat score of the server.
  9. The method of claim 1, wherein determining at least one alarm based on the acquired traffic data comprises:
    loading a preset information library;
    receiving flow data from a terminal;
    analyzing the flow data to obtain a plurality of data characteristics;
    and matching the data characteristics with the preset information library to determine at least one alarm.
  10. A server threat assessment apparatus, for application to a server, the apparatus comprising: a processing unit and a communication unit, wherein,
    the processing unit is used for determining at least one alarm according to the acquired flow data, performing first category division on the at least one alarm, calculating a first threat score of each category alarm to the server under the first category alarm according to a first preset formula, and calculating a second threat score of the flow data to the server according to the first threat score and a second preset formula;
    the communication unit is used for displaying the first threat score and the second threat score.
  11. The apparatus according to claim 10, wherein in said calculating a first threat score for the server for each category of alarm under the first category of alarms according to a first preset formula, the processing unit is specifically configured to:
    analyzing each type of alarm under the first type of alarm to obtain at least one piece of alarm information under each type of alarm, wherein the at least one piece of alarm information comprises an alarm type, a threat degree corresponding to each alarm type and access times within a time range;
    and substituting the at least one piece of alarm information into the first preset calculation formula to obtain the first threat score.
  12. The apparatus according to claim 10 or 11, wherein the first predetermined calculation formula is:
    Figure PCTCN2020099962-APPB-100003
    p_i: probability of occurrence of each alarm type;
    λ: hyper-parameter;
    score: the threat degree of a certain alarm type, obtained from the alarm information;
    weight_i: weights of the different alarm types within the same alarm category;
    SCORE_MalWebsite: the threat score of the server for a certain category of alarms.
  13. The apparatus according to claim 11, wherein before the substituting the at least one alarm information into the first preset calculation formula to obtain the first threat score, the processing unit is further specifically configured to:
    acquiring the number of each alarm type in the time range;
    calculating the proportion of the number of each alarm type in a preset information base to obtain the probability p_i of each alarm type.
  14. The apparatus according to claim 13, wherein before the calculating the proportion of the number of each alarm type in the preset intelligence library to obtain the probability p_i of each alarm type, the processing unit is further specifically configured to:
    detecting whether the number of each alarm type is less than a preset number;
    if yes, determining the target alarm types less than the preset number;
    acquiring the preset number of the target alarm types in a preset information library;
    and updating the preset number to the number of the target alarm types.
  15. The apparatus according to claim 11, wherein before the substituting the at least one alarm information into the first preset calculation formula to obtain the first threat score, the processing unit is further specifically configured to:
    acquiring the number of each alarm type in the time range;
    and determining the hyper-parameter corresponding to each alarm type according to the magnitude of the difference between the numbers of the alarm types.
  16. The apparatus according to claim 10, wherein, in the aspect that a second threat score of the traffic data to the server is calculated according to the first threat score and a second preset formula, the processing unit is further specifically configured to:
    normalizing the first threat score to obtain at least one target value SCORE_l;
    Inquiring the preset information base to obtain the weight corresponding to the at least one target value;
    and substituting the weight and at least one target numerical value into the second preset calculation formula to obtain a second threat score of the flow data to the server.
  17. The apparatus according to claim 10 or 16, wherein the second predetermined calculation formula is:
    Figure PCTCN2020099962-APPB-100004
    weight_l: weights of the different categories of alarms;
    SCORE_l: the normalized threat degree value calculated by a single server for each category of alarms;
    SCORE_total: the second threat score of the server.
  18. A server, comprising a processor, memory, a communication interface, and one or more programs stored in the memory and configured to be executed by the processor, the programs comprising instructions for performing the steps in the method of any of claims 1-9.
  19. A computer-readable storage medium, characterized in that a computer program for electronic data exchange is stored, wherein the computer program causes a computer to perform the method according to any one of claims 1-9.
  20. A computer program product, characterized in that the computer program product comprises a non-transitory computer readable storage medium storing a computer program operable to cause a computer to perform the method according to any one of claims 1-9.
CN202080099493.2A 2020-07-02 2020-07-02 Server threat assessment method and related product Pending CN115428398A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/099962 WO2022000430A1 (en) 2020-07-02 2020-07-02 Server threat assessment method, and related product

Publications (1)

Publication Number Publication Date
CN115428398A true CN115428398A (en) 2022-12-02

Family

ID=79317247

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080099493.2A Pending CN115428398A (en) 2020-07-02 2020-07-02 Server threat assessment method and related product

Country Status (2)

Country Link
CN (1) CN115428398A (en)
WO (1) WO2022000430A1 (en)


Also Published As

Publication number Publication date
WO2022000430A1 (en) 2022-01-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination