CN116049832A - Asset vulnerability assessment method, device and equipment, medium and product - Google Patents


Info

Publication number
CN116049832A
Authority
CN
China
Prior art keywords
asset
vulnerability
risk value
risk
target asset
Legal status
Pending
Application number
CN202211698902.8A
Other languages
Chinese (zh)
Inventor
田波
杨世旭
武靖莹
聂昆
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd

Classifications

    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/57 Certifying or maintaining trusted computer platforms)
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting (under G06F21/00; G06F21/50; G06F21/55 Detecting local intrusion or implementing counter-measures)


Abstract

The application provides an asset vulnerability assessment method, device and equipment, medium and product, and aims to improve the authenticity of asset vulnerability assessment. The method comprises the following steps: extracting a plurality of vulnerability factors from asset information of a target asset, and determining risk values of the vulnerability factors; determining a first initial risk value according to the risk values and the distribution rates of the vulnerability factors; determining a second initial risk value according to the historical security event information and the risk values of the vulnerability factors associated with the target asset; determining a third initial risk value according to a first target model and risk values of a plurality of vulnerability factors, wherein the first target model is trained based on historical asset information of a target asset; determining a first target asset risk value of the target asset according to the first initial risk value, the second initial risk value and the third initial risk value; and evaluating the vulnerability of the target asset according to the first target asset risk value.

Description

Asset vulnerability assessment method, device and equipment, medium and product
Technical Field
The present disclosure relates to the field of network security applications, and in particular, to a method, an apparatus, a device, a medium, and a product for evaluating vulnerability of an asset.
Background
Asset vulnerability assessment is the most basic security identification means in asset security management. However, existing asset vulnerability assessment methods are single-dimensional and rule-based: they cannot assess asset vulnerability accurately and effectively, and they struggle to produce asset profiles that support decision-making in real attack-and-defense situations.
Disclosure of Invention
In view of the foregoing, embodiments of the present application provide an asset vulnerability assessment method, apparatus, device, medium and product that overcome, or at least partially solve, the foregoing problem.
In a first aspect of embodiments of the present application, there is provided an asset vulnerability assessment method, the method comprising:
extracting a plurality of vulnerability factors from asset information of a target asset, and determining risk values of the vulnerability factors;
determining a first initial risk value according to the risk values and the distribution rates of the vulnerability factors;
determining a second initial risk value based on the historical security event information associated with the target asset and the risk values of the plurality of vulnerability factors;
determining a third initial risk value according to a first target model and the risk values of the vulnerability factors, wherein the first target model is trained based on historical asset information of the target asset;
Determining a first target asset risk value for the target asset according to the first initial risk value, the second initial risk value, and the third initial risk value;
and evaluating the vulnerability of the target asset according to the first target asset risk value.
Optionally, the determining a first initial risk value according to the risk values and the distribution rates of the vulnerability factors includes:
determining influence parameters corresponding to the vulnerability factors according to the risk values and the distribution rates of the vulnerability factors, wherein an influence parameter describes the degree to which a security event that occurs once the vulnerability factor is exploited affects the target asset;
determining a first variance value of an influence parameter of the plurality of vulnerability factors and a second variance value of a distribution rate of the plurality of vulnerability factors;
and determining the sum of the first variance value and the second variance value as the first initial risk value.
Optionally, the determining a second initial risk value according to the historical security event information associated with the target asset and the risk values of the plurality of vulnerability factors includes:
according to the historical security event information associated with the target asset, determining the influence degree and the influence range of a plurality of historical security events associated with the target asset on each intruded asset, and determining the protection degree of the plurality of intruded assets;
determining a plurality of loss influence values of the target asset according to the influence degrees, influence ranges and protection degrees corresponding to the associated plurality of historical security events and the risk values of the plurality of vulnerability factors, wherein a loss influence value describes the degree to which a vulnerability factor affects the target asset when, after that vulnerability factor is exploited, a security event of the same kind as the historical security events occurs;
and determining the second initial risk value based on an asset operational profile parameter and the maximum of the plurality of loss influence values.
Optionally, before determining the third initial risk value according to the first target model and the risk values of the plurality of vulnerability factors, the method further comprises:
extracting risk values of a plurality of historical vulnerability factors from the historical asset information of the target asset, and acquiring risk ground-truth values corresponding to the historical vulnerability factors, wherein a risk ground-truth value describes the actual vulnerability degree of the historical target asset corresponding to the historical vulnerability factors;
performing iterative training of a model according to the plurality of historical risk values and the risk ground-truth values corresponding to them, to obtain the first target model;
and the determining a third initial risk value according to the first target model and the risk values of the plurality of vulnerability factors comprises:
inputting the risk values of the vulnerability factors into the first target model to obtain the third initial risk value.
Optionally, the determining a first target asset risk value of the target asset according to the first initial risk value, the second initial risk value, and the third initial risk value includes:
estimating the relevant distribution positions of security events that occur after the vulnerability factors are exploited, and determining a plurality of hidden factors according to the relevant distribution positions;
mapping the hidden factors to a plurality of non-characteristic parameters according to a set mapping table;
performing balance calibration on the first initial risk value, the second initial risk value and the third initial risk value respectively through the plurality of non-characteristic parameters to obtain a plurality of calibration values;
and acquiring, from the plurality of calibration values, a plurality of first calibration values whose mutual differences lie within a set range, and determining a middle value of the plurality of first calibration values as the first target asset risk value.
Optionally, the evaluating the vulnerability of the target asset according to the first target asset risk value includes:
Adjusting the first target asset risk value according to the network scene information of the target asset to obtain a second target asset risk value, wherein the network scene information comprises at least one of network topology complexity, network connectivity, protocol restriction rate and port opening rate;
adjusting the second target asset risk value according to the service scene information of the target asset to obtain a third target asset risk value, wherein the service scene information comprises at least one of source code risk rate, service quality defect rate and operation abnormality rate;
and evaluating the vulnerability of the target asset according to the third target asset risk value.
In a second aspect of embodiments of the present application, there is provided an asset vulnerability assessment apparatus, the apparatus comprising:
the first processing module is used for extracting a plurality of vulnerability factors from asset information of a target asset and determining risk values of the vulnerability factors;
the second processing module is used for determining a first initial risk value according to the risk values and the distribution rates of the vulnerability factors;
a third processing module configured to determine a second initial risk value based on historical security event information associated with the target asset and the risk values of the plurality of vulnerability factors;
A fourth processing module, configured to determine a third initial risk value according to a first target model and risk values of the plurality of vulnerability factors, where the first target model is trained based on historical asset information of the target asset;
a fifth processing module configured to determine a first target asset risk value for the target asset according to the first initial risk value, the second initial risk value, and the third initial risk value;
and the vulnerability assessment module is used for assessing the vulnerability of the target asset according to the first target asset risk value.
In a third aspect of the embodiments of the present application, there is provided an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the method for evaluating vulnerability of assets according to the first aspect when executing the program.
In a fourth aspect of embodiments of the present application, there is provided a computer readable storage medium having stored thereon a computer program/instruction which, when executed by a processor, implements the steps of the asset vulnerability assessment method of the first aspect.
In a fifth aspect of embodiments of the present application, there is provided a computer program product comprising computer programs/instructions which, when executed by a processor, implement the steps of the asset vulnerability assessment method of the first aspect.
Embodiments of the present application have the following advantages: a plurality of vulnerability factors are extracted from the asset information of the target asset across a plurality of vulnerability dimensions, and three kinds of algorithm models compute cooperatively on those vulnerability factors, so that the obtained asset risk value is more faithful to reality and accurately reflects the vulnerability of the target asset.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments of the present application will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an implementation of a method of asset vulnerability assessment of an embodiment of the present application;
FIG. 2 is a schematic diagram of a step of determining a first initial risk value according to an embodiment of the present application;
FIG. 3 is a schematic diagram illustrating a step of determining a second initial risk value according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a training step of a first object model according to an embodiment of the present application;
FIG. 5 is a schematic diagram of an asset vulnerability assessment apparatus according to an embodiment of the present application;
fig. 6 is a schematic diagram of an electronic device in an embodiment of the application.
Detailed Description
In order that the above-recited objects, features and advantages of the present application will become more readily apparent, a more particular description of the invention briefly described above will be rendered by reference to specific embodiments that are illustrated in the appended drawings.
The rapid development of digital economy promotes digital industrialization, 5G-based application scenes and industrial ecology rapidly rise in various industries, and the scale of cloud network assets is becoming huge.
Asset vulnerability assessment is the most basic security identification means in asset security management. In security protection and security analysis devices/software, existing single-dimensional, rule-based asset vulnerability assessment methods cannot assess asset vulnerability accurately and effectively, and struggle to produce asset profiles that support decision-making in real attack-and-defense situations. It is therefore important to research an asset vulnerability assessment method that follows a unified architecture, integrates logic, breaks down data silos and achieves unified management of security data.
In the game of attack-and-defense countermeasures, large-scale assets carry weak gaps and unknown weaknesses in the security environment. The method uses multiple cooperating algorithm models, under the framework and logic of a unified assessment method, to comprehensively assess asset vulnerability, and thereby realizes an asset security identification scheme centred on scenario-driven and data-driven analysis.
The asset vulnerability assessment method provided by the embodiment of the application is described in detail below through some embodiments and application scenarios thereof with reference to the accompanying drawings.
In a first aspect, referring to fig. 1, a flowchart of an implementation of a method for evaluating vulnerability of assets according to an embodiment of the application is shown, where the method may include the following steps:
step S11: a plurality of vulnerability factors are extracted from asset information of a target asset, and risk values of the vulnerability factors are determined.
In implementation, asset business information, asset vulnerability information, asset baseline violation information, asset exposure surface information and other asset information of the target asset can be analysed to extract all asset vulnerabilities and asset baseline violations of the target asset; each of these is a vulnerability factor that can affect the vulnerability of the target asset. Then, according to the type, distribution position and other information of each vulnerability or baseline violation, the risk degree of each vulnerability factor can be estimated and expressed as a risk value: the greater the risk value of the vulnerability factor, the greater its risk degree. This realizes standardized extraction of vulnerability influence factors from multiple data sources and unified management of asset security data.
As one possible implementation, asset information may be consolidated using a Data Warehouse (DW) and analyzed in the following manner to extract vulnerability factors and determine risk values for the vulnerability factors.
Based on the asset business information, the business carried by the target asset is identified (for example information service assets, data resource assets, communication network assets), and the risk value of a vulnerability factor is analysed according to how strongly the target asset is affected when the services in its business chain (information acquisition, transmission, storage, processing, exchange, destruction and so on) are attacked. It will be appreciated that vulnerability factors associated with the core services in the business chain should have a greater risk value (i.e. risk level).
For the asset vulnerability information, the asset IP, asset category and extracted asset vulnerability information are matched by association, and the vulnerability category and asset service attributes are analysed to locate the vulnerability within the network structure, system software, middleware or application system, thereby determining the distribution position of the vulnerability and the hidden factors mentioned below. It will be appreciated that a vulnerability factor distributed at a lower layer (for example the network layer) affects all layers above it and so has a larger impact range; its risk value (i.e. risk level) should therefore be greater.
For the asset baseline information, the asset IP, asset port and asset host ID are matched by association with the baseline information, an asset baseline model is built to judge the compliance rate of the target asset, and configurations such as system environment security configuration, system communication operation configuration, access control configuration, system maintenance configuration and password protection configuration are extracted from the two aspects of configuration quality defects and configuration security defects, to obtain the baseline violation types of the target asset.
For the asset exposure surface information, the exposure surface information is matched by association with the asset information through the asset IP, asset ports and asset service protocols, and the network condition of the target asset is drawn from dimensions such as asset network connectivity, asset access control list (ACL) policy and asset routing policy, so as to analyse the danger degree of each vulnerability factor and the security (i.e. vulnerability) of the target asset as a whole. For example, the more complex the asset's routing policy, the greater the danger degree of the associated vulnerability factors and the lower the overall security of the target asset.
By way of example, after analysing and sorting the asset information of the target asset in the above manner, the following may be obtained:
Asset extranet IP: 106.61.163.247;
asset intranet IP: 10.251.25.138;
asset private network IP: 192.168.10.10;
asset service ports, 3 in total: 8080, 8443, 22;
asset applications, 3 in total: Tomcat, Nginx, sftp;
firewall policy of the asset host, 1 in total: iptables -I INPUT -p tcp -m multiport --dports 20,21,22,8443 -j ACCEPT;
asset vulnerabilities, 3 in total: CNVD-2022-54473 (risk level: high), CNVD-2022-66585 (risk level: high), CNVD-2022-74082 (risk level: high);
asset baseline violations, 1 in total: OS-LINUX-grant violation.
In addition, the network connection relations in the asset information can be organized by drawing an asset network topology graph, and the data de-duplicated, so that the target asset is finally found to have 112 intranet connections, 25 private network connections and 4 vulnerability factors (namely 3 asset vulnerabilities and 1 baseline violation). Combining information such as the type and distribution position of each vulnerability factor, its risk degree is determined, and the risk values of the 4 vulnerability factors are obtained through the mapping between risk degree and risk value, for example W = [4.5, 2, 3, 1.6].
In the above embodiment, data extraction is performed from a plurality of vulnerability dimensions such as vulnerabilities, baselines, exposed surfaces and the like, not only is verification and hazard assessment performed on vulnerabilities of the asset performed, but also deep compliance detection is performed in combination with the baseline condition, and non-compliance configuration is subjected to association analysis, and finally, vulnerability of the exposed surfaces (namely, network condition of the target asset itself) is converged, so that risk values of a plurality of vulnerability factors are comprehensively analyzed, and the vulnerability of the target asset is truly restored from the view of an attacker later.
Step S12: and determining a first initial risk value according to the risk values and the distribution rates of the vulnerability factors.
In implementation, the distribution rate of each vulnerability factor over the asset may be determined from its distribution position on the asset. For example, the target asset may be divided into vulnerability levels from low to high: network layer, session layer, system layer, component layer and application layer, with higher vulnerability levels having a greater distribution rate of vulnerability factors. Fitting calculation is performed on the risk values and distribution rates of the vulnerability factors, so that the vulnerability of the target asset as a whole is preliminarily evaluated from the angle of the impact range of the vulnerability factors, giving the first initial risk value.
As a possible implementation, as shown in fig. 2, the first initial risk value may be determined by:
step S21: determining influence parameters corresponding to the vulnerability factors according to the risk values and the distribution rates of the vulnerability factors, wherein the influence parameters are used for describing the influence degree of the security event generated after the vulnerability factors are utilized on the target asset;
step S22: determining a first variance value of an influence parameter of the plurality of vulnerability factors and a second variance value of a distribution rate of the plurality of vulnerability factors;
step S23: and determining the sum of the first variance value and the second variance value as the first initial risk value.
In this embodiment, following the transmission characteristics of data, a vulnerability factor at a lower vulnerability level affects all the layers above it, so a vulnerability factor with a lower vulnerability level (i.e. a lower distribution rate) should have a larger impact range: the degree to which a security event occurring after that vulnerability factor is exploited affects the target asset (the influence parameter value) is correspondingly larger. For ease of calculation, the influence parameter P of a vulnerability factor may be taken as its risk value W divided by its distribution rate Q, i.e. P = W / Q. With the risk values W = [4.5, 2, 3, 1.6] and distribution rates Q = [0.9, 0.4, 0.6, 0.2], the influence parameters P = [5, 5, 5, 8] are obtained. To remove noise interference and reduce the dispersion of the data, the variance of the influence parameters of the 4 vulnerability factors (the first variance value) and the variance of the distribution rates of the 4 vulnerability factors (the second variance value) may be calculated, and the first and second variance values summed to obtain the first initial risk value.
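The computation of steps S21 to S23 with the page's own figures, as an added example that is not part of the patent text. The page gives W, Q and P = W / Q but does not say which variance estimator it uses; population variance (divide by n) is assumed here, and the input validation is the editor's addition.

```python
"""Step S12: first initial risk value from risk values W and distribution
rates Q. Added example; population variance is an assumption because the
page does not name the estimator it uses."""


def impact_parameters(w, q):
    """Influence parameter per factor, P_i = W_i / Q_i (the page's formula).
    A lower distribution rate (a lower layer) yields a larger impact."""
    if len(w) != len(q):
        raise ValueError("W and Q must have one entry per vulnerability factor")
    if any(qi <= 0 for qi in q):
        raise ValueError("distribution rates must be positive")
    return [wi / qi for wi, qi in zip(w, q)]


def variance(values):
    """Population variance (assumption: the page does not name the estimator)."""
    n = len(values)
    if n == 0:
        raise ValueError("variance of an empty sequence is undefined")
    mean = sum(values) / n
    return sum((v - mean) ** 2 for v in values) / n


def first_initial_risk(w, q):
    """Sum of var(P) and var(Q), as in steps S21-S23."""
    p = impact_parameters(w, q)
    return variance(p) + variance(q)


# Constructed sample matching the page's worked figures.
W = [4.5, 2, 3, 1.6]
Q = [0.9, 0.4, 0.6, 0.2]

if __name__ == "__main__":
    print("P =", impact_parameters(W, Q))
    print("first initial risk value =", round(first_initial_risk(W, Q), 6))
```

Note that with these figures var(P) dominates var(Q) by more than an order of magnitude, so the first initial risk value is driven almost entirely by the one factor sitting at a low layer (Q = 0.2); that is the behaviour the text describes, but it also means the sum is sensitive to how Q is assigned per layer.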
Step S13: and determining a second initial risk value according to the historical security event information associated with the target asset and the risk values of the vulnerability factors.
In implementation, the historical security event information of the target asset (or of assets of the same type) can be obtained, so that the damage suffered by the asset when a historical security event occurred is combined with the current risk degree of the vulnerability factors present on the target asset. From this, the degree to which the target asset would be affected if a vulnerability factor were exploited and a security event similar to the historical one occurred is estimated, and the overall vulnerability of the target asset is estimated from that degree of impact, giving the second initial risk value.
As a possible implementation, as shown in fig. 3, the second initial risk value may be determined by:
step S31: according to the historical security event information associated with the target asset, determining the influence degree and the influence range of a plurality of historical security events associated with the target asset on each invaded asset, and determining the protection degree of the plurality of invaded assets;
step S32: determining a plurality of loss influence values of the target asset according to influence degrees, influence ranges and protection degrees corresponding to the associated plurality of historical security events and risk values of the plurality of vulnerability factors, wherein the loss influence values are used for describing the influence degree of the vulnerability factors on the target asset when the same security event as the plurality of historical security events occurs after the vulnerability factors are utilized;
Step S33: the second initial risk value is determined based on the asset operational profile parameter and a maximum of the plurality of loss impact values.
In implementation, a set function K(V, D, C) can be constructed from the historical security event information associated with the target asset, where V is the variable set of security events (i.e. intrusion behaviours) and represents the degree to which each historical security event affected each intruded asset; D is the intrusion scope of the security events and represents the range over which each historical security event affected each intruded asset; and C is the constraint group of risk propagation and represents the protection degree of the related assets when a security event occurred. The security events may be technology failure events, unauthorized behaviour events, functional impairment events, supply chain failure events and so on.
Taking the example of a target asset associated with 4 historical security events, the set function for the 4 historical security events may consist of: V1 = 5, D1 = 0.2, C1 = 0.5; V2 = 5, D2 = 0.2, C2 = 0.4; V3 = 5, D3 = 0.7, C3 = 0.2; V4 = 8, D4 = 0.2, C4 = 0.5. The larger the variables V and D of a historical security event, the larger its influence degree and influence range; and the larger the risk propagation constraint C, the lower the protection degree of the related assets, i.e. the more the related assets are affected when a similar security event occurs.
The set function K(V, D, C) is input into a pre-constructed knowledge base to obtain a risk knowledge parameter M, which is a parameter value derived from all dimensions of the set function and describes the comprehensive degree to which a historical security event affects an asset. The loss influence value is then obtained by combining this with the influence factor of the asset distribution position and the loss influence value of the asset's historical state; for example, the loss influence value g corresponding to a given vulnerability factor is the product of the risk knowledge parameter M and the risk value w of that vulnerability factor, g = M × w. The product of a set asset operational profile parameter (for example 42) and the maximum of the plurality of loss influence values may then be determined as the second initial risk value, so that the vulnerability of the target asset is evaluated by a knowledge-recommendation algorithm in combination with the historical security events that arose from the associated vulnerability factors.
Step S14: and determining a third initial risk value according to a first target model and the risk values of the vulnerability factors, wherein the first target model is trained based on historical asset information of the target asset.
In implementation, the first target model may be a sparse parameter model built on a Lasso regression cost function. Because the Lasso cost function performs variable selection and complexity adjustment while fitting a generalized linear model, inputting the risk values of the vulnerability factors into the first target model for fitting avoids over-fitting the risk values of the vulnerability factors and reduces the error, so that the third initial risk value obtained reflects the overall vulnerability of the target asset more faithfully.
As a possible implementation manner, as shown in fig. 4, the first target model may be obtained through the following training:
step S41: extracting risk values of a plurality of historical vulnerability factors from the historical asset information of the target asset, and acquiring risk realism values corresponding to the historical vulnerability factors, wherein the risk realism values are used for describing the vulnerability degree of the historical target asset corresponding to the historical vulnerability factors;
step S42: performing iterative training of the model according to the plurality of historical risk values and the risk realism values corresponding to them, to obtain the first target model.
In this embodiment, model training may be based on the risk values of the historical vulnerability factors and on the overall vulnerability (i.e., the risk realism values) of the corresponding historical target asset. For example, a sparse parametric model f(w) = Σ(λ(φ(w1) + φ(w2) + ... + φ(wn))), where W = [w1 w2 w3 ... wn] represents the risk values of the vulnerability factors, φ() represents the Lasso regression cost function, and λ represents the regression coefficient. The risk values of the historical vulnerability factors are input into the sparse parameter model for iterative training; by adjusting the value of the regression coefficient (for example, to 0.5) so that the output of the sparse parameter model approaches the risk realism value corresponding to the historical vulnerability factors, the sparse parameter model that reaches the set number of training iterations is determined as the first target model.
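The training of steps S41 and S42 worked through as an added example, not code from the patent: a Lasso fit by coordinate descent stands in for the φ() cost function and λ penalty the text names, on constructed historical risk values and risk realism values, after which the trained model produces the third initial risk value for the current factor risk values. The three factor columns, the realism values and the use of 0.5 for λ are constructed or assumed here.

```python
"""Added example (not from the patent): fit the first target model as a sparse
Lasso model on historical vulnerability-factor risk values and use it to
produce the third initial risk value. Pure Python, no third-party packages."""


def _soft_threshold(rho: float, lam: float) -> float:
    """Lasso shrinkage operator: a coefficient with |rho| <= lam becomes exactly 0,
    which is the variable screening the text attributes to the Lasso cost."""
    if rho > lam:
        return rho - lam
    if rho < -lam:
        return rho + lam
    return 0.0


def lasso_fit(X, y, lam=0.5, n_iter=200):
    """Coordinate descent for (1/2n)*sum((y - b - X.w)^2) + lam*sum(|w|).

    X: one row per historical snapshot of the asset, one column per
       vulnerability factor (its risk value at that time);
    y: the risk realism value recorded for each snapshot;
    lam: the penalty the patent text calls the regression coefficient (0.5).
    Returns (w, b): sparse coefficient vector and intercept.
    """
    n, p = len(X), len(X[0])
    x_mean = [sum(row[j] for row in X) / n for j in range(p)]
    y_mean = sum(y) / n
    # Centre the data so the intercept is not penalised and can be solved
    # in closed form once the coefficients have converged.
    Xc = [[row[j] - x_mean[j] for j in range(p)] for row in X]
    yc = [v - y_mean for v in y]
    w = [0.0] * p
    for _ in range(n_iter):
        for j in range(p):
            # Residual with factor j left out, correlated with column j.
            rho = 0.0
            for i in range(n):
                partial = yc[i] - sum(Xc[i][k] * w[k] for k in range(p) if k != j)
                rho += Xc[i][j] * partial
            z = sum(Xc[i][j] ** 2 for i in range(n))
            w[j] = _soft_threshold(rho / n, lam) / (z / n) if z else 0.0
    b = y_mean - sum(wj * m for wj, m in zip(w, x_mean))
    return w, b


def third_initial_risk_value(w, b, risk_values):
    """Step S14: input the current factor risk values into the trained model."""
    return b + sum(wj * x for wj, x in zip(w, risk_values))


# Constructed historical asset information: columns are the risk values of
# three vulnerability factors (vulnerability, baseline, exposed surface), rows
# are six past snapshots. The realism values were generated as
# 10 + 5*vulnerability + 3*baseline; the exposed-surface column was built
# orthogonal to the other two, so the Lasso should screen it out (coefficient 0).
HISTORICAL_RISK_VALUES = [
    [1, 5, 6],
    [2, 2, 5],
    [3, 5, 0],
    [4, 5, 10],
    [5, 2, 5],
    [6, 5, 4],
]
HISTORICAL_REALISM_VALUES = [30, 26, 40, 45, 41, 55]


def train_first_target_model(lam=0.5):
    """Steps S41-S42 on the constructed history; lam is the page's example 0.5."""
    return lasso_fit(HISTORICAL_RISK_VALUES, HISTORICAL_REALISM_VALUES, lam=lam)


if __name__ == "__main__":
    w, b = train_first_target_model()
    print("coefficients:", [round(c, 4) for c in w], "intercept:", round(b, 4))
    print("third initial risk value for [4, 5, 7]:",
          round(third_initial_risk_value(w, b, [4, 5, 7]), 4))
```

With λ = 0.5 the informative coefficients are shrunk slightly below the generating values 5 and 3, and the orthogonal exposed-surface column is driven to exactly zero.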
Step S15: and determining a first target asset risk value of the target asset according to the first initial risk value, the second initial risk value and the third initial risk value.
In this embodiment, the initial risk values determined from different dimensions and by different algorithm models are analyzed together to obtain the first target asset risk value, which represents the overall vulnerability of the target asset. This widens the basis of the score, avoids vulnerability calculation errors caused by an abnormality or defect in any single dimension or algorithm model, and improves the fidelity of the vulnerability assessment.
As a possible implementation manner, the relevant distribution positions of security events occurring after the vulnerability factors are utilized are estimated, and a plurality of hidden factors are determined according to those relevant distribution positions; the hidden factors are mapped into a plurality of non-characteristic parameters according to a set mapping table; the first initial risk value, the second initial risk value and the third initial risk value are each balance-calibrated through the plurality of non-characteristic parameters to obtain a plurality of calibration values; and a plurality of first calibration values whose value differences lie within a set range are acquired from the plurality of calibration values, and an intermediate value of the plurality of first calibration values is determined as the first target asset risk value.
In a specific implementation, the relevant distribution position of a security event occurring after a vulnerability factor is utilized may be the vulnerability level, and the hidden factor may be an influence object of the vulnerability factor at that vulnerability level (such as the device manufacturer, the supply time, the CPU utilization rate, etc.). The risk values are balanced and calibrated by introducing the hidden factors so that the three risk values become as close as possible. Taking the hidden factor CPU utilization as an example, when the CPU utilization is 95% the mapped non-characteristic parameter is -5, and the higher the CPU utilization, the smaller the non-characteristic parameter.
A plurality of calibration values are determined from the non-characteristic parameters of the different introduced hidden factors and from the first initial risk value, the second initial risk value and the third initial risk value, where each calibration value equals the square of the difference between an initial risk value (the first, second or third initial risk value) and any one of the non-characteristic parameters.
Taking two hidden factors as an example, six calibration values 10, 25, 27, 26, 41 and 60 are obtained; the three first calibration values 25, 27 and 26 with the closest values are selected, and the intermediate value 27 of the three first calibration values is determined as the first target asset risk value.
It can be appreciated that introducing the hidden factors calculates the probability of the risk distribution (i.e., that the vulnerability factor is utilized to generate a security event), so as to balance and calibrate the initial risk values estimated by the different algorithm models, reduce the deviation of the data, and further improve the accuracy.
Step S16: and evaluating the vulnerability of the target asset according to the first target asset risk value.
In a specific implementation, the association between the first target asset risk value and the vulnerability of the target asset can be determined through multiple tests and analyses, and corresponding security maintenance operations are performed on the target asset according to its vulnerability.
For example, when the first target asset risk value is set at 0-30, the vulnerability of the target asset is judged to be low risk; the target asset is then difficult to compromise and need not be reinforced. When the first target asset risk value is 30-60, the vulnerability of the target asset is judged to be medium risk; the target asset is then of ordinary attack difficulty, and network policy reinforcement is needed. When the first target asset risk value is 60-90, the vulnerability of the target asset is judged to be high risk; the target asset is then easier to attack, and network policy reinforcement and host reinforcement are needed. When the first target asset risk value is 90-100, the vulnerability of the target asset is judged to be serious; the target asset is then extremely easy to compromise, network policy reinforcement and host reinforcement are needed, and the security design planning is redone.
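Steps S15 and S16 worked through as an added example, not code from the patent: the squared-difference calibration, the selection of the first calibration values within a set range, the intermediate value, and the level bands with their reinforcement actions. The mapping-table rows beyond the patent's single row (CPU utilization 95% maps to -5), the device manufacturer table, the spread threshold, the half-open band boundaries and the reading of "intermediate value" as the median are assumptions, and the initial risk values are constructed on a small scale so that the squared differences fall inside the 0-100 band range.

```python
"""Added example (not from the patent): balance-calibrate the three initial
risk values with hidden-factor parameters, select the first target asset risk
value, and map it to the vulnerability level and reinforcement action."""
from statistics import median

# Constructed mapping table for the hidden factor "CPU utilization" as
# (lower bound in %, non-characteristic parameter). The patent gives only the
# row 95% -> -5 and the rule that higher utilization maps to a smaller
# parameter; the remaining rows are assumptions for this example.
CPU_UTILIZATION_TABLE = [(90.0, -5.0), (70.0, -3.0), (50.0, -1.0), (0.0, 1.0)]

# Constructed mapping table for the hidden factor "device manufacturer".
DEVICE_MANUFACTURER_TABLE = {"vendor-a": 0.5, "vendor-b": -1.0}


def cpu_utilization_param(utilization_pct: float) -> float:
    """Map CPU utilization to its non-characteristic parameter via the table."""
    if not 0.0 <= utilization_pct <= 100.0:
        raise ValueError("CPU utilization must be a percentage")
    for lower_bound, param in CPU_UTILIZATION_TABLE:
        if utilization_pct >= lower_bound:
            return param
    raise AssertionError("table must end with a 0.0 lower bound")


def device_manufacturer_param(vendor: str) -> float:
    # Assumption: an unknown vendor gets a neutral parameter.
    return DEVICE_MANUFACTURER_TABLE.get(vendor, 0.0)


def calibration_values(initial_risks, params):
    """One calibration value per (initial risk, parameter) pair: the square of
    their difference, as the text defines it."""
    return [(r - p) ** 2 for p in params for r in initial_risks]


def first_calibration_values(values, spread):
    """Largest group of values whose differences all lie within `spread`; on a
    tie the tighter group wins (the patent only says 'within a set range')."""
    ordered = sorted(values)
    best = []
    for start in range(len(ordered)):
        end = start
        while end + 1 < len(ordered) and ordered[end + 1] - ordered[start] <= spread:
            end += 1
        window = ordered[start:end + 1]
        tighter = (window[-1] - window[0]) < (best[-1] - best[0]) if best else True
        if len(window) > len(best) or (len(window) == len(best) and tighter):
            best = window
    return best


def first_target_asset_risk_value(initial_risks, params, spread=5.0):
    """Step S15: the 'intermediate value' of the selected first calibration
    values, taken here as their median (assumption)."""
    chosen = first_calibration_values(calibration_values(initial_risks, params), spread)
    if not chosen:
        raise ValueError("no calibration values to select from")
    return median(chosen)


def vulnerability_level(risk_value):
    """Step S16 bands from the patent's example; boundaries are treated as
    half-open (assumption), so 30 is medium, 60 is high and 90 is serious."""
    if not 0.0 <= risk_value <= 100.0:
        raise ValueError("risk value outside the 0-100 range")
    if risk_value < 30.0:
        return "low", "no reinforcement needed"
    if risk_value < 60.0:
        return "medium", "network policy reinforcement"
    if risk_value < 90.0:
        return "high", "network policy and host reinforcement"
    return "serious", "network policy and host reinforcement, redo security design planning"


def assess(initial_risks, cpu_pct, vendor, spread=5.0):
    """Fuse the first, second and third initial risk values and band the result."""
    params = [cpu_utilization_param(cpu_pct), device_manufacturer_param(vendor)]
    value = first_target_asset_risk_value(initial_risks, params, spread)
    return value, vulnerability_level(value)


if __name__ == "__main__":
    # Constructed initial risk values (first, second, third) on a small scale.
    print(assess([4.5, 5.9, 6.1], cpu_pct=55.0, vendor="vendor-a"))
```

On the patent's own six calibration values, `first_calibration_values([10, 25, 27, 26, 41, 60], 3.0)` picks the same group 25, 26 and 27 that the text selects.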
As a possible implementation manner, the first target asset risk value is adjusted according to network scene information of the target asset, so as to obtain a second target asset risk value, wherein the network scene information comprises at least one of network topology complexity, network connectivity, protocol limiting rate and port opening rate;
adjusting the second target asset risk value according to the service scene information of the target asset to obtain a third target asset risk value, wherein the service scene information comprises at least one of source code risk rate, service quality defect rate and operation abnormality rate;
and evaluating the vulnerability of the target asset according to the third target asset risk value.
It should be noted that, because the vulnerability of the target asset changes with the network scenario it is in, network scenario enhancement can be performed on the risk value of the target asset through a network policy, a firewall policy, a host policy, and the like; and because the vulnerability of the target asset is also affected by the different services it provides, service scenario enhancement can be performed on the risk value of the target asset based on the service scenario types, such as the asset's own service, a supply chain service, an open source service, and the like.
In a specific implementation, the network topology complexity, the network connectivity, the protocol restriction rate and the port opening rate of the target asset are obtained, and the first target asset risk value is increased or decreased according to the association between these parameters and the vulnerability of the target asset (for example, the greater the network topology complexity, the greater the vulnerability of the target asset and the greater the target asset risk value), so as to obtain the second target asset risk value. A second target model may be trained with the Lasso regression cost function and historical network scenario information, and the network scenario information and the first target asset risk value may then be input into the second target model to obtain the second target asset risk value.
After the second target asset risk value is obtained, the source code risk rate, the service quality defect rate and the operation abnormality rate of the target asset are obtained, and the second target asset risk value is increased or decreased according to the association between these parameters and the vulnerability of the target asset (for example, the greater the source code risk rate, the greater the vulnerability of the target asset and the greater the target asset risk value), so as to obtain the third target asset risk value. A third target model may be trained with the Lasso regression cost function and historical service scenario information, and the service scenario information and the second target asset risk value may then be input into the third target model to obtain the third target asset risk value.
In the above embodiment, the present application provides an asset vulnerability assessment method based on model collaborative verification: asset vulnerability information is converged, data is extracted from multiple vulnerability dimensions such as vulnerabilities, baselines and exposed surfaces, three algorithm models are used for collaborative calculation and assessment to obtain the risk values, and enhanced assessment is performed with the network scenario and the service differentiation scenario, so that the asset vulnerability is assessed realistically and the asset vulnerability closest to the real state is obtained.
For the purposes of simplicity of explanation, the methodologies are shown as a series of acts, but one of ordinary skill in the art will recognize that the embodiments are not limited by the order of acts described, as some acts may, in accordance with the embodiments, occur in other orders or concurrently. Further, those skilled in the art will appreciate that the embodiments described in the specification are all preferred embodiments and that the acts referred to are not necessarily required by the embodiments of the present application.
In a second aspect, fig. 5 is a schematic structural diagram of an asset vulnerability assessment apparatus according to an embodiment of the present application, the apparatus includes:
The first processing module is used for extracting a plurality of vulnerability factors from asset information of a target asset and determining risk values of the vulnerability factors;
the second processing module is used for determining a first initial risk value according to the risk values and the distribution rates of the vulnerability factors;
a third processing module configured to determine a second initial risk value based on historical security event information associated with the target asset and the risk values of the plurality of vulnerability factors;
a fourth processing module, configured to determine a third initial risk value according to a first target model and risk values of the plurality of vulnerability factors, where the first target model is trained based on historical asset information of the target asset;
a fifth processing module configured to determine a first target asset risk value for the target asset according to the first initial risk value, the second initial risk value, and the third initial risk value;
and the vulnerability assessment module is used for assessing the vulnerability of the target asset according to the first target asset risk value.
According to the technical scheme, based on the plurality of vulnerability dimensions, the plurality of vulnerability factors are extracted from the asset information of the target asset, and based on the plurality of vulnerability factors, three types of algorithm models are utilized for collaborative calculation, so that the authenticity of the obtained asset risk value is improved, and the vulnerability of the target asset can be accurately reflected by the asset risk value.
Optionally, the second processing module includes:
the first processing submodule is used for determining influence parameters corresponding to the vulnerability factors according to the risk values and the distribution rates of the vulnerability factors, wherein the influence parameters are used for describing the influence degree of the security event generated after the vulnerability factors are utilized on the target asset;
a second processing sub-module for determining a first variance value of an influence parameter of the plurality of vulnerability factors and a second variance value of a distribution rate of the plurality of vulnerability factors;
and the third processing submodule is used for determining the sum of the first variance value and the second variance value as the first initial risk value.
Optionally, the third processing module includes:
a fourth processing sub-module, configured to determine, according to the historical security event information associated with the target asset, an influence degree and an influence range of a plurality of historical security events associated with the target asset on each of the invaded assets, and determine protection degrees of the plurality of invaded assets;
a fifth processing sub-module, configured to determine a plurality of loss impact values of the target asset according to impact levels, impact ranges, and protection levels corresponding to the associated plurality of historical security events, and risk values of the plurality of vulnerability factors, where the loss impact values are used to describe impact levels on the target asset when security events identical to the plurality of historical security events occur after the vulnerability factors are utilized;
and a sixth processing sub-module configured to determine the second initial risk value according to the asset operational profile parameter and a maximum value of the plurality of loss impact values.
Optionally, before determining the third initial risk value according to the first target model and the risk values of the plurality of vulnerability factors, the apparatus further comprises:
the information extraction module is used for extracting risk values of a plurality of historical vulnerability factors from the historical asset information of the target asset, and acquiring risk realism values corresponding to the historical vulnerability factors, wherein the risk realism values are used for describing the vulnerability degree of the historical target asset corresponding to the historical vulnerability factors;
the model training module is used for carrying out iterative training on the model according to the plurality of historical risk values and risk reality values corresponding to the plurality of historical risk values to obtain the first target model;
the fourth processing module includes:
and a seventh processing sub-module, configured to input risk values of the plurality of vulnerability factors to the first target model, and obtain the third initial risk value.
Optionally, the fifth processing module includes:
an eighth processing sub-module, configured to estimate a relevant distribution position of a security event occurring after the vulnerability factor is utilized, and determine a plurality of hidden factors according to the relevant distribution position;
a ninth processing sub-module, configured to map the plurality of hidden factors into a plurality of non-characteristic parameters according to a set mapping table;
a tenth processing sub-module, configured to perform balance calibration on the first initial risk value, the second initial risk value, and the third initial risk value through the plurality of non-characteristic parameters, to obtain a plurality of calibration values;
and the eleventh processing submodule is used for acquiring a plurality of first calibration values with value differences within a set range from the plurality of calibration values, and determining an intermediate value from the plurality of first calibration values as the first target asset risk value.
Optionally, the vulnerability assessment module comprises:
the first evaluation sub-module is used for adjusting the first target asset risk value according to the network scene information of the target asset to obtain a second target asset risk value, wherein the network scene information comprises at least one of network topology complexity, network connectivity, protocol limiting rate and port opening rate;
the second evaluation sub-module is used for adjusting the second target asset risk value according to service scene information of the target asset to obtain a third target asset risk value, wherein the service scene information comprises at least one of source code risk rate, service quality defect rate and operation abnormality rate;
and the third evaluation sub-module is used for evaluating the vulnerability of the target asset according to the third target asset risk value.
It should be noted that, the device embodiment is similar to the method embodiment, so the description is simpler, and the relevant places refer to the method embodiment.
The embodiment of the application also provides an electronic device; referring to fig. 6, fig. 6 is a schematic diagram of the electronic device according to the embodiment of the application. As shown in fig. 6, the electronic device 100 includes a memory 110 and a processor 120, the memory 110 being in communication connection with the processor 120 through a bus, and a computer program that can run on the processor 120 being stored in the memory 110, so that the steps in the asset vulnerability assessment method disclosed by the embodiment of the application are realized.
Embodiments of the present application also provide a computer readable storage medium having stored thereon a computer program/instruction which, when executed by a processor, implements the asset vulnerability assessment method as disclosed in embodiments of the present application.
Embodiments of the present application also provide a computer program product comprising a computer program/instruction which, when executed by a processor, implements the asset vulnerability assessment method as disclosed in embodiments of the present application.
In this specification, each embodiment is described in a progressive manner; each embodiment is mainly described by its differences from the other embodiments, and for identical or similar parts the embodiments may be referred to one another.
It will be apparent to those skilled in the art that embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, the present embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, systems, devices, storage media, and program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present embodiments have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the present application.
Finally, it is further noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article or terminal device comprising the element.
The method, device, equipment, medium and product for evaluating asset vulnerability provided by the application have been described above in detail; specific examples are used herein to explain the principles and implementation modes of the application, and the description of the examples is only intended to help in understanding the method and the core idea of the application. At the same time, those skilled in the art will make modifications to the specific embodiments and the application scope in accordance with the ideas of the application, so in view of the above, the present description should not be construed as limiting the application.

Claims (10)

1. A method of evaluating vulnerability of an asset, the method comprising:
extracting a plurality of vulnerability factors from asset information of a target asset, and determining risk values of the vulnerability factors;
determining a first initial risk value according to the risk values and the distribution rates of the vulnerability factors;
determining a second initial risk value based on the historical security event information associated with the target asset and the risk values of the plurality of vulnerability factors;
determining a third initial risk value according to a first target model and the risk values of the vulnerability factors, wherein the first target model is trained based on historical asset information of the target asset;
determining a first target asset risk value for the target asset according to the first initial risk value, the second initial risk value, and the third initial risk value;
and evaluating the vulnerability of the target asset according to the first target asset risk value.
2. The method of claim 1, wherein determining a first initial risk value from the risk values and the distribution rates of the plurality of vulnerability factors comprises:
determining influence parameters corresponding to the vulnerability factors according to the risk values and the distribution rates of the vulnerability factors, wherein the influence parameters are used for describing the influence degree of the security event generated after the vulnerability factors are utilized on the target asset;
determining a first variance value of an influence parameter of the plurality of vulnerability factors and a second variance value of a distribution rate of the plurality of vulnerability factors;
and determining the sum of the first variance value and the second variance value as the first initial risk value.
3. The method of claim 1, wherein the determining a second initial risk value based on the historical security event information associated with the target asset and the risk values of the plurality of vulnerability factors comprises:
according to the historical security event information associated with the target asset, determining the influence degree and the influence range of a plurality of historical security events associated with the target asset on each invaded asset, and determining the protection degree of the plurality of invaded assets;
determining a plurality of loss influence values of the target asset according to influence degrees, influence ranges and protection degrees corresponding to the associated plurality of historical security events and risk values of the plurality of vulnerability factors, wherein the loss influence values are used for describing the influence degree of the vulnerability factors on the target asset when the same security event as the plurality of historical security events occurs after the vulnerability factors are utilized;
the second initial risk value is determined based on the asset operational profile parameter and a maximum of the plurality of loss impact values.
4. The method of claim 1, wherein prior to determining a third initial risk value from the first target model and the risk values of the plurality of vulnerability factors, the method further comprises:
extracting risk values of a plurality of historical vulnerability factors from the historical asset information of the target asset, and acquiring risk realism values corresponding to the historical vulnerability factors, wherein the risk realism values are used for describing the vulnerability degree of the historical target asset corresponding to the historical vulnerability factors;
performing iterative training of a model according to the historical risk values and risk reality values corresponding to the historical risk values to obtain the first target model;
said determining a third initial risk value from the first target model and the risk values of the plurality of vulnerability factors, comprising:
and inputting the risk values of the vulnerability factors into the first target model to obtain the third initial risk value.
5. The method of claim 1, wherein the determining a first target asset risk value for the target asset based on the first initial risk value, the second initial risk value, and the third initial risk value comprises:
estimating the relevant distribution positions of security events occurring after the vulnerability factors are utilized, and determining a plurality of hidden factors according to the relevant distribution positions;
mapping the hidden factors into a plurality of non-characteristic parameters according to a set mapping table;
respectively carrying out balance calibration on the first initial risk value, the second initial risk value and the third initial risk value through the plurality of non-characteristic parameters to obtain a plurality of calibration values;
and acquiring a plurality of first calibration values with value differences within a set range from the plurality of calibration values, and determining an intermediate value from the plurality of first calibration values as the first target asset risk value.
6. The method of any of claims 1-5, wherein evaluating vulnerability of the target asset based on the first target asset risk value comprises:
adjusting the first target asset risk value according to the network scene information of the target asset to obtain a second target asset risk value, wherein the network scene information comprises at least one of network topology complexity, network connectivity, protocol restriction rate and port opening rate;
adjusting the second target asset risk value according to the service scene information of the target asset to obtain a third target asset risk value, wherein the service scene information comprises at least one of source code risk rate, service quality defect rate and operation abnormality rate;
and evaluating the vulnerability of the target asset according to the third target asset risk value.
7. An asset vulnerability assessment apparatus, the apparatus comprising:
the first processing module is used for extracting a plurality of vulnerability factors from asset information of a target asset and determining risk values of the vulnerability factors;
the second processing module is used for determining a first initial risk value according to the risk values and the distribution rates of the vulnerability factors;
a third processing module configured to determine a second initial risk value based on historical security event information associated with the target asset and the risk values of the plurality of vulnerability factors;
a fourth processing module, configured to determine a third initial risk value according to a first target model and risk values of the plurality of vulnerability factors, where the first target model is trained based on historical asset information of the target asset;
a fifth processing module configured to determine a first target asset risk value for the target asset according to the first initial risk value, the second initial risk value, and the third initial risk value;
and the vulnerability assessment module is used for assessing the vulnerability of the target asset according to the first target asset risk value.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory, wherein the processor executes the computer program to implement the asset vulnerability assessment method of any one of claims 1-6.
9. A computer readable storage medium having stored thereon a computer program/instruction which when executed by a processor implements the asset vulnerability assessment method of any one of claims 1 to 6.
10. A computer program product comprising computer program/instructions which, when executed by a processor, implements the asset vulnerability assessment method of any one of claims 1 to 6.
CN202211698902.8A 2022-12-28 2022-12-28 Asset vulnerability assessment method, device and equipment, medium and product Pending CN116049832A (en)


Publications (1)

Publication Number Publication Date
CN116049832A true CN116049832A (en) 2023-05-02

Family

ID=86119264

Country Status (1)

Country Link
CN (1) CN116049832A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination