CN117014184A - Asset management method applied to network security monitoring system - Google Patents
- Publication number: CN117014184A (application number CN202310797197.5A)
- Authority: CN (China)
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    - H04L63/1433—Vulnerability analysis
  - H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
    - H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
  - H04L41/12—Discovery or management of network topologies
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  - H04L9/40—Network security protocols
Abstract
The application discloses an asset management method applied to a network security monitoring system, which relates to the technical field of data processing and comprises the steps of determining an original asset range boundary according to an enterprise internal network topology structure; analyzing the network flow between the internal network topology structure of the enterprise and the external network topology structure of the enterprise to obtain flow information; extending the original asset range boundary through the interaction degree to obtain a target asset range boundary; identifying and classifying the assets within the target asset range boundary, and determining the value of each asset according to the tags; constructing asset files of different levels based on the range of the value of each asset, and determining the vulnerability degree of each level of asset files; the security measures policy is selected based on the level and vulnerability level of the asset profile. The accuracy of the asset range is guaranteed, so that the reliability of asset identification is improved, and the adaptability of safety monitoring is improved.
Description
Technical Field
The application relates to the technical field of data processing, in particular to an asset management method applied to a network security monitoring system.
Background
A network security monitoring system monitors the network security status and responds to security events in real time. Asset management is an important task in such a system; its main purpose is to identify, classify and manage all assets in the network, including hardware and software assets. This better protects the security and stability of the system.
In the prior art, the network topology of the enterprise is often used as the asset identification range, and the network topology of external contacts is not considered, so the asset range is inaccurate and asset identification is unreliable. Inaccurate judgment of the value and vulnerability of assets also results in poor adaptability of the security measure policy.
Therefore, how to improve the accuracy of the asset range and the adaptability of security protection is a technical problem that currently needs to be solved.
Disclosure of Invention
The application provides an asset management method applied to a network security monitoring system, which is used for solving the technical problems of inaccurate asset range, poor security protection adaptability and low asset management efficiency in the prior art.
The method comprises the following steps:
acquiring an enterprise internal network topology structure, and determining an original asset range boundary according to the enterprise internal network topology structure;
acquiring an enterprise external network topology structure, and analyzing network traffic between the enterprise internal network topology structure and the enterprise external network topology structure to obtain traffic information;
determining the interaction degree of nodes in the enterprise internal network topology structure and nodes in the enterprise external network topology structure through the flow information, so as to extend the original asset range boundary and obtain a target asset range boundary;
identifying and classifying the assets within the range boundary of the target asset, thereby constructing a label corresponding to each asset, and determining the value of each asset according to the labels;
constructing asset files of different levels based on the range of the value of each asset, and determining the vulnerability degree of each level of asset files;
and selecting a safety measure strategy according to the level and the vulnerability degree of the asset file, and carrying out safety protection on the corresponding asset according to the safety measure strategy.
In some embodiments of the present application, analyzing network traffic between an internal network topology of an enterprise and an external network topology of the enterprise to obtain traffic information includes:
respectively constructing an internal node list and an external node list by scanning the internal network topology structure of the enterprise and the external network topology structure of the enterprise, wherein the internal node list comprises all nodes in the internal network topology structure of the enterprise, and the external node list comprises all nodes in the external network topology structure of the enterprise;
analyzing the source, the destination and the flow direction of a network data packet between an enterprise internal network topological structure and an enterprise external network topological structure, and correlating nodes in an internal node list and an external node list to obtain a first correlation node list;
acquiring at least one of an access log, a security log, a system log, an application program log and a network equipment log between the nodes in the internal node list and the external node list, and associating the nodes in the internal node list and the external node list to obtain a second association node list;
and constructing node trend graphs in the internal node list and the external node list through the first associated node list and the second associated node list, and determining the flow of each node as flow information.
In some embodiments of the present application, determining, according to the traffic information, a degree of interaction between a node in an internal network topology of an enterprise and a node in an external network topology of the enterprise includes:
calculating the flow ratio and the communication mode similarity of each internal node and each external node related to the internal node in the node trend graph;
where N is the communication mode similarity, n is the number of calibration modes of the communication mode, α_i is the weight corresponding to the i-th calibration mode, Q_i is the similarity under the i-th calibration mode, and K is the sum of the maximum similarities of all calibration modes;
determining the interaction degree of the nodes based on the traffic proportion and the communication mode similarity;
where M is the interaction degree, β is the conversion coefficient, T is the traffic ratio, exp is the exponential function, and k is a preset constant.
In some embodiments of the present application, extending the original asset range boundary to obtain a target asset range boundary includes:
according to the traffic information, determining as extension points those external nodes whose interaction degree with nodes in the enterprise internal network topology structure exceeds an interaction degree threshold, and extending the original asset range boundary according to the extension points and the node trends in the node trend graph, so as to obtain the target asset range boundary.
In some embodiments of the present application, identifying and classifying assets within a target asset range boundary to construct a tag for each asset, comprising:
identifying the assets within the range boundary of the target asset to obtain all the assets, and generating identity tags for all the assets;
classifying the assets in multi-attribute categories, acquiring the weights of each attribute category of the assets of the enterprise, determining the multi-attribute weights of the assets, and generating category labels;
performing functional classification on the assets according to different functions of the assets, determining functional weights, and generating functional weight labels;
the tag structure group (identity tag, category tag, functional tag) of the asset is established by the identity tag, category tag and functional tag.
In some embodiments of the application, determining the value of each asset from the tag includes:
acquiring the data information value, productivity value, business influence value and maintenance value of the asset;
determining asset value based on the data information value, productivity value, business impact value, maintenance value, category label and function label of the asset;
where L is the asset value, γ_1 is the weight corresponding to the data information value, W_1 is the data information value, exp denotes the exponential function, Z_1 is the multi-attribute weight, k_1 is a first preset constant, γ_2 is the weight corresponding to the productivity value, W_2 is the productivity value, Z_2 is the functional weight, k_2 is a second preset constant, γ_3 is the weight corresponding to the business impact value, W_3 is the business impact value, Z_01 is the multi-attribute weight threshold, Z_02 is the functional weight threshold, k_3 is a third preset constant, γ_4 is the weight corresponding to the maintenance value, and W_4 is the maintenance value.
In some embodiments of the application, determining the vulnerability degree of each level of asset file comprises:
calculating the vulnerability degree of each asset in each level asset archive;
where J is the vulnerability degree, n is the number of vulnerabilities in the asset, δ_i is the hazard weight of the i-th vulnerability, Y_i is the impact of the i-th vulnerability, P_i is the disclosure degree of the i-th vulnerability, D_min is the minimum value of δ_i·Y_i·P_i, and [ ] is the rounding symbol;
the vulnerability level of each level asset profile is derived from the vulnerability level of each asset in each level asset profile.
In some embodiments of the application, the security measure policy is selected based on the level and vulnerability level of the asset profile, comprising:
if the level and the vulnerability degree of the asset file accord with the preset matching relation, adopting a corresponding preset safety measure strategy;
if the level and the vulnerability degree of the asset file do not accord with the preset matching relation and the matching deviation distance exceeds the matching deviation distance threshold, selecting a safety measure strategy based on the difference of the matching deviation distance and the matching deviation distance threshold;
the preset matching relation between the level of the asset file and the vulnerability degree is that each level corresponds to a different calibrated vulnerability degree, and the matching deviation distance is the amount by which the vulnerability degree exceeds the calibrated vulnerability degree.
In some embodiments of the present application, after safeguarding the corresponding asset in accordance with the security policy, the method further comprises:
the update frequency of the corresponding asset is determined by the vulnerability level of the asset.
By applying the technical scheme, the internal network topology structure of the enterprise is obtained, and the boundary of the original asset range is determined according to the internal network topology structure of the enterprise; acquiring an enterprise external network topology structure, and analyzing network traffic between the enterprise internal network topology structure and the enterprise external network topology structure to obtain traffic information; determining the interaction degree of nodes in the enterprise internal network topology structure and nodes in the enterprise external network topology structure through the flow information, so as to extend the original asset range boundary and obtain a target asset range boundary; identifying and classifying the assets within the range boundary of the target asset, thereby constructing a label corresponding to each asset, and determining the value of each asset according to the labels; constructing asset files of different levels based on the range of the value of each asset, and determining the vulnerability degree of each level of asset files; and selecting a safety measure strategy according to the level and the vulnerability degree of the asset file, and carrying out safety protection on the corresponding asset according to the safety measure strategy. According to the application, the boundary of the original asset range is extended through the internal network topology structure and the external network topology structure of the enterprise, so that the accuracy of the asset range is ensured, and the reliability of asset identification is improved. The security measure strategy is selected according to the level and the vulnerability degree of the asset file, so that the adaptability of security protection is ensured, the security of the asset is improved, and the efficiency of asset management is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of an asset management method applied to a network security monitoring system according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The embodiment of the application provides an asset management method applied to a network security monitoring system, as shown in fig. 1, comprising the following steps:
step S101, acquiring an internal network topology structure of an enterprise, and determining an original asset range boundary according to the internal network topology structure of the enterprise.
In this embodiment, the original asset range boundary is the boundary of the internal network.
Step S102, obtaining an enterprise external network topology structure, analyzing network traffic between the enterprise internal network topology structure and the enterprise external network topology structure, and obtaining traffic information.
In this embodiment, the asset partition of an enterprise is not only related to its internal network topology, but also to the network topology of its cooperating enterprise. The external network topology of the enterprise is the network topology with which the cooperative enterprise is in contact.
In some embodiments of the present application, analyzing network traffic between an internal network topology of an enterprise and an external network topology of the enterprise to obtain traffic information includes:
respectively constructing an internal node list and an external node list by scanning the internal network topology structure of the enterprise and the external network topology structure of the enterprise, wherein the internal node list comprises all nodes in the internal network topology structure of the enterprise, and the external node list comprises all nodes in the external network topology structure of the enterprise;
analyzing the source, the destination and the flow direction of a network data packet between an enterprise internal network topological structure and an enterprise external network topological structure, and correlating nodes in an internal node list and an external node list to obtain a first correlation node list;
acquiring at least one of an access log, a security log, a system log, an application program log and a network equipment log between the nodes in the internal node list and the external node list, and associating the nodes in the internal node list and the external node list to obtain a second association node list;
and constructing node trend graphs in the internal node list and the external node list through the first associated node list and the second associated node list, and determining the flow of each node as flow information.
In this embodiment, at least one of an access log, a security log, a system log, an application log, and a network device log between nodes in both the internal node list and the external node list is acquired.
Access Logs (Access Logs): events of accessing network resources including access time, source IP address, destination IP address, access method, etc. are recorded.
Security Logs (Security Logs): security events and attack actions such as login failures, denial of service attacks, malware attacks, etc. are recorded.
System log (System Logs): events and error information during system operation, such as system start-up, service start-up, system crash, etc., are recorded.
Application logs (Application Logs): events and information during the running of the application are recorded, such as database access logs, web application logs, email logs, etc.
Network equipment log (Network Device Logs): events and information during the operation of the network device, such as router logs, switch logs, firewall logs, etc., are recorded.
These logs reflect, to a certain extent, the interaction between internal and external nodes and indicate the types of contact between them, so they fall within the protection scope of the application.
In this embodiment, the network data packets are analyzed with a network traffic monitoring tool such as Wireshark or tcpdump to obtain the first association node list, and the second association node list is obtained from the logs; taking both factors, the network data packets and the logs, into account yields the required relationship between the internal and external nodes.
In this embodiment, the node trend graphs in the internal node list and the external node list are constructed through the first association node list and the second association node list. The node trend graph is constructed by combining the contents of the first association node list and the second association node list, so that the node trend graph can be understood as a flow between the internal node and the external node, and the flow information of the nodes is displayed.
Step S103, determining the interaction degree of the nodes in the enterprise internal network topology structure and the nodes in the enterprise external network topology structure through the flow information, and extending the original asset range boundary to obtain the target asset range boundary.
In this embodiment, the nodes in the previous step are screened according to the interaction degree, and range boundary extension is performed according to the screened nodes, and the target asset range boundary is the asset range to be identified.
In some embodiments of the present application, determining, according to the traffic information, a degree of interaction between a node in an internal network topology of an enterprise and a node in an external network topology of the enterprise includes:
calculating the flow ratio and the communication mode similarity of each internal node and each external node related to the internal node in the node trend graph;
where N is the communication mode similarity, n is the number of calibration modes of the communication mode, α_i is the weight corresponding to the i-th calibration mode, Q_i is the similarity under the i-th calibration mode, and K is the sum of the maximum similarities of all calibration modes;
determining the interaction degree of the nodes based on the traffic proportion and the communication mode similarity;
where M is the interaction degree, β is the conversion coefficient, T is the traffic ratio, exp is the exponential function, and k is a preset constant.
In this embodiment, the traffic ratio between an internal node and an external node reflects the interaction degree between the two nodes: the higher the ratio, the more frequent the interaction between the two nodes and the higher their degree of correlation. The communication mode also reflects the interaction degree between nodes to some extent; if the communication modes of two nodes are the same, their degree of correlation may be high.
In this embodiment, the calibration modes of the communication mode include the communication protocol, the communication port, the communication direction, and the like. K is the sum of the maximum similarities over all calibration modes, that is, the sum of α_i·Q_i when the communication modes of the two nodes are identical.
In this embodiment, the correction of the interaction degree takes a value in the range 0.1 to 0.15.
In some embodiments of the present application, extending the original asset range boundary to obtain a target asset range boundary includes:
according to the traffic information, determining as extension points those external nodes whose interaction degree with nodes in the enterprise internal network topology structure exceeds an interaction degree threshold, and extending the original asset range boundary according to the extension points and the node trends in the node trend graph, so as to obtain the target asset range boundary.
In this embodiment, undesirable nodes are removed, and the original asset range boundary extension is performed based on the nodes that meet the requirements.
The scheme has the beneficial effects that:
All external nodes with interaction are determined through data packet analysis and log analysis, and the interaction degree with each external node is determined from the traffic ratio and the communication mode similarity, so that the original asset range boundary is extended. This improves the accuracy of the asset range, lays a good foundation for the subsequent asset identification, and guarantees the reliability of asset identification.
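The traffic analysis of step S102 and the boundary extension of step S103, worked through as an added Python example that is not part of the patent. The internal and external node sets, the flow records, the log lines and the calibration-mode weights are constructed sample data. The similarity N follows the description above (N = Σ α_i·Q_i / K with K = Σ α_i·max Q_i, Jaccard similarity as Q_i); the definition of the traffic ratio T (the pair's share of the internal node's total traffic) and the form in which M combines T, N, β, exp and k are assumptions, because this text does not preserve those formulas.

```python
"""Association lists, node trend graph, traffic ratio, communication-mode
similarity and threshold-based boundary extension (steps S102/S103)."""
import math
from collections import defaultdict

# --- constructed sample data (not from the patent) --------------------------
INTERNAL_NODES = {"10.0.0.5", "10.0.0.8"}
EXTERNAL_NODES = {"203.0.113.10", "203.0.113.20", "198.51.100.7"}

# Packet view: (source, destination, protocol, port, bytes)
FLOWS = [
    ("10.0.0.5", "203.0.113.10", "tcp", 443, 50_000),
    ("203.0.113.10", "10.0.0.5", "tcp", 443, 120_000),
    ("10.0.0.5", "203.0.113.20", "udp", 53, 800),
    ("10.0.0.8", "198.51.100.7", "tcp", 22, 30_000),
    ("198.51.100.7", "10.0.0.8", "tcp", 22, 20_000),
]
# Log view (access/security/system/application/device logs): "src dst type"
LOGS = [
    "10.0.0.5 203.0.113.10 access",
    "10.0.0.8 198.51.100.7 security",
    "10.0.0.8 203.0.113.20 access",  # relation seen only in logs, not in packets
]
# Calibration modes of the communication mode and their weights alpha_i (constructed)
ALPHA = {"protocol": 0.5, "port": 0.25, "direction": 0.25}


def _pair(a, b):
    """Normalise an (internal, external) pair regardless of packet direction."""
    if a in INTERNAL_NODES and b in EXTERNAL_NODES:
        return (a, b)
    if b in INTERNAL_NODES and a in EXTERNAL_NODES:
        return (b, a)
    return None


def first_association_list():
    """Internal/external pairs that exchange packets."""
    pairs = set()
    for src, dst, _proto, _port, _nbytes in FLOWS:
        p = _pair(src, dst)
        if p:
            pairs.add(p)
    return pairs


def second_association_list():
    """Internal/external pairs that appear together in a log line."""
    pairs = set()
    for line in LOGS:
        src, dst, _kind = line.split()
        p = _pair(src, dst)
        if p:
            pairs.add(p)
    return pairs


def node_trend_graph():
    """Edge -> bytes for the union of both association lists, plus each node's
    sets per calibration mode (used for the similarity calculation)."""
    edges = {p: 0 for p in first_association_list() | second_association_list()}
    modes = defaultdict(lambda: {"protocol": set(), "port": set(), "direction": set()})
    for src, dst, proto, port, nbytes in FLOWS:
        p = _pair(src, dst)
        if p:
            edges[p] += nbytes
            for node, direction in ((src, "initiates"), (dst, "receives")):
                modes[node]["protocol"].add(proto)
                modes[node]["port"].add(port)
                modes[node]["direction"].add(direction)
    return edges, modes


def traffic_info(edges):
    """Traffic of each node (the flow information of step S102)."""
    per_node = defaultdict(int)
    for (internal, external), nbytes in edges.items():
        per_node[internal] += nbytes
        per_node[external] += nbytes
    return dict(per_node)


def traffic_ratio(edges, internal, external):
    """T: the pair's share of the internal node's total traffic (assumed definition)."""
    total = traffic_info(edges).get(internal, 0)
    return edges[(internal, external)] / total if total else 0.0


def mode_similarity(modes, internal, external):
    """N = sum(alpha_i * Q_i) / K, Q_i = Jaccard similarity of the two nodes' sets for
    calibration mode i, K = sum(alpha_i * max Q_i) = sum(alpha_i) since max Q_i is 1."""
    k = sum(ALPHA.values())
    total = 0.0
    for mode, alpha in ALPHA.items():
        a, b = modes[internal][mode], modes[external][mode]
        q = len(a & b) / len(a | b) if (a | b) else 0.0
        total += alpha * q
    return total / k


def interaction_degree(t, n, beta=1.0, k=3.0):
    """M: assumed stand-in combining T and N with beta, exp and k (not the patent's formula)."""
    return beta * n * (1.0 - math.exp(-k * t))


def extend_boundary(threshold=0.5):
    """External nodes whose M exceeds the threshold become extension points;
    returns (extension_points, target_asset_range_boundary)."""
    edges, modes = node_trend_graph()
    extension = set()
    for internal, external in edges:
        m = interaction_degree(traffic_ratio(edges, internal, external),
                               mode_similarity(modes, internal, external))
        if m > threshold:
            extension.add(external)
    return extension, INTERNAL_NODES | extension


if __name__ == "__main__":
    print(extend_boundary())
```

The pair that appears only in the logs is kept in the trend graph with zero bytes, so it is evaluated rather than silently dropped; with the data above its interaction degree is 0 and it stays outside the boundary, while the two high-volume, same-mode pairs are added as extension points.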
And step S104, identifying and classifying the assets within the range boundary of the target asset, thereby constructing a label corresponding to each asset, and determining the value of each asset according to the labels.
In this embodiment, each asset is identified, the identified assets are classified, a tag is constructed, and the asset value is determined. All assets present in the network are identified by means of network scanning, manual inspection, etc.
In some embodiments of the present application, identifying and classifying assets within a target asset range boundary to construct a tag for each asset, comprising:
identifying the assets within the range boundary of the target asset to obtain all the assets, and generating identity tags for all the assets;
classifying the assets in multi-attribute categories, acquiring the weights of each attribute category of the assets of the enterprise, determining the multi-attribute weights of the assets, and generating category labels;
performing functional classification on the assets according to different functions of the assets, determining functional weights, and generating functional weight labels;
the tag structure group (identity tag, category tag, functional tag) of the asset is established by the identity tag, category tag and functional tag.
In this embodiment, the asset is classified into multi-attribute categories, and the weight of each attribute category of the enterprise's assets is obtained in order to determine the multi-attribute weight of the asset. For example, the asset is classified attribute by attribute according to its location, its department attribution and its asset technology type (the multiple attributes). For a given asset this yields, say, location category 1, department attribution 1, asset technology type 1, and so on, which are called its attribute categories. The attribute category weights are, for example, different weights given to each of 10 asset technology types (asset technology types 1 to 10), with the weights summing to 1. The multi-attribute weight is the sum of the weights corresponding to location category 1, department attribution 1 and asset technology type 1.
In this embodiment, the asset is classified by function according to its different functions, and the function weight is determined. The functions of an asset include computing, storage, transmission and the like, and different functions correspond to different weights.
In this embodiment, within the tag structure group (identity tag, category tag, function tag) of the asset, the identity tag identifies the identity information of the asset, the category tag determines the multi-attribute weight of the asset, and the function tag determines the function weight of the asset.
In some embodiments of the application, determining the value of each asset from the tag includes:
acquiring the data information value, productivity value, business influence value and maintenance value of the asset;
determining asset value based on the data information value, productivity value, business impact value, maintenance value, category label and function label of the asset;
where L is the asset value, γ_1 is the weight corresponding to the data information value, W_1 is the data information value, exp denotes the exponential function, Z_1 is the multi-attribute weight, k_1 is a first preset constant, γ_2 is the weight corresponding to the productivity value, W_2 is the productivity value, Z_2 is the functional weight, k_2 is a second preset constant, γ_3 is the weight corresponding to the business impact value, W_3 is the business impact value, Z_01 is the multi-attribute weight threshold, Z_02 is the functional weight threshold, k_3 is a third preset constant, γ_4 is the weight corresponding to the maintenance value, and W_4 is the maintenance value.
In this embodiment, the evaluation of asset value is mainly affected by the following four aspects.
Data information value: the data and information contained in the asset help the organization make decisions and improve efficiency and competitiveness, so the value of the asset can be determined by evaluating the value of this data and information.
Productivity value: the asset provides productivity and capacity to the organization (for example, a server provides computing power and a storage device provides storage space), so the value can be determined by evaluating the productivity and capacity of the asset.
Business impact value: an asset such as a core application or database has an important impact on the business continuity and security of the organization, so its value can be determined by evaluating that impact.
Maintenance value: assets require periodic maintenance and updating, and these costs can also be one of the reference factors in determining asset value.
In this embodiment, the asset types are different, the multi-attribute weights are different, and different effects are generated on the data information value. Different asset functionality weights can affect productivity value. And the influence value on the service is jointly influenced by the multi-attribute weight and the functional weight.
Step S105, constructing asset files of different levels based on the range of the value of each asset, and determining the vulnerability degree of each level asset file.
In this embodiment, the value of each asset falls into one of several ranges, and each range corresponds to an asset profile of a different level. The higher the level of the asset profile, the more important the asset. An asset profile can be viewed as grouping many similarly valued assets into one area, which simplifies subsequent computation and protection. The vulnerability degree of each level of asset profile refers here to the vulnerability degree of the profile as a whole, not of an individual asset.
In some embodiments of the application, determining the vulnerability degree of each level of asset profile comprises:
calculating the vulnerability degree of each asset in each level asset archive;
where $J$ is the vulnerability degree, $n$ is the number of vulnerabilities in the asset, $\delta_i$ is the hazard weight of the $i$-th vulnerability, $Y_i$ is the impact of the $i$-th vulnerability, $P_i$ is the disclosure degree of the $i$-th vulnerability, $D_{\min}$ is the minimum value of $\delta_i Y_i P_i$, and $[\,\cdot\,]$ is the rounding symbol;
the vulnerability level of each level asset profile is derived from the vulnerability level of each asset in each level asset profile.
In this embodiment, the overall vulnerability degree of each profile is determined from the vulnerability degree of each asset it contains.
Step S106: select a security measure policy according to the level and vulnerability degree of the asset profile, and protect the corresponding assets according to that policy.
In this embodiment, the security measure policy is selected according to the level and vulnerability degree of the asset profile: the higher the level and the higher the vulnerability degree, the stronger the security measure policy, i.e. the security protection level, that is required.
In some embodiments of the application, selecting the security measure policy based on the level and vulnerability degree of the asset profile comprises:
if the level and vulnerability degree of the asset profile conform to the preset matching relation, adopting the corresponding preset security measure policy;
if the level and vulnerability degree of the asset profile do not conform to the preset matching relation and the matching deviation distance exceeds the matching deviation distance threshold, selecting the security measure policy based on the difference between the matching deviation distance and the matching deviation distance threshold;
where the preset matching relation between asset profile levels and vulnerability degree is that different levels correspond to different calibrated vulnerability degrees, and the matching deviation distance is the amount by which the vulnerability degree exceeds the calibrated vulnerability degree.
In this embodiment, each asset profile level corresponds to a range of calibrated vulnerability degrees. When the vulnerability degree is greater than the calibrated vulnerability degree of that level, a matching deviation distance exists.
In this embodiment, the security measure policy is selected based on the difference between the matching deviation distance and the matching deviation distance threshold, and the policy is strengthened according to that difference.
Beneficial effects of the above scheme:
The value of each asset is determined by identifying the tag structure array constructed for the asset, so that assets are graded into asset profiles, each asset is integrated into its profile, and different security protection policies are selected according to the vulnerability degree and level of the asset profile. This improves the adaptability and precision of security monitoring and ensures that the assets can run stably over the long term.
In some embodiments of the present application, after safeguarding the corresponding asset in accordance with the security policy, the method further comprises:
the update frequency of the corresponding asset is determined by the vulnerability level of the asset.
In this embodiment, determining the update frequency of the corresponding asset according to its vulnerability degree means setting the update frequency of the asset according to that degree, where an update refers to operations such as checking the asset at a specified period, deleting assets that are no longer valid, or updating assets that have changed. Each vulnerability degree corresponds to an update frequency for the asset: the higher the vulnerability degree, the more frequently the asset is updated, and vice versa.
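The grading, policy selection and update-frequency steps above (S105, S106 and the update-frequency embodiment) as an added Python example; this is not code from the patent. The value ranges, calibrated degrees, policy ladder, thresholds and the worst-member aggregation are assumptions, and the asset value L and vulnerability degree J are taken as inputs because the page's formulas for them are not reproduced here.

```python
import math
from dataclasses import dataclass

# Constructed configuration (assumed values, not from the patent): value ranges
# [lo, hi) defining profile levels (S105), the calibrated vulnerability degree and
# preset policy per level (S106), and the deviation threshold / escalation step.
LEVEL_RANGES = [(0.0, 100.0, 1), (100.0, 500.0, 2), (500.0, math.inf, 3)]
CALIBRATED_J = {1: 3.0, 2: 2.0, 3: 1.0}
PRESET_POLICY = {1: "baseline", 2: "hardened", 3: "critical"}
POLICY_LADDER = ["baseline", "hardened", "critical", "isolated"]
DEVIATION_THRESHOLD = 1.0  # matching deviation distance threshold
STEP = 1.0                 # one ladder step per unit of excess deviation

@dataclass
class Asset:
    name: str
    value: float          # L, output of the page's asset value formula (given here)
    vulnerability: float  # J, output of the page's vulnerability formula (given here)

def profile_level(value):
    # S105: the level of the profile whose value range contains the asset value
    for lo, hi, level in LEVEL_RANGES:
        if lo <= value < hi:
            return level
    raise ValueError(f"no profile range covers value {value}")

def build_profiles(assets):
    # Group assets into per-level profiles: {level: [assets]}
    profiles = {}
    for asset in assets:
        profiles.setdefault(profile_level(asset.value), []).append(asset)
    return profiles

def profile_vulnerability(members):
    # The page derives the profile degree from its members without fixing the
    # aggregation; the worst member is assumed (a profile is as exposed as its
    # most vulnerable asset).
    return max(a.vulnerability for a in members)

def select_policy(level, j):
    # S106: preset policy when J matches the level's calibrated degree; escalate
    # along the ladder when the deviation distance exceeds the threshold.
    calibrated, base = CALIBRATED_J[level], PRESET_POLICY[level]
    deviation = max(0.0, j - calibrated)  # a deviation exists only when J > calibrated
    if deviation <= DEVIATION_THRESHOLD:
        return base, deviation  # assumed: within tolerance keeps the preset policy
    steps = math.ceil((deviation - DEVIATION_THRESHOLD) / STEP)
    idx = min(POLICY_LADDER.index(base) + steps, len(POLICY_LADDER) - 1)
    return POLICY_LADDER[idx], deviation

def update_interval_days(j):
    # Update frequency from the asset's own degree: higher J, more frequent checks
    # (day bands assumed).
    return 1 if j >= 4.0 else 7 if j >= 2.0 else 30

def plan(assets):
    # Returns {asset name: (profile level, selected policy, update interval in days)}
    result = {}
    for level, members in build_profiles(assets).items():
        policy, _ = select_policy(level, profile_vulnerability(members))
        for asset in members:
            result[asset.name] = (level, policy, update_interval_days(asset.vulnerability))
    return result
```

With the constructed inputs, a level-3 profile holding one asset whose J exceeds the calibrated degree by more than the threshold is escalated one ladder step, while each asset keeps an update interval driven by its own J.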
By applying this technical scheme, the enterprise internal network topology is obtained and the original asset range boundary is determined from it; the enterprise external network topology is obtained, and network traffic between the internal and external topologies is analyzed to obtain traffic information; the interaction degree between nodes of the internal topology and nodes of the external topology is determined from the traffic information, so that the original asset range boundary is extended to obtain a target asset range boundary; the assets within the target asset range boundary are identified and classified, a tag is constructed for each asset, and the value of each asset is determined from its tags; asset profiles of different levels are constructed based on the range of each asset's value, and the vulnerability degree of each level of asset profile is determined; and a security measure policy is selected according to the level and vulnerability degree of the asset profile, and the corresponding assets are protected according to that policy. In this application, the original asset range boundary is extended through the enterprise's internal and external network topologies, which ensures the accuracy of the asset range and improves the reliability of asset identification. The security measure policy is selected according to the level and vulnerability degree of the asset profile, which ensures the adaptability of security protection, improves the security of the assets, and improves the efficiency of asset management.
From the above description of the embodiments, it will be clear to those skilled in the art that the present application may be implemented in hardware, or may be implemented by means of software plus necessary general hardware platforms. Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.), and includes several instructions for causing a computer device (may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective implementation scenario of the present application.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present application and do not limit it; although the application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will appreciate that the technical scheme described in the foregoing embodiments can be modified, or some of its technical features replaced by equivalents, and that such modifications and substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.
Claims (9)
1. An asset management method for use in a network security monitoring system, the method comprising:
acquiring an enterprise internal network topology structure, and determining an original asset range boundary according to the enterprise internal network topology structure;
acquiring an enterprise external network topology structure, and analyzing network traffic between the enterprise internal network topology structure and the enterprise external network topology structure to obtain traffic information;
determining the interaction degree of nodes in the enterprise internal network topology structure and nodes in the enterprise external network topology structure through the flow information, so as to extend the original asset range boundary and obtain a target asset range boundary;
identifying and classifying the assets within the range boundary of the target asset, thereby constructing a label corresponding to each asset, and determining the value of each asset according to the labels;
constructing asset files of different levels based on the range of the value of each asset, and determining the vulnerability degree of each level of asset files;
and selecting a safety measure strategy according to the level and the vulnerability degree of the asset file, and carrying out safety protection on the corresponding asset according to the safety measure strategy.
2. The asset management method for network security monitoring system of claim 1, wherein analyzing network traffic between the internal network topology of the enterprise and the external network topology of the enterprise to obtain traffic information comprises:
respectively constructing an internal node list and an external node list by scanning the internal network topology structure of the enterprise and the external network topology structure of the enterprise, wherein the internal node list comprises all nodes in the internal network topology structure of the enterprise, and the external node list comprises all nodes in the external network topology structure of the enterprise;
analyzing the source, the destination and the flow direction of a network data packet between an enterprise internal network topological structure and an enterprise external network topological structure, and correlating nodes in an internal node list and an external node list to obtain a first correlation node list;
acquiring at least one of an access log, a security log, a system log, an application program log and a network equipment log between the nodes in the internal node list and the external node list, and associating the nodes in the internal node list and the external node list to obtain a second association node list;
and constructing node trend graphs in the internal node list and the external node list through the first associated node list and the second associated node list, and determining the flow of each node as flow information.
3. The asset management method applied to the network security monitoring system as claimed in claim 2, wherein determining the interaction degree of the node in the internal network topology of the enterprise and the node in the external network topology of the enterprise through the traffic information comprises:
calculating the flow ratio and the communication mode similarity of each internal node and each external node related to the internal node in the node trend graph;
wherein $N$ is the communication mode similarity, $n$ is the number of calibrated communication modes, $\alpha_i$ is the weight corresponding to the $i$-th calibrated mode, $Q_i$ is the term for the $i$-th calibrated mode, and $K$ is the sum of the maximum similarities of all calibrated modes;
determining the interaction degree of the nodes based on the traffic proportion and the communication mode similarity;
wherein $M$ is the interaction degree, $\beta$ is the conversion coefficient, $T$ is the traffic ratio, $\exp$ is the exponential function, and $k$ is a preset constant.
4. The asset management method for a network security monitoring system of claim 3, wherein extending the original asset range boundary to obtain a target asset range boundary comprises:
and determining external nodes, of which the interaction degree exceeds an interaction degree threshold, of the nodes in the internal network topology structure of the enterprise and the nodes in the external network topology structure of the enterprise as extension points according to the flow information, and extending the original asset range boundary according to the extension points and the node trend of the node trend graph so as to obtain the target asset range boundary.
5. The asset management method for a network security monitoring system of claim 1, wherein identifying and classifying assets within a target asset range boundary to construct a tag for each asset comprises:
identifying the assets within the range boundary of the target asset to obtain all the assets, and generating identity tags for all the assets;
classifying the assets in multi-attribute categories, acquiring the weights of each attribute category of the assets of the enterprise, determining the multi-attribute weights of the assets, and generating category labels;
performing functional classification on the assets according to different functions of the assets, determining functional weights, and generating functional weight labels;
the tag structure group (identity tag, category tag, functional tag) of the asset is established by the identity tag, category tag and functional tag.
6. The asset management method for use with a network security monitoring system of claim 5, wherein determining the value of each asset based on the tag comprises:
acquiring the data information value, productivity value, business influence value and maintenance value of the asset;
determining asset value based on the data information value, productivity value, business impact value, maintenance value, category label and function label of the asset;
wherein $L$ is the asset value, $\gamma_1$ is the weight corresponding to the data information value, $W_1$ is the data information value, $\exp$ denotes the exponential function, $Z_1$ is the multi-attribute weight, $k_1$ is a first preset constant, $\gamma_2$ is the weight corresponding to the productivity value, $W_2$ is the productivity value, $Z_2$ is the functional weight, $k_2$ is a second preset constant, $\gamma_3$ is the weight corresponding to the business impact value, $W_3$ is the business impact value, $Z_{01}$ is the multi-attribute weight threshold, $Z_{02}$ is the functional weight threshold, $k_3$ is a third preset constant, $\gamma_4$ is the weight corresponding to the maintenance value, and $W_4$ is the maintenance value.
7. The asset management method for a network security monitoring system of claim 1, wherein determining the vulnerability level of each level asset profile comprises:
calculating the vulnerability degree of each asset in each level asset archive;
wherein $J$ is the vulnerability degree, $n$ is the number of vulnerabilities in the asset, $\delta_i$ is the hazard weight of the $i$-th vulnerability, $Y_i$ is the impact of the $i$-th vulnerability, $P_i$ is the disclosure degree of the $i$-th vulnerability, $D_{\min}$ is the minimum value of $\delta_i Y_i P_i$, and $[\,\cdot\,]$ is the rounding symbol;
the vulnerability level of each level asset profile is derived from the vulnerability level of each asset in each level asset profile.
8. The asset management method for network security monitoring systems of claim 7, wherein selecting the security measure policy based on the level and vulnerability level of the asset profile comprises:
if the level and the vulnerability degree of the asset file accord with the preset matching relation, adopting a corresponding preset safety measure strategy;
if the level and the vulnerability degree of the asset file do not accord with the preset matching relation and the matching deviation distance exceeds the matching deviation distance threshold, selecting a safety measure strategy based on the difference of the matching deviation distance and the matching deviation distance threshold;
the preset matching relation between the levels of the asset file and the vulnerability level is that different levels correspond to different calibrated vulnerability levels, and the matching deviation distance is that the vulnerability level is larger than the calibrated vulnerability level.
9. The asset management method for a network security monitoring system of claim 7, wherein after safeguarding the corresponding asset in accordance with a security policy, the method further comprises:
the update frequency of the corresponding asset is determined by the vulnerability level of the asset.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310797197.5A CN117014184A (en) | 2023-06-28 | 2023-06-28 | Asset management method applied to network security monitoring system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117014184A true CN117014184A (en) | 2023-11-07 |
Family
ID=88568162
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||