CN102739649B - Method and device for determining network threat level - Google Patents

Publication number
CN102739649B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210167091.9A
Other languages
Chinese (zh)
Other versions
CN102739649A (en
Inventor
鲍旭华
赵粮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nsfocus Technologies Group Co Ltd
Original Assignee
Beijing NSFocus Information Security Technology Co Ltd
Application filed by Beijing NSFocus Information Security Technology Co Ltd
Priority to CN201210167091.9A
Publication of CN102739649A
Application granted
Publication of CN102739649B

Abstract

The invention provides a method and a device for determining network threat level. The method comprises the following steps: acquiring network threat information; and determining the network threat level according to the formula shown in the specification based on network threat information. The device comprises an acquisition module and a processing module. According to the invention, for vulnerabilities occurring in the whole Internet environment, according to the disclosure time, acquisition time and vulnerability coefficients of vulnerability information, the network threat level of the current vulnerability is quantitatively analyzed and determined, so that the accuracy of network threat level judgment can be improved, the changes of the vulnerability based network threat level with time can be analyzed, the severity degree and changes of a network threat can be timely and intuitively understood, and then corresponding safety measures are taken.

Description

Method and device for determining network threat level
Technical field
The present invention relates to the field of network security, and in particular to a method and device for determining network threat level.
Background
In the open, shared Internet environment, information security problems are growing more serious and the resulting losses are hard to estimate; network threats are the most evident of these problems.
In the prior art, the network threat level is usually analyzed for a specific network threat within a single information system or a specific network range. Users find it difficult to understand the network threat level and its changes promptly and intuitively and to take corresponding security measures, so a quantitative method for analyzing threats across the whole Internet is badly needed.
Summary of the invention
The invention provides a method and device for determining network threat level, so as to improve the accuracy with which the network threat level of vulnerabilities in the Internet environment is judged and to allow countermeasures to be selected accurately.
In one aspect, the invention provides a method comprising:
Acquiring network threat information, the network threat information comprising the exposure time of the vulnerability information, the time of receipt and the vulnerability coefficient, where the exposure time is the time at which the vulnerability was first found in forum information or tool samples, the time of receipt is the time at which the vulnerability was included in Common Vulnerabilities and Exposures (CVE), and the vulnerability coefficient represents the severity of the vulnerability information;
Determining the network threat level from the network threat information according to

$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$

where $t$ is the time; $D_v$ is the vulnerability coefficient; $t_{v1}$ is the exposure time; $t_{v2}$ is the time of receipt; $T_v$ is the time the vulnerability information needs to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known, $T_v$ is determined from them (the expression is missing from this text); $t_v$ is the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; $\alpha$ and $\beta$ are positive numbers satisfying $\alpha + \beta < 1$.
In another aspect, the invention provides a device comprising:
An acquisition module, configured to acquire network threat information, the network threat information comprising the exposure time of the vulnerability information, the time of receipt and the vulnerability coefficient, where the exposure time is the time at which the vulnerability was first found in forum information or tool samples, the time of receipt is the time at which the vulnerability was included in Common Vulnerabilities and Exposures (CVE), and the vulnerability coefficient represents the severity of the vulnerability information;
A processing module, configured to determine the network threat level from the network threat information according to

$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$

where $t$ is the time; $D_v$ is the vulnerability coefficient; $t_{v1}$ is the exposure time; $t_{v2}$ is the time of receipt; $T_v$ is the time the vulnerability information needs to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known, $T_v$ is determined from them (the expression is missing from this text); $t_v$ is the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; $\alpha$ and $\beta$ are positive numbers satisfying $\alpha + \beta < 1$.
For vulnerabilities appearing anywhere in the Internet environment, the method and device provided by the invention quantitatively determine the network threat level of the current vulnerability from the exposure time of the vulnerability information, the time of receipt and the vulnerability coefficient. This improves the accuracy with which the network threat level is judged and shows how the level changes over time with the vulnerability, so that the severity and changes of the network threat can be understood promptly and intuitively and corresponding security measures taken.
Brief description of the drawings
Fig. 1 is a flow chart of one embodiment of the method for determining network threat level provided by the invention;
Fig. 2 is a schematic curve of the network threat level for the method shown in Fig. 1;
Fig. 3 is a flow chart of another embodiment of the method for determining network threat level provided by the invention;
Fig. 4 is one schematic curve of the patch threat index for the method shown in Fig. 3;
Fig. 5 is another schematic curve of the patch threat index for the method shown in Fig. 3;
Fig. 6 is a schematic curve of the network threat level for the method shown in Fig. 3;
Fig. 7 is a flow chart of a further embodiment of the method for determining network threat level provided by the invention;
Fig. 8 is a schematic curve of the tool threat index for the method shown in Fig. 7;
Fig. 9 is a schematic curve of the network threat level for the method shown in Fig. 7;
Fig. 10 is a flow chart of a further embodiment of the method for determining network threat level provided by the invention;
Fig. 11 is a schematic curve of the event threat index for the method shown in Fig. 10;
Fig. 12 is a schematic curve of the network threat level for the method shown in Fig. 10;
Fig. 13 is a structural diagram of the device for determining network threat level provided by the invention.
Detailed description
The invention is further described below with reference to the drawings and embodiments.
Fig. 1 is a flow chart of one embodiment of the method for determining network threat level provided by the invention. This embodiment applies to determining the network threat level in the Internet environment and is implemented in software and/or hardware, for example by a device for determining network threat level. The steps of the method in this embodiment are as follows:
S100: Acquire network threat information.
The network threat information comprises the exposure time of the vulnerability information, the time of receipt and the vulnerability coefficient. The exposure time is the time at which the vulnerability was first found in forum information or tool samples; the time of receipt is the time at which the vulnerability was included in Common Vulnerabilities & Exposures (CVE); the vulnerability coefficient represents the severity of the vulnerability information and takes the value published by the Common Vulnerability Scoring System (CVSS).
The network threat information can be obtained through many channels, for example vulnerability lists published by authoritative bodies, vendor security bulletins and news reports on major security incidents; they are not enumerated here.
A vulnerability here is a defect in the concrete implementation of hardware, software or a protocol, or in a system security policy, that allows an attacker to access or damage a system without authorization. Embodiments of the invention use the exposure time, time of receipt and vulnerability coefficient of the vulnerability information to analyze how the network threat level changes over time, and can therefore determine the threat level more accurately.
S110: Determine the network threat level from the network threat information according to

$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$

In one feasible implementation, the time $T_v$ that the vulnerability information needs to spread and the estimated discovery time $t_v$ of the vulnerability are determined from the collected exposure time $t_{v1}$ and time of receipt $t_{v2}$ of the vulnerability information:
If only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known, $T_v$ is determined from them (the expression is missing from this text).
If $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; where $\alpha$ and $\beta$ are positive numbers satisfying $\alpha + \beta < 1$.
The network threat level can then be determined according to:

$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$

where $t$ is the time and $D_v$ is the vulnerability coefficient, taking the value published by CVSS.
In this scenario the resulting network threat level curve is shown in Fig. 2, where the x-axis is the time $t$ and the y-axis is the network threat level $f_v(t)$. It shows that, leaving other factors aside, once the vulnerability is discovered at time $t_v$ its information keeps spreading and becomes known to more and more attackers, so the threat keeps rising. From time $t_v + T_v$, when an authoritative body or the vendor publishes the vulnerability and it becomes public information, the threat stays at its high point.
In the above embodiment, for vulnerabilities on the Internet, the exposure time of the vulnerability information, the time of receipt and the vulnerability coefficient are obtained from vulnerability lists published by authoritative bodies, vendor security bulletins, news reports on major security incidents and the public network, and the network threat level is determined from them. The information sources can be verified and are not skewed by changes in attack methods. They are also general and provide guidance for the Internet as a whole. Quantitative analysis shows how the network threat level changes over time with the vulnerability, so that users can understand the severity and changes of the network threat promptly and intuitively, judge how much the vulnerability affects them, and select countermeasures.
In another feasible implementation, when an institution or organization has issued an unofficial patch for the vulnerability, this indicates that the vulnerability is more serious. When the vulnerability threat index is calculated in this case, the severity $D_v$ published by CVSS is additionally multiplied by a preset weighting parameter $k$. In this scenario the network threat level can therefore be determined according to:

$$f_v(t) = \begin{cases} 0, & t \le t_v \\ k D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ k D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$

where $t$ is the time; $D_v$ is the vulnerability coefficient, taking the value published by CVSS; $k$ is a preset weighting parameter, determined by whether an unofficial patch has been issued, and is a value greater than 1. For example, when an unofficial patch has been issued, $k$ may be chosen as 1.5; $k$ may also be determined by specific needs or actual conditions, or chosen from experience.
$T_v$ is the time the vulnerability information needs to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known, $T_v$ is determined from them (the expression is missing from this text), where $t_{v1}$ is the exposure time of the vulnerability information and $t_{v2}$ is the time of receipt of the vulnerability information.
$t_v$ is the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; $\alpha$ and $\beta$ are preset positive numbers satisfying $\alpha + \beta < 1$.
In the above embodiment, when an institution or organization issues an unofficial patch for an Internet vulnerability after it appears, the threat level of that vulnerability has increased. The vulnerability severity $D_v$ published by CVSS is therefore multiplied by a preset weighting parameter $k$ before the network threat level is determined. Quantitatively calculating the threat level of the specific vulnerability lets users judge how much the vulnerability affects them and select countermeasures.
For vulnerabilities appearing in the Internet environment, the method provided by this embodiment determines the threat level of the current vulnerability from the exposure time of the vulnerability information, the time of receipt and the vulnerability coefficient. This improves the accuracy with which the network threat level of the current vulnerability is judged and shows how the level changes over time with the vulnerability, so that the severity and changes of the network threat can be understood promptly and intuitively and countermeasures selected accurately. In addition, the information sources of the invention are mainly vulnerability lists published by authoritative bodies, vendor security bulletins and news reports on major security incidents; they are general and provide guidance for the Internet as a whole.
Optionally, the network threat information also comprises any one or more of the following: patch information, the release time of attack tools and the release time of attack events.
The patch information comprises the unofficial patch release time and the formal patch release time. The unofficial patch release time is the time at which a temporary patch or third-party patch was first released before the formal patch; the formal patch release time is the time at which the formal patch was first released. Patch information can be obtained through many channels, for example releases by authoritative security bodies or organizations, vendor announcements, releases by software or system companies or releases by research institutions; they are not enumerated here. A temporary patch is a program or code released by the producer of the vulnerable software or system as an emergency measure against the hazard, specifically to repair the current vulnerability for the time being. A third-party patch is a program or code for specifically repairing the current vulnerability that is released by a party other than the user and producer of the software or system. A formal patch is a program or code released by the producer of the vulnerable software or system that can generally repair the current vulnerability completely; it repairs the vulnerability effectively and can generally contain the harm the vulnerability causes.
The attack tool release time is the time at which the attack signature of each attack tool was first discovered, or the time at which a downloadable version of the attack tool first appeared on the network. The attack tool release time can be obtained through many channels, for example releases by authoritative security bodies or organizations, vendor announcements, releases by software or system companies, releases by research institutions, or Internet communities and forums; they are not enumerated here. An attack tool is program software made specifically for network attacks or system attacks.
The attack event release time is the earliest time at which a verifiable attack event began to occur. It can be obtained through many channels, for example bulletins from authoritative bodies, vendor announcements and news reports on major security incidents; they are not enumerated here. An attack event is an information security event in which configuration defects, protocol defects or program bugs of an information system are exploited, or a brute-force attack is used, through the network or other technical means, to attack the information system, causing the information system to behave abnormally or creating a potential hazard to its current operation.
Accordingly, the patch threat index $f_p(t)$ can be obtained from the patch information, and/or the attack tool threat index $f_t(t)$ can be obtained from the release time of the attack tools, and/or the attack event threat index $f_e(t)$ can be obtained from the release time of the attack events;
The network threat level is determined as the product of $f_v(t)$ and at least one of $f_p(t)$, $f_t(t)$ and $f_e(t)$.
The embodiments shown in Figs. 3 to 5, Figs. 7 and 8, and Figs. 10 and 11 below give feasible implementations for obtaining the patch threat index $f_p(t)$, the attack tool threat index $f_t(t)$ and the attack event threat index $f_e(t)$ respectively.
Fig. 3 is a flow chart of another embodiment of the method for determining network threat level provided by the invention. Building on the above embodiment, the method of this embodiment comprises the following steps:
S200: Acquire patch information.
The patch information comprises the unofficial patch release time and the formal patch release time. The unofficial patch release time is the time at which a temporary patch or third-party patch was first released before the formal patch; the formal patch release time is the time at which the formal patch was first released. Patch information can be obtained through many channels, for example releases by authoritative security bodies or organizations, vendor announcements, releases by software or system companies or releases by research institutions; they are not enumerated here.
S210: Obtain the patch threat index from the patch information.
In one embodiment, $t_{p0}$ denotes the first release time of the unofficial patch and $t_{p1}$ the first release time of the formal patch. Depending on how patches were released for the vulnerability: if an institution or organization first issued an unofficial patch and later a formal patch, and $t_{p1} - t_{p0} \le T_p$, where $T_p$ is the time period a patch needs from its appearance to produce its remediation effect and is a preset value, the patch threat index can be determined according to:

$$f_p(t) = \begin{cases} 1, & t \le t_{p0} \\ e^{-\frac{D_{p0} \times (t - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p0} < t < t_{p1} \\ e^{-\frac{D_{p1} \times (t - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p1} \le t < t_{p0} + T_p \\ e^{-1}, & t \ge t_{p0} + T_p \end{cases}$$

where $f_p(t)$ is the patch threat index; $t$ is the time; $D_{p0}$ is the remediation-effect parameter of the unofficial patch, preset to 0.5; $D_{p1}$ is the remediation-effect parameter of the formal patch, preset to 1.
In this scenario the resulting patch threat index curve is shown in Fig. 4, where the x-axis is the time $t$ and the y-axis is the patch threat index $f_p(t)$. It shows that, leaving other factors aside, after a temporary patch is released at time $t_{p0}$ some users choose to install it and the overall threat gradually declines; but because of the release channels and installation methods of temporary patches, they usually spread more slowly than a formal patch. After the formal patch is released at time $t_{p1}$, users install it widely and the overall threat declines faster. In practice, however, some users never install the patch for business or IT maintenance reasons, so a certain residual threat remains in the end.
In another embodiment, depending on how patches were released for the vulnerability: if only an unofficial patch was released, or both an unofficial and a formal patch were released but $t_{p1} - t_{p0} > T_p$, where $T_p$ is the time period a patch needs from its appearance to produce its remediation effect and is a preset value, then $t_p = t_{p0}$ and the remediation-effect parameter $D_p$ of the patch is 0.5; if only a formal patch was released, then $t_p = t_{p1}$ and the remediation-effect parameter $D_p$ of the patch is 1. The patch threat index can be determined according to:

$$f_p(t) = \begin{cases} 1, & t \le t_p \\ e^{-\frac{D_p \times (t - t_p)}{T_p}}, & t_p < t < t_p + T_p \\ e^{-1}, & t \ge t_p + T_p \end{cases}$$

where $f_p(t)$ is the patch threat index and $t$ is the time.
In this scenario the resulting patch threat index curve is shown in Fig. 5, where the x-axis is the time $t$ and the y-axis is the patch threat index $f_p(t)$. It shows that, leaving other factors aside, when only one patch is released, users install it widely from time $t_p$ onward and the overall threat keeps declining. In practice, however, some users never install the patch for business or IT maintenance reasons, so a certain residual threat still remains in the end.
S220: Determine the network threat level from the patch threat index.
In one embodiment, building on the above embodiment, $f(t)$ denotes the network threat level, which can be determined according to $f(t) = f_v(t) \times f_p(t)$.
In this scenario the resulting network threat level curve is shown in Fig. 6. It shows how the network threat level of the current vulnerability changes after the vulnerability is discovered and an institution, organization or vendor has provided a patch for it. After the vulnerability is discovered the threat keeps rising. After an institution, organization or vendor releases a patch, the deployment cycle means the threat still rises for a while through inertia until it reaches a natural inflection point and begins to decline. Once most users have installed the patch, the threat stays at a lower level, but a certain residual risk always remains.
In the above embodiment, for vulnerabilities on the Internet, the unofficial patch release time and the formal patch release time are obtained from authoritative bodies and the public network and the patch threat index is calculated from them. The network threat level and its change over time are then determined from two aspects, the vulnerability itself and the patch, so that users can judge how much the vulnerability affects them and select countermeasures accurately. The information sources are reliable and general, so the network threat level determined in this way provides guidance for the Internet as a whole.
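The combined level $f(t) = f_v(t) \times f_p(t)$ of this embodiment, computed numerically as an added example that is not code from the patent. Times are in days and every sample value is constructed; the function names, the `k=1.0` default and the no-patch return value of 1 are assumptions of this example.

```python
import math

E_INV = math.exp(-1)  # residual factor e^-1 that both indexes settle at


def estimate_discovery_time(t_v1, T_v, beta):
    """t_v = t_v1 - beta * T_v, the case where only the exposure time is known."""
    return t_v1 - beta * T_v


def vuln_index(t, t_v, T_v, D_v, k=1.0):
    """f_v(t); k > 1 is the weighting for an issued unofficial patch (text example: 1.5)."""
    if t <= t_v:
        return 0.0
    if t < t_v + T_v:
        return k * D_v * math.exp(-T_v / (t - t_v))
    return k * D_v * E_INV


def patch_index(t, T_p, t_p0=None, t_p1=None, D_p0=0.5, D_p1=1.0):
    """f_p(t), choosing the two-stage or the single-patch formula as the text does."""
    if t_p0 is None and t_p1 is None:
        return 1.0  # assumption: with no patch the level is f_v(t) alone
    if t_p0 is not None and t_p1 is not None:
        if t_p1 < t_p0:
            raise ValueError("formal patch before unofficial patch is not covered")
        if t_p1 - t_p0 <= T_p:  # two-stage case (Fig. 4)
            denom = D_p1 * (T_p + t_p0 - t_p1) + D_p0 * (t_p1 - t_p0)
            if t <= t_p0:
                return 1.0
            if t < t_p1:
                return math.exp(-D_p0 * (t - t_p0) / denom)
            if t < t_p0 + T_p:
                num = D_p1 * (t - t_p1) + D_p0 * (t_p1 - t_p0)
                return math.exp(-num / denom)
            return E_INV
    # Single-patch case (Fig. 5): unofficial only, or gap > T_p; otherwise formal only.
    t_p, D_p = (t_p0, D_p0) if t_p0 is not None else (t_p1, D_p1)
    if t <= t_p:
        return 1.0
    if t < t_p + T_p:
        return math.exp(-D_p * (t - t_p) / T_p)
    return E_INV


# Constructed sample: exposure on day 10, CVSS value 7.5, unofficial patch on
# day 14, formal patch on day 20. T_v, T_p and beta are illustrative presets.
SAMPLE = {"t_v1": 10, "T_v": 30, "beta": 0.2, "D_v": 7.5,
          "t_p0": 14, "t_p1": 20, "T_p": 40}


def threat_level(t, p):
    """f(t) = f_v(t) * f_p(t) for one vulnerability described by dict p."""
    t_v = estimate_discovery_time(p["t_v1"], p["T_v"], p["beta"])
    return (vuln_index(t, t_v, p["T_v"], p["D_v"])
            * patch_index(t, p["T_p"], p.get("t_p0"), p.get("t_p1")))


def peak_day(p, horizon=80):
    """Whole day in [0, horizon] on which f(t) is largest (the inflection point)."""
    return max(range(horizon + 1), key=lambda d: threat_level(d, p))


if __name__ == "__main__":
    for day in (3, 14, 20, peak_day(SAMPLE), 54, 80):
        print(f"day {day:2d}: f(t) = {threat_level(day, SAMPLE):.4f}")
```

With these inputs the level keeps rising for two weeks after the formal patch and peaks on day 34, which is $t_v + T_v$, then decays to the residual $D_v \times e^{-2}$.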
Fig. 7 is a flow chart of a further embodiment of the method for determining network threat level provided by the invention. Building on the above embodiment, the method of this embodiment comprises the following steps:
S300: Acquire the attack tool release time.
The attack tool release time is the time at which the attack signature of each attack tool was first discovered, or the time at which a downloadable version of the attack tool first appeared on the network. The attack tool release time can be obtained through many channels, for example releases by authoritative security bodies or organizations, vendor announcements, releases by software or system companies, releases by research institutions, or Internet communities and forums; they are not enumerated here.
S310: Determine the tool threat index from the attack tool release time.
There may be several attack tools for the same vulnerability. In one embodiment, $t_{tk}$ denotes the release time of the $k$-th attack tool.
$D_{tk}$ is the severity of the $k$-th attack tool and is a preset value. The severity of an attack tool is usually determined by two factors together: the ease of use of the attack tool (hard, medium, easy) and the destructiveness of the attack tool (high, medium, low). The preset severity values of attack tools are shown in Table 1.
Table 1
$T_t$ is the time period an attack tool needs to produce its damaging effect and is a preset value.
The threat index of an attack tool can be determined according to:

$$f_{tk}(t) = \begin{cases} 0, & t \le t_{tk} \\ D_{tk} \times e^{-\frac{16 \times \left(t - t_{tk} - \frac{T_t}{2}\right)^2}{T_t^2}}, & t_{tk} < t < t_{tk} + T_t \\ 0, & t \ge t_{tk} + T_t \end{cases}$$

The overall attack tool threat index for this vulnerability is then determined according to a formula that is missing from this text;
where $f_t(t)$ is the overall attack tool threat index for this vulnerability and $t$ is the time.
In this scenario the resulting tool threat index curve is shown in Fig. 8, where the x-axis is the time $t$ and the y-axis is the tool threat index $f_t(t)$. It shows that, leaving other factors aside, when several attack tools for the same vulnerability spread on the network, starting at least from time $t_{k1}$, the tools reach a wider and wider range and more and more users, and the overall threat they produce grows. Once their impact reaches a certain level, security vendors release corresponding detection or protection measures and the threat gradually declines.
S320: Determine the network threat level from the tool threat index.
In one embodiment, building on the above embodiment, $f(t)$ denotes the network threat level, which can be determined according to $f(t) = f_v(t) \times f_t(t)$. The network threat level determined in this embodiment is the level when, after the vulnerability appears, no patch and no attack event for the vulnerability has occurred and only attack tools for the vulnerability have appeared.
In another embodiment, building on the above embodiment, $f(t)$ denotes the network threat level, which can be determined according to $f(t) = f_v(t) \times f_p(t) \times f_t(t)$.
In this scenario the resulting network threat level curve is shown in Fig. 9. It shows how the network threat level changes when attack tools for the vulnerability appear. After the vulnerability is discovered the threat keeps rising. After an institution, organization or vendor releases a patch, the deployment cycle means the threat still rises for a while through inertia until it reaches a natural inflection point and begins to decline. When an attack tool then starts to spread and be used on the network while some users have not yet finished deploying the patch, the threat enters another rising period, until an institution, organization or vendor releases detection and prevention measures and the threat finally begins to decline and level off.
In the above embodiment, for vulnerabilities on the Internet, the patch threat index is determined from the release time of the attack tools for the vulnerability, and the network threat level and its change over time are then determined from three aspects: the vulnerability itself, the patch and the attack tools. Users can thus judge how much the vulnerability affects them and accurately select suitable countermeasures. The information sources are reliable and general, so the network threat level determined in this way provides guidance for the Internet as a whole.
Fig. 10 is a flow chart of a further embodiment of the method for determining network threat level provided by the invention. Building on the above embodiment, the method of this embodiment comprises the following steps:
S400: Acquire the attack event release time.
The attack event release time is the earliest time at which a verifiable attack event began to occur. It can be obtained through many channels, for example bulletins from authoritative bodies, vendor announcements and news reports on major security incidents; they are not enumerated here.
S410: Determine the event threat index from the attack event release time.
There may be several attack events for the same vulnerability. In one embodiment, $t_{ei}$ denotes the release time of the $i$-th attack event.
$D_{ei}$ is the severity of the $i$-th attack event and is a preset value. The severity of an attack event is determined by two factors together: the scope of the event's impact (large, medium, small) and the destructiveness of the event (high, medium, low). The preset severity values of attack events are shown in Table 2.
Table 2
$T_e$ is the time period an attack event needs to produce its damaging effect and is a preset value.
The threat index of the $i$-th attack event can be determined according to:

$$f_{ei}(t) = \begin{cases} 0, & t \le t_{ei} - \frac{T_e}{2} \\ D_{ei} \times e^{-\frac{16 \times (t - t_{ei})^2}{T_e^2}}, & t_{ei} - \frac{T_e}{2} < t < t_{ei} + \frac{T_e}{2} \\ 0, & t \ge t_{ei} + \frac{T_e}{2} \end{cases}$$

The overall attack event threat index is then determined according to a formula that is missing from this text;
where $t$ is the time.
In this scenario the resulting event threat index curve is shown in Fig. 11, where the x-axis is the time $t$ and the y-axis is the event threat index $f_e(t)$. It shows that, leaving other factors aside, when several attack events with significant impact occur against the same vulnerability, some previously unknown influences must have existed beforehand, for example dedicated attack tools, the attention of hacker groups or political opposition, and the threat has now reached a peak. This means the threat situation needs to be traced back over the preceding period, while the attention and response that the outbreak of the event itself draws will move the threat into a period of relative decline.
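The per-tool index $f_{tk}(t)$ of step S310 and the per-event index $f_{ei}(t)$ of step S410 evaluated side by side, as an added example that is not part of the patent. A tool's window opens at its release time, while an event's window is centered on $t_{ei}$ and so reaches back $T_e/2$ before the event, which is the trace-back described above. The severity and period values are constructed (Tables 1 and 2 are not reproduced on this page), and the function names are assumptions.

```python
import math


def tool_index(t, t_tk, T_t, D_tk):
    """f_tk(t): zero outside (t_tk, t_tk + T_t), bell-shaped inside, peak at t_tk + T_t/2."""
    if t <= t_tk or t >= t_tk + T_t:
        return 0.0
    return D_tk * math.exp(-16 * (t - t_tk - T_t / 2) ** 2 / T_t ** 2)


def event_index(t, t_ei, T_e, D_ei):
    """f_ei(t): zero outside (t_ei - T_e/2, t_ei + T_e/2), peak at t_ei itself."""
    if t <= t_ei - T_e / 2 or t >= t_ei + T_e / 2:
        return 0.0
    return D_ei * math.exp(-16 * (t - t_ei) ** 2 / T_e ** 2)


def profile(index_fn, issue_time, period, severity, horizon=100):
    """Return (first_active_day, peak_day, peak_value, last_active_day) over whole days."""
    values = [index_fn(d, issue_time, period, severity) for d in range(horizon + 1)]
    active = [d for d, v in enumerate(values) if v > 0]
    if not active:
        return None
    peak_day = max(active, key=lambda d: values[d])
    return active[0], peak_day, values[peak_day], active[-1]


def backfill_days(t_ei, T_e, first_day_with_data=0):
    """Whole days before t_ei whose stored index changes once the event is recorded."""
    start = max(first_day_with_data, math.floor(t_ei - T_e / 2) + 1)
    return list(range(start, t_ei))


# Constructed inputs: a tool released on day 30 and an event dated day 50,
# both with a 20-day period; severities 0.8 and 0.9 are placeholders.
TOOL = (30, 20, 0.8)
EVENT = (50, 20, 0.9)

if __name__ == "__main__":
    print("tool  (first, peak, value, last):", profile(tool_index, *TOOL))
    print("event (first, peak, value, last):", profile(event_index, *EVENT))
    print("days to recompute after recording the event:", backfill_days(50, 20))
```

Recording an event dated day 50 changes the index for days 41 to 49 as well, so a stored threat curve has to be recomputed for those days rather than only appended to.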
S420: Determine the network threat level from the event threat index.
As one embodiment, building on the embodiments above, let $f(t)$ denote the network threat level; it can then be determined as $f(t) = f_v(t) \times f_e(t)$. The network threat level determined in this embodiment is the level when, after the vulnerability has appeared, no patch and no attack tool for it has appeared and only attack events against it have occurred.
As one embodiment, building on the embodiments above, let $f(t)$ denote the network threat level; it can then be determined as $f(t) = f_v(t) \times f_e(t) \times f_p(t)$. The network threat level determined in this embodiment is the level when, after the vulnerability has appeared, no attack tool for it has appeared and only patch releases and attack events for it have occurred.
As one embodiment, building on the embodiments above, let $f(t)$ denote the network threat level; it can then be determined as $f(t) = f_v(t) \times f_e(t) \times f_t(t)$. The network threat level determined in this embodiment is the level when, after the vulnerability has appeared, no patch for it has appeared and only attack events and attack tools for it have occurred.
As one embodiment, building on the embodiments above, let $f(t)$ denote the network threat level; it can then be determined as $f(t) = f_v(t) \times f_p(t) \times f_t(t) \times f_e(t)$.
In this implementation scenario, the resulting network threat level curve is shown in Figure 12, which shows how the network threat level changes when attack events against the vulnerability occur. After the vulnerability is discovered the threat rises steadily. When an institution, organization or vendor releases a patch, the threat still rises for a while through inertia because of the deployment cycle, until it reaches a natural inflection point and starts to fall. When an attack tool begins to spread and be used on the network, some users have not yet finished deploying the patch, which causes a period of rising threat until an institution, organization or vendor releases detection and prevention measures, after which the threat finally starts to fall. When an event occurs in which hackers concentrate their attacks on certain websites, it shows that the preparation, intelligence gathering and personnel organization around attack tools for this vulnerability have already been under way for some time. After the attack event, the targets begin to strengthen their protection and institutions, organizations or vendors release new solutions and measures; these factors cause the threat to start falling from its peak.
In the above embodiments, for a vulnerability on the Internet, the event threat index is calculated from the release times of attack events against that vulnerability, and the network threat level and its change over time are then determined from four aspects: the vulnerability itself, patches, attack tools and attack events. This lets users judge how far the vulnerability affects them and choose suitable countermeasures accurately. The information sources are reliable and do not introduce deviations when attack methods change; the approach is also general and offers guidance for the Internet as a whole.
It should be noted that all times used in the calculations of the above embodiments are UNIX time, which is well known to those skilled in the art.
Figure 13 is a structural diagram of the device for determining the network threat level provided by the invention. As shown in Figure 13, the device comprises an acquisition module 10 and a processing module 11.
Acquisition module 10 is used to obtain network threat information, which comprises the disclosure time, the acquisition time and the vulnerability coefficient of the vulnerability information. The disclosure time is the time at which the vulnerability was first found in forum information or tool samples; the acquisition time is the time at which the vulnerability was included in Common Vulnerabilities and Exposures; the vulnerability coefficient represents the severity of the vulnerability information.
Processing module 11 is used to determine the network threat level from the network threat information according to
$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$
where $t$ denotes time; $D_v$ denotes the vulnerability coefficient; $t_{v1}$ denotes the disclosure time; $t_{v2}$ denotes the acquisition time; $T_v$ denotes the time the vulnerability information needs to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known,
$t_v$ denotes the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; $\alpha$ and $\beta$ are positive numbers satisfying $\alpha + \beta < 1$.
Optionally, the network threat information obtained by acquisition module 10 also comprises any one or more of the following: patch information, the attack tool release time and the attack event release time. The patch information comprises the unofficial patch release time and the formal patch release time. The unofficial patch release time is the time at which a temporary patch or third-party patch is first released before the formal patch is released; the formal patch release time is the time at which the formal patch is first released. The attack tool release time is the time at which the attack signature of each attack tool is first discovered, or the time at which a downloadable version of the attack tool first appears on the network. The attack event release time is the earliest time at which a verifiable attack event began to occur.
Optionally, processing module 11 may specifically be used to: obtain the patch threat index $f_p(t)$ from the patch information, and/or obtain the attack tool threat index $f_t(t)$ from the attack tool release time, and/or obtain the attack event threat index $f_e(t)$ from the attack event release time; and determine the network threat level as the product of $f_v(t)$ and at least one of $f_p(t)$, $f_t(t)$ and $f_e(t)$.
Optionally, processing module 11 may specifically be used to determine the network threat level according to
$$f_v(t) = \begin{cases} 0, & t \le t_v \\ k D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ k D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$
where $t$ denotes time; $D_v$ denotes the vulnerability coefficient; $k$ denotes a preset weighting parameter determined by the release of the unofficial patch; $T_v$ denotes the time the vulnerability information needs to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known,
$t_{v1}$ is the disclosure time of the vulnerability information and $t_{v2}$ is its acquisition time; $t_v$ denotes the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; $\alpha$ and $\beta$ are preset positive numbers satisfying $\alpha + \beta < 1$;
And/or, processing module 11 may specifically be used to determine the patch threat index according to
$$f_p(t) = \begin{cases} 1, & t \le t_{p0} \\ e^{-\frac{D_{p0} \times (t - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p0} < t < t_{p1} \\ e^{-\frac{D_{p1} \times (t - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p1} \le t < t_{p0} + T_p \\ e^{-1}, & t \ge t_{p0} + T_p \end{cases}$$
where $f_p(t)$ denotes the patch threat index; $t$ denotes time; $D_{p0}$ denotes the remediation-effect parameter of the unofficial patch, preset to 0.5; $D_{p1}$ denotes the remediation-effect parameter of the formal patch, preset to 1; $T_p$ denotes the time period a patch needs, from its appearance, to produce its remediation effect and is a preset value; $t_{p0}$ denotes the first release time of the unofficial patch; $t_{p1}$ denotes the first release time of the formal patch; and $t_{p1} - t_{p0} \le T_p$;
Or, processing module 11 may specifically be used to determine the patch threat index according to
$$f_p(t) = \begin{cases} 1, & t \le t_p \\ e^{-\frac{D_p \times (t - t_p)}{T_p}}, & t_p < t < t_p + T_p \\ e^{-1}, & t \ge t_p + T_p \end{cases}$$
where $f_p(t)$ denotes the patch threat index; $t$ denotes time; $T_p$ denotes the time period a patch needs, from its appearance, to produce its remediation effect and is a preset value; $D_p$ denotes the remediation-effect parameter of the patch. If only an unofficial patch has been released, or both an unofficial patch and a formal patch have been released but $t_{p1} - t_{p0} > T_p$, then $t_p = t_{p0}$ and $D_p = 0.5$; if only a formal patch has been released, then $t_p = t_{p1}$ and $D_p = 1$;
And/or processing module 11 specifically can be used for:
According to determine attack tool threat index;
where $f_t(t)$ denotes the overall attack tool threat index; $t$ denotes time; $f_{tk}(t)$ denotes the threat index of the $k$-th attack tool;
$$f_{tk}(t) = \begin{cases} 0, & t \le t_{tk} \\ D_{tk} \times e^{-\frac{16 \times \left(t - t_{tk} - \frac{T_t}{2}\right)^2}{T_t^2}}, & t_{tk} < t < t_{tk} + T_t \\ 0, & t \ge t_{tk} + T_t \end{cases}$$;
$t_{tk}$ denotes the release time of the $k$-th attack tool; $D_{tk}$ denotes the severity of the $k$-th attack tool and is a preset value; $T_t$ denotes the time period an attack tool needs to produce its damaging effect and is a preset value;
And/or processing module 11 specifically can be used for:
According to determine attack threat index;
where $f_e(t)$ denotes the overall attack event threat index; $t$ denotes time; $f_{ei}(t)$ denotes the threat index of the $i$-th attack event;
$$f_{ei}(t) = \begin{cases} 0, & t \le t_{ei} - \frac{T_e}{2} \\ D_{ei} \times e^{-\frac{16 \times (t - t_{ei})^2}{T_e^2}}, & t_{ei} - \frac{T_e}{2} < t < t_{ei} + \frac{T_e}{2} \\ 0, & t \ge t_{ei} + \frac{T_e}{2} \end{cases}$$;
$t_{ei}$ denotes the release time of the $i$-th attack event; $D_{ei}$ denotes the severity of the $i$-th attack event and is a preset value; $T_e$ denotes the time period an attack event needs to produce its damaging effect and is a preset value.
The device embodiment for determining the network threat level provided by the invention corresponds to the method embodiment for determining the network threat level provided by the invention and is the equipment that executes that method. For its specific structure and the operations performed by each part of the structure, refer to the method embodiment; they are not repeated here.
For vulnerabilities appearing anywhere in the Internet environment, the device for determining the network threat level provided by the invention quantitatively analyses and determines the network threat level of the current vulnerability from the disclosure time, acquisition time and vulnerability coefficient of the vulnerability information. This improves the accuracy of network threat level judgments and makes it possible to analyse how the vulnerability-based network threat level changes over time, so that the severity and evolution of a network threat can be understood promptly and intuitively and corresponding security measures taken.
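The vulnerability index $f_v(t)$, the patch index $f_p(t)$ with its rule for choosing between the two-stage and single-stage forms, and their product $f(t) = f_v(t) \times f_p(t)$ can be computed as follows. This is an added example, not code from the patent; the timestamps and preset values ($D_v = 8$, $T_v$ = 30 days, $T_p$ = 40 days, $\beta = 0.2$) are constructed, only the case where $t_{v1}$ is known is covered, and $f_t$ and $f_e$ are left out.

```python
import math

DAY = 86400   # the page computes every time as UNIX time (seconds)
D_P0 = 0.5    # remediation-effect preset for an unofficial patch
D_P1 = 1.0    # remediation-effect preset for a formal patch


def estimate_discovery_time(t_v1, beta, T_v):
    """t_v = t_v1 - beta * T_v (case where the disclosure time is known)."""
    if not 0 < beta < 1:
        raise ValueError("beta must be a positive number below 1")
    return t_v1 - beta * T_v


def f_v(t, t_v, T_v, D_v, k=1.0):
    """Vulnerability index: 0 until t_v, rising to k * D_v / e at t_v + T_v."""
    if t <= t_v:
        return 0.0
    if t < t_v + T_v:
        return k * D_v * math.exp(-T_v / (t - t_v))
    return k * D_v * math.exp(-1.0)


def _two_stage(t, T_p, t_p0, t_p1):
    """Unofficial patch followed by a formal patch within T_p."""
    denom = D_P1 * (T_p + t_p0 - t_p1) + D_P0 * (t_p1 - t_p0)
    if t <= t_p0:
        return 1.0
    if t < t_p1:
        return math.exp(-D_P0 * (t - t_p0) / denom)
    if t < t_p0 + T_p:
        return math.exp(-(D_P1 * (t - t_p1) + D_P0 * (t_p1 - t_p0)) / denom)
    return math.exp(-1.0)


def f_p(t, T_p, t_p0=None, t_p1=None):
    """Patch index. t_p0 / t_p1 are the first unofficial / formal patch
    release times; None means that kind of patch has not been released."""
    if T_p <= 0:
        raise ValueError("T_p must be positive")
    if t_p0 is None and t_p1 is None:
        # Assumption of this example: with no patch the factor is neutral,
        # which is the same as leaving f_p out of the product.
        return 1.0
    if t_p0 is not None and t_p1 is not None:
        if t_p1 < t_p0:
            raise ValueError("formal patch predates the unofficial patch")
        if t_p1 - t_p0 <= T_p:
            return _two_stage(t, T_p, t_p0, t_p1)
    # Single-stage form: unofficial only, or both with a gap above T_p,
    # uses (t_p0, 0.5); formal only uses (t_p1, 1).
    t_p, D_p = (t_p0, D_P0) if t_p0 is not None else (t_p1, D_P1)
    if t <= t_p:
        return 1.0
    if t < t_p + T_p:
        return math.exp(-D_p * (t - t_p) / T_p)
    return math.exp(-1.0)


def threat_level(t, t_v, T_v, D_v, T_p, t_p0=None, t_p1=None, k=1.0):
    """f(t) = f_v(t) * f_p(t)."""
    return f_v(t, t_v, T_v, D_v, k) * f_p(t, T_p, t_p0, t_p1)


def daily_timeline(t0, days, **params):
    """Threat level sampled once a day, as (day offset, level) pairs."""
    return [(d, threat_level(t0 + d * DAY, **params)) for d in range(days + 1)]


def peak_day(timeline):
    return max(timeline, key=lambda point: point[1])[0]


# Constructed sample: disclosure at T0, unofficial patch on day 4,
# formal patch on day 14.
T0 = 1_700_000_000
SAMPLE = dict(
    t_v=estimate_discovery_time(T0, 0.2, 30 * DAY),
    T_v=30 * DAY, D_v=8.0, T_p=40 * DAY,
    t_p0=T0 + 4 * DAY, t_p1=T0 + 14 * DAY,
)

if __name__ == "__main__":
    timeline = daily_timeline(T0, 60, **SAMPLE)
    for day, level in timeline[::6]:
        print(f"day {day:2d}  f(t) = {level:.3f}")
    print("peak on day", peak_day(timeline))
```

With these values the level keeps rising for ten days after the formal patch and peaks on day 24, the inertia and inflection point the description attributes to the patch deployment cycle.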
One of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments above can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium. When executed, the program performs the steps of the method embodiments above; the storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the invention.

Claims (9)

1. A method for determining a network threat level, characterized in that it comprises:
obtaining network threat information, the network threat information comprising the disclosure time, the acquisition time and the vulnerability coefficient of vulnerability information, wherein the disclosure time is the time at which the vulnerability was first found in forum information or tool samples, the acquisition time is the time at which the vulnerability was included in Common Vulnerabilities and Exposures, and the vulnerability coefficient represents the severity of the vulnerability information;
determining the network threat level from the network threat information according to
$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$
where $t$ denotes time; $D_v$ denotes the vulnerability coefficient; $t_{v1}$ denotes the disclosure time; $t_{v2}$ denotes the acquisition time; $T_v$ denotes the time the vulnerability information needs to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known,
$t_v$ denotes the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; $\alpha$ and $\beta$ are positive numbers satisfying $\alpha + \beta < 1$.
2. The method according to claim 1, characterized in that the network threat information also comprises any one or more of the following: patch information, the attack tool release time and the attack event release time; wherein the patch information comprises the unofficial patch release time and the formal patch release time; the unofficial patch release time is the time at which a temporary patch or third-party patch is first released before the formal patch is released; the formal patch release time is the time at which the formal patch is first released; the attack tool release time is the time at which the attack signature of each attack tool is first discovered, or the time at which a downloadable version of the attack tool first appears on the network; and the attack event release time is the earliest time at which a verifiable attack event began to occur.
3. The method according to claim 2, characterized in that it comprises:
determining the network threat level from the network threat information according to
$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$
where $t$ denotes time; $D_v$ denotes the vulnerability coefficient; $k$ denotes a preset weighting parameter that is determined by the release of the unofficial patch and is a value greater than 1; $T_v$ denotes the time the vulnerability information needs to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known,
$t_{v1}$ is the disclosure time of the vulnerability information and $t_{v2}$ is its acquisition time; $t_v$ denotes the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; $\alpha$ and $\beta$ are preset positive numbers satisfying $\alpha + \beta < 1$.
4. The method according to claim 2 or 3, characterized in that it comprises:
obtaining the patch threat index $f_p(t)$ from the patch information, and/or obtaining the attack tool threat index $f_t(t)$ from the attack tool release time, and/or obtaining the attack event threat index $f_e(t)$ from the attack event release time;
determining the network threat level as the product of $f_v(t)$ and at least one of $f_p(t)$, $f_t(t)$ and $f_e(t)$.
5. The method according to claim 4, characterized in that the patch threat index is determined according to
$$f_p(t) = \begin{cases} 1, & t \le t_{p0} \\ e^{-\frac{D_{p0} \times (t - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p0} < t < t_{p1} \\ e^{-\frac{D_{p1} \times (t - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p1} \le t < t_{p0} + T_p \\ e^{-1}, & t \ge t_{p0} + T_p \end{cases}$$
where $f_p(t)$ denotes the patch threat index; $t$ denotes time; $D_{p0}$ denotes the remediation-effect parameter of the unofficial patch, preset to 0.5; $D_{p1}$ denotes the remediation-effect parameter of the formal patch, preset to 1; $T_p$ denotes the time period a patch needs, from its appearance, to produce its remediation effect and is a preset value; $t_{p0}$ denotes the first release time of the unofficial patch; $t_{p1}$ denotes the first release time of the formal patch; and $t_{p1} - t_{p0} \le T_p$;
or, the patch threat index is determined according to
$$f_p(t) = \begin{cases} 1, & t \le t_p \\ e^{-\frac{D_p \times (t - t_p)}{T_p}}, & t_p < t < t_p + T_p \\ e^{-1}, & t \ge t_p + T_p \end{cases}$$
where $f_p(t)$ denotes the patch threat index; $t$ denotes time; $T_p$ denotes the time period a patch needs, from its appearance, to produce its remediation effect and is a preset value; $D_p$ denotes the remediation-effect parameter of the patch. If only an unofficial patch has been released, or both an unofficial patch and a formal patch have been released but $t_{p1} - t_{p0} > T_p$, then $t_p = t_{p0}$ and $D_p = 0.5$; if only a formal patch has been released, then $t_p = t_{p1}$ and $D_p = 1$;
And/or,
Described attack tool threat index basis determine;
where $f_t(t)$ denotes the overall attack tool threat index; $t$ denotes time; $f_{tk}(t)$ denotes the threat index of the $k$-th attack tool;
$$f_{tk}(t) = \begin{cases} 0, & t < t_{tk} \\ D_{tk} \times e^{-\frac{16 \times (t - t_{tk})^2}{T_t^2}}, & t_{tk} < t < t_{tk} + T_t \\ 0, & t \ge t_{tk} + T_t \end{cases}$$;
$t_{tk}$ denotes the release time of the $k$-th attack tool; $D_{tk}$ denotes the severity of the $k$-th attack tool and is a preset value; $T_t$ denotes the time period an attack tool needs to produce its damaging effect and is a preset value;
And/or,
Described attack threat index basis determine;
where $f_e(t)$ denotes the overall attack event threat index; $t$ denotes time; $f_{ei}(t)$ denotes the threat index of the $i$-th attack event;
$$f_{ei}(t) = \begin{cases} 0, & t \le t_{ei} - \frac{T_e}{2} \\ D_{ei} \times e^{-\frac{16 \times (t - t_{ei})^2}{T_e^2}}, & t_{ei} - \frac{T_e}{2} < t < t_{ei} + \frac{T_e}{2} \\ 0, & t \ge t_{ei} + \frac{T_e}{2} \end{cases}$$;
$t_{ei}$ denotes the release time of the $i$-th attack event; $D_{ei}$ denotes the severity of the $i$-th attack event and is a preset value; $T_e$ denotes the time period an attack event needs to produce its damaging effect and is a preset value.
6. A device for determining a network threat level, characterized in that it comprises:
an acquisition module, used to obtain network threat information, the network threat information comprising the disclosure time, the acquisition time and the vulnerability coefficient of vulnerability information, wherein the disclosure time is the time at which the vulnerability was first found in forum information or tool samples, the acquisition time is the time at which the vulnerability was included in Common Vulnerabilities and Exposures, and the vulnerability coefficient represents the severity of the vulnerability information;
a processing module, used to determine the network threat level from the network threat information according to
$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$
where $t$ denotes time; $D_v$ denotes the vulnerability coefficient; $t_{v1}$ denotes the disclosure time; $t_{v2}$ denotes the acquisition time; $T_v$ denotes the time the vulnerability information needs to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known,
$t_v$ denotes the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; $\alpha$ and $\beta$ are positive numbers satisfying $\alpha + \beta < 1$.
7. The device according to claim 6, characterized in that the network threat information obtained by the acquisition module also comprises any one or more of the following: patch information, the attack tool release time and the attack event release time; wherein the patch information comprises the unofficial patch release time and the formal patch release time; the unofficial patch release time is the time at which a temporary patch or third-party patch is first released before the formal patch is released; the formal patch release time is the time at which the formal patch is first released; the attack tool release time is the time at which the attack signature of each attack tool is first discovered, or the time at which a downloadable version of the attack tool first appears on the network; and the attack event release time is the earliest time at which a verifiable attack event began to occur.
8. The device according to claim 7, characterized in that the processing module is specifically used to: obtain the patch threat index $f_p(t)$ from the patch information, and/or obtain the attack tool threat index $f_t(t)$ from the attack tool release time, and/or obtain the attack event threat index $f_e(t)$ from the attack event release time; and determine the network threat level as the product of $f_v(t)$ and at least one of $f_p(t)$, $f_t(t)$ and $f_e(t)$.
9. The device according to claim 8, characterized in that the processing module is specifically used to determine the network threat level according to
$$f_v(t) = \begin{cases} 0, & t \le t_v \\ D_v \times e^{-\frac{T_v}{t - t_v}}, & t_v < t < t_v + T_v \\ D_v \times e^{-1}, & t \ge t_v + T_v \end{cases}$$
where $t$ denotes time; $D_v$ denotes the vulnerability coefficient; $k$ denotes a preset weighting parameter that is determined by the release of the unofficial patch and is a value greater than 1; $T_v$ denotes the time the vulnerability information needs to spread: if only one of $t_{v1}$ and $t_{v2}$ is known, $T_v$ is a preset value; if both $t_{v1}$ and $t_{v2}$ are known,
$t_{v1}$ is the disclosure time of the vulnerability information and $t_{v2}$ is its acquisition time; $t_v$ denotes the estimated discovery time of the vulnerability: if $t_{v1}$ is known, $t_v = t_{v1} - \beta \times T_v$; if $t_{v2}$ is known, $t_v = t_{v2} - (\alpha - \beta) \times T_v$; $\alpha$ and $\beta$ are preset positive numbers satisfying $\alpha + \beta < 1$;
and/or, the processing module is specifically used to determine the patch threat index according to
$$f_p(t) = \begin{cases} 1, & t \le t_{p0} \\ e^{-\frac{D_{p0} \times (t - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p0} < t < t_{p1} \\ e^{-\frac{D_{p1} \times (t - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}{D_{p1} \times (T_p + t_{p0} - t_{p1}) + D_{p0} \times (t_{p1} - t_{p0})}}, & t_{p1} \le t < t_{p0} + T_p \\ e^{-1}, & t \ge t_{p0} + T_p \end{cases}$$
where $f_p(t)$ denotes the patch threat index; $t$ denotes time; $D_{p0}$ denotes the remediation-effect parameter of the unofficial patch, preset to 0.5; $D_{p1}$ denotes the remediation-effect parameter of the formal patch, preset to 1; $T_p$ denotes the time period a patch needs, from its appearance, to produce its remediation effect and is a preset value; $t_{p0}$ denotes the first release time of the unofficial patch; $t_{p1}$ denotes the first release time of the formal patch; and $t_{p1} - t_{p0} \le T_p$;
or, the processing module is specifically used to determine the patch threat index according to
$$f_p(t) = \begin{cases} 1, & t \le t_p \\ e^{-\frac{D_p \times (t - t_p)}{T_p}}, & t_p < t < t_p + T_p \\ e^{-1}, & t \ge t_p + T_p \end{cases}$$
where $f_p(t)$ denotes the patch threat index; $t$ denotes time; $T_p$ denotes the time period a patch needs, from its appearance, to produce its remediation effect and is a preset value; $D_p$ denotes the remediation-effect parameter of the patch. If only an unofficial patch has been released, or both an unofficial patch and a formal patch have been released but $t_{p1} - t_{p0} > T_p$, then $t_p = t_{p0}$ and $D_p = 0.5$; if only a formal patch has been released, then $t_p = t_{p1}$ and $D_p = 1$;
And/or, processing module specifically for:
According to determine described attack tool threat index;
where $f_t(t)$ denotes the overall attack tool threat index; $t$ denotes time; $f_{tk}(t)$ denotes the threat index of the $k$-th attack tool;
$$f_{tk}(t) = \begin{cases} 0, & t < t_{tk} \\ D_{tk} \times e^{-\frac{16 \times (t - t_{tk})^2}{T_t^2}}, & t_{tk} < t < t_{tk} + T_t \\ 0, & t \ge t_{tk} + T_t \end{cases}$$;
$t_{tk}$ denotes the release time of the $k$-th attack tool; $D_{tk}$ denotes the severity of the $k$-th attack tool and is a preset value; $T_t$ denotes the time period an attack tool needs to produce its damaging effect and is a preset value;
And/or, processing module specifically for:
According to determine described attack threat index;
where $f_e(t)$ denotes the overall attack event threat index; $t$ denotes time; $f_{ei}(t)$ denotes the threat index of the $i$-th attack event;
$$f_{ei}(t) = \begin{cases} 0, & t \le t_{ei} - \frac{T_e}{2} \\ D_{ei} \times e^{-\frac{16 \times (t - t_{ei})^2}{T_e^2}}, & t_{ei} - \frac{T_e}{2} < t < t_{ei} + \frac{T_e}{2} \\ 0, & t \ge t_{ei} + \frac{T_e}{2} \end{cases}$$;
$t_{ei}$ denotes the release time of the $i$-th attack event; $D_{ei}$ denotes the severity of the $i$-th attack event and is a preset value; $T_e$ denotes the time period an attack event needs to produce its damaging effect and is a preset value.
CN201210167091.9A 2012-05-25 2012-05-25 Method and device for determining network threat level Active CN102739649B (en)

Publications (2)

Publication Number Publication Date
CN102739649A CN102739649A (en) 2012-10-17
CN102739649B true CN102739649B (en) 2014-11-26

Family

ID=46994434

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210167091.9A Active CN102739649B (en) 2012-05-25 2012-05-25 Method and device for determining network threat level

Country Status (1)

Country Link
CN (1) CN102739649B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 3rd floor, Yitai building, 4 Beiwa Road, Haidian District, Beijing

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Address before: 100089 3rd floor, Yitai building, 4 Beiwa Road, Haidian District, Beijing

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.