CN105227529B - Method, apparatus and system for network threat assessment - Google Patents
- Publication number: CN105227529B (CN201410301325.3A)
- Authority: CN (China)
- Prior art keywords: cyberthreat, network, event, new, equipment
- Legal status: Active
Abstract
The invention discloses a method for network threat assessment, including: monitoring the network threat events that are threatening a pre-divided network and the importance levels of the network devices in the pre-divided network; when at least one of the state of those network threat events and the importance level of a network device is detected to have changed, performing a threat assessment on the network threat events that are threatening the pre-divided network to obtain a threat parameter of the pre-divided network, where the threat parameter describes the degree of urgency with which the pre-divided network is currently threatened by those network threat events; and displaying the threat parameter of the pre-divided network. The method for network threat assessment provided by the embodiments of the present invention can reflect the current network threat situation dynamically and in real time.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method, apparatus and system for network threat assessment.
Background
With the development of network technology and the spread of hacker attack techniques, networks face ever greater threats. Although network devices are generally deployed with security protection facilities such as firewalls and intrusion detection systems, some network threat events still evade those facilities and threaten the network. Users cannot discover such events in time and therefore cannot handle them in time, which leaves the user's network highly threatened and creates a serious security risk. A network threat event is an event that affects network security; for example, denial of service, worm outbreaks, server penetration and brute-force cracking are all network threat events.
In the prior art, a risk assessment system scans the protective devices in the network on a schedule, produces a risk assessment result from the scan result, and presents that result to the user. This approach cannot reflect the network's current threat situation dynamically and in real time.
Summary of the invention
To solve the prior-art problem that the current threat situation of a network cannot be reflected dynamically and in real time, embodiments of the present invention provide a method for network threat assessment that can reflect the current network threat situation dynamically and in real time. Embodiments of the present invention also provide a corresponding apparatus and system.
An embodiment of the present invention provides a method for network threat assessment, including:
monitoring the network threat events that are threatening a pre-divided network and the importance levels of the network devices in the pre-divided network;
when at least one of the state of the network threat events that are threatening the pre-divided network and the importance level of a network device is detected to have changed, performing a threat assessment on the network threat events that are threatening the pre-divided network to obtain a threat parameter of the pre-divided network, where the threat parameter describes the degree of urgency with which the pre-divided network is currently threatened by those network threat events;
displaying the threat parameter of the pre-divided network.
With reference to the first aspect, in a first possible implementation, performing the threat assessment on the network threat events that are threatening the pre-divided network when at least one of the state of those events and the importance level of the network device is detected to have changed, to obtain the threat parameter of the pre-divided network, includes:
when a new network threat event is detected among the network threat events that are threatening the pre-divided network, parsing the destination address and the source address carried in the new network threat event;
when the destination address has a corresponding destination network device, establishing a correspondence between the new network threat event and the destination network device corresponding to the destination address;
when the destination address has no corresponding destination network device but has a corresponding destination network device region, establishing a correspondence between the new network threat event and the destination network device region to which the destination address belongs;
when the destination address has no corresponding destination network device region but the source address has a corresponding source network device, establishing a correspondence between the new network threat event and the source network device corresponding to the source address;
when the source address has no corresponding source network device but has a corresponding source network device region, establishing a correspondence between the new network threat event and the source network device region to which the source address belongs;
when the source address has no corresponding source network device region, establishing a correspondence between the new network threat event and a pre-specified region;
performing the threat assessment on the network threat events that are threatening the pre-divided network according to the new network threat event and the importance level of the network device or network device region that has a correspondence with it, to obtain the threat parameter of the pre-divided network.
With reference to the first possible implementation of the first aspect, in a second possible implementation, when parsing the destination address and the source address carried in the new network threat event, the method further includes:
parsing the event level of the new network threat event.
Performing the threat assessment on the network threat events that are threatening the pre-divided network according to the new network threat event and the importance level of the network device or network device region that has a correspondence with it, to obtain the threat parameter of the pre-divided network, includes:
taking the square root of the product of the importance level of the network device or network device region corresponding to the new network threat event, the event level of the new network threat event and the processing state of the new network threat event, and rounding the result to an integer, to obtain the event threat level (ETL) of the new network threat event;
calculating the device threat level (ATL) of the network device according to the ETL of the new network threat event and the ETLs of the threat events other than the new network threat event, where the device threat level is the maximum ETL among the network threat events corresponding to the network device;
calculating the network threat level of the pre-divided network according to the ATL of the network device.
Displaying the threat parameter of the pre-divided network includes:
displaying the network threat level of the pre-divided network.
With reference to the second possible implementation of the first aspect, in a third possible implementation, after calculating the device threat level (ATL) of the network device, the method further includes:
calculating the device threat degree of the network device according to the ATL of the network device and a first preset formula.
After calculating the network threat level of the pre-divided network, the method further includes:
calculating the network threat degree of the pre-divided network according to the network threat level, the device threat level, the device threat degree and a second preset formula.
When displaying the network threat level of the pre-divided network, the method further includes:
displaying the network threat degree of the pre-divided network.
With reference to the third possible implementation of the first aspect, in a fourth possible implementation, when the pre-divided network is a multi-level pre-divided network, calculating the network threat level of the pre-divided network according to the ATL of the network device includes:
calculating the network threat level of each level of the multi-level network separately, according to the ATL of the network device.
Calculating the network threat degree of the pre-divided network according to the network threat level, the device threat level, the device threat degree and the second preset formula includes:
calculating the network threat degree of each level according to the network threat level of that level, the device threat level, the device threat degree and the second formula preset for that level.
Displaying the threat parameter of the pre-divided network includes:
displaying the network threat level and the network threat degree of each level of the multi-level network.
A second aspect of the present invention provides an apparatus for network threat assessment, including:
a monitoring unit, configured to monitor the network threat events that are threatening a pre-divided network and the importance levels of the network devices in the pre-divided network;
an assessment unit, configured to, when the monitoring unit detects that at least one of the state of the network threat events that are threatening the pre-divided network and the importance level of a network device has changed, perform a threat assessment on the network threat events that are threatening the pre-divided network to obtain a threat parameter of the pre-divided network, where the threat parameter describes the degree of urgency with which the pre-divided network is currently threatened by those network threat events;
a display unit, configured to display the threat parameter of the pre-divided network obtained by the assessment unit.
With reference to the second aspect, in a first possible implementation, the assessment unit includes:
a parsing subunit, configured to, when the monitoring unit detects a new network threat event among the network threat events that are threatening the pre-divided network, parse the destination address and the source address carried in the new network threat event;
a correspondence establishing subunit, configured to, when the destination address parsed by the parsing subunit has a corresponding destination network device, establish a correspondence between the new network threat event and the destination network device corresponding to the destination address;
the correspondence establishing subunit being further configured to, when the destination address parsed by the parsing subunit has no corresponding destination network device but has a corresponding destination network device region, establish a correspondence between the new network threat event and the destination network device region to which the destination address belongs;
the correspondence establishing subunit being further configured to, when the destination address parsed by the parsing subunit has no corresponding destination network device region but the source address parsed by the parsing subunit has a corresponding source network device, establish a correspondence between the new network threat event and the source network device corresponding to the source address;
the correspondence establishing subunit being further configured to, when the source address parsed by the parsing subunit has no corresponding source network device but has a corresponding source network device region, establish a correspondence between the new network threat event and the source network device region to which the source address belongs;
the correspondence establishing subunit being further configured to, when the source address parsed by the parsing subunit has no corresponding source network device region, establish a correspondence between the new network threat event and a pre-specified region;
an assessment subunit, configured to perform the threat assessment on the network threat events that are threatening the pre-divided network according to the new network threat event and the importance level of the network device or network device region with which the correspondence establishing subunit has established a correspondence, to obtain the threat parameter of the pre-divided network.
With reference to the first possible implementation of the second aspect, in a second possible implementation:
the parsing subunit is further configured to parse the event level of the new network threat event when parsing the destination address and the source address carried in the new network threat event;
the assessment subunit includes:
a first calculation subunit, configured to take the square root of the product of the importance level of the network device or network device region corresponding to the new network threat event as established by the correspondence establishing subunit, the event level of the new network threat event parsed by the parsing subunit and the processing state of the new network threat event, and round the result to an integer, to obtain the event threat level (ETL) of the new network threat event;
a second calculation subunit, configured to calculate the device threat level (ATL) of the network device according to the ETL of the new network threat event calculated by the first calculation subunit and the ETLs of the threat events other than the new network threat event, where the device threat level is the maximum ETL among the network threat events corresponding to the network device;
a third calculation subunit, configured to calculate the network threat level of the pre-divided network according to the ATL of the network device calculated by the second calculation subunit;
the display unit is configured to display the network threat level of the pre-divided network calculated by the third calculation subunit.
With reference to the second possible implementation of the second aspect, in a third possible implementation:
the second calculation subunit is further configured to, after calculating the device threat level (ATL) of the network device, calculate the device threat degree of the network device according to the ATL of the network device and a first preset formula;
the third calculation subunit is further configured to, after calculating the network threat level of the pre-divided network, calculate the network threat degree of the pre-divided network according to the network threat level, the device threat level, the device threat degree and a second preset formula;
the display unit is further configured to display the network threat degree of the pre-divided network when displaying the network threat level of the pre-divided network.
With reference to the third possible implementation of the second aspect, in a fourth possible implementation, when the pre-divided network is a multi-level pre-divided network:
the third calculation subunit is configured to calculate the network threat level of each level of the multi-level network separately according to the ATL of the network device, and to calculate the network threat degree of each level according to the network threat level of that level, the device threat level, the device threat degree and the second formula preset for that level;
the display unit is configured to display the network threat level and the network threat degree of each level of the multi-level network calculated by the third calculation subunit.
A third aspect of the present invention provides a system for network threat assessment, including a network device and an apparatus for network threat assessment, where the network device is communicatively connected to the apparatus for network threat assessment, and the apparatus is any one of the apparatuses provided in the second aspect above.
Embodiments of the present invention monitor the network threat events that are threatening a pre-divided network and the importance levels of the network devices in the pre-divided network; when at least one of the state of those network threat events and the importance level of a network device is detected to have changed, perform a threat assessment on the network threat events that are threatening the pre-divided network to obtain a threat parameter of the pre-divided network, where the threat parameter describes the degree of urgency with which the pre-divided network is currently threatened by those network threat events; and display the threat parameter of the pre-divided network. Compared with the prior art, which cannot reflect the network's current threat situation dynamically and in real time, the method for network threat assessment provided by the embodiments of the present invention assesses and displays the network threat whenever the state of a network threat event that is threatening the pre-divided network or the importance level of a network device changes, and can therefore reflect the current network threat situation dynamically and in real time.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of an embodiment of the method for network threat assessment in the embodiments of the present invention;
Fig. 2 is a schematic diagram of another embodiment of the method for network threat assessment in the embodiments of the present invention;
Fig. 3 is a schematic diagram of another embodiment of the method for network threat assessment in the embodiments of the present invention;
Fig. 4 is a schematic diagram of an embodiment of the apparatus for network threat assessment in the embodiments of the present invention;
Fig. 5 is a schematic diagram of another embodiment of the apparatus for network threat assessment in the embodiments of the present invention;
Fig. 6 is a schematic diagram of another embodiment of the apparatus for network threat assessment in the embodiments of the present invention;
Fig. 7 is a schematic diagram of another embodiment of the apparatus for network threat assessment in the embodiments of the present invention;
Fig. 8 is a schematic diagram of an embodiment of the system for network threat assessment in the embodiments of the present invention.
Detailed description
Embodiments of the present invention provide a method for network threat assessment that can reflect the current network threat situation dynamically and in real time. Embodiments of the present invention also provide a corresponding apparatus and system. Each is described in detail below.
To help those skilled in the art better understand the solutions of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, an embodiment of the method for network threat assessment provided by the embodiments of the present invention includes:
101. Monitor the network threat events that are threatening a pre-divided network and the importance levels of the network devices in the pre-divided network.
For example, denial of service, worm outbreaks, server penetration and brute-force cracking are all network threat events.
The pre-divided network may contain only one network device or multiple network devices. When there are multiple network devices, the pre-divided network may be hierarchical. For example, the network of a large or medium-sized enterprise may have multiple levels: from individual network devices to network device groups, then to network device regions, and then to the enterprise's entire network.
The pre-divided network has one or more network devices, and their importance levels differ. The importance level of a network device can be configured by administrators according to actual use. When an administrator raises or lowers the importance level of a network device, the result of the network threat assessment is affected, so the threat situation of the pre-divided network is reassessed whenever the importance level of a network device changes.
102. When at least one of the state of the network threat events that are threatening the pre-divided network and the importance level of a network device is detected to have changed, perform a threat assessment on the network threat events that are threatening the pre-divided network to obtain a threat parameter of the pre-divided network, where the threat parameter describes the degree of urgency with which the pre-divided network is currently threatened by those network threat events.
A change in the state of the network threat events that are threatening the pre-divided network means that a new network threat event is detected to have been added, or that a previously obtained network threat event that had not yet been eliminated is detected to have been eliminated.
Before the addition of a new network threat event is detected, the new network threat event may first be obtained. It may be obtained by receiving it from the network device, or by actively fetching it from the network device.
When the pre-divided network has multiple levels, each level has its own network threat parameter.
103. Display the threat parameter of the pre-divided network.
Embodiments of the present invention monitor the network threat events that are threatening a pre-divided network and the importance levels of the network devices in the pre-divided network; when at least one of the state of those network threat events and the importance level of a network device is detected to have changed, perform a threat assessment on the network threat events that are threatening the pre-divided network to obtain a threat parameter of the pre-divided network, where the threat parameter describes the degree of urgency with which the pre-divided network is currently threatened by those network threat events; and display the threat parameter of the pre-divided network. Compared with vulnerability scanning in the prior art, which cannot reflect the network's current threat situation dynamically and in real time, the method for network threat assessment provided by the embodiments of the present invention assesses and displays the network threat whenever the state of a network threat event that is threatening the pre-divided network or the importance level of a network device changes, and can therefore reflect the current network threat situation dynamically and in real time.
Optionally, on the basis of the embodiment corresponding to Fig. 1 above, in a first optional embodiment of the method for network threat assessment provided by the embodiments of the present invention, performing the threat assessment on the network threat events that are threatening the pre-divided network when at least one of the state of those events and the importance level of the network device is detected to have changed, to obtain the threat parameter of the pre-divided network, includes:
when a new network threat event is detected among the network threat events that are threatening the pre-divided network, parsing the destination address and the source address carried in the new network threat event;
when the destination address has a corresponding destination network device, establishing a correspondence between the new network threat event and the destination network device corresponding to the destination address;
when the destination address has no corresponding destination network device but has a corresponding destination network device region, establishing a correspondence between the new network threat event and the destination network device region to which the destination address belongs;
when the destination address has no corresponding destination network device region but the source address has a corresponding source network device, establishing a correspondence between the new network threat event and the source network device corresponding to the source address;
when the source address has no corresponding source network device but has a corresponding source network device region, establishing a correspondence between the new network threat event and the source network device region to which the source address belongs;
when the source address has no corresponding source network device region, establishing a correspondence between the new network threat event and a pre-specified region;
performing the threat assessment on the network threat events that are threatening the pre-divided network according to the new network threat event and the importance level of the network device or network device region that has a correspondence with it, to obtain the threat parameter of the pre-divided network.
The process of this embodiment can be understood with reference to Fig. 2, which comprises the following steps:
S200. Parse the destination address and the source address carried in the new network threat event.
S205. Check whether the destination address has a corresponding destination network device; if yes, execute step S210; if no, execute step S215.
Checking whether the destination address has a corresponding destination network device may proceed as follows: search the mapping table of network device addresses to network devices. If a network device address matching the destination address is found, the destination address has a corresponding destination network device. If no matching network device address is found, the destination address has no corresponding destination network device.
S210. When the destination address has a corresponding destination network device, establish a correspondence between the new network threat event and the destination network device corresponding to the destination address.
Establishing a correspondence between the new network threat event and the destination network device corresponding to the destination address means that the new network threat event threatens that destination network device.
S215. When the destination address has no corresponding destination network device, check whether the destination address has a corresponding destination network device region; if yes, execute step S220; if no, execute step S225.
Checking whether the destination address has a corresponding destination network device region means checking whether the destination address falls within the address range of a destination network device region. If it falls within the address range of a destination network device region, the destination address has a corresponding destination network device region; if it does not, the destination address has no corresponding destination network device region.
S220. Establish a correspondence between the new network threat event and the destination network device region to which the destination address belongs.
Establishing a correspondence between the new network threat event and the destination network device region corresponding to the destination address means that the new network threat event threatens that destination network device region.
S225. When the destination address has no corresponding destination network device region, check whether the source address has a corresponding source network device; if yes, execute step S230; if no, execute step S235.
Checking whether the source address has a corresponding source network device may proceed as follows: search the mapping table of network device addresses to network devices. If a network device address matching the source address is found, the source address has a corresponding source network device. If no matching network device address is found, the source address has no corresponding source network device.
S230. Establish a correspondence between the new network threat event and the source network device corresponding to the source address.
Establishing a correspondence between the new network threat event and the source network device corresponding to the source address means that the new network threat event was sent by that source network device; the source network device may be the network device that was initially threatened.
S235. When the source address has no corresponding source network device, check whether the source address has a corresponding source network device region; if yes, execute step S240; if no, execute step S245.
Checking whether the source address has a corresponding source network device region means checking whether the source address falls within the address range of a source network device region. If it falls within the address range of a source network device region, the source address has a corresponding source network device region; if it does not, the source address has no corresponding source network device region.
S240. Establish a correspondence between the new network threat event and the source network device region to which the source address belongs.
Establishing a correspondence between the new network threat event and the source network device region corresponding to the source address means that the new network threat event was sent from that source network device region; the source network device region may be the network device region that was initially threatened.
S245. When the source address has no corresponding source network device region, establish a correspondence between the new network threat event and a pre-specified region.
The pre-specified region may be the region where the network management server used for assessing network threats is located.
The embodiments of the present invention describe only the process of establishing a correspondence between a new Cyberthreat event and a network device or network device region. In fact, an original Cyberthreat event already had its correspondence with a network device or network device region established when it was first collected.
After the correspondence has been established through S200 to S245 above, a threat assessment of the Cyberthreat events that are threatening the pre-divided network can be performed according to the new Cyberthreat event and the importance level of the network device or network device region that has a correspondence with the new Cyberthreat event, to obtain the threat parameter of the pre-divided network.
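The fallback order of steps S200 to S245, written out as an added example that is not code from the patent: a new event is attached to the destination device, else the destination region, else the source device, else the source region, else the preassigned region. The device table, region ranges and names are constructed, and treating a malformed address as unmatched is an assumption.

```python
import ipaddress

# Constructed inventory (not from the patent): a device address mapping table
# and the address range of each network device region.
DEVICES = {"10.1.1.10": "db-server", "10.1.2.20": "web-server"}
REGIONS = {
    "core": ipaddress.ip_network("10.1.1.0/24"),
    "dmz": ipaddress.ip_network("10.1.2.0/24"),
}
DEFAULT_REGION = "nms-region"  # preassigned region, e.g. where the NM server sits


def _parse(addr):
    """Return an ip_address, or None when the event carries a malformed address."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None  # assumption: a malformed address simply matches nothing


def _match(ip):
    """Exact device match first, then region range match; None if neither applies."""
    if ip is None:
        return None
    if str(ip) in DEVICES:
        return ("device", DEVICES[str(ip)])
    for name, net in REGIONS.items():
        if ip.version == net.version and ip in net:
            return ("region", name)
    return None


def correlate(dst, src):
    """Attach a new threat event to an asset.

    Order: destination device, destination region, source device,
    source region, preassigned region. Returns (role, kind, name).
    """
    for role, addr in (("destination", dst), ("source", src)):
        hit = _match(_parse(addr))
        if hit:
            return (role,) + hit
    return ("default", "region", DEFAULT_REGION)


if __name__ == "__main__":
    # Constructed events: (destination address, source address)
    for dst, src in [("10.1.1.10", "203.0.113.5"), ("10.1.2.99", "10.1.1.10"),
                     ("198.51.100.7", "10.1.2.20"), ("198.51.100.7", "192.0.2.1")]:
        print(dst, src, "->", correlate(dst, src))
```

Note that a destination region match wins over a source device match, so an event between two internal hosts is always scored against the asset being targeted.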
Optionally, on the basis of the first optional embodiment above, in a second optional embodiment of the method for Cyberthreat assessment provided by the embodiments of the present invention, when the destination address and source address carried in the new Cyberthreat event are parsed, the method may further include:
Parsing the event level of the new Cyberthreat event.
Performing the threat assessment of the Cyberthreat events that are threatening the pre-divided network according to the new Cyberthreat event and the importance level of the network device or network device region that has a correspondence with the new Cyberthreat event, to obtain the threat parameter of the pre-divided network, may include:
Taking the square root of the product of the importance level of the network device or network device region corresponding to the new Cyberthreat event, the event level of the new Cyberthreat event, and the processing state of the new Cyberthreat event, and rounding the result, to obtain the event threat level ETL of the new Cyberthreat event;
Calculating the device threat level ATL of the network device according to the event threat level ETL of the new Cyberthreat event and the ETLs of the threat events other than the new Cyberthreat event, where the device threat level is the maximum ETL of the Cyberthreat events corresponding to the network device;
Calculating the Cyberthreat level of the pre-divided network according to the ATL of the network device.
Displaying the threat parameter of the pre-divided network may include:
Displaying the Cyberthreat level of the pre-divided network.
In the embodiments of the present invention, the calculation of the event threat level (ETL, Event Threat Level) of a new Cyberthreat event can be understood with reference to the following formula:
ETL = Round(SQRT(EP * (EL * AV)), 0)
Where AV (Asset Value) indicates the importance level of the network device or network device region; for example, it can be divided into 5 levels: very high, high, medium, low and very low, with corresponding weights 5, 4, 3, 2, 1.
EL (Event Level) indicates the event level of the Cyberthreat event; for example, it can be divided into 5 levels: very high, high, medium, low and very low, each level corresponding to a weighting coefficient, by default 5, 4, 3, 2, 1.
EP (Event Process) is the event processing attribute: 1 means unresolved, 0 means resolved.
ETL equals the square root of the product EP * (EL * AV), rounded to an integer.
In the embodiments of the present invention, ATL = Max(ETLn), and the Cyberthreat level of the pre-divided network = Max(ATLn).
Optionally, on the basis of the second optional embodiment above, in a third optional embodiment of the method for Cyberthreat assessment provided by the embodiments of the present invention, after the device threat level ATL of the network device is calculated, the method may further include:
Calculating the device threat degree of the network device according to the ATL of the network device and a first preset formula.
After the Cyberthreat level of the pre-divided network is calculated, the method may further include:
Calculating the Cyberthreat degree of the pre-divided network according to the Cyberthreat level, the device threat level, the device threat degree and a second preset formula.
When the Cyberthreat level of the pre-divided network is displayed, the method may further include:
Displaying the Cyberthreat degree of the pre-divided network.
In the embodiments of the present invention, the device threat degree ATS (Asset Threat Severity) of a network device = the threat base value corresponding to the threat level of the network device + the weighted value of the number of threats to the network device, which can be expressed by the first formula:
ATS = 20 * (ATL - 1) + min(20, (∑ (0.1^(5-i) * ECi)) * TWF)
Where i is the event level, 1 <= i <= 5, ECi is the number of occurrences of events whose event level is i, and TWF (Threat Weight Factor) is the threat weighting coefficient, 0 <= TWF <= 10.
Examples of the expanded formula:
Device threat degree of a network device whose highest threat level is 5 = 80 + min(20, (1*EC5 + 0.1^1*EC4 + 0.1^2*EC3 + 0.1^3*EC2 + 0.1^4*EC1) * 10)
Device threat degree of a network device whose highest threat level is 4 = 60 + min(20, (1*EC5 + 0.1^1*EC4 + 0.1^2*EC3 + 0.1^3*EC2 + 0.1^4*EC1) * 10).
The second formula, for the Cyberthreat degree of the pre-divided network, can be expressed as:
Cyberthreat degree = 20 * (Cyberthreat level - 1) + (∑ (0.1^(Cyberthreat level - ATL(j)) * (ATS(j) - 20 * (ATL(j) - 1)))) / n
Where 1 <= j <= n, and n is the number of network devices.
When the Cyberthreat level of the pre-divided network is displayed, the Cyberthreat degree of the pre-divided network is displayed as well. For example, if the Cyberthreat level of the pre-divided network is 5 and its Cyberthreat degree is 85, the two threat parameters, Cyberthreat level 5 and Cyberthreat degree 85, can be displayed together.
Optionally, on the basis of the third optional embodiment above, in a fourth optional embodiment of the method for Cyberthreat assessment provided by the embodiments of the present invention, when the pre-divided network is a multi-level pre-divided network, calculating the Cyberthreat level of the pre-divided network according to the ATL of the network device may include:
Calculating the Cyberthreat level of each level of the multiple levels separately, according to the ATL of the network device.
Calculating the Cyberthreat degree of the pre-divided network according to the Cyberthreat level, the device threat level, the device threat degree and the second preset formula may include:
Calculating the Cyberthreat degree of each level according to the Cyberthreat level of that level, the device threat level, the device threat degree and the preset second formula corresponding to that level.
Displaying the threat parameter of the pre-divided network may include:
Displaying the Cyberthreat level and Cyberthreat degree of each level of the multiple levels.
Referring to Fig. 3, the following describes how the present invention assesses Cyberthreats when the pre-divided network has multiple levels. Taking an enterprise network as an example, the enterprise network is divided into 4 levels: the network device level, the network device group level, the network device region level and the entire enterprise network level.
After the device threat level ATL of the network devices of the first level has been calculated, the following can be calculated separately from the ATL:
The threat level of a network device group (AGTL: Asset Group Threat Level) is determined by the highest device threat level among the network devices in the group, i.e. AGTL = Max(ATLn).
The threat level of a network device region (ZTL: Zone Threat Level) is determined by the highest device threat level among the network devices in the region, i.e. ZTL = Max(ATLn).
The threat level of the entire enterprise network (GTL: Global Threat Level) is determined by the highest device threat level among the network devices in the entire enterprise network, i.e. GTL = Max(ATLn).
Correspondingly, the Cyberthreat degree of each level can then be calculated from the Cyberthreat degree formula.
The threat degree of a network device group is:
AGTS = 20 * (AGTL - 1) + (∑ (0.1^(AGTL - ATL(j)) * (ATS(j) - 20 * (ATL(j) - 1)))) / n
The threat degree of a network device region is:
ZTS = 20 * (ZTL - 1) + (∑ (0.1^(ZTL - ATL(j)) * (ATS(j) - 20 * (ATL(j) - 1)))) / n
The threat degree of the entire enterprise network is:
GTS = 20 * (GTL - 1) + (∑ (0.1^(GTL - ATL(j)) * (ATS(j) - 20 * (ATL(j) - 1)))) / n
Where 1 <= j <= n, and n is the number of network devices. For example:
A network device group has 2 network devices. Network device 1 has threat level 5 and threat degree 90; network device 2 has threat level 3 and threat degree 60. The threat degree formula then expands as follows:
Threat level of the group: AGTL = Max(5, 3) = 5
AGTS = 20 * (5 - 1) + ((0.1^(5-5) * (90 - 20 * (5 - 1)) + 0.1^(5-3) * (60 - 20 * (3 - 1))) / 2)
= 80 + ((1 * 10 + 0.01 * 20) / 2)
= 85.1
It can then be determined that the threat level of the network device group is 5 and the threat degree of the group is 85.1.
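The scoring chain above (ETL, ATL, ATS, then the level and threat degree of a group, region or whole network), as an added example that is not code from the patent. Function names and the sample events are constructed; counting only unresolved events in ECi and leaving devices with no unresolved event out of the aggregate are assumptions, since the page's formulas are stated for levels 1 to 5 only.

```python
import math
from collections import Counter

TWF = 10  # threat weighting factor, 0 <= TWF <= 10 (the value used in the expansions)


def etl(av, el, ep):
    """Event threat level: Round(SQRT(EP * (EL * AV)), 0)."""
    if av not in range(1, 6) or el not in range(1, 6):
        raise ValueError("AV and EL must be integers from 1 to 5")
    if ep not in (0, 1):
        raise ValueError("EP must be 1 (unresolved) or 0 (resolved)")
    # With integer inputs the square root never lands exactly on .5,
    # so round() cannot hit a tie here.
    return round(math.sqrt(ep * el * av))


def score_device(av, events, twf=TWF):
    """Return (ATL, ATS) for one device; events is a list of (EL, EP) pairs."""
    atl = max((etl(av, el, ep) for el, ep in events), default=0)
    if atl < 1:
        return 0, 0.0  # assumption: no unresolved event means nothing to score
    # Assumption: ECi counts unresolved events whose event level is i.
    ec = Counter(el for el, ep in events if ep == 1)
    weighted = sum(0.1 ** (5 - i) * ec[i] for i in range(1, 6))
    return atl, 20 * (atl - 1) + min(20, weighted * twf)


def level_and_degree(devices):
    """Aggregate (ATL, ATS) pairs into (threat level, threat degree).

    The same formula serves AGTL/AGTS, ZTL/ZTS and GTL/GTS; only the
    set of devices passed in differs.
    """
    scored = [(a, s) for a, s in devices if a >= 1]  # assumption, see lead-in
    if not scored:
        return 0, 0.0
    level = max(a for a, _ in scored)
    total = sum(0.1 ** (level - a) * (s - 20 * (a - 1)) for a, s in scored)
    return level, 20 * (level - 1) + total / len(scored)


# Constructed sample chosen to reproduce the page's two-device group:
# device 1 is a very-high-value asset with one open level-5 event and one
# resolved level-4 event; device 2 is a low-value asset with two open
# level-5 events.
DEVICE_1 = score_device(5, [(5, 1), (4, 0)])
DEVICE_2 = score_device(2, [(5, 1), (5, 1)])

if __name__ == "__main__":
    print("device 1 (ATL, ATS):", DEVICE_1)
    print("device 2 (ATL, ATS):", DEVICE_2)
    print("group (AGTL, AGTS):", level_and_degree([DEVICE_1, DEVICE_2]))
```

Device 2 shows how asset value damps the score: two open level-5 events on an asset of value 2 yield only device threat level 3, so they add 0.01 × 20 to the group sum instead of dominating it.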
In the embodiments of the present invention, the real-time Cyberthreat situation can be displayed level by level on a network topology diagram. In this way, the network administrator can understand the security state of the entire enterprise network and of each level in a timely manner, and can conveniently focus on the threat that high-risk events pose to network devices.
Optionally, on the basis of the embodiment corresponding to Fig. 1 above or any of the first to fourth optional embodiments, in a fifth optional embodiment provided by the embodiments of the present invention, the method may further include:
Generating a threat assessment report from the threat parameter of the current network.
In the embodiments of the present invention, after the threat assessment result has been refreshed in real time, the administrator can generate a threat assessment report manually or periodically, for archiving and analysis.
Referring to Fig. 4, an embodiment of an apparatus 20 for Cyberthreat assessment provided by the embodiments of the present invention includes:
A monitoring unit 201, configured to monitor the Cyberthreat events that are threatening the pre-divided network and the importance level of the network devices in the pre-divided network;
An assessment unit 202, configured to, when the monitoring unit 201 detects that at least one of the state of the Cyberthreat events threatening the pre-divided network and the importance level of the network devices has changed, perform a threat assessment of the Cyberthreat events that are threatening the pre-divided network and obtain the threat parameter of the pre-divided network, where the threat parameter of the pre-divided network describes how urgently the pre-divided network is currently threatened by the Cyberthreat events that are threatening it;
A display unit 203, configured to display the threat parameter of the pre-divided network obtained by the assessment unit 202.
In the embodiments of the present invention, the monitoring unit 201 monitors the Cyberthreat events that are threatening the pre-divided network and the importance level of the network devices in the pre-divided network. When the monitoring unit 201 detects that at least one of the state of the Cyberthreat events threatening the pre-divided network and the importance level of the network devices has changed, the assessment unit 202 performs a threat assessment of the Cyberthreat events that are threatening the pre-divided network and obtains the threat parameter of the pre-divided network, which describes how urgently the pre-divided network is currently threatened by those Cyberthreat events. The display unit 203 displays the threat parameter of the pre-divided network obtained by the assessment unit 202. Compared with vulnerability scanning in the prior art, which cannot dynamically reflect the current threat situation of the network in real time, the apparatus for Cyberthreat assessment provided by the embodiments of the present invention assesses and displays the Cyberthreat whenever the state of a Cyberthreat event threatening the pre-divided network or the importance level of a network device changes, and can therefore dynamically reflect the current Cyberthreat situation in real time.
Optionally, on the basis of the embodiment corresponding to Fig. 4 above, and referring to Fig. 5, in a first optional embodiment of the apparatus 20 for Cyberthreat assessment provided by the embodiments of the present invention, the assessment unit 202 includes:
A parsing subunit 2021, configured to parse the destination address and source address carried in a new Cyberthreat event when the monitoring unit 201 detects that the new Cyberthreat event has been added to the Cyberthreat events threatening the pre-divided network;
A correspondence establishing subunit 2022, configured to establish a correspondence between the new Cyberthreat event and the destination network device corresponding to the destination address when the destination address parsed by the parsing subunit 2021 has a corresponding destination network device;
The correspondence establishing subunit 2022 is further configured to establish a correspondence between the new Cyberthreat event and the destination network device region to which the destination address belongs when the destination address parsed by the parsing subunit 2021 has no corresponding destination network device but has a corresponding destination network device region;
The correspondence establishing subunit 2022 is further configured to establish a correspondence between the new Cyberthreat event and the source network device corresponding to the source address when the destination address parsed by the parsing subunit 2021 has no corresponding destination network device region but the source address parsed by the parsing subunit has a corresponding source network device;
The correspondence establishing subunit 2022 is further configured to establish a correspondence between the new Cyberthreat event and the source network device region to which the source address belongs when the source address parsed by the parsing subunit 2021 has no corresponding source network device but has a corresponding source network device region;
The correspondence establishing subunit 2022 is further configured to establish a correspondence between the new Cyberthreat event and a preassigned region when the source address parsed by the parsing subunit 2021 has no corresponding source network device region;
An assessment subunit 2023, configured to perform a threat assessment of the Cyberthreat events that are threatening the pre-divided network according to the new Cyberthreat event and the importance level of the network device or network device region for which the correspondence establishing subunit 2022 has established a correspondence with the new Cyberthreat event, to obtain the threat parameter of the pre-divided network.
Optionally, on the basis of the embodiment corresponding to Fig. 5 above, and referring to Fig. 6, in a second optional embodiment of the apparatus 20 for Cyberthreat assessment provided by the embodiments of the present invention,
The parsing subunit 2021 is further configured to parse the event level of the new Cyberthreat event when parsing the destination address and source address carried in the new Cyberthreat event;
The assessment subunit 2023 includes:
A first computation subunit 20231, configured to take the square root of the product of the importance level of the network device or network device region that the correspondence establishing subunit 2022 has associated with the new Cyberthreat event, the event level of the new Cyberthreat event parsed by the parsing subunit, and the processing state of the new Cyberthreat event, and round the result, to obtain the event threat level ETL of the new Cyberthreat event;
A second computation subunit 20232, configured to calculate the device threat level ATL of the network device according to the event threat level ETL of the new Cyberthreat event calculated by the first computation subunit 20231 and the ETLs of the threat events other than the new Cyberthreat event, where the device threat level is the maximum ETL of the Cyberthreat events corresponding to the network device;
A third computation subunit 20233, configured to calculate the Cyberthreat level of the pre-divided network according to the ATL of the network device calculated by the second computation subunit 20232;
The display unit 203 is configured to display the Cyberthreat level of the pre-divided network calculated by the third computation subunit 20233.
Optionally, on the basis of the second optional embodiment corresponding to Fig. 6 above, in a third optional embodiment of the apparatus 20 for Cyberthreat assessment provided by the embodiments of the present invention,
The second computation subunit 20232 is further configured to, after calculating the device threat level ATL of the network device, calculate the device threat degree of the network device according to the ATL of the network device and a first preset formula;
The third computation subunit 20233 is further configured to, after calculating the Cyberthreat level of the pre-divided network, calculate the Cyberthreat degree of the pre-divided network according to the Cyberthreat level, the device threat level, the device threat degree and a second preset formula;
The display unit 203 is further configured to display the Cyberthreat degree of the pre-divided network calculated by the third computation subunit 20233 when displaying the Cyberthreat level of the pre-divided network.
Optionally, on the basis of the third optional embodiment corresponding to Fig. 6 above, in a fourth optional embodiment of the apparatus 20 for Cyberthreat assessment provided by the embodiments of the present invention, when the pre-divided network is a multi-level pre-divided network,
The third computation subunit 20233 is configured to calculate the Cyberthreat level of each level of the multiple levels separately according to the ATL of the network device, and to calculate the Cyberthreat degree of each level according to the Cyberthreat level of that level, the device threat level, the device threat degree and the preset second formula corresponding to that level;
The display unit 203 is configured to display the Cyberthreat level and Cyberthreat degree of each level of the multiple levels calculated by the third computation subunit 20233.
Fig. 7 is a structural schematic diagram of the apparatus 20 for Cyberthreat assessment according to an embodiment of the present invention. The apparatus 20 for Cyberthreat assessment may include an input device 210, an output device 220, a processor 230 and a memory 240.
The memory 240 may include read-only memory and random access memory, and provides instructions and data to the processor 230. A part of the memory 240 may also include non-volatile random access memory (NVRAM).
The memory 240 stores the following elements, executable modules or data structures, or a subset of them, or a superset of them:
Operation instructions: including various operation instructions, used to implement various operations.
Operating system: including various system programs, used to implement various basic services and to process hardware-based tasks.
In the embodiments of the present invention, the processor 230 performs the following operations by calling the operation instructions stored in the memory 240 (the operation instructions may be stored in the operating system):
Monitoring the Cyberthreat events that are threatening the pre-divided network and the importance level of the network devices in the pre-divided network;
When it is detected that at least one of the state of the Cyberthreat events threatening the pre-divided network and the importance level of the network devices has changed, performing a threat assessment of the Cyberthreat events that are threatening the pre-divided network to obtain the threat parameter of the pre-divided network, where the threat parameter of the pre-divided network describes how urgently the pre-divided network is currently threatened by the Cyberthreat events that are threatening it;
Displaying the threat parameter of the pre-divided network through the output device 220.
In the embodiments of the present invention, the apparatus 20 for Cyberthreat assessment assesses and displays the Cyberthreat whenever the state of a Cyberthreat event threatening the pre-divided network or the importance level of a network device changes, and can therefore dynamically reflect the current Cyberthreat situation in real time.
The processor 230 controls the operation of the apparatus 20 for Cyberthreat assessment; the processor 230 may also be called a CPU (Central Processing Unit). The memory 240 may include read-only memory and random access memory, and provides instructions and data to the processor 230. A part of the memory 240 may also include non-volatile random access memory (NVRAM). In a specific application, the components of the apparatus 20 for Cyberthreat assessment are coupled together by a bus system 250, where the bus system 250 may include, in addition to a data bus, a power bus, a control bus, a status signal bus and so on. For clarity of description, however, the various buses are all labelled as the bus system 250 in the figure.
The method disclosed in the embodiments of the present invention above may be applied in the processor 230, or implemented by the processor 230. The processor 230 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by an integrated logic circuit of hardware in the processor 230 or by instructions in the form of software. The processor 230 may be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in the embodiments of the present invention may be executed and completed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory 240; the processor 230 reads the information in the memory 240 and completes the steps of the above method in combination with its hardware.
Optionally, the processor 230 may specifically: when it is detected that a new Cyberthreat event has been added to the Cyberthreat events threatening the pre-divided network, parse the destination address and source address carried in the new Cyberthreat event;
When the destination address has a corresponding destination network device, establish a correspondence between the new Cyberthreat event and the destination network device corresponding to the destination address;
When the destination address has no corresponding destination network device but has a corresponding destination network device region, establish a correspondence between the new Cyberthreat event and the destination network device region to which the destination address belongs;
When the destination address has no corresponding destination network device region but the source address has a corresponding source network device, establish a correspondence between the new Cyberthreat event and the source network device corresponding to the source address;
When the source address has no corresponding source network device but has a corresponding source network device region, establish a correspondence between the new Cyberthreat event and the source network device region to which the source address belongs;
When the source address has no corresponding source network device region, establish a correspondence between the new Cyberthreat event and a preassigned region;
Perform a threat assessment of the Cyberthreat events that are threatening the pre-divided network according to the new Cyberthreat event and the importance level of the network device or network device region that has a correspondence with the new Cyberthreat event, to obtain the threat parameter of the pre-divided network.
Optionally, the processor 230 may further: when parsing the destination address and source address carried in the new Cyberthreat event, parse the event level of the new Cyberthreat event;
The processor 230 may specifically: take the square root of the product of the importance level of the network device or network device region corresponding to the new Cyberthreat event, the event level of the new Cyberthreat event, and the processing state of the new Cyberthreat event, and round the result, to obtain the event threat level ETL of the new Cyberthreat event;
Calculate the device threat level ATL of the network device according to the event threat level ETL of the new Cyberthreat event and the ETLs of the threat events other than the new Cyberthreat event, where the device threat level is the maximum ETL of the Cyberthreat events corresponding to the network device;
Calculate the Cyberthreat level of the pre-divided network according to the ATL of the network device;
The output device 220 may specifically: display the Cyberthreat level of the pre-divided network.
Optionally, the processor 230 may further: after calculating the device threat level ATL of the network device, calculate the device threat degree of the network device according to the ATL of the network device and a first preset formula;
After calculating the Cyberthreat level of the pre-divided network, calculate the Cyberthreat degree of the pre-divided network according to the Cyberthreat level, the device threat level, the device threat degree and a second preset formula;
The output device 220 may further display the Cyberthreat degree of the pre-divided network when displaying the Cyberthreat level of the pre-divided network.
Optionally, the processor 230 may specifically: when the pre-divided network is a multi-level pre-divided network, calculate the Cyberthreat level of each level of the multiple levels separately according to the ATL of the network device; and calculate the Cyberthreat degree of each level according to the Cyberthreat level of that level, the device threat level, the device threat degree and the preset second formula corresponding to that level;
The output device 220 may specifically display the Cyberthreat level and Cyberthreat degree of each level of the multiple levels.
Referring to Fig. 8, an embodiment of the system for Cyberthreat assessment provided by the embodiments of the present invention includes: network devices 30 and the apparatus 20 for Cyberthreat assessment. There may be multiple network devices, and the network devices may be divided among pre-divided networks of different levels;
The embodiments of the present invention take a pre-divided network with four levels as an example: the pre-divided network of the first level is a network device 30, the pre-divided network of the second level contains 3 network devices 30, the pre-divided network of the third level contains two second-level pre-divided networks, and the pre-divided network of the fourth level contains two third-level pre-divided networks. The apparatus 20 for Cyberthreat assessment is communicatively connected to each network device 30;
The apparatus 20 for Cyberthreat assessment is configured to monitor the Cyberthreat events that are threatening the pre-divided network and the importance level of the network devices in the pre-divided network; when it is detected that at least one of the state of the Cyberthreat events threatening the pre-divided network and the importance level of the network devices has changed, perform a threat assessment of the Cyberthreat events that are threatening the pre-divided network to obtain the threat parameter of the pre-divided network, where the threat parameter of the pre-divided network describes how urgently the pre-divided network is currently threatened by the Cyberthreat events that are threatening it; and display the threat parameter of the pre-divided network.
In the embodiments of the present invention, the threat parameter of the pre-divided network of each level can be displayed.
The system for Cyberthreat assessment provided by the embodiments of the present invention assesses and displays the Cyberthreat whenever the state of a Cyberthreat event threatening the pre-divided network or the importance level of a network device changes, and can therefore dynamically reflect the current Cyberthreat situation in real time.
A person of ordinary skill in the art will appreciate that all or part of the steps in the methods of the above embodiments can be completed by a program instructing the relevant hardware (such as a processor). The program can be stored in a computer-readable storage medium, and the storage medium may include: ROM, RAM, a magnetic disk, an optical disc, and so on.
The method, apparatus and system for Cyberthreat assessment provided by the embodiments of the present invention have been described in detail above. Specific examples are used herein to explain the principle and implementation of the present invention, and the description of the above embodiments is only intended to help in understanding the method of the present invention and its core idea. Meanwhile, for a person of ordinary skill in the art, there will be changes in the specific implementation and scope of application in accordance with the idea of the present invention. In summary, the content of this specification should not be construed as limiting the present invention.
Claims (9)
1. A method for Cyberthreat assessment, characterized by including:
Monitoring the Cyberthreat events that are threatening a pre-divided network and the importance level of the network devices in the pre-divided network;
When it is detected that a new Cyberthreat event has been added to the Cyberthreat events threatening the pre-divided network, parsing the destination address and source address carried in the new Cyberthreat event;
When the destination address has a corresponding destination network device, establishing a correspondence between the new Cyberthreat event and the destination network device corresponding to the destination address;
When the destination address has no corresponding destination network device but has a corresponding destination network device region, establishing a correspondence between the new Cyberthreat event and the destination network device region to which the destination address belongs;
When the destination address has no corresponding destination network device region but the source address has a corresponding source network device, establishing a correspondence between the new Cyberthreat event and the source network device corresponding to the source address;
When the source address has no corresponding source network device but has a corresponding source network device region, establishing a correspondence between the new Cyberthreat event and the source network device region to which the source address belongs;
When the source address has no corresponding source network device region, establishing a correspondence between the new Cyberthreat event and a preassigned region;
Performing a threat assessment of the Cyberthreat events that are threatening the pre-divided network according to the new Cyberthreat event and the importance level of the network device or network device region that has a correspondence with the new Cyberthreat event, to obtain the threat parameter of the pre-divided network, where the threat parameter of the pre-divided network describes how urgently the pre-divided network is currently threatened by the Cyberthreat events that are threatening it;
Displaying the threat parameter of the pre-divided network.
2. The method according to claim 1, characterized in that, when parsing out the destination address and source address carried in the new network threat event, the method further comprises:
Parsing out the event level of the new network threat event;
The performing threat assessment on the network threat events threatening the pre-divided network according to the new network threat event and the importance level of the network device or network device region that has a correspondence with the new network threat event, to obtain the threat parameter of the pre-divided network, comprises:
Taking the square root of the product of the importance level of the network device or network device region corresponding to the new network threat event, the event level of the new network threat event, and the processing state of the new network threat event, and rounding the result to an integer, to obtain the event threat level (ETL) of the new network threat event;
Calculating the device threat level (ATL) of the network device according to the ETL of the new network threat event and the ETLs of the threat events other than the new network threat event, the device threat level being the maximum ETL of the network threat events corresponding to the network device;
Calculating the network threat level of the pre-divided network according to the ATL of the network device;
The displaying the threat parameter of the pre-divided network comprises:
Displaying the network threat level of the pre-divided network.
3. The method according to claim 2, characterized in that, after calculating the device threat level (ATL) of the network device, the method further comprises:
Calculating the device threat degree of the network device according to the ATL of the network device and a first preset formula;
After calculating the network threat level of the pre-divided network, the method further comprises:
Calculating the network threat degree of the pre-divided network according to the network threat level, the device threat level, the device threat degree and a second preset formula;
When displaying the network threat level of the pre-divided network, the method further comprises:
Displaying the network threat degree of the pre-divided network.
4. The method according to claim 3, characterized in that, when the pre-divided network is a multi-layer pre-divided network, the calculating the network threat level of the pre-divided network according to the ATL of the network device comprises:
Calculating the network threat level of each layer of the multiple layers separately according to the ATL of the network device;
The calculating the network threat degree of the pre-divided network according to the network threat level, the device threat level, the device threat degree and the second preset formula comprises:
Calculating the network threat degree of each layer according to the network threat level of that layer, the device threat level, the device threat degree and the preset second formula corresponding to that layer;
The displaying the threat parameter of the pre-divided network comprises:
Displaying the network threat level and the network threat degree of each layer of the multiple layers.
5. An apparatus for network threat assessment, characterized by comprising:
A monitoring unit, configured to monitor the network threat events threatening a pre-divided network and the importance levels of the network devices in the pre-divided network;
An assessment unit, configured to, when the monitoring unit detects a change in at least one of the state of the network threat events threatening the pre-divided network and the importance level of the network devices, perform threat assessment on the network threat events threatening the pre-divided network to obtain a threat parameter of the pre-divided network, the threat parameter of the pre-divided network being used to describe the degree of urgency with which the pre-divided network is currently threatened by the network threat events threatening the pre-divided network;
A display unit, configured to display the threat parameter of the pre-divided network obtained by the assessment unit;
Wherein the assessment unit comprises:
A parsing subunit, configured to, when the monitoring unit detects that a new network threat event has been added to the network threat events threatening the pre-divided network, parse out the destination address and the source address carried in the new network threat event;
A correspondence establishing subunit, configured to, when the destination address parsed out by the parsing subunit has a corresponding destination network device, establish a correspondence between the new network threat event and the destination network device corresponding to the destination address;
The correspondence establishing subunit, configured to, when the destination address parsed out by the parsing subunit has no corresponding destination network device but has a corresponding destination network device region, establish a correspondence between the new network threat event and the destination network device region to which the destination address belongs;
The correspondence establishing subunit, configured to, when the destination address parsed out by the parsing subunit has no corresponding destination network device region but the source address parsed out by the parsing subunit has a corresponding source network device, establish a correspondence between the new network threat event and the source network device corresponding to the source address;
The correspondence establishing subunit, configured to, when the source address parsed out by the parsing subunit has no corresponding source network device but has a corresponding source network device region, establish a correspondence between the new network threat event and the source network device region to which the source address belongs;
The correspondence establishing subunit, configured to, when the source address parsed out by the parsing subunit has no corresponding source network device region, establish a correspondence between the new network threat event and a pre-specified region;
An assessment subunit, configured to perform threat assessment on the network threat events threatening the pre-divided network according to the new network threat event and the importance level of the network device or network device region that, as established by the correspondence establishing subunit, has a correspondence with the new network threat event, to obtain the threat parameter of the pre-divided network.
6. The apparatus according to claim 5, characterized in that:
The parsing subunit is further configured to parse out the event level of the new network threat event when parsing out the destination address and source address carried in the new network threat event;
The assessment subunit comprises:
A first calculation subunit, configured to take the square root of the product of the importance level of the network device or network device region that, as established by the correspondence establishing subunit, corresponds to the new network threat event, the event level of the new network threat event parsed out by the parsing subunit, and the processing state of the new network threat event, and round the result to an integer, to obtain the event threat level (ETL) of the new network threat event;
A second calculation subunit, configured to calculate the device threat level (ATL) of the network device according to the ETL of the new network threat event calculated by the first calculation subunit and the ETLs of the threat events other than the new network threat event, the device threat level being the maximum ETL of the network threat events corresponding to the network device;
A third calculation subunit, configured to calculate the network threat level of the pre-divided network according to the ATL of the network device calculated by the second calculation subunit;
The display unit is configured to display the network threat level of the pre-divided network calculated by the third calculation subunit.
7. The apparatus according to claim 6, characterized in that:
The second calculation subunit is further configured to, after calculating the device threat level (ATL) of the network device, calculate the device threat degree of the network device according to the ATL of the network device and a first preset formula;
The third calculation subunit is further configured to, after calculating the network threat level of the pre-divided network, calculate the network threat degree of the pre-divided network according to the network threat level, the device threat level, the device threat degree and a second preset formula;
The display unit is further configured to display the network threat degree of the pre-divided network when displaying the network threat level of the pre-divided network.
8. The apparatus according to claim 7, characterized in that, when the pre-divided network is a multi-layer pre-divided network:
The third calculation subunit is configured to calculate the network threat level of each layer of the multiple layers separately according to the ATL of the network device, and to calculate the network threat degree of each layer according to the network threat level of that layer, the device threat level, the device threat degree and the preset second formula corresponding to that layer;
The display unit is configured to display the network threat level and the network threat degree of each layer of the multiple layers calculated by the third calculation subunit.
9. A system for network threat assessment, characterized by comprising: a network device and an apparatus for network threat assessment, the network device being communicatively connected to the apparatus for network threat assessment, the apparatus for network threat assessment being the apparatus according to any one of claims 5-8.
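The event-to-asset mapping of claim 1 and the ETL/ATL scoring of claim 2, as an added Python example that is not part of the patent text. The inventory, the numeric scales for importance, event level and processing state, the sample events, and rounding to the nearest integer are all assumptions; the claims give only the fallback order, the square root of the product, and ATL as the maximum ETL.

```python
import ipaddress
import math
from collections import defaultdict

# Constructed inventory (assumption): address -> device, CIDR -> region.
DEVICES = {"10.0.1.10": "db-server", "10.0.2.20": "workstation-7"}
REGIONS = {"10.0.1.0/24": "server-zone", "10.0.2.0/24": "office-zone"}
DEFAULT_REGION = "unassigned"  # the "pre-specified region" of claim 1
IMPORTANCE = {"db-server": 5, "workstation-7": 2,
              "server-zone": 4, "office-zone": 2, "unassigned": 1}

def region_of(addr):
    """Return the region whose network contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for cidr, name in REGIONS.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return None

def associate(event):
    """Claim 1 fallback order: destination device, destination region,
    source device, source region, then the pre-specified region."""
    dst, src = event["dst"], event["src"]
    return (DEVICES.get(dst) or region_of(dst)
            or DEVICES.get(src) or region_of(src)
            or DEFAULT_REGION)

def etl(importance, event_level, processing_state):
    """Claim 2: square root of the product, rounded to an integer
    (nearest-integer rounding is an assumption)."""
    return round(math.sqrt(importance * event_level * processing_state))

def assess(events):
    """Return {asset: ATL}, where ATL is the maximum ETL of its events."""
    atl = defaultdict(int)
    for ev in events:
        asset = associate(ev)
        score = etl(IMPORTANCE[asset], ev["level"], ev["state"])
        atl[asset] = max(atl[asset], score)
    return dict(atl)

# Constructed sample events; "state" is a hypothetical numeric processing state.
EVENTS = [
    {"src": "203.0.113.5", "dst": "10.0.1.10",    "level": 4, "state": 2},
    {"src": "203.0.113.9", "dst": "10.0.1.77",    "level": 3, "state": 2},
    {"src": "10.0.2.20",   "dst": "198.51.100.1", "level": 5, "state": 1},
    {"src": "10.0.2.99",   "dst": "198.51.100.2", "level": 2, "state": 2},
    {"src": "192.0.2.1",   "dst": "198.51.100.3", "level": 3, "state": 3},
    {"src": "203.0.113.5", "dst": "10.0.1.10",    "level": 1, "state": 1},
]

if __name__ == "__main__":
    for asset, level in assess(EVENTS).items():
        print(f"{asset}: ATL={level}")
```

Because every event ends up attached to some device or region, an event with unknown addresses still contributes to a score instead of being dropped.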
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410301325.3A CN105227529B (en) | 2014-06-27 | 2014-06-27 | A kind of method, apparatus and system assessed for Cyberthreat |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105227529A CN105227529A (en) | 2016-01-06 |
CN105227529B true CN105227529B (en) | 2018-10-19 |
Family
ID=54996213
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410301325.3A Active CN105227529B (en) | 2014-06-27 | 2014-06-27 | A kind of method, apparatus and system assessed for Cyberthreat |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105227529B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107147520B (en) * | 2017-05-07 | 2019-12-27 | 杨娟 | Network mining method for terrorist organization |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102185847A (en) * | 2011-04-22 | 2011-09-14 | 南京邮电大学 | Malicious code network attack evaluation method based on entropy method |
CN103716177A (en) * | 2013-11-18 | 2014-04-09 | 国家电网公司 | Security risk assessment method and apparatus |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8769608B2 (en) * | 2011-02-16 | 2014-07-01 | The Boeing Company | Airport security system |
Also Published As
Publication number | Publication date |
---|---|
CN105227529A (en) | 2016-01-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |