CN107194259A - Comprehensive vulnerability-severity assessment method and system based on the attack process - Google Patents

Info

Publication number: CN107194259A (granted as CN107194259B)
Application number: CN201710243627.3A
Authority: CN (China)
Language: Chinese (zh)
Inventors: 金海, 邹德清, 杨巨, 李珍
Assignee: Huazhong University of Science and Technology
Legal status: granted, active
Prior-art keywords: attribute, grade, attack, instrumentation, mapping relation

Classifications

    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577: Assessing vulnerabilities and evaluating computer system security

Abstract

The invention discloses a comprehensive vulnerability-severity assessment method and system based on the attack process. The method has an offline training part and an online evaluation part. The offline training part: define the mapping relations between instrumentation feature sets and instrumentation attributes, and the evaluation rules for the instrumentation attributes; collect instrumentation attributes, obtain the grade of each attribute from its evaluation rule, and then, from the mapping relations between feature sets and attributes, obtain the grade of each instrumentation feature set; train to obtain an attribute processing model. The online evaluation part: for instrumentation attributes, use the attribute processing model to obtain the grades of the instrumentation feature sets; for monitoring attributes, read the grade of the monitoring feature set directly; combine the grades into the vulnerability severity of the attack process. The invention assesses the vulnerability severity of the attack process comprehensively, excludes the influence of human factors, and obtains a highly accurate severity.

Description

Comprehensive vulnerability-severity assessment method and system based on the attack process
Technical field
The invention belongs to the field of vulnerability research, and more particularly relates to a comprehensive vulnerability-severity assessment method and system based on the attack process.
Background art
Faced with increasingly complex computer systems and a wide variety of security vulnerabilities, system administrators need to assess vulnerabilities promptly and fix them in order of assessed severity so as to reduce losses. To evaluate vulnerabilities objectively and accurately, security vendors and security organisations have each studied the severity of vulnerabilities to some degree and then put forward their own assessment methods and criteria. This inconsistency has a consequence: for the same vulnerability, different assessment methods may yield different results, which makes it very difficult for an administrator to judge the real degree of harm of the vulnerability.
To resolve the inconsistency among security assessment systems, NIAC proposed an open, universal vulnerability assessment system, CVSS (Common Vulnerability Scoring System). Its main purpose is to evaluate the severity of a vulnerability, expressed as a number between 0 and 10: the higher the score, the more severe the vulnerability. At the same time, to solve the inconsistency of earlier assessment systems, it provides a concise and unified assessment approach, which favours assessing the risk of a vulnerability in a short time and minimising losses.
Existing improvements to CVSS assessment are of several kinds: improving the accuracy of CVSS assessment by adding extra attributes, predicting CVSS assessments from published vulnerability information, and improving CVSS assessment by considering other factors. The first kind adds extra characteristic attributes, such as the program dependency graph of the vulnerable software and the reachability of attack-surface paths. It considers only the structural graph of the vulnerable software, so against other attacks, such as ROP, it may produce wrong results, and it does not address interference from human factors, so a degree of subjectivity remains. The second kind improves CVSS results by mining large volumes of published vulnerability information: it first collects vulnerability information published on many websites on a large scale, mines it with machine-learning algorithms, treats the mined information as vulnerability attributes, and re-assesses the CVSS severity from those attributes. Although this method aims at an objective, data-driven result and tries to exclude human interference, it can only provide a predicted value and cannot reflect the true severity of the vulnerability. The third kind, improving CVSS assessment by considering other factors, does help the assessment in principle, but it involves many uncertain quantities, such as economic factors, whose data are difficult to obtain or difficult to measure; such factors cannot actually be used in the evaluation, so the assessment is inaccurate.
In summary, no existing scheme for improving CVSS assessment satisfies both the accuracy and the objectivity of vulnerability assessment at the same time. Most methods try to improve the accuracy of CVSS assessment, and few consider excluding the interference of human factors so as to improve its objectivity.
Summary of the invention
In view of the above defects or improvement needs of the prior art, the invention provides a comprehensive vulnerability-severity assessment method and system based on the attack process. Its purpose is to assess the vulnerability severity of an attack process comprehensively and so to solve the problem that the participation of human factors makes severity assessment inaccurate.
To achieve the above purpose, according to one aspect of the invention, a comprehensive vulnerability-severity assessment method based on the attack process is provided, comprising an offline training part and an online evaluation part.
The offline training part comprises:
(S1) defining the mapping relations between instrumentation feature sets and instrumentation attributes, and the evaluation rules for the instrumentation attributes;
(S2) collecting instrumentation attributes, obtaining the grade of each instrumentation attribute from its evaluation rule, and then, from the mapping relations between instrumentation feature sets and instrumentation attributes, obtaining the grade of each instrumentation feature set;
(S3) repeating step (S2) for all instrumentation attributes, and training to obtain an attribute processing model.
The online evaluation part comprises:
(T1) collecting the attributes of the attack process, which include instrumentation attributes and monitoring attributes;
(T2) for instrumentation attributes, obtaining the instrumentation feature-set grades of the attack process with the attribute processing model; for monitoring attributes, obtaining the monitoring feature-set grade of the attack process directly from the system;
(T3) performing a comprehensive assessment on the grades of the instrumentation feature sets and the grade of the monitoring feature set to obtain the vulnerability severity of the attack process.
Further, the instrumentation feature sets comprise attack vector, attack complexity, authentication, confidentiality and integrity; the monitoring feature set is availability.
Further, the comprehensive assessment is computed as
P = (m × a1 × a2 × a3 + n × (1 − (1 − a4) × (1 − a5) × (1 − a6)) − k) × f
where P is the vulnerability severity of the attack process, a1 is the grade of the attack vector, a2 the grade of the attack complexity, a3 the grade of authentication, a4 the grade of confidentiality, a5 the grade of integrity and a6 the grade of availability; m is a first preset value, n a second preset value, k a third preset value and f an assessment parameter.
Further, step (S1) is implemented as:
(S11) defining the mapping relation between the AU attributes and the AU feature set: AU = {Op, Sp}, where Op is the path parameter of the system's password file and Sp the path parameter of the vulnerable software's password file; the path parameters of the AU-related attributes are extracted;
(S12) AU attribute evaluation rule: AU has three grades, high, medium and low;
(S13) defining the mapping relation between the AV feature set and the AV attributes: AV = {N, A, L, P}, where N is the remote attack type, A the local-network attack type, L the local attack type and P the physical attack type;
(S14) AV attribute evaluation rule: AV has four grades, remote attack, local-network attack, local attack and physical attack;
(S15) defining the mapping relation between the AC feature set and the AC attributes: AC = {Sc, DSC}, where Sc is the configuration of the vulnerable software and DSC the distinct dangerous system calls;
(S16) AC attribute evaluation rule: AC has three grades, high, medium and low;
(S17) defining the mapping relation between the C feature set and the C attributes: C = {t | t ∈ ({r} ∩ (Fp1 − Fp2)) or t ∈ ({r} ∩ (Up1 − Up2))}, where Fp1, Fp2, Up1 and Up2 are the file permissions of different users, r denotes that the attribute carries read permission, and t denotes a permission held in the attribute;
(S18) C attribute evaluation rule: C has three grades, high, low and none;
(S19) defining the mapping relation between the I feature set and the I attributes: I = {t | t ∈ ({w} ∩ (Fp1 − Fp2)) or t ∈ ({w} ∩ (Up1 − Up2))}, where Fp1, Fp2, Up1 and Up2 are the file permissions of different users, w denotes that the attribute carries write permission, and t denotes a permission held in the attribute;
(S20) I attribute evaluation rule: I has three grades, high, low and none.
According to another aspect of the invention, a comprehensive vulnerability-severity assessment system based on the attack process is provided, comprising an offline training module and an online evaluation module.
The offline training module comprises:
a first training module, for defining the mapping relations between instrumentation feature sets and instrumentation attributes, and the evaluation rules for the instrumentation attributes;
a second training module, for collecting instrumentation attributes, obtaining the grade of each instrumentation attribute from its evaluation rule, and then, from the mapping relations between instrumentation feature sets and instrumentation attributes, obtaining the grade of each instrumentation feature set;
a third training module, for repeating the second training module for all instrumentation attributes and training to obtain the attribute processing model.
The online evaluation module comprises:
a first evaluation module, for collecting the attributes of the attack process, which include instrumentation attributes and monitoring attributes;
a second evaluation module, for obtaining, for the instrumentation attributes, the instrumentation feature-set grades of the attack process with the attribute processing model, and, for the monitoring attributes, the monitoring feature-set grade of the attack process directly from the system;
a third evaluation module, for performing a comprehensive assessment on the grades of the instrumentation feature sets and the grade of the monitoring feature set to obtain the vulnerability severity of the attack process.
Further, the instrumentation feature sets comprise attack vector, attack complexity, authentication, confidentiality and integrity; the monitoring feature set is availability.
Further, the comprehensive assessment is computed as
P = (m × a1 × a2 × a3 + n × (1 − (1 − a4) × (1 − a5) × (1 − a6)) − k) × f
where P is the vulnerability severity of the attack process, a1 is the grade of the attack vector, a2 the grade of the attack complexity, a3 the grade of authentication, a4 the grade of confidentiality, a5 the grade of integrity and a6 the grade of availability; m is a first preset value, n a second preset value, k a third preset value and f an assessment parameter.
Further, the first training module comprises:
an AU mapping module, for defining the mapping relation between the AU attributes and the AU feature set: AU = {Op, Sp}, where Op is the path parameter of the system's password file and Sp the path parameter of the vulnerable software's password file, the path parameters of the AU-related attributes being extracted;
an AU rule module, for the AU attribute evaluation rule: AU has three grades, high, medium and low;
an AV mapping module, for defining the mapping relation between the AV feature set and the AV attributes: AV = {N, A, L, P}, where N is the remote attack type, A the local-network attack type, L the local attack type and P the physical attack type;
an AV rule module, for the AV attribute evaluation rule: AV has four grades, remote attack, local-network attack, local attack and physical attack;
an AC mapping module, for defining the mapping relation between the AC feature set and the AC attributes: AC = {Sc, DSC}, where Sc is the configuration of the vulnerable software and DSC the distinct dangerous system calls;
an AC rule module, for the AC attribute evaluation rule: AC has three grades, high, medium and low;
a C mapping module, for defining the mapping relation between the C feature set and the C attributes: C = {t | t ∈ ({r} ∩ (Fp1 − Fp2)) or t ∈ ({r} ∩ (Up1 − Up2))}, where Fp1, Fp2, Up1 and Up2 are the file permissions of different users, r denotes that the attribute carries read permission, and t denotes a permission held in the attribute;
a C rule module, for the C attribute evaluation rule: C has three grades, high, low and none;
an I mapping module, for defining the mapping relation between the I feature set and the I attributes: I = {t | t ∈ ({w} ∩ (Fp1 − Fp2)) or t ∈ ({w} ∩ (Up1 − Up2))}, where Fp1, Fp2, Up1 and Up2 are the file permissions of different users, w denotes that the attribute carries write permission, and t denotes a permission held in the attribute;
an I rule module, for the I attribute evaluation rule: I has three grades, high, low and none.
In general, compared with the prior art, the technical scheme of the invention has the following beneficial effect. The attribute processing model is trained first; then, during the attack process, the attributes of the attack process are collected; for instrumentation attributes the grades of the instrumentation feature sets are obtained with the attribute processing model; for monitoring attributes the grade of the monitoring feature set is determined automatically; and the comprehensive assessment of the grades of the instrumentation feature sets and of the monitoring feature set gives the vulnerability severity of the attack process. The whole process involves no manual participation, the influence of human factors is excluded, and the resulting vulnerability severity is highly accurate.
Brief description of the drawings
Fig. 1 is a flow chart of a comprehensive vulnerability-severity assessment method based on the attack process;
Fig. 2 is a flow chart of the online evaluation part.
Detailed description of the embodiments
To make the purpose, technical scheme and advantages of the invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only illustrate the invention and do not limit it. In addition, the technical features of the embodiments described below may be combined with one another as long as they do not conflict.
As shown in Fig. 1, a comprehensive vulnerability-severity assessment method based on the attack process comprises an offline training part and an online evaluation part.
The offline training part comprises:
(1) defining the mapping relations between feature sets and attributes, and the evaluation rules of the attributes, to establish the attribute model; this includes:
(1-1) extracting, from the description of the CVSS model, the features of the attack and the features of its influence on the system or software, and dividing these common features into sets. The feature sets are: attack vector (AV), attack complexity (AC), authentication (AU), confidentiality (C), integrity (I) and availability (A). Attack vector (AV), attack complexity (AC), authentication (AU), confidentiality (C) and integrity (I) reflect the instrumentation feature sets of the attack; availability (A) reflects the monitoring feature set of the system or software. Dividing the features into sets is done mainly to characterise the attack behaviour more clearly;
(1-2) defining the mapping relations between feature sets and attributes. Each feature set reflects one feature of the vulnerability; if an attribute is related to a feature set, that attribute can be used to reflect the corresponding feature of the vulnerability. The attributes here are all system calls that can be captured from the attacker or the system during the attack process;
(1-3) defining the evaluation rules of the attributes. To show more intuitively how severely an attribute reflects each feature of the vulnerability, attribute evaluation rules are defined; the attributes are evaluated with these rules and the grade of the feature set is obtained from them. In general a feature set has three grades: high, medium and low.
(2) collecting instrumentation attributes, obtaining the grade of each instrumentation attribute from its evaluation rule, and then, from the mapping relations between instrumentation feature sets and instrumentation attributes, obtaining the grade of each instrumentation feature set.
Specifically, the mapping relation between the AU feature set and the AU attributes is defined as AU = {Op, Sp}, where Op is the path parameter of the system's password file and Sp is the path parameter of the vulnerable software's password file. Op mainly reflects an attacker trying to access the system password file in order to authenticate to the operating system; Sp reflects an attacker accessing the vulnerable software's password file in order to authenticate to that software. The attributes related to AU are write, read, open, chown and fchown. The path parameter of each AU-related attribute is extracted; when it belongs to Op or Sp, the feature set of the attribute is AU.
AU evaluation rule: AU has three grades, high, medium and low. The main concern here is the number of authentications. Among the captured attributes whose extracted path parameter belongs to Op or Sp, if the number of authentications is greater than or equal to 2, the AU grade is high; if it is 1, the AU grade is medium; if it is 0, the AU grade is low.
The mapping relation between the AV feature set and the AV attributes is defined as AV = {N, A, L, P}, where N is the remote attack type, A the local-network attack type, L the local attack type and P the physical attack type. These four reflect the type feature of the attack mode. The attributes related to AV are socket, connect, accept, hub_port_connect_change and usb_probe_interface. The states of the AV-related attributes are extracted, and the attack mode is distinguished from these states.
AV evaluation rule: AV has four grades: remote attack, local-network attack, local attack and physical attack. If the connect attribute is judged successful, the attack can be carried out remotely, so it is judged to be of the remote attack type. If the connect state is unsuccessful, it is checked whether the host address on the server and the local host address belong to the same network segment; if they do, the grade is local-network attack, otherwise local attack. Note that if hub_port_connect_change or usb_probe_interface is captured, the grade is physical attack.
The mapping relation between the AC feature set and the AC attributes is defined as AC = {Sc, DSC}, where Sc is the configuration of the vulnerable software and DSC the distinct dangerous system calls. Sc mainly reflects whether the attacker tries to modify the configuration file of the vulnerable software, which indirectly reflects the complexity of the attack. DSC mainly counts how many distinct dangerous system calls occur during the attack, and the complexity of the attack is judged from this number. The attributes related to AC are: setregid, umount, mkdir, umount2, ioctl, dup, dup2, lock, kill, iopl, clone, modify_ldt, adjtimex, socketcall, open, link, symlink, setresuid, setreuid, setuid, fork, setfsuid, setgroups, setgid, setfsgid, setresgid, chmod. The attributes involved here are mainly dangerous system calls, and the value of DSC is obtained by counting the attributes listed above.
AC evaluation rule: AC has three grades, high, medium and low. If the parameter path extracted from the above attributes is the same as Sc, the grade is judged medium, otherwise low. If the number in DSC is greater than 5 and less than 10, the grade is judged medium; if it is greater than 10, high; if it is less than 5, low.
The mapping relation between the C feature set and the C attributes is defined as C = {t | t ∈ ({r} ∩ (Fp1 − Fp2)) or t ∈ ({r} ∩ (Up1 − Up2))}, where Fp1, Fp2, Up1 and Up2 are the file permissions of different users, r denotes that the attribute carries read permission, and t denotes a permission held in the attribute. The formula expresses that a user who does not have read permission on a file obtains that permission by some means or method, thereby breaching confidentiality. The attributes related to C are chmod, fchmod, chown, fchown, lchown, setresuid, setreuid, setuid and setfsuid, and in addition attributes that involve the important file paths /bin, /boot, /dev, /etc, /lib, /proc, /root, /srv and /sys.
C evaluation rule: C has three grades, high, low and none. If the parameter path extracted from the above attributes is the same as one of the important path attributes above, the grade is judged high. If another file is involved, the grade is judged low. If no related read attribute is changed, the grade is judged none.
The mapping relation between the I feature set and the I attributes is defined as I = {t | t ∈ ({w} ∩ (Fp1 − Fp2)) or t ∈ ({w} ∩ (Up1 − Up2))}, where Fp1, Fp2, Up1 and Up2 are the file permissions of different users, w denotes that the attribute carries write permission, and t denotes a permission held in the attribute. The formula expresses that a user who does not have write permission on a file obtains that permission by some means or method, thereby breaching the integrity of the file. The attributes related to I are chmod, fchmod, chown, fchown, lchown, setresuid, setreuid, setuid and setfsuid, and in addition attributes that involve the important file paths /bin, /boot, /dev, /etc, /lib, /proc, /root, /srv and /sys.
I evaluation rule: I has three grades, high, low and none. If the parameter path extracted from the above attributes is the same as one of the important path attributes above, the grade is judged high. If another file is involved, the grade is judged low. If no related write attribute is changed, the grade is judged none.
The mapping relation between the A feature set and the A attributes is defined as A = {Nu, Mu, Du, Cu}, where Nu is the network utilisation, Mu the memory utilisation, Du the disk utilisation and Cu the CPU utilisation. The influence on the availability feature set A is examined mainly from these four aspects. It is worth noting that the data for these four aspects can currently be obtained for a host or server directly through the relevant system calls, so there is no need to enumerate the related attributes further.
A evaluation rule: A has three grades, high, low and none. If any one of Nu, Mu, Du and Cu exceeds 80% during the attack, the grade is judged high. If any one of Nu, Mu, Du and Cu exceeds 40% during the attack, the grade is judged low. If none of Nu, Mu, Du and Cu exceeds 40% during the attack, the grade is judged none.
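The attribute rules of step (2), carried through in code over a captured system-call trace. This is an added example, not code from the patent or from Huazhong University of Science and Technology. The patent supplies the system-call names, the important paths and the thresholds; the record format of the trace, the Trace container, the sample trace, the treatment of a trace with no connect call as local, the choice of the higher grade when the two AC rules disagree, the handling of DSC exactly at 5 or 10, and the treatment of ownership and identity calls as granting both read and write permission are assumptions made here.

```python
"""Grading a captured attack trace with the patent's attribute rules.
Added example, not code from the patent or from HUST: the patent names the
system calls, paths and thresholds; the record format, the Trace container
and the sample trace are constructed here for illustration."""
import ipaddress
from dataclasses import dataclass

GRADES = ["none", "low", "medium", "high"]      # order used when two rules disagree
AU_SYSCALLS = {"write", "read", "open", "chown", "fchown"}
AV_PHYSICAL = {"hub_port_connect_change", "usb_probe_interface"}
DANGEROUS_SYSCALLS = {  # the DSC list of the AC rule
    "setregid", "umount", "mkdir", "umount2", "ioctl", "dup", "dup2", "lock",
    "kill", "iopl", "clone", "modify_ldt", "adjtimex", "socketcall", "open",
    "link", "symlink", "setresuid", "setreuid", "setuid", "fork", "setfsuid",
    "setgroups", "setgid", "setfsgid", "setresgid", "chmod"}
PERM_SYSCALLS = {"chmod", "fchmod", "chown", "fchown", "lchown",
                 "setresuid", "setreuid", "setuid", "setfsuid"}
IMPORTANT_DIRS = ("/bin", "/boot", "/dev", "/etc", "/lib", "/proc", "/root", "/srv", "/sys")

@dataclass
class Trace:
    syscalls: list        # records {"name", "ok", "path"?, "peer"?, "mode"?}, in order
    os_pw_paths: set      # Op: system password files
    sw_pw_paths: set      # Sp: the vulnerable software's credential files
    sw_config_paths: set  # Sc: the vulnerable software's configuration files
    local_net: str        # CIDR of the victim's network segment
    utilisation: dict     # peak Nu/Mu/Du/Cu during the attack, in percent

def _important(path):
    return any(path == d or path.startswith(d + "/") for d in IMPORTANT_DIRS)

def grade_au(trace):
    """AU: authentications = AU-related calls whose path lies in Op or Sp."""
    pw = trace.os_pw_paths | trace.sw_pw_paths
    n = sum(r["name"] in AU_SYSCALLS and r.get("path") in pw for r in trace.syscalls)
    return "high" if n >= 2 else "medium" if n == 1 else "low"

def grade_av(trace):
    """AV: USB hub/probe event -> P; successful connect -> N; failed connect ->
    A if the peer is on the local segment, else L; no connect -> L (assumption)."""
    if any(r["name"] in AV_PHYSICAL for r in trace.syscalls):
        return "P"
    connects = [r for r in trace.syscalls if r["name"] == "connect"]
    if any(r.get("ok") for r in connects):
        return "N"
    net = ipaddress.ip_network(trace.local_net)
    peer = connects[-1].get("peer") if connects else None
    return "A" if peer and ipaddress.ip_address(peer) in net else "L"

def grade_ac(trace):
    """AC: medium if the configuration file Sc is touched; by dangerous-call count
    DSC: >10 high, >5 medium, else low. The higher of the two is kept (assumption;
    the patent does not say which rule wins, nor what happens at exactly 5 or 10)."""
    dsc = sum(r["name"] in DANGEROUS_SYSCALLS for r in trace.syscalls)
    by_count = "high" if dsc > 10 else "medium" if dsc > 5 else "low"
    touched = any(r.get("path") in trace.sw_config_paths for r in trace.syscalls)
    return max(by_count, "medium" if touched else "low", key=GRADES.index)

def _granted(rec):
    """Permission bits a call hands out: chmod/fchmod from the mode; ownership and
    identity changes are treated as granting read and write (assumption)."""
    if rec["name"] not in PERM_SYSCALLS:
        return set()
    if rec["name"] in ("chmod", "fchmod"):
        mode = rec.get("mode", 0)
        return ({"r"} if mode & 0o444 else set()) | ({"w"} if mode & 0o222 else set())
    return {"r", "w"}

def _grade_perm(trace, bit):
    """C (bit 'r') / I (bit 'w'): high on an important path, low on any other
    file, none when no such permission was granted."""
    grade = "none"
    for r in trace.syscalls:
        if bit in _granted(r):
            hit = "high" if _important(r.get("path", "")) else "low"
            grade = max(grade, hit, key=GRADES.index)
    return grade

def grade_c(trace): return _grade_perm(trace, "r")
def grade_i(trace): return _grade_perm(trace, "w")

def grade_a(trace):
    """A: any of Nu/Mu/Du/Cu above 80% -> high, above 40% -> low, else none."""
    peak = max(trace.utilisation.values())
    return "high" if peak > 80 else "low" if peak > 40 else "none"

def grade_trace(trace):
    return {"AV": grade_av(trace), "AC": grade_ac(trace), "AU": grade_au(trace),
            "C": grade_c(trace), "I": grade_i(trace), "A": grade_a(trace)}

# Constructed sample: remote exploit that reads /etc/shadow twice, opens the app's
# config, escalates, loosens /etc/passwd and pegs the CPU.
SAMPLE_TRACE = Trace(
    syscalls=[{"name": "socket", "ok": True},
              {"name": "connect", "ok": True, "peer": "203.0.113.7"},
              {"name": "open", "path": "/etc/shadow", "ok": True},
              {"name": "read", "path": "/etc/shadow", "ok": True},
              {"name": "open", "path": "/opt/app/conf/app.ini", "ok": True},
              {"name": "setuid", "ok": True}, {"name": "fork", "ok": True},
              {"name": "clone", "ok": True}, {"name": "ioctl", "ok": True},
              {"name": "chmod", "path": "/etc/passwd", "mode": 0o666, "ok": True},
              {"name": "kill", "ok": True}, {"name": "dup2", "ok": True}],
    os_pw_paths={"/etc/passwd", "/etc/shadow"},
    sw_pw_paths={"/opt/app/conf/users.db"},
    sw_config_paths={"/opt/app/conf/app.ini"},
    local_net="10.0.0.0/24",
    utilisation={"Nu": 12, "Mu": 35, "Du": 8, "Cu": 95})

if __name__ == "__main__":
    print(grade_trace(SAMPLE_TRACE))
```

Running the block on the sample trace gives AV = N (successful connect), AC = medium (nine dangerous calls and the configuration file opened), AU = high (two accesses to the system password file), C = I = high (chmod 0666 on a file under /etc) and A = high (CPU at 95%). The grade returned by each rule depends only on the trace, which is the point of the patent: no analyst assigns a value by hand.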
(3) repeating step (2) for all instrumentation attributes, and training to obtain the attribute processing model.
The online evaluation part comprises:
(T1) collecting the attributes of the attack process, which include instrumentation attributes and monitoring attributes;
(T2) for instrumentation attributes, obtaining the instrumentation feature-set grades of the attack process with the attribute processing model; for monitoring attributes, obtaining the monitoring feature-set grade of the attack process directly from the system;
(T3) performing a comprehensive assessment on the grades of the instrumentation feature sets and the grade of the monitoring feature set to obtain the vulnerability severity of the attack process.
Further, the comprehensive assessment is computed as
P = (m × a1 × a2 × a3 + n × (1 − (1 − a4) × (1 − a5) × (1 − a6)) − k) × f
where P is the vulnerability severity of the attack process, a1 is the grade of the attack vector, a2 the grade of the attack complexity, a3 the grade of authentication, a4 the grade of confidentiality, a5 the grade of integrity and a6 the grade of availability; m is a first preset value, n a second preset value, k a third preset value and f an assessment parameter.
Preferably m = 8, n = 6.246 and k = 1.5; f = 0 when 1 − (1 − a4) × (1 − a5) × (1 − a6) = 0, and f = 1.176 when it is not 0. These values coincide with the coefficients of the CVSS v2 base-score equation (0.4 × 20 = 8 on the exploitability product, 0.6 × 10.41 = 6.246 on the impact term, the offset 1.5 and the impact factor 1.176), so with CVSS v2 metric values substituted for the grades the formula yields the CVSS v2 base score.
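The composite equation evaluated with the preferred constants, as an added example that is not the patent's own code. The patent does not assign numeric values to the grades a1 to a6; the weights in the block are an assumption, taken from the CVSS v2 base metrics, which the constants m, n, k and f reproduce exactly (0.4 × 20 = 8, 0.6 × 10.41 = 6.246, 1.5 and 1.176). The physical AV grade has no CVSS v2 counterpart, so its weight is an assumed value below the local one. The function cvss2_base_raw is included only to show that correspondence; the grades in SAMPLE_GRADES are constructed input, not a result from the patent.

```python
"""Composite severity P from the six grades, with the patent's preferred constants.
Added example, not the patent's own code. The patent fixes m = 8, n = 6.246,
k = 1.5 and f = 0 / 1.176 but gives no numeric value per grade; the weights
below are an assumption, taken from the CVSS v2 base metrics, which these
constants reproduce (0.4 * 20 = 8, 0.6 * 10.41 = 6.246, offset 1.5, factor
1.176). The physical AV grade has no CVSS v2 counterpart; its weight is an
assumed value below the local one."""

M, N, K, F_IMPACT = 8.0, 6.246, 1.5, 1.176

AV_W = {"N": 1.0, "A": 0.646, "L": 0.395, "P": 0.2}    # "P" is an assumed weight
AC_W = {"low": 0.71, "medium": 0.61, "high": 0.35}     # more complex -> smaller weight
AU_W = {"low": 0.704, "medium": 0.56, "high": 0.45}    # more authentications -> smaller weight
IMPACT_W = {"none": 0.0, "low": 0.275, "high": 0.660}  # shared by C, I and A

def impact_term(a4, a5, a6):
    """1 - (1 - a4)(1 - a5)(1 - a6): zero only when C, I and A are all none."""
    return 1 - (1 - a4) * (1 - a5) * (1 - a6)

def severity_raw(grades):
    """P = (m*a1*a2*a3 + n*impact - k) * f, unrounded; f switches the score off
    when the attack had no impact on C, I or A."""
    a1, a2, a3 = AV_W[grades["AV"]], AC_W[grades["AC"]], AU_W[grades["AU"]]
    a4, a5, a6 = (IMPACT_W[grades[x]] for x in ("C", "I", "A"))
    imp = impact_term(a4, a5, a6)
    f = 0.0 if imp == 0 else F_IMPACT
    return (M * a1 * a2 * a3 + N * imp - K) * f

def severity(grades):
    """Severity rounded to one decimal, the same convention CVSS uses."""
    return round(severity_raw(grades), 1)

def cvss2_base_raw(av, ac, au, c, i, a):
    """CVSS v2 base equation with the same weights, kept here for comparison."""
    impact = 10.41 * impact_term(c, i, a)
    exploitability = 20 * av * ac * au
    f = 0.0 if impact == 0 else 1.176
    return (0.6 * impact + 0.4 * exploitability - 1.5) * f

# Constructed input: grades as the attribute rules would produce them for a remote
# exploit that loosened /etc/passwd and pegged the CPU, and a no-impact case.
SAMPLE_GRADES = {"AV": "N", "AC": "medium", "AU": "high",
                 "C": "high", "I": "high", "A": "high"}
NO_IMPACT = {"AV": "N", "AC": "low", "AU": "low",
             "C": "none", "I": "none", "A": "none"}

if __name__ == "__main__":
    print(severity(SAMPLE_GRADES), severity(NO_IMPACT))
```

With these weights the sample grades score 7.9 and the no-impact grades score 0.0; the second case shows why f is needed: without it the exploitability product minus k would leave a non-zero score for an attack that changed nothing.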
As shown in Fig. 2 online evaluation part includes:
(1) collecting the attributes of the attack process, which comprise instrumentation attributes and monitoring attributes;
(2) evaluating the attack feature set from the instrumentation attributes. The instrumentation feature set of an attack comprises attack vector (AV), attack complexity (AC), authentication (AU), confidentiality (C) and integrity (I). First, the corresponding attribute-processing method of the attribute processing model is invoked to analyse the AV, AC and AU attributes, yielding a provisional grade for each of AV, AC and AU together with the attribute that produced it. The provisional grade produced by each invocation is compared with the one held so far and the higher grade and its attribute are retained; once all attributes have been processed, the highest provisional grade is taken as the grade of that attack feature and stored in the result set Result. At the same time, the attributes describing modified file permissions are picked out of the instrumentation attributes as the input of the next step;
(3) evaluating the impact feature set from the monitoring attributes and the modified-file-permission attributes. The monitoring feature set consists of availability (A). The modified-file-permission attributes from step (2) are analysed to obtain the confidentiality (C) and integrity (I) grades, while the availability (A) grade is read directly from the monitoring attributes; each of these results is stored in the result set Result;
(4) performing a comprehensive assessment over the grades of attack vector (AV), attack complexity (AC), authentication (AU), confidentiality (C), integrity (I) and availability (A) to obtain the vulnerability severity of the attack process, and storing the result in the result set Result;
(5) finally obtaining two kinds of output: the grade of each feature set, the feature sets being attack vector (AV), attack complexity (AC), authentication (AU), confidentiality (C), integrity (I) and availability (A), and the vulnerability severity of the attack process.
It will be readily appreciated by those skilled in the art that the foregoing merely describes preferred embodiments of the present invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the invention falls within the scope of protection of the present invention.

Claims (8)

1. A comprehensive vulnerability-severity assessment method for an attack process, characterised in that it comprises an off-line training part and an on-line evaluation part,
the off-line training part comprising:
(S1) defining the mapping relation between instrumentation attributes and the instrumentation feature set, and the assessment rules for the instrumentation attributes;
(S2) collecting an instrumentation attribute, obtaining the grade of the instrumentation attribute using its assessment rule, and then obtaining the grade of the instrumentation feature set according to the mapping relation between instrumentation attributes and the instrumentation feature set;
(S3) repeating step (S2) for all instrumentation attributes, so that training yields the attribute processing model;
the on-line evaluation part comprising:
(T1) collecting the attributes of the attack process, which comprise instrumentation attributes and monitoring attributes;
(T2) for the instrumentation attributes, obtaining the instrumentation feature-set grades of the attack process using the attribute processing model; for the monitoring attributes, obtaining the monitoring feature-set grade of the attack process directly from the system;
(T3) performing a comprehensive assessment over the grades of the instrumentation feature set and of the monitoring feature set to obtain the vulnerability severity of the attack process.
2. The comprehensive vulnerability-severity assessment method based on an attack process as claimed in claim 1, characterised in that the instrumentation feature set comprises attack vector (AV), attack complexity (AC), authentication (AU), confidentiality (C) and integrity (I), and the monitoring feature set is availability (A).
3. The comprehensive vulnerability-severity assessment method based on an attack process as claimed in claim 2, characterised in that the comprehensive assessment is implemented as:
P = (m × a1 × a2 × a3 + n × (1 − (1 − a4) × (1 − a5) × (1 − a6)) − k) × f
where P is the vulnerability severity of the attack process, a1 denotes the grade of attack vector, a2 the grade of attack complexity, a3 the grade of authentication, a4 the grade of confidentiality, a5 the grade of integrity and a6 the grade of availability; m is a first preset value, n a second preset value, k a third preset value, and f an assessment parameter.
4. The comprehensive vulnerability-severity assessment method based on an attack process as claimed in claim 2, characterised in that step (S1) is implemented as:
(S11) defining the mapping relation between AU attributes and the AU feature set: AU = {Op, Sp}, where Op denotes the path parameter of the system's password file and Sp denotes the path parameter of the vulnerable software's password file; the path parameters of the AU-related attributes are extracted;
(S12) AU attribute assessment rule: AU is defined in three grades: high, medium and low;
(S13) defining the mapping relation between the AV feature set and AV attributes: AV = {N, A, L, P}, where N denotes a remote attack type, A a local-network attack type, L a local attack type and P a physical attack type;
(S14) AV attribute assessment rule: AV is defined in four grades: remote attack, local-network attack, local attack and physical attack;
(S15) defining the mapping relation between the AC feature set and AC attributes: AC = {Sc, DSC}, where Sc denotes the configuration of the vulnerable software and DSC denotes the distinct dangerous system calls;
(S16) AC attribute assessment rule: AC is defined in three grades: high, medium and low;
(S17) defining the mapping relation between the C feature set and C attributes: C = {t | t ∈ ({r} ∩ (Fp1 − Fp2)) or t ∈ ({r} ∩ (Up1 − Up2))}, where Fp1, Fp2, Up1 and Up2 denote the file permissions of different users, r denotes that the attribute contains a read right, and t denotes a right present in the attribute;
(S18) C attribute assessment rule: C is defined in three grades: high, low and none;
(S19) defining the mapping relation between the I feature set and I attributes: I = {t | t ∈ ({w} ∩ (Fp1 − Fp2)) or t ∈ ({w} ∩ (Up1 − Up2))}, where Fp1, Fp2, Up1 and Up2 denote the file permissions of different users, w denotes that the attribute contains a write right, and t denotes a right present in the attribute;
(S20) I attribute assessment rule: I is defined in three grades: high, low and none.
5. A comprehensive vulnerability-severity assessment system based on an attack process, characterised in that it comprises an off-line training module and an on-line evaluation module,
the off-line training module comprising:
a first training module for defining the mapping relation between the instrumentation feature set and instrumentation attributes, and the assessment rules for the instrumentation attributes;
a second training module for collecting an instrumentation attribute, obtaining the grade of the instrumentation attribute using its assessment rule, and then obtaining the grade of the instrumentation feature set according to the mapping relation between the instrumentation feature set and instrumentation attributes;
a third training module for repeating the second module over all instrumentation attributes, so that training yields the attribute processing model;
the on-line evaluation module comprising:
a first evaluation module for collecting the attributes of the attack process, which comprise instrumentation attributes and monitoring attributes;
a second evaluation module for obtaining, for the instrumentation attributes, the instrumentation feature-set grades of the attack process using the attribute processing model, and, for the monitoring attributes, the monitoring feature-set grade of the attack process directly from the system;
a third evaluation module for performing a comprehensive assessment over the grades of the instrumentation feature set and of the monitoring feature set to obtain the vulnerability severity of the attack process.
6. The comprehensive vulnerability-severity assessment system based on an attack process as claimed in claim 5, characterised in that the instrumentation feature set comprises attack vector (AV), attack complexity (AC), authentication (AU), confidentiality (C) and integrity (I), and the monitoring feature set is availability (A).
7. The comprehensive vulnerability-severity assessment system based on an attack process as claimed in claim 6, characterised in that the comprehensive assessment is implemented as:
P = (m × a1 × a2 × a3 + n × (1 − (1 − a4) × (1 − a5) × (1 − a6)) − k) × f
where P is the vulnerability severity of the attack process, a1 denotes the grade of attack vector, a2 the grade of attack complexity, a3 the grade of authentication, a4 the grade of confidentiality, a5 the grade of integrity and a6 the grade of availability; m is a first preset value, n a second preset value, k a third preset value, and f an assessment parameter.
8. The comprehensive vulnerability-severity assessment system based on an attack process as claimed in claim 6, characterised in that the first training module comprises:
an AU mapping-relation module for defining the mapping relation between AU attributes and the AU feature set: AU = {Op, Sp}, where Op denotes the path parameter of the system's password file and Sp denotes the path parameter of the vulnerable software's password file; the path parameters of the AU-related attributes are extracted;
an AU assessment-rule module for the AU attribute assessment rule: AU is defined in three grades: high, medium and low;
an AV mapping-relation module for defining the mapping relation between the AV feature set and AV attributes: AV = {N, A, L, P}, where N denotes a remote attack type, A a local-network attack type, L a local attack type and P a physical attack type;
an AV assessment-rule module for the AV attribute assessment rule: AV is defined in four grades: remote attack, local-network (LAN) attack, local attack and physical attack;
an AC mapping-relation module for defining the mapping relation between the AC feature set and AC attributes: AC = {Sc, DSC}, where Sc denotes the configuration of the vulnerable software and DSC denotes the distinct dangerous system calls;
an AC assessment-rule module for the AC attribute assessment rule: AC is defined in three grades: high, medium and low;
a C mapping-relation module for defining the mapping relation between the C feature set and C attributes: C = {t | t ∈ ({r} ∩ (Fp1 − Fp2)) or t ∈ ({r} ∩ (Up1 − Up2))}, where Fp1, Fp2, Up1 and Up2 denote the file permissions of different users, r denotes that the attribute contains a read right, and t denotes a right present in the attribute;
a C assessment-rule module for the C attribute assessment rule: C is defined in three grades: high, low and none;
an I mapping-relation module for defining the mapping relation between the I feature set and I attributes: I = {t | t ∈ ({w} ∩ (Fp1 − Fp2)) or t ∈ ({w} ∩ (Up1 − Up2))}, where Fp1, Fp2, Up1 and Up2 denote the file permissions of different users, w denotes that the attribute contains a write right, and t denotes a right present in the attribute;
an I assessment-rule module for the I attribute assessment rule: I is defined in three grades: high, low and none.
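The following is an added worked example, not code from the patent, covering the permission-set mapping of claims 4 and 8 (steps (S17)-(S20)) and the aggregate formula of claims 3 and 7, as also described in steps (3)-(4) of the embodiment above. The numeric encoding of the ordinal grades, the rule that turns set membership into high/low/none, and the constants m, n, k and f are all assumptions, since the patent gives no values for them here.

```python
# Added example (not the patent's own code). Implements the claim-4 mapping
# from file-permission attributes to the confidentiality (C) and integrity (I)
# grades, and the claim-3 aggregate
#   P = (m*a1*a2*a3 + n*(1-(1-a4)*(1-a5)*(1-a6)) - k) * f.
# The grade encodings, the high/low/none rule and m, n, k, f are assumptions.

# Assumed numeric encoding of the ordinal grades named in the claims.
AV = {"remote": 1.0, "adjacent": 0.8, "local": 0.5, "physical": 0.2}
AC = {"low": 1.0, "medium": 0.6, "high": 0.3}   # low complexity = easier attack
AU = {"low": 1.0, "medium": 0.6, "high": 0.3}   # low auth requirement = easier
CIA = {"high": 1.0, "low": 0.5, "none": 0.0}    # shared by C, I and A


def gained(right, fp1, fp2, up1, up2):
    """Claim-4 set {t | t in ({right} ∩ (Fp1-Fp2)) or t in ({right} ∩ (Up1-Up2))},
    summarised as how many of the two permission differences contain `right`."""
    return int(right in (fp1 - fp2)) + int(right in (up1 - up2))


def permission_grade(right, fp1, fp2, up1, up2):
    """Assumed rule: right gained in both differences -> 'high', in one -> 'low',
    in neither -> 'none' (the three grades named in claims 4/8)."""
    return ("none", "low", "high")[gained(right, fp1, fp2, up1, up2)]


def c_and_i_grades(fp1, fp2, up1, up2):
    """C is driven by a gained read right, I by a gained write right."""
    return (permission_grade("r", fp1, fp2, up1, up2),
            permission_grade("w", fp1, fp2, up1, up2))


def severity(av, ac, au, c, i, a, m=6.0, n=4.0, k=1.0, f=1.0):
    """Claim-3 comprehensive assessment; m, n, k, f are placeholder constants."""
    a1, a2, a3 = AV[av], AC[ac], AU[au]
    a4, a5, a6 = CIA[c], CIA[i], CIA[a]
    exploitability = m * a1 * a2 * a3
    impact = n * (1 - (1 - a4) * (1 - a5) * (1 - a6))
    return (exploitability + impact - k) * f


if __name__ == "__main__":
    # Constructed sample: the attack process gained read and write on a file that
    # only the privileged user could previously access, but no new user-level rights.
    fp1, fp2 = {"r", "w", "x"}, {"x"}
    up1, up2 = {"r"}, {"r"}
    c, i = c_and_i_grades(fp1, fp2, up1, up2)          # ('low', 'low')
    print(c, i, severity("remote", "low", "low", c, i, "none"))   # 8.0
```

Note that with k subtracted and no floor applied, a weak exploit with no impact yields a negative P, so a deployment would want to clamp or rescale the result.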
CN201710243627.3A 2017-04-14 2017-04-14 A kind of loophole severity comprehensive estimation method and system based on attack process Active CN107194259B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710243627.3A CN107194259B (en) 2017-04-14 2017-04-14 A kind of loophole severity comprehensive estimation method and system based on attack process

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710243627.3A CN107194259B (en) 2017-04-14 2017-04-14 A kind of loophole severity comprehensive estimation method and system based on attack process

Publications (2)

Publication Number Publication Date
CN107194259A true CN107194259A (en) 2017-09-22
CN107194259B CN107194259B (en) 2019-06-28

Family

ID=59870920
Country Status (1)

Country Link
CN (1) CN107194259B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101950338A (en) * 2010-09-14 2011-01-19 中国科学院研究生院 Bug repair method based on hierarchical bug threat assessment
CN102799822A (en) * 2012-07-11 2012-11-28 中国信息安全测评中心 Software running security measurement and estimation method based on network environment
CN103984900A (en) * 2014-05-19 2014-08-13 南京赛宁信息技术有限公司 Android application vulnerability detection method and Android application vulnerability detection system
CN104933362A (en) * 2015-06-15 2015-09-23 福州大学 Automatic detection method of API (Application Program Interface) misuse-type bug of Android application software
CN105427172A (en) * 2015-12-04 2016-03-23 北京华热科技发展有限公司 Risk assessment method and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
睢辰萌: "Research on a software security evaluation system based on vulnerability analysis", 《中国优秀硕士学位论文全文数据库 信息科技辑》 *
黎学斌: "Information system evaluation based on AHP and CVSS", 《西安邮电大学学报》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110808947A (en) * 2019-05-23 2020-02-18 南瑞集团有限公司 Automatic vulnerability quantitative evaluation method and system
CN110808947B (en) * 2019-05-23 2022-03-04 南瑞集团有限公司 Automatic vulnerability quantitative evaluation method and system
CN110831306A (en) * 2019-12-13 2020-02-21 杭州罗莱迪思照明系统有限公司 Intelligent lighting system and safety design method thereof
CN110831306B (en) * 2019-12-13 2022-05-17 杭州罗莱迪思科技股份有限公司 Intelligent lighting system and safety design method thereof

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant