CN108449345B - Network asset continuous safety monitoring method, system, equipment and storage medium - Google Patents


Info

Publication number: CN108449345B
Authority: CN (China)
Prior art keywords: security, assets, monitoring, dimension, network
Legal status: Active (granted)
Application number: CN201810240298.1A
Other languages: Chinese (zh)
Other versions: CN108449345A (en)
Inventors: 庞思铭, 周欣, 王振兴, 王朋涛
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd; priority to CN201810240298.1A; published as CN108449345A and granted as CN108449345B.

Classifications

All under H04L63/00 (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security):

    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1433 Detecting or protecting against malicious traffic: vulnerability analysis
    • H04L63/1441 Detecting or protecting against malicious traffic: countermeasures against malicious traffic
    • H04L63/205 Managing network security; network security policies in general, involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L63/30 Supporting lawful interception, monitoring or retaining of communications or communication related information

Abstract

The application discloses a method, system, device and storage medium for continuously monitoring the security of network assets. The method comprises: continuously monitoring the shadow assets that are in an exposed state on a target internet platform, and automatically comparing the currently monitored shadow assets with historical shadow assets to obtain the change condition of the shadow assets; and continuously monitoring the security threats present on the target internet platform, and automatically comparing the currently monitored security threats with historical security threats to obtain the change condition of the security threats. The monitoring information obtained in this way is more comprehensive; the acquired shadow assets and security threats are kept dynamically up to date, so the information is timely; and because the change conditions of the shadow assets and of the security threats are determined by automatic comparison and analysis, a user can learn of newly added security risks promptly.

Description

Network asset continuous safety monitoring method, system, equipment and storage medium
Technical Field
The invention relates to the technical field of internet security, and in particular to a method, system, device and storage medium for the continuous security monitoring of network assets.
Background
Currently, as large organizations move their business onto the internet and the complexity of that business keeps growing, the security of internet business faces serious challenges. Many of the internet business security assessment and detection means formed in the early stages of internet development can no longer effectively monitor the security risks of today's internet platforms; that is, these traditional assessment and detection means are ill-suited to the security requirements of the current internet landscape, so many current internet platforms carry elevated security risk.
In summary, how to effectively monitor the security risk of an internet platform is a problem that urgently needs to be solved.
Disclosure of Invention
In view of this, the present invention provides a method, system, device and storage medium for continuously monitoring the security of network assets, which can effectively monitor the security risks of an internet platform. The specific scheme is as follows:
In a first aspect, the invention discloses a method for continuously monitoring the security of network assets, comprising the following steps:
continuously monitoring the shadow assets that are in an exposed state on a target internet platform, and automatically comparing the currently monitored shadow assets with historical shadow assets to obtain the change condition of the shadow assets;
and continuously monitoring the security threats present on the target internet platform, and automatically comparing the currently monitored security threats with historical security threats to obtain the change condition of the security threats.
Optionally, the step of continuously monitoring the exposed shadow assets on the target internet platform includes:
continuously monitoring any one or more of the exposed sub-domain assets, sensitive data assets and network services on the target internet platform.
Optionally, the step of continuously monitoring the exposed sub-domain assets includes:
continuously monitoring the exposed sub-domain assets using search-engine hacking (Google Hacking) queries, and/or DNS zone transfer vulnerabilities, and/or dictionary enumeration of common sub-domain names, and/or the sub-domain lookup functions of public internet management platforms.
Optionally, the step of continuously monitoring the exposed sensitive data assets includes:
continuously monitoring the ICP filing information of the target domain name;
and/or monitoring, using the ICP filing information, the enterprise information of the enterprise that owns the target domain name;
and/or continuously monitoring, using a social-engineering database and search-engine hacking queries combined with the enterprise information obtained from the ICP filing information, the exposed contact information of enterprise staff and/or the source code of enterprise software products on open source code hosting platforms.
Optionally, the step of continuously monitoring the exposed network services includes:
acquiring, by combining a crawler with search-engine hacking queries, a site map that includes orphaned (unlinked) directories;
and/or acquiring the application fingerprint of the website's web application and identifying the type and version of the web application from that fingerprint;
and/or acquiring the website host's IP and operating system fingerprint and identifying the type and version of the operating system from that fingerprint;
and/or continuously monitoring the service ports open on the website's host.
Optionally, the step of continuously monitoring the security threats present on the target internet platform includes:
continuously monitoring any one or more of: vulnerabilities of the hosts and website web applications on the target internet platform, network outage events, website tampering events, web trojans, and sensitive words.
Optionally, the step of continuously monitoring the vulnerabilities of the hosts and website web applications includes:
continuously detecting vulnerabilities of the host and website web application corresponding to the target domain name with a vulnerability detection tool to obtain an initial vulnerability detection result;
and verifying the initial vulnerability detection result with a corresponding vulnerability verification tool to obtain a verified vulnerability detection result.
Optionally, the step of continuously monitoring the vulnerabilities of the hosts and website web applications further includes:
screening all vulnerabilities in the verified vulnerability detection result to determine the highly exploitable vulnerabilities.
Optionally, the method further includes:
determining, among the monitored shadow assets, security threats, change conditions of the shadow assets and change conditions of the security threats, the data that meets preset conditions as security events to be audited;
pushing the security events to be audited to a preset cloud expert access platform;
and, when a corresponding security event auditor logs in to the cloud expert access platform and audits the security event there, pushing the corresponding security event audit result to a preset client.
Optionally, the method further includes:
dynamically maintaining the detection rules used in the shadow asset monitoring process and/or the detection rules used in the security threat monitoring process.
Optionally, the method further includes:
constructing a corresponding network asset topology graph from the monitored shadow assets;
acquiring a target data dimension selected by the user through a preset dimension selection interface, and displaying on the network asset topology graph the data and/or data change conditions corresponding to that dimension;
where the target data dimension is any one of a domain name dimension, a host dimension, a port dimension, a web application type dimension, a host security threat dimension, a web application security threat dimension and a geographic location dimension.
Optionally, the method further includes:
when a user requests to browse the detail information of any site in the network asset topology graph, displaying that site's site map with its orphaned directories marked on the map.
Optionally, the method further includes:
displaying the sensitive data assets among the shadow assets on the network asset topology graph.
Optionally, when the target data dimension is the host security threat dimension or the web application security threat dimension, the step of displaying on the network asset topology graph the data and/or data change conditions corresponding to the target data dimension includes:
acquiring the various security risk data corresponding to the target data dimension;
dynamically adjusting the display priority of each item of security risk data according to the security event weights preconfigured by the back end and the attention priority pre-marked by the client, combined with the industry-average level of each kind of security risk;
displaying the various security risk data on the network asset topology graph in descending order of display priority;
where the security risk data includes: sub-domains created by unauthorized (privately built) sites and their change condition, open ports with a high potential safety hazard and their change condition, enterprise sensitive data assets that may be exposed, the vulnerability information of highly exploitable vulnerabilities and its change condition, and the network outage events, website tampering events, web trojans and sensitive words occurring on the target website.
Optionally, the method further includes:
while displaying the various security risk data, displaying on the network asset topology graph, for comparison, the industry-average value, average repair time and repair suggestion for each kind of security risk.
In a second aspect, the present invention discloses a network asset continuous security monitoring system, comprising:
an exposure-surface monitoring module for continuously monitoring the shadow assets in an exposed state on the target internet platform, and automatically comparing the currently monitored shadow assets with historical shadow assets to obtain the change condition of the shadow assets;
and a security threat monitoring module for continuously monitoring the security threats present on the target internet platform, and automatically comparing the currently monitored security threats with historical security threats to obtain the change condition of the security threats.
Optionally, the monitoring system further includes:
a cloud expert auditing module for determining, among the monitored shadow assets, security threats, change conditions of the shadow assets and change conditions of the security threats, the data that meets preset conditions as security events to be audited; pushing the security events to be audited to a preset cloud expert access platform; and, when a corresponding security event auditor logs in to the cloud expert access platform and audits the security event there, pushing the corresponding security event audit result to a preset client.
Optionally, the monitoring system further includes a security risk integrated management module, which includes:
a network asset topology graph construction sub-module for constructing a corresponding network asset topology graph from the monitored shadow assets;
and a security risk information presentation sub-module for acquiring a target data dimension selected by the user through a preset dimension selection interface, and displaying on the network asset topology graph the data and/or data change conditions corresponding to that dimension;
where the target data dimension is any one of a domain name dimension, a host dimension, a port dimension, a web application type dimension, a host security threat dimension, a web application security threat dimension and a geographic location dimension.
Optionally, when the target data dimension is the host security threat dimension or the web application security threat dimension:
the security risk information presentation sub-module is specifically used for acquiring the various security risk data corresponding to the target data dimension; dynamically adjusting the display priority of each item of security risk data according to the security event weights preconfigured by the back end and the attention priority pre-marked by the client, combined with the industry-average level of each kind of security risk; and displaying the various security risk data on the network asset topology graph in descending order of display priority;
where the security risk data includes: sub-domains created by unauthorized (privately built) sites and their change condition, open ports with a high potential safety hazard and their change condition, enterprise sensitive data assets that may be exposed, the vulnerability information of highly exploitable vulnerabilities and its change condition, and the network outage events, website tampering events, web trojans and sensitive words occurring on the target website.
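As an added illustration (not code from the patent), the display-priority adjustment described for the method above and for the presentation sub-module here can be modelled as follows: each kind of security risk carries a back-end event weight and a client-marked attention priority, is compared with the industry average, and is listed in descending priority with the industry-average value, average repair time and repair suggestion. The scoring formula, risk kinds, weights, baselines and counts are all constructed assumptions.

```python
"""Display-priority ranking of security risk data for the topology view."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskKind:
    name: str
    event_weight: float     # security event weight preconfigured by the back end, 0..1
    attention: int          # attention priority pre-marked by the client, 1 (low) .. 3 (high)


@dataclass(frozen=True)
class IndustryBaseline:
    average_count: float        # industry-average number of findings of this kind
    average_repair_days: float  # industry-average repair time
    repair_suggestion: str


@dataclass(frozen=True)
class RiskDisplay:
    name: str
    priority: float
    count: int
    above_industry_average: bool
    average_count: float
    average_repair_days: float
    repair_suggestion: str


def priority_score(count: int, kind: RiskKind, baseline: IndustryBaseline) -> float:
    """Assumed formula: weight x attention x (1 + ratio of current findings to the
    industry average). A kind with no findings keeps its base weight x attention."""
    if baseline.average_count > 0:
        ratio = count / baseline.average_count
    else:
        ratio = float(count)   # no baseline available: every finding counts fully
    return round(kind.event_weight * kind.attention * (1.0 + ratio), 3)


def rank_risks(counts: dict, kinds: dict, baselines: dict) -> list:
    """Return RiskDisplay rows in descending display priority (ties broken by name)."""
    rows = []
    for name, kind in kinds.items():
        base = baselines[name]
        count = counts.get(name, 0)   # kinds with no current findings still appear
        rows.append(RiskDisplay(
            name=name,
            priority=priority_score(count, kind, base),
            count=count,
            above_industry_average=count > base.average_count,
            average_count=base.average_count,
            average_repair_days=base.average_repair_days,
            repair_suggestion=base.repair_suggestion,
        ))
    return sorted(rows, key=lambda r: (-r.priority, r.name))


def sample_inputs():
    """Constructed sample configuration and current monitoring counts."""
    kinds = {
        "website tampering": RiskKind("website tampering", 1.0, 3),
        "high-risk port": RiskKind("high-risk port", 0.8, 3),
        "exploitable vulnerability": RiskKind("exploitable vulnerability", 1.0, 2),
        "sensitive words": RiskKind("sensitive words", 0.3, 1),
    }
    baselines = {
        "website tampering": IndustryBaseline(0.2, 1.0, "restore from a clean backup and rotate credentials"),
        "high-risk port": IndustryBaseline(1.0, 3.0, "close the port or restrict it to the management network"),
        "exploitable vulnerability": IndustryBaseline(4.0, 14.0, "apply the vendor patch and verify by rescan"),
        "sensitive words": IndustryBaseline(0.5, 2.0, "review and remove the flagged content"),
    }
    counts = {"website tampering": 1, "high-risk port": 2, "exploitable vulnerability": 3}
    return counts, kinds, baselines


if __name__ == "__main__":
    for row in rank_risks(*sample_inputs()):
        flag = "above" if row.above_industry_average else "at or below"
        print(f"{row.priority:6.2f}  {row.name}: {row.count} ({flag} industry avg {row.average_count}); "
              f"avg repair {row.average_repair_days} days; {row.repair_suggestion}")
```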
In a third aspect, the invention discloses a network asset continuous security monitoring device comprising a processor and a memory, where the processor, when executing the computer program stored in the memory, implements the network asset continuous security monitoring method disclosed above.
In a fourth aspect, the present invention discloses a computer-readable storage medium storing a computer program which, when executed by a processor, implements the network asset continuous security monitoring method disclosed above.
Thus, because both the exposed shadow assets of the internet platform and the security threats present on it are monitored, the exposure surface and the security threats of the platform's assets can both be determined, and the monitoring information obtained is more comprehensive. Because the monitoring of shadow assets and of security threats is carried out continuously, the acquired shadow assets and security threats are kept dynamically up to date and the monitored information is timely. Further, the invention determines the change condition of the shadow assets and of the security threats by automatic comparison and analysis, so that a user can learn of newly added security risks promptly and take corresponding countermeasures in time. In conclusion, the invention can effectively monitor the security risk of an internet platform.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flow chart of a method for continuous security monitoring of network assets, in accordance with the present disclosure;
FIG. 2 is a schematic diagram of an exemplary sensitive data exposure monitoring process;
FIG. 3 is a sub-flow diagram of a particular method for continuous security monitoring of network assets, in accordance with the present disclosure;
FIG. 4 is a diagram of a specific security event collection result;
FIG. 5 is a sub-flow diagram of a particular method for continuous security monitoring of network assets, in accordance with the present disclosure;
FIG. 6 is a topology diagram presented in sub-domain dimensions;
FIG. 7 is a topology diagram shown in IP and geographic location dimensions;
FIG. 8 is a sub-flow diagram of a particular method for continuous security monitoring of network assets, in accordance with the present disclosure;
FIG. 9 is a schematic diagram of a network asset continuous security monitoring system according to the present invention;
FIG. 10 is a schematic structural diagram of a specific network asset continuous security monitoring system disclosed in the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings of those embodiments; obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
An embodiment of the invention discloses a network asset continuous security monitoring method which, as shown in FIG. 1, comprises the following steps:
Step S11: continuously monitoring the shadow assets in an exposed state on the target internet platform, and automatically comparing the currently monitored shadow assets with historical shadow assets to obtain the change condition of the shadow assets.
It should be understood that in this embodiment continuous monitoring may mean either monitoring continuously in real time or monitoring periodically according to a preset time period.
It should be noted that a shadow asset in this embodiment, that is, Shadow IT, is an asset that sits outside the planned IT facilities, or outside IT management, control and security auditing, in the IT build-out of an enterprise or organization; it includes, but is not limited to, sub-domain assets, sensitive data assets and network services. Accordingly, in step S11 the step of continuously monitoring the exposed shadow assets on the target internet platform includes: continuously monitoring any one or more of the exposed sub-domain assets, sensitive data assets and network services on the target internet platform.
In this embodiment, the step of continuously monitoring the exposed sub-domain assets may specifically include: continuously monitoring the exposed sub-domain assets using search-engine hacking (Google Hacking) queries, and/or Domain Name System (DNS) zone transfer vulnerabilities, and/or dictionary enumeration of common sub-domain names, and/or the sub-domain lookup functions of public internet management platforms.
In addition, when the exposed sub-domain assets are continuously monitored in this embodiment, it may specifically be the exposed sub-domain assets corresponding to a target domain name that are monitored. The target domain name may be a domain name submitted by a user through a preset domain name submission interface, or a domain name that needs special attention and is selected automatically by the back-end system according to actual needs. It will be understood that after a domain name submitted through the domain name submission interface is acquired, the user's ownership of that domain name must be verified, and only after verification is the subsequent continuous monitoring of its sub-domain assets allowed to be deployed.
In this embodiment, each time the monitoring of the exposed sub-domain assets corresponding to the target domain name completes, the multi-level sub-domain assets under the monitored sub-domains can be found by recursive search.
In this embodiment, the step of continuously monitoring the exposed sensitive data assets may specifically include: continuously monitoring the ICP (Internet Content Provider) filing information of the target domain name; and/or monitoring, using the ICP filing information, the enterprise information of the enterprise that owns the target domain name; and/or continuously monitoring, using a social-engineering database and search-engine hacking queries combined with the enterprise information obtained from the ICP filing information, the exposed contact information of enterprise staff and/or the source code of enterprise software products on open source code hosting platforms. FIG. 2 shows a specific sensitive data exposure surface monitoring process that uses the ICP filing information of the target domain name, a social-engineering database and Google Hacking queries.
The enterprise information monitored from the ICP filing information may specifically include, but is not limited to, the enterprise's other domain names besides the target domain name, the name of the enterprise's principal, the enterprise name, and so on. The target domain name may specifically include any one or more of: a domain name submitted by a user through the preset domain name submission interface, a domain name automatically selected by the back-end system according to actual needs as requiring special attention, and a domain name obtained while continuously monitoring the exposed sub-domain assets. Additionally, the open source code hosting platforms include, but are not limited to, the GitHub platform.
In this embodiment, the step of continuously monitoring the exposed network services may specifically include: acquiring, by combining a crawler with search-engine hacking queries, a site map that includes orphaned (unlinked) directories; and/or acquiring the application fingerprint of the website's web application and identifying the type and version of the web application from that fingerprint; and/or acquiring the website host's IP and operating system fingerprint and identifying the type and version of the operating system from that fingerprint; and/or continuously monitoring the service ports open on the website's host.
That is, in this embodiment, continuously monitoring the exposed network services may specifically include monitoring a site map that includes orphaned directories, monitoring the type and version of the website's web application, monitoring the type and version of the operating system, and monitoring the open service ports of every host, or of any particular host, of the website.
Monitoring a site map that includes orphaned directories means capturing the website's page-resource topology with a crawler, attempting to find the website's orphaned pages through search-engine hacking queries combined with an industry dictionary, and thereby obtaining a relatively more complete site map from the combination of the two. The reason is that a crawler alone, capturing the page logic topology, only finds pages that are reachable through link relationships at the various levels of the site; other web services deployed on the same host as the site may live in other directories that the crawler never reaches.
In addition, monitoring the type and version of the website's web application may specifically include acquiring the application fingerprint of the web application and identifying its type and version from that fingerprint. The application fingerprint of the website's web application may specifically include, but is not limited to, website copyright notice keywords, HTML head tag keywords, hash values of specific files, JavaScript (JS) or CSS (Cascading Style Sheets) files or code with specified names under specified paths, specific URL (Uniform Resource Locator) keywords, and the tag values of specific URLs.
Secondly, monitoring the type and version of the operating system may specifically include acquiring the website host's IP and operating system fingerprint and identifying the type and version of the operating system from that fingerprint. The fingerprint of the website host's IP and operating system includes, but is not limited to, the TTL (Time To Live) distance for TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), the TCP handshake fingerprint, the ICMP (Internet Control Message Protocol) echo fingerprint, the ICMP timestamp fingerprint and the SMB (Server Message Block) fingerprint.
In this embodiment, when continuously monitoring the exposed network services, it may specifically be the network services of the target domain name that are open on the public network that are monitored. The target domain name may specifically include any one or more of: a domain name submitted by a user through the preset domain name submission interface, a domain name automatically selected by the back-end system according to actual needs as requiring special attention, and a domain name obtained while continuously monitoring the exposed sub-domain assets.
In step S11, after the currently exposed shadow assets have been monitored and the corresponding shadow assets obtained, those shadow assets are automatically compared with the historical shadow assets to obtain the change condition of the shadow assets. For example, when the monitored shadow assets include sub-domain assets, sensitive data assets and network services, the change condition of the shadow assets may specifically include the change condition of the sub-domain assets, of the sensitive data assets and of the network services. More specifically, when the monitored network services include the type and version of the website's web application and the service ports open on the website's host, the change condition of the network services may specifically include the change condition of the web application type and version and the change condition of the service ports. By acquiring the change condition of the shadow assets, this embodiment makes that change condition easy to grasp at a glance, and whether a higher-level security risk exists on the current internet platform can be determined quickly from it. For example, when a change of service ports shows that a high-risk port has suddenly been opened, it may be determined that a higher security risk exists on the corresponding host, and a corresponding alarm may be raised.
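As an added example (not the patent's own code), the following models the automatic comparison of step S11: two snapshots of monitored shadow assets are diffed to produce the change condition of sub-domains, open ports, web application versions and exposed sensitive data, and a newly opened high-risk port raises an alarm. The data structures, host names, addresses, port numbers and the high-risk port set are constructed assumptions.

```python
"""Change detection between two monitoring runs of exposed shadow assets."""
from dataclasses import dataclass, field

# Ports treated as a "high potential safety hazard" when newly opened
# (assumed set for this example: Telnet, SMB, RDP, Redis).
HIGH_RISK_PORTS = {23, 445, 3389, 6379}


@dataclass(frozen=True)
class HostSnapshot:
    ip: str
    ports: frozenset        # service ports found open on the host
    web_apps: dict          # web application type -> version string


@dataclass(frozen=True)
class AssetSnapshot:
    subdomains: dict            # sub-domain -> HostSnapshot it resolves to
    sensitive_data: frozenset   # labels of sensitive data items found exposed


@dataclass
class ChangeReport:
    new_subdomains: list = field(default_factory=list)
    removed_subdomains: list = field(default_factory=list)
    new_ports: list = field(default_factory=list)       # (subdomain, port)
    closed_ports: list = field(default_factory=list)    # (subdomain, port)
    webapp_changes: list = field(default_factory=list)  # (subdomain, app, old, new)
    new_sensitive_data: list = field(default_factory=list)
    alarms: list = field(default_factory=list)


def _record_new_port(report: ChangeReport, name: str, ip: str, port: int) -> None:
    report.new_ports.append((name, port))
    if port in HIGH_RISK_PORTS:
        report.alarms.append(f"high-risk port {port} newly open on {name} ({ip})")


def compare_snapshots(previous: AssetSnapshot, current: AssetSnapshot) -> ChangeReport:
    """Derive the change condition of the shadow assets between two runs."""
    report = ChangeReport()
    prev_names, cur_names = set(previous.subdomains), set(current.subdomains)
    report.new_subdomains = sorted(cur_names - prev_names)
    report.removed_subdomains = sorted(prev_names - cur_names)

    # Hosts seen in both runs: diff open ports and web application versions.
    for name in sorted(cur_names & prev_names):
        old, new = previous.subdomains[name], current.subdomains[name]
        for port in sorted(new.ports - old.ports):
            _record_new_port(report, name, new.ip, port)
        for port in sorted(old.ports - new.ports):
            report.closed_ports.append((name, port))
        for app, version in new.web_apps.items():
            if old.web_apps.get(app) != version:
                report.webapp_changes.append((name, app, old.web_apps.get(app), version))

    # Brand-new sub-domains: the exposure itself is alarmed and every open port is new.
    for name in report.new_subdomains:
        host = current.subdomains[name]
        report.alarms.append(f"new sub-domain exposed: {name} ({host.ip})")
        for port in sorted(host.ports):
            _record_new_port(report, name, host.ip, port)

    report.new_sensitive_data = sorted(current.sensitive_data - previous.sensitive_data)
    for item in report.new_sensitive_data:
        report.alarms.append(f"sensitive data newly exposed: {item}")
    return report


def sample_snapshots():
    """Constructed sample data for two consecutive monitoring runs."""
    previous = AssetSnapshot(
        subdomains={
            "www.example.test": HostSnapshot("192.0.2.10", frozenset({80, 443}), {"nginx": "1.18.0"}),
            "mail.example.test": HostSnapshot("192.0.2.11", frozenset({25, 443}), {}),
        },
        sensitive_data=frozenset({"icp-filing:contact-email"}),
    )
    current = AssetSnapshot(
        subdomains={
            "www.example.test": HostSnapshot("192.0.2.10", frozenset({80, 443, 6379}), {"nginx": "1.20.1"}),
            "dev.example.test": HostSnapshot("192.0.2.12", frozenset({22, 8080}), {"tomcat": "9.0.0"}),
        },
        sensitive_data=frozenset({"icp-filing:contact-email", "github:repo-with-config"}),
    )
    return previous, current


if __name__ == "__main__":
    for line in compare_snapshots(*sample_snapshots()).alarms:
        print(line)
```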
Step S12: continuously monitoring the security threats existing in the target internet platform, and automatically comparing and analyzing the currently monitored security threats with the historical security threats to obtain the change condition of the security threats.
In this embodiment, the step of continuously monitoring the security threats existing in the target internet platform may specifically include continuously monitoring any one or more of the following for the hosts and website web applications in the target internet platform: vulnerabilities, network disconnection events, website tampering events, web horses (web-page trojans) and sensitive words.
The step of continuously monitoring the vulnerabilities of the hosts and website web applications may specifically include: continuously detecting the vulnerabilities of the hosts and website web applications corresponding to the target domain name with a vulnerability detection tool to obtain an initial vulnerability detection result; and verifying the initial vulnerability detection result with a corresponding vulnerability verification tool to obtain a verified vulnerability detection result. The verification step effectively reduces the false-positive rate of the vulnerability detection result.
In this embodiment, different types of vulnerabilities are detected by different vulnerability detection tools to obtain the initial vulnerability detection result. When the initial result is verified, the vulnerability verification tool may be chosen according to the fingerprint of the corresponding website web application or host operating system.
Further, so that the user can discover the vulnerabilities with the higher hazard level in the verified detection result as early as possible and deal with them preferentially, the process of continuously monitoring the vulnerabilities of the hosts and website web applications in this embodiment may further include: screening all vulnerabilities in the verified vulnerability detection result to determine the highly available vulnerabilities.
It should be noted that a highly available vulnerability in this embodiment specifically refers to a 0day or Nday vulnerability that poses a large risk and for which exploit code has already been disclosed, or for which a targeted attack tool that is very easy to use can be found on the internet.
In step S12, in addition to continuously monitoring the security threats existing in the target internet platform, the change condition of the security threats is obtained by automatically comparing and analyzing the currently monitored security threats with the historical security threats; this includes, for example, the change condition of security vulnerabilities, and especially the real-time increase in the number of highly available vulnerabilities.
Therefore, the embodiment of the invention monitors not only the shadow assets in an exposed state in the internet platform but also the security threats existing on it, so that both the asset exposure surface and the security threats of the internet platform are determined and the monitoring information obtained is more comprehensive. In addition, the monitoring of shadow assets and the monitoring of security threats are carried out continuously, so that the shadow assets and security threats obtained are dynamically updated in real time and the timeliness of the monitored information is ensured. Furthermore, the embodiment determines the change condition of the shadow assets and the change condition of the security threats by automatic comparison and analysis, so that the user can learn of newly added security risks in time and take corresponding countermeasures promptly. In conclusion, the embodiment of the invention can effectively monitor the security risk of the internet platform.
On the basis of the foregoing embodiment, the embodiment of the present invention discloses a specific method for continuously monitoring the security of network assets, which, as shown in fig. 3, further includes:
Step S21: determining the data that meet a preset condition among the monitored shadow assets, security threats, change condition of the shadow assets and change condition of the security threats as security events to be audited.
Specifically, in this embodiment, the shadow assets, security threats, change condition of the shadow assets and change condition of the security threats obtained in the foregoing embodiments are collected, and the data among all the collected data that meet a preset condition are determined as security events to be audited. Fig. 4 shows a specific security event collection result, which includes information such as the domain name, service name, IP address, operator, geographic location, high-risk port services, number of available vulnerabilities and number of high-risk vulnerabilities.
In this embodiment, the data meeting the preset condition may specifically be data meeting a data selection rule configured in advance by an administrator. For example, if the administrator's data selection rule specifies that only the change condition of security threats is selected, step S21 consists of determining the data corresponding to the change condition of the security threats as the security events to be audited. For another example, if the rule specifies that only highly available vulnerabilities that have not been automatically confirmed, and their change condition, are selected, step S21 consists of determining those unconfirmed highly available vulnerabilities and their change condition as the security events to be audited. For yet another example, if the rule specifies that only legally authorized data are selected, step S21 consists of determining the legally authorized data among the monitored shadow assets, security threats, change condition of the shadow assets and change condition of the security threats as the security events to be audited, for example determining a legally authorized website tampering event as a security event to be audited.
Of course, the data meeting the preset condition may also be data meeting a data selection rule preset by default in the background system.
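The selection of security events to be audited in step S21, as an added example (not the patent's code): the record layout, the rule vocabulary and the sample records are constructed assumptions, and the three rules mirror the three administrator-configured selection rules given above.

```python
"""Step S21: selecting which monitored data become security events to be audited.

Added illustration, not the patent's code. The record layout, the rule
vocabulary and the sample records are constructed assumptions; the three
rules correspond to the three data selection rules described in the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MonitoredItem:
    """One record collected from the shadow-asset and security-threat monitors."""
    kind: str              # "shadow_asset", "shadow_asset_change",
                           # "security_threat" or "security_threat_change"
    category: str          # e.g. "highly_available_vuln", "website_tampering", "port"
    site: str
    authorized: bool       # site is covered by a verified customer authorization
    auto_confirmed: bool   # already confirmed automatically, no auditor needed


# Rule vocabulary: each rule is a predicate over a MonitoredItem. The
# administrator's configuration is a list of rule names that are AND-ed.
RULES = {
    "security_threat_changes_only": lambda it: it.kind == "security_threat_change",
    "unconfirmed_highly_available_vulns_only": lambda it: (
        it.category == "highly_available_vuln" and not it.auto_confirmed
    ),
    "authorized_only": lambda it: it.authorized,
}


def select_events_to_audit(items, configured_rule_names):
    """Return the items that satisfy every configured rule, in input order.

    With no rules configured, the background default applies: nothing is
    filtered, so every collected item becomes a security event to be audited.
    An unknown rule name raises KeyError so a misconfiguration is not silently
    treated as "select everything".
    """
    predicates = [RULES[name] for name in configured_rule_names]
    return [it for it in items if all(p(it) for p in predicates)]


# Constructed sample of one monitoring round.
ITEMS = [
    MonitoredItem("security_threat", "highly_available_vuln", "www.example.com", True, False),
    MonitoredItem("security_threat", "highly_available_vuln", "shop.example.com", True, True),
    MonitoredItem("security_threat_change", "highly_available_vuln", "api.example.com", True, False),
    MonitoredItem("security_threat", "website_tampering", "blog.example.com", True, False),
    MonitoredItem("security_threat", "website_tampering", "old.example.net", False, False),
    MonitoredItem("shadow_asset_change", "port", "dev.example.com", True, True),
]

if __name__ == "__main__":
    chosen = select_events_to_audit(
        ITEMS, ["authorized_only", "unconfirmed_highly_available_vulns_only"]
    )
    for it in chosen:
        print("to audit:", it.site, it.category)
```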
Step S22: pushing the security event to be audited to a preset cloud expert access platform.
In this embodiment, to remind the security event auditor to log in to the cloud expert access platform in time and audit the security event to be audited, corresponding audit prompt information may be generated when the security event is pushed to the cloud expert access platform and sent to a preset prompt information receiving module on the auditor's terminal device, so that the auditor can view the prompt there. The preset prompt information receiving module includes, but is not limited to, an independent client program, a personal mailbox system, a mobile phone SMS receiving module, and the official account of the monitoring platform within instant messaging software.
Step S23: when the corresponding security event auditor logs in to the cloud expert access platform and audits the security event to be audited there, pushing the corresponding security event audit result to a preset client.
For example, if the security event to be audited is a legally authorized website tampering event, the security event auditor, after logging in to the cloud expert access platform, can audit that event, generate a corresponding security event audit result, and push the result to the client of the corresponding website customer.
In addition, the method in this embodiment may further include generating a change trend of the website customer's security data from the security events to be audited that relate to that customer and have been collected in the cloud expert access platform, and storing the change trend on the platform. After logging in to the cloud expert access platform, the security event auditor can view the change trend of the customer's security data. Furthermore, the auditor can communicate online with the website customer through an online communication interface preset in the cloud expert access platform, and so provide customized improvement suggestions for the customer's website based on the change trend.
Further, the method for continuously monitoring the security of network assets in this embodiment may further include: dynamically maintaining the detection rules corresponding to the shadow asset monitoring process and/or the detection rules corresponding to the security threat monitoring process.
In this embodiment, the detection rules may be maintained dynamically by manual maintenance: a rule management interface is provided to the administrator in advance, through which the administrator dynamically maintains the detection rules corresponding to the shadow asset monitoring process and/or the security threat monitoring process, so that the detection rules of the entire platform stay up to date.
On the basis of the foregoing embodiment, the embodiment of the present invention discloses a specific method for continuously monitoring the security of network assets, which, as shown in fig. 5, further includes:
Step S31: constructing a corresponding network asset topological graph according to the monitored shadow assets.
Specifically, in this embodiment, a logical relationship graph of the website's sub-domains is generated from the monitored sub-domain assets in the exposed state. Then, from the monitored network services in the exposed state, and based on the sub-domain prefixes and the website homepage titles, the type of service each sub-domain probably carries (such as the official website, a mailbox service, an OA (Office Automation) system or a CRM (Customer Relationship Management) system) is determined automatically, forming an enterprise public network service topological graph in which the host topological graph corresponding to each sub-domain can be displayed. In this embodiment, the host topological graph can show, for each host and according to actual needs, the IP address, geographic location, type of running web service, change condition of the web service, open service ports, newly added or changed port information that carries potential risk and its change condition, and summary data of the various security threats approved by the security event auditor.
Step S32: acquiring the target data dimension selected by the user through a preset dimension selection interface, and displaying the data and/or data change condition corresponding to the target data dimension on the network asset topological graph;
the target data dimension is any one of a domain name dimension, a host dimension, a port dimension, a web application type dimension, a host security threat dimension, a web application security threat dimension and a geographic position dimension.
For example, in this embodiment, when the geographical location dimension selected by the user through the preset dimension selection interface is acquired, the network asset on the network asset topological graph may be automatically map-projected on the electronic map according to the geographical location of the network asset, so that the user may conveniently and clearly see the geographical location distribution of the network asset.
Fig. 6 is a topological graph presented in the sub-domain dimension. In fig. 6, different domain names that redirect to the same web application are connected by dotted arrows to express the pointing relationship; for example, m.example points to m.example.com, and example.com.cn and example.cn point to example.com. A lower-level sub-domain name points to its upper-level domain name with a solid arrow. The main domain name, the secondary sub-domain names, the tertiary sub-domain names and so on are drawn in different sizes. Sub-domain names unfold in a petal shape around their upper-level domain name (the user can click to fold them). Sub-domain names carrying high risk are marked in a conspicuous color (for example red), such as example.com in fig. 6; sub-domain names whose assets are found to suddenly increase or change during monitoring are marked in another particular color (for example yellow); domain names without a valid web service are given a special color (for example grey), such as v.example, tv.example and example-inc.com in fig. 6; and domain names without high risk are given a relatively inconspicuous color (for example white). The user can configure how much key information is displayed for each sub-domain on the topological graph. By default, only the topological relation of the sub-domain names is shown while the mouse is not hovering, with the degree of risk indicated by color, and key information together with a summary of the key risks is shown when the mouse hovers over a specific domain name. As shown in fig. 6, when the mouse hovers over the m.example.com domain name, the information shown includes the service name, IP information, operator, geographic location, number of available vulnerabilities, number of high-risk vulnerabilities, high-risk ports, and the like; the user can also configure more dimensions of information to be displayed while the mouse is not hovering. When the user clicks a specific sub-domain asset, a risk detail page opens showing a detailed website map, in which the directories containing isolated chain (orphan link) pages are displayed, and the asset's risks to be repaired are listed by repair priority. The risks to be repaired include available high-risk vulnerabilities, high-risk ports or services, sensitive information that may be exposed, high-risk vulnerabilities, tampering or network disconnection, and the like (this listing order does not represent the repair priority, which is determined by several factors such as the importance weight marked by the customer, the industry average of each risk, and the current risk score).
Fig. 7 is a topological graph shown in the IP and geographic location dimensions. In fig. 7, the sub-domains hosted on the same IP unfold in a petal shape around that IP (the user can click to fold them), which shows the physical relationship between several services on the same host and highlights the hosts at risk. The user can configure how much key information is displayed for each sub-domain on the topological graph. Sub-domain names or hosts whose assets are found to suddenly increase or change during monitoring are also marked in a particular color. In the topological graph, a host that carries several sub-domain services and high risk is drawn in a more striking color and size, so that the customer perceives its higher threat priority. When the user clicks a specific sub-domain asset, the detailed website map and the risk details can be seen, and the asset's risks to be repaired are displayed by repair priority.
Further, the monitoring method in this embodiment may further include: when a browsing request initiated by the user for the detail information of any site in the network asset topological graph is received, displaying the website map of that site and marking the isolated chain (orphan link) directories on the website map.
In addition, the monitoring method in this embodiment may further include: and showing the sensitive data assets in the shadow assets on the network asset topological graph. For example, the exposed contact information of the enterprise employee and/or the path of the source code of the enterprise software product on the open source code hosting platform can be shown on the network asset topology map.
In this embodiment, referring to fig. 8, when the target data dimension is the host security threat dimension or the web application security threat dimension, the step of displaying the data and/or data change condition corresponding to the target data dimension on the network asset topological graph may specifically include:
Step S41: acquiring multiple kinds of security risk data corresponding to the target data dimension;
Step S42: dynamically adjusting the display priority of each kind of security risk data according to the security event weight pre-configured in the background and the attention priority pre-marked by the customer, combined with the industry average of each kind of security risk;
Step S43: displaying the multiple kinds of security risk data on the network asset topological graph in descending order of display priority;
wherein the multiple kinds of security risk data include, but are not limited to: sub-domain names created by privately set-up sites and their change condition, ports with high potential security hazards and their change condition, enterprise sensitive data assets that may be exposed, the vulnerability information of highly available vulnerabilities and its change condition, network disconnection events occurring at the target website, website tampering events, web horses and sensitive words.
In addition, the monitoring method in this embodiment may further include: while displaying the multiple kinds of security risk data, showing the industry average, the average repair time and the repair suggestion of each kind of security risk on the network asset topological graph for comparison.
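Steps S42 and S43 above, as an added example (not the patent's code): the patent only names the three inputs (background event weight, customer attention priority and industry average), so the combination formula below, its constants and the sample records are assumptions.

```python
"""Display priority of security-risk data (steps S42-S43).

Added illustration, not the patent's code. The patent states that the
priority is adjusted from a background-configured event weight, a
customer-marked attention priority and the industry average of each risk;
the exact combination used here (weight x attention x industry-deviation
factor) is an assumption, as are the sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskData:
    category: str        # e.g. "highly_available_vuln", "high_risk_port"
    site: str
    count: int           # how many items of this risk the site currently has


# Background-configured security event weights (assumed values, 0..1).
EVENT_WEIGHT = {
    "highly_available_vuln": 1.0,
    "website_tampering": 0.9,
    "high_risk_port": 0.7,
    "exposed_sensitive_data": 0.6,
    "private_subdomain": 0.4,
    "sensitive_word": 0.3,
}

# Industry average count per site for each kind of risk (assumed values).
INDUSTRY_AVERAGE = {
    "highly_available_vuln": 0.5,
    "website_tampering": 0.1,
    "high_risk_port": 2.0,
    "exposed_sensitive_data": 1.0,
    "private_subdomain": 3.0,
    "sensitive_word": 0.5,
}


def display_priority(risk, attention_priority, weights=EVENT_WEIGHT, averages=INDUSTRY_AVERAGE):
    """Score one risk record; a higher score is displayed earlier.

    attention_priority is the customer's mark for the site (1 = low .. 3 = high).
    The industry factor is above 1 when the site is worse than the industry
    average and below 1 when it is better, so a risk that is merely "normal
    for the industry" is not shown above a genuinely unusual one.
    """
    weight = weights.get(risk.category, 0.5)      # unknown category: middle weight
    average = averages.get(risk.category, 1.0)
    industry_factor = (risk.count + 1.0) / (average + 1.0)
    return round(weight * attention_priority * industry_factor, 3)


def order_for_display(risks, attention):
    """Return (priority, risk) pairs sorted by descending display priority.

    attention maps site -> attention priority; unmarked sites default to 1.
    Ties are broken by site and category so the order is deterministic.
    """
    scored = [(display_priority(r, attention.get(r.site, 1)), r) for r in risks]
    scored.sort(key=lambda sr: (-sr[0], sr[1].site, sr[1].category))
    return scored


# Constructed sample: four risk records for three sites of one customer.
RISKS = [
    RiskData("high_risk_port", "www.example.com", 2),        # exactly the industry average
    RiskData("highly_available_vuln", "www.example.com", 1),
    RiskData("website_tampering", "blog.example.com", 1),
    RiskData("private_subdomain", "dev.example.com", 6),     # twice the industry average
]
ATTENTION = {"www.example.com": 3, "blog.example.com": 2}   # dev.example.com unmarked

if __name__ == "__main__":
    for priority, risk in order_for_display(RISKS, ATTENTION):
        print(f"{priority:6.3f}  {risk.site:18s} {risk.category} (x{risk.count})")
```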
Further, according to the change condition of the shadow assets and the change condition of the security threats, the embodiment may also present to the user the change trend of asset exposure, data exposure, newly added high-risk service ports and newly added available vulnerabilities, where the time span of the change trend may be an hour, a day, a week, a month, a year, and so on.
In this embodiment, after the security event auditor has audited and confirmed a security event to be audited, corresponding security alarm information may further be generated and sent to a preset alarm information receiving module on the customer's terminal device. The preset alarm information receiving module includes, but is not limited to, instant messaging software, a mobile phone SMS receiving module, a personal mailbox system, and the like.
Correspondingly, the embodiment of the present invention further discloses a system for continuously monitoring the security of network assets, which, as shown in fig. 9, includes:
the exposed surface monitoring module 11 is used for continuously monitoring the shadow assets in an exposed state in the target internet platform, and automatically comparing and analyzing the currently monitored shadow assets with historical shadow assets to obtain the change conditions of the shadow assets;
and the security threat monitoring module 12 is configured to continuously monitor security threats existing in the target internet platform, and obtain a change condition of the security threats by automatically comparing and analyzing the currently monitored security threats and historical security threats.
The exposed surface monitoring module 11 may specifically include a sub-domain name asset exposed surface monitoring submodule, a sensitive data asset exposed surface monitoring submodule, and a network service exposed surface monitoring submodule; wherein:
the sub-domain name asset exposed surface monitoring submodule is specifically used for continuously monitoring the sub-domain name assets in an exposed state by means of a Search Hacking mode and/or a DNS zone transfer vulnerability mode and/or a dictionary brute-forcing mode using common domain names and/or the sub-domain library query function of an internet open network management platform.
The sensitive data asset exposed surface monitoring submodule is specifically used for continuously monitoring the ICP filing information of the target domain name; and/or monitoring the enterprise information of the enterprise to which the target domain name belongs by means of the ICP filing information; and/or continuously monitoring the exposed contact information of enterprise employees and/or the source code of the enterprise's software products on open source code hosting platforms, using a social engineering database and a Search Hacking mode combined with the enterprise information obtained from the ICP filing information.
The network service exposed surface monitoring submodule is specifically used for acquiring a website map that includes the isolated chain (orphan link) directories by combining a crawler with a Search Hacking mode; and/or acquiring the application fingerprint of the website web application and identifying the type and version information of the web application from that fingerprint; and/or acquiring the IP and operating system fingerprint information of the website host and identifying the type and version information of the operating system from that fingerprint; and/or continuously monitoring the service ports opened by the website host.
In addition, the security threat monitoring module 12 may be specifically configured to continuously monitor any one or more of the vulnerabilities, network disconnection events, website tampering events, web horses and sensitive words of the hosts and website web applications in the target internet platform.
The step of the security threat monitoring module 12 continuously monitoring the vulnerability of the host and the web application of the website may specifically include: continuously detecting the vulnerability of the host and the website web application corresponding to the target domain name by utilizing a vulnerability detection tool to obtain an initial vulnerability detection result; and verifying the initial vulnerability detection result by using a corresponding vulnerability verification tool to obtain a verified vulnerability detection result.
Further, the security threat monitoring module 12 may also screen all vulnerabilities in the verified vulnerability detection result to determine a highly available vulnerability.
Referring to fig. 10, the monitoring system in this embodiment may further include:
the cloud expert auditing module 13 is used for determining data meeting preset conditions in the monitored shadow assets, security threats, the change conditions of the shadow assets and the change conditions of the security threats as security events to be audited; pushing the security event to be audited to a preset cloud expert access platform; and when a corresponding security event auditor logs in the cloud expert access platform and audits the security event to be audited in the cloud expert access platform, pushing a corresponding security event audit result to a preset client.
The cloud expert auditing module 13 may specifically include an account management submodule, a security event configuration submodule, an auditing submodule, a detection rule management submodule, a security event collection submodule, a security task prompting submodule, a security event auditing submodule, and a security event pushing submodule. Specifically:
Account management submodule: provides configuration management for multiple roles, such as "account and configuration administrator", "security event auditor", "audit operator" and "detection rule administrator", and allows an account to be created for each role. The "account and configuration administrator" role can create accounts, configure permissions, and configure the automatic dispatch strategy for security event auditing tasks; the "security event auditor" can manually audit and confirm the automatically dispatched security events to be audited and push them to the user interface; the "audit operator" can audit the operations of other users and export the system log; and the "detection rule administrator" role performs operations such as the global switch configuration of detection rules and the export and import of the latest detection rule base.
Security event configuration submodule: configured by the "account and configuration administrator" role. Before configuration, all security events pass straight through and are automatically pushed to the user interface; through this submodule, one or several types of security events can be selected to be automatically dispatched to the "security event auditor" role for auditing and pushed to the user interface only after the audit is confirmed. For example, high-risk vulnerabilities that have not been automatically validated may be configured to be dispatched to a particular "security event auditor" for auditing.
Auditing submodule: the "audit operator" can log in to this submodule, audit the operations of other account users, and export the system operation log.
Detection rule management submodule: the "detection rule administrator" role can log in to this submodule to configure the global switches of the system's detection rules and to export and import the latest detection rules. The detection rules that can be updated include the detection rules corresponding to the shadow asset monitoring process, the detection rules corresponding to the security threat monitoring process, and so on; continuous maintenance by this role keeps the detection rules of the entire platform up to date.
Security event collection submodule: automatically collects the security threat events and security threat data detected by the security threat monitoring module 12. The detected security threat events include newly discovered high-risk vulnerabilities, website tampering, network disconnections, web horses, sensitive words and similar events, with particular attention to highly available vulnerabilities and to website tampering, network disconnection, web horse and sensitive word discoveries occurring on websites the user has marked as key. It also automatically collects the asset data obtained by the exposed surface monitoring module 11, including historically discovered sub-domain asset data, sub-domain change data, potentially exposed sensitive data assets, port services with higher security risk, and their change conditions. These security data are passed to the security event auditing submodule as security events.
Security task prompting submodule: relies on a mobile phone client program, which may be an independent client program or the monitoring platform's official account within instant messaging software. Each security event auditor has a program account bound to the program; when an auditing task is assigned to a specific auditor under the automatic dispatch strategy for security event auditing tasks, the program installed on that auditor's mobile phone receives a prompt message. The auditor can then log in to the cloud expert access platform in time according to the response level of the security event, complete the auditing task, and push the audit result to the corresponding user.
Security event auditing submodule: after login authorization, the security event auditor can audit the security events of authorized users in the web interface provided by this submodule. The submodule's background automatically organizes and presents the user security events collected by the security event collection submodule, which include newly discovered high-risk vulnerabilities, website tampering, network disconnections, web horses, sensitive words and similar events; highly available vulnerabilities, and the website tampering, network disconnection, web horse and sensitive word discoveries occurring on websites the user has marked as key, are displayed with key priority. It also presents historically discovered sub-domain asset data, especially sub-domain name change data, potentially exposed enterprise sensitive data assets, port services with higher potential security hazards, and their change conditions. For security events that the "account and configuration administrator" role has configured as requiring audit by a "security event auditor", the auditor audits the authorized security events through this submodule, for example audit verification of an authorized customer's website tampering event. The auditor can also see the change trend of the customer's security data in the web interface of this submodule and use it as a basis for communicating with the customer and offering customized improvement suggestions. The submodule can further provide online communication between the security event auditor and authorized customers, so that the auditor can answer customers' questions online.
Security event pushing submodule: after the security event auditor has confirmed a security event, the event can be pushed to the customer. The submodule pushes the audited result to the user's web platform and to the user's mobile application account, where the mobile application may be a mobile phone application or the platform's official account within instant messaging client software.
Further, the monitoring system in this embodiment may further include a security risk integrated management module 14; the security risk integrated management module 14 may include a network asset topological graph building submodule and a security risk information presenting submodule; wherein:
the network asset topological graph constructing submodule is used for constructing a corresponding network asset topological graph according to the monitored shadow assets;
the safety risk information presentation sub-module is used for acquiring a target data dimension selected by a user through a preset dimension selection interface and displaying data and/or data change conditions corresponding to the target data dimension on the network asset topological graph;
the target data dimension is any one of a domain name dimension, a host dimension, a port dimension, a web application type dimension, a host security threat dimension, a web application security threat dimension and a geographic position dimension.
In this embodiment, when the target data dimension is the host security threat dimension or the web application security threat dimension:
the security risk information presentation sub-module is specifically used for acquiring the various security risk data corresponding to the target data dimension; dynamically adjusting the display priority of each item of security risk data according to the security event weight pre-configured in the background and the attention priority pre-marked by the client, combined with the industry average of each kind of security risk; and displaying the various security risk data on the network asset topology graph in descending order of display priority;
wherein the various security risk data comprise: sub-domain names created as unauthorized (privately built) sites and their changes, open ports with high potential safety hazards and their changes, potentially exposed enterprise sensitive data assets, vulnerability information of highly exploitable vulnerabilities and its changes, site outage events occurring on the target website, website tampering events, web trojans and sensitive words.
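The display-priority adjustment of the security risk information presentation sub-module, which claims 14 and 19 recite in the same words, as an added example that is not the patent's code: the patent names the three inputs (background-configured event weight, client-marked attention priority, industry average) but gives no formula, so the scoring formula, the weights, the multipliers, the industry averages and the sample findings below are all assumptions.

```python
"""Rank security risk data for display on the asset topology graph.

Added example, not the patent's code. The patent names three inputs to the
display priority (a background-configured security event weight, the
client's pre-marked attention priority, and the industry average of each
kind of risk) but gives no formula; the formula and all values here are
assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed background-configured event weights (higher = more severe).
EVENT_WEIGHTS = {
    "exploitable_vulnerability": 10,
    "website_tampering": 9,
    "web_trojan": 9,
    "site_outage": 7,
    "high_risk_port": 6,
    "exposed_sensitive_data": 6,
    "unauthorized_subdomain": 4,
    "sensitive_words": 3,
}

# Assumed client attention priority marks: 1 = normal, 2 = important, 3 = key site.
ATTENTION_MULTIPLIER = {1: 1.0, 2: 1.5, 3: 2.0}

# Constructed industry averages: findings of each kind per monitored site.
INDUSTRY_AVERAGE = {
    "exploitable_vulnerability": 0.5,
    "website_tampering": 0.1,
    "high_risk_port": 2.0,
    "unauthorized_subdomain": 3.0,
}


@dataclass(frozen=True)
class RiskRecord:
    risk_type: str       # one of the EVENT_WEIGHTS keys
    asset: str           # site or host the findings belong to
    count: int           # findings of this kind currently present on the asset
    new_since_last: int  # change condition: findings that appeared since the previous detection


def display_priority(record: RiskRecord, attention_priority: int) -> float:
    """Assumed scoring: weight x attention x industry comparison x change bonus."""
    base = EVENT_WEIGHTS.get(record.risk_type, 1)
    attention = ATTENTION_MULTIPLIER.get(attention_priority, 1.0)
    average = INDUSTRY_AVERAGE.get(record.risk_type, 0.0)
    # Being above the industry average raises the priority; being below it
    # never lowers it under the base weight, and the boost is capped so one
    # outlier cannot crowd every other kind of risk off the graph.
    industry_factor = min(max(1.0, record.count / average), 3.0) if average > 0 else 1.0
    # Newly appeared findings (the "change condition") are shown ahead of stale ones.
    change_factor = 1.5 if record.new_since_last > 0 else 1.0
    return round(base * attention * industry_factor * change_factor, 2)


def rank_for_display(records, client_marks):
    """Return (priority, record) pairs in descending display order.

    client_marks maps an asset to the attention priority the client marked;
    unmarked assets are treated as normal (1).
    """
    scored = [(display_priority(r, client_marks.get(r.asset, 1)), r) for r in records]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


# Constructed sample input: four findings across three assets of one client.
SAMPLE_RECORDS = [
    RiskRecord("high_risk_port", "www.example.test", count=4, new_since_last=1),
    RiskRecord("exploitable_vulnerability", "api.example.test", count=1, new_since_last=0),
    RiskRecord("unauthorized_subdomain", "example.test", count=2, new_since_last=2),
    RiskRecord("website_tampering", "www.example.test", count=1, new_since_last=1),
]
SAMPLE_CLIENT_MARKS = {"www.example.test": 3, "api.example.test": 1}

if __name__ == "__main__":
    for priority, record in rank_for_display(SAMPLE_RECORDS, SAMPLE_CLIENT_MARKS):
        print(f"{priority:6.1f}  {record.risk_type:26} {record.asset}")
```

With the sample input the tampering event on the key-marked site comes first even though the vulnerability carries the higher base weight, because the client mark and the industry comparison both lift it.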
In addition, the security risk integrated management module 14 may further include an asset entry and marking sub-module, a website map sub-module, a sensitive data display sub-module, a network threat trend analysis sub-module, and a security event alarm sub-module. Specifically:
Asset entry and marking sub-module: the user can enter the basic asset information to be monitored, such as domain names and IPs, in this module, and mark information such as business industry characteristic keywords, business name keywords and business attention priority. The entered asset domain names, IPs and so on are monitored after the customer's authorization has been verified.
Website map sub-module: when a browsing request initiated by the user for the detail information of any site in the network asset topology graph is received, the website map of that site is displayed, with orphan link directories marked on the map.
Sensitive data display sub-module: sensitive data assets among the shadow assets are shown on the network asset topology graph, such as the path at which enterprise source code was found on an open source code hosting platform, or email addresses and telephone numbers of enterprise employees found through a search engine.
Network threat trend analysis sub-module: according to the detection data comparison results that are continuously and automatically produced, the change trends of asset exposure, data exposure, newly added high-risk service ports and newly added exploitable vulnerabilities are presented to the user. The time span can be expanded over multiple scales: hours, days, weeks, months, years, and so on. Based on the accumulated data, the user can see on the platform how the asset topology changes and is updated, and how high-risk security risks were introduced and how they trend. Based on these data trends, the platform gives the customer suggestions for security improvement during subsequent business development.
Security event alarm sub-module: this module pushes security alert information to the client through a mobile App or a mobile instant messaging application platform (such as WeChat); the pushed information comes from security event information acquired by the exposed surface monitoring module and the security threat monitoring module and reviewed and confirmed by the cloud expert.
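The comparison of the current detection with historical detection data on which the trend analysis sub-module (and the change condition recited in claim 1) rests, as an added example that is not the patent's code: each detection run is reduced to a snapshot of sets, the change condition is the set difference between consecutive snapshots, and the trend over any time span is the net difference across the snapshots inside that window. The snapshots, host names, finding labels and the list of ports treated as high-risk are constructed assumptions.

```python
"""Change condition between detection runs and its trend over a time span.

Added example, not the patent's code. Each detection run is reduced to a
snapshot of sets; the change condition is the set difference between the
current and the previous snapshot, and the trend over hours/days/weeks is the
net difference between the first and last snapshot inside that window.
The snapshots, host names and high-risk port list are constructed.
"""
from datetime import datetime, timedelta

# Assumed set of service ports treated as carrying a high potential safety
# hazard when exposed; the patent names none, so this list is an illustration.
HIGH_RISK_PORTS = {21, 23, 445, 1433, 3306, 3389, 5900, 6379, 27017}

ASSET_CLASSES = ("subdomains", "high_risk_ports", "sensitive_data", "exploitable_vulns")


def make_snapshot(taken_at, subdomains, open_ports, sensitive_data, exploitable_vulns):
    """Normalise one detection run into sets; only high-risk open ports are kept."""
    return {
        "taken_at": taken_at,
        "subdomains": set(subdomains),
        "high_risk_ports": {(host, port) for host, port in open_ports if port in HIGH_RISK_PORTS},
        "sensitive_data": set(sensitive_data),
        "exploitable_vulns": set(exploitable_vulns),
    }


def change_condition(previous, current):
    """What appeared and what disappeared in each asset class since the previous run."""
    return {
        cls: {
            "added": sorted(current[cls] - previous[cls]),
            "removed": sorted(previous[cls] - current[cls]),
        }
        for cls in ASSET_CLASSES
    }


def trend(snapshots, window, now):
    """Net change per asset class over a time span ending at `now`.

    `window` is any timedelta (an hour, a day, a week, 30 days, ...). Returns
    None when fewer than two snapshots fall inside the window.
    """
    in_window = sorted(
        (s for s in snapshots if now - window <= s["taken_at"] <= now),
        key=lambda s: s["taken_at"],
    )
    if len(in_window) < 2:
        return None
    delta = change_condition(in_window[0], in_window[-1])
    return {
        cls: {
            "added": len(d["added"]),
            "removed": len(d["removed"]),
            "net": len(d["added"]) - len(d["removed"]),
        }
        for cls, d in delta.items()
    }


# Constructed sample: three daily detection runs for one monitored domain.
T0 = datetime(2024, 1, 1)
SNAPSHOTS = [
    make_snapshot(
        T0,
        ["www.example.test", "mail.example.test"],
        [("www.example.test", 80), ("www.example.test", 443)],
        [],
        [],
    ),
    make_snapshot(
        T0 + timedelta(days=1),
        ["www.example.test", "mail.example.test", "dev.example.test"],
        [("www.example.test", 80), ("www.example.test", 443),
         ("dev.example.test", 22), ("dev.example.test", 6379)],
        ["code-hosting:example-org/app/config.py"],
        ["dev.example.test:finding-1"],
    ),
    make_snapshot(
        T0 + timedelta(days=2),
        ["www.example.test", "mail.example.test", "dev.example.test", "test.example.test"],
        [("www.example.test", 80), ("www.example.test", 443),
         ("dev.example.test", 22), ("test.example.test", 3389)],
        ["code-hosting:example-org/app/config.py"],
        ["test.example.test:finding-2"],
    ),
]

if __name__ == "__main__":
    for previous, current in zip(SNAPSHOTS, SNAPSHOTS[1:]):
        print(current["taken_at"].date(), change_condition(previous, current))
    print("last week:", trend(SNAPSHOTS, timedelta(weeks=1), now=SNAPSHOTS[-1]["taken_at"]))
```

Note that a 30-hour window reports the high-risk port count as unchanged (one added, one removed) while the one-week window shows a net increase; the two views together are what distinguish a fixed exposure from one that merely moved to another host.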
Furthermore, the invention also discloses a network asset continuous safety monitoring device, which comprises a processor and a memory; wherein, the processor implements the network asset continuous safety monitoring method disclosed in the foregoing embodiment when executing the computer program stored in the memory.
For the specific steps of the foregoing method for continuously monitoring security of network assets, reference may be made to the corresponding contents disclosed in the foregoing embodiments, and details are not repeated herein.
Further, the present invention also discloses a computer readable storage medium for storing a computer program, wherein the computer program is executed by a processor to implement the network asset continuous security monitoring method disclosed in the foregoing embodiments.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The method, system, device and storage medium for continuous security monitoring of network assets provided by the invention have been described in detail above. A specific example was used in the description to explain the principle and implementation of the invention, and the description of the embodiment is intended only to help in understanding the method and core idea of the invention. Meanwhile, a person skilled in the art may, following the idea of the present invention, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as limiting the present invention.

Claims (21)

1. A method for continuously monitoring security of network assets is characterized by comprising the following steps:
continuously monitoring the shadow assets in an exposed state in a target internet platform, and automatically comparing and analyzing the currently monitored shadow assets with historical shadow assets to obtain the change condition of the shadow assets; constructing a corresponding network asset topological graph according to the monitored shadow assets; acquiring a target data dimension selected by a user through a preset dimension selection interface, and displaying data and/or data change conditions corresponding to the target data dimension on the network asset topological graph; wherein the shadow assets include sensitive data assets and/or web services;
and continuously monitoring the security threats existing in the target Internet platform, and automatically comparing and analyzing the currently monitored security threats and historical security threats to obtain the change condition of the security threats.
2. The method for continuously monitoring the security of the network assets according to claim 1, wherein the step of continuously monitoring the exposed shadow assets in the target internet platform comprises:
continuously monitoring any one or more of the sub-domain name assets, sensitive data assets and network services in an exposed state in the target Internet platform.
3. The method for continuous security monitoring of network assets according to claim 2, wherein the step of continuously monitoring the sub domain name assets in the exposed state comprises:
continuously monitoring the sub-domain name assets in an exposed state by means of a Search Hacking mode and/or a DNS zone transfer vulnerability mode and/or a dictionary brute-forcing mode over common sub-domain names and/or the sub-domain database query function of an open Internet network management platform.
4. The method of claim 2, wherein the step of continuously monitoring the exposed sensitive data assets comprises:
continuously monitoring the ICP filing information of the target domain name;
and/or monitoring the enterprise information of the enterprise to which the target domain name belongs by means of the ICP filing information;
and/or continuously monitoring the contact information of enterprise staff in an exposed state and/or the source code of enterprise software products on open source code hosting platforms, by means of a social engineering database and a Search Hacking mode combined with the enterprise information acquired from the ICP filing information.
5. The method of claim 2, wherein the step of continuously monitoring the exposed network service comprises:
acquiring a website map containing orphan link directories by combining a crawler technique with a Search Hacking mode;
and/or acquiring an application fingerprint corresponding to the website web application, and identifying the type and version information of the website web application by using the application fingerprint;
and/or acquiring the IP of the website host and the fingerprint information of the operating system, and identifying the type and version information of the operating system by using the fingerprint information;
and/or continuously monitoring the service port opened by the host of the website.
6. The method for continuous security monitoring of network assets as claimed in claim 1, wherein the step of continuously monitoring security threats existing in the target internet platform comprises:
continuously monitoring any one or more of: vulnerabilities of the hosts and website web applications in the target Internet platform, site outage events, website tampering events, web trojans and sensitive words.
7. The method of claim 6, wherein the step of continuously monitoring vulnerabilities of host and web applications comprises:
continuously detecting the vulnerability of the host and the website web application corresponding to the target domain name by utilizing a vulnerability detection tool to obtain an initial vulnerability detection result;
and verifying the initial vulnerability detection result by using a corresponding vulnerability verification tool to obtain a verified vulnerability detection result.
8. The method for continuous security monitoring of network assets of claim 7, wherein the step of continuously monitoring vulnerabilities of host and web applications further comprises:
screening all vulnerabilities in the verified vulnerability detection result to determine the highly exploitable vulnerabilities.
9. The method for continuous security monitoring of network assets according to any one of claims 1 to 8, further comprising:
determining data meeting preset conditions in the monitored shadow assets, security threats, the change conditions of the shadow assets and the change conditions of the security threats as security events to be audited;
pushing the security event to be audited to a preset cloud expert access platform;
and when a corresponding security event auditor logs in the cloud expert access platform and audits the security event to be audited in the cloud expert access platform, pushing a corresponding security event audit result to a preset client.
10. The method for continuous security monitoring of network assets according to any one of claims 1 to 8, further comprising:
dynamically maintaining the detection rules corresponding to the shadow asset monitoring process and/or the detection rules corresponding to the security threat monitoring process.
11. The method for continuous security monitoring of network assets according to any one of claims 1 to 8, wherein the target data dimension is any one of a domain name dimension, a host dimension, a port dimension, a web application type dimension, a host security threat dimension, a web application security threat dimension, and a geographic location dimension.
12. The method for continuous security monitoring of network assets of claim 11, further comprising:
when a browsing request initiated by the user for the detail information of any site in the network asset topology graph is received, displaying the website map of that site and marking orphan link directories on the website map.
13. The method for continuous security monitoring of network assets of claim 11, further comprising:
showing the sensitive data assets among the shadow assets on the network asset topology graph.
14. The method for continuously monitoring security of network assets according to claim 11, wherein when the target data dimension is a host security threat dimension or a web application security threat dimension, the step of displaying data and/or changes of data corresponding to the target data dimension on the network asset topology map comprises:
acquiring the various security risk data corresponding to the target data dimension;
dynamically adjusting the display priority of each item of security risk data according to the security event weight pre-configured in the background and the attention priority pre-marked by the client, combined with the industry average of each kind of security risk;
displaying the various security risk data on the network asset topology graph in descending order of display priority;
wherein the various security risk data comprise: sub-domain names created as unauthorized (privately built) sites and their changes, open ports with high potential safety hazards and their changes, potentially exposed enterprise sensitive data assets, vulnerability information of highly exploitable vulnerabilities and its changes, site outage events occurring on the target website, website tampering events, web trojans and sensitive words.
15. The method for continuous security monitoring of network assets of claim 14, further comprising:
in the process of displaying the multiple kinds of security risk data, the average value, the average repair time and the repair suggestion of various security risks in the industry are displayed on the network asset topological graph in a comparison display mode.
16. A system for continuous security monitoring of network assets, comprising:
the exposed surface monitoring module is used for continuously monitoring the shadow assets in an exposed state in the target Internet platform, and automatically comparing and analyzing the currently monitored shadow assets with historical shadow assets to obtain the change condition of the shadow assets; wherein the shadow assets include sensitive data assets and/or web services;
the comprehensive security risk management module comprises: the network asset topological graph constructing submodule is used for constructing a corresponding network asset topological graph according to the monitored shadow assets; the safety risk information presentation sub-module is used for acquiring a target data dimension selected by a user through a preset dimension selection interface and displaying data and/or data change conditions corresponding to the target data dimension on the network asset topological graph;
and the security threat monitoring module is used for continuously monitoring the security threats existing in the target Internet platform and automatically comparing and analyzing the currently monitored security threats and historical security threats to obtain the change conditions of the security threats.
17. The system for continuous security monitoring of network assets of claim 16, further comprising:
the cloud expert auditing module is used for determining data meeting preset conditions in the monitored shadow assets, security threats, the change conditions of the shadow assets and the change conditions of the security threats as security events to be audited; pushing the security event to be audited to a preset cloud expert access platform; and when a corresponding security event auditor logs in the cloud expert access platform and audits the security event to be audited in the cloud expert access platform, pushing a corresponding security event audit result to a preset client.
18. The system for continuous security monitoring of network assets of claim 16, wherein the target data dimension is any one of a domain name dimension, a host dimension, a port dimension, a web application type dimension, a host security threat dimension, a web application security threat dimension, a geo-location dimension.
19. The network asset continuous security monitoring system of claim 18, wherein when the target data dimension is a host security threat dimension or a web application security threat dimension, then:
the security risk information presentation sub-module is specifically used for acquiring the various security risk data corresponding to the target data dimension; dynamically adjusting the display priority of each item of security risk data according to the security event weight pre-configured in the background and the attention priority pre-marked by the client, combined with the industry average of each kind of security risk; and displaying the various security risk data on the network asset topology graph in descending order of display priority;
wherein the various security risk data comprise: sub-domain names created as unauthorized (privately built) sites and their changes, open ports with high potential safety hazards and their changes, potentially exposed enterprise sensitive data assets, vulnerability information of highly exploitable vulnerabilities and its changes, site outage events occurring on the target website, website tampering events, web trojans and sensitive words.
20. A network asset continuous security monitoring device comprising a processor and a memory; wherein the processor, when executing the computer program stored in the memory, implements the method for continuous security monitoring of network assets of any one of claims 1 to 15.
21. A computer-readable storage medium storing a computer program which, when executed by a processor, implements a method for continuous security monitoring of network assets as claimed in any one of claims 1 to 15.
CN201810240298.1A 2018-03-22 2018-03-22 Network asset continuous safety monitoring method, system, equipment and storage medium Active CN108449345B (en)

Publications (2)

Publication Number Publication Date
CN108449345A CN108449345A (en) 2018-08-24
CN108449345B true CN108449345B (en) 2022-01-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant