CN109257329A - Website risk index computing system and method based on massive Web logs - Google Patents


Info

Publication number
CN109257329A
Authority
CN
China
Prior art keywords
website
attack
log
loophole
value
Prior art date
Legal status
Pending
Application number
CN201710594365.5A
Other languages
Chinese (zh)
Inventor
卢新岱
戴桦
孔晓昀
蔡怡挺
姜维
周辉
吕磅
姚影
Current Assignee
Electric Power Research Institute of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
Electric Power Research Institute of State Grid Zhejiang Electric Power Co Ltd

Classifications (CPC, all under H04L: transmission of digital information)

    • H04L63/1425 Network security: detecting or protecting against malicious traffic by monitoring network traffic; traffic logging, e.g. anomaly detection
    • H04L63/1433 Network security: detecting or protecting against malicious traffic; vulnerability analysis
    • H04L63/1441 Network security: countermeasures against malicious traffic
    • H04L63/20 Network architectures or protocols for managing network security; network security policies in general
    • H04L67/02 Network arrangements or protocols for supporting network services; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]


Abstract

The present invention relates to a website risk index calculation method based on massive Web logs. It comprises an acquisition unit supporting massive Web logs and deployed on the Web server, a security information analysis unit and a website risk assessment unit, connected in sequence: acquisition unit, analysis unit, assessment unit. The acquisition unit monitors the log files in real time, extracts the Web logs generated in real time at a certain time interval, and pre-processes them into fields. The invention is based on the analysis of massive Web logs: it can capture Web attacks in real time and, combining the CVSS values of the vulnerabilities present on the website with the degree of harm of the attacks, carries out a website risk assessment, ensuring the accuracy, timeliness and foresight of the evaluation index.

Description

Website risk index computing system and method based on massive Web logs
Technical field
The present invention relates to the technical field of network security, and specifically to a website risk index computing system and method based on massive Web logs.
Background technique
With the rapid development of the Internet, the complexity and importance of network security have become increasingly apparent. Hacker attacks occur constantly, and network security problems receive ever more attention. Website risk assessment technology analyses the fragility of the current website and the threats it faces, according to the website's current environment, and provides accurate, objective risk data, which is of great importance for building and improving a website security defence system. Web logs are an important component of network security: extracting and analysing the real-time attacks recorded in them provides important information for computer forensics. Website vulnerabilities, in turn, have an authoritative grading index, the CVSS (Common Vulnerability Scoring System). Combining the two provides the basic data for website risk assessment and ensures the accuracy, timeliness and foresight of the evaluation index. In the prior art, Anhui Cloud Atlas Information Technology Co., Ltd. published the patent "Website safety risk estimating method and system" in September 2016, which assesses network risk by scanning for vulnerabilities and constructing simulated attacks; however, that scheme does not capture from the Web logs the real attacks the website is subjected to as a basis for assessment, and so lacks an assessment of the threat from real attacks. Zhang Feng et al., in the paper "Research on Web access log security analysis technology" published in 2014 in the Journal of Beijing University of Posts and Telecommunications, capture attacks from Web logs and obtain a website risk index from three coefficients, the attack count, the attack threat and the attack success rate; however, that scheme does not take into account that website vulnerabilities are the source of security events and the cause of attacks, and so lacks an assessment of fragility.
Summary of the invention
The present invention mainly addresses the limitations of website risk assessment in the prior art, namely that the security information in Web logs is not included in the scope of assessment, or that the harm of attacks is not assessed together with the threat from website vulnerabilities. It provides a website risk evaluation system and method based on the analysis of massive Web logs, which scores according to real-time attacks and vulnerability CVSS values.
The above technical problem of the invention is mainly addressed by the following technical solution:
A website risk index calculation method based on massive Web logs comprises an acquisition unit supporting massive Web log sources and deployed on the Web server, a security information analysis unit and a website risk assessment unit, connected in sequence: acquisition unit, analysis unit, assessment unit;
wherein the acquisition unit monitors the log file directory in real time, extracts the Web logs generated in real time at a certain time interval t, pre-processes them into fields and sends them to the analysis unit;
the analysis unit, on the one hand, receives the log fields and captures sensitive fields according to an attack feature database, and on the other hand scans the website for vulnerabilities, analyses the fragility of the website and sends the analysis result to the assessment unit;
the assessment unit receives the analysis result, evaluates the website risk according to the preset assessment method and indices, and obtains the risk index.
Preferably, the website risk index calculation method comprises the following steps:
S1. Web log normalization;
S2. scan the target website, obtain the corresponding vulnerability information and, based on the CVSS scores, calculate the fragility value of the website;
S3. analyse the massive Web logs one by one with attack regular expressions to obtain the corresponding attack type;
S4. at a certain sampling interval t, calculate the threat value of the website based on the current attack events;
S5. combine the fragility value and the website threat value with the authoritative OWASP attack harm grading, assess the website risk and calculate the risk index of the website.
Preferably, the Web log normalization process in step S1 comprises:
S11. identify the log source type, recognising the four log classes Tomcat, Apache, NginX and IIS by their log features;
S12. normalise the log source, extracting six fields from each log entry with regular expressions, source IP, time, access method, URL, response code and browser type, which constitute the information set I corresponding to that log entry.
Preferably, the process of scanning the target website and calculating the website fragility value in step S2 comprises:
S21. scan the target website and build a website structure node tree;
S22. carry out vulnerability detection on each node of the website structure node tree: construct HTTP requests carrying attack signatures and determine from the response characteristics whether the corresponding vulnerability exists, proceeding through the categories SQL injection, cross-site scripting, weak password, HTTP header tracking, Struts2 remote command execution, file upload, sensitive information leakage, file traversal and others;
S23. assess each vulnerability independently, by base metrics, temporal metrics and environmental metrics, and calculate its CVSS score C_i based on CVSS, C_i ∈ [0,10]; the larger the value, the more serious the vulnerability;
S24. fragility value calculation: from the C_i of each vulnerability type, obtain the website fragility value W, where n ∈ [0,8] denotes the vulnerability types the target site contains;
Preferably, the process of analysing the massive Web logs one by one with attack regular expressions in step S3 comprises:
S31. build an intrusion feature database covering eight attack types, SQL injection, system command injection, cross-site scripting, traversal attack, WebShell, Struts2 remote command execution, sensitive file access and network parameter modification, summarising the log field characteristics of each attack method as regular expressions;
S32. match the log fields against the feature database one by one to capture attacks: take the field to be processed from the massive Web log field set and match it in turn against the expressions in the feature database; if a match succeeds, this log entry corresponds to one attack event, and the attack type information is added to the information set I corresponding to this log entry;
S33. after the analysis, obtain the per-type attack count set AC and the total attack count AS,
AC[n] = {AC_1, AC_2, ..., AC_n},
where n ∈ [1,8] denotes the attack type and AC_i denotes the number of attacks of the i-th type;
S34. attack proportion calculation: the proportion A_i of the i-th attack type,
A[n] = {A_1, A_2, ..., A_n};
Preferably, the process of calculating the website threat value at a certain sampling interval in step S4 comprises:
S41. determining the sampling interval: set a time threshold T and a sampled-log quantity threshold M; a new calculation is carried out when the time interval t since the last calculation reaches the threshold, i.e. t = T, or when the number of logs m sampled since the last sampling reaches the threshold, i.e. m = M;
S42. mapping attacks to website vulnerabilities: each attack type corresponds to one or more vulnerabilities; from the attack proportion set A[n] and the vulnerability CVSS values, build the mapping table A_i → C_j; from the mapping table, obtain the threat set D[n],
D[n] = {d_1, d_2, ..., d_n},
where n ∈ [1,8] denotes the attack type and d_i is the threat index, obtained as the product of the attack proportion and the maximum CVSS score in the set of website vulnerabilities associated with that attack.
Preferably, the process of combining the fragility value and the website threat value in step S5, assessing the website risk and calculating the website risk index comprises:
S51. setting the attack harm coefficients: taking into account the harm each kind of attack generally causes, the attack type harm coefficients are given as follows:
    Attack type                       Harm coefficient
    SQL / system command injection    10
    Cross-site scripting              9
    WebShell                          8
    Network parameter modification    7
    Traversal attack                  6
    Sensitive file access             5
    Remote execution vulnerability    4
    Vulnerability scanning            3
The harm set K[n] is built from the values in the table,
K[n] = {k_1, k_2, ..., k_n},
where n ∈ [1,8] denotes the attack type;
S52. calculating the website risk set: from the threat set D[n] and the harm set K[n], the website risk set R[n] is
R[n] = {r_1, r_2, ..., r_n},
where n ∈ [1,8] denotes the attack type and r_i denotes the risk index of the i-th attack type,
r_i = d_i * k_i;
S53. calculating the website risk index: the risk index RS is obtained from the website risk set R[n], where RS ∈ [0,10]; the higher the RS value, the greater the risk of attack and the more dangerous the website.
The beneficial effects of the present invention are:
based on the analysis of massive Web logs, Web attacks are captured in real time and, combined with the CVSS values of the vulnerabilities present on the website and the degree of harm of the attacks, the website risk index is calculated and a risk assessment is realised. The invention has the advantages of being easy to implement, widely applicable, strongly real-time and accurate in its index.
Detailed description of the drawings
Figure 1 is a structural block diagram of the present embodiment;
Figure 2 is a schematic flow diagram of the method of the present embodiment.
Specific embodiment
The technical solution of the present invention is further described below with reference to the embodiment and the accompanying drawings.
As shown in Figures 1 and 2, the website risk index calculation method of the present embodiment, based on massive Web logs, comprises an acquisition unit supporting massive Web log sources and deployed on the Web server, a security information analysis unit and a website risk assessment unit, connected in sequence: acquisition unit, analysis unit, assessment unit;
the acquisition unit monitors the log file directory in real time, extracts the Web logs generated in real time at a certain time interval t, pre-processes them into fields and sends them to the analysis unit;
the analysis unit, on the one hand, receives the log fields and captures sensitive fields according to an attack feature database, and on the other hand scans the website for vulnerabilities, analyses the fragility of the website and sends the analysis result to the assessment unit;
the assessment unit receives the analysis result, evaluates the website risk according to the preset assessment method and indices, and obtains the risk index.
In the present embodiment, the website risk index calculation method based on massive Web logs comprises the following steps:
S1. Web log normalization;
S2. scan the target website, obtain the corresponding vulnerability information and, based on the CVSS scores, calculate the fragility value of the website;
S3. analyse the massive Web logs one by one with attack regular expressions to obtain the corresponding attack type;
S4. at a certain sampling interval t, calculate the threat value of the website based on the current attack events;
S5. combine the fragility value and the website threat value with the authoritative OWASP attack harm grading, assess the website risk and calculate the risk index of the website.
In the present embodiment, the Web log normalization process in step S1 comprises:
S11. identify the log source type, recognising the four log classes Tomcat, Apache, NginX and IIS by their log features;
S12. normalise the log source, extracting six fields from each log entry with regular expressions, source IP, time, access method, URL, response code and browser type, which constitute the information set I corresponding to that log entry.
In the present embodiment, the process of scanning the target website and calculating the website fragility value in step S2 comprises:
S21. scan the target website and build a website structure node tree;
S22. carry out vulnerability detection on each node of the website structure node tree: construct HTTP requests carrying attack signatures and determine from the response characteristics whether the corresponding vulnerability exists, proceeding through the categories SQL injection, cross-site scripting, weak password, HTTP header tracking, Struts2 remote command execution, file upload, sensitive information leakage, file traversal and others;
S23. assess each vulnerability independently, by base metrics, temporal metrics and environmental metrics, and calculate its CVSS score C_i based on CVSS, C_i ∈ [0,10]; the larger the value, the more serious the vulnerability;
S24. fragility value calculation: from the C_i of each vulnerability type, obtain the website fragility value W, where n ∈ [0,8] denotes the vulnerability types the target site contains;
In the present embodiment, the process of analysing the massive Web logs one by one with attack regular expressions in step S3 comprises:
S31. build an intrusion feature database covering eight attack types, SQL injection, system command injection, cross-site scripting, traversal attack, WebShell, Struts2 remote command execution, sensitive file access and network parameter modification, summarising the log field characteristics of each attack method as regular expressions;
S32. match the log fields against the feature database one by one to capture attacks: take the field to be processed from the massive Web log field set and match it in turn against the expressions in the feature database; if a match succeeds, this log entry corresponds to one attack event, and the attack type information is added to the information set I corresponding to this log entry;
S33. after the analysis, obtain the per-type attack count set AC and the total attack count AS,
AC[n] = {AC_1, AC_2, ..., AC_n},
where n ∈ [1,8] denotes the attack type and AC_i denotes the number of attacks of the i-th type;
S34. attack proportion calculation: the proportion A_i of the i-th attack type,
A[n] = {A_1, A_2, ..., A_n};
More specifically, the process of calculating the website threat value at a certain sampling interval in step S4 comprises:
S41. determining the sampling interval: set a time threshold T and a sampled-log quantity threshold M; a new calculation is carried out when the time interval t since the last calculation reaches the threshold, i.e. t = T, or when the number of logs m sampled since the last sampling reaches the threshold, i.e. m = M;
S42. mapping attacks to website vulnerabilities: each attack type corresponds to one or more vulnerabilities; from the attack proportion set A[n] and the vulnerability CVSS values, build the mapping table A_i → C_j; from the mapping table, obtain the threat set D[n],
D[n] = {d_1, d_2, ..., d_n},
where n ∈ [1,8] denotes the attack type and d_i is the threat index, obtained as the product of the attack proportion and the maximum CVSS score in the set of website vulnerabilities associated with that attack.
In the present embodiment, the process of combining the fragility value and the website threat value in step S5, assessing the website risk and calculating the website risk index comprises:
S51. setting the attack harm coefficients: taking into account the harm each kind of attack generally causes, the attack type harm coefficients are given as in the table under S51 above;
the harm set K[n] is built from the values in that table,
K[n] = {k_1, k_2, ..., k_n},
where n ∈ [1,8] denotes the attack type;
S52. calculating the website risk set: from the threat set D[n] and the harm set K[n], the website risk set R[n] is
R[n] = {r_1, r_2, ..., r_n},
where n ∈ [1,8] denotes the attack type and r_i denotes the risk index of the i-th attack type,
r_i = d_i * k_i;
S53. calculating the website risk index: the risk index RS is obtained from the website risk set R[n],
where RS ∈ [0,10]; the higher the RS value, the greater the risk of attack and the more dangerous the website.
The method is simulated below with a specific embodiment, described in detail with reference to Fig. 2. After the system is deployed on the website server, the path is configured and the directory in which the Web logs are generated is monitored in real time. When the number of generated log entries reaches the threshold M or the elapsed time reaches the threshold T, the collection end acquires the newly generated Web logs and pre-processes them. The system has a corresponding configuration file for each of the four mainstream Web log types: Tomcat, Apache, NginX and IIS. The acquisition unit identifies the log type from the log fields, calls the corresponding configuration file and then normalises the log source; the main process is to extract six fields from each log entry with regular expressions, source IP, time, access method, URL, response code and browser type, which constitute the information set I corresponding to that entry, as in the following example:
I1 = { "202.107.201.13", "18/Aug/2016:16:43:55", "HEAD", "/api/call.php?Action=query&num=11%27%29/**/union/**/select/**/1,2,3,concat%280x7e,0x27,username,0x7e,0x27,password%29,5,6,7,8,9,10,11,12,13,14,15,16/**/from/**/user/**/limit/**/0,1%23", "302", "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" },
Once the acquisition unit has processed all the acquired logs, it sends the information set I to the analysis unit.
After the system is deployed on the server, the analysis unit scans all ports and websites of the server and builds the website structure node tree. It then carries out vulnerability detection on all nodes: it constructs HTTP requests carrying attack signatures and determines from the response characteristics whether the corresponding vulnerability exists, proceeding through the categories SQL injection, cross-site scripting, weak password, HTTP header tracking, Struts2 remote command execution, file upload, sensitive information leakage, file traversal and others. The vulnerabilities found by the scan are scored according to CVSS and recorded as C_i. In the following example, the scan finds that the site has six vulnerabilities: a SQL injection vulnerability, a cross-site scripting vulnerability, a Struts2 remote command execution vulnerability, a sensitive information leakage vulnerability, a file traversal vulnerability and a file upload vulnerability, with CVSS scores 7.5, 4.7, 10.0, 2.1, 5 and 4.5 respectively. Thus:
C = { "7.5", "4.7", "10", "2.1", "5", "4.5" }.
CVSS scores lie in the range [0,10]; the higher the score, the more serious the vulnerability.
On the other hand, the analysis unit receives the information set I from the acquisition unit. It calls the intrusion feature database corresponding to the log type; the feature database covers eight attack types, SQL injection, system command injection, cross-site scripting, traversal attack, WebShell, Struts2 remote command execution, sensitive file access and network parameter modification, and summarises the log field characteristics of each attack method as regular expressions. The analysis unit takes the field to be processed from I and matches it in turn against the expressions in the feature database; if a match succeeds, this log entry corresponds to an attack, and the attack type information is added to the element of the information set I corresponding to this entry. The per-type attack count set AC and the total attack count AS are built to record the captured attack events, and the attack proportion set A is then calculated as the ratio of AC to AS, i.e. A_i = AC_i / AS. In the sample above, the URL field matches the SQL injection expression in the feature database, showing that this entry was left by a SQL injection attack, so "SQL injection" is added to I, the AC_i for SQL injection in the count set AC is incremented by 1, and the total AS is incremented by 1. Once all the log fields in I have been analysed, all attacks in the period have been captured, and the AC and AS for that period are obtained, for example:
AC = { "26", "3", "1", "2", "312" },
where AC_1 corresponds to SQL injection, AC_2 to cross-site scripting, AC_3 to Struts2 remote command execution attacks, AC_4 to sensitive file access and AC_5 to path traversal attacks.
AS = 344.
The attack proportion set A is then calculated, giving:
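Steps S12 and S31 to S33 as added example code (not the patent's own implementation): it normalises Apache/NginX combined-format lines into the six fields of I, matches the percent-decoded URL field against a small hypothetical signature database, and builds AC and AS; the sample lines are constructed, the first adapted from the page's own entry with the payload shortened.

```python
"""Steps S1 and S3 of the pipeline: normalise access-log lines into the six-field
information set I, then match the URL field against an intrusion feature database
to build the per-type attack count set AC and the total attack count AS."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Apache/NginX "combined" access-log format (assumption: Tomcat's access valve is
# configured to the same pattern; IIS W3C logs are out of scope for this example).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)


@dataclass
class LogInfo:
    """Information set I for one log entry: the six fields of step S12."""
    source_ip: str
    time: str
    method: str
    url: str
    status: str
    browser: str
    attack_types: List[str] = field(default_factory=list)  # appended by step S32


# Hypothetical intrusion feature database of step S31 (deliberately small):
# attack type -> regular expression over the decoded URL field.
SIGNATURES = {
    "sql_injection": re.compile(r"union(?:\s|/\*.*?\*/)+select|'\s*or\s+\d+\s*=\s*\d+", re.I),
    "xss": re.compile(r"<script|javascript:|on(?:error|load)\s*=", re.I),
    "path_traversal": re.compile(r"\.\./|\.\.\\|/etc/passwd", re.I),
    "webshell": re.compile(r"\.(?:php|jsp|aspx?)\?.*\b(?:cmd|eval)=", re.I),
    "sensitive_file_access": re.compile(r"/\.git/|/\.env$|web\.config$|\.bak$", re.I),
}


def normalize(line: str) -> Optional[LogInfo]:
    """S12: extract the six fields; returns None for lines that do not parse."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    return LogInfo(m["ip"], m["time"], m["method"], m["url"], m["status"], m["agent"])


def classify(info: LogInfo, signatures=SIGNATURES) -> List[str]:
    """S32: match the decoded URL against every signature and record hits in I."""
    decoded = unquote(info.url)  # %27 -> ', %3C -> < ... so encoded payloads still match
    hits = [name for name, rx in signatures.items() if rx.search(decoded)]
    info.attack_types.extend(hits)
    return hits


def count_attacks(lines: List[str]) -> Tuple[Dict[str, int], int]:
    """S33: AC (count per attack type) and AS (total attack events).
    As in the page's example, AS equals the sum of AC: each signature hit is one event."""
    ac = {name: 0 for name in SIGNATURES}
    total = 0
    for line in lines:
        info = normalize(line)
        if info is None:
            continue  # unrecognised format: skipped, not counted as benign
        for hit in classify(info):
            ac[hit] += 1
            total += 1
    return ac, total


# Constructed sample log lines; the first is the page's own sample entry, shortened.
SAMPLE_LINES = [
    '202.107.201.13 - - [18/Aug/2016:16:43:55 +0800] "HEAD /api/call.php?Action=query'
    '&num=11%27%29/**/union/**/select/**/1,2,3 HTTP/1.1" 302 0 "-" '
    '"Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"',
    '10.0.0.5 - - [18/Aug/2016:16:44:01 +0800] "GET /static/../../etc/passwd HTTP/1.1" '
    '404 162 "-" "curl/7.47.0"',
    '10.0.0.9 - - [18/Aug/2016:16:44:07 +0800] "GET /index.html HTTP/1.1" 200 4521 "-" '
    '"Mozilla/5.0"',
    '10.0.0.5 - - [18/Aug/2016:16:44:12 +0800] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E '
    'HTTP/1.1" 200 873 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Aug/2016:16:44:20 +0800] "GET /.git/config HTTP/1.1" 403 0 "-" "curl/7.47.0"',
    'not an access log line',
]

if __name__ == "__main__":
    counts, total_events = count_attacks(SAMPLE_LINES)
    print(counts, total_events)
```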
The assessment unit receives two kinds of analysis data: the server vulnerability analysis result, comprising the website vulnerability CVSS score set C, and the Web log security analysis result, comprising the attack proportion set A. The assessment unit calculates the website fragility value W from the website vulnerability CVSS score set C, by the formula:
Then the assessment unit builds the mapping between attacks and website vulnerabilities; each attack type corresponds to one or more vulnerabilities, and from the attack proportion set A and the vulnerability CVSS set C the mapping table A_i → C_j is built. In the following example:
SQL injection corresponds to the SQL injection vulnerability;
cross-site scripting corresponds to the cross-site scripting vulnerability and the file upload vulnerability;
the Struts2 remote command execution attack corresponds to the Struts2 remote command execution vulnerability;
sensitive file access corresponds to the sensitive information leakage vulnerability;
the path traversal attack corresponds to the file traversal vulnerability.
The assessment unit calculates the attack threat index: the proportion of each kind of attack is multiplied by the CVSS score of the vulnerability corresponding to that attack (if an attack corresponds to several vulnerabilities, the maximum CVSS score among them is taken), and the attack threat set D is built to hold the data. The following result is obtained:
d_1 = A_1 × C_1 = 0.0765 × 7.5 = 0.57375,
d_2 = A_2 × C_2 = 0.0087 × 4.7 = 0.04089,
d_3 = A_3 × C_3 = 0.0029 × 10.0 = 0.02900,
d_4 = A_4 × C_4 = 0.0058 × 2.1 = 0.01218,
d_5 = A_5 × C_5 = 0.9070 × 5.0 = 4.53500,
D = { 0.57375, 0.04089, 0.02900, 0.01218, 4.53500 }.
The system, following the OWASP classification of the ten major Web threats and the harm each kind of attack generally causes, gives the attack type harm coefficients as follows:
    Attack type                       Harm coefficient
    SQL / system command injection    10
    Cross-site scripting              9
    WebShell                          8
    Network parameter modification    7
    Traversal attack                  6
    Sensitive file access             5
    Remote execution vulnerability    4
    Vulnerability scanning            3
The assessment unit selects, from the values in the table, the entries for the attack types captured in the Web log analysis and builds the harm set K. From the 6 attack types it obtains:
K = { 10, 9, 4, 5, 6 }.
The assessment unit calculates the attack risk index r from the attack threat set D and the attack harm set K and stores it in the risk set R, by the formula:
r_i = d_i * k_i
The results are as follows:
r_1 = d_1 * k_1 = 0.57375 × 10 = 5.73750,
r_2 = d_2 * k_2 = 0.04089 × 9 = 0.36801,
r_3 = d_3 * k_3 = 0.02900 × 4 = 0.11600,
r_4 = d_4 * k_4 = 0.01218 × 5 = 0.06090,
r_5 = d_5 * k_5 = 4.53500 × 6 = 27.21000,
R = { 5.73750, 0.36801, 0.11600, 0.06090, 27.21000 }.
The assessment unit calculates the website risk index RS from the website risk set R, by the formula:
The following result is obtained:
Finally, the risk assessment result for the website in this example is 5.79, a medium risk: regular maintenance is needed, the vulnerabilities found by the scan must be repaired and the software upgraded, and the defensive measures against SQL injection and file traversal attacks in particular must be strengthened.
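Steps S34, S41, S42 and S52 carried through in code with the example's attack counts, CVSS scores, mapping table and harm coefficients (an added illustration, not the patent's own implementation; the function names and the rule that an attack whose mapped vulnerabilities were not found contributes zero are my assumptions).

```python
"""Steps S4 and S5 of the pipeline (attack proportions, threat set, harm set, risk set),
carried through with the figures of the page's worked example."""
from typing import Dict, List, Tuple

# CVSS scores C of the six vulnerabilities the scan found in the example.
CVSS: Dict[str, float] = {
    "sql_injection": 7.5,
    "xss": 4.7,
    "struts2_rce": 10.0,
    "sensitive_info_leak": 2.1,
    "file_traversal": 5.0,
    "file_upload": 4.5,
}

# Mapping table A_i -> C_j of step S42, as listed in the example.
ATTACK_TO_VULNS: Dict[str, List[str]] = {
    "sql_injection": ["sql_injection"],
    "xss": ["xss", "file_upload"],
    "struts2_rce": ["struts2_rce"],
    "sensitive_file_access": ["sensitive_info_leak"],
    "path_traversal": ["file_traversal"],
}

# Harm coefficients k_i of step S51 (the page's table).
HARM_COEFFICIENT: Dict[str, int] = {
    "sql_injection": 10, "system_command_injection": 10, "xss": 9, "webshell": 8,
    "network_parameter_modification": 7, "path_traversal": 6,
    "sensitive_file_access": 5, "struts2_rce": 4, "vulnerability_scanning": 3,
}

# Per-type attack counts AC from the example (AS = 344 is their sum).
EXAMPLE_AC: Dict[str, int] = {
    "sql_injection": 26, "xss": 3, "struts2_rce": 1,
    "sensitive_file_access": 2, "path_traversal": 312,
}


def should_recompute(elapsed: float, new_logs: int, T: float, M: int) -> bool:
    """S41: a new calculation is triggered by time (t = T) or by volume (m = M)."""
    return elapsed >= T or new_logs >= M


def attack_proportions(ac: Dict[str, int]) -> Dict[str, float]:
    """S34: A_i = AC_i / AS, rounded to four decimals as the example does."""
    total = sum(ac.values())
    if total == 0:  # no attack captured in the interval: every proportion is 0
        return {name: 0.0 for name in ac}
    return {name: round(count / total, 4) for name, count in ac.items()}


def threat_set(a: Dict[str, float], cvss: Dict[str, float],
               mapping: Dict[str, List[str]]) -> Dict[str, float]:
    """S42: d_i = A_i * max CVSS over the vulnerabilities mapped from attack i.
    Assumption (not stated on the page): an attack whose mapped vulnerabilities
    were not found by the scan contributes d_i = 0."""
    d: Dict[str, float] = {}
    for attack, proportion in a.items():
        scores = [cvss[v] for v in mapping.get(attack, []) if v in cvss]
        d[attack] = round(proportion * max(scores), 5) if scores else 0.0
    return d


def risk_set(d: Dict[str, float], harm: Dict[str, int]) -> Dict[str, float]:
    """S52: r_i = d_i * k_i."""
    return {attack: round(value * harm[attack], 5) for attack, value in d.items()}


def score_example() -> Tuple[Dict[str, float], Dict[str, float], Dict[str, float]]:
    """Run S34, S42 and S52 on the example's counts; returns (A, D, R)."""
    a = attack_proportions(EXAMPLE_AC)
    d = threat_set(a, CVSS, ATTACK_TO_VULNS)
    r = risk_set(d, HARM_COEFFICIENT)
    return a, d, r


if __name__ == "__main__":
    for label, values in zip("ADR", score_example()):
        print(label, values)
```

The page does not show the formulas for W or RS, so the block stops at the risk set R. Note that 26/344 rounds to 0.0756, whereas the example's d_1 uses A_1 = 0.0765, so the computed d_1 and r_1 differ from the page's figures while the other entries agree.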
Although the terms website fragility value, attack threat value, website risk index and so on are used frequently herein, the possibility of using other terms is not excluded. These terms are used only to describe and explain the essence of the invention more conveniently; construing them as any additional limitation is contrary to the spirit of the invention.

Claims (7)

1. A website risk index calculation method based on massive Web logs, characterised in that: an acquisition unit supporting massive Web log sources, a security information analysis unit and a website risk assessment unit are deployed on the Web server, and the acquisition unit, analysis unit and assessment unit are connected in sequence;
the acquisition unit monitors the log file directory in real time, extracts the Web logs generated in real time at a certain time interval t, pre-processes them into fields and sends them to the analysis unit;
the analysis unit, on the one hand, receives the log fields and captures sensitive fields according to an attack feature database, and on the other hand scans the website for vulnerabilities, analyses the fragility of the website and sends the analysis result to the assessment unit;
the assessment unit receives the analysis result, evaluates the website risk according to the preset assessment method and indices, and obtains the risk index.
2. The website risk index calculation method based on massive Web logs according to claim 1, characterised in that it comprises the following steps:
S1. Web log normalization;
S2. scan the target website, obtain the corresponding vulnerability information and, based on the CVSS scores, calculate the fragility value of the website;
S3. analyse the massive Web logs one by one with attack regular expressions to obtain the corresponding attack type;
S4. at a certain sampling interval t, calculate the threat value of the website based on the current attack events;
S5. combine the fragility value and the website threat value with the authoritative OWASP attack harm grading, assess the website risk and calculate the risk index of the website.
3. The website risk index calculation method based on massive Web logs according to claim 2, characterized in that in step S1 the Web log integration process comprises:
S11. Identify the log source type: the four log classes Tomcat, Apache, NginX and IIS are recognized according to log features;
S12. Standardize the log source: regular expressions extract six fields from each log entry, namely source IP, time, access method, URL, response code and browser type, which together constitute the information set I corresponding to that log entry.
4. The website risk index calculation method based on massive Web logs according to claim 2, characterized in that in step S2 the process of scanning the target Web site and calculating the fragility value of the website comprises:
S21. Scan the target Web site and build a website structure node tree;
S22. Perform vulnerability detection on each node of the website structure node tree separately: construct HTTP requests carrying attack signatures and determine from the response characteristics whether the corresponding vulnerability exists, classified as SQL injection, cross-site scripting vulnerability, weak password vulnerability, HTTP header tracking vulnerability, Struts2 remote command execution vulnerability, file upload vulnerability, sensitive information leakage vulnerability, file traversal vulnerability, and other categories;
S23. Assess each vulnerability independently using base metrics, temporal metrics and environmental metrics, and calculate the CVSS score of each vulnerability based on CVSS, where a larger value indicates a more serious vulnerability;
S24. Fragility value calculation: according to each vulnerability type, compute the website fragility value W.
5. The website risk index calculation method based on massive Web logs according to claim 2, characterized in that in step S3 the process of analyzing the massive Web logs one by one using attack regular expressions comprises:
S31. Build an intrusion feature database covering eight attack types, namely SQL injection, system command injection, cross-site scripting attack, traversal attack, WebShell, Struts2 remote command execution vulnerability, sensitive file access and network parameter modification, summarizing the log-field characteristics of each attack method with regular expressions;
S32. Match the log fields against the feature database one by one to capture attacks: take the field to be processed from the massive Web log field set and match it in turn against the expressions in the feature database; if a match succeeds, this log entry corresponds to an attack, and the attack type information is added to the information set I corresponding to this log entry;
S33. After the analysis, obtain the attack count set AC for each attack type and the total number of attacks;
S34. Calculate the proportion of each attack type.
6. The website risk index calculation method based on massive Web logs according to claim 2, characterized in that in step S4 the process of calculating the threat value of the website according to a certain sampling interval comprises:
S41. Determination of the sampling interval: set a time threshold T and a sampled-log quantity threshold M; a new calculation is performed when the time interval t since the last calculation reaches its threshold, or when the quantity m of logs sampled since the last sampling reaches its threshold;
S42. Mapping between attacks and website vulnerabilities: each kind of attack corresponds to one or more vulnerabilities; a mapping table is established according to the attack proportion set A[n] and the vulnerability CVSS values, and the threat set D[n] is obtained from the mapping table, where n denotes the attack type.
7. The website risk index calculation method based on massive Web logs according to claim 2, characterized in that in step S5 the process of integrating the fragility value and the website threat value, assessing the website risk and calculating the risk index of the website comprises:
S51. Setting of the attack harm coefficients: in view of the threat that each kind of attack generally poses, the harm coefficients of the attack types are set as follows:
Attack type                      Harm coefficient
SQL / system command injection   10
Cross-site scripting             9
WebShell                         8
Network parameter modification   7
Traversal attack                 6
Sensitive file access            5
Remote execution vulnerability   4
Vulnerability scanning           3
The harm set K[n] is established according to the values in the table;
S52. Calculate the website risk set: the website risk set R[n] is obtained from the threat set D[n] and the harm set K[n];
S53. Calculate the website risk index: the risk index RS is obtained from the website risk set, where a higher RS value means a greater risk of attack and a less secure website.
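The pipeline of claims 3 to 7 end to end, as an added Python example that is not part of the patent: constructed Apache combined-format log lines are normalised into the six-field information set I, the URL field is matched against an assumed attack feature database, and the per-type counts are combined with constructed CVSS values and the harm coefficients of step S51. The claims do not state the formulas behind A[n], D[n], R[n] and RS, so the proportional and multiplicative forms used here (and the regexes and CVSS mapping) are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Harm coefficients K[n] from the table in claim 7, step S51.
HARM = {"sqli": 10, "xss": 9, "webshell": 8, "param_mod": 7, "traversal": 6,
        "sensitive_file": 5, "rce": 4, "scan": 3}

# Intrusion feature database (S31): assumed detection regexes over the decoded URL,
# illustrative only and not the patent's own expressions. First match wins.
FEATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s|union\s+select", re.I),
    "xss": re.compile(r"<script", re.I),
    "traversal": re.compile(r"\.\./"),
    "sensitive_file": re.compile(r"\.git/|/etc/passwd|web\.config", re.I),
}

# Combined-format (Apache/NginX) parser yielding the six-field information set I (S12).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<code>\d{3}) \S+ '
                    r'"[^"]*" "(?P<agent>[^"]*)"')

def parse_log(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(info):
    """S32: match the decoded URL field against the feature database."""
    url = unquote(info["url"])
    return next((a for a, rx in FEATURES.items() if rx.search(url)), None)

def risk_index(lines, cvss_by_attack):
    """S33-S53 with assumed formulas: A[n] = AC[n]/total, D[n] = A[n]*CVSS[n],
    R[n] = D[n]*K[n], RS = sum(R[n]). Returns (RS, R); RS is 0 with no attacks."""
    ac = Counter()                                    # attack count set AC (S33)
    for line in lines:
        info = parse_log(line)
        attack = classify(info) if info else None     # skip lines that fail S12
        if attack:
            ac[attack] += 1
    total = sum(ac.values())
    if total == 0:
        return 0.0, {}
    risk = {}
    for attack, count in ac.items():
        share = count / total                         # A[n] (S34)
        threat = share * cvss_by_attack.get(attack, 0.0)   # D[n] (S42)
        risk[attack] = threat * HARM[attack]          # R[n] (S52)
    return sum(risk.values()), risk                   # RS (S53)

SAMPLE_LOGS = [  # constructed sample entries in Apache combined format
    '10.0.0.5 - - [13/Jul/2017:10:00:01 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [13/Jul/2017:10:00:02 +0800] "GET /item?id=1%27%20or%201=1 HTTP/1.1" 200 900 "-" "curl/7.0"',
    '10.0.0.7 - - [13/Jul/2017:10:00:03 +0800] "GET /s?q=<script>alert(1)</script> HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [13/Jul/2017:10:00:04 +0800] "GET /dl?f=../../etc/passwd HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [13/Jul/2017:10:00:05 +0800] "GET /item?id=2%27%20or%201=1 HTTP/1.1" 200 900 "-" "curl/7.0"',
]
CVSS_BY_ATTACK = {"sqli": 9.8, "xss": 6.1, "traversal": 7.5}  # constructed S42 mapping values
```

On the five sample lines the counts are AC = {sqli: 2, xss: 1, traversal: 1}, so RS = 0.5*9.8*10 + 0.25*6.1*9 + 0.25*7.5*6 = 73.975; an attack type with no CVSS mapping contributes zero, which is the place a real deployment must fill in from the S42 table.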
CN201710594365.5A 2017-07-13 2017-07-13 A kind of website risk index computing system and method based on magnanimity Web log Pending CN109257329A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710594365.5A CN109257329A (en) 2017-07-13 2017-07-13 A kind of website risk index computing system and method based on magnanimity Web log

Publications (1)

Publication Number Publication Date
CN109257329A true CN109257329A (en) 2019-01-22

Family

ID=65051926

Country Status (1)

Country Link
CN (1) CN109257329A (en)

Legal Events

Date Code Title Description
PB01 Publication
CB02 Change of applicant information
    Address after: 310014, Huadian Road, Xiacheng District, Zhejiang, Hangzhou 1
    Applicant after: STATE GRID ZHEJIANG ELECTRIC POWER COMPANY LIMITED ELECTRIC POWER Research Institute
    Address before: 310014, Huadian Road, Xiacheng District, Zhejiang, Hangzhou 1
    Applicant before: ELECTRIC POWER RESEARCH INSTITUTE OF STATE GRID ZHEJIANG ELECTRIC POWER Co.
CB03 Change of inventor or designer information
    Inventors after: Dai Hua, Lu Xindai, Kong Xiaoyun, Cai Yiting, Jiang Wei, Zhou Hui, Lv Bang, Yao Ying
    Inventors before: Lu Xindai, Dai Hua, Kong Xiaoyun, Cai Yiting, Jiang Wei, Zhou Hui, Lv Bang, Yao Ying
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication
    Application publication date: 20190122