CN109510828A - Method and system for determining the effect of threat disposal in a network - Google Patents

Info

Publication number: CN109510828A
Authority: CN (China)
Prior art keywords: disposition, attack, effect, threat, network
Legal status: Granted
Application number: CN201811376254.8A
Other languages: Chinese (zh)
Other versions: CN109510828B (en)
Inventors: 李凤华, 谢绒娜, 张玲翠
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN201811376254.8A
Publication of CN109510828A
Application granted
Publication of CN109510828B
Legal status: Active

Classifications

All classifications fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security:

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14 detecting or protecting against malicious traffic, H04L63/1408 by monitoring network traffic)
    • H04L63/20 Managing network security; network security policies in general
    • H04L63/205 Managing network security, involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L63/02 Separating internal from external traffic, e.g. firewalls
    • H04L63/08 Authentication of entities
Abstract

Embodiments of the present invention provide a method and system for determining the effect of threat disposal in a network. The method comprises: for any attacked object in the network, choosing several objects from among the objects that execute the threat disposal strategy for that attacked object, to form the attacked object's disposal-result verification object set; if the disposal result of at least one object in that verification object set is success, determining, on the basis of the attacked object's index contribution table, the indices whose contribution meets an index selection condition, to form the attacked object's target index set; and determining, from the attacked object's target index set, the threat disposal effect of the threat disposal strategy in the network. The method and system verify and assess the disposal effect comprehensively from a global perspective, according to the different disposal objects and strategies, and so improve the efficiency and accuracy of disposal effect evaluation.

Description

Method and system for determining the effect of threat disposal in a network
Technical field
Embodiments of the present invention relate to the field of network security, and in particular to a method and system for determining the effect of threat disposal in a network.
Background technique
Heterogeneous networks are interconnected at large scale; each network has its own technical architecture, and security devices of different types and from different manufacturers differ in protective capability, so the protective capability of different networks differs. Isolated protection of a single network, or a single defensive posture, therefore struggles to cope with increasingly severe cyber threats. A threat disposal command centre needs to generate threat disposal strategies around a given security objective, according to the threat situation and the protective capability of the devices, decompose them and distribute them to multiple classes of disposal objects, so that different objects and different regions protect the network cooperatively and cyber threats are disposed of in a coordinated (linked) manner.
To achieve effective coordinated disposal of a threat, different threat disposal strategies must be distributed to security devices of different protective capability, and the effect of the coordinated disposal must then be determined so that the strategies can be adjusted reasonably. However, existing threat disposal techniques do not dispose of threats in a coordinated manner and only achieve local protection, and existing disposal-effect determination techniques do not comprehensively consider the disposal effect of each coordinated disposal object or assess the disposal effect from a global perspective. They therefore struggle to determine the effect of coordinated threat disposal and cannot accurately evaluate the actual security state of a large-scale network.
Summary of the invention
To address the technical problems in the prior art, embodiments of the present invention provide a method and system for determining the effect of threat disposal in a network.
In a first aspect, embodiments of the present invention provide a method for determining the effect of threat disposal in a network, comprising:
for any attacked object in the network, choosing several objects from among the objects that execute the threat disposal strategy for the attacked object, to form the attacked object's disposal-result verification object set;
if the disposal result of at least one object in the attacked object's disposal-result verification object set is success, determining, on the basis of the attacked object's index contribution table, the indices whose contribution meets the index selection condition, to form the attacked object's target index set, where an object's disposal result is success when the object executed the threat disposal strategy successfully;
determining, from the attacked object's target index set, the threat disposal effect of the threat disposal strategy in the network.
In a second aspect, embodiments of the present invention provide a system for determining the effect of threat disposal in a network, comprising:
a disposal-result verification object set acquisition module, which, for any attacked object in the network, chooses several objects from among the objects that execute the threat disposal strategy for the attacked object, to form the attacked object's disposal-result verification object set;
a target index set acquisition module, which, if the disposal result of at least one object in the attacked object's disposal-result verification object set is success, determines, on the basis of the attacked object's index contribution table, the indices whose contribution meets the index selection condition, to form the attacked object's target index set, where an object's disposal result is success when the object executed the threat disposal strategy successfully;
an effect determination module, which determines, from the attacked object's target index set, the threat disposal effect of the threat disposal strategy in the network.
In a third aspect, embodiments of the present invention provide an electronic device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the program, the steps of the method of the first aspect are carried out.
In a fourth aspect, embodiments of the present invention provide a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, carries out the steps of the method of the first aspect.
With the method and system provided in embodiments of the present invention, after the security devices have executed the threat disposal strategy, different verification means are chosen dynamically according to the threat situation, the disposal objects and the disposal strategy, and the disposal effect of the coordinated objects is determined comprehensively from a global perspective, so that the effect of coordinated threat disposal is determined. This achieves effective determination of the threat disposal effect and accurate evaluation of the actual security state of a large-scale network.
Detailed description of the invention
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing them are briefly introduced below. The drawings described below are some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of the method for determining threat disposal effect in a network provided in an embodiment of the present invention;
Fig. 2 is a network structure topology diagram provided in an embodiment of the present invention;
Fig. 3 is a structural diagram of the system for determining threat disposal effect in a network provided in an embodiment of the present invention;
Fig. 4 is a module relationship diagram of the system for determining threat disposal effect in a network provided in an embodiment of the present invention;
Fig. 5 is a schematic diagram of the physical structure of an electronic device provided in an embodiment of the present invention.
Specific embodiment
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention; all other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow diagram of the method for determining threat disposal effect in a network provided in an embodiment of the present invention. As shown in Fig. 1, the method comprises:
Step 101: for any attacked object in the network, choose several objects from among the objects that execute the threat disposal strategy for the attacked object, to form the attacked object's disposal-result verification object set.
The method provided in embodiments of the present invention is described as applied in a complex network environment. A complex network environment usually means a large-scale heterogeneous network such as a private network, a space-ground integrated network, the Internet of Things, or the network hosting various service systems (for example an electronic bill service system, an e-commerce system or an e-government system). A complex network environment is usually composed of multiple devices and/or systems. For convenience, the complex network environment is called the target network, and devices and systems are collectively called objects.
Devices include but are not limited to any one or more of: terminals (fixed terminals, mobile terminals, satellite terminals), servers, routers, access gateways, interworking gateways, content filtering devices, firewalls, encryption devices, authentication devices, VPNs, honeypots, switches, modems, hubs and bridges. Systems include but are not limited to any one or more of: intrusion prevention systems, intrusion detection systems, intrusion tolerance systems, authentication systems, authorization systems, device management systems and threat analysis systems. A device here may be a physical device or a virtual device obtained through virtualization technology. The specific objects differ according to the application field.
In a private network, besides general-purpose devices, objects also include some non-general-purpose devices. Devices include but are not limited to any one or more of: industrial control gateways, traffic filtering and monitoring devices, and circulation control devices. Systems include but are not limited to any one or more of: storage systems, office systems, document exchange systems and supervision systems.
In a space-ground integrated network, devices include but are not limited to any one or more of: satellites of all kinds, high-speed spacecraft terminals, space-based backbone network ground terminals, Ka high-capacity broadband portable/fixed terminals, high-orbit satellite mobile military handheld/civilian vehicle-mounted terminals, low-orbit constellation handheld/vehicle-mounted terminals, Ku (FDMA) portable/fixed terminals, Ku (TDMA) portable/fixed terminals and other secure terminals, space-based backbone security satellite access gateways, broadband satellite secure access gateways, satellite mobile secure access gateways, secure interconnection gateways between heterogeneous networks, and secure interconnection gateways between terrestrial networks. Systems include but are not limited to any one or more of: identity management systems, access authentication systems, internetworking security control systems, cryptographic resource management systems, threat convergence analysis and situation early-warning systems, and network-wide security device unified management systems.
In the Internet of Things, devices include but are not limited to any one or more of: IoT firewalls, IoT integrated secure access gateways, inter-network interworking gateways, heterogeneous data collection gateways, and one-way/two-way data isolation devices. Systems include but are not limited to any one or more of: data exchange application proxy software, data flow monitoring systems, orchestrable application protection systems, IoT topology mapping systems, security service demand and resource management systems, data storage scheduling management systems, IoT security control centre management systems, and device discovery and identification systems.
In the network hosting various service systems, devices include but are not limited to any one or more of: electronic credential high-speed authorization service devices and unified authentication service devices. Systems include but are not limited to any one or more of: electronic credential authorization service management systems, electronic credential state management and control systems, unified authentication service management systems, electronic credential inspection service systems, multi-service electronic credential collaborative issuing systems, mass electronic credential data storage systems, identity identification systems, cryptographic service support systems and data storage systems.
When an attacker launches an attack on the target network, one or several objects in the target network are usually attacked; an object that suffers an attack is called an attacked object. For an attacked object in the target network, the objects that execute the threat disposal strategy for that attacked object can be learned from the threat disposal strategy generated and/or decomposed by the threat disposal command centre, and several of those objects are chosen to form the attacked object's disposal-result verification object set.
Step 102: if the disposal result of at least one object in the attacked object's disposal-result verification object set is success, determine, on the basis of the attacked object's index contribution table, the indices whose contribution meets the index selection condition, to form the attacked object's target index set; an object's disposal result is success when the object executed the threat disposal strategy successfully.
The attacked object's index contribution table records the mapping between indices and the contribution of each index to the successful verification of a given disposal result.
The contributions in the index contribution table may be set statically in advance or assigned and adjusted dynamically; embodiments of the present invention do not limit this.
The indices include but are not limited to any one or more of: network interface state indices, network state indices, TCP connection indices, link state indices, satellite node port indices, operating system indices, file system indices and process information indices. Specifically:
Network interface state indices, e.g., wireless transmit/receive signal strength (transmission rate, bandwidth), access point, access beam, frequency point, received packet count, received byte count, received error packet count, dropped packet count, FIFO buffer error count, frame error count, transmitted packet count, transmitted byte count, transmitted error packet count, whether the network is available, whether WiFi is available, whether perceived WiFi is available, and connection speed;
Network state indices, e.g., the number of TCP connections in each of the ESTABLISHED, SYN_SENT, SYN_RECV, FIN_WAIT1, FIN_WAIT2, TIME_WAIT, CLOSED, CLOSE_WAIT, LAST_ACK, LISTEN, CLOSING and IDLE states, inbound TCP connection count, and outbound TCP connection count;
TCP connection indices, e.g., number of actively established TCP connections, number of passively established TCP connections, number of failed connection attempts, number of reset connections, current connection count, TCP segments entering the entity, TCP segments leaving the entity, retransmission count, receive error count, and send retransmission count;
Link state indices, e.g., link start point, link end point, link bandwidth, link utilization, link connectivity, link propagation delay, and link hold time;
Satellite node port indices, e.g., satellite node port index, satellite node port type, satellite node port maximum rate, antenna corresponding to the satellite node port, bytes received by the port, bytes sent by the port, input bytes discarded by the port, and output bytes discarded by the port;
Operating system indices, e.g., number of system users, number of displayed processes, uptime, process information, statistics, etc. Process information items include but are not limited to: process ID, process name, process state, parent process ID, process priority, process nice value, process CPU utilization, thread count of the process, total file descriptors, resident memory size, process start time, and CPU share.
File system indices, e.g., file system usage ratio, inode count, available inode count, static file system information (disk device name, path, total space), and dynamic file system information (used space, available space, usage percentage);
Process information indices, e.g., total process count, sleeping process count, running process count, zombie process count, stopped process count, idle process count, total thread count, etc.
In addition, the assessment indices differ according to the application field. For example, in a space-ground integrated network the indices may further include but are not limited to abnormal satellite terminal inbound information, abnormal use of cryptographic resources, and linked-control contamination effect information. In an electronic bill service system the indices may further include but are not limited to electronic credential abnormal-behaviour indices, which include but are not limited to over-limit amount/type issuance, repeated/false invoice write-off, false system connections and repeated password attempts. In a private network, office system indices include but are not limited to illegal file operations on the relevant devices and systems, illegal circulation, illegal publication, abnormal communication, illegal storage, illegal media access operations, and audit logs.
Specifically, every object in the disposal-result verification object set is meant to execute the threat disposal strategy, but each object may either succeed or fail. If all objects in the set failed to execute the strategy, it can be determined that the strategy did not dispose of the threat, and no further steps are needed. If at least one object in the set executed the strategy successfully, it can be determined that the strategy has been used to dispose of the threat, and the subsequent steps continue in order to determine the disposal effect of the strategy.
For example, if the disposal-result verification object set contains only firewall FW1 and firewall FW2, and FW1 alone, FW2 alone, or both FW1 and FW2 executed the strategy successfully, then at least one object in the set has a successful disposal result, and the subsequent steps continue to determine the disposal effect of the strategy.
Further, if the disposal result of at least one object in the set is success, the indices whose contribution meets the index selection condition are determined on the basis of the attacked object's index contribution table, to form the target index set. The index contribution table records whether an index can be used to judge that an object is abnormal, together with the contribution of that index to the abnormality judgement; the higher an index's contribution, the more likely that index is chosen to judge the object's abnormal state.
Further, based on the index contribution table, the indices whose contribution meets the index selection condition are determined to form the target index set. Index selection conditions include but are not limited to: the contributions ranked highest in descending order, a contribution equal to a specific value, a contribution above a specific value, etc.; the present invention does not limit this.
Step 103: from the attacked object's target index set, determine the threat disposal effect of the threat disposal strategy in the network.
Specifically, threat disposal effect means the effectiveness of the threat disposal strategy in disposing of the cyber threat; it reflects the change in the network's security state between before and after the strategy is executed. The better the network's security state, the better the threat disposal effect, and vice versa.
With the method provided in this embodiment of the present invention, after the security devices have executed the threat disposal strategy, different verification means are chosen dynamically according to the threat situation, the disposal objects and the disposal strategy, and the disposal effect of the coordinated objects is determined comprehensively from a global perspective, so that the effect of coordinated threat disposal is determined. This achieves effective determination of the threat disposal effect and accurate evaluation of the actual security state of a large-scale network.
On the basis of the various embodiments described above, the step 101 of above-described embodiment is specifically described in the embodiment of the present invention, That is, being illustrated to the acquisition of disposition result verification object set.For any of network by object of attack, from described It is threatened in the object of Disposal Strategies by the execution of object of attack, chooses several objects to form the disposition by object of attack Result verification object set further comprises:
Determine it is described by object of attack to attacker and/or the path of external network, to form set of paths.
Specifically, attacker refers to the attacker to launch a offensive to target network, refers to target network by object of attack The under fire side attacked in network, is corresponding with a confidence region by object of attack, the network other than confidence region is known as the quilt The external network of object of attack.
For by object of attack, determining this by object of attack to attacker and/or the road of external network in target network Diameter, to form set of paths.For example, Fig. 2 is a kind of network structure topological diagram provided in an embodiment of the present invention, such as Fig. 2 institute Show, includes target network (domain 1 and the area DMZ), attacker and external network (domain 2) in network.In target network by attack pair As for Web service 1 and database server, Web service 1 to attacker only has a paths: Web service 1 is via Web service 1 Place server, firewall FW2, gateway reach attacker, for the convenience of description, being referred to as path 1;Outside is arrived in Web service 1 Network only has a paths: Web service 1 is arrived via 1 place server of Web service, firewall FW1, interchanger, xegregating unit 2 Up to domain 2, for the convenience of description, being referred to as path 2;Database service only has a paths: database service institute to attacker Attacker is reached in server, xegregating unit 1, firewall FW1, firewall FW2, gateway, for the convenience of description, being referred to as road Diameter 3;Database service only has a paths: server, xegregating unit 1, firewall where database service to external network FW1, xegregating unit 2 reach domain 2, for the convenience of description, being referred to as path 4.Therefore, set of paths be path 1, path 2, Path 3, path 4 }.
Determine each path in the set of paths via object in whether comprising for executing threat Disposal Strategies Object, and the path for being used to execute the object for threatening Disposal Strategies will not included after rejecting in the set of paths, generate mesh Mark set of paths.
Specifically, for that, by object of attack, can be disposed at the threat that command centre generates by threatening in target network It sets strategy and learns that this is threatened the object of Disposal Strategies by the execution of object of attack.Therefore, it can determine that each path in set of paths Via object in whether comprising for executes threat Disposal Strategies object.
For example, as shown in Fig. 2, suppose Web service 1 and the database service suffer two classes of denial-of-service attack, SYN Flood and CC (Challenge Collapsar), and the threat disposition policy is:
Firewall TCP connection count / SYN segment threshold: on firewall FW2, between 8:00 and 24:00, an upper limit is set on the number of TCP connections to Web service 1, and a per-second threshold is set on the number of SYN segments passing to the specified object (in this example the server hosting Web service 1);
Scheduled service shutdown: Web service 1 is set to stop providing external service between 24:00 and 8:00 the next day;
Scheduled access prohibition: on firewall FW1, Web service 1 is forbidden from accessing the database service between 24:00 and 8:00 the next day.
From the threat disposition policy it is therefore known that the objects executing the threat disposition policy are: the server hosting Web service 1, firewall FW1 and firewall FW2.
Path 1 in the path set passes through the server hosting Web service 1, firewall FW2 and the gateway; path 2 passes through the server hosting Web service 1, firewall FW1, the switch and isolation device 2; path 3 passes through the server hosting the database service, isolation device 1, firewall FW1, firewall FW2 and the gateway; path 4 passes through the server hosting the database service, isolation device 1, firewall FW1 and isolation device 2. Thus path 1 passes through two policy-executing objects, the server hosting Web service 1 and firewall FW2; path 2 passes through the server hosting Web service 1 and firewall FW1; path 3 passes through firewall FW1 and firewall FW2; and path 4 passes through firewall FW1. However, on paths 2 and 4 the policy executed by the policy-executing devices is unrelated to the other devices on those paths, so these two paths are rejected. The target path set is therefore {path 1, path 3}, and the removed path set is {path 2, path 4}.
For each path in the target path set, several objects are selected from the policy-executing objects that the path passes through, as the disposition result verification objects of that path.
Specifically, for path 1, several of the policy-executing objects it passes through, the server hosting Web service 1 and firewall FW2, are taken as the disposition result verification objects of path 1; for path 3, several of firewall FW1 and firewall FW2 are taken as the disposition result verification objects of path 3.
The disposition result verification objects of all paths in the target path set are combined to generate the disposition result verification object set of the attacked object.
Specifically, if firewall FW2 on path 1 is taken as the disposition result verification object of path 1, and firewall FW1 on path 3 is taken as the disposition result verification object of path 3, then the disposition result verification object set is {FW1, FW2}.
On the basis of the above embodiments, the embodiment of the present invention describes the selection of disposition result verification objects. That is, selecting several objects from the policy-executing objects that the path passes through as the disposition result verification objects of the path further comprises:
For the policy-executing objects that the path passes through, selecting several objects as disposition result verification objects according to any one or more of: the running state of the object with its corresponding first weight, the load condition of the object with its corresponding second weight, and the credibility of the object with its corresponding third weight.
Specifically, the running state of an object includes but is not limited to shut down, silent, abnormal and normal; the load condition of an object includes but is not limited to the usage of CPU, storage and network bandwidth resources, which may be expressed as percentages; the credibility of an object refers to how trustworthy the candidate object is, which may be represented by a discrete value assigned according to, for example, whether the device has ever been compromised.
Further, the method of selecting several objects as disposition result verification objects according to any one or more of the running state with its first weight, the load condition with its second weight, and the credibility with its third weight includes but is not limited to the following:
For the policy-executing objects that the paths in the target path set pass through, the running state, load condition and credibility of each object are quantified. Quantifying the running state, load condition and credibility of an object means: mapping the running state of the object to a value between 0 and 1 according to how good it is; mapping the load condition of the object to a value between 0 and 1 according to how good it is; and mapping the credibility of the object to a value between 0 and 1 according to how good it is.
For any object, the quantified running state is multiplied by the corresponding first weight to obtain a first result, the quantified load condition is multiplied by the corresponding second weight to obtain a second result, and the quantified credibility is multiplied by the corresponding third weight to obtain a third result. A calculated result value of the object is then computed from the first result, the second result and the third result.
The calculated result values of all objects are compared, and the objects whose calculated result value satisfies the object selection condition are taken as disposition result verification objects. The object selection condition includes but is not limited to: the largest calculated result value, the second largest calculated result value, a calculated result value equal to a particular value, a calculated result value above a particular value, and so on.
For example, the selection of several disposition result verification objects from the policy-executing objects is illustrated for path 3, scoring all three policy-executing objects of Fig. 2, namely the server hosting Web service 1, firewall FW1 and firewall FW2, where:
The running state, load condition and credibility of the server hosting Web service 1 are:
Running state: running normally; the quantified running state is 1;
Load condition: running at 70% load; the quantified load condition is 70%;
Credibility: 70% credible; the quantified credibility is 70%;
The weight of the running state is 0.2, the weight of the load condition is 0.2, and the weight of the credibility is 0.6.
The running state, load condition and credibility of firewall FW1 are:
Running state: running normally; the quantified running state is 1;
Load condition: running at 75% load; the quantified load condition is 75%;
Credibility: 90% credible; the quantified credibility is 90%;
The weight of the running state is 0.2, the weight of the load condition is 0.2, and the weight of the credibility is 0.6.
The running state, load condition and credibility of firewall FW2 are:
Running state: running normally; the quantified running state is 1;
Load condition: running at 100% load; the quantified load condition is 100%;
Credibility: 99% credible; the quantified credibility is 99%;
The weight of the running state is 0.2, the weight of the load condition is 0.2, and the weight of the credibility is 0.6.
Then the weighted averages of the policy-executing objects are as follows (the load term enters with a negative sign, since a more heavily loaded object is a worse verification candidate):
Weighted average of the server hosting Web service 1: A(Web1) = 1*0.2 + (-70%)*0.2 + (70%)*0.6 = 0.48;
Weighted average of FW1: A(FW1) = 1*0.2 + (-75%)*0.2 + (90%)*0.6 = 0.59;
Weighted average of FW2: A(FW2) = 1*0.2 + (-100%)*0.2 + (99%)*0.6 = 0.594.
If the object selection condition is the largest weighted average, firewall FW2 is taken as the disposition result verification object of path 3.
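The path filtering and verification-object scoring described above, as an added example that is not code from the patent or its assignee. The path set and the policy-executing objects are those of Fig. 2 and the metric values and weights are those of the worked example; two things are assumptions not stated on the page: each policy is given a "governs" set of path endpoints so that the rejection of paths 2 and 4 can be reproduced mechanically, and the load term is subtracted, matching the arithmetic above.

```python
"""Added example, not code from the patent: builds the Fig. 2 path set as
data, filters it to the target path set, and scores the policy-executing
objects on each kept path to choose disposition result verification objects.

Assumptions not stated on the page: the 'governs' sets of the policies, and
that load is subtracted (a heavily loaded device is a poor verifier).
"""
from dataclasses import dataclass

# Path set from the Fig. 2 description: name -> (source, destination, via objects).
PATH_SET = {
    "path1": ("web1", "attacker", ["web1_server", "FW2", "gateway"]),
    "path2": ("web1", "domain2", ["web1_server", "FW1", "switch", "iso2"]),
    "path3": ("db", "attacker", ["db_server", "iso1", "FW1", "FW2", "gateway"]),
    "path4": ("db", "domain2", ["db_server", "iso1", "FW1", "iso2"]),
}

# Threat disposition policy: executing object -> endpoints its rule governs.
# The executing objects are from the page; the 'governs' sets are constructed.
POLICY = {
    "FW2": {"web1", "db", "attacker"},    # TCP-connection / SYN thresholds at the perimeter
    "web1_server": {"web1", "attacker"},  # scheduled shutdown of Web service 1
    "FW1": {"web1", "db"},                # scheduled ban on web1 -> db access
}


def target_paths(path_set, policy):
    """Split the path set into (target paths, removed paths).

    A path is kept when it passes through at least one policy-executing
    object whose rule governs both endpoints of the path; the candidate
    verification objects of a kept path are all executing objects on it.
    """
    kept, removed = {}, set()
    for name, (src, dst, via) in path_set.items():
        executors = [o for o in via if o in policy]
        if any({src, dst} <= policy[o] for o in executors):
            kept[name] = executors
        else:
            removed.add(name)
    return kept, removed


@dataclass(frozen=True)
class ObjectMetrics:
    state: float  # running state quantised to [0, 1]; 1.0 = normal
    load: float   # resource usage in [0, 1]; higher is worse
    trust: float  # credibility in [0, 1]


WEIGHTS = (0.2, 0.2, 0.6)  # first, second and third weight from the page


def calculated_result(m, weights=WEIGHTS):
    """Weighted score of one object; the load term enters negatively."""
    w1, w2, w3 = weights
    return round(w1 * m.state - w2 * m.load + w3 * m.trust, 4)


def choose_verification_object(candidates, metrics):
    """Object selection condition used here: largest calculated result."""
    scores = {o: calculated_result(metrics[o]) for o in candidates}
    return max(scores, key=scores.get), scores


def verification_object_set(path_set, policy, metrics):
    """Union of the chosen verification object of every target path."""
    kept, _removed = target_paths(path_set, policy)
    return {choose_verification_object(c, metrics)[0] for c in kept.values()}


# Metric values from the page's worked example.
METRICS = {
    "web1_server": ObjectMetrics(1.0, 0.70, 0.70),
    "FW1": ObjectMetrics(1.0, 0.75, 0.90),
    "FW2": ObjectMetrics(1.0, 1.00, 0.99),
}

if __name__ == "__main__":
    kept, removed = target_paths(PATH_SET, POLICY)
    print("target paths:", kept, "removed:", sorted(removed))
    print("scores:", choose_verification_object(["web1_server", "FW1", "FW2"], METRICS))
    print("verification object set:", verification_object_set(PATH_SET, POLICY, METRICS))
```

With the largest-score condition FW2 wins on both target paths, so the verification object set collapses to {FW2}; the page's alternative of taking FW1 for path 3 corresponds to a different selection condition (for example the second-largest score), which choose_verification_object can be adapted to by replacing max.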
On the basis of the above embodiments, if the disposition result of at least one object in the disposition result verification object set of the attacked object is success, then, before the indices whose contribution degree satisfies the index selection condition are determined on the basis of the index contribution degree table of the attacked object, the method further comprises:
For each object in the disposition result verification object set of the attacked object, determining the target verification mode for the disposition result of that object.
Specifically, if the disposition result verification object of path 1 is firewall FW2 and the disposition result verification object of path 3 is firewall FW1, the disposition result verification object set is {FW1, FW2}, and for each object in the disposition result verification object set the target verification mode for the disposition result of that object is determined.
It should be noted that there are multiple verification modes, such as a direct verification mode and/or an indirect verification mode, and this embodiment needs to select one of them as the target verification mode for the disposition result of an object. In the direct verification mode the verifier reproduces the attack, but with a lower attack intensity and a shorter duration than the real attack, and judges the result from the feedback of the attacked object or of the object executing the threat disposition policy to the reproduced attack. In the indirect verification mode the verifier sends general-purpose packets that nevertheless have verification capability (for example, ping packets when verifying network reachability) and judges the result from the feedback of the attacked object or of the policy-executing object to those verification packets. The embodiment of the present invention may select one of the direct verification mode and the indirect verification mode as the target verification mode for the disposition result of the object. Attack intensity includes but is not limited to any one or more of: attack frequency, number of attack sources, and attack traffic volume.
The disposition result of the object is verified according to the target verification mode, to determine whether the disposition result of the object is success or failure.
Specifically, a disposition result of success means that the object executed the threat disposition policy successfully, and a disposition result of failure means that the object failed to execute the threat disposition policy.
On the basis of the above embodiments, determining the target verification mode for the disposition result of the object further comprises:
Determining a candidate verification mode set for verifying the disposition result of the object.
Specifically, the candidate verification mode set of an object is usually {direct verification mode, indirect verification mode}; both candidate verification modes have been described in the above embodiments and are not repeated here.
For each candidate verification mode in the candidate verification mode set, a score of the candidate verification mode is determined according to any one or more of: the user's verification demand, the potential loss to the network when the candidate verification mode is used to verify the disposition result of the object, the verification cost of the candidate verification mode, and the historical validity of the candidate verification mode.
Specifically, the user's verification demand includes but is not limited to the required probability of successful verification.
The potential loss to the network when a candidate verification mode is used to verify the disposition result of the object refers to the loss caused to the objects in the network by using that verification mode if the disposition has in fact failed (for example, the attacked object was subjected to a SYN Flood attack, the threat disposition policy did not take effect, and the verification mode reproduces the SYN Flood attack, so that the attacked object is "damaged" again).
The verification cost of a candidate verification mode includes but is not limited to the computation, storage and/or network bandwidth resource overhead required when verifying with that mode. The factors influencing the verification cost of the direct verification mode include the type, intensity and duration of the reproduced attack; the factor influencing the verification cost of the indirect verification mode is the concrete type of the verification mode.
The historical validity of a candidate verification mode is the ratio of the number of times a disposition result was verified successfully using that mode to the total number of verifications performed with that mode in the verification history.
When there are multiple candidate verification modes, a cost trade-off may be adopted: the positive benefit of adopting a candidate verification mode (satisfaction of the user demand) and its negative benefit (the potential loss if the disposition has failed, together with the verification cost of that mode) are considered simultaneously; a candidate verification mode whose positive benefit exceeds its negative benefit is chosen, and when several candidate verification modes have a positive benefit exceeding their negative benefit, the one with the largest difference between positive and negative benefit is chosen. The positive and negative benefits of the candidate verification modes may be assigned statically in advance, or computed dynamically from, for example, the resource load of the object and the resource consumption of the verification mode; this is not limited here.
For example, take firewall FW1 in the disposition result verification object set {FW1, FW2}. For firewall FW1:
User verification demand: 80%;
Direct verification mode: potential loss 0.9, verification cost 0.7, historical validity 85%;
Indirect verification mode: potential loss 0.2, verification cost 0.1, historical validity 90%.
Then, for firewall FW1:
Positive benefit of the direct verification mode = historical validity ÷ verification demand = 85% ÷ 80% = 1.0625;
Negative benefit of the direct verification mode = 0.8*potential loss + 0.2*verification cost = 0.8*0.9 + 0.2*0.7 = 0.86;
Difference between the positive and negative benefit of the direct verification mode = 1.0625 - 0.86 = 0.2025;
Positive benefit of the indirect verification mode = historical validity ÷ verification demand = 90% ÷ 80% = 1.125;
Negative benefit of the indirect verification mode = 0.8*potential loss + 0.2*verification cost = 0.8*0.2 + 0.2*0.1 = 0.18;
Difference between the positive and negative benefit of the indirect verification mode = 1.125 - 0.18 = 0.945;
Therefore 0.2025 is taken as the score of the direct verification mode and 0.945 as the score of the indirect verification mode.
The scores of the candidate verification modes in the candidate verification mode set are compared, and the candidate verification mode whose score satisfies the score selection condition is taken as the target verification mode for the disposition result of the object. The target verification mode may be the direct verification mode, the indirect verification mode, or a combination of the direct and indirect verification modes.
Specifically, the score selection condition may be the largest score, the second largest score, and so on; the embodiment of the present invention does not specifically limit it. If the score selection condition is the largest score, the scores of the candidate verification modes in the candidate verification mode set are compared, and the candidate verification mode with the largest score is taken as the target verification mode for the disposition result of firewall FW1.
Specifically, since 0.945 is greater than 0.2025, the indirect verification mode is taken as the target verification mode for the disposition result of firewall FW1.
Further, the disposition result of firewall FW1 is verified using the target verification mode, to determine whether the disposition result of the object is success or failure. The process is as follows:
Firewall FW1 is probed using the target verification mode to obtain an actual result, and the actual result is compared with the expected result: if the actual result agrees with the expected result, the disposition result is determined to be success; otherwise it is disposition failure. For example, when a ping packet is sent, the expected result is "ping reports destination host unreachable"; the actual result is then examined to see whether an unreachable report really comes back or whether the ping still succeeds. If the ping fails (i.e. destination host unreachable is returned), the disposition result is success and subsequent operations continue; if the ping succeeds, the disposition has failed.
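The verification-mode scoring and the expected-versus-actual check described above, as an added example that is not code from the patent or its assignee. The mode figures for FW1 and the 0.8/0.2 benefit weights are those of the worked example; the simulated firewall, its rule table, the probe format and the clock hour are constructed assumptions, and a real verifier would send the probe and read the device's feedback instead of calling simulate_probe().

```python
"""Added example, not code from the patent: scores candidate verification
modes with the page's cost trade-off (positive benefit = historical validity
/ user demand; negative benefit = 0.8 * potential loss + 0.2 * verification
cost; score = difference), picks the best mode, and runs an indirect,
ping-style verification against a simulated firewall FW1.

Constructed assumptions: the firewall simulation, the rule format and the
hour at which the probe is sent.
"""
from dataclasses import dataclass

LOSS_WEIGHT, COST_WEIGHT = 0.8, 0.2  # negative-benefit weights from the page


@dataclass(frozen=True)
class ModeProfile:
    potential_loss: float    # loss to the network if the disposition had failed
    cost: float              # resource cost of running the mode
    history_validity: float  # successful verifications / total verifications


def score_mode(profile, user_demand):
    positive = profile.history_validity / user_demand
    negative = LOSS_WEIGHT * profile.potential_loss + COST_WEIGHT * profile.cost
    return round(positive - negative, 4)


def choose_verification_mode(candidates, user_demand):
    """Only modes whose positive benefit exceeds the negative one qualify;
    among those the largest difference wins. Returns (mode or None, scores)."""
    scores = {m: score_mode(p, user_demand) for m, p in candidates.items()}
    eligible = {m: s for m, s in scores.items() if s > 0}
    if not eligible:
        return None, scores
    return max(eligible, key=eligible.get), scores


# Indirect verification: a reachability probe against a simulated firewall.
@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    start_hour: int  # active in [start_hour, end_hour), wrapping past midnight
    end_hour: int


def rule_active(rule, hour):
    if rule.start_hour < rule.end_hour:
        return rule.start_hour <= hour < rule.end_hour
    return hour >= rule.start_hour or hour < rule.end_hour


def simulate_probe(rules, src, dst, hour):
    """Feedback of a firewall holding `rules` to a ping-style probe."""
    for r in rules:
        if (r.src, r.dst) == (src, dst) and rule_active(r, hour):
            return "unreachable"
    return "reachable"


def verify_disposition(policy_rules, installed_rules, src, dst, hour):
    """Expected result is what the policy says the firewall should answer;
    actual result is the device's feedback. Returns True (success), False
    (failure) or None (inconclusive: the policy would not block this probe
    at this hour, so a reachable answer proves nothing either way)."""
    expected = simulate_probe(policy_rules, src, dst, hour)
    if expected == "reachable":
        return None
    return simulate_probe(installed_rules, src, dst, hour) == expected


# Page's figures for firewall FW1 and its scheduled access ban (24:00 to 08:00).
FW1_MODES = {
    "direct": ModeProfile(0.9, 0.7, 0.85),
    "indirect": ModeProfile(0.2, 0.1, 0.90),
}
BAN_WEB1_TO_DB = Rule("web1", "db", 0, 8)

if __name__ == "__main__":
    print(choose_verification_mode(FW1_MODES, user_demand=0.8))
    # Probe at 03:00: rule installed -> success; rule missing -> failure.
    print(verify_disposition([BAN_WEB1_TO_DB], [BAN_WEB1_TO_DB], "web1", "db", 3))
    print(verify_disposition([BAN_WEB1_TO_DB], [], "web1", "db", 3))
    # Probe at 10:00: outside the ban window, so the probe is inconclusive.
    print(verify_disposition([BAN_WEB1_TO_DB], [], "web1", "db", 10))
```

The inconclusive case is the practical caveat of the indirect mode: a scheduled policy can only be verified by a probe sent inside its active window, otherwise a successful ping is consistent with both a working and a missing rule.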
On the basis of the above embodiments, the embodiment of the present invention describes how the threat disposition effect of the threat disposition policy is determined from the target indicator sets of the attacked objects in the network:
For each attacked object in the network, one candidate effect calculation method is selected from the candidate effect calculation method set as the target effect calculation method of that attacked object.
Specifically, the candidate effect calculation method set may include: the weighted mean method, the analytic hierarchy process (AHP), fuzzy comprehensive evaluation, fuzzy AHP, Bayesian networks, Markov processes, Petri nets, attack graphs, D-S evidence theory, grey relational analysis, rough sets, cluster analysis, and so on.
Based on the target effect calculation method, the threat disposition effect of the threat disposition policy on the attacked object is determined from the target indicator set of the attacked object.
For example, if the target effect calculation method is the weighted mean method and the target indicator set of the attacked object comprises CPU utilisation, network bandwidth occupancy, TCP connection count, service response time and response success rate, the values of the target indicators are determined.
Suppose the value of CPU utilisation is 40%, the value of network bandwidth occupancy is 35%, the value of the TCP connection count is 1300, the value of the service response time is 0.1 s and the value of the response success rate is 95%; the score for a CPU utilisation of 40% is 3, the score for a network bandwidth occupancy of 35% is 3, the score for a TCP connection count of 1300 is 2, the score for a service response time of 0.1 s is 4, the score for the response success rate is 4, and the weight of each target indicator is 0.2. Then the threat disposition effect value = 0.2*(3+3+2+4+4) = 3.2. The threat disposition effect of the threat disposition policy on this attacked object is determined from this score.
The threat disposition effect of the threat disposition policy is determined from the threat disposition effect of the threat disposition policy on each attacked object in the network and/or the importance of each attacked object.
On the basis of the above embodiments, the embodiment of the present invention describes how one candidate effect calculation method is selected from the candidate effect calculation method set as the target effect calculation method of the attacked object:
An effect calculation method satisfying the effect calculation method selection condition is chosen as the target effect calculation method of the attacked object, according to any one or more of the time complexity, the space complexity and the validity of the candidate effect calculation methods in the candidate effect calculation method set.
Specifically, the effect calculation method selection condition may be: lowest time complexity, time complexity below a first preset threshold, lowest space complexity, space complexity below a second preset threshold, highest validity, validity above a third preset threshold, the lowest or highest weighted average of any number of the three quantities time complexity, space complexity and validity, time complexity and/or space complexity as low as possible subject to the validity meeting a preset value, and so on. The concrete selection may be implemented by direct comparison, multi-objective programming, etc.; this is not limited here.
On the basis of the above embodiments, determining the threat disposition effect of the threat disposition policy from the threat disposition effect of the threat disposition policy on each attacked object in the network and/or the importance of each attacked object further comprises:
For any attacked object in the network, quantifying the threat disposition effect on the attacked object, and quantifying the importance of the attacked object;
Obtaining the relative disposition effect value of the attacked object from the quantified threat disposition effect and/or the quantified importance; the ways of obtaining the relative disposition effect value of the attacked object include but are not limited to: taking the quantified threat disposition effect directly as the relative disposition effect value of the attacked object, or multiplying the quantified threat disposition effect by the quantified importance to obtain the relative disposition effect value of the attacked object.
Obtaining the threat disposition effect value of the threat disposition policy from the relative disposition effect values of the attacked objects in the network; the ways of obtaining the threat disposition effect value of the threat disposition policy include but are not limited to: summing the relative disposition effect values of the attacked objects in the network.
Matching the threat disposition effect value against preset effect value grades, to obtain the threat disposition effect of the threat disposition policy.
On the basis of the above embodiments, matching the threat disposition effect value against preset effect value grades to obtain the threat disposition effect of the threat disposition policy further comprises:
Adjusting the threat disposition policy according to the matching result;
and/or
After the adjusted disposition policy has been executed, determining the threat disposition effect again.
Specifically, if the threat disposition effect satisfies a preset condition, the threat disposition policy is kept unchanged. If the threat disposition effect does not satisfy the preset condition, it is judged whether the removed path set is empty: if the removed path set is empty, the threat disposition policy is deemed not to have taken effect, and the threat disposition policy is adjusted and/or the security devices or systems on the paths are replaced or upgraded; if the removed path set is not empty, it is deemed that not enough threat disposition policies have been deployed, and further threat disposition policies are deployed on the paths in the removed path set. The preset condition includes but is not limited to: not lower than a preset effect value, or higher than a preset effect value.
Optionally, after the adjusted disposition policy has been executed, the threat disposition effect is determined again.
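The effect calculation and the adjustment decision described above, as an added example that is not code from the patent or its assignee. Web service 1's indicator values and the equal 0.2 weights are those of the worked example; the scoring bands (chosen so that they reproduce the scores quoted above), the grade thresholds, the importance values and the database server's indicator values are constructed assumptions.

```python
"""Added example, not code from the patent: maps raw indicator values to
scores, computes the weighted-mean effect value per attacked object (the
page's 3.2), aggregates across attacked objects with their importance,
matches the result to a grade, and makes the adjustment decision that
depends on whether the removed path set is empty.

Constructed assumptions: BANDS, GRADES, the importance values and DB_RAW.
"""

# indicator -> (ascending band edges, higher_is_better). Constructed so that
# the page's scores (3, 3, 2, 4, 4) come out for Web service 1.
BANDS = {
    "cpu_utilisation": ([0.2, 0.4, 0.6, 0.8], False),
    "bandwidth_occupancy": ([0.1, 0.3, 0.5, 0.7], False),
    "tcp_connections": ([250, 500, 1000, 2000], False),
    "response_time_s": ([0.05, 0.2, 0.5, 1.0], False),
    "response_success_rate": ([0.5, 0.8, 0.9, 0.99], True),
}


def band_score(value, edges, higher_is_better):
    """1..5 score: count the band edges the value has reached, then flip
    the scale for indicators where a smaller value is better."""
    score = 1 + sum(1 for edge in edges if value >= edge)
    return score if higher_is_better else 6 - score


def score_indicators(raw, bands=BANDS):
    return {k: band_score(v, *bands[k]) for k, v in raw.items()}


def effect_value(scores, weights=None):
    """Weighted mean over the target indicator set (the page's method);
    equal weights when none are given."""
    if weights is None:
        weights = {k: 1.0 / len(scores) for k in scores}
    return round(sum(scores[k] * weights[k] for k in scores), 4)


def policy_effect_value(per_object_effect, importance=None):
    """Sum of relative effect values: effect * importance when importance
    has been quantised, otherwise the effect value itself."""
    return round(sum(
        eff * (importance[obj] if importance else 1.0)
        for obj, eff in per_object_effect.items()), 4)


GRADES = [(4.0, "excellent"), (3.0, "good"), (2.0, "fair"), (0.0, "poor")]  # constructed


def match_grade(value, grades=GRADES):
    return next((label for lower, label in grades if value >= lower), grades[-1][1])


def adjustment_action(effect, preset, removed_paths):
    """The page's decision: keep the policy when the effect meets the
    preset; otherwise an empty removed path set means the policy did not
    take effect, a non-empty one means too few policies were deployed."""
    if effect >= preset:
        return "keep"
    if not removed_paths:
        return "adjust policy and/or replace or upgrade security devices"
    return "deploy policies on " + ", ".join(sorted(removed_paths))


WEB1_RAW = {"cpu_utilisation": 0.40, "bandwidth_occupancy": 0.35,
            "tcp_connections": 1300, "response_time_s": 0.1,
            "response_success_rate": 0.95}
DB_RAW = {"cpu_utilisation": 0.85, "bandwidth_occupancy": 0.6,  # constructed
          "tcp_connections": 2500, "response_time_s": 0.8,
          "response_success_rate": 0.7}

if __name__ == "__main__":
    per_object = {"web1": effect_value(score_indicators(WEB1_RAW)),
                  "db": effect_value(score_indicators(DB_RAW))}
    total = policy_effect_value(per_object, importance={"web1": 0.4, "db": 0.6})
    print(per_object, total, match_grade(total))
    print(adjustment_action(total, preset=3.0, removed_paths={"path2", "path4"}))
```

With the removed path set {path 2, path 4} from the Fig. 2 walk-through, a below-preset effect leads to deploying additional policies on those two paths rather than to rewriting the existing policy; only once nothing has been removed does a poor effect point at the policy or the devices themselves.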
Fig. 3 is a schematic structural diagram of a system for determining the threat disposition effect in a network provided in an embodiment of the present invention. As shown in Fig. 3, the system comprises:
a disposition result verification object set obtaining module 301, configured to select, for any attacked object in the network, several objects from the objects that execute the threat disposition policy for that attacked object, to form the disposition result verification object set of the attacked object; a target indicator set obtaining module 302, configured to determine, if the disposition result of at least one object in the disposition result verification object set of the attacked object is success, the indices whose contribution degree satisfies the index selection condition on the basis of the index contribution degree table of the attacked object, to form the target indicator set of the attacked object, wherein a disposition result of success means that the object executed the threat disposition policy successfully; and an effect determining module 303, configured to determine the threat disposition effect of the threat disposition policy from the target indicator sets of the attacked objects in the network.
Specifically, an attacker launching an attack on the target network usually causes several objects in the target network to be attacked; the objects suffering the attack are called attacked objects. For an attacked object in the target network, the disposition result verification object set obtaining module 301 can learn, from the threat disposition policy generated by the threat disposition command centre, which objects execute the threat disposition policy for that attacked object, and selects several of those objects to form the disposition result verification object set of the attacked object. When the disposition result of at least one object in the disposition result verification object set of the attacked object is success, the target indicator set obtaining module 302 determines, on the basis of the index contribution degree table of the attacked object, the indices whose contribution degree satisfies the index selection condition, to form the target indicator set of the attacked object; here a disposition result of success means that the object executed the threat disposition policy successfully. The effect determining module 303 determines the threat disposition effect of the threat disposition policy from the target indicator sets of the attacked objects in the network. Specifically, the threat disposition effect refers to the effectiveness of the threat disposition policy in disposing of the network threat, and reflects the change in the security state of the network before and after the threat disposition policy has been executed. The better the security state of the network, the better the threat disposition effect, and conversely the worse.
The system for determining the threat disposition effect in a network provided in an embodiment of the present invention, after the threat disposition policy has been executed on the security devices, dynamically selects different verification means according to the threat situation, the disposition objects and the disposition policy, and comprehensively determines the disposition effect of the linked objects from a global perspective, thereby determining the linked threat disposition effect; it can achieve effective determination of the threat disposition effect and accurately evaluate the actual security state of a large-scale network.
Fig. 4 is a module relationship diagram of a system for determining the threat disposition effect in a network provided in an embodiment of the present invention. As shown in Fig. 4, the system comprises: a disposition result verification object set obtaining module, a disposition result verification mode determining module, a disposition result verification module, a target indicator set obtaining module, an effect calculation method determining module, an effect determining module, and a storage unit;
wherein the disposition result verification object set obtaining module is configured to receive the attacked objects and the disposition policy and, according to the alarm information and/or the disposition policy, obtain from the storage unit the paths from the attacked object to the attacker and/or the external network and the objects that execute the disposition policy, so as to determine the disposition result verification object set;
the disposition result verification mode determining module is configured to receive the disposition result verification object set from the disposition result verification object set obtaining module, obtain from the storage unit, according to the disposition result verification object set, the candidate verification mode set of each object in that set, so as to determine the target verification mode of each object in the disposition result verification object set, and send it to the disposition result verification module;
the disposition result verification module is configured to receive, from the disposition result verification mode determining module, the target verification modes of the objects in the disposition result verification object set, verify the disposition result of the corresponding objects according to the target verification modes, and send the disposition results to the target indicator set obtaining module;
the target indicator set obtaining module is configured to receive the disposition results from the disposition result verification module, obtain the index contribution degrees from the storage unit according to the disposition results, so as to determine the target indicator set, and send the target indicator set to the effect determining module;
the effect calculation method determining module is configured to obtain the candidate effect calculation method set from the storage unit, determine the target effect calculation method according to the candidate effect calculation method set, and send the target effect calculation method to the effect determining module;
the effect determining module is configured to receive the target indicator set from the target indicator set obtaining module and the target effect calculation method from the effect calculation method determining module, and determine the threat disposition effect according to the target indicator set and the target effect calculation method;
the storage unit is configured to store any one or more of, but not limited to: a library of path information from attacked objects to the attacker and/or the external network, a library of objects that execute threat disposition policies, a verification mode information library, an effect indicator information library, and an effect calculation method information library.
Fig. 5 is the entity structure schematic diagram of a kind of electronic equipment provided in an embodiment of the present invention, as shown in figure 5, the electronics Equipment may include: processor (processor) 501, communication interface (Communications Interface) 502, storage Device (memory) 503 and communication bus 504, wherein processor 501, communication interface 502, memory 503 pass through communication bus 504 complete mutual communication.Processor 501, which can call, to be stored on memory 503 and can run on processor 501 Computer program, the method to execute the various embodiments described above offer, for example, for any of network by attack pair As choosing several objects to form described attacked from the object for threatening Disposal Strategies by the execution of object of attack The disposition result verification object set of object;If at least having one in the disposition result verification object set by object of attack The disposition result of a object is successfully, then based on the index contribution degree table by object of attack, to determine that contribution degree meets index The index of selection condition, to form the target indicator set by object of attack;Wherein, the disposition result of object is successfully to refer to Object successful execution threatens Disposal Strategies;According to, by the target indicator set of object of attack, determining the threat in the network Effect is disposed in the threat of Disposal Strategies.
In addition, the logical instructions in the memory 503 may be implemented in the form of software functional units and, when sold or used as an independent product, may be stored in a computer readable storage medium. Based on this understanding, the technical solution of the embodiments of the present invention, in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
An embodiment of the present invention also provides a non-transient computer readable storage medium on which a computer program is stored; when executed by a processor, the computer program carries out the method provided by the embodiments described above, for example: for any attacked object in the network, selecting several objects from the objects that execute threat disposition strategies for the attacked object, to form the disposition result verification object set of the attacked object; if the disposition result of at least one object in the disposition result verification object set of the attacked object is success, determining, based on the index contribution degree table of the attacked object, the indices whose contribution degree meets the index selection condition, to form the target indicator set of the attacked object, where the disposition result of an object being success means that the object successfully executed the threat disposition strategy; and determining the threat disposition effect of the threat disposition strategy according to the target indicator sets of the attacked objects in the network.
The apparatus embodiments described above are merely exemplary. The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiments of the present invention. Those of ordinary skill in the art can understand and implement them without creative labour.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general hardware platform, and naturally also by hardware. Based on this understanding, the above technical solution, in essence, or the part that contributes to the prior art, may be embodied in the form of a software product, which may be stored in a computer readable storage medium such as a ROM/RAM, a magnetic disk or an optical disk, and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are merely illustrative of the technical solutions of the present invention and do not limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features can be replaced by equivalents, and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (12)

1. A method for determining the threat disposition effect in a network, characterized by comprising:
for any attacked object in the network, selecting several objects from the objects that execute threat disposition strategies for the attacked object, to form a disposition result verification object set of the attacked object;
if the disposition result of at least one object in the disposition result verification object set of the attacked object is success, determining, based on the index contribution degree table of the attacked object, the indices whose contribution degree meets the index selection condition, to form the target indicator set of the attacked object; wherein the disposition result of an object being success means that the object successfully executed the threat disposition strategy;
determining the threat disposition effect of the threat disposition strategy according to the target indicator sets of the attacked objects in the network.
2. The method according to claim 1, characterized in that, for any attacked object in the network, selecting several objects from the objects that execute threat disposition strategies for the attacked object to form the disposition result verification object set of the attacked object further comprises:
determining the paths from the attacked object to attackers and/or external networks, to form a path set;
determining whether the objects that each path in the path set passes through include an object that executes threat disposition strategies, and, after removing from the path set the paths that do not include such an object, generating a target path set;
for each path in the target path set, selecting several objects from the strategy-executing objects that the path passes through as the disposition result verification objects of that path;
combining the disposition result verification objects of all paths in the target path set to generate the disposition result verification object set of the attacked object.
3. The method according to claim 2, characterized in that selecting several objects from the strategy-executing objects that the path passes through as the disposition result verification objects of the path further comprises:
for the strategy-executing objects that the path passes through, selecting several objects as the disposition result verification objects of the path according to any one or more of: the operating status of the object and a corresponding first weight, its load condition and a corresponding second weight, and its confidence level and a corresponding third weight.
4. The method according to claim 1, characterized in that, before determining, based on the index contribution degree table of the attacked object, the indices whose contribution degree meets the index selection condition if the disposition result of at least one object in the disposition result verification object set of the attacked object is success, the method further comprises:
for each object in the disposition result verification object set of the attacked object, determining a target verification mode for the disposition result of that object;
verifying the disposition result of the object according to the target verification mode, to determine whether the disposition result of the object is success or failure.
5. The method according to claim 4, characterized in that determining the target verification mode for the disposition result of the object further comprises:
determining a candidate verification mode set for verifying the disposition result of the object;
for each candidate verification mode in the candidate verification mode set, determining a score of the candidate verification mode according to any one or more of: the user's verification requirements, the potential loss to the network caused by verifying the disposition result of the object with the candidate verification mode, the verification cost of the candidate verification mode, and the historical validity of the candidate verification mode;
comparing the scores of the candidate verification modes in the candidate verification mode set, and taking the candidate verification mode that meets the score selection condition as the target verification mode for the disposition result of the object.
6. The method according to claim 1, characterized in that determining the threat disposition effect of the threat disposition strategy according to the target indicator sets of the attacked objects in the network further comprises:
for any attacked object in the network, choosing one candidate effect calculation method from a candidate effect calculation method set as the target effect calculation method of the attacked object;
determining the threat disposition effect of the threat disposition strategy on the attacked object based on the target effect calculation method, according to the target indicator set of the attacked object;
determining the threat disposition effect of the threat disposition strategy according to the threat disposition effects of the attacked objects in the network and/or their importance levels.
7. The method according to claim 6, characterized in that choosing one candidate effect calculation method from the candidate effect calculation method set as the target effect calculation method of the attacked object further comprises:
choosing the effect calculation method that meets the effect calculation method selection condition as the target effect calculation method of the attacked object, according to any one or more of the time complexity, space complexity and validity of the candidate effect calculation methods in the candidate effect calculation method set.
8. The method according to claim 6, characterized in that determining the threat disposition effect of the threat disposition strategy according to the threat disposition effects of the attacked objects in the network and/or their importance levels further comprises:
for any attacked object in the network, numericalizing the threat disposition effect of the attacked object and numericalizing the importance level of the attacked object;
obtaining the relative disposition effect value of the attacked object according to the numericalized threat disposition effect and/or the numericalized importance level;
obtaining the threat disposition effect value of the threat disposition strategy according to the relative disposition effect values of the attacked objects in the network;
matching the threat disposition effect value against preset effect value grades, to obtain the threat disposition effect of the threat disposition strategy.
9. The method according to claim 8, characterized in that matching the threat disposition effect value against the preset effect value grades to obtain the threat disposition effect of the threat disposition strategy further comprises:
adjusting the threat disposition strategy according to the matching result;
and/or
after the adjusted disposition strategy has been executed, determining the threat disposition effect again.
10. A system for determining the threat disposition effect in a network, characterized by comprising:
a disposition result verification object set obtaining module, configured to, for any attacked object in the network, select several objects from the objects that execute threat disposition strategies for the attacked object, to form the disposition result verification object set of the attacked object;
a target indicator set obtaining module, configured to, if the disposition result of at least one object in the disposition result verification object set of the attacked object is success, determine, based on the index contribution degree table of the attacked object, the indices whose contribution degree meets the index selection condition, to form the target indicator set of the attacked object; wherein the disposition result of an object being success means that the object successfully executed the threat disposition strategy;
an effect determining module, configured to determine the threat disposition effect of the threat disposition strategy according to the target indicator sets of the attacked objects in the network.
11. An electronic device, comprising a memory, a processor and a computer program stored on the memory and runnable on the processor, characterized in that the processor, when executing the program, implements the steps of the method according to any one of claims 1 to 9.
12. A non-transient computer readable storage medium having a computer program stored thereon, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 9.
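The pipeline of claims 1 to 9, as an added Python example that is not part of the patent: path-based selection of verification objects (claims 2 and 3), indicator selection by contribution degree (claim 1), a per-object effect calculation (claim 6) and importance-weighted grading against preset grades (claim 8). The weights, the threshold, the grade boundaries, the contribution-weighted-mean calculation method and all sample objects are constructed assumptions, not values from the patent.

```python
from dataclasses import dataclass

# Constructed sample model (not from the patent): objects on the paths from an attacked
# host outward; those that execute the disposition strategy can verify its result.
@dataclass
class Obj:
    name: str
    executes_strategy: bool   # object executes the threat disposition strategy?
    running: float            # operating status score in [0, 1]
    load: float               # load level in [0, 1]; lower is better
    confidence: float         # trust in the object's reported result, [0, 1]
    result_ok: bool = False   # verified disposition result (claim 4)

WEIGHTS = (0.4, 0.3, 0.3)     # assumed first/second/third weights of claim 3

def select_verification_objects(paths, k=1):
    """Claims 2-3: reject paths with no strategy-executing object, keep top-k per path."""
    chosen = {}
    w1, w2, w3 = WEIGHTS
    for path in paths:
        execs = [o for o in path if o.executes_strategy]
        if not execs:
            continue      # path cannot verify anything: not in the target path set
        execs.sort(key=lambda o: w1 * o.running + w2 * (1 - o.load) + w3 * o.confidence,
                   reverse=True)
        for o in execs[:k]:
            chosen[o.name] = o
    return list(chosen.values())

def target_indicators(contrib_table, threshold):
    """Claim 1: indices whose contribution degree meets the (assumed >= threshold) condition."""
    return {i: c for i, c in contrib_table.items() if c >= threshold}

def object_effect(verify_set, contrib_table, indicator_values, threshold=0.2):
    """Claims 1 and 6: effect on one attacked object as the contribution-weighted mean of
    its target indicators (assumed method); with no verified success there is no evidence."""
    if not any(o.result_ok for o in verify_set):
        return 0.0
    targets = target_indicators(contrib_table, threshold)
    total = sum(targets.values())
    return sum(c * indicator_values[i] for i, c in targets.items()) / total

GRADES = ((0.8, "high"), (0.5, "medium"), (0.0, "low"))   # assumed preset grades

def strategy_effect(per_object, importance):
    """Claim 8: importance-weighted relative effect over all attacked objects, then graded."""
    total = sum(importance[n] for n in per_object)
    value = sum(per_object[n] * importance[n] for n in per_object) / total
    grade = next(g for lo, g in GRADES if value >= lo)
    return value, grade

def demo():
    """Constructed scenario: hostA sits behind a firewall and an IDS, hostB behind a plain switch."""
    fw = Obj("fw1", True, 0.9, 0.3, 0.8, result_ok=True)
    rt = Obj("rt1", False, 1.0, 0.1, 0.9)
    ids = Obj("ids1", True, 0.6, 0.7, 0.5)
    sw = Obj("sw1", False, 1.0, 0.2, 0.9)
    paths = {"hostA": [[fw, rt], [ids]], "hostB": [[sw]]}
    contrib = {"blocked_flows": 0.5, "alert_latency": 0.3, "cpu_overhead": 0.1}
    values = {"blocked_flows": 0.9, "alert_latency": 0.7, "cpu_overhead": 0.4}
    importance = {"hostA": 3.0, "hostB": 1.0}
    per_obj = {h: object_effect(select_verification_objects(p), contrib, values)
               for h, p in paths.items()}
    return per_obj, strategy_effect(per_obj, importance)
```

hostB has no strategy-executing object on its path, so it contributes no verified evidence and drags the strategy-wide value down to a "medium" grade even though the effect on hostA is high.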
CN201811376254.8A 2018-11-19 2018-11-19 Method and system for determining threat disposal effect in network Active CN109510828B (en)
Publications (2)

Publication Number Publication Date
CN109510828A true CN109510828A (en) 2019-03-22
CN109510828B CN109510828B (en) 2020-07-03
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant