CN109510828B - Method and system for determining threat disposal effect in network - Google Patents

Publication number: CN109510828B
Application number: CN201811376254.8A
Authority: CN (China)
Legal status: Active
Other versions: CN109510828A
Original language: Chinese (zh)
Inventors: 李凤华, 谢绒娜, 张玲翠
Assignee (original and current): Institute of Information Engineering of CAS
Prior art keywords: threat, attacked, objects, verification, network

CPC classifications: H04L63/1416 (event detection, e.g. attack signature detection); H04L63/20 (managing network security; network security policies in general); H04L63/205 (negotiation or determination of the network security mechanisms to be used); H04L63/02 (separating internal from external traffic, e.g. firewalls); H04L63/08 (authentication of entities)
Abstract

The embodiment of the invention provides a method and a system for determining the threat handling effect in a network. The method comprises the following steps: for any attacked object in the network, selecting a plurality of objects from the objects of the attacked object that execute the threat handling policy, to form a handling result verification object set of the attacked object; if the handling result of at least one object in the handling result verification object set of the attacked object is successful, determining the indexes whose contribution degrees meet the index selection condition, based on the index contribution table of the attacked object, to form a target index set of the attacked object; and determining the threat handling effect of the threat handling policy according to the target index set of the attacked object in the network. According to the method and the system provided by the embodiment of the invention, the handling effect is comprehensively verified and evaluated from the global perspective according to the different handling objects and policies, so that the efficiency and the accuracy of handling effect evaluation are improved.

Description

Method and system for determining threat disposal effect in network
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a method and a system for determining threat disposal effects in a network.
Background
Heterogeneous networks are interconnected at large scale, their technical architectures differ, and security devices of different types and from different manufacturers differ in protection capability, so the protection capabilities of different networks are uneven. Because isolated protection by a single network or a single defence point can hardly cope with increasingly serious network threats, a threat handling command center is required to work around a given security objective: it generates the corresponding threat handling policies according to the threat situation, device protection capabilities and so on, decomposes them and distributes them to the multiple corresponding handling objects, so that cooperation among different objects and cooperative protection across different regions are realized, and thereby linked handling of network threats is achieved.
In order to realize effective linked handling of threats, different threat handling policies need to be distributed to security devices with different protection capabilities, and the effect of the linked handling then needs to be determined so that the policies can be adjusted reasonably. However, existing threat handling technology does not handle threats in a linked manner and only realizes local protection; existing handling effect determination technology neither considers the handling effects of all linked handling objects comprehensively nor evaluates the threat handling effect from the global perspective, so the linked handling effect is difficult to determine and the actual security state of a large-scale network cannot be accurately evaluated.
Disclosure of Invention
To solve the technical problems in the prior art, embodiments of the present invention provide a method and a system for determining a threat handling effect in a network.
In a first aspect, an embodiment of the present invention provides a method for determining a threat handling effect in a network, including:
for any attacked object in the network, selecting a plurality of objects from the objects of the attacked object, which execute the threat handling policy, to form a handling result verification object set of the attacked object;
if the processing result of at least one object in the processing result verification object set of the attacked object is successful, determining an index with contribution degree meeting an index selection condition based on the index contribution table of the attacked object to form a target index set of the attacked object; wherein, the success of the treatment result of the object means that the object successfully executes the threat treatment strategy;
and determining the threat handling effect of the threat handling strategy according to the target index set of the attacked object in the network.
In a second aspect, an embodiment of the present invention provides a system for determining threat treatment effectiveness in a network, including:
a processing result verification object set acquisition module, configured to select, for any attacked object in the network, a plurality of objects from objects of the attacked object that execute a threat processing policy to form a processing result verification object set of the attacked object;
a target index set obtaining module, configured to determine, if the handling result of at least one object in the handling result verification object set of the attacked object is successful, the indexes whose contribution degrees meet an index selection condition based on the index contribution table of the attacked object, to form a target index set of the attacked object; wherein the success of the handling result of an object means that the object successfully executes the threat handling policy;
and the effect determination module is used for determining the threat handling effect of the threat handling strategy according to the target index set of the attacked object in the network.
In a third aspect, an embodiment of the present invention provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the steps of the method provided in the first aspect when executing the program.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method as provided in the first aspect.
According to the method and the system for determining the threat disposal effect in the network, after the security device executes the threat disposal strategy, different verification means are dynamically selected according to different threat conditions, disposal objects and disposal strategies, and the disposal effect of the linkage object is comprehensively determined from the global perspective, so that the threat linkage disposal effect is determined, the effective determination of the threat disposal effect can be realized, and the actual security state of a large-scale network is accurately evaluated.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a flowchart of a method for determining threat treatment effectiveness in a network according to an embodiment of the present invention;
fig. 2 is a network topology diagram according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a system for determining threat disposal effects in a network according to an embodiment of the present invention;
FIG. 4 is a block diagram of a system for determining threat treatment effectiveness in a network according to an embodiment of the present invention;
fig. 5 is a schematic physical structure diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a flowchart of a method for determining a threat handling effect in a network according to an embodiment of the present invention, as shown in fig. 1, the method includes:
step 101, for any attacked object in the network, selecting a plurality of objects from the objects of the attacked object, which execute the threat handling policy, to form a handling result verification object set of the attacked object.
For purposes of explanation, the method provided by the embodiment of the invention is applied to a complex network environment, where the complex network environment generally refers to a large-scale heterogeneous network such as a private network, a space-ground integrated network, an internet of things, a network where various service systems (such as an electronic credential service system, an electronic commerce system and an electronic government affairs system) are located, and the like. Complex network environments are often made up of multiple devices and/or systems. For convenience of description, the complex network environment is simply referred to as the target network, and devices and systems are both referred to as objects.
Devices include, but are not limited to: any one or more of a terminal (fixed terminal, mobile terminal, satellite terminal), server, router, access gateway, internet gateway, content filtering device, firewall, cryptographic device, authentication device, VPN, honeypot, switch, modem, hub, and bridge; systems include, but are not limited to: any one or more of an intrusion prevention system, an intrusion detection system, an intrusion response system, an authentication system, a device management system, and a threat analysis system. Here, the device may be a physical device or a virtual device obtained by using a virtualization technology. The specific designation of objects varies depending on the application domain.
In a private network, an object includes some non-generic class devices in addition to generic class devices, including but not limited to: any one or more of industrial control gateway, flow filtering monitoring equipment, flow transfer control equipment and the like; systems include, but are not limited to: any one or more of a storage system, an office system, a file exchange system, a supervisory system, and the like.
In a space-ground integrated network, devices include, but are not limited to: any one or more of various satellites, high-speed spacecraft terminals, space-based backbone network ground terminals, Ka high-capacity broadband portable/fixed terminals, high-orbit satellite mobile military handheld/civil vehicle-mounted terminals, low-orbit constellation handheld/vehicle-mounted terminals, Ku (FDMA) portable/fixed terminals, Ku (TDMA) portable/fixed terminals and other security terminals, space-based backbone satellite security access gateways, broadband satellite security access gateways, satellite mobile security access gateways, security internet gateways between heterogeneous networks, security internet gateways between ground networks and other gateways; systems include, but are not limited to: any one or more of an identity authentication management system, an access authentication system, an internetwork interconnection security control system, a password resource management system, a threat fusion analysis and situation early warning system, a whole-network security equipment unified management system and the like.
In the internet of things, devices include, but are not limited to: any one or more of an Internet of things firewall, an Internet of things comprehensive security access gateway, an internetwork interconnection gateway, a heterogeneous data collection gateway, a unidirectional/bidirectional data isolation device and the like; systems include, but are not limited to: any one or more of data exchange application agent software, a data circulation monitoring system, a programmable application protection system, an Internet of things topology mapping system, a security service demand and resource management system, a data storage scheduling management system, an Internet of things security management and control center management system, a device discovery and identification system and the like.
In a network where various types of service systems are located, devices include, but are not limited to: any one or more of electronic credential high-speed approval service equipment, unified authentication service equipment and the like; systems include, but are not limited to: any one or more of an electronic credential approval service management system, an electronic credential state management and control system, a unified authentication service management system, an electronic credential checking service system, a multi-business electronic credential collaborative issuing system, a mass electronic credential data storage system, an identity authentication system, a password service support system and a data storage system.
An attacker attacking a target network usually attacks one or several objects in the target network, and the attacked objects are called attacked objects. For an attacked object in the target network, the object of the attacked object executing the threat handling policy can be known through the threat handling policy generated and/or decomposed by the threat handling command center, and several objects are selected from the objects to form a handling result verification object set of the attacked object.
Step 102, if the handling result of at least one object in the handling result verification object set of the attacked object is successful, determining the indexes whose contribution degrees meet an index selection condition based on the index contribution table of the attacked object, to form a target index set of the attacked object; wherein the success of the handling result of an object means that the threat handling policy is successfully executed by the object.
The index contribution table refers to a mapping relation between an index and a contribution degree of the index to successful verification of a treatment result of a certain attacked object.
The contribution degree of the index in the index contribution table may be statically set in advance, and may also be dynamically assigned and adjusted, which is not specifically limited in the embodiment of the present invention.
The indexes include, but are not limited to: any one or more of network interface state related indexes, network state related indexes, TCP connection related indexes, satellite node port related indexes, operating system related indexes, file system related indexes and process information related indexes. Specifically:
network interface state related indexes, such as wireless transceiving signal strength (transmission rate, bandwidth), access point, access beam, frequency point, number of received packets, number of received bytes, number of received error packets, number of lost packets, FIFO buffer errors, number of packet frame errors, number of transmitted packets, number of transmitted bytes, number of transmitted error packets, whether the network is available, whether WiFi sensing is available, and connection speed;
network state related indexes, such as the TCP ESTABLISHED state number, TCP SYN_SENT state number, TCP SYN_RECV state number, TCP FIN_WAIT1 state number, TCP FIN_WAIT2 state number, TCP TIME_WAIT state number, TCP CLOSED state number, TCP CLOSE_WAIT state number, TCP LAST_ACK state number, TCP LISTEN state number, TCP CLOSING state number, TCP IDLE state number, inbound TCP connection number and outbound TCP connection number;
TCP connection related indexes, such as the number of TCP connections actively established, the number of TCP connections passively established, the number of failed connection attempts, the number of reset connections, the number of current connections, TCP segments entering the entity, TCP segments leaving the entity, the number of retransmissions, the number of reception errors and the number of transmission retransmissions;
link state related indexes, such as link start, link end, link bandwidth, link utilization, link connectivity, link propagation delay and link retention time;
satellite node port related indexes, such as the index of the satellite node port, the type of the satellite node port, the maximum rate of the satellite node port, the antenna corresponding to the satellite node port, the number of bytes received by the satellite node port, the number of bytes sent by the satellite node port, the number of input bytes discarded by the satellite node port and the number of output bytes discarded by the satellite node port;
operating system related indexes, such as the number of system users, the number of current system processes, power-on time, process information, statistical information and the like. The process information acquisition items include, but are not limited to: process ID, process name, process state, parent process ID, process priority, process nice value, process CPU utilization rate, number of threads under the process, total number of file descriptors, resident memory size, process start time and CPU proportion;
file system related indexes, such as the proportion of the file system used, the inode number, the number of available inodes, static file system information (hard disk device name, path, total space) and dynamic file system information (used space, available space, percentage used);
process information related indexes, such as the total number of processes, the number of Sleeping processes, the number of Running processes, the number of Zombie processes, the number of Stopped processes, the number of Idle processes, the total number of threads and the like.
Further, some of the evaluation indexes differ depending on the application field. For example, in a space-ground integrated network, the indexes may further include, but are not limited to, abnormal satellite terminal network access information, abnormal use of password resources, and linkage control effect feedback information; in the electronic credential service system, the indexes may also include, but are not limited to, indexes related to abnormal electronic credential behaviour, including but not limited to over-limit/category opening, repeated/false invoice reimbursement, false system connections and multiple password attempts; in the private network, the indexes related to the office system include, but are not limited to, illegal file operations, illegal circulation, illegal release, abnormal communication, illegal storage, illegal medium access operations, and the audit logs of the relevant devices and systems.
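The network state related indexes listed above (per-state TCP counts, inbound and outbound connection numbers) are the kind of values an object would report for its index contribution table. The following Python is an added example, not code from the patent: it derives those indexes from a table in the layout of Linux's /proc/net/tcp. The snapshot is constructed, the function names are hypothetical, and the inbound/outbound split uses an assumed heuristic (a non-listening socket whose local port is also a listening port counts as inbound).

```python
"""Added example: derive the network-state indexes named in the description
(TCP state counts, inbound/outbound connection counts) from a /proc/net/tcp
style table. The table below is constructed; function names are hypothetical."""
from collections import Counter

# State codes of the 'st' column of /proc/net/tcp (Linux TCP state enum, hex).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed snapshot: a web server listening on port 80 (0x0050) with two
# established client connections, three half-open (SYN_RECV) connections, one
# outbound connection to a database on 3306 (0x0CEA) and one TIME_WAIT socket to 443.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000
   1: 0A00000A:0050 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000
   2: 0A00000A:0050 0B00000A:C351 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000
   3: 0A00000A:0050 0C00000A:D431 03 00000000:00000000 01:00000FA0 00000000     0        0 0 2 0000000000000000
   4: 0A00000A:0050 0C00000A:D432 03 00000000:00000000 01:00000FA0 00000000     0        0 0 2 0000000000000000
   5: 0A00000A:0050 0C00000A:D433 03 00000000:00000000 01:00000FA0 00000000     0        0 0 2 0000000000000000
   6: 0A00000A:9C40 0D00000A:0CEA 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000
   7: 0A00000A:9C41 0D00000A:01BB 06 00000000:00000000 03:000003E8 00000000     0        0 0 3 0000000000000000
"""


def parse_tcp_table(table):
    """Return (local_port, remote_port, state_name) for every socket row."""
    rows = []
    for line in table.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        local_port = int(parts[1].split(":")[1], 16)
        remote_port = int(parts[2].split(":")[1], 16)
        rows.append((local_port, remote_port, TCP_STATES.get(parts[3], "UNKNOWN")))
    return rows


def network_state_indexes(table):
    """Per-state counts plus inbound/outbound totals. Heuristic (assumption):
    a non-listening socket whose local port is also a listening port is an
    inbound connection; any other non-listening socket is outbound."""
    rows = parse_tcp_table(table)
    counts = Counter(state for _, _, state in rows)
    listening = {lp for lp, _, state in rows if state == "LISTEN"}
    active = [(lp, rp, st) for lp, rp, st in rows if st != "LISTEN"]
    indexes = {f"tcp_{name.lower()}_count": counts.get(name, 0) for name in TCP_STATES.values()}
    indexes["inbound_tcp_connections"] = sum(1 for lp, _, _ in active if lp in listening)
    indexes["outbound_tcp_connections"] = sum(1 for lp, _, _ in active if lp not in listening)
    return indexes


def half_open_ratio(indexes):
    """Share of half-open (SYN_RECV) sockets among all non-listening sockets; a
    value that stays high after a SYN threshold policy was applied suggests the
    policy is not taking effect on this object."""
    total = indexes["inbound_tcp_connections"] + indexes["outbound_tcp_connections"]
    return indexes["tcp_syn_recv_count"] / total if total else 0.0


if __name__ == "__main__":
    idx = network_state_indexes(SAMPLE_PROC_NET_TCP)
    print(idx)
    print(f"half-open ratio: {half_open_ratio(idx):.2f}")
```

On a real host the table comes from reading /proc/net/tcp (and /proc/net/tcp6 for IPv6 sockets); the parsing and counting stay the same. The half-open ratio is one way to turn a raw state count into a value that can be compared before and after a policy is executed.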
In particular, the objects in the handling result verification object set are used to execute the threat handling policy, but for each object the execution result may be either success or failure. It can be understood that if all the objects in the handling result verification object set fail to execute the threat handling policy, it can be determined that the threat handling policy has not been used for handling the threat, so subsequent operations need not continue; if at least one object in the handling result verification object set has successfully executed the threat handling policy, it can be determined that the threat handling policy has been used for handling the threat, so subsequent operations continue in order to determine the threat handling effect of the threat handling policy.
For example, if the handling result verification object set contains only the firewall FW1 and the firewall FW2, and only the firewall FW1 succeeds in executing the threat handling policy, or only the firewall FW2 succeeds, or both the firewall FW1 and the firewall FW2 succeed, it is determined that the handling result of at least one object in the handling result verification object set is successful, and subsequent operations continue to determine the threat handling effect of the threat handling policy.
Further, if the handling result of at least one object in the handling result verification object set is successful, the indexes whose contribution degrees meet the index selection condition are determined based on the index contribution table of the attacked object, to form the target index set. The index contribution table records the indexes that can be used to determine whether the object is abnormal, together with the degree to which each index contributes to that determination; it should be noted that the higher the contribution degree of an index, the higher the probability that the index is selected for determining the abnormality of the object.
Further, based on the index contribution table, the indexes whose contribution degrees meet the index selection condition are determined to form the target index set. The index selection conditions include, but are not limited to: ranking the contribution degrees from high to low, the contribution degree being equal to a specific value, the contribution degree being higher than a specific value, and the like; this is not specifically limited in the embodiment of the present invention.
Step 103, determining a threat disposal effect of the threat disposal strategy according to the target index set of the attacked object in the network.
Specifically, the threat handling effect refers to the degree of effectiveness of the threat handling policy in handling the network threat, and reflects the change of the security state of the network before and after the threat handling policy is executed. When the security state of the network is better, the threat disposal effect is better correspondingly, and conversely, the threat disposal effect is worse.
According to the method for determining the threat disposal effect in the network, after the security device executes the threat disposal strategy, different verification means are dynamically selected according to different threat conditions, disposal objects and disposal strategies, and the disposal effect of the linkage object is comprehensively determined from the global perspective, so that the threat linkage disposal effect is determined, the effective determination of the threat disposal effect can be realized, and the actual security state of a large-scale network is accurately evaluated.
On the basis of the above embodiments, the embodiment of the present invention specifically describes step 101 of the above embodiment, that is, the acquisition of the handling result verification object set. For any attacked object in the network, selecting a plurality of objects from the objects of the attacked object that execute the threat handling policy, to form a handling result verification object set of the attacked object, further comprises:
determining paths of the attacked objects to attackers and/or external networks to form a path set.
Specifically, the attacker refers to an attacker who attacks a target network, the attacked object refers to an attacked party in the target network, the attacked object corresponds to a trusted zone, and a network outside the trusted zone is referred to as an external network of the attacked object.
For an attacked object in the target network, the paths from the attacked object to the attacker and/or the external network are determined to form a path set. For example, fig. 2 is a network topology diagram provided by an embodiment of the present invention; as shown in fig. 2, the network includes a target network (domain 1 and the DMZ zone), an attacker, and an external network (domain 2). The attacked objects in the target network are the Web service 1 and the database server. The Web service 1 has only one path to the attacker: from the server where the Web service 1 is located, through the firewall FW2 and the gateway, to the attacker; for convenience of description this is called path 1. The Web service 1 has only one path to the external network: from the server where the Web service 1 is located, through the firewall FW1, the switch and the isolation device 2, to the domain 2; this is called path 2. The database service has only one path to the attacker: from the server where the database service is located, through the isolation device 1, the firewall FW1, the firewall FW2 and the gateway, to the attacker; this is called path 3. The database service has only one path to the external network: from the server where the database service is located, through the isolation device 1, the firewall FW1 and the isolation device 2, to the domain 2; this is called path 4. Thus, the path set is {path 1, path 2, path 3, path 4}.
Judging whether the objects through which each path in the path set passes include an object that executes the threat handling policy, removing from the path set the paths that do not include such an object, and generating a target path set.
Specifically, for an attacked object in the target network, the object of the attacked object executing the threat handling policy may be known through the threat handling policy generated by the threat handling command center. Accordingly, it may be determined whether the objects through which each path in the set of paths passes include an object for executing the threat handling policy.
For example, as shown in FIG. 2, if Web service 1 and the database service are attacked by two types of denial of service attacks: SYN Flood and CC (challenge Collapsar) attacks, the threat handling policy is:
firewall TCP connection number/SYN segment threshold setting: setting on the firewall FW2 an upper limit on the number of TCP connections of the Web service 1 between 8 a.m. and 12 a.m., and setting a threshold on the number of SYN segments per second passing through a specified object (in this example, the server where the Web service 1 is located);
service timed closing: setting the Web service 1 to stop external service between 12 o'clock at night and 8 o'clock the next morning;
service timed access prohibition: setting on the firewall FW1 that the Web service 1 is prohibited from accessing the database service between 12 o'clock at night and 8 o'clock the next morning.
Thus, according to the threat handling policy, it can be known that the objects that execute the threat handling policy are: a server where the Web service 1 is located, a firewall FW1, and a firewall FW 2.
For the path 1 in the path set, the objects passing through the path are a server where the Web service 1 is located, a firewall FW2 and a gateway; for the path 2, the objects passing through the path are a server where the Web service 1 is located, a firewall FW1 and an isolation device 2; for path 3, the objects passing through it are firewall FW1, switch, firewall FW2 and gateway; for the path 4, the server where the database service is located, the isolated device 1, the firewall FW1, the firewall FW2 and the gateway are objects through which the database service is located. Wherein path 1 is via a server of Web service 1 for executing a threat handling policy and firewall FW 1; path 2 is via the server where the Web service 1 executing the threat handling policy is located; path 3 is via a firewall FW1 for enforcing threat handling policies; path 4 is via a firewall FW1 for enforcing threat handling policies; however, since the policy of the device performing the threat handling policy is independent of other devices on the corresponding path in path 2 and path 4, the two paths are pruned, resulting in a target path set of { path 1, path 3} and a pruned path set of { path 2, path 4 }.
For a path in the target path set, select several of the objects the path passes through that execute the threat handling policy as the handling result verification objects of that path.
Specifically, for path 1, several of the server where Web service 1 is located and firewall FW2, which path 1 passes through, are taken as the handling result verification objects of path 1; for path 3, several of firewalls FW1 and FW2, which path 3 passes through, are taken as the handling result verification objects of path 3.
Combine the handling result verification objects of all paths in the target path set to generate the handling result verification object set of the attacked object.
Specifically, suppose firewall FW2 on path 1 is taken as the handling result verification object of path 1 and firewall FW1 on path 3 as that of path 3; the handling result verification object set is then {FW1, FW2}.
On the basis of the above embodiments, this embodiment explains how the handling result verification objects are selected. That is, selecting several of the objects the path passes through that execute the threat handling policy as the handling result verification objects of the path further includes:
for the objects the path passes through that execute the threat handling policy, selecting several objects as handling result verification objects according to any one or more of the running state of the object and its first weight, the load condition and its second weight, and the credibility and its third weight.
Specifically, the running state of an object includes, but is not limited to, off, silent, abnormal and normal; the load condition of an object includes, but is not limited to, CPU, storage and network bandwidth resource usage, which may be expressed as percentages; the credibility of an object is the degree to which the candidate object is trusted, may be represented by discrete values, and may be assigned according to, for example, whether the device has ever been compromised.
Further, the method of selecting several objects as handling result verification objects according to the running state and its first weight, the load condition and its second weight, and the credibility and its third weight includes, but is not limited to, the following:
for each object on a path in the target path set that executes the threat handling policy, the running state, load condition and credibility are digitised, that is: according to how good the running state of the object is, it is converted to a value between 0 and 1; according to how good the load condition is, it is converted to a value between 0 and 1; and according to how good the credibility is, it is converted to a value between 0 and 1.
For any object, multiply the digitised running state by the first weight to obtain a first result, the digitised load condition by the second weight to obtain a second result, and the digitised credibility by the third weight to obtain a third result, and compute the object's result value from the first, second and third results (in the example below a heavier load counts against the object, so the second result is subtracted and the other two are added).
Obtain the result values of all the objects, compare them, and take the object(s) satisfying the object selection condition as handling result verification objects. It should be noted that the object selection condition includes, but is not limited to: the largest result value, the second largest result value, a specific result value, a result value above a specific threshold, and the like.
For example, selecting several of the objects that execute the threat handling policy as the handling result verification objects of a path is illustrated with three candidate objects: the server where Web service 1 is located, firewall FW1 and firewall FW2. (In Fig. 2 only FW1 and FW2 lie on path 3; the server is scored alongside them here to show a three-way comparison.) Where:
the running state, load condition and credibility of the server where Web service 1 is located are:
running state: operating normally; digitised running state 1;
load condition: running at 70% load; digitised load condition 0.70;
credibility: 70%; digitised credibility 0.70;
the weight of the running state is 0.2, the weight of the load condition is 0.2, and the weight of the credibility is 0.6.
The running state, load condition and credibility of firewall FW1 are:
running state: operating normally; digitised running state 1;
load condition: running at 75% load; digitised load condition 0.75;
credibility: 90%; digitised credibility 0.90;
the weight of the running state is 0.2, the weight of the load condition is 0.2, and the weight of the credibility is 0.6.
The running state, load condition and credibility of firewall FW2 are:
running state: operating normally; digitised running state 1;
load condition: running at 100% load; digitised load condition 1.00;
credibility: 99%; digitised credibility 0.99;
the weight of the running state is 0.2, the weight of the load condition is 0.2, and the weight of the credibility is 0.6.
Then the weighted result value of each candidate object, with the load term entered negatively because a heavily loaded device is a worse verifier, is:
a(Web1) = 1 × 0.2 - 0.70 × 0.2 + 0.70 × 0.6 = 0.48 for the server where Web service 1 is located;
a(FW1) = 1 × 0.2 - 0.75 × 0.2 + 0.90 × 0.6 = 0.59 for firewall FW1;
a(FW2) = 1 × 0.2 - 1.00 × 0.2 + 0.99 × 0.6 = 0.594 for firewall FW2.
If the object selection condition is the largest weighted value, firewall FW2 is taken as the handling result verification object of path 3.
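The path pruning of Fig. 2 and the weighted selection of verification objects, carried through in code as an added example; this is not the patent's own implementation. It takes the four paths of Fig. 2 as input (the page does not specify how paths are enumerated), labels each path by the kind of endpoint it reaches, and assumes that every item of the page's threat handling policy governs only attacker-facing traffic; under that assumption the pruning reproduces the page's {path 1, path 3}. Object profiles and weights are the page's; the class, function and device names are this example's.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    name: str
    objects: tuple          # ordered objects the path passes through
    endpoint: str           # "attacker" or "external" (assumed label)


@dataclass(frozen=True)
class PolicyItem:
    executor: str           # object that executes this item of the policy
    governs: frozenset      # endpoint kinds whose traffic the item acts on


@dataclass(frozen=True)
class Profile:
    state: float            # running state digitised to [0, 1]; 1 = normal
    load: float             # resource usage in [0, 1]; higher is worse
    credibility: float      # trust in [0, 1]; e.g. lowered after an intrusion


# Constructed data: the four paths of Fig. 2 as the text describes them.
PATHS = [
    Path("path1", ("web1_server", "FW2", "gateway"), "attacker"),
    Path("path2", ("web1_server", "FW1", "switch", "iso2"), "external"),
    Path("path3", ("db_server", "iso1", "FW1", "FW2", "gateway"), "attacker"),
    Path("path4", ("db_server", "iso1", "FW1", "iso2"), "external"),
]

# The page's three policy items. That each one governs only attacker-facing
# traffic (the DoS mitigation) is an assumption made to reproduce the pruning.
POLICY = [
    PolicyItem("FW2", frozenset({"attacker"})),          # TCP/SYN thresholds
    PolicyItem("web1_server", frozenset({"attacker"})),  # timed service shutdown
    PolicyItem("FW1", frozenset({"attacker"})),          # timed access prohibition
]

# Candidate profiles and weights from the page's worked example.
PROFILES = {
    "web1_server": Profile(1.0, 0.70, 0.70),
    "FW1": Profile(1.0, 0.75, 0.90),
    "FW2": Profile(1.0, 1.00, 0.99),
}
WEIGHTS = (0.2, 0.2, 0.6)   # (running state, load, credibility)


def applicable_executors(path, policy):
    """Objects on `path` that execute a policy item acting on the path's traffic."""
    return [obj for obj in path.objects
            if any(item.executor == obj and path.endpoint in item.governs
                   for item in policy)]


def prune_paths(paths, policy):
    """Split the path set into (target path set, removed path set)."""
    target, removed = [], []
    for p in paths:
        (target if applicable_executors(p, policy) else removed).append(p)
    return target, removed


def score(profile, weights):
    """Page's weighting: load counts against the object, state and trust for it."""
    w_state, w_load, w_cred = weights
    return w_state * profile.state - w_load * profile.load + w_cred * profile.credibility


def select_verifiers(path, policy, profiles, weights, top_k=1):
    """Pick the `top_k` highest-scoring policy-executing objects on one path."""
    candidates = applicable_executors(path, policy)
    ranked = sorted(candidates, key=lambda o: score(profiles[o], weights), reverse=True)
    return ranked[:top_k]


def verification_object_set(paths, policy, profiles, weights, top_k=1):
    """Union of the per-path verifiers: the attacked object's verification set."""
    target, _ = prune_paths(paths, policy)
    chosen = set()
    for p in target:
        chosen.update(select_verifiers(p, policy, profiles, weights, top_k))
    return chosen


if __name__ == "__main__":
    target, removed = prune_paths(PATHS, POLICY)
    print("target:", [p.name for p in target], "removed:", [p.name for p in removed])
    for p in target:
        for o in applicable_executors(p, POLICY):
            print(p.name, o, round(score(PROFILES[o], WEIGHTS), 3))
    print("verification objects:", verification_object_set(PATHS, POLICY, PROFILES, WEIGHTS))
```

With the page's profiles and the largest-value rule, FW2 wins on both target paths, so the verification object set collapses to {FW2}; the set {FW1, FW2} of the page's later example corresponds to a different selection condition (for instance `top_k=2`, which adds the second-ranked object on each path). A verifier that is itself the only enforcement point on a path is worth noticing in practice: if it has been compromised, its low credibility is what should keep it from being chosen, which is why the credibility weight dominates.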
On the basis of the foregoing embodiments, before determining, if the handling result of at least one object in the handling result verification object set of the attacked object is successful, the indices whose contribution degree satisfies the index selection condition based on the index contribution table of the attacked object, the method further includes:
for each object in the handling result verification object set of the attacked object, determining the target verification mode for the handling result of that object.
Specifically, if the handling result verification object of path 1 is firewall FW2 and that of path 3 is firewall FW1, the handling result verification object set is {FW1, FW2}, and a target verification mode for the handling result is determined for each object in this set.
It should be noted that there are several verification modes, for example a direct verification mode and/or an indirect verification mode, and in this embodiment a target verification mode for the handling result of an object must be selected from them. In the direct verification mode the verifier reproduces the attack, but with a lower strength and a shorter duration than the real attack, and judges the result from how the attacked object, or the object executing the threat handling policy, responds to the reproduced attack. In the indirect verification mode the verifier sends an ordinary data packet that has verification capability (for example, a ping packet when verifying network reachability) and judges the result from how the attacked object, or the object executing the threat handling policy, responds to the verification packet. This embodiment may select either the direct or the indirect verification mode as the target verification mode for the handling result of an object. Attack strength includes, but is not limited to, any one or more of attack frequency, number of attack sources and attack traffic volume.
Verify the handling result of the object in the target verification mode to determine whether the handling result of the object is a success or a failure.
Specifically, a successful handling result means the object executed the threat handling policy successfully, and a failed handling result means the object failed to execute the threat handling policy.
On the basis of the foregoing embodiments, determining the target verification mode for the handling result of the object further includes:
determining the candidate verification mode set for verifying the handling result of the object.
Specifically, the candidate verification mode set of an object is usually {direct verification mode, indirect verification mode}; both candidate modes were described in detail above and are not repeated here.
For each candidate verification mode in the set, determine its score according to any one or more of: the user's verification requirement, the potential loss caused to the network when the candidate mode is used to verify the handling result of the object, the verification cost of the candidate mode, and the historical validity of the candidate mode.
Specifically, the user's verification requirement includes, but is not limited to, the required likelihood that the verification succeeds.
The potential loss caused to the network when a candidate mode verifies the handling result of the object is the loss the verification would inflict on objects in the network if the handling had in fact failed (for example, if the attacked object was hit by a SYN Flood and the threat handling policy is ineffective, verifying with an imitated SYN Flood can itself damage the attacked object).
The verification cost of a candidate mode includes, but is not limited to, the computation, storage and/or network bandwidth overhead the mode requires. For the direct verification mode the cost is influenced by the type, strength and duration of the reproduced attack; for the indirect verification mode it is influenced by the specific kind of verification packet used.
The historical validity of a candidate mode is the ratio, over past verifications, of the number of times this mode verified the handling result successfully to the total number of verifications performed with it.
When there are several candidate modes, a cost-balancing approach may be used: consider the positive gain (how well the user's requirement is satisfied) and the negative gain (the potential loss if handling has failed and the verification cost of the mode) together, select a candidate mode whose positive gain exceeds its negative gain, and when several modes satisfy this, select the one with the largest difference between positive and negative gain. The positive and negative gains of the candidate modes may be given statically in advance or computed dynamically from the object's resource load, the mode's resource consumption and the like; this is not limited here.
For example, take firewall FW1 in the handling result verification object set {FW1, FW2}. For firewall FW1:
the user's verification requirement is 80%;
in the direct verification mode, the potential loss is 0.9, the verification cost 0.7 and the historical validity 85%;
in the indirect verification mode, the potential loss is 0.2, the verification cost 0.1 and the historical validity 90%.
Then, for firewall FW1:
the positive gain of the direct verification mode = historical validity / verification requirement = 85% / 80% = 1.0625;
the negative gain of the direct verification mode = 0.8 × potential loss + 0.2 × verification cost = 0.8 × 0.9 + 0.2 × 0.7 = 0.86;
the difference between the positive and negative gain of the direct verification mode = 1.0625 - 0.86 = 0.2025;
the positive gain of the indirect verification mode = historical validity / verification requirement = 90% / 80% = 1.125;
the negative gain of the indirect verification mode = 0.8 × potential loss + 0.2 × verification cost = 0.8 × 0.2 + 0.2 × 0.1 = 0.18;
the difference between the positive and negative gain of the indirect verification mode = 1.125 - 0.18 = 0.945;
therefore 0.2025 is taken as the score of the direct verification mode and 0.945 as the score of the indirect verification mode.
Compare the scores of the candidate modes in the candidate verification mode set and take the candidate mode satisfying the score selection condition as the target verification mode for the handling result of the object. The target verification mode may be the direct verification mode, the indirect verification mode, or a combination of the two.
Specifically, the score selection condition may be the largest score, among others; this is not specifically limited in the embodiment. If the condition is the largest score, the scores of the candidate modes are compared and the candidate mode with the largest score is taken as the target verification mode for the handling result of firewall FW1.
Specifically, since 0.945 is larger than 0.2025, the indirect verification mode is taken as the target verification mode for verifying firewall FW1.
Further, the handling result of firewall FW1 is verified in the target verification mode to determine whether the handling result of the object is a success or a failure. The specific process is:
apply the target verification mode to firewall FW1 to obtain an actual result, compare it with the expected result, and judge the handling result successful if the two agree and failed otherwise. For example, when a ping packet is sent, the expected result is that the ping returns "destination host unreachable"; the actual result is then checked to see whether the unreachable message is really returned or the host answers the ping. If the ping fails (that is, destination host unreachable is returned), the handling result is successful and the subsequent operations continue; if the ping succeeds, the handling has failed. Note that an answered ping is conclusive evidence that the block is not in effect, whereas an unreachable result is consistent with the policy having been applied but can also be produced by other faults, which is one reason the verifier's own credibility and the historical validity of the mode enter the selection.
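The cost-balancing selection of a verification mode and the comparison of actual against expected result, as an added example that is not the patent's own code. It uses the page's FW1 figures and the page's formulas (positive gain = historical validity divided by the user's verification requirement; negative gain = 0.8 × potential loss + 0.2 × verification cost) and adds the case the page's rule implies but does not work through: when no candidate mode's positive gain exceeds its negative gain, no mode is selected. The probes standing in for the indirect mode's ping are constructed stand-ins, and all names are this example's.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Mode:
    name: str
    potential_loss: float    # damage done if the handling actually failed, in [0, 1]
    cost: float              # compute/storage/bandwidth overhead, in [0, 1]
    history: float           # past success ratio of this mode, in [0, 1]


# Constructed from the page's FW1 example.
REQUIREMENT = 0.80   # user's required likelihood of a successful verification
DIRECT = Mode("direct", potential_loss=0.9, cost=0.7, history=0.85)
INDIRECT = Mode("indirect", potential_loss=0.2, cost=0.1, history=0.90)
LOSS_WEIGHT, COST_WEIGHT = 0.8, 0.2   # page's weights on the negative side


def positive_gain(mode, requirement):
    """How far the mode's track record covers the user's requirement."""
    return mode.history / requirement


def negative_gain(mode, loss_weight=LOSS_WEIGHT, cost_weight=COST_WEIGHT):
    """Weighted damage-if-handling-failed plus verification overhead."""
    return loss_weight * mode.potential_loss + cost_weight * mode.cost


def mode_score(mode, requirement):
    """Margin of positive over negative gain; this is the page's 'score'."""
    return positive_gain(mode, requirement) - negative_gain(mode)


def choose_mode(modes, requirement):
    """Return the admissible mode with the largest margin, or None when no
    mode's positive gain exceeds its negative gain (verifying is not worth it)."""
    admissible = [m for m in modes if mode_score(m, requirement) > 0]
    if not admissible:
        return None
    return max(admissible, key=lambda m: mode_score(m, requirement))


def verify_disposition(probe: Callable[[], str], expected: str) -> bool:
    """Run the chosen mode's probe and compare the actual with the expected
    outcome; True means the object executed the handling policy successfully."""
    return probe() == expected


# Constructed probes standing in for the indirect mode's ping check.
def ping_after_successful_block():
    return "unreachable"   # FW1 drops the probe, as the policy should make it


def ping_after_failed_block():
    return "reply"         # the host still answers: the policy is not in effect


if __name__ == "__main__":
    chosen = choose_mode([DIRECT, INDIRECT], REQUIREMENT)
    print("chosen mode:", chosen.name, round(mode_score(chosen, REQUIREMENT), 4))
    print("handled:", verify_disposition(ping_after_successful_block, "unreachable"))
    print("handled:", verify_disposition(ping_after_failed_block, "unreachable"))
```

In a deployment the probe would be the real ping (or, for the direct mode, the throttled replay of the attack) against the verifier, and the expected result would come from the policy item being checked; the comparison itself stays a plain equality on the observed outcome.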
On the basis of the foregoing embodiments, this embodiment explains how the threat handling effect of the threat handling policy is determined from the target index sets of the attacked objects in the network:
for each attacked object in the network, select one candidate effect calculation method from the candidate effect calculation method set as the target effect calculation method of that attacked object.
Specifically, the candidate effect calculation method set may include: the weighted average method, the analytic hierarchy process, fuzzy comprehensive evaluation, the fuzzy analytic hierarchy process, Bayesian networks, Markov processes, Petri nets, attack graphs, D-S evidence theory, grey relational analysis, rough set theory, cluster analysis, and the like.
Determine, with the target effect calculation method and from the target index set of the attacked object, the threat handling effect of the threat handling policy on that attacked object.
For example, if the target effect calculation method is the weighted average method and the target index set of the attacked object consists of CPU utilisation, network bandwidth occupancy, number of TCP connections, service response time and response success rate, the values of these target indices are determined first.
If the CPU utilisation is 40%, the network bandwidth occupancy 35%, the number of TCP connections 1300, the service response time 0.1 s and the response success rate 95%, and the corresponding scores are 3 for a CPU utilisation of 40%, 3 for a bandwidth occupancy of 35%, 2 for 1300 TCP connections, 4 for a response time of 0.1 s and 4 for a success rate of 95%, with each target index weighted 0.2, then the threat handling effect value is 0.2 × (3 + 3 + 2 + 4 + 4) = 3.2. The threat handling effect of the threat handling policy on the attacked object is determined from this score.
Determine the threat handling effect of the threat handling policy from the threat handling effect on each attacked object in the network and/or the importance degree of each attacked object.
On the basis of the above embodiments, this embodiment explains how one candidate effect calculation method is selected from the candidate effect calculation method set as the target effect calculation method of the attacked object:
according to any one or more of the time complexity, space complexity and effectiveness of the candidate effect calculation methods in the set, select the method satisfying the effect calculation method selection condition as the target effect calculation method of the attacked object.
Specifically, the effect calculation method selection condition may be: minimum time complexity, time complexity below a first preset threshold, minimum space complexity, space complexity below a second preset threshold, highest effectiveness, effectiveness above a third preset threshold, the minimum or maximum weighted sum of any several of time complexity, space complexity and effectiveness, the lowest possible time and/or space complexity subject to meeting a preset effectiveness value, and the like. The specific selection may be implemented by direct comparison, multi-objective programming and the like, and is not limited.
On the basis of the foregoing embodiments, determining the threat handling effect of the threat handling policy from the threat handling effect on, and/or the importance degree of, the attacked objects in the network further includes:
for any attacked object in the network, digitising the threat handling effect on the attacked object and digitising the importance degree of the attacked object;
obtaining the relative handling effect value of the attacked object from the digitised threat handling effect and/or the digitised importance degree, in a manner that includes but is not limited to: taking the digitised threat handling effect directly as the relative handling effect value of the attacked object, or multiplying the digitised threat handling effect by the digitised importance degree to obtain the relative handling effect value of the attacked object;
obtaining the threat handling effect value of the threat handling policy from the relative handling effect values of the attacked objects in the network, in a manner that includes but is not limited to: adding the relative handling effect values of all attacked objects in the network;
matching the threat handling effect value against preset effect value grades to obtain the threat handling effect of the threat handling policy.
On the basis of the foregoing embodiments, after matching the threat handling effect value against the preset effect value grades to obtain the threat handling effect of the threat handling policy, the method further includes:
adjusting the threat handling policy according to the matching result;
and/or
determining the threat handling effect again after the adjusted handling policy has finished executing.
Specifically, if the threat handling effect satisfies a preset condition, the threat handling policy is kept unchanged; if it does not, it is judged whether the removed path set is empty. If the removed path set is empty, the threat handling policy is considered ineffective: the policy is adjusted, and/or the security devices or systems on the paths are replaced or upgraded. If the removed path set is not empty, it is considered that too few threat handling policies have been deployed, and further threat handling policies are deployed on the paths of the removed path set. The preset condition includes, but is not limited to: not lower than a preset effect value, or higher than a preset effect value.
Optionally, after the adjusted handling policy has finished executing, the threat handling effect is determined again.
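The effect computation and the feedback decision of the preceding embodiments, carried through as an added example rather than the patent's own code. The weighted average method uses the page's five index scores and weights; the second attacked object, the importance degrees, the per-object maximum score and the grade bands are assumptions, as are all names in the block. The page gives the index scores directly and does not specify the mapping from raw index values to scores, so the scores are taken as input.

```python
TOP_SCORE = 5   # assumed: index scores lie on a 1..5 scale (the page uses 2..4)

# Index scores of the page's worked example for Web service 1.
WEB1_SCORES = {"cpu_utilisation": 3, "bandwidth_occupancy": 3,
               "tcp_connections": 2, "response_time": 4, "success_rate": 4}
WEB1_WEIGHTS = {name: 0.2 for name in WEB1_SCORES}

# Assumed grade bands on the effect value normalised to [0, 1].
GRADES = [(0.8, "good"), (0.6, "fair"), (0.0, "poor")]


def weighted_average_effect(scores, weights):
    """Page's weighted average method: the sum over the target index set of
    score x weight. Weights are expected to sum to 1."""
    if set(scores) != set(weights):
        raise ValueError("every target index needs exactly one weight")
    return sum(scores[k] * weights[k] for k in scores)


def relative_effect(effect, importance=None):
    """Relative handling effect value of one attacked object: the digitised
    effect itself, or effect x importance when the importance degree is used."""
    return effect if importance is None else effect * importance


def policy_effect_value(per_object):
    """Threat handling effect value of the policy: the sum of the relative
    effect values. `per_object` maps attacked object -> (effect, importance)."""
    return sum(relative_effect(e, imp) for e, imp in per_object.values())


def max_effect_value(per_object, top_score=TOP_SCORE):
    """Largest value policy_effect_value could reach for these objects."""
    return top_score * sum(imp for _, imp in per_object.values())


def match_grade(value, max_value, grades=GRADES):
    """Normalise the effect value and match it against the grade bands."""
    ratio = value / max_value
    for floor, label in grades:
        if ratio >= floor:
            return label
    return grades[-1][1]


def next_action(grade, removed_paths, acceptable=("good",)):
    """Page's feedback rule: keep the policy if the effect is acceptable;
    otherwise deploy more policy on the removed paths if there are any, else
    the policy is ineffective and is adjusted or the devices are upgraded."""
    if grade in acceptable:
        return "keep policy"
    if removed_paths:
        return "deploy policy on removed paths"
    return "adjust policy or upgrade devices"


def evaluate(per_object_scores, importances, removed_paths):
    """End to end: per-object effects -> policy effect value -> grade -> action.
    `per_object_scores` maps attacked object -> (scores, weights)."""
    per_object = {obj: (weighted_average_effect(s, w), importances[obj])
                  for obj, (s, w) in per_object_scores.items()}
    value = policy_effect_value(per_object)
    grade = match_grade(value, max_effect_value(per_object))
    return value, grade, next_action(grade, removed_paths)


if __name__ == "__main__":
    # Constructed second attacked object (the database service) and importances.
    db_scores = {k: 4 for k in WEB1_SCORES}
    scores = {"web1": (WEB1_SCORES, WEB1_WEIGHTS), "db": (db_scores, WEB1_WEIGHTS)}
    print(evaluate(scores, {"web1": 0.6, "db": 0.4}, ["path 2", "path 4"]))
```

With the removed path set {path 2, path 4} of Fig. 2 still non-empty, a "fair" grade leads to deploying further policy on those paths rather than to rewriting the existing policy; only when nothing has been left unprotected does a poor grade point at the policy or the devices themselves.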
Fig. 3 is a schematic structural diagram of a system for determining the threat handling effect in a network according to an embodiment of the present invention. As shown in Fig. 3, the system includes:
a handling result verification object set acquisition module 301, configured to select, for any attacked object in the network, several objects from the objects that execute the threat handling policy for that attacked object, to form the handling result verification object set of the attacked object; a target index set acquisition module 302, configured to determine, if the handling result of at least one object in the handling result verification object set of the attacked object is successful, the indices whose contribution degree satisfies the index selection condition, based on the index contribution table of the attacked object, to form the target index set of the attacked object, where a successful handling result means the object executed the threat handling policy successfully; and an effect determination module 303, configured to determine the threat handling effect of the threat handling policy from the target index sets of the attacked objects in the network.
Specifically, an attacker attacking a target network usually attacks several objects in it, and these are called the attacked objects. For an attacked object in the target network, the handling result verification object set acquisition module 301 can learn, from the threat handling policy generated by the threat handling command center, which objects execute the threat handling policy for that attacked object, and select several of them to form the handling result verification object set of the attacked object. When the handling result of at least one object in that set is successful, the target index set acquisition module 302 determines, based on the index contribution table of the attacked object, the indices whose contribution degree satisfies the index selection condition, forming the target index set of the attacked object; a successful handling result means the object executed the threat handling policy successfully. The effect determination module 303 determines the threat handling effect of the threat handling policy from the target index sets of the attacked objects in the network. The threat handling effect is the degree to which the threat handling policy is effective in handling the network threat and reflects the change in the security state of the network before and after the policy is executed: the better the security state of the network, the better the threat handling effect, and conversely the worse.
With the system for determining the threat handling effect in a network provided by this embodiment, after the security devices have executed the threat handling policy, different verification means are selected dynamically according to the threat situation, the handling objects and the handling policy, and the handling effect of the coordinated objects is determined comprehensively from a global perspective. The coordinated threat handling effect is thereby determined, the threat handling effect can be determined effectively, and the actual security state of a large-scale network can be evaluated accurately.
Fig. 4 is a module relationship diagram of a system for determining the threat handling effect in a network according to an embodiment of the present invention. As shown in Fig. 4, the system includes: a handling result verification object set acquisition module, a handling result verification mode determination module, a handling result verification module, a target index set acquisition module, an effect calculation method determination module, an effect determination module and a storage unit;
the handling result verification object set acquisition module is configured to receive the attacked object and the handling policy, and to acquire from the storage unit, according to the alarm information and/or the handling policy, the paths from the attacked object to the attacker and/or the external network and the objects that execute the handling policy, thereby determining the handling result verification object set;
the handling result verification mode determination module is configured to receive the handling result verification object set from the handling result verification object set acquisition module, to acquire from the storage unit, according to that set, the candidate verification mode set of each object in it, thereby determining the target verification mode of each object in the set, and to send the target verification modes to the handling result verification module;
the handling result verification module is configured to receive the target verification mode of each object in the handling result verification object set from the handling result verification mode determination module, to verify the handling result of the corresponding object in that target verification mode, and to send the handling result to the target index set acquisition module;
the target index set acquisition module is configured to receive the handling result from the handling result verification module, to acquire the index contribution degrees from the storage unit according to the handling result, to determine the target index set, and to send it to the effect determination module;
the effect calculation method determination module is configured to acquire the candidate effect calculation method set from the storage unit, to determine the target effect calculation method from that set, and to send it to the effect determination module;
the effect determination module is configured to receive the target index set from the target index set acquisition module and the target effect calculation method from the effect calculation method determination module, and to determine the threat handling effect from the target index set and the target effect calculation method;
the storage unit is configured to store data including, but not limited to, any one or more of: a path information base of paths from attacked objects to attackers and/or external networks, an information base of objects that execute threat handling policies, a verification mode information base, an effect index information base and an effect calculation method information base.
Fig. 5 is a schematic diagram of the physical structure of an electronic device according to an embodiment of the present invention. As shown in Fig. 5, the electronic device may include a processor 501, a communications interface 502, a memory 503 and a communication bus 504, where the processor 501, the communications interface 502 and the memory 503 communicate with each other via the communication bus 504. The processor 501 may invoke a computer program stored in the memory 503 and executable on the processor 501 to perform the methods provided by the above embodiments, for example: for any attacked object in the network, selecting several objects from among the objects of the attacked object that execute the threat handling policy, to form a handling result verification object set of the attacked object; if the handling result of at least one object in the handling result verification object set of the attacked object is successful, determining, based on the index contribution table of the attacked object, the indices whose contribution degree satisfies an index selection condition, to form a target index set of the attacked object, where a successful handling result of an object means that the object has successfully executed the threat handling policy; and determining the threat handling effect of the threat handling policy according to the target index sets of the attacked objects in the network.
In addition, the logic instructions in the memory 503 may be implemented in the form of software functional units and, when sold or used as an independent product, stored in a computer-readable storage medium. On this understanding, the technical solutions of the embodiments of the present invention, or the part of them that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
Embodiments of the present invention further provide a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program performs the method provided in the foregoing embodiments, which includes: for any attacked object in the network, selecting several objects from among the objects of the attacked object that execute the threat handling policy, to form a handling result verification object set of the attacked object; if the handling result of at least one object in the handling result verification object set of the attacked object is successful, determining, based on the index contribution table of the attacked object, the indices whose contribution degree satisfies an index selection condition, to form a target index set of the attacked object, where a successful handling result of an object means that the object has successfully executed the threat handling policy; and determining the threat handling effect of the threat handling policy according to the target index sets of the attacked objects in the network.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (12)

1. A method of determining threat handling effectiveness in a network, comprising:
for any attacked object in the network, selecting several objects from among the objects of the attacked object that execute the threat handling policy, to form a handling result verification object set of the attacked object;
if the handling result of at least one object in the handling result verification object set of the attacked object is successful, determining, based on the index contribution table of the attacked object, the indices whose contribution degree satisfies an index selection condition, to form a target index set of the attacked object; where a successful handling result of an object means that the object has successfully executed the threat handling policy;
and determining the threat handling effect of the threat handling policy according to the target index sets of the attacked objects in the network;
where an object is a device and/or a system that forms part of the network, an attacked object is one or more objects that have suffered an attack, and the index contribution table is a mapping between each index and the degree to which that index contributes to verifying that the handling result for the attacked object is successful.
2. The method of claim 1, wherein, for any attacked object in the network, selecting several objects from among the objects of the attacked object that execute the threat handling policy to form a handling result verification object set of the attacked object comprises:
determining the paths from the attacked object to the attacker and/or to the external network, to form a path set;
judging, for each path in the path set, whether the objects the path passes through include an object that executes the threat handling policy, and removing from the path set the paths that contain no object executing the threat handling policy, to generate a target path set;
for each path in the target path set, selecting several objects from among the objects the path passes through that execute the threat handling policy as the handling result verification objects of the path;
and combining the handling result verification objects of all paths in the target path set to generate the handling result verification object set of the attacked object.
3. The method of claim 2, wherein selecting several objects from among the objects the path passes through that execute the threat handling policy as the handling result verification objects of the path comprises:
selecting, from among the objects the path passes through that execute the threat handling policy, several objects as the handling result verification objects of the path according to any one or more of: the running state of each object with its corresponding first weight, the load of each object with its corresponding second weight, and the reliability of each object with its corresponding third weight.
4. The method of claim 1, wherein before determining, if the handling result of at least one object in the handling result verification object set of the attacked object is successful, the indices whose contribution degree satisfies the index selection condition based on the index contribution table of the attacked object, the method further comprises:
for each object in the handling result verification object set of the attacked object, determining a target verification mode for the handling result of that object;
and verifying the handling result of the object according to the target verification mode, to determine whether the handling result of the object is successful or failed.
5. The method of claim 4, wherein determining the target verification mode for the handling result of the object comprises:
determining a candidate verification mode set for verifying the handling result of the object;
for each candidate verification mode in the candidate verification mode set, determining a score of the candidate verification mode according to any one or more of: the user's verification requirements, the potential loss caused to the network when the candidate verification mode verifies the handling result of the object, the verification cost of the candidate verification mode, and the historical validity of the candidate verification mode;
and comparing the scores of the candidate verification modes in the candidate verification mode set, and taking the candidate verification mode that satisfies a score selection condition as the target verification mode for the handling result of the object.
6. The method of claim 1, wherein determining the threat handling effect of the threat handling policy according to the target index sets of the attacked objects in the network comprises:
for any attacked object in the network, selecting one candidate effect calculation method from a candidate effect calculation method set as the target effect calculation method of the attacked object;
determining, by the target effect calculation method, the threat handling effect of the threat handling policy on the attacked object according to the target index set of the attacked object;
and determining the threat handling effect of the threat handling policy according to the threat handling effect of the threat handling policy on each attacked object in the network and/or the importance degree of each attacked object.
7. The method of claim 6, wherein selecting one candidate effect calculation method from the candidate effect calculation method set as the target effect calculation method of the attacked object comprises:
selecting, according to any one or more of the time complexity, the space complexity and the effectiveness of each candidate effect calculation method in the candidate effect calculation method set, the effect calculation method that satisfies an effect calculation method selection condition as the target effect calculation method of the attacked object.
8. The method of claim 6, wherein determining the threat handling effect of the threat handling policy according to the threat handling effect of the threat handling policy on each attacked object in the network and/or the importance degree of each attacked object comprises:
for any attacked object in the network, quantifying the threat handling effect on the attacked object and quantifying the importance degree of the attacked object;
obtaining a relative handling effect value of the attacked object according to the quantified threat handling effect and/or the quantified importance degree;
obtaining a threat handling effect value of the threat handling policy according to the relative handling effect values of the attacked objects in the network;
and matching the threat handling effect value against preset effect value grades to obtain the threat handling effect of the threat handling policy.
9. The method of claim 8, wherein after matching the threat handling effect value against the preset effect value grades to obtain the threat handling effect of the threat handling policy, the method further comprises:
adjusting the threat handling policy according to the matching result;
and/or
determining the threat handling effect again after execution of the adjusted handling policy is finished.
10. A system for determining threat handling effectiveness in a network, comprising:
a handling result verification object set acquisition module, configured to select, for any attacked object in the network, several objects from among the objects of the attacked object that execute the threat handling policy, to form a handling result verification object set of the attacked object;
a target index set acquisition module, configured to determine, if the handling result of at least one object in the handling result verification object set of the attacked object is successful, the indices whose contribution degree satisfies an index selection condition based on the index contribution table of the attacked object, to form a target index set of the attacked object; where a successful handling result of an object means that the object has successfully executed the threat handling policy;
an effect determination module, configured to determine the threat handling effect of the threat handling policy according to the target index sets of the attacked objects in the network;
where an object is a device and/or a system that forms part of the network, an attacked object is one or more objects that have suffered an attack, and the index contribution table is a mapping between each index and the degree to which that index contributes to verifying that the handling result for the attacked object is successful.
11. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the steps of the method according to any one of claims 1 to 9 are implemented when the processor executes the program.
12. A non-transitory computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 9.
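Claims 1 to 9 above describe one scoring pipeline: enumerate paths from the attacked object to the attacker, keep the paths that carry a policy-executing object, pick verification objects by weighted running state, load and reliability, choose a verification mode by score, build the target index set from the contribution table, compute a per-object effect, and aggregate by importance into a graded value. The Python block below, added here as an illustration and not code from the patent or its applicant, runs that pipeline end to end on a small constructed network. The graph, the objects that execute the policy, the evidence each verification mode returns, every weight and threshold, the two candidate effect calculation methods and the grade boundaries are all assumptions; the patent specifies none of them.

```python
"""Model of the claimed pipeline on a constructed toy network (added example, not the patent's code).
Every weight, threshold, observation and scoring formula below is an assumption for illustration."""

# Constructed network: adjacency list from each object towards the external network.
EDGES = {
    "web01": ["fw01", "fw02"], "fw01": ["router1"], "fw02": ["router1", "router2"],
    "router1": ["external"], "router2": ["external"],
    "db01": ["switch1"], "switch1": ["external"],
}
# Objects that execute the threat handling policy: (running_state, load, reliability).
POLICY_OBJECTS = {"fw01": (1, 0.9, 0.95), "fw02": (1, 0.3, 0.90),
                  "router1": (1, 0.5, 0.80), "router2": (0, 0.1, 0.70)}
# Constructed evidence each verification mode would find per object (True = policy applied).
OBSERVATIONS = {
    "fw01": {"config_audit": True, "active_probe": True, "log_review": False},
    "fw02": {"config_audit": True, "active_probe": True, "log_review": True},
    "router1": {"config_audit": False, "active_probe": False, "log_review": False},
    "router2": {"config_audit": False, "active_probe": False, "log_review": False},
}
# Candidate verification modes: (user requirement fit, potential loss, cost, historical validity).
VERIFICATION_MODES = {"config_audit": (0.9, 0.0, 0.2, 0.80),
                      "active_probe": (0.6, 0.5, 0.5, 0.95),
                      "log_review": (0.7, 0.0, 0.3, 0.60)}
# Candidate effect calculation methods: (time complexity, space complexity, effectiveness).
EFFECT_METHODS = {"weighted_mean": (0.2, 0.1, 0.9), "min_index": (0.1, 0.1, 0.6)}
# Per attacked object: index contribution table, measured index values in [0, 1], importance.
ATTACKED = {
    "web01": {"contribution": {"blocked_connections": 0.4, "dropped_malicious_flows": 0.3,
                               "service_availability": 0.2, "cpu_overhead": 0.1},
              "measured": {"blocked_connections": 0.9, "dropped_malicious_flows": 0.8,
                           "service_availability": 0.95, "cpu_overhead": 0.5},
              "importance": 0.7},
    "db01": {"contribution": {"blocked_connections": 1.0},
             "measured": {"blocked_connections": 0.0}, "importance": 0.3},
}
GRADES = [(0.8, "excellent"), (0.6, "good"), (0.4, "fair"), (0.0, "poor")]


def simple_paths(src, dst, graph=EDGES):
    """Claim 2: enumerate the simple paths from the attacked object to the attacker/external network."""
    out, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            out.append(path)
            continue
        stack.extend((n, path + [n]) for n in graph.get(node, []) if n not in path)
    return sorted(out)


def select_verification_objects(attacked, dst="external", k=1, w=(0.5, 0.3, 0.2)):
    """Claims 2-3: drop paths without a policy-executing object; keep the k best-scored objects per path."""
    def score(n):  # running state, spare capacity and reliability, each with its own weight
        state, load, rel = POLICY_OBJECTS[n]
        return w[0] * state + w[1] * (1 - load) + w[2] * rel
    chosen = set()
    for path in simple_paths(attacked, dst):
        cands = [n for n in path if n in POLICY_OBJECTS]
        if cands:  # paths with no object executing the policy are removed (claim 2)
            chosen.update(sorted(cands, key=score, reverse=True)[:k])
    return chosen


def choose_verification_mode(w=(0.3, 0.3, 0.2, 0.2)):
    """Claim 5: potential loss and cost count against a mode; requirement fit and history count for it."""
    def score(m):
        fit, loss, cost, hist = VERIFICATION_MODES[m]
        return w[0] * fit - w[1] * loss - w[2] * cost + w[3] * hist
    return max(VERIFICATION_MODES, key=score)


def choose_effect_method():
    """Claim 7: reward effectiveness, penalise time and space complexity."""
    return max(EFFECT_METHODS, key=lambda m: EFFECT_METHODS[m][2] - 0.5 * sum(EFFECT_METHODS[m][:2]))


def object_effect(name, min_contribution=0.2):
    """Claims 1, 4 and 6: verify the handling result, build the target index set, compute the effect."""
    mode = choose_verification_mode()
    if not any(OBSERVATIONS[o][mode] for o in select_verification_objects(name)):
        return 0.0, set()  # assumption: no successful handling result means no measurable effect
    table, measured = ATTACKED[name]["contribution"], ATTACKED[name]["measured"]
    targets = {i for i, c in table.items() if c >= min_contribution}  # index selection condition
    if choose_effect_method() == "weighted_mean":
        effect = sum(table[i] * measured[i] for i in targets) / sum(table[i] for i in targets)
    else:
        effect = min(measured[i] for i in targets)
    return effect, targets


def strategy_effect():
    """Claim 8: importance-weighted aggregate over all attacked objects, matched to a grade."""
    total = sum(a["importance"] for a in ATTACKED.values())
    value = sum(object_effect(n)[0] * a["importance"] for n, a in ATTACKED.items()) / total
    return value, next(g for threshold, g in GRADES if value >= threshold)


if __name__ == "__main__":
    for n in ATTACKED:
        print(n, select_verification_objects(n), object_effect(n))
    print(strategy_effect())
```

Running the file prints, for each attacked object, the handling result verification objects chosen by the claim 2 and claim 3 rule and the resulting effect. For `web01` the three paths yield `router1` and `fw02`; the config audit succeeds on `fw02`, so the three indices with contribution of at least 0.2 form the target index set and the weighted mean gives an effect of about 0.88. `db01` has no policy-executing object on its only path, so its verification set is empty and, under the assumption coded in `object_effect`, it contributes zero. The importance-weighted aggregate lands in the "good" band, which is the point at which claim 9's loop (adjust the policy, then determine the effect again) would apply.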
CN201811376254.8A 2018-11-19 2018-11-19 Method and system for determining threat disposal effect in network Active CN109510828B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811376254.8A CN109510828B (en) 2018-11-19 2018-11-19 Method and system for determining threat disposal effect in network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811376254.8A CN109510828B (en) 2018-11-19 2018-11-19 Method and system for determining threat disposal effect in network

Publications (2)

Publication Number Publication Date
CN109510828A CN109510828A (en) 2019-03-22
CN109510828B true CN109510828B (en) 2020-07-03

Family

ID=65748963

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811376254.8A Active CN109510828B (en) 2018-11-19 2018-11-19 Method and system for determining threat disposal effect in network

Country Status (1)

Country Link
CN (1) CN109510828B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102638458A (en) * 2012-03-23 2012-08-15 中国科学院软件研究所 Method for identifying vulnerability utilization safety threat and determining associated attack path
CN102739652A (en) * 2012-06-07 2012-10-17 中国电子科技集团公司第三十研究所 Network anti-attack performance assessment index system establishing method and device
CN105119874A (en) * 2015-06-17 2015-12-02 广东电网有限责任公司信息中心 Method for evaluating validity of information safety protection system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9686312B2 (en) * 2014-07-23 2017-06-20 Cisco Technology, Inc. Verifying network attack detector effectiveness
CN108629474B (en) * 2017-03-24 2021-11-12 北京航天计量测试技术研究所 Process safety assessment method based on attack graph model
CN108494810B (en) * 2018-06-11 2021-01-26 中国人民解放军战略支援部队信息工程大学 Attack-oriented network security situation prediction method, device and system

Also Published As

Publication number Publication date
CN109510828A (en) 2019-03-22

Similar Documents

Publication Publication Date Title
CN109698819B (en) Threat disposal management method and system in network
Ahmed et al. Protecting iots from mirai botnet attacks using blockchains
RU2668710C1 (en) Computing device and method for detecting malicious domain names in network traffic
US10110627B2 (en) Adaptive self-optimzing DDoS mitigation
AU2004289001B2 (en) Method and system for addressing intrusion attacks on a computer system
KR101217647B1 (en) Method and apparatus for defending against denial of service attacks in IP networks based on specified source/destination IP address pairs
US20100235879A1 (en) Systems, methods, and media for enforcing a security policy in a network including a plurality of components
CN108809749B (en) Performing upper layer inspection of a stream based on a sampling rate
JP2019021294A (en) SYSTEM AND METHOD OF DETERMINING DDoS ATTACKS
Igbe et al. Deterministic dendritic cell algorithm application to smart grid cyber-attack detection
WO2016191232A1 (en) Mitigation of computer network attacks
WO2015134034A1 (en) Network security for encrypted channel based on reputation
Guerber et al. Machine Learning and Software Defined Network to secure communications in a swarm of drones
Ramaki et al. A survey of IT early warning systems: architectures, challenges, and solutions
US11838319B2 (en) Hardware acceleration device for denial-of-service attack identification and mitigation
KR20080026122A (en) Method for defending against denial of service attacks in ip networks by target victim self-identification and control
CN115087977A (en) Method and system for preventing malicious automation attacks
CN108183884B (en) Network attack determination method and device
Verma et al. A detailed survey of denial of service for IoT and multimedia systems: Past, present and futuristic development
CN108322454B (en) Network security detection method and device
Melo et al. ISM-AC: An immune security model based on alert correlation and software-defined networking
Abdulqadder et al. Validating user flows to protect software defined network environments
RU2703329C1 (en) Method of detecting unauthorized use of network devices of limited functionality from a local network and preventing distributed network attacks from them
CN109510828B (en) Method and system for determining threat disposal effect in network
Sedaghat The Forensics of DDoS Attacks in the Fifth Generation Mobile Networks Based on Software-Defined Networks.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant