CN110430185A - Method and detection device for detecting command execution vulnerabilities - Google Patents
- Publication number
- CN110430185A (application CN201910705518.8A)
- Authority
- CN
- China
- Prior art keywords
- context data
- vulnerability
- network
- network equipment
- data
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00—Network architectures or network communication protocols for network security › H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
  - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic › H04L63/1416—Event detection, e.g. attack signature detection
  - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic › H04L63/1425—Traffic logging, e.g. anomaly detection
  - H04L63/1433—Vulnerability analysis
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer And Data Communications (AREA)
Abstract
The present disclosure provides a method for detecting command execution vulnerabilities, comprising: obtaining network environment data of a network device; using a context data model, processing the network environment data based on an ontology knowledge base to generate first context data; and deriving second context data from the first context data using pre-defined rules, the second context data being used to judge whether the network device has a command execution vulnerability. The disclosure also provides a detection device, an electronic device and a computer-readable storage medium for detecting command execution vulnerabilities.
Description
Technical field
The present disclosure relates to the field of artificial intelligence for network security, and in particular to a method and a detection device for detecting command execution vulnerabilities.
Background technique
With the development of computer networking technology, traditional security protection systems are no longer sufficient to cope with the constantly changing and improving attacks of hackers. As the types and quantity of technology assets in various industries increase sharply, the management of those assets inevitably leaves a series of vulnerabilities. Existing asset security protection systems require a large investment of personnel, have poor timeliness, incomplete protection coverage and low accuracy, and cannot effectively protect against 0-day vulnerabilities; there is a large technology gap between them and current attack methods. How to use machines to collect network security data in real time, and to replace security experts in intelligently understanding, analyzing and processing that data so as to improve the timeliness, comprehensiveness and accuracy of asset security protection, has become a technical problem.
Summary of the invention
One aspect of the present disclosure provides a method for detecting command execution vulnerabilities, comprising: obtaining network environment data of a network device; using a context data model, processing the network environment data based on an ontology knowledge base to generate first context data; and deriving second context data from the first context data using pre-defined rules, the second context data being used to judge whether the network device has a command execution vulnerability.
One aspect of the present disclosure provides a detection device for detecting command execution vulnerabilities, comprising: an acquisition device for obtaining network environment data of a network device; a scene modeling device for processing the network environment data based on an ontology knowledge base, using a context data model, to generate first context data; and a scene reasoning device for deriving second context data from the first context data using pre-defined rules, the second context data being used to judge whether the network device has a command execution vulnerability.
One aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the method for detecting command execution vulnerabilities according to the present disclosure.
One aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the method for detecting command execution vulnerabilities according to the present disclosure.
According to the technical solution of the embodiments of the present disclosure, the collected data is analyzed and processed in combination with an ontology knowledge base, and the network device is automatically controlled according to the result of that analysis. By using the knowledge in the ontology knowledge base, the disclosure can reduce the false alarm rate for vulnerability attacks and reduce the risk of blocking the network. In addition, the method or detection device of the disclosure can detect the security state of the network device in real time and assess command execution vulnerabilities in real time, without consuming a large amount of manual effort. Furthermore, when the method or detection device detects a vulnerability attack, it can block the network device's responses to other network devices in time, before an actual attack event occurs, thereby improving the security level of the network device.
Detailed description of the invention
For a fuller understanding of the present disclosure and its advantages, reference is now made to the following description taken in conjunction with the accompanying drawings, in which:
Fig. 1 schematically illustrates a device detecting a command execution vulnerability based on an ontology knowledge base according to an embodiment of the present disclosure;
Fig. 2 schematically illustrates a block diagram of a detection device for detecting command execution vulnerabilities based on an ontology knowledge base according to an embodiment of the present disclosure;
Fig. 3 schematically illustrates the construction of a network security ontology knowledge base based on expert knowledge and machine learning according to an embodiment of the present disclosure;
Fig. 4 schematically illustrates an example of a security ontology knowledge base according to an embodiment of the present disclosure;
Fig. 5 schematically illustrates an example of a command execution vulnerability ontology knowledge base according to an embodiment of the present disclosure;
Fig. 6 schematically illustrates a flow chart of a method for detecting command execution vulnerabilities based on an ontology knowledge base according to an embodiment of the present disclosure;
Fig. 7 schematically illustrates an example of a finite state machine for a response message according to an embodiment of the present disclosure;
Fig. 8 schematically illustrates an example of a finite state machine for a command execution vulnerability according to an embodiment of the present disclosure; and
Fig. 9 schematically illustrates a block diagram of an electronic device according to an embodiment of the present disclosure.
Specific embodiment
Embodiments of the present disclosure will be described below with reference to the accompanying drawings. It should be understood, however, that these descriptions are merely exemplary and are not intended to limit the scope of the disclosure. In the following detailed description, numerous specific details are set forth for ease of explanation in order to provide a thorough understanding of the embodiments of the disclosure. It will be apparent, however, that one or more embodiments may be practiced without these specific details. In addition, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the disclosure. As used herein, the terms "include", "comprise" and the like indicate the presence of the stated features, steps, operations and/or components, but do not exclude the presence or addition of one or more other features, steps, operations or components.
Where an expression such as "at least one of A, B and C" is used, it should generally be interpreted in the sense that a person skilled in the art would normally understand it (for example, "a system having at least one of A, B and C" includes, but is not limited to, a system having A alone, B alone, C alone, A and B, A and C, B and C, and/or A, B and C). Where an expression such as "at least one of A, B or C" is used, it should likewise generally be interpreted in the sense that a person skilled in the art would normally understand it (for example, "a system having at least one of A, B or C" includes, but is not limited to, a system having A alone, B alone, C alone, A and B, A and C, B and C, and/or A, B and C).
Some block diagrams and/or flow charts are shown in the drawings. It should be understood that some blocks of the block diagrams and/or flow charts, or combinations thereof, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer or other programmable data processing apparatus, so that the instructions, when executed by the processor, create means for implementing the functions/operations illustrated in the block diagrams and/or flow charts. The techniques of the disclosure can be implemented in the form of hardware and/or software (including firmware, microcode, etc.). In addition, the techniques of the disclosure can take the form of a computer program product on a computer-readable storage medium storing instructions, for use by or in connection with an instruction execution system.
The present disclosure relates to the field of artificial intelligence for network security. One core research question of artificial intelligence is knowledge representation. Knowledge representation, that is, the formal representation of knowledge, aims not only to solve the problem of storing knowledge in a computer, but more importantly to make the representation convenient for the computer to use and manage, and to allow new knowledge to be deduced by reasoning according to certain rules, so that the machine exhibits intelligent behavior.
In the era of big data, technology assets contain a great deal of value and personal privacy; hackers use every means to attack vulnerabilities and steal asset information, attack methods change and improve constantly, and the external situation is increasingly severe. In addition, traditional security protection technology relies mainly on security experts analyzing the collected data and formulating protection strategies such as manually preset rules. Such manual protection is no longer sufficient to cope with attacks such as APT, whose attack process is complex, fast, long-lasting and good at hiding at a single point, and which have no obvious features that could be detected in real time. Furthermore, some vulnerabilities, for example 0-day vulnerabilities, cannot be protected against by manually preset rules; an emerging technology is needed to make asset security protection systems more intelligent. How to let a computer "perceive" command execution vulnerabilities in technology assets, and "recognize" the things or scenes it perceives, is a core problem.
The technology currently used by industrial security protection systems mainly relies on security experts analyzing the collected data and formulating protection strategies such as manually preset rules. This traditional protection is not sufficient to cope with attacks on command execution vulnerabilities such as 0-day vulnerabilities, whose attack process is complex, fast, long-lasting and good at hiding at a single point, and which have no obvious features that could be detected in real time.
In view of this, the present disclosure uses an ontology knowledge base to analyze and process the collected data. "Ontology" is a philosophical concept, the perennial philosophy that studies the essence of existence. The artificial intelligence community has given ontology a new definition: an ontology is "an explicit formal specification of a shared conceptual model". Ontology represents knowledge as a set of concepts in a domain and the relationships between those concepts; in essence, it builds a structured ontology knowledge base for the machine. That knowledge base is an abstract summary of human knowledge of a certain domain, realized in a form the machine can understand. Using the ontology knowledge base, the machine can organize the collected data systematically, that is, the machine is made to generate "thinking", which then becomes the basis for controlling its behavior.
Fig. 1 schematically illustrates a device detecting a command execution vulnerability based on an ontology knowledge base according to an embodiment of the present disclosure.
As shown in Fig. 1, a collection device 10 collects network environment data from a network device. The network environment data comprises data about the network environment in which the collected network device is located; the network device is, for example, a Web server. The collection device 10 collects from the Web server 20 the response messages sent in the network traffic in reply to request messages, where the collected network environment data may be one or more items of network environment data and the request messages are request messages issued by other network devices. The collection device 10 may be an agent deployed on an asset such as the network device; optionally, it may also be a sensor. Assets include, for example, technology assets such as system software information and data assets such as users' personal bank accounts. The Web server 20 can process request messages including HTTP requests, and an application server 30 can provide application services to the Web server. After the network environment data of the network device is collected, the detection device 200 included in the Web server 20 analyzes and processes the network environment data using an ontology knowledge base 50 and a rule engine 40, and determines according to the result of the analysis whether to prevent the Web server from performing an action.
Fig. 2 schematically illustrates a block diagram of a detection device for detecting command execution vulnerabilities based on an ontology knowledge base according to an embodiment of the present disclosure.
As shown in Fig. 2, the detection device 200 may comprise an acquisition device 2100, a scene modeling device 2200, a scene reasoning device 2300 and a scene response device 2400. The acquisition device 2100 obtains from the collection device 10 the network environment data that the collection device collected from the Web server 20; according to an embodiment of the disclosure, the collected network environment data is a response message sent in reply to a request message. The scene modeling device 2200 models the response message using the ontology knowledge base. When the multiple items of collected network environment data are multi-source heterogeneous data, the scene modeling device 2200 converts them into a unified format and normalizes them, and establishes association relationships between them. After establishing the associations, the scene modeling device 2200 adds a machine-understandable semantic description to each item of network environment data, generating a low-order scene, that is, machine-understandable context data. A scene here can be a group of stateful entities together with the information describing the states of those entities. The scene reasoning device 2300 can perform logical reasoning, for example by means of a rule engine, deriving a high-order scene from the low-order scene, that is, deriving the context data obtained after reasoning. The scene response device 2400 judges, according to the derived high-order scene, whether the Web server has a command execution vulnerability, and determines whether to control the Web server, for example by preventing the Web server from sending a response message in reply to a request message.
The detection device 200 of the present disclosure is described further below with reference to the ontology knowledge base.
The ontology knowledge base 50 may comprise a network security ontology knowledge base, referred to as a security ontology knowledge base for short. The security ontology knowledge base may comprise a command execution vulnerability ontology knowledge base built with the Web Ontology Language (OWL). Methods for building an ontology knowledge base generally fall into two classes: (1) with the help of domain experts, the ontology is written out in an ontology description language, i.e. the ontology is built manually; (2) the domain ontology is extracted from structured data or text, i.e. the ontology is built by automatic or semi-automatic methods. The present disclosure combines the advantages of both: building the network security ontology knowledge base comprises constructing the core classes of the ontology knowledge base and the relationships between them using domain expert knowledge, and constructing the derived classes of the core classes, the relationships among them and their relationships to the core classes using machine learning.
According to an embodiment of the present disclosure, the network security ontology knowledge base can be constructed in advance, before the network environment data is processed based on the ontology knowledge base using the context data model to generate the first context data.
Fig. 3 schematically illustrates the construction of a network security ontology knowledge base based on expert knowledge and machine learning according to an embodiment of the present disclosure.
As shown in Fig. 3, the core classes of the security ontology knowledge base and the relationships between them are built using expert knowledge, while the derived classes of the core classes, the relationships among them and their relationships to the core classes are built using machine learning.
Building the derived classes of the core classes and their relationships using machine learning is implemented with a pre-processing unit, a parser and a mapping device.
The pre-processing unit integrates ontology terms from the multi-source heterogeneous data collected by the different agents; using natural language pre-processing techniques such as part-of-speech tagging, stemming and removal of general terms, it extracts the useful information in the data and forms a term word set. The multi-source heterogeneous data collected by the agents includes, but is not limited to, network traffic, firewall logs and threat intelligence.
The parser performs the following. Step (1), word frequency statistics: a frequency matrix is generated from the frequency with which terms occur in the term word set. Step (2), pattern inference: a probabilistic topic model with latent semantic analysis is built; using the theory and methods of probabilistic graphical models and topic models, the joint probability distribution is represented by a graph, organically combining graph theory and probability theory; from the frequency matrix, statistical inference with a sampling algorithm on the probabilistic topic model yields the terms associated with each concept (class) topic and their association probability feature items. Step (3), association determination: by a semantic similarity determination method, combined with the joint probability distribution obtained, a concept (class) is extracted according to the semantic similarity between a group of terms under each sub-topic distribution. Step (4), relation extraction: according to the joint probability distribution obtained in step (2), step (3) is repeated until all topic-word distributions have been sampled to produce concepts (classes), giving the concept (class) set; then, according to the probability distribution between topics and the similarity calculation method, the concepts (classes) of the super-topic layer are obtained by sampling, giving the hierarchical relationships between the concepts (classes) in the concept set.
The mapping device maps the hierarchical relationships between the concepts (classes) in the concept set to an OWL file.
To facilitate understanding of the technical solution of the embodiments of the present disclosure, the security ontology knowledge base and the command execution vulnerability ontology knowledge base are described below with reference to Fig. 4 and Fig. 5 respectively.
Fig. 4 schematically illustrates an example of the security ontology knowledge base according to an embodiment of the present disclosure. As shown in Fig. 4, the data association relationships between the security ontologies Asset, Vulnerability, Malware and Security Mechanism are shown. The security ontology knowledge base can be built in a machine-readable language. Fig. 4 shows the four classes Asset, Vulnerability, Malware and Security Mechanism, the derived classes subdivided under each class, and individuals that are instances of a certain class. The four classes Asset, Vulnerability, Malware and Security Mechanism are the core classes of the security ontology knowledge base; the attributes of the core classes and the relationships between the classes are built from domain expert knowledge, while the derived classes subdivided under the core classes and the individuals that are instances of a class are built automatically by machine learning. For example, the Asset class may include a Technology Asset class, and the Technology Asset class may include Hardware and Software classes. The Software class includes an Operating System class, and the Operating System class includes the individual Windows (an operating system). The Vulnerability class includes Type and Grade classes; the Type class includes a Memory Overflow class, and the Memory Overflow class has, for example, the individual (vulnerability) "MS17-010". The individual WannaCry virus belongs to the Virus class, and the Virus class belongs to the Malware class. Security Mechanism includes a Host Security Mechanism class; the Patch class belongs to the Patch Management class, and the Patch Management class belongs to the Host Security Mechanism class. Those skilled in the art will understand that Fig. 4 is merely illustrative and the embodiments of the disclosure are not limited thereto.
For example, when the network environment data obtained by the acquisition device 2100 from the Web server includes the string "KB4012212", the scene modeling device 2200 can conclude, using the structured relationships of the security ontology knowledge base, that the meaning of "KB4012212" is the patch release number of the server's Windows operating system, not merely a string of characters, and the detection device 200 adds the corresponding semantic description to "KB4012212". When the scene modeling device 2200 of the detection device 200 scans the Windows operating system of the Web server and does not read the string "KB4012212" from the operating system's patch release numbers, and a large number of non-txt files have been produced on the server, the scene reasoning device 2300 of the detection device 200 concludes, by reasoning with the rule engine, that the server has the vulnerability "MS17-010" and may suffer an attack on the command execution vulnerability.
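As an added illustration (not the patent's own code) of how the scene modeling and scene reasoning devices could use the Fig. 4 hierarchy and the "KB4012212" example above, the following Python encodes the classes and individuals of Fig. 4 as a small knowledge base, annotates a raw string with its semantics, and applies the missing-patch rule; the relation triples, the predicate names and the file-count threshold are assumptions.

```python
"""Toy security ontology knowledge base in the shape of Fig. 4 and the
KB4012212 / MS17-010 example. Added illustration, not the patent's code;
relation triples, predicate names and the threshold are assumptions."""
from dataclasses import dataclass, field

# Class hierarchy of Fig. 4: child class -> parent class.
SUBCLASS_OF = {
    "TechnologyAsset": "Asset",
    "Hardware": "TechnologyAsset",
    "Software": "TechnologyAsset",
    "OperatingSystem": "Software",
    "Type": "Vulnerability",
    "Grade": "Vulnerability",
    "MemoryOverflow": "Type",
    "Virus": "Malware",
    "HostSecurityMechanism": "SecurityMechanism",
    "PatchManagement": "HostSecurityMechanism",
    "Patch": "PatchManagement",
}

# Individuals of Fig. 4 and the class each one instantiates.
INSTANCE_OF = {
    "Windows": "OperatingSystem",
    "MS17-010": "MemoryOverflow",
    "WannaCry": "Virus",
    "KB4012212": "Patch",
}

# Relationships between individuals (assumed predicate names).
RELATIONS = [
    ("KB4012212", "fixes", "MS17-010"),
    ("KB4012212", "appliesTo", "Windows"),
    ("WannaCry", "exploits", "MS17-010"),
]

def ancestors(cls):
    """All superclasses of cls, nearest first (transitive closure)."""
    out = []
    while cls in SUBCLASS_OF:
        cls = SUBCLASS_OF[cls]
        out.append(cls)
    return out

def is_a(individual, cls):
    """True if individual instantiates cls or any subclass of cls."""
    direct = INSTANCE_OF.get(individual)
    return direct is not None and (direct == cls or cls in ancestors(direct))

def related(subject, predicate):
    return [o for s, p, o in RELATIONS if s == subject and p == predicate]

def semantic_description(token):
    """Scene modeling step: turn a raw string such as 'KB4012212' into a
    machine-understandable description (low-order scene). Returns None
    for strings the knowledge base knows nothing about."""
    if token not in INSTANCE_OF:
        return None
    desc = {"token": token, "class": INSTANCE_OF[token],
            "superclasses": ancestors(INSTANCE_OF[token])}
    if is_a(token, "Patch"):
        desc["patch_for_os"] = related(token, "appliesTo")
        desc["fixes"] = related(token, "fixes")
    return desc

@dataclass
class HostScan:
    """Constructed scan result of one Web server."""
    os_individual: str
    installed_patches: set = field(default_factory=set)
    non_txt_files_created: int = 0

NON_TXT_FILE_THRESHOLD = 1000  # assumed value for "a large number"

def infer_vulnerabilities(scan):
    """Scene reasoning step, the rule of the page's example: for every patch
    that applies to the scanned OS and is missing, and when the host has
    produced a large number of non-txt files, infer the vulnerabilities
    that patch fixes (here MS17-010) as present."""
    found = set()
    if scan.non_txt_files_created < NON_TXT_FILE_THRESHOLD:
        return found
    for patch in INSTANCE_OF:
        if not is_a(patch, "PatchManagement"):
            continue
        if scan.os_individual not in related(patch, "appliesTo"):
            continue
        if patch in scan.installed_patches:
            continue
        found.update(related(patch, "fixes"))
    return found

if __name__ == "__main__":
    print(semantic_description("KB4012212"))
    unpatched = HostScan("Windows", set(), non_txt_files_created=5000)
    print(infer_vulnerabilities(unpatched))
```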
Fig. 5 schematically illustrates an example of the command execution vulnerability ontology knowledge base according to an embodiment of the present disclosure. The command execution vulnerability ontology knowledge base comprises classes and instances and the association relationships between them. It is built on the Semantic Sensor Network ontology (SSN Ontology). An HTTP agent is an instance of the Sensor class; by observation, the HTTP agent can observe one or more properties of a feature of interest. For example, an HTTP response message is an instance of the Feature of Interest class. An HTTP response message may include 5 properties: DNS suffix, IPv6 address, IPv4 address, subnet mask and default gateway. Each property has a corresponding observation result output after being observed. "Command execution vulnerability executes ipconfig" is also an instance of the Feature of Interest class, but its properties cannot be obtained by direct observation by the HTTP agent. One class of the Observation class is Time Interval (the observation result time), and the Time Interval class belongs to the Duration Description class (has duration description). Those skilled in the art will understand that Fig. 5 is merely illustrative and the embodiments of the disclosure are not limited thereto.
Fig. 6 schematically illustrates a flow chart of a method for detecting command execution vulnerabilities based on an ontology knowledge base according to an embodiment of the present disclosure.
Taking an HTTP response message as an example, the method for detecting command execution vulnerabilities based on an ontology knowledge base is described below. It is clear to those skilled in the art that the specific embodiment described does not limit the scope of protection of the disclosure.
In step S510, the acquisition device 2100 obtains the network environment data of the network device.
For example, the acquisition device 2100 obtains an HTTP response message from the collection device 10; the obtained HTTP response message includes DNS suffix, IPv6 address, IPv4 address, subnet mask and default gateway information. Optionally, the obtained HTTP response message may include at least one of DNS suffix, IPv6 address, IPv4 address, subnet mask and default gateway information.
In step S520, the scene modeling device 2200 models the network environment data based on the ontology knowledge base using the context data model.
Specifically, the scene modeling device 2200 uses the command execution vulnerability ontology knowledge base shown in Fig. 5 to add a machine-understandable semantic description to the data related to the HTTP response message, obtaining the low-order scene: the data associated with the DNS suffix, IPv6 address, IPv4 address, subnet mask and default gateway.
In step S530, the scene reasoning device 2300 derives a high-order scene from the low-order context data using pre-defined rules; the high-order scene is used to judge whether the network device has a command execution vulnerability.
Specifically, the scene reasoning device 2300 performs logical reasoning by means of the rule engine 40, deriving the high-order scene from the low-order scene.
The high-order scene may be derived once or several times; for example, after a first high-order scene has been derived, a second high-order scene may be derived from it.
Deriving the high-order scene from the low-order scene is further described below with reference to Fig. 7 and Fig. 8, which show examples of the rule engine 40. Fig. 7 shows the finite state machine of the response message, i.e. the state of the response message obtained by the observable entity HTTP agent. It has a normal state and an abnormal state of the response message, and transitions between them: for example, the response message can go from the normal state to the abnormal state or stay in the normal state, and can go from the abnormal state to the normal state or stay in the abnormal state. Fig. 8 shows the command execution vulnerability finite state machine, i.e. the state of the command execution vulnerability of the entity of interest. Similarly to Fig. 7, it has a state in which the command execution vulnerability is present and a state in which it is absent, and transitions between them: for example, the command execution vulnerability can go from present to absent or stay present, and can go from absent to present or stay absent. Those skilled in the art will understand that Fig. 7 and Fig. 8 are merely illustrative and the embodiments of the disclosure are not limited thereto.
Specifically, the scene reasoning device 2300 derives the first high-order scene from the low-order scene, for example by means of the inference rules of a Jess rule engine as shown in Fig. 7: the state of the response message. In the present embodiment, the state of the response message is: abnormal. The derivation then continues.
Derived using the inference rule of Fig. 8 by the first high-order scene and obtain the second high-order scene: order executes depositing for loophole
In state, in the present embodiment, order executes the existence of loophole are as follows: order, which executes loophole, to be existed.Wherein, http response report
The state of text can be by observed result (such as the step of DNS suffix, the address ipv6, the address ipv4, subnet mask and default gateway
S520 it) is derived from.The state that order executes loophole execution ipconfig is derived from by the state of http response message.
Next, in step S540, scene responding device 2400 determines, according to the obtained high-order scene, to prevent the network device from sending a response message for the request message issued by the at least one other network device. Since the present disclosure determines, from the derived high-order scene and using the ontology knowledge base, to control the Web server, it prevents the response message from being returned to the requester's IP address and blocks further request messages sent from that IP address. The requester is, for example, the at least one other network device. Thus, when a vulnerability is found, the network device that may be under attack is blocked in time, before an actual attack event occurs, which shortens response time and improves efficiency.
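The two-stage derivation (Fig. 7, then Fig. 8) and the blocking response of step S540, as an added example in plain Python that is not part of the patent; the patent uses the Jess rule engine, and the regex markers, the detection threshold and the sample response bodies here are this example's assumptions:

```python
import re
from dataclasses import dataclass, field

# ipconfig-style items the embodiment looks for in a response body (step S520);
# the regexes themselves are this example's assumption.
IPCONFIG_MARKERS = {
    "dns_suffix": re.compile(r"DNS Suffix", re.I),
    "ipv6_address": re.compile(r"IPv6 Address", re.I),
    "ipv4_address": re.compile(r"IPv4 Address", re.I),
    "subnet_mask": re.compile(r"Subnet Mask", re.I),
    "default_gateway": re.compile(r"Default Gateway", re.I),
}

def observe(body: str) -> dict:
    """Low-order scene: which ipconfig items the HTTP response body contains."""
    return {name: bool(rx.search(body)) for name, rx in IPCONFIG_MARKERS.items()}

@dataclass
class SceneReasoner:
    """Two chained finite state machines, as in Fig. 7 and Fig. 8."""
    response_state: str = "normal"  # Fig. 7: "normal" / "abnormal"
    vuln_state: str = "absent"      # Fig. 8: "absent" / "present"

    def derive(self, observed: dict, min_items: int = 2) -> tuple:
        # First high-order scene: abnormal when at least min_items ipconfig
        # items appear in the body (the threshold is an example assumption).
        hits = sum(observed.values())
        self.response_state = "abnormal" if hits >= min_items else "normal"
        # Second high-order scene, derived only from the first: an abnormal
        # response means the command execution vulnerability exists.
        self.vuln_state = "present" if self.response_state == "abnormal" else "absent"
        return self.response_state, self.vuln_state

@dataclass
class SceneResponder:
    """Step S540: withhold the response and block the requester's IP address."""
    blocked_ips: set = field(default_factory=set)

    def decide(self, vuln_state: str, requester_ip: str) -> str:
        if vuln_state == "present":
            self.blocked_ips.add(requester_ip)
            return "drop_response_and_block_ip"
        if requester_ip in self.blocked_ips:
            return "drop_request"  # an earlier block stays in force
        return "forward"

def process(reasoner, responder, body: str, requester_ip: str) -> str:
    """Run one HTTP response through observation, reasoning and response."""
    _, vuln = reasoner.derive(observe(body))
    return responder.decide(vuln, requester_ip)

# Constructed sample bodies (documentation addresses, RFC 5737 / RFC 3849).
ABNORMAL_BODY = ("Windows IP Configuration\n"
                 "   Connection-specific DNS Suffix  . : corp.example\n"
                 "   IPv6 Address. . . . : 2001:db8::10\n   IPv4 Address. . . . : 192.0.2.10\n"
                 "   Subnet Mask . . . . : 255.255.255.0\n   Default Gateway . . : 192.0.2.1\n")
NORMAL_BODY = "<html><body>Search results for 'printer'</body></html>"
```

Because the Fig. 8 state is derived only from the Fig. 7 state, a later normal response from the same device lets both machines fall back to "normal"/"absent", while the requester's IP stays blocked in the responder.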
Fig. 9 schematically shows a block diagram of an electronic device according to an embodiment of the present disclosure.
The electronic device shown in Fig. 9 is only an example and should not impose any limitation on the function or scope of use of the embodiments of the present disclosure.
As shown in Fig. 9, electronic device 800 includes a processor 810 and a computer-readable storage medium 820. The electronic device 800 can execute the method according to the embodiments of the present disclosure.
Specifically, processor 810 may include, for example, a general-purpose microprocessor, an instruction set processor and/or a related chipset and/or a special-purpose microprocessor (for example, an application-specific integrated circuit (ASIC)), etc. Processor 810 may also include on-board memory used for caching. Processor 810 may be a single processing unit or multiple processing units for executing the different actions of the method flow according to the embodiments of the present disclosure.
Computer-readable storage medium 820 may be, for example, a non-volatile computer-readable storage medium; specific examples include, but are not limited to: magnetic storage devices such as magnetic tape or hard disk (HDD); optical storage devices such as compact disc (CD-ROM); memory such as random access memory (RAM) or flash memory; etc.
Computer-readable storage medium 820 may contain a computer program 821, which may include code/computer-executable instructions that, when executed by processor 810, cause processor 810 to perform the method according to the embodiments of the present disclosure or any variant thereof.
Computer program 821 may be configured with computer program code including, for example, computer program modules. For example, in an exemplary embodiment, the code in computer program 821 may include one or more program modules, for example module 821A, module 821B, .... It should be noted that the division and number of the modules are not fixed; those skilled in the art may use suitable program modules or combinations of program modules according to the actual situation, and when these combinations of program modules are executed by processor 810, processor 810 performs the method according to the embodiments of the present disclosure or any variant thereof.
Although this specification contains many specific implementation details, these should not be construed as limiting the scope of what is claimed or the scope of any disclosed design, but rather as describing features specific to particular embodiments of a particular disclosed design. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any sub-combination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a sub-combination or a variation of a sub-combination.
Particular implementations of the subject matter have been described. Other embodiments, changes and permutations of the described embodiments are within the scope of the appended claims, as will be apparent to those skilled in the art. Although operations are depicted in the drawings and claims in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed (some operations may be considered optional), in order to achieve desirable results. In certain circumstances, multitasking or parallel processing (or a combination of multitasking and parallel processing) may be advantageous and may be performed as deemed appropriate.
Moreover, the separation or integration of various system modules and components in the implementations described above should not be understood as requiring such separation or integration in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Accordingly, the foregoing example embodiments do not define or limit the disclosure. Other changes, substitutions and alterations are also possible without departing from the spirit and scope of the disclosure. The embodiments described above merely illustrate the principles of the disclosure. It should be understood that modifications and variations of the arrangements and details described herein will be apparent to those skilled in the art. Accordingly, it is intended that the disclosure be limited only by the scope of the appended patent claims, and not by the specific details presented by way of description and explanation of the embodiments herein.
Claims (12)
1. A method for detecting a command execution vulnerability, comprising:
obtaining network environment data of a network device;
processing the network environment data, using a context data model and based on an ontology knowledge base, to generate first context data; and
deriving second context data from the first context data using a predefined rule, the second context data being used to judge whether the network device has a command execution vulnerability.
2. The method according to claim 1, wherein the network environment data comprises a response message with which the network device responds to at least one other network device.
3. The method according to claim 2, further comprising:
judging, using the second context data, whether the network device has a command execution vulnerability; and
in response to judging that the network device has a command execution vulnerability, controlling the network device so as to prevent the network device from sending a response message for a request message issued by the at least one other network device.
4. The method according to claim 1, wherein the ontology knowledge base comprises a network security ontology knowledge base, and the network security ontology knowledge base comprises a command execution vulnerability ontology knowledge base constructed based on the Web Ontology Language (OWL).
5. The method according to claim 4, wherein processing the network environment data, using the context data model and based on the ontology knowledge base, to generate the first context data comprises:
transforming the network environment data into data of a predetermined format;
establishing association relationships between the data of the predetermined format using the ontology knowledge base; and
adding, based on the association relationships and using the ontology knowledge base, a machine-understandable semantic description to the network environment data, so as to generate the first context data.
6. The method according to claim 1 or 5, wherein deriving from the first context data, using the predefined rule, the second context data related to judging whether the network device has a command execution vulnerability comprises:
deriving the second context data from the first context data using an inference rule comprising a Jess engine.
7. The method according to claim 5, wherein adding, based on the association relationships and using the ontology knowledge base, the machine-understandable semantic description to the network environment data so as to generate the first context data comprises:
adding to the context data, based on the ontology knowledge base, a semantic description related to the network device and to at least one of the following items, so as to generate the first context data:
DNS suffix;
IPv6 address;
IPv4 address;
subnet mask;
default gateway.
8. A detection device for detecting a command execution vulnerability, comprising:
an acquisition device for obtaining network environment data of a network device;
a scene model building device for processing the network environment data, using a context data model and based on an ontology knowledge base, to generate first context data; and
a scene reasoning device for deriving second context data from the first context data using a predefined rule, the second context data being used to judge whether the network device has a command execution vulnerability.
9. The detection device according to claim 8, wherein the network environment data comprises a response message with which the network device responds to at least one other network device.
10. The detection device according to claim 8, further comprising:
a scene responding device for judging, using the second context data, whether the network device has a command execution vulnerability; and
for controlling the network device, in response to judging that the network device has a command execution vulnerability, so as to prevent the network device from sending a response message for a request message issued by the at least one other network device.
11. An electronic device, comprising:
one or more processors; and
a memory for storing one or more programs,
wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the method according to any one of claims 1 to 7.
12. A computer-readable storage medium storing computer-executable instructions which, when executed, implement the method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910705518.8A CN110430185A (en) | 2019-07-31 | 2019-07-31 | The method and detection device of loophole are executed for sense command |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110430185A true CN110430185A (en) | 2019-11-08 |
Family
ID=68413664
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110430185A (en) |
Events: 2019-07-31 CN CN201910705518.8A patent/CN110430185A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1761208A (en) * | 2005-11-17 | 2006-04-19 | 郭世泽 | System and method for evaluating security and survivability of network information system |
US20140090064A1 (en) * | 2012-09-25 | 2014-03-27 | International Business Machines Corporation | Training classifiers for program analysis |
CN103207856A (en) * | 2013-04-03 | 2013-07-17 | 同济大学 | Ontology concept and hierarchical relation generation method |
CN109361534A (en) * | 2018-09-20 | 2019-02-19 | 中国航天系统科学与工程研究院 | A kind of network security emulation system |
Non-Patent Citations (4)
Title |
---|
劳鑫: "Research on the Influence of Online Reviews on Product Sales", China Masters' Theses Full-text Database, Economics and Management Sciences * |
孙杰: "Research on an Ontology-Based Adaptive Intelligent Security Protection System", Information & Computer (《信息与电脑》) * |
纪幼纯: "Research on a News Recommendation System Based on Topic Modeling and Hierarchical Latent Variable Models", China Masters' Theses Full-text Database, Information Science and Technology * |
马文峰: "Digital Resource Integration: Theory, Methods and Applications", 31 December 2007, 北京图书馆出版社 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111597559A (en) * | 2020-05-15 | 2020-08-28 | 北京铭图天成信息技术有限公司 | Method, device, equipment and storage medium for detecting system command injection vulnerability |
CN111597559B (en) * | 2020-05-15 | 2023-10-13 | 北京铭图天成信息技术有限公司 | System command injection vulnerability detection method and device, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20191108 |