CN110430185A - Method and detection device for detecting a command-execution vulnerability - Google Patents


Info

Publication number: CN110430185A
Authority: CN (China)
Prior art keywords: context data, loophole (vulnerability), network, network equipment, data
Legal status: Pending
Application number: CN201910705518.8A
Other languages: Chinese (zh)
Inventors: 孙杰, 王金希, 郭运雷, 黄寅
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Application filed by Industrial and Commercial Bank of China Ltd (ICBC)
Priority to CN201910705518.8A
Publication of CN110430185A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present disclosure provides a method for detecting a command-execution vulnerability, comprising: obtaining network environment data of a network device; using a context data model, processing the network environment data on the basis of an ontology knowledge base to generate first context data; and deriving second context data from the first context data using predefined rules, the second context data being used to judge whether the network device has a command-execution vulnerability. The disclosure further provides a detection device, an electronic device and a computer-readable storage medium for detecting a command-execution vulnerability.

Description

Method and detection device for detecting a command-execution vulnerability
Technical field
The present disclosure relates to the field of artificial intelligence for network security, and in particular to a method and a detection device for detecting a command-execution vulnerability.
Background art
With the development of computer networking technology, traditional security protection systems are no longer sufficient to cope with attackers' constantly changing and improving attacks. As the types and quantity of technology assets across industries increase sharply, the management of those assets inevitably exhibits a series of vulnerabilities. Existing asset security protection systems require a large personnel investment, are poor in timeliness, have incomplete protection coverage and low accuracy, and cannot effectively protect against 0-day vulnerabilities; there is a large technology gap between them and current attack methods. How to use machines to collect network security data in real time, and to replace security experts in intelligently understanding, analysing and processing that data so as to improve the timeliness, comprehensiveness and accuracy of asset security protection, has become a technical problem.
Summary of the invention
One aspect of the disclosure provides a method for detecting a command-execution vulnerability, comprising: obtaining network environment data of a network device; using a context data model, processing the network environment data on the basis of an ontology knowledge base to generate first context data; and deriving second context data from the first context data using predefined rules, the second context data being used to judge whether the network device has a command-execution vulnerability.
One aspect of the disclosure provides a detection device for detecting a command-execution vulnerability, comprising: an acquisition device for obtaining the network environment data of a network device; a scene modelling device for using a context data model to process the network environment data on the basis of an ontology knowledge base to generate first context data; and a scene reasoning device for deriving second context data from the first context data using predefined rules, the second context data being used to judge whether the network device has a command-execution vulnerability.
One aspect of the disclosure provides an electronic device comprising one or more processors and a memory for storing one or more programs, wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the method for detecting a command-execution vulnerability according to the disclosure.
One aspect of the disclosure provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the method for detecting a command-execution vulnerability according to the disclosure.
According to the technical solution of the embodiments of the disclosure, the collected data are analysed and processed in combination with an ontology knowledge base, and the network device is controlled automatically according to the result of that analysis. By using the knowledge in the ontology knowledge base, the disclosure can reduce the false-alarm rate for vulnerability attacks and reduce the risk of network blockage. In addition, the method or detection device of the disclosure can detect the security state of a network device in real time and assess command-execution vulnerabilities in real time, without consuming a large amount of manual effort. Furthermore, when the method or detection device of the disclosure detects a vulnerability attack, the network device's responses to other network devices can be blocked in time, before the attack actually takes effect, which improves the security of the network device.
Brief description of the drawings
For a fuller understanding of the disclosure and its advantages, reference is now made to the following description taken in conjunction with the accompanying drawings, in which:
Fig. 1 schematically shows a diagram of a device detecting a command-execution vulnerability on the basis of an ontology knowledge base according to an embodiment of the disclosure;
Fig. 2 schematically shows a block diagram of a detection device for detecting a command-execution vulnerability on the basis of an ontology knowledge base according to an embodiment of the disclosure;
Fig. 3 schematically shows a diagram of constructing a network security ontology knowledge base on the basis of expert knowledge and machine learning according to an embodiment of the disclosure;
Fig. 4 schematically shows an example of the security ontology knowledge base according to an embodiment of the disclosure;
Fig. 5 schematically shows an example of the command-execution vulnerability ontology knowledge base according to an embodiment of the disclosure;
Fig. 6 schematically shows a flow chart of a method for detecting a command-execution vulnerability on the basis of an ontology knowledge base according to an embodiment of the disclosure;
Fig. 7 schematically shows an example of the finite state machine of a response message according to an embodiment of the disclosure;
Fig. 8 schematically shows an example of the command-execution vulnerability finite state machine according to an embodiment of the disclosure; and
Fig. 9 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed description of the embodiments
Embodiments of the disclosure will be described below with reference to the accompanying drawings. It should be understood, however, that these descriptions are merely exemplary and are not intended to limit the scope of the disclosure. In the following detailed description, numerous specific details are set forth for ease of explanation, to provide a thorough understanding of the embodiments of the disclosure. It will be evident, however, that one or more embodiments may be practised without these specific details. Furthermore, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the disclosure. The terms "include", "comprise" and the like, as used herein, indicate the presence of the stated features, steps, operations and/or components, but do not exclude the presence or addition of one or more other features, steps, operations or components.
Expressions such as "at least one of A, B and C" should in general be interpreted according to the meaning commonly understood by those skilled in the art (for example, "a system having at least one of A, B and C" includes, but is not limited to, a system having A alone, B alone, C alone, A and B, A and C, B and C, and/or A, B and C). Expressions such as "at least one of A, B or C" should likewise be interpreted according to the meaning commonly understood by those skilled in the art (for example, "a system having at least one of A, B or C" includes, but is not limited to, a system having A alone, B alone, C alone, A and B, A and C, B and C, and/or A, B and C).
Some block diagrams and/or flow charts are shown in the drawings. It will be understood that some blocks of the block diagrams and/or flow charts, or combinations thereof, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer or other programmable data processing apparatus, so that the instructions, when executed by the processor, create means for implementing the functions/operations illustrated in the block diagrams and/or flow charts. The technology of the disclosure may be implemented in the form of hardware and/or software (including firmware, microcode, etc.). Furthermore, the technology of the disclosure may take the form of a computer program product stored on a computer-readable storage medium carrying instructions, for use by or in connection with an instruction execution system.
The disclosure relates to the field of artificial intelligence for network security. One core research question in artificial intelligence is knowledge representation. Knowledge representation, that is, the formal representation of knowledge, aims not only to solve the problem of storing knowledge in a computer but, more importantly, to make the representation convenient for the computer to use and manage, so that new knowledge can be deduced by reasoning according to certain rules and the machine can exhibit intelligent behaviour.
In the era of big data, technology assets contain a great deal of value and personal privacy, and attackers use every available means to attack vulnerabilities and steal asset information; attack methods change and improve continuously, and the external situation grows more severe. Moreover, traditional security protection technology relies mainly on security experts analysing the collected data and formulating protection strategies such as manually preset rules. Such manual protection is no longer sufficient to cope with attacks such as APT, whose attack process is complex, fast and long-lasting, whose individual steps are well hidden, and which have no obvious features that real-time detection can catch. Furthermore, some vulnerabilities, such as 0-day vulnerabilities, cannot be protected against by manually preset rules; a new technology is needed to make the asset security protection system more intelligent. A further core problem is how to let computer equipment "perceive" command-execution vulnerabilities in technology assets and "recognise" the things or scenes it perceives.
The technology currently used by security protection systems in the industry relies mainly on security experts analysing the collected data and formulating protection strategies such as manually preset rules. This traditional protection is not sufficient to cope with attacks on command-execution vulnerabilities, such as 0-day vulnerabilities, whose attack process is complex, fast and long-lasting, whose individual steps are well hidden, and which have no obvious features that real-time detection can catch.
In view of this, the disclosure uses an ontology knowledge base to analyse and process the collected data. "Ontology" is a philosophical concept: the perennial philosophy that studies the nature of existence. The artificial intelligence community has given ontology a new definition: an ontology is "an explicit formal specification of a shared conceptualisation". The knowledge represented by an ontology is a set of concepts in a domain and the relationships between those concepts; in essence, a structured ontology knowledge base is built for the machine. The ontology knowledge base is an abstract summary of human knowledge of a certain domain, realised in a form the machine can understand. Using the ontology knowledge base, the machine can organise the collected data systematically, that is, the machine is allowed to generate "thinking", which then serves as the basis for controlling the machine's behaviour.
Fig. 1 schematically shows a diagram of a device detecting a command-execution vulnerability on the basis of an ontology knowledge base according to an embodiment of the disclosure.
As shown in Fig. 1, a collection device 10 collects network environment data from a network device; the network environment data includes data about the network environment in which the collected network device is located, and the network device is, for example, a Web server. The collection device 10 collects, from the Web server 20, the response messages sent in the network traffic in reply to request messages, where the collected network environment data may be one or more items of network environment data, and the request messages are request messages issued by other network devices. The collection device 10 may be an agent deployed on an asset such as a network device. Optionally, the collection device 10 may also be a sensor. Assets include, for example, technology assets such as system software information and data assets such as users' personal bank accounts. The Web server 20 can process request messages including HTTP requests, and an application server 30 can provide application services for the Web server. After the network environment data of the network device is collected, a detection device 200 included in the Web server 20 analyses and processes the network environment data using an ontology knowledge base 50 and a rule engine 40, and, according to the result of the analysis, determines whether to block the Web server from performing an action.
Fig. 2 schematically shows a block diagram of a detection device for detecting a command-execution vulnerability on the basis of an ontology knowledge base according to an embodiment of the disclosure.
As shown in Fig. 2, the detection device 200 may include an acquisition device 2100, a scene modelling device 2200, a scene reasoning device 2300 and a scene response device 2400. The acquisition device 2100 obtains from the collection device 10 the network environment data that it collected from the Web server 20; according to an embodiment of the disclosure, the obtained network environment data is a response message replying to a request message. The scene modelling device 2200 models the response message using the ontology knowledge base. When the multiple items of collected network environment data are multi-source heterogeneous data, the scene modelling device 2200 converts them into a unified format, normalises them, and establishes association relationships between them. After the association relationships are established, the scene modelling device 2200 adds a machine-understandable semantic description to each item of network environment data, generating a low-order scene, that is, machine-understandable context data. A scene may be a set of stateful entities together with information describing the entities' states. The scene reasoning device 2300 can perform logical reasoning, for example by means of a rule engine, deriving a high-order scene from the low-order scene, that is, deriving the reasoned context data. The scene response device 2400 judges, according to the derived high-order scene, whether the Web server has a command-execution vulnerability and decides whether to control the Web server, for example by preventing the Web server from sending a response message to the request message.
The detection device 200 of the disclosure is further described below with reference to the ontology knowledge base.
The ontology knowledge base 50 may include a network security ontology knowledge base, or security ontology knowledge base for short. The security ontology knowledge base may include a command-execution vulnerability ontology knowledge base built with the Web Ontology Language (OWL). Methods of constructing an ontology knowledge base generally fall into two classes: (1) describing the ontology in an ontology description language with the help of domain experts, that is, building the ontology by hand; (2) extracting the domain ontology from structured data or text, that is, building the ontology by automated or semi-automated methods. The disclosure combines the advantages of both: building the network security ontology knowledge base comprises constructing the core classes of the ontology knowledge base and the relationships between the core classes using domain expert knowledge, and constructing the derived classes of the core classes, together with the relationships between derived classes and between derived classes and core classes, using machine learning.
According to an embodiment of the disclosure, before the network environment data is processed using the context data model on the basis of the ontology knowledge base to generate the first context data, the network security ontology knowledge base may be constructed in advance.
Fig. 3 schematically shows a diagram of constructing a network security ontology knowledge base on the basis of expert knowledge and machine learning according to an embodiment of the disclosure.
As shown in Fig. 3, expert knowledge is used to construct the core classes of the security ontology knowledge base and the relationships between the core classes, and machine learning is used to construct the derived classes of the core classes and the relationships between derived classes and between derived classes and core classes.
Constructing the derived classes of the core classes, and the relationships between them and with the core classes, by machine learning is realised using a preprocessing device, a resolver and a mapping device.
The preprocessing device integrates ontology terms from the multi-source heterogeneous data collected by the different agents; using natural language processing preprocessing techniques such as part-of-speech tagging, stemming and removal of general terms, it extracts the useful information in the data and forms a term set. The multi-source heterogeneous data collected by the agents include, but are not limited to, network traffic, firewall logs and threat intelligence.
The resolver performs the following steps. Step (1), word frequency statistics: a frequency matrix is generated from the frequency with which terms occur in the term set. Step (2), pattern inference: a probabilistic topic model with latent semantic analysis is built; using the theory and methods of probabilistic graphical models and topic models, a joint probability distribution is represented by a graph, organically combining graph theory and probability theory; from the frequency matrix, the probabilistic topic model and a sampling algorithm statistically infer the terms associated with each concept (class) topic and their association probabilities as feature items. Step (3), association determination: using a semantic similarity determination method combined with the obtained joint probability distribution, a concept (class) is extracted from the semantic similarity between a group of terms under each sub-topic distribution. Step (4), relation extraction: according to the joint probability distribution obtained in step (2), step (3) is repeated until all topic-word distributions have been sampled into concepts (classes), giving a concept (class) set; then, according to the probability distribution between topics and a similarity calculation method, the concepts (classes) corresponding to the super-topic layer are obtained by sampling, yielding the hierarchical relationships between the concepts (classes) in the concept (class) set.
The mapping device maps the hierarchical relationships between the concepts (classes) in the concept (class) set into an OWL file.
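The preprocessing device, resolver and mapping device described above, as an added example that is not code from the patent. The probabilistic topic model of resolver step (2) is replaced here by a plain cosine similarity over term occurrence vectors (a deliberate simplification, so this block shows the shape of the pipeline rather than the patent's statistical model); the general-term list, stem exceptions, expert seed mapping (`CORE_SEEDS`, which stands in for the expert-built core classes of Fig. 3) and the log, flow and threat-intelligence records are all constructed for this example.

```python
"""Preprocessing device -> resolver -> mapping device (Fig. 3), simplified."""
import math
import re
import xml.etree.ElementTree as ET

GENERAL_TERMS = {"the", "a", "to", "from", "on", "by", "of", "in", "and", "is", "at"}  # constructed stop-list
STEM_EXCEPTIONS = {"https", "windows"}  # tokens that end in 's' but are not plurals

# Expert knowledge (constructed): seed terms that place a derived class under a core class
CORE_SEEDS = {"vulnerability": "Vulnerability", "firewall": "SecurityMechanism",
              "ransomware": "Malware", "port": "Asset"}

# Constructed multi-source records: firewall log, flow record, threat-intel note
SAMPLES = [
    "firewall: DENY tcp 203.0.113.5 to 192.0.2.10 port 445 smb exploit attempt",
    "firewall: DENY tcp 203.0.113.9 to 192.0.2.10 port 445 smb exploit attempt",
    "flow: 192.0.2.10 port 445 smb session ransomware encrypt files",
    "intel: wannacry ransomware exploits smb vulnerability ms17-010 patch kb4012212",
    "intel: patch kb4012212 closes smb vulnerability ms17-010 on windows",
    "flow: 192.0.2.20 port 443 https session normal web traffic",
    "firewall: ALLOW tcp 203.0.113.7 to 192.0.2.20 port 443 https web",
]


def preprocess(records):
    """Preprocessing device: tokenise (letters-first tokens only, so IP addresses and
    port numbers are dropped), crude plural stemming, removal of general terms."""
    docs = []
    for rec in records:
        tokens = re.findall(r"[a-z][a-z0-9.\-]+", rec.lower())
        tokens = [t[:-1] if t.endswith("s") and len(t) > 4 and t not in STEM_EXCEPTIONS else t
                  for t in tokens]
        docs.append([t for t in tokens if t not in GENERAL_TERMS])
    return docs


def frequency_matrix(docs):
    """Resolver step (1): term-by-record frequency matrix."""
    terms = sorted({t for d in docs for t in d})
    return terms, {t: [d.count(t) for d in docs] for t in terms}


def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    nu, nv = math.sqrt(sum(a * a for a in u)), math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def group_concepts(terms, matrix, threshold=0.8):
    """Resolver steps (2)-(4), simplified: terms whose occurrence vectors are similar
    (cosine >= threshold) are joined into one concept (class) via union-find."""
    parent = {t: t for t in terms}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, a in enumerate(terms):
        for b in terms[i + 1:]:
            if cosine(matrix[a], matrix[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for t in terms:
        groups.setdefault(find(t), []).append(t)
    return sorted(sorted(g) for g in groups.values())


def attach_to_core(concepts):
    """Relationship between derived classes and expert core classes: a concept containing
    a seed term becomes a subclass of that seed's core class; others stay unplaced."""
    placed = []
    for members in concepts:
        name = "Derived_" + re.sub(r"[^A-Za-z0-9]", "_", members[0])
        core = next((CORE_SEEDS[m] for m in members if m in CORE_SEEDS), None)
        placed.append((name, core, members))
    return placed


def to_owl(placed):
    """Mapping device: emit the class hierarchy and term individuals as RDF/XML OWL."""
    lines = ['<?xml version="1.0"?>',
             '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"',
             '         xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"',
             '         xmlns:owl="http://www.w3.org/2002/07/owl#"',
             '         xml:base="http://example.org/security-ontology">']
    for core in sorted(set(CORE_SEEDS.values())):
        lines.append(f'  <owl:Class rdf:about="#{core}"/>')
    for name, core, members in placed:
        sup = f'<rdfs:subClassOf rdf:resource="#{core}"/>' if core else ""
        lines.append(f'  <owl:Class rdf:about="#{name}">{sup}</owl:Class>')
        for m in members:
            lines.append(f'  <owl:NamedIndividual rdf:about="#{m}">'
                         f'<rdf:type rdf:resource="#{name}"/></owl:NamedIndividual>')
    lines.append("</rdf:RDF>")
    return "\n".join(lines)


def well_formed(owl_text):
    try:
        ET.fromstring(owl_text)
        return True
    except ET.ParseError:
        return False


def build_ontology(records=SAMPLES):
    """Run the whole pipeline and return the intermediate and final artefacts."""
    terms, matrix = frequency_matrix(preprocess(records))
    concepts = group_concepts(terms, matrix)
    placed = attach_to_core(concepts)
    return {"concepts": concepts, "placed": placed, "owl": to_owl(placed)}


if __name__ == "__main__":
    print(build_ontology()["owl"])
```

With the constructed records, the patch, vulnerability identifier and threat-intel terms co-occur and fall into one derived class under Vulnerability, while the firewall-deny terms form a class under SecurityMechanism; concepts with no expert seed are emitted without a superclass, which is the point at which a domain expert would review the machine-built layer.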
To facilitate understanding of the technical solution of the embodiments, the security ontology knowledge base and the command-execution vulnerability ontology knowledge base are illustrated below with reference to Fig. 4 and Fig. 5 respectively.
Fig. 4 schematically shows an example of the security ontology knowledge base according to an embodiment of the disclosure. As shown in Fig. 4, the data association relationships between the security ontologies of assets, vulnerabilities, malware and security mechanisms are shown. The security ontology knowledge base can be constructed in a machine-readable language. Fig. 4 shows the four classes asset, vulnerability, malware and security mechanism, the derived classes subdivided below them, and the individuals that are instances of a class. The four classes asset, vulnerability, malware and security mechanism are the core classes of the security ontology knowledge base; their attributes and the relationships between them are constructed from domain expert knowledge, while the derived classes subdivided below the core classes and the individuals belonging to a class are constructed automatically by machine learning. For example, the asset class may include a technology asset class, and the technology asset class may include hardware and software classes. The software class includes an operating system class, and the operating system class includes the individual Windows (an operating system). The vulnerability class includes type and grade classes; the type class includes a memory overflow class, and the memory overflow class has, for example, an individual (vulnerability) "MS17-010". The individual WannaCry (a virus) belongs to the virus class, and the virus class belongs to the malware class. The security mechanism class includes a host security mechanism class; the patch class belongs to the patch management class, and the patch management class belongs to the host security mechanism class. Those skilled in the art will understand that Fig. 4 is merely illustrative and that the embodiments of the disclosure are not limited thereto.
For example, when the network environment data collected from the Web server and obtained by the acquisition device 2100 includes the character string "KB4012212", the scene modelling device 2200 can conclude, using the structural relationships of the security ontology knowledge base, that the semantics of "KB4012212" is a patch release number of the server's Windows operating system and not merely a string of characters, and the detection device 200 adds the corresponding semantic description to "KB4012212". When the scene modelling device 2200 of the detection device 200 scans the Windows operating system of the Web server and does not read the characters "KB4012212" from the patch release numbers of the Windows operating system, and the server produces a large number of non-txt files, the scene reasoning device 2300 of the detection device 200 concludes by reasoning with the rule engine that the server has the vulnerability "MS17-010" and may suffer an attack on a command-execution vulnerability.
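The Fig. 4 hierarchy and the KB4012212 / MS17-010 reasoning step above, as an added example that is not code from the patent. The class tree and individuals are taken from the page's description of Fig. 4; the placement of KB4012212 as an individual of the patch class, the `MITIGATES` property linking it to MS17-010, the `MANY_FILES` threshold standing in for "a large number of non-txt files", and the host names and observations are assumptions constructed for this example.

```python
"""Toy security ontology knowledge base with semantic annotation (step S520) and
rule-based derivation of a high-order scene (step S530)."""
from dataclasses import dataclass, field

# Class hierarchy from the page's Fig. 4: child -> parent
SUBCLASS_OF = {
    "TechnologyAsset": "Asset", "Hardware": "TechnologyAsset", "Software": "TechnologyAsset",
    "OperatingSystem": "Software",
    "Type": "Vulnerability", "Grade": "Vulnerability", "MemoryOverflow": "Type",
    "Virus": "Malware",
    "HostSecurityMechanism": "SecurityMechanism",
    "PatchManagement": "HostSecurityMechanism", "Patch": "PatchManagement",
}
# Individuals and their classes; KB4012212 under Patch is an assumption
INSTANCE_OF = {
    "Windows": "OperatingSystem",
    "MS17-010": "MemoryOverflow",
    "WannaCry": "Virus",
    "KB4012212": "Patch",
}
# Hypothetical object property: which patch mitigates which vulnerability
MITIGATES = {"KB4012212": "MS17-010"}
MANY_FILES = 1000  # hypothetical threshold for "a large number of non-txt files"


def ancestors(cls):
    """All superclasses of cls, nearest first."""
    out = []
    while cls in SUBCLASS_OF:
        cls = SUBCLASS_OF[cls]
        out.append(cls)
    return out


def is_a(individual, cls):
    """True if the individual is an instance of cls or of any subclass of cls."""
    direct = INSTANCE_OF.get(individual)
    return direct is not None and (direct == cls or cls in ancestors(direct))


def describe(token):
    """Step S520: attach a machine-understandable semantic description to an observed
    string. An unknown token keeps class None, i.e. it stays 'a string of characters'."""
    if token in INSTANCE_OF:
        cls = INSTANCE_OF[token]
        return {"value": token, "class": cls, "lineage": [cls] + ancestors(cls)}
    return {"value": token, "class": None, "lineage": []}


@dataclass
class LowOrderScene:
    host: str
    installed_patches: set
    non_txt_files_created: int
    annotations: list = field(default_factory=list)


def build_scene(host, observed_tokens, non_txt_files_created):
    """Scene modelling device: annotate every observed token and collect the patches."""
    scene = LowOrderScene(host, set(), non_txt_files_created)
    for tok in observed_tokens:
        scene.annotations.append(describe(tok))
        if is_a(tok, "Patch"):
            scene.installed_patches.add(tok)
    return scene


def reason(scene):
    """Step S530, hypothetical rule mirroring the page's text: a mitigating patch is
    absent and many non-txt files appear -> the mitigated vulnerability is present."""
    findings = []
    for patch, vuln in MITIGATES.items():
        if patch not in scene.installed_patches and scene.non_txt_files_created >= MANY_FILES:
            findings.append({"vulnerability": vuln, "class": INSTANCE_OF[vuln],
                             "lineage": ancestors(INSTANCE_OF[vuln]), "missing_patch": patch})
    return {"host": scene.host, "vulnerabilities": findings,
            "command_execution_risk": bool(findings)}


if __name__ == "__main__":
    # Constructed observations: one host lacks the patch, the other has it installed
    print(reason(build_scene("web-01", ["Windows"], 4200)))
    print(reason(build_scene("web-02", ["Windows", "KB4012212"], 4200)))
```

The `lineage` on each finding is what lets a downstream consumer read "MS17-010" as a memory-overflow type of vulnerability rather than an opaque label; the absence rule only fires together with the file-creation signal, which keeps a merely unpatched but quiet host from raising the high-order scene on its own.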
Fig. 5 schematically shows an example of the command-execution vulnerability ontology knowledge base according to an embodiment of the disclosure. The command-execution vulnerability ontology knowledge base includes classes and instances and the association relationships between them. It is built on the Semantic Sensor Network ontology (SSN Ontology). The HTTP agent is an instance of the sensor class; by means of observations, the HTTP agent can observe one or several attributes of a feature of interest. For example, the HTTP response message is an instance of the feature-of-interest class, and may include five attributes: DNS suffix, IPv6 address, IPv4 address, subnet mask and default gateway. Each attribute yields a corresponding observation result once observed. The command-execution vulnerability executing ipconfig is also an instance of the feature-of-interest class, but its attributes cannot be obtained by direct observation by the HTTP agent. The observation class is associated with a time interval class (observation result time), and the time interval class belongs to the duration description class (has duration description). Those skilled in the art will understand that Fig. 5 is merely illustrative and that the embodiments of the disclosure are not limited thereto.
Fig. 6 schematically shows a flow chart of a method for detecting a command-execution vulnerability on the basis of an ontology knowledge base according to an embodiment of the disclosure.
The method for detecting a command-execution vulnerability on the basis of an ontology knowledge base is explained below taking the HTTP response message as an example. It will be clear to those skilled in the art that the specific embodiment described does not limit the scope of protection of the disclosure.
In step S510, the acquisition device 2100 obtains the network environment data of the network device.
For example, the acquisition device 2100 obtains an HTTP response message from the collection device 10; the obtained HTTP response message includes DNS suffix, IPv6 address, IPv4 address, subnet mask and default gateway information. Optionally, the obtained HTTP response message may include at least one of DNS suffix, IPv6 address, IPv4 address, subnet mask and default gateway information.
In step S520, the scene modelling device 2200 models the network environment data using the context data model on the basis of the ontology knowledge base.
Specifically, the scene modelling device 2200 uses the command-execution vulnerability ontology knowledge base shown in Fig. 5 to add a machine-understandable semantic description to the data related to the HTTP response message, obtaining the low-order scene: data associated with the DNS suffix, IPv6 address, IPv4 address, subnet mask and default gateway.
In step S530, the scene reasoning device 2300 derives a high-order scene from the low-order context data using predefined rules; the high-order scene is used to judge whether the network device has a command-execution vulnerability.
Specifically, the scene reasoning device 2300 performs logical reasoning by means of the rule engine 40, deriving the high-order scene from the low-order scene.
The high-order scene may be derived once or several times; for example, having derived a first high-order scene, a second high-order scene is derived from it in turn.
Derive that high-order scene is further described to by low order scene below with reference to Fig. 7 and Fig. 8.Fig. 7 and Fig. 8 difference Show the example of regulation engine 40.The finite state machine that Fig. 7 shows response message is the acquisition of Observable entity HTTP Proxy Response message state.Wherein there is the normal change between response message abnormal state of affairs and state of response message State.For example, response message can become response message abnormal state from normal condition or keep normal condition, and ring It answers message that can become response message normal condition from abnormal state or keeps abnormal state.Fig. 8 shows order and holds Row loophole finite state machine is the state for obtaining the order execution loophole of interested entity.Similar with Fig. 7, there are orders to execute leakage Hole exists and order executes the change state between the state and state that loophole is not present.For example, order execute loophole can be with Becoming order execution loophole from existence, there is no states perhaps to keep existence or order execution loophole can be never Existence becomes order and executes loophole existence or keep that state is not present.It will be understood by those skilled in the art that Fig. 7 With it is merely illustrative shown in Fig. 8, the embodiment of the present disclosure is not limited thereto.
Specifically, the scenario inference device 2300 derives the first high-order scenario from the low-order scenario, for example using the inference rules of the Jess rule engine shown in Fig. 7. The first high-order scenario is the state of the response message, which in this embodiment is: abnormal. The derivation then continues.
Using the inference rules of Fig. 8, the second high-order scenario is derived from the first high-order scenario. The second high-order scenario is the existence state of the command execution vulnerability, which in this embodiment is: the command execution vulnerability exists. Here the state of the HTTP response message is derived from the observations (for example the DNS suffix, IPv6 address, IPv4 address, subnet mask and default gateway of step S520), and the state of the command execution vulnerability (execution of ipconfig) is derived from the state of the HTTP response message.
Next, in step S540, the scenario response device 2400 decides, according to the obtained high-order scenario, to prevent the network device from sending a response message for a request message issued from the at least one other network device. Because the present disclosure controls the Web server according to the derived high-order scenario, determined using the ontology knowledge base, the response message is prevented from being returned to the requester's IP address and further request messages from that IP address are blocked. The requester is, for example, the at least one other network device. Thus, once a vulnerability is discovered and before an actual attack event occurs, the network device that may be attacked is blocked in time, which shortens the response time and improves efficiency.
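The chain of steps S520, S530 and S540 (observed fields in the response body, then the response-message state of Fig. 7, then the command-execution-vulnerability state of Fig. 8, then blocking of the requester), and the same chain as restated in claims 3, 5 to 7 and 10, as one added worked example written for this page. It is not the patent's own Jess rules or ontology knowledge base: it assumes a minimal forward-chaining rule engine in Python in place of Jess, a plain dict in place of OWL individuals for the first context data, regular expressions over the response body in place of the scenario model building device, and a constructed HTTP response body and requester address as sample input.

```python
"""Added example for this page (not the patent's own code): a minimal
forward-chaining rule engine standing in for Jess, and a dict standing in for
the OWL individuals of the first context data. Field names, regexes and the
sample response are constructed here."""
from dataclasses import dataclass, field
from enum import Enum
import re


class ResponseState(Enum):      # states of the Fig. 7 finite state machine
    NORMAL = "normal"
    ABNORMAL = "abnormal"


class VulnState(Enum):          # states of the Fig. 8 finite state machine
    ABSENT = "absent"
    PRESENT = "present"


# Low-order observations the patent names for step S520. These fields only
# appear in an HTTP response body if the server echoed ipconfig output.
LOW_ORDER_FIELDS = {
    "dns_suffix":      re.compile(r"DNS Suffix[.\s]*:\s*(\S+)", re.I),
    "ipv6_address":    re.compile(r"IPv6 Address[.\s]*:\s*([0-9a-f:%]+)", re.I),
    "ipv4_address":    re.compile(r"IPv4 Address[.\s]*:\s*(\d+\.\d+\.\d+\.\d+)", re.I),
    "subnet_mask":     re.compile(r"Subnet Mask[.\s]*:\s*(\d+\.\d+\.\d+\.\d+)", re.I),
    "default_gateway": re.compile(r"Default Gateway[.\s]*:\s*(\d+\.\d+\.\d+\.\d+)", re.I),
}


@dataclass
class Facts:
    """Working memory: the observed response plus every derived scenario."""
    requester_ip: str
    body: str
    context: dict = field(default_factory=dict)          # first context data
    response_state: ResponseState = ResponseState.NORMAL  # first high-order scenario
    vuln_state: VulnState = VulnState.ABSENT              # second high-order scenario
    blocked_ips: set = field(default_factory=set)         # scenario response output


def build_context(facts: Facts) -> None:
    """Scenario model building (S520): attach the semantic fields found in the body."""
    for name, pattern in LOW_ORDER_FIELDS.items():
        match = pattern.search(facts.body)
        if match:
            facts.context[name] = match.group(1)


# Rules as (condition, action) pairs; each fires at most once per run, like a
# Jess rule whose left-hand side has matched working memory.
def when_ipconfig_fields(f):
    # Fig. 7, normal -> abnormal: two or more ipconfig-only fields in one body.
    return f.response_state is ResponseState.NORMAL and len(f.context) >= 2

def mark_abnormal(f):
    f.response_state = ResponseState.ABNORMAL

def when_abnormal(f):
    # Fig. 8, absent -> present, chained on the first high-order scenario.
    return f.vuln_state is VulnState.ABSENT and f.response_state is ResponseState.ABNORMAL

def mark_vulnerable(f):
    f.vuln_state = VulnState.PRESENT

def when_vulnerable(f):
    # Scenario response (S540): stop answering the requester address.
    return f.vuln_state is VulnState.PRESENT and f.requester_ip not in f.blocked_ips

def block_requester(f):
    f.blocked_ips.add(f.requester_ip)

RULES = [(when_ipconfig_fields, mark_abnormal),
         (when_abnormal, mark_vulnerable),
         (when_vulnerable, block_requester)]


def run_engine(facts: Facts) -> Facts:
    """Forward chaining: keep firing matching rules until nothing changes."""
    fired = set()
    changed = True
    while changed:
        changed = False
        for cond, act in RULES:
            if cond not in fired and cond(facts):
                act(facts)
                fired.add(cond)
                changed = True
    return facts


def assess(requester_ip: str, body: str) -> Facts:
    """Full pipeline for one observed response: S520 -> S530 -> S540."""
    facts = Facts(requester_ip=requester_ip, body=body)
    build_context(facts)
    return run_engine(facts)


# Constructed sample input: an HTTP body into which ipconfig output was echoed,
# and an ordinary page for comparison.
SAMPLE_ABNORMAL = """<html><body>
   Connection-specific DNS Suffix  . : corp.example
   IPv6 Address. . . . . . . . . . . : fd00::1234
   IPv4 Address. . . . . . . . . . . : 192.0.2.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.0.2.1
</body></html>"""
SAMPLE_NORMAL = "<html><body>Welcome back, user 42.</body></html>"

if __name__ == "__main__":
    for ip, body in (("198.51.100.7", SAMPLE_ABNORMAL), ("203.0.113.5", SAMPLE_NORMAL)):
        r = assess(ip, body)
        print(ip, sorted(r.context), r.response_state.value, r.vuln_state.value, r.blocked_ips)
```

On the constructed abnormal body `assess` fills all five context fields, moves the response state to abnormal, moves the vulnerability state to present and puts the requester address into the block set; the ordinary page fires no rule. The threshold of two fields and the one-way transitions are choices made here to keep the example short; the patent's Fig. 7 and Fig. 8 also allow the reverse transitions, which a production rule set would add so that a device returns to the normal state once the observations stop.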
Fig. 9 schematically shows a block diagram of an electronic device according to an embodiment of the present disclosure.
The electronic device shown in Fig. 9 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present disclosure.
As shown in Fig. 9, the electronic device 800 includes a processor 810 and a computer-readable storage medium 820. The electronic device 800 can execute the method according to the embodiments of the present disclosure.
Specifically, the processor 810 may include, for example, a general-purpose microprocessor, an instruction set processor and/or a related chipset, and/or a special-purpose microprocessor (for example, an application-specific integrated circuit (ASIC)), etc. The processor 810 may also include on-board memory used for caching. The processor 810 may be a single processing unit or multiple processing units that execute the different actions of the method flow according to the embodiments of the present disclosure.
The computer-readable storage medium 820 may be, for example, a non-volatile computer-readable storage medium. Specific examples include, but are not limited to: magnetic storage devices such as magnetic tape or hard disk (HDD); optical storage devices such as compact disc (CD-ROM); memory such as random access memory (RAM) or flash memory; and so on.
The computer-readable storage medium 820 may include a computer program 821, which may include code/computer-executable instructions that, when executed by the processor 810, cause the processor 810 to perform the method according to the embodiments of the present disclosure or any variant thereof.
The computer program 821 may be configured with computer program code including, for example, computer program modules. For example, in an exemplary embodiment, the code in the computer program 821 may include one or more program modules, for example module 821A, module 821B, and so on. It should be noted that the division and number of the modules are not fixed; those skilled in the art may use suitable program modules or combinations of program modules according to the actual situation, and when these program modules are executed by the processor 810, the processor 810 performs the method according to the embodiments of the present disclosure or any variant thereof.
Although this specification contains many specific implementation details, these should not be construed as limiting the scope of any claimed subject matter or of any disclosed design, but rather as describing features specific to particular embodiments of a particular disclosed design. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any sub-combination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a sub-combination or a variant of a sub-combination.
Particular implementations of the subject matter have been described. Other implementations, alterations and permutations of the described embodiments are within the scope of the appended claims, as will be apparent to those skilled in the art. Although operations are depicted in the drawings and claims in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results (some operations may be considered optional). In certain circumstances, multitasking or parallel processing (or a combination of multitasking and parallel processing) may be preferable and performed as deemed appropriate.
In addition, the separation or integration of various system modules and components in the implementations described above should not be understood as requiring such separation or integration in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Accordingly, the foregoing example embodiments do not define or limit the present disclosure. Other changes, substitutions and alterations are also possible without departing from the spirit and scope of the present disclosure. The above embodiments merely illustrate the principles of the present disclosure. It should be understood that modifications and variations of the arrangements and details described herein will be apparent to those skilled in the art. It is therefore intended that the disclosure be limited only by the scope of the appended patent claims and not by the specific details presented by way of description and explanation of the embodiments herein.

Claims (12)

1. A method for detecting a command execution vulnerability, comprising:
obtaining network environment data of a network device;
processing the network environment data based on an ontology knowledge base, using a context data model, to generate first context data; and
deriving second context data from the first context data using predefined rules, the second context data being used to judge whether the network device has a command execution vulnerability.
2. The method according to claim 1, wherein the network environment data comprises a response message with which the network device responds to at least one other network device.
3. The method according to claim 2, further comprising:
judging, using the second context data, whether the network device has a command execution vulnerability; and
in response to judging that the network device has a command execution vulnerability, controlling the network device so as to prevent the network device from sending a response message for a request message issued from the at least one other network device.
4. The method according to claim 1, wherein the ontology knowledge base comprises a network security ontology knowledge base, and the network security ontology knowledge base comprises a command execution vulnerability ontology knowledge base constructed on the basis of the Web Ontology Language (OWL).
5. The method according to claim 4, wherein processing the network environment data based on the ontology knowledge base, using the context data model, to generate the first context data comprises:
transforming the network environment data into data of a predetermined format;
establishing, using the ontology knowledge base, association relationships between the data of the predetermined format; and
adding, based on the association relationships and using the ontology knowledge base, a machine-understandable semantic description to the network environment data, so as to generate the first context data.
6. The method according to claim 1 or 5, wherein deriving from the first context data, using the predefined rules, the second context data related to judging whether the network device has a command execution vulnerability comprises:
deriving the second context data from the first context data using inference rules comprising a Jess engine.
7. The method according to claim 5, wherein adding, based on the association relationships and using the ontology knowledge base, the machine-understandable semantic description to the network environment data so as to generate the first context data comprises:
adding to the context data, based on the ontology knowledge base, a semantic description related to at least one of the following items concerning the network device, so as to generate the first context data:
DNS suffix;
IPv6 address;
IPv4 address;
subnet mask;
default gateway.
8. A detection device for detecting a command execution vulnerability, comprising:
an acquisition device for obtaining network environment data of a network device;
a scenario model building device for processing the network environment data based on an ontology knowledge base, using a context data model, to generate first context data; and
a scenario inference device for deriving second context data from the first context data using predefined rules, the second context data being used to judge whether the network device has a command execution vulnerability.
9. The detection device according to claim 8, wherein the network environment data comprises a response message with which the network device responds to at least one other network device.
10. The detection device according to claim 8, further comprising:
a scenario response device for judging, using the second context data, whether the network device has a command execution vulnerability; and
for, in response to judging that the network device has a command execution vulnerability, controlling the network device so as to prevent the network device from sending a response message for a request message issued from the at least one other network device.
11. An electronic device, comprising:
one or more processors; and
a memory for storing one or more programs,
wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the method according to any one of claims 1 to 7.
12. A computer-readable storage medium storing computer-executable instructions which, when executed, implement the method according to any one of claims 1 to 7.
CN201910705518.8A 2019-07-31 2019-07-31 Method and detection device for detecting a command execution vulnerability Pending CN110430185A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910705518.8A CN110430185A (en) 2019-07-31 2019-07-31 Method and detection device for detecting a command execution vulnerability

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910705518.8A CN110430185A (en) 2019-07-31 2019-07-31 Method and detection device for detecting a command execution vulnerability

Publications (1)

Publication Number Publication Date
CN110430185A true CN110430185A (en) 2019-11-08

Family

ID=68413664

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910705518.8A Pending CN110430185A (en) 2019-07-31 2019-07-31 Method and detection device for detecting a command execution vulnerability

Country Status (1)

Country Link
CN (1) CN110430185A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111597559A (en) * 2020-05-15 2020-08-28 北京铭图天成信息技术有限公司 Method, device, equipment and storage medium for detecting system command injection vulnerability

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1761208A (en) * 2005-11-17 2006-04-19 郭世泽 System and method for evaluating security and survivability of network information system
CN103207856A (en) * 2013-04-03 2013-07-17 同济大学 Ontology concept and hierarchical relation generation method
US20140090064A1 (en) * 2012-09-25 2014-03-27 International Business Machines Corporation Training classifiers for program analysis
CN109361534A (en) * 2018-09-20 2019-02-19 中国航天系统科学与工程研究院 A kind of network security emulation system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1761208A (en) * 2005-11-17 2006-04-19 郭世泽 System and method for evaluating security and survivability of network information system
US20140090064A1 (en) * 2012-09-25 2014-03-27 International Business Machines Corporation Training classifiers for program analysis
CN103207856A (en) * 2013-04-03 2013-07-17 同济大学 Ontology concept and hierarchical relation generation method
CN109361534A (en) * 2018-09-20 2019-02-19 中国航天系统科学与工程研究院 A kind of network security emulation system

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
劳鑫: "Research on the Influence of Online Reviews on Product Sales", China Master's Theses Full-text Database (Economics and Management Sciences series) *
孙杰: "Research on an Ontology-based Adaptive Intelligent Security Protection System", 《信息与电脑》 (Information & Computer) *
纪幼纯: "Research on a News Recommendation System Based on Topic Modeling and Hierarchical Latent Variable Models", China Master's Theses Full-text Database (Information Science and Technology series) *
马文峰: "Digital Resource Integration: Theory, Methods and Applications", 31 December 2007, 北京图书馆出版社 (Beijing Library Press) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111597559A (en) * 2020-05-15 2020-08-28 北京铭图天成信息技术有限公司 Method, device, equipment and storage medium for detecting system command injection vulnerability
CN111597559B (en) * 2020-05-15 2023-10-13 北京铭图天成信息技术有限公司 System command injection vulnerability detection method and device, equipment and storage medium

Similar Documents

Publication Publication Date Title
EP3528463B1 (en) An artificial intelligence cyber security analyst
JP7436501B2 (en) Inferring temporal relationships about cybersecurity events
US20180367561A1 (en) Threat disposition analysis and modeling using supervised machine learning
Gupta et al. Layered approach using conditional random fields for intrusion detection
Lichodzijewski et al. Dynamic intrusion detection using self-organizing maps
CN110138787A (en) A kind of anomalous traffic detection method and system based on hybrid neural networks
Zhu et al. Network anomaly detection and identification based on deep learning methods
CN111538842A (en) Intelligent sensing and predicting method and device for network space situation and computer equipment
CN107111609A (en) Lexical analyzer for neural language performance identifying system
CN113347170A (en) Intelligent analysis platform design method based on big data framework
Bebortta et al. An adaptive machine learning-based threat detection framework for industrial communication networks
Tecuci et al. Instructable Cognitive Agents for Autonomous Evidence-Based Reasoning
CN110430185A (en) Method and detection device for detecting a command execution vulnerability
Alohali et al. Swarm intelligence for IoT attack detection in fog-enabled cyber-physical system
Sen et al. On holistic multi-step cyberattack detection via a graph-based correlation approach
CN110224975A (en) The determination method and device of APT information, storage medium, electronic device
CN110188537A (en) Separate-storage method and device, storage medium, the electronic device of data
Khan et al. Lightweight testbed for cybersecurity experiments in scada-based systems
Alqurashi et al. On the performance of isolation forest and multi layer perceptron for anomaly detection in industrial control systems networks
Ding et al. A data-driven based security situational awareness framework for power systems
Mishra et al. An efficient concept generation approach to identifying most influential node in a Terrorist Network using Weighted Formal Concept Analysis
Chen et al. Research on ontology-based network security knowledge map
Milutinovic et al. Performance of arithmetic optimization algorithm for ELM tuning applied to IoT security
Wu et al. Research on Situational Awareness Technology of Industrial Control Network Based on Big Data
Liu et al. SEAG: A novel dynamic security risk assessment method for industrial control systems with consideration of social engineering

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191108