CN110768970A - Equipment evaluation and abnormality detection method, device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN110768970A
Authority: CN (China)
Application number: CN201910981643.1A
Other languages: Chinese (zh)
Other versions: CN110768970B
Inventor: 孙尚勇
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Legal status: Granted (active)
History: application filed by New H3C Security Technologies Co Ltd; priority to CN201910981643.1A; publication of CN110768970A; application granted and published as CN110768970B.

Classifications

All entries fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION.

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14, network architectures or protocols for detecting or protecting against malicious traffic, and H04L63/1408, by monitoring network traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408)
    • H04L63/1433 Vulnerability analysis (under H04L63/14)
    • H04L41/142 Network analysis or design using statistical or mathematical methods (under H04L41/00, arrangements for maintenance, administration or management of data switching networks, and H04L41/14, network analysis or design)
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H04L43/0817 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters, by checking availability by checking functioning (under H04L43/00, arrangements for monitoring or testing data switching networks)

Abstract

Embodiments of the invention provide a device evaluation and anomaly detection method, apparatus, electronic device and storage medium. When the attribute information of a device to be detected is counted, not only the various kinds of security information relating to attacks, vulnerabilities and the like are counted, but also the utilization rate of the components in the device. The security information reflects the security degree of the device, while the component utilization rate constrains its performance. The security degree of the device is determined from the various kinds of security information and its availability degree from the component utilization rate: the higher the security degree, the safer the device, and the higher the availability degree, the better its performance. The health degree of the device is therefore evaluated from the security degree and the availability degree; the greater the security degree and the greater the availability degree, the greater the health degree of the device to be detected, which improves the accuracy of device evaluation and of device anomaly detection.

Description

Equipment evaluation and abnormality detection method, device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and an apparatus for device evaluation and anomaly detection, an electronic device, and a storage medium.
Background
The rapid development of network technology brings great convenience to people's lives; however, the devices in a network system face the threat of attack at any time. Network attacks have gradually developed from the individual behaviour of hackers into organised criminal or attack activity, showing trends towards specialised means, commercialised targets, internationalised sources and mobile carriers. Effective evaluation of device health therefore plays an important role in the secure operation of the network system.
Whether a device is healthy is mainly influenced by external attacks and by its own vulnerabilities. In the traditional device evaluation approach, the health degree of a device is therefore evaluated mainly by combining the number of external attacks the device has suffered with the number of vulnerabilities it has. The health degree is negatively correlated with both: the more attacks a device has suffered and the more vulnerabilities it has, the lower its health degree and the more easily an abnormality occurs.
However, when only the number of external attacks and the number of the device's own vulnerabilities are considered, the evaluated health degree differs greatly from the actual health degree of the device, and the accuracy of the device evaluation is low. In turn, the accuracy of detecting whether the device is abnormal on the basis of that health degree is also low.
Disclosure of Invention
Embodiments of the invention aim to provide a device evaluation and anomaly detection method, apparatus, electronic device and storage medium so as to improve the accuracy of device evaluation and of device anomaly detection. The specific technical scheme is as follows:
In a first aspect, an embodiment of the invention provides a device evaluation method, which includes:
counting attribute information of the device to be detected, the attribute information comprising various kinds of security information and the utilization rate of components in the device to be detected;
determining the security degree of the device to be detected according to the various kinds of security information, and determining the availability degree of the device to be detected according to the utilization rate of its components;
and evaluating the health degree of the device to be detected according to the security degree and the availability degree, wherein the health degree is positively correlated with both the security degree and the availability degree.
In a second aspect, an embodiment of the invention provides a device anomaly detection method, which includes:
counting attribute information of the device to be detected, the attribute information comprising various kinds of security information and the utilization rate of components in the device to be detected;
inputting the attribute information into a pre-established anomaly detection model to obtain a detection result indicating whether the device to be detected is abnormal;
wherein the anomaly detection model is trained on a preset training set comprising a plurality of items of positive-sample attribute information and a plurality of items of negative-sample attribute information; positive-sample attribute information is the attribute information of devices whose health degree, evaluated by the device evaluation method of the first aspect, is greater than or equal to a preset health degree threshold, and negative-sample attribute information is the attribute information of devices whose health degree, evaluated by the same method, is less than that threshold.
In a third aspect, an embodiment of the invention provides a device evaluation apparatus, which includes:
a statistics module for counting attribute information of the device to be detected, the attribute information comprising various kinds of security information and the utilization rate of components in the device to be detected;
a determining module for determining the security degree of the device to be detected according to the various kinds of security information and determining the availability degree of the device to be detected according to the utilization rate of its components;
and an evaluation module for evaluating the health degree of the device to be detected according to the security degree and the availability degree, wherein the health degree is positively correlated with both the security degree and the availability degree.
In a fourth aspect, an embodiment of the invention provides a device anomaly detection apparatus, which includes:
a statistics module for counting attribute information of the device to be detected, the attribute information comprising various kinds of security information and the utilization rate of components in the device to be detected;
a detection module for inputting the attribute information into a pre-established anomaly detection model to obtain a detection result indicating whether the device to be detected is abnormal;
wherein the anomaly detection model is trained on a preset training set comprising a plurality of items of positive-sample attribute information and a plurality of items of negative-sample attribute information; positive-sample attribute information is the attribute information of devices whose health degree, evaluated by the device evaluation method of the first aspect, is greater than or equal to a preset health degree threshold, and negative-sample attribute information is the attribute information of devices whose health degree, evaluated by the same method, is less than that threshold.
In a fifth aspect, an embodiment of the invention provides an electronic device comprising a processor and a storage medium, the storage medium storing machine-executable instructions that can be executed by the processor, and the instructions causing the processor to perform the device evaluation method of the first aspect and/or the device anomaly detection method of the second aspect.
In a sixth aspect, an embodiment of the invention provides a storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to perform the device evaluation method of the first aspect and/or the device anomaly detection method of the second aspect.
The device evaluation and anomaly detection method, apparatus, electronic device and storage medium provided by embodiments of the invention count the attribute information of the device to be detected, determine its security degree from the various kinds of security information in that attribute information, determine its availability degree from the component utilization rate in that attribute information, and evaluate its health degree from the security degree and the availability degree, the health degree being positively correlated with both. When the attribute information is counted, not only the various kinds of security information relating to attacks, vulnerabilities and the like are counted, but also the utilization rate of the device's components. The security information reflects the security degree of the device, while the component utilization rate constrains the device's performance and reflects its availability degree. The security degree can thus be determined from the security information and the availability degree from the component utilization rate: the higher the security degree, the safer the device, and the higher the availability degree, the better its performance. The health degree can therefore be evaluated from the security degree and the availability degree, and the evaluation result accurately reflects the actual health of the device: the greater the security degree and the greater the availability degree, the greater the health degree of the device to be detected, so the accuracy of device evaluation is improved. Further, whether the device to be detected is abnormal is detected on the basis of this more accurate evaluation of its health degree, so device anomaly detection is also more accurate.
Drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described below are clearly only some embodiments of the invention, and those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a flow chart of a device evaluation method according to an embodiment of the invention;
FIG. 2 is a flow chart of a device evaluation method according to another embodiment of the invention;
FIG. 3 is a flow chart of a device anomaly detection method according to an embodiment of the invention;
FIG. 4 is a schematic flow chart of the training of the anomaly detection model according to an embodiment of the invention;
FIG. 5 is a schematic structural diagram of a convolutional neural network according to an embodiment of the invention;
FIG. 6 is a schematic structural diagram of a device evaluation apparatus according to an embodiment of the invention;
FIG. 7 is a schematic structural diagram of a device anomaly detection apparatus according to an embodiment of the invention;
FIG. 8 is a schematic structural diagram of an electronic device according to an embodiment of the invention;
FIG. 9 is a schematic structural diagram of an electronic device according to another embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
To improve the accuracy of device evaluation, embodiments of the invention provide a device evaluation method and apparatus. The device evaluation method provided by an embodiment of the invention is described first.
The device evaluation method may be executed by the device to be detected itself, or by an electronic device that provides an evaluation service in the network system.
As shown in FIG. 1, the device evaluation method provided by an embodiment of the invention may include the following steps.
S101, counting attribute information of the device to be detected, the attribute information comprising various kinds of security information and the utilization rate of components in the device to be detected.
The device to be detected in the embodiment may be a network security device in a network system, such as a firewall or a gateway, or a terminal device such as a personal computer, a printer or a camera. Such devices need to be evaluated because whether they are healthy bears on the stable operation of the whole network system; they are usually called the assets of the network system. The evaluation of the device to be detected is usually performed in real time; its purpose is to analyse whether the device is currently healthy and to provide a basis for judgements such as detecting whether the device is abnormal and predicting abnormalities that are likely to occur.
The attribute information of the device to be detected comprises various kinds of security information, the utilization rate of components in the device, and the like. The security information is information generated by threat factors that affect the security performance of the device to be detected, for example the types and numbers of attacks it has suffered and the types and numbers of vulnerabilities it contains. The component utilization rate is statistical information on how much of the device's hardware resources is in use, generated as the device's components are used, for example CPU utilization, memory utilization, disk utilization, hard disk utilization and the like; it reflects the remaining available capacity of the components and also constrains the performance of the device to be detected.
S102, determining the security degree of the device to be detected according to the various kinds of security information, and determining the availability degree of the device to be detected according to the utilization rate of its components.
The security degree is the result of a comprehensive analysis of the various kinds of security information and represents how secure the device to be detected is: the higher the security degree, the safer the device. It can be obtained by a weighted operation over the various kinds of security information, or by other calculations such as taking a logarithm or computing a normal distribution.
The availability degree is the result of analysing the component utilization rates and represents whether, and to what extent, the device to be detected is still usable: the higher the availability degree, the better the device's performance. It can be obtained by combining the utilization rates of several components, for example by a weighted operation over them or by other calculations such as taking a logarithm or computing a normal distribution.
S103, evaluating the health degree of the device to be detected according to the security degree and the availability degree, wherein the health degree is positively correlated with both the security degree and the availability degree.
Once the security degree and the availability degree of the device to be detected have been calculated, together they comprehensively reflect whether the device is healthy: the higher the security degree and the higher the availability degree, the healthier the device to be detected and the lower the likelihood of an abnormality. In the embodiment, the health degree of the device to be detected is therefore evaluated from the security degree and the availability degree, and is positively correlated with both. In summary, the health degree is a parameter that comprehensively evaluates the various kinds of security information and the component utilization rate of the device to be detected: the higher the health degree, the healthier the device and the lower the likelihood of an abnormality; the lower the health degree, the less healthy the device and the higher the likelihood of an abnormality.
Since the health degree is positively correlated with the security degree and the availability degree, it can generally be calculated by weighted summation, for example:
$$H_i = \gamma_{i1} \cdot S_i + \gamma_{i2} \cdot U_i \tag{1}$$
where $H_i$ is the health degree of device i, $\gamma_{i1}$ is the weight assigned to the security degree $S_i$ of device i, and $\gamma_{i2}$ is the weight assigned to the availability degree $U_i$ of device i. The sum of $\gamma_{i1}$ and $\gamma_{i2}$ is 1, and their specific values can be chosen according to the actual condition of the device. In general, $\gamma_{i1}$ and $\gamma_{i2}$ can both be taken as 0.5; in some special scenarios, weights of different sizes can be chosen according to the relative importance of security and availability.
In addition to the above-mentioned weighted summation, the health degree may be calculated by taking a logarithm, calculating an index, or the like, as long as the calculated health degree and the safety degree and the availability satisfy a positive correlation relationship.
By applying the embodiment of the invention, when the attribute information of the equipment to be detected is counted, not only various safety information related to attacks, leaks and the like is counted, but also the utilization rate of components in the equipment to be detected is counted, the safety information reflects the safety degree of the equipment, the utilization rate of the components restricts the performance of the equipment and reflects the availability degree of the equipment, the safety degree of the equipment to be detected can be determined according to various safety information, the availability degree of the equipment to be detected can be determined according to the utilization rate of the components, the higher the safety degree is, the safer the equipment to be detected is represented, the higher the availability degree is, the better the performance of the equipment to be detected is represented, therefore, the health degree of the equipment to be detected can be evaluated according to the safety degree and the availability degree, the higher the safety degree is, the higher the health degree of the equipment to be detected is, the accuracy of equipment evaluation is improved. Further, whether the equipment to be detected is abnormal or not is detected based on a more accurate evaluation result of the health degree of the equipment, so that the equipment abnormity detection is more accurate.
Optionally, the multiple kinds of security information may include the number of attacks that the device to be detected is attacked at various levels and the number of vulnerabilities of various levels of vulnerabilities existing in the device to be detected itself.
Correspondingly, the calculation mode for determining the safety degree of the equipment to be detected according to various safety information specifically can be as follows:
the attack number of various levels of attacks is integrated, the attack threat index of the equipment to be detected is calculated, and the vulnerability threat index of the equipment to be detected is calculated by integrating the vulnerability number of various levels of vulnerabilities; and determining the safety degree of the equipment to be detected according to the attack threat index and the vulnerability threat index, wherein the safety degree is negatively correlated with the attack threat index and the vulnerability threat index.
In the embodiment of the present invention, the security information may include the number of attacks (for example, the number of high-risk attacks, the number of medium-risk attacks, and the number of low-risk attacks) that the device to be detected is subjected to various levels of attacks, and the number of vulnerabilities (for example, the number of high-risk vulnerabilities, the number of medium-risk vulnerabilities, and the number of low-risk vulnerabilities) of various levels of vulnerabilities existing in the device to be detected itself.
The attack number of attacks of various levels is integrated, the attack threat index of the equipment to be detected can be calculated, the attack threat index represents the severity of the attack threat of the equipment to be detected, and the higher the attack threat index is, the heavier the attack degree of the equipment to be detected is; the vulnerability threat index of the equipment to be detected can be calculated by integrating the vulnerability number of the vulnerabilities of various levels, the vulnerability threat index represents the severity of the vulnerability existing in the equipment to be detected, and the larger the vulnerability threat index is, the more and the heavier the vulnerability existing in the equipment to be detected is. The attack threat index may be obtained by performing weighted average on the attack numbers of various levels of attacks, the vulnerability threat index may be obtained by performing weighted average on the vulnerability numbers of various levels of vulnerabilities, and of course, the attack threat index and the vulnerability threat index may also be calculated by using other calculation methods, for example, taking a logarithm, solving a normal distribution, and the like.
After the attack threat index and the vulnerability threat index are obtained through calculation, the security of the equipment to be detected is directly influenced by the attack and the vulnerability, the equipment to be detected is unsafe when the attack threat index is larger, and the equipment is unsafe when the vulnerability threat index is larger. The safety degree can be calculated by carrying out weighted summation, logarithm taking and normal distribution on the attack threat index and the vulnerability threat index, and then carrying out reciprocal taking, reciprocal taking and the like.
Optionally, the availability is inversely related to the usage of the component; the usage of the components may include at least one of the following three: CPU utilization, memory utilization, and disk utilization.
The availability of the component directly affects the availability of the device to be detected, and the availability of the device to be detected is negatively correlated with the availability of the device component, that is, the higher the availability of the component is, the worse the availability of the device to be detected is, in the embodiment of the present invention, the device component may include, but is not limited to, a CPU, a memory, a disk, and the like, so the availability of the component may include at least one of a CPU usage, a memory usage, and a disk usage, and may also include the availability of other components, such as different types of storage media and the like. Specifically, the method for calculating the availability of the device to be detected according to the utilization rate of the components may be to perform calculation by performing weighted summation, logarithm taking, normal distribution, reciprocal taking, inverse number taking and the like on the utilization rate of the components.
Hereinafter, the device evaluation method provided by the embodiment of the present invention is described in detail by specific examples.
Taking the above-mentioned three levels of high, medium, and low as an example, assume that the attribute information of device i shown in Table 1 is obtained statistically at 12:01, 12:05, and 12:10 on 5/15/2019.
Table 1 attribute information statistical table of devices
According to the above embodiment, the calculation formula for calculating the attack threat index is set as follows:
[Formula (2), given as an image in the original]
wherein A_i is the attack threat index of device i, p_i1 is the number of high-risk attacks suffered by device i, p_i2 is the number of medium-risk attacks suffered by device i, p_i3 is the number of low-risk attacks suffered by device i, X_i is the threat degree of a high-risk attack on device i (value range 0-100; 80 in this embodiment), Y_i is the threat degree of a medium-risk attack on device i (value range 0-100; 50 in this embodiment), and Z_i is the threat degree of a low-risk attack on device i (value range 0-100; 20 in this embodiment). Note that X_i of different devices may be the same or different; likewise Y_i of different devices may be the same or different, and Z_i of different devices may be the same or different, which may be determined according to actual conditions.
Different values of A_i may correspond to different attack threat levels. For example, when A_i = 0, the attack threat level of device i is safe; when 0 < A_i ≤ 50, the attack threat level of device i is low; when 50 < A_i ≤ 80, the attack threat level of device i is medium; and when 80 < A_i ≤ 100, the attack threat level of device i is high.
Based on formula (2), the attack threat index of device i is 44 at 12:01 on 5/15/2019, 37.1 at 12:05 on 5/15/2019, and 37.9 at 12:10 on 5/15/2019. That is, the attack threat level of the device is low at 12:01, 12:05, and 12:10 on 5/15/2019.
Setting a calculation formula for calculating the vulnerability threat index as follows:
[Formula (3), given as an image in the original]
wherein B_i is the vulnerability threat index of device i, t_i1 is the number of high-risk vulnerabilities present in device i, t_i2 is the number of medium-risk vulnerabilities present in device i, t_i3 is the number of low-risk vulnerabilities present in device i, Q_i is the threat degree of a high-risk vulnerability of device i (value range 0-100; 80 in this embodiment), V_i is the threat degree of a medium-risk vulnerability of device i (value range 0-100; 50 in this embodiment), and W_i is the threat degree of a low-risk vulnerability of device i (value range 0-100; 20 in this embodiment). Note that Q_i of different devices may be the same or different; likewise V_i of different devices may be the same or different, and W_i of different devices may be the same or different, which may be determined according to actual conditions.
Similarly, different values of B_i may correspond to different vulnerability threat levels. For example, when B_i = 0, the vulnerability threat level of device i is safe; when 0 < B_i ≤ 50, the vulnerability threat level of device i is low; when 50 < B_i ≤ 80, the vulnerability threat level of device i is medium; and when 80 < B_i ≤ 100, the vulnerability threat level of device i is high.
Based on formula (3), the vulnerability threat index of device i is 32.5 at 12:01 on 5/15/2019, 35 at 12:05 on 5/15/2019, and 36.6 at 12:10 on 5/15/2019. That is, the vulnerability threat level of the device is low at 12:01, 12:05, and 12:10 on 5/15/2019.
The calculation formula for setting the safety degree of the computing equipment is as follows:
S_i = 100 - (α_i1 * A_i + α_i2 * B_i) (4)
wherein S_i is the safety degree of device i, α_i1 is the weight assigned to the attack threat index of device i, α_i2 is the weight assigned to the vulnerability threat index of device i, and the sum of α_i1 and α_i2 is 1; the specific values may be taken according to the actual network conditions.
Taking α_i1 and α_i2 both as 0.5 as an example, based on formula (4) and the calculated attack threat index and vulnerability threat index, the safety degree of device i is 61.75 at 12:01 on 5/15/2019, 63.95 at 12:05 on 5/15/2019, and 62.75 at 12:10 on 5/15/2019.
The calculation formula for setting the availability of the computing equipment is as follows:
U_i = 100 - 100 * (β_i1 * m_ic + β_i2 * m_ir + β_i3 * m_id) (5)
wherein U_i is the availability degree of device i, m_ic is the CPU usage rate of device i, m_ir is the memory usage rate of device i, m_id is the disk usage rate of device i, β_i1 is the weight assigned to the CPU usage of device i, β_i2 is the weight assigned to the memory usage of device i, β_i3 is the weight assigned to the disk usage of device i, and the sum of β_i1, β_i2 and β_i3 is 1; the specific values may be taken according to the actual use condition of the device.
Taking β_i1 = 0.3, β_i2 = 0.3 and β_i3 = 0.4 as an example, based on formula (5) the availability degree of the device is 80.4 at 12:01 on 5/15/2019, 84.5 at 12:05 on 5/15/2019, and 13 at 12:10 on 5/15/2019.
Taking γ_i1 and γ_i2 both as 0.5 as an example, the health degree of the device at 12:01, 12:05 and 12:10 on 5/15/2019 can be calculated based on formula (1); the health degree at 12:01 on 5/15/2019 is 71.1, and that at 12:10 on 5/15/2019 is 37.9. It can be seen that the health degree of the device was lowest at 12:10 on 5/15/2019, when the device was in the worst health.
Based on the above embodiment, an embodiment of the present invention further provides an apparatus anomaly detection method, as shown in fig. 2, including the following steps.
S201, counting attribute information of the equipment to be detected, wherein the attribute information comprises various safety information and the utilization rate of components in the equipment to be detected.
S202, determining the safety degree of the equipment to be detected according to various safety information, and determining the availability degree of the equipment to be detected according to the utilization rate of components in the equipment to be detected.
S203, evaluating the health degree of the equipment to be detected according to the safety degree and the availability degree, wherein the health degree is positively correlated with the safety degree and the availability degree.
S204, judging whether the health degree is smaller than a preset health degree threshold value; if so, determining that the equipment to be detected is abnormal, and otherwise determining that the equipment to be detected is normal.
The health degree indirectly reflects whether the equipment to be detected is abnormal: the lower the health degree, the higher the possibility that the equipment is abnormal. Therefore, in the embodiment of the invention a health degree threshold can be set; if the health degree is greater than or equal to the threshold the equipment to be detected is considered normal, otherwise it is considered abnormal. After the equipment is determined to be normal or abnormal, a label may be added to the corresponding attribute information, for example 0 to indicate that the equipment is normal and 1 to indicate that it is abnormal.
It should be noted that, when there are few devices, the exception detection for a small number of devices can be quickly implemented by implementing the flow of fig. 2; when there are many devices, the method shown in fig. 2 may be implemented to make a decision on a device-by-device basis, but may take some time.
As in the above example, the health degree of the device at 12:01 on 5/15/2019 was calculated to be 71.1 and that at 12:10 on 5/15/2019 to be 37.9. With the health degree threshold set to 50, the device is considered normal if its health degree is greater than or equal to 50 and abnormal if it is less than 50. Therefore, the detection results are: normal at 12:01 on 5/15/2019, normal at 12:05 on 5/15/2019, and abnormal at 12:10 on 5/15/2019.
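As an added example (not code from the patent), the following Python reproduces the worked evaluation above for the 12:01 snapshot, whose raw counts and usage rates are the nine values the page later gives as its vector form <3,2,5,0,5,7,20,12,25>, and applies the fig. 2 threshold to label it. The weighted-average form of formulas (2) and (3) (their images are not reproduced on the page) and the weighted-sum form of formula (1) are inferred from the text and checked against the page's own figures (44, 32.5, 61.75, 80.4, 71.1); the two further snapshots are constructed.

```python
"""Device evaluation and threshold labelling as described in the worked example.

The 12:01 snapshot is taken from the page's vector form; formulas (2), (3)
and (1) are assumed to be the weighted average / weighted sum the text
describes, and reproduce the page's numbers.  Other snapshots are constructed.
"""
from dataclasses import dataclass

# Threat degrees of high / medium / low attacks and vulnerabilities (page values).
ATTACK_DEGREES = (80.0, 50.0, 20.0)        # X_i, Y_i, Z_i
VULN_DEGREES = (80.0, 50.0, 20.0)          # Q_i, V_i, W_i
ALPHA = (0.5, 0.5)                         # alpha_i1, alpha_i2 in formula (4)
BETA = (0.3, 0.3, 0.4)                     # beta_i1..beta_i3 in formula (5)
GAMMA = (0.5, 0.5)                         # gamma_i1, gamma_i2 in formula (1), assumed weighted sum
HEALTH_THRESHOLD = 50.0                    # fig. 2 threshold of the worked example


@dataclass(frozen=True)
class AttributeInfo:
    """One statistics snapshot of a device; counts are integers, usages are percentages."""
    attacks: tuple   # (high, medium, low) attack counts p_i1, p_i2, p_i3
    vulns: tuple     # (high, medium, low) vulnerability counts t_i1, t_i2, t_i3
    cpu: float       # m_ic, percent
    mem: float       # m_ir, percent
    disk: float      # m_id, percent

    def vector(self):
        """Vector form <p1,p2,p3,t1,t2,t3,cpu,mem,disk> used for the training set."""
        return list(self.attacks) + list(self.vulns) + [self.cpu, self.mem, self.disk]

    @classmethod
    def from_vector(cls, v):
        """Inverse of vector(), so stored samples can be re-evaluated."""
        return cls(tuple(v[0:3]), tuple(v[3:6]), v[6], v[7], v[8])


def weighted_index(counts, degrees):
    """Formulas (2)/(3): average of the per-level threat degrees weighted by count.

    With no attacks (or no vulnerabilities) the page puts the device in the
    'safe' band, so return 0 instead of dividing by zero.
    """
    total = sum(counts)
    if total == 0:
        return 0.0
    return sum(c * d for c, d in zip(counts, degrees)) / total


def threat_level(index):
    """The page's four bands for A_i and B_i."""
    if index == 0:
        return "safe"
    if index <= 50:
        return "low"
    if index <= 80:
        return "medium"
    return "high"


def evaluate(info):
    """Return (A, B, S, U, H) for one snapshot."""
    a = weighted_index(info.attacks, ATTACK_DEGREES)               # formula (2)
    b = weighted_index(info.vulns, VULN_DEGREES)                   # formula (3)
    s = 100 - (ALPHA[0] * a + ALPHA[1] * b)                        # formula (4)
    usage = (info.cpu / 100, info.mem / 100, info.disk / 100)      # percent -> fraction
    u = 100 - 100 * sum(w * m for w, m in zip(BETA, usage))        # formula (5)
    h = GAMMA[0] * s + GAMMA[1] * u                                # formula (1), assumed
    return a, b, s, u, h


def label(info, threshold=HEALTH_THRESHOLD):
    """Fig. 2 decision: 0 = normal (health >= threshold), 1 = abnormal."""
    return 0 if evaluate(info)[4] >= threshold else 1


def build_training_set(snapshots, threshold=HEALTH_THRESHOLD):
    """Label each snapshot by the evaluation flow and store it as (vector, label).

    Positive samples (label 0) have health >= threshold, negative samples
    (label 1) health < threshold, as the training-set description requires.
    """
    return [(s.vector(), label(s, threshold)) for s in snapshots]


# The page's 12:01 snapshot (from its vector form) plus two constructed ones:
# one saturated on CPU and memory, one with no attacks at all.
SNAPSHOT_1201 = AttributeInfo.from_vector([3, 2, 5, 0, 5, 7, 20, 12, 25])
CONSTRUCTED_OVERLOADED = AttributeInfo((1, 4, 3), (2, 3, 3), 98.0, 97.0, 60.0)
CONSTRUCTED_QUIET = AttributeInfo((0, 0, 0), (0, 0, 2), 5.0, 10.0, 30.0)

if __name__ == "__main__":
    for name, snap in [("12:01", SNAPSHOT_1201), ("overloaded", CONSTRUCTED_OVERLOADED),
                       ("quiet", CONSTRUCTED_QUIET)]:
        a, b, s, u, h = evaluate(snap)
        print(f"{name:>10}: A={a:.1f} ({threat_level(a)}) B={b:.1f} ({threat_level(b)}) "
              f"S={s:.2f} U={u:.1f} H={h:.1f} label={label(snap)}")
```

The zero-attack branch in weighted_index matters in practice: a quiet device must land in the "safe" band rather than raise a division error when the pipeline runs over a whole fleet.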
By applying the embodiment of the invention, when the attribute information of the equipment to be detected is counted, not only the various safety information relating to attacks, vulnerabilities and the like is counted, but also the utilization rate of the components in the equipment to be detected. The safety information reflects the safety degree of the equipment, while the utilization rate of the components restricts the performance of the equipment and reflects its availability degree; the safety degree of the equipment to be detected can therefore be determined from the various safety information, and the availability degree from the utilization rate of the components. The higher the safety degree, the safer the equipment to be detected; the higher the availability degree, the better its performance. The health degree of the equipment to be detected can thus be evaluated from the safety degree and the availability degree, with a higher safety degree giving a higher health degree, so the accuracy of equipment evaluation is improved. Further, whether the equipment to be detected is abnormal is detected based on this more accurate evaluation of the equipment's health degree, so the equipment anomaly detection is also more accurate.
When the number of devices is very large and real-time detection of device states is required, it is obvious that the amount of calculation is very large and real-time performance is poor when performing anomaly detection according to the method in the above embodiment, and therefore, in order to ensure real-time performance of device anomaly detection, the embodiment of the present invention provides a device anomaly detection method, as shown in fig. 3, including the following steps.
S301, counting attribute information of the equipment to be detected, wherein the attribute information comprises various safety information and the utilization rate of components in the equipment to be detected.
S302, inputting the attribute information into a pre-established abnormality detection model to obtain a detection result of whether the equipment to be detected is abnormal.
The anomaly detection model is obtained by training based on a preset training set, the preset training set comprises a plurality of positive sample attribute information and a plurality of negative sample attribute information, the positive sample attribute information is the attribute information of the equipment with the health degree larger than or equal to a preset health degree threshold value obtained by evaluation according to any equipment evaluation method provided by the embodiment of the invention, and the negative sample attribute information is the attribute information of the equipment with the health degree smaller than the preset health degree threshold value obtained by evaluation according to any equipment evaluation method provided by the embodiment of the invention. The preset health threshold in this embodiment may be the same as or different from the preset health threshold used in the embodiment shown in fig. 2 when the detection device is abnormal, and in general, the preset health threshold having the same size is selected.
The embodiment of the invention provides an equipment abnormity detection method based on deep learning, an abnormity detection model is trained through a large amount of positive and negative sample attribute information, after the abnormity detection model is trained, the attribute information of equipment to be detected is input into the abnormity detection model, and then the detection result of whether the equipment is abnormal can be obtained.
The sample attribute information in the preset training set is acquired from the device in the historical operation process, specifically, the preset training set includes a large amount of positive sample attribute information and negative sample attribute information, the positive sample attribute information refers to attribute information of the device with the health degree greater than or equal to a preset health degree threshold, the negative sample attribute information refers to attribute information of the device with the health degree less than the preset health degree threshold, and the specific health degree evaluation mode refers to the embodiment shown in fig. 1 and is not described herein again.
Optionally, the plurality of negative example attribute information may include: the attribute information of a plurality of devices with the safety degrees smaller than a preset safety degree threshold value, and/or the attribute information of a plurality of devices with the availability degrees smaller than a preset availability degree threshold value.
The attribute information comprises various kinds of safety information and the utilization rate of equipment components, the safety degree of the equipment can be determined according to the safety information, the availability degree of the equipment can be determined according to the utilization rate of the components, in order to more comprehensively cover that the health degree caused by various conditions is smaller than a preset health degree threshold value, the attribute information of the equipment with a plurality of safety degrees smaller than the preset safety degree threshold value and the attribute information with a plurality of availability degrees smaller than the preset availability degree threshold value can be selected from the negative sample attribute information, and in the selection process, all the safety information and the component utilization rate are covered as much as possible.
For example, N pieces of negative sample attribute information of the device with the security degree smaller than the preset security degree threshold value may be selected, where the N/2 pieces of negative sample attribute information have attack threat indexes higher than the preset attack threat index threshold value, and the N/2 pieces of negative sample attribute information have vulnerability threat indexes higher than the preset vulnerability threat index threshold value, and the selected negative sample attribute information should cover a high-risk attack, a medium-risk attack, a low-risk attack, a high-risk vulnerability, a medium-risk vulnerability, and a low-risk vulnerability. And then selecting N pieces of negative sample attribute information of the equipment with the availability smaller than the preset availability threshold, wherein the N pieces of negative sample attribute information comprise N/3 pieces of negative sample attribute information with the CPU utilization rate higher than the preset utilization threshold, N/3 pieces of negative sample attribute information with the memory utilization rate higher than the preset utilization threshold, and N/3 pieces of negative sample attribute information with the disk utilization rate higher than the preset utilization threshold. In addition, M positive sample attribute information is selected, and M may be much larger than N.
After the sample attribute information is selected, each piece of sample attribute information can be converted into vector form; taking the attribute information at 12:01 on 5/15/2019 as an example, it is converted into the vector <3,2,5,0,5,7,20,12,25>. The sample attribute information is stored in a preset training set, and the anomaly detection model is obtained by training on the preset training set. The specific model training mode is shown in fig. 4 and includes the following steps.
S401, aiming at each sample attribute information in a preset training set, inputting the sample attribute information into a convolutional neural network with a preset structure to carry out convolution operation, and obtaining the probability that the type of the sample attribute information is an actual labeling type, wherein the actual labeling type is positive sample attribute information or negative sample attribute information which is labeled on the sample attribute information in advance.
The structure of the convolutional neural network is shown in fig. 5. It comprises an input layer, a hidden layer and an output layer. The hidden layer is usually more than one layer and is composed of several convolutional layers and a fully connected layer; specifically, one fully connected layer may follow one convolutional layer, or a fully connected layer may follow several convolutional layers as the last layer of the hidden layer. The output layer can be a softmax layer, which outputs the probability that the sample attribute information is positive sample attribute information or negative sample attribute information. The structure of the convolutional neural network is shown in Table 2, assuming 5 hidden layers; whether each of the 5 hidden layers is a convolutional layer or a fully connected layer is not limited here.
TABLE 2 convolutional neural network architecture
Input layer | Hidden layer 1 | Hidden layer 2 | Hidden layer 3 | Hidden layer 4 | Hidden layer 5 | softmax layer
And inputting each sample attribute information into an input layer as an input, and transmitting the sample attribute information forwards layer by layer through a convolutional neural network to finally obtain the probability that one sample attribute information is positive sample attribute information and the probability that the sample attribute information is negative sample attribute information. Whether each sample attribute information is the positive sample attribute information or the negative sample attribute information is labeled in advance, so that the probability that the type of one sample attribute information is the actual labeled type can be directly known.
S402, determining a loss value corresponding to the sample attribute according to the probability.
Based on the probability that the type of the sample attribute information obtained by network calculation is the actual labeling type of the sample attribute information, the loss value corresponding to the sample attribute information can be obtained.
S403, adjusting network parameters of the convolutional neural network based on the loss value.
S404, completing training when the convolution neural network after the network parameters are determined to be adjusted is converged, and obtaining an abnormal detection model.
And adjusting the network parameters of the convolutional neural network based on the obtained loss value, inputting the attribute information of the other sample into the convolutional neural network with the adjusted network parameters until the convolutional neural network is converged, and finishing training when the network parameters of the convolutional neural network are optimal, wherein the obtained convolutional neural network with the optimal network parameters is the anomaly detection model.
Optionally, an execution subject of the training flow shown in fig. 4 of the present invention may be the same as or different from the execution subject of the apparatus anomaly detection method shown in fig. 3, and is determined according to the actual situation.
Optionally, an execution subject of the device anomaly detection method provided in the embodiment of the present invention may be the same as or different from an execution subject of the device evaluation method, which is not limited in the present invention.
By applying the embodiment of the invention and the equipment anomaly detection method based on deep learning, the anomaly detection model is trained through a large amount of positive and negative sample attribute information, and after the anomaly detection model is trained, the attribute information of the equipment to be detected is input into the anomaly detection model, so that the detection result of whether the equipment is abnormal can be obtained. Under the condition that the number of the devices is very large and the real-time detection of the device states is required, the abnormal states of the devices can be detected rapidly in real time, and the device abnormality detection efficiency is improved.
Corresponding to the embodiment of the device evaluation method shown in fig. 1, an embodiment of the present invention provides a device evaluation apparatus, as shown in fig. 6, the apparatus may include:
the statistical module 610 is configured to count attribute information of the device to be detected, where the attribute information includes various safety information and a utilization rate of components in the device to be detected;
the determining module 620 is used for determining the safety degree of the device to be detected according to various safety information and determining the availability degree of the device to be detected according to the utilization rate of components in the device to be detected;
the evaluation module 630 is configured to evaluate the health degree of the device to be detected according to the safety degree and the availability degree, where the health degree is positively correlated to the safety degree and the availability degree.
Optionally, the multiple kinds of security information may include the number of attacks that the device to be detected is attacked at various levels and the number of vulnerabilities of various levels of vulnerabilities existing in the device to be detected itself;
the determining module 620 may specifically be configured to, when determining the security level of the device to be detected according to a plurality of security information:
the attack number of various levels of attacks is integrated, the attack threat index of the equipment to be detected is calculated, and the vulnerability threat index of the equipment to be detected is calculated by integrating the vulnerability number of various levels of vulnerabilities;
and determining the safety degree of the equipment to be detected according to the attack threat index and the vulnerability threat index, wherein the safety degree is negatively correlated with the attack threat index and the vulnerability threat index.
Optionally, the availability is inversely related to the usage of the component; the usage of the components may include at least one of the following three: CPU utilization, memory utilization, and disk utilization.
Optionally, the apparatus may further include:
and the detection module is used for determining that the equipment to be detected is abnormal if the health degree is smaller than a preset health degree threshold value.
Corresponding to the embodiment of the method for detecting device abnormality shown in fig. 3, an embodiment of the present invention provides a device for detecting device abnormality, and as shown in fig. 7, the device may include:
the statistical module 710 is configured to count attribute information of the device to be detected, where the attribute information includes various safety information and a utilization rate of components in the device to be detected;
the detection module 720 is configured to input the attribute information into a pre-established anomaly detection model to obtain a detection result of whether the device to be detected is anomalous;
the anomaly detection model is obtained by training based on a preset training set, the preset training set comprises a plurality of positive sample attribute information and a plurality of negative sample attribute information, the positive sample attribute information is the attribute information of the equipment with the health degree larger than or equal to a preset health degree threshold value obtained by evaluation according to the equipment evaluation method provided by the embodiment of the invention, and the negative sample attribute information is the attribute information of the equipment with the health degree smaller than the preset health degree threshold value obtained by evaluation according to the equipment evaluation method provided by the embodiment of the invention.
Optionally, the plurality of negative example attribute information may include: the attribute information of a plurality of devices with the safety degrees smaller than a preset safety degree threshold value, and/or the attribute information of a plurality of devices with the availability degrees smaller than a preset availability degree threshold value.
Optionally, the apparatus may further comprise a training module; a training module to:
inputting the sample attribute information into a convolutional neural network with a preset structure for convolutional operation aiming at each sample attribute information in a preset training set to obtain the probability that the type of the sample attribute information is an actual labeling type, wherein the actual labeling type is positive sample attribute information or negative sample attribute information which is labeled on the sample attribute information in advance;
determining a loss value corresponding to the sample attribute information according to the probability;
adjusting network parameters of the convolutional neural network based on the loss values;
and finishing training when the convolutional neural network after the network parameters are determined to be adjusted is converged, so as to obtain an abnormal detection model.
An electronic device according to an embodiment of the present invention is shown in fig. 8, and includes a processor 801 and a storage medium 802, where the storage medium 802 stores machine executable instructions capable of being executed by the processor 801, and the processor 801 is caused by the machine executable instructions to perform the device evaluation method.
In this embodiment, by reading the machine executable instructions stored in the storage medium 802, the processor 801 is caused to implement the following. When the attribute information of the equipment to be detected is counted, not only the various safety information relating to attacks, vulnerabilities and the like is counted, but also the utilization rate of the components in the equipment to be detected. The safety information reflects the safety degree of the equipment, while the utilization rate of the components restricts the performance of the equipment and reflects its availability degree; the safety degree of the equipment to be detected can therefore be determined from the various safety information, and the availability degree from the utilization rate of the components. The higher the safety degree, the safer the equipment to be detected; the higher the availability degree, the better its performance. The health degree of the equipment to be detected can thus be evaluated from the safety degree and the availability degree, and the evaluation result accurately reflects the actual health of the equipment: the greater the safety degree and the availability degree, the greater the health degree, so the accuracy of equipment evaluation is improved. Further, whether the equipment to be detected is abnormal is detected based on this more accurate evaluation of the equipment's health degree, so the equipment anomaly detection is also more accurate.
In addition, embodiments of the present invention provide a storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to perform the above-described device evaluation method.
In this embodiment, when the storage medium runs the machine executable instructions for the device evaluation method provided in the embodiment of the present invention, the same effects as described above for the electronic device of fig. 8 are achieved: the safety degree and the availability degree of the equipment to be detected are determined from the counted safety information and component utilization rates, the health degree is evaluated from both so that it accurately reflects the actual health of the equipment and the accuracy of equipment evaluation is improved, and anomaly detection based on this more accurate health degree is in turn more accurate.
An embodiment of the present invention provides an electronic device, as shown in fig. 9, including a processor 901 and a storage medium 902, where the storage medium 902 stores machine executable instructions that can be executed by the processor 901, and the processor 901 is caused by the machine executable instructions to execute the above-mentioned device abnormality detection method.
In this embodiment, by reading the machine-executable instructions stored in the storage medium 902, the processor 901 is caused to implement the following. The deep-learning-based device abnormality detection method trains an abnormality detection model on a large amount of positive-sample and negative-sample attribute information; once the model is trained, the attribute information of the equipment to be detected is input to it, and a detection result indicating whether the equipment is abnormal is obtained. When the number of devices is very large and real-time detection of device states is required, the abnormal states of the devices can be detected rapidly in real time, which improves the efficiency of device abnormality detection.
In addition, an embodiment of the present invention provides a storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to execute the above device abnormality detection method.
In this embodiment, running the machine-executable instructions of the device abnormality detection method provided by the embodiment of the present invention from the storage medium achieves the following. The deep-learning-based device abnormality detection method trains an abnormality detection model on a large amount of positive-sample and negative-sample attribute information; once the model is trained, the attribute information of the equipment to be detected is input to it, and a detection result indicating whether the equipment is abnormal is obtained. When the number of devices is very large and real-time detection of device states is required, the abnormal states of the devices can be detected rapidly in real time, which improves the efficiency of device abnormality detection.
The storage medium may include a RAM (Random Access Memory) or an NVM (Non-Volatile Memory), such as at least one disk memory. Alternatively, the storage medium may be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
For the electronic device and the storage medium embodiment, since the contents of the related methods are substantially similar to those of the foregoing method embodiments, the description is relatively simple, and for the relevant points, reference may be made to part of the description of the method embodiments.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the device, the electronic apparatus, and the storage medium embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and for the relevant points, reference may be made to part of the description of the method embodiments.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (11)

1. A method for device evaluation, the method comprising:
counting attribute information of the equipment to be detected, wherein the attribute information comprises various safety information and the utilization rate of components in the equipment to be detected;
determining the safety degree of the equipment to be detected according to the various safety information, and determining the availability degree of the equipment to be detected according to the utilization rate of components in the equipment to be detected;
and evaluating the health degree of the equipment to be detected according to the safety degree and the availability degree, wherein the health degree is positively correlated with the safety degree and the availability degree.
2. The method according to claim 1, wherein the various safety information includes the number of attacks of each of various levels that the equipment to be detected is subjected to, and the number of vulnerabilities of each of various levels that the equipment to be detected has;
the determining the safety degree of the equipment to be detected according to the various safety information comprises the following steps:
integrating the numbers of attacks of the various levels to calculate an attack threat index of the equipment to be detected, and integrating the numbers of vulnerabilities of the various levels to calculate a vulnerability threat index of the equipment to be detected;
and determining the safety degree of the equipment to be detected according to the attack threat index and the vulnerability threat index, wherein the safety degree is negatively correlated with the attack threat index and the vulnerability threat index.
3. The method of claim 1, wherein the availability degree is negatively correlated with the utilization rate of the components; the utilization rate of the components includes at least one of the following three: CPU utilization, memory utilization, and disk utilization.
4. The method according to any one of claims 1 to 3, wherein after evaluating the health degree of the equipment to be detected according to the safety degree and the availability degree, the method further comprises:
and if the health degree is smaller than a preset health degree threshold value, determining that the equipment to be detected is abnormal.
5. A device anomaly detection method, the method comprising:
counting attribute information of the equipment to be detected, wherein the attribute information comprises various safety information and the utilization rate of components in the equipment to be detected;
inputting the attribute information into a pre-established abnormality detection model to obtain a detection result of whether the equipment to be detected is abnormal or not;
the anomaly detection model is obtained by training based on a preset training set, the preset training set comprises a plurality of positive sample attribute information and a plurality of negative sample attribute information, the positive sample attribute information is the attribute information of the equipment with the health degree larger than or equal to a preset health degree threshold value obtained by evaluation according to the method of any one of claims 1 to 3, and the negative sample attribute information is the attribute information of the equipment with the health degree smaller than the preset health degree threshold value obtained by evaluation according to the method of any one of claims 1 to 3.
6. The method of claim 5, wherein the plurality of negative example attribute information comprises: the attribute information of a plurality of devices with the safety degrees smaller than a preset safety degree threshold value, and/or the attribute information of a plurality of devices with the availability degrees smaller than a preset availability degree threshold value.
7. The method of claim 5, wherein the training of the anomaly detection model comprises:
for each sample attribute information in the preset training set, inputting the sample attribute information into a convolutional neural network of a preset structure for convolution operation, to obtain the probability that the type of the sample attribute information is its actual labelled type, wherein the actual labelled type is the positive sample attribute information or negative sample attribute information label assigned to the sample attribute information in advance;
determining a loss value corresponding to the sample attribute information according to the probability;
adjusting network parameters of the convolutional neural network based on the loss values;
and finishing training when the convolutional neural network with the adjusted network parameters is determined to have converged, so as to obtain the anomaly detection model.
8. An apparatus for equipment evaluation, the apparatus comprising:
the device comprises a statistic module, a judging module and a control module, wherein the statistic module is used for counting attribute information of equipment to be detected, and the attribute information comprises various safety information and the utilization rate of components in the equipment to be detected;
the determining module is used for determining the safety degree of the equipment to be detected according to the various safety information and determining the availability degree of the equipment to be detected according to the utilization rate of components in the equipment to be detected;
and the evaluation module is used for evaluating the health degree of the equipment to be detected according to the safety degree and the availability degree, wherein the health degree is positively correlated with the safety degree and the availability degree.
9. An apparatus for detecting abnormality of a device, the apparatus comprising:
the device comprises a statistic module, a judging module and a control module, wherein the statistic module is used for counting attribute information of equipment to be detected, and the attribute information comprises various safety information and the utilization rate of components in the equipment to be detected;
the detection module is used for inputting the attribute information into a pre-established anomaly detection model to obtain a detection result of whether the equipment to be detected is abnormal or not;
the anomaly detection model is obtained by training based on a preset training set, the preset training set comprises a plurality of positive sample attribute information and a plurality of negative sample attribute information, the positive sample attribute information is the attribute information of the equipment with the health degree larger than or equal to a preset health degree threshold value obtained by evaluation according to the method of any one of claims 1 to 3, and the negative sample attribute information is the attribute information of the equipment with the health degree smaller than the preset health degree threshold value obtained by evaluation according to the method of any one of claims 1 to 3.
10. An electronic device comprising a processor and a storage medium storing machine executable instructions executable by the processor, the processor being caused by the machine executable instructions to perform the method of any one of claims 1 to 4 and/or to perform the method of any one of claims 5 to 7.
11. A storage medium storing machine executable instructions which, when invoked and executed by a processor, cause the processor to perform the method of any one of claims 1 to 4 and/or the method of any one of claims 5 to 7.
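A worked example of the evaluation and labelling procedure of claims 1 to 6, added here and not part of the patent: it counts per-level attack and vulnerability numbers into threat indexes, derives a safety degree that falls as they grow, an availability degree that falls as component utilization grows, a health degree that rises with both, applies the health threshold of claim 4, and splits sample devices into the positive and negative sets of claims 5 and 6. The per-level weights, the 1/(1+x) safety form, the max-utilization availability form, the geometric-mean health form and all thresholds are assumptions, since the patent states no formulas.

```python
"""Added example (not the patent's own code): health-degree evaluation and sample labelling."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed per-level weights: a higher level contributes more to the threat index.
ATTACK_LEVEL_WEIGHTS = {"low": 1.0, "medium": 3.0, "high": 7.0}
VULN_LEVEL_WEIGHTS = {"low": 1.0, "medium": 3.0, "high": 7.0}


@dataclass
class DeviceAttributes:
    """Attribute information of one device to be detected (claim 1)."""
    attacks_by_level: Dict[str, int]  # level -> number of attacks suffered at that level
    vulns_by_level: Dict[str, int]    # level -> number of vulnerabilities at that level
    cpu_util: float                   # utilization rates in [0, 1]
    mem_util: float
    disk_util: float


def threat_index(counts_by_level: Dict[str, int], weights: Dict[str, float]) -> float:
    """Integrate per-level counts into one index (assumed: weighted sum)."""
    return sum(weights[level] * count for level, count in counts_by_level.items())


def safety_degree(d: DeviceAttributes) -> float:
    """Safety degree in (0, 1], negatively correlated with both threat indexes (claim 2)."""
    attack_idx = threat_index(d.attacks_by_level, ATTACK_LEVEL_WEIGHTS)
    vuln_idx = threat_index(d.vulns_by_level, VULN_LEVEL_WEIGHTS)
    return 1.0 / (1.0 + attack_idx + vuln_idx)


def availability_degree(d: DeviceAttributes) -> float:
    """Availability in [0, 1], negatively correlated with utilization: the busiest component bounds it (claim 3)."""
    return 1.0 - max(d.cpu_util, d.mem_util, d.disk_util)


def health_degree(d: DeviceAttributes) -> float:
    """Health positively correlated with safety and availability (assumed: geometric mean)."""
    return (safety_degree(d) * availability_degree(d)) ** 0.5


def is_abnormal(d: DeviceAttributes, health_threshold: float = 0.5) -> bool:
    """Claim 4: abnormal when the health degree is below the preset threshold."""
    return health_degree(d) < health_threshold


def label_training_set(devices: List[DeviceAttributes], health_threshold: float = 0.5,
                       safety_threshold: float = 0.2, availability_threshold: float = 0.2
                       ) -> Tuple[List[DeviceAttributes], List[DeviceAttributes]]:
    """Claims 5 and 6: positives have health >= threshold; negatives have health below it,
    or (assumed to be added to the negative set) safety or availability below their thresholds."""
    positives, negatives = [], []
    for d in devices:
        healthy = health_degree(d) >= health_threshold
        weak = safety_degree(d) < safety_threshold or availability_degree(d) < availability_threshold
        (positives if healthy and not weak else negatives).append(d)
    return positives, negatives


def sample_devices() -> List[DeviceAttributes]:
    """Constructed sample input: one healthy device, one attacked and overloaded, one only overloaded."""
    return [
        DeviceAttributes({}, {"low": 1}, 0.3, 0.4, 0.2),
        DeviceAttributes({"high": 2}, {"medium": 1}, 0.9, 0.5, 0.3),
        DeviceAttributes({}, {}, 0.95, 0.1, 0.1),
    ]


if __name__ == "__main__":
    for dev in sample_devices():
        print(f"health={health_degree(dev):.3f} abnormal={is_abnormal(dev)}")
```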

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910981643.1A CN110768970B (en) 2019-10-16 2019-10-16 Equipment evaluation and abnormality detection method, device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110768970A true CN110768970A (en) 2020-02-07
CN110768970B CN110768970B (en) 2022-02-25

Family

ID=69332061

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910981643.1A Active CN110768970B (en) 2019-10-16 2019-10-16 Equipment evaluation and abnormality detection method, device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110768970B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111541653A (en) * 2020-04-02 2020-08-14 山东商业职业技术学院 Data communication monitoring system and method
CN112039689A (en) * 2020-07-21 2020-12-04 网宿科技股份有限公司 Network equipment performance evaluation method, device, equipment and storage medium
CN112135311A (en) * 2020-09-24 2020-12-25 维沃移动通信有限公司 Monitoring method and device for radio frequency device, electronic equipment and readable storage medium
CN113347184A (en) * 2021-06-01 2021-09-03 国家计算机网络与信息安全管理中心 Method, device, equipment and medium for testing network flow security detection engine

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103748999B (en) * 2010-06-09 2012-02-08 北京理工大学 A kind of network safety situation integrated estimation system
CN102904780A (en) * 2012-10-29 2013-01-30 苏州山石网络有限公司 Method and device for detecting network health degree
CN105959144A (en) * 2016-06-02 2016-09-21 中国科学院信息工程研究所 Safety data acquisition and anomaly detection method and system facing industrial control network
CN107977301A (en) * 2017-11-21 2018-05-01 东软集团股份有限公司 Detection method, device, storage medium and the electronic equipment of unit exception
CN110113226A (en) * 2019-04-16 2019-08-09 新华三信息安全技术有限公司 A kind of method and device of detection device exception

Also Published As

Publication number Publication date
CN110768970B (en) 2022-02-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant