CN112231712A - Vulnerability risk assessment method and device - Google Patents


Info

Publication number
CN112231712A
Authority
CN
China
Prior art keywords
behavior
network
graph
vulnerability
node
Legal status
Granted
Application number
CN202011147810.1A
Other languages
Chinese (zh)
Other versions
CN112231712B (en)
Inventor
金兆岩
尚素绢
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd
Application filed by New H3C Security Technologies Co Ltd
Priority to CN202011147810.1A
Publication of CN112231712A
Application granted
Publication of CN112231712B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a vulnerability risk assessment method and device. The method comprises: for each asset in the monitored network, acquiring the asset's vulnerability attribute information and network access relation information; generating an attack graph for each asset from its vulnerability attribute information and network access relation information; simplifying each attack graph to obtain the corresponding network behavior dependency graph; generating a network behavior relation graph from the network behavior dependency graphs; calculating, with a preset algorithm, the probability that each vulnerability in the network behavior relation graph is exploited; and assessing the risk of the vulnerabilities in the monitored network according to those probabilities. Besides the vulnerability attribute information of each asset in the monitored network, the assessment takes into account the network access relations in that network, i.e. the specific environment of the network, which improves the accuracy of the vulnerability assessment result.

Description

Vulnerability risk assessment method and device
Technical Field
The application relates to the technical field of network security, in particular to a vulnerability risk assessment method and device.
Background
In a network environment, patches are not always released promptly, a patch can break software or hardware compatibility, remediation is costly, some fixes require a service to be paused or restarted, and new vulnerabilities keep appearing, so fixing every known vulnerability in the network is practically impossible. In other words, a certain number of vulnerabilities are always present in the network, and they differ both in how hard they are to exploit and in the damage they can do. The common approach today is to score vulnerabilities with the Common Vulnerability Scoring System (CVSS), which considers severity, exploitability and other factors. A CVSS score, however, describes the risk factors of a vulnerability from a global perspective (the base score is deployment-independent, and even the environmental metric group does not model which hosts can actually reach which), so it is not combined with the specific network environment and the resulting vulnerability risk assessment is inaccurate.
Therefore, how to improve the accuracy of the vulnerability risk assessment result is a technical problem worth addressing.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for vulnerability risk assessment, so as to improve the accuracy of vulnerability risk assessment results.
Specifically, the method is realized through the following technical scheme:
According to a first aspect of the present application, a vulnerability risk assessment method applied to a network device is provided; the method includes:
for each asset in the monitored network, acquiring the asset's vulnerability attribute information and network access relation information;
generating an attack graph for each asset from its vulnerability attribute information and network access relation information;
simplifying each attack graph to obtain the network behavior dependency graph corresponding to it;
generating a network behavior relation graph from the network behavior dependency graphs;
calculating, with a preset algorithm, the probability that each vulnerability in the network behavior relation graph is exploited;
and assessing the risk of the vulnerabilities in the monitored network according to the probability that each vulnerability is exploited.
According to a second aspect of the present application, a vulnerability risk assessment apparatus disposed in a network device is provided; the apparatus includes:
an acquisition module, configured to acquire, for each asset in the monitored network, the asset's vulnerability attribute information and network access relation information;
a first generation module, configured to generate an attack graph for each asset from its vulnerability attribute information and network access relation information;
a simplification module, configured to simplify each attack graph to obtain the network behavior dependency graph corresponding to it;
a second generation module, configured to generate a network behavior relation graph from the network behavior dependency graphs;
a calculation module, configured to calculate, with a preset algorithm, the probability that each vulnerability in the network behavior relation graph is exploited;
and a risk assessment module, configured to assess the risk of the vulnerabilities in the monitored network according to the probability that each vulnerability is exploited.
According to a third aspect of the present application, there is provided a network device comprising a processor and a machine-readable storage medium, the machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method provided by the first aspect of the embodiments of the present application.
According to a fourth aspect of the present application, there is provided a machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method provided by the first aspect of the embodiments of the present application.
The beneficial effects of the embodiment of the application are as follows:
When the vulnerability risk assessment is carried out, it is based not only on the vulnerability attribute information of each asset in the monitored network but also on the network access relation information of that network, i.e. the specific environment of the network, which improves the accuracy of the assessment result. In addition, after the attack graphs have been generated from these two kinds of information, the attack graph of each asset is simplified into a network behavior dependency graph and the dependency graphs are merged into a network behavior relation graph, both to speed up the assessment and to improve its accuracy: the assessment is performed on a relation graph built from all the assets of the monitored network, so every asset is covered and the accuracy of the vulnerability risk assessment result is improved.
Drawings
Fig. 1 is a schematic structural diagram of a network device according to an embodiment of the present application;
fig. 2 is a flowchart of a vulnerability risk assessment method according to an embodiment of the present application;
FIG. 3 is an attack diagram of an asset provided by an embodiment of the present application;
FIG. 4a is a flowchart of a method for simplifying an attack graph provided by an embodiment of the present application;
FIG. 4b is a schematic diagram of the simplification of the preconditions of an attack graph provided by an embodiment of the present application;
FIG. 4c is a schematic diagram of an incoming directed edge and an outgoing directed edge of a postcondition provided by an embodiment of the present application;
FIG. 4d is a schematic illustration of a simplified post condition provided by an embodiment of the present application;
FIG. 4e is a network behavior dependency graph provided by an embodiment of the present application;
fig. 5 is a schematic diagram of the predecessor behavior node set of a behavior node in a network behavior dependency graph according to an embodiment of the present application;
fig. 6 is a logic diagram for merging network behavior dependency graphs to obtain a network behavior relationship graph according to an embodiment of the present application;
fig. 7 is a block diagram of a vulnerability risk assessment apparatus according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with aspects such as the present application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the corresponding listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Fig. 1 is a block diagram of a network device 100 according to the present embodiment. The network device 100 includes a memory 110, a processor 120, and a communication module 130. The memory 110, the processor 120, and the communication module 130 are electrically connected to each other directly or indirectly to enable data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines.
The memory 110 is used to store programs or data. The memory 110 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
The processor 120 is used to read/write data or programs stored in the memory 110 and perform corresponding functions. For example, the computer program stored in the memory 110 can implement the vulnerability risk assessment method disclosed in the embodiments of the present application when executed by the processor 120.
The communication module 130 is used for establishing a communication connection between the network device 100 and another communication terminal through a network, and for transceiving data through the network. For example, the network device 100 may acquire vulnerability attribute information of each asset in the monitored network and network access relationship information of the asset from other communication terminals through the communication module 130.
It should be understood that the configuration shown in fig. 1 is merely a schematic diagram of the configuration of network device 100, and that network device 100 may include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof. Optionally, the network device 100 in this embodiment of the application may be a network security device such as a situation awareness platform, and may also be other devices, which is determined according to actual situations.
The vulnerability risk assessment method provided by the present application is explained in detail below.
Referring to fig. 2, fig. 2 is a flowchart of the vulnerability risk assessment method provided in the present application. The method may be applied to the network device 100; when the network device implements it, it performs the following steps:
S201, for each asset in the monitored network, acquiring the asset's vulnerability attribute information and network access relation information.
In this step, the vulnerability attribute information includes the vulnerability name, the exploit rule and so on. The vulnerability attribute information of each asset can be obtained from a vulnerability database, vulnerability scan results and an exploit rule base, and the network access relation can be obtained by monitoring the access paths of the assets.
It should be noted that in the present application an asset may be an IP address in the monitored network, used by a client, a server or a virtual host.
By step S201, the network access relations in the network are taken into account when the probability of a vulnerability being exploited is calculated, that is, the vulnerabilities are evaluated in combination with the specific network environment, so the assessment result is more accurate and of greater reference value.
S202, generating an attack graph for each asset from its vulnerability attribute information and network access relation information.
In this step, once the above information has been obtained, the attack graph of each asset can be generated from its vulnerability attribute information and network access relation information with MulVAL, an open-source attack graph generator.
S203, simplifying each attack graph to obtain the network behavior dependency graph corresponding to it.
Specifically, the attack graph of each asset contains, for every network behavior, the preconditions and postconditions of that behavior and the rule that forms it. Network behaviors include normal network behaviors and vulnerability exploitation. Because network access behaviors are chained, preconditions and postconditions are relative terms when the attack graph is formed: in the attack graph of Fig. 3 the preconditions of network behavior 1 are condition 1 and condition 2 and its postcondition is condition 3, whereas for network behavior 2 the preconditions are condition 3, condition 4 and condition 5 and the postcondition is condition 6. Condition 3 is thus both the postcondition of network behavior 1 and a precondition of network behavior 2. In the present application the terms are therefore always used relative to a given network behavior: the conditions required to enter the behavior are its preconditions, and the condition produced by the behavior is its postcondition.
On this basis, step S203 can be implemented according to the flow shown in fig. 4a, including the following steps:
S401, for each rule in each attack graph, keeping those preconditions of the rule that are postconditions of other rules, and deleting from the attack graph those preconditions of the rule that are not postconditions of any other rule.
Specifically, with reference to Fig. 4b, an oval represents a rule that forms a network behavior, a rectangle represents a precondition of the rule that is not a postcondition of any other rule, and a diamond represents a postcondition of the rule; the postcondition of one rule may serve as a precondition of other rules. When the network behavior is vulnerability exploitation, the oval is an exploit rule, the rectangle a precondition of the exploit rule and the diamond a postcondition of the exploit rule. When step S401 is performed, the preconditions of Rule_1 in Fig. 4b that are not postconditions of other rules, namely Pre_cond_1, Pre_cond_… (Act_k) and Pre_cond_r, are deleted, while the precondition that is a postcondition of another rule, Pre_cond_s, is retained.
S402, taking the network behavior corresponding to the rule as a behavior node and connecting the retained conditions to the behavior node to obtain a first simplified attack graph, where the behavior node is either a normal network behavior node or a vulnerability node.
In this step, to obtain the dependency relationships between network behaviors, after step S401 the network behavior corresponding to the rule is taken as a behavior node, denoted Act_k: the oval rule in Fig. 4b is replaced by the behavior node Act_k (drawn as a circle), and the retained condition Pre_cond_s is connected to Act_k, which gives the first simplified attack graph on the right of Fig. 4b.
It should be noted that a behavior node may be identified by the name of its network behavior: a normal network behavior node by the name of the normal network behavior, and a vulnerability node by the vulnerability name in the exploit rule. Act_k in Fig. 4b may therefore be either a vulnerability name or a normal network behavior name.
S403, deleting each postcondition in the first simplified attack graph together with the directed incoming edge between the postcondition and the behavior node connected to it, keeping the directed outgoing edges of the postcondition, and connecting the end of each kept outgoing edge that was originally attached to the postcondition to the behavior node corresponding to that postcondition, to obtain the network behavior dependency graph corresponding to the attack graph.
Before step S403 is described further, the directed incoming and outgoing edges of a postcondition are defined with reference to Fig. 4c: a directed incoming edge is an edge whose arrow points to the postcondition, and a directed outgoing edge is an edge that leaves the postcondition; in practice a postcondition usually points to the next behavior node.
When step S403 is executed, every postcondition in the first simplified attack graph is deleted together with its directed incoming edge, as shown in Fig. 4d: the postconditions Post_cond_1 and Post_cond_r are deleted, and with them the directed incoming edges between Act_k and Post_cond_1 and between Act_k and Post_cond_r. The directed outgoing edges of Post_cond_1 and Post_cond_r are kept, and the end of each that was originally attached to the deleted postcondition is reattached to the behavior node Act_k. This yields a network behavior dependency graph whose edges run directly between behavior nodes. Fig. 4d shows the processing of the postconditions of a single behavior node as an example; in practice the first simplified attack graph contains many behavior nodes and postconditions, and each postcondition is processed in the same way, so the description is not repeated here.
Because the postcondition of the current behavior node is deleted but its directed outgoing edge is generally connected to the next behavior node, the relationship between the current behavior node and the next behavior node is established through that edge, giving the network behavior dependency graph shown in Fig. 4e.
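Steps S401 to S403 carried out in code, as an added Python example that is neither part of the patent nor MulVAL output: the attack graph of one asset is written as a set of rules, each with its preconditions, the behavior it models and the single postcondition it derives, and the function deletes the primitive preconditions (S401), turns each rule into a behavior node (S402) and bypasses the postcondition nodes so that the edges run from behavior node to behavior node (S403), recording the predecessor set of each node along the way. The condition identifiers, the behavior names and the `VULN_` prefix used to recognise vulnerability nodes are constructed placeholders, not identifiers from the patent or from any vendor.

```python
"""Steps S401-S403: attack graph of one asset -> network behaviour dependency graph."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One rule node of a MulVAL-style attack graph (the oval of Fig. 4b)."""
    behavior: str   # the network behaviour or vulnerability the rule models (Act_k)
    pre: tuple      # precondition node ids feeding the rule
    post: str       # the single postcondition node the rule derives


# Constructed sample (not taken from the patent): the rules that fire on the path
# internet -> web -> db for one asset.  Condition ids and behaviour names are
# placeholders; "VULN_*" marks the rules that model vulnerability exploitation.
SAMPLE_ATTACK_GRAPH = {
    "Rule_1": Rule("Act_reach_web",
                   ("c1_attacker_on_internet", "c2_fw_allows_internet_to_web_80"),
                   "c3_netaccess_web_80"),
    "Rule_2": Rule("VULN_WEB",
                   ("c3_netaccess_web_80", "c4_web_service_vulnerable"),
                   "c5_execcode_web"),
    "Rule_3": Rule("Act_reach_db",
                   ("c5_execcode_web", "c6_fw_allows_web_to_db_3306"),
                   "c7_netaccess_db_3306"),
    "Rule_4": Rule("VULN_DB",
                   ("c7_netaccess_db_3306", "c5_execcode_web", "c8_db_service_vulnerable"),
                   "c9_execcode_db"),
}


def simplify_attack_graph(rules):
    """Return (edges, predecessor_sets) of the network behaviour dependency graph.

    edges[a] is the set of behaviour nodes that a points to once postconditions are
    bypassed (S403); predecessor_sets[b] is the set S of behaviour nodes that must
    occur before b, i.e. the record (S, Act_k) of Fig. 5.
    """
    # S401: a precondition is kept only if it is the postcondition of some rule;
    # primitive facts that no rule derives are deleted from the graph.
    derived = {r.post for r in rules.values()}
    producers = {}                                   # postcondition -> behaviours deriving it
    for r in rules.values():
        producers.setdefault(r.post, set()).add(r.behavior)

    edges = {r.behavior: set() for r in rules.values()}
    predecessor_sets = {r.behavior: set() for r in rules.values()}
    for r in rules.values():
        kept = [c for c in r.pre if c in derived]    # S401
        # S402: the rule is replaced by the behaviour node r.behavior and the kept
        # conditions are attached to it.
        # S403: each kept condition node is dropped and the out-edge that led from it
        # to r.behavior is reattached to the behaviour node that produced the condition.
        for cond in kept:
            for prev in producers[cond]:
                edges[prev].add(r.behavior)
                predecessor_sets[r.behavior].add(prev)
    return edges, predecessor_sets


def vulnerability_nodes(rules, prefix="VULN_"):
    """Behaviour nodes that are vulnerability nodes, recognised by name (S402)."""
    return sorted({r.behavior for r in rules.values() if r.behavior.startswith(prefix)})


if __name__ == "__main__":
    edges, preds = simplify_attack_graph(SAMPLE_ATTACK_GRAPH)
    for node in sorted(edges):
        print(f"{node:14s} -> {sorted(edges[node])}   S = {sorted(preds[node])}")
    print("vulnerability nodes:", vulnerability_nodes(SAMPLE_ATTACK_GRAPH))
```

On the sample, VULN_DB ends up with the two-element predecessor set {Act_reach_db, VULN_WEB} because two of its three preconditions are derived by other rules, while the primitive facts (attacker location, firewall rules, vulnerable service present) disappear from the graph exactly as S401 prescribes. When the same condition is derived by several rules, every producing behavior node is added to the consumer's single predecessor set, which matches Fig. 5 (one set per dependency graph).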
Optionally, after step S203 the following may also be performed: for each behavior node in each network behavior dependency graph, record the set of predecessor behavior nodes whose network behaviors lead to the network behavior of that node.
Specifically, to make the later calculation of the probability that each vulnerability is exploited easier, the predecessor behavior nodes of each behavior node in each network behavior dependency graph can be traversed and recorded as a set, the predecessor behavior node set. In Fig. 5 the left of the arrow is a network behavior dependency graph in which the predecessor behavior nodes of Act_k are Act_1 to Act_r, so the predecessor behavior node set S_1 = {Act_1, …, Act_r}, r ≥ 1, is recorded, and for later use the correspondence between S_1 and Act_k is stored as the pair (S_1, Act_k), shown on the right of the arrow. The pair expresses that the occurrence of Act_k is triggered only when the behavior nodes contained in S_1 occur.
And S204, generating a network behavior relation diagram based on each network behavior dependency diagram.
In this step, each asset may contain several vulnerabilities and several network behaviors, one vulnerability may exist on several assets and, likewise, one network behavior may occur on several assets, so different network behavior dependency graphs may contain the same behavior node. Step S204 can therefore be implemented by merging the network behavior dependency graphs at their shared behavior nodes to obtain the network behavior relation graph, i.e. the connection relations of each behavior node that appears in several graphs are merged. Fig. 6 shows this for m network behavior dependency graphs that all contain the behavior node Act_k (left of the arrow): the m graphs are merged at Act_k, so that the edges incident on Act_k in the m graphs are combined and the predecessor behavior node set of Act_k from each graph, S_1 = {Act_1, …, Act_t} and so on, is attached to the single merged node.
Optionally, to improve the accuracy of the vulnerability risk assessment based on the network behavior relation graph, after the graph has been obtained the predecessor behavior node sets of each merged behavior node are recorded. Referring to Fig. 6: the behavior node Act_k is triggered by different preconditions, i.e. it corresponds to several predecessor behavior node sets, and Act_k occurs when all the behavior nodes contained in any one of those sets occur. When the probability is calculated, the behavior nodes within a set must therefore be satisfied simultaneously (a conjunction), while the different sets are alternative ways of triggering Act_k. For this reason all the predecessor behavior node sets of Act_k, (S_1, Act_k) … (S_m, Act_k) in Fig. 6, must be maintained and stored.
S205, calculating the probability of each vulnerability being utilized in the network behavior relation graph by using a preset algorithm.
Specifically, in the network behavior relationship, when a behavior node is a vulnerability node, the behavior node represents a vulnerability, and the vulnerability name has a unique identifier, for example, CAN-2000-: for each behavior node in the network behavior relation graph, the following iterative operations are executed: distributing the current risk value of the behavior node to each directed outgoing edge of the behavior node to obtain the weight value of each directed outgoing edge, wherein the sum of the weight values distributed to each directed outgoing edge is the current risk value; executing a PageRank algorithm iteration processing flow once, adjusting the weight values of each directed incoming edge and directed outgoing edge, and calculating a new risk value of the behavior node based on a preposed behavior node set of the behavior node and the weight values of the directed incoming edges of the behavior node; and taking the new risk value as the current risk value, executing the step of distributing the current risk value of the behavior node to each directed outgoing edge of the behavior node to obtain the weight value of each directed outgoing edge until an iteration termination condition is reached, and determining the new risk value obtained by calculation when the iteration termination condition is reached as the utilized probability of the behavior node.
Specifically, the risk value may be a PageRank value. Before the probability is calculated, the graph is initialized by assigning every behavior node the same starting PageRank value, so that every directed incoming edge and directed outgoing edge has a defined initial weight. Iteration then proceeds: each round updates the current PageRank value of every behavior node, and after the set number of rounds the final PageRank value of each behavior node is taken as its risk value, that is, the probability that the behavior node is exploited.
Specifically, when calculating the probability that a behavior node is exploited, each iteration proceeds as follows. The current PageRank value of the behavior node is distributed over its directed outgoing edges, giving each outgoing edge a weight value. A directed outgoing edge of a predecessor (pre-) behavior node is at the same time a directed incoming edge of the behavior node it points to, so one round of PageRank iteration adjusts the weight values of both the incoming and the outgoing edges of every behavior node. The latest PageRank value of the behavior node is then determined from its pre-behavior node sets and the current weight values of its directed incoming edges. Next, it is checked whether the iteration count has reached the set number of rounds; if not, the latest PageRank value becomes the current PageRank value and the iteration is repeated. When the set number of rounds is reached, the latest PageRank value is output as the probability that the behavior node is exploited.
It should be noted that when the PageRank value is distributed over the directed outgoing edges, it may be split equally or according to any other distribution scheme; this embodiment does not limit the choice. Likewise, the iteration termination condition described above is only one option and may be chosen according to the actual situation.
Optionally, in each iteration the new risk value of a behavior node may be calculated from its pre-behavior node sets and the weight values of its directed incoming edges as follows: for each pre-behavior node set, multiply together the weight values of the directed incoming edges that connect the members of that set to the behavior node; then sum the products obtained for all of the behavior node's pre-behavior node sets, and take the sum as the new risk value. In effect, each pre-behavior node set is treated as a conjunction of behaviors that must all occur, and the different sets as alternative routes to the behavior.
Specifically, taking fig. 6 as an example: from the pre-recorded correspondence between each behavior node and its pre-behavior node sets, the m pre-behavior node sets of behavior node Act_k, namely S_1 to S_m, are obtained. To determine the probability that Act_k is exploited, the weight values of the directed outgoing edges of the behavior nodes in each of the m sets (which are the directed incoming edges of Act_k) are first multiplied together, set by set, giving m products (operation results); these m products are then summed, and the sum is the new PageRank value of Act_k.
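The iteration described above, as an added worked example that is not the applicant's code and reads the patent text one particular way: a behavior node's pre-behavior node sets are conjunctions, the current risk value is split equally over the node's outgoing edges, and the new value is the product of incoming weights within each set, summed over the sets. The graph, the node names (the `vuln:` prefix stands in for the patent's identification of vulnerability nodes by name) and the rule that an entry behavior with no pre-behavior node set keeps its initial value are all constructed assumptions; the patent does not say how such source nodes are treated.

```python
"""PageRank-style exploit-likelihood scoring over a network behaviour
relationship graph, in the manner CN112231712A describes.

Added worked example, not the applicant's code.  The graph, the node names
and the treatment of entry nodes are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Callable, Dict, FrozenSet, List, Tuple

# A behaviour node maps to its recorded pre-behaviour node sets.  Each set
# is a conjunction (all members must be reached first); different sets are
# alternative routes to the behaviour.
PreSets = Dict[str, List[FrozenSet[str]]]


def outgoing_edges(pre_sets: PreSets) -> Dict[str, List[str]]:
    """Derive every node's directed outgoing edges from the pre-sets:
    pre -> node whenever pre appears in one of node's sets."""
    succ: Dict[str, List[str]] = defaultdict(list)
    for node, sets in pre_sets.items():
        for s in sets:
            for pre in s:
                if node not in succ[pre]:
                    succ[pre].append(node)
    return succ


def compute_risk(pre_sets: PreSets, rounds: int = 50, tol: float = 1e-12,
                 initial: float = 1.0) -> Dict[str, float]:
    """One round, following the patent's description:
      1. a node's current value is split equally over its outgoing edges
         (equal split is one of the permitted distribution schemes);
      2. the node's new value is, for each pre-set, the product of the
         weights on the incoming edges from that set's members, summed
         over all of its pre-sets.
    Rounds repeat until `rounds` is reached or nothing changes by more
    than `tol` (the patent allows other termination conditions).

    Assumption: a node with no pre-sets (an attacker entry behaviour) has
    no incoming edges, so the update would drive it to zero; it is held at
    `initial` so that risk keeps flowing from the entry point.
    """
    succ = outgoing_edges(pre_sets)
    nodes = set(pre_sets) | set(succ)
    value = {n: initial for n in nodes}
    for _ in range(rounds):
        # Step 1: edge weight = current value / out-degree.
        weight: Dict[Tuple[str, str], float] = {}
        for src in nodes:
            targets = succ.get(src, [])
            for dst in targets:
                weight[(src, dst)] = value[src] / len(targets)
        # Step 2: product within each pre-set, sum across pre-sets.
        new_value: Dict[str, float] = {}
        for n in nodes:
            sets = pre_sets.get(n, [])
            if not sets:
                new_value[n] = initial      # entry-node assumption
                continue
            total = 0.0
            for s in sets:
                prod = 1.0
                for pre in s:
                    prod *= weight[(pre, n)]
                total += prod
            new_value[n] = total
        delta = max(abs(new_value[n] - value[n]) for n in nodes)
        value = new_value
        if delta < tol:
            break
    return value


def rank_vulnerabilities(risk: Dict[str, float],
                         is_vuln: Callable[[str], bool]) -> List[Tuple[str, float]]:
    """Pick out the vulnerability nodes (the patent identifies them by name)
    and order them from most to least likely to be exploited."""
    return sorted(((n, v) for n, v in risk.items() if is_vuln(n)),
                  key=lambda nv: nv[1], reverse=True)


def is_vuln(name: str) -> bool:
    """Constructed naming convention: vulnerability nodes carry a 'vuln:' prefix."""
    return name.startswith("vuln:")


# Constructed sample relationship graph (not from the patent).
SAMPLE_GRAPH: PreSets = {
    "vuln:web_rce":          [frozenset({"internet_entry"})],
    "mgmt_vpn_access":       [frozenset({"internet_entry"})],
    "ssh_web_to_db":         [frozenset({"vuln:web_rce"})],
    # two alternative routes: the SSH hop, or web RCE AND VPN access together
    "vuln:db_privesc":       [frozenset({"ssh_web_to_db"}),
                              frozenset({"vuln:web_rce", "mgmt_vpn_access"})],
    "vuln:mgmt_auth_bypass": [frozenset({"mgmt_vpn_access"})],
}

if __name__ == "__main__":
    scores = compute_risk(SAMPLE_GRAPH)
    for name, score in rank_vulnerabilities(scores, is_vuln):
        print(f"{name:24s} {score:.4f}")
```

Two things a practitioner should notice when running this. First, the summation over alternative pre-behavior node sets is not normalized and there is no damping factor: in the first round the privilege-escalation node scores 1.25, above the entry node, before settling. The converged values are therefore a relative ranking of exposure, not calibrated probabilities, and `vuln:db_privesc`, reachable by two routes, ends up above `vuln:mgmt_auth_bypass`, which is reachable by one route of the same depth. Second, the loop stops early once the values stop changing, which the patent permits as an alternative to a fixed round count.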
It should be noted that a vulnerability node is a behavior node that represents a vulnerability. Therefore, once the probability of each behavior node being exploited has been calculated, the vulnerability nodes can be identified from the names of the behavior nodes, and the probability of each vulnerability being exploited is thereby obtained.
It should be noted that, in the present application, the probability of each vulnerability being exploited may be calculated from the network behavior relationship graph offline, which avoids traversing all of the sets online and so greatly reduces both the amount of computation and the time it takes.
S206: perform risk assessment on the vulnerabilities in the monitored network according to the probability that each vulnerability is exploited.
Specifically, after the probability of each vulnerability being exploited has been determined in step S205, the vulnerabilities may be ranked by probability, yielding the high-risk vulnerabilities, the low-risk vulnerabilities and so on in the monitored network, which constitutes the vulnerability assessment of the monitored network.
In addition, once the probability that each behavior node is exploited has been obtained and the vulnerability nodes have been identified, the remaining behavior nodes are normal network behavior nodes. Their probabilities can likewise be ranked, showing which network behaviors carry higher risk and which lower, so that the network environment of the monitored network can be assessed more fully.
By implementing the vulnerability risk assessment method provided by any embodiment of the application, vulnerability risk assessment takes into account both the vulnerability attribute information of each asset in the monitored network and the network access relationship information of the monitored network, that is, the specific environment of the network; assessing on the basis of both pieces of information improves the accuracy of the vulnerability assessment results for the monitored network. In addition, after the attack graphs have been generated from these two pieces of information, the method simplifies each asset's attack graph into a network behavior dependency graph and merges the dependency graphs into a network behavior relationship graph, both to speed up risk evaluation and to improve the accuracy of its results. Risk evaluation is thereby performed on a single relationship graph formed from all the assets in the monitored network, so that every asset is covered by the evaluation, which further improves the accuracy of the vulnerability risk evaluation results.
Based on the same inventive concept, the application also provides a vulnerability risk assessment device corresponding to the vulnerability risk assessment method. The implementation of the vulnerability risk assessment device may refer to the above description of the vulnerability risk assessment method, which is not discussed herein.
Referring to fig. 7, fig. 7 is a vulnerability risk assessment apparatus provided in a network device according to an exemplary embodiment of the present application, where the apparatus includes:
an obtaining module 701, configured to obtain, for each asset in a monitored network, vulnerability attribute information of the asset and network access relationship information of the asset;
a first generating module 702, configured to generate an attack graph of each asset according to vulnerability attribute information and network access relationship information of the asset;
a simplification processing module 703, configured to simplify each attack graph to obtain a network behavior dependency graph corresponding to the attack graph;
a second generating module 704, configured to generate a network behavior relationship diagram based on each network behavior dependency diagram;
a calculating module 705, configured to calculate, using a preset algorithm, the probability that each vulnerability in the network behavior relationship graph is exploited;
and a risk evaluation module 706, configured to perform risk evaluation on the vulnerabilities in the monitored network according to the probability that each vulnerability is exploited.
Optionally, the attack graph provided by this embodiment includes, for each network behavior, its preconditions and postconditions and the rule that forms the network behavior, the network behaviors comprising normal network behaviors and exploits. Then:
The simplification processing module 703 is configured to, for each rule involved in each attack graph, retain among the preconditions of the rule those that are postconditions of other rules in the attack graph and delete those that are postconditions of no other rule; take the network behavior corresponding to the rule as a behavior node and connect the retained conditions to it, which gives a first simplified attack graph in which each behavior node is either a normal network behavior node or a vulnerability node; and then delete each postcondition in the first simplified attack graph by removing the directed incoming edge between the postcondition and the behavior node that produces it, retaining the directed outgoing edges of the postcondition, and attaching the end of each retained outgoing edge that was originally on the postcondition to the behavior node corresponding to that postcondition, which gives the network behavior dependency graph corresponding to the attack graph. Here a directed incoming edge is an edge pointing into the postcondition and a directed outgoing edge is an edge pointing out of the postcondition.
Optionally, the second generating module 704 is specifically configured to perform merging processing on each network behavior dependency graph according to the behavior node to obtain a network behavior relationship graph.
Optionally, the vulnerability risk assessment apparatus provided in this embodiment further includes:
a recording module (not shown in the figure), configured to record, for each behavior node in each network behavior dependency graph, its pre-behavior node set, that is, the set of pre-behavior nodes whose network behaviors give rise to the network behavior of that behavior node; and, after the second generating module 704 has merged the network behavior dependency graphs by behavior node into a network behavior relationship graph, to record and store the pre-behavior node sets corresponding to each merged behavior node.
Optionally, the computing module 705 is specifically configured to perform the following iterative operations for each behavior node in the network behavior relationship graph: distributing the current risk value of the behavior node over its directed outgoing edges to obtain the weight value of each directed outgoing edge, the weight values distributed over the outgoing edges summing to the current risk value; executing one PageRank iteration, which adjusts the weight values of the directed incoming and outgoing edges, and calculating a new risk value for the behavior node from its pre-behavior node sets and the weight values of its directed incoming edges; and taking the new risk value as the current risk value and repeating the distribution step until the iteration termination condition is reached, the new risk value calculated when the termination condition is reached being the probability that the behavior node is exploited.
Optionally, the calculating module 705 is specifically configured to multiply together, for each pre-behavior node set, the weight values of the directed incoming edges connecting the members of that set to the behavior node, and to sum the products obtained for all the pre-behavior node sets to obtain the new risk value of the behavior node.
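The simplification, merge and recording steps carried out by module 703, module 704 and the recording module, as an added example written from the patent text (it is not the applicant's code). The `Rule` record, the condition and behavior labels and the two per-asset attack graphs are constructed for illustration; the patent does not specify an input format. One reading the code makes explicit: when a retained precondition is produced by several rules, each producer gives an alternative pre-behavior node set, which is one way a behavior node comes to have more than one set.

```python
"""Attack-graph simplification into network behaviour dependency graphs and
their merge into a network behaviour relationship graph (CN112231712A,
claims 2-4).

Added example written from the patent text, not the applicant's code.  The
Rule record, the condition/behaviour labels and the per-asset attack graphs
are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One attack-graph rule: the network behaviour it forms, whether that
    behaviour is an exploit, and the rule's pre- and postconditions."""
    behavior: str
    is_vuln: bool
    pre: FrozenSet[str]
    post: FrozenSet[str]


# behaviour node -> its pre-behaviour node sets
DependencyGraph = Dict[str, List[FrozenSet[str]]]


def simplify(attack_graph: List[Rule]) -> DependencyGraph:
    """Collapse an attack graph to behaviour nodes only.

    Step 1: keep only those preconditions of a rule that some other rule
    produces as a postcondition; initial facts are deleted.
    Step 2: delete the postcondition nodes and reattach each one's outgoing
    edges to the behaviour node of the rule that produced it.
    What survives, per behaviour node, is its pre-behaviour node sets; a
    condition with several producers yields one alternative set per producer.
    """
    producers: Dict[str, Set[str]] = {}
    for r in attack_graph:
        for cond in r.post:
            producers.setdefault(cond, set()).add(r.behavior)

    graph: DependencyGraph = {}
    for r in attack_graph:
        # Step 1: a precondition survives only if another rule produces it.
        retained = [c for c in sorted(r.pre)
                    if producers.get(c, set()) - {r.behavior}]
        # Step 2: replace each retained condition by its producing behaviour,
        # choosing one producer per condition to form one pre-behaviour set.
        choices = [sorted(producers[c] - {r.behavior}) for c in retained]
        sets: List[FrozenSet[str]] = []
        if choices:
            for combo in product(*choices):
                s = frozenset(combo)
                if s not in sets:
                    sets.append(s)
        graph[r.behavior] = sets
    return graph


def merge(dependency_graphs: List[DependencyGraph]) -> DependencyGraph:
    """Merge per-asset dependency graphs on behaviour node name and record
    the union of each node's pre-behaviour node sets."""
    merged: DependencyGraph = {}
    for g in dependency_graphs:
        for node, sets in g.items():
            bucket = merged.setdefault(node, [])
            for s in sets:
                if s not in bucket:
                    bucket.append(s)
    return merged


def directed_edges(graph: DependencyGraph) -> Set[Tuple[str, str]]:
    """The dependency graph's edges, pre-behaviour node -> behaviour node."""
    return {(pre, node) for node, sets in graph.items()
            for s in sets for pre in s}


# Constructed per-asset attack graphs.  Condition strings are arbitrary
# labels; "acl:" entries stand for network access relationship facts.
fs = frozenset
WEB01 = [
    Rule("http_access_web01", False, fs({"on_internet", "acl:inet->web01:443"}), fs({"http:web01"})),
    Rule("vuln:web01_rce", True, fs({"http:web01", "vuln_app:web01"}), fs({"exec:web01"})),
    Rule("ssh_web01_to_db01", False, fs({"exec:web01", "acl:web01->db01:22"}), fs({"shell:db01"})),
]
DB01 = [
    Rule("ssh_web01_to_db01", False, fs({"exec:web01", "acl:web01->db01:22"}), fs({"shell:db01"})),
    Rule("vpn_access_db01", False, fs({"on_internet", "acl:vpn->db01:22"}), fs({"shell:db01"})),
    Rule("vuln:db01_privesc", True, fs({"shell:db01", "vuln_svc:db01"}), fs({"root:db01"})),
]

if __name__ == "__main__":
    relationship_graph = merge([simplify(WEB01), simplify(DB01)])
    for node, sets in relationship_graph.items():
        print(node, [sorted(s) for s in sets])
```

Note that in the db01 attack graph `exec:web01` is produced by no local rule, so the literal step 1 deletes it there and `ssh_web01_to_db01` gets no pre-behavior node set from that graph; the set it does get comes from the web01 graph and survives the merge. The output mapping from behavior node to pre-behavior node sets is exactly what the later per-node probability iteration consumes.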
Optionally, the probability of each vulnerability being exploited in the network behavior relationship graph is calculated by using a preset algorithm in an offline manner.
Based on the same inventive concept, the embodiment of the present application further provides a machine-readable storage medium, where a computer program is stored, and when the computer program is called and executed by a processor, the computer program causes the processor to execute the vulnerability risk assessment method provided by the embodiment of the present application.
As for the embodiments of the network device and the machine-readable storage medium, since the contents of the related methods are substantially similar to those of the foregoing embodiments of the methods, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the embodiments of the methods.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The implementation process of the functions and actions of each unit/module in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the units/modules described as separate parts may or may not be physically separate, and the parts displayed as units/modules may or may not be physical units/modules, may be located in one place, or may be distributed on a plurality of network units/modules. Some or all of the units/modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A vulnerability risk assessment method, applied to a network device, the method comprising:
for each asset in a monitored network, acquiring vulnerability attribute information of the asset and network access relationship information of the asset;
generating an attack graph of each asset according to the vulnerability attribute information and the network access relationship information of the asset;
simplifying each attack graph to obtain a network behavior dependency graph corresponding to the attack graph;
generating a network behavior relation graph based on each network behavior dependency graph;
calculating the probability of each vulnerability being utilized in the network behavior relation graph by using a preset algorithm;
performing risk assessment on the vulnerabilities in the monitored network according to the probability that each vulnerability is exploited.
2. The method of claim 1, wherein the attack graph includes, for each network behavior, its preconditions and postconditions and the rule forming the network behavior, the network behaviors comprising normal network behaviors and exploits; and wherein
simplifying each attack graph to obtain the network behavior dependency graph corresponding to the attack graph comprises:
for each rule involved in each attack graph, retaining, among the preconditions corresponding to the rule in the attack graph, those that are postconditions of other rules, and deleting those that are postconditions of no other rule; taking the network behavior corresponding to the rule as a behavior node and connecting the retained conditions to the behavior node, to obtain a first simplified attack graph, wherein the behavior node is a normal network behavior node or a vulnerability node;
deleting each postcondition in the first simplified attack graph, by deleting the directed incoming edge between the postcondition and the behavior node connected to it, retaining the directed outgoing edges of the postcondition, and connecting the end of each retained directed outgoing edge that was originally attached to the postcondition to the behavior node corresponding to the postcondition, to obtain the network behavior dependency graph corresponding to the attack graph; wherein a directed incoming edge is an edge pointing into the postcondition and a directed outgoing edge is an edge pointing out of the postcondition.
3. The method of claim 2, wherein generating the network behavior relationship graph based on the respective network behavior dependency graphs comprises:
merging the network behavior dependency graphs by behavior node to obtain the network behavior relationship graph.
4. The method of claim 3, further comprising:
for each behavior node in each network behavior dependency graph, recording a pre-behavior node set, that is, the set of pre-behavior nodes whose network behaviors give rise to the network behavior corresponding to the behavior node;
and, after the network behavior dependency graphs are merged by behavior node to obtain the network behavior relationship graph, the method further comprises:
recording and storing the pre-behavior node sets corresponding to each merged behavior node.
5. The method of claim 4, wherein calculating the probability of each vulnerability being exploited in the network behavioral relationship graph using a predetermined algorithm comprises:
for each behavior node in the network behavior relation graph, the following iterative operations are executed:
distributing the current risk value of the behavior node over its directed outgoing edges to obtain the weight value of each directed outgoing edge, wherein the weight values distributed over the directed outgoing edges sum to the current risk value;
executing one PageRank algorithm iteration, adjusting the weight values of the directed incoming and outgoing edges, and calculating a new risk value of the behavior node based on the pre-behavior node sets of the behavior node and the weight values of its directed incoming edges;
and taking the new risk value as the current risk value and repeating the step of distributing the current risk value over the directed outgoing edges until an iteration termination condition is reached, wherein the new risk value calculated when the iteration termination condition is reached is determined to be the probability that the behavior node is exploited.
6. The method of claim 5, wherein calculating the new risk value of the behavior node based on the pre-behavior node sets of the behavior node and the weight values of its directed incoming edges comprises:
for each pre-behavior node set, multiplying together the weight values of the directed incoming edges connecting the members of that set to the behavior node;
and summing the products obtained for all the pre-behavior node sets to obtain the new risk value of the behavior node.
7. The method of claim 1, wherein the probability of each vulnerability in the network behavior relationship graph being exploited is calculated offline using the preset algorithm.
8. A vulnerability risk assessment apparatus, arranged in a network device, the apparatus comprising:
an acquisition module, configured to acquire, for each asset in a monitored network, vulnerability attribute information of the asset and network access relationship information of the asset;
the first generation module is used for generating an attack graph of each asset according to the vulnerability attribute information and the network access relation information of the asset;
the simplified processing module is used for carrying out simplified processing on each attack graph to obtain a network behavior dependency graph corresponding to the attack graph;
the second generation module is used for generating a network behavior relation graph based on each network behavior dependency graph;
the computing module is used for computing the probability of each vulnerability being utilized in the network behavior relation graph by using a preset algorithm;
and a risk evaluation module, configured to perform risk evaluation on the vulnerabilities in the monitored network according to the probability that each vulnerability is exploited.
9. The apparatus of claim 8, wherein the attack graph includes, for each network behavior, its preconditions and postconditions and the rule forming the network behavior, the network behaviors comprising normal network behaviors and exploits; and wherein
the simplification processing module is configured to, for each rule involved in each attack graph, retain, among the preconditions corresponding to the rule in the attack graph, those that are postconditions of other rules, and delete those that are postconditions of no other rule; take the network behavior corresponding to the rule as a behavior node and connect the retained conditions to the behavior node, to obtain a first simplified attack graph, wherein the behavior node is a normal network behavior node or a vulnerability node; and delete each postcondition in the first simplified attack graph, by deleting the directed incoming edge between the postcondition and the behavior node connected to it, retaining the directed outgoing edges of the postcondition, and connecting the end of each retained directed outgoing edge that was originally attached to the postcondition to the behavior node corresponding to the postcondition, to obtain the network behavior dependency graph corresponding to the attack graph; wherein a directed incoming edge is an edge pointing into the postcondition and a directed outgoing edge is an edge pointing out of the postcondition.
10. The apparatus of claim 9,
the second generation module is specifically configured to perform merging processing on each network behavior dependency graph according to the behavior nodes to obtain a network behavior relationship graph.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011147810.1A CN112231712B (en) 2020-10-23 2020-10-23 Vulnerability risk assessment method and device

Publications (2)

Publication Number Publication Date
CN112231712A (application) 2021-01-15
CN112231712B (granted patent) 2023-03-28

Family

ID=74110252

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117579499B (en) * 2023-12-27 2024-05-31 长扬科技(北京)股份有限公司 Network behavior audit recording method, device, computing equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170046519A1 (en) * 2015-08-12 2017-02-16 U.S Army Research Laboratory ATTN: RDRL-LOC-I Methods and systems for defending cyber attack in real-time
CN109995793A (en) * 2019-04-12 2019-07-09 中国人民解放军战略支援部队信息工程大学 Network dynamic threatens tracking quantization method and system
CN110868377A (en) * 2018-12-05 2020-03-06 北京安天网络安全技术有限公司 Method and device for generating network attack graph and electronic equipment

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
Wenbo Wu et al.: "Risk assessment method for cybersecurity of cyber-physical systems based on inter-dependency of vulnerabilities" *
宋舜宏 et al.: "A network vulnerability assessment model using a host access graph", 《小型微型计算机系统》 (Journal of Chinese Computer Systems) *
游梦娜: "Research and implementation of attack-graph-based network vulnerability assessment technology", 《中国优秀硕士学位论文全文数据库信息科技辑》 (China Master's Theses Full-text Database, Information Science and Technology) *
王佳欣 et al.: "Network security metrics based on dependency graphs and the Common Vulnerability Scoring System", 《计算机应用》 (Journal of Computer Applications) *
赵宇飞: "Design and implementation of a network attack graph generation method", 《中国优秀硕士学位论文全文数据库信息科技辑》 (China Master's Theses Full-text Database, Information Science and Technology) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant