CN112532631A - Equipment safety risk assessment method, device, equipment and medium - Google Patents


Info

Publication number: CN112532631A
Application number: CN202011373277.0A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 蒲大峰
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Prior art keywords: attack, security, information, attack stage, target
Application filed by Sangfor Technologies Co Ltd; priority to CN202011373277.0A; publication of CN112532631A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The application discloses a method, an apparatus, a device and a medium for assessing device security risk, wherein the method comprises the following steps: acquiring the security events of a target device within a past preset time length; determining security information of the target device within the past preset time length based on the security events, wherein the security information comprises attack stage depth information and attack stage integrity information, the attack stage depth information represents the highest attack stage suffered by the target device, and the attack stage integrity information represents the integrity of the attack stages suffered by the target device; and performing security risk assessment on the target device based on the security information. The security risk of the current device is thus assessed through correlation analysis of the security events, which facilitates source tracing analysis and correlation analysis of the attacker, gives strong comprehensiveness, and reduces the false alarm rate.

Description

Equipment safety risk assessment method, device, equipment and medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a medium for evaluating a security risk of a device.
Background
In the information-oriented era, various devices connected with the network can be attacked, so that the devices have risks, the risks of the devices need to be evaluated, the devices can be protected and maintained according to the risks after evaluation, and corresponding losses are avoided.
Currently, a detection device generally treats each security event generated when an attack is detected as independent of the others, and assesses the security risk of the attacked device on the basis of these independent security events. Because this assessment method handles each security event in isolation, the false alarm rate is high. Moreover, it does not facilitate source tracing analysis and correlation analysis of the attacker, and its comprehensiveness is poor.
Disclosure of Invention
In view of this, an object of the present application is to provide a method, an apparatus, a device, and a medium for assessing the security risk of a device, where the security risk of the current device is assessed through correlation analysis of security events, which facilitates source tracing analysis and correlation analysis of the attacker, has strong comprehensiveness, and reduces the false alarm rate. The specific scheme is as follows:
in a first aspect, the application discloses a device security risk assessment method, including:
acquiring the security events of a target device within a past preset time length;
determining security information of the target device within the past preset time length based on the security event, wherein the security information comprises attack stage depth information and attack stage integrity information, the attack stage depth information represents a highest attack stage suffered by the target device, and the attack stage integrity information represents integrity of the attack stage suffered by the target device;
and performing security risk assessment on the target equipment based on the security information.
Optionally, the determining, based on the security event, security information of the target device within the past preset time period includes:
counting attack stage fields in the security events to determine the highest attack stage in the security events;
and determining the attack stage depth information corresponding to the highest attack stage according to the preset corresponding relationship between the attack stage and the attack stage depth information to obtain the attack stage depth information of the target device within the past preset time length.
Optionally, before determining the attack stage depth information corresponding to the highest attack stage according to the preset corresponding relationship between the attack stage and the attack stage depth information, the method further includes:
acquiring pre-divided attack stages, wherein the attack stages are divided based on the asset conditions of the attacked party and the attack order of the attacker, and the attack stages sequentially comprise, from low to high, risk, attack, successful attack, host collapse, diffusion, purpose achievement and authority maintenance;
and acquiring the attack stage depth information corresponding to each attack stage to obtain the corresponding relation between the attack stages and the attack stage depth information.
Optionally, in the process of determining, based on the security event, security information of the target device within the preset time period in the past, the method further includes:
determining target hazard information of the target device within the past preset time based on the security events, wherein the target hazard information represents the threat level faced by the target device;
determining the target hazard information as a component of the security information.
Optionally, the determining, based on the security event, target hazard information of the target device within the preset time period in the past includes:
judging whether the current attacked state of the target device is successful;
if so, taking the accumulated value of the hazard parameters of a first type of security event among the security events as the target hazard information of the target device within the past preset time length, wherein the first type of security event is a security event whose attack state field is attack success;
if not, taking the accumulated value of the hazard parameters of a second type of security event among the security events as the target hazard information of the target device within the past preset time length, wherein the second type of security event is a security event whose attack state field is attack failure.
Optionally, the performing security risk assessment on the target device based on the security information includes:
determining an excessive parameter according to the target harmfulness information and the attack stage depth information;
and determining the security risk parameter of the target equipment according to the excessive parameter and the attack stage integrity information.
Optionally, the determining, based on the security event, security information of the target device within the past preset time period includes:
determining an attack phase sequence corresponding to the target device based on an attack phase field in the security event, wherein the attack phase sequence represents a high-low sequence of attack phases received by the target device within the past preset time;
and determining attack phase integrity information of the target equipment within the past preset time length based on the attack phase sequence.
Optionally, the determining, based on the attack phase sequence, attack phase integrity information of the target device within the past preset time includes:
and determining attack stage integrity information of the target equipment within the past preset duration based on the attack stage sequence, a preset attack stage sequence and an edit distance algorithm.
In a second aspect, the present application discloses an equipment security risk assessment apparatus, including:
a security event acquisition module, configured to acquire the security events of a target device within a past preset time length;
an information determining module, configured to determine, based on the security events, security information of the target device within the past preset duration, where the security information includes attack stage depth information and attack stage integrity information, the attack stage depth information indicates the highest attack stage to which the target device is subjected, and the attack stage integrity information indicates the integrity of the attack stages to which the target device is subjected;
and a risk assessment module, configured to carry out security risk assessment on the target device based on the security information.
In a third aspect, the present application discloses an electronic device, comprising:
a memory and a processor;
wherein the memory is used for storing a computer program;
the processor is used for executing the computer program to realize the device security risk assessment method disclosed in the foregoing.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the device security risk assessment method disclosed above.
It can be seen that, in the present application, the security events of a target device within a past preset time are first obtained, then security information of the target device within that time is determined based on the security events, where the security information includes attack stage depth information (the highest attack stage received by the target device) and attack stage integrity information (the integrity of the attack stages received by the target device), and then security risk assessment is performed on the target device based on the security information. Compared with the prior art, which assesses risk on the basis of each security event independently, this method obtains the security information of the target device by jointly analysing all security events of the device within the past preset duration and assesses the security risk from that information. Assessing the security risk of the current device through correlation analysis of the security events facilitates source tracing analysis and correlation analysis of the attacker and gives strong comprehensiveness. And because the attack stage depth information and the attack stage integrity information are used jointly for the security risk assessment of the device, the false alarm rate is also reduced.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a device security risk assessment method disclosed in the present application;
Fig. 2 is a flowchart illustrating an attacker performing an attack, disclosed in the present application;
Fig. 3 is a field diagram of a security event disclosed in the present application;
Fig. 4 is a flowchart of a specific device security risk assessment method disclosed in the present application;
Fig. 5 is a flowchart of a security risk assessment method disclosed in the present application;
Fig. 6 is a schematic structural diagram of a device security risk assessment apparatus disclosed in the present application;
Fig. 7 is a schematic structural diagram of an electronic device disclosed in the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, an embodiment of the present application discloses an equipment security risk assessment method, including:
Step S11: acquiring the security events of the target device within the past preset time length.
In a specific implementation, all security events of the target device within a past preset time period need to be acquired, where the target device is the device whose security risk is to be assessed. The preset time period may be chosen according to the specific situation and is not limited here; for example, all security events within the past month may be acquired. A security event (cyber security alert/event) is an advisory alarm generated by a conventional security device after it identifies malicious attacker behaviour. That is, all security events within the past preset duration corresponding to the target device are acquired.
Referring to fig. 2, a process diagram of an attacker conducting an attack is shown. A malicious attacker sends an attack data stream over the Internet; the data stream first passes through the traffic layer security device, which raises a corresponding security event if it identifies attack behaviour. The data stream may then pass through a switch or other network equipment to reach the victim asset, where the attack behaviour can be detected by the terminal security device, which raises a security event; other security devices may also raise security events.
That is, an attacker often attacks the victim asset through the Internet or an intranet (after a successful intrusion, by intranet attack) or other means. Traffic layer security devices such as a firewall, a UTM (Unified Threat Management) appliance or a security gateway may be used to protect the victim asset, and security devices based on terminal behaviour and log detection, such as an EDR (Endpoint Detection and Response), antivirus software or a terminal gateway, may be installed to defend the operating system of the victim asset.
In the prior art, when a device raises a security event, it generates the security event in its own specific format according to its existing rules to describe the current situation. Because different devices use different formats, different fields must be handled when analysing security events raised by different devices, which is inconvenient for uniform analysis. A standard for the security event format can therefore be adopted to normalise the definition of each field of the security event.
Specifically, the security events of different devices include at least, but are not limited to: occurrence time, attacker IP, victim IP (Internet Protocol), network five-tuple, attack count, attack type, detailed description, signature or data packet evidence information, hazard level, reliability, attack stage, and attack state. The occurrence time records the time of the current security event, the time of its first occurrence, and the time of each attack data packet. The attacker IP, the victim IP and the network five-tuple cover the network information contained in the current security event. The attack count accumulates the number of single attacks. The data packet field carries the evidence for the current security event alarm and includes, without limitation, HTTP (Hyper Text Transfer Protocol) fields, the original traffic data packet, behaviour feature summary information, and the like. The detailed description explains the principle behind the current security event, in particular what caused it. The hazard level describes the urgency of the current threat event, and the attack state evaluates the result of the attack on the asset, that is, whether the current attack succeeded, failed, or its status is unknown. The attack type reflects the kind of behaviour of the current attacker, such as web attacks, command execution, database attacks, brute force cracking, vulnerability exploitation, and the like.
The fields of the security events initiated by the security devices are uniformly defined, so that the security events initiated by different security devices all comprise the same field, and the security events initiated by different security devices are conveniently and uniformly analyzed.
Referring to fig. 3, a field diagram of a security event is shown. After a malicious attacker with IP address 1.2.3.4 attacks the asset of a victim with IP address 1.2.3.5, the raised security event contains: an occurrence time of 29 August 2020, an attacker IP of 1.2.3.4, a victim IP of 1.2.3.5, an attack state of attack success, a detailed description of "S2 - command execution attack", an attack count of 15, evidence information in the data packet field, and an attack type of web command execution.
Step S12: determining security information of the target device within the past preset time length based on the security event, wherein the security information includes attack stage depth information and attack stage integrity information, the attack stage depth information represents a highest attack stage suffered by the target device, and the attack stage integrity information represents integrity of the attack stage suffered by the target device.
After the security event is acquired, it is further required to determine security information of the target device within the past preset time based on the security event. That is, determining attack stage depth information and attack stage integrity information of the target device within the past preset time length based on the security event, where the attack stage depth information represents a highest attack stage to which the target device is subjected, and the attack stage integrity information represents integrity of the attack stage to which the target device is subjected.
In this application, the asset condition and the attack order of the attacker are combined to divide the intrusion stages of the current attacker in a penetration test or real attack scenario, so that a user can understand the harmfulness of the current security event more clearly and make better handling decisions. The attack can be divided into 7 attack stages: risk, attack, successful attack, host collapse, diffusion, purpose achievement, and authority maintenance.
Risk: this stage mainly covers security events discovered through passive traffic sensing or active vulnerability scanning before any real attack on the asset, such as port 445 of an asset being open or the MS17-010 vulnerability being unpatched. Security events identified in scenarios such as configuration risks, weak passwords, unpatched vulnerabilities and website vulnerabilities affecting the asset belong to this stage.
Attack: a malicious attacker uses some attack method to launch different types of attacks on the current victim asset, and all unsuccessful security events are assigned to this stage. An attacker usually first collects information, and the security events generated when the security device discovers attempts made with various attack methods belong to this stage. Common scenarios are web attacks, brute force cracking, receipt of phishing mail, and the like.
Successful attack: when an attacker's attempts in the attack stage succeed, all security events whose attack succeeded belong to the successful attack stage.
Host collapse: after the successful attack stage, a malicious attacker often scans parts of the internal network, collects sensitive information from the current host, escalates the privileges of the current user, or downloads further programs such as viruses and trojans from the Internet. Such behaviour, which lays the groundwork for subsequent attacks, is generally assigned to this stage once it is detected by the security device.
Diffusion: after the successful attack stage, an attacker often attempts to attack other hosts in order to control more assets and obtain more privileges; such behaviour, once identified, is defined as the diffusion stage. Common attack patterns are security events such as brute forcing other hosts or attacking other hosts from the current victim asset.
Purpose achievement: this stage mainly covers cases where a malicious attacker has achieved a malicious purpose on the current asset, such as identified behaviour of data leakage, ransomware, cryptomining, botnet establishment, launching DDoS, and the like.
Authority maintenance: this stage covers security events identified while a malicious attacker, after completing the attack, leaves a backdoor on the host for better control of the asset, mainly in scenarios such as adding malicious accounts, creating services, modifying the registry, and implanting backdoor trojans or rootkits.
Compared with the prior art in which the attack stages are divided only from the attack order of the attacker, the attack tracing can be better supported, the risk of the current victim asset can be displayed more intuitively, and the judgment and processing of a user are facilitated.
Of the 7 attack stages, the lowest is risk and the highest is authority maintenance. According to the 7 divided stages, attack stage depth information can be configured for each attack stage, for example: risk corresponds to 1, attack to 2, successful attack to 3, host collapse to 4, diffusion to 5, purpose achievement to 6, and authority maintenance to 7. When the highest attack stage among the security events within the past preset duration is the 7th stage, authority maintenance, the corresponding attack stage depth information is 7. The attack stage integrity information may be determined according to the integrity of the attack stages contained in the security events.
Step S13: performing security risk assessment on the target device based on the security information.
After the security information is determined, security risk assessment can be performed on the target device based on the security information.
Since the attack stage depth information only indicates the highest attack stage in the security event, the possible error of security risk assessment performed on the target device according to the attack stage depth information alone is large, so that the attack stage depth information and the attack stage integrity information are integrated to perform security risk assessment, and the accuracy of assessment can be improved.
Referring to fig. 4, an embodiment of the present application discloses a specific method for evaluating a security risk of a device, where the method includes:
Step S21: acquiring the security events of the target device within the past preset time length.
Step S22: determining attack stage depth information of the target device within the past preset time length based on the security event.
After the security event is acquired, determining attack stage depth information of the target device within the past preset time length according to the security event. Specifically, the attack stage field in the security event may be counted first to determine the highest attack stage in the security event; and determining the attack stage depth information corresponding to the highest attack stage according to the preset corresponding relationship between the attack stage and the attack stage depth information to obtain the attack stage depth information of the target device within the past preset time length.
That is, pre-divided attack stages may be obtained, where the attack stages are divided based on the asset conditions and the attack order of the attacker, and the attack stages sequentially include, from low to high, risk, attack, successful attack, host collapse, diffusion, purpose achievement, and authority maintenance; and the attack stage depth information corresponding to each attack stage is obtained to form the correspondence between the attack stages and the attack stage depth information. For example, the attack stage depth information corresponding to the first attack stage (risk) is 1, to the second (attack) is 2, to the third (successful attack) is 3, to the fourth (host collapse) is 4, to the fifth (diffusion) is 5, to the sixth (purpose achievement) is 6, and to the seventh (authority maintenance) is 7. Thus, after the highest attack stage among the security events is determined, the attack stage depth information corresponding to that highest attack stage is looked up in the preset correspondence, and the attack stage depth information of the target device within the past preset time length is obtained.
Step S23: and determining attack stage integrity information of the target device within the past preset time length based on the security event.
Since an attacker often intrudes step by step, if only a security event for the last attack stage is present and there is no evidence of the intermediate attack stages, the risk value is relatively low; the more complete the stages are, the higher the risk value. It is therefore also necessary to determine attack stage integrity information of the target device within the past preset time period based on the security events.
Specifically, an attack phase sequence corresponding to the target device may be determined based on an attack phase field in the security event, where the attack phase sequence represents a high-low order of attack phases received by the target device within the past preset time duration; and determining attack phase integrity information of the target equipment within the past preset time length based on the attack phase sequence.
Determining the attack stage integrity information of the target device within the past preset time length based on the attack stage sequence includes: determining it based on the attack stage sequence, a preset attack stage sequence, and an edit distance algorithm. The edit distance, also called the Levenshtein distance, quantifies the difference between two strings (for example, English text) as the minimum number of single-character edits needed to turn one string into the other. The preset attack stage sequence represents a complete attack stage sequence.
For example, the seven attack stages above may be represented, from low to high, by 1 to 7, so that the complete set of attack stages is the known sequence [1, 2, 3, 4, 5, 6, 7]. In the ideal case the attacker intrudes through every stage from 1 to 7 in order and each stage is detected; in practice, insufficient traffic, lack of detection capability, and similar conditions mean that most scenarios do not show the full chain. An edit distance algorithm is therefore introduced to confirm the integrity of the current attack stages: an attack stage sequence such as [1, 3, 5, 6] or [1, 4, 5, 6, 7] is generated from all recorded security events according to their stages, and the edit distance between this actual attack stage sequence and the preset attack stage sequence [1, 2, 3, 4, 5, 6, 7] is computed to confirm the integrity of the current attack stages; the smaller the edit distance, the more complete the current attack sequence.
Step S24: determining target hazard information for the target device within the past preset time period based on the security event, wherein the target hazard information represents a threat level faced by the target device.
In practical applications, the security information may further include target hazard information, where the target hazard information represents a threat level faced by the target device.
Specifically, it may be determined whether the current attacked state of the target device is attack success; if so, the accumulated value of the hazard parameters of a first type of security event among the security events is taken as the target hazard information of the target device within the past preset time length, where the first type of security event is a security event whose attack state field is attack success; if not, the accumulated value of the hazard parameters of a second type of security event among the security events is taken as the target hazard information of the target device within the past preset time length, where the second type of security event is a security event whose attack state field is attack failure.
That is, it is determined whether the target device has been successfully attacked; if yes, the accumulated value of the hazard parameters of every security event whose attack state is success is used as the target hazard information of the target device within the past preset time length, and if not, the accumulated value of the hazard parameters of every security event whose attack state is failure is used instead.
Step S25: determining a transition parameter according to the target hazard information and the attack stage depth information.
Step S26: determining the security risk parameter of the target device according to the transition parameter and the attack stage integrity information.
After the attack stage depth information, the attack stage integrity information, and the target hazard information are determined, the security risk of the target device may be evaluated based on these three pieces of information.
Specifically, determining the transition parameter according to the target hazard information and the attack stage depth information may be taking the product of the target hazard parameter and the attack stage depth parameter as the transition parameter. Determining the security risk parameter of the target device according to the transition parameter and the attack stage integrity information may be taking the ratio of the transition parameter to the attack stage integrity parameter as the security risk parameter of the target device. Here the target hazard parameter is the numerical value representing the target hazard in the target hazard information, the attack stage depth parameter is the numerical value representing the attack stage depth in the attack stage depth information, and the attack stage integrity parameter is the numerical value representing the attack stage integrity in the attack stage integrity information.
The above process can be formulated as

$$\mathrm{Risk} = \frac{R1 \times R2}{R3}$$

where Risk represents the security risk parameter, R1 represents the target hazard parameter, R2 represents the attack stage depth parameter, and R3 represents the attack stage integrity parameter.
Because the security risk of the target device is evaluated comprehensively on three dimensions, the attack stage depth information, the attack stage integrity information, and the target hazard information, the accuracy of the risk evaluation can be improved.
Referring to fig. 5, a plurality of security events of a target device within the past preset time length are obtained, where each security event includes fields such as occurrence time, attacker IP, victim IP, attack state, detailed description, attack count, evidence information, and attack type. For example, after a malicious attacker with IP address 1.2.3.4 attacks a victim asset with IP address 1.2.3.5, the resulting security event has occurrence time 2020-08-29 11:51:41, attacker IP 1.2.3.4, victim IP 1.2.3.5, attack state attack success, detailed description "S2-command execution attack", attack count 15, evidence information a data packet field, and attack type web command execution. The security risk of the target device may then be evaluated based on the attack stage and the hazard parameter of each of the plurality of security events within the past preset time length.
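As an added, runnable illustration of steps S21 to S26 (this is example code written for this page, not the patent's or Sangfor's own implementation): it builds the stage-to-depth mapping, derives the stage sequence from a constructed set of security events modelled on the fig. 5 record, measures integrity with the Levenshtein distance to [1, 2, 3, 4, 5, 6, 7], accumulates hazard parameters by attack state, and combines them as Risk = R1 × R2 / R3. The field names, the per-event hazard values, the rule that a device counts as successfully attacked when any event in the window succeeded, and the use of edit distance + 1 as R3 (so a fully observed chain does not divide by zero) are assumptions of this example, not details stated in the patent.

```python
"""Worked example of the CN112532631A scoring pipeline (added illustration,
not the patent's own code). Field names, hazard values and the +1 applied
to the integrity parameter are assumptions made for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# The seven pre-divided attack stages from the description, low to high;
# the 1-based position of a stage is its attack stage depth information.
ATTACK_STAGES = ["risk", "attack", "successful_attack", "host_collapse",
                 "diffusion", "goal_achievement", "permission_maintenance"]
STAGE_DEPTH = {name: i + 1 for i, name in enumerate(ATTACK_STAGES)}
FULL_STAGE_SEQUENCE = list(range(1, 8))   # preset attack stage sequence [1..7]


@dataclass
class SecurityEvent:
    """Subset of the security event fields named in the description.
    `hazard` is an assumed per-event hazard parameter (the page does not define it)."""
    time: datetime
    attacker_ip: str
    victim_ip: str
    attack_state: str    # attack state field: "success" or "failure"
    stage: str           # attack stage field, one of ATTACK_STAGES
    attack_type: str
    hazard: float


def levenshtein(a, b):
    """Edit distance between two sequences (lists of stage numbers here)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # delete x
                           cur[j - 1] + 1,            # insert y
                           prev[j - 1] + (x != y)))   # substitute
        prev = cur
    return prev[-1]


def events_in_window(events, victim_ip, now, window):
    """Step S21: all events of one device within the past preset time length."""
    return [e for e in events
            if e.victim_ip == victim_ip and now - window <= e.time <= now]


def stage_depth(events):
    """Step S22: depth of the highest attack stage seen (R2)."""
    return max(STAGE_DEPTH[e.stage] for e in events)


def stage_sequence(events):
    """Distinct stages seen, ordered low to high, e.g. [1, 3, 5, 6]."""
    return sorted({STAGE_DEPTH[e.stage] for e in events})


def stage_integrity_distance(events):
    """Step S23: edit distance to the complete chain; smaller means more complete."""
    return levenshtein(stage_sequence(events), FULL_STAGE_SEQUENCE)


def target_hazard(events):
    """Step S24: sum of hazards of successful events if the device is in the
    successfully-attacked state, otherwise of failed events (R1).
    Assumption: any successful event in the window puts the device in that state."""
    state = "success" if any(e.attack_state == "success" for e in events) else "failure"
    return sum(e.hazard for e in events if e.attack_state == state)


def security_risk(events):
    """Steps S25/S26: Risk = (R1 * R2) / R3.
    Assumption: R3 = edit distance + 1, so a fully observed chain (distance 0)
    gives the largest finite risk instead of a division by zero."""
    r1 = target_hazard(events)
    r2 = stage_depth(events)
    r3 = stage_integrity_distance(events) + 1
    return r1 * r2 / r3


def sample_events():
    """Constructed events modelled on the fig. 5 record (attacker 1.2.3.4,
    victim 1.2.3.5, 11:51:41 web command execution); all other values are made up."""
    t = datetime(2020, 8, 29, 11, 51, 41)
    return [
        SecurityEvent(t - timedelta(minutes=20), "1.2.3.4", "1.2.3.5", "failure",
                      "risk", "vulnerability probe", 1.0),
        SecurityEvent(t, "1.2.3.4", "1.2.3.5", "success",
                      "successful_attack", "web command execution", 5.0),
        SecurityEvent(t + timedelta(minutes=3), "1.2.3.4", "1.2.3.5", "success",
                      "diffusion", "internal connection", 4.0),
        SecurityEvent(t + timedelta(minutes=5), "1.2.3.4", "1.2.3.5", "success",
                      "goal_achievement", "data transfer", 6.0),
        # Another victim, and an event outside the window: both are filtered out.
        SecurityEvent(t, "1.2.3.4", "1.2.3.6", "failure", "attack", "login attempt", 2.0),
        SecurityEvent(t - timedelta(days=2), "1.2.3.4", "1.2.3.5", "success",
                      "permission_maintenance", "persistence", 9.0),
    ]


def assess(victim_ip, now=datetime(2020, 8, 29, 12, 0, 0), window=timedelta(hours=1)):
    """Run the whole pipeline for one device and return the intermediate values."""
    evs = events_in_window(sample_events(), victim_ip, now, window)
    return {"depth": stage_depth(evs), "sequence": stage_sequence(evs),
            "distance": stage_integrity_distance(evs),
            "hazard": target_hazard(evs), "risk": security_risk(evs)}


if __name__ == "__main__":
    print(assess("1.2.3.5"))   # compromised host: depth 6, sequence [1, 3, 5, 6]
    print(assess("1.2.3.6"))   # only a failed attack: depth 2, sequence [2]
```

For victim 1.2.3.5 the window contains stages [1, 3, 5, 6], so the edit distance to the full chain is 3, the successful events contribute R1 = 15, R2 = 6 and Risk = 15 × 6 / 4 = 22.5; for 1.2.3.6 only one failed event is present, giving a far lower score. The description only says that a smaller edit distance means a more complete chain, so whatever encoding of R3 an implementation chooses must stay strictly positive, which is why the example adds one to the distance.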
Referring to fig. 6, an embodiment of the present application discloses an apparatus for evaluating security risk, including:
a security event acquiring module 11, configured to acquire security events of the target device within a past preset time length;
an information determining module 12, configured to determine, based on the security event, security information of the target device within the past preset time duration, where the security information includes attack stage depth information and attack stage integrity information, the attack stage depth information indicates a highest attack stage to which the target device is subjected, and the attack stage integrity information indicates integrity of an attack stage to which the target device is subjected;
and a risk assessment module 13, configured to perform security risk assessment on the target device based on the security information.
It can be seen that, in the present application, the security events of a target device within a past preset time length are first obtained, and the security information of the target device within that time length is then determined based on those security events; the security information includes attack stage depth information, representing the highest attack stage the target device has been subjected to, and attack stage integrity information, representing the integrity of the attack stages the target device has been subjected to, and security risk assessment is then performed on the target device based on the security information. Compared with the prior art, in which risk assessment is performed on each security event independently, this method obtains the security information of the target device by jointly analysing all security events of the device within the past preset time length and evaluates the security risk of the current device through correlation analysis of those events, which facilitates source tracing and correlation analysis of attackers and is more comprehensive. Because the attack stage depth information and the attack stage integrity information are used together for the security risk assessment of the device, the false alarm rate is also reduced.
In some specific implementations, the information determining module 12 is configured to: counting attack stage fields in the security events to determine the highest attack stage in the security events; and determining the attack stage depth information corresponding to the highest attack stage according to the preset corresponding relationship between the attack stage and the attack stage depth information to obtain the attack stage depth information of the target device within the past preset time length.
In some specific implementations, the information determining module 12 is configured to: acquire pre-divided attack stages, wherein the attack stages are divided on the basis of the asset situation of the attacked party and the attack order of the attacked party, and the attack stages comprise, from low to high, risk, attack, successful attack, host collapse, diffusion, goal achievement and permission maintenance; and acquire the attack stage depth information corresponding to each attack stage to obtain the correspondence between the attack stages and the attack stage depth information.
In some specific implementations, the information determining module 12 is further configured to: determine target hazard information of the target device within the past preset time length based on the security events, wherein the target hazard information represents a threat level faced by the target device; and determine the target hazard information as a component of the security information.
In some specific implementations, the information determining module 12 is configured to: judge whether the current attacked state of the target device is attack success; if so, take the accumulated value of the hazard parameters of a first type of security event among the security events as the target hazard information of the target device within the past preset time length, wherein the first type of security event is a security event whose attack state field is attack success; if not, take the accumulated value of the hazard parameters of a second type of security event among the security events as the target hazard information of the target device within the past preset time length, wherein the second type of security event is a security event whose attack state field is attack failure.
In some specific implementations, the risk assessment module 13 is configured to: determine a transition parameter according to the target hazard information and the attack stage depth information; and determine the security risk parameter of the target device according to the transition parameter and the attack stage integrity information.
In some specific implementations, the information determining module 12 is configured to: determine an attack stage sequence corresponding to the target device based on an attack stage field in the security events, wherein the attack stage sequence represents the attack stages the target device has been subjected to within the past preset time length, ordered from low to high; and determine attack stage integrity information of the target device within the past preset time length based on the attack stage sequence.
In some specific implementations, the information determining module 12 is configured to: determine attack stage integrity information of the target device within the past preset time length based on the attack stage sequence, a preset attack stage sequence and an edit distance algorithm.
Fig. 7 is a schematic structural diagram of an electronic device 20 provided in an embodiment of the present application, where the electronic device 20 may specifically implement the steps of the device security risk assessment method disclosed in the foregoing embodiment.
In general, the electronic device 20 in the present embodiment includes: a processor 21 and a memory 22.
The processor 21 may include one or more processing cores, such as a four-core processor, an eight-core processor, and so on. The processor 21 may be implemented in at least one hardware form among a DSP (digital signal processor), an FPGA (field-programmable gate array), and a PLA (programmable logic array). The processor 21 may also include a main processor and a coprocessor, where the main processor is the processor for processing data in the awake state, also called the Central Processing Unit (CPU), and the coprocessor is a low-power processor for processing data in the standby state. In some embodiments, the processor 21 may be integrated with a GPU (graphics processing unit), which is responsible for rendering and drawing the images to be displayed on the display screen. In some embodiments, the processor 21 may include an AI (artificial intelligence) processor for handling computing operations related to machine learning.
Memory 22 may include one or more computer-readable storage media, which may be non-transitory. Memory 22 may also include high speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In this embodiment, the memory 22 is at least used for storing the following computer program 221, wherein after being loaded and executed by the processor 21, the steps of the device security risk assessment method disclosed in any of the foregoing embodiments can be implemented.
In some embodiments, the electronic device 20 may further include a display 23, an input/output interface 24, a communication interface 25, a sensor 26, a power supply 27, and a communication bus 28.
Those skilled in the art will appreciate that the configuration shown in FIG. 7 is not limiting of electronic device 20 and may include more or fewer components than those shown.
Further, an embodiment of the present application also discloses a computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the device security risk assessment method disclosed in any of the foregoing embodiments.
For the specific process of the above method for evaluating the security risk of the device, reference may be made to the corresponding contents disclosed in the foregoing embodiments, which are not described herein again.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of other elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The method, apparatus, device, and medium for evaluating device security risk provided by the present application have been described in detail above. Specific examples have been used to explain the principle and implementation of the application, and the description of the embodiments is intended only to help in understanding the method and its core idea; at the same time, a person skilled in the art may, following the idea of the present application, vary the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (11)

1. An equipment security risk assessment method, comprising:
acquiring security events of a target device within a past preset time length;
determining security information of the target device within the past preset time length based on the security event, wherein the security information comprises attack stage depth information and attack stage integrity information, the attack stage depth information represents a highest attack stage suffered by the target device, and the attack stage integrity information represents integrity of the attack stage suffered by the target device;
and performing security risk assessment on the target equipment based on the security information.
2. The device security risk assessment method according to claim 1, wherein the determining the security information of the target device within the past preset time period based on the security event comprises:
counting attack stage fields in the security events to determine the highest attack stage in the security events;
and determining the attack stage depth information corresponding to the highest attack stage according to the preset corresponding relationship between the attack stage and the attack stage depth information to obtain the attack stage depth information of the target device within the past preset time length.
3. The device security risk assessment method according to claim 2, wherein before determining the attack stage depth information corresponding to the highest attack stage according to the preset corresponding relationship between the attack stage and the attack stage depth information, the method further comprises:
acquiring pre-divided attack stages, wherein the attack stages are divided on the basis of the asset situation of the attacked party and the attack order of the attacked party, and the attack stages comprise, from low to high, risk, attack, successful attack, host collapse, diffusion, goal achievement and permission maintenance;
and acquiring the attack stage depth information corresponding to each attack stage to obtain the corresponding relation between the attack stages and the attack stage depth information.
4. The device security risk assessment method according to claim 1, wherein the determining the security information of the target device within the past preset time period based on the security event further comprises:
determining target hazard information of the target device within the past preset time length based on the security event, wherein the target hazard information represents a threat level faced by the target device;
determining the target hazard information as a component of the security information.
5. The device security risk assessment method according to claim 4, wherein the determining the target hazard information of the target device within the past preset time period based on the security event comprises:
judging whether the current attacked state of the target device is attack success;
if so, taking the accumulated value of the hazard parameters of a first type of security event among the security events as the target hazard information of the target device within the past preset time length, wherein the first type of security event is a security event whose attack state field is attack success;
if not, taking the accumulated value of the hazard parameters of a second type of security event among the security events as the target hazard information of the target device within the past preset time length, wherein the second type of security event is a security event whose attack state field is attack failure.
6. The device security risk assessment method according to claim 4, wherein the performing security risk assessment on the target device based on the security information comprises:
determining a transition parameter according to the target hazard information and the attack stage depth information;
and determining the security risk parameter of the target device according to the transition parameter and the attack stage integrity information.
7. The device security risk assessment method according to any one of claims 1 to 6, wherein the determining the security information of the target device within the past preset time period based on the security event comprises:
determining an attack stage sequence corresponding to the target device based on an attack stage field in the security event, wherein the attack stage sequence represents the attack stages the target device has been subjected to within the past preset time length, ordered from low to high;
and determining attack stage integrity information of the target device within the past preset time length based on the attack stage sequence.
8. The device security risk assessment method according to claim 7, wherein the determining attack stage integrity information of the target device within the past preset time period based on the attack stage sequence comprises:
and determining attack stage integrity information of the target device within the past preset time length based on the attack stage sequence, a preset attack stage sequence and an edit distance algorithm.
9. An equipment security risk assessment apparatus, comprising:
a security event acquisition module, configured to acquire security events of a target device within a past preset time length;
an information determining module, configured to determine, based on the security event, security information of the target device within the past preset duration, where the security information includes attack stage depth information and attack stage integrity information, the attack stage depth information indicates a highest attack stage to which the target device is subjected, and the attack stage integrity information indicates integrity of an attack stage to which the target device is subjected;
and the risk assessment module is used for carrying out security risk assessment on the target equipment based on the security information.
10. An electronic device, comprising:
a memory and a processor;
wherein the memory is used for storing a computer program;
the processor is configured to execute the computer program to implement the device security risk assessment method according to any one of claims 1 to 8.
11. A computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the device security risk assessment method according to any one of claims 1 to 8.
Application CN202011373277.0A (priority date 2020-11-30, filing date 2020-11-30): Equipment safety risk assessment method, device, equipment and medium. Legal status: Pending.

Publication: CN112532631A (en), published 2021-03-19. Family ID: 74995186. Country status: CN.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination