CN112637215A - Network security detection method and device, electronic equipment and readable storage medium - Google Patents


Info

Publication number: CN112637215A
Authority: CN (China)
Prior art keywords: network data, network, threat, data, target
Legal status: Granted
Application number: CN202011554743.5A
Other languages: Chinese (zh)
Other versions: CN112637215B (en)
Inventors: 姚善, 杨圣峰
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd

Events
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202011554743.5A
Publication of CN112637215A
Application granted
Publication of CN112637215B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Abstract

The application provides a network security detection method, a network security detection device, electronic equipment and a readable storage medium, and relates to the technical field of network security. The method can comprise the following steps: acquiring a network data set collected from the network devices in an organization unit and from the applications in those network devices, wherein the network data set comprises at least one of vulnerability data and threat data; preprocessing the network data in the network data set to obtain target network data in a specified format; acquiring target multidimensional parameters corresponding to the target network data based on the corresponding relation between network data and multidimensional parameters, wherein the target multidimensional parameters comprise at least two of an importance degree value corresponding to the organization unit, a reference value corresponding to the availability and influence degree of the target network data, a similar threat degree value of the vulnerability data or threat data in the target network data on network devices of the same type, and a reference value of the network device itself; and determining a first detection result representing the threat value of the target network data according to the target multidimensional parameters.

Description

Network security detection method and device, electronic equipment and readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a network security detection method, an apparatus, an electronic device, and a readable storage medium.
Background
As more and more vulnerabilities are exposed in Internet applications and devices, the need to discover and protect against vulnerabilities and other network threats in a timely manner keeps increasing. Currently, network security is typically evaluated for a single vulnerability at a time. When a network attack that exploits several vulnerabilities in combination is assessed, such a single-vulnerability assessment yields inaccurate or incomplete detection.
Disclosure of Invention
An object of the embodiments of the present application is to provide a network security detection method, an apparatus, an electronic device, and a readable storage medium, which can solve the problem of inaccurate or incomplete network threat detection.
In order to achieve the above object, embodiments of the present application are implemented as follows:
in a first aspect, an embodiment of the present application provides a network security detection method, where the method includes:
acquiring a network data set collected from the network devices in an organization unit and from the applications in those network devices, wherein the network data set comprises at least one of vulnerability data and threat data;
preprocessing the network data in the network data set to obtain target network data in a specified format;
acquiring a target multidimensional parameter corresponding to the target network data based on a corresponding relation between network data and multidimensional parameters, wherein the target multidimensional parameter comprises at least two of an importance degree value corresponding to the organization unit, a reference value corresponding to the availability and influence degree of the target network data, a similar threat degree value of the vulnerability data or threat data in the target network data on network devices of the same type, and a reference value of the network device itself;
and determining a first detection result representing the threat value of the target network data according to the target multidimensional parameter.
In the foregoing embodiment, when performing network security detection on the threats in the target network data, at least two of the importance degree value corresponding to the organization unit, the reference value corresponding to the availability and influence degree of the target network data, the similar threat degree value of the vulnerability data or threat data on network devices of the same type, and the reference value of the network device itself are combined, so that the threats in the target network data are detected from multiple dimensions, which helps to improve the accuracy and completeness of network threat detection.
With reference to the first aspect, in some optional embodiments, the method further comprises:
and determining a second detection result of the threat value representing the network equipment according to the threat value of each type of target network data of the network equipment or the threat value of each type of target network data of an application program in the network equipment.
In the foregoing embodiment, the second detection result of the network device is obtained through detection by using the threat value of the target network data with higher accuracy, which is beneficial to improving the accuracy of the second detection result.
With reference to the first aspect, in some optional embodiments, the method further comprises:
and determining a third detection result representing the threat value of the organization unit according to the threat value of each network device in the organization unit.
In the above embodiment, the third detection result of the organization unit is detected and obtained through the threat value of the network device with higher accuracy, which is beneficial to improving the accuracy of the third detection result.
With reference to the first aspect, in some optional embodiments, the method further comprises:
and when at least one type of threat value among the threat value of the target network data, the threat value of the network equipment and the threat value of the organization unit reaches a corresponding preset value, sending out an early warning prompt.
In the above embodiment, by sending the warning prompt, the method is beneficial for the staff to take corresponding precautionary measures against the network threat in time, and is beneficial for reducing the loss caused by the network threat.
With reference to the first aspect, in some optional embodiments, the method further comprises:
and outputting and displaying at least one type of threat values of the target network data, the threat values of the network equipment and the threat values of the organization units, wherein when the threat values of any type reach corresponding preset values, the threat values reaching the preset values and the types of the threat values are displayed in a display mode representing early warning.
In the above embodiment, the detection result is visualized, which is beneficial for the monitoring and management of network security for the staff.
With reference to the first aspect, in some optional embodiments, before obtaining the target multidimensional parameter corresponding to the target network data, the method further includes:
and creating and storing multidimensional parameters corresponding to each type of vulnerability data and each type of threat data in the network data.
With reference to the first aspect, in some optional embodiments, preprocessing the network data in the network data set to obtain target network data in a specified format includes:
carrying out data deduplication on the network data in the network data set to obtain a network data set subjected to data deduplication;
filtering the interference data in the network data set after the duplication is removed according to a preset filtering rule to obtain a filtered network data set;
and converting each network data in the filtered network data set into the target network data in the specified format.
In a second aspect, an embodiment of the present application further provides a network security detection apparatus, where the apparatus includes:
a first obtaining unit, configured to obtain a network data set collected from the network devices in an organization unit and from the applications in those network devices, where the network data set comprises at least one of vulnerability data and threat data;
the preprocessing unit is used for preprocessing the network data in the network data set to obtain target network data in a specified format;
a second obtaining unit, configured to obtain a target multidimensional parameter corresponding to the target network data based on a corresponding relationship between network data and the multidimensional parameter, where the target multidimensional parameter includes at least two of an importance value corresponding to the organization unit, a reference value corresponding to availability and an influence of the target network data, a similar threatened level value of the vulnerability data or the threat data in the target network data in the network device, and a reference value of the network device itself;
and the detection determining unit is used for determining a first detection result of the threat value representing the target network data according to the target multidimensional parameter.
In a third aspect, an embodiment of the present application further provides an electronic device, where the electronic device includes a processor and a memory coupled to each other, and a computer program is stored in the memory, and when the computer program is executed by the processor, the electronic device is caused to perform the method described above.
In a fourth aspect, the present application further provides a computer-readable storage medium, in which a computer program is stored, and when the computer program runs on a computer, the computer is caused to execute the above method.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic diagram of communication connection between an electronic device and a network device in an organization unit according to an embodiment of the present application.
Fig. 2 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Fig. 3 is a schematic flow chart of a network security detection method according to an embodiment of the present application.
Fig. 4 is a table diagram illustrating a reference value of the degree of importance corresponding to the organization unit provided in the embodiment of the present application.
Fig. 5 is a table diagram illustrating availability of target network data and reference values corresponding to the influence according to an embodiment of the present disclosure.
Fig. 6 is a table diagram illustrating a benchmark value of the similar threat level of vulnerability data or threat data according to an embodiment of the present application.
Fig. 7 is a table diagram illustrating a reference value of a network device according to an embodiment of the present application.
Fig. 8 is a block diagram of a network security detection apparatus according to an embodiment of the present application.
Icon: 10-an electronic device; 11-a processing module; 12-a storage module; 13-a communication module; 20-a network device; 200-network security detection means; 210-a first obtaining unit; 220-a pre-processing unit; 230-a second acquisition unit; 240-a detection determination unit.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It should be noted that the terms "first," "second," and the like are used merely to distinguish one description from another, and are not intended to indicate or imply relative importance. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
Referring to fig. 1, an electronic device 10 according to an embodiment of the present application may establish a communication connection with a network device 20 in an organization unit, and may acquire network data of the network device 20 and an application program in the network device 20, so as to detect a threat existing in the network data.
The organization unit may be, but is not limited to, an organization such as a company, a school, etc., and is not particularly limited thereto. One or more network devices 20 may be included in an organization. Network device 20 may be, but is not limited to, a personal computer, a server, etc. One or more applications may be installed in one network device 20, and the applications may be determined according to actual situations, and are not limited specifically herein.
Referring to fig. 2, the electronic device 10 may include a processing module 11 and a storage module 12. The storage module 12 stores a computer program which, when executed by the processing module 11, enables the electronic device 10 to perform the steps of the method described below.
Of course, the electronic device 10 may also include other modules, for example, the electronic device 10 may also include a communication module 13, which may be used to establish a communication connection with the network device 20.
The processing module 11, the storage module 12 and the communication module 13 are electrically connected directly or indirectly to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines.
Referring to fig. 3, an embodiment of the present application further provides a network security detection method, which can be applied to the electronic device 10, and the electronic device 10 executes or implements the steps of the method. The electronic device 10 may be a personal computer, a server, etc., and is not particularly limited herein. The method may comprise the steps of:
step S110, acquiring a network data set collected from the network device 20 in an organization unit and from the application program in the network device 20, wherein the network data set comprises at least one of vulnerability data and threat data;
step S120, preprocessing the network data in the network data set to obtain target network data in a specified format;
step S130, obtaining a target multidimensional parameter corresponding to the target network data based on a corresponding relationship between network data and multidimensional parameters, where the target multidimensional parameter includes at least two of an importance level value corresponding to the organization unit, a reference value corresponding to the availability and influence level of the target network data, a similar threat level value of the vulnerability data or threat data in the target network data on network devices 20 of the same type, and a reference value of the network device 20 itself;
step S140, determining a first detection result representing the threat value of the target network data according to the target multidimensional parameter.
In the foregoing embodiment, when performing network security detection on the threats in the target network data, at least two of the importance level value corresponding to the organization unit, the reference value corresponding to the availability and influence level of the target network data, the similar threat level value of the vulnerability data or threat data on network devices 20 of the same type, and the reference value of the network device 20 itself are combined, so that the threats in the target network data are detected from multiple dimensions, which helps to improve the accuracy and completeness of network threat detection.
The individual steps of the process are explained in detail below, as follows:
In step S110, the network data set includes the vulnerability data and threat data of the application programs in the network device 20; in addition, it may also include vulnerability data and threat data of the network device 20 other than those of its application programs, for example vulnerability data and threat data of the operating system of the network device 20 itself.
The network data set may be obtained by the electronic device 10 from the network device 20 or from another device. For example, the electronic device 10 may collect vulnerability data, threat data and other network data from the network device 20 in real time as the acquired network data set. Alternatively, the network data set of the network device 20 and of the application programs in the network device 20 in the organization unit may be collected in advance and stored on the network device 20 itself or on another device, and the electronic device 10 then acquires the pre-collected network data set from the network device 20 or that other device; the manner of acquiring the network data set is not particularly limited.
The vulnerability data and the threat data may be obtained by analyzing traffic data and log data of the network device 20, and the manner of determining the vulnerability data and the threat data is well known to those skilled in the art and will not be described herein again.
In step S120, the electronic device 10 may clean the network data in the network data set through a corresponding preprocessing policy to filter out interference data, and then unify the format of the network data, so as to perform subsequent analysis processing on the network data in the unified format. The preprocessing strategy can be flexibly set according to actual conditions to filter interference data and obtain network data expected to be reserved by a user. The preprocessing strategy includes, but is not limited to, a deduplication rule, a preset filtering rule. Wherein the deduplication rules may be used to remove redundant data in the network dataset. The preset filtering rule may be set according to actual situations, for example, the preset filtering rule may be used to retain the network data of the specified network device 20 and filter out the network data except for the specified network device 20.
Alternatively, step S120 may include:
carrying out data deduplication on the network data in the network data set to obtain a network data set subjected to data deduplication;
filtering the interference data in the network data set after the duplication is removed according to a preset filtering rule to obtain a filtered network data set;
and converting each network data in the filtered network data set into the target network data in the specified format.
Understandably, if the network data set contains multiple identical network data items, the electronic device 10 may deduplicate them and keep only one of them, so as to remove redundant data. In addition, the electronic device 10 may filter out interference data from the deduplicated network data according to the preset filtering rule. The interference data may be determined according to actual conditions and is not particularly limited herein.
Understandably, in a network dataset, there are typically many types of data content in different field formats. After the network data in the network data set is subjected to deduplication and filtering, the electronic device 10 may convert the deduplicated and filtered network data into network data in a specified format. The data field format of the specified format for representing the network data can be set according to actual conditions. By converting the format of the network data, the field format of the network data can be unified, so that the network data in each unified format in the network data set can be analyzed and processed conveniently.
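The three sub-steps of step S120 (deduplication, filtering by a preset rule, conversion to one unified format) as a runnable pipeline. This is an added illustration, not code from the patent; the patent leaves the collector record layouts, the unified field set and the filtering rule open, so the field names, the `TargetRecord` layout, the "keep only the specified devices" rule and the sample records below are all constructed assumptions.

```python
"""Step S120 preprocessing: deduplicate, filter interference data, normalise.

Added example, not code from the patent. Record layouts, field names and
sample data are constructed assumptions; the description only says that
collectors deliver data in differing field formats.
"""
from dataclasses import dataclass, asdict
import json


# Unified target format (assumed; the patent leaves the field layout open).
@dataclass(frozen=True)
class TargetRecord:
    device: str    # network device the finding was collected from
    app: str       # application on that device ("" = the device/OS itself)
    kind: str      # "vulnerability" or "threat"
    ident: str     # finding identifier as reported by the collector
    severity: str  # collector severity, lower-cased


def device_of(rec):
    """Collectors name the device field differently (constructed assumption)."""
    return rec.get("device") or rec.get("host") or rec.get("asset")


def deduplicate(records):
    """Deduplication rule: keep the first occurrence of each identical record."""
    seen = set()
    out = []
    for rec in records:
        key = json.dumps(rec, sort_keys=True)  # canonical form of the record
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out


def filter_interference(records, keep_devices):
    """Preset filtering rule from the text: retain records of the specified
    network devices and drop everything else as interference data."""
    return [r for r in records if device_of(r) in keep_devices]


def to_target_format(rec):
    """Map heterogeneous collector fields onto the unified TargetRecord."""
    is_vuln = "cve" in rec or rec.get("type") == "vuln"
    return TargetRecord(
        device=device_of(rec),
        app=rec.get("app") or rec.get("process") or "",
        kind="vulnerability" if is_vuln else "threat",
        ident=rec.get("cve") or rec.get("rule") or rec.get("id", ""),
        severity=str(rec.get("severity") or rec.get("sev") or "unknown").lower(),
    )


def preprocess(records, keep_devices):
    """Full step S120: dedup -> filter -> convert to the specified format."""
    deduped = deduplicate(records)
    filtered = filter_interference(deduped, keep_devices)
    return [to_target_format(r) for r in filtered]


# Constructed sample: a scanner feed and a log-analysis feed, containing one
# exact duplicate and one record from a device outside the monitored scope.
SAMPLE = [
    {"host": "srv-01", "app": "nginx", "cve": "CVE-XXXX-PLACEHOLDER", "severity": "High"},
    {"host": "srv-01", "app": "nginx", "cve": "CVE-XXXX-PLACEHOLDER", "severity": "High"},
    {"asset": "srv-02", "type": "vuln", "id": "PLACEHOLDER-OS-FINDING", "sev": "low"},
    {"device": "pc-07", "process": "browser", "rule": "suspicious-download", "severity": "Medium"},
    {"device": "guest-99", "process": "ssh", "rule": "bruteforce", "severity": "High"},
]

if __name__ == "__main__":
    for item in preprocess(SAMPLE, keep_devices={"srv-01", "srv-02", "pc-07"}):
        print(asdict(item))
```

Deduplicating on a canonical serialisation of the whole record (rather than on one identifier) matches the text, which removes only identical items; the scope filter runs after deduplication, in the order the claim lists the sub-steps.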
Referring to fig. 4 to fig. 7, in step S130, the electronic device 10 stores a corresponding relationship between the network data and the multidimensional parameter in advance. The corresponding relationship may be one or more mapping tables, including a mapping relationship between data content of the network data and the multidimensional parameter. The electronic device 10 may search for a multidimensional parameter corresponding to the target network data based on the corresponding relationship, where the multidimensional parameter is a target multidimensional parameter of the target network data. Wherein the multidimensional parameters include benchmark values for cyber threats in the plurality of dimensions of the network data. For example, the multidimensional parameter may include at least two of an importance value corresponding to an organization unit, a reference value corresponding to availability and influence of the target network data, a similar threat level value of vulnerability data or threat data in the target network data in the network device 20, and a reference value of the network device 20 itself.
The importance degree value corresponding to the organization unit can be understood as a reference value for the network threats present in the organization unit, and can be determined according to the actual situation. For example, the higher the security requirement of the organization unit, the higher the reference value. Alternatively, different reference values may be assigned to organization units with different properties according to those properties. As an example, the reference value for the network threats present in an organization unit may be as shown in fig. 4.
The reference value corresponding to the availability (exploitability) and the influence (denoted IMPACT) of the target network data is a reference value measured from the target network data itself. The availability can comprise a plurality of dimensions such as attack path (denoted AV), complexity (denoted AC), authority requirement (denoted PR) and user interaction (denoted UE), and can be set according to actual conditions. The influence degree can include the confidentiality (denoted C), integrity (denoted I) and availability (denoted A) of the network data, and can be set according to actual situations. As an example, the reference values corresponding to the availability and influence of the target network data may be as shown in fig. 5.
In fig. 5, the attack path may include remote, local, and physical dimensions. Complexity may include low, high, and so forth dimensions. The privilege requirements may include no requirements, low privileges, high privileges, and the like dimensions. User interaction may include two dimensions, no interaction and interaction. The attack path, complexity, authority requirement and user interaction of the loophole or the threat event in the network data can be determined according to the actual situation.
The confidentiality levels of the network data can include three levels, namely high, low and none, and the confidentiality level of the single network data can be determined according to actual conditions. Similarly, the integrity and the availability of the network data can include three levels, namely high, low and none, and can be determined according to actual conditions.
The similar threat degree value is the network threat reference value of the vulnerability data or threat data in the target network data on devices of the same or a similar type as the network device 20; it measures the same-type threat to the target (the network device 20) on which the vulnerability event or threat event occurs. As an example, the reference value of the similar threat degree value of the target network data may be as shown in fig. 6, where "SU" in fig. 6 represents the number of affected network devices 20 of the same type.
The reference value of the network device 20 itself can be measured along the dimensions of confidentiality (denoted C), integrity (denoted I) and availability (denoted A) of the network device 20 itself, and can be flexibly set according to the actual situation. As an example, the reference value of the network device 20 itself may be as shown in fig. 7. The confidentiality level of the network device 20 may include three levels, i.e., high, low and none, and may be determined according to actual situations. Similarly, the integrity and availability of the network device 20 may each include the three levels high, low and none, which may be determined according to actual situations.
In step S140, after acquiring the multidimensional parameter corresponding to the network data, the electronic device 10 may obtain a detection result of the target network data based on a preset algorithm. The detection result may include a threat value characterizing the target network data. The preset algorithm can be set according to actual conditions.
For example, referring to fig. 4 to 7 in combination, according to the corresponding relationship between the network data and the multidimensional parameter, the electronic device 10 may obtain, based on fig. 4, the network threat reference value of the organization unit, denoted EXP1, where EXP1 = Unit.
Based on fig. 5, the electronic device 10 may obtain the reference value corresponding to the availability and influence of the target network data, denoted EXP2, by the following formula (1):
EXP2 = RD(10 * AV * AC * PR * UE * (C + I + A))    (1)
Based on fig. 6, the electronic device 10 may obtain the reference value of the similar threat degree of the vulnerability data or threat data in the network device 20, denoted EXP3, where EXP3 = SU.
Based on fig. 7, the electronic device 10 may obtain the reference value of the network device 20 itself, denoted EXP4, where EXP4 = RD(10 * (C + I + A)).
The threat value of the target network data, denoted Ri, may be calculated by the following formula (2), which may serve as the preset algorithm for calculating the threat value of the target network data:
Ri = RD({EXP1 + [(10 - EXP2) * EXP4]} * EXP3)    (2)
where RD in all the above formulas denotes rounding to one digit after the decimal point, i.e. the second digit after the decimal point is rounded.
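Formulas (1) and (2) and the RD rounding rule, carried through for one target network data item. This is an added worked example, not code from the patent. The description does not reproduce the numeric contents of fig. 4 to 7, so the lookup tables `AV`, `AC`, `PR`, `UE` and `CIA`, the `Unit` and `SU` values and the sample item are assumptions chosen only so the formulas can be executed; the formulas themselves are transcribed as printed above.

```python
"""Threat value of a single target network data item: step S130 lookup
followed by step S140, formulas (1) and (2).

Added worked example, not code from the patent. All reference tables and
sample values are assumptions standing in for fig. 4 to 7, whose numbers
are not in the text. The formulas are transcribed as printed.
"""
from decimal import Decimal, ROUND_HALF_UP


def RD(x):
    """RD: keep one digit after the decimal point, rounding the second digit.
    repr() gives the shortest exact decimal of the float, so 8.999999999999998
    still rounds to 9.0."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# Assumed tables standing in for fig. 5 (exploitability and impact of the
# data item) and fig. 7 (the device itself). Values are chosen so that
# C + I + A <= 1 and every EXP value lies in 0..10.
AV = {"remote": 1.0, "local": 0.6, "physical": 0.2}   # attack path
AC = {"low": 1.0, "high": 0.5}                         # complexity
PR = {"none": 1.0, "low": 0.6, "high": 0.3}            # privilege requirement
UE = {"none": 1.0, "required": 0.6}                    # user interaction
CIA = {"high": 0.3, "low": 0.1, "none": 0.0}           # per C, I and A level


def exp2(av, ac, pr, ue, c, i, a):
    """Formula (1): EXP2 = RD(10 * AV * AC * PR * UE * (C + I + A))."""
    return RD(10 * AV[av] * AC[ac] * PR[pr] * UE[ue] * (CIA[c] + CIA[i] + CIA[a]))


def exp4(c, i, a):
    """Reference value of the network device itself: EXP4 = RD(10 * (C + I + A))."""
    return RD(10 * (CIA[c] + CIA[i] + CIA[a]))


def threat_value(exp1, exp2_value, exp3, exp4_value):
    """Formula (2): Ri = RD({EXP1 + [(10 - EXP2) * EXP4]} * EXP3)."""
    return RD((exp1 + (10 - exp2_value) * exp4_value) * exp3)


def first_detection_result(item, device, unit_value, same_type_affected):
    """Look up the four dimensions for one item (step S130) and compute Ri
    (step S140). `item` and `device` are dicts in an assumed unified
    format; `unit_value` is EXP1 = Unit (fig. 4) and `same_type_affected`
    is EXP3 = SU (fig. 6), both supplied by the caller here."""
    e1 = float(unit_value)
    e2 = exp2(item["av"], item["ac"], item["pr"], item["ue"],
              item["c"], item["i"], item["a"])
    e3 = float(same_type_affected)
    e4 = exp4(device["c"], device["i"], device["a"])
    return {"EXP1": e1, "EXP2": e2, "EXP3": e3, "EXP4": e4,
            "Ri": threat_value(e1, e2, e3, e4)}


# Constructed sample: a remotely exploitable, high-impact finding on a device
# whose own C/I/A are rated high/low/low, in a unit with Unit = 5, with the
# same finding present on 2 devices of the same type (SU = 2).
SAMPLE_ITEM = {"av": "remote", "ac": "low", "pr": "none", "ue": "none",
               "c": "high", "i": "high", "a": "high"}
SAMPLE_DEVICE = {"c": "high", "i": "low", "a": "low"}

if __name__ == "__main__":
    print(first_detection_result(SAMPLE_ITEM, SAMPLE_DEVICE,
                                 unit_value=5, same_type_affected=2))
```

With the assumed tables the sample yields EXP2 = 9.0, EXP4 = 5.0 and Ri = 20.0. Because the tables are placeholders the absolute numbers carry no meaning; what the block fixes is the order of operations, the point at which RD is applied (after each of EXP2, EXP4 and Ri, never on intermediate products) and the rounding direction, which are the details a re-implementation has to match for two detectors to agree on a score.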
As an optional implementation manner, after step S140, the method may further include:
determining the second detection result of the threat value representing the network device 20 according to the threat value of each type of target network data of the network device 20 or according to the threat value of each type of target network data of the application program in the network device 20.
Understandably, the second detection result may include a threat value of a single network device 20 itself. Additionally, the second detection result may also include a threat value of a single application in the network device 20.
For example, assume that one network device 20 has n network data items carrying threats, that is, the number of threat data and vulnerabilities is n, which indicates that the network device 20 has n network threats, where n is an integer greater than 0. The threat value of each network data item is Ri; arranging the threat values Ri from high to low gives the list R1, R2, R3 … Rn, where i ranges from 1 to n. The threat value algorithm of a single network device 20 is as follows:
[formula (3): equation image BDA0002852698460000111 in the original, not reproduced in the text]
where [equation image BDA0002852698460000112 in the original] is the influence coefficient, and μ is a convergence coefficient that can be determined according to actual conditions. The threat value of a single network device 20 may be calculated by equation (3).
Similarly, if there are n threats in an application of one network device 20, that is, the number of threat data and vulnerabilities is n, the threat value of the application can be calculated by the above formula (3).
As an optional implementation manner, after step S140, the method may further include:
determining a third detection result characterizing the threat value of the organizational unit based on the threat value of each network device 20 in the organizational unit.
In this embodiment, the third detection result may include the network threat value of the organization unit. Generally, a single organization unit may include one or more network devices 20. The threat value of each network device 20 may be calculated by the above formula (3). The threat value of the organization unit is calculated in a manner similar to that of the network device 20, and can also be calculated by the above equation (3). It should be noted that, when calculating the threat value of the organization unit, the convergence coefficient μ may differ from the one used for the network device 20, and may be determined according to actual situations. The threat values detected as described above represent the network threat posed by the external network environment to the organization unit, to the network devices 20 in the organization unit, and to the application programs in the network devices 20.
As an optional implementation manner, after step S140, the method may further include:
and when at least one type of threat value among the threat value of the target network data, the threat value of the network equipment 20 and the threat value of the organization unit reaches a corresponding preset value, sending out an early warning prompt.
In this embodiment, the threat value of the target network data, the threat value of the network device 20, and the threat value of the organization unit are threat values of different categories; the threat values of different categories may correspond to different preset values, and all of them may be set according to actual conditions. When a threat value reaches its preset value, it usually indicates that the vulnerability or threat data poses a great network security risk to the network device 20, which may cause confidential data in the network device 20 to be leaked or cause the network device 20 to be attacked by a virus.
The preset value for the threat value of the target network data may be referred to as a first preset value, the preset value for the threat value of the network device 20 as a second preset value, and the preset value for the threat value of the organization unit as a third preset value. For example, the electronic device 10 may issue an early warning prompt when the threat value of any category reaches the preset value for that category. The early warning prompt may be, but is not limited to, a voice prompt, a light prompt, and the like, and is not specifically limited here. In addition, the electronic device 10 may also send an early warning prompt to a user terminal registered under a reserved mobile phone number or mailbox. The user terminal may be, but is not limited to, a smartphone, a tablet computer, etc. Sending out the early warning prompt helps staff take corresponding precautionary measures against the network threat in time, and helps reduce the loss caused by the network threat.
As an optional implementation manner, after step S140, the method may further include:
and outputting and displaying at least one type of threat values of the target network data, the threat values of the network equipment 20 and the threat values of the organization units, wherein when the threat values of any type reach corresponding preset values, the threat values reaching the preset values and the types of the threat values are displayed in a display mode representing early warning.
The difference between the display mode representing early warning and the normal display mode can be set flexibly according to the actual situation. The normal display mode is the display mode used when the threat value of a type is smaller than the preset value of that type. For example, in the normal display mode the threat value is output in green, while in the early warning display mode it is output in red. Alternatively, in the normal display mode the threat value need not be output in bold, while in the early warning display mode it is output in bold. By visualizing the detection results and presenting data with large threat values in the early warning display mode, staff can quickly focus on the network data with the largest threat values, which in turn facilitates network security monitoring and management.
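The following Python example is added here to illustrate the three categories of threat values and their preset values described above; it is not code from the patent. Because equation (3) appears in the original only as an image, the aggregate_threat function uses an assumed stand-in (the highest value plus geometrically decaying weights μ^k over the rest of the ranked list), and the sample threat values, device names and preset values are constructed. It rolls per-item threat values up to a device value and then to an organization unit value, checks each category against its own preset value, and reports the display mode for each result.

```python
from typing import Dict, List, Tuple

# Constructed sample (not from the patent): one organization unit with two
# network devices; each device carries the threat values R_i already determined
# for its vulnerability/threat data items (the "first detection result").
SAMPLE_ORG: Dict[str, List[float]] = {
    "dev-A": [6.0, 9.5, 3.0],
    "dev-B": [2.5, 4.0],
}

# First, second and third preset values for the three threat-value categories.
# Constructed thresholds; the patent leaves them to be set per deployment.
PRESETS: Dict[str, float] = {"data": 8.0, "device": 10.0, "org": 12.0}


def aggregate_threat(values: List[float], mu: float) -> float:
    """Roll a list of threat values R_i up into one threat value.

    Stand-in for the patent's equation (3), which this page reproduces only as
    an image. Assumption: rank the R_i from high to low (R_1 >= R_2 >= ... >=
    R_n), keep R_1 in full and add each further R_k with the geometrically
    decaying weight mu**(k-1), so the total converges as n grows. mu is the
    convergence coefficient (0 <= mu < 1) and may differ per level.
    """
    if not values:
        return 0.0
    ranked = sorted(values, reverse=True)
    total = 0.0
    for k, r in enumerate(ranked):          # k = 0 gives weight mu**0 = 1 for R_1
        total += (mu ** k) * r
    return round(total, 4)


def reaches_preset(category: str, value: float,
                   presets: Dict[str, float] = PRESETS) -> bool:
    """True when a threat value of the given category reaches its preset value."""
    return value >= presets[category]


def display_mode(category: str, value: float,
                 presets: Dict[str, float] = PRESETS) -> str:
    """Normal display below the preset value, early-warning display at or above it."""
    return "red bold" if reaches_preset(category, value, presets) else "green"


def evaluate_org(org: Dict[str, List[float]], mu_device: float, mu_org: float,
                 presets: Dict[str, float] = PRESETS) -> dict:
    """Compute the second (device) and third (organization unit) detection
    results and collect every threat value that reaches its category's preset."""
    alerts: List[Tuple[str, str, float]] = []
    device_values: Dict[str, float] = {}
    for device, data_values in org.items():
        # Category 1: threat value of each item of target network data.
        for r in data_values:
            if reaches_preset("data", r, presets):
                alerts.append(("data", device, r))
        # Category 2: threat value of the network device, rolled up from its data.
        dv = aggregate_threat(data_values, mu_device)
        device_values[device] = dv
        if reaches_preset("device", dv, presets):
            alerts.append(("device", device, dv))
    # Category 3: threat value of the organization unit, rolled up from its
    # devices with its own convergence coefficient, as the text allows.
    ov = aggregate_threat(list(device_values.values()), mu_org)
    if reaches_preset("org", ov, presets):
        alerts.append(("org", "org-unit", ov))
    return {"device_values": device_values, "org_value": ov, "alerts": alerts}


if __name__ == "__main__":
    result = evaluate_org(SAMPLE_ORG, mu_device=0.5, mu_org=0.3)
    for category, name, value in result["alerts"]:
        print(f"EARLY WARNING [{category}] {name}: {value} "
              f"-> display {display_mode(category, value)}")
```

With the constructed input, dev-A rolls up to 13.25 and dev-B to 5.25, and the organization unit to about 14.83; one data item, one device and the organization unit reach their preset values, so three early warnings are raised while dev-B stays in the normal (green) display mode.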
Prior to step S130, the method may further comprise:
and creating and storing multidimensional parameters corresponding to each type of vulnerability data and each type of threat data in the network data.
Understandably, the object on which each type of vulnerability data or threat data occurs is typically a network device 20. When creating the correspondence between the network data and the multidimensional parameters, measurement may be performed along multiple dimensions, such as the various types of network devices 20, the organization units in which the network devices 20 are located, and vulnerability/threat events of the same type, so as to obtain the multidimensional parameters corresponding to each type of vulnerability data and each type of threat data. For example, the multidimensional parameters created for each type of vulnerability data and each type of threat data may include reference values in multiple dimensions, as shown in fig. 4 to 7, which helps improve the accuracy and completeness of the detected threat values.
Based on this design, threat values are detected comprehensively for threat information such as vulnerability data and threat data across multiple dimensions, such as the threat profile, the threat target (the network device 20), lateral propagation (propagation among network devices 20 of the same type), and the organization unit, so that the network security events with the largest impact are handled in time according to the magnitude and ranking of the threat values. In addition, with this method the threat values of assets such as the network devices 20 and application programs can be calculated, so that the threat situation of an organization unit can be calculated from the threat values of multiple assets, and network threats can be conveniently monitored and managed from multiple perspectives, such as by region and by industry.
Referring to fig. 8, an embodiment of the present application further provides a network security detection apparatus 200, which can be applied to the electronic device 10 described above to execute the steps of the method. The network security detection apparatus 200 includes at least one software functional module, which can be stored in the storage module 12 in the form of software or firmware, or built into the operating system (OS) of the electronic device 10. The processing module 11 is used to execute the executable modules stored in the storage module 12, such as the software functional modules and computer programs included in the network security detection apparatus 200.
The network security detection apparatus 200 may include a first obtaining unit 210, a preprocessing unit 220, a second obtaining unit 230, and a detection determining unit 240, and may perform the following operations:
a first obtaining unit 210, configured to obtain a network data set collected from a network device 20 in an organization unit and from an application program in the network device 20, where the network data set includes at least one of vulnerability data and threat data;
a preprocessing unit 220, configured to preprocess the network data in the network data set to obtain target network data in a specified format;
a second obtaining unit 230, configured to obtain a target multidimensional parameter corresponding to the target network data based on a corresponding relationship between network data and the multidimensional parameter, where the target multidimensional parameter includes at least two of an importance value corresponding to the organization unit, a reference value corresponding to availability and influence of the target network data, a similar threatened level value of the vulnerability data or the threat data in the target network data in the network device 20, and a reference value of the network device 20 itself;
a detection determining unit 240, configured to determine, according to the target multidimensional parameter, a first detection result of a threat value representing the target network data.
Optionally, the detection determining unit 240 is further configured to determine the second detection result of the threat value representing the network device 20 according to the threat value of each type of target network data of the network device 20 or according to the threat value of each type of target network data of the application program in the network device 20.
Optionally, the detection determining unit 240 is further configured to determine a third detection result representing the threat value of the organization unit according to the threat value of each network device 20 in the organization unit.
Optionally, the network security detection apparatus 200 may further include a prompting unit, configured to send an early warning prompt when at least one type of threat value among the threat values of the target network data, the threat values of the network devices 20, and the threat values of the organization units reaches a corresponding preset value.
Optionally, the network security detection apparatus 200 may further include an output display unit, configured to output and display at least one type of threat values among the threat values of the target network data, the threat values of the network devices 20, and the threat values of the organization units, where when any type of threat values reaches a corresponding preset value, the threat values reaching the preset value and the types of the threat values are displayed in a display mode representing an early warning.
Optionally, the network security detection apparatus 200 may further include a creation unit. Before the second obtaining unit 230 executes step S130, the creating unit is configured to create and store multidimensional parameters corresponding to each type of vulnerability data and each type of threat data in the network data.
Optionally, the preprocessing unit 220 may be further configured to:
carrying out data deduplication on the network data in the network data set to obtain a network data set subjected to data deduplication;
filtering the interference data in the network data set after the duplication is removed according to a preset filtering rule to obtain a filtered network data set;
and converting each network data in the filtered network data set into the target network data in the specified format.
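The following Python example is added to illustrate the three preprocessing operations of the preprocessing unit 220 listed above (deduplication, filtering of interference data by preset rules, and conversion into the specified format); it is not code from the patent. The raw records, the two source formats (a vulnerability scanner and an intrusion detection sensor), the filtering rules, the severity mappings and the shape of the "specified format" are all constructed assumptions, and the vulnerability identifiers are placeholders.

```python
import json
from typing import Dict, List

# Constructed sample network data set (not from the patent): records collected
# from one network device and an application on it, arriving in two
# source-specific shapes (a vulnerability scanner and an intrusion detection
# sensor). Identifiers are placeholders.
RAW_NETWORK_DATA: List[dict] = [
    {"src": "vulnscan", "host": "10.0.0.5", "plugin": "VULN-ID-PLACEHOLDER-1", "sev": "high"},
    {"src": "vulnscan", "host": "10.0.0.5", "plugin": "VULN-ID-PLACEHOLDER-1", "sev": "high"},  # duplicate
    {"src": "ids", "dst_ip": "10.0.0.5", "sig": "brute-force-login", "priority": 2, "app": "ssh"},
    {"src": "ids", "dst_ip": "10.0.0.5", "sig": "brute-force-login", "priority": 2, "app": "ssh"},  # duplicate
    {"src": "vulnscan", "host": "10.0.0.5", "plugin": "VULN-ID-PLACEHOLDER-2", "sev": "info"},
    {"src": "ids", "dst_ip": "10.0.0.99", "sig": "scanner-self-test", "priority": 3, "app": "http"},
]

# Preset filtering rules (constructed): what this deployment treats as
# interference data that should not reach threat-value detection.
FILTER_RULES: Dict[str, set] = {
    "drop_severities": {"info"},               # informational scanner findings
    "drop_signatures": {"scanner-self-test"},  # sensor noise from our own tooling
    "drop_hosts": {"10.0.0.99"},               # lab host that is not an in-scope asset
}

SEVERITY_WORDS = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
IDS_PRIORITY = {1: 4, 2: 3, 3: 2, 4: 1}  # sensor priority 1 is the most severe

# The "specified format" (assumed): every target network data item has exactly these keys.
TARGET_FIELDS = frozenset({"device", "application", "category", "type", "severity"})


def deduplicate(records: List[dict]) -> List[dict]:
    """Step 1: drop exact duplicate records, keeping the first occurrence and order."""
    seen = set()
    unique = []
    for rec in records:
        key = json.dumps(rec, sort_keys=True)  # canonical form so key order does not matter
        if key not in seen:
            seen.add(key)
            unique.append(rec)
    return unique


def is_interference(rec: dict, rules: Dict[str, set] = FILTER_RULES) -> bool:
    """A record is interference data if any preset filtering rule matches it."""
    host = rec.get("host") or rec.get("dst_ip")
    return (rec.get("sev") in rules["drop_severities"]
            or rec.get("sig") in rules["drop_signatures"]
            or host in rules["drop_hosts"])


def filter_interference(records: List[dict], rules: Dict[str, set] = FILTER_RULES) -> List[dict]:
    """Step 2: remove interference data from the deduplicated set."""
    return [rec for rec in records if not is_interference(rec, rules)]


def to_target_format(rec: dict) -> dict:
    """Step 3: convert one source-specific record into the specified format."""
    if rec["src"] == "vulnscan":
        item = {"device": rec["host"], "application": None, "category": "vulnerability",
                "type": rec["plugin"], "severity": SEVERITY_WORDS[rec["sev"]]}
    elif rec["src"] == "ids":
        item = {"device": rec["dst_ip"], "application": rec.get("app"), "category": "threat",
                "type": rec["sig"], "severity": IDS_PRIORITY[rec["priority"]]}
    else:
        raise ValueError(f"unknown source {rec['src']!r}")
    if set(item) != TARGET_FIELDS:
        raise ValueError("converted item does not match the specified format")
    return item


def preprocess(records: List[dict], rules: Dict[str, set] = FILTER_RULES) -> List[dict]:
    """Dedup -> filter -> convert, in the order the preprocessing unit 220 is described."""
    return [to_target_format(rec) for rec in filter_interference(deduplicate(records), rules)]


if __name__ == "__main__":
    for item in preprocess(RAW_NETWORK_DATA):
        print(item)
```

The six constructed records shrink to four after deduplication and to two after the filtering rules are applied; the two survivors come out with the same five keys regardless of which source produced them, which is what lets the later lookup of target multidimensional parameters key on the "category" and "type" fields uniformly.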
In this embodiment, the processing module 11 may be an integrated circuit chip having signal processing capability. The processing module 11 may be a general-purpose processor. For example, the processor may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present application.
The storage module 12 may be, but is not limited to, a random access memory, a read-only memory, a programmable read-only memory, an erasable programmable read-only memory, an electrically erasable programmable read-only memory, and the like. In this embodiment, the storage module 12 may be configured to store network data such as vulnerability data and threat data. Of course, the storage module 12 may also be used to store a program, and the processing module 11 executes the program after receiving the execution instruction.
The communication module 13 is used for establishing a communication connection between the electronic device 10 and the network device 20 through a network, and transceiving data through the network.
It is understood that the configuration shown in fig. 2 is only a schematic configuration of the electronic device 10, and that the electronic device 10 may further include more components than those shown in fig. 2. The components shown in fig. 2 may be implemented in hardware, software, or a combination thereof.
It should be noted that, as will be clear to those skilled in the art, for convenience and brevity of description, the specific working process of the electronic device 10 described above may refer to the corresponding process of each step in the foregoing method, and will not be described in too much detail herein.
The embodiment of the application also provides a computer readable storage medium. The computer-readable storage medium has stored therein a computer program which, when run on a computer, causes the computer to execute the network security detection method as described in the above embodiments.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by hardware, or by software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB disk, a removable hard disk, etc.), and includes several instructions to enable a computer device (which can be a personal computer, a server, or a network device, etc.) to execute the method described in the embodiments of the present application.
In summary, the present application provides a network security detection method, an apparatus, an electronic device, and a readable storage medium. The method may include the following steps: obtaining a network data set collected from network equipment in an organization unit and from an application program in the network equipment, where the network data set includes at least one of vulnerability data and threat data; preprocessing the network data in the network data set to obtain target network data in a specified format; obtaining target multidimensional parameters corresponding to the target network data based on the correspondence between network data and multidimensional parameters, where the target multidimensional parameters include at least two of an importance degree value corresponding to the organization unit, a reference value corresponding to the availability and influence degree of the target network data, a same-type threatened degree value of the vulnerability data or threat data in the target network data across network equipment, and a reference value of the network equipment itself; and determining a first detection result representing the threat value of the target network data according to the target multidimensional parameters.
In this scheme, when network security detection is performed on the threat of the target network data, the threat can be detected from multiple dimensions by combining at least two of the importance degree value corresponding to the organization unit, the reference value corresponding to the availability and influence degree of the target network data, the same-type threatened degree value of the vulnerability data or threat data in the target network data across network equipment, and the reference value of the network equipment itself, so that the accuracy and completeness of network threat detection can be improved.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus, system, and method may be implemented in other ways. The apparatus, system, and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A network security detection method, the method comprising:
acquiring a network data set collected from network equipment in an organization unit and from an application program in the network equipment, wherein the network data set comprises at least one of vulnerability data and threat data;
preprocessing the network data in the network data set to obtain target network data in a specified format;
acquiring a target multidimensional parameter corresponding to the target network data based on a corresponding relation between the network data and the multidimensional parameter, wherein the target multidimensional parameter comprises at least two of an importance degree value corresponding to the organization unit, a reference value corresponding to the availability and influence degree of the target network data, a similar threatened degree value of the vulnerability data or the threat data in the target network data in the network equipment, and a reference value of the network equipment;
and determining a first detection result of the threat value representing the target network data according to the target multidimensional parameter.
2. The method of claim 1, further comprising:
and determining a second detection result of the threat value representing the network equipment according to the threat value of each type of target network data of the network equipment or the threat value of each type of target network data of an application program in the network equipment.
3. The method of claim 2, further comprising:
and determining a third detection result representing the threat value of the organization unit according to the threat value of each network device in the organization unit.
4. The method according to any one of claims 1-3, further comprising:
and when at least one type of threat value among the threat value of the target network data, the threat value of the network equipment and the threat value of the organization unit reaches a corresponding preset value, sending out an early warning prompt.
5. The method of claim 1, further comprising:
and outputting and displaying at least one type of threat values of the target network data, the threat values of the network equipment and the threat values of the organization units, wherein when the threat values of any type reach corresponding preset values, the threat values reaching the preset values and the types of the threat values are displayed in a display mode representing early warning.
6. The method of claim 1, wherein prior to obtaining the target multidimensional parameters corresponding to the target network data, the method further comprises:
and creating and storing multidimensional parameters corresponding to each type of vulnerability data and each type of threat data in the network data.
7. The method of claim 1, wherein preprocessing the network data in the network data set to obtain target network data in a specified format comprises:
carrying out data deduplication on the network data in the network data set to obtain a network data set subjected to data deduplication;
filtering the interference data in the network data set after the duplication is removed according to a preset filtering rule to obtain a filtered network data set;
and converting each network data in the filtered network data set into the target network data in the specified format.
8. An apparatus for detecting network security, the apparatus comprising:
a first acquisition unit, configured to acquire a network data set collected from network equipment in an organization unit and from an application program in the network equipment, wherein the network data set comprises at least one of vulnerability data and threat data;
the preprocessing unit is used for preprocessing the network data in the network data set to obtain target network data in a specified format;
a second obtaining unit, configured to obtain a target multidimensional parameter corresponding to the target network data based on a corresponding relationship between network data and the multidimensional parameter, where the target multidimensional parameter includes at least two of an importance value corresponding to the organization unit, a reference value corresponding to availability and an influence of the target network data, a similar threatened level value of the vulnerability data or the threat data in the target network data in the network device, and a reference value of the network device itself;
and the detection determining unit is used for determining a first detection result of the threat value representing the target network data according to the target multidimensional parameter.
9. An electronic device, characterized in that the electronic device comprises a processor and a memory coupled to each other, the memory storing a computer program which, when executed by the processor, causes the electronic device to perform the method according to any of claims 1-7.
10. A computer-readable storage medium, in which a computer program is stored which, when run on a computer, causes the computer to carry out the method according to any one of claims 1 to 7.
CN202011554743.5A 2020-12-22 2020-12-22 Network security detection method and device, electronic equipment and readable storage medium Active CN112637215B (en)

Publications (2)

Publication Number Publication Date
CN112637215A true CN112637215A (en) 2021-04-09
CN112637215B CN112637215B (en) 2023-10-13


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant