CN112751809A - Asset vulnerability calculation method and device, storage medium and server - Google Patents


Info

Publication number: CN112751809A
Application number: CN201911050203.0A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 袁军
Current and original assignee: ZTE Corp (application filed by ZTE Corp)
Prior art keywords: information, vulnerability, asset, score, calculating
Legal status: Pending
Related applications: priority to CN201911050203.0A; PCT application PCT/CN2020/121862 (published as WO2021082966A1)

Classifications

All under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L9/40 Network security protocols (under H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
    • H04L63/1433 Vulnerability analysis (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 for detecting or protecting against malicious traffic)
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The embodiment of the application discloses a method and a device for calculating asset vulnerability, a storage medium and a server, and belongs to the technical field of network security. The method comprises the following steps: acquiring attribute information of an asset, wherein the attribute information comprises at least one of vulnerability information of unrepaired vulnerabilities in the asset, port information of an open port, operating system information and security defense information; and calculating the grade of the vulnerability of the asset according to the attribute information. According to the method and the device, the accuracy and the calculation efficiency of asset vulnerability calculation can be improved.

Description

Asset vulnerability calculation method and device, storage medium and server
Technical Field
The embodiment of the application relates to the technical field of network security, in particular to a method and a device for calculating asset vulnerability, a storage medium and a server.
Background
Risk assessment in the field of network security is to apply scientific means and systematically analyze threats faced by assets and existing vulnerabilities thereof and assess the degree of damage possibly caused once threat events occur. Risk assessment relates to the calculation of asset vulnerability for assessing the severity of asset vulnerability and providing a reference for security operation and maintenance personnel to maintain assets.
In the related technology, an expert team can be established firstly, each expert in the expert team scores the vulnerability of the assets according to the data grade stored in the assets, the importance level of a business system operated on the assets, the trust relationship among the assets and other dimensions, and then the score of the vulnerability of the assets is calculated according to the score of each expert.
The scoring dimension of the asset vulnerability is fuzzy or single, and the asset vulnerability is difficult to quantify, so that the subjective scoring is required by experts, and whether the experience of the experts is rich or not influences the scoring accuracy. In addition, as the number of assets increases, the workload of asset vulnerability calculation is large, thereby affecting the efficiency of asset vulnerability calculation.
Disclosure of Invention
The embodiment of the application provides a method and a device for calculating the vulnerability of an asset, a storage medium and a server, which are used for solving the problems of inaccurate scoring of the vulnerability of the asset and low calculation efficiency. The technical scheme is as follows:
in one aspect, a method for computing vulnerability of an asset is provided, the method comprising: acquiring attribute information of an asset, wherein the attribute information comprises at least one of vulnerability information of unrepaired vulnerabilities in the asset, port information of an open port, operating system information and security defense information; and calculating the grade of the vulnerability of the asset according to the attribute information.
In one aspect, a computing device for asset vulnerability is provided, the device comprising: the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring attribute information of an asset, and the attribute information comprises at least one of vulnerability information of unrepaired vulnerabilities in the asset, port information of an open port, operating system information and security defense information; and the calculating module is used for calculating the grade of the vulnerability of the asset according to the attribute information.
In one aspect, there is provided a computer readable storage medium having stored therein at least one instruction, at least one program, set of codes, or set of instructions that is loaded and executed by a processor to implement a method of computing an asset vulnerability as described above.
In one aspect, a server is provided, the server comprising a processor and a memory, the memory having stored therein at least one instruction, the instruction being loaded and executed by the processor to implement the method for computing asset vulnerability as described above.
The technical scheme provided by the embodiment of the application has the beneficial effects that at least:
By acquiring the attribute information of the asset, which includes at least one of vulnerability information of unrepaired vulnerabilities in the asset, port information of an open port, operating system information and security defense information, information of four dimensions is obtained, and the attribute information of each dimension can be quantized. The score of the vulnerability of the asset can therefore be calculated automatically from the attribute information without subjective scoring by an expert, which avoids the inaccuracy of expert scoring and improves the accuracy of asset vulnerability calculation. In addition, even when the workload of asset vulnerability calculation is large, the score can be calculated automatically from the attribute information, which improves the calculation efficiency of asset vulnerability calculation.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a flow chart of a method for computing asset vulnerabilities provided by one embodiment of the present application;
FIG. 2 is a flow chart of a method for calculating asset vulnerabilities provided by another embodiment of the present application;
FIG. 3 is a schematic flow chart diagram illustrating a method for calculating asset vulnerabilities according to another embodiment of the present application;
FIG. 4 is a flow chart of a method for calculating asset vulnerabilities provided by another embodiment of the present application;
FIG. 5 is a flow chart of a method for calculating asset vulnerabilities provided by another embodiment of the present application;
FIG. 6 is a schematic flow chart diagram illustrating a method for calculating asset vulnerabilities according to another embodiment of the present application;
FIG. 7 is a block diagram of a computing device for asset vulnerability provided by yet another embodiment of the present application;
FIG. 8 is a block diagram of a computing system, according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present application more clear, the embodiments of the present application will be further described in detail with reference to the accompanying drawings.
Since network security is not only related to information resources and asset risks of organizations and individual users, but also related to national security and social stability, risk assessment of network security is required. Risk assessment in the field of network security is to apply scientific means, analyze threats faced by networks and information systems and vulnerability of the threats, and assess the degree of harm possibly caused once threat events occur. Safety operation and maintenance personnel can make targeted protection countermeasures and rectification measures for resisting threats according to the risk assessment report, so that information safety risks are prevented and solved or the risks are controlled within an acceptable level.
Generally, risk assessment involves three elements, asset value, threat, vulnerability. Each element has a respective attribute. Wherein the asset value attribute is asset value importance; the threat attribute is an asset threat frequency of occurrence; the vulnerability attribute is the severity of the asset vulnerability. Risk assessment mainly relates to asset value identification, vulnerability identification and threat identification, and the embodiment mainly focuses on vulnerability identification of assets, namely, calculating the scores of the vulnerabilities of the assets.
Because the method for calculating the vulnerability of the asset in the related art is subjective, the evaluation method is too complex and difficult to implement, and the evaluation dimensions are fuzzy, this embodiment provides a method for calculating the vulnerability of the asset. The method acquires the attribute information of the asset from an IT (Internet Technology) asset management system, classifies the attribute information according to different dimensions, and calculates the score of the vulnerability of the asset to complete the identification of the vulnerability of the asset. The method is introduced through several embodiments below.
Referring to fig. 1, a flowchart of a method for computing an asset vulnerability provided by an embodiment of the present application is shown, and the method for computing an asset vulnerability can be applied to a server. The method for calculating the vulnerability of the asset can comprise the following steps:
step 101, obtaining attribute information of an asset, where the attribute information includes at least one of vulnerability information of an unrepaired vulnerability in the asset, port information of an open port, operating system information, and security defense information.
The asset is a device, and may be a terminal, a server, and the like, and the embodiment is not limited.
In this embodiment, the server may obtain attribute information of the asset from the IT asset management system, where the attribute information is related to the vulnerability of the asset itself. The attribute information includes, but is not limited to: vulnerability information of unrepaired vulnerabilities in the asset, port information of ports opened in the asset, operating system information of the operating system installed in the asset, and security defense information of security defense programs, such as antivirus programs and firewalls, installed in the asset.
In one embodiment, the server may also categorize the attribute information. For example, the server may classify vulnerability information of an unrepaired vulnerability into an attribute factor for asset vulnerability calculation, where the attribute factor represents the vulnerability of the vulnerability, and is referred to as RV for short; port information of an open port can be classified into an attribute factor of asset vulnerability calculation, wherein the attribute factor represents the open port, namely RP; operating system information may be classified as an attribute factor of the asset vulnerability calculation, which represents the operating platform, abbreviated as RS; the security defense information may be classified as an attribute factor of the asset vulnerability calculation that represents the protection capability, abbreviated as RD, which is exemplified below.
1. The RV includes information about the unrepaired vulnerabilities and may indicate how vulnerable each of them is, i.e., which known security weaknesses, of the kind circulated in threat intelligence, exist in the asset itself.
The vulnerability information may include identification information of the vulnerability, which may include at least one of an identity (ID) and a name (name). Of course, the vulnerability information may also include other information, and this embodiment is not limited. Assuming that the ID of one vulnerability is cve_10001 and its name is Flash leak, and the ID of another vulnerability is cve_20004 and its name is Explorer risk, the RV table is shown in Table 1 below.
Table 1
ID          name
cve_10001   Flash leak
cve_20004   Explorer risk
2. The RP includes the port number of each port opened by the asset and the service provided by the port, etc., which may indicate whether an interface exposed by the asset can possibly be exploited or intruded upon. Unlike the RV, where vulnerabilities are known information that has already been discovered to be exploited by attackers, the RP is only a possible inference of vulnerability: after all, a service being turned on does not necessarily mean it is compromised.
The port information may include identification information of the port, which may include the name (name) of the port. Optionally, since the port is used to provide a service, the port information may further include service information, which may include the name (name) of the service. Of course, the port information may also include other information, and this embodiment is not limited. Assuming that the port name in the port information is 32001 and the service name is telnet, the RP table is shown in Table 2 below.
Table 2
TYPE      name
port      32001
service   telnet
3. The RS includes operating system information, which may indicate attributes of the system platform.
The operating system information may include type information of the operating system, which may be Windows or Linux. In addition, since the number and harmfulness of vulnerabilities differ between operating system versions, the operating system information may further include the version number of the operating system, so that the vulnerability of the operating system is indicated by the version number. For example, Windows XP is no longer officially maintained and is therefore more vulnerable; Linux also has many derived system versions with different vulnerabilities. Assuming that the asset has a Linux system with version number 3.16.001 installed, the RS table is shown in the first row of Table 3 below; assuming that a Windows system with version number 10.01 is installed in the asset, the RS table is shown in the second row of Table 3 below.
Table 3
Sys_TYPE   Sys_version
Linux      3.16.001
Windows    10.01
4. The RD includes security defense information that may indicate the protective capabilities of the asset, such as whether to install a virus killer, whether to turn on a firewall, or whether there are other defensive measures, etc. It may account for the defense and robustness of an asset, with the greater the defense, the greater the ability to resist possible attacks and the less risk.
The security defense information may include a type (defence_TYPE), a name (name), a status (status), and an update mode (Update_mode). Assuming that the status of the firewall (firewall) is strict (strict), and the name of the anti-virus program is mcAfee, its status is open (open) and its update mode is daily update (daily), the RD table is shown in Table 4 below (empty cells are left blank in the table).
Table 4
defence_TYPE   name     status   Update_mode
firewall       -        strict   -
Anti-virus     mcAfee   open     daily
Step 102, calculating the score of the vulnerability of the asset according to the attribute information.
In this embodiment, when the attribute information is classified as an attribute factor, a score of the attribute factor is calculated, and the score is used as a score of vulnerability of the asset; when the attribute information is classified into a plurality of attribute factors, the score of each attribute factor is calculated, and the product obtained by multiplying all the scores is used as the score of the vulnerability of the asset.
In summary, according to the asset vulnerability calculating method provided by the embodiment of the present application, by obtaining the attribute information of the asset, where the attribute information includes at least one of vulnerability information of unrepaired vulnerabilities in the asset, port information of an open port, operating system information and security defense information, since the attribute information includes information of four dimensions and the attribute information of each dimension can be quantized, the score of the vulnerability of the asset can be automatically calculated according to the attribute information without subjective scoring by an expert, so that the problem of inaccurate score scoring by the expert can be avoided, and the accuracy of asset vulnerability calculation is improved; in addition, even if the workload of the asset vulnerability calculation is large, the score can be automatically calculated according to the attribute information, so that the calculation efficiency of the asset vulnerability calculation is improved.
It should be noted that, because the attribute information may be classified into a plurality of attribute factors, different calculation methods may be adopted for different attribute factors, so that the score of the attribute factor is more reasonable. For example, when the attribute information includes at least one of vulnerability information, port information, and operating system information, the server further needs to obtain threat information, and calculate a score of the vulnerability of the asset according to the attribute information and the threat information; when the attribute information includes security defense information, the server does not need to acquire threat information and directly calculates the vulnerability score of the asset according to the attribute information. The manner of acquiring threat information is described below.
In this embodiment, the server may obtain threat information from a threat intelligence system. The threat intelligence system may be an external threat intelligence system (such as the Common Vulnerability Scoring System, CVSS), an internal proprietary threat intelligence system, or a threat intelligence system formed by combining multiple threat intelligence systems, which is not limited in this embodiment.
After the threat information is obtained, the server may classify the threat information with reference to the attribute factors, and the threat information may be classified into vulnerability-related threat information, port-related threat information, and operating system-related threat information. These three kinds of threat information are exemplified below.
1. The vulnerability-related threat information may indicate a threat level of the vulnerability, and the threat level may be represented by two dimensions, the source of the vulnerability and the hazard level. The source of the vulnerability may be an operating system or an application, and generally speaking, the vulnerability on the operating system surface is more harmful than the vulnerability on the application surface. The hazard level may be converted from a threat level of a threat intelligence system, for example, if the threat level in the threat intelligence system is lethal, severe, high-level, medium-level, low-level, the corresponding hazard level may be 5, 4, 3, 2, 1, i.e., the greater the hazard level, the greater the hazard.
It should be noted that, this embodiment is only illustrated with the threat level being 5 levels, and in actual implementation, the threat level may be greater than 5 levels or less than 5 levels, which is not limited in this embodiment. In addition, the embodiment is only exemplified by the threat level and the hazard level being in a positive correlation, and in actual implementation, the threat level and the hazard level may also be in a negative correlation, and the embodiment is not limited.
When the threat information includes the name, source, and hazard level of the vulnerability, the threat information may be as shown in Table 5 below.
Table 5
Name              Source                Hazard level
Vulnerability 1   2-operating system    1
Vulnerability 2   1-application         2
Vulnerability 3   1-application         3
It should be noted that the server may read an identifier or a name of the vulnerability in the vulnerability information, and then search the threat information of the vulnerability in the threat information according to the identifier or the name.
2. The port-related threat information may indicate a threat level for the port, and the threat level may be represented by a hazard level. That is, the hazard level may be obtained by converting the threat level of the threat intelligence system, which is described in detail in the foregoing, and is not described herein again.
When the threat information includes a port number and a hazard level, the threat information may be as shown in Table 6 below.
Table 6
Port number   Hazard level
10045         2
2345          3
It should be noted that the server may read the port number of the port in the port information, and then search the threat information of the port in the threat information according to the port number.
3. The operating system-related threat information may indicate a threat level of the operating system, and the threat level may be represented by two dimensions: the number of unrepaired vulnerabilities in the operating system and the maximum hazard level. The maximum hazard level may be obtained by converting the threat level of the threat intelligence system, as described in the foregoing, and is not described herein again.
When the threat information includes a system version, a number of vulnerabilities, and a maximum hazard level, the threat information may be as shown in Table 7 below.
Table 7
System version   Number of vulnerabilities   Maximum hazard level
Linux3.6         10                          2
Windows10        100                         3
It should be noted that the server may read the type and version number of the operating system in the operating system information, and then search the threat information of the operating system in the threat information according to the type and version number.
Referring to fig. 2, a flowchart of a method for computing an asset vulnerability, which may be applied in a server, is shown, according to another embodiment of the present application, and attribute information includes vulnerability information, and threat information includes vulnerability-related threat information. The method for calculating the vulnerability of the asset can comprise the following steps:
step 201, obtaining attribute information of an asset, where the attribute information includes vulnerability information of a vulnerability that is not repaired in the asset.
The explanation of the attribute information is described in step 101, and is not described herein.
Step 202, obtaining threat information matched with the vulnerability information, wherein the threat information is used for indicating a threat level corresponding to the vulnerability information.
The explanation of the threat information is described in detail in the above description, and is not described in detail here.
Step 203, calculating first weight values of all the vulnerabilities according to the vulnerability information and the threat information, wherein the first weight values are used for indicating the vulnerability level of the corresponding vulnerability.
The calculation process of the first weight value may include the following sub-steps:
in sub-step 2031, for each vulnerability indicated by the vulnerability information, a source code value and a first hazard level of the vulnerability are obtained from the threat information, the source code value is obtained by encoding the source of the vulnerability, and the first hazard level is obtained by encoding the threat level of the vulnerability.
The source may be an operating system or an application, and therefore, the server also needs to encode (also called quantize) the source to obtain the source code value. For example, if the os is coded to 2 and the application is coded to 1, the source code value from the os is 2 and the source code value from the application is 1.
Threat levels in a threat intelligence system may be fatal, severe, high-level, medium-level, or low-level, so the server needs to encode (also called quantize) the threat level to obtain the corresponding first hazard level. For example, if fatal is coded 5, severe 4, high-level 3, medium-level 2 and low-level 1, then a vulnerability whose threat level is high-level has a first hazard level of 3.
In sub-step 2032, the source code value is multiplied by the first hazard level to obtain the first weight value of the vulnerability.
If the first weight value is denoted $W_i$, then $W_i = \text{source code value} \times \text{first hazard level}$.
If the source code value lies in $[1,2]$ and the first hazard level lies in $[1,5]$, then $W_i$ has a value range of $[1,10]$.
The server may calculate the first weight values of all vulnerabilities through sub-steps 2031-2032 and, assuming there are $N$ ($N \geq 1$) vulnerabilities, obtain the first weight value set $\{W_1, W_2, \ldots, W_N\}$.
Step 204, calculating a first average value of all the first weight values.
If the first average value is denoted $RV_{mean}$, then
$$RV_{mean} = \frac{1}{N}\sum_{i=1}^{N} W_i$$
Step 205, the first average value is multiplied by the largest first weight value of all the first weight values, and then normalization processing is performed, so as to obtain the score of the vulnerability of the asset.
The server may select the largest first weight value from the first weight value set, denoted $RV_{prime} = \max\{W_1, W_2, \ldots, W_N\}$.
The server may combine the first average value and the largest first weight value into a score pair $\langle RV_{prime}, RV_{mean} \rangle$.
The server may multiply the first average value by the largest first weight value, i.e., $X = RV_{prime} \cdot RV_{mean}$, and then normalize $X$:
[normalization formula: equation image not reproduced in the source]
to obtain $RV = \mathrm{trans}(RV_{prime} \cdot RV_{mean})$. Here, 1.04 is an experimental value.
In this embodiment, for example, the attribute information is taken as vulnerability information, and the numerical value calculated in step 205 may be used as a score of vulnerability of the asset.
In summary, according to the asset vulnerability calculating method provided by the embodiment of the present application, by obtaining the attribute information of the asset, where the attribute information includes vulnerability information of a vulnerability that is not repaired in the asset, since the attribute information can be quantized, the score of the vulnerability of the asset can be automatically calculated according to the attribute information without subjective scoring by an expert, so that the problem of inaccurate scoring by the expert can be avoided, and the accuracy of asset vulnerability calculation is improved; in addition, even if the workload of the asset vulnerability calculation is large, the score can be automatically calculated according to the attribute information, so that the calculation efficiency of the asset vulnerability calculation is improved.
By calculating the maximum value and the average value of the first weighted value, the influence of the most serious quantization value of the vulnerability on the vulnerability of the asset can be reflected, the influence of the average quantization value of the vulnerability on the whole vulnerability of the asset can also be reflected, and the vulnerability of the asset can be comprehensively reflected by the quantization mode from multiple angles.
Referring to fig. 3, a flowchart of a method for computing an asset vulnerability, which may be applied to a server, according to another embodiment of the present application is shown, and attribute information includes port information, and threat information includes port-related threat information. The method for calculating the vulnerability of the asset can comprise the following steps:
step 301, obtaining attribute information of an asset, where the attribute information includes port information of an open port.
The explanation of the attribute information is described in step 101, and is not described herein.
Step 302, obtaining threat information matched with the port information, where the threat information is used to indicate a threat level corresponding to the port information.
The explanation of the threat information is described in detail in the above description, and is not described in detail here.
And step 303, calculating second weight values of all opened ports according to the port information and the threat information, wherein the second weight values are used for indicating the vulnerability level of the corresponding port.
The calculation process of the second weight value may include the following sub-steps:
Sub-step 3031, for each port indicated by the port information, obtaining a second hazard level of the port from the threat information, wherein the second hazard level is obtained by encoding the threat level of the port.
Threat levels in a threat intelligence system may be fatal, severe, high-level, medium-level, or low-level, so the server needs to encode (also called quantize) the threat level to obtain the corresponding second hazard level. For example, if fatal is coded 5, severe 4, high-level 3, medium-level 2 and low-level 1, then a port whose threat level is high-level has a second hazard level of 3.
In sub-step 3032, the second hazard level is added to a first value to obtain the second weight value of the port.
If the second weight value is denoted $WP_i$, then $WP_i = \text{second hazard level} + \text{first value}$. The first value is an empirical value or a value calculated according to a formula, and this embodiment is not limited.
If the first value is 5 and the second hazard level lies in $[1,5]$, then $WP_i$ has a value range of $[6,10]$.
The server may calculate the second weight values of all the ports through sub-steps 3031-3032 and, assuming there are $M$ ($M \geq 1$) open ports, obtain the second weight value set $\{WP_1, WP_2, \ldots, WP_M\}$.
Step 304, calculate a second average value of all the second weight values.
If the second average value is denoted $RP_{mean}$, then $RP_{mean} = \frac{1}{M}\sum_{i=1}^{M} W_i$.
Step 305, multiply the second average value by the largest of all the second weight values, and then perform normalization processing to obtain the score of the vulnerability of the asset.
The server may select the largest second weight value from the second weight value set, denoted as $RP_{prime} = \max\{W_1, W_2, \dots, W_M\}$.
The server may combine the second average value and the largest second weight value into a score pair $\langle RP_{prime}, RP_{mean} \rangle$.
The server may multiply the second average value by the largest second weight value, i.e. $X = RP_{prime} \cdot RP_{mean}$, and then normalize X to obtain $RP = trans(RP_{prime} \cdot RP_{mean})$. The normalization function trans is given only as an image in the original document and is not reproduced here; 1.04 is an experimental value used in it.
In this embodiment, the attribute information is taken as port information for example, and the numerical value calculated in step 305 may be used as a score of vulnerability of the asset.
In summary, according to the asset vulnerability calculating method provided by the embodiment of the present application, by acquiring the attribute information of the asset, where the attribute information includes the port information of the open port, since the attribute information can be quantized, the score of the vulnerability of the asset can be automatically calculated according to the attribute information without subjective scoring by an expert, so that the problem of inaccurate scoring by the expert can be avoided, and the asset vulnerability calculating accuracy is improved; in addition, even if the workload of the asset vulnerability calculation is large, the score can be automatically calculated according to the attribute information, so that the calculation efficiency of the asset vulnerability calculation is improved.
By calculating the maximum value and the average value of the second weighted value, the influence of the most serious quantization value of the port on the vulnerability of the asset can be reflected, the influence of the average quantization value of the port on the overall vulnerability of the asset can also be reflected, and the vulnerability of the asset can be comprehensively reflected by the quantization mode from multiple angles.
Referring to fig. 4, a flowchart of a method for computing an asset vulnerability, which may be applied in a server, is shown, according to another embodiment of the present application, and attribute information includes operating system information, and threat information includes operating system-related threat information. The method for calculating the vulnerability of the asset can comprise the following steps:
Step 401, obtain attribute information of an asset, where the attribute information includes operating system information.
The explanation of the attribute information is described in step 101, and is not described herein.
Step 402, obtaining threat information matched with the operating system information, where the threat information includes the number of vulnerabilities in the operating system, the total number of vulnerabilities of all operating systems, and a third hazard level of the operating system, where the third hazard level is obtained by encoding the threat level of the operating system.
The explanation of the threat information is described in detail in the above description, and is not described in detail here.
In step 403, the quotient obtained by dividing the number of vulnerabilities by the total number of vulnerabilities is multiplied by a second numerical value.
The server divides the vulnerability number of the operating system of the asset by the total vulnerability number to obtain the percentage of the vulnerability of the operating system of the asset in the total vulnerability, and then multiplies the percentage by a second numerical value. The second value is an empirical value or a value calculated according to a formula, for example, 5, and this embodiment is not limited.
Step 404, add the third hazard level to the obtained product to obtain a score of the vulnerability of the asset.
That is, $RS = \frac{\text{number of vulnerabilities of the asset's operating system}}{\text{total number of vulnerabilities}} \times \text{second numerical value} + \text{third hazard level}$.
In this embodiment, the attribute information is taken as the operating system information for example, and the numerical value calculated in step 404 may be used as the score of the vulnerability of the asset.
In summary, according to the asset vulnerability calculating method provided by the embodiment of the present application, by acquiring the attribute information of the asset, where the attribute information includes the operating system information, and because the attribute information can be quantified, the score of the vulnerability of the asset can be automatically calculated according to the attribute information without subjective scoring by an expert, so that the problem of inaccurate scoring by the expert can be avoided, and the asset vulnerability calculating accuracy is improved; in addition, even if the workload of the asset vulnerability calculation is large, the score can be automatically calculated according to the attribute information, so that the calculation efficiency of the asset vulnerability calculation is improved.
Referring to fig. 5, a flowchart of a method for computing the vulnerability of the asset, which may be applied in the server, and the attribute information includes security defense information, according to another embodiment of the present application is shown. The method for calculating the vulnerability of the asset can comprise the following steps:
Step 501, obtain attribute information of an asset, where the attribute information comprises security defense information, and the security defense information comprises first configuration information of an antivirus program installed in the asset and second configuration information of a firewall installed in the asset.
The explanation of the attribute information is described in step 101, and is not described herein.
Step 502, obtaining first configuration information, and calculating a first score of the antivirus program according to the first configuration information.
The obtaining process of the first score may include: for each item of configuration information in the first configuration information, acquiring the first score corresponding to that item; and adding all of these first scores to obtain the first score of the antivirus program.
In this embodiment, the server may preset a first score corresponding to each item of configuration information. The following description covers three items: the brand of the antivirus program, whether the antivirus program has a scheduled scan configured, and whether the antivirus program has scheduled virus-signature updates configured.
1. Brand of the antivirus program: the capability and effectiveness of different antivirus brands usually differ, so the first score of a brand can be set with reference to user feedback and the ratings given by professional, publicly trusted authorities. Assume that the first score of this item is denoted $R_1(AV)$; a correspondence between $R_1(AV)$ and the configuration information of different brands may then be set, with $R_1(AV)$ having a value range of [1,5], where a lower first score means a higher overall rating of that brand's antivirus program.
2. Whether the antivirus program has a scheduled scan configured: assume that the first score of this item is denoted $R_2(AV)$. Different values may be set for the configuration values "yes" and "no", with the value for "yes" smaller than the value for "no"; the embodiment does not limit the specific values. For example, the first score corresponding to "yes" is set to 0, and the first score corresponding to "no" is set to 3.
3. Whether the antivirus program has scheduled virus-signature updates configured: assume that the first score of this item is denoted $R_3(AV)$. Different values may be set for the configuration values "yes" and "no", with the value for "yes" smaller than the value for "no"; the embodiment does not limit the specific values. For example, the first score corresponding to "yes" is set to 0, and the first score corresponding to "no" is set to 2.
After obtaining $R_1(AV)$, $R_2(AV)$ and $R_3(AV)$, the server may add all the first scores to obtain the first score. Assuming that the first score is denoted $R(AV)$, then $R(AV) = R_1(AV) + R_2(AV) + R_3(AV)$, where the value range of $R(AV)$ is [1,10].
The present embodiment is only illustrated by the configurations of the three aspects, and in actual implementation, the first score may be calculated according to any one or more of the three types of configuration information, or may also be calculated according to other configuration information, which is not limited in the present embodiment.
Step 503, obtaining the second configuration information, and calculating a second score of the firewall according to the second configuration information.
The obtaining process of the second score may include: for each item of configuration information in the second configuration information, acquiring the second score corresponding to that item; and adding all of these second scores to obtain the second score of the firewall.
In this embodiment, the server may preset a second score corresponding to each item of configuration information. The following description covers two items: whether the firewall is enabled, and the policy condition of the Access Control List (ACL) configured on the enabled firewall.
1. Whether the firewall is enabled: assume that the second score of this item is denoted $R_1(FW)$. Different values may be set for the configuration values "yes" and "no", with the value for "yes" smaller than the value for "no"; the present embodiment does not limit the specific values. For example, the second score corresponding to "yes" is set to 0, and the second score corresponding to "no" is set to 5.
2. Policy condition of the enabled firewall's ACL: assume that the second score of this item is denoted $R_2(FW)$. The server may analyze the policy state of the ACL: if the ACL policy is too permissive, for example if an any->any rule or a rule allowing any service appears, the firewall is not properly configured and a higher second score can be set; if the ACL policy is very strict, a lower second score may be set. The value range of this second score is [1,5].
After obtaining $R_1(FW)$ and $R_2(FW)$, the server may add all the second scores to obtain the second score. Assuming that the second score is denoted $R(FW)$, then $R(FW) = R_1(FW) + R_2(FW)$, where the value range of $R(FW)$ is [1,10].
The present embodiment is only illustrated by the configurations of the two aspects, and in actual implementation, the second score may be calculated according to any one or two of the two types of configuration information, or may also be calculated according to other configuration information, which is not limited in the present embodiment.
Step 504, the maximum of the first score and the second score is used as the score of the vulnerability of the asset.
That is, $RD = \max(R(AV), R(FW))$.
In this embodiment, the attribute information is exemplified as the security defense information, and the numerical value calculated in step 504 may be used as the score of the vulnerability of the asset.
In summary, according to the asset vulnerability calculating method provided by the embodiment of the present application, by acquiring the attribute information of the asset, where the attribute information includes the security defense information, and because the attribute information can be quantified, the score of the vulnerability of the asset can be automatically calculated according to the attribute information without subjective scoring by an expert, so that the problem of inaccurate scoring by the expert can be avoided, and the asset vulnerability calculating accuracy is improved; in addition, even if the workload of the asset vulnerability calculation is large, the score can be automatically calculated according to the attribute information, so that the calculation efficiency of the asset vulnerability calculation is improved.
It should be noted that the server may also combine the calculation flows shown in fig. 2 to 5, and then the server may calculate the score of the attribute factor RV, the score of the attribute factor RP, the score of the attribute factor RS, and the score of the attribute factor RD, and perform fusion calculation on the four scores to obtain the score of the vulnerability of the asset, please refer to fig. 6.
If the vulnerability score of the asset is denoted $R_{features}$, the four scores are fused by the formula $Y = RV \cdot RP \cdot RS \cdot RD$, where the value range of Y is $[1, 10^4]$; Y is then normalized to obtain the calculation result $R_{features}$, whose value range is [1,10]. The normalization formula is given only as an image in the original document and is not reproduced here; 1.0003 is an experimental value used in it.
The scores of the vulnerability of the assets can be fused by multiplication with the scores of various attribute information, the influence of mutual superposition of all dimensions is considered, and compared with the score of the vulnerability of the assets calculated by adding all dimensions, the vulnerability of the whole asset can be more comprehensively evaluated.
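The per-dimension scores of steps 303-305, 403-404 and 503-504, the first-weight rule of module 720, and the multiplicative fusion above, as an added Python example that is not part of the patent. The page gives only the experimental constants (1.04 and 1.0003) of its normalization function trans, not the function itself, so a linear rescale onto [1, 10] is assumed in its place; the range of the vulnerability source-code value is likewise not on the page and is a caller-supplied assumption.

```python
"""Worked example of the four-dimension asset vulnerability score (added
illustration, not the patent's code).  Everything the page leaves open is
marked ASSUMPTION."""
from statistics import mean

# Encoding of threat-intelligence levels as on the page: fatal 5 ... low 1.
THREAT_LEVEL_CODE = {"fatal": 5, "severe": 4, "high": 3, "medium": 2, "low": 1}


def normalize(x, lo, hi):
    """ASSUMPTION: linear stand-in for the page's trans(); maps [lo, hi] onto [1, 10].
    The input is clamped so a malformed weight cannot push a score outside the range."""
    if hi <= lo:
        raise ValueError("empty range")
    x = min(max(x, lo), hi)
    return 1.0 + 9.0 * (x - lo) / (hi - lo)


def dimension_score(weights, weight_lo, weight_hi):
    """Steps 304-305 (and 204-205): mean of the weights times the largest weight,
    then normalised.  With weights in [weight_lo, weight_hi] the product lies in
    [weight_lo^2, weight_hi^2]."""
    if not weights:
        raise ValueError("at least one weight is required (M >= 1)")
    return normalize(mean(weights) * max(weights), weight_lo ** 2, weight_hi ** 2)


def port_score(port_levels, first_value=5):
    """RP: second weight = encoded hazard level + first value (page example: 5),
    so each weight lies in [6, 10] and mean*max in [36, 100]."""
    weights = [THREAT_LEVEL_CODE[level] + first_value for level in port_levels]
    return dimension_score(weights, 1 + first_value, 5 + first_value)


def vulnerability_score(vulns, weight_range):
    """RV: first weight = source code value * encoded hazard level (module 720).
    `vulns` is a list of (source_code_value, threat_level); the page does not
    give the source-code value range, so ASSUMPTION: caller passes the (lo, hi)
    of the resulting first weights."""
    weights = [src * THREAT_LEVEL_CODE[level] for src, level in vulns]
    return dimension_score(weights, *weight_range)


def os_score(n_vulns, total_vulns, level, second_value=5):
    """RS = (vulns of this OS / total vulns) * second value + third hazard level."""
    if total_vulns <= 0 or not 0 <= n_vulns <= total_vulns:
        raise ValueError("vulnerability counts out of range")
    return n_vulns / total_vulns * second_value + THREAT_LEVEL_CODE[level]


def antivirus_score(brand_score, timed_scan, timed_update):
    """R(AV) = R1 (brand, 1..5, lower is better) + R2 (scheduled scan: yes 0 / no 3)
    + R3 (scheduled signature update: yes 0 / no 2), values from the page's example."""
    if not 1 <= brand_score <= 5:
        raise ValueError("brand score must be in [1, 5]")
    return brand_score + (0 if timed_scan else 3) + (0 if timed_update else 2)


def firewall_score(enabled, acl_score):
    """R(FW) = R1 (firewall enabled: yes 0 / no 5) + R2 (ACL strictness, 1..5,
    higher for permissive policies such as an any->any allow rule)."""
    if not 1 <= acl_score <= 5:
        raise ValueError("ACL score must be in [1, 5]")
    return (0 if enabled else 5) + acl_score


def defense_score(brand_score, timed_scan, timed_update, fw_enabled, acl_score):
    """RD = max(R(AV), R(FW)): the weaker of the two controls dominates."""
    return max(antivirus_score(brand_score, timed_scan, timed_update),
               firewall_score(fw_enabled, acl_score))


def fused_score(rv, rp, rs, rd):
    """R_features: Y = RV*RP*RS*RD lies in [1, 10^4]; normalised back onto [1, 10]."""
    return normalize(rv * rp * rs * rd, 1.0, 10_000.0)


if __name__ == "__main__":
    # Constructed sample asset: two unpatched vulnerabilities, three open ports,
    # an OS with 20 of 400 known vulnerabilities, AV without scheduled updates
    # and a disabled firewall whose ACL is moderately strict.
    rv = vulnerability_score([(2, "high"), (1, "medium")], weight_range=(1, 10))
    rp = port_score(["high", "low", "fatal"])
    rs = os_score(n_vulns=20, total_vulns=400, level="severe")
    rd = defense_score(2, True, False, fw_enabled=False, acl_score=3)
    print(f"RV={rv:.3f} RP={rp:.3f} RS={rs:.3f} RD={rd} "
          f"R_features={fused_score(rv, rp, rs, rd):.3f}")
```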
Referring to fig. 7, a block diagram of a computing device for asset vulnerability provided by an embodiment of the present application is shown, which may be applied in a server. The computing device of the asset vulnerability may include:
an obtaining module 710, configured to obtain attribute information of an asset, where the attribute information includes at least one of vulnerability information of an unrepaired vulnerability in the asset, port information of an open port, operating system information, and security defense information;
a calculating module 720 for calculating a score of the vulnerability of the asset according to the attribute information.
In an embodiment, when the attribute information includes at least one of vulnerability information, port information, and operating system information, the calculation module 720 is further configured to: acquiring threat information matched with each attribute information, wherein the threat information is used for indicating a threat level corresponding to the attribute information; a score is calculated based on the attribute information and the threat information.
In an embodiment, when the attribute information includes vulnerability information, the calculating module 720 is further configured to: calculate first weight values of all the vulnerabilities according to the vulnerability information and the threat information, where the first weight values are used to indicate the vulnerability level of the corresponding vulnerability; calculate a first average value of all the first weight values; and multiply the first average value by the largest first weight value among all the first weight values, and then carry out normalization processing to obtain a score.
In an embodiment, the calculating module 720 is further configured to: for each vulnerability indicated by the vulnerability information, acquiring a source code value and a first hazard level of the vulnerability from the threat information, wherein the source code value is obtained by coding the source of the vulnerability, and the first hazard level is obtained by coding the threat level of the vulnerability; and multiplying the source code value by the first hazard level to obtain a first weight value of the vulnerability.
In an embodiment, when the attribute information includes port information, the calculating module 720 is further configured to: calculating second weight values of all opened ports according to the port information and the threat information, wherein the second weight values are used for indicating the vulnerability levels of the corresponding ports; calculating a second average value of all second weight values; and multiplying the second average value by the largest second weight value in all the second weight values, and then carrying out normalization processing to obtain a score.
In an embodiment, the calculating module 720 is further configured to: for each port indicated by the port information, acquiring a second hazard level of the port from the threat information, wherein the second hazard level is obtained by encoding the threat level of the port; and adding the first numerical value to the second hazard level to obtain a second weighted value of the port.
In an embodiment, when the attribute information includes operating system information, the threat information includes a number of vulnerabilities in the operating system, a total number of vulnerabilities of all operating systems, and a third hazard level of the operating system, where the third hazard level is obtained by encoding a threat level of the operating system, the calculating module 720 is further configured to: multiplying a quotient obtained by dividing the number of the vulnerabilities by the total number of the vulnerabilities by a second numerical value; and adding the obtained product to the third hazard grade to obtain a score.
In one embodiment, when the attribute information includes security defense information, and the security defense information includes first configuration information of an antivirus program installed in the asset and second configuration information of a firewall installed in the asset, the calculation module 720 is further configured to: acquire the first configuration information, and calculate a first score of the antivirus program according to the first configuration information; acquire the second configuration information, and calculate a second score of the firewall according to the second configuration information; and take the maximum value of the first score and the second score as the score.
In an embodiment, the calculating module 720 is further configured to: acquiring a first score corresponding to each configuration information in the first configuration information; and adding all the first scores to obtain a first score.
In an embodiment, the calculating module 720 is further configured to: acquiring a second score corresponding to each configuration information in the second configuration information; and adding all the second scores to obtain a second score.
In summary, according to the computing device for asset vulnerability provided by the embodiment of the present application, by obtaining the attribute information of an asset, where the attribute information includes at least one of vulnerability information of an unrepaired vulnerability in the asset, port information of an open port, operating system information and security defense information, since the attribute information includes information of four dimensions and the attribute information of each dimension can be quantized, the score of the vulnerability of the asset can be automatically computed according to the attribute information without subjective scoring by an expert, so that the problem of inaccurate score scoring by the expert can be avoided, and the accuracy of asset vulnerability computation is improved; in addition, even if the workload of the asset vulnerability calculation is large, the score can be automatically calculated according to the attribute information, so that the calculation efficiency of the asset vulnerability calculation is improved.
One embodiment of the present application provides a computer-readable storage medium having stored therein at least one instruction, at least one program, set of codes, or set of instructions that is loaded and executed by a processor to implement a method of computing an asset vulnerability as described above.
One embodiment of the present application provides a server comprising a processor and a memory, wherein the memory stores at least one instruction, and the instruction is loaded and executed by the processor to realize the asset vulnerability calculation method.
Referring to fig. 8, one embodiment of the present application provides a computing system that includes a server that may include an asset vulnerability computing device as shown in fig. 7 and a threat intelligence system.
It should be noted that: in the above embodiment, when the computing device for asset vulnerability calculates the asset vulnerability, only the division of the functional modules is taken as an example, and in practical application, the function distribution may be completed by different functional modules according to needs, that is, the internal structure of the computing device for asset vulnerability is divided into different functional modules to complete all or part of the functions described above. In addition, the asset vulnerability calculating device provided in the above embodiments and the asset vulnerability calculating method embodiment belong to the same concept, and specific implementation processes thereof are described in detail in the method embodiment and are not described herein again.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description should not be taken as limiting the embodiments of the present application, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the embodiments of the present application should be included in the scope of the embodiments of the present application.

Claims (13)

1. A method for computing vulnerability of assets, the method comprising:
acquiring attribute information of an asset, wherein the attribute information comprises at least one of vulnerability information of unrepaired vulnerabilities in the asset, port information of an open port, operating system information and security defense information;
and calculating the grade of the vulnerability of the asset according to the attribute information.
2. The method of claim 1, wherein when the attribute information includes at least one of the vulnerability information, the port information, and the operating system information, the calculating a score for the vulnerability of the asset from the attribute information comprises:
acquiring threat information matched with each attribute information, wherein the threat information is used for indicating a threat level corresponding to the attribute information;
calculating the score according to the attribute information and the threat information.
3. The method of claim 2, wherein when the attribute information includes the vulnerability information, the calculating the score from the attribute information and the threat information comprises:
calculating first weight values of all vulnerabilities according to the vulnerability information and the threat information, wherein the first weight values are used for indicating the vulnerability grade of the corresponding vulnerability;
calculating a first average value of all the first weight values;
and multiplying the first average value by the largest first weight value in all the first weight values, and then carrying out normalization processing to obtain the score.
4. The method of claim 3, wherein the calculating first weight values of all vulnerabilities according to the vulnerability information and the threat information comprises:
for each vulnerability indicated by the vulnerability information, acquiring a source code value and a first hazard level of the vulnerability from the threat information, wherein the source code value is obtained by coding a source of the vulnerability, and the first hazard level is obtained by coding a threat level of the vulnerability;
and multiplying the source code value by the first hazard level to obtain a first weight value of the vulnerability.
5. The method of claim 2, wherein when the attribute information includes the port information, the calculating the score from the attribute information and the threat information comprises:
calculating second weight values of all opened ports according to the port information and the threat information, wherein the second weight values are used for indicating the vulnerability levels of the corresponding ports;
calculating a second average value of all second weight values;
and multiplying the second average value by the largest second weight value in all the second weight values, and then carrying out normalization processing to obtain the score.
6. The method of claim 5, wherein calculating the second weight values for all open ports according to the port information and the threat information comprises:
for each port indicated by the port information, acquiring a second hazard level of the port from the threat information, wherein the second hazard level is obtained by encoding the threat level of the port;
and adding the first numerical value to the second hazard level to obtain a second weight value of the port.
7. The method of claim 2, wherein when the attribute information includes the operating system information, the threat information includes a number of vulnerabilities in the operating system, a total number of vulnerabilities for all operating systems, and a third hazard level for the operating system, the third hazard level being encoded as a threat level for the operating system, the calculating the score according to the attribute information and the threat information comprises:
multiplying a quotient obtained by dividing the number of vulnerabilities by the total number of vulnerabilities by a second numerical value;
and adding the obtained product to the third hazard grade to obtain the score.
8. The method of any of claims 1-7, wherein when the attribute information includes the security defense information, and the security defense information includes first configuration information of an antivirus program installed in the asset and second configuration information of a firewall installed in the asset, the calculating a score for the vulnerability of the asset from the attribute information comprises:
acquiring the first configuration information, and calculating a first score of the antivirus program according to the first configuration information;
acquiring the second configuration information, and calculating a second score of the firewall according to the second configuration information;
taking the maximum of the first score and the second score as the score.
9. The method of claim 8, wherein said calculating a first score for the antivirus program based on the first configuration information comprises:
acquiring a first score corresponding to each configuration information in the first configuration information;
and adding all the first scores to obtain the first score.
10. The method of claim 8, wherein calculating a second score for the firewall according to the second configuration information comprises:
acquiring a second score corresponding to each configuration information in the second configuration information;
and adding all the second scores to obtain the second score.
11. An asset vulnerability computing apparatus, the apparatus comprising:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring attribute information of an asset, and the attribute information comprises at least one of vulnerability information of unrepaired vulnerabilities in the asset, port information of an open port, operating system information and security defense information;
and the calculating module is used for calculating the grade of the vulnerability of the asset according to the attribute information.
12. A computer readable storage medium having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, which is loaded and executed by a processor to implement a method of computing an asset vulnerability according to any one of claims 1 to 10.
13. A server, comprising a processor and a memory, the memory having stored therein at least one instruction, the instruction being loaded and executed by the processor to implement the method of calculating asset vulnerability according to any one of claims 1 to 10.
CN201911050203.0A 2019-10-31 2019-10-31 Asset vulnerability calculation method and device, storage medium and server Pending CN112751809A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201911050203.0A CN112751809A (en) 2019-10-31 2019-10-31 Asset vulnerability calculation method and device, storage medium and server
PCT/CN2020/121862 WO2021082966A1 (en) 2019-10-31 2020-10-19 Asset vulnerability calculation method and device, storage medium, and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911050203.0A CN112751809A (en) 2019-10-31 2019-10-31 Asset vulnerability calculation method and device, storage medium and server

Publications (1)

Publication Number Publication Date
CN112751809A true CN112751809A (en) 2021-05-04

Family

ID=75641246

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911050203.0A Pending CN112751809A (en) 2019-10-31 2019-10-31 Asset vulnerability calculation method and device, storage medium and server

Country Status (2)

Country Link
CN (1) CN112751809A (en)
WO (1) WO2021082966A1 (en)

Also Published As

Publication number Publication date
WO2021082966A1 (en) 2021-05-06

Similar Documents

Publication Publication Date Title
CN112751809A (en) Asset vulnerability calculation method and device, storage medium and server
US20210288995A1 (en) Operational Network Risk Mitigation System And Method
RU2477929C2 (en) System and method for prevention safety incidents based on user danger rating
CN111507597A (en) Network information security risk assessment model and method
Kamhoua et al. Cyber-threats information sharing in cloud computing: A game theoretic approach
Doynikova et al. Countermeasure selection based on the attack and service dependency graphs for security incident management
Kholidy et al. A cost-aware model for risk mitigation in Cloud computing systems
Jakóbik Stackelberg game modeling of cloud security defending strategy in the case of information leaks and corruption
Wang et al. Threat Analysis of Cyber Attacks with Attack Tree+.
Telo Privacy and cybersecurity concerns in Smart governance systems in developing countries
Enoch et al. Automated security investment analysis of dynamic networks
Biswas et al. AVICS-eco framework: an approach to attack prediction and vulnerability assessment in a cyber ecosystem
You et al. Review on cybersecurity risk assessment and evaluation and their approaches on maritime transportation
Kanoun et al. Advanced reaction using risk assessment in intrusion detection systems
Meriah et al. A survey of quantitative security risk analysis models for computer systems
Zhang et al. Multistage game theoretical approach for ransomware attack and defense
Granadillo et al. Using a 3D geometrical model to improve accuracy in the evaluation and selection of countermeasures against complex cyber attacks
Nicho et al. Applying system dynamics to model advanced persistent threats
Taveras Cyber Risk Management, Procedures and Considerations to Address the Threats of a Cyber Attack
Lakhdhar et al. Proactive security for safety and sustainability of mission critical systems
Gheorghică et al. A new framework for enhanced measurable cybersecurity in computer networks
Weintraub et al. Continuous monitoring system based on systems' environment
Li et al. Cross-boundary enterprise security monitoring
Trad Entity Transformation Projects: Security Management Concept (SMC)
US20230252138A1 (en) Cybersecurity workflow management using autodetection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination