CN113408948A - Network asset management method, device, equipment and medium - Google Patents


Info

Publication number
CN113408948A
Authority
CN
China
Prior art keywords
network
threat
asset
management
index
Prior art date
Legal status
Pending
Application number
CN202110802258.3A
Other languages
Chinese (zh)
Inventor
冯福伟
孟艳青
李鹏超
尚程
王杰
杨满智
蔡琳
梁彧
田野
金红
陈晓光
傅强
Current Assignee
Eversec Beijing Technology Co Ltd
Original Assignee
Eversec Beijing Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Eversec Beijing Technology Co Ltd
Priority to CN202110802258.3A
Publication of CN113408948A
Legal status: Pending

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
                • G06Q10/00 Administration; Management
                    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
                        • G06Q10/063 Operations research, analysis or management
                            • G06Q10/0635 Risk analysis of enterprise or organisation activities
                            • G06Q10/0637 Strategic management or analysis, e.g. setting a goal or target of an organisation; Planning actions based on goals; Analysis or evaluation of effectiveness of goals
                            • G06Q10/0639 Performance analysis of employees; Performance analysis of enterprise or organisation operations
                                • G06Q10/06393 Score-carding, benchmarking or key performance indicator [KPI] analysis

Abstract

The embodiments of the disclosure disclose a network asset management method, device, equipment and medium. The method comprises the following steps: determining target network asset information among the management network assets according to a threat event in the network traffic of a predetermined network area, the predetermined network area including two or more management network assets; determining a risk assessment value of the target network asset according to a first assessment index of the target network asset, a second assessment index of the threat event and a third assessment index of threat intelligence; and carrying out risk management on the target network asset according to the risk assessment value. By adopting the technical scheme of the embodiments of the disclosure, the risk division of network assets is more comprehensive and accurate, which facilitates the risk management of network assets.

Description

Network asset management method, device, equipment and medium
Technical Field
Embodiments of the present disclosure relate to data processing technologies, and in particular, to a method, an apparatus, a device, and a medium for managing network assets.
Background
Key information infrastructure refers to network information services provided to the public, or to information systems or industrial control systems that support the operation of important industries such as energy, communication, finance, transportation and public utilities. Key information infrastructure is one kind of network asset. At present, network asset risk classification systems are mainly built around the confidentiality, integrity and availability of the assets, and classify the risk of key information infrastructure only by these three properties, which is not conducive to the protection of the key information infrastructure.
Disclosure of Invention
The embodiment of the disclosure provides a method, a device, equipment and a medium for managing network assets, so that the risk division of the network assets is more comprehensive and accurate, and the risk management of the network assets is facilitated.
In a first aspect, an embodiment of the present disclosure provides a network asset management method, where the method includes:
determining target network asset information among the management network assets according to a threat event in a predetermined network area network traffic, the predetermined network area including two or more management network assets;
determining a risk assessment value of the target network asset according to the first assessment index of the target network asset, the second assessment index of the threat event and the third assessment index of threat intelligence;
and carrying out risk management on the target network assets according to the risk assessment values.
In a second aspect, an embodiment of the present disclosure provides a network asset management apparatus, including:
a target module for determining target network asset information in the management network assets according to threat events in a predetermined network area network traffic, the predetermined network area including two or more management network assets;
the evaluation module is used for determining the risk evaluation value of the target network asset according to the first evaluation index of the target network asset, the second evaluation index of the threat event and the third evaluation index of the threat intelligence;
and the management module is used for carrying out risk management on the target network assets according to the risk assessment value.
In a third aspect, an embodiment of the present disclosure provides an electronic device, including:
one or more processors;
a memory for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the network asset management method described in the embodiments of the disclosure.
In a fourth aspect, embodiments of the present disclosure provide a computer-readable storage medium, on which a computer program is stored, which when executed by a processor, implements network asset management as described in embodiments of the present disclosure.
The risk assessment value of the target network asset is determined according to the first assessment index of the target network asset, the second assessment index of the threat event and the third assessment index of threat intelligence aiming at target network asset information corresponding to the threat event in the preset network area.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that elements and features are not necessarily drawn to scale.
Fig. 1 is a flowchart of a network asset management method according to an embodiment of the present disclosure;
fig. 2 is a block diagram of a network asset management device according to a second embodiment of the present disclosure;
fig. 3 is a structural diagram of an electronic device according to a third embodiment of the disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order, and/or performed in parallel. Moreover, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
The term "include" and variations thereof as used herein are open-ended, i.e., "including but not limited to". The term "based on" is "based, at least in part, on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Relevant definitions for other terms will be given in the following description.
It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.
It is noted that references to "a", "an", and "the" modifications in this disclosure are intended to be illustrative rather than limiting, and that those skilled in the art will recognize that "one or more" may be used unless the context clearly dictates otherwise.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
Example one
Fig. 1 is a flowchart of a network asset management method according to an embodiment of the present disclosure, which may be performed by a network security event monitoring and analysis system. A threat attack feature library, a network threat information base, a network asset information base and a threat intelligence information base are deployed in the network security event monitoring and analysis system.
The deployed threat attack feature library is used to manage the feature information of various network threat attacks and to provide network threat attack features of various types. The threat attack feature library includes network threat attack feature information of various types and network attack event monitoring rules; the monitoring rules are used to detect network attack events in network traffic, and their types include, but are not limited to, Advanced Persistent Threat (APT) attack event monitoring rules, vulnerability exploitation event monitoring rules, ransomware event monitoring rules, remote control trojan event monitoring rules, botnet event monitoring rules, Distributed Denial of Service (DDoS) attack event monitoring rules, malicious propagation event monitoring rules, website backdoor event monitoring rules, web page tampering event monitoring rules, cryptomining program event monitoring rules, phishing mail event monitoring rules, password brute-forcing event monitoring rules, network scanning event monitoring rules, and the like. Optionally, the deployed threat attack feature library may add or update the network threat attack feature information manually or automatically by the system.
The deployed network threat information base is used to manage network threat attack information of various types and to provide the threat degree and threat degree index value of each type of network threat attack; the threat degree and threat degree index value are the second assessment index. The network threat information base comprises the network threat attack information and the threat degree and threat degree index value of each network threat attack type. The types of network threat attacks include, but are not limited to, APT attacks, vulnerability exploitation, extortion, ransomware, remote control trojans, botnets, DDoS attacks, malicious propagation, website backdoors, web page tampering, phishing mails, cryptomining programs, password brute-forcing, network scanning, and the like. Exemplary threat degree grading criteria for network threat attacks are given in Table 1. Optionally, the deployed network threat information base may add or update the network threat attack information manually or automatically by the system.
TABLE 1 threat degree grading criteria for network threat attacks (the table is an image that is not reproduced in this text)
The deployed network asset information base is used for managing various types of network asset information, providing importance and importance index values of various types of network assets, and maintaining a network asset risk assessment value mapping table, wherein the importance and the importance index values are first assessment indexes. The network asset information base comprises network asset information and the importance and importance index values of the network assets. Network asset types include, but are not limited to, enterprise application classes such as financial management systems, office automation systems, customer relationship management systems, email systems, web portal systems; system software classes such as operating systems, database management systems; support systems, such as development framework, middleware; devices of the internet of things, such as industrial control devices and video monitoring devices; security products such as firewalls, antivirus gateways, network intrusion detection and defense equipment, network isolation and one-way lead-in equipment, network security audit equipment, DDoS attack prevention equipment, internet behavior management equipment, host monitoring and audit equipment, Web application firewalls, tamper prevention systems, data leakage prevention systems and APT attack detection systems; network device classes such as servers, routers, switches, network storage, Asymmetric Digital Subscriber Line (ADSL), wireless networks; office peripherals such as printers, copiers, and facsimile machines. For an exemplary ranking criteria of importance of network assets see table 2. Optionally, the deployed network asset information base may add or update the network asset information in a manual or system automatic manner.
TABLE 2 importance grading criteria for network assets (the table is an image that is not reproduced in this text)
The deployed threat intelligence information base is used to manage network threat intelligence information of various types and to provide the credibility and credibility index value of threat intelligence associated with threat attacks and network assets; the credibility and credibility index value are the third assessment index. The threat intelligence information base contains the threat intelligence information and the credibility index value of the threat intelligence. Threat intelligence is associated with network attacks and network assets, and its types include, but are not limited to, malicious Internet Protocol (IP) addresses, malicious Uniform Resource Locator (URL) addresses, malicious domain names, malicious sample files, malicious sample Message-Digest Algorithm (MD5) hashes, hacker organization information, hacker tools, hacker characteristics, threat attack stages, and the like. Exemplary credibility grading criteria for threat intelligence are shown in Table 3. Optionally, the deployed threat intelligence information base may add or update the threat intelligence information manually or automatically by the system.
| Index value | Credibility | Threat intelligence rating description | Credibility confirmation method |
|---|---|---|---|
| 4 | Very high | Threat intelligence confirmed by security technical experts | Security technical expert |
| 3 | High | Threat intelligence confirmed by multiple decision engines | Multiple decision engines |
| 2 | Medium | Threat intelligence confirmed by a single decision engine | Single decision engine |
| 1 | Low | Threat intelligence not confirmed by an expert or an engine | None |

TABLE 3 credibility grading criteria for threat intelligence
The network asset management method of the present embodiment includes steps S110, S120, and S130. As shown in fig. 1, the method specifically includes the following steps:
S110, determining target network asset information in the management network assets according to a threat event in the network traffic of a predetermined network area, wherein the predetermined network area comprises two or more management network assets.
Further, before determining the target network asset information in the management network assets based on a threat event in the network traffic of the predetermined network area, the method further comprises: acquiring the network traffic of the predetermined network area at the network traffic ingress and egress of the predetermined network area.
Optionally, the network security event monitoring and analysis system screens the network traffic flowing through the ingress and egress for traffic with attack behavior using attack feature matching, and extracts information such as the network threat attack type and the attack target.
Optionally, the network traffic gateway may be the machine room network traffic gateway of a large internet enterprise, from which the network traffic data forwarded by a traffic collection device is received in real time.
Further, before determining the target network asset information in the management network assets based on a threat event in the network traffic of the predetermined network area, the method further comprises: matching the data features of the network traffic against the linked threat attack feature library to obtain the threat traffic with attack behavior, and determining the corresponding threat event.
Optionally, the network security event monitoring and analysis system obtains the threat degree and index value of the extracted network threat attack type by looking up the network threat information base. For example, a network threat attack event detected by the network security event monitoring and analysis system is matched against the network threat information base by exact matching of the threat type to obtain the threat degree of the attack type.
Optionally, the network security event monitoring and analysis system obtains the network asset type and the network asset importance and index value of the attack target by looking up the network asset information base according to the extracted attack target address. For example, a network attack target detected by the network security event monitoring and analysis system is matched against the network asset information base by exact matching of the target address (IP address, URL, domain name and the like) to obtain the importance of the potentially attacked network asset.
And S120, determining the risk assessment value of the target network asset according to the first assessment index of the target network asset, the second assessment index of the threat event and the third assessment index of the threat intelligence.
Optionally, the obtained network attack threat degree index value, network asset importance index value and threat intelligence credibility index value are used as input parameters, and the risk assessment value of the network asset (i.e. the potentially attacked asset) is obtained after executing the network asset risk assessment algorithm.
The calculation formula of the network asset risk assessment algorithm is as follows (the formula image is not reproduced in this text; the relation it expresses is stated below):
$M(T, A, I) = T \times A \times I$
wherein T is an abbreviation of Threat and represents the threat degree index value of the network threat; A is an abbreviation of Asset and represents the importance index value of the network asset; and I is an abbreviation of Intelligence and represents the credibility index value of the network threat intelligence.
The calculation result M(T, A, I) = T × A × I represents the absolute risk assessment value of the network asset, and Risk represents the normalized risk assessment value of the network asset.
Optionally, the network security event monitoring and analysis system executes the network asset risk assessment algorithm on the threat degree index value of the network threat attack, the importance index value of the network asset and the credibility index value of the network threat intelligence to obtain the normalized risk assessment value of the network asset.
Further, before determining the risk assessment value of the target network asset, the method further includes:
looking up the network threat information base according to the network threat attack type of the threat traffic with attack behavior to obtain the corresponding threat degree and index value, which are used as the second assessment index;
and looking up the network asset information base according to the attack target address of the threat traffic with attack behavior to obtain the corresponding network asset type and the network asset importance and index value, wherein the network asset importance and index value are used as the first assessment index.
Further, determining the risk assessment value of the target network asset based on the first assessment index of the target network asset, the second assessment index of the threat event and the third assessment index of threat intelligence includes:
executing the network asset risk assessment algorithm on the first assessment index of the target network asset, the second assessment index of the threat event and the third assessment index of the threat intelligence to obtain a normalized output value as the risk assessment value.
And S130, performing risk management on the target network assets according to the risk assessment values.
TABLE 4 risk assessment value to risk rating mapping criteria (the table is an image that is not reproduced in this text)
Referring to Table 4, the network asset risk assessment values are mapped directly onto the network asset risk rating system, so that different degrees of risk management are performed according to different risk assessment values, for example continuous attention or rapid emergency treatment.
In this method, the risk assessment value of the target network asset is determined according to the first assessment index of the target network asset, the second assessment index of the threat event and the third assessment index of threat intelligence, for the target network asset information corresponding to the threat event in the predetermined network area. Compared with the prior art, in which the risk level is determined according to the confidentiality, integrity and availability of the asset, the risk brought to the network asset by external threats (the threat event and the threat intelligence) is considered in addition to the asset's own risk, so that the risk division of network assets is more comprehensive and accurate, which facilitates the risk management of network assets.
An application example of the network asset management method is given below:
the network security event monitoring and analyzing system detects the received network flow data by using the network threat attack rule through the linkage threat attack feature library, and captures a webpage tampering attack event aiming at the enterprise portal website and initiated by a hacker organization.
The network security event monitoring and analyzing system obtains a threat degree index value of webpage tampering attack as 2 according to the threat degree grading criterion of the network threat attack by linking a network threat information base; obtaining an importance index value of a portal website as 4 according to a credibility grading criterion of threat information by linking a network asset information base; and obtaining a credibility index value of the threat information related to the hacker organization by linking the threat information database according to the credibility grading criterion of the threat information, wherein the credibility index value is 4.
The network security event monitoring and analyzing system calls a network asset risk assessment algorithm by taking the obtained web page tampering attack threat degree index value, the enterprise portal website importance degree index value and the hacker organization threat information reliability index value as input parameters, and calculates to obtain a risk assessment value of a portal website which is an event attack target, which is 50.
The network security event monitoring and analyzing system searches a network asset risk assessment value mapping table of a network asset information base according to the obtained risk assessment value to obtain a risk rating corresponding to the risk assessment value 50 as medium, and the risk management of the target network asset according to the risk assessment value is performed in the following mode: and prompting technical safety experts and system operators to pay continuous attention.
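As an added worked example (not code from the patent or from Eversec), the following Python reproduces the lookups of S110 and S120, the T × A × I calculation and the rating step of S130 for the application example above. The 1..4 range of every index, the normalisation Risk = 100 × M / 64 and the rating thresholds are assumptions: the page shows only Table 3 and the result 50 → medium, and the normalisation chosen is the one that reproduces that result.

```python
"""Added example, not part of the patent text: a small implementation of the
risk assessment of steps S110 to S130 and of the application example above.
Assumptions the page does not state: each index T, A, I is an integer in 1..4
(as Table 3 shows for I); Risk = 100 * M / 64, which reproduces the page's
worked example (T=2, A=4, I=4 -> Risk 50); the rating thresholds stand in for
Table 4, whose image is not reproduced (the page only gives 50 -> medium).
All information bases below are constructed samples."""
from dataclasses import dataclass
from typing import Optional

MAX_INDEX = 4      # assumed upper bound of each index value
RISK_SCALE = 100   # assumed normalised scale

# Network threat information base (Table 1 analogue): attack type -> threat index T.
THREAT_INFO_BASE = {"ransomware": 4, "ddos": 3, "web_page_tampering": 2, "network_scanning": 1}

# Network asset information base (Table 2 analogue): attack target address
# (IP, URL or domain name, exact match as in S110) -> (asset type, importance index A).
ASSET_INFO_BASE = {"portal.example.com": ("enterprise_portal", 4), "10.0.5.17": ("printer", 1)}

# Table 3 of the page: confirmation method -> credibility index I.
INTEL_CONFIDENCE = {"security_expert": 4, "multiple_engines": 3, "single_engine": 2, "unconfirmed": 1}

# Threat intelligence information base: intelligence key -> how it was confirmed.
THREAT_INTEL_BASE = {"hacker_org_X": "security_expert", "203.0.113.9": "single_engine"}

# Assumed stand-in for Table 4: (minimum risk, rating, management action from S130).
RATING_TABLE = [(75, "high", "rapid emergency treatment"),
                (40, "medium", "continuous attention"),
                (0, "low", "routine monitoring")]


@dataclass(frozen=True)
class ThreatEvent:
    """A threat event extracted from traffic by the attack feature library."""
    attack_type: str
    target_address: str
    intel_key: Optional[str] = None   # associated threat intelligence, if any


def _check_index(name, value):
    """Reject index values outside the assumed 1..MAX_INDEX range."""
    if not isinstance(value, int) or not 1 <= value <= MAX_INDEX:
        raise ValueError(f"{name} index must be an integer in 1..{MAX_INDEX}, got {value!r}")
    return value


def threat_index(attack_type):
    """Second assessment index T, by exact match of the attack type."""
    if attack_type not in THREAT_INFO_BASE:
        raise KeyError(f"unknown attack type {attack_type!r}")
    return _check_index("threat", THREAT_INFO_BASE[attack_type])


def asset_lookup(target_address):
    """First assessment index A: (asset type, importance), or None when the
    target is not one of the managed network assets."""
    entry = ASSET_INFO_BASE.get(target_address)
    if entry is None:
        return None
    asset_type, importance = entry
    return asset_type, _check_index("asset", importance)


def intel_index(intel_key):
    """Third assessment index I; intelligence absent from the base counts as unconfirmed."""
    method = THREAT_INTEL_BASE.get(intel_key, "unconfirmed") if intel_key else "unconfirmed"
    return INTEL_CONFIDENCE[method]


def absolute_risk(t, a, i):
    """M(T, A, I) = T x A x I, the absolute risk assessment value."""
    return _check_index("threat", t) * _check_index("asset", a) * _check_index("intel", i)


def normalized_risk(t, a, i):
    """Risk: M scaled to 0..100 (assumed normalisation, see the docstring)."""
    return round(RISK_SCALE * absolute_risk(t, a, i) / MAX_INDEX ** 3)


def risk_rating(risk):
    """Map a normalised risk value to (rating, management action) via RATING_TABLE."""
    for minimum, rating, action in RATING_TABLE:
        if risk >= minimum:
            return rating, action
    raise ValueError(f"risk out of range: {risk}")


def assess(event):
    """Steps S110 to S130 for one event; None when the target is not a managed asset."""
    asset = asset_lookup(event.target_address)
    if asset is None:
        return None
    asset_type, a = asset
    t, i = threat_index(event.attack_type), intel_index(event.intel_key)
    risk = normalized_risk(t, a, i)
    rating, action = risk_rating(risk)
    return {"asset_type": asset_type, "T": t, "A": a, "I": i, "M": absolute_risk(t, a, i),
            "risk": risk, "rating": rating, "action": action}
```

Calling `assess(ThreatEvent("web_page_tampering", "portal.example.com", "hacker_org_X"))` yields M = 32, Risk = 50 and the rating "medium" with the action "continuous attention", matching the application example; a target absent from the asset base yields None, because it is not a managed asset.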
Example two
Fig. 2 is a block diagram of a network asset management device according to a second embodiment of the present disclosure, which may execute the network asset management method according to the first embodiment and may be configured in a network security event monitoring and analyzing system, as shown in fig. 2, the device includes a target module 210, an evaluation module 220, and a management module 230, where:
a target module 210, configured to determine target network asset information in the management network assets according to a threat event in a predetermined network area network traffic, where the predetermined network area includes two or more management network assets.
An evaluation module 220, configured to determine a risk evaluation value of the target network asset according to the first evaluation index of the target network asset, the second evaluation index of the threat event, and the third evaluation index of the threat intelligence.
And a management module 230, configured to perform risk management on the target network asset according to the risk assessment value.
On the basis of the above embodiment, the device further includes:
a traffic module, configured to acquire the network traffic of the predetermined network area at the network traffic ingress and egress of the predetermined network area.
On the basis of the above embodiment, the device further includes:
a threat module, configured to match the data features of the network traffic against the linked threat attack feature library to obtain the threat traffic with attack behavior, and to determine the corresponding threat event.
On the basis of the above embodiment, the device further includes:
an index module, configured to look up the network threat information base according to the network threat attack type of the threat traffic with attack behavior to obtain the corresponding threat degree and index value as the second evaluation index; and to look up the network asset information base according to the attack target address of the threat traffic with attack behavior to obtain the corresponding network asset type and the network asset importance and index value, wherein the network asset importance and index value are used as the first evaluation index.
On the basis of the foregoing embodiment, the evaluation module 220 is further configured to execute a network asset risk evaluation algorithm according to the first evaluation index of the target network asset, the second evaluation index of the threat event, and the third evaluation index of threat intelligence, and obtain a normalized output value as the risk evaluation value.
The network asset management device provided by the embodiment of the present disclosure and the network asset management method provided by the first embodiment belong to the same inventive concept; technical details not described in detail in the present embodiment can be found in the above embodiments, and the present embodiment has the same beneficial effects as the network asset management method.
Example three
Referring now to FIG. 3, a block diagram of an electronic device 900 suitable for use in implementing embodiments of the present disclosure is shown. The electronic equipment in the embodiment of the disclosure has a network asset management function. The electronic device shown in fig. 3 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 3, the electronic device 900 may include a processing means (e.g., a central processing unit, a graphics processor, etc.) 901 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)902 or a program loaded from a storage means 908 into a Random Access Memory (RAM) 903. In the RAM 903, various programs and data necessary for the operation of the electronic apparatus 900 are also stored. The processing apparatus 901, the ROM 902, and the RAM 903 are connected to each other through a bus 904. An input/output (I/O) interface 905 is also connected to bus 904.
Generally, the following devices may be connected to the I/O interface 905: input devices 906 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; an output device 907 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 908 including, for example, magnetic tape, hard disk, etc.; and a communication device 909. The communication device 909 may allow the electronic apparatus 900 to perform wireless or wired communication with other apparatuses to exchange data. While fig. 3 illustrates an electronic device 900 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a non-transitory computer readable medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication device 909, or installed from the storage device 908, or installed from the ROM 902. The computer program performs the above-described functions defined in the methods of the embodiments of the present disclosure when executed by the processing apparatus 901.
Example four
The computer readable medium described above in this disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, the clients and servers may communicate using any currently known or future developed network protocol, such as HTTP (HyperText Transfer Protocol), and may interconnect with digital data communication of any form or medium (e.g., a communications network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (e.g., the Internet) and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed network.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: determine target network asset information among managed network assets according to a threat event in the network traffic of a predetermined network area, the predetermined network area including two or more managed network assets; determine a risk assessment value of the target network asset according to a first assessment index of the target network asset, a second assessment index of the threat event and a third assessment index of threat intelligence; and carry out risk management on the target network asset according to the risk assessment value.
Computer program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including but not limited to an object oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present disclosure may be implemented by software or hardware.
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the disclosure herein is not limited to the particular combination of features described above, but also encompasses other embodiments in which any combination of the features described above or their equivalents does not depart from the spirit of the disclosure. For example, technical solutions formed by replacing the above features with (but not limited to) features disclosed in this disclosure that have similar functions also fall within that scope.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (10)

1. A network asset management method, comprising:
determining target network asset information among managed network assets according to a threat event in the network traffic of a predetermined network area, the predetermined network area including two or more managed network assets;
determining a risk assessment value of the target network asset according to a first assessment index of the target network asset, a second assessment index of the threat event and a third assessment index of threat intelligence; and
carrying out risk management on the target network asset according to the risk assessment value.
2. The method of claim 1, further comprising, prior to determining target network asset information among the managed network assets according to the threat event in the network traffic of the predetermined network area:
acquiring the network traffic of the predetermined network area at a network traffic ingress/egress point of the predetermined network area.
3. The method of claim 1, further comprising, prior to determining target network asset information among the managed network assets according to the threat event in the network traffic of the predetermined network area:
comparing the data characteristics of the network traffic against a threat attack characteristic library to obtain threat traffic with attack behavior, and determining the corresponding threat event.
4. The method of claim 2, further comprising, prior to determining the risk assessment value of the target network asset:
traversing a network threat information base according to the network threat attack type of the threat traffic with attack behavior to obtain a corresponding threat degree and its index value, which are used as the second assessment index; and
traversing a network asset information base according to the attack target address of the threat traffic with attack behavior to obtain a corresponding network asset type and network asset importance together with their index values, wherein the network asset importance and its index value are used as the first assessment index.
5. The method of any one of claims 1 to 4, wherein determining the risk assessment value of the target network asset according to the first assessment index of the target network asset, the second assessment index of the threat event and the third assessment index of threat intelligence comprises:
executing a network asset risk assessment algorithm on the first assessment index of the target network asset, the second assessment index of the threat event and the third assessment index of the threat intelligence to obtain a normalized output value as the risk assessment value.
6. A network asset management device, comprising:
a target module configured to determine target network asset information among managed network assets according to a threat event in the network traffic of a predetermined network area, the predetermined network area including two or more managed network assets;
an evaluation module configured to determine a risk assessment value of the target network asset according to a first assessment index of the target network asset, a second assessment index of the threat event and a third assessment index of threat intelligence; and
a management module configured to carry out risk management on the target network asset according to the risk assessment value.
7. The device of claim 6, further comprising:
a traffic module configured to acquire the network traffic of the predetermined network area at a network traffic ingress/egress point of the predetermined network area.
8. The device of claim 6, further comprising:
a threat module configured to compare the data characteristics of the network traffic against a threat attack characteristic library to obtain threat traffic with attack behavior and to determine the corresponding threat event.
9. An electronic device, comprising:
one or more processors; and
a memory storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the network asset management method of any one of claims 1 to 5.
10. A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, carrying out the network asset management method according to any one of claims 1 to 5.
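The pipeline that claims 1 to 5 describe, carried through on constructed data as an added Python illustration (this is not the patent's code, and the patent does not fix the risk assessment algorithm): flows captured at the area's ingress/egress are compared against a threat attack characteristic library to yield threat events; the attack target address is looked up in the asset information base (first index: asset importance), the attack type in the threat information base (second index: threat degree), and the source address in a threat intelligence feed (third index); a weighted sum, assumed here, produces the normalized value; and an assumed tiering policy turns that value into a risk-management action. Every library, flow record, weight and threshold below is a constructed sample; the only claimed behaviour relied on is that a threat event whose target is not a managed asset produces no target asset.

```python
"""Worked example of the claimed pipeline: threat event -> target asset ->
three assessment indices -> normalized risk value -> risk-management tier.
Added illustration, not the patent's own code; all libraries, weights and
flow records are constructed sample data."""
from dataclasses import dataclass

# Constructed per-flow summaries observed at the area's traffic ingress/egress (claim 2).
FLOWS = [
    {"src": "203.0.113.9", "dst": "10.1.0.5", "dst_port": 22, "syn": 3, "auth_failures": 120},
    {"src": "198.51.100.4", "dst": "10.1.0.20", "dst_port": 80, "syn": 5000, "auth_failures": 0},
    {"src": "10.1.0.7", "dst": "10.1.0.20", "dst_port": 443, "syn": 1, "auth_failures": 0},
    # target address below is not in the asset base, so it is not a managed asset
    {"src": "203.0.113.9", "dst": "10.1.0.99", "dst_port": 22, "syn": 2, "auth_failures": 50},
]

# Constructed threat attack characteristic library (claim 3): attack type -> predicate
# over flow features. Assumption: simple threshold rules stand in for real signatures.
THREAT_FEATURE_LIBRARY = {
    "ssh_brute_force": lambda f: f["dst_port"] == 22 and f["auth_failures"] >= 20,
    "syn_flood": lambda f: f["syn"] >= 1000,
}

# Constructed network threat information base (claim 4): attack type -> (threat degree, index value)
THREAT_INFO_BASE = {
    "ssh_brute_force": ("medium", 0.6),
    "syn_flood": ("high", 0.9),
}

# Constructed network asset information base (claim 4): address -> (asset type, importance, index value)
ASSET_INFO_BASE = {
    "10.1.0.5": ("bastion_host", "critical", 1.0),
    "10.1.0.20": ("web_server", "important", 0.7),
}

# Constructed threat intelligence (third index): source address -> confidence score in [0, 1]
THREAT_INTEL = {"203.0.113.9": 0.8, "198.51.100.4": 0.5}

# Assumption: weights sum to 1, so a weighted sum of indices in [0, 1] is already normalized.
WEIGHTS = {"asset": 0.4, "threat": 0.4, "intel": 0.2}


@dataclass(frozen=True)
class ThreatEvent:
    attack_type: str
    source: str
    target: str


def detect_threat_events(flows):
    """Compare flow features against the characteristic library (claim 3)."""
    events = []
    for f in flows:
        for attack_type, matches in THREAT_FEATURE_LIBRARY.items():
            if matches(f):
                events.append(ThreatEvent(attack_type, f["src"], f["dst"]))
    return events


def risk_assessment_value(event):
    """Return the normalized risk value, or None when the target is not a managed asset."""
    asset = ASSET_INFO_BASE.get(event.target)
    if asset is None:
        return None  # claim 1: only managed assets become target network assets
    _asset_type, _importance, first_idx = asset
    _threat_degree, second_idx = THREAT_INFO_BASE[event.attack_type]
    third_idx = THREAT_INTEL.get(event.source, 0.0)  # unknown source: no intel contribution
    value = (WEIGHTS["asset"] * first_idx
             + WEIGHTS["threat"] * second_idx
             + WEIGHTS["intel"] * third_idx)
    return round(min(max(value, 0.0), 1.0), 3)  # clamp then round for stable comparison


def management_tier(value):
    """Assumed risk-management policy: map the normalized value to a defender action."""
    if value >= 0.8:
        return "high: alert on-call and isolate asset pending review"
    if value >= 0.5:
        return "medium: open ticket, patch or harden within SLA"
    return "low: log and monitor"


def assess(flows):
    """Run the full pipeline; keyed by (target address, attack type)."""
    results = {}
    for ev in detect_threat_events(flows):
        value = risk_assessment_value(ev)
        if value is None:
            continue
        results[(ev.target, ev.attack_type)] = (value, management_tier(value))
    return results


if __name__ == "__main__":
    for key, (value, action) in assess(FLOWS).items():
        print(key, value, action)
```

With the sample data, the brute-force event against the critical bastion host scores 0.8 (high tier) and the SYN flood against the web server scores 0.74 (medium tier); the third flow matches no attack feature, and the fourth matches but targets an unmanaged address, so it never reaches assessment. Swapping the weighted sum for whatever algorithm claim 5 is implemented with only requires changing `risk_assessment_value`, since the three indices are looked up independently of how they are combined.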
CN202110802258.3A 2021-07-15 2021-07-15 Network asset management method, device, equipment and medium Pending CN113408948A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110802258.3A CN113408948A (en) 2021-07-15 2021-07-15 Network asset management method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110802258.3A CN113408948A (en) 2021-07-15 2021-07-15 Network asset management method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN113408948A true CN113408948A (en) 2021-09-17

Family

ID=77686573

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110802258.3A Pending CN113408948A (en) 2021-07-15 2021-07-15 Network asset management method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN113408948A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114070650A (en) * 2022-01-11 2022-02-18 浙江国利网安科技有限公司 Network asset evaluation method and device, electronic equipment and readable storage medium
CN114095261A (en) * 2021-11-24 2022-02-25 绿盟科技集团股份有限公司 Attack asset marking method, device, medium and equipment
CN114124552A (en) * 2021-11-29 2022-03-01 恒安嘉新(北京)科技股份公司 Network attack threat level obtaining method, device and storage medium
CN114301716A (en) * 2022-02-22 2022-04-08 绿盟科技集团股份有限公司 Network security assessment method and device, network security equipment and storage medium
CN114500024A (en) * 2022-01-19 2022-05-13 恒安嘉新(北京)科技股份公司 Network asset management method, device, equipment and storage medium
CN115225384A (en) * 2022-07-19 2022-10-21 天翼安全科技有限公司 Network threat degree evaluation method and device, electronic equipment and storage medium
CN115361185A (en) * 2022-08-10 2022-11-18 重庆电子工程职业学院 Network security discrimination and study system and method
CN115378744A (en) * 2022-10-25 2022-11-22 天津丈八网络安全科技有限公司 Network security test evaluation system and method

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120143650A1 (en) * 2010-12-06 2012-06-07 Thomas Crowley Method and system of assessing and managing risk associated with compromised network assets
US8201257B1 (en) * 2004-03-31 2012-06-12 Mcafee, Inc. System and method of managing network security risks
US9118714B1 (en) * 2014-07-23 2015-08-25 Lookingglass Cyber Solutions, Inc. Apparatuses, methods and systems for a cyber threat visualization and editing user interface
CN109245944A (en) * 2018-10-22 2019-01-18 西南石油大学 Network safety evaluation method and system
CN112784281A (en) * 2021-01-21 2021-05-11 恒安嘉新(北京)科技股份公司 Safety assessment method, device, equipment and storage medium for industrial internet
CN113114690A (en) * 2021-04-15 2021-07-13 恒安嘉新(北京)科技股份公司 Threat event identification method, device, equipment and storage medium

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114095261A (en) * 2021-11-24 2022-02-25 绿盟科技集团股份有限公司 Attack asset marking method, device, medium and equipment
CN114095261B (en) * 2021-11-24 2023-06-09 绿盟科技集团股份有限公司 Attack asset marking method, device, medium and equipment
CN114124552A (en) * 2021-11-29 2022-03-01 恒安嘉新(北京)科技股份公司 Network attack threat level obtaining method, device and storage medium
CN114070650A (en) * 2022-01-11 2022-02-18 浙江国利网安科技有限公司 Network asset evaluation method and device, electronic equipment and readable storage medium
CN114500024B (en) * 2022-01-19 2024-03-22 恒安嘉新(北京)科技股份公司 Network asset management method, device, equipment and storage medium
CN114500024A (en) * 2022-01-19 2022-05-13 恒安嘉新(北京)科技股份公司 Network asset management method, device, equipment and storage medium
CN114301716B (en) * 2022-02-22 2023-05-26 绿盟科技集团股份有限公司 Network security assessment method and device, network security equipment and storage medium
CN114301716A (en) * 2022-02-22 2022-04-08 绿盟科技集团股份有限公司 Network security assessment method and device, network security equipment and storage medium
CN115225384A (en) * 2022-07-19 2022-10-21 天翼安全科技有限公司 Network threat degree evaluation method and device, electronic equipment and storage medium
CN115225384B (en) * 2022-07-19 2024-01-23 天翼安全科技有限公司 Network threat degree evaluation method and device, electronic equipment and storage medium
CN115361185A (en) * 2022-08-10 2022-11-18 重庆电子工程职业学院 Network security discrimination and study system and method
CN115378744A (en) * 2022-10-25 2022-11-22 天津丈八网络安全科技有限公司 Network security test evaluation system and method
CN115378744B (en) * 2022-10-25 2023-01-10 天津丈八网络安全科技有限公司 Network security test evaluation system and method

Similar Documents

Publication Publication Date Title
US11750659B2 (en) Cybersecurity profiling and rating using active and passive external reconnaissance
CN113408948A (en) Network asset management method, device, equipment and medium
US11785040B2 (en) Systems and methods for cyber security alert triage
US10121000B1 (en) System and method to detect premium attacks on electronic networks and electronic devices
US10326781B2 (en) Cloud-based gateway security scanning
US20220014560A1 (en) Correlating network event anomalies using active and passive external reconnaissance to identify attack information
US10505953B2 (en) Proactive prediction and mitigation of cyber-threats
US9306964B2 (en) Using trust profiles for network breach detection
US10601848B1 (en) Cyber-security system and method for weak indicator detection and correlation to generate strong indicators
US9185127B2 (en) Network protection service
US8286239B1 (en) Identifying and managing web risks
US8429751B2 (en) Method and apparatus for phishing and leeching vulnerability detection
US8839435B1 (en) Event-based attack detection
US8997236B2 (en) System, method and computer readable medium for evaluating a security characteristic
US8763071B2 (en) Systems and methods for mobile application security classification and enforcement
US20220201042A1 (en) Ai-driven defensive penetration test analysis and recommendation system
WO2019133453A1 (en) Platform and method for retroactive reclassification employing a cybersecurity-based global data store
JP2020503635A (en) Gather indicators of compromise for security threat detection
US20140380478A1 (en) User centric fraud detection
US10129276B1 (en) Methods and apparatus for identifying suspicious domains using common user clustering
US20100235915A1 (en) Using host symptoms, host roles, and/or host reputation for detection of host infection
US8713674B1 (en) Systems and methods for excluding undesirable network transactions
US10848502B2 (en) Detection and prevention of hostile network traffic flow appropriation and validation of firmware updates
Khan et al. Towards augmented proactive cyberthreat intelligence
Papanikolaou et al. An autoML network traffic analyzer for cyber threat detection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination