CN113806751A - Method, device and medium for determining vulnerability and intelligence information activity - Google Patents


Info

Publication number: CN113806751A
Authority: CN (China)
Prior art keywords: vulnerability; time interval; preset time; activity; period
Legal status: Pending (as assumed by Google Patents; not a legal conclusion)
Application number: CN202111124494.0A
Other languages: Chinese (zh)
Inventor: 唐欢欢
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd
Application filed by: Sangfor Technologies Co Ltd
Priority application: CN202111124494.0A
Publication: CN113806751A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method, device and medium for determining vulnerability and intelligence information activity. Taking a first preset time interval as a period, a cloud counts, for each period, the vulnerability-related data generated when the security devices of the whole network are attacked; that data is generated by the security devices according to preset vulnerability rules. The activity of every vulnerability seen by the security devices of the whole network is then calculated from the vulnerability-related data of all periods within a second preset time interval. The conventional single-point statistical method can only show the vulnerability-related data of a single security device under attack, not that of the security devices of the whole network, and therefore cannot show the activity of all vulnerabilities across the network. The technical scheme counts all vulnerability-related data generated when the security devices of the whole network are attacked, analyzes the activity of all vulnerabilities across the network from it, and thereby raises the security protection level of the whole network.

Description

Method, device and medium for determining vulnerability and intelligence information activity
Technical Field
The invention relates to the technical field of information security, and in particular to a method, device and medium for determining vulnerability and intelligence information activity.
Background
Network attack events such as viruses, trojans and worms cause serious harm to national politics, the economy and society. Most such threats exploit vulnerabilities in application software or operating system software in order to steal important data and information, or even to destroy the system.
At present, to guard against a vulnerability being exploited, a single-point statistical method is mainly used: the vulnerability-related data generated when one security device is attacked is collected, and the exploitation situation on that device is analyzed. For example, when a single security device such as a firewall, an endpoint security product or a situation awareness platform is attacked through a vulnerability, it generates the corresponding vulnerability-related data, from which the activity of that vulnerability on that single device is analyzed. Single-point statistics can therefore only show the vulnerability-related data of a single security device under attack; it cannot show all the vulnerability-related data generated when the security devices of the whole network are attacked, and so cannot show the vulnerability activity across the security devices of the whole network.
How to obtain the activity of all vulnerabilities across the security devices of the whole network is therefore an urgent problem for those skilled in the art.
Disclosure of Invention
The object of the invention is to provide a method, device and medium for determining vulnerability and intelligence information activity, which count the vulnerability-related data and intelligence-information-related data generated when the security devices of the whole network are attacked, and analyze from them the activity of all vulnerabilities and of intelligence information across the whole network.
To solve the above technical problem, the invention provides a method for determining vulnerability activity, comprising:
taking a first preset time interval as a period, counting the vulnerability-related data generated when the security devices of the whole network are attacked in each period, wherein the vulnerability-related data is generated by the security devices according to preset vulnerability rules; and
calculating the vulnerability activity from the vulnerability-related data of all periods within a second preset time interval, wherein the second preset time interval is longer than the first preset time interval.
Preferably, calculating the vulnerability activity from the vulnerability-related data of all periods within the second preset time interval comprises:
if one vulnerability corresponds to one vulnerability rule, counting, with the first preset time interval as the period, the number of hits of the vulnerability rule of each vulnerability in each period; and
calculating the activity of each vulnerability across the whole network from the hit counts of the vulnerability rules of all vulnerabilities in each period, taken over the second preset time interval.
Preferably, calculating the vulnerability activity from the vulnerability-related data of all periods within the second preset time interval further comprises:
if one vulnerability corresponds to several vulnerability rules, counting, with the first preset time interval as the period, the number of hits of each of those vulnerability rules in each period; and
calculating the activity of each vulnerability across the whole network from the hit counts of the vulnerability rules belonging to the same vulnerability in each period, taken over the second preset time interval.
Preferably, after counting the hits of the vulnerability rules of all vulnerabilities in each period, the method further comprises:
determining the vulnerability trend of every vulnerability from the hit counts of its vulnerability rules in each period, taken over the second preset time interval.
Preferably, the method for determining vulnerability activity further comprises:
converting the vulnerability activity into the corresponding activity level according to a preset correspondence between activity values and activity levels.
Preferably, after determining the vulnerability trends of all vulnerabilities, the method further comprises:
determining corresponding protective measures according to the vulnerability activity and/or the vulnerability trend and/or the activity level and/or the gradient of the vulnerability trend.
To solve the above technical problem, the invention further provides a device for determining vulnerability activity, comprising:
a first statistical module, configured to take a first preset time interval as a period and count the vulnerability-related data generated when the security devices of the whole network are attacked in each period, wherein the vulnerability-related data is generated by the security devices according to preset vulnerability rules; and
a first calculation module, configured to calculate the vulnerability activity from the vulnerability-related data of all periods within a second preset time interval, wherein the second preset time interval is longer than the first preset time interval.
To solve the above technical problem, the invention further provides a method for determining intelligence information activity, comprising:
taking a first preset time interval as a period, counting the intelligence-information-related data generated when the security devices of the whole network are attacked in each period, wherein the intelligence-information-related data is generated by the security devices according to preset intelligence rules; and
calculating the intelligence information activity from the intelligence-information-related data of all periods within a second preset time interval, wherein the second preset time interval is longer than the first preset time interval.
To solve the above technical problem, the invention further provides an apparatus for determining intelligence information activity, comprising:
a second statistical module, configured to take a first preset time interval as a period and count the intelligence-information-related data generated when the security devices of the whole network are attacked in each period, wherein the intelligence-information-related data is generated by the security devices according to preset intelligence rules; and
a second calculation module, configured to calculate the intelligence information activity from the intelligence-information-related data of all periods within a second preset time interval, wherein the second preset time interval is longer than the first preset time interval.
To solve the above technical problem, the invention also provides an apparatus comprising a memory for storing a computer program; and
a processor which, when executing the computer program, implements the steps of the method for determining vulnerability activity and/or of the method for determining intelligence information activity.
To solve the above technical problem, the invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method for determining vulnerability activity and/or of the method for determining intelligence information activity.
The method for determining vulnerability activity provided by the invention proceeds as follows. Taking the first preset time interval as a period, the cloud counts the vulnerability-related data generated when the security devices of the whole network are attacked in each period, the data being generated by the security devices according to preset vulnerability rules. Having counted the vulnerability-related data of the whole network, the cloud calculates the activity of all vulnerabilities of the security devices of the whole network from the data of all periods within the second preset time interval. The conventional single-point statistical method can only show the vulnerability-related data of a single security device under attack, not that of the security devices of the whole network, and therefore cannot show the activity of all vulnerabilities across the network. The technical scheme counts all vulnerability-related data generated when the security devices of the whole network are attacked, analyzes the activity of all vulnerabilities across the network from it, provides a data source for taking corresponding protective measures, and so raises the security protection level of the whole network.
The device and medium for determining vulnerability activity, and the method, device and medium for determining intelligence information activity, correspond to the method for determining vulnerability activity and have the same effects.
Drawings
To illustrate the embodiments of the invention more clearly, the drawings needed for the embodiments are briefly described below. The drawings described are only some embodiments of the invention; those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a structural diagram of a method for determining vulnerability activity according to an embodiment of the invention;
Fig. 2 is a flowchart of a method for determining vulnerability activity according to an embodiment of the invention;
Fig. 3 is a structural diagram of a device for determining vulnerability activity according to an embodiment of the invention;
Fig. 4 is a structural diagram of an apparatus for determining intelligence information activity according to an embodiment of the invention;
Fig. 5 is a structural diagram of an apparatus for determining vulnerability and intelligence information activity according to another embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative work fall within the scope of protection of the invention.
The core of the invention is a method, device and medium for determining vulnerability and intelligence information activity, which count the vulnerability-related data and intelligence-information-related data generated when the security devices of the whole network are attacked, and analyze from them the activity of all vulnerabilities and of intelligence information across the whole network.
So that those skilled in the art may better understand the disclosure, the invention is described in further detail below with reference to the drawings and specific embodiments.
The security devices include IP protocol cipher machines, security routers, firewalls, situation awareness platforms and the like. Network attack events such as trojans, network sniffing and viruses generally exploit vulnerabilities to attack the security devices, obtain important information or even destroy the system. In a specific implementation, a certain time interval is taken as the period, and the frequency with which a given vulnerability is used to attack the security devices of the whole network is measured in each period. If that frequency is decreasing or level, no warning needs to be issued and no protective measure taken; if it is slowly increasing or fluctuating around a fixed value, a warning is issued so that staff know a corresponding protective measure may be needed; if it is increasing sharply, a warning is issued and the corresponding protective measure must be taken. Understanding the activity of all vulnerabilities across the whole network is therefore crucial to raising the network's security level.
To obtain vulnerability activity, the vulnerability-related data generated when a single security device is attacked is usually collected by single-point statistics and the activity on that single device is analyzed; single-point statistics therefore only show how the vulnerabilities of one device are exploited and cannot show vulnerability-related information for the whole network. To count the data of all vulnerabilities across the whole network and so learn their activity, the invention provides a method for determining vulnerability activity. Fig. 1 is a structural diagram of the method according to an embodiment of the invention; as shown in Fig. 1, the structure comprises several security devices connected to a cloud 1, which may be one server or several. Taking a first preset time interval as the period, the cloud 1 counts the vulnerability-related data generated when all security devices are attacked in each period, determines from it the activity of all vulnerabilities across the network for each period within a second preset time interval, and thereby provides a data source for taking corresponding protective measures against attacks on the security devices of the whole network.
Fig. 2 is a flowchart of a method for determining vulnerability activity according to an embodiment of the invention. As shown in Fig. 2, the method comprises:
S10: taking the first preset time interval as a period, counting the vulnerability-related data generated when the security devices of the whole network are attacked in each period.
In a specific embodiment, taking the first preset time interval as the period, the cloud 1 counts the vulnerability-related data generated when the security devices of the whole network are attacked in each period, the data being generated by the security devices according to preset vulnerability rules. The preset vulnerability rules may be formed as follows: the cloud 1 obtains, from the domestic vulnerability sharing platforms, the attack behavior rules that match the vulnerability characteristics of the security devices of the whole network, numbers each attack behavior rule to obtain its vulnerability rule ID, integrates the attack behavior rules and their IDs into a vulnerability rule package, and pushes the package to the security devices of the whole network. Two examples of attack behavior rules: the rule for the remote code execution vulnerabilities of Microsoft Windows and Windows Server describes the use of the vulnerability to execute code remotely; the rule for the denial-of-service vulnerability of Oracle MySQL Server describes the use of the vulnerability to make the MySQL Server hang or crash repeatedly.
In a specific embodiment, the vulnerability rule package may be built from attack behavior rules matching the vulnerability characteristics of the security devices obtained from the China National Vulnerability Database (CNVD) and from foreign sources such as Common Vulnerabilities and Exposures (CVE); a vulnerability rule ID is assigned to each attack behavior rule, and the rules and their IDs are integrated, for example as a list, into the vulnerability rule package; the form of integration is not limited by the invention. The rules may be obtained from domestic platforms, from foreign platforms, or from both; this is not limited either. The rule package pushed across the network may be the same for every device, or different packages may be built according to the vulnerability characteristics of each security device and pushed to the corresponding devices.
The vulnerability rule package may be rebuilt whenever a new vulnerability is detected, that is, whenever a new attack behavior rule and its vulnerability rule ID appear; or it may be rebuilt on a fixed schedule, for example once a week; or, after each fixed period, the cloud checks whether a new attack behavior rule and ID have appeared and rebuilds the package only if they have. The invention is not limited in this respect.
Attack behavior rules and vulnerability rule IDs correspond one to one. The IDs may be formed by numbering the rules with Arabic numerals, with Roman numerals or in any other numbering form; the invention is not limited in this respect.
The preset vulnerability rules may of course be set in other ways, and the invention is not limited in this respect. Because analyzing the content of attack behavior rules directly to assess vulnerability activity is difficult, the cloud 1 numbers the attack behavior rules it obtains into vulnerability rule IDs and determines activity from those IDs, so a rule package containing the attack behavior rules and their IDs is preferred. The rule package is therefore used as the example below. In a specific embodiment, the cloud 1 pushes the rule package to all security devices connected to it; when those devices are attacked and generate vulnerability-related data, the cloud 1 counts, with the first preset time interval as the period, the vulnerability-related data of all vulnerabilities of the security devices in each period.
The time and interval at which the cloud 1 pushes rule packages are not limited. If past statistics show that the activity of all vulnerabilities is stable, the package may be pushed at a fixed interval, for example once a week; this guarantees that every device periodically receives a fresh package, so that a lost or corrupted package on one device does not prevent the activity of all vulnerabilities across the network from being counted.
Alternatively, after each fixed interval the cloud checks whether the attack behavior rules and their IDs in the package have changed, that is, whether the package has been updated, and pushes it only if so. Checking for an update before pushing avoids the wasted work and resources of pushing an unchanged package.
Or, as soon as an update of the attack behavior rules or their IDs is detected, the new package may be pushed immediately to the security devices of the whole network. With this mode the devices' packages are updated as soon as new rules and IDs appear, so the data on the activity of all vulnerabilities across the network is obtained promptly.
The cloud 1 may push the same package to all security devices of the whole network or different packages according to service requirements; this is not limited, and the same package is preferred. When the cloud 1 detects that a new security device has connected, it may push the package to that device alone at once, or push it to the newly connected device at the next uniform push time.
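The package-building and push logic described above, as an added example that is not code from the patent or from Sangfor: it assigns Arabic-numeral rule IDs, computes a digest so the cloud can tell whether the package has been updated, and selects push targets under the three modes just described (fixed interval, push-if-updated, push-immediately), treating a newly connected device as one holding no package. The rule texts, the `R-0001` ID format, the device names and the policy that a rule keeps its ID across rebuilds and that a retired rule's number is never reused are all assumptions; the patent only requires one ID per rule. Keeping IDs stable matters for the later activity statistics, because a renumbered package would silently break the per-ID hit-count history.

```python
import hashlib
import json

# Constructed attack-behavior rules (not the patent's actual rule content): a stable key the
# cloud uses to recognise a rule across rebuilds, plus the rule text.
RULES_V1 = [
    ("ms-windows-rce", "remote code execution attempt against Microsoft Windows / Windows Server"),
    ("oracle-mysql-dos", "request pattern that makes Oracle MySQL Server hang or crash repeatedly"),
]


def assign_rule_ids(rules, previous_ids):
    """Number rules with Arabic numerals (assumed ID format R-NNNN).
    A rule already present in the previous package keeps its ID, so hit counts stay comparable
    between packages; a new rule gets the next unused number; the number of a retired rule is
    never reused (assumed policy)."""
    ids = dict(previous_ids)
    next_n = max((int(rid.split("-")[1]) for rid in ids.values()), default=0) + 1
    for key, _text in rules:
        if key not in ids:
            ids[key] = f"R-{next_n:04d}"
            next_n += 1
    return {key: ids[key] for key, _text in rules}


def build_rule_package(rules, previous_package=None):
    """Integrate the attack behavior rules and their IDs into a package (list form).
    The SHA-256 digest of the canonical encoding lets the cloud detect an update."""
    prev_ids = {} if previous_package is None else {e["key"]: e["rule_id"] for e in previous_package["rules"]}
    ids = assign_rule_ids(rules, prev_ids)
    entries = sorted(({"rule_id": ids[k], "key": k, "rule": t} for k, t in rules), key=lambda e: e["rule_id"])
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return {"rules": entries, "digest": hashlib.sha256(canonical).hexdigest()}


def select_push_targets(package, device_digests, mode, interval_elapsed):
    """Decide which security devices receive the package.
    device_digests: device name -> digest of the package it currently holds (None if newly connected).
    mode "fixed":     every device, once the fixed push interval has elapsed.
    mode "on_change": after the interval, only devices whose package differs or is missing.
    mode "immediate": every device whose package differs or is missing, without waiting."""
    stale = sorted(dev for dev, digest in device_digests.items() if digest != package["digest"])
    if mode == "fixed":
        return sorted(device_digests) if interval_elapsed else []
    if mode == "on_change":
        return stale if interval_elapsed else []
    if mode == "immediate":
        return stale
    raise ValueError(f"unknown push mode {mode!r}")
```

Rebuilding the package from an unchanged rule list yields the same digest, so in the push-if-updated mode nothing is sent; adding or retiring a rule changes the digest and the stale devices are pushed, while a rule that survives the rebuild keeps its ID.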
In a specific embodiment, the cloud 1 collects the vulnerability-related data generated when the security devices of the whole network are attacked in one of the following three ways:
(1) As soon as one or more security devices in the network are attacked and generate vulnerability-related data, each such device immediately and actively uploads that data to the cloud 1, which records it in the security log.
(2) After a preset period, each security device uploads at a fixed time the vulnerability-related data generated while it was attacked. For example, at eight o'clock in the morning following the previous upload, every security device in the network actively uploads the vulnerability-related data generated when it was attacked to the cloud 1, which records it in the security log. The preset upload period is not limited by the invention.
(3) When a security device is attacked and generates vulnerability-related data, it sends the cloud 1 an instruction to fetch the new data, and the cloud 1 then actively collects the vulnerability-related data of the whole network. After receiving the instruction the cloud 1 may fetch the data immediately or after a preset time interval; this is not limited by the invention.
S11: and calculating vulnerability activity according to vulnerability related data corresponding to all periods in a second preset time interval.
With the first preset time interval as a period, after the step S10 counts vulnerability-related data generated when all security devices in the whole network are attacked in each period, vulnerability liveness of all vulnerabilities in each period is calculated according to the counted vulnerability-related data and vulnerability-related data corresponding to all periods in the second preset time interval. It is noted that the second predetermined time interval is greater than the first predetermined time interval.
In a specific embodiment, when any one of the security devices in the whole network is attacked, corresponding vulnerability-related data is generated, and the cloud 1 acquires the vulnerability-related data and records the vulnerability-related data in the security log. In addition, the cloud 1 needs to aggregate all vulnerability related data recorded in the security log in each period with the first preset time interval as the period, and calculate vulnerability liveness of all vulnerabilities of the whole network according to vulnerability related data corresponding to all periods in the second preset time interval.
When the vulnerability rule is a vulnerability rule packet, where the vulnerability rule packet includes each attack behavior rule and a vulnerability rule ID corresponding to each attack behavior rule, the vulnerability-related data generated by the security device according to the vulnerability rule may include the vulnerability rule ID, and may also include network traffic data that conforms to the vulnerability characteristics when the security device is attacked. Since the liveness of all the holes in the whole network can be analyzed according to the number of times of hitting the hole rule ID, the cloud 1 counts hole related data generated when the security equipment in the whole network is attacked and uploads the hole related data in the security log, wherein the hole related data only comprises the hole rule ID. Of course, in order to show the relevant information of the vulnerability more comprehensively, the network traffic data meeting the vulnerability characteristics when the security device is attacked can also be uploaded to the security log so as to be convenient for the user to view, which is not limited by the present invention. It should be noted that, when acquiring vulnerability-related data generated when the security device is attacked, the cloud 1 needs to compress and encrypt the vulnerability-related data, so as to ensure the security of the transmission data while ensuring the transmission speed, and certainly, the encryption method is not limited in the present invention.
In a specific embodiment, when a vulnerability corresponds to one vulnerability rule, the activity of the vulnerability is calculated from the hit count of that rule. When a vulnerability corresponds to multiple vulnerability rules, the activity of the vulnerability is calculated from the hit counts of all rules belonging to that vulnerability. How the activity is calculated from the hit counts of vulnerability rule IDs is described in detail below.
The method for determining vulnerability activity provided by the embodiment of the present invention comprises: taking the first preset time interval as the period, the cloud counts, in each period, the vulnerability-related data generated when security devices of the whole network are attacked, where the vulnerability-related data is generated by the security devices according to a preset vulnerability rule. After the cloud has counted the vulnerability-related data of the whole network, it calculates the vulnerability activity of all vulnerabilities of the security devices of the whole network according to the vulnerability-related data corresponding to all periods in the second preset time interval. The traditional single-point statistical method can only show the vulnerability-related data generated when a single security device is attacked; it cannot show the data generated when the security devices of the whole network are attacked, and therefore cannot show the vulnerability activity of all vulnerabilities of the whole network. With the present technical solution, all vulnerability-related data generated when security devices of the whole network are attacked can be counted, the vulnerability activity of all vulnerabilities of the whole network can be analyzed from that data, and a data source is provided for taking corresponding protective measures, thereby improving the security protection level of the whole network.
In a specific embodiment, after the cloud acquires corresponding vulnerability-related data generated when the security device is attacked, the vulnerability-related data needs to be analyzed to calculate the activity of the vulnerability of the whole network. And when one vulnerability corresponds to one vulnerability rule, calculating the activity of the vulnerability according to the hit times of the vulnerability rule. For convenience of understanding, the vulnerability rules are taken as a vulnerability rule package for example, where the vulnerability rule package includes attack behavior rules and vulnerability rule IDs corresponding to the attack behavior rules.
When one vulnerability corresponds to one attack behavior rule and one vulnerability rule ID, the hit times of the vulnerability rule ID can be directly used as the vulnerability activity of the vulnerability. For example, a certain vulnerability a corresponds to 1 attack behavior rule and 1 vulnerability rule ID1, if the vulnerability a is utilized to attack the corresponding security device, the number of times that the vulnerability rule ID1 is hit in each period with the first preset time interval as the period can be directly used as the activity of the vulnerability a, for example, the first preset time interval is 12 hours, and the vulnerability rule ID1 is hit 2 times in 12 hours, so the activity of the vulnerability a is 2.
Alternatively, the hit count of vulnerability rule ID1 is counted in each period with the first preset time interval as the period, and the average of the hit counts of vulnerability rule ID1 over all periods in the second preset time interval is taken as the activity of vulnerability A. For example, the first preset time interval is 1 day and the second preset time interval is 2 days; vulnerability rule ID1 is hit 1 time on day 1 and 3 times on day 2, that is, 4 times in total over 2 days, or 2 times per day on average, so the activity of vulnerability A is 2. It should be noted that the first preset time interval may be 1 hour, half a day, one week, etc., and the second preset time interval may be 2 days, 3 days, one week, one month, etc.; the present invention does not limit these, but the second preset time interval must be greater than the first preset time interval.
In specific implementation, new vulnerabilities continue to appear over time and new vulnerability rule packages are generated accordingly, so the vulnerability rule packages on the security devices need to be updated. It should be noted that the new vulnerability rule package may be pushed at a fixed interval, for example at 8 a.m. 3 days after the last push, when the new package is pushed to the security devices of the whole network on schedule. Alternatively, it may be checked at a fixed interval whether the content of the vulnerability rule package has been updated; if so, the new package is pushed to the security devices of the whole network, and if not, nothing is pushed. For example, at 8 a.m. one week after the last update, it is detected whether the vulnerability rule package has been updated, and the package is pushed only if it has. It is also possible to push a new vulnerability rule package to the security devices as soon as an update is detected. The present invention is not limited in this respect, but pushing at a fixed interval is preferred.
According to the method for determining vulnerability activity, the number of vulnerability rules corresponding to a vulnerability is determined by the number of characteristics of that vulnerability, so each vulnerability may correspond to one or more vulnerability rules. When calculating the activity of a vulnerability, the hit count of the vulnerability rule in the current period may be used directly as the activity, or the hit count of the vulnerability rule may first be counted in each period with the first preset time interval as the period, and the average of the hit counts over all periods in the second preset time interval then taken as the vulnerability activity. Determining the activity of the vulnerabilities of the whole network from the hit counts of the vulnerability rules is simple to compute, and the resulting activity can be presented visually, thereby providing a data source for taking corresponding protective measures and improving the protection level of the whole network.
On the basis of the above embodiment, when one vulnerability corresponds to a plurality of vulnerability rules, the sum of the hit counts of the vulnerability rules belonging to the same vulnerability in each period, with the first preset time interval as the period, may be used directly as the activity of the vulnerability. Alternatively, the hit counts of the vulnerability rules are counted in each period with the first preset time interval as the period, and the average, over all periods in the second preset time interval, of the summed hit counts of the rules belonging to the same vulnerability is taken as the activity of the vulnerability. As before, for ease of understanding, the case where the vulnerability rule is a vulnerability rule package is taken as an example, where the package includes each attack behavior rule and the vulnerability rule ID corresponding to each attack behavior rule.
With the first preset time interval as the period, the sum of the hit counts of the vulnerability rule IDs belonging to the same vulnerability in each period may be used directly as the activity of the vulnerability. For example, vulnerability B corresponds to 2 attack behavior rules and 2 vulnerability rule IDs, namely vulnerability rule ID2 and vulnerability rule ID3. When vulnerability B is used to attack the corresponding security device, vulnerability rule ID2 is hit 1 time and vulnerability rule ID3 is hit 2 times within a first preset time interval of 12 hours, so ID2 and ID3 are hit 3 times together within that interval, and the activity of vulnerability B is 3. Likewise, the first preset time interval may be 1 hour, half a day, one week, etc., which the present invention does not limit.
In addition, with the first preset time interval as the period, the hit counts of the vulnerability rules may be counted in each period, and the average, over all periods in the second preset time interval, of the summed hit counts of the rules belonging to the same vulnerability taken as the activity of the vulnerability. For example, vulnerability C corresponds to 2 attack behavior rules and 2 vulnerability rule IDs, namely vulnerability rule ID4 and vulnerability rule ID5; the first preset time interval is 1 day and the second preset time interval is 2 days. When vulnerability C is used to attack the corresponding security device, if vulnerability rule ID4 is hit 1 time and vulnerability rule ID5 2 times on day 1, and ID4 is hit 2 times and ID5 3 times on day 2, then ID4 and ID5 are hit 8 times in total within the 2 days, or 4 times per day on average, so the activity of vulnerability C is 4. Similarly, the first preset time interval may be 1 hour, half a day, one week, etc., and the second preset time interval may be 2 days, 3 days, one week, one month, etc.; the present invention does not limit these, but the second preset time interval must be greater than the first preset time interval.
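The aggregation described for vulnerabilities A (one rule) and C (two rules) above, carried through in code. This is an added example and not code from the patent or its assignee: the rule-to-vulnerability mapping, the security-log record layout (device, timestamp, rule ID), the window start T0 and all hit timestamps are constructed assumptions; the intervals (1-day periods over a 2-day window) and the expected results (2 hits per day for A, 4 for C) are the page's own. The example also covers two cases the text only implies: a rule ID absent from the current rule package, and a hit outside the second preset time interval, both of which are skipped.

```python
from datetime import datetime, timedelta, timezone

# Rule package: vulnerability rule ID -> vulnerability it belongs to. Assumed
# names following the page's examples: A has one rule, B and C have two each.
RULE_TO_VULN = {"ID1": "A", "ID2": "B", "ID3": "B", "ID4": "C", "ID5": "C"}

# The page's example intervals: 1-day periods, evaluated over a 2-day window.
FIRST_INTERVAL = timedelta(days=1)
SECOND_INTERVAL = timedelta(days=2)

# Start of the second preset time interval (assumed; any aligned timestamp works).
T0 = datetime(2021, 9, 1, tzinfo=timezone.utc)


def _at(day, hour):
    return T0 + timedelta(days=day, hours=hour)


# Constructed security-log entries: (reporting device, timestamp, rule ID hit).
# The record layout is an assumption; the page only requires the rule ID.
SAMPLE_HITS = [
    # vulnerability A (one rule): 1 hit on day 1, 3 hits on day 2 -> mean 2/day
    ("fw-01", _at(0, 3), "ID1"),
    ("fw-02", _at(1, 1), "ID1"), ("fw-02", _at(1, 5), "ID1"), ("fw-07", _at(1, 20), "ID1"),
    # vulnerability C (two rules): day 1 ID4x1 + ID5x2 = 3, day 2 ID4x2 + ID5x3 = 5 -> mean 4/day
    ("fw-03", _at(0, 2), "ID4"), ("fw-03", _at(0, 9), "ID5"), ("fw-04", _at(0, 15), "ID5"),
    ("fw-05", _at(1, 2), "ID4"), ("fw-05", _at(1, 3), "ID4"),
    ("fw-06", _at(1, 8), "ID5"), ("fw-06", _at(1, 9), "ID5"), ("fw-08", _at(1, 22), "ID5"),
    # a rule ID absent from the current package (e.g. a device on an old package) is ignored
    ("fw-09", _at(1, 11), "ID99"),
    # a hit outside the second preset time interval is ignored too
    ("fw-09", _at(2, 1), "ID1"),
]


def hits_per_period(hits, rule_to_vuln, start, first_interval, second_interval):
    """Count rule hits per period, summed over all rule IDs of the same vulnerability.

    Periods have length first_interval; second_interval is the window of periods
    that feeds the activity calculation and must be longer than first_interval.
    Returns {vulnerability: [hits in period 0, hits in period 1, ...]}.
    """
    if second_interval <= first_interval:
        raise ValueError("second preset time interval must exceed the first")
    n_periods = second_interval // first_interval   # timedelta // timedelta -> int
    end = start + first_interval * n_periods
    # every vulnerability in the package gets a series, even with zero hits
    counts = {vuln: [0] * n_periods for vuln in set(rule_to_vuln.values())}
    for _device, ts, rule_id in hits:
        vuln = rule_to_vuln.get(rule_id)
        if vuln is None or not (start <= ts < end):
            continue
        counts[vuln][(ts - start) // first_interval] += 1
    return counts


def activity_current_period(per_period):
    """First variant on the page: the hit count of the latest period is the activity."""
    return per_period[-1]


def activity_mean(per_period):
    """Second variant on the page: mean hits per period over the second preset interval."""
    return sum(per_period) / len(per_period)


def network_activity(hits, rule_to_vuln, start, first_interval, second_interval):
    """Activity (mean variant) of every vulnerability in the rule package."""
    per = hits_per_period(hits, rule_to_vuln, start, first_interval, second_interval)
    return {vuln: activity_mean(series) for vuln, series in per.items()}


if __name__ == "__main__":
    result = network_activity(SAMPLE_HITS, RULE_TO_VULN, T0, FIRST_INTERVAL, SECOND_INTERVAL)
    for vuln, act in sorted(result.items()):
        print(f"vulnerability {vuln}: activity {act:.1f} hits per day")
```

Because the second interval is expressed as a whole number of first intervals, a device whose clock is ahead of the cloud's can place a hit in a later period or outside the window entirely; in practice the cloud should bucket hits by its own receive time or reject timestamps in the future.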
According to the method for determining vulnerability activity provided by the embodiment of the present invention, when one vulnerability corresponds to a plurality of vulnerability rules, the sum of the hit counts of the rules belonging to the same vulnerability in each period, with the first preset time interval as the period, may be used directly as the activity of the vulnerability. Alternatively, the hit counts of the vulnerability rules are counted in each period with the first preset time interval as the period, and the average, over all periods in the second preset time interval, of the summed hit counts of the rules belonging to the same vulnerability is taken as the activity. The calculation is simple, and the resulting activity can be presented visually, providing a data source for taking corresponding protective measures and thereby improving the protection level of the whole network.
On the basis of the above embodiment, in order to show the trend with which the vulnerabilities of the whole network are being used to attack security devices, after the hit counts of the vulnerability rules corresponding to all vulnerabilities of the whole network have been counted in each period with the first preset time interval as the period, the vulnerability trend of every vulnerability is calculated from the hit counts corresponding to all periods in the second preset time interval, so that the user can view it and judge whether protective measures need to be taken. For example, if the activity of a vulnerability shows a sharply rising trend, the user should take protective measures as soon as possible; if it shows a slowly rising trend or settles around a certain value, the user can continue monitoring without taking protective measures; and if it shows a falling trend, the user may stop monitoring it. It should be noted that the vulnerability trend may be presented as a line graph or a bar graph; the presentation form is not limited by the present invention.
According to the method for determining the vulnerability activity, the vulnerability trend of the vulnerability is determined according to the hit times of the vulnerability rules corresponding to all vulnerabilities of the whole network, a user can visually check the activity degree and the trend of the vulnerability, and then whether corresponding protection measures are taken or not can be judged according to the vulnerability trend, so that the protection level of the whole network is further improved.
In a specific embodiment, in addition to determining the vulnerability activity of all vulnerabilities of the whole network from the hit counts of the corresponding vulnerability rules so that the user can take protective measures, the vulnerability activity of all vulnerabilities may be converted into vulnerability activity levels, and the levels transmitted to the security log for the user to view and act on. For example, the vulnerability activity level is marked with stars: one star denotes a low-risk vulnerability, two or three stars a medium-risk vulnerability, four stars a high-risk vulnerability, and five stars a vulnerability requiring emergency handling. After the activity of all vulnerabilities of the whole network has been converted into levels, the user can select protective measures according to the level. It should be noted that the division of levels, the form of the marking, and the way activity is converted into a level are not limited by the present invention.
According to the method for determining the vulnerability activity, the vulnerability activity is converted into the vulnerability grade according to the vulnerability activity of all the vulnerabilities of the whole network, and a user can visually observe the danger degree of the vulnerability according to the vulnerability grade, so that corresponding protection measures can be taken in time, and the protection level of the whole network is further improved.
In a specific embodiment, the cloud analyzes and acquires vulnerability activity, vulnerability trend, vulnerability activity level and vulnerability trend gradient of all the vulnerabilities of the whole network. The gradient of the vulnerability trend is divided into different gradient levels according to the vulnerability trend presentation graph, and a user can visually observe the gradient level of each vulnerability in the whole network through the gradient of the vulnerability trend, so that corresponding protection measures can be taken. For example, the gradient of the vulnerability trend is divided into three levels, when the vulnerability trend is located in a first gradient region, protective measures are not needed, when the vulnerability trend is located in a second gradient region, protective measures are not needed to be taken immediately but the change situation of the activity of the vulnerability in the region needs to be paid attention to all the time, and when the vulnerability trend is located in a third gradient region, protective measures are needed to be taken immediately by a user. The present invention is not limited to the division of the gradient and the number of levels of the gradient. And after the cloud end analyzes and acquires the vulnerability activity, vulnerability trend, vulnerability activity level and vulnerability trend gradient of all the vulnerabilities of the whole network, the vulnerability activity, vulnerability activity level and vulnerability trend gradient are transmitted to the security log, so that a user can visually check the related data of all the vulnerabilities of the whole network, and then corresponding protection measures can be taken according to the data.
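The trend, gradient region and star level described above, computed from a per-period activity series in code. This is an added example, not code from the patent or its assignee. The page leaves the level thresholds, the gradient boundaries and the trend criterion open, so the star thresholds, the slope-based trend classification and its cut-offs are all assumptions chosen here for illustration; the mapping of gradient regions to actions (none, keep watching, act immediately) and the risk wording per star count follow the page. The input series are constructed per-period hit counts, one value per first preset time interval.

```python
# Assumed thresholds (the page leaves the division of levels and gradients open):
STAR_THRESHOLDS = (2, 5, 10, 20)   # mean hits per period needed for 2, 3, 4, 5 stars
SLOW_RISE = 0.05                   # relative slope per period above which the trend is rising
SHARP_RISE = 0.5                   # relative slope per period above which the rise is sharp

# Wording follows the page: 1 star low, 2-3 medium, 4 high, 5 emergency.
RISK_BY_STARS = {1: "low", 2: "medium", 3: "medium", 4: "high", 5: "emergency"}
ACTION_BY_GRADIENT = {
    1: "no protective measures needed",
    2: "no immediate measures, keep watching the activity",
    3: "take protective measures immediately",
}


def linear_slope(series):
    """Least-squares slope of per-period activity against the period index."""
    n = len(series)
    if n < 2:
        return 0.0
    mx = (n - 1) / 2
    my = sum(series) / n
    sxx = sum((x - mx) ** 2 for x in range(n))
    sxy = sum((x - mx) * (y - my) for x, y in zip(range(n), series))
    return sxy / sxx


def relative_slope(series):
    """Slope divided by the mean level, so 1 -> 3 hits and 100 -> 300 hits rank alike."""
    mean = sum(series) / len(series)
    return linear_slope(series) / max(mean, 1.0)


def trend(series, slow=SLOW_RISE, sharp=SHARP_RISE):
    """Classify the series as the page's four trends (assumed slope-based criterion)."""
    rel = relative_slope(series)
    if rel >= sharp:
        return "rising sharply"
    if rel >= slow:
        return "rising slowly"
    if rel > -slow:
        return "stable"
    return "falling"


def gradient_level(series):
    """Three gradient regions as on the page: 1 no action, 2 keep watching, 3 act now."""
    return {"falling": 1, "stable": 2, "rising slowly": 2, "rising sharply": 3}[trend(series)]


def star_level(activity, thresholds=STAR_THRESHOLDS):
    """1..5 stars: one more star for each assumed threshold the activity reaches."""
    return 1 + sum(activity >= t for t in thresholds)


def assess(vuln, series):
    """The per-vulnerability record the page says the cloud writes to the security log."""
    act = sum(series) / len(series)          # mean-variant activity over the window
    stars = star_level(act)
    grad = gradient_level(series)
    return {
        "vulnerability": vuln, "activity": act, "trend": trend(series),
        "stars": stars, "risk": RISK_BY_STARS[stars],
        "gradient": grad, "action": ACTION_BY_GRADIENT[grad],
    }


if __name__ == "__main__":
    # constructed per-period hit counts: A and C are the page's examples
    samples = {"A": [1, 3], "C": [3, 5], "D": [12, 12, 11, 13], "E": [9, 7, 4, 2]}
    for vuln, series in samples.items():
        print(assess(vuln, series))
```

Normalising the slope by the mean keeps a vulnerability that moves from 1 to 3 hits (a tripling) in the sharp-rise region while a chronically noisy one drifting from 12 to 13 stays stable; a two-period window, as in the page's examples, gives a slope that is just the difference of the two values, so longer second intervals give steadier trends.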
According to the method for determining the vulnerability activity, provided by the embodiment of the invention, the user can take corresponding protection measures according to the acquired vulnerability activity, vulnerability trend, vulnerability activity level and vulnerability trend gradient, so that the protection level of the whole network is further improved.
In the above embodiments, the method for determining the vulnerability activity level is described in detail, and the present invention further provides an embodiment corresponding to the apparatus for determining the vulnerability activity level. It should be noted that the present invention describes the embodiment of the apparatus part from two perspectives, one is based on the functional module, and the other is based on the hardware structure.
Fig. 3 is a structural diagram of an apparatus for determining vulnerability activity according to an embodiment of the present invention. As shown in fig. 3, the apparatus includes:
the first statistical module 10 is configured to count vulnerability related data generated when security devices of the whole network are attacked in each period, where the vulnerability related data is generated by the security devices according to a preset vulnerability rule, with a first preset time interval as a period;
the first calculation module 11 is configured to calculate vulnerability activity according to the vulnerability related data corresponding to all cycles in a second preset time interval, where the second preset time interval is greater than the first preset time interval.
As a preferred embodiment, the apparatus further includes a conversion module configured to convert the vulnerability activity into a corresponding activity level according to a preset correspondence between activity and activity level.
Since the embodiments of the apparatus portion and the method portion correspond to each other, please refer to the description of the embodiments of the method portion for the embodiments of the apparatus portion, which is not repeated here.
The present invention provides an apparatus for determining vulnerability activity, which comprises: taking the first preset time interval as the period, the cloud counts, in each period, the vulnerability-related data generated when security devices of the whole network are attacked, where the vulnerability-related data is generated by the security devices according to a preset vulnerability rule. After the cloud has counted the vulnerability-related data of the whole network, it calculates the vulnerability activity of all vulnerabilities of the security devices of the whole network according to the vulnerability-related data corresponding to all periods in the second preset time interval. The traditional single-point statistical method can only show the vulnerability-related data generated when a single security device is attacked; it cannot show the data generated when the security devices of the whole network are attacked, and therefore cannot show the vulnerability activity of all vulnerabilities of the whole network. With the present technical solution, all vulnerability-related data generated when security devices of the whole network are attacked can be counted, the vulnerability activity of all vulnerabilities of the whole network can be analyzed from that data, and a data source is provided for taking corresponding protective measures, thereby improving the security protection level of the whole network.
The method specifically described in the foregoing embodiment is applied to determining vulnerability activity, and the present application also provides an embodiment corresponding to the method, which is applied to determining intelligence information activity, and certainly can also be applied to determining other resource activity, and the present invention is not limited thereto, where the intelligence information includes: a Uniform Resource Locator (URL), a Domain Name System (DNS), and the like.
Since the embodiment of the method for determining the vulnerability activity level corresponds to the embodiment of the method for determining the intelligence information activity level, but the corresponding target objects are different, please refer to the description of the embodiment of the method for determining the vulnerability activity level, which is not repeated herein.
The method for determining intelligence information activity provided by the present invention comprises: taking the first preset time interval as the period, the cloud counts, in each period, the intelligence-related data generated when security devices of the whole network are attacked, where the intelligence-related data is generated by the security devices according to a preset intelligence rule. After the cloud has counted the intelligence-related data of the whole network, it calculates the activity of all intelligence information of the security devices of the whole network according to the intelligence-related data corresponding to all periods in the second preset time interval. The traditional single-point statistical method can only show the intelligence-related data generated when a single security device is attacked; it cannot show the data generated when the security devices of the whole network are attacked, and therefore cannot show the activity of all intelligence information of the whole network. With the present technical solution, all intelligence-related data generated when security devices of the whole network are attacked can be counted, the activity of all intelligence information of the whole network can be analyzed from that data, and a data source is provided for taking corresponding protective measures, thereby improving the security protection level of the whole network.
In the above embodiments, the method for determining the activity of the intelligence information is described in detail, and the present invention also provides a corresponding embodiment of the apparatus for determining the activity of the intelligence information. It should be noted that the present invention describes the embodiment of the apparatus part from two perspectives, one is based on the functional module, and the other is based on the hardware structure.
Fig. 4 is a structural diagram of an apparatus for determining the liveness of information according to an embodiment of the present invention. As shown in fig. 4, the apparatus includes:
a second statistical module 12, configured to take a first preset time interval as a period, and perform statistics on information related data generated when the security device of the whole network is attacked in each period, where the information related data is generated by the security device according to a preset information rule;
the second calculating module 13 is configured to calculate an intelligence information activity according to the relevant data of the intelligence information corresponding to all cycles in a second preset time interval, where the second preset time interval is greater than the first preset time interval.
As a preferred embodiment, the apparatus further includes a conversion module configured to convert the intelligence information activity into a corresponding activity level according to a preset correspondence between activity and activity level.
Since the embodiments of the apparatus portion and the method portion correspond to each other, please refer to the description of the embodiments of the method portion for the embodiments of the apparatus portion, which is not repeated here.
The present invention provides an apparatus for determining intelligence information activity, which comprises: taking the first preset time interval as the period, the cloud counts, in each period, the intelligence-related data generated when security devices of the whole network are attacked, where the intelligence-related data is generated by the security devices according to a preset intelligence rule. After the cloud has counted the intelligence-related data of the whole network, it calculates the activity of all intelligence information of the security devices of the whole network according to the intelligence-related data corresponding to all periods in the second preset time interval. The traditional single-point statistical method can only show the intelligence-related data generated when a single security device is attacked; it cannot show the data generated when the security devices of the whole network are attacked, and therefore cannot show the activity of all intelligence information of the whole network. With the present technical solution, all intelligence-related data generated when security devices of the whole network are attacked can be counted, the activity of all intelligence information of the whole network can be analyzed from that data, and a data source is provided for taking corresponding protective measures, thereby improving the security protection level of the whole network.
Fig. 5 is a structural diagram of an apparatus for determining vulnerability and intelligence information activity according to another embodiment of the present invention, and as shown in fig. 5, the apparatus for determining vulnerability and intelligence information activity includes: a memory 20 for storing a computer program;
the processor 21, when executing the computer program, implements the steps of the method for determining vulnerability and intelligence information liveness as mentioned in the above embodiments.
The device for determining vulnerability and intelligence information activity provided by the embodiment may include, but is not limited to, a smart phone, a tablet computer, a notebook computer or a desktop computer.
The processor 21 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The processor 21 may be implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). The processor 21 may also include a main processor and a coprocessor, where the main processor is a processor for Processing data in an awake state, and is also called a Central Processing Unit (CPU); a coprocessor is a low power processor for processing data in a standby state. In some embodiments, the processor 21 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content required to be displayed on the display screen. In some embodiments, the processor 21 may further include an AI (Artificial Intelligence) processor for processing a calculation operation related to machine learning.
The memory 20 may include one or more computer-readable storage media, which may be non-transitory. Memory 20 may also include high speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In this embodiment, the memory 20 is at least used for storing the computer program 201, wherein after being loaded and executed by the processor 21, the computer program can implement the relevant steps of the method for determining vulnerability and intelligence information liveness disclosed in any of the foregoing embodiments. In addition, the resources stored in the memory 20 may also include an operating system 202, data 203, and the like, and the storage manner may be a transient storage manner or a permanent storage manner. Operating system 202 may include, among others, Windows, Unix, Linux, and the like. Data 203 may include, but is not limited to, relevant data involved in determining vulnerabilities and intelligence information liveness, and the like.
In some embodiments, the means for determining vulnerability and intelligence information activity may further comprise a display screen 22, an input/output interface 23, a communication interface 24, a power source 25, and a communication bus 26.
Those skilled in the art will appreciate that the architecture shown in FIG. 5 is not intended to be limiting as to the means for determining vulnerability and intelligence information liveness and may include more or fewer components than those shown.
The device for determining the activity of the loopholes and the intelligence information comprises a memory and a processor, wherein the processor can realize the following method when executing the program stored in the memory: a method for determining vulnerability and intelligence information liveness.
The device for determining vulnerability activity and intelligence information activity provided by the embodiment of the invention can acquire the vulnerability related data and intelligence information related data generated when the security equipment of the whole network is attacked, and analyze the whole-network vulnerability activity and intelligence information activity from those data, thereby providing a data basis for adopting corresponding protection measures and raising the security protection level of the whole network.
Finally, the invention also provides a corresponding embodiment of a computer-readable storage medium. The computer-readable storage medium stores a computer program which, when executed by a processor, carries out the steps set forth in the method embodiments above.
It is to be understood that if the method in the above embodiments is implemented in the form of software functional units and sold or used as a stand-alone product, it can be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a storage medium, which performs all or part of the steps of the methods according to the embodiments of the present invention, or all or part of the technical solution. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The method, device and medium for determining vulnerability and intelligence information activity provided by the invention have been described in detail above. The embodiments in the specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts among the embodiments may be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is kept brief, and the relevant points can be found in the description of the method. It should be noted that those skilled in the art may make various improvements and modifications to the present invention without departing from its principle, and such improvements and modifications also fall within the scope of the claims of the present invention.
It is further noted that, in the present specification, relational terms such as first and second are used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprises", "comprising", or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.

Claims (11)

1. A method for determining vulnerability liveness, comprising:
taking a first preset time interval as a period, and counting vulnerability related data generated under the condition that security equipment of the whole network is attacked in each period, wherein the vulnerability related data are generated by the security equipment according to a preset vulnerability rule;
and calculating vulnerability activity according to the vulnerability related data corresponding to all periods in a second preset time interval, wherein the second preset time interval is greater than the first preset time interval.
2. The method for determining vulnerability activity according to claim 1, wherein the calculating vulnerability activity according to the vulnerability related data corresponding to all periods in a second preset time interval comprises:
if one vulnerability corresponds to one vulnerability rule, counting the hit times of the vulnerability rules corresponding to all vulnerabilities in each period, taking the first preset time interval as the period;
and calculating the vulnerability activity of each vulnerability in the whole network, taking the second preset time interval as the period, according to the hit times of the vulnerability rules corresponding to all vulnerabilities in each period.
3. The method for determining vulnerability activity according to claim 1, wherein the calculating vulnerability activity according to the vulnerability related data corresponding to all periods in a second preset time interval further comprises:
if one vulnerability corresponds to a plurality of vulnerability rules, counting the hit times of the vulnerability rules corresponding to that one vulnerability in each period, taking the first preset time interval as the period;
and calculating the vulnerability activity of each vulnerability in the whole network, taking the second preset time interval as the period, according to the hit times of the vulnerability rules corresponding to the same vulnerability in each period.
4. The method for determining vulnerability activity according to claim 2 or 3, wherein after counting the hit times of the vulnerability rules corresponding to all vulnerabilities in each period, the method further comprises:
and determining the vulnerability trend of all vulnerabilities, taking the second preset time interval as the period, according to the hit times of the vulnerability rules corresponding to all vulnerabilities in each period.
5. The method for determining vulnerability activity according to claim 4, further comprising:
and converting the vulnerability activity into the corresponding activity level according to a preset correspondence between activity and activity level.
6. The method for determining vulnerability activity according to claim 5, wherein after determining the vulnerability trends of all vulnerabilities, the method further comprises:
and determining corresponding protection measures according to the vulnerability activity and/or the vulnerability trend and/or the activity level and/or the gradient of the vulnerability trend.
7. An apparatus for determining vulnerability activity, comprising:
a first statistical module, used for taking a first preset time interval as a period and counting the vulnerability related data generated under the condition that the security equipment of the whole network is attacked in each period, wherein the vulnerability related data is generated by the security equipment according to preset vulnerability rules;
and a first calculation module, used for calculating vulnerability activity according to the vulnerability related data corresponding to all periods in a second preset time interval, wherein the second preset time interval is greater than the first preset time interval.
8. A method for determining intelligence information activity, comprising:
taking a first preset time interval as a period, and counting intelligence information related data generated under the condition that the security equipment of the whole network is attacked in each period, wherein the intelligence information related data is generated by the security equipment according to a preset intelligence rule;
and calculating the intelligence information activity according to the intelligence information related data corresponding to all periods in a second preset time interval, wherein the second preset time interval is greater than the first preset time interval.
9. An apparatus for determining intelligence information activity, comprising:
a second statistical module, used for taking a first preset time interval as a period and counting the intelligence information related data generated under the condition that the security equipment of the whole network is attacked in each period, wherein the intelligence information related data is generated by the security equipment according to a preset intelligence rule;
and a second calculation module, used for calculating the intelligence information activity according to the intelligence information related data corresponding to all periods in a second preset time interval, wherein the second preset time interval is greater than the first preset time interval.
10. An apparatus, comprising a memory for storing a computer program;
and a processor for implementing the steps of the method for determining vulnerability activity according to any of claims 1 to 6 and/or of the method for determining intelligence information activity according to claim 8 when executing the computer program.
11. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the method for determining vulnerability activity according to any of claims 1 to 6 and/or the method for determining intelligence information activity according to claim 8.
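The claims fix the structure of the computation (per-period hit counts over a first interval, activity over a longer second interval, trend, level, measures) but not the aggregation formulas. The following Python is an added worked example, not code from the patent or from Sangfor; the sample rule hits, the interval lengths, the rule-to-vulnerability mapping, the "activity = total hits in the window" and "gradient = last period minus first period" formulas, and the level thresholds are all assumptions chosen to illustrate claims 1 to 6, including the one-rule (claim 2) and multi-rule (claim 3) cases.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of rule hits reported by whole-network security devices, as
# (timestamp, device, rule_id). Made-up values, not data from the patent.
RULE_HITS = [
    ("2021-09-24T00:05:00", "fw-1", "R-1"),
    ("2021-09-24T00:40:00", "fw-2", "R-1"),
    ("2021-09-24T01:15:00", "fw-1", "R-2"),
    ("2021-09-24T02:10:00", "ips-1", "R-3"),
    ("2021-09-24T02:20:00", "fw-2", "R-1"),
    ("2021-09-24T03:30:00", "fw-1", "R-2"),
    ("2021-09-24T03:45:00", "ips-1", "R-3"),
    ("2021-09-24T03:50:00", "ips-1", "R-2"),
    ("2021-09-24T07:00:00", "fw-1", "R-1"),  # outside the second interval: ignored
]
# A vulnerability may map to one rule (claim 2) or to several rules (claim 3).
RULE_TO_VULN = {"R-1": "VULN-A", "R-2": "VULN-B", "R-3": "VULN-B"}
START = datetime(2021, 9, 24)
FIRST_INTERVAL = timedelta(hours=1)   # period length; assumed value
SECOND_INTERVAL = timedelta(hours=4)  # activity window, must exceed the period; assumed value
# Assumed activity -> level correspondence (claim 5); thresholds are illustrative.
LEVEL_THRESHOLDS = [(8, "high"), (4, "medium"), (1, "low"), (0, "none")]

def hits_per_period(hits, start=START, period=FIRST_INTERVAL, window=SECOND_INTERVAL):
    """Claims 1-3: per-vulnerability hits in each period of the window (rules of one vulnerability summed)."""
    n_periods = window // period
    counts = defaultdict(lambda: [0] * n_periods)
    for ts, _device, rule in hits:
        idx = (datetime.fromisoformat(ts) - start) // period
        if 0 <= idx < n_periods:
            counts[RULE_TO_VULN[rule]][idx] += 1
    return dict(counts)

def activity(series):
    """Activity over the second interval, taken here as total hits across its periods (assumed)."""
    return sum(series)

def trend_gradient(series):
    """Claims 4 and 6: trend gradient taken as hits in the last period minus the first (assumed)."""
    return series[-1] - series[0]

def activity_level(act):
    """Claim 5: map an activity value to its level via the preset correspondence."""
    return next(name for threshold, name in LEVEL_THRESHOLDS if act >= threshold)

def assess(hits):
    """Claim 6 inputs: activity, trend gradient and level for every vulnerability seen."""
    return {v: {"series": s, "activity": activity(s), "gradient": trend_gradient(s),
                "level": activity_level(activity(s))} for v, s in hits_per_period(hits).items()}
```

Running `assess(RULE_HITS)` yields one record per vulnerability; a rising series with a positive gradient (VULN-B here) is the case claim 6 would route to stronger protection measures.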

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111124494.0A CN113806751A (en) 2021-09-24 2021-09-24 Method, device and medium for determining vulnerability and intelligence information activity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111124494.0A CN113806751A (en) 2021-09-24 2021-09-24 Method, device and medium for determining vulnerability and intelligence information activity

Publications (1)

Publication Number Publication Date
CN113806751A true CN113806751A (en) 2021-12-17

Family

ID=78896734

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111124494.0A Pending CN113806751A (en) 2021-09-24 2021-09-24 Method, device and medium for determining vulnerability and intelligence information activity

Country Status (1)

Country Link
CN (1) CN113806751A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102932337A (en) * 2012-10-24 2013-02-13 中国航天科工集团第二研究院七〇六所 Network security state prediction method
CN103685258A (en) * 2013-12-06 2014-03-26 北京奇虎科技有限公司 Method and device for fast scanning website loopholes
CN107203720A (en) * 2016-12-30 2017-09-26 北京神州泰岳信息安全技术有限公司 risk value calculating method and device
CN110535859A (en) * 2019-08-29 2019-12-03 北京知道创宇信息技术股份有限公司 Network security emergency capability determines method, apparatus and electronic equipment
CN112989355A (en) * 2021-02-08 2021-06-18 中国农业银行股份有限公司 Vulnerability threat perception method, device, storage medium and equipment
CN113079141A (en) * 2021-03-23 2021-07-06 贵州航天云网科技有限公司 Network security situation perception system and method based on artificial intelligence


Similar Documents

Publication Publication Date Title
US11323460B2 (en) Malicious threat detection through time series graph analysis
US11212306B2 (en) Graph database analysis for network anomaly detection systems
US9565203B2 (en) Systems and methods for detection of anomalous network behavior
JP6201614B2 (en) Log analysis apparatus, method and program
ES2813065T3 (en) Method and apparatus for detecting security using an industry internet operating system
US10997289B2 (en) Identifying malicious executing code of an enclave
US10135862B1 (en) Testing security incident response through automated injection of known indicators of compromise
Muhammad et al. Integrated security information and event management (siem) with intrusion detection system (ids) for live analysis based on machine learning
EP2835948A1 (en) Method for processing a signature rule, server and intrusion prevention system
US11777961B2 (en) Asset remediation trend map generation and utilization for threat mitigation
US20220277078A1 (en) Attack Kill Chain Generation and Utilization for Threat Analysis
WO2018211827A1 (en) Assessment program, assessment method, and information processing device
CN108073499B (en) Application program testing method and device
JP4500921B2 (en) Log analysis apparatus, log analysis method, and log analysis program
CN114338372A (en) Network information security monitoring method and system
CN112532636A (en) Malicious domain name detection method and device based on T-Pot honeypot and backbone network flow
JP2013152497A (en) Black list extraction device, extraction method and extraction program
JP2018060288A (en) Network monitoring device, network monitoring program, and network monitoring method
US9471779B2 (en) Information processing system, information processing device, monitoring device, monitoring method
CN113806751A (en) Method, device and medium for determining vulnerability and intelligence information activity
JP2018022248A (en) Log analysis system, log analysis method and log analysis device
CN105656848B (en) Application layer rapid attack detection method and related device
CN109462503B (en) Data detection method and device
Xu et al. [Retracted] Method of Cumulative Anomaly Identification for Security Database Based on Discrete Markov chain
WO2019123449A1 (en) A system and method for analyzing network traffic

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination