CN113872959A - Risk asset grade judgment and dynamic degradation method, device and equipment - Google Patents


Info

Publication number
CN113872959A
Authority
CN
China
Prior art keywords
risk
assets
asset
determining
code value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111122053.7A
Other languages
Chinese (zh)
Other versions
CN113872959B (en)
Inventor
张方
赵恒�
杨逸斐
潘晓勃
晁璐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nsfocus Technologies Inc, Nsfocus Technologies Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a method, a device and equipment for determining the level of a risk asset and dynamically degrading it, wherein the method comprises the following steps: according to each security event in the source data, determining the assets in the source address and the destination address of each security event, and determining the attack relation between the source address and the destination address; determining the risk factors corresponding to the risk assets according to the assets and attack relations of the security events; determining the risk assets among the assets of each security event and the code values corresponding to the risk assets according to the risk factors; determining the risk level of each risk asset according to each risk asset, its code value and the pre-stored historical record of each risk asset; and when a risk level degradation is triggered, re-determining the risk level of each risk asset. With the method provided by the invention, the risk assets of the security events are combined with the historical records and subjected to context analysis, the risk level of the risk assets is dynamically adjusted, and the accuracy and sensitivity of risk asset level judgment can be improved.

Description

Risk asset grade judgment and dynamic degradation method, device and equipment
Technical Field
The invention relates to the field of network security, in particular to a method, a device and equipment for judging the level of a risk asset and dynamically degrading the risk asset.
Background
The security management platform provides security early warning and response based on big data, has an adaptive system architecture that continuously performs automatic defense, detection, response and prediction, can assist security experts in finding security problems, and can realize closed-loop security management through practical operation and maintenance means. Risk assets are very important management objects of a security management platform, and how to identify risk assets and their degree of risk among a large number of managed assets, so as to resolve potential security hazards, is an important problem in the field of information security.
In risk assessment methods in the related art, factors such as the attack chain stage, asset value and related security characteristics are mostly used as the assessment standard for risk assets, and the accuracy of the risk assessment is low; moreover, the related art has no corresponding response scheme for the scenario after a risk asset has been identified and handled, so its sensitivity is poor.
Disclosure of Invention
The invention provides a method, a device and equipment for judging the grade of a risk asset and dynamically degrading, which combine the grade judgment of the risk asset of a security event with a historical record, carry out context analysis, dynamically adjust the risk grade of the risk asset and improve the accuracy and the sensitivity of judging the grade of the risk asset.
In a first aspect, the present invention provides a method for determining and dynamically downgrading a risk asset class, the method comprising:
according to each security event in source data, determining assets in a source address and a destination address of each security event, and determining an attack relation between the source address and the destination address; wherein the assets are preset contents needing to be protected;
determining risk factors corresponding to the risk assets according to the assets and attack relations of the security events;
determining risk assets in the assets of each security event and code values corresponding to the risk assets according to the risk factors;
determining the risk level of each risk asset according to each risk asset, the code value and the pre-stored historical record of each risk asset;
and when the risk level degradation is triggered, re-determining the risk level of each risk asset.
The method for judging the level of the risk assets and dynamically degrading the risk assets provided by the invention provides a mechanism for judging the level of the risk assets based on the safety events, so that the level of the risk assets can be automatically judged, dangerous assets can be found out, and the capability of risk identification and safety analysis is improved; the risk asset grade judgment is not directly carried out according to single-point risk factors in an isolated manner, but the risk asset of the security event is combined with the historical record and subjected to context analysis, so that the accuracy of the risk asset grade judgment can be improved; the method for dynamically degrading the risk asset level can dynamically adjust the risk asset level when the risk level degradation is triggered, and can improve the sensitivity and the practicability of risk asset level judgment.
Optionally, the risk factors include at least one of an attack chain stage, a threat level, and an attack direction; the attack direction comprises a lateral attack launched from an asset to another asset and an external attack launched from an asset to a non-asset;
determining the risk assets in the assets of each security event and the code values corresponding to the risk assets according to the risk factors comprises:
determining that the assets of each security event whose corresponding attack chain stage is not less than a first threshold and whose threat level is not less than a second threshold are risk assets corresponding to a first code value;
determining that the assets of each security event whose corresponding attack direction is a lateral attack or an external attack are risk assets corresponding to a second code value;
determining that the assets of each security event whose corresponding attack chain stage is not less than a third threshold are risk assets corresponding to a third code value;
determining that the assets of each security event whose corresponding attack chain stage is not less than a fourth threshold are risk assets corresponding to a fourth code value;
wherein the first threshold is greater than the third threshold, and the third threshold is greater than the fourth threshold.
The method for judging the grade of the risk asset and dynamically degrading provided by the invention provides a specific implementation mode for setting the risk factor and an implementation mode for determining the risk asset and the code value thereof according to the risk factor, the risk asset is screened from the assets through the risk factors respectively corresponding to different risk assets, and the code value corresponding to the risk asset is further determined, so that the accuracy of judging the grade of the risk asset can be improved, and the feasibility of the method for judging the grade of the risk asset and dynamically degrading provided by the invention is improved.
Optionally, determining the risk level of each risk asset comprises:
determining that the risk level of a risk asset whose corresponding code values are the first code value and the second code value is lost (i.e. compromised);
determining that, among the risk assets not determined to be lost, the risk level of a risk asset whose corresponding code value is the second code value and/or the third code value, or whose corresponding code value is the first code value, is high risk;
determining that the risk level of a risk asset that is neither lost nor high risk is low risk.
The method for judging the risk asset grade and dynamically degrading provided by the invention provides a specific implementation mode for judging the risk grade of each risk asset according to different code values corresponding to the risk assets, and comprehensively considers the code values and the history records, thereby improving the feasibility and the accuracy of the method for judging the risk asset grade and dynamically degrading provided by the invention.
Optionally, after determining the risk assets in the assets of each security event and the code values corresponding to the risk assets, the method further includes:
respectively determining newly added risk assets in the risk assets according to pre-stored historical risk assets;
inserting newly added risk assets and corresponding code values in the historical risk assets and corresponding historical code values, and updating non-newly added risk assets and corresponding code values.
The method for judging the level of the risk asset and dynamically degrading the risk asset provided by the invention provides a method for changing the historical risk asset and the historical code value, newly-added risk assets and code values are inserted, and non-newly-added risk assets and code values are updated, so that the comprehensiveness of the history record is ensured, and the feasibility and the accuracy of the method for judging the level of the risk asset and dynamically degrading the risk asset provided by the invention are improved.
Optionally, when the risk level degradation is triggered, re-determining the risk level of each risk asset includes:
after any security event is handled, deleting the code values related to that security event from the current code values and from the historical record;
and re-determining the risk level of the risk assets of that security event according to each risk asset, the current code values and the historical record.
The method for judging and dynamically degrading the risk asset level provided by the invention provides a method for dynamically adjusting the risk level of the risk asset, and after a security event is disposed, the risk level of the risk asset is dynamically adjusted, so that convenience is provided for directly disposing the risk asset subsequently, and the accuracy, the sensitivity and the convenience in maintenance of the method for judging and dynamically degrading the risk asset level provided by the invention are greatly improved.
Optionally, re-determining the risk level of the risk assets of that security event comprises:
determining that, among the risk assets of that security event, the risk level of a risk asset whose corresponding code values include the first code value is lost;
determining that, among the risk assets of that security event, the risk level of a risk asset whose corresponding code values do not include the first code value and include the third code value is high risk;
determining that the risk level of a risk asset whose corresponding code values do not include the first code value, do not include the third code value, and include the fourth code value is low risk.
The method for judging the risk asset level and dynamically degrading the risk asset level provided by the invention provides a method for re-determining the risk level of the risk asset, the attack direction is not considered any more, and the feasibility and the accuracy of the method for judging the risk asset level and dynamically degrading the risk asset level provided by the invention are improved.
Optionally, handling any security event comprises:
handling all of the risk assets of that security event.
The method for judging the level of the risk assets and dynamically degrading provided by the invention provides a specific implementation mode for handling the security events, and the risk assets and the security events are handled in an associated manner, so that the implementability and the accuracy of the method for judging the level of the risk assets and dynamically degrading provided by the invention are improved.
In a second aspect, the present invention provides a risk asset ranking and dynamic downgrading apparatus comprising a memory and a processor, wherein:
the memory is used for storing a computer program;
the processor is used for reading the program in the memory and executing the following steps:
according to each security event in source data, determining assets in a source address and a destination address of each security event, and determining an attack relation between the source address and the destination address; wherein the assets are preset contents needing to be protected;
determining risk factors corresponding to the risk assets according to the assets and attack relations of the security events;
determining risk assets in the assets of each security event and code values corresponding to the risk assets according to the risk factors;
determining the risk level of each risk asset according to each risk asset, the code value and the pre-stored historical record of each risk asset;
and when the risk level degradation is triggered, re-determining the risk level of each risk asset.
Optionally, the risk factors include at least one of an attack chain stage, a threat level, and an attack direction; the attack direction comprises a lateral attack launched from an asset to another asset and an external attack launched from an asset to a non-asset;
the processor determining the risk assets in the assets of each security event and the code values corresponding to the risk assets according to the risk factors comprises the following steps:
determining that the assets of each security event whose corresponding attack chain stage is not less than a first threshold and whose threat level is not less than a second threshold are risk assets corresponding to a first code value;
determining that the assets of each security event whose corresponding attack direction is a lateral attack or an external attack are risk assets corresponding to a second code value;
determining that the assets of each security event whose corresponding attack chain stage is not less than a third threshold are risk assets corresponding to a third code value;
determining that the assets of each security event whose corresponding attack chain stage is not less than a fourth threshold are risk assets corresponding to a fourth code value;
wherein the first threshold is greater than the third threshold, and the third threshold is greater than the fourth threshold.
Optionally, the processor determining the risk level of each risk asset comprises:
determining that the risk level of a risk asset whose corresponding code values are the first code value and the second code value is lost;
determining that, among the risk assets not determined to be lost, the risk level of a risk asset whose corresponding code value is the second code value and/or the third code value, or whose corresponding code value is the first code value, is high risk;
determining that the risk level of a risk asset that is neither lost nor high risk is low risk.
Optionally, after determining the risk assets of each security event and the code values corresponding to the risk assets, the processor is further configured to:
respectively determining newly added risk assets in the risk assets according to pre-stored historical risk assets;
inserting newly added risk assets and corresponding code values in the historical risk assets and corresponding historical code values, and updating non-newly added risk assets and corresponding code values.
Optionally, when the processor triggers a risk level degradation, re-determining the risk level of each risk asset includes:
after any security event is handled, deleting the code values related to that security event from the current code values and from the historical record;
and re-determining the risk level of the risk assets of that security event according to each risk asset, the current code values and the historical record.
Optionally, the processor re-determining the risk level of the risk assets of that security event comprises:
determining that, among the risk assets of that security event, the risk level of a risk asset whose corresponding code values include the first code value is lost;
determining that, among the risk assets of that security event, the risk level of a risk asset whose corresponding code values do not include the first code value and include the third code value is high risk;
determining that the risk level of a risk asset whose corresponding code values do not include the first code value, do not include the third code value, and include the fourth code value is low risk.
Optionally, the processor handling any security event comprises:
handling all of the risk assets of that security event.
In a third aspect, the present invention provides an apparatus for determining and dynamically downgrading a risk asset class, comprising:
the asset determining unit is used for determining assets in a source address and a destination address of each security event according to each security event in source data and determining an attack relation between the source address and the destination address; wherein the assets are preset contents needing to be protected;
a risk factor determining unit, configured to determine a risk factor corresponding to the risk asset according to the asset and attack relationship of each security event;
the risk asset determination unit is used for determining risk assets in the assets of all security events and code values corresponding to all the risk assets according to the risk factors;
the risk grade determining unit is used for determining the risk grade of each risk asset according to each risk asset, the code value and the pre-stored historical record of each risk asset;
and the dynamic degradation unit is used for re-determining the risk level of each risk asset when the risk level degradation is triggered.
Optionally, the risk factors include at least one of an attack chain stage, a threat level, and an attack direction; the attack direction comprises a lateral attack launched from an asset to another asset and an external attack launched from an asset to a non-asset;
the risk asset determination unit determining the risk assets in the assets of the security events and the code values corresponding to the risk assets according to the risk factors comprises the following steps:
determining that the assets of each security event whose corresponding attack chain stage is not less than a first threshold and whose threat level is not less than a second threshold are risk assets corresponding to a first code value;
determining that the assets of each security event whose corresponding attack direction is a lateral attack or an external attack are risk assets corresponding to a second code value;
determining that the assets of each security event whose corresponding attack chain stage is not less than a third threshold are risk assets corresponding to a third code value;
determining that the assets of each security event whose corresponding attack chain stage is not less than a fourth threshold are risk assets corresponding to a fourth code value;
wherein the first threshold is greater than the third threshold, and the third threshold is greater than the fourth threshold.
Optionally, the risk level determining unit determining the risk level of each risk asset comprises:
determining that the risk level of a risk asset whose corresponding code values are the first code value and the second code value is lost;
determining that, among the risk assets not determined to be lost, the risk level of a risk asset whose corresponding code value is the second code value and/or the third code value, or whose corresponding code value is the first code value, is high risk;
determining that the risk level of a risk asset that is neither lost nor high risk is low risk.
Optionally, after determining the risk assets in the assets of each security event and the code values corresponding to the risk assets, the risk asset determining unit is further configured to:
respectively determining newly added risk assets in the risk assets according to pre-stored historical risk assets;
inserting newly added risk assets and corresponding code values in the historical risk assets and corresponding historical code values, and updating non-newly added risk assets and corresponding code values.
Optionally, when the dynamic degradation unit triggers risk level degradation, re-determining the risk level of each risk asset includes:
after any security event is handled, deleting the code values related to that security event from the current code values and from the historical record;
and re-determining the risk level of the risk assets of that security event according to each risk asset, the current code values and the historical record.
Optionally, the dynamic degradation unit re-determining the risk level of the risk assets of that security event comprises:
determining that, among the risk assets of that security event, the risk level of a risk asset whose corresponding code values include the first code value is lost;
determining that, among the risk assets of that security event, the risk level of a risk asset whose corresponding code values do not include the first code value and include the third code value is high risk;
determining that the risk level of a risk asset whose corresponding code values do not include the first code value, do not include the third code value, and include the fourth code value is low risk.
Optionally, the dynamic degradation unit handling any security event comprises:
all of the risk assets of the any security event are handled.
In a fourth aspect, the present invention provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method for risk asset ranking and dynamic downgrading as provided in the first aspect above.
In a fifth aspect, the present invention provides a chip, where the chip is coupled to a memory in a device, so that the chip invokes program instructions stored in the memory when running, thereby implementing the above aspects of the embodiments of the present application and any method for determining and dynamically degrading risk asset levels that may be involved in the aspects.
In a sixth aspect, the present invention provides a computer program product which, when run on an electronic device, causes the electronic device to execute the method for risk asset ranking and dynamic downgrading of the above aspects and of any aspect that the embodiments of the present application may relate to.
Drawings
FIG. 1 is a flow chart of a method for determining a level of an at-risk asset and dynamically downgrading according to an embodiment of the present invention;
FIG. 2 is a flow diagram of one implementation of assessing a level of an at-risk asset provided by an embodiment of the present invention;
FIG. 3 is a flow diagram of one implementation of re-ranking an at-risk asset provided by an embodiment of the invention;
FIG. 4 is a schematic diagram of an apparatus for determining a level of an at-risk asset and dynamically downgrading according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a risk asset level determination and dynamic downgrading apparatus according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the disclosure described herein are capable of operation in sequences other than those illustrated or otherwise described herein.
The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the description of the embodiments of the present application, "/" means "or" unless otherwise specified, for example, a/B may mean a or B; "and/or" in the text is only an association relationship describing an associated object, and means that three relationships may exist, for example, a and/or B may mean: in the description of the embodiments of the present application, "a" or "a" refers to two or more, and other terms and the like should be understood similarly, the preferred embodiments described herein are only used for explaining and explaining the present application, and are not used for limiting the present application, and features in the embodiments and examples of the present application may be combined with each other without conflict.
Hereinafter, some terms in the embodiments of the present invention are explained to facilitate understanding by those skilled in the art.
(1) The term "security event" in embodiments of the present invention refers to any event that attempts to change the security state of a system, such as changing access control measures, changing security levels, changing user passwords, etc.
(2) The term "Analytic Hierarchy Process (AHP)" in the embodiment of the invention is a method for decomposing a complex problem into a plurality of levels and a plurality of factors, comparing and judging the importance degree between every two indexes, establishing a judgment matrix, calculating the maximum characteristic value and the corresponding characteristic vector of the judgment matrix to obtain the weight of importance degrees of different schemes, and providing a basis for selecting the optimal scheme.
(3) In the embodiments of the present invention, the term "Structured Query Language (SQL) injection attack" refers to one of the common means by which hackers attack a database: the attacker submits a section of database query code and obtains data according to the result returned by the program.
(4) The term "Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) model" in the embodiments of the present invention is a model that forms an attack matrix from actually observed network attack data.
(5) In the embodiments of the present invention, the term "broiler", also called a puppet machine, refers to a machine that can be remotely controlled by a hacker.
In view of the above problems of the related art risk assessment method, the present application provides a method, an apparatus and a device for risk asset rank determination and dynamic degradation.
A method, an apparatus and a device for determining a risk asset rank and dynamically degrading according to the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Example 1
An embodiment of the present invention provides a flowchart of a method for determining a risk asset level and dynamically degrading, as shown in fig. 1, the method includes:
step S101, according to each security event in source data, determining assets in a source address and a destination address of each security event, and determining an attack relation between the source address and the destination address; wherein the assets are preset contents needing to be protected;
assets herein generally refer to things of interest to a user that are valuable to the user, including software assets, hardware resources, etc., such as the user's computer, server, etc.
As an alternative embodiment, the source data is retrieved by invoking an asset engine, such as the Enterprise Security management Platform immediate Analysis Service (ESPaaS), to obtain each security event in the source data.
Specifically, matching is performed according to the rule of the ESP to obtain the security event.
For example, data a is subjected to a series of rules of merging, filtering, etc. on the ESP to obtain a security event B.
It should be noted that the security event includes a source address and a destination address. The source address and the destination address may be in a one-to-many or many-to-one relationship.
And analyzing each security event, splitting a source field and a destination field, and obtaining a source address and a destination address.
The concrete form of the source address and the destination address may be set according to the specific implementation, for example an Internet Protocol (IP) address or a Uniform Resource Locator (URL), which is not limited in this embodiment of the present invention.
The assets in the source address and the destination address of each security event are determined according to a unique identifier, the asset Identity (ID), by looking the address up on the remote server, and the attack relation related to each security event is determined.
For example, for a one-to-many security event A->B,C,D, assuming A, B and C are assets, the determined assets are [A, B, C] and the attack relations associated with the security event are A->B, A->C and A->D.
The assets in the source address and the destination address of each security event are determined according to the asset_id in the following way:
a user adds an asset of concern, such as core server 1.1.1.1, to the platform in advance, and the platform allocates an asset_id, namely a tag, to mark the asset; when the source address and/or the destination address of a security event is 1.1.1.1, the security event is successfully matched with the asset, namely the source address and/or the destination address is determined to be an asset.
Step S102, determining risk factors corresponding to the risk assets according to the assets and attack relations of the safety events;
as an alternative embodiment, the AHP is adopted to determine the corresponding risk factor of the risk asset.
The risk factors include at least one of attack chain stage, threat level and attack direction; the attack directions include a lateral attack launched from an asset to another asset, and an external connection attack launched from an asset to a non-asset.
As an optional implementation manner, the attack direction further includes an external attack.
An external attack means that an attacker carries out a series of attack behaviours against the target system from an external virtual IP or a forged site in order to obtain some basic information or to prepare for a further attack; a lateral attack means that the attack has moved laterally into the internal network, and a broiler may exist in the system; an external connection attack indicates that sensitive information has already leaked or that an attacker is stealing data.
It should be noted that the threat posed by an external attack, a lateral attack and an external connection attack increases in that order, and when a lateral attack or an external connection attack occurs, it indicates that the system is in danger or has already been compromised.
The above lateral attack and external connection attack can be determined from the attack relationship of the security event. For example, if the attack A->B,C,D occurs, where A and B are assets, then for A the lateral attack A->B occurs and the external connection attacks A->C and A->D occur.
It should be noted that the attack directions of B, C, and D cannot be determined only from the above information.
As an alternative implementation, the attack chain stage may be divided into seven stages according to the ATT&CK model, in the following order: investigation, tool making, delivery, attack penetration, tool installation, command control, malicious activities.
Investigation refers to the first step of an attack: collecting information and learning the weaknesses of the target.
Tool making means that, after the target's vulnerability is known from the investigation, a tool for the attack is prepared for that vulnerability.
Delivery refers to the targeted delivery of a weapon, such as malicious code, into the target environment.
Attack penetration refers to exploiting a vulnerability or defect to trigger the malicious code that has already been delivered and obtain control authority over the system.
Tool installation refers to implanting a malicious program or a backdoor into the system, so that control authority can still be obtained through the backdoor after the vulnerability is repaired or the system is restarted.
Command control means that the controlled server may execute the attack immediately, or may wait for further instructions from the attacker's remote server, until the server is completely controlled by the attacker.
Malicious activities refer to carrying out direct intrusion attacks, stealing data, disrupting system operation, or moving further laterally within the internal network.
It should be noted that the behaviour of the first four stages increases the risk value of the system, and it is generally assumed that damage has already been done from the tool installation stage onward.
As an alternative embodiment, the threat level may be slight, general, large, significant, particularly significant, for a total of 5 levels.
Step S103, determining risk assets in the assets of each safety event and code values corresponding to the risk assets according to the risk factors;
and determining the risk assets in the assets according to preset rules based on the attack chain stage, the threat level and the attack direction, and determining code values corresponding to the risk assets.
And step S104, determining the risk level of each risk asset according to each risk asset, the code value and the pre-stored historical record of each risk asset.
The risk level refers to a threat impact level caused after the occurrence of the security event, and is not the possibility of the occurrence of the security event.
And step S105, re-determining the risk level of each risk asset when the risk level degradation is triggered.
The triggering condition for triggering the risk level degradation may be to determine the risk assets and the code values, and to change the pre-stored history of the risk assets.
The embodiment of the invention can dynamically adjust the risk asset grade when the risk grade degradation is triggered, and can improve the sensitivity and the practicability of the risk asset grade judgment.
According to the method and the device, not only are all the risky assets and code values determined according to the security events considered, but also the pre-stored historical records of all the risky assets are considered, namely the risky asset grade judgment is carried out in combination with the context environment, and the judgment accuracy can be improved.
For example, on the first day an attack in the last three attack chain stages with a high threat level occurs, and two days later the asset itself launches an attack; the application can then perform correlation analysis combining the security event behaviour of the last several days to determine the risk level of the risky asset.
As an optional implementation manner, after determining the attack relationship between the source address and the destination address, the method further includes:
storing the assets and the attack relation to an asset cache;
and storing the assets and the attack relation to a database through a warehousing thread.
When the assets and the attack relations are stored in the asset cache, state labels are attached to them according to whether each asset or attack relation is newly added.
Assets and attack relations whose state label is "newly added" are inserted into the database; those whose state label is not "newly added" are updated in the database.
It should be noted that, when the above insertion or update operation is performed, the attack relationship is split end to end and merged by event name on a daily basis.
For example, the attack relationship A-BCD is split end to end into A-B, A-C and A-D.
Merging by event name on a daily basis means the following: if one record is the weak password security event of A-B and another record is also the weak password security event of A-B, no insertion is performed; the first record is updated directly, and the occurrence count of the weak password on A-B becomes 2. If the other record is the brute force cracking event of A-B, then although A-B is unchanged, the event name has changed from weak password to brute force cracking, so an insertion is performed and no merge takes place; at this point the database holds 2 records, the weak password of A-B and the brute force cracking of A-B.
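The split-and-merge warehousing logic just described, as an added example that is not part of the patent text: attack relations are split end to end into source-destination pairs and merged per event name per day, so a repeated weak password event on A-B updates an occurrence counter while a brute force cracking event on A-B becomes a separate record. The record layout, the state labels, the function names and the input rows are constructed assumptions of this example.

```python
from collections import OrderedDict

# Constructed raw attack relations as they might sit in the asset cache:
# (day, event name, source, destination list). Not data from the patent.
RAW_RELATIONS = [
    ("2021-09-01", "weak password", "A", ["B", "C", "D"]),
    ("2021-09-01", "weak password", "A", ["B"]),
    ("2021-09-01", "brute force cracking", "A", ["B"]),
    ("2021-09-02", "weak password", "A", ["B"]),
]


def split_end_to_end(src, dsts):
    """Split a one-to-many relation A-BCD into the pairs A-B, A-C, A-D."""
    return [(src, dst) for dst in dsts]


def merge_by_event_and_day(raw_relations):
    """Warehouse relations keyed by (day, event name, source, destination).

    A key seen for the first time is inserted with the state label "new";
    a key seen again is not inserted but updated in place, bumping its
    occurrence count. Two different event names on the same pair remain two
    records. The ordered dict stands in for the database table (an
    assumption of this example).
    """
    table = OrderedDict()
    for day, event_name, src, dsts in raw_relations:
        for s, d in split_end_to_end(src, dsts):
            key = (day, event_name, s, d)
            if key in table:
                table[key]["count"] += 1      # merge: update, no insert
                table[key]["state"] = "updated"
            else:
                table[key] = {"count": 1, "state": "new"}  # insert
    return table


def occurrences(table, day, event_name, src, dst):
    """How often an event name was seen on a pair on a given day (0 if never)."""
    record = table.get((day, event_name, src, dst))
    return record["count"] if record else 0


if __name__ == "__main__":
    merged = merge_by_event_and_day(RAW_RELATIONS)
    for (day, name, s, d), rec in merged.items():
        print(f"{day} {s}-{d} {name}: {rec['count']} ({rec['state']})")
```

Run as a script it lists five records: the weak password on A-B for 2021-09-01 with count 2, the A-C and A-D weak password pairs, the separate brute force cracking record on A-B, and a fresh weak password record for A-B on the next day, since the merge key includes the day.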
According to the risk factors, determining the risk assets in the assets of each safety event and the code values corresponding to the risk assets by adopting the following implementation mode:
determining that the corresponding attack chain stage is not less than a first threshold value and the assets with the threat level not less than a second threshold value in the assets of each security event are the risk assets corresponding to the first code value;
determining that the assets of the security events, of which the corresponding attack directions are transverse attacks or external connection attacks, are risk assets corresponding to the second code values;
determining that the assets of the security events, of which the corresponding attack chain stage is not less than a third threshold value, are risk assets corresponding to a third code value;
determining that the assets of the security events, of which the corresponding attack chain stage is not less than a fourth threshold value, are risk assets corresponding to a fourth code value;
wherein the first threshold is greater than the third threshold, and the third threshold is greater than the fourth threshold.
Specific values of the first threshold, the second threshold, the third threshold and the fourth threshold may be set according to the specific implementation; for example, the first threshold is set to 5, the second threshold is set to the "larger" threat level, the third threshold is set to 3 and the fourth threshold is set to 1, which is not limited in this application.
As an alternative embodiment, the code values of the risk assets can be implemented by mapping the code values to the risk levels. The specific risk level mapping table is shown in table 1 below:
table 1: code value and risk level mapping table of risk assets (1)
Code value Risk level mapping condition
1 attack chain stage >= 5 and threat level >= higher
2 external connection attack or lateral attack
3 attack chain stage >= 3
4 attack chain stage >= 1
An asset with attack chain stage >= 5 and threat level >= higher is a risk asset corresponding to the first code value, which is the risk level mapping code value 1; a risk asset with an external connection or lateral attack is a risk asset corresponding to the second code value, which is the risk level mapping code value 2; a risk asset with attack chain stage >= 3 is a risk asset corresponding to the third code value, which is the risk level mapping code value 3; a risk asset with attack chain stage >= 1 is a risk asset corresponding to the fourth code value, which is the risk level mapping code value 4.
After determining the risk assets in the assets of each security event and the code values of the risk assets, the embodiment of the invention further comprises the following steps:
respectively determining newly added risk assets in the risk assets according to pre-stored historical risk assets;
and inserting newly-added risk assets and corresponding code values into the historical risk assets and the corresponding historical code values, and updating non-newly-added risk assets and corresponding code values.
The warehousing state of the asset is acquired by means of the ESPSAAS: if the warehousing state can be acquired, the asset has been warehoused before and its state is "not processed"; otherwise the asset is a newly added risk asset.
When the warehousing state of the asset is obtained, the data is first fetched from a local cache; if that fails, from the Redis secondary cache; and if that fails again, from the PostgreSQL database.
The embodiment of the invention adopts the following implementation mode to determine the risk level of each risk asset, comprising the following steps:
determining the risk level of a risk asset whose corresponding code values are the first code value and the second code value as collapse;
determining, among the risk assets that are not collapsed, the risk level of a risk asset whose corresponding code value is the second code value and/or the third code value, or whose corresponding code value is the first code value, as high risk;
determining the risk level of a risk asset that is neither collapsed nor high risk as low risk.
The risk level is divided into 3 grades, collapse, high risk and low risk, in decreasing order of threat; the specific judgment and calculation method is as follows:
(1) Collapse: the attack chain stage is 5, 6 or 7, the security event threat level is high or above, and an external connection attack or a lateral attack exists, i.e. a risk asset whose corresponding code values are the first code value and the second code value.
(2) High risk: a non-collapsed asset whose attack chain stage is 3 or greater, or which has an external connection attack or a lateral attack, i.e. 1) the corresponding code value is the first code value; 2) the corresponding code value is the second code value; 3) the corresponding code value is the third code value; 4) the corresponding code values are the second code value and the third code value.
(3) Low risk: a non-high-risk, non-collapsed asset whose attack chain stage is 1 or greater, i.e. 1) the corresponding code value is the fourth code value; 2) the corresponding code values are the second code value and the fourth code value.
Taking assets a and B as an example, the following example is used to illustrate the risk level determination process:
For example, (1) the first security event processed is an SQL injection attack A->B,C,D with event ID 1; assume that the attack chain stage of this security event is 5 and the level is higher, and that A, B and C are assets. The data of the risk level table at this time is shown in table 2 below:
table 2: risk level table (1)
Asset Event ID Risk level calculation level Flag
A 1 1, 2, 3, 4
B 1 1, 3, 4
The security event A->B,C,D is split into A->B, A->C and A->D; since the attack chain stage of the security event is 5 and the level is higher, the assets A, B and C all satisfy conditions 1, 3 and 4 of table 1 above.
From the perspective of A, the assets B and C are attacked, i.e. a lateral attack occurs, and the non-asset D is attacked, i.e. an external connection attack also occurs, so asset A also satisfies condition 2 of the mapping table; the risk level calculation level Flag corresponding to A is therefore 1, 2, 3, 4.
From the perspective of B, the relation A->BCD only shows that B is attacked by A; whether B attacks other assets or non-assets is not stated, so B does not satisfy condition 2, and the risk level calculation level Flag corresponding to B is 1, 3, 4.
(2) The second security event processed is an attack B->C with event ID 2; assume that the attack chain stage of this security event is 3. Taking assets A and B as an example, the data of the risk level table is shown in table 3 below, where B gains an associated record:
table 3: risk level table (2)
Asset Event ID Risk level calculation level Flag
A 1 1, 2, 3, 4
B 1 1, 3, 4
B 2 2, 3, 4
Because B was determined to be 1, 3, 4 on the basis of the first security event, the second security event now supplements it: B launches an attack on C, i.e. B now has a lateral attack as well, so B gains a record and also satisfies condition 2 of the mapping table, and B can be judged to have collapsed.
It should be noted that, in specific implementation, the current risk level of B may be cached in the memory, and the risk level of B may be calculated according to the label that B already has.
As shown in FIG. 2, an embodiment of the present invention provides a flowchart of an implementation of assessing a level of an at-risk asset, comprising:
step S201, each security event in source data is split, assets in a source address and a destination address of each security event are determined, and an attack relation between the source address and the destination address is determined;
the asset is extracted from the source field and destination field.
Step S202, determining risk factors corresponding to the risk assets according to the assets and attack relations of the security events;
step S203, determining the risk assets in the assets of each safety event according to the risk factors;
step S204, judging whether the risk assets have already been warehoused; if so, executing step S205, otherwise executing step S208;
step S205, merging the attack relations;
updating an attack relation table and an association table of the risk assets;
step S206, updating the security event associated with the attack relation;
updating an attack relation and security event association table;
step S207, updating the state of the risk assets and the safety events, and executing step S211;
updating the association table of the risk assets and the safety events;
step S208, inserting a risk asset table;
step S209, inserting an attack relation;
and inserting an attack relation table and an association table of the risk assets.
Step S210, inserting risk assets and safety event states;
and inserting an association table of the risk assets and the safety events.
Step S211, calculating an attack relation graph;
and updating the attack relation chart.
In step S212, the risk level is calculated, and the process ends.
And updating the risk level table.
After determining the risk level of each risk asset, the embodiment of the present invention re-determines the risk level of each risk asset when a risk level degradation is triggered, in the following way:
after any security event is handled, deleting the code values related to that security event from the history record;
and re-determining the risk level of the risk assets of that security event according to the risk assets, the current code values and the history record.
That is, the dynamic degradation of the risk assets occurs after the state of a security event has changed.
The risk level of a risk asset is caused by the security events occurring on that asset. After one of the associated security events is handled by operation and maintenance personnel, the risk asset engine is notified through a message queue that the security event has been handled and that the risk assets affected by it need to be degraded. At this point the records related to the security event in the risk asset level table, for example the tag values that the handled security event generated for the risk asset, are deleted directly; a background thread then re-aggregates the tags that remain after the security event is cleared and recomputes on them, so that the current real-time level is obtained.
During recalculation, the latest risk level can only be calculated after the related assets have been grouped and counted according to the risk level calculation level Flag.
As an alternative embodiment, handling any security event includes:
all of the risky assets of any of the above security events are handled.
It should be noted that, the dynamic downgrading involves the associated disposal of the risk assets and the security events, and the risk assets are only dynamically downgraded after the risk assets and the security events are associated disposed.
The associated handling policies for the risky assets and security events are as follows:
(1) Risk asset handling: after a risk asset is handled, the state in the risk asset table is modified first, then the state of the associated security event is modified, and only when all the risk assets generated by the associated security event have been handled is a request to handle the security event sent to the judging module's message Topic. For example, for the security events A->B,C,D where A, B and C are assets, the judging module is notified to handle the security event if and only if all of the assets A, B and C have been handled.
(2) Security event handling: after a certain security event is handled, the judging module sends a data notification to the Topic; on receiving the notification, the risk assets related to the security event are handled and the judgment is carried out again, and if all security events related to an asset have been handled, the state of the asset is modified to "handled".
The embodiment of the invention adopts the following implementation modes to re-determine the risk level of the risk asset of any one of the security events, including:
determining, among the risk assets of that security event, that the risk level of a risk asset whose corresponding code values include the first code value is collapse;
determining, among the risk assets of that security event, that the risk level of a risk asset whose corresponding code values do not include the first code value but include the third code value is high risk;
and determining, among the risk assets of that security event, that the risk level of a risk asset whose corresponding code values include neither the first code value nor the third code value but include the fourth code value is low risk.
It should be noted that, when the risk level is determined again, it is no longer necessary to check whether there is an external connection or lateral attack, because the attack direction is a confirming condition: after operation and maintenance personnel have handled the related event, even if the asset no longer carries an attack direction tag, (1) if the corresponding code value is the first code value, or the first code value and the second code value, the asset is judged collapsed; (2) if the corresponding code value is the third code value, or the third code value and the second code value, it is judged high risk; (3) if the corresponding code value is the fourth code value, or the fourth code value and the second code value, it is judged low risk. The specific risk level mapping table is shown in table 4 below:
table 4: risk level mapping table (2)
Risk level Code value criteria
Collapse 1 or 1&2
High risk 3 or 3&2
Low risk 4 or 4&2
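The code value assignment and initial risk level rules of tables 1 to 3 and the re-determination rules of table 4 together, as an added example that is not the patent's own code. It replays the specification's worked example: A->B,C,D at attack chain stage 5 with a higher threat level and A, B, C as assets, then B->C at stage 3, and finally handling of the first security event, after which the first event's tag values are deleted and the remaining tags are re-aggregated. The thresholds follow the text (first 5, third 3, fourth 1); treating the second threshold as the third of the five threat levels, the class and function names, and the event fields are assumptions of this example. Where the prose summary lists an asset holding only the second and fourth code values as low risk while the formal rule puts any second code value at high risk, the example follows the formal rule.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The five threat levels of the specification, ascending. The second threshold
# ("higher" in the worked example) is taken as the third level: an assumption.
THREAT_LEVELS = ["slight", "general", "large", "significant", "particularly significant"]
FIRST_THRESHOLD, SECOND_THRESHOLD, THIRD_THRESHOLD, FOURTH_THRESHOLD = 5, 2, 3, 1


@dataclass
class SecurityEvent:            # field names are assumptions of this example
    event_id: int
    name: str
    src: str
    dsts: List[str]
    chain_stage: int            # 1..7, the seven attack chain stages
    threat_level: str           # one of THREAT_LEVELS


def assign_code_values(event: SecurityEvent, assets: Set[str]) -> Dict[str, Set[int]]:
    """Table 1: code values (Flags) for the assets touched by one event."""
    stage_codes = set()
    if event.chain_stage >= FIRST_THRESHOLD and THREAT_LEVELS.index(event.threat_level) >= SECOND_THRESHOLD:
        stage_codes.add(1)
    if event.chain_stage >= THIRD_THRESHOLD:
        stage_codes.add(3)
    if event.chain_stage >= FOURTH_THRESHOLD:
        stage_codes.add(4)
    codes: Dict[str, Set[int]] = {}
    for addr in [event.src] + event.dsts:
        if addr in assets:                     # non-assets get no record
            codes[addr] = set(stage_codes)
    # Only the source's direction is known: an asset destination is a lateral
    # attack, a non-asset destination an external connection attack; either
    # way the source earns code value 2. Destinations get no direction code.
    if event.src in assets and event.dsts:
        codes[event.src].add(2)
    return codes


def initial_level(codes: Set[int]) -> Optional[str]:
    """Risk level when an event is processed (step S104)."""
    if {1, 2} <= codes:
        return "collapse"
    if codes & {1, 2, 3}:
        return "high risk"
    if 4 in codes:
        return "low risk"
    return None                                # no tags left: not a risk asset


def redetermined_level(codes: Set[int]) -> Optional[str]:
    """Table 4: level after handling; the direction code no longer decides."""
    if 1 in codes:
        return "collapse"
    if 3 in codes:
        return "high risk"
    if 4 in codes:
        return "low risk"
    return None


class RiskAssetEngine:
    """Risk asset level table: per asset, the code values each event contributed.
    Deleting one event's records and re-aggregating is the dynamic downgrade."""

    def __init__(self, assets):
        self.assets = set(assets)
        self.level_table: Dict[str, Dict[int, Set[int]]] = defaultdict(dict)
        self.levels: Dict[str, Optional[str]] = {}

    def all_codes(self, asset: str) -> Set[int]:
        """Aggregate the tags of all events still recorded for the asset."""
        return set().union(*self.level_table[asset].values())

    def process(self, event: SecurityEvent) -> Dict[str, Optional[str]]:
        for asset, codes in assign_code_values(event, self.assets).items():
            self.level_table[asset][event.event_id] = codes
            self.levels[asset] = initial_level(self.all_codes(asset))
        return dict(self.levels)

    def handle_event(self, event_id: int) -> Dict[str, Optional[str]]:
        """Steps S302 to S304: drop the handled event's records, recompute."""
        for asset, records in self.level_table.items():
            if event_id in records:
                del records[event_id]
                self.levels[asset] = redetermined_level(self.all_codes(asset))
        return dict(self.levels)


if __name__ == "__main__":
    engine = RiskAssetEngine(["A", "B", "C"])
    print(engine.process(SecurityEvent(1, "sql injection", "A", ["B", "C", "D"], 5, "large")))
    print(engine.process(SecurityEvent(2, "attack", "B", ["C"], 3, "general")))
    print(engine.handle_event(1))
```

After the first event A holds Flags 1, 2, 3, 4 and is collapsed while B holds 1, 3, 4 and is high risk, matching table 2; the second event adds 2, 3, 4 to B, which then collapses as in table 3. Handling event 1 removes its records: A keeps no tags and drops out, and B keeps 2, 3, 4 and is downgraded to high risk under table 4, since the direction code alone no longer decides the level.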
As shown in FIG. 3, an embodiment of the present invention provides a flow chart of an implementation of re-ranking an at-risk asset, comprising:
step S301, consuming the security event handling Topic;
step S302, acquiring the ID of the changed security event, and deleting the record associated with the security event in the risk asset level table;
step S303, recalculating the risk level of the asset associated with the security event;
and step S304, updating the risk level in the risk asset table.
Compared with a risk asset level judgment mode in the prior art, the method takes the attack chain stage, the threat level and the attack direction of the safety event with higher reliability influencing the asset risk as influence factors, and carries out comprehensive judgment calculation by combining context content, so that the accuracy of asset level judgment is improved, the reliability is higher, and the false alarm rate is lower. In addition, dynamic degradation is combined with a security event to perform dynamic association processing, degradation judgment is performed from both directions of assets and events, compared with the prior art, the method is higher in accuracy and flexibility, all actions are automatically and dynamically adjusted and completed by an engine, and the stress of operation and maintenance personnel can be reduced.
Example 2
An embodiment of the present invention provides a schematic diagram of a risk asset level determination and dynamic downgrading apparatus 400, which includes a memory 401 and a processor 402, as shown in fig. 4, where:
the memory is used for storing a computer program;
the processor is used for reading the program in the memory and executing the following steps:
according to each security event in source data, determining assets in a source address and a destination address of each security event, and determining an attack relation between the source address and the destination address; wherein the assets are preset contents needing to be protected;
determining risk factors corresponding to the risk assets according to the assets and attack relations of the safety events;
determining risk assets in the assets of each safety event and code values corresponding to the risk assets according to the risk factors;
determining the risk level of each risk asset according to each risk asset, the code value and the pre-stored historical record of each risk asset;
and when the risk level degradation is triggered, re-determining the risk level of each risk asset.
Optionally, the risk factors include at least one of a chain of attacks stage, a threat level, and a direction of attack; the attack direction comprises a lateral attack launched from an asset to another asset and an external attack launched from the asset to a non-asset;
the processor determines risk assets in the assets of each security event and code values corresponding to the risk assets according to the risk factors, and the determination comprises the following steps:
determining that the corresponding attack chain stage is not less than a first threshold value and the assets with the threat level not less than a second threshold value in the assets of each security event are the risk assets corresponding to the first code value;
determining that the assets of each security event, of which the corresponding attack direction is transverse attack or external connection attack, are risk assets corresponding to the second code value;
determining that the assets of each security event, of which the corresponding attack chain stage is not less than a third threshold value, are risk assets corresponding to a third code value;
determining assets of each security event, wherein the assets of the corresponding attack chain stage not less than a fourth threshold are risk assets corresponding to a fourth code value;
wherein the first threshold is greater than the third threshold, and the third threshold is greater than the fourth threshold.
Optionally, the processor determines a risk level for each of the at-risk assets, including:
determining the risk level of a risk asset whose corresponding code values are the first code value and the second code value as collapse;
determining, among the risk assets that are not collapsed, the risk level of a risk asset whose corresponding code value is the second code value and/or the third code value, or whose corresponding code value is the first code value, as high risk;
determining the risk level of a risk asset that is neither collapsed nor high risk as low risk.
Optionally, after determining the risk assets of each security event and the code values corresponding to the risk assets, the processor is further configured to:
respectively determining newly added risk assets in the risk assets according to pre-stored historical risk assets;
inserting newly added risk assets and corresponding code values in the historical risk assets and corresponding historical code values, and updating non-newly added risk assets and corresponding code values.
Optionally, when the processor triggers a risk level degradation, re-determining the risk level of each risk asset includes:
after any security event is handled, deleting the code values related to that security event from the history record;
and re-determining the risk level of the risk asset of any security event according to each risk asset, the current code value and the historical record.
Optionally, the processor re-determining the risk level of the at-risk asset for the any security event comprises:
determining, among the risk assets of that security event, that the risk level of a risk asset whose corresponding code values include the first code value is collapse;
determining that the risk level of the risk asset of which the corresponding code value does not comprise the first code value and comprises the third code value is high risk, in the risk assets of any security event;
determining that the risk level of the risk asset of which the corresponding code value does not include the first code value and does not include the third code value and includes the fourth code value is low risk.
Optionally, the processor handles any security event, including:
all of the risk assets of the any security event are handled.
An embodiment of the present invention provides a schematic diagram of a device for determining a risk asset level and dynamically degrading, as shown in fig. 5, the device includes:
an asset determination unit 501, configured to determine, according to each security event in source data, an asset in a source address and a destination address of each security event, and determine an attack relationship between the source address and the destination address; wherein the assets are preset contents needing to be protected;
a risk factor determining unit 502, configured to determine a risk factor corresponding to the risk asset according to the asset and attack relationship of each security event;
an risky asset determining unit 503, configured to determine, according to the risk factor, a risky asset in the assets of each security event and a code value corresponding to each risky asset;
a risk level determining unit 504, configured to determine a risk level of each risk asset according to each risk asset and the code value, and a history of each risk asset stored in advance;
and a dynamic degradation unit 505, configured to re-determine the risk level of each risk asset when the risk level degradation is triggered.
Optionally, the risk factors include at least one of an attack chain stage, a threat level, and an attack direction; the attack direction comprises a lateral attack launched from one asset to another asset and an external-connection attack launched from an asset to a non-asset;
the risk asset determination unit determines the risk assets among the assets of each security event and the code values corresponding to the risk assets according to the risk factors as follows:
determining that the assets of each security event whose corresponding attack chain stage is not less than a first threshold and whose threat level is not less than a second threshold are risk assets corresponding to a first code value;
determining that the assets of each security event whose corresponding attack direction is a lateral attack or an external-connection attack are risk assets corresponding to a second code value;
determining that the assets of each security event whose corresponding attack chain stage is not less than a third threshold are risk assets corresponding to a third code value;
determining that the assets of each security event whose corresponding attack chain stage is not less than a fourth threshold are risk assets corresponding to a fourth code value;
wherein the first threshold is greater than the third threshold, and the third threshold is greater than the fourth threshold.
Optionally, the risk level determination unit determines the risk level of each risk asset as follows:
determining that the risk level of a risk asset whose corresponding code values include the first code value and the second code value is lost (i.e. compromised);
determining, among the risk assets that are not lost, that the risk level of a risk asset whose corresponding code value is the second code value and/or the third code value, or whose corresponding code value is the first code value, is high risk;
determining that the risk level of a risk asset that is neither lost nor high risk is low risk.
Optionally, after determining the risk assets among the assets of each security event and the code values corresponding to the risk assets, the risk asset determination unit is further configured to:
determine, according to pre-stored historical risk assets, which of the risk assets are newly added;
insert the newly added risk assets and their corresponding code values into the historical risk assets and their corresponding historical code values, and update the code values of the risk assets that are not newly added.
Optionally, when risk level degradation is triggered, the dynamic degradation unit re-determines the risk level of each risk asset as follows:
after any security event is handled, deleting the code value related to that security event and the corresponding code value in the history record;
and re-determining the risk level of the risk assets of that security event according to each risk asset, its current code value, and the history record.
Optionally, the dynamic degradation unit re-determines the risk level of the risk assets of that security event as follows:
determining that, among the risk assets of that security event, the risk level of a risk asset whose corresponding code values include the first code value is lost;
determining that, among the risk assets of that security event, the risk level of a risk asset whose corresponding code values do not include the first code value but include the third code value is high risk;
determining that the risk level of a risk asset whose corresponding code values include neither the first code value nor the third code value but include the fourth code value is low risk.
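The code-value rules, the initial grading, the history update and the downgrade after an event is handled, as an added Python example that is not part of the patent text or of any NSFOCUS product code. Everything not stated on the page is an assumption here: the threshold numbers (the page only requires that the first threshold exceeds the third, which exceeds the fourth), the IP-style asset identifiers, storing code values per asset and per event so that handling one event can delete exactly its code values, attaching the stage- and threat-based codes to every asset involved in an event and the direction-based second code value to the asset that launched the attack, and the "cleared" outcome for an asset left with no gradable code values. The sample events are constructed.

```python
from dataclasses import dataclass

# Constructed sample: the protected assets (assumption: assets are identified by IP address)
ASSETS = {"10.0.0.5", "10.0.0.7", "10.0.0.9"}

# Thresholds for the four code values. The page only requires T1 > T3 > T4;
# the numbers (and the threat-level threshold T2) are assumed.
STAGE_T1, THREAT_T2, STAGE_T3, STAGE_T4 = 5, 3, 3, 1


@dataclass(frozen=True)
class Event:
    event_id: str
    src: str
    dst: str
    stage: int    # attack chain stage, higher = later in the chain
    threat: int   # threat level of the event


def attack_direction(ev, assets):
    """Lateral: asset -> asset; external: asset -> non-asset (the two directions the page defines)."""
    if ev.src in assets:
        return "lateral" if ev.dst in assets else "external"
    return None  # inbound from a non-asset is not a risk-factor direction on the page


def code_values(ev, assets):
    """Map each risk asset of one event to the set of code values it earns from that event."""
    stage_codes = set()
    if ev.stage >= STAGE_T1 and ev.threat >= THREAT_T2:
        stage_codes.add(1)
    if ev.stage >= STAGE_T3:
        stage_codes.add(3)
    if ev.stage >= STAGE_T4:
        stage_codes.add(4)
    result = {}
    # Assumption: stage/threat-based codes attach to every asset involved in the event
    for asset in {ev.src, ev.dst} & assets:
        if stage_codes:
            result[asset] = set(stage_codes)
    # Assumption: the direction-based code attaches to the asset that launched the attack
    if attack_direction(ev, assets) in ("lateral", "external"):
        result.setdefault(ev.src, set()).add(2)
    return result


class RiskRegistry:
    """Current code values plus the pre-stored history, each keyed by asset, then by event."""

    def __init__(self, assets):
        self.assets = set(assets)
        self.current = {}   # asset -> {event_id: codes}
        self.history = {}   # asset -> {event_id: codes}

    def ingest(self, events):
        for ev in events:
            for asset, codes in code_values(ev, self.assets).items():
                self.current.setdefault(asset, {})[ev.event_id] = set(codes)
                # newly added risk assets are inserted into the history, existing ones updated
                self.history.setdefault(asset, {})[ev.event_id] = set(codes)

    def codes_of(self, asset):
        codes = set()
        for store in (self.current, self.history):
            for per_event in store.get(asset, {}).values():
                codes |= per_event
        return codes

    def risk_level(self, asset):
        """Initial grading: codes 1 and 2 -> lost; otherwise 2 and/or 3, or 1 -> high; otherwise low."""
        codes = self.codes_of(asset)
        if {1, 2} <= codes:
            return "lost"
        if codes & {2, 3} or 1 in codes:
            return "high"
        return "low"

    def downgraded_level(self, asset):
        """Re-grading after handling: 1 -> lost; else 3 -> high; else 4 -> low."""
        codes = self.codes_of(asset)
        if 1 in codes:
            return "lost"
        if 3 in codes:
            return "high"
        if 4 in codes:
            return "low"
        return "cleared"  # assumption: no code value left that the page grades

    def handle_event(self, event_id):
        """Event handled: delete its code values from current values and history, re-grade touched assets."""
        touched = set()
        for store in (self.current, self.history):
            for asset, per_event in store.items():
                if per_event.pop(event_id, None) is not None:
                    touched.add(asset)
        return {asset: self.downgraded_level(asset) for asset in sorted(touched)}


# Constructed sample events (addresses taken from documentation ranges)
SAMPLE_EVENTS = [
    Event("e1", "203.0.113.9", "10.0.0.5", stage=5, threat=4),    # inbound, late stage, high threat
    Event("e2", "10.0.0.5", "10.0.0.7", stage=3, threat=2),       # lateral attack between two assets
    Event("e3", "10.0.0.9", "198.51.100.20", stage=1, threat=1),  # external connection from an asset
]


def build_sample_registry():
    reg = RiskRegistry(ASSETS)
    reg.ingest(SAMPLE_EVENTS)
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    for asset in sorted(ASSETS):
        print(asset, sorted(reg.codes_of(asset)), reg.risk_level(asset))
    print("after handling e1:", reg.handle_event("e1"))
```

With the sample data, 10.0.0.5 collects codes 1 to 4 (late-stage inbound attack plus a lateral attack it launched) and is graded lost; once event e1 is handled, its first code value is gone and it drops to high risk on the strength of the remaining lateral-attack codes. Handling e2 as well leaves it and 10.0.0.7 with no code values at all, which is the case the page's downgrade rules do not name and the example reports as cleared.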
The present invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method for determining a level of a risky asset and dynamically downgrading as provided in embodiment 1 above.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is merely a logical division, and in actual implementation, there may be other divisions, for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present application may be integrated into one processing module, or each of the modules may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may be stored in a computer readable storage medium.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they cause the processes or functions described in accordance with the embodiments of the application to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) connection. The computer-readable storage medium can be any available medium that a computer can store, or a data storage device, such as a server or a data center, that integrates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The technical solutions provided by the present application have been introduced in detail above. The present application uses specific examples to explain its principles and embodiments, and the descriptions of the above examples are only intended to help understand the method and the core ideas of the present application. At the same time, a person skilled in the art may, following the idea of the present application, vary the specific embodiments and the application scope; in summary, the content of this specification should not be construed as a limitation of the present application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A method for determining and dynamically downgrading a risk asset level, comprising:
according to each security event in source data, determining the assets among the source address and destination address of each security event, and determining the attack relationship between the source address and the destination address; wherein the assets are preset contents that need to be protected;
determining the risk factors corresponding to the risk assets according to the assets and attack relationship of each security event;
determining the risk assets among the assets of each security event and the code values corresponding to the risk assets according to the risk factors;
determining the risk level of each risk asset according to each risk asset, its code value, and the pre-stored history record of each risk asset;
and when risk level degradation is triggered, re-determining the risk level of each risk asset.
2. The method of claim 1, wherein the risk factors include at least one of an attack chain stage, a threat level, and an attack direction; the attack direction comprises a lateral attack launched from one asset to another asset and an external-connection attack launched from an asset to a non-asset;
and determining the risk assets among the assets of each security event and the code values corresponding to the risk assets according to the risk factors comprises:
determining that the assets of each security event whose corresponding attack chain stage is not less than a first threshold and whose threat level is not less than a second threshold are risk assets corresponding to a first code value;
determining that the assets of each security event whose corresponding attack direction is a lateral attack or an external-connection attack are risk assets corresponding to a second code value;
determining that the assets of each security event whose corresponding attack chain stage is not less than a third threshold are risk assets corresponding to a third code value;
determining that the assets of each security event whose corresponding attack chain stage is not less than a fourth threshold are risk assets corresponding to a fourth code value;
wherein the first threshold is greater than the third threshold, and the third threshold is greater than the fourth threshold.
3. The method of claim 2, wherein determining the risk level of each risk asset comprises:
determining that the risk level of a risk asset whose corresponding code values include the first code value and the second code value is lost;
determining, among the risk assets that are not lost, that the risk level of a risk asset whose corresponding code value is the second code value and/or the third code value, or whose corresponding code value is the first code value, is high risk;
determining that the risk level of a risk asset that is neither lost nor high risk is low risk.
4. The method of claim 1, further comprising, after determining the risk assets among the assets of each security event and the code values corresponding to the risk assets:
determining, according to pre-stored historical risk assets, which of the risk assets are newly added;
inserting the newly added risk assets and their corresponding code values into the historical risk assets and their corresponding historical code values, and updating the code values of the risk assets that are not newly added.
5. The method according to any one of claims 1 to 4, wherein re-determining the risk level of each risk asset when risk level degradation is triggered comprises:
after any security event is handled, deleting the code value related to that security event and the corresponding code value in the history record;
and re-determining the risk level of the risk assets of that security event according to each risk asset, its current code value, and the history record.
6. The method of claim 5, wherein re-determining the risk level of the risk assets of that security event comprises:
determining that, among the risk assets of that security event, the risk level of a risk asset whose corresponding code values include the first code value is lost;
determining that, among the risk assets of that security event, the risk level of a risk asset whose corresponding code values do not include the first code value but include the third code value is high risk;
determining that the risk level of a risk asset whose corresponding code values include neither the first code value nor the third code value but include the fourth code value is low risk.
7. The method of claim 5, wherein handling any security event comprises:
handling all of the risk assets of that security event.
8. An apparatus for determining and dynamically downgrading a risk asset level, comprising a memory and a processor, wherein:
the memory is used for storing a computer program;
the processor is used for reading the program in the memory and executing the steps of the method for determining and dynamically downgrading a risk asset level according to any one of claims 1 to 7.
9. A device for determining and dynamically downgrading a risk asset level, comprising:
an asset determination unit, used for determining, according to each security event in source data, the assets among the source address and destination address of each security event, and for determining the attack relationship between the source address and the destination address; wherein the assets are preset contents that need to be protected;
a risk factor determination unit, used for determining the risk factors corresponding to the risk assets according to the assets and attack relationship of each security event;
a risk asset determination unit, used for determining the risk assets among the assets of each security event and the code values corresponding to the risk assets according to the risk factors;
a risk level determination unit, used for determining the risk level of each risk asset according to each risk asset, its code value, and the pre-stored history record of each risk asset;
and a dynamic degradation unit, used for re-determining the risk level of each risk asset when risk level degradation is triggered.
10. A computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps of the method for determining and dynamically downgrading a risk asset level according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111122053.7A CN113872959B (en) 2021-09-24 2021-09-24 Method, device and equipment for judging risk asset level and dynamically degrading risk asset level

Publications (2)

Publication Number Publication Date
CN113872959A true CN113872959A (en) 2021-12-31
CN113872959B CN113872959B (en) 2023-05-16

Family

ID=78993809

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111122053.7A Active CN113872959B (en) 2021-09-24 2021-09-24 Method, device and equipment for judging risk asset level and dynamically degrading risk asset level

Country Status (1)

Country Link
CN (1) CN113872959B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140208386A1 (en) * 2013-01-18 2014-07-24 Ca, Inc. Adaptive Strike Count Policy
US20150106867A1 (en) * 2013-10-12 2015-04-16 Fortinet, Inc. Security information and event management
JP2015106215A (en) * 2013-11-29 2015-06-08 三菱電機株式会社 Risk analysis device and risk analysis program
US20170171231A1 (en) * 2015-12-11 2017-06-15 Brightpoint Security, Inc. Computer Network Threat Assessment
WO2019028341A1 (en) * 2017-08-03 2019-02-07 T-Mobile Usa, Inc. Similarity search for discovering multiple vector attacks
CN109474515A (en) * 2018-11-13 2019-03-15 平安科技(深圳)有限公司 Mail push method, device, computer equipment and the storage medium of risk case
US20210084073A1 (en) * 2015-10-28 2021-03-18 Qomplx, Inc. Advanced detection of identity-based attacks to assure identity fidelity in information technology environments
CN113055407A (en) * 2021-04-21 2021-06-29 深信服科技股份有限公司 Asset risk information determination method, device, equipment and storage medium
WO2021151335A1 (en) * 2020-01-31 2021-08-05 华为技术有限公司 Network event processing method and apparatus, and readable storage medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114884712A (en) * 2022-04-26 2022-08-09 绿盟科技集团股份有限公司 Network asset risk level information determination method, device, equipment and medium
CN114884712B (en) * 2022-04-26 2023-11-07 绿盟科技集团股份有限公司 Method, device, equipment and medium for determining risk level information of network asset
CN118037046A (en) * 2024-02-21 2024-05-14 广州番禺职业技术学院 Asset data processing method and system based on history record
CN118037046B (en) * 2024-02-21 2024-06-21 广州番禺职业技术学院 Asset data processing method and system based on history record

Also Published As

Publication number Publication date
CN113872959B (en) 2023-05-16

Similar Documents

Publication Publication Date Title
CN110719291B (en) Network threat identification method and identification system based on threat information
CN109922075B (en) Network security knowledge graph construction method and device and computer equipment
US10291630B2 (en) Monitoring apparatus and method
US8839440B2 (en) Apparatus and method for forecasting security threat level of network
US10282542B2 (en) Information processing apparatus, information processing method, and computer readable medium
US8739290B1 (en) Generating alerts in event management systems
US20170061126A1 (en) Process Launch, Monitoring and Execution Control
US8813229B2 (en) Apparatus, system, and method for preventing infection by malicious code
JP6058246B2 (en) Information processing apparatus, information processing method, and program
CN113872959B (en) Method, device and equipment for judging risk asset level and dynamically degrading risk asset level
CN110868403B (en) Method and equipment for identifying advanced persistent Attack (APT)
CN111104579A (en) Identification method and device for public network assets and storage medium
CN108234426B (en) APT attack warning method and APT attack warning device
US11893110B2 (en) Attack estimation device, attack estimation method, and attack estimation program
US10742668B2 (en) Network attack pattern determination apparatus, determination method, and non-transitory computer readable storage medium thereof
CN116305155A (en) Program safety detection protection method, device, medium and electronic equipment
CN108040036A (en) A kind of industry cloud Webshell safety protecting methods
JP7019533B2 (en) Attack detection device, attack detection system, attack detection method and attack detection program
CN108429746B (en) Privacy data protection method and system for cloud tenants
CN111104670B (en) APT attack identification and protection method
CN111131166B (en) User behavior prejudging method and related equipment
CN112235304A (en) Dynamic security protection method and system for industrial internet
CN111885088A (en) Log monitoring method and device based on block chain
CN116049822A (en) Application program supervision method, system, electronic device and storage medium
CN114363002B (en) Method and device for generating network attack relation diagram

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant