CN113872959B - Method, device and equipment for judging risk asset level and dynamically degrading risk asset level - Google Patents

Info

Publication number: CN113872959B
Application number: CN202111122053.7A
Authority: CN (China)
Prior art keywords: risk, asset, assets, code value, determining
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN113872959A (en)
Inventors: 张方, 赵恒�, 杨逸斐, 潘晓勃, 晁璐
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Events: application filed by Nsfocus Technologies Inc and Nsfocus Technologies Group Co Ltd; priority to CN202111122053.7A; publication of CN113872959A; application granted; publication of CN113872959B; legal status Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention provides a method, a device and equipment for judging and dynamically degrading the level of a risk asset. The method comprises the following steps: for each security event in the source data, determining which of its source address and destination address are assets, and determining the attack relation between the source address and the destination address; determining the risk factors corresponding to the risk assets according to the assets and attack relation of each security event; determining, according to the risk factors, the risk assets among the assets of each security event and the code values corresponding to those risk assets; determining the risk level of each risk asset according to the risk asset, its code values and a prestored history record; and, when a risk level degradation is triggered, re-determining the risk level of each risk asset. With this method, the risk assets of a security event are combined with the history record and analysed in context, and the risk level of each risk asset is adjusted dynamically, so that the accuracy and sensitivity of risk asset level judgment are improved.

Description

Method, device and equipment for judging risk asset level and dynamically degrading risk asset level
Technical Field
The present invention relates to the field of network security, and in particular, to a method, apparatus and device for determining and dynamically degrading a risk asset level.
Background
The security management platform provides security early warning and response based on big data. It has an adaptive system architecture that continuously and automatically defends, detects, responds and predicts, can assist security specialists in finding security problems, and can achieve closed-loop security management through practical operation and maintenance means. Risk assets are very important management objects of the security management platform, and how to identify the risk assets and their degree of risk among a large number of managed assets, so as to resolve potential security hazards, is an important problem in the field of information security.
In the risk assessment methods of the related art, factors such as attack chain stage, asset value or related security characteristics are mostly used in isolation as the assessment criteria for risk assets, so the accuracy of the risk assessment is low; moreover, the related art has no corresponding response scheme for the scenario in which a risk asset has been identified and handled, so its sensitivity is poor.
Disclosure of Invention
The invention provides a method, a device and equipment for judging and dynamically degrading the risk asset grade, which combine the grade judgment of the risk asset of a security event with a history record, perform context analysis and dynamically adjust the risk grade of the risk asset, so that the accuracy and the sensitivity of judging the risk asset grade can be improved.
In a first aspect, the present invention provides a method of risk asset level determination and dynamic degradation, the method comprising:
according to each security event in the source data, determining which of the source address and the destination address of each security event are assets, and determining the attack relation between the source address and the destination address; wherein the assets are preset contents to be protected;
determining risk factors corresponding to the risk assets according to the assets and attack relation of each security event;
determining, according to the risk factors, the risk assets among the assets of each security event and the code values corresponding to the risk assets;
determining the risk level of each risk asset according to the risk asset, its code values and the prestored history record;
and, when a risk level degradation is triggered, re-determining the risk level of each risk asset.
The risk asset level judging and dynamic degrading method provided by the invention offers a security-event-based mechanism for judging risk asset levels, which can automatically judge the level of each risk asset, find dangerous assets, and improve risk identification and security analysis capability. Instead of judging the risk asset level directly from single-point risk factors in isolation, it combines the risk assets of a security event with the history record and performs context analysis, which improves the accuracy of the level judgment. The dynamic degradation method can adjust the risk asset level when a risk level degradation is triggered, which improves the sensitivity and practicability of the level determination.
Optionally, the risk factors include at least one of attack chain stage, threat level and attack direction; the attack direction comprises a lateral attack initiated from an asset to another asset and an outbound-connection attack initiated from an asset to a non-asset;
determining, according to the risk factors, the risk assets among the assets of each security event and the code values corresponding to the risk assets includes:
determining that, among the assets of each security event, an asset whose attack chain stage is not smaller than a first threshold and whose threat level is not smaller than a second threshold is a risk asset corresponding to a first code value;
determining that, among the assets of each security event, an asset whose attack direction is a lateral attack or an outbound-connection attack is a risk asset corresponding to a second code value;
determining that, among the assets of each security event, an asset whose attack chain stage is not smaller than a third threshold is a risk asset corresponding to a third code value;
determining that, among the assets of each security event, an asset whose attack chain stage is not smaller than a fourth threshold is a risk asset corresponding to a fourth code value;
wherein the first threshold is greater than the third threshold and the third threshold is greater than the fourth threshold.
The method for judging the grade of the risk asset and dynamically degrading the risk asset provided by the invention provides a specific implementation mode for setting the risk factors, and provides an implementation mode for determining the risk asset and the code value thereof according to the risk factors.
Optionally, determining the risk level of each risk asset includes:
determining that a risk asset whose corresponding code values include both the first code value and the second code value has the risk level "compromised";
determining that a risk asset whose risk level is not "compromised" and whose corresponding code values are the second code value and/or the third code value, or whose corresponding code value is the first code value, has the risk level "high risk";
determining that a risk asset whose risk level is neither "compromised" nor "high risk" has the risk level "low risk".
The method for judging the risk asset level and dynamically degrading the risk asset provided by the invention provides a concrete implementation mode for judging the risk level of each risk asset according to different code values corresponding to the risk asset, comprehensively considers the code values and the historical records, and improves the feasibility and accuracy of the method for judging the risk asset level and dynamically degrading the risk asset.
Optionally, after determining the risk asset and the code value corresponding to each risk asset in the assets of each security event, the method further includes:
comparing the risk assets with the pre-stored historical risk assets to determine which risk assets are newly added;
and inserting the newly added risk assets and their corresponding code values into the historical risk assets and the corresponding historical code values, and updating the code values of the risk assets that are not newly added.
The method for judging the level of the risk asset and dynamically degrading the risk asset provided by the invention provides a method for changing the historical risk asset and the historical code value, the newly added risk asset and the code value are inserted, the non-newly added risk asset and the non-newly added risk code value are updated, the comprehensiveness of a historical record is ensured, and the feasibility and the accuracy of the method for judging the level of the risk asset and dynamically degrading the risk asset are improved.
Optionally, when the risk level degradation is triggered, re-determining the risk level of each risk asset includes:
after any security event is handled, deleting the code values related to that security event from the history record;
and re-determining the risk level of each risk asset of that security event according to the risk asset, its current code values and the history record.
The risk asset grade judging and dynamic degrading method provided by the invention provides a method for dynamically adjusting the risk grade of the risk asset, and when a security event is treated, the risk grade of the risk asset is dynamically adjusted, so that convenience is provided for the subsequent direct treatment of the risk asset, and the accuracy, the sensitivity and the maintenance convenience of the risk asset grade judging and dynamic degrading method provided by the invention are greatly improved.
Optionally, re-determining the risk level of the risk assets of any security event includes:
determining that, among the risk assets of that security event, a risk asset whose corresponding code values include the first code value has the risk level "compromised";
determining that, among the risk assets of that security event, a risk asset whose corresponding code values include the third code value but not the first code value has the risk level "high risk";
and determining that, among the risk assets of that security event, a risk asset whose corresponding code values include the fourth code value but neither the first code value nor the third code value has the risk level "low risk".
The risk asset level judging and dynamic degrading method provided by the invention provides a method for redefining the risk level of the risk asset, and the attack direction is not considered any more, so that the feasibility and accuracy of the risk asset level judging and dynamic degrading method provided by the invention are improved.
Optionally, handling any security event includes:
all risk assets of any one security event are handled.
The invention provides a specific implementation mode for handling security events, and the method for judging and dynamically degrading the risk asset level improves the feasibility and accuracy of the method for judging and dynamically degrading the risk asset level.
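The code-value assignment, the level determination against the prestored history record, the history update and the re-determination after a security event is handled, as described in the optional steps of the first aspect above, written out as an added Python example that is not part of the patent. The threshold values (5, 3, 3, 1), the layout of the risk-factor record, the treatment of an asset with no remaining qualifying code values as no longer a risk asset, and the sample events are all assumptions made for illustration; the patent itself only requires the first threshold to exceed the third and the third to exceed the fourth.

```python
# Added example, not the patent's code: thresholds, data layout and samples are assumptions.
from __future__ import annotations
from dataclasses import dataclass

# Assumed thresholds; the patent only requires T1 > T3 > T4 for the attack chain stage.
T1_STAGE, T2_THREAT, T3_STAGE, T4_STAGE = 5, 3, 3, 1
COMPROMISED, HIGH, LOW = "compromised", "high", "low"


@dataclass
class RiskFactors:
    """Risk factors of one asset within one security event (assumed layout)."""
    asset_id: str
    event_id: str
    stage: int       # attack chain stage
    threat: int      # threat level
    direction: str   # "lateral", "outbound", "external" or "none"


def code_values(rf: RiskFactors) -> set[int]:
    """Map risk factors to a set of code values; an empty set means not a risk asset."""
    codes: set[int] = set()
    if rf.stage >= T1_STAGE and rf.threat >= T2_THREAT:
        codes.add(1)
    if rf.direction in ("lateral", "outbound"):
        codes.add(2)
    if rf.stage >= T3_STAGE:
        codes.add(3)
    if rf.stage >= T4_STAGE:
        codes.add(4)
    return codes


def risk_level(codes: set[int]) -> str:
    """Initial judgment: 1 and 2 together -> compromised; any of 1, 2, 3 -> high; else low."""
    if {1, 2} <= codes:
        return COMPROMISED
    if codes & {1, 2, 3}:
        return HIGH
    return LOW


def risk_level_after_handling(codes: set[int]) -> str | None:
    """Re-judgment after handling: attack direction (code 2) is no longer considered.
    Returning None when no qualifying code value remains is an assumption."""
    if 1 in codes:
        return COMPROMISED
    if 3 in codes:
        return HIGH
    if 4 in codes:
        return LOW
    return None


class History:
    """Prestored history record: asset_id -> event_id -> code values raised by that event."""

    def __init__(self) -> None:
        self.records: dict[str, dict[str, set[int]]] = {}

    def update(self, rf: RiskFactors, codes: set[int]) -> None:
        # A new risk asset is inserted; an already recorded one has its code values updated.
        self.records.setdefault(rf.asset_id, {})[rf.event_id] = set(codes)

    def codes_for(self, asset_id: str) -> set[int]:
        # Union of code values across all recorded events: the context for the judgment.
        return set().union(*self.records.get(asset_id, {}).values())

    def handle_event(self, event_id: str) -> list[str]:
        # Handling an event deletes its code values from the history; returns the assets touched.
        touched = [a for a, ev in self.records.items() if event_id in ev]
        for asset_id in touched:
            self.records[asset_id].pop(event_id)
        return touched


def evaluate(events: list[RiskFactors], history: History) -> dict[str, str]:
    """Assign code values, merge them with the history, and judge each risk asset's level."""
    levels: dict[str, str] = {}
    for rf in events:
        codes = code_values(rf)
        if not codes:
            continue                      # no code value: not a risk asset
        history.update(rf, codes)
        levels[rf.asset_id] = risk_level(history.codes_for(rf.asset_id))
    return levels


def degrade(history: History, handled_event: str) -> dict[str, str | None]:
    """Dynamic degradation triggered by handling one event: re-judge its risk assets."""
    touched = history.handle_event(handled_event)
    return {a: risk_level_after_handling(history.codes_for(a)) for a in touched}


# Constructed sample: two events touching four assets (not real data).
SAMPLE_EVENTS = [
    RiskFactors("srv-1", "E1", stage=6, threat=4, direction="lateral"),
    RiskFactors("srv-2", "E1", stage=3, threat=1, direction="none"),
    RiskFactors("srv-3", "E1", stage=6, threat=4, direction="none"),
    RiskFactors("srv-3", "E2", stage=1, threat=1, direction="lateral"),
    RiskFactors("ws-9", "E2", stage=0, threat=0, direction="none"),
]

if __name__ == "__main__":
    hist = History()
    print(evaluate(SAMPLE_EVENTS, hist))   # srv-3 is "compromised" only because E1 is in the history
    print(degrade(hist, "E1"))             # after E1 is handled, srv-3 drops to "low"
```

The sample shows the two points the patent stresses: srv-3 would only rate "high" on event E2 alone (code values 2 and 4), but the history record contributed by E1 raises it to "compromised"; once E1 is handled and its code values are deleted, srv-3 is re-judged as "low" because attack direction no longer counts, and srv-1 and srv-2 have no code values left at all.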
In a second aspect, the present invention provides a risk asset level determination and dynamic downgrade apparatus comprising a memory and a processor, wherein:
the memory is used for storing a computer program;
the processor is used for reading the program in the memory and executing the following steps:
according to each security event in the source data, determining which of the source address and the destination address of each security event are assets, and determining the attack relation between the source address and the destination address; wherein the assets are preset contents to be protected;
determining risk factors corresponding to the risk assets according to the assets and attack relation of each security event;
determining, according to the risk factors, the risk assets among the assets of each security event and the code values corresponding to the risk assets;
determining the risk level of each risk asset according to the risk asset, its code values and the prestored history record;
and, when a risk level degradation is triggered, re-determining the risk level of each risk asset.
Optionally, the risk factors include at least one of attack chain stage, threat level and attack direction; the attack direction comprises a lateral attack initiated from an asset to another asset and an outbound-connection attack initiated from an asset to a non-asset;
the processor determines, according to the risk factors, the risk assets among the assets of each security event and the code values corresponding to the risk assets, including:
determining that, among the assets of each security event, an asset whose attack chain stage is not smaller than a first threshold and whose threat level is not smaller than a second threshold is a risk asset corresponding to a first code value;
determining that, among the assets of each security event, an asset whose attack direction is a lateral attack or an outbound-connection attack is a risk asset corresponding to a second code value;
determining that, among the assets of each security event, an asset whose attack chain stage is not smaller than a third threshold is a risk asset corresponding to a third code value;
determining that, among the assets of each security event, an asset whose attack chain stage is not smaller than a fourth threshold is a risk asset corresponding to a fourth code value;
wherein the first threshold is greater than the third threshold and the third threshold is greater than the fourth threshold.
Optionally, the processor determines the risk level of each risk asset, including:
determining that a risk asset whose corresponding code values include both the first code value and the second code value has the risk level "compromised";
determining that a risk asset whose risk level is not "compromised" and whose corresponding code values are the second code value and/or the third code value, or whose corresponding code value is the first code value, has the risk level "high risk";
determining that a risk asset whose risk level is neither "compromised" nor "high risk" has the risk level "low risk".
Optionally, after determining the risk asset and the code value corresponding to each risk asset in the assets of each security event, the processor is further configured to:
according to the pre-stored historical risk assets, determining newly-added risk assets in the risk assets respectively;
and inserting newly added risk assets and corresponding code values into the historical risk assets and the corresponding historical code values, and updating non-newly added risk assets and corresponding code values.
Optionally, when the processor triggers a risk level degradation, re-determining the risk level of each risk asset includes:
after any security event is handled, deleting the code values related to that security event from the history record;
and re-determining the risk level of each risk asset of that security event according to the risk asset, its current code values and the history record.
Optionally, the processor re-determines the risk level of the risk assets of any security event, including:
determining that, among the risk assets of that security event, a risk asset whose corresponding code values include the first code value has the risk level "compromised";
determining that, among the risk assets of that security event, a risk asset whose corresponding code values include the third code value but not the first code value has the risk level "high risk";
and determining that, among the risk assets of that security event, a risk asset whose corresponding code values include the fourth code value but neither the first code value nor the third code value has the risk level "low risk".
Optionally, the processor handles any security event, including:
all risk addresses of any security event are handled.
In a third aspect, the present invention provides a risk asset level determination and dynamic degradation apparatus, comprising:
an asset determining unit, configured to determine, according to each security event in source data, an asset in a source address and a destination address of each security event, and determine an attack relationship between the source address and the destination address; wherein the assets are preset contents to be protected;
the risk factor determining unit is used for determining risk factors corresponding to the risk assets according to the asset and attack relation of the security events;
the risk asset determining unit is used for determining the risk assets in the assets of each security event and the code values corresponding to the risk assets according to the risk factors;
the risk level determining unit is used for determining the risk level of each risk asset according to each risk asset and the code value and the prestored history record of each risk asset;
and the dynamic degradation unit is used for redetermining the risk level of each risk asset when the risk level degradation is triggered.
Optionally, the risk factors include at least one of attack chain stage, threat level and attack direction; the attack direction comprises a lateral attack initiated from an asset to another asset and an outbound-connection attack initiated from an asset to a non-asset;
the risk asset determining unit determines, according to the risk factors, the risk assets among the assets of each security event and the code values corresponding to the risk assets, including:
determining that, among the assets of each security event, an asset whose attack chain stage is not smaller than a first threshold and whose threat level is not smaller than a second threshold is a risk asset corresponding to a first code value;
determining that, among the assets of each security event, an asset whose attack direction is a lateral attack or an outbound-connection attack is a risk asset corresponding to a second code value;
determining that, among the assets of each security event, an asset whose attack chain stage is not smaller than a third threshold is a risk asset corresponding to a third code value;
determining that, among the assets of each security event, an asset whose attack chain stage is not smaller than a fourth threshold is a risk asset corresponding to a fourth code value;
wherein the first threshold is greater than the third threshold and the third threshold is greater than the fourth threshold.
Optionally, the risk level determining unit determines the risk level of each risk asset, including:
determining that a risk asset whose corresponding code values include both the first code value and the second code value has the risk level "compromised";
determining that a risk asset whose risk level is not "compromised" and whose corresponding code values are the second code value and/or the third code value, or whose corresponding code value is the first code value, has the risk level "high risk";
determining that a risk asset whose risk level is neither "compromised" nor "high risk" has the risk level "low risk".
Optionally, after determining the risk asset and the code value corresponding to each risk asset in the assets of each security event, the risk asset determining unit is further configured to:
according to the pre-stored historical risk assets, determining newly-added risk assets in the risk assets respectively;
and inserting newly added risk assets and corresponding code values into the historical risk assets and the corresponding historical code values, and updating non-newly added risk assets and corresponding code values.
Optionally, when the dynamic downgrading unit triggers a risk level downgrade, re-determining the risk level of each risk asset includes:
after any security event is handled, deleting the code values related to that security event from the history record;
and re-determining the risk level of each risk asset of that security event according to the risk asset, its current code values and the history record.
Optionally, the dynamic downgrade unit re-determines the risk level of the risk assets of any security event, including:
determining that, among the risk assets of that security event, a risk asset whose corresponding code values include the first code value has the risk level "compromised";
determining that, among the risk assets of that security event, a risk asset whose corresponding code values include the third code value but not the first code value has the risk level "high risk";
and determining that, among the risk assets of that security event, a risk asset whose corresponding code values include the fourth code value but neither the first code value nor the third code value has the risk level "low risk".
Optionally, the dynamic downgrade unit handles any security event, including:
all risk assets of any one security event are handled.
In a fourth aspect, the present invention provides a computer readable storage medium storing a computer program which when executed by a processor implements the steps of the risk asset level determination and dynamic downgrade method as provided in the first aspect above.
In a fifth aspect, the present invention provides a chip, where the chip is coupled to a memory in a device so that the chip invokes, at runtime, the program instructions stored in the memory to implement the risk asset level determination and dynamic degradation method according to the above aspects of the embodiments of the present application and any of the possible related aspects.
In a sixth aspect, the present invention provides a computer program product which, when run on an electronic device, causes the electronic device to perform a method of risk asset level determination and dynamic degradation that implements the aspects of the embodiments of the present application and any one of the aspects that may be involved.
Drawings
FIG. 1 is a flow chart of a method for risk asset level determination and dynamic degradation provided by an embodiment of the present invention;
FIG. 2 is a flow chart of an implementation of evaluating risk asset levels provided by an embodiment of the present invention;
FIG. 3 is a flow chart of a method for redefining a risk asset level provided by an embodiment of the present invention;
FIG. 4 is a schematic diagram of a risk asset level determination and dynamic degradation device according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of an apparatus for determining a risk asset level and dynamically degrading the risk asset level according to an embodiment of the present invention.
Detailed Description
The following description of the technical solutions in the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the foregoing figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the disclosure described herein may be capable of operation in sequences other than those illustrated or described herein.
The implementations described in the following exemplary examples are not representative of all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present disclosure as detailed in the accompanying claims. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
In the description of the embodiments of the present application, unless otherwise indicated, "/" means "or"; for example, A/B may represent A or B. The text "and/or" merely describes an association between the associated objects and indicates that three relations may exist; for example, A and/or B may indicate A alone, B alone, or both A and B. In addition, in the description of the embodiments of the present application, "a plurality" means two or more. It is to be understood that the preferred embodiments described herein are merely for illustration and explanation of the present application and are not intended to limit it, and that the embodiments of the present application and the features of the embodiments may be combined with each other where they do not conflict.
In the following, some terms in the embodiments of the present invention are explained for easy understanding by those skilled in the art.
(1) The term "security event" in embodiments of the present invention refers to any event that attempts to change the security state of the system, such as changing access control measures, changing security levels, changing user passwords, etc.
(2) The term analytic hierarchy process (Analytic Hierarchy Process, AHP) in the embodiment of the invention is a method for decomposing a complex problem into a plurality of layers and a plurality of factors, comparing and judging the importance degree between every two indexes, establishing a judging matrix, calculating the maximum eigenvalue and the corresponding eigenvector of the judging matrix to obtain weights of importance degrees of different schemes, and providing basis for selecting the optimal scheme.
(3) In the embodiment of the invention, the term "structured query language (Structured Query Language, SQL) injection attack" refers to one of the common means by which a hacker attacks a database: the attacker submits a fragment of database query code through the program's input and obtains data from the results the program returns.
(4) The term "Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) model" in the embodiments of the present invention refers to an attack matrix model formed by distilling actually observed cyber attack data.
(5) In the embodiment of the present invention, the term "broiler chicken", also called a puppet machine (a compromised host used as a bot), refers to a machine that can be remotely controlled by a hacker.
In view of the above problems with related art risk assessment methods, the present application proposes a risk asset level determination and dynamic degradation method, apparatus and device.
A method, device and equipment for judging the risk asset level and dynamically degrading the risk asset level in the embodiment of the application are described in detail below with reference to the accompanying drawings.
Example 1
An embodiment of the present invention provides a flowchart of a method for determining a risk asset level and dynamically degrading the risk asset level, as shown in fig. 1, including:
step S101, according to each security event in the source data, determining which of the source address and the destination address of each security event are assets, and determining the attack relation between the source address and the destination address; wherein the assets are preset contents to be protected;
assets herein generally refer to what the user is interested in, and are valuable to the user, including software assets, hardware resources, etc., such as the user's computer, server, etc.
As an alternative embodiment, the security events in the source data are retrieved by a risk asset engine, such as an enterprise security administration platform instant analysis service (Enterprise Security Platform Right Away Analysis Service, ESPSAS) invoking the source data.
Specifically, the security event is obtained by matching according to the rule of the ESP.
For example, the data a is subjected to a series of merging, filtering, etc. rules on the ESP described above to obtain security event B.
It should be noted that, the security event includes a source address and a destination address. The source address and the destination address may be in one-to-many or many-to-one relationship.
And analyzing each security event, splitting a source field and a destination field, and obtaining a source address and a destination address.
The specific implementation of the source address and the destination address may be specifically set according to specific implementation, for example, an internet protocol (Internet Protocol, IP) address, or a uniform resource locator (Uniform Resource Locator, URL) address, which is not limited in any way by the embodiment of the present invention.
The assets among the source address and the destination address of each security event are identified by the asset identifier (asset_id), the unique identifier returned when an address is looked up on the remote server, and the attack relationship associated with each security event is determined at the same time.
For example, for the one-to-many security event A -> B, C, D, assuming A, B and C are assets, the determined assets are [A, B, C] and the attack relationships associated with the security event are A -> B, A -> C and A -> D.
The assets in the source address and the destination address of each security event are determined from the asset_id as follows:
the user adds the assets he cares about, for example a core server at 1.1.1.1, to the platform in advance, and the platform assigns the asset an asset_id, i.e. a label, for marking it; when the source address and/or the destination address of a security event is 1.1.1.1, the security event matches the asset, i.e. the source address and/or the destination address is determined to be an asset. An address that has not been registered in this way is treated as a non-asset.
Step S102, determining the risk factors corresponding to the risk assets according to the assets and attack relationships of each security event;
as an alternative embodiment, an analytic hierarchy process (AHP) is used to determine the risk factors of the risk assets.
The risk factors include at least one of attack chain stage, threat level and attack direction; the attack direction includes a lateral attack, initiated from an asset against another asset, and an external-connection attack, initiated from an asset towards a non-asset.
As an alternative embodiment, the attack direction further includes an external attack.
An external attack is one in which an attacker performs a series of attack actions against the target system from an external virtual IP or a spoofed site in order to obtain some basic information or to prepare a further attack; a lateral attack indicates that the attack has already moved laterally into the intranet and that compromised hosts may already exist in the system; an external-connection attack indicates that sensitive information has already leaked or that an attacker is stealing data.
It should be noted that the threat posed by an external attack, a lateral attack and an external-connection attack increases in that order; when a lateral attack or an external-connection attack occurs, the system is in danger or has already been compromised.
Lateral attacks and external-connection attacks can be judged from the attack relationships of the security event. For example, if the attack A -> B, C, D occurs and A and B are assets, then for A a lateral attack A -> B has occurred and external-connection attacks A -> C and A -> D have occurred.
The attack directions of B, C and D cannot be determined from this information alone, since the event only records what A did, not what B, C or D did.
As an alternative implementation, the attack chain stage may be divided into seven stages (the text refers to the ATT&CK model; the seven stages listed are those of the Cyber Kill Chain), which are in order: reconnaissance, weaponization (tool fabrication), delivery, exploitation (attack penetration), installation of tools, command and control, and malicious activity.
Reconnaissance is the first step of an attack, information gathering, in which the target's weaknesses are learned.
Weaponization is the preparation, on the basis of reconnaissance, of a tool that attacks the vulnerability once the target's weakness is known.
Delivery refers to the targeted delivery of the weapon, for example malicious code, into the target environment.
Exploitation refers to triggering the delivered malicious code through a vulnerability or defect in order to obtain control of the system.
Installation of tools means implanting a malicious program or backdoor into the system, so that control can be regained through the backdoor even after the vulnerability has been patched or the system has been restarted.
Command and control refers to the controlled server either executing the attack immediately or waiting for further instructions from the attacker's remote server, until the server is completely under the attacker's control.
Malicious activity refers to carrying out direct intrusion, stealing data, disrupting system operation, or moving further laterally within the internal network.
It should be noted that behaviour in the first four stages raises the risk value of the system, while from the installation stage onwards damage is generally considered to have already been done.
As an alternative embodiment, the threat level may take five values: minor, general, major, severe and extremely severe.
Step S103, determining, according to the risk factors, the risk assets among the assets of each security event and the code values corresponding to the risk assets;
based on the attack chain stage, the threat level and the attack direction, the risk assets among the assets are determined according to preset rules, and the code value corresponding to each risk asset is determined.
Step S104, determining the risk level of each risk asset according to each risk asset and its code values and the pre-stored history of each risk asset.
The risk level refers to the severity of the threat impact after the security event has occurred, not to the likelihood that the security event occurs; when the risk asset level is determined in the present application, the security event is already known.
Step S105, when a risk level downgrade is triggered, re-determining the risk level of each risk asset.
The trigger condition for the downgrade may be that the risk assets and code values determined from the security events, or the pre-stored history of a risk asset, change.
The embodiment of the invention can dynamically adjust the risk asset level when a downgrade is triggered, which improves the sensitivity and practicality of risk asset level determination.
The method and device consider not only the risk assets and code values determined from the security event, but also the pre-stored history of every risk asset, i.e. the risk asset level is determined in combination with the context, which improves the accuracy of the determination.
For example, if on the first day an asset is the target of an attack whose chain stage is in the last three stages and whose threat level is major, and two days later the same asset initiates an attack, the present application correlates the security event behaviour of the preceding days to determine the risk level of the risk asset.
As an optional implementation, after the attack relationship between the source address and the destination address is determined, the method further includes:
storing the assets and the attack relationships in an asset cache;
and writing the assets and the attack relationships to the database through a warehousing thread.
When the assets and attack relationships are stored in the asset cache, they are marked with a state label according to whether they are newly added.
Assets and attack relationships whose state label is 'newly added' are inserted into the database; those whose state label is not 'newly added' are updated in the database.
During the insert or update operation, the attack relationship is split into source-destination pairs and merged by day according to the event name.
For example, the attack relationship A -> B, C, D is split into the pairs A -> B, A -> C and A -> D.
Merging by day according to the event name means: if one record is a weak-password security event A -> B and another record on the same day is also a weak-password security event A -> B, no insert is performed; the first record is updated instead, and the occurrence count of the A -> B weak-password event becomes 2. If the other record is a brute-force cracking event A -> B, then although the pair A -> B is unchanged, the event name has changed from weak password to brute-force cracking, so an insert is performed rather than a merge, and the database then holds two records, the A -> B weak-password event and the A -> B brute-force cracking event.
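The pairwise split and the day-level merge described above, as an added example that is not the patent's own code. The record layout (a comma-separated destination field, an event name and a timestamp), the sample events and the `count`/`state` columns are constructed for this illustration; the merge key (source, destination, event name, day) is the one the text describes.

```python
"""Added example: pairwise splitting of a one-to-many attack relation and the
day-level merge by event name performed at warehousing time.  Illustrative
code, not the patent's implementation; the record layout and the sample
events are constructed for the example."""
from collections import OrderedDict
from datetime import datetime

# Constructed raw security events (not taken from the original page).
RAW_EVENTS = [
    {"src": "A", "dst": "B,C,D", "name": "weak password", "time": "2021-09-01T08:00:00"},
    {"src": "A", "dst": "B",     "name": "weak password", "time": "2021-09-01T11:30:00"},
    {"src": "A", "dst": "B",     "name": "brute force",   "time": "2021-09-01T12:00:00"},
    {"src": "A", "dst": "B",     "name": "weak password", "time": "2021-09-02T09:00:00"},
]


def split_relation(record):
    """Split A -> B, C, D into the pairs A -> B, A -> C, A -> D."""
    dsts = [d.strip() for d in record["dst"].split(",") if d.strip()]
    return [(record["src"], d) for d in dsts]


def merge_by_day(records, table=None):
    """Upsert each (src, dst, event name, day) into the relation table.

    A key that is already present is updated (occurrence count + 1) instead
    of inserted; a different event name between the same pair, or the same
    event on another day, is a new row.  Passing an existing table models
    the database the warehousing thread writes into.
    """
    table = OrderedDict() if table is None else table
    for rec in records:
        day = datetime.fromisoformat(rec["time"]).date().isoformat()
        for src, dst in split_relation(rec):
            key = (src, dst, rec["name"], day)
            if key in table:
                table[key]["count"] += 1        # merge: update, not insert
                table[key]["state"] = "updated"
            else:
                table[key] = {"count": 1, "state": "new"}   # insert
    return table


if __name__ == "__main__":
    for key, row in merge_by_day(RAW_EVENTS).items():
        print(key, row)
```

Running it over the constructed events yields five rows: the three pairs of the first event, the separate A -> B brute-force row, and a fresh A -> B weak-password row for the second day, while the two same-day A -> B weak-password events collapse into one row with count 2.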
The application determines the risk assets among the assets of each security event, and the code value corresponding to each risk asset, from the risk factors as follows:
among the assets of each security event, those whose attack chain stage is not less than a first threshold and whose threat level is not less than a second threshold are determined to be risk assets corresponding to a first code value;
among the assets of each security event, those whose attack direction is a lateral attack or an external-connection attack are determined to be risk assets corresponding to a second code value;
among the assets of each security event, those whose attack chain stage is not less than a third threshold are determined to be risk assets corresponding to a third code value;
among the assets of each security event, those whose attack chain stage is not less than a fourth threshold are determined to be risk assets corresponding to a fourth code value;
wherein the first threshold is greater than the third threshold, and the third threshold is greater than the fourth threshold.
The specific values of the first, second, third and fourth thresholds may be set according to the implementation, for example the first threshold is set to 5, the second threshold to the 'high' threat level, the third threshold to 3 and the fourth threshold to 1; the application does not limit this. Note that the rules are not exclusive: an asset whose event is at stage 5 also satisfies the third and fourth rules, so one asset may carry several code values at once.
As an alternative embodiment, the code value of a risk asset may be implemented as a risk level mapping code value. The specific mapping is shown in Table 1 below (the table image is not reproduced; its rows are reconstructed from the description that follows):
Table 1: Code value and risk level mapping table of risk assets (1)
Code value Condition on the risk asset
1 attack chain stage >= 5 and threat level >= high
2 external-connection attack or lateral attack
3 attack chain stage >= 3
4 attack chain stage >= 1
That is, a risk asset with attack chain stage >= 5 and threat level >= high is a risk asset corresponding to the first code value, the first code value being the risk level mapping code value 1; a risk asset with an external-connection attack or a lateral attack corresponds to the second code value, the risk level mapping code value 2; a risk asset with attack chain stage >= 3 corresponds to the third code value, the risk level mapping code value 3; and a risk asset with attack chain stage >= 1 corresponds to the fourth code value, the risk level mapping code value 4.
After the risk assets among the assets of each security event and their code values are determined, the embodiment of the invention further includes:
determining, against the pre-stored historical risk assets, which of the risk assets are newly added;
and inserting the newly added risk assets and their code values alongside the historical risk assets and historical code values, while updating the risk assets that are not newly added and their code values.
ESPSAS is used to query the stored status of the asset: if the asset can be retrieved and its status is 'unhandled', the asset already exists; otherwise it is a newly added risk asset.
When the stored status of the asset is queried, the data is first read from the local cache; if that fails it is read from the Redis secondary cache, and if that also fails it is read from the PostgreSQL database.
The embodiment of the invention determines the risk level of each risk asset as follows:
a risk asset whose code values include both the first code value and the second code value is determined to be compromised;
among the risk assets that are not compromised, one whose code values include the second code value and/or the third code value, or the first code value, is determined to be high risk;
a risk asset that is neither compromised nor high risk is determined to be low risk.
The risk level is thus divided into three grades, compromised, high risk and low risk, in decreasing order of threat. The specific judgement is as follows. (1) Compromised: the attack chain stage is 5, 6 or 7, the threat level of the security event is high or above, and there is an external-connection attack or a lateral attack, i.e. the corresponding code values are the first and the second code value. (2) High risk: a non-compromised asset whose attack chain stage is 3 or above, or which has an external-connection attack or a lateral attack, i.e. 1) the corresponding code value is the first code value; 2) the corresponding code value is the second code value; 3) the corresponding code value is the third code value; 4) the corresponding code values are the second and the third code value. (3) Low risk: an asset that is neither high risk nor compromised and whose attack chain stage is 1 or above, i.e. 1) the corresponding code value is the fourth code value; 2) the corresponding code values are the second and the fourth code value. (Note that the listing under (3) treats the combination of the second and fourth code values as low risk, while rule (2) treats a second code value on its own as high risk; the embodiment does not state which applies when both hold.)
Taking assets A and B as an example, the risk level determination process is illustrated as follows:
(1) The first security event processed is an SQL injection attack A -> B, C, D with event ID 1. Assume that the attack chain stage of this security event is 5 and its threat level is high, and that A, B and C are assets. The data in the risk level table at this point is shown in Table 2 below:
Table 2: Risk level table (1) (rows reconstructed from the description that follows)
Asset Event ID Risk level calculation flag
A 1 1, 2, 3, 4
B 1 1, 3, 4
C 1 1, 3, 4
The security event A -> B, C, D is split into A -> B, A -> C and A -> D. Since the attack chain stage of the event is 5 and its level is high, conditions 1, 3 and 4 of Table 1 are met for assets A, B and C.
From A's perspective, assets B and C are attacked, i.e. a lateral attack has occurred, and the non-asset D is also attacked, i.e. an external-connection attack has occurred, so A also meets condition 2 of the mapping table; the risk level calculation flags for A are therefore 1, 2, 3, 4.
From B's perspective, the event A -> B, C, D only shows that B was attacked by A; whether B attacked other assets or non-assets is not recorded, so B does not meet condition 2 and the risk level calculation flags for B are 1, 3, 4.
(2) The second security event processed is an attack B -> C with event ID 2. Assume that the attack chain stage of this security event is 3. Taking assets A and B as the example, the data in the risk level table is then as shown in Table 3 below, and B gains an additional associated record:
Table 3: Risk level table (2)
(table image not reproduced: the rows of Table 2 plus the additional record for B from event ID 2, described below)
B was judged to have flags 1, 3, 4 on the basis of the first security event; the second security event now adds to this: B attacks C, i.e. B has launched a lateral attack, so B gains a record, B now also meets condition 2 of the mapping table, and B is judged to be compromised.
It should be noted that in a concrete implementation the current risk level of B may be cached in memory, and the risk level of B is computed from the flags B already holds.
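The code value assignment of step S103 and the first-pass risk level of step S104, carried through the worked example above, as an added example that is not the patent's own code. It assumes numeric stages 1 to 7 and threat levels 1 to 5, with the second threshold ("high") taken as level 3 and the second event's threat level taken as 1 (neither is stated in the text); the dataclass and function names are this example's own. The level rule is the stepwise one given for S104 (first and second code value together mean compromised; any of the first, second or third code value means high risk; only the fourth means low risk).

```python
"""Added example: code values per event (Table 1) and first-pass risk level
(step S104) over the union of an asset's stored records.  Illustrative code,
not the patent's implementation."""
from collections import defaultdict
from dataclasses import dataclass

# Thresholds from the text; the threat threshold is an assumption ("high" = 3 of 5).
FIRST_THRESHOLD = 5      # attack chain stage for code value 1
SECOND_THRESHOLD = 3     # threat level for code value 1 (assumed)
THIRD_THRESHOLD = 3      # attack chain stage for code value 3
FOURTH_THRESHOLD = 1     # attack chain stage for code value 4


@dataclass(frozen=True)
class SecurityEvent:
    event_id: int
    name: str
    src: str
    dsts: tuple            # one-to-many destination addresses
    stage: int             # attack chain stage, 1 (reconnaissance) .. 7 (malicious activity)
    threat: int            # threat level, 1 (minor) .. 5 (extremely severe)


def code_values(event, assets):
    """Return {asset: set of code values} produced by one event.

    Only registered assets become risk assets.  The attack direction (code
    value 2) is only known for the event's source: A -> B, C, D shows that A
    attacked laterally (B, C are assets) and made an external connection
    (D is not), but says nothing about what B or C attacked.
    """
    flags = {}
    for addr in dict.fromkeys((event.src, *event.dsts)):   # dedupe, keep order
        if addr not in assets:
            continue
        f = set()
        if event.stage >= FIRST_THRESHOLD and event.threat >= SECOND_THRESHOLD:
            f.add(1)
        if event.stage >= THIRD_THRESHOLD:
            f.add(3)
        if event.stage >= FOURTH_THRESHOLD:
            f.add(4)
        flags[addr] = f
    if event.src in assets:
        lateral = any(dst in assets for dst in event.dsts)
        external_connection = any(dst not in assets for dst in event.dsts)
        if lateral or external_connection:
            flags[event.src].add(2)
    return flags


def risk_level(flags):
    """First-pass level (step S104) from the union of an asset's code values."""
    if {1, 2} <= flags:
        return "compromised"
    if flags & {1, 2, 3}:
        return "high"
    if 4 in flags:
        return "low"
    return None


def evaluate(events, assets):
    """Keep one (asset, event_id) record per event, then aggregate per asset."""
    records = defaultdict(set)
    for ev in events:
        for asset, f in code_values(ev, assets).items():
            records[(asset, ev.event_id)] |= f
    per_asset = defaultdict(set)
    for (asset, _), f in records.items():
        per_asset[asset] |= f
    return {asset: risk_level(f) for asset, f in per_asset.items()}


ASSETS = {"A", "B", "C"}     # registered assets; D is not an asset
EVENTS = [                   # the two events of the worked example (constructed values)
    SecurityEvent(1, "sql injection", "A", ("B", "C", "D"), stage=5, threat=3),
    SecurityEvent(2, "lateral probe", "B", ("C",), stage=3, threat=1),
]

if __name__ == "__main__":
    print(evaluate(EVENTS[:1], ASSETS))   # A compromised, B and C high risk
    print(evaluate(EVENTS, ASSETS))       # B gains code value 2 and becomes compromised
```

After the first event A carries 1, 2, 3, 4 and B and C carry 1, 3, 4, matching Table 2; the second event adds 2, 3, 4 to B, whose union then satisfies the compromised rule, which is the outcome the text gives for Table 3.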
As shown in fig. 2, an embodiment of the present invention provides a flowchart for evaluating the risk asset level, including:
step S201, splitting each security event in the source data, determining the source address and the destination address of each security event, and determining the attack relationship between the source address and the destination address;
the assets are extracted from the source field and the destination field.
Step S202, determining the risk factors corresponding to the risk assets according to the assets and attack relationships of the security events;
step S203, determining the risk assets among the assets of each security event according to the risk factors;
step S204, judging whether the risk asset is already stored in the database; if so, executing step S205, otherwise executing step S208;
step S205, merging the attack relationships;
this updates the attack relationship table and the association table of risk assets;
step S206, updating the security events associated with the attack relationship;
this updates the association table between attack relationships and security events;
step S207, updating the risk asset and security event states, then executing step S211;
this updates the association table between risk assets and security events;
step S208, inserting into the risk asset table;
step S209, inserting the attack relationship;
this inserts into the attack relationship table and the association table of risk assets;
step S210, inserting the risk asset and security event states;
this inserts into the association table between risk assets and security events;
step S211, calculating the attack relationship graph;
this updates the attack relationship graph;
step S212, calculating the risk level, and ending the flow;
this updates the risk level table.
After the risk level of each risk asset has been determined, the embodiment of the invention re-determines the risk level of each risk asset when a downgrade is triggered, as follows:
after any security event has been handled, deleting the code values associated with that security event from the history;
and re-determining the risk level of the risk assets of that security event according to each risk asset, its current code values and the history.
That is, after the status of a security event changes, the risk assets are dynamically downgraded.
The risk level of a risk asset is caused by the security events generated by the asset. After an operator has handled one of the associated security events, the risk asset engine is notified through a message queue that the security event has been handled and that the risk assets affected by it must be downgraded. The engine then directly deletes the records related to that security event from the risk asset level table, for example the label values that the handled security event produced for the risk asset, and a background thread re-aggregates the labels that remain after the event is cleared, so that the current real-time level is obtained.
When the risk level is recalculated, the latest risk level is obtained simply by grouping and counting the related assets by risk level calculation flag.
As an alternative embodiment, handling any security event includes:
handling all risk assets of that security event.
It should be noted that where dynamic downgrading involves the associated handling of risk assets and security events, the risk asset is dynamically downgraded after that associated handling is complete.
The associated handling policy for risk assets and security events is as follows:
(1) Handling a risk asset: the state in the risk asset table is modified first, then the states of the associated security events are modified, and if and only if every risk asset produced by a security event associated with the asset has been handled, a request to handle that security event is sent to the adjudication service's message Topic. For example, for the security event A -> B, C, D, assuming A, B and C are assets, the adjudication service is notified to handle the security event if and only if assets A, B and C have all been handled.
(2) Handling a security event: after a security event has been handled, the adjudication service sends a data notification to the Topic; when the notification is consumed, the risk assets related to the security event are handled, and a further check is made: if all security events related to an asset have been handled, the state of that asset is modified to 'handled'.
The embodiment of the invention re-determines the risk level of the risk assets of any security event as follows:
among the risk assets of that security event, a risk asset whose code values include the first code value is determined to be compromised;
among the risk assets of that security event, a risk asset whose code values include the third code value and do not include the first code value is determined to be high risk;
and among the risk assets of that security event, a risk asset whose code values include the fourth code value and include neither the first nor the third code value is determined to be low risk.
It should be noted that when the risk level is re-determined it is no longer necessary to check for an external-connection or lateral attack, because the attack direction is a confirming condition: after the related events have been handled by operations staff, even if the asset no longer carries an attack direction label, (1) if the corresponding code value is the first code value, or the first and the second code value, the asset is judged compromised; (2) if the corresponding code value is the third code value, or the third and the second code value, it is judged high risk; (3) if the corresponding code value is the fourth code value, or the fourth and the second code value, it is judged low risk. The specific risk level mapping is shown in Table 4 below:
Table 4: Risk level mapping table (2)
Risk level Code values giving this risk level
Compromised 1 or 1&2
High risk 3 or 3&2
Low risk 4 or 4&2
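The two-way handling policy (1) and (2) above and the downgrade that follows an "event handled" message, run over the records of the worked example, as an added example that is not the patent's own code. The record table is the (asset, event ID) to code values shape described for Tables 2 and 3; the message queue and adjudication service are modelled as direct method calls, and the class and method names are this example's own.

```python
"""Added example: dynamic downgrade driven by event handling, with the
associated asset/event handling policy.  Illustrative code, not the patent's
implementation."""
from collections import defaultdict


def level_after_degradation(flags):
    """Table 4: on re-determination the attack direction (code value 2) is
    not consulted, so only code values 1, 3 and 4 decide the level."""
    if 1 in flags:
        return "compromised"
    if 3 in flags:
        return "high"
    if 4 in flags:
        return "low"
    return None          # no code values left: the asset is no longer at risk


class RiskAssetEngine:
    def __init__(self, records):
        self.records = {k: set(v) for k, v in records.items()}
        self.event_assets = defaultdict(set)     # event ID -> risk assets it produced
        self.asset_events = defaultdict(set)     # asset -> events it is associated with
        for asset, event_id in self.records:
            self.event_assets[event_id].add(asset)
            self.asset_events[asset].add(event_id)
        self.asset_state = {a: "unhandled" for a in self.asset_events}
        self.event_state = {e: "unhandled" for e in self.event_assets}

    def levels(self):
        """Group the remaining code values by asset and map through Table 4."""
        per_asset = defaultdict(set)
        for (asset, _), flags in self.records.items():
            per_asset[asset] |= flags
        return {a: level_after_degradation(per_asset[a]) for a in self.asset_events}

    def dispose_asset(self, asset):
        """Policy (1): mark the asset handled; a security event is passed on
        for handling only once every risk asset it produced is handled
        (the adjudication Topic is modelled as a direct call)."""
        self.asset_state[asset] = "handled"
        for event_id in sorted(self.asset_events[asset]):
            if self.event_state[event_id] == "handled":
                continue
            if all(self.asset_state[a] == "handled" for a in self.event_assets[event_id]):
                self.handle_event(event_id)

    def handle_event(self, event_id):
        """Policy (2) plus the downgrade: the 'event handled' message deletes
        that event's records and recomputes the affected assets; an asset
        whose events are all handled becomes handled.  Returns the new levels
        of the affected assets."""
        self.event_state[event_id] = "handled"
        for asset in self.event_assets[event_id]:
            self.records.pop((asset, event_id), None)
            if all(self.event_state[e] == "handled" for e in self.asset_events[asset]):
                self.asset_state[asset] = "handled"
        levels = self.levels()
        return {a: levels[a] for a in self.event_assets[event_id]}


# Constructed records matching the worked example: event 1 is A -> B, C, D at
# stage 5 / high threat, event 2 is B -> C at stage 3 (D is not an asset).
RECORDS = {
    ("A", 1): {1, 2, 3, 4},
    ("B", 1): {1, 3, 4},
    ("C", 1): {1, 3, 4},
    ("B", 2): {2, 3, 4},
    ("C", 2): {3, 4},
}

if __name__ == "__main__":
    engine = RiskAssetEngine(RECORDS)
    print(engine.handle_event(1))      # A drops out, B and C fall to high risk
    engine.dispose_asset("B")          # event 2 still has C unhandled, so it stays open
    engine.dispose_asset("C")          # now event 2 is handled and B, C drop out too
    print(engine.levels())
```

Handling event 1 removes every record it produced: A is left with nothing, B and C keep only their event 2 records and fall to high risk. Disposing B alone does not close event 2, because C is still unhandled; disposing C closes it and clears the remaining records. One caveat worth checking in a real deployment: because Table 4 drops the direction condition, an asset whose remaining records carry the first code value without the second (C's event 1 record here) is rated compromised on re-determination even though the first-pass rule would have rated it high risk, and the text does not say whether the re-determined level is capped at the previous one.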
As shown in fig. 3, an embodiment of the present invention provides a flowchart of an implementation for re-determining the risk asset level, including:
step S301, consuming the security event handling topic;
step S302, obtaining the ID of the changed security event, and deleting the records associated with that security event from the risk asset level table;
step S303, recalculating the risk level of the assets associated with the security event;
step S304, updating the risk level in the risk asset table.
Compared with the way the risk asset level is judged in the prior art, this method takes the attack chain stage, threat level and attack direction of the security event, which have a more reliable influence on asset risk, as the influencing factors, and combines them with the context for a comprehensive judgement and calculation, thereby improving the accuracy of asset level judgement with higher reliability and a lower false alarm rate. In addition, dynamic downgrading is combined with the associated handling of security events, and the downgrade judgement is made in both directions, from the asset and from the event; compared with the prior art this gives higher accuracy and flexibility, all actions are adjusted automatically and dynamically by the engine, and the burden on operations staff is reduced.
Example 2
An embodiment of the present invention provides a schematic diagram of a risk asset level determination and dynamic downgrade apparatus 400, including a memory 401 and a processor 402, as shown in fig. 4, wherein:
the memory is used for storing a computer program;
the processor is used for reading the program in the memory and executing the following steps:
determining, according to each security event in the source data, the assets in the source address and the destination address of each security event, and determining the attack relationship between the source address and the destination address; wherein the assets are preset contents to be protected;
determining risk factors corresponding to the risk assets according to the asset and attack relation of each security event;
determining risk assets in the assets of each security event and code values corresponding to the risk assets according to the risk factors;
determining the risk level of each risk asset according to each risk asset and the code value and the prestored history record of each risk asset;
and when the risk level degradation is triggered, the risk level of each risk asset is redetermined.
Optionally, the risk factors include at least one of attack chain stage, threat level and attack direction; the attack direction includes a lateral attack initiated from an asset against another asset and an external-connection attack initiated from an asset towards a non-asset;
the processor determines the risk assets among the assets of each security event, and the code value corresponding to each risk asset, from the risk factors as follows:
among the assets of each security event, those whose attack chain stage is not less than a first threshold and whose threat level is not less than a second threshold are determined to be risk assets corresponding to a first code value;
among the assets of each security event, those whose attack direction is a lateral attack or an external-connection attack are determined to be risk assets corresponding to a second code value;
among the assets of each security event, those whose attack chain stage is not less than a third threshold are determined to be risk assets corresponding to a third code value;
among the assets of each security event, those whose attack chain stage is not less than a fourth threshold are determined to be risk assets corresponding to a fourth code value;
wherein the first threshold is greater than the third threshold and the third threshold is greater than the fourth threshold.
Optionally, the processor determines the risk level of each risk asset as follows:
a risk asset whose code values include both the first code value and the second code value is determined to be compromised;
among the risk assets that are not compromised, one whose code values include the second code value and/or the third code value, or the first code value, is determined to be high risk;
a risk asset that is neither compromised nor high risk is determined to be low risk.
Optionally, after determining the risk asset and the code value corresponding to each risk asset in the assets of each security event, the processor is further configured to:
according to the pre-stored historical risk assets, determining newly-added risk assets in the risk assets respectively;
and inserting newly added risk assets and corresponding code values into the historical risk assets and the corresponding historical code values, and updating non-newly added risk assets and corresponding code values.
Optionally, when a risk level downgrade is triggered, the processor re-determines the risk level of each risk asset as follows:
after any security event has been handled, deleting the code values associated with that security event from the history;
and re-determining the risk level of the risk assets of that security event according to each risk asset, its current code values and the history.
Optionally, the processor re-determines the risk level of the risk assets of that security event as follows:
among the risk assets of that security event, a risk asset whose code values include the first code value is determined to be compromised;
among the risk assets of that security event, a risk asset whose code values include the third code value and do not include the first code value is determined to be high risk;
and among the risk assets of that security event, a risk asset whose code values include the fourth code value and include neither the first nor the third code value is determined to be low risk.
Optionally, the processor handles any security event by:
handling all risk assets of that security event.
An embodiment of the present invention provides a schematic diagram of a risk asset level determination and dynamic degradation apparatus, as shown in fig. 5, including:
an asset determining unit 501, configured to determine, according to each security event in source data, an asset in a source address and a destination address of each security event, and determine an attack relationship between the source address and the destination address; wherein the assets are preset contents to be protected;
a risk factor determining unit 502, configured to determine a risk factor corresponding to the risk asset according to the asset and attack relationship of each security event;
a risk asset determining unit 503, configured to determine, according to the risk factors, a risk asset in the assets of each security event and a code value corresponding to each risk asset;
A risk level determining unit 504, configured to determine a risk level of each risk asset according to each risk asset and the code value, and a pre-stored history of each risk asset;
and the dynamic degradation unit 505 is configured to redetermine the risk level of each risk asset when the risk level degradation is triggered.
Optionally, the risk factors include at least one of attack chain stage, threat level and attack direction; the attack direction includes a lateral attack initiated from an asset against another asset and an external-connection attack initiated from an asset towards a non-asset;
the risk asset determining unit determines the risk assets among the assets of each security event, and the code value corresponding to each risk asset, from the risk factors as follows:
among the assets of each security event, those whose attack chain stage is not less than a first threshold and whose threat level is not less than a second threshold are determined to be risk assets corresponding to a first code value;
among the assets of each security event, those whose attack direction is a lateral attack or an external-connection attack are determined to be risk assets corresponding to a second code value;
among the assets of each security event, those whose attack chain stage is not less than a third threshold are determined to be risk assets corresponding to a third code value;
among the assets of each security event, those whose attack chain stage is not less than a fourth threshold are determined to be risk assets corresponding to a fourth code value;
wherein the first threshold is greater than the third threshold and the third threshold is greater than the fourth threshold.
Optionally, the risk level determining unit determines the risk level of each risk asset as follows:
a risk asset whose code values include both the first code value and the second code value is determined to be compromised;
among the risk assets that are not compromised, one whose code values include the second code value and/or the third code value, or the first code value, is determined to be high risk;
a risk asset that is neither compromised nor high risk is determined to be low risk.
Optionally, after determining the risk assets and the code values corresponding to each risk asset in the assets of each security event, the risk asset determining unit is further configured to:
determine, according to pre-stored historical risk assets, which of the risk assets are newly added;
and insert the newly added risk assets and their corresponding code values into the historical risk assets and the corresponding historical code values, and update the code values of the risk assets that are not newly added.
Optionally, when risk level degradation is triggered, the dynamic downgrading unit re-determines the risk level of each risk asset, including:
after any security event has been handled, deleting the code values related to that security event, together with the corresponding code values in the history record;
and re-determining the risk level of the risk assets of that security event according to each risk asset, its current code values and the history record.
Optionally, the dynamic downgrading unit re-determines the risk level of the risk assets of that security event, including:
determining that, among the risk assets of that security event, a risk asset whose corresponding code values include the first code value has a risk level of collapse;
determining that, among the risk assets of that security event, a risk asset whose corresponding code values include the third code value and do not include the first code value has a risk level of high risk;
and determining that, among the risk assets of that security event, a risk asset whose corresponding code values do not include the first code value, do not include the third code value and include the fourth code value has a risk level of low risk.
The present invention also provides a computer readable storage medium storing a computer program which when executed by a processor implements the steps of the risk asset level determination and dynamic degradation method as provided in embodiment 1 above.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, and for example, the division of the modules is merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or modules, which may be in electrical, mechanical, or other forms.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product.
The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they produce, in whole or in part, a flow or function in accordance with the embodiments of the present application. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer readable storage medium may be any available medium that can be stored by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), a semiconductor medium (e.g., a Solid State Disk (SSD)), or the like.
The foregoing has described in detail the technical solutions provided herein, and specific examples have been used to illustrate the principles and embodiments of the present application, where the above examples are only used to help understand the methods and core ideas of the present application; meanwhile, as those skilled in the art will have modifications in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (10)

1. A method of risk asset level determination and dynamic degradation, comprising:
according to each security event in the source data, determining the assets in the source address and the destination address of each security event, and determining the attack relation between the source address and the destination address; wherein the assets are preset contents to be protected;
determining, according to the assets and attack relation of each security event, the risk factors corresponding to the risk assets;
determining, according to the risk factors, the risk assets in the assets of each security event and the code values corresponding to the risk assets;
determining the risk level of each risk asset according to each risk asset, its code values and a pre-stored history record;
and, when a risk level degradation is triggered, re-determining the risk level of each risk asset.
2. The method of claim 1, wherein the risk factors include at least one of attack chain stage, threat level, and attack direction; the attack direction comprises a transverse attack initiated from an asset to another asset and an externally connected attack initiated from an asset to a non-asset;
determining, according to the risk factors, the risk assets in the assets of each security event and the code values corresponding to the risk assets comprises:
determining that, among the assets of each security event, the assets whose corresponding attack chain stage is not smaller than a first threshold and whose threat level is not smaller than a second threshold are risk assets corresponding to a first code value;
determining that, among the assets of each security event, the assets whose corresponding attack direction is a transverse attack or an externally connected attack are risk assets corresponding to a second code value;
determining that, among the assets of each security event, the assets whose corresponding attack chain stage is not smaller than a third threshold are risk assets corresponding to a third code value;
determining that, among the assets of each security event, the assets whose corresponding attack chain stage is not smaller than a fourth threshold are risk assets corresponding to a fourth code value;
wherein the first threshold is greater than the third threshold, and the third threshold is greater than the fourth threshold.
3. The method of claim 2, wherein determining the risk level of each of the risk assets comprises:
determining that the risk level of a risk asset whose corresponding code values are the first code value and the second code value is collapse;
determining that, among the risk assets whose risk level is not collapse, a risk asset whose corresponding code value is the second code value and/or the third code value, or whose corresponding code value is the first code value, has a risk level of high risk;
determining that the risk level of a risk asset that is neither collapse nor high risk is low risk.
4. The method of claim 1, further comprising, after determining the risk assets and the code values corresponding to the risk assets in the assets of each security event:
determining, according to pre-stored historical risk assets, which of the risk assets are newly added;
and inserting the newly added risk assets and their corresponding code values into the historical risk assets and the corresponding historical code values, and updating the code values of the risk assets that are not newly added.
5. The method of any one of claims 1-4, wherein re-determining the risk level of each of the risk assets when a risk level degradation is triggered comprises:
after any security event has been handled, deleting the code values related to that security event, together with the corresponding code values in the history record;
and re-determining the risk level of the risk assets of that security event according to each risk asset, its current code values and the history record.
6. The method of claim 5, wherein re-determining the risk level of the risk assets of that security event comprises:
determining that, among the risk assets of that security event, a risk asset whose corresponding code values include the first code value has a risk level of collapse;
determining that, among the risk assets of that security event, a risk asset whose corresponding code values include the third code value and do not include the first code value has a risk level of high risk;
and determining that, among the risk assets of that security event, a risk asset whose corresponding code values do not include the first code value, do not include the third code value and include the fourth code value has a risk level of low risk.
7. The method of claim 5, wherein handling any security event comprises:
all risk assets of any one security event are handled.
8. A risk asset level determination and dynamic degradation apparatus comprising a memory and a processor, wherein:
the memory is used for storing a computer program;
the processor is configured to read the program in the memory and perform the steps of the risk asset level determination and dynamic degradation method of any one of claims 1 to 7.
9. A risk asset level determination and dynamic degradation apparatus, comprising:
an asset determining unit, configured to determine, according to each security event in source data, an asset in a source address and a destination address of each security event, and determine an attack relationship between the source address and the destination address; wherein the assets are preset contents to be protected;
the risk factor determining unit is used for determining risk factors corresponding to the risk assets according to the asset and attack relation of the security events;
the risk asset determining unit is used for determining the risk assets in the assets of each security event and the code values corresponding to the risk assets according to the risk factors;
the risk level determining unit is used for determining the risk level of each risk asset according to each risk asset and the code value and the prestored history record of each risk asset;
and the dynamic degradation unit is used for redetermining the risk level of each risk asset when the risk level degradation is triggered.
10. A computer readable storage medium, characterized in that it stores a computer program which, when executed by a processor, implements the steps of the risk asset level determination and dynamic degradation method according to any one of claims 1-7.
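The code-value, grading, history and downgrade rules stated in the unit description above and restated in claims 2 to 6 can be followed more easily in running code. The block below is an added worked example written for this page; it is not the patent's or the applicant's code. Everything concrete in it is an assumption the claims leave open: attack chain stage and threat level are modelled as integers, the attack direction as one of the strings "lateral", "outbound" and "inbound" (standing for the page's "transverse attack", "externally connected attack" and everything else), the four thresholds are constructed sample values chosen so that the first is greater than the third and the third greater than the fourth, the code values are written 1 to 4, the history record is a dictionary keyed by asset and then by event id, and "collapse" is taken to mean a compromised asset. Where the downgrade rules of claim 6 cover no case (for example, only the second code value is left after deletion), the example returns None rather than inventing a level.

```python
# Added worked example (not the patent's own code): the code-value and
# risk-level rules of claims 2-6, plus a small register that keeps the
# "pre-stored history record" and re-grades assets after an event is handled.
from __future__ import annotations
from dataclasses import dataclass

# The patent names the code values "first".."fourth"; they are 1..4 here.
FIRST, SECOND, THIRD, FOURTH = 1, 2, 3, 4

# Constructed sample thresholds. The claims only require that the first
# attack-chain-stage threshold exceeds the third, which exceeds the fourth;
# the second threshold applies to the threat level.
STAGE_FIRST = 6
THREAT_SECOND = 3
STAGE_THIRD = 4
STAGE_FOURTH = 2

# Assumed direction vocabulary: "lateral" and "outbound" stand for the page's
# "transverse attack" and "externally connected attack".
SECOND_CODE_DIRECTIONS = {"lateral", "outbound"}


@dataclass(frozen=True)
class SecurityEvent:
    event_id: str
    asset: str      # protected asset the event is attributed to
    stage: int      # attack chain stage (higher = further along the chain)
    threat: int     # threat level
    direction: str  # "lateral", "outbound" or "inbound" (assumed)


def code_values(ev: SecurityEvent) -> set[int]:
    """Claim 2: code values an event assigns to its asset (empty = not a risk asset)."""
    codes: set[int] = set()
    if ev.stage >= STAGE_FIRST and ev.threat >= THREAT_SECOND:
        codes.add(FIRST)
    if ev.direction in SECOND_CODE_DIRECTIONS:
        codes.add(SECOND)
    if ev.stage >= STAGE_THIRD:
        codes.add(THIRD)
    if ev.stage >= STAGE_FOURTH:   # STAGE_THIRD > STAGE_FOURTH, so THIRD implies FOURTH
        codes.add(FOURTH)
    return codes


def initial_level(codes: set[int]) -> str:
    """Claim 3: first grading. 'collapse' is the page's term for a compromised asset."""
    if FIRST in codes and SECOND in codes:
        return "collapse"
    if FIRST in codes or SECOND in codes or THIRD in codes:
        return "high"
    return "low"   # only the fourth code value is present


def downgraded_level(codes: set[int]) -> str | None:
    """Claim 6: re-grading after an event is handled. Note the looser collapse
    rule (FIRST alone suffices). Sets the claims do not cover, such as an empty
    set or SECOND alone, return None (the asset is not graded)."""
    if FIRST in codes:
        return "collapse"
    if THIRD in codes:
        return "high"
    if FOURTH in codes:
        return "low"
    return None


class RiskRegister:
    """Claims 4-5: history keyed asset -> event_id -> code values (assumed layout)."""

    def __init__(self) -> None:
        self.history: dict[str, dict[str, set[int]]] = {}

    def all_codes(self, asset: str) -> set[int]:
        return set().union(*self.history.get(asset, {}).values())

    def ingest(self, events: list[SecurityEvent]) -> dict[str, str]:
        """Insert newly added risk assets, update known ones, grade every touched asset."""
        for ev in events:
            codes = code_values(ev)
            if not codes:
                continue                                       # not a risk asset here
            per_asset = self.history.setdefault(ev.asset, {})  # insert if newly added
            per_asset[ev.event_id] = codes                     # update if already known
        touched = {ev.asset for ev in events if ev.asset in self.history}
        return {a: initial_level(self.all_codes(a)) for a in touched}

    def handle_event(self, event_id: str) -> dict[str, str | None]:
        """Claim 5: drop the handled event's code values, then re-grade its assets."""
        affected = [a for a, evs in self.history.items() if event_id in evs]
        for a in affected:
            del self.history[a][event_id]
        return {a: downgraded_level(self.all_codes(a)) for a in affected}


# Constructed sample events (comments give the code values each one yields).
SAMPLE_EVENTS = [
    SecurityEvent("e1", "db-01", stage=7, threat=4, direction="lateral"),   # {1,2,3,4}
    SecurityEvent("e2", "web-02", stage=5, threat=1, direction="inbound"),  # {3,4}
    SecurityEvent("e3", "ws-03", stage=2, threat=1, direction="inbound"),   # {4}
    SecurityEvent("e4", "db-01", stage=3, threat=1, direction="inbound"),   # {4}
    SecurityEvent("e5", "app-04", stage=7, threat=4, direction="inbound"),  # {1,3,4}
    SecurityEvent("e6", "app-04", stage=1, threat=1, direction="lateral"),  # {2}
]

if __name__ == "__main__":
    reg = RiskRegister()
    print(reg.ingest(SAMPLE_EVENTS))  # db-01, app-04 collapse; web-02 high; ws-03 low
    print(reg.handle_event("e1"))     # db-01 -> low: only e4's fourth code value remains
    print(reg.handle_event("e6"))     # app-04 -> collapse: first code value still present
    print(reg.handle_event("e2"))     # web-02 -> None: no code values left
```

The sample run makes the difference between the two grading rules visible: app-04 would be graded only "high" by the claim 3 rule on the code values {1,3,4}, but after e6 is handled the claim 6 rule keeps it at "collapse" because the first code value alone suffices there. An analyst tuning such a system would want to check that this asymmetry is intended before relying on the downgrade path to clear compromised assets.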
CN202111122053.7A 2021-09-24 2021-09-24 Method, device and equipment for judging risk asset level and dynamically degrading risk asset level Active CN113872959B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111122053.7A CN113872959B (en) 2021-09-24 2021-09-24 Method, device and equipment for judging risk asset level and dynamically degrading risk asset level

Publications (2)

Publication Number Publication Date
CN113872959A CN113872959A (en) 2021-12-31
CN113872959B true CN113872959B (en) 2023-05-16

Family

ID=78993809

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111122053.7A Active CN113872959B (en) 2021-09-24 2021-09-24 Method, device and equipment for judging risk asset level and dynamically degrading risk asset level

Country Status (1)

Country Link
CN (1) CN113872959B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114884712B (en) * 2022-04-26 2023-11-07 绿盟科技集团股份有限公司 Method, device, equipment and medium for determining risk level information of network asset

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015106215A (en) * 2013-11-29 2015-06-08 三菱電機株式会社 Risk analysis device and risk analysis program
WO2019028341A1 (en) * 2017-08-03 2019-02-07 T-Mobile Usa, Inc. Similarity search for discovering multiple vector attacks
CN109474515A (en) * 2018-11-13 2019-03-15 平安科技(深圳)有限公司 Mail push method, device, computer equipment and the storage medium of risk case
CN113055407A (en) * 2021-04-21 2021-06-29 深信服科技股份有限公司 Asset risk information determination method, device, equipment and storage medium
WO2021151335A1 (en) * 2020-01-31 2021-08-05 华为技术有限公司 Network event processing method and apparatus, and readable storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8966591B2 (en) * 2013-01-18 2015-02-24 Ca, Inc. Adaptive strike count policy
US10616258B2 (en) * 2013-10-12 2020-04-07 Fortinet, Inc. Security information and event management
US11477245B2 (en) * 2015-10-28 2022-10-18 Qomplx, Inc. Advanced detection of identity-based attacks to assure identity fidelity in information technology environments
AU2016367922B2 (en) * 2015-12-11 2019-08-08 Servicenow, Inc. Computer network threat assessment

Also Published As

Publication number Publication date
CN113872959A (en) 2021-12-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant