CN113965417A - Asset risk detection method and device - Google Patents

Asset risk detection method and device

Publication number: CN113965417A
Application number: CN202111566610.4A
Authority: CN (China)
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Prior art keywords: configuration, asset, scene, strategy, data
Inventors: 于淼赟, 赵林林, 熊天翼, 薛锋
Original and current assignee: Beijing ThreatBook Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Application filed by Beijing ThreatBook Technology Co Ltd; priority to CN202111566610.4A; publication of CN113965417A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The embodiment of the application provides an asset risk detection method and device, relating to the technical field of network security. The asset risk detection method comprises the following steps: first, determining a configuration scene and an alarm information item according to configuration data input by a user; configuring policy configuration data corresponding to the configuration scene; then generating an asset risk detection policy according to the configuration scene, the policy configuration data and the alarm information item; further, acquiring data to be detected, and judging according to the asset risk detection policy whether the data to be detected carries asset risk; if so, outputting asset risk alarm information for the data to be detected according to the asset risk detection policy. Personalized asset risk detection can thus be carried out for different scenes, with good applicability and high detection efficiency, so that missed detection is effectively avoided and network asset security is maintained.

Description

Asset risk detection method and device
Technical Field
The application relates to the technical field of network security, in particular to an asset risk detection method and device.
Background
As enterprises pay ever more attention to security construction, their internal security construction keeps improving and network asset security receives more and more attention. Existing asset risk detection methods generally perform risk detection on monitored traffic based on universal detection rules. In practice, however, a general rule cannot cover all scenes: applicability is poor, detection efficiency is low, and missed detection occurs easily, so the security of network assets cannot be ensured.
Disclosure of Invention
The embodiment of the application aims to provide an asset risk detection method and device capable of performing personalized asset risk detection for different scenes, with good applicability and high detection efficiency, so that missed detection is effectively avoided and network asset security is maintained.
A first aspect of an embodiment of the present application provides an asset risk detection method, including:
determining a configuration scene and an alarm information item according to configuration data input by a user;
configuring policy configuration data corresponding to the configuration scene;
generating an asset risk detection strategy according to the configuration scene, the strategy configuration data and the alarm information item;
acquiring data to be detected, and judging whether the data to be detected has asset risks according to the asset risk detection strategy;
and if so, outputting asset risk alarm information aiming at the data to be detected according to the asset risk detection strategy.
In the implementation process, a configuration scene and an alarm information item are first determined according to configuration data input by a user; policy configuration data corresponding to the configuration scene is configured; an asset risk detection policy is then generated according to the configuration scene, the policy configuration data and the alarm information item; further, data to be detected is acquired, and it is judged according to the asset risk detection policy whether the data to be detected carries asset risk; if so, asset risk alarm information for the data to be detected is output according to the asset risk detection policy. Personalized asset risk detection can thus be carried out for different scenes, with good applicability and high detection efficiency, so that missed detection is effectively avoided and network asset security is maintained.
Further, the configuration scene comprises one or more of: a port open to the outside scene, a service open to the outside scene, a host accessing the extranet scene, an internal asset mutual access scene, a non-compliant software usage scene, a non-compliant web page component usage scene, an abnormal-time login scene, an abnormal-place login scene, and a high-frequency login failure scene.
Further, when the configuration scene comprises the port open to the outside scene, the policy configuration data comprises policy content configuring the restricted ports and assets;
when the configuration scene comprises the service open to the outside scene, the policy configuration data comprises policy content configuring the restricted services and assets;
when the configuration scene comprises a host open to the outside scene, the policy configuration data comprises policy content configuring the restricted hosts;
when the configuration scene comprises the host accessing the extranet scene, the policy configuration data comprises policy content configuring the restricted hosts;
when the configuration scene comprises the internal asset mutual access scene, the policy configuration data comprises policy content configuring the restricted source assets, destination ports and destination services;
when the configuration scene comprises the non-compliant software usage scene, the policy configuration data comprises policy content configuring the non-compliant software whose use is restricted and the assets of interest;
when the configuration scene comprises the non-compliant web page component usage scene, the policy configuration data comprises policy content configuring the non-compliant web applications and framework libraries whose use is restricted and the assets of interest;
when the configuration scene comprises the abnormal-time login scene, the policy configuration data comprises policy content configuring the restricted login times and assets;
when the configuration scene comprises the abnormal-place login scene, the policy configuration data comprises policy content configuring the restricted login places and assets;
when the configuration scene comprises the high-frequency login failure scene, the policy configuration data comprises policy content configuring the restricted login frequency and assets.
Further, the alarm information item at least comprises a risk alarm identifier and a risk severity level;
the risk alarm identifier comprises one or more of: a default port open to the outside, a database service open to the outside, remote control software used on the intranet, and a suspicious component used on the intranet;
wherein the risk severity level comprises one or more of a critical level, a high risk level, a medium risk level, a risk level, and a low risk level.
Further, determining a configuration scene and an alarm information item according to configuration data input by a user comprises:
determining a configuration scene, and a policy identifier based on the configuration scene, according to the configuration data input by the user;
matching the corresponding policy configuration items according to the configuration scene;
receiving configuration item data for the policy configuration items input by the user, and generating the policy configuration data according to the configuration item data and the policy identifier;
and receiving an alarm information item input by the user according to the configuration scene and the policy configuration data.
Further, judging according to the asset risk detection policy whether the data to be detected carries asset risk comprises:
generating flow matching alarm rules according to the asset risk detection policy;
judging whether the data to be detected simultaneously meets all of the flow matching alarm rules;
if so, determining that the data to be detected carries asset risk;
and if not, determining that the data to be detected carries no asset risk.
Further, the asset risk alarm information comprises the target configuration scene corresponding to the asset risk of the data to be detected, a risk alarm name, a risk severity level, and the target policy configuration data corresponding to the target configuration scene.
A second aspect of the embodiments of the present application provides an asset risk detection device, including:
a determining unit, used for determining a configuration scene and an alarm information item according to configuration data input by a user;
a configuration unit, used for configuring policy configuration data corresponding to the configuration scene;
a policy generating unit, used for generating an asset risk detection policy according to the configuration scene, the policy configuration data and the alarm information item;
an acquisition unit, used for acquiring data to be detected;
an asset risk detection unit, used for judging according to the asset risk detection policy whether the data to be detected carries asset risk;
and an alarm unit, used for outputting asset risk alarm information for the data to be detected according to the asset risk detection policy when the data to be detected carries asset risk.
In the implementation process, the determining unit determines a configuration scene and an alarm information item according to configuration data input by a user; the configuration unit configures policy configuration data corresponding to the configuration scene; the policy generating unit then generates an asset risk detection policy according to the configuration scene, the policy configuration data and the alarm information item; further, the acquisition unit acquires the data to be detected, and the asset risk detection unit judges according to the asset risk detection policy whether the data to be detected carries asset risk; if so, the alarm unit outputs asset risk alarm information for the data to be detected according to the asset risk detection policy. Personalized asset risk detection can thus be carried out for different scenes, with good applicability and high detection efficiency, so that missed detection is effectively avoided and network asset security is maintained.
A third aspect of embodiments of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to make the electronic device execute the asset risk detection method according to any one of the first aspect of embodiments of the present application.
A fourth aspect of the embodiments of the present application provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are read and executed by a processor, the method for detecting asset risk according to any one of the first aspect of the embodiments of the present application is performed.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of an asset risk detection method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an asset risk detection device according to an embodiment of the present application;
FIG. 3 is a schematic illustration showing a configuration interface when a user inputs configuration data according to an embodiment of the present disclosure;
fig. 4 is a schematic diagram illustrating a policy list after configuration is completed according to an embodiment of the present application;
FIG. 5 is a schematic illustration of an alarm configuration interface according to an embodiment of the present disclosure;
fig. 6 is a schematic diagram illustrating detection and display of an asset risk alarm according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to fig. 1, fig. 1 is a schematic flowchart illustrating an asset risk detection method according to an embodiment of the present disclosure. The asset risk detection method comprises the following steps:
S101, determining a configuration scene, and a policy identifier based on the configuration scene, according to configuration data input by a user.
In the embodiment of the present application, the execution subject of the method may be a TDP control device.
In the embodiment of the application, a user can configure, according to requirements, asset risk policies that meet the security management specifications of the TDP control device; the customized policies are stored in the TDP rule engine as TDP-specific risk detection rules.
In the embodiment of the application, the asset risk detection method is based on personalized scene configuration and can be suitable for different application scenes, so that the condition of missed detection is effectively avoided, and the security of network assets is further maintained.
Referring to fig. 3, fig. 3 is a schematic view illustrating the configuration interface when a user inputs configuration data according to an embodiment of the present disclosure. As shown in fig. 3, a user may input configuration data to determine at least one configuration scene as desired. A policy identifier can also be determined from the configuration data based on the configuration scene, for subsequent searching and filtering.
In the embodiment of the present application, the configurable configuration scenes include, but are not limited to, one or more of: a port open to the outside scene, a service open to the outside scene, a host accessing the extranet scene, an internal asset mutual access scene, a non-compliant software usage scene, a non-compliant web component usage scene, an abnormal-time login scene, an abnormal-place login scene, and a high-frequency login failure scene; the embodiment of the present application is not limited in this respect.
S102, matching the corresponding policy configuration items according to the configuration scene.
In the embodiment of the present application, the scene descriptions corresponding to the different configuration scenes are shown in Table 1 below.
Table 1: scene descriptions for each configuration scene (provided as an image in the original; content not available)
S103, receiving configuration item data for the policy configuration items input by the user, and generating the policy configuration data according to the configuration item data and the policy identifier.
S104, receiving an alarm information item input by the user according to the configuration scene and the policy configuration data.
In the embodiment of the application, the alarm information item at least comprises a risk alarm identifier and a risk severity level; the risk alarm identifier comprises one or more of: a default port open to the outside, a database service open to the outside, remote control software used on the intranet, a suspicious component used on the intranet, and the like; the risk severity level comprises one or more of a critical level, a high risk level, a medium risk level, a risk level, and a low risk level.
In the embodiment of the application, the alarm information item can be configured according to the configuration scene and its corresponding policy configuration data.
In the embodiment of the application, when configuring the alarm information item, the alarm information configuration item data input by the user must be obtained according to the alarm configuration specification, which is shown in Table 2.
Table 2: alarm configuration specification (provided as an image in the original; content not available)
In the embodiment of the present application, by implementing the steps S101 to S104, the configuration scene and the alarm information item can be determined according to the configuration data input by the user.
S105, configuring policy configuration data corresponding to the configuration scene.
In the embodiment of the application, when the policy configuration data corresponding to the configuration scene is matched and configured: when the configuration scene comprises a port open to the outside scene, the policy configuration data comprises policy content configuring the restricted ports and assets;
when the configuration scene comprises a service open to the outside scene, the policy configuration data comprises policy content configuring the restricted services and assets;
when the configuration scene comprises a host open to the outside scene, the policy configuration data comprises policy content configuring the restricted hosts;
when the configuration scene comprises a host accessing the extranet scene, the policy configuration data comprises policy content configuring the restricted hosts;
when the configuration scene comprises an internal asset mutual access scene, the policy configuration data comprises policy content configuring the restricted source assets, destination ports and destination services;
when the configuration scene comprises a non-compliant software usage scene, the policy configuration data comprises policy content configuring the non-compliant software whose use is restricted and the assets of interest;
when the configuration scene comprises a non-compliant web component usage scene, the policy configuration data comprises policy content configuring the non-compliant web applications and framework libraries whose use is restricted and the assets of interest;
when the configuration scene comprises an abnormal-time login scene, the policy configuration data comprises policy content configuring the restricted login times and assets;
when the configuration scene comprises an abnormal-place login scene, the policy configuration data comprises policy content configuring the restricted login places and assets;
when the configuration scene comprises a high-frequency login failure scene, the policy configuration data comprises policy content configuring the restricted login frequency and assets.
In the embodiment of the present application, the restricted port configuration supports a single port number (22), a port interval (1-1000), and the like; the embodiment of the present application is not limited thereto.
In an embodiment of the present application, the restricted host configuration supports restricting all hosts, restricting by IP address, or restricting by service group. When 'all hosts' or 'restrict by service group' is selected, whether some host IPs are excluded must additionally be configured; if 'yes' is selected, a 'trusted host IP list' (hosts other than the listed trusted host IPs are restricted) must additionally be configured, and so on; the embodiment of the present application is not limited in this respect.
In the embodiment of the present application, the restricted services include: web service classes (e.g., WebLogic, WebSphere), database classes (e.g., MSSQL, Oracle, PostgreSQL, Redis, Elasticsearch, MongoDB), file transfer classes (e.g., FTP/TFTP, Samba, NFS), mail service classes (e.g., SMTP), remote login (Telnet) classes (e.g., SSH, Telnet, RDP, VNC), and other classes (e.g., ZooKeeper, DNS, Zabbix, ActiveMQ, FastCGI, Memcached), without limitation to the embodiments herein.
In particular, the selectable restricted services are shown in Table 3.
Table 3: selectable restricted services (provided as an image in the original; content not available)
In an embodiment of the present application, the restricted asset configuration supports restricting all assets, restricting by IP address, or restricting by service group. When 'all assets' or 'restrict by service group' is selected, whether some asset IPs are excluded must additionally be configured; if 'yes' is selected, a 'trusted asset IP list' (assets other than the listed trusted asset IPs are restricted) or the like must additionally be configured; the embodiment of the present application is not limited thereto. For example, when selecting a restricted asset the following formats are supported: a single IP address (222.222.222.222), a network segment (123.123.123.0/24), an IP range (123.123.123.100-123.123.123.255), a single IPv6 address (2001:3CA1:010F:001A:121B:0000:0000:0010), an IPv6 network segment (2001:3CA1:010F:001A:121B:0000:0000:0010/64), and the like.
In an embodiment of the present application, the restricted non-compliant software configuration includes remote control tool software (such as sunflower, TeamViewer); the embodiment of the present application is not limited thereto.
In the embodiment of the present application, the non-compliant Web applications whose use is restricted are shown in Table 4 (upper), Table 4 (middle) and Table 4 (lower), and the framework libraries whose use is restricted are shown in Table 5.
Table 4 (upper): restricted non-compliant Web applications (provided as an image in the original; content not available)
Table 4 (middle): restricted non-compliant Web applications, continued (provided as an image in the original; content not available)
Table 4 (lower): restricted non-compliant Web applications, continued (provided as an image in the original; content not available)
Table 5: restricted framework libraries (provided as an image in the original; content not available)
After step S105, the following steps are also included:
S106, generating an asset risk detection policy according to the configuration scene, the policy configuration data and the alarm information item.
In the embodiment of the application, asset risk detection policy configuration gives more comprehensive coverage of personalized asset risk scenes and meets an enterprise's need to detect asset risk in specific scenes.
In the embodiment of the application, the policy configuration data input by the user is acquired through the risk policy configuration page, and the configured policies can be managed uniformly on that page, i.e. viewed, modified, enabled, disabled, deleted, and so on, as shown in fig. 4.
In the embodiment of the present application, the alarm configuration interface shown to the user when inputting an alarm information item is shown in fig. 5. By customizing asset risk policies, highly flexible and highly customizable asset detection is achieved, solving the problem that traditional general rules struggle to cover risk detection for some personalized scenes.
In the embodiment of the present application, the policy configuration and alarm for common scenes are shown in Table 6 below.
Table 6: policy configuration and alarm for common scenes (provided as an image in the original; content not available)
S107, acquiring data to be detected.
In the embodiment of the application, all mirrored traffic accessed from the core switch is analyzed to obtain the data to be detected; once traffic matching the user-configured conditions is found, a risk alarm is generated immediately.
After step S107, the following steps are also included:
S108, generating flow matching alarm rules according to the asset risk detection policy.
S109, judging whether the data to be detected simultaneously meets all of the flow matching alarm rules; if not, step S110 is performed; if so, step S111 is performed.
In the embodiment of the application, the alarm rules are matched against the traffic corresponding to the configuration scene, and a risk alarm is generated only when the traffic matches all of the alarm rules. If one port appears in several policies, for example several port open to the outside policies, several alarms are issued when that port is matched and the corresponding restrictions are all met.
In the embodiment of the application, all asset risk detection policies configured by the user are stored in a database, and the bottom layer generates personalized flow matching alarm rules based on the user configuration data.
S110, determining that the data to be detected carries no asset risk, and ending the process.
S111, determining that the data to be detected carries asset risk, and performing step S112.
In the embodiment of the application, by implementing steps S108 to S111, whether the data to be detected carries asset risk can be judged according to the asset risk detection policy.
S112, outputting asset risk alarm information for the data to be detected according to the asset risk detection policy.
In the embodiment of the present application, the asset risk alarm information comprises the target configuration scene corresponding to the asset risk of the data to be detected, a risk alarm name, a risk severity level, the target policy configuration data corresponding to the target configuration scene, and the like; the embodiment of the present application is not limited in this respect.
For example, the risk alarm name may be: SSH default port open to the outside, MSSQL database service open to the outside, Redis database service open to the outside, TeamViewer remote control software used by the intranet, shiro component used by the intranet, or the like.
In the embodiment of the application, the generated alarms can be viewed in a unified manner. Referring to fig. 6, fig. 6 is a schematic view illustrating asset risk alarm detection according to an embodiment of the present disclosure.
In the embodiment of the application, the application environment of the method is set up as follows: a TDP control device is connected to the core switch. First, the policies shown in Table 7 below are configured on the risk configuration page, and the TDP control device is confirmed to be in the enabled state. Then, bottom-level logical analysis is performed: based on the configured content, the bottom layer converts it into Sensor detection rules of the TDP control device, which detect risk traffic meeting the configured conditions and generate alarm logs. Finally, an alarm interface containing the asset risk alarm information is output for display. Specifically, the detected alarm logs are displayed centrally, recording the time the alarm was generated, the user-configured risk alarm name, the corresponding severity level, the related asset information detected, and so on.
Table 7

Risk policy scene              | Risk alarm name                                      | Severity level | Configured content
Port open to the outside       | SSH default port open to the outside                 | High           | Restricted port: 22; restricted assets: all assets
Service open to the outside    | MSSQL database service is open to the outside        | High           | Restricted service: MSSQL; restricted assets: all assets
Service open to the outside    | Redis database services open to the outside          | High           | Restricted service: Redis; restricted assets: all assets
Using non-compliant software   | TeamViewer remote control software used by intranet  | High           | Restricted desktop software: remote control tool software (e.g., sunflower, TeamViewer); restricted assets: all assets
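As an added example (not code from the patent or from ThreatBook's TDP product), the following Python models steps S105 to S112 for three of the scenes: it parses the restricted-port and restricted-asset formats given above for the policy configuration data (including the trusted-IP exclusion), generates the flow matching alarm rules of step S108 for each policy, and raises an alarm only when a flow meets all of them. The Policy and Flow shapes, the rule predicates, the 'Well-known port' policy and the sample flows are constructed assumptions; the other four policies are those of Table 7.

```python
import ipaddress
from dataclasses import dataclass

def parse_asset_selector(spec):
    """Parse a restricted-asset entry: 'all assets', single IP, CIDR segment or IPv4 'start-end' range."""
    spec = spec.strip()
    if spec.lower() == "all assets":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    if "/" in spec:  # strict=False accepts host bits in the prefix, as in the page's IPv6 '/64' example
        return [ipaddress.ip_network(spec, strict=False)]
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec)]

def parse_port_selector(spec):
    """Parse a restricted-port entry: a single port ('22') or an interval ('1-1000')."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), (int(hi) if hi else int(lo)) + 1)

def asset_matches(ip, selectors, trusted):
    """An asset is in scope when it lies inside some selector and outside the trusted exclusion list."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in n for n in trusted) and any(addr in n for n in selectors)

@dataclass
class Policy:
    scene: str       # configuration scene
    alarm_name: str  # risk alarm identifier
    severity: str    # risk severity level
    config: dict     # policy configuration data for that scene

@dataclass
class Flow:
    """One analysed record from mirrored core-switch traffic (constructed shape, not the TDP format)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    service: str = ""           # service identified from message content, e.g. 'MSSQL'
    software: str = ""          # application identified from message content, e.g. 'TeamViewer'
    external_src: bool = False  # True when the source lies outside the enterprise network

def build_rules(policy):
    """Step S108: policy -> (flow matching alarm rules, asset_of). Every rule must hold for an alarm."""
    cfg = policy.config
    assets = [n for s in cfg.get("assets", ["all assets"]) for n in parse_asset_selector(s)]
    trusted = [n for s in cfg.get("trusted_ips", []) for n in parse_asset_selector(s)]
    if policy.scene == "port open to outside":
        ports = parse_port_selector(cfg["port"])
        asset_of = lambda f: f.dst_ip
        rules = [lambda f: f.external_src, lambda f: f.dst_port in ports]
    elif policy.scene == "service open to outside":
        asset_of = lambda f: f.dst_ip
        rules = [lambda f: f.external_src, lambda f: f.service == cfg["service"]]
    elif policy.scene == "non-compliant software":
        asset_of = lambda f: f.src_ip  # the asset of interest is the intranet host using the software
        rules = [lambda f: not f.external_src, lambda f: f.software in cfg["software"]]
    else:
        raise ValueError(f"scene not modelled in this example: {policy.scene}")
    rules.append(lambda f: asset_matches(asset_of(f), assets, trusted))
    return rules, asset_of

def detect(flow, policies):
    """Steps S109-S112: alarm only when the flow satisfies all rules of a policy; several policies, several alarms."""
    alarms = []
    for policy in policies:
        rules, asset_of = build_rules(policy)
        if all(rule(flow) for rule in rules):
            alarms.append({"scene": policy.scene, "alarm_name": policy.alarm_name,
                           "severity": policy.severity, "policy_config": policy.config,
                           "asset": asset_of(flow)})
    return alarms

# The four policies of Table 7, as configured in the page's example environment.
TABLE_SEVEN_POLICIES = [
    Policy("port open to outside", "SSH default port open to the outside", "high",
           {"port": "22", "assets": ["all assets"]}),
    Policy("service open to outside", "MSSQL database service is open to the outside", "high",
           {"service": "MSSQL", "assets": ["all assets"]}),
    Policy("service open to outside", "Redis database services open to the outside", "high",
           {"service": "Redis", "assets": ["all assets"]}),
    Policy("non-compliant software", "TeamViewer remote control software used by intranet", "high",
           {"software": ["sunflower", "TeamViewer"], "assets": ["all assets"]}),
]
# Constructed extra policy (not on the page): port interval, CIDR asset selector, trusted-IP exclusion range.
EXTRA_POLICY = Policy("port open to outside", "Well-known port open to the outside", "medium",
                      {"port": "1-1024", "assets": ["10.0.0.0/8"],
                       "trusted_ips": ["10.0.0.100-10.0.0.110"]})
# Constructed sample flows (documentation address ranges).
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.0.0.5", 22, service="SSH", external_src=True),    # two alarms expected
    Flow("10.0.0.20", "198.51.100.9", 5938, software="TeamViewer"),           # non-compliant software
    Flow("203.0.113.7", "10.0.0.105", 22, service="SSH", external_src=True),  # trusted host: extra policy silent
    Flow("10.0.0.20", "10.0.0.30", 6379, service="Redis"),                    # internal only: no alarm
]

def run_sample():
    policies = TABLE_SEVEN_POLICIES + [EXTRA_POLICY]
    return [[a["alarm_name"] for a in detect(f, policies)] for f in SAMPLE_FLOWS]
```

The first sample flow shows the page's point that one port matched by several policies yields several alarms, and the third shows a trusted-IP exclusion silencing only the policy that carries it.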
In the embodiment of the application, the enterprise egress traffic, usually the mirrored traffic of the core switch, is accessed and its content identified and analyzed. By judging the flow direction and matching the content characteristics of the traffic messages, the access behaviour of each client currently on the network, the service types it provides, and the Web development frameworks and applications it uses are determined, and it is judged whether the flow direction and message characteristics meet the flow matching alarm rules of the user-configured policy. If they do, the corresponding risk alarm is generated. Only alarms that genuinely match the business scene are worth the user's attention, so alarms are accurate, IT assets violating the policy are rectified, and the efficiency of IT asset risk management is improved.
In the embodiment of the application, configuration scenes are set so that the corresponding asset risk policies can be configured; this achieves coverage of different personalized asset risk scenes and detection of the corresponding risks, avoids the alarm fatigue caused by large numbers of non-targeted risk alarms in the traditional general-rule matching mode, and improves the flexibility of asset risk detection. Meanwhile, since the enterprise's security policy may be further fine-tuned based on the detection results, policy management and continuous optimization can realize a complete, adaptive closed loop of security defense (detection, response, prevention, protection), and the security protection capability can be continuously improved.
Therefore, the asset risk detection method described in this embodiment can perform personalized asset risk detection for different scenes, with good applicability and high detection efficiency, so that missed detection is effectively avoided and network asset security is maintained.
Example 2
Referring to fig. 2, fig. 2 is a schematic structural diagram of an asset risk detection device according to an embodiment of the present application. As shown in fig. 2, the asset risk detection apparatus includes:
a determining unit 210, configured to determine a configuration scenario and an alarm information item according to configuration data input by a user;
a configuration unit 220, configured to configure policy configuration data corresponding to a configuration scenario;
a policy generating unit 230, configured to generate an asset risk detection policy according to the configuration scenario, the policy configuration data, and the alarm information item;
an obtaining unit 240, configured to obtain data to be detected;
the asset risk detection unit 250 is used for judging whether the data to be detected has asset risk according to an asset risk detection strategy;
and the alarm unit 260 is configured to output asset risk alarm information for the data to be detected according to the asset risk detection policy when the data to be detected has asset risk.
As an optional implementation manner, the configuration scenario includes one or more of a port open to the outside scenario, a service open to the outside scenario, a host access extranet scenario, an internal asset mutual access scenario, a non-compliant software use scenario, a non-compliant web component use scenario, an abnormal time login scenario, an abnormal place login scenario, and a high-frequency login failure scenario, which is not limited in this embodiment of the present application.
As an optional implementation, when the configuration scenario includes the port open to the outside scenario, the policy configuration data includes policy content configuring the access-restricted ports and assets;
when the configuration scenario includes the service open to the outside scenario, the policy configuration data includes policy content configuring the access-restricted services and assets;
when the configuration scenario includes the host open to the outside scenario, the policy configuration data includes policy content configuring the access-restricted hosts;
when the configuration scenario includes the host access extranet scenario, the policy configuration data includes policy content configuring the access-restricted hosts;
when the configuration scenario includes the internal asset mutual access scenario, the policy configuration data includes policy content configuring the access-restricted source assets, destination ports and destination services;
when the configuration scenario includes the non-compliant software use scenario, the policy configuration data includes policy content configuring the non-compliant software restricted from use and the assets concerned;
when the configuration scenario includes the non-compliant web component use scenario, the policy configuration data includes policy content configuring the non-compliant web applications and framework libraries restricted from use and the assets concerned;
when the configuration scenario includes the abnormal time login scenario, the policy configuration data includes policy content configuring the restricted login times and assets;
when the configuration scenario includes the abnormal place login scenario, the policy configuration data includes policy content restricting login places and assets;
when the configuration scenario includes the high-frequency login failure scenario, the policy configuration data includes policy content restricting login frequency and assets.
As an optional implementation manner, the alarm information item at least comprises a risk alarm identifier and a risk severity level; the risk alarm identification comprises one or more of an external open identification of a default port, an external open identification of database service, an identification of remote control software used by an intranet and an identification of a suspicious component used by the intranet; wherein the risk severity level includes one or more of a severity level, a high risk level, a medium risk level, a risk level, and a low risk level.
As an alternative embodiment, the determining unit 210 includes:
a first sub-unit 211, configured to determine a configuration scenario according to configuration data input by a user and a policy identifier based on the configuration scenario;
a second subunit 212, configured to match a corresponding policy configuration item according to the configuration scenario;
a third subunit 213, configured to receive configuration item data for the policy configuration item input by the user, and generate policy configuration data according to the configuration item data and the policy identifier;
and a fourth sub-unit 214, configured to receive an alarm information item input by a user according to the configuration scenario and the policy configuration data.
As an alternative embodiment, the asset risk detection unit 250 includes:
a fifth subunit 251, configured to generate a flow matching alarm rule according to the asset risk detection policy;
a sixth subunit 252, configured to determine whether the data to be detected simultaneously satisfies all traffic matching alarm rules;
a seventh sub-unit 253, configured to determine that the data to be detected has asset risk when all traffic matching alarm rules are simultaneously satisfied, and to determine that the data to be detected has no asset risk when they are not all simultaneously satisfied.
In the embodiment of the present application, the asset risk warning information includes a target configuration scenario corresponding to the asset risk of the to-be-detected data, a risk warning name, a risk severity level, target policy configuration data corresponding to the target configuration scenario, and the like, which is not limited in the embodiment of the present application.
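The following Python is an added illustration, not code from the patent: it turns the two example policies from the table above into traffic-matching alarm rules, judges the direction of constructed flow records, and raises an alarm (scene, alarm name, severity, policy data) only when every rule of a policy holds at once, as the fifth to seventh subunits describe. The internal address range, the flow record fields and the flow records themselves are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical enterprise address space (an assumption; the page names none).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

@dataclass
class Flow:
    """One flow record as a traffic-content analyser might emit it (hypothetical fields)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    service: str = ""   # service identified from message content features
    software: str = ""  # application identified from message content features

def flow_direction(flow: Flow) -> str:
    """Judge the flow direction relative to the enterprise network."""
    src_in, dst_in = is_internal(flow.src_ip), is_internal(flow.dst_ip)
    if dst_in and not src_in:
        return "inbound"
    if src_in and not dst_in:
        return "outbound"
    return "internal" if src_in else "external"

@dataclass
class Policy:
    scene: str                 # target configuration scene
    alarm_name: str            # risk alarm name
    severity: str              # risk severity level
    config: Dict[str, object]  # policy configuration data

def covers(assets, ip: str) -> bool:
    # "all assets" in the page's table means every asset; otherwise an explicit set
    return assets == "all" or ip in assets

def build_rules(policy: Policy) -> list:
    """Fifth subunit: derive the traffic-matching alarm rules from a policy."""
    cfg = policy.config
    if policy.scene == "service open to outside":
        return [lambda f: flow_direction(f) == "inbound",
                lambda f: f.service in cfg["limited_services"],
                lambda f: covers(cfg["limited_assets"], f.dst_ip)]
    if policy.scene == "using non-compliant software":
        return [lambda f: flow_direction(f) == "outbound",
                lambda f: f.software in cfg["limited_software"],
                lambda f: covers(cfg["limited_assets"], f.src_ip)]
    raise ValueError(f"no rule generator for scene: {policy.scene}")

def detect(flow: Flow, policies: List[Policy]) -> List[dict]:
    """Sixth/seventh subunits and alarm unit: asset risk exists under a policy only
    when every rule holds at once; the alarm carries scene, name, severity, policy data."""
    alarms = []
    for policy in policies:
        if all(rule(flow) for rule in build_rules(policy)):
            alarms.append({"scene": policy.scene,
                           "alarm_name": policy.alarm_name,
                           "severity": policy.severity,
                           "policy_config": policy.config,
                           "flow": f"{flow.src_ip}->{flow.dst_ip}:{flow.dst_port}"})
    return alarms

# The two policies from the page's table, in this example's representation.
POLICIES = [
    Policy("service open to outside", "Redis database service open to the outside",
           "High", {"limited_services": {"redis"}, "limited_assets": "all"}),
    Policy("using non-compliant software",
           "TeamViewer remote control software used by intranet", "High",
           {"limited_software": {"sunflower", "teamviewer"}, "limited_assets": "all"}),
]

# Constructed flow records (not captured traffic).
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.0.0.5", 6379, service="redis"),          # external -> internal Redis
    Flow("10.0.0.12", "198.51.100.9", 5938, software="teamviewer"),  # internal host using TeamViewer
    Flow("10.0.0.12", "10.0.0.5", 6379, service="redis"),            # internal-only Redis: no alarm
    Flow("203.0.113.7", "10.0.0.5", 443, service="https"),           # inbound, but not a limited service
]

def run_all() -> List[dict]:
    """Run every constructed flow through every policy; returns all alarms raised."""
    return [alarm for flow in SAMPLE_FLOWS for alarm in detect(flow, POLICIES)]
```

Only the first two constructed flows raise alarms; the internal-only Redis flow fails the direction rule and the inbound HTTPS flow fails the service rule, which is the all-rules-at-once behaviour of the seventh subunit.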
In the embodiment of the present application, for explanation of the asset risk detection device, reference may be made to the description in embodiment 1, and details are not repeated in this embodiment.
Therefore, the asset risk detection device described in the embodiment can perform personalized asset risk detection for different scenes, and is good in applicability and high in detection efficiency, so that the condition of missed detection is effectively avoided, and the network asset safety is maintained.
An embodiment of the present application provides an electronic device, which includes a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to make the electronic device execute the asset risk detection method in embodiment 1 of the present application.
An embodiment of the present application provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are read and executed by a processor, the asset risk detection method in embodiment 1 of the present application is executed.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. An asset risk detection method, comprising:
determining a configuration scene and an alarm information item according to configuration data input by a user;
configuring policy configuration data corresponding to the configuration scene;
generating an asset risk detection strategy according to the configuration scene, the strategy configuration data and the alarm information item;
acquiring data to be detected, and judging whether the data to be detected has asset risks according to the asset risk detection strategy;
and if so, outputting asset risk alarm information aiming at the data to be detected according to the asset risk detection strategy.
2. The asset risk detection method of claim 1, wherein the configuration scenario comprises one or more of a port-to-outside open scenario, a service-to-outside open scenario, a host access extranet scenario, an internal asset cross-visit scenario, a software scenario using non-compliance, a web component scenario using non-compliance, an abnormal time login scenario, an abnormal place login scenario, and a high frequency login failure scenario.
3. The asset risk detection method according to claim 2, wherein when the configuration scenario includes a scenario in which the port is open to the outside, the policy configuration data includes policy contents configuring a restricted access port and an asset;
when the configuration scene comprises a scene that the service is open to the outside, the policy configuration data comprises policy content for configuring access limiting service and assets;
when the configuration scene comprises a scene that the host is open to the outside, the policy configuration data comprises policy content for configuring the access-restricted host;
when the configuration scene comprises the host access extranet scene, the policy configuration data comprises the content of configuring the policy for the access-limited host;
when the configuration scene comprises the internal asset mutual access scene, the strategy configuration data comprises strategy contents for configuring access limiting source assets, destination ports and destination services;
when the configuration scenario includes the software scenario that uses non-compliance, the policy configuration data includes policy content that configures non-compliance software and assets of interest that restrict use;
when the configuration scenario includes the web page component scenario that uses non-compliance, the policy configuration data includes policy content that configures non-compliance web page applications, a framework library, and assets of interest that are restricted from use;
when the configuration scene comprises the abnormal time login scene, the policy configuration data comprises policy content for configuring limited login time and assets;
when the configuration scene comprises the abnormal place login scene, the strategy configuration data comprises strategy contents for limiting login places and assets;
when the configuration scenario includes the high frequency login failure scenario, the policy configuration data includes policy content for limiting login frequency and assets.
4. The asset risk detection method of claim 1, wherein the alarm information items comprise at least a risk alarm identification and a risk severity level;
the risk alarm identification comprises one or more of an external open identification of a default port, an external open identification of a database service, an identification of an intranet using remote control software and an identification of an intranet using a suspicious component;
wherein the risk severity level comprises one or more of a severity level, a high risk level, a medium risk level, a risk level, and a low risk level.
5. The asset risk detection method of claim 1, wherein determining configuration scenarios and alarm information items from configuration data input by a user comprises:
determining a configuration scene according to configuration data input by a user and a strategy identifier based on the configuration scene;
matching corresponding strategy configuration items according to the configuration scene;
receiving configuration item data aiming at the strategy configuration item input by a user, and generating strategy configuration data according to the configuration item data and the strategy identification;
and receiving an alarm information item input by a user according to the configuration scene and the strategy configuration data.
6. The asset risk detection method according to claim 1, wherein the determining whether the data to be detected has asset risk according to the asset risk detection policy includes:
generating a flow matching alarm rule according to the asset risk detection strategy;
judging whether the data to be detected simultaneously meets all the flow matching alarm rules;
if so, determining that the data to be detected has asset risk;
and if not, determining that the data to be detected has no asset risk.
7. The asset risk detection method according to claim 6, wherein the asset risk warning information includes a target configuration scenario corresponding to the asset risk of the data to be detected, a risk warning name, a risk severity level, and target policy configuration data corresponding to the target configuration scenario.
8. An asset risk detection device, characterized in that it comprises:
the determining unit is used for determining a configuration scene and an alarm information item according to configuration data input by a user;
the configuration unit is used for configuring policy configuration data corresponding to the configuration scene;
the strategy generating unit is used for generating an asset risk detection strategy according to the configuration scene, the strategy configuration data and the alarm information item;
the acquisition unit is used for acquiring data to be detected;
the asset risk detection unit is used for judging whether the data to be detected has asset risk according to the asset risk detection strategy;
and the alarm unit is used for outputting asset risk alarm information aiming at the data to be detected according to the asset risk detection strategy when the data to be detected has asset risk.
9. An electronic device, characterized in that the electronic device comprises a memory for storing a computer program and a processor for executing the computer program to cause the electronic device to perform the asset risk detection method of any of claims 1 to 7.
10. A readable storage medium having stored thereon computer program instructions which, when read and executed by a processor, perform the asset risk detection method of any of claims 1 to 7.
CN202111566610.4A 2021-12-21 2021-12-21 Asset risk detection method and device Pending CN113965417A (en)
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220121