CN114189360A - Situation-aware network vulnerability defense method, device and system - Google Patents

Info

Publication number
CN114189360A
Authority
CN
China
Prior art keywords
network
vulnerability
attack
network nodes
defense
Legal status
Granted
Application number
CN202111374774.7A
Other languages
Chinese (zh)
Other versions
CN114189360B (en)
Inventor
杨腾霄
崔政强
严涛
Current Assignee
Shanghai Niudun Technology Co ltd
Original Assignee
Shanghai Niudun Technology Co ltd
Application filed by Shanghai Niudun Technology Co ltd
Priority to CN202111374774.7A
Publication of CN114189360A
Application granted
Publication of CN114189360B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention provides a situation-aware network vulnerability defense method, device and system in the technical field of network security. The method comprises the following steps: performing a vulnerability scan on a network node and its associated network nodes, acquiring the attack characteristic information of the network vulnerabilities, and determining the network vulnerability types of the network node and the associated network nodes from the attack characteristics; predicting the influence range of those network vulnerability types on the network node and the associated network nodes; and acquiring the time-axis attack sequence executed by the attacker on the network node and, based on that sequence and its time-axis information, calling from the network vulnerability database of a preset situation awareness system a defense scheme matching the network vulnerability type and influence range of the attack operation at the current time, for defense. In this way the attack characteristics of the network vulnerability are obtained, the time-axis attack sequence is determined from those characteristics, and the attack operation at the current time is defended against accordingly.

Description

Situation-aware network vulnerability defense method, device and system
Technical Field
The invention relates to the technical field of network security, in particular to a situation-aware network vulnerability defense method.
Background
In the prior art, a situation awareness system integrates several data information systems, such as antivirus software, firewalls, network management systems, intrusion detection systems and security audit systems, to evaluate the current state of the network environment and predict its future trend.
To guarantee the defense capability against network vulnerabilities in a network environment, network security, and the ability to perceive potential network threats, a situation awareness system is chosen to realize multi-system linked defense, which can effectively improve the capability of defending against network vulnerabilities.
In actual defense against network vulnerabilities, the main operations are finding network vulnerabilities in order to repair them and monitoring the operations by which an attacker exploits a network vulnerability to attack a network node. The most important one is to monitor the attack characteristics of the attacker's access to the network node, to grasp the attacker's attack path and attack mode from those characteristics, and to provide an accurate defense. However, in the prior art it is difficult to obtain the attacker's attack order from historical and real-time data, and therefore difficult to provide a defense scheme matched to that order.
Therefore, a situation-aware network vulnerability defense method, device and system are provided to solve the technical problem that currently needs solving: acquiring the attack characteristics of a network vulnerability through situation awareness, determining the time-axis attack sequence from those characteristics, and defending against the attack operation at the current time accordingly, so as to realize network security defense.
Disclosure of Invention
The invention aims to provide a method, device and system that can perform a vulnerability scan on a network node and its associated network nodes, acquire the attack characteristic information of the network vulnerability, and determine the network vulnerability types of the network node and the associated network nodes from the attack characteristics; predict, based on a situation awareness system, the influence range of the network vulnerability type on the network node and the associated network nodes; and acquire the time-axis attack sequence executed by the attacker on the network node and, based on that sequence and its time-axis information, call from the network vulnerability database of a preset situation awareness system a defense scheme matching the network vulnerability type and influence range of the attack operation at the current time, for defense.
In order to solve the prior technical problem, the invention provides the following technical scheme:
a situation-aware network vulnerability defense method, characterized by comprising the steps of:
performing a vulnerability scan on a network node and its associated network nodes, acquiring the attack characteristic information of the network vulnerabilities, and determining the network vulnerability types of the network node and the associated network nodes from the attack characteristics;
predicting, based on a situation awareness system, the influence range of the network vulnerability type on the network node and the associated network nodes;
and acquiring the time-axis attack sequence executed by the attacker on the network node and, based on that sequence and its time-axis information, calling from the network vulnerability database of a preset situation awareness system a defense scheme matching the network vulnerability type and influence range of the attack operation at the current time, for defense.
Further, the fields recorded in the vulnerability scanning operation comprise discovery time, vulnerability name, hazard level, asset IP, scanning task name, data source, state, handling priority and operation.
Further, the types of network vulnerabilities include buffer overflow, cross-site scripting, DoS attack, scanning, SQL injection, trojan backdoor, virus and worm, Web attack, botnet, cross-site request forgery, file inclusion, file reading, directory traversal attack, sensitive information leakage, brute force cracking, code execution vulnerability, command execution, weak password, file upload exploitation, Webshell exploitation, misconfiguration/error, logic/involvement error, unauthorized access/permission bypass, URL redirection, protocol exception, phishing, malicious advertisement, network spoofing, spyware, browser hijacking, keyboard logging, pirate horse, port scanning, black market tools, email, computer virus, network worm, file download, permission and access control, and Webshell upload.
Further, after the defense operation is carried out, the network node corresponding to the network vulnerability is continuously monitored, and a time period and a monitoring level are set for that continuous monitoring, both matched to the damage level of the network vulnerability; when the network node and the communication connection between it and the associated network nodes satisfy the network security elements, the continuous monitoring setting is released; otherwise, the network node is scanned for vulnerabilities again to obtain the cause of the failure.
Further, the predicted influence range includes network nodes corresponding to the network vulnerabilities and communication connections between the network nodes and associated network nodes.
Further, fault processing is carried out on the alarm information raised by the corresponding network vulnerability, wherein the fault processing comprises defending against that network vulnerability according to a preset vulnerability defense scheme.
Further, the attack characteristic information also includes prompt characteristic information corresponding to the attack characteristic.
The method further comprises the steps of carrying out vulnerability scanning operation on the network nodes and the associated network nodes, obtaining attack characteristic information of the network vulnerability and prompt characteristic information corresponding to the attack characteristic, and determining the network vulnerability types of the network nodes and the associated network nodes according to the attack characteristic and the prompt characteristic;
predicting the influence range of the network vulnerability type on the network nodes and the associated network nodes based on a situation awareness system;
and acquiring an attack sequence which is executed by an attacker on the network node and is based on a time axis, and calling a defense scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time axis information for defense based on the attack sequence.
A situation-aware network vulnerability defense apparatus, comprising:
the vulnerability scanning unit is used for carrying out vulnerability scanning operation on the network nodes and the associated network nodes, acquiring attack characteristic information of the network vulnerabilities, and determining the network vulnerability types of the network nodes and the associated network nodes according to the attack characteristics;
the vulnerability influence determining unit is used for predicting the influence range of the network vulnerability type on the network nodes and the associated network nodes based on a situation awareness system;
and the vulnerability defense unit is used for acquiring an attack sequence which is executed on the network node by an attacker and is based on a time axis, and calling a defense scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time axis information for defense based on the attack sequence.
A situational aware network vulnerability defense system, comprising:
a network node for transceiving data;
the situation awareness system is used for periodically detecting network nodes carrying network vulnerabilities and performing security analysis on the log information of the network nodes;
the system server is connected with the network node and the situation awareness system;
the system server is configured to: carrying out vulnerability scanning operation on network nodes and associated network nodes, acquiring attack characteristic information of network vulnerabilities, and determining the network vulnerability types of the network nodes and the associated network nodes according to the attack characteristics; predicting the influence range of the network vulnerability type on the network nodes and the associated network nodes based on a situation awareness system; and acquiring an attack sequence which is executed by an attacker on the network node and is based on a time axis, and calling a defense scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time axis information for defense based on the attack sequence.
Compared with the prior art, the invention has the following advantages and positive effects: a vulnerability scan is performed on a network node and its associated network nodes, the attack characteristic information of the network vulnerabilities is acquired, and the network vulnerability types of the network node and the associated network nodes are determined from the attack characteristics; the influence range of the network vulnerability type on the network node and the associated network nodes is predicted based on a situation awareness system; and the time-axis attack sequence executed by the attacker on the network node is acquired and, based on that sequence and its time-axis information, a defense scheme matching the network vulnerability type and influence range of the attack operation at the current time is called from the network vulnerability database of a preset situation awareness system, for defense.
Drawings
Fig. 1 is a flowchart provided in an embodiment of the present invention.
Fig. 2 is another flow chart provided by the embodiment of the present invention.
Fig. 3 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a system according to an embodiment of the present invention.
Description of reference numerals:
the device 200 comprises a vulnerability scanning unit 201, a vulnerability influence determining unit 202 and a vulnerability defense unit 203;
system 300, network node 301, situational awareness system 302, system server 303.
Detailed Description
The situation-aware network vulnerability defense method, device and system disclosed in the present invention are further described in detail with reference to the accompanying drawings and specific embodiments. It should be noted that technical features or combinations of technical features described in the following embodiments should not be considered as being isolated, and they may be combined with each other to achieve better technical effects. In the drawings of the embodiments described below, the same reference numerals appearing in the respective drawings denote the same features or components, and may be applied to different embodiments. Thus, once an item is defined in one drawing, it need not be further discussed in subsequent drawings.
It should be noted that the structures, proportions, sizes, and other dimensions shown in the drawings and described in the specification are only for the purpose of understanding and reading the present disclosure, and are not intended to limit the scope of the invention, which is defined by the claims, and any modifications of the structures, changes in the proportions and adjustments of the sizes and other dimensions, should be construed as falling within the scope of the invention unless the function and objectives of the invention are affected. The scope of the preferred embodiments of the present invention includes additional implementations in which functions may be executed out of order from that described or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the embodiments of the present invention.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate. In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
Examples
Referring to fig. 1, a flow chart provided by the present invention is shown. The implementation step S100 of the method is as follows:
s101, carrying out vulnerability scanning operation on the network nodes and the associated network nodes, obtaining attack characteristic information of the network vulnerabilities, and determining the network vulnerability types of the network nodes and the associated network nodes according to the attack characteristics.
The network node refers to a terminal having an independent network address and data processing function in a network environment, and the data processing function includes, but is not limited to, a function of transmitting data, receiving data, and/or analyzing data.
The network nodes may be workstations, clients, network users or personal computers, servers, printers and other network-connected devices. The whole network environment comprises a plurality of network nodes, and the network nodes are connected through communication lines to form a network topology structure. The communication line may be a wired communication system or a wireless communication system.
The associated network node refers to a network node having an association relationship with the aforementioned network node. The association includes, but is not limited to, a causal relationship, a progressive relationship, and the like.
Vulnerability scanning is a security detection activity that, based on a vulnerability database, detects the security vulnerabilities of a designated remote or local computer system by means such as automated tool scanning, in order to find exploitable vulnerabilities.
The vulnerability scanning can scan network nodes in a network environment and data transmission protocols among the network nodes based on vulnerability scanning rules preset in a vulnerability database to determine the network vulnerabilities.
By way of example and not limitation, the vulnerability scanning preferably obtains network vulnerabilities by scanning the access operations of network nodes: a network vulnerability is considered to exist when an access operation of a network node conflicts with the security policy of the system.
The attack characteristics include, but are not limited to, network packet sniffing, IP address spoofing, cryptographic attacks, denial of service attacks, distributed denial of service attacks, and the like.
Network packet sniffing is a technique that uses a sniffer on a computer's network interface to intercept and capture the data packets of a target computer.
An IP address spoofing attack attacks the target by impersonating the IP address of a trusted host.
A cryptographic attack may be carried out in a number of different ways, including but not limited to brute force attacks, trojan horse programs, and the like.
A Denial of Service (DoS) attack disrupts the normal operation of the network by denying access to a service: the network connection is saturated, or the server, exhausted by processing the packets the attacker sends, runs out of system resources and the affected services of the server system crash.
A Distributed Denial of Service (DDoS) attack is a special form of DoS: a large-scale, coordinated denial of service attack launched from many distributed sources, in which several or even dozens of denial attacks on different services are carried out simultaneously, so that the network connection is saturated, or the server, exhausted by processing the packets the attacker sends, runs out of system resources and the affected services of the server system crash.
It should be noted that when an attack characteristic is detected on a certain network node, it can preferably be regarded that a network attack exists, or that an attacker is attempting to launch a network attack on that node by exploiting a network vulnerability.
The types of network vulnerabilities include, but are not limited to, buffer overflow, cross-site scripting, DoS attack, scanning, SQL injection, trojan backdoor, virus and worm, Web attack, botnet, cross-site request forgery, file inclusion, file reading, directory traversal attack, sensitive information leakage, brute force cracking, code execution vulnerability, command execution, weak password, file upload exploitation, Webshell exploitation, misconfiguration/error, logic/involvement error, unauthorized access/permission bypass, URL redirection, protocol exception, phishing, malicious advertisement, network spoofing, spyware, browser hijacking, keyboard logging, pirate horse, port scanning, black market tools, email, computer virus, network worm, file download, permission and access control, Webshell upload, and the like.
After the attack characteristics and the network vulnerability types are determined, a defense scheme corresponding to the attack characteristics and the network vulnerability types can be called from a preset network vulnerability database of the situation awareness system according to the attack characteristics and the network vulnerability types.
And S102, predicting the influence range of the network vulnerability type on the network nodes and the associated network nodes based on a situation awareness system.
The situation awareness system integrates a plurality of data information systems such as anti-virus software, a firewall, a network management system, an intrusion monitoring system, a security audit system and the like to complete the evaluation of the current network environment condition and the prediction of the future change trend of the network environment.
The influence range can be obtained based on the situation awareness ability of the aforementioned situation awareness system. The influence range relates to the network node with the network vulnerability information and the associated network node of the network node.
S103, acquiring an attack sequence based on a time axis, which is executed by an attacker on the network node, and calling a defense scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a preset network vulnerability database of the situational awareness system according to time axis information for defense based on the attack sequence.
The time-axis attack sequence is preferably the order of the times of occurrence at which the attack characteristics were observed during access to the network nodes.
For example, if five attack characteristics are obtained through the vulnerability scanning operation, the attack sequence may be attack characteristic 1, attack characteristic 2, attack characteristic 3, attack characteristic 4 and then attack characteristic 5.
As a preferred implementation of this embodiment, the vulnerability scanning operation yields the network vulnerability information: the order in which the five attack characteristics present in the network environment accessed the network node, the two network vulnerability types to which those five attack characteristics correspond on the network node and its associated network nodes, and the predicted influence range of the network vulnerabilities on the network node and associated network nodes, which covers one network node and two associated network nodes.
The five attack characteristics are attack characteristic 1 to attack characteristic 5; the network vulnerability types of the network node and associated network nodes corresponding to these attack characteristics are network vulnerability type 1 and network vulnerability type 2; and the influence range comprises network node 1, associated network node 1 and associated network node 2.
Thus the time-axis attack sequence (attack characteristics 1, 2, 3, 4, then 5), the network vulnerability types of the network node and associated network nodes corresponding to the attack characteristics (network vulnerability type 1 and network vulnerability type 2), and the predicted influence range of the network vulnerabilities on the network node and associated network nodes (network node 1, associated network node 1 and associated network node 2) are obtained.
And then, based on the attack sequence, calling a defense scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a preset network vulnerability database of the situation awareness system according to the time axis information for defense.
For example, the result of matching the network vulnerability type and the influence range information corresponding to the attack operation at the current time may be that the network vulnerability type 1 and the network node 1 match the attack characteristics 1, the network vulnerability type 2 and the associated network node 1 match the attack characteristics 2, the network vulnerability type 2 and the associated network node 1 match the attack characteristics 3, the network vulnerability type 2 and the associated network node 2 match the attack characteristics 4, and the network vulnerability type 2 and the associated network node 2 match the attack characteristics 5.
The attack operation at the current time may correspond to any one of the attack features 1, 2, 3, 4, and 5.
And after the matching result is obtained, calling a defense sequence corresponding to the attack characteristics from a preset defense scheme of a network vulnerability database of the situation awareness system so as to perform defense.
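The three steps S101 to S103 above, carried through end to end as an added example. This is not code from the patent or from the applicant: the scan records, the association links between node1 and its two associated nodes, the pairing of attack characteristics with vulnerability types, and the contents of the defense database are all constructed for the example. The attack sequence is the scan findings ordered by discovery time, the influence range is a breadth-first walk over the association links from the attacked node, and the defense scheme is looked up by (vulnerability type, affected node) for the attack operation that is current at the given time:

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime

# All inputs below are constructed for this example; none come from the patent.
NODE_BY_IP = {"10.0.0.1": "node1", "10.0.0.2": "assoc1", "10.0.0.3": "assoc2"}

# Directed association links (causal/progressive relationship): an attack on the
# key node can progress to the listed nodes. Assumed topology.
ASSOCIATIONS = {"node1": ["assoc1", "assoc2"], "assoc1": ["assoc2"], "assoc2": []}

# Attack characteristic -> network vulnerability type. Both vocabularies are the
# patent's; the pairing is an assumption made for this example.
ATTACK_TO_VULN_TYPE = {
    "network packet sniffing": "sensitive information leakage",
    "cryptographic attack": "weak password",
    "IP address spoofing": "network spoofing",
    "denial of service": "DoS attack",
    "distributed denial of service": "DoS attack",
}

# Stand-in for the situation awareness system's network vulnerability database:
# (vulnerability type, affected node) -> defense scheme. Assumed contents.
DEFENSE_DB = {
    ("weak password", "node1"): "force credential reset and enable lockout",
    ("network spoofing", "assoc1"): "apply anti-spoofing ACL on the uplink",
    ("DoS attack", "assoc2"): "rate-limit at the edge and enable SYN cookies",
}
DEFAULT_DEFENSE = "isolate the node and raise its monitoring level"

# Scan output in the field order the text lists for a scan record: discovery
# time; vulnerability name (here, the attack characteristic observed); hazard
# level; asset IP; scan task name; data source; state; handling priority;
# operation. Deliberately not in time order.
SCAN_OUTPUT = """\
2021-11-18T09:02:10;IP address spoofing;high;10.0.0.2;task-7;ids;open;1;block
2021-11-18T09:00:05;network packet sniffing;low;10.0.0.1;task-7;ids;open;3;watch
2021-11-18T09:04:30;distributed denial of service;high;10.0.0.3;task-7;firewall;open;1;block
2021-11-18T09:01:20;cryptographic attack;high;10.0.0.1;task-7;audit;open;1;reset
2021-11-18T09:03:00;denial of service;medium;10.0.0.3;task-7;firewall;open;2;limit
"""


@dataclass(frozen=True)
class Finding:
    discovered_at: datetime
    attack: str
    hazard: str
    node: str
    vuln_type: str


def parse_scan_output(text):
    """S101: turn scan records into findings tagged with a vulnerability type."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";")
        if len(fields) != 9:
            raise ValueError(f"malformed scan record: {line!r}")
        ts, name, hazard, ip = fields[:4]
        findings.append(Finding(datetime.fromisoformat(ts), name, hazard,
                                NODE_BY_IP.get(ip, ip),
                                ATTACK_TO_VULN_TYPE.get(name, "unclassified")))
    return findings


def influence_range(start, associations=ASSOCIATIONS):
    """S102: nodes reachable from the vulnerable node over association links,
    plus the communication links traversed (the predicted influence range)."""
    seen, links, queue = {start}, [], deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in associations.get(cur, []):
            links.append((cur, nxt))
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, links


def attack_sequence(findings):
    """S103: the time-axis attack sequence is the findings ordered by discovery time."""
    return sorted(findings, key=lambda f: f.discovered_at)


def current_attack(sequence, now):
    """The attack operation at the current time: the latest finding not after now."""
    past = [f for f in sequence if f.discovered_at <= now]
    return past[-1] if past else None


def defend_at(now_iso, scan_output=SCAN_OUTPUT, associations=ASSOCIATIONS,
              defense_db=DEFENSE_DB):
    """Run S101-S103 for the attack operation current at time now_iso."""
    sequence = attack_sequence(parse_scan_output(scan_output))
    op = current_attack(sequence, datetime.fromisoformat(now_iso))
    if op is None:
        return None
    nodes, links = influence_range(op.node, associations)
    return {
        "attack_order": [f.attack for f in sequence],
        "current": op.attack, "node": op.node, "vuln_type": op.vuln_type,
        "influence_nodes": sorted(nodes), "influence_links": links,
        "defense": defense_db.get((op.vuln_type, op.node), DEFAULT_DEFENSE),
    }


if __name__ == "__main__":
    print(defend_at("2021-11-18T09:02:30"))
```

Two points worth noting in practice: the scanner emits records in the order it finished them, not in the order the attacker acted, so sorting by discovery time is what produces the time axis; and the influence walk is directed, so a node that merely links into the attacked node (an upstream neighbour) is not pulled into the influence range, while every node downstream of it is.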
The defense may address a hardware device fault in the network node, or a software system fault in the network node, for example: network ports, network boards, network loops, broadcast storms, traffic occupancy, viruses, and the like.
Preferably, the fields recorded in the vulnerability scanning operation include discovery time, vulnerability name, hazard level, asset IP, scanning task name, data source, state, handling priority and operation.
Preferably, the types of network vulnerabilities include buffer overflow, cross-site scripting, DoS attack, scanning, SQL injection, trojan backdoor, virus and worm, Web attack, botnet, cross-site request forgery, file inclusion, file reading, directory traversal attack, sensitive information leakage, brute force cracking, code execution vulnerability, command execution, weak password, file upload exploitation, Webshell exploitation, misconfiguration/error, logic/involvement error, unauthorized access/permission bypass, URL redirection, protocol exception, phishing, malicious advertisement, network spoofing, spyware, browser hijacking, keyboard logging, pirate horse, port scanning, black market tools, email, computer virus, network worm, file download, permission and access control, and Webshell upload.
Preferably, after the defense operation is performed, the network node corresponding to the network vulnerability is continuously monitored, and a time period and a monitoring level are set for that continuous monitoring, both matched to the damage level of the network vulnerability; when the network node and the communication connection between it and the associated network nodes satisfy the network security elements, the continuous monitoring setting is released; otherwise, the network node is scanned for vulnerabilities again to obtain the cause of the failure.
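The post-defense monitoring decision just described, as an added example that is not part of the patent. The mapping from hazard level to monitoring period and level, the checklist that stands in for the "network security elements", and the observations of node1 and its two links are all assumptions made for the example; the decision logic is the three outcomes the text names: keep monitoring while the period runs, release the setting once the period has elapsed and every element is met, otherwise hand the failed elements to a re-scan as the cause of failure.

```python
from datetime import datetime, timedelta

# Hazard level -> (continuous-monitoring period, monitoring level). The text
# requires both to match the vulnerability's damage level; the concrete values
# are assumptions for this example.
MONITORING_PLAN = {
    "low": (timedelta(hours=24), "basic"),
    "medium": (timedelta(days=3), "enhanced"),
    "high": (timedelta(days=7), "full-capture"),
}

# The "network security elements" the node and its links must satisfy before
# monitoring is released. Assumed checklist of predicates over observations.
NODE_CHECKS = {
    "patched": lambda obs: obs["patched"],
    "no_alarms": lambda obs: obs["alarms"] == 0,
}
LINK_CHECKS = {
    "no_unexpected_peers": lambda obs: not obs["unexpected_peers"],
    "no_anomalous_flows": lambda obs: obs["anomalous_flows"] == 0,
}


def start_monitoring(node, hazard, started_iso):
    """Set the monitoring period and level from the vulnerability's hazard level."""
    period, level = MONITORING_PLAN[hazard]
    started = datetime.fromisoformat(started_iso)
    return {"node": node, "hazard": hazard, "level": level,
            "started_at": started, "ends_at": started + period}


def failed_checks(node_obs, link_obs):
    """Names of the security elements not met by the node or its links."""
    failed = [f"{node_obs['node']}:{name}"
              for name, check in NODE_CHECKS.items() if not check(node_obs)]
    for link in link_obs:
        failed += [f"{link['src']}->{link['dst']}:{name}"
                   for name, check in LINK_CHECKS.items() if not check(link)]
    return failed


def evaluate(plan, now_iso, node_obs, link_obs):
    """Decide what happens to the monitoring setting at time now_iso:
    ("continue", level) while the period is running; ("release", []) once it
    has elapsed and every security element is met; ("rescan", failed) once it
    has elapsed and some element is not met, where `failed` is handed to the
    re-scan as the cause of failure to investigate."""
    if datetime.fromisoformat(now_iso) < plan["ends_at"]:
        return ("continue", plan["level"])
    failed = failed_checks(node_obs, link_obs)
    return ("release", []) if not failed else ("rescan", failed)


# Constructed observations of the defended node and its links to the two
# associated nodes (assumed data).
GOOD_NODE = {"node": "node1", "patched": True, "alarms": 0}
BAD_NODE = {"node": "node1", "patched": True, "alarms": 2}
GOOD_LINKS = [
    {"src": "node1", "dst": "assoc1", "unexpected_peers": [], "anomalous_flows": 0},
    {"src": "node1", "dst": "assoc2", "unexpected_peers": [], "anomalous_flows": 0},
]
BAD_LINKS = [
    {"src": "node1", "dst": "assoc1", "unexpected_peers": ["198.51.100.7"], "anomalous_flows": 3},
    {"src": "node1", "dst": "assoc2", "unexpected_peers": [], "anomalous_flows": 0},
]

if __name__ == "__main__":
    plan = start_monitoring("node1", "high", "2021-11-18T09:00:00")
    for now, node, links in [("2021-11-19T09:00:00", GOOD_NODE, GOOD_LINKS),
                             ("2021-11-25T09:00:00", GOOD_NODE, GOOD_LINKS),
                             ("2021-11-25T09:00:00", BAD_NODE, BAD_LINKS)]:
        print(now, evaluate(plan, now, node, links))
```

The check names returned on the "rescan" path are the point of the design: the re-scan does not start from scratch but from the specific node or link element that failed, which is what the text means by obtaining the cause of the failure.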
Preferably, the predicted influence range includes a network node corresponding to the network vulnerability and a communication connection between the network node and an associated network node.
Preferably, fault processing is carried out on the alarm information raised by the corresponding network vulnerability, wherein the fault processing comprises defending against that network vulnerability according to a preset vulnerability defense scheme.
In a preferred implementation of this embodiment, an alarm is an event report used to transmit alarm information. It can be defined by the manufacturer, or by the administrator in combination with the alarms present in the network. When an alarm occurs, the system receives an alarm signal indicating that the alarm has occurred and describes the fault in the form of alarm information, where the fault is the reason the equipment in the network environment raised the alarm. The alarm information includes, but is not limited to, the name of the faulty device, the fault symptom, the location, time and cause of occurrence, and the like.
Optionally, data monitoring is performed on the input/output port of the network node having the network vulnerability information, and when the network environment changes abnormally, the operation executed on the network node is labeled and traced back.
When data monitoring is carried out, the situation awareness system can also monitor the ports and/or IP addresses of an alarmed network node that did not themselves trigger the alarm; these ports and/or IP addresses carry their traffic in a multiplexed manner.
The IP address is the uniform address format provided by the IP protocol that the user follows; it assigns a logical address to each network node in the network environment and to the terminal device from which the user requests access, so that the situation awareness system can track the access path of the user.
When an alarm is triggered, the alarm displays the port information of the network node for which it was triggered, and at the same time the operations executed on the ports of other network nodes that did not trigger an alarm are monitored. This ensures real-time control of network security, while ports and/or IP addresses that have not triggered an alarm keep communicating normally and operating stably with other network nodes.
Optionally, data monitoring is performed on an input/output port of a network node in communication connection with the network node having the network vulnerability information, and when an abnormal change occurs in a network environment, an operation executed on the network node is labeled and traced back.
Optionally, data monitoring is performed on input/output ports of the network nodes having a causal relationship with the network nodes having the network vulnerability information, which are obtained based on the situation awareness capability, and when the network environment changes abnormally, the operations executed on the network nodes are labeled and traced.
Preferably, the attack characteristic information further includes prompt characteristic information corresponding to the attack characteristic.
Referring to fig. 2, another embodiment of the present invention specifically includes step S110:
S111, carrying out a vulnerability scanning operation on the network nodes and the associated network nodes, acquiring attack characteristic information of the network vulnerability and prompt characteristic information corresponding to the attack characteristic, and determining the network vulnerability types of the network nodes and the associated network nodes according to the attack characteristic and the prompt characteristic.
The prompt feature may be a feature that the network node reminds or plays a role in warning a corresponding access operation behavior when sending the access request information.
The prompt feature can also perform corresponding reminding or warning for the attack feature.
By way of example and not limitation, the prompt feature may be presented as, for example, the prompt feature information "password should be 8 characters" appearing when a wrong user name and password are entered while accessing a network node.
It should be noted that when a certain network node detects the existence of the attack feature and the prompt feature, it may be preferable to consider that a network attack exists or an attacker is trying to exploit a network vulnerability to launch a network attack on the network node.
S112, predicting the influence range of the network vulnerability type on the network nodes and the associated network nodes based on the situation awareness system.
S113, acquiring an attack sequence based on a time axis, which is executed by an attacker on the network node, and calling a defense scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time axis information for defense based on the attack sequence.
As a preferred implementation of this embodiment, suppose that network vulnerability information has been obtained through the vulnerability scanning operation, and that the attack sequence observed on the accessed network node in the network environment is summarized as five attack features and three prompt features; the five attack features correspond to two types of network vulnerabilities of the network node and the associated network nodes, and the predicted influence range of the network vulnerabilities on the network node and the associated network nodes covers one network node and two associated network nodes.
The five attack characteristics are attack characteristic 1, attack characteristic 2, attack characteristic 3, attack characteristic 4 and attack characteristic 5 respectively; the three prompt characteristics are respectively prompt characteristic 1, prompt characteristic 2 and prompt characteristic 3; the two types of the network vulnerabilities corresponding to the network nodes and the associated network nodes are respectively a network vulnerability type 1 and a network vulnerability type 2; and an influence range network node 1, an associated network node 1 and an associated network node 2.
The following are acquired: the attack sequence based on the time axis (attack characteristic 1, prompt characteristic 1, attack characteristic 2, attack characteristic 3, prompt characteristic 2, attack characteristic 4, attack characteristic 5, prompt characteristic 3); the network vulnerability types of the network nodes and the associated network nodes corresponding to the attack characteristics (namely network vulnerability type 1 and network vulnerability type 2); and the influence range of the network vulnerabilities on the network nodes and the associated network nodes (namely network node 1, associated network node 1 and associated network node 2).
Then, based on the attack sequence, a defense scheme matching the network vulnerability type and the influence range information corresponding to the attack operation at the current time is called from the preset network vulnerability database of the situation awareness system according to the time axis information, and used for defense.
For example, the result of matching the network vulnerability type and the influence range information corresponding to the attack operation at the current time may be that the network vulnerability type 1 and the network node 1 match the attack characteristic 1, and the network vulnerability type 1 and the network node 1 match the prompt characteristic 1; or the network vulnerability type 2 and the associated network node 1 are matched with the attack characteristics 2, the network vulnerability type 2 and the associated network node 1 are matched with the attack characteristics 3, and the network vulnerability type 2 and the associated network node 1 are matched with the prompt characteristics 2; the attack features 4 can be matched by the network vulnerability type 2 and the associated network nodes 2, the attack features 5 can be matched by the network vulnerability type 2 and the associated network nodes 2, and the prompt features 3 can be matched by the network vulnerability type 2 and the associated network nodes 2.
At this time, the attack operation at the current time may be the attack operation corresponding to any one of attack features 1 to 5 or prompt features 1 to 3.
After the matching result is obtained, the defense sequence corresponding to the attack characteristics is called from the preset defense scheme in the network vulnerability database of the situation awareness system so as to perform defense.
Other technical features are referred to in the previous embodiments and are not described herein.
Referring to fig. 3, an embodiment of the present invention provides a situation-aware network vulnerability defense apparatus 200, which is characterized by comprising:
the vulnerability scanning unit 201 is configured to perform vulnerability scanning operation on the network node and the associated network node, obtain attack characteristic information of the network vulnerability, and determine the network vulnerability type of the network node and the associated network node according to the attack characteristic.
The vulnerability influence determining unit 202 is configured to predict an influence range of the network vulnerability type on the network node and the associated network node based on a situation awareness system.
The vulnerability defense unit 203 is configured to acquire an attack sequence based on a time axis that is executed on the network node by an attacker and, based on the attack sequence, call a defense scheme matching the network vulnerability type and the influence range information corresponding to the attack operation at the current time from the network vulnerability database of a preset situation awareness system according to the time axis information, for defense.
In addition, referring to fig. 4, an embodiment of the present invention provides a situation-aware network vulnerability defense system 300, which is characterized by comprising:
the network node 301 is configured to transmit and receive data.
The situation awareness system 302 periodically detects a network node with a network vulnerability, and performs security analysis on log information of the network node.
The periodic detection may be given a detection time or a detection time period, and the detection items may include, but are not limited to, webpage tamper resistance, abnormal process behavior, abnormal login, and the like.
The log information of the network node refers to the event records generated during the operation of network equipment, systems, service programs and the like, where each row of the log records a description of a related operation, such as date, time, user and action. The log information of the network node includes, but is not limited to, connection duration, protocol type, network service type of the target host, connection normal or error state, number of data bytes from the source host to the target host, number of data bytes from the target host to the source host, number of error segments, number of urgent packets, whether the connection is from the same host, whether the same port is used, and the like.
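As an added example that is not code from the patent, the security analysis described above can be run over per-connection log records carrying the fields just listed. The column order, the source-host column, the error-state values, the threshold and the sample lines are all assumptions constructed for the example; the findings only flag patterns for an analyst, they do not by themselves classify a node as vulnerable.

```python
"""Added example (not from the patent): parse per-connection log records with
the fields listed above and flag suspicious per-host patterns. Column order,
state values, threshold and sample lines are constructed assumptions."""
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List

# Assumed column order: date, time, user, source host, then the connection
# fields enumerated in the description (error segments == wrong fragments,
# "same host + same port" folded into one boolean column).
FIELDS = ["date", "time", "user", "src_host", "duration", "protocol",
          "service", "state", "src_bytes", "dst_bytes", "wrong_fragment",
          "urgent", "same_host_port"]

ERROR_STATES = {"REJ", "S0", "RSTO"}   # assumed: rejected / half-open states
SCAN_THRESHOLD = 3                     # assumed: error connections per host


@dataclass(frozen=True)
class ConnRecord:
    date: str
    time: str
    user: str
    src_host: str
    duration: int
    protocol: str
    service: str
    state: str
    src_bytes: int
    dst_bytes: int
    wrong_fragment: int
    urgent: int
    same_host_port: bool


@dataclass(frozen=True)
class Finding:
    src_host: str
    kind: str
    count: int


def parse_log(text: str) -> List[ConnRecord]:
    """Parse CSV rows into records, skipping malformed rows instead of failing."""
    out: List[ConnRecord] = []
    for row in csv.reader(StringIO(text.strip())):
        if len(row) != len(FIELDS):
            continue
        d = dict(zip(FIELDS, row))
        out.append(ConnRecord(
            d["date"], d["time"], d["user"], d["src_host"], int(d["duration"]),
            d["protocol"], d["service"], d["state"], int(d["src_bytes"]),
            int(d["dst_bytes"]), int(d["wrong_fragment"]), int(d["urgent"]),
            d["same_host_port"] == "1"))
    return out


def analyze(records: List[ConnRecord]) -> List[Finding]:
    """Per source host: many error-state connections to distinct services
    (scan-like), same-host/same-port connections, error segments, urgent packets."""
    by_host: Dict[str, List[ConnRecord]] = defaultdict(list)
    for r in records:
        by_host[r.src_host].append(r)
    findings: List[Finding] = []
    for host, recs in sorted(by_host.items()):
        errs = [r for r in recs if r.state in ERROR_STATES]
        if len(errs) >= SCAN_THRESHOLD and len({r.service for r in errs}) >= SCAN_THRESHOLD:
            findings.append(Finding(host, "scan_like", len(errs)))
        for kind, count in (("same_host_port", sum(1 for r in recs if r.same_host_port)),
                            ("wrong_fragments", sum(r.wrong_fragment for r in recs)),
                            ("urgent_packets", sum(r.urgent for r in recs))):
            if count:
                findings.append(Finding(host, kind, count))
    return findings


# Constructed sample log: one normal client, one host probing four services
# and being rejected, one same-host/same-port connection, one urgent packet.
SAMPLE_LOG = """\
2021-11-19,08:00:01,alice,10.0.0.2,12,tcp,http,SF,420,5100,0,0,0
2021-11-19,08:00:03,alice,10.0.0.2,3,tcp,http,SF,310,2400,0,0,0
2021-11-19,08:00:05,-,10.0.0.5,0,tcp,ssh,REJ,0,0,0,0,0
2021-11-19,08:00:05,-,10.0.0.5,0,tcp,telnet,REJ,0,0,0,0,0
2021-11-19,08:00:06,-,10.0.0.5,0,tcp,smtp,S0,0,0,0,0,0
2021-11-19,08:00:06,-,10.0.0.5,0,tcp,ftp,REJ,0,0,0,0,0
2021-11-19,08:00:09,-,10.0.0.9,0,udp,domain,SF,28,0,0,0,1
2021-11-19,08:00:11,bob,10.0.0.7,44,tcp,http,SF,900,1,0,1,0
"""

if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        print(f)
```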
A system server 303, said system server 303 connecting the network node 301 and the situational awareness system 302.
The system server 303 is configured to: carrying out vulnerability scanning operation on network nodes and associated network nodes, acquiring attack characteristic information of network vulnerabilities, and determining the network vulnerability types of the network nodes and the associated network nodes according to the attack characteristics; predicting the influence range of the network vulnerability type on the network nodes and the associated network nodes based on a situation awareness system; and acquiring an attack sequence which is executed by an attacker on the network node and is based on a time axis, and calling a defense scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time axis information for defense based on the attack sequence.
Other technical features are referred to in the previous embodiment and are not described in detail herein.
In the description above, the various components may be selectively and operatively combined in any number within the intended scope of the present disclosure. In addition, terms like "comprising," "including," and "having" should be interpreted as inclusive or open-ended, rather than exclusive or closed-ended, by default, unless explicitly defined to the contrary. All technical, scientific, or other terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs unless defined otherwise. Common terms found in dictionaries should not be interpreted too ideally or too realistically in the context of related art documents unless the present disclosure expressly limits them to that.
While exemplary aspects of the present disclosure have been described for illustrative purposes, those skilled in the art will appreciate that the foregoing description is by way of description of the preferred embodiments of the present disclosure only, and is not intended to limit the scope of the present disclosure in any way, which includes additional implementations in which functions may be performed out of the order of presentation or discussion. Any changes and modifications of the present invention based on the above disclosure will be within the scope of the appended claims.

Claims (10)

1. A situation-aware network vulnerability defense method is characterized by comprising the steps of,
carrying out vulnerability scanning operation on network nodes and associated network nodes, acquiring attack characteristic information of network vulnerabilities, and determining the network vulnerability types of the network nodes and the associated network nodes according to the attack characteristics;
predicting the influence range of the network vulnerability type on the network nodes and the associated network nodes based on a situation awareness system;
and acquiring an attack sequence which is executed by an attacker on the network node and is based on a time axis, and calling a defense scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time axis information for defense based on the attack sequence.
2. The method of claim 1, wherein the selected data in the vulnerability scanning operation includes discovery time, vulnerability name, hazard level, asset IP, scanning task name, data source, status, disposal priority, operation.
3. The method of claim 1, wherein the types of network vulnerabilities include buffer overflow, cross-site scripting, DoS attacks, scanning, SQL injection, trojan backdoor, virus worms, Web attacks, botnets, cross-site request forgery, file inclusion, file reading, directory traversal attacks, sensitive information leakage, brute-force cracking, code execution vulnerabilities, command execution, weak passwords, upload vulnerability exploitation, Webshell exploitation, misconfiguration/errors, logic/involvement errors, unauthorized access/permission bypass, URL hopping, protocol exceptions, phishing, malicious advertisements, network spoofing, spyware, browser hijacking, keyboard logging, secret-stealing trojans, port scanning, black-market tools, email, computer viruses, network worms, file downloads, permission and access control, and Webshell upload.
4. The method according to claim 1, wherein after the defense operation, the network nodes corresponding to the network vulnerabilities are continuously monitored, and a time period and a monitoring level are set for the continuous monitoring, the time period and the monitoring level being matched to the hazard level of the network vulnerabilities; when the network node and the communication connection between the network node and the associated network node satisfy the network security element, the continuous monitoring setting is released; otherwise, the network node is scanned for vulnerabilities again to obtain the cause of the failure.
5. The method of claim 1, wherein the predicted impact range comprises network nodes corresponding to the network vulnerability and communication connections between the network nodes and associated network nodes.
6. The method of claim 1, wherein the alarm information caused by the corresponding network vulnerability is fault-processed, and the fault processing comprises defending the corresponding network vulnerability according to a preset vulnerability defense scheme.
7. The method according to claim 1, wherein the attack characteristic information further includes prompt characteristic information corresponding to the attack characteristic.
8. The method of claim 7, comprising the steps of,
carrying out vulnerability scanning operation on network nodes and associated network nodes, acquiring attack characteristic information of the network vulnerability and prompt characteristic information corresponding to the attack characteristic, and determining the network vulnerability types of the network nodes and the associated network nodes according to the attack characteristic and the prompt characteristic;
predicting the influence range of the network vulnerability type on the network nodes and the associated network nodes based on a situation awareness system;
and acquiring an attack sequence which is executed by an attacker on the network node and is based on a time axis, and calling a defense scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time axis information for defense based on the attack sequence.
9. A situation-aware network vulnerability defense apparatus, comprising the method of any one of claims 1-8, characterized by comprising the structure:
the vulnerability scanning unit is used for carrying out vulnerability scanning operation on the network nodes and the associated network nodes, acquiring attack characteristic information of the network vulnerabilities, and determining the network vulnerability types of the network nodes and the associated network nodes according to the attack characteristics;
the vulnerability influence determining unit is used for predicting the influence range of the network vulnerability type on the network nodes and the associated network nodes based on a situation awareness system;
and the vulnerability defense unit is used for acquiring an attack sequence which is executed on the network node by an attacker and is based on a time axis, and calling a defense scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time axis information for defense based on the attack sequence.
10. A situation-aware network vulnerability defense system, comprising the method of any one of claims 1-8, characterized by comprising:
a network node for transceiving data;
the situation awareness system is used for periodically detecting the network nodes with the network bugs and carrying out security analysis on the log information of the network nodes;
the system server is connected with the network node and the situation awareness system;
the system server is configured to: carrying out vulnerability scanning operation on network nodes and associated network nodes, acquiring attack characteristic information of network vulnerabilities, and determining the network vulnerability types of the network nodes and the associated network nodes according to the attack characteristics;
predicting the influence range of the network vulnerability type on the network nodes and the associated network nodes based on a situation awareness system;
and acquiring an attack sequence which is executed by an attacker on the network node and is based on a time axis, and calling a defense scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time axis information for defense based on the attack sequence.
CN202111374774.7A 2021-11-19 2021-11-19 Situation-aware network vulnerability defense method, device and system Active CN114189360B (en)

Publications (2)

Publication Number Publication Date
CN114189360A true CN114189360A (en) 2022-03-15
CN114189360B CN114189360B (en) 2023-09-29


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant