CN114189360B - Situation-aware network vulnerability defense method, device and system

Info

Publication number: CN114189360B
Authority: CN (China)
Prior art keywords: network, vulnerability, network node, attack, node
Legal status: Active
Application number: CN202111374774.7A
Other languages: Chinese (zh)
Other versions: CN114189360A (en)
Inventors: 杨腾霄, 崔政强, 严涛
Current Assignee: Shanghai Niudun Technology Co ltd
Original Assignee: Shanghai Niudun Technology Co ltd
    • Application filed by Shanghai Niudun Technology Co ltd
    • Priority to CN202111374774.7A
    • Publication of CN114189360A
    • Application granted
    • Publication of CN114189360B
    • Legal status: Active
    • Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention provides a situation-aware network vulnerability defense method, device and system, and relates to the technical field of network security. The method comprises the following steps: performing a vulnerability scanning operation on a network node and its associated network nodes, acquiring attack characteristic information of the network vulnerability, and determining the network vulnerability types of the network node and the associated network nodes according to the attack characteristics; predicting the influence range of the network vulnerability type on the network node and the associated network nodes; and acquiring a time-axis-based attack sequence executed by an attacker on the network node and, according to the time-axis information of that attack sequence, calling from the network vulnerability database of a preset situation awareness system a defending scheme matched with the network vulnerability type and influence range information corresponding to the attack operation at the current time, so as to defend. According to the method, the attack characteristics of the network vulnerabilities are obtained, a time-axis-based attack sequence is determined corresponding to those attack characteristics, and the attack operation at the current time is defended against accordingly.

Description

Situation-aware network vulnerability defense method, device and system
Technical Field
The invention relates to the technical field of network security, in particular to a situation-aware network vulnerability defense method.
Background
In the prior art, the situation awareness system integrates a plurality of data information systems such as antivirus software, a firewall, a network management system, an intrusion monitoring system, a security audit system and the like to complete evaluation of the current network environment condition and prediction of the future change trend of the network environment.
In order to ensure the capability to defend against network vulnerabilities in a network environment, network security, and the capability to perceive potential network threats, a situation awareness system is adopted to achieve multi-system linkage defense, which effectively improves the capability to defend against network vulnerabilities.
In the actual process of defending against network vulnerabilities, the most important operations are finding network vulnerabilities for repair and monitoring attacks by an attacker on network nodes that exploit those vulnerabilities. Above all, the attack characteristics of the attacker accessing the network node must be monitored, the attack path and attack mode of the attacker must be grasped from those characteristics, and an accurate defense against the attack must be provided. However, in the prior art it is difficult to acquire the attacker's attack order from historical and real-time data, and thus to provide a corresponding defending scheme according to that attack order.
Therefore, a situation-aware network vulnerability defense method, device and system are provided to solve the technical problem currently in need of a solution: acquiring the attack characteristics of network vulnerabilities through situation awareness, determining a time-axis-based attack sequence corresponding to those attack characteristics, and defending against the attack operation at the current time accordingly, so as to realize network security defense.
Disclosure of Invention
The invention aims to: perform a vulnerability scanning operation on network nodes and associated network nodes, acquire attack characteristic information of the network vulnerabilities, and determine the network vulnerability types of the network nodes and the associated network nodes according to the attack characteristics; predict, based on a situation awareness system, the influence range of the network vulnerability type on the network node and the associated network node; and acquire a time-axis-based attack sequence executed by an attacker on the network node and, according to the time-axis information of that attack sequence, call from the network vulnerability database of a preset situation awareness system a defending scheme matched with the network vulnerability type and influence range information corresponding to the attack operation at the current time, so as to defend.
In order to solve the existing technical problems, the invention provides the following technical scheme:
a situation-aware network vulnerability defense method is characterized by comprising the steps of,
performing vulnerability scanning operation on a network node and an associated network node, acquiring attack characteristic information of the network vulnerability, and determining network vulnerability types of the network node and the associated network node according to the attack characteristic;
predicting the influence range of the network vulnerability type on the network node and the associated network node based on a situation awareness system;
acquiring a time axis-based attack sequence executed by an attacker on the network node, and calling a defending scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time axis information based on the attack sequence to defend.
Further, the data selected in the vulnerability scanning operation comprises discovery time, vulnerability name, hazard level, asset IP, scanning task name, data source, state, treatment priority and operation.
Further, the network vulnerability types include buffer overflow, cross-site scripting, DoS attacks, scanning, SQL injection, trojan backdoors, virus worms, web attacks, botnets, cross-site request forgery, file inclusion, file reading, directory traversal attacks, sensitive information leakage, brute force cracking, code execution vulnerabilities, command execution, weak passwords, upload exploitation, webshell exploitation, misconfiguration/errors, logic/involvement errors, unauthorized access/permission bypass, URL jumps, protocol anomalies, phishing, malicious advertisements, network spoofing, spyware, browser hijacking, keyboard logging, stealer trojans, port scanning, black market tools, email, computer viruses, network worms, file downloads, permission and access control, and webshell uploading.
Further, after the defending operation is performed, the network node corresponding to the network vulnerability is continuously monitored, and a time period and a monitoring level are set for the continuous monitoring, the time period and the monitoring level being matched to the hazard level of the network vulnerability; when the network node and the communication connection between the network node and the associated network node satisfy the network security elements, the continuous monitoring setting is released; otherwise, vulnerability scanning is performed on the network node again to obtain the fault reason.
Further, the predicted impact range includes a network node corresponding to the network vulnerability and a communication connection between the network node and an associated network node.
Further, fault processing is performed on the alarm information caused by the corresponding network vulnerability, wherein the fault processing comprises the step of defending the corresponding network vulnerability according to a preset vulnerability defending scheme.
Further, the attack characteristic information also comprises prompt characteristic information corresponding to the attack characteristic.
Further, the method comprises the steps of performing vulnerability scanning operation on the network node and the associated network node, obtaining attack characteristic information of the network vulnerability and prompt characteristic information corresponding to the attack characteristic, and determining network vulnerability types of the network node and the associated network node according to the attack characteristic and the prompt characteristic;
predicting the influence range of the network vulnerability type on the network node and the associated network node based on a situation awareness system;
acquiring a time axis-based attack sequence executed by an attacker on the network node, and calling a defending scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time axis information based on the attack sequence to defend.
A situation-aware network vulnerability defense device comprising the structure:
the vulnerability scanning unit is used for performing vulnerability scanning operation on the network nodes and the associated network nodes, acquiring attack characteristic information of the network vulnerabilities, and determining the network vulnerability types of the network nodes and the associated network nodes according to the attack characteristics;
the vulnerability influence determining unit is used for predicting the influence range of the network vulnerability type on the network node and the associated network node based on the situation awareness system;
the vulnerability defense unit is used for acquiring a time-axis-based attack sequence executed by an attacker on the network node, and calling a defense scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time-axis information based on the attack sequence to defend.
A situation aware network vulnerability defense system comprising:
a network node for receiving and transmitting data;
the situation awareness system regularly detects network nodes with network vulnerabilities, and carries out security analysis on log information of the network nodes;
the system server is connected with the network node and the situation awareness system;
the system server is configured to: performing vulnerability scanning operation on a network node and an associated network node, acquiring attack characteristic information of the network vulnerability, and determining network vulnerability types of the network node and the associated network node according to the attack characteristic; predicting the influence range of the network vulnerability type on the network node and the associated network node based on a situation awareness system; acquiring a time axis-based attack sequence executed by an attacker on the network node, and calling a defending scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time axis information based on the attack sequence to defend.
Based on the advantages and positive effects, the invention has the following advantages: performing vulnerability scanning operation on a network node and an associated network node, acquiring attack characteristic information of the network vulnerability, and determining network vulnerability types of the network node and the associated network node according to the attack characteristic; predicting the influence range of the network vulnerability type on the network node and the associated network node based on a situation awareness system; acquiring a time axis-based attack sequence executed by an attacker on the network node, and calling a defending scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time axis information based on the attack sequence to defend.
Further, the attack characteristic information also comprises prompt characteristic information corresponding to the attack characteristic.
Further, the method comprises the steps of performing vulnerability scanning operation on the network node and the associated network node, obtaining attack characteristic information of the network vulnerability and prompt characteristic information corresponding to the attack characteristic, and determining network vulnerability types of the network node and the associated network node according to the attack characteristic and the prompt characteristic;
predicting the influence range of the network vulnerability type on the network node and the associated network node based on a situation awareness system;
acquiring a time axis-based attack sequence executed by an attacker on the network node, and calling a defending scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time axis information based on the attack sequence to defend.
Drawings
Fig. 1 is a flowchart provided in an embodiment of the present invention.
Fig. 2 is another flowchart provided in an embodiment of the present invention.
Fig. 3 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a system according to an embodiment of the present invention.
Reference numerals illustrate:
the device 200, the vulnerability scanning unit 201, the vulnerability impact determining unit 202, the vulnerability defending unit 203;
system 300, network node 301, situation awareness system 302, system server 303.
Detailed Description
The situation-aware network vulnerability defense method, device and system disclosed by the invention are further described in detail below with reference to the accompanying drawings and specific embodiments. It should be noted that the technical features or combinations of technical features described in the following embodiments should not be regarded as being isolated, and they may be combined with each other to achieve a better technical effect. In the drawings of the embodiments described below, like reference numerals appearing in the various drawings represent like features or components and are applicable to the various embodiments. Thus, once an item is defined in one drawing, no further discussion thereof is required in subsequent drawings.
It should be noted that the structures, proportions, sizes, etc. shown in the drawings are merely used in conjunction with the disclosure of the present specification and are not intended to limit the applicable scope of the present invention. The scope of the preferred embodiments of the present invention includes additional implementations in which functions may be performed out of the order described or discussed, including in a substantially simultaneous manner or in reverse order, depending on the function involved, as would be understood by those of skill in the art to which embodiments of the present invention pertain.
Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail, but should be considered part of the specification where appropriate. In all examples shown and discussed herein, any specific values should be construed as merely illustrative, and not a limitation. Thus, other examples of the exemplary embodiments may have different values.
Examples
Referring to fig. 1, a flowchart is provided for the present invention. The implementation step S100 of the method is as follows:
s101, performing vulnerability scanning operation on the network nodes and the associated network nodes, acquiring attack characteristic information of the network vulnerabilities, and determining the network vulnerability types of the network nodes and the associated network nodes according to the attack characteristics.
The network node refers to a terminal having independent network addresses and data processing functions in a network environment, including, but not limited to, functions of transmitting data, receiving data, and/or analyzing data.
The network node may be a workstation, a client, a network user or a personal computer, or may be a server, a printer or other network-connected device. The whole network environment comprises a plurality of network nodes which are connected through communication lines to form a network topology structure. The communication line may be a wired communication system or a wireless communication system.
The associated network node refers to a network node having an association relationship with the network node. Including but not limited to causal relationships, progressive relationships, and the like.
The vulnerability scanning refers to detecting the security vulnerability of a specified remote or local computer system by means of automatic tool scanning and the like based on a vulnerability database, so as to find a security detection behavior of the available vulnerabilities.
The vulnerability scanning can scan network nodes in a network environment and data transmission protocols among the network nodes based on vulnerability scanning rules preset in a vulnerability database to determine network vulnerabilities.
By way of example and not limitation, the vulnerability scanning may preferably acquire a network vulnerability by scanning the access operations of the network nodes, i.e., when an access operation of a network node conflicts with the security policy of the system, a network vulnerability is considered to exist.
The attack features detected in this way include, but are not limited to, network message sniffing, IP address spoofing, cryptographic attacks, denial of service attacks, distributed denial of service attacks, and the like.
Network message sniffing uses a sniffer on the network interface of a computer to intercept data messages addressed to the destination computer.
An IP address spoofing attack attacks the target by forging the IP address of a trusted host.
A cryptographic attack may be carried out in a number of different ways, including but not limited to brute force attacks, trojan horse programs, etc.
A denial of service (DoS) attack disrupts the normal operation of the network by denying service access: the network connection is eventually blocked, or the relevant services of the server system crash and system resources are depleted because the server is exhausted processing the data packets sent by the attacker.
A distributed denial of service (DDoS) attack is a special, distributed and coordinated large-scale form of DoS attack: by launching several, or even more than ten, denial of service attacks against different services at the same time, the network connection is blocked, or the relevant services of the server system collapse and system resources are exhausted because the server is exhausted processing the data packets sent by the attacker.
It is noted that when the existence of the foregoing attack feature is detected at a certain network node, it may be preferable to consider that a network attack exists or that an attacker is attempting to launch a network attack on a network node using a network vulnerability.
The network vulnerability types include, but are not limited to, buffer overflow, cross-site scripting, DoS attacks, scanning, SQL injection, trojan backdoors, virus worms, web attacks, botnets, cross-site request forgery, file inclusion, file reading, directory traversal attacks, sensitive information leakage, brute force cracking, code execution vulnerabilities, command execution, weak passwords, upload exploitation, webshell exploitation, misconfiguration/error, logic/involvement error, unauthorized access/permission bypass, URL jumps, protocol anomalies, phishing, malicious advertisements, network spoofing, spyware, browser hijacking, keyboard logging, stealer trojans, port scanning, black market tools, email, computer viruses, network worms, file downloading, permission and access control, webshell uploading, and the like.
After the attack characteristics and the network vulnerability types are determined, a defending scheme corresponding to the attack characteristics and the network vulnerability types can be called from a network vulnerability database of a preset situation awareness system according to the attack characteristics and the network vulnerability types.
S102, predicting the influence scope of the network vulnerability type on the network node and the associated network node based on a situation awareness system.
The situation awareness system integrates a plurality of data information systems such as antivirus software, a firewall, a network management system, an intrusion monitoring system, a security audit system and the like so as to complete evaluation of the current network environment condition and forecast of the future change trend of the network environment.
The impact range can be obtained based on the situational awareness capabilities of the aforesaid situational awareness system. The scope of influence relates to a network node with the aforementioned network vulnerability information and an associated network node of the network node.
S103, acquiring a time axis-based attack sequence executed by an attacker on the network node, and calling a defending scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time from a network vulnerability database of a preset situation awareness system according to time axis information based on the attack sequence to defend.
The time-axis-based attack order may preferably be the order of the times at which the attack features involved in accessing the network node occurred.
For example, if five attack features are acquired through the vulnerability scanning operation, the attack order may be attack feature 1, attack feature 2, attack feature 3, attack feature 4, then attack feature 5.
In a preferred implementation of the embodiment, network vulnerability information is acquired through the vulnerability scanning operation, yielding the attack sequence of the five attack features in accessing the network node in the network environment, two network vulnerability types of the network node and the associated network node corresponding to the five attack features, and a predicted influence range of the network vulnerability on the network node and the associated network node that involves one network node and two associated network nodes.
The five attack features are respectively an attack feature 1, an attack feature 2, an attack feature 3, an attack feature 4 and an attack feature 5; the network vulnerability types of the network nodes and the associated network nodes corresponding to the attack characteristics are a network vulnerability type 1 and a network vulnerability type 2; and, an influence range network node 1, an associated network node 1 and an associated network node 2.
The attack sequence (namely attack feature 1, attack feature 2, attack feature 3, attack feature 4 to attack feature 5) based on the time axis, the network vulnerability types (namely network vulnerability type 1 and network vulnerability type 2) of the network node and the associated network node corresponding to the attack feature, and the predicted influence range (namely network node 1, associated network node 1 and associated network node 2) of the network vulnerability to the network node and the associated network node are obtained.
And then, based on the attack sequence, according to the time axis information, a defending scheme matched with the network vulnerability type and the influence range information corresponding to the attack operation at the current time is called from a network vulnerability database of a preset situation awareness system to defend.
For example, the matching result of the network vulnerability type and the influence range information corresponding to the attack operation at the current time may be that the network vulnerability type 1 and the network node 1 match the attack feature 1, the network vulnerability type 2 and the associated network node 1 match the attack feature 2, the network vulnerability type 2 and the associated network node 1 match the attack feature 3, the network vulnerability type 2 and the associated network node 2 match the attack feature 4, and the network vulnerability type 2 and the associated network node 2 match the attack feature 5.
The attack operation at the current time may correspond to any of the attack operations of attack feature 1, attack feature 2, attack feature 3, attack feature 4, and attack feature 5 described above.
And after the matching result is obtained, a defending sequence corresponding to the attack characteristic is called from a defending scheme of a network vulnerability database of a preset situation awareness system so as to defend.
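As an added illustration that is not part of the patent text, the following Python sketch models steps S101 to S103 and the post-defense monitoring on the five-feature example above, and additionally shows what happens when a feature is observed at a node outside the predicted influence range. The association graph, the hazard-to-monitoring mapping and the defending schemes are constructed placeholders standing in for the situation awareness system's network vulnerability database.

```python
from bisect import bisect_right
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AttackFeature:
    """An attack feature observed at a network node and placed on the time axis."""
    name: str
    observed_at: int   # position on the time axis (constructed: seconds)
    node: str          # node where the feature was observed
    vuln_type: str     # network vulnerability type determined from the feature


# Constructed association graph: node -> nodes it has an association relationship with.
ASSOCIATIONS: Dict[str, Set[str]] = {
    "network_node_1": {"associated_node_1"},
    "associated_node_1": {"associated_node_2"},
    "associated_node_2": set(),
}

# Constructed stand-in for the situation awareness system's vulnerability database:
# vulnerability type -> defending scheme template, instantiated per affected node.
DEFENSE_DB: Dict[str, str] = {
    "vuln_type_1": "patch service and restrict inbound ports on {node}",
    "vuln_type_2": "isolate {node} from associated nodes and reset credentials",
}

# Monitoring period (seconds) and level matched to the hazard level (constructed values).
MONITORING_BY_HAZARD: Dict[str, Tuple[int, str]] = {
    "high": (86400, "continuous"),
    "medium": (3600, "elevated"),
    "low": (600, "standard"),
}


def predict_influence_range(node: str, associations: Dict[str, Set[str]]
                            ) -> Tuple[Set[str], Set[Tuple[str, str]]]:
    """S102: the influence range is the vulnerable node, every associated node
    reachable through association relationships, and the links between them."""
    nodes, links = {node}, set()
    queue = deque([node])
    while queue:
        current = queue.popleft()
        for nxt in associations.get(current, set()):
            links.add((current, nxt))
            if nxt not in nodes:
                nodes.add(nxt)
                queue.append(nxt)
    return nodes, links


def attack_sequence(features: List[AttackFeature]) -> List[AttackFeature]:
    """S103: order the attack features along the time axis."""
    return sorted(features, key=lambda f: f.observed_at)


def current_attack(seq: List[AttackFeature], now: int) -> Optional[AttackFeature]:
    """The attack operation at the current time: the latest feature observed at or before now."""
    times = [f.observed_at for f in seq]
    idx = bisect_right(times, now)
    return seq[idx - 1] if idx else None


def select_defense(feature: AttackFeature, influence_nodes: Set[str],
                   db: Dict[str, str]) -> Optional[str]:
    """Call the defending scheme matching vulnerability type and influence range.
    A feature at a node outside the predicted influence range gets no scheme."""
    if feature.node not in influence_nodes:
        return None
    template = db.get(feature.vuln_type)
    return template.format(node=feature.node) if template else None


def defense_sequence(features: List[AttackFeature], influence_nodes: Set[str],
                     db: Dict[str, str]) -> List[Tuple[str, Optional[str]]]:
    """Defending sequence: one scheme per attack feature, in time-axis order."""
    return [(f.name, select_defense(f, influence_nodes, db))
            for f in attack_sequence(features)]


def post_defense_monitoring(hazard_level: str, security_elements_met: bool) -> Dict[str, object]:
    """Continuous monitoring after the defense: period and level follow the hazard
    level; release when the security elements are met, otherwise rescan for the fault reason."""
    period, level = MONITORING_BY_HAZARD[hazard_level]
    return {"period_s": period, "level": level,
            "action": "release_monitoring" if security_elements_met else "rescan"}


# Constructed input reproducing the five-feature example, plus one out-of-range feature.
FEATURES = [
    AttackFeature("attack_feature_1", 100, "network_node_1", "vuln_type_1"),
    AttackFeature("attack_feature_2", 160, "associated_node_1", "vuln_type_2"),
    AttackFeature("attack_feature_3", 220, "associated_node_1", "vuln_type_2"),
    AttackFeature("attack_feature_4", 300, "associated_node_2", "vuln_type_2"),
    AttackFeature("attack_feature_5", 340, "associated_node_2", "vuln_type_2"),
    AttackFeature("attack_feature_x", 200, "unrelated_node", "vuln_type_1"),
]

if __name__ == "__main__":
    nodes, links = predict_influence_range("network_node_1", ASSOCIATIONS)
    print("influence range:", sorted(nodes), sorted(links))
    now_feature = current_attack(attack_sequence(FEATURES), 250)
    print("attack at t=250:", now_feature.name, "->", select_defense(now_feature, nodes, DEFENSE_DB))
    for name, scheme in defense_sequence(FEATURES, nodes, DEFENSE_DB):
        print(name, "->", scheme)
    print(post_defense_monitoring("high", security_elements_met=False))
```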
The foregoing defenses may be directed to hardware device failures in the network node, or may be directed to software system failures in the network node, for example: network ports, network cards, network loops, broadcast storms, traffic occupancy, viruses, etc.
Preferably, the data selected in the vulnerability scanning operation includes discovery time, vulnerability name, hazard level, asset IP, scanning task name, data source, status, treatment priority and operation.
Preferably, the network vulnerability types include buffer overflow, cross-site scripting, DoS attacks, scanning, SQL injection, trojan backdoors, virus worms, web attacks, botnets, cross-site request forgery, file inclusion, file reading, directory traversal attacks, sensitive information disclosure, brute force cracking, code execution vulnerabilities, command execution, weak passwords, upload exploitation, webshell exploitation, misconfiguration/error, logic/involvement error, unauthorized access/permission bypass, URL jump, protocol anomaly, phishing, malicious advertisements, network spoofing, spyware, browser hijacking, keyboard logging, stealer trojan, port scanning, black market tools, email, computer viruses, network worms, file downloading, permission and access control, and webshell uploading.
Preferably, after the defending operation is performed, the network node corresponding to the network vulnerability is continuously monitored, and a time period and a monitoring level are set for the continuous monitoring, the time period and the monitoring level being matched to the hazard level of the network vulnerability; when the network node and the communication connection between the network node and the associated network node satisfy the network security elements, the continuous monitoring setting is released; otherwise, vulnerability scanning is performed on the network node again to obtain the fault reason.
Preferably, the predicted impact range includes a network node corresponding to the network vulnerability, and a communication connection between the network node and an associated network node.
Preferably, fault processing is performed on alarm information caused by a corresponding network vulnerability, and the fault processing includes defending the corresponding network vulnerability according to a preset vulnerability defending scheme.
In a preferred implementation manner of this embodiment, the alarm is an event report for transmitting alarm information, which is called an alarm for short. It may be well defined by the manufacturer or by an administrator in combination with alarms in the network. When an alarm occurs, the system receives an alarm signal to indicate that an alarm has occurred, and performs fault description in the form of alarm information, wherein the fault represents the reason for generating the alarm by equipment in the network environment. The alarm information includes, but is not limited to, information about the name of the fault device, symptoms of the fault, the location of occurrence, time of occurrence, reason of occurrence, etc.
Optionally, data monitoring is performed on the input/output ports of the network nodes carrying the network vulnerability information, and when the network environment changes abnormally, the operations performed on those network nodes are marked and traced.
During data monitoring, the situation awareness system can also monitor the ports and/or IP addresses of the alarmed network node that did not themselves trigger an alarm; these ports and/or IP addresses communicate in a multiplexed manner.
The IP address may follow the unified address format provided by the IP protocol used by the user, and a logical address may be allocated to each network node in the network environment and to each terminal device through which the user applies for access, so that the situation awareness system can track the user's access path.
When an alarm is triggered, the alarm can display the port information of the network node that triggered it, while the operations executed on the ports of other network nodes that did not trigger an alarm continue to be monitored. This ensures real-time network security control, and the ports and/or IP addresses that have not triggered an alarm can maintain normal communication and stable operation with other network nodes.
Optionally, data monitoring is performed on the input/output ports of network nodes that have a communication connection with the network node carrying the network vulnerability information, and when the network environment changes abnormally, the operations performed on those network nodes are marked and traced.
Optionally, data monitoring is performed on the input/output ports of network nodes that have a causal relation, as determined by the situation awareness capability, with the network node carrying the network vulnerability information, and when the network environment changes abnormally, the operations performed on those network nodes are marked and traced.
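As an added example (not code from the patent), the three optional monitoring variants above implemented as a scope computation plus a port monitor that marks and traces operations once the situation awareness system flags an abnormal change. The topology, causal relations, node names, port operations, the actor address and the `PortMonitor` class are all constructed assumptions.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed topology: direct communication connections between nodes (undirected).
CONNECTIONS: List[Tuple[str, str]] = [
    ("node_a", "node_b"), ("node_b", "node_c"), ("node_c", "node_d"), ("node_e", "node_f"),
]
# Constructed causal relations reported by the situation awareness capability:
# cause node -> nodes whose state it affects.
CAUSAL: Dict[str, List[str]] = {"node_a": ["node_e"], "node_e": ["node_f"]}


def monitoring_scope(vulnerable: str, connections=CONNECTIONS, causal=CAUSAL) -> Dict[str, str]:
    """Nodes whose input/output ports are monitored, keyed by the reason they were
    selected: the node carrying the vulnerability information, nodes that have a
    communication connection with it, and nodes in a direct causal relation with it
    (either direction). An earlier reason is kept if a node qualifies twice."""
    scope = {vulnerable: "vulnerable"}
    for a, b in connections:
        if a == vulnerable:
            scope.setdefault(b, "connected")
        elif b == vulnerable:
            scope.setdefault(a, "connected")
    for cause, effects in causal.items():
        if cause == vulnerable:
            for effect in effects:
                scope.setdefault(effect, "causal")
        elif vulnerable in effects:
            scope.setdefault(cause, "causal")
    return scope


@dataclass(frozen=True)
class PortOp:
    t: int          # time of the operation (constructed tick)
    node: str
    port: int
    direction: str  # "in" or "out"
    action: str     # e.g. "connect", "read", "write"
    actor: str      # account or source address performing the operation


@dataclass(frozen=True)
class TraceEntry:
    trace_id: str
    op: PortOp
    reason: str     # why the node is in scope: vulnerable / connected / causal


class PortMonitor:
    """Hypothetical monitor: watches port operations inside the scope and marks
    those performed while the environment is flagged as abnormally changed."""

    def __init__(self, scope: Dict[str, str]):
        self.scope = scope
        self.abnormal = False
        self.trace: List[TraceEntry] = []
        self._ids = itertools.count(1)

    def environment_changed(self, abnormal: bool) -> None:
        # Set by the situation awareness system when it detects an abnormal change.
        self.abnormal = abnormal

    def observe(self, op: PortOp) -> Optional[TraceEntry]:
        """Return the trace entry if the operation was marked, else None."""
        if op.node not in self.scope:
            return None  # outside the monitored scope
        if not self.abnormal:
            return None  # monitored, but no abnormal change: nothing to mark
        entry = TraceEntry(f"trace-{next(self._ids)}", op, self.scope[op.node])
        self.trace.append(entry)
        return entry

    def trace_for(self, actor: str) -> List[TraceEntry]:
        """Marked operations of one actor in time order: the traced access path."""
        return sorted((e for e in self.trace if e.op.actor == actor), key=lambda e: e.op.t)
```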
Preferably, the attack characteristic information further includes prompt characteristic information corresponding to the attack characteristic.
Referring to fig. 2, another embodiment of the present invention specifically includes step S110:
S111, performing a vulnerability scanning operation on the network node and the associated network node, obtaining attack characteristic information of the network vulnerability and the prompt characteristic information corresponding to the attack characteristic, and determining the network vulnerability types of the network node and the associated network node according to the attack characteristic and the prompt characteristic.
The prompt feature may be a feature that, when the network node sends out access request information, reminds or warns about the corresponding access operation behavior.
The prompt feature can also provide a corresponding prompt or warning for the attack feature.
By way of example and not limitation, a prompt feature may be presented as prompt feature information such as "password should be 8 characters" when an incorrect user name and password are entered while accessing the network node.
It should be noted that when both the foregoing attack feature and the foregoing prompt feature are detected at a network node, it is preferable to consider that a network attack exists, or that an attacker is attempting to launch a network attack on the network node through a network vulnerability.
S112, predicting the influence scope of the network vulnerability type on the network node and the associated network node based on the situation awareness system.
S113, acquiring the time-axis-based attack sequence executed by an attacker on the network node, and, based on the attack sequence and its time axis information, calling from the network vulnerability database of the preset situation awareness system the defense scheme matched to the network vulnerability type and the influence range information corresponding to the attack operation at the current time, in order to defend.
As a preferred implementation of this embodiment, network vulnerability information is acquired through the vulnerability scanning operation; the attack sequence formed by five attack features and three prompt features observed at the accessed network nodes in the network environment is summarized, together with the two network vulnerability types of the network node and the associated network nodes corresponding to these five attack features; and the predicted influence range of the network vulnerability on the network node and the associated network nodes covers one network node and two associated network nodes.
The five attack features are attack feature 1, attack feature 2, attack feature 3, attack feature 4 and attack feature 5; the three prompt features are prompt feature 1, prompt feature 2 and prompt feature 3; the two network vulnerability types corresponding to the network node and the associated network nodes are network vulnerability type 1 and network vulnerability type 2; and the influence range comprises network node 1, associated network node 1 and associated network node 2.
From these are obtained the time-axis-based attack sequence (attack feature 1, prompt feature 1, attack feature 2, attack feature 3, prompt feature 2, attack feature 4, attack feature 5, prompt feature 3), the network vulnerability types of the network node and the associated network nodes corresponding to the attack features (namely network vulnerability type 1 and network vulnerability type 2), and the influence range of the network vulnerability on the network node and the associated network nodes (namely network node 1, associated network node 1 and associated network node 2).
Then, based on the attack sequence and according to its time axis information, a defense scheme matched to the network vulnerability type and the influence range information corresponding to the attack operation at the current time is called from the network vulnerability database of the preset situation awareness system to defend.
For example, the matching result between the attack operation at the current time and the network vulnerability type and influence range information may be as follows: network vulnerability type 1 and network node 1 match attack feature 1, and network vulnerability type 1 and network node 1 match prompt feature 1; network vulnerability type 2 and associated network node 1 match attack feature 2, attack feature 3 and prompt feature 2; and network vulnerability type 2 and associated network node 2 match attack feature 4, attack feature 5 and prompt feature 3.
At this time, the attack operation at the current time may be any attack operation corresponding to the foregoing attack feature 1, attack feature 2, attack feature 3, attack feature 4, attack feature 5, prompt feature 1, prompt feature 2 or prompt feature 3.
After the matching result is obtained, the defense sequence corresponding to the attack feature is called from the defense scheme in the network vulnerability database of the preset situation awareness system in order to defend.
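As an added example (not the patent's own code), the worked example above implemented as a time-axis lookup: the current attack operation is taken from the attack sequence, matched to its (vulnerability type, node) pair, and the defense sequence is retrieved from a constructed vulnerability database, followed by the post-defense continuous monitoring step described earlier. Feature, type and node names mirror the patent's placeholders; the time values, defense steps and hazard-level monitoring policy are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    t: int        # position on the time axis (constructed: seconds since scan start)
    feature: str  # attack feature or prompt feature observed at the node


# Time-axis attack sequence from the worked example; timestamps are constructed.
ATTACK_SEQUENCE: List[Observation] = [
    Observation(0, "attack_feature_1"), Observation(5, "prompt_feature_1"),
    Observation(12, "attack_feature_2"), Observation(15, "attack_feature_3"),
    Observation(20, "prompt_feature_2"), Observation(31, "attack_feature_4"),
    Observation(33, "attack_feature_5"), Observation(40, "prompt_feature_3"),
]

# Matching result from the worked example: feature -> (vulnerability type, node).
MATCH_TABLE: Dict[str, Tuple[str, str]] = {
    "attack_feature_1": ("vuln_type_1", "network_node_1"),
    "prompt_feature_1": ("vuln_type_1", "network_node_1"),
    "attack_feature_2": ("vuln_type_2", "associated_node_1"),
    "attack_feature_3": ("vuln_type_2", "associated_node_1"),
    "prompt_feature_2": ("vuln_type_2", "associated_node_1"),
    "attack_feature_4": ("vuln_type_2", "associated_node_2"),
    "attack_feature_5": ("vuln_type_2", "associated_node_2"),
    "prompt_feature_3": ("vuln_type_2", "associated_node_2"),
}

# Preset vulnerability database: (type, node) -> defense scheme, where a scheme maps
# each feature to its ordered defense sequence. The steps are constructed.
VULN_DB: Dict[Tuple[str, str], Dict[str, List[str]]] = {
    ("vuln_type_1", "network_node_1"): {
        "attack_feature_1": ["rate-limit source", "raise alarm"],
        "prompt_feature_1": ["lock account after threshold", "notify administrator"],
    },
    ("vuln_type_2", "associated_node_1"): {
        "attack_feature_2": ["isolate link to network_node_1"],
        "attack_feature_3": ["apply patch", "restart service"],
        "prompt_feature_2": ["reject malformed input"],
    },
    ("vuln_type_2", "associated_node_2"): {
        "attack_feature_4": ["drop traffic from attacker"],
        "attack_feature_5": ["quarantine node"],
        "prompt_feature_3": ["escalate monitoring level"],
    },
}

# Hazard level -> (continuous-monitoring period in seconds, monitoring level); constructed.
MONITORING_POLICY: Dict[str, Tuple[int, int]] = {"low": (600, 1), "medium": (3600, 2), "high": (86400, 3)}


def current_operation(seq: List[Observation], now: int) -> Optional[Observation]:
    """Latest observation on the time axis at or before `now` (None if nothing observed yet)."""
    past = [o for o in seq if o.t <= now]
    return max(past, key=lambda o: o.t) if past else None


def retrieve_defense(seq: List[Observation], now: int,
                     match_table=MATCH_TABLE, db=VULN_DB) -> Optional[dict]:
    """Match the attack operation at `now` to (type, node) and call its defense sequence."""
    op = current_operation(seq, now)
    if op is None or op.feature not in match_table:
        return None  # nothing observed yet, or a feature with no matching result
    vuln_type, node = match_table[op.feature]
    steps = db.get((vuln_type, node), {}).get(op.feature)
    if steps is None:
        return None  # matched, but the database holds no scheme for this case
    return {"t": op.t, "feature": op.feature, "vuln_type": vuln_type, "node": node, "defense": steps}


def post_defense_monitoring(hazard: str, node_secure: bool, link_secure: bool) -> dict:
    """Continuous monitoring after the defense: period and level follow the hazard
    level; release it once the node and its links meet the security element,
    otherwise scan the node again to find the fault reason."""
    period, level = MONITORING_POLICY[hazard]
    action = "release" if node_secure and link_secure else "rescan"
    return {"period": period, "level": level, "action": action}
```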
Other technical features are referred to the previous embodiments and will not be described here again.
Referring to fig. 3, the present invention further provides an embodiment of a situation-aware network vulnerability defense device 200, comprising the following structure:
a vulnerability scanning unit 201, configured to perform a vulnerability scanning operation on a network node and an associated network node, obtain attack feature information of the network vulnerability, and determine the network vulnerability types of the network node and the associated network node according to the attack feature;
The vulnerability impact determination unit 202 is configured to predict an impact range of the network vulnerability type on the network node and the associated network node based on the situation awareness system.
a vulnerability defense unit 203, configured to obtain the time-axis-based attack sequence executed by an attacker on the network node, and, based on the attack sequence and its time axis information, retrieve from the network vulnerability database of the preset situation awareness system the defense scheme matched to the network vulnerability type and the influence range information corresponding to the attack operation at the current time.
In addition, referring to fig. 4, the present invention further provides an embodiment of a situation-aware network vulnerability defense system 300, comprising:
the network node 301 is configured to transmit and receive data.
The situation awareness system 302 periodically detects network nodes with network vulnerabilities and performs security analysis on the log information of the network nodes.
The periodic detection may be configured with a detection time or a detection time period, and the detected items may include, but are not limited to, web page tamper resistance, abnormal process behavior, abnormal login, etc.
The log information of a network node refers to the event records generated during the operation of network equipment, systems, service programs and the like; each line of the log records the date, time, user, action and other related details of an operation. The log information of the network node includes, but is not limited to: the duration of the connection, the protocol type, the network service type of the target host, the status of the connection (normal or erroneous), the number of data bytes from the source host to the target host, the number of data bytes from the target host to the source host, the number of erroneous fragments, the number of urgent packets, whether the connection is from the same host, whether the same port is used, etc.
A system server 303, which connects the network node 301 and the situation awareness system 302.
The system server 303 is configured to: perform a vulnerability scanning operation on a network node and an associated network node, acquire attack characteristic information of the network vulnerability, and determine the network vulnerability types of the network node and the associated network node according to the attack characteristic; predict the influence range of the network vulnerability type on the network node and the associated network node based on the situation awareness system; and acquire the time-axis-based attack sequence executed by an attacker on the network node and, based on the attack sequence and its time axis information, call from the network vulnerability database of the preset situation awareness system the defense scheme matched to the network vulnerability type and the influence range information corresponding to the attack operation at the current time, in order to defend.
Other technical features are referred to the previous embodiments and will not be described here again.
In the above description, the components may be selectively and operatively combined in any number within the scope of the present disclosure. In addition, terms like "comprising," "including," and "having" should be construed by default as inclusive or open-ended, rather than exclusive or closed-ended, unless expressly defined to the contrary. All technical, scientific, or other terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Common terms found in dictionaries should not be too idealized or too unrealistically interpreted in the context of the relevant technical document unless the present disclosure explicitly defines them as such.
Although the exemplary aspects of the present disclosure have been described for illustrative purposes, those skilled in the art will appreciate that the foregoing description is merely illustrative of preferred embodiments of the invention and is not intended to limit the scope of the invention in any way, including additional implementations in which functions may be performed out of the order of presentation or discussion. Any alterations and modifications of the present invention, which are made by those of ordinary skill in the art based on the above disclosure, are intended to be within the scope of the appended claims.

Claims (7)

1. A situation-aware network vulnerability defense method is characterized by comprising the steps of,
performing a vulnerability scanning operation on a network node and an associated network node, acquiring attack characteristic information of the network vulnerability, and determining the network vulnerability types of the network node and the associated network node according to the attack characteristic information; the attack characteristic information further comprises prompt characteristic information corresponding to the attack characteristic information; when performing the vulnerability scanning operation on the network node and the associated network node, acquiring the attack characteristic information of the network vulnerability and the prompt characteristic information corresponding to the attack characteristic information, and determining the network vulnerability types of the network node and the associated network node according to the prompt characteristic information in the attack characteristic information; predicting the influence range of the network vulnerability type on the network node and the associated network node based on a situation awareness system; acquiring a time-axis-based attack sequence executed by an attacker on the network node, and, based on the attack sequence and according to its time axis information, calling from a network vulnerability database of a preset situation awareness system a defense scheme matched to the network vulnerability type and the influence range information corresponding to the attack operation at the current time, in order to defend;
after the matching result is obtained, calling the defense sequence corresponding to the attack characteristic from the defense scheme in the network vulnerability database of the preset situation awareness system to defend; after the defending operation is carried out, continuously monitoring the network node corresponding to the network vulnerability, and setting a time period and a monitoring level for the continuous monitoring, wherein the time period and the monitoring level are matched to the hazard level of the network vulnerability; when the network node and the communication connection between the network node and the associated network node satisfy the network security element, releasing the setting of the continuous monitoring; otherwise, performing vulnerability scanning on the network node again to obtain the cause of the fault.
2. The method of claim 1, wherein the data selected in the vulnerability scanning operation comprises a discovery time, a vulnerability name, a hazard level, an asset IP, a scanning task name, a data source, a status, a treatment priority, an operation.
3. The method of claim 1, wherein the network vulnerability types include buffer overflow, cross-site scripting, DOS attacks, scanning, SQL injection, trojan backdoors, virus worms, web attacks, botnets, cross-site request forgery, file containment, file reading, directory traversal attacks, sensitive information disclosure, brute force cracking, code execution vulnerabilities, command execution, weak password, upload exploitation, webshell exploitation, misconfiguration/error, logic/involvement error, unauthorized access/permission bypass, URL jump, protocol anomalies, phishing, malicious advertising, network spoofing, spyware, browser hijacking, keyboard logging, steal trojan, port scanning, black market tools, email, computer viruses, network worms, file downloading, permissions and access control, and Webshell upload.
4. The method of claim 1, wherein the predicted impact range includes network nodes corresponding to the network vulnerabilities and communication connections between the network nodes and associated network nodes.
5. The method of claim 1, wherein the fault handling is performed on the alarm information caused by the corresponding network vulnerability, and the fault handling includes defending the corresponding network vulnerability according to a preset vulnerability defense scheme.
6. A situation-aware network vulnerability defense apparatus comprising the method of any one of claims 1-5, characterized by comprising the structure:
the vulnerability scanning unit is used for performing vulnerability scanning operation on the network nodes and the associated network nodes, acquiring attack characteristic information of the network vulnerabilities, and determining the network vulnerability types of the network nodes and the associated network nodes according to the attack characteristics;
the vulnerability influence determining unit is used for predicting the influence range of the network vulnerability type on the network node and the associated network node based on the situation awareness system;
the vulnerability defense unit is used for acquiring a time-axis-based attack sequence executed by an attacker on the network node, and, based on the attack sequence and according to its time axis information, calling from a network vulnerability database of a preset situation awareness system a defense scheme matched to the network vulnerability type and the influence range information corresponding to the attack operation at the current time, in order to defend.
7. A situation-aware network vulnerability defense system comprising the method of any one of claims 1-5, comprising:
a network node for receiving and transmitting data;
the situation awareness system regularly detects network nodes with network vulnerabilities, and carries out security analysis on log information of the network nodes;
the system server is connected with the network node and the situation awareness system;
the system server is configured to: performing vulnerability scanning operation on a network node and an associated network node, acquiring attack characteristic information of the network vulnerability, and determining network vulnerability types of the network node and the associated network node according to the attack characteristic;
predicting the influence range of the network vulnerability type on the network node and the associated network node based on a situation awareness system;
acquiring a time-axis-based attack sequence executed by an attacker on the network node, and, based on the attack sequence and according to its time axis information, calling from a network vulnerability database of a preset situation awareness system a defense scheme matched to the network vulnerability type and the influence range information corresponding to the attack operation at the current time, in order to defend.
CN202111374774.7A 2021-11-19 2021-11-19 Situation-aware network vulnerability defense method, device and system Active CN114189360B (en)


Publications (2)

Publication Number Publication Date
CN114189360A CN114189360A (en) 2022-03-15
CN114189360B true CN114189360B (en) 2023-09-29

Family

ID=80602227



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant