CN114268446A - Data asset security assessment method, device and storage medium - Google Patents

Data asset security assessment method, device and storage medium

Info

Publication number
CN114268446A
Authority
CN
China
Prior art keywords
data
data asset
attack
evaluated
security
Prior art date
Legal status
Pending
Application number
CN202010969186.7A
Other languages
Chinese (zh)
Inventor
邓建锋
姚晓辉
王雪琼
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Priority date
Filing date
Publication date
Application filed by China Telecom Corp Ltd
Priority to CN202010969186.7A
Publication of CN114268446A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a data asset security assessment method, a data asset security assessment device and a storage medium. The method is used to evaluate the security of data assets transmitted among network nodes and comprises the following steps: obtaining information on the evaluated data asset; obtaining the set of network nodes associated with the evaluated data asset, where the network nodes include at least a server providing the evaluated data asset and an access node accessing at least a portion of it; acquiring the data diffusion state of the evaluated data asset, where the data diffusion state comprises at least a transmission path from the server to the access node; and determining the security of the evaluated data asset according to the attack cost for the server and the access node.

Description

Data asset security assessment method, device and storage medium
Technical Field
The present invention relates to a network information security technology, and more particularly, to a data asset security evaluation method, a data asset security evaluation device, and a storage medium.
Background
In conventional network threat assessment, the threat situation of a network device (e.g., a server in a local area network) is calculated by analyzing network node association (NNC), using information such as alarms, errors and vulnerabilities as raw data. Combining the importance of the service, of the host itself and of the organizational structure of the network system, several calculation methods have been proposed, for example a hierarchical quantitative evaluation model of the security threat situation that uses a bottom-up, local-first-then-overall evaluation strategy, together with a corresponding calculation method. Fig. 1 is a diagram illustrating a conventional network system for evaluating cyber threats. As shown in FIG. 1, hosts 243, 24, 251 are considered potential attack targets because vulnerable service software is installed on them (e.g., software for email, ftp (file transfer protocol), rpc (remote procedure call), telnet (remote login protocol), dns (domain name system), samba (server message block) and www (World Wide Web)).
Existing network threat assessment technology has the following problems: it studies the security of network hosts (or of information systems, e.g., system bugs and software bugs), mainly focusing on the threat produced once a host has general service software installed, and it does not study the security of data assets; it also preferentially analyzes attack behavior against general system service software.
In addition, conventional traffic analysis technology reduces unnecessary network connections by accurately identifying traffic and can thus avoid the risk of cyber attack. It extracts traffic data features, performs trend analysis and comparative analysis, and pays attention to access sources, user characteristics, keywords, trajectories and the like. This research improves the technical performance of network service traffic identification.
However, conventional traffic analysis technology has the following problems: it is mainly concerned with traffic information extraction; its main analysis targets are error information, the association between users and public data (goods and public knowledge), shopping carts and the like, which are only weakly related to the security of an enterprise's data asset information. Enterprise traffic analysis is biased toward finding network weak points and achieving high network availability, but it cannot study the security problem of data assets.
Disclosure of Invention
The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. It should be understood, however, that this summary is not an exhaustive overview of the invention. It is not intended to identify key or critical elements of the invention or to delineate the scope of the invention. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that is presented later.
A data asset refers to a data resource, such as file material or electronic data, that is owned or controlled by an enterprise, is recorded in physical or electronic form, and can bring future economic benefits to the enterprise. Data assets are also objects to be protected, and traffic analysis can reveal where the data assets go. However, the prior art cannot compute the overall security threat to data assets once they have spread. For example, existing software can crawl web page data directly, which may result in undesired objects gaining access to data assets (i.e., files, information, etc. that should be protected or restricted).
The invention provides a data asset security assessment method, a data asset security assessment device and a storage medium, which can master the threat situation of flowing data assets in real time and provide a basis for further improving information security protection.
According to an aspect of the present invention, there is provided a data asset security assessment method for assessing the security of a data asset transmitted in network nodes, comprising: obtaining information on the evaluated data asset; obtaining the set of network nodes associated with the evaluated data asset, wherein the network nodes include at least a server providing the evaluated data asset and an access node accessing at least a portion of the evaluated data asset; acquiring the data diffusion state of the evaluated data asset, wherein the data diffusion state comprises at least a transmission path from the server to the access node; and determining the security of the evaluated data asset according to the attack cost for the server and the access node.
In an embodiment of the present invention, determining the security of the evaluated data asset according to the attack cost for the access node and the server comprises: obtaining at least a subset of the set of network nodes, wherein a combination of network nodes in the subset provides full access to the evaluated data asset; calculating the minimum value of the sum of the attack costs of attacking all the network nodes in the subset as the attack cost corresponding to the subset; acquiring the minimum attack cost in the attack costs corresponding to each subset; and evaluating the security of the evaluated data asset according to the minimum attack cost.
In an embodiment of the present invention, calculating the minimum value of the sum of the attack costs to attack all the network nodes in the subset comprises: calculating the attack cost of each network node in the subset obtained by direct attack; calculating an attack cost for attacking one network node via another network node in the acquired subset; and planning an attack path so that the sum of attack costs for attacking all the network nodes in the acquired subset according to the attack path is the minimum value.
In an embodiment of the invention, calculating the attack cost of attacking one network node via another network node in the obtained subset is based on at least one of: vulnerability severity on the other network node; a degree of trust between the one network node and the another network node; a safeguard strength on the other network node; a degree of security of a communication link between the one network node and the another network node.
In an embodiment of the invention, the attack path of the network node is calculated based on Dijkstra's algorithm.
In an embodiment of the invention, the smaller the minimum attack cost, the lower the security of the evaluated data asset.
In an embodiment of the invention, the set of network nodes associated with the evaluated data asset and/or the data diffusion state of the evaluated data asset is obtained by traffic data collection.
In an embodiment of the invention, the traffic data collection is based on hypertext transfer protocol data parsing.
In an embodiment of the invention, the weight of the access node is determined according to a proportion of the evaluated data assets accessed by the access node.
In an embodiment of the invention, the attack cost comprises at least one of time, cost, technology of obtaining the data asset by unauthorized means.
According to another aspect of the present invention, there is provided a data asset security assessment apparatus for assessing the security of a data asset transmitted in network nodes, the apparatus comprising: a data asset information acquisition unit configured to acquire information on the evaluated data asset; a network node set acquisition unit configured to acquire the set of network nodes associated with the evaluated data asset, wherein the network nodes include at least a server providing the evaluated data asset and an access node accessing at least a portion of the evaluated data asset; a data diffusion state acquisition unit configured to acquire the data diffusion state of the evaluated data asset, wherein the data diffusion state comprises at least a transmission path from the server to the access node; and an evaluation unit configured to determine the security of the evaluated data asset according to the attack cost for the access node and the server.
According to still another aspect of the present invention, there is provided a data asset security assessment apparatus for assessing the security of a data asset transmitted in network nodes, the apparatus comprising: at least one processor; and a memory having stored thereon computer-executable instructions that, when executed by the at least one processor, cause the at least one processor to: obtain information on the evaluated data asset; obtain the set of network nodes associated with the evaluated data asset, wherein the network nodes include at least a server providing the evaluated data asset and an access node accessing at least a portion of the evaluated data asset; acquire the data diffusion state of the evaluated data asset, wherein the data diffusion state comprises at least a transmission path from the server to the access node; and determine the security of the evaluated data asset according to the attack cost for the server and the access node.
According to yet another aspect of the present invention, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the data asset security assessment method described above.
According to the embodiment of the invention, the threat situation of the flowing data assets can be mastered in real time, and a basis is provided for further improving information security protection.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings of the embodiments will be briefly described below, it being understood that the drawings described below relate only to some embodiments of the present invention and are not limiting thereof, wherein:
fig. 1 is a diagram illustrating a conventional network system for evaluating cyber threats.
FIG. 2 is an exemplary flow diagram of a method for data asset security assessment according to an embodiment of the present invention.
FIG. 3 is a more detailed exemplary block diagram of the data asset security assessment method shown in FIG. 2 according to an embodiment of the present invention.
FIG. 4(A) is the information obtained by http/https parsing; fig. 4(B) is a schematic diagram of request information in http/https parsing, and fig. 4(C) is a schematic diagram of return information in http/https parsing.
Fig. 5 is an illustration of a diffusion channel according to an embodiment of the present invention.
Fig. 6 is a weighted network graph serving as a data diffusion network graph according to an embodiment of the present invention.
FIG. 7 is an exemplary flow diagram of sub-steps of a data asset security assessment method according to the present invention.
Fig. 8(a) is an example of a sub-network diagram of a network node according to an embodiment of the invention, and fig. 8(B) is an example of another sub-network diagram of a network node according to an embodiment of the invention.
FIG. 9 is an exemplary flowchart of further sub-steps of a data asset security assessment method according to an embodiment of the present invention.
Fig. 10 is a minimum attack cost trend graph over time periods, according to an embodiment of the invention.
FIG. 11 is an exemplary block diagram of a data asset security assessment device according to an embodiment of the present invention.
FIG. 12 is an exemplary configuration of a computing device in which embodiments in accordance with the invention may be implemented.
Detailed Description
In order to make the technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present invention and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the described embodiments of the invention without any inventive step, also belong to the scope of protection of the invention.
The following embodiment of the invention provides a security threat assessment method for a flowing data asset by calculating a target node network graph of the flowing data asset of an enterprise application system through a flow analysis technology, combining a security threat calculation method of an enterprise network node and according to mathematical statistics of the graph and a network. The embodiment of the invention brings the data access node into the supervision range, calculates the maximum threat degree of the data assets flowing in the network in a specific time period, namely a possible attacker such as a hacker can steal the complete data assets at the minimum attack cost through the calculated attack path, can grasp the threat situation of the flowing data assets in real time, and provides a basis for further improving the information security protection.
FIG. 2 is an exemplary flow diagram of a method for data asset security assessment according to an embodiment of the present invention. The data asset security assessment method of the embodiment of the invention is used for assessing the security of data assets transmitted in network nodes and can comprise steps S31-S34.
As shown in fig. 2, in step S31, information of the evaluated data asset is acquired.
By way of example, a list of enterprise applications can be obtained via automated inventory/statistics of data assets, collecting the data interfaces published by the applications; these data interfaces (e.g., associated APIs) are the egress ports of the data assets and are objects that require close supervision. Assuming that there are m application systems (e.g., servers), the corresponding data interfaces may be represented as follows. The m system interfaces can be represented as {A1, A2, A3, ..., Am} (where, for example, A1 = {K11, K12, K13, ..., K1m}). A1 represents the interfaces that system 1 contains, while K11, ..., K1m represent the portions of the data asset content that flow out through those interfaces.
As shown in FIG. 2, in step S32, a set of network nodes associated with the evaluated data asset is obtained; wherein the network nodes include at least a server providing the evaluated data assets and an access node accessing at least a portion of the evaluated data assets.
In some embodiments, the set of network nodes associated with the evaluated data asset and/or the later-described data diffusion status of the evaluated data asset are obtained through traffic data collection.
In some embodiments, the traffic data collection is based on hypertext transfer protocol data parsing.
By way of example, the data assets being evaluated may be any selected portion of the data assets, such as some portion or all of the data provided by a particular interface, or a collection of portions or all of the data provided by multiple interfaces. A set of nodes that access the data interface (these nodes are the egress destination of the data asset for a certain period of time, are within regulatory scope, and are directly related to the security of the data asset) may be computed using traffic data collection techniques such as bypass traffic collection, http/https parsing.
For example, it may be found that there are n access source nodes in the system during a certain time period: n1, n2, n3, .... For example, in a network, n4 serves as a server providing one interface 1 (which may be denoted A1). Through traffic analysis, it can be known which access source nodes access this interface; for example, n1 may have accessed interface 1. It is further known which data portions provided by this interface (e.g., a certain contract record represented by K11) were queried by n1.
As shown in fig. 2, in step S33, the data diffusion state of the evaluated data asset is acquired; the data diffusion state comprises at least a transmission path from the server to the access node.
From such a diffusion state, information relating to safety can also be known. For example, it is possible to know the respective nodes that can acquire the evaluated data asset because they are on the path of data forwarding/transmission of the evaluated data asset.
The data diffusion state will be described in detail with reference to fig. 5 and 6 described later.
As shown in fig. 2, in step S34, the security of the evaluated data asset is determined according to the attack cost for the access node and the server.
Regarding the attack cost, it will be described in detail by fig. 6 to 10 described later.
According to an embodiment of the present invention, it is proposed to evaluate security of a data asset based on information of a server providing a data asset access interface, an access node currently capable of accessing the data asset, and the like, with respect to the security evaluation of the data asset. The problem that the security evaluation obtained by only carrying out static evaluation on the server and the like cannot correctly reflect the security of the data asset is solved.
FIG. 3 is a more detailed exemplary block diagram of the data asset security assessment method shown in FIG. 2 according to an embodiment of the present invention.
As shown in fig. 3, some further exemplary details are given for the steps shown in fig. 2. In particular, a flowing data asset may be data information that flows from a server to a client or the like. For example, if a source node (client) wants to access human resources information and obtains a piece of it, that piece of human resources information is the flowing data asset in the embodiment of the present invention. Flow data detection can show in detail how data assets flow, e.g., in which data packet they are sent out and to which source node or nodes. With this information, the range, frequency and size of data asset usage can be determined/evaluated. The range may be which specific kinds of data asset interfaces are accessed, the frequency the number of times the data asset is accessed, and the size the amount of data accessed. If one or more of the range, frequency and size has a large value, the risk may be high.
As shown in FIG. 3, the step of obtaining information on the evaluated data asset in step S31 may be a process of automatically inventorying enterprise assets; in such a process, application system assets are collected first, then the data asset interfaces are extracted, and the flowing data asset catalog is summarized. Extracting the data asset interfaces may consist in evaluating which data assets the server opens to other network nodes.
In the step of acquiring the set of network nodes in step S32, a traffic collection and analysis tool may be applied to perform traffic data detection. http/https data parsing may be used to discover which external hosts have accessed these valuable data asset interfaces.
Through these two measures, the analysis basis, namely the protected object (the flowing data asset) and the data access range/frequency/quantity, is obtained, and a relational network diagram of the data asset servers and the access nodes is drawn.
Then, in the step of obtaining the data diffusion status of the evaluated data assets of step S33, a data diffusion network graph may be calculated based on graph theory. In the step of determining the security of the evaluated data assets of step S34, a network graph of the streaming data threat may be computed, obtaining a minimum attack cost. The minimum attack cost may refer to a minimum cost (e.g., by a hacker or the like) to obtain the data asset by unauthorized means. For example, it may be a cost of attacking a server providing the data asset, or it may be an attack cost required to attack/control a network node having access to the data asset. Such an attack cost can be used to directly represent the security of the data asset. For example, the smaller the attack cost, the lower the security of the data asset; the higher the cost of the attack, the higher the security of the data asset.
Figs. 4(A), 4(B) and 4(C) are exemplary diagrams of the interface interaction information of system applications related to data assets, filtered out of the intranet flow data acquisition process according to an embodiment of the present invention. For example, http/https parse information is shown in fig. 4(A), request information in fig. 4(B) and return information in fig. 4(C). In fig. 4(A), the request web address, request method, query parameters, remote address and similar request information are shown. In figs. 4(B) and 4(C), key information such as a user name and a network address is shown as the requested information.
It should be appreciated that any parsing tool/software may be used to implement the above-described parsing of http/https information. The specific data extracted and analyzed and the manner thereof are not particularly limited, as long as the relevant information interfaces of which network nodes access the data assets of interest can be obtained.
In some embodiments, the access node's weight may also be determined based on the proportion of the evaluated data assets accessed by the access node.
As an example, the data interface content range (i.e., the information protection range) is computed as a weight for the threat computation on the network graph. The weights are relative to the content of the overall data asset. For example, the data flowing from n4 to n1 may account for one tenth of the total data assets: if the total data assets are divided into ten shares, one share may leak from n4 to n1. Accordingly, for a given access node, the more data it may leak, the higher its risk, and the more attention it needs.
Fig. 5 is an illustration of a diffusion channel according to an embodiment of the present invention. Fig. 6 is a weighted network graph serving as a data diffusion network graph according to an embodiment of the present invention.
In the network shown in fig. 5, the data asset security assessment method provided by the embodiment of the invention shown in fig. 2 and fig. 3 can be implemented.
As shown in fig. 5, the exemplary network includes a database server (n4), an SFTP (Secure File Transfer Protocol) server (n5) and a WEB server (n6). n4 provides an interface 1 which may provide data parts K11, K12, K13, K14, K22. n5 provides an interface 2 which may provide data parts K21, K22, K23. n6 provides an interface 3 which may provide data parts K36, K37, K23. It should be understood that different servers may also provide the same data part.
In a certain production network there is an access source 2 (n1) which has accessed the data parts K21 from n5 and K36 from n6. In a certain data center there is an access source 3 (n2) which has accessed the data parts K21 from n5 and K12 from n4. In a certain management network there is an access source 1 (n3) which has accessed the data parts K12 and K13 from n4 and K37 from n6.
As shown in fig. 6, the network structure of fig. 5 is organized/simplified according to the methods shown in figs. 2 and 3, and a data diffusion network graph for evaluating security is obtained. The data diffusion network graph can be obtained by further combining the weight values.
The access sources are n1, n2 and n3, and the servers are n4, n5 and n6. According to the data flow direction, a diffusion state is obtained. For example, L11 represents the set of data assets that node n1 accesses on server n6; L11 is a subset of A3. R1 to R6 are the minimum costs of breaching n1, n2, n3, n4, n5 and n6, respectively.
As another example, returning to fig. 5, data assets K11, K12, K13, K14 and K22 flow out of interface 1 of the database server n4, and access source 1 (access node n3) accesses data assets K12, K13 and K37. In fig. 6, L33 may represent K12 and K13, and L31 may represent K37.
As an example, on the basis of the data diffusion network graph shown in fig. 6, a network node threat degree calculation method is applied to calculate the cost of breaching a network node or a collection of network nodes (data threat network graph).
It should be appreciated that the cost at which a network node may be breached may be assessed in various ways. For example, as a simple example, a security vulnerability of software installed by the network node itself may be considered, which may be easily implemented by a vulnerability scanning or like tool. The more security holes, or the more easily some of them are exploited by hackers or other attackers (e.g., existing attack tools exist, etc.), the less costly the network node is to attack. Furthermore, the hardware security of the network node, or the security of the communication line connected to the network may be considered.
In the following more specific embodiments, the abnormal behavior hidden in the intranet can be analyzed by studying complex network channels in the data service network, monitoring the access dynamics of the application interface through the flow data, and evaluating the possible attack cost/threat degree in more detail.
The attack cost may be the cost an external attacker has to pay to compromise the network node. For example, node n1 may contain 5 units of data assets, but the machine is well protected and a hacker would have to copy the data manually inside the company, so the attack cost is very high and a hacker carrying out such actions is very likely to be caught directly. In contrast, another node (host computer) also contains 5 units of data assets, but this machine is reachable from the external network. If the data asset is accessed by an employee over the extranet, the employee also has the data asset on a computer that can be taken outside the company and may not receive software updates in time, so it can easily leak to undesired parties (e.g., hackers). The two cases have different threat levels, i.e., different security, with respect to data asset leakage.
Specifically, some of the calculations can be expressed using the following equations in general terms:
[equation image BDA0002683438520000111, not reproduced on this page]
Tn represents the total cost of a certain node n being breached, where Rin represents the cost of breaching node n from node i.
In the specific calculation, weights under different rights and the like can be considered. For example, more specifically, the following formula (1) can be used for calculation:
A(i, j) = a1*R1(i, j) + a2*R2(i, j) + a3*R3(i, j) + a4*R4(i, j) + a5*R5(i, j) + a6*R6(i, j).
A(i, j) is the attack cost from node i to node j, i.e., the security threat metric value; ai is the share of the attack cost of access source network node i under the different rights (the weight of each right), with a1 + a2 + a3 + a4 + a5 + a6 = 1; Ri(i, j) is the threat metric value, i.e., the attack cost, of access source i against j under the different rights.
That is, the attack cost may be the total cost (including time, money, technology, etc.) that an attacker who has successfully compromised network node i needs in order to compromise node j from i. In network information systems, A(i, j) is generally determined by 4 main influencing factors: (1) the severity H(j) of the vulnerabilities on node j; (2) the degree of trust W(i, j) between nodes i and j; (3) the strength C(j) of the protective measures on node j; and (4) the security degree L(i, j) of the communication link between nodes i and j.
Corresponding grade scoring standards are made for the above 4 factors. H(j) is measured by the severity of the technical or management vulnerabilities present on the node; W(i, j) is measured by the strength of the access relationship between the nodes, e.g., whether node i is on the white list of node j; C(j) is measured by the effectiveness of the security measures (such as intrusion detection, access control, etc.) implemented on the node; L(i, j) is measured by the shareability of the link, whether it is easily wiretapped, whether VPN (virtual private network) authentication is employed, and the like.
The above 4 factors are taken as attributes of the attack cost and converted into a utility value of the attack cost, calculated by the following formula (2): R(i, j) = α U(H(j)) + β U(W(i, j)) + η U(C(j)) + λ U(L(i, j)). By this method, the threat value of the data service can be obtained. α, β, η, λ represent different weights. U denotes an arbitrary functional relationship used for the conversion, such as a multiplication or the like.
As shown in fig. 5 and 6, the access sources are n1, n2, n3; the data servers are n4, n5 and n6. n1 contains a running set of data assets L11, L12; n2 contains a running set of data assets L22, L23; n3 contains a running set of data assets L31, L33. Suppose that the attack costs of n1, n2, n3 themselves are 1, 2, 3, and the attack costs of n4, n5, n6 themselves are 2, 2, 2. Further, according to the attack cost calculation method, the network graph may be represented as a weighting matrix as shown in the following table (1):
[Table (1): weighting matrix of attack costs (provided as an image in the original document)]
the attack cost of each node itself and the attack cost of attacking one node from another are shown in table (1).
Then, in some embodiments, the attack path of the network node may be calculated based on graph theory, in particular based on dijkstra's algorithm.
As an example, the attack path of a certain network node may be calculated according to the data flooding network diagram shown in fig. 6. For example, the attack paths for n1 are: the path n1, attacking n1 itself; the path ni -> n1, breaking n1 from ni; the path ni -> nj -> n1, breaking n1 from ni through nj (i, j ∈ [2, 6], i ≠ j); the path ni -> nj -> nk -> n1, breaking n1 from ni through nj and nk (i, j, k ∈ [2, 6], i ≠ j ≠ k); the path ni -> nj -> nk -> nm -> n1, breaking n1 from ni through nj, nk and nm (i, j, k, m ∈ [2, 6], i ≠ j ≠ k ≠ m); and the path ni -> nj -> nk -> nm -> nn -> n1, breaking n1 from ni through nj, nk, nm and nn (i, j, k, m, n ∈ [2, 6], i ≠ j ≠ k ≠ m ≠ n).
As can be seen from the weighting matrix in table (1) and from table (2), the attack cost of the path n1, attacking n1 itself, is 1; the attack costs of the paths ni -> n1 attacking n1 from ni (n2, n3, n4, n5, n6) are 3, 4, 5, 5, 5; an example of the attack cost of a path ni -> nj -> n1 breaking n1 from ni through nj is n3 -> n2 -> n1: 3 (n3 itself) + 5 (n3 -> n2) + 3 (n2 -> n1). According to the above calculation, the attack paths of the access sources n1, n2, n3 and their attack costs can be shown in the following table (2).
[Table (2): attack paths of the access sources n1, n2, n3 and their attack costs (provided as an image in the original document)]
FIG. 7 is an exemplary flow diagram of sub-steps of a data asset security assessment method according to the present invention.
Since a large number of interconnected network nodes exist in a typical network, there may be various combinations of access source nodes even for the same data asset, and the attack costs of these combinations differ. Evaluating only some node combinations individually may not be comprehensive. Thus, a further method is provided below as an example, so that more node combinations can be evaluated and compared as comprehensively as possible.
In some embodiments, as shown in fig. 7, step S34 may include steps S341 to S344.
As shown in fig. 7, in step S341, at least a subset of the set of network nodes is obtained, wherein the combination of network nodes in the subset provides full access to the evaluated data assets.
In step S342, the minimum value of the sum of the attack costs for attacking all the network nodes in the subset is calculated as the attack cost corresponding to the subset.
In step S343, the minimum attack cost among the attack costs corresponding to each subset is acquired.
As an example, the minimum values of the sums of the attack costs of all network nodes in the respective subsets may be compared, and the smallest of them is taken as the minimum attack cost among the attack costs corresponding to the subsets.
In step S344, the security of the evaluated data asset is evaluated according to the minimum attack cost.
An attacker can obtain the complete flowing data asset at the minimum attack cost; that is, the minimum attack cost can serve as the measure of the maximum security threat to the flowing data asset.
In some embodiments, the smaller the minimum attack cost, the lower the security of the data asset being evaluated.
By strengthening protection along the maximum-threat attack path of the data asset, the security weak point in the network can be effectively repaired and the security protection target achieved.
In this way, the subset of nodes with the minimum attack cost, i.e. with the maximum threat, can be found as far as possible, so that the risk degree of the data asset can be evaluated more accurately and the security measures of the nodes upgraded in a more targeted manner.
Fig. 8(a) is an example of a sub-network diagram of a network node according to an embodiment of the invention, and fig. 8(B) is an example of another sub-network diagram of a network node according to an embodiment of the invention.
As shown in fig. 5 and fig. 8(a), it is assumed that the access sources n1, n2 can access the data assets (e.g., all or a part of L11, L12, L22, L23) provided on the servers n4, n5, n6 that need to be evaluated, and thus the access sources n1, n2 constitute a subset. As shown in fig. 5 and fig. 8(B), it is assumed that the access sources n1, n3 can also access the data assets to be evaluated (e.g., all or a part of L11, L12, L31, L33) provided on the servers n4, n5, n6, and that the same portions to be evaluated are included in (L11, L12, L22, L23) and (L11, L12, L31, L33). Thus, the access sources n1, n3 also constitute a subset.
The attack costs for these subsets will be further calculated and evaluated.
FIG. 9 is an exemplary flowchart of further sub-steps of a data asset security assessment method according to an embodiment of the present invention. As shown in fig. 9, step S342 may include steps S3421-S3423.
As shown in fig. 9, in step S3421, the attack cost of directly attacking each network node in the acquired subset is calculated; in step S3422, an attack cost of attacking one network node via another network node in the acquired subset is calculated; in step S3423, an attack path is planned such that the sum of attack costs for attacking all network nodes in the acquired subset according to the attack path is a minimum value.
For example, let L11, L12, L22, L23 contain the full flowing data asset, and let the access sources n1, n2 make up a subset. As can be seen from the attack paths and corresponding attack costs of the sub-network graph of this subset shown in table (2), the attack cost of directly attacking the access source n1 is 1, the attack cost of attacking n1 from n2 is 3, and the attack cost of attacking n1 from n3 is 4; the attack cost of directly attacking the access source n2 is 2, the attack cost of attacking n2 from n1 is 4, and the attack cost of attacking n2 from n3 is 5. Thus, the minimum of the sum of the attack costs of access source n1 and access source n2 in the sub-network graph is calculated as MIN(n1 + n2) = 3. An attacker can reach all of the flowing data assets at a cost of only 3. MIN(n1 + n3) for the subset of n1 and n3 can be calculated in the same manner. Afterwards, MIN(n1 + n2) and MIN(n1 + n3) may be further compared.
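The following Python sketch is an added illustration of the scheme described above (not the patent's own code): it implements the conversion of formula (2), the attack-path cost of table (2), the Dijkstra-based cheapest attack path (steps S3421 to S3423) and the subset comparison (steps S341 to S344). The self costs and the edges into n1 and n2 are the values stated on the page; every other edge weight, the factor grades, the choice of U as the identity and the α, β, η, λ weights are constructed assumptions.

```python
"""Attack-cost model, Dijkstra attack path and minimum-cost subset search.

Added illustration of the patent's scheme, not the patent's own code.  Self
costs and the edges into n1 and n2 are the values stated on the page; every
other edge weight, the factor grades and the alpha/beta/eta/lambda weights
are constructed assumptions.
"""
import heapq
from itertools import permutations

INF = float("inf")

# Attack cost of each node itself (page values: n1..n6 = 1, 2, 3, 2, 2, 2).
SELF_COST = {"n1": 1, "n2": 2, "n3": 3, "n4": 2, "n5": 2, "n6": 2}

# a(i, j): cost of attacking node j from an already compromised node i.
EDGE_COST = {
    # stated on the page (table (2) discussion)
    ("n2", "n1"): 3, ("n3", "n1"): 4, ("n4", "n1"): 5, ("n5", "n1"): 5,
    ("n6", "n1"): 5, ("n1", "n2"): 4, ("n3", "n2"): 5,
    # constructed placeholder values for the remaining edges
    ("n1", "n3"): 6, ("n2", "n3"): 5, ("n4", "n2"): 6, ("n5", "n3"): 6,
    ("n6", "n3"): 6, ("n1", "n4"): 5, ("n2", "n5"): 5, ("n3", "n6"): 5,
}


def utility_cost(h, w, c, l, alpha=0.25, beta=0.25, eta=0.25, lam=0.25):
    """Formula (2) with U as the identity: R(i,j) = aH(j) + bW(i,j) + eC(j) + lL(i,j).
    Factors are assumed graded in [0, 10], higher meaning more attacker effort."""
    return alpha * h + beta * w + eta * c + lam * l


def dijkstra(nodes, edge_cost, start):
    """Shortest attack costs from `start` ({node: initial cost}) over a(i, j)."""
    adj = {n: [] for n in nodes}
    for (i, j), w in edge_cost.items():
        adj[i].append((j, w))
    dist = {n: INF for n in nodes}
    prev = {n: None for n in nodes}
    heap = [(c, n) for n, c in start.items()]
    dist.update(start)
    heapq.heapify(heap)
    done = set()
    while heap:
        c, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, w in adj[u]:
            if c + w < dist[v]:
                dist[v], prev[v] = c + w, u
                heapq.heappush(heap, (c + w, v))
    return dist, prev


def path_cost(self_cost, edge_cost, path):
    """Cost of an explicit path, e.g. n3 -> n2 -> n1 = 3 + 5 + 3 as on the page."""
    return self_cost[path[0]] + sum(edge_cost[a, b] for a, b in zip(path, path[1:]))


def cheapest_attack_path(self_cost, edge_cost, target):
    """Step S3422: cheapest path that breaks `target`; the attacker may enter the
    network at any node for that node's own cost, then follow a(i, j) edges."""
    dist, prev = dijkstra(list(self_cost), edge_cost, dict(self_cost))
    path, n = [], target
    while n is not None:
        path.append(n)
        n = prev[n]
    return dist[target], path[::-1]


def subset_attack_cost(self_cost, edge_cost, subset):
    """Steps S3421-S3423: minimum total cost of compromising every node of the
    subset.  Each node is taken directly or via the cheapest route from a node
    compromised earlier; trying every order is exact for these small subsets."""
    reach = {u: dijkstra(list(self_cost), edge_cost, {u: 0})[0] for u in subset}
    best = INF
    for order in permutations(subset):
        total, taken = 0, []
        for n in order:
            via = min((reach[t][n] for t in taken), default=INF)
            total += min(self_cost[n], via)
            taken.append(n)
        best = min(best, total)
    return best


def minimum_attack_cost(self_cost, edge_cost, subsets):
    """Steps S343-S344: the smallest subset cost is the maximum-threat measure."""
    return min((subset_attack_cost(self_cost, edge_cost, s), s) for s in subsets)
```

With the page's values, `subset_attack_cost(SELF_COST, EDGE_COST, ("n1", "n2"))` reproduces MIN(n1 + n2) = 3; raising the self cost of n1 (hardening it) makes the cheapest path to n1 shift to n2 -> n1, which is the effect the text describes for strengthening the maximum-threat path.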
Fig. 10 is a minimum attack cost trend graph over time periods, according to an embodiment of the invention. The corresponding minimum attack cost and the attack path sampling at different time points are shown in the following table (3).
[Table (3): minimum attack cost and sampled attack path at different time points (provided as images in the original document)]
In this manner, the security of the data asset may be dynamically assessed. That is, the security of the data asset can be reevaluated at any time according to changes in the network node currently accessing the data asset (changes in the node itself, changes in the access path, etc.). This may provide more accurate security information and facilitate targeted measures to improve security.
According to the embodiments of the present invention, the present invention has the following advantages and effects with respect to the related art. The related art evaluates the security of hosts, networks and data after the system is deployed; such evaluation is static, does not consider the threat caused by the spread of data assets to other clients, and cannot be used to evaluate the security threat to flowing data assets.
FIG. 11 is an exemplary block diagram of a data asset security assessment device according to an embodiment of the present invention.
In some embodiments, the apparatus 1100 may include a processing circuit 1110. The processing circuitry 1110 of the device 1100 provides various functions for the device 1100. In some embodiments, the processing circuitry 1110 of the apparatus 1100 may be configured to perform the data asset security assessment method described above with reference to fig. 2.
Processing circuit 1110 may refer to various implementations of digital circuitry, analog circuitry, or mixed-signal (a combination of analog and digital) circuitry that perform functions in a computing system. The processing circuitry may include, for example, circuitry such as an Integrated Circuit (IC), an Application Specific Integrated Circuit (ASIC), portions or circuits of an individual processor core, an entire processor core, an individual processor, a programmable hardware device such as a Field Programmable Gate Array (FPGA), and/or a system including multiple processors.
In some embodiments, processing circuitry 1110 may include data asset information acquisition unit 1120, network node set acquisition unit 1130, data flooding state acquisition unit 1140, and evaluation unit 1150.
A data asset information acquisition unit 1120 configured to acquire information of an evaluated data asset; a network node set acquisition unit 1130 configured to acquire a set of network nodes associated with the evaluated data assets; wherein the network nodes include at least a server providing the evaluated data assets and an access node accessing at least a portion of the evaluated data assets; a data diffusion state acquisition unit 1140 configured to acquire a data diffusion state of the evaluated data assets; the data diffusion state at least comprises a transmission path from the server to the access node; an evaluation unit 1150 configured to determine the security of the evaluated data assets according to the attack cost for the server, the access node. The modules 1120-1140 may be configured to perform the steps S31-S34 of the data asset security assessment method shown in FIG. 2.
In some embodiments, the apparatus 1100 may also include a memory (not shown). The memory of the device 1100 may store information generated by the processing circuitry 1110 as well as programs and data for operation of the device 1100. The memory may be volatile memory and/or non-volatile memory. For example, memory may include, but is not limited to, Random Access Memory (RAM), Dynamic Random Access Memory (DRAM), Static Random Access Memory (SRAM), Read Only Memory (ROM), and flash memory. Additionally, the apparatus 1100 may be implemented at a chip level, or may also be implemented at a device level by including other external components.
It should be understood that the above modules are merely logic modules divided according to the specific functions implemented by the modules, and are not used for limiting the specific implementation manner. In actual implementation, the above modules may be implemented as separate physical entities, or may also be implemented by a single entity (e.g., a processor (CPU or DSP, etc.), an integrated circuit, etc.).
The data asset security assessment device provided by the embodiment of the invention and the data asset security assessment method provided by the embodiment of the invention belong to the same inventive concept; the device can execute the data asset security assessment method provided by any embodiment of the invention and has the corresponding functional modules and beneficial effects of that method. For technical details not described in detail in the embodiment of the device, reference may be made to the data asset security assessment method provided in the embodiments of the present invention, which is not repeated here.
FIG. 11 illustrates an exemplary configuration of a computing device 1200 in which embodiments in accordance with the invention may be implemented. Computing device 1200 is an example of a hardware device in which the above-described aspects of the invention may be applied. Computing device 1200 may be any machine configured to perform processing and/or computing. Computing device 1200 may be, but is not limited to, a workstation, a server, a desktop computer, a laptop computer, a tablet computer, a Personal Data Assistant (PDA), a smart phone, an in-vehicle computer, or a combination thereof.
FIG. 12 is an exemplary configuration of a computing device in which embodiments in accordance with the invention may be implemented.
As shown in fig. 12, computing device 1200 may include one or more elements that may be connected to or communicate with bus 1202 via one or more interfaces. The bus 1202 may include, but is not limited to, an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an enhanced ISA (eisa) bus, a Video Electronics Standards Association (VESA) local bus, a Peripheral Component Interconnect (PCI) bus, and the like. Computing device 1200 may include, for example, one or more processors 1204, one or more input devices 1206, and one or more output devices 1208. The one or more processors 1204 may be any kind of processor and may include, but are not limited to, one or more general-purpose processors or special-purpose processors (such as special-purpose processing chips). The processor 1204 may be configured to implement the functions of the modules of the data asset security assessment apparatus of the present invention, for example. Input device 1206 may be any type of input device capable of inputting information to a computing device and may include, but is not limited to, a mouse, a keyboard, a touch screen, a microphone, and/or a remote control. Output device 1208 can be any type of device capable of presenting information and can include, but is not limited to, a display, speakers, a video/audio output terminal, a vibrator, and/or a printer.
The computing device 1200 may also include or be connected to a non-transitory storage device 1214, which may be any non-transitory device capable of storing data, and may include, but is not limited to, a disk drive, an optical storage device, a solid state memory, a floppy disk, a flexible disk, a hard disk, a magnetic tape or any other magnetic medium, a compact disk or any other optical medium, a cache memory, and/or any other memory chip or module, and/or any other medium from which a computer may read data, instructions and/or code. Computing device 1200 may also include Random Access Memory (RAM) 1210 and Read Only Memory (ROM) 1212. The ROM 1212 may store programs, utilities or processes to be executed in a non-volatile manner. The RAM 1210 may provide volatile data storage and store instructions related to the operation of the computing device 1200. Computing device 1200 may also include a network/bus interface 1216 coupled to a data link 1218. Network/bus interface 1216 may be any kind of device or system capable of enabling communication with external apparatuses and/or networks, and may include, but is not limited to, a modem, a network card, an infrared communication device, a wireless communication device, and/or a chipset (such as Bluetooth™ devices, 802.11 devices, WiFi devices, WiMax devices, cellular communication facilities, etc.).
It should be appreciated that reference throughout this specification to "an embodiment" or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases "in embodiments of the invention" and similar language throughout this specification do not necessarily all refer to the same embodiment.
In addition, those skilled in the art will appreciate that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing associated hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk, an optical disk, or the like.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.

Claims (13)

1. A data asset security assessment method for assessing the security of data assets transmitted in a network node, comprising:
obtaining information of the evaluated data assets;
obtaining a set of the network nodes associated with the evaluated data assets; wherein the network nodes include at least a server providing the evaluated data assets and an access node accessing at least a portion of the evaluated data assets;
acquiring a data diffusion state of the evaluated data asset; wherein the data flooding state comprises at least a transmission path from the server to the access node;
determining the security of the evaluated data asset according to the attack cost aiming at the server and the access node.
2. The data asset security assessment method of claim 1, wherein determining the security of the assessed data asset in accordance with an attack cost for the access node, the server, comprises:
obtaining at least a subset of the set of network nodes, wherein a combination of network nodes in the subset provides full access to the evaluated data asset;
calculating the minimum value of the sum of the attack costs of attacking all the network nodes in the subset as the attack cost corresponding to the subset;
acquiring the minimum attack cost in the attack costs corresponding to each subset; and
evaluating the security of the evaluated data asset according to the minimum attack cost.
3. The data asset security assessment method of claim 2, wherein calculating the minimum of the sum of the attack costs to attack all network nodes in the subset comprises:
calculating the attack cost of directly attacking each network node in the obtained subset;
calculating an attack cost for attacking one network node via another network node in the acquired subset;
and planning an attack path so that the sum of attack costs for attacking all the network nodes in the acquired subset according to the attack path is the minimum value.
4. The data asset security assessment method of claim 3, wherein calculating the attack cost of attacking one network node via another network node in the obtained subset is based on at least one of:
vulnerability severity on the other network node;
a degree of trust between the one network node and the another network node;
a safeguard strength on the other network node;
a degree of security of a communication link between the one network node and the another network node.
5. The data asset security assessment method of claim 3,
and calculating the attack path of the network node based on the Dijkstra algorithm.
6. The data asset security assessment method of claim 1,
the smaller the minimum attack cost, the lower the security of the evaluated data asset.
7. The data asset security assessment method of claim 1,
obtaining, by traffic data collection, the set of network nodes associated with the evaluated data asset and/or obtaining a data diffusion status of the evaluated data asset.
8. The data asset security assessment method of claim 7,
the traffic data collection is based on hypertext transfer protocol data parsing.
9. The data asset security assessment method of claim 1,
determining a weight of the access node as a function of a proportion of the assessed data assets accessed by the access node.
10. The data asset security assessment method of claim 1,
the attack cost includes at least one of the time, cost and technology required to obtain the data asset by unauthorized means.
11. A data asset security assessment apparatus for assessing the security of a data asset transmitted in a network node, the data asset security assessment apparatus comprising:
a data asset information acquisition unit configured to acquire information of an evaluated data asset;
a network node set acquisition unit configured to acquire the set of network nodes associated with the evaluated data assets; wherein the network nodes include at least a server providing the evaluated data assets and an access node accessing at least a portion of the evaluated data assets;
a data diffusion state acquisition unit configured to acquire a data diffusion state of the evaluated data asset; wherein the data flooding state comprises at least a transmission path from the server to the access node; and
an evaluation unit configured to determine security of the evaluated data asset according to an attack cost for the access node, the server.
12. A data asset security assessment apparatus for assessing the security of a data asset transmitted in a network node, the data asset security assessment apparatus comprising:
at least one processor;
a memory having stored thereon computer-executable instructions that, when executed by the at least one processor, cause the at least one processor to:
obtaining information of the evaluated data assets;
obtaining a set of the network nodes associated with the evaluated data assets; wherein the network nodes include at least a server providing the evaluated data assets and an access node accessing at least a portion of the evaluated data assets;
acquiring a data diffusion state of the evaluated data asset; wherein the data flooding state comprises at least a transmission path from the server to the access node;
determining the security of the evaluated data asset according to the attack cost aiming at the server and the access node.
13. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the data asset security assessment method according to any one of claims 1 to 10.
CN202010969186.7A 2020-09-15 2020-09-15 Data asset security assessment method, device and storage medium Pending CN114268446A (en)
Publications (1)

Publication Number Publication Date
CN114268446A true CN114268446A (en) 2022-04-01
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination