CN114301647A - Prediction defense method, device and system for vulnerability information in situation awareness - Google Patents


Info

Publication number: CN114301647A
Authority: CN (China)
Prior art keywords: network, vulnerability, information, attack, defense
Legal status: Granted (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN202111561939.1A
Other languages: Chinese (zh)
Other versions: CN114301647B (en)
Inventors: 罗伟, 杨腾霄, 严涛
Current assignee: Shanghai Niudun Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Shanghai Niudun Technology Co ltd
Priority date:
Filing date:
Publication date:
Events: application filed by Shanghai Niudun Technology Co ltd; priority to CN202111561939.1A; publication of CN114301647A; application granted; publication of CN114301647B; legal status currently active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a method, a device and a system for predicting and defending vulnerability information in situation awareness, and relates to the technical field of network security. The method comprises the following steps: performing vulnerability scanning on the network environment to which a network node belongs to obtain network vulnerability information, where the network nodes include target nodes having network vulnerabilities; determining the type of the network vulnerability; judging whether other target nodes in the network environment of the target node have the same type of network vulnerability; and if so, acquiring all target nodes with that type of network vulnerability, analyzing their security information together to predict the attack steps corresponding to the network vulnerability, and giving the corresponding predicted defense steps. The network vulnerability information of a target node is obtained through vulnerability scanning, and network vulnerabilities of the same type across the network environment are collected and analyzed together, so that global prediction and defense of the network environment against that type of vulnerability is achieved and the network resource waste caused by repeated vulnerability scanning is avoided.

Description

Prediction defense method, device and system for vulnerability information in situation awareness
Technical Field
The invention relates to the technical field of network security, in particular to a prediction defense method for vulnerability information in situation awareness.
Background
A network vulnerability is a defect in hardware, software, the specific implementation of a protocol, or a system security policy that enables an attacker to access or destroy a system without authorization. It exists in computer network systems and can cause damage to any component of the system and to its data.
In the prior art, network vulnerability information in a network can be obtained through vulnerability scanning operation, and the network vulnerability information is processed, analyzed and predicted through a situation awareness system, so that the attack path, attack mode and other operations of an attacker attacking the network vulnerability are predicted, and corresponding prediction defense operation is provided.
However, in practice attackers are increasingly sophisticated and exploit the network vulnerabilities of several network devices in combination, which leads to breaches of network security. A defender against network attacks therefore needs to consider the device security of the whole network comprehensively in order to achieve global network security.
Therefore, a method, a device and a system for predicting and defending vulnerability information in situation awareness are urgently needed: the network vulnerability information of a target node is obtained through vulnerability scanning, and network vulnerabilities of the same type across the network environment are collected and analyzed together, so that global prediction and defense of the network environment against that type of vulnerability is achieved and the network resource waste caused by repeated vulnerability scanning is avoided.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a method, a device and a system for predicting and defending vulnerability information in situation awareness, which perform vulnerability scanning on the network environment to which network nodes belong to obtain network vulnerability information; the network nodes comprise target nodes with network vulnerabilities in the network environment; the network vulnerability information comprises the security information of the target node; the security information comprises the feature information of the network vulnerability; extract the feature information of the network vulnerability, match it against the network vulnerabilities in an existing vulnerability database, and determine the type of the network vulnerability; judge whether other target nodes in the network environment of the target node have the same type of network vulnerability; and if so, acquire all target nodes with that type of network vulnerability, analyze their security information together to predict the attack steps corresponding to the network vulnerability, and give the predicted defense steps corresponding to those attack steps.
In order to solve the prior technical problem, the invention provides the following technical scheme:
a prediction defense method of vulnerability information in situation awareness is characterized by comprising the following steps,
carrying out vulnerability scanning on the network environment to which the network node belongs to obtain network vulnerability information; the network nodes comprise target nodes with network vulnerabilities in the network environment; the network vulnerability information comprises the security information of the target node; the security information comprises the feature information of the network vulnerability;
extracting the characteristic information of the network vulnerability, matching the characteristic information with the network vulnerability in the existing vulnerability database, and determining the type of the network vulnerability;
judging whether other target nodes in the network environment of the target node have the same type of network vulnerability;
and if so, acquiring all target nodes with the same type of network vulnerabilities, analyzing the security information of the target nodes together to predict attack steps corresponding to the network vulnerabilities, and giving corresponding prediction defense steps corresponding to the attack steps.
Further, the security information of the target node comprises the type of the operating system, the running service and the version of the service software.
Further, the network vulnerability information includes discovery time, vulnerability name, hazard level, asset IP, scanning task name, data source, status, handling priority, operation.
Further, the types of network vulnerabilities include buffer overflow, cross-site scripting, DoS attacks, scanning, SQL injection, trojan backdoor, viruses and worms, Web attacks, botnets, cross-site request forgery, file inclusion, file reading, directory traversal attacks, sensitive information leakage, brute force cracking, code execution vulnerabilities, command execution, weak passwords, upload vulnerability exploitation, Webshell exploitation, misconfiguration/error, logic/privilege errors, unauthorized access/permission bypass, URL redirection, protocol anomalies, phishing, malicious advertisements, network spoofing, spyware, browser hijacking, keyboard logging, account-stealing trojans, port scanning, black market tools, email, computer viruses, network worms, file downloading, permission and access control, and Webshell upload.
Further, predicting to obtain an attack step corresponding to the network vulnerability specifically includes: acquiring access request information of a network node to the target node; judging the type of the network vulnerability which is possibly attacked by the target node based on the access request information; and matching the attack mode of an attacker according to the type of the network vulnerability.
Further, the attack mode comprises a plurality of attack steps, and the attack steps correspond to the sequence of the prediction defense steps.
Further, the attack order of the attack steps is verified based on a time axis, and the defense order of the predicted defense steps is adjusted correspondingly.
Further, carrying out data integrity analysis on the data information stored in the target node; the storage comprises data backup of the data information of the target node.
A prediction defense device for vulnerability information in situation awareness is characterized by comprising a structure:
the vulnerability scanning unit is used for carrying out vulnerability scanning on the network environment to which the network node belongs to obtain network vulnerability information; the network nodes comprise target nodes with network vulnerabilities in the network environment; the network vulnerability information comprises the security information of the target node; the security information comprises the feature information of the network vulnerability;
the vulnerability determining unit is used for extracting the characteristic information of the network vulnerability, matching the characteristic information with the network vulnerability in the existing vulnerability database and determining the type of the network vulnerability;
the vulnerability judging unit is used for judging whether other target nodes in the network environment to which the target node belongs have the same type of network vulnerability;
and the vulnerability prediction defense unit is used for, when the judgment result is yes, acquiring all target nodes with the same type of network vulnerability, analyzing the security information of those target nodes together to predict the attack steps corresponding to the network vulnerability, and giving the predicted defense steps corresponding to those attack steps.
A prediction defense system for vulnerability information in situation awareness is characterized by comprising:
a network node for transceiving data;
the situation awareness system periodically scans the network environment to determine the network vulnerability and performs security analysis on the security information of the network node to which the network vulnerability belongs;
the system server is connected with the network node and the situation awareness system;
the system server is configured to: carry out vulnerability scanning on the network environment to which the network node belongs to obtain network vulnerability information; the network nodes comprise target nodes with network vulnerabilities in the network environment; the network vulnerability information comprises the security information of the target node; the security information comprises the feature information of the network vulnerability; extract the feature information of the network vulnerability, match it against the network vulnerabilities in an existing vulnerability database, and determine the type of the network vulnerability; judge whether other target nodes in the network environment of the target node have the same type of network vulnerability; and if so, acquire all target nodes with that type of network vulnerability, analyze their security information together to predict the attack steps corresponding to the network vulnerability, and give the predicted defense steps corresponding to those attack steps.
Owing to the above, the invention has the following advantages: the network vulnerability information of a target node is obtained through vulnerability scanning, and network vulnerabilities of the same type across the network environment are collected and analyzed together, so that global prediction and defense of the network environment against that type of vulnerability is achieved and the network resource waste caused by repeated vulnerability scanning is avoided.
Drawings
Fig. 1 is a flowchart provided in an embodiment of the present invention.
Fig. 2 is another flow chart provided by the embodiment of the present invention.
Fig. 3 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a system according to an embodiment of the present invention.
Description of reference numerals:
the device 200 comprises a vulnerability scanning unit 201, a vulnerability determining unit 202, a vulnerability judging unit 203 and a vulnerability prediction defense unit 204;
system 300, network node 301, situational awareness system 302, system server 303.
Detailed Description
The following describes a method, an apparatus, and a system for predicting and defending vulnerability information in situational awareness according to the present invention in further detail with reference to the accompanying drawings and specific embodiments. It should be noted that technical features or combinations of technical features described in the following embodiments should not be considered as being isolated, and they may be combined with each other to achieve better technical effects. In the drawings of the embodiments described below, the same reference numerals appearing in the respective drawings denote the same features or components, and may be applied to different embodiments. Thus, once an item is defined in one drawing, it need not be further discussed in subsequent drawings.
It should be noted that the structures, proportions, sizes, and other dimensions shown in the drawings and described in the specification are only for the purpose of understanding and reading the present disclosure, and are not intended to limit the scope of the invention, which is defined by the claims, and any modifications of the structures, changes in the proportions and adjustments of the sizes and other dimensions, should be construed as falling within the scope of the invention unless the function and objectives of the invention are affected. The scope of the preferred embodiments of the present invention includes additional implementations in which functions may be executed out of order from that described or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the embodiments of the present invention.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate. In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
Examples
Referring to fig. 1, a flow chart provided by the present invention is shown. The implementation step S100 of the method is as follows:
s101, carrying out vulnerability scanning on a network environment to which a network node belongs to obtain network vulnerability information; the network nodes comprise target nodes with network vulnerabilities in a network environment; the network vulnerability information comprises the security information of the target node; the security information comprises the characteristic information of the network vulnerability.
The network node refers to a terminal having an independent network address and data processing function in a network environment, and the data processing function includes, but is not limited to, a function of transmitting data, receiving data, and/or analyzing data.
The network nodes may be workstations, clients, network users or personal computers, servers, printers and other network-connected devices. The whole network environment comprises a plurality of network nodes, and the network nodes are connected through communication lines to form a network topology structure. The communication line may be a wired communication system or a wireless communication system.
The vulnerability scanning can scan network nodes in a network environment and data transmission protocols among the network nodes based on vulnerability scanning rules preset in a vulnerability database to determine the network vulnerabilities.
By way of example and not limitation, vulnerability scanning preferably finds a network vulnerability by scanning the access operations of network nodes: a network vulnerability is considered to exist when an access operation of a network node conflicts with the security policy of the system.
The vulnerability scanning includes, but is not limited to, network node vulnerability scanning, Web application vulnerability scanning, APK system scanning, and the like.
Vulnerability scanning of network nodes performs security scanning of the systems and networks within the evaluation scope by remote scanning with an evaluation tool, discovers the security risks, vulnerabilities and threats in security targets such as the network structure, network devices, server hosts, data and user accounts/passwords, and manually verifies the detected weak passwords and high-risk vulnerabilities.
Web application vulnerability scanning rapidly scans for many kinds of website vulnerabilities, efficiently and comprehensively detects the vulnerability risks in the network, provides professional and effective security analysis and repair suggestions, audits the repair effect together with the security management process, reduces the attack surface as far as possible, ensures the accuracy of the results, comprehensively evaluates Web application vulnerabilities, and improves the enterprise's Web security defense capability.
APK system scanning uses static tools such as apktool, dex2jar, jd-gui and smali2dex to decompile and analyze the application, providing Android component detection, permission management, dex protection and data security (transmission, storage and output) detection, detecting common vulnerability risks such as dangerous debugging information, and finding exploitable vulnerabilities that were omitted or ignored during development.
A network vulnerability is a defect in hardware, software, the specific implementation of a protocol, or a system security policy that enables an attacker to access or destroy a system without authorization. It exists in computer network systems and can cause damage to any component of the system and to its data.
The network vulnerability information includes, but is not limited to, time, source area, event, compromised asset, target node, and attack type.
The security information includes, but is not limited to, sequence number, merge number, event name, event digest, event classification, collection type, level, network protocol, network application protocol, source name, source MAC address, source translation IP address, source port, source translation port, destination name, destination MAC, destination address, destination translation IP address, destination port, destination translation port, user name, program name, operation, object, result, device name, device address, device type, generation time, event reception time, collector IP address, original level, transmission traffic, reception traffic, duration, original type, request content, and so on.
The feature information of the network vulnerability includes, but is not limited to, state information of the target node and state information of a port of the running target node.
And S102, extracting the characteristic information of the network vulnerability, matching the characteristic information with the network vulnerability in the existing vulnerability database, and determining the type of the network vulnerability.
Types of the network vulnerabilities include, but are not limited to, buffer overflows, cross-site scripting, DoS attacks, scanning, SQL injection, trojan backdoors, viruses and worms, Web attacks, botnets, cross-site request forgery, file inclusion, file reading, directory traversal attacks, sensitive information leakage, brute force cracking, code execution vulnerabilities, command execution, weak passwords, upload vulnerability exploitation, Webshell exploitation, misconfiguration/error, logic/privilege errors, unauthorized access/permission bypass, URL redirection, protocol anomalies, phishing, malicious advertisements, network spoofing, spyware, browser hijacking, keyboard logging, account-stealing trojans, port scans, black market tools, email, computer viruses, network worms, file downloads, permission and access control, Webshell upload, and the like.
S103, judging whether other target nodes in the network environment of the target node have the same type of network loopholes.
The operation of judging whether the network environment to which the target node belongs has the same type of network vulnerability may be obtained by performing vulnerability scanning on all network nodes in the network environment according to the characteristics of the network vulnerability.
When other target nodes exist, the security information of all the target nodes of the same type can be collected, and the security information of the target nodes is analyzed and predicted.
And S104, when the judgment result is yes, acquiring all target nodes with the same type of network vulnerabilities, analyzing the security information of the target nodes together to predict attack steps corresponding to the network vulnerabilities, and providing corresponding prediction defense steps corresponding to the attack steps.
The prediction refers to predicting the attack possibly suffered by the network vulnerability and the attack steps, attack modes and attack paths of an attack party based on the safety information of the target node according to the prediction capability of the situation awareness system.
The prediction defense step refers to an attack step, an attack mode and an attack path of the attack and the attacker possibly suffered by the network vulnerability obtained based on prediction so as to provide a corresponding defense step.
It should be noted that the predicted defense step is stored in the existing defense scheme of the vulnerability database as a standby defense scheme. When an attack, attack step, attack mode or attack path is actually detected, the situation awareness system calls the predicted defense step corresponding to it to form a defense scheme adapted to that attack, attack step, attack mode or attack path.
Preferably, the security information of the target node includes an operating system type, a running service and a version of service software.
Preferably, the network vulnerability information includes discovery time, vulnerability name, hazard level, asset IP, scanning task name, data source, status, treatment priority, and operation.
Preferably, the types of network vulnerabilities include buffer overflow, cross-site scripting, DoS attacks, scanning, SQL injection, trojan backdoor, viruses and worms, Web attacks, botnets, cross-site request forgery, file inclusion, file reading, directory traversal attacks, sensitive information leakage, brute force cracking, code execution vulnerabilities, command execution, weak passwords, upload vulnerability exploitation, Webshell exploitation, misconfiguration/error, logic/privilege errors, unauthorized access/permission bypass, URL redirection, protocol anomalies, phishing, malicious advertisements, network spoofing, spyware, browser hijacking, keyboard logging, account-stealing trojans, port scanning, black market tools, email, computer viruses, network worms, file downloading, permission and access control, and Webshell upload.
A Denial of Service (DoS) attack disrupts the normal operation of the network by denying service access: either the network connection is saturated, or the server, busy processing the packets sent by the attacker, crashes its services and exhausts its system resources.
In addition, the types of the network vulnerabilities further include network message sniffing, IP address spoofing, password attacks, distributed denial of service, and the like.
The network message sniffing is a technology for intercepting and capturing a data message of a target computer by using a network interface of the computer through a sniffer.
The IP address spoofing attack attacks the target by impersonating the IP address of the trusted host.
A password attack may be carried out in a number of different ways, including but not limited to brute force attacks, trojan horse programs, and the like.
Distributed Denial of Service (DDoS) is a special form of DoS: a distributed, coordinated large-scale denial of service attack in which several or even dozens of denial attacks against different services are carried out simultaneously, so that the network connection is saturated, or the server crashes its services and exhausts its system resources while processing the packets sent by the attacker.
It is noted that when the type of the aforementioned network vulnerability is detected at a certain network node, it may be preferable to consider that a network attack exists or that an attacker is attempting to exploit the network vulnerability to launch a network attack on the network node. At the moment, the attack characteristics are correspondingly matched to predict the attack step of the attacker.
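Steps S101 to S104 as a small Python pipeline, given here as an added example and not as code from the patent or its assignee: scan findings carry the security information of each target node (operating system type, running service, service software version) plus the port state as feature information; the feature information is matched against a vulnerability database to determine the type (S102); every target node exhibiting the same type is collected (S103); and one consolidated attack/defense prediction is produced per type rather than per node (S104). The vulnerability database, playbook, IP addresses, services and versions are all constructed for illustration.

```python
"""Added example, not code from the patent or its assignee: steps S101-S104
as a small pipeline. The vulnerability database, playbook, node addresses,
services and versions below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NodeSecurityInfo:
    """Security information of a target node as the patent lists it (operating
    system type, running service, service software version) plus the port
    state used as feature information of the network vulnerability."""
    asset_ip: str
    os_type: str
    service: str
    version: str
    open_ports: tuple


# Constructed vulnerability database: each rule maps a (service, version
# prefix) feature to one vulnerability type from the patent's type list.
# An empty version prefix matches every version of that service.
VULN_DB = (
    {"service": "struts", "version_prefix": "2.3.", "type": "code execution"},
    {"service": "telnet", "version_prefix": "", "type": "weak passwords"},
    {"service": "tomcat", "version_prefix": "8.5.", "type": "unauthorized access/permission bypass"},
    {"service": "php-app", "version_prefix": "1.", "type": "file inclusion"},
)

# Constructed playbook: for each type, the predicted attack steps and the
# predicted defense step answering each one, kept in the same order so that
# attack step i corresponds to predicted defense step i.
PLAYBOOK = {
    "code execution": (
        ("probe service banner", "send crafted payload", "spawn reverse shell"),
        ("suppress banner at the edge", "virtual-patch the payload signature", "egress-filter reverse connections"),
    ),
    "weak passwords": (
        ("enumerate login service", "dictionary login attempts", "reuse credential on peer nodes"),
        ("restrict login service to management network", "lock out after repeated failures", "rotate shared credentials"),
    ),
    "unauthorized access/permission bypass": (
        ("request management path without credentials", "open management console", "deploy malicious application"),
        ("enforce authentication on management paths", "bind console to localhost", "disable remote deploy"),
    ),
    "file inclusion": (
        ("fuzz include parameter", "include local file via traversal", "include uploaded webshell"),
        ("allow-list include targets", "reject traversal sequences", "scan the upload directory"),
    ),
}


def determine_types(info):
    """S102: match the node's feature information against the vulnerability
    database and return every vulnerability type it exhibits."""
    return [rule["type"] for rule in VULN_DB
            if rule["service"] == info.service
            and info.version.startswith(rule["version_prefix"])]


def group_by_type(infos):
    """S103: for each vulnerability type, collect all target nodes in the
    network environment that have that same type."""
    groups = defaultdict(list)
    for info in infos:
        for vtype in determine_types(info):
            groups[vtype].append(info)
    return dict(groups)


def predict_defense(infos):
    """S104: analyse the security information of all nodes sharing a type
    together and emit one prediction per type. A type found on two or more
    nodes gets a single global plan covering all of them, which is what
    avoids rescanning each node separately for a vulnerability already known."""
    plans = {}
    for vtype, nodes in group_by_type(infos).items():
        attack_steps, defense_steps = PLAYBOOK[vtype]
        plans[vtype] = {
            "scope": "global" if len(nodes) > 1 else "local",
            "target_nodes": sorted(node.asset_ip for node in nodes),
            "operating_systems": sorted({node.os_type for node in nodes}),
            "attack_steps": list(attack_steps),
            "predicted_defense_steps": list(defense_steps),
        }
    return plans


# Constructed scan result for one network environment.
SAMPLE_SCAN = (
    NodeSecurityInfo("10.0.1.10", "linux", "struts", "2.3.31", (8080,)),
    NodeSecurityInfo("10.0.1.11", "linux", "struts", "2.3.34", (8080,)),
    NodeSecurityInfo("10.0.1.20", "linux", "tomcat", "8.5.5", (8080, 8009)),
    NodeSecurityInfo("10.0.2.5", "windows", "telnet", "", (23,)),
    NodeSecurityInfo("10.0.2.6", "linux", "openssh", "8.9", (22,)),  # matches no rule
)

if __name__ == "__main__":
    for vtype, plan in predict_defense(SAMPLE_SCAN).items():
        print(f"{vtype}: {plan['scope']} plan for {plan['target_nodes']}")
        for attack, defense in zip(plan["attack_steps"], plan["predicted_defense_steps"]):
            print(f"  attack: {attack:45s} -> defense: {defense}")
```

The two Struts hosts produce one global plan instead of two, and the rule table is only consulted once per node, which is the resource saving the patent claims; a real deployment would replace the constructed VULN_DB with a feed such as a vulnerability database query keyed on service and version.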
Referring to fig. 2, a flow chart provided by the present invention is shown. The method specifically comprises the following steps of S110:
and S111, acquiring the access request information of the network node to the target node.
The access request information comprises but is not limited to a request line, a request header and request data, and the access request information is subjected to real-time association analysis and path tracking so as to realize dynamic analysis of network security.
And S112, judging the type of the network vulnerability which the target node is possibly attacked based on the access request information.
By way of example and not limitation, when a network node A makes an access request to the target node B and the feedback of target node B on the access request information indicates that the access of network node A exceeds its access right, it can be concluded that the type of network vulnerability through which the target node may be attacked is unauthorized access.
And S113, matching the attack mode of the attacker according to the type of the network vulnerability.
Because a network node has a network vulnerability, there is a certain association between that vulnerability and the network attack in which an attacker exploits it, including but not limited to a causal relationship or a progressive relationship. Therefore, the attack mode of the attacker can be determined from the type of the network vulnerability.
Preferably, the attack mode includes a plurality of attack steps, and the attack steps correspond to the order of the predicted defense steps.
By way of example and not limitation, when there is a network attack, an attacker splits the network attack into multiple steps to avoid monitoring of network security, and the attack manner predicted by the situation awareness system corresponds to attack step 1, attack step 2, and attack step N (N is a positive integer greater than or equal to 2), and correspondingly, the predicted defense steps are sequentially set as predicted defense step 1, predicted defense step 2, and predicted defense step N (N is a positive integer greater than or equal to 2).
In addition, the predicted defense step may be arranged in reverse order or out of order in response to the attack step.
It should be noted that each target node has different corresponding roles due to different positions of the target node in the network environment, so that the comprehensive situation of each target node needs to be considered for analysis when performing defense.
Preferably, the attack order of the attack step is verified based on a time axis, and the defense order of the predicted defense step is adjusted accordingly.
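Steps S111 to S113 together with the time-axis verification, as an added example that is not code from the patent or its assignee: access request information (request line plus response status) is parsed, each request is judged to a vulnerability type, the observed types are ordered on the time axis, and the predicted defense steps are ordered so that defense step i answers attack step i as actually seen. The log format, addresses, paths, expected attack chain and defense texts are constructed; treating a 401/403 response as "access exceeded the access right" is an assumption of this example, following the node A / node B illustration above.

```python
"""Added example, not code from the patent or its assignee: infer the
vulnerability type a target node may be attacked through from access request
information, match the attack mode, verify the attack order on a time axis
and order the predicted defense steps accordingly. Log format, addresses,
paths, expected chain and defense texts are constructed; mapping 401/403 to
"unauthorized access" is this example's assumption."""
import re
from datetime import datetime

# Constructed access log of target node B. Fields: timestamp, source node,
# request line, response status. Lines are deliberately out of order, as
# they might arrive from several collectors.
ACCESS_LOG = """\
2021-12-17T09:00:58 10.0.5.7 "GET /index.html HTTP/1.1" 200
2021-12-17T09:01:09 10.0.5.7 "POST /manager/html/upload HTTP/1.1" 200
2021-12-17T09:00:59 10.0.5.7 "GET /download?file=../../etc/passwd HTTP/1.1" 200
2021-12-17T09:01:02 10.0.5.7 "GET /manager/html HTTP/1.1" 403
2021-12-17T09:01:05 10.0.5.7 "GET /manager/html HTTP/1.1" 401
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})$')

# Constructed attack mode for a management-console host: the expected order
# of attack steps (named by vulnerability type) and the defense step that
# answers each one.
EXPECTED_CHAIN = (
    "unauthorized access/permission bypass",
    "directory traversal attacks",
    "upload vulnerability exploitation",
)
DEFENSE_STEP = {
    "unauthorized access/permission bypass": "enforce authentication on management paths",
    "directory traversal attacks": "canonicalise file parameters and reject '..'",
    "upload vulnerability exploitation": "disable remote deploy and quarantine the upload directory",
}


def judge_type(method, path, status):
    """S112: decide from one request/response which vulnerability type the
    target node may be attacked through; None if the request looks benign."""
    if ".." in path:
        return "directory traversal attacks"
    if status in (401, 403):  # feedback says the access exceeded the access right
        return "unauthorized access/permission bypass"
    if method == "POST" and "upload" in path:
        return "upload vulnerability exploitation"
    return None


def parse_access_log(text):
    """S111: turn access request information into (time, source, type) events,
    keeping only the requests that map to a vulnerability type."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # malformed line: skip rather than guess
        ts, source, method, path, status = match.groups()
        vtype = judge_type(method, path, int(status))
        if vtype is not None:
            events.append((datetime.fromisoformat(ts), source, vtype))
    return events


def verified_attack_order(events, expected=EXPECTED_CHAIN):
    """Verify the attack order on the time axis: the first occurrence of each
    type, sorted by timestamp, gives the observed order; expected steps not
    yet observed keep their expected position at the end."""
    observed = []
    for _ts, _source, vtype in sorted(events):
        if vtype not in observed:
            observed.append(vtype)
    return observed + [v for v in expected if v not in observed]


def predicted_defense_order(text, expected=EXPECTED_CHAIN):
    """S113 plus adjustment: match the attack mode, then order the predicted
    defense steps so that defense step i answers attack step i as seen."""
    attack_order = verified_attack_order(parse_access_log(text), expected)
    return {
        "attack_order": attack_order,
        "defense_order": [DEFENSE_STEP[v] for v in attack_order],
        "adjusted": attack_order != list(expected),
    }


if __name__ == "__main__":
    result = predicted_defense_order(ACCESS_LOG)
    for i, (attack, defense) in enumerate(zip(result["attack_order"], result["defense_order"]), 1):
        print(f"attack step {i}: {attack:40s} -> predicted defense step {i}: {defense}")
    print("order adjusted from expected chain:", result["adjusted"])
```

In the constructed log the traversal request is timestamped before the first rejected management-console request, so the verified order differs from the expected chain and the defense order is adjusted to match; with an empty event list the function falls back to the expected chain unchanged.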
Preferably, data integrity analysis is performed on the data information stored in the target node, the stored data including a data backup of the target node's data information.
The advantage of performing data integrity analysis on the data stored in the target node is that the specific extent to which the target node's data has been lost or leaked can be determined, so that defensive measures can be taken in time to avoid a greater network security risk.
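An added example (not the patent's code) of the data integrity analysis just described: the node's current files are hashed and compared with a manifest taken from the backup, and each path is classified as intact, modified, missing or unexpected. The file contents below are constructed in memory; a real run would hash the node's storage and read the manifest kept with the backup.

```python
"""Data integrity analysis of a target node's stored data against its backup.

Added example, not the patent's code. Files and backup are constructed as
path -> bytes mappings.
"""
import hashlib
from typing import Dict, List


def manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 digest of every file, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_report(node_files: Dict[str, bytes],
                     backup_manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each path as intact, modified, missing (lost on the node) or
    unexpected (present on the node but absent from the backup)."""
    current = manifest(node_files)
    report: Dict[str, List[str]] = {"intact": [], "modified": [], "missing": [], "unexpected": []}
    for path, digest in backup_manifest.items():
        if path not in current:
            report["missing"].append(path)
        elif current[path] != digest:
            report["modified"].append(path)
        else:
            report["intact"].append(path)
    report["unexpected"] = [p for p in current if p not in backup_manifest]
    for bucket in report.values():
        bucket.sort()
    return report


def needs_defensive_action(report: Dict[str, List[str]]) -> bool:
    """Any loss, alteration or foreign file on the node warrants a response."""
    return bool(report["modified"] or report["missing"] or report["unexpected"])


# Constructed backup taken before the scan.
BACKUP_FILES: Dict[str, bytes] = {
    "etc/app.conf": b"listen=443\nauth=required\n",
    "var/db/users.csv": b"alice,admin\nbob,user\n",
    "var/www/index.html": b"<html>ok</html>\n",
}
BACKUP_MANIFEST = manifest(BACKUP_FILES)

# Constructed current state of the node: one file altered (an account added),
# one file lost, one file that was never in the backup.
NODE_FILES: Dict[str, bytes] = {
    "etc/app.conf": b"listen=443\nauth=required\n",
    "var/db/users.csv": b"alice,admin\nbob,user\nmallory,admin\n",
    "var/www/upload/x.php": b"<?php /* constructed placeholder */ ?>",
}

if __name__ == "__main__":
    rep = integrity_report(NODE_FILES, BACKUP_MANIFEST)
    for bucket, paths in rep.items():
        print(f"{bucket:10s} {paths}")
    print("defensive action needed:", needs_defensive_action(rep))
```

The manifest has to live with the backup, off the node, or be signed; a manifest stored on the node can be rewritten by the same attacker who altered the data, and the comparison would then report everything as intact.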
Other technical features are referred to in the previous embodiments and are not described herein.
Referring to fig. 3, an embodiment of the present invention further provides a device 200 for predicting and defending vulnerability information in situational awareness, which is characterized by comprising:
a vulnerability scanning unit 201, configured to perform vulnerability scanning on a network environment to which a network node belongs, so as to obtain network vulnerability information; the network nodes comprise target nodes with network vulnerabilities in a network environment; the network vulnerability information comprises the security information of the target node; the security information comprises the characteristic information of the network vulnerability.
The vulnerability determining unit 202 is configured to extract feature information of the network vulnerability, match the feature information with a network vulnerability in an existing vulnerability database, and determine a type of the network vulnerability.
The vulnerability judging unit 203 is configured to judge whether other target nodes in the network environment to which the target node belongs have the same type of network vulnerability.
And the vulnerability prediction defense unit 204 is used for acquiring all target nodes with the same type of network vulnerabilities when the judgment result is yes, analyzing the security information of the target nodes together to predict attack steps corresponding to the network vulnerabilities, and giving corresponding prediction defense steps corresponding to the attack steps.
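An added example (not the patent's code) of units 202 to 204 as one pipeline: each node's feature information (running service and its version) is matched against a vulnerability database to determine the type, the target nodes that share a type are collected, and each group is analysed together so that one vulnerability type is handled once for the whole environment instead of being rescanned node by node. The scan records, the vulnerability database, the service names and the hazard scale are constructed; the record fields follow claims 2 and 3 (operating system, running service, service version, asset IP, discovery time, hazard level, disposal priority, status).

```python
"""Units 202-204: match features to the vulnerability database, group nodes
with the same vulnerability type, analyse each group jointly.

Added example, not the patent's code. Database, service names, scan results
and the hazard scale are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """Security information of one target node from a scan (claims 2 and 3)."""
    asset_ip: str
    os_type: str
    service: str
    version: str
    discovery_time: str


@dataclass(frozen=True)
class VulnRecord:
    """One entry of the existing vulnerability database (constructed)."""
    service: str
    min_version: Tuple[int, ...]
    max_version: Tuple[int, ...]  # inclusive
    vuln_type: str
    hazard_level: int  # constructed scale: 1 low .. 4 critical


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def match_vulnerability(finding: Finding, db: List[VulnRecord]) -> Optional[VulnRecord]:
    """Unit 202: match the node's feature information (service + version)
    against the database; the matching record determines the type."""
    version = parse_version(finding.version)
    for rec in db:
        if rec.service == finding.service and rec.min_version <= version <= rec.max_version:
            return rec
    return None


def group_by_type(findings: List[Finding],
                  db: List[VulnRecord]) -> Dict[str, List[Tuple[Finding, VulnRecord]]]:
    """Unit 203: collect every target node that has the same vulnerability type."""
    groups: Dict[str, List[Tuple[Finding, VulnRecord]]] = defaultdict(list)
    for finding in findings:
        rec = match_vulnerability(finding, db)
        if rec is not None:
            groups[rec.vuln_type].append((finding, rec))
    return dict(groups)


def joint_analysis(findings: List[Finding], db: List[VulnRecord]) -> List[dict]:
    """Unit 204: one analysis record per vulnerability type covering all affected
    nodes. Disposal priority is the constructed product of the worst hazard level
    and the number of affected assets."""
    records = []
    for vuln_type, members in group_by_type(findings, db).items():
        ips = sorted({f.asset_ip for f, _ in members})
        hazard = max(r.hazard_level for _, r in members)
        records.append({
            "vulnerability_name": vuln_type,
            "asset_ips": ips,
            "hazard_level": hazard,
            "discovery_time": min(f.discovery_time for f, _ in members),
            "disposal_priority": hazard * len(ips),
            "status": "pending",
        })
    return sorted(records, key=lambda r: (-r["disposal_priority"], r["vulnerability_name"]))


# Constructed vulnerability database with fictional service names.
VULN_DB: List[VulnRecord] = [
    VulnRecord("acme-web", (3, 0, 0), (3, 1, 9), "SQL injection", 4),
    VulnRecord("acme-ftp", (1, 0, 0), (1, 2, 0), "weak passwords", 2),
]

# Constructed scan results for four nodes in one network environment.
SCAN_RESULTS: List[Finding] = [
    Finding("10.0.0.11", "Linux", "acme-web", "3.1.2", "2021-12-20T09:00:00"),
    Finding("10.0.0.12", "Linux", "acme-web", "3.0.9", "2021-12-20T08:55:00"),
    Finding("10.0.0.13", "Windows", "acme-ftp", "1.0.4", "2021-12-20T09:01:00"),
    Finding("10.0.0.14", "Linux", "acme-web", "3.2.0", "2021-12-20T09:02:00"),  # patched, no match
]

if __name__ == "__main__":
    for rec in joint_analysis(SCAN_RESULTS, VULN_DB):
        print(rec)
```

Matching on service and version alone is what a version-based scanner does; a backported fix leaves the version string unchanged, so a node can appear in a group although it is not exploitable, and the joint record should be treated as the set of nodes to verify together, not as a confirmed list.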
In addition, referring to fig. 4, an embodiment of the present invention provides a system 300 for predicting and defending vulnerability information in situational awareness, which is characterized by comprising:
the network node 301 is configured to transmit and receive data.
The situation awareness system 302 periodically scans the network environment to determine network vulnerabilities and performs security analysis on the security information of the network nodes to which the vulnerabilities belong.
The situation awareness system integrates a plurality of data information systems, such as antivirus software, firewalls, network management systems, intrusion detection systems and security audit systems, to evaluate the current condition of the network environment and to predict its future trend.
The periodic detection may be configured with a detection time or a detection period, and includes, but is not limited to, web page tamper detection, abnormal process behavior, abnormal login, malicious processes, abnormal network connections, abnormal accounts, virus detection, Web application threat detection, and the like.
A system server 303, said system server 303 connecting the network node 301 and the situational awareness system 302.
The system server 303 is configured to: carry out vulnerability scanning on the network environment to which the network node belongs to obtain network vulnerability information; the network nodes comprise target nodes with network vulnerabilities in the network environment; the network vulnerability information comprises the security information of the target node; the security information comprises the characteristic information of the network vulnerability; extract the characteristic information of the network vulnerability, match it with the network vulnerabilities in the existing vulnerability database, and determine the type of the network vulnerability; judge whether other target nodes in the network environment of the target node have the same type of network vulnerability; and if so, acquire all target nodes with the same type of network vulnerability, analyze the security information of those target nodes together to predict the attack steps corresponding to the network vulnerability, and give the prediction defense steps corresponding to those attack steps.
Other technical features are referred to in the previous embodiment and are not described in detail herein.
In the description above, the various components may be selectively and operatively combined in any number within the intended scope of the present disclosure. In addition, terms like "comprising," "including," and "having" should be interpreted as inclusive or open-ended, rather than exclusive or closed-ended, by default, unless explicitly defined to the contrary. All technical, scientific, or other terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs unless defined otherwise. Common terms found in dictionaries should not be interpreted too ideally or too realistically in the context of related art documents unless the present disclosure expressly limits them to that.
While exemplary aspects of the present disclosure have been described for illustrative purposes, those skilled in the art will appreciate that the foregoing description is by way of description of the preferred embodiments of the present disclosure only, and is not intended to limit the scope of the present disclosure in any way, which includes additional implementations in which functions may be performed out of the order of presentation or discussion. Any changes and modifications of the present invention based on the above disclosure will be within the scope of the appended claims.

Claims (10)

1. A prediction defense method of vulnerability information in situation awareness is characterized by comprising the following steps,
carrying out vulnerability scanning on a network environment to which the network node belongs to obtain network vulnerability information; the network nodes comprise target nodes with network vulnerabilities in the network environment; the network vulnerability information comprises the security information of the target node; the security information comprises the characteristic information of the network vulnerability;
extracting the characteristic information of the network vulnerability, matching the characteristic information with the network vulnerability in the existing vulnerability database, and determining the type of the network vulnerability;
judging whether other target nodes in the network environment of the target node have the same type of network vulnerability;
and if so, acquiring all target nodes with the same type of network vulnerabilities, analyzing the security information of the target nodes together to predict attack steps corresponding to the network vulnerabilities, and giving corresponding prediction defense steps corresponding to the attack steps.
2. The method of claim 1, wherein the security information of the target node comprises an operating system type, running services, and version of service software.
3. The method of claim 1, wherein the network vulnerability information includes discovery time, vulnerability name, hazard level, asset IP, scan task name, data source, status, disposal priority, operation.
4. The method of claim 1, wherein the types of the network vulnerabilities include buffer overflow, cross-site scripting, DoS attacks, scanning, SQL injection, trojan backdoor, virus worm, Web attack, botnet, cross-site request forgery, file inclusion, file reading, directory traversal attack, sensitive information leakage, brute force cracking, code execution vulnerabilities, command execution, weak passwords, upload vulnerability exploitation, Webshell exploitation, misconfiguration/errors, logic/involvement errors, unauthorized access/permission bypass, URL hopping, protocol exceptions, phishing, malicious advertisements, network spoofing, spyware, browser hijacking, keylogging, pirate trojans, port scanning, black market tools, email, computer viruses, network worm, file downloading, permission and access control, and Webshell upload.
5. The method according to claim 1, wherein the step of predicting the attack corresponding to the network vulnerability includes:
acquiring access request information of a network node to the target node;
judging the type of the network vulnerability which is possibly attacked by the target node based on the access request information;
and matching the attack mode of an attacker according to the type of the network vulnerability.
6. The method of claim 5, wherein the attack pattern comprises a plurality of attack steps, the attack steps corresponding to a sequence of predicted defense steps.
7. The method according to claim 5, wherein the attack order of the attack steps is verified based on a time axis, and the defense order of the predicted defense steps is adjusted accordingly.
8. The method of claim 1, wherein data integrity analysis is performed on the data information stored in the target node; the storage comprises data backup of the data information of the target node.
9. A device for the predictive defense of vulnerability information in situational awareness, configured to perform the method according to any one of claims 1-8, characterized by comprising:
the vulnerability scanning unit, used for carrying out vulnerability scanning on the network environment to which the network node belongs to obtain network vulnerability information; the network nodes comprise target nodes with network vulnerabilities in the network environment; the network vulnerability information comprises the security information of the target node; the security information comprises the characteristic information of the network vulnerability;
the vulnerability determining unit is used for extracting the characteristic information of the network vulnerability, matching the characteristic information with the network vulnerability in the existing vulnerability database and determining the type of the network vulnerability;
the vulnerability judging unit is used for judging whether other target nodes in the network environment to which the target node belongs have the same type of network vulnerability;
and the vulnerability prediction defense unit, used for acquiring all target nodes with the same type of network vulnerability when the judgment result of the vulnerability judging unit is yes, analyzing the security information of those target nodes together to predict the attack steps corresponding to the network vulnerability, and giving the prediction defense steps corresponding to those attack steps.
10. A system for the predictive defense of vulnerability information in situational awareness, configured to perform the method of any one of claims 1-8, characterized by comprising:
a network node for transceiving data;
the situation awareness system periodically scans the network environment to determine the network vulnerability and performs security analysis on the security information of the network node to which the network vulnerability belongs;
the system server is connected with the network node and the situation awareness system;
the system server is configured to:
carrying out vulnerability scanning on the network environment to which the network node belongs to obtain network vulnerability information; the network nodes comprise target nodes with network vulnerabilities in the network environment; the network vulnerability information comprises the security information of the target node; the security information comprises the characteristic information of the network vulnerability; extracting the characteristic information of the network vulnerability, matching it with the network vulnerabilities in the existing vulnerability database, and determining the type of the network vulnerability; judging whether other target nodes in the network environment of the target node have the same type of network vulnerability; and if so, acquiring all target nodes with the same type of network vulnerability, analyzing the security information of those target nodes together to predict the attack steps corresponding to the network vulnerability, and giving the prediction defense steps corresponding to those attack steps.
CN202111561939.1A 2021-12-20 2021-12-20 Method, device and system for predicting and defending vulnerability information in situation awareness Active CN114301647B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111561939.1A CN114301647B (en) 2021-12-20 2021-12-20 Method, device and system for predicting and defending vulnerability information in situation awareness

Publications (2)

Publication Number Publication Date
CN114301647A true CN114301647A (en) 2022-04-08
CN114301647B CN114301647B (en) 2024-05-10

Family

ID=80967684

Country Status (1)

Country Link
CN (1) CN114301647B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116471124A (en) * 2023-06-19 2023-07-21 长通智能(深圳)有限公司 Computer network safety prediction system for analyzing based on big data information
CN116471124B (en) * 2023-06-19 2023-11-21 国信金宏(成都)检验检测技术研究院有限责任公司 Computer network safety prediction system for analyzing based on big data information
CN117081864A (en) * 2023-10-17 2023-11-17 天津市职业大学 Network information security defense detection method and system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101753562A (en) * 2009-12-28 2010-06-23 成都市华为赛门铁克科技有限公司 Detection methods, device and network security protecting device for botnet
CN104468632A (en) * 2014-12-31 2015-03-25 北京奇虎科技有限公司 Loophole attack prevention method, device and system
CN108234419A (en) * 2016-12-21 2018-06-29 江苏神州信源系统工程有限公司 A kind of network attack monitoring method and device based on big data
CN112637207A (en) * 2020-12-23 2021-04-09 中国信息安全测评中心 Network security situation prediction method and device
CN112632555A (en) * 2020-12-15 2021-04-09 国网河北省电力有限公司电力科学研究院 Node vulnerability scanning method and device and computer equipment
CN113312625A (en) * 2021-06-21 2021-08-27 深信服科技股份有限公司 Attack path graph construction method, device, equipment and medium
CN113326514A (en) * 2021-07-30 2021-08-31 紫光恒越技术有限公司 Risk assessment method and device for network assets, switch, equipment and server
CN113810406A (en) * 2021-09-15 2021-12-17 浙江工业大学 Network space security defense method based on dynamic defense graph and reinforcement learning

Also Published As

Publication number Publication date
CN114301647B (en) 2024-05-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant