CN114428962B - Vulnerability risk priority processing method and device - Google Patents


Info

Publication number
CN114428962B
Authority
CN (China)
Prior art keywords
vulnerability, attack, simulation, network, available
Legal status
Active
Application number
CN202210107047.2A
Other languages
Chinese (zh)
Other versions
CN114428962A
Inventors
张敬宇, 朱博, 张德生
Current assignee
Beijing Grayscale Technology Co ltd
Original assignee
Beijing Grayscale Technology Co ltd
Events
Application filed by Beijing Grayscale Technology Co ltd; priority to CN202210107047.2A; publication of CN114428962A; application granted; publication of CN114428962B; legal status active.


Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577: Assessing vulnerabilities and evaluating computer system security

Abstract

The embodiment of the disclosure provides a vulnerability risk priority processing method and device. The method comprises the steps of obtaining an available vulnerability in a network to be evaluated, the attack path depth of the available vulnerability and the safety protection measure effectiveness through attack simulation; acquiring the vulnerability risk level of the available vulnerability, the importance of the asset where the vulnerability is located and the vulnerability utilization heat degree; and calculating the vulnerability risk according to the danger level of the available vulnerability, the importance of the asset, the utilization heat, the attack path depth and the safety protection measure effectiveness. In this way, the real available vulnerabilities can be identified, the vulnerability attention range of a security administrator is narrowed, what vulnerabilities should be treated preferentially is determined, and how to treat the vulnerabilities is accurately determined.

Description

Vulnerability risk priority processing method and device
Technical Field
The present disclosure relates to the field of network security, and more particularly, to the field of vulnerability risk priority handling.
Background
At present, vulnerability management adopted by each enterprise detects vulnerabilities possibly existing in a network based on vulnerability scanning/detecting tools, scores vulnerability hazards based on CVSS and gives high-risk, medium-risk and low-risk ratings of the vulnerabilities.
At present, vulnerability management based on vulnerability scanning relies mainly on CVSS scoring, which considers the remote/local attack vector, attack complexity, privilege requirements, user interaction, scope, and the confidentiality, integrity and availability impacts. However, this method addresses only the vulnerability itself: it cannot determine whether the vulnerability really exists and can be exploited; it cannot help security administrators decide which vulnerabilities in the network should be handled first; and it cannot judge, in combination with the security protection measures of the defense system, whether the residual risk of the vulnerability is acceptable.
Disclosure of Invention
The disclosure provides a method, a device, equipment and a storage medium for vulnerability risk priority processing.
According to a first aspect of the present disclosure, a vulnerability risk priority handling method is provided. The method comprises the following steps: obtaining an available vulnerability in a network to be evaluated, an attack path depth of the available vulnerability and safety protection measure effectiveness through attack simulation; acquiring the vulnerability risk level of the available vulnerability, the importance of the asset where the vulnerability is located and the vulnerability utilization heat degree; and calculating the vulnerability risk according to the danger level of the available vulnerability, the importance of the asset, the utilization heat, the attack path depth and the safety protection measure effectiveness.
According to a second aspect of the present disclosure, there is provided a vulnerability risk priority handling apparatus. The device comprises: the attack simulation module is used for acquiring the available vulnerability in the network to be evaluated, the attack path depth of the available vulnerability and the safety protection measure effectiveness through attack simulation; the query module is used for acquiring the vulnerability risk level of the available vulnerability, the importance of the asset where the vulnerability is located and the vulnerability utilization heat degree; and the calculation module is used for calculating the vulnerability risk according to the danger level of the available vulnerability, the importance of the asset, the utilization heat, the depth of the attack path and the effectiveness of the safety protection measures.
According to a third aspect of the present disclosure, an electronic device is provided. The electronic device includes: a memory having a computer program stored thereon and a processor implementing the method as described above when executing the program.
According to a fourth aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method as described above.
It should be understood that what is described in this summary section is not intended to define key or essential features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. The accompanying drawings are included to provide a further understanding of the present disclosure, and are not intended to limit the disclosure thereto, and the same or similar reference numerals will be used to indicate the same or similar elements, where:
FIG. 1 illustrates a schematic diagram of an exemplary operating environment in which embodiments of the present disclosure can be implemented;
fig. 2 shows a flow chart of a vulnerability risk prioritization method according to an embodiment of the present disclosure;
fig. 3 shows a flowchart of a method for obtaining an available vulnerability in a network to be evaluated, an attack path depth of the available vulnerability, and an effectiveness of a security protection measure through attack simulation according to an embodiment of the present disclosure;
FIG. 4 shows a block diagram of a vulnerability risk priority handling apparatus, according to an embodiment of the present disclosure;
FIG. 5 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without inventive step, are intended to be within the scope of the present disclosure.
In addition, the term "and/or" herein is only one kind of association relationship describing the associated objects, and means that there may be three kinds of relationships; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
FIG. 1 illustrates a schematic diagram of an exemplary operating environment 100 in which embodiments of the present disclosure can be implemented. Attack simulation launch unit 102, asset 104, management platform 106 are included in runtime environment 100.
In some embodiments, assets 104 are deployed in a network under evaluation. Attack simulation initiator 102, asset 104 may be deployed in the same security domain of the network or may be deployed in different security domains. Management platform 106 may be deployed in the same security domain of the network as attack simulation initiator 102 or in a different security domain. Where assets 104 may be servers, websites, or the like, vulnerabilities may exist in assets 104.
In some embodiments, the management platform 106 is configured to control the attack simulation launching unit 102 to implement simulation attack on the assets 104 in the network to be attacked, and may further be configured to implement the vulnerability risk prioritization method of the embodiment of the present disclosure. In some embodiments, the vulnerability risk prioritization method of the disclosed embodiments may also be implemented by a separate server.
Fig. 2 shows a schematic diagram of a vulnerability risk prioritization method 200 according to an embodiment of the present disclosure. The method 200 may be performed by the management platform 106, or by other servers after the management platform 106 performs the operations of block 202.
At block 202, obtaining an available vulnerability in a network to be evaluated, an attack path depth of the available vulnerability and safety protection measure effectiveness through attack simulation;
in some embodiments, fig. 3 is a schematic diagram illustrating a method 300 for obtaining an available vulnerability in a network to be evaluated and an attack path depth of the available vulnerability and an effectiveness of a security measure through attack simulation according to an embodiment of the present disclosure.
At block 302, the management platform 106 sends an attack instruction to the attack simulation launching unit 102, so that on receiving the attack instruction the attack simulation initiating unit 102 performs a vulnerability attack on the corresponding asset 104 according to the simulated attack information in the instruction.
In some embodiments, a vulnerability attack may be made to an attack-receiving unit deployed on asset 104, which may be deployed on any node of the network to be attacked, i.e., asset 104. In some embodiments, assets 104 are deployed on all nodes of the network to be attacked.
In some embodiments, the attack instruction is a packet request requesting the attack simulation initiation unit 102 to send an attack packet to the asset 104. The attack package is used to perform verification for the asset 104 for a certain vulnerability.
In some embodiments, the attack simulation launch unit 102 sends an attack package to the asset 104 for vulnerability scanning and attack simulation, including: automatic sending of the simulated attack payload and judgment of whether the intrusion succeeded, automatic execution of POC (proof of concept) verification, cyberspace asset mapping, protected data mixing, and directed/undirected leakage simulation (covering data channels that are not fully protected and data leakage caused by network protocol vulnerabilities).
In some embodiments, the simulated attack information in the attack instruction includes: address information of the asset 104, port information, payload (payload) taken by the attack, etc.
In some embodiments, the attack instruction may include address information for a plurality of assets 104 respectively disposed in different security domains of the network for network defense-in-depth risk assessment.
In some embodiments, the attack instruction may include a plurality of port information for vulnerability detection.
In some embodiments, any of the plurality of attack simulation initiators 102 deployed in the network, and any of the plurality of assets 104, may be selected for automated attack penetration testing by the management platform 106. For example, the corresponding attack simulation initiator 102 and asset 104 are selected according to network domain segmentation and scenario.
In some embodiments, the method 300 further comprises: the management platform 106 sends a packet receiving instruction to the asset 104, so that on receiving the instruction the asset 104 accepts the attack packet sent by the attack simulation initiating unit 102 according to that instruction.
In some embodiments, the asset 104 may also automatically receive the attack package sent by the attack simulation launch unit 102 without receiving the package pickup instruction of the management platform 106.
In some embodiments, the packet receiving instruction includes the address information of the attack simulation initiating unit 102, the payload employed for the attack, and the like, so that on receiving the instruction the asset 104 accepts the attack packet sent by the corresponding attack simulation initiating unit 102 according to this information and filters out other data packets.
In some embodiments, the running state attack protection of OWASP Top 10 is performed based on runtime protection for the package receiving service of the asset 104 and the package sending service of the attack simulation launching unit 102.
In block 304, the attack simulation initiating unit 102 generates probe traffic according to the simulated attack information in the attack instruction and sends it to the corresponding asset 104;
in some embodiments, when receiving an attack instruction sent by the management platform 106, the attack simulation initiating unit 102 generates an attack packet according to the simulation attack information in the attack instruction, and performs vulnerability attack on the corresponding asset 104.
At block 306, asset 104 receives and identifies probe traffic generated and sent by attack simulation initiation unit 102; sending response data for the probe traffic to the attack simulation initiating unit 102;
in some embodiments, asset 104 identifies the received data traffic, determines whether the received data traffic contains probe traffic generated and sent by attack simulation initiation unit 102, and if so, sends response data for the probe traffic to management platform 106. In some embodiments, if the vulnerability in the asset 104 for which the probe traffic is directed exists, response data for the probe traffic is sent to the management platform 106.
In some embodiments, asset 104 identifies the received data traffic, determines whether it contains probe traffic generated and sent by attack simulation initiator 102, and if so, sends response data for the probe traffic to attack simulation initiator 102.
In some embodiments, if the vulnerability targeted by the probe traffic exists in the asset 104, the response data for the probe traffic is sent to the attack simulation initiating unit 102, which reports it to the management platform 106.
In some embodiments, the asset 104 receives the attack packet sent by the corresponding attack simulation initiating unit 102 according to the address information of the attack simulation initiating unit 102 and information such as a load (payload) used by the attack, which are included in the packet receiving instruction, and filters other data packets.
In block 308, the attack simulation initiating unit 102 reports the response data for the probe traffic sent by the asset 104 to the management platform 106.
At block 310, the management platform 106 obtains an available vulnerability in the network to be evaluated, an attack path depth of the available vulnerability, and an effectiveness of a security measure according to the probe traffic generated and sent by the attack simulation initiating unit 102 and response data for the probe traffic sent by the asset 104 after receiving and identifying the probe traffic generated and sent by the attack simulation initiating unit 102.
In some embodiments, the management platform 106 may obtain the available vulnerabilities in the network to be evaluated and the attack path depths of the available vulnerabilities and the effectiveness of security measures by comparing the probe traffic generated and sent by the attack simulation launching unit 102 with the response data of the attack simulation launching unit 102 received and identified by the asset 104.
In some embodiments, the available port of the node where the asset 104 is located may be determined according to the port identifier carried by the probe traffic generated and sent by the attack simulation initiation unit 102 received and identified by the asset 104, or the port through which the probe traffic passes.
In some embodiments, since the asset 104 may be deployed on any node of the network under attack, comparing the probe traffic generated and sent by the attack simulation initiating unit 102 with the response data sent by the asset 104 reveals whether there is an exploitable vulnerability on the node where the asset 104 is located. The attack path depth is determined from the position of that node in the network under attack, namely the hop count from the attack simulation initiating unit 102 to the node where the asset 104 is located, that is, the number of hops traversed.
In some embodiments, the attack path depth may be set to 1 hop/2 hop/3 hop/4 hop or more, with values of 1.0/0.95/0.9/0.85, respectively.
In some embodiments, whether the node where the vulnerability is located lies on the best attack path to a critical asset or network area is determined according to whether exploiting the vulnerability causes harm such as privilege escalation, lateral movement, information disclosure, and the like.
In some embodiments, the security devices deployed on the node where the asset 104 is located, or on the attack path from the attack simulation initiating unit 102 to that node, are evaluated to determine their protection effectiveness against the vulnerability. For example, if the asset 104 deployed on the node before the security device receives the probe traffic generated and sent by the attack simulation initiating unit 102 while the asset 104 deployed on the node after the security device does not, the protection effectiveness of the security device against that vulnerability is considered very high; if the security device shields the probe traffic for only part of the vulnerabilities, the protection effectiveness is evaluated further.
In some embodiments, the protection effectiveness of the security device may be set to very high/medium/low/none, with values 1.0/0.75/0.5/0.25/0 respectively.
At block 204, acquiring the vulnerability risk level of the available vulnerability, the importance of the asset where the vulnerability is located and the vulnerability utilization heat;
in some embodiments, according to the identification of the available vulnerabilities, vulnerability risk levels of the available vulnerabilities, importance of assets where the vulnerabilities are located, and vulnerability exploitation heat degrees are obtained.
In some embodiments, the vulnerability risk level refers to the CVSS score: it takes the CVSS as the base score and retains the scientific basis of CVSS scoring. The score is calculated from the three CVSS metric groups (base, temporal and environmental), and the risk degree corresponding to the score is divided into 5 grades of super-risk, high-risk, medium-risk, low-risk and no-risk, with values 9.0-10.0/7.0-8.9/4.0-6.9/0.1-3.9/0 respectively.
In some embodiments, the importance of the asset where the vulnerability is located may be divided into 5 levels of core/important/general/low/extremely low according to the actual condition of the asset, with values 1.0/0.8/0.6/0.4/0.2 respectively.
In some embodiments, the exploitation heat estimates the likelihood that the vulnerability is exploited in an enterprise network environment. Based on vulnerability intelligence and POC verification results, it is divided into 5 levels of high/medium/low/none according to factors such as whether an exploit (EXP) has been disclosed, whether the exploit has been added to an automated exploitation toolkit, whether it has been incorporated into malware, whether it has been incorporated into ransomware, and whether it has been used by APT groups, with values 1.0/0.75/0.5/0.25/0 respectively.
At block 206, vulnerability risk is calculated according to the risk level of the available vulnerability, the importance of the asset, the utilization heat, the attack path depth, and the security measure effectiveness.
In some embodiments, the vulnerability risk (vulnerability fix priority) is calculated as follows:
vulnerability risk (vulnerability fix priority) = vulnerability risk level (CVSS) × asset importance × vulnerability exploitation heat × attack path depth × (1 − security protection effectiveness).
In some embodiments, the fix priority is divided into 5 grades of high, medium, low and none according to the vulnerability risk score, with corresponding risk score ranges of 9.0-10.0/7.0-8.9/4.0-6.9/0.1-3.9/0 respectively.
In some embodiments, the optimal attack path factor may also be considered in the above formula.
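The scoring scheme of blocks 202 to 206 worked through in Python: the hop-depth and protection-effectiveness values derived during attack simulation, the five-level factor tables, the product formula and the grade ranges. This is an added example and not code from the patent or its assignee; the function names, the sample probe observations and the sample vulnerabilities are constructed, and mapping a partial block by a security device to the nearest of the five values is an assumption made here.

```python
"""Worked example of the vulnerability risk priority calculation.

Added illustration, not code from the patent or its assignee. The factor
tables follow the values given in the description; the helper names, the
sample probe observations and the sample vulnerabilities are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Asset importance: core / important / general / low / extremely low.
ASSET_IMPORTANCE = {"core": 1.0, "important": 0.8, "general": 0.6,
                    "low": 0.4, "extremely low": 0.2}

# Exploit heat and protection effectiveness both use five values, highest first:
# index 0 is the top level (public exploit in toolkits or malware; a device that
# blocks every probe), index 4 is none.
HEAT_VALUES = (1.0, 0.75, 0.5, 0.25, 0.0)
PROTECTION_VALUES = (1.0, 0.75, 0.5, 0.25, 0.0)


def depth_factor(hops: int) -> float:
    """Attack path depth: 1 / 2 / 3 / 4 or more hops -> 1.0 / 0.95 / 0.9 / 0.85."""
    if hops < 1:
        raise ValueError("the asset is at least one hop from the initiating unit")
    return {1: 1.0, 2: 0.95, 3: 0.9}.get(hops, 0.85)


def protection_effectiveness(upstream_seen: Set[str], downstream_seen: Set[str]) -> float:
    """Rate a security device from probe observations on the nodes around it.

    The arguments are the identifiers of the probes received by the monitored
    asset before and after the device. Probes seen upstream but not downstream
    were blocked. All blocked -> 1.0 and nothing blocked -> 0, as described;
    a partial block is mapped to the nearest of the five values (assumption).
    """
    if not upstream_seen:
        return 0.0  # no probe reached the device, so it earns no credit
    blocked = len(upstream_seen - downstream_seen) / len(upstream_seen)
    return min(PROTECTION_VALUES, key=lambda v: abs(v - blocked))


def risk_grade(score: float) -> str:
    """Map a 0-10 score onto the grades 9.0-10.0 / 7.0-8.9 / 4.0-6.9 / 0.1-3.9 / 0."""
    if score >= 9.0:
        return "super-risk"
    if score >= 7.0:
        return "high-risk"
    if score >= 4.0:
        return "medium-risk"
    if score > 0.0:
        return "low-risk"
    return "no-risk"


@dataclass(frozen=True)
class ExploitableVuln:
    vuln_id: str           # constructed identifier
    cvss: float            # vulnerability risk level, CVSS score 0.0-10.0
    asset_importance: str  # key of ASSET_IMPORTANCE
    heat_level: int        # index into HEAT_VALUES, 0 = highest
    hops: int              # hops from the attack simulation initiating unit
    protection: float      # effectiveness of security devices on that path


def vulnerability_risk(v: ExploitableVuln) -> float:
    """CVSS x importance x heat x depth x (1 - protection), rounded to one decimal."""
    if not 0.0 <= v.cvss <= 10.0:
        raise ValueError("CVSS score out of range")
    score = (v.cvss * ASSET_IMPORTANCE[v.asset_importance] * HEAT_VALUES[v.heat_level]
             * depth_factor(v.hops) * (1.0 - v.protection))
    return round(score, 1)


def prioritize(vulns: Iterable[ExploitableVuln]) -> List[Tuple[str, float, str]]:
    """Order exploitable vulnerabilities by descending fix priority."""
    scored = [(v.vuln_id, vulnerability_risk(v)) for v in vulns]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(vid, score, risk_grade(score)) for vid, score in scored]


# Constructed probe observations: the asset in front of a security device received
# four probes, the asset behind it received one, so three of four were blocked.
DEVICE_EFFECTIVENESS = protection_effectiveness(
    {"P-1", "P-2", "P-3", "P-4"}, {"P-4"})  # -> 0.75

# Constructed sample of exploitable vulnerabilities found by the simulation.
SAMPLE_VULNS = [
    ExploitableVuln("VULN-A", 9.6, "core", 0, 1, DEVICE_EFFECTIVENESS),
    ExploitableVuln("VULN-B", 7.5, "important", 1, 1, 0.0),
    ExploitableVuln("VULN-C", 10.0, "general", 2, 3, 0.0),
    ExploitableVuln("VULN-D", 9.8, "core", 0, 1, 1.0),  # fully shielded by a device
    ExploitableVuln("VULN-E", 8.0, "core", 0, 1, 0.0),
    ExploitableVuln("VULN-F", 9.8, "core", 0, 1, 0.0),
]

if __name__ == "__main__":
    for vid, score, grade in prioritize(SAMPLE_VULNS):
        print(f"{vid}: {score:4.1f} {grade}")
```

VULN-D shows the residual-risk case the description mentions: a high CVSS score behind a device that blocks every probe scores 0 and drops to the bottom of the list.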
In some embodiments, the method further comprises: giving priority treatment and repair suggestions for the vulnerability based on the calculated vulnerability risk; and, integrating the protection effectiveness of the security protection means, giving a judgment on whether the enterprise can accept the residual risk together with repair suggestions.
According to the embodiments of the disclosure, the following technical effects are achieved:
the method identifies the vulnerabilities that are really exploitable and narrows the range of vulnerabilities the security administrator must attend to;
it scores each vulnerability by combining its negative impact on the overall network defense depth under actual threat conditions, the probability of the threat occurring and whether its impact range covers important assets, so that the security administrator can determine which vulnerabilities should be treated first;
and it integrates the effectiveness of the security defense means to judge whether the threat corresponding to the vulnerability can be blocked by the defense equipment, so as to give an accurate suggestion on whether the residual risk can be accepted, and the security administrator can accurately decide how to dispose of the vulnerability.
It should be noted that for simplicity of description, the above-mentioned method embodiments are described as a series of acts, but those skilled in the art should understand that the present disclosure is not limited by the described order of acts, as some steps may be performed in other orders or simultaneously according to the present disclosure. Further, those skilled in the art should also appreciate that the embodiments described in the specification are exemplary embodiments and that acts and modules referred to are not necessarily required by the disclosure.
The above is a description of embodiments of the method, and the embodiments of the apparatus are further described below.
Fig. 4 illustrates a block diagram of a vulnerability risk priority handling apparatus 400 according to an embodiment of the present disclosure. As shown in fig. 4, the apparatus 400 includes:
the attack simulation module 402 is configured to obtain an available vulnerability in a network to be evaluated, an attack path depth of the available vulnerability, and an effectiveness of a security protection measure through attack simulation;
the query module 404 is configured to obtain a vulnerability risk level of the available vulnerability, an importance of an asset where the vulnerability is located, and a vulnerability exploitation heat degree;
and the calculating module 406 is used for calculating the vulnerability risk according to the risk level of the available vulnerability, the importance of the asset, the utilization heat, the attack path depth and the safety protection measure effectiveness.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the described module may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
The present disclosure also provides an electronic device, a readable storage medium, and a computer program product according to embodiments of the present disclosure.
FIG. 5 shows a schematic block diagram of an electronic device 500 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic devices may also represent various forms of mobile devices, such as personal digital processors, cellular telephones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
The device 500 comprises a computing unit 501 which may perform various suitable actions and processes in accordance with a computer program stored in a Read Only Memory (ROM) 502 or a computer program loaded from a storage unit 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data required for the operation of the device 500 can also be stored. The calculation unit 501, the ROM 502, and the RAM 503 are connected to each other by a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
A number of components in the device 500 are connected to the I/O interface 505, including: an input unit 506 such as a keyboard, a mouse, or the like; an output unit 507 such as various types of displays, speakers, and the like; a storage unit 508, such as a magnetic disk, optical disk, or the like; and a communication unit 509 such as a network card, modem, wireless communication transceiver, etc. The communication unit 509 allows the device 500 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The computing unit 501 may be a variety of general-purpose and/or special-purpose processing components having processing and computing capabilities. Some examples of the computing unit 501 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The calculation unit 501 performs the respective methods and processes described above. For example, in some embodiments, the methods 200, 300 may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as the storage unit 508. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 500 via the ROM 502 and/or the communication unit 509. When the computer program is loaded into the RAM 503 and executed by the computing unit 501, one or more steps of the methods 200, 300 described above may be performed. Alternatively, in other embodiments, the computing unit 501 may be configured to perform the methods 200, 300 in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server combined with a blockchain.
It should be understood that the flows shown above may be used in various forms, with steps reordered, added or deleted. For example, the steps described in the present disclosure may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the scope of protection of the present disclosure.

Claims (7)

1. A vulnerability risk priority processing method comprises the following steps:
acquiring an available vulnerability in a network to be evaluated, an attack path depth of the available vulnerability and safety protection measure effectiveness through attack simulation, wherein the attack simulation comprises bypass attack simulation and/or controllable intrusion simulation of the network to be evaluated, and the safety protection measure effectiveness is an evaluation result of safety equipment in the network to be evaluated, which is obtained through the bypass attack simulation and/or the controllable intrusion simulation of the network to be evaluated;
acquiring the vulnerability risk level of the available vulnerability, the importance of the asset where the vulnerability is located and the vulnerability utilization heat degree;
and calculating the vulnerability risk according to the danger level of the available vulnerability, the importance of the asset, the utilization heat, the attack path depth and the safety protection measure effectiveness.
2. The method of claim 1, wherein the attack path depth is the number of hops of an extranet attack obtained by performing a bypass attack simulation and/or a controlled intrusion simulation on the network to be evaluated.
3. The method according to claim 1, wherein the utilization heat is based on vulnerability intelligence and POC verification results.
4. The method of claim 1, wherein the method further comprises:
and judging whether the node where the available vulnerability is located is the best attack path leading to the key assets or the network area.
5. A vulnerability risk prioritization apparatus, comprising:
the system comprises an attack simulation module, a security protection measure module and a processing module, wherein the attack simulation module is used for acquiring an available vulnerability in a network to be evaluated, an attack path depth of the available vulnerability and the effectiveness of the security protection measure through attack simulation, the attack simulation comprises the bypass attack simulation and/or the controllable intrusion simulation of the network to be evaluated, and the effectiveness of the security protection measure is an evaluation result of security equipment in the network to be evaluated, which is obtained through the bypass attack simulation and/or the controllable intrusion simulation of the network to be evaluated;
the query module is used for acquiring the vulnerability risk level of the available vulnerability, the importance of the asset where the vulnerability is located and the vulnerability utilization heat degree;
and the calculation module is used for calculating the vulnerability risk according to the danger level of the available vulnerability, the importance of the asset, the utilization heat, the depth of the attack path and the effectiveness of the safety protection measures.
6. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-4.
7. A non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method of any one of claims 1-4.
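The risk calculation of claims 1 to 4, as an added worked example in Python that is not the patent's own code: the attack path depth of claim 2 is derived by breadth-first search over a constructed reachability graph standing in for the attack-simulation result, and the five claimed inputs are combined with an assumed weighting, since the claims name the inputs but not the formula. The host names, weights, value ranges and sample findings are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass

# Constructed reachability graph: edges the attack simulation found between hosts; "internet" is the extranet entry.
REACH = {"internet": ["web01"], "web01": ["app01"], "app01": ["db01"], "db01": []}

def attack_path_depth(graph, target, source="internet"):
    """Hops from the extranet entry to target (the depth of claim 2); None if unreachable."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            return dist[node]
        for nxt in graph.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return None

@dataclass
class Finding:
    vuln_id: str
    host: str
    danger_level: float      # vulnerability danger level, 0..10 (assumed scale)
    asset_importance: float  # importance of the asset the vulnerability sits on, 0..1
    exploit_heat: float      # utilization heat from vulnerability intelligence and POC results, 0..1
    protection: float        # security-device effectiveness on the path, 0..1 (1 = always blocked)
    on_best_path: bool = False  # claim 4: node lies on the best attack path to key assets

def priority_score(f, graph=REACH, depth_decay=0.7, best_path_bonus=1.5):
    """Assumed weighting: the claims name the five inputs but not the formula."""
    depth = attack_path_depth(graph, f.host)
    if depth is None:
        return 0.0                         # not reachable from the extranet at all
    base = f.danger_level * f.asset_importance * (0.5 + 0.5 * f.exploit_heat)
    exposure = depth_decay ** (depth - 1)  # each extra hop from the extranet lowers exposure
    unprotected = 1.0 - f.protection       # effective security devices lower the risk
    score = base * exposure * unprotected
    return score * best_path_bonus if f.on_best_path else score

def prioritize(findings, graph=REACH):
    return sorted(findings, key=lambda f: priority_score(f, graph), reverse=True)

FINDINGS = [  # constructed sample findings, not from the patent
    Finding("VULN-A", "db01", 9.8, 0.9, 0.2, 0.8),                     # critical, but deep and well protected
    Finding("VULN-B", "web01", 6.5, 0.6, 0.9, 0.3, on_best_path=True),  # medium, but exposed and hot
    Finding("VULN-C", "app01", 7.5, 1.0, 0.5, 0.1),
]
```

With these inputs the order is VULN-B, VULN-C, VULN-A, the reverse of a pure danger-level ordering, which is what folding in path depth and protection effectiveness changes.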

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210107047.2A CN114428962B (en) 2022-01-28 2022-01-28 Vulnerability risk priority processing method and device

Publications (2)

Publication Number Publication Date
CN114428962A CN114428962A (en) 2022-05-03
CN114428962B true CN114428962B (en) 2023-03-31

Family

ID=81312967

Country Status (1)

Country Link
CN (1) CN114428962B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Priority disposal methods and devices for vulnerability risks

Effective date of registration: 20231124

Granted publication date: 20230331

Pledgee: Bank of Nanjing Limited by Share Ltd. Beijing branch

Pledgor: Beijing grayscale Technology Co.,Ltd.

Registration number: Y2023110000489