CN114491561A - Method and device for evaluating security vulnerability processing priority - Google Patents

Method and device for evaluating security vulnerability processing priority

Info

Publication number: CN114491561A
Authority: CN (China)
Prior art keywords: level, carrier, target, target carrier, security vulnerability
Legal status: Pending
Application number: CN202210106545.5A
Other languages: Chinese (zh)
Inventor: 孙祥明
Current assignee: Wuhan Sipuling Technology Co Ltd
Original assignee: Wuhan Sipuling Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The application provides a method and a device for evaluating security vulnerability processing priority. The method is applied to evaluating the processing priority of security vulnerabilities in an enterprise intranet and comprises the steps of obtaining the self risk level of a security vulnerability to be evaluated; acquiring the exposure path risk level of the target carrier; acquiring the opening coefficient of the target port; and determining the processing priority of the security vulnerability to be evaluated according to the self risk level, the exposure path risk level and the target port opening coefficient. When the method is used to evaluate the processing priority of security vulnerabilities, not only the risk level of the vulnerability itself is considered, but also the exposure path risk level of the target carrier where the vulnerability is located within the network structure of each enterprise intranet, and the opening condition of the vulnerable port on the target carrier, so that a network administrator can concentrate on the security vulnerabilities that pose the greatest risk to the network, and the possibility of being attacked is reduced.

Description

Method and device for evaluating security vulnerability processing priority
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for evaluating security vulnerability processing priority.
Background
A security vulnerability is a defect in hardware, software, the specific implementation of a protocol, or a system security policy, which may enable an attacker to access or damage the system without authorization. Behind a significant network attack there are often one or more vulnerabilities that have not been fixed. Therefore, timely and accurate handling of security vulnerabilities is crucial to identifying and reducing network risk.
A network administrator scans the enterprise network with a vulnerability scanning tool, obtains the security vulnerability information of the enterprise intranet and then repairs the vulnerabilities. However, as the network expands and diversifies, the number of vulnerabilities detected by the scanning tool often exceeds the operation and maintenance capacity of the network administrator. Repairs therefore have to be carried out in a targeted manner according to the danger degree of each security vulnerability.
Currently, CVSS (Common Vulnerability Scoring System) is generally used to evaluate the risk level of a security vulnerability and determine a corresponding processing priority. But a CVSS rating only considers the technical risk that the vulnerability may introduce and neglects other factors such as the importance of the asset where the vulnerability is located, the network area, the open ports and the exposure surface, so that the network administrator cannot concentrate on the security vulnerabilities that constitute the greatest risk to the network when dealing with them.
Disclosure of Invention
In order to solve the problem that in the prior art, only the technical risk possibly introduced by a security vulnerability is considered when evaluating the processing priority of the security vulnerability, and other factors such as the importance of a carrier where the security vulnerability is located, a network area, an open port and an exposed surface are ignored, so that a network administrator cannot concentrate on the security vulnerability forming the maximum risk to the network when processing the security vulnerability, the application provides a method and a device for evaluating the processing priority of the security vulnerability through the following aspects.
The first aspect of the application provides a method for evaluating security vulnerability processing priority, which is applied to evaluating the processing priority of security vulnerabilities in an enterprise intranet and comprises the steps of obtaining the self risk level of the security vulnerability to be evaluated; acquiring the exposure path risk level of the target carrier, the target carrier being the carrier where the security vulnerability to be evaluated is located; acquiring the target port opening coefficient, which is determined according to the opening condition of the port for the security vulnerability to be evaluated on the target carrier; and determining the processing priority of the security vulnerability to be evaluated according to the self risk level, the exposure path risk level and the target port opening coefficient.
Optionally, obtaining the self risk level of the security vulnerability to be evaluated includes: acquiring the CVSS score of the security vulnerability to be evaluated and converting it to obtain the vulnerability level of the security vulnerability to be evaluated; acquiring the carrier importance level of the target carrier, where the carrier importance level is determined according to the importance of the service or application carried by the target carrier; and determining the self risk level according to the vulnerability level and the carrier importance level.
Optionally, obtaining the target port opening coefficient includes: when a port aiming at the security vulnerability to be evaluated on the target carrier is opened, setting the opening coefficient of the target port as 1; and when the port aiming at the security vulnerability to be evaluated on the target carrier is closed, the target port opening coefficient is set to be 0.4.
Optionally, obtaining the exposure path risk level of the target carrier includes: determining each access path between the source object and the target carrier according to the address range of the source object and the address of the target carrier; wherein the source object is an external carrier allowing access to the target carrier; acquiring a single path risk value of each access path; and calculating according to the risk values of all the single paths to obtain the exposure path risk level of the target carrier.
Optionally, obtaining a single path risk value of each access path includes: determining the loose grade of the source object according to the address range of the source object; determining the loose grade of the target carrier according to the port number of the target carrier; obtaining an access path loose grade according to the source object loose grade and the target carrier loose grade; determining the inter-domain risk level of the access path according to the region where the source object is located; and obtaining a single path risk value according to the inter-domain risk level and the loose level of the access path.
A second aspect of the present application provides an apparatus for evaluating security vulnerability processing priority, which is used to implement the steps of the method of the first aspect, and the apparatus includes: a self risk level obtaining module, used to obtain the self risk level of the security vulnerability to be evaluated; an exposure path risk level obtaining module, used to obtain the exposure path risk level of the target carrier, the target carrier being the carrier where the security vulnerability to be evaluated is located; a target port opening coefficient obtaining module, used to obtain the target port opening coefficient, which is determined according to the opening condition of the port for the security vulnerability to be evaluated on the target carrier; and a processing priority evaluation module, used to determine the processing priority of the security vulnerability to be evaluated according to the self risk level, the exposure path risk level and the target port opening coefficient.
Optionally, the self risk level obtaining module comprises a vulnerability level obtaining unit, a carrier importance level obtaining unit and a first calculating unit; the vulnerability level obtaining unit is used to obtain and convert the CVSS score of the security vulnerability to be evaluated to obtain its vulnerability level; the carrier importance level obtaining unit is used to obtain the carrier importance level of the target carrier; and the first calculating unit is used to determine the self risk level according to the vulnerability level and the carrier importance level.
Optionally, the target port opening coefficient obtaining module is configured to perform the following functions: when a port aiming at the security vulnerability to be evaluated on the target carrier is opened, the opening coefficient of the target port is equal to 1; and when the port aiming at the security vulnerability to be evaluated on the target carrier is closed, the target port opening coefficient is equal to 0.4.
Optionally, the exposure path risk level obtaining module includes an access path obtaining unit, a single path risk value calculating unit, and a second calculating unit; the access path acquiring unit is used for determining each access path between the source object and the target carrier according to the address range of the source object and the address of the target carrier; wherein, the source object is an external address allowing to access the target carrier; the single path risk value calculation unit is used for acquiring a single path risk value of each access path; and the second calculating unit is used for calculating according to all the single path risk values to obtain the exposure path risk level of the target carrier.
Optionally, the single path risk value calculating unit includes a source object loose grade obtaining subunit, a target carrier loose grade obtaining subunit, an access path loose grade obtaining subunit, an access path inter-domain risk grade obtaining subunit and a third calculating unit; the source object loose grade obtaining subunit is used to determine the loose grade of the source object according to the address range of the source object; the target carrier loose grade obtaining subunit is used to determine the target carrier loose grade according to the port number of the target carrier; the access path loose grade obtaining subunit is used to obtain the access path loose grade according to the source object loose grade and the target carrier loose grade; the access path inter-domain risk grade obtaining subunit is used to determine the access path inter-domain risk grade according to the area where the source object is located; and the third calculating unit is used to obtain the single path risk value according to the access path inter-domain risk grade and the access path loose grade.
The application provides a method and a device for evaluating security vulnerability processing priority, wherein the method is applied to evaluating the security vulnerability processing priority in an enterprise intranet, and comprises the steps of obtaining the self risk level of a security vulnerability to be evaluated; acquiring the exposure path risk level of the target carrier; acquiring an opening coefficient of a target port; and determining the processing priority of the security vulnerability to be evaluated according to the self risk level, the exposure path risk level and the target port opening coefficient. When the method is used for evaluating the processing priority of the security vulnerabilities, not only the risk level of the vulnerabilities is considered, but also the exposure path risk level of a target carrier where the security vulnerabilities are located in the network structure of each intranet of the enterprises and the port opening condition of the security vulnerabilities on the target carrier are considered, so that a network administrator can concentrate on the security vulnerabilities forming the maximum risk to the network, and the possibility of being attacked is reduced.
Drawings
Fig. 1 is a schematic workflow diagram of a method for evaluating security vulnerability processing priority according to an embodiment of the present application;
fig. 2 is a schematic view of the workflow for determining the self risk level of the security vulnerability in the method for evaluating security vulnerability processing priority according to an embodiment of the present application;
fig. 3 is a schematic view of a workflow for obtaining a risk level of an exposure path of a target carrier in a method for evaluating a security vulnerability processing priority according to an embodiment of the present application;
fig. 4 is a schematic diagram of a workflow for obtaining a single path risk value in a method for evaluating security vulnerability processing priority according to an embodiment of the present application;
fig. 5 is a schematic diagram illustrating a calculation process of a method for evaluating security vulnerability processing priority according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an apparatus for evaluating security vulnerability processing priority according to an embodiment of the present disclosure.
Detailed Description
To facilitate the description of the technical solutions of the present application, some concepts related to the present application will be described below.
The carrier where the security vulnerability is located refers to any network-connected device in the intranet; depending on the specific situation of the enterprise, the carrier may be a host in the enterprise intranet, a server, or a network security device, which is not specifically limited in this application.
In order to solve the problem that in the prior art, only the technical risk possibly introduced by a security vulnerability is considered when evaluating the processing priority of the security vulnerability, and other factors such as the importance of a carrier where the security vulnerability is located, a network area, an open port and an exposed surface are ignored, so that a network administrator cannot concentrate on the security vulnerability forming the maximum risk to the network when processing the security vulnerability, the method and the device for evaluating the processing priority of the security vulnerability are provided through the following aspects.
Please refer to fig. 1, which schematically illustrates a flowchart corresponding to a method for evaluating security vulnerability processing priority according to a first embodiment of the present application. As shown in fig. 1, the method is applied to evaluating the processing priority of a security vulnerability in an intranet, and specifically includes steps 1 to 4.
Step 1, obtaining the self risk level of the security vulnerability to be evaluated. In one implementation, the self risk level is determined from the CVSS score of the security vulnerability to be evaluated and the importance of the carrier where it is located. The higher the CVSS score of the vulnerability and the higher the importance of the carrier, the higher the self risk level of the vulnerability, and vice versa. As shown in fig. 2, step 1 further comprises steps 101 to 103.
Step 101, obtaining and converting the CVSS score of the security vulnerability to be evaluated to obtain its vulnerability level. List information on the security vulnerabilities in the intranet is obtained with a vulnerability scanning tool; the list information includes the CVSS score of each security vulnerability. CVSS (Common Vulnerability Scoring System) is a common vulnerability severity assessment standard in the field of computer network security. It scores security vulnerabilities along three dimensions: base metrics, temporal metrics and environmental metrics. According to the latest CVSS version 3.0, the CVSS score of a security vulnerability ranges from 0 to 10.
In this embodiment the vulnerability level uses a 1-5 scale, so the CVSS score is converted. Table 1 gives an example of the correspondence between CVSS scores and vulnerability levels used in the method. When the CVSS score is 0, the vulnerability has no risk and the corresponding vulnerability level is 1; when the CVSS score is 0.1-3.9, the vulnerability is low-risk and the corresponding vulnerability level is 2; when the CVSS score is 4.0-6.9, the vulnerability is medium-risk and the corresponding vulnerability level is 3; when the CVSS score is 7.0-8.9, the vulnerability is high-risk and the corresponding vulnerability level is 4; when the CVSS score is 9.0-10.0, the vulnerability is ultra-high-risk and the corresponding vulnerability level is 5.
Table 1: Example of correspondence of CVSS score to vulnerability level
CVSS score    Degree of danger    Vulnerability level
0             No risk             1
0.1-3.9       Low risk            2
4.0-6.9       Medium risk         3
7.0-8.9       High risk           4
9.0-10.0      Ultra-high risk     5
Step 102, obtaining the carrier importance level of the target carrier. The importance levels of carriers differ between enterprises; in general the network administrator determines the importance of the service or application carried by a carrier when adding it. In this embodiment the carrier importance level is given on a 1-5 scale. Illustratively, in the network of a banking enterprise the host used by the core banking system has the highest importance, so the importance level of its carrier is set to 5; the importance levels of the mail and office systems are set to 4 and 3 respectively; the importance level of the carrier used by an internal forum is set to 2; and the importance level of all other carriers is set to 1.
Step 103, determining the self risk level according to the vulnerability level and the carrier importance level. In this embodiment the vulnerability level is multiplied by the carrier importance level, the result (in the interval 1-25 points) is divided into one level every 5 points, and the result is converted to a 1-5 scale to obtain the self risk level. Illustratively, 1-5 points correspond to self risk level 1, representing low risk; 6-10 points correspond to self risk level 2, representing general risk; 11-15 points correspond to self risk level 3, representing medium risk; 16-20 points correspond to self risk level 4, representing high risk; and 21-25 points correspond to self risk level 5, representing ultra-high risk. In other embodiments, the vulnerability level and the carrier importance level can be combined by other mathematical methods to obtain the self risk level of the vulnerability. The present application does not specifically limit the calculation method.
Step 2, obtaining the exposure path risk level of the target carrier. The target carrier is the carrier where the security vulnerability to be evaluated is located. In one implementation, the exposure path risk level of a carrier depends on the network location of the target carrier in the enterprise-wide environment, the number of ports on the carrier, the address range of the source object, the area in which the source object is located, and so on. The source object is an external carrier allowed to access the target carrier and can be obtained by calculation in a network simulation environment. As shown in fig. 3, step 2 further comprises steps 201 to 203.
Step 201, determining each access path between a source object and a target carrier according to an address range of the source object and an address of the target carrier.
In this embodiment, the relevant configuration of the layer-3 network devices that affect network access paths, and the data flows passing through them, are extracted from the enterprise's current network environment, and big data analysis is used to automatically construct the connection and mutual-access relationships between network devices, forming a network-wide simulation environment consistent with the network configuration and access control relationships of the current environment. The network simulation environment is analysed to obtain the addresses of the source objects, and each access path between a source object and the target carrier is determined according to the address range of the source object and the address of the target carrier.
Step 202, obtaining a single path risk value for each access path. The single path risk value depends on factors such as the address range of the source object, the number of ports on the target carrier and the area where the source object is located. As shown in fig. 4, step 202 further comprises steps 2021 to 2025.
Step 2021, determining the loose grade of the source object according to its address range. In one implementation, the loose grade of the source object is determined from its address range and a correspondence between address ranges and loose grades. The wider the address range of the source object, the greater the damage and attack possibility it poses to the target carrier, and the higher its loose grade.
Table 2 shows an example of the correspondence between the address range of the source object and the loose grade of the source object. When the address range of the source object is a single address, the corresponding loose grade is 1; when it is no larger than 32 addresses, the corresponding loose grade is 2; when it is no larger than 128 addresses, the corresponding loose grade is 3; when it is no larger than a class C address segment, the corresponding loose grade is 4; and when it is larger than a class C address segment, the corresponding loose grade is 5.
Table 2: Example of correspondence between address range of source object and loose grade of source object
Address range of source object    Source object loose grade
1                                 1
≤ 32                              2
≤ 128                             3
≤ class C address segment         4
> class C address segment         5
Step 2022, determining the target carrier loose grade according to the port number of the target carrier. In one implementation, in determining the target carrier loose level, the loose level of the target carrier may be determined according to the port number of the target carrier and the corresponding relationship between the port number and the target carrier loose level.
Table 3 shows an example of the correspondence between the number of ports of the target carrier and the target carrier loose grade. When the target carrier has no more than 4 ports, the corresponding loose grade is 1; with more than 4 and no more than 8 ports it is 2; with more than 8 and no more than 16 ports it is 3; with more than 16 and no more than 32 ports it is 4; and with more than 32 ports it is 5.
Table 3: Example of correspondence between number of ports of target carrier and loose grade of target carrier
Number of ports of target carrier    Target carrier loose grade
(0, 4]                               1
(4, 8]                               2
(8, 16]                              3
(16, 32]                             4
(32, +∞)                             5
Step 2023, obtaining the access path loose grade according to the source object loose grade and the target carrier loose grade. In this embodiment the loose grade of the source object is multiplied by the loose grade of the target carrier, the result (in the interval 1-25 points) is divided into one grade every 5 points, and the result is converted to a 1-5 scale to obtain the access path loose grade. The two loose grades can also be combined by other mathematical methods to obtain the access path loose grade; the present application does not specifically limit the calculation method.
Step 2024, determining the access path inter-domain risk level according to the region where the source object is located. The inter-domain risk level is determined by analysing the region of the source object. Illustratively, if the source object is located in an external network, the access path inter-domain risk level is set to 5, and if the region to which the source object belongs is the intranet, it is set to 1. The levels can be set according to the specific conditions of the enterprise, and the application does not limit them. In this embodiment the access path inter-domain risk level ranges from 1 to 5.
Step 2025, obtaining the single path risk value according to the access path inter-domain risk level and the access path loose grade. In this embodiment the access path inter-domain risk level is multiplied by the access path loose grade, the result (in the interval 1-25 points) is divided into one level every 5 points, and the result is converted to a 1-5 scale to obtain the single path risk value. In other embodiments, the access path inter-domain risk level and the access path loose grade may instead be added, the result (in the interval 1-10 points) divided into one level every 2 points and converted to a 1-5 scale to obtain the single path risk value. The two levels can also be combined by other mathematical methods; the present application does not specifically limit the calculation method.
Step 203, calculating the exposure path risk level of the target carrier from all the single path risk values. In this embodiment the risk values of all single paths are summed, and the result is converted to obtain the exposure path risk level of the target carrier on a 1-5 scale.
Step 3, obtaining the target port opening coefficient. The target port opening coefficient is determined according to whether the port for the security vulnerability to be evaluated is open on the target carrier; in practice this can be read from the vulnerability list information produced by the vulnerability scanning system. In this embodiment, when the port for the security vulnerability to be evaluated is open on the target carrier, the target port opening coefficient is set to 1; when it is closed, the target port opening coefficient is set to 0.4. In other embodiments, when the port is closed the coefficient may be set to another value greater than 0 and smaller than 1, which is not specifically limited in this application.
It should be noted that in this embodiment the order of steps 1-3 is not fixed: steps 1, 2 and 3 may be executed in that order and step 4 then executed according to their results, or steps 2, 3 and 1 may be executed first and step 4 then executed according to the results of steps 1, 2 and 3. It is sufficient that steps 1, 2 and 3 are all performed before step 4.
Step 4, determining the processing priority of the security vulnerability to be evaluated according to the self risk level, the exposure path risk level and the target port opening coefficient. In this embodiment the self risk level, the exposure path risk level and the target port opening coefficient are multiplied, and the result falls into one of five level ranges. In order from low to high, the processing priorities of the evaluated security vulnerability corresponding to these ranges are low risk (level 1, 0-5 points), general (level 2, 6-10 points), medium risk (level 3, 11-15 points), high risk (level 4, 16-20 points) and severe (level 5, 21-25 points). In other embodiments, the self risk level, the exposure path risk level and the target port opening coefficient may be combined by other mathematical methods to obtain the processing priority; the present application does not specifically limit the calculation method.
Table 4 shows an example of the processing priority evaluation results for the same security vulnerability in two different enterprise networks. In scene 1 the exposure path risk level of the vulnerability is low, so its priority evaluation result is low risk; in scene 2 the exposure path risk level is high, so the result is high risk.
Table 4: Processing priority evaluation results for the same security vulnerability in two different enterprise networks

| Application scenario | Self risk level | Exposure path risk level | Target port opening coefficient | Evaluation result |
|---|---|---|---|---|
| Scenario 1 | High risk (4) | Low (1) | Open (1.0) | Low risk (4 × 1 × 1.0 = 4) |
| Scenario 2 | High risk (4) | High (5) | Open (1.0) | High risk (4 × 5 × 1.0 = 20) |
Therefore, the processing priority of the same vulnerability on the same target carrier differs between enterprises or between network areas. By re-evaluating the processing priority of the security vulnerabilities in the enterprise network with the method of this embodiment, a network administrator can concentrate on the security vulnerabilities that pose the greatest risk to the network, reducing the likelihood of the enterprise network being attacked.
Referring to fig. 5, which illustrates the calculation process of this embodiment, each influencing factor of the processing priority of the security vulnerability to be evaluated is quantized to a score on a scale of levels 1-5. In other embodiments, the influencing factors may be quantized to other numerical ranges; this application does not specifically limit this.
This embodiment provides a method for evaluating security vulnerability processing priority. The method is applied to evaluating the processing priority of security vulnerabilities in an enterprise intranet and comprises: acquiring the self risk level of the security vulnerability to be evaluated; acquiring the exposure path risk level of the target carrier; acquiring the target port opening coefficient; and determining the processing priority of the security vulnerability to be evaluated from the self risk level, the exposure path risk level and the target port opening coefficient. When the method evaluates processing priority, it considers not only the risk level of the vulnerability itself but also the exposure path risk level of the target carrier on which the vulnerability resides, as determined by the network structure of the particular enterprise intranet, and whether the port for the vulnerability is open on that carrier. A network administrator can therefore concentrate on the security vulnerabilities that pose the greatest risk to the network, reducing the likelihood of the enterprise network being attacked.
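The following is an added worked example in Python, not code from the patent or its applicant, implementing step 3 (port opening coefficient) and step 4 (product and banding) as described above and reproducing the two Table 4 scenarios. The placement of fractional scores, which arise when the closed-port coefficient 0.4 is applied, is an assumption, since the page gives only integer point ranges.

```python
from enum import IntEnum


class Priority(IntEnum):
    """Step 4 processing-priority levels and their point bands."""
    LOW_RISK = 1     # 0-5 points
    GENERAL = 2      # 6-10 points
    MEDIUM_RISK = 3  # 11-15 points
    HIGH_RISK = 4    # 16-20 points
    SEVERE = 5       # 21-25 points

# Inclusive upper bound of each band, ascending. ASSUMPTION: the page gives
# integer bands only; a fractional score such as 4 x 4 x 0.4 = 6.4 (closed
# port) is placed in the first band whose upper bound it does not exceed,
# so (5, 10] maps to "general".
_BAND_UPPER = [(5, Priority.LOW_RISK), (10, Priority.GENERAL),
               (15, Priority.MEDIUM_RISK), (20, Priority.HIGH_RISK),
               (25, Priority.SEVERE)]

OPEN_PORT_COEFFICIENT = 1.0    # step 3: port for the vulnerability is open
CLOSED_PORT_COEFFICIENT = 0.4  # step 3: port is closed (this embodiment)


def port_opening_coefficient(port_open, closed_value=CLOSED_PORT_COEFFICIENT):
    """Step 3. Other embodiments may use any closed-port value in (0, 1)."""
    if not port_open and not 0.0 < closed_value < 1.0:
        raise ValueError("closed-port coefficient must lie in (0, 1)")
    return OPEN_PORT_COEFFICIENT if port_open else float(closed_value)


def _check_level(name, level):
    # Self risk and exposure path risk are quantized to integer levels 1-5.
    if not isinstance(level, int) or not 1 <= level <= 5:
        raise ValueError(f"{name} must be an integer level 1-5, got {level!r}")


def priority_score(self_risk, exposure_path_risk, port_coefficient):
    """Step 4: multiply the three factors; the product lies in (0, 25]."""
    _check_level("self_risk", self_risk)
    _check_level("exposure_path_risk", exposure_path_risk)
    return self_risk * exposure_path_risk * port_coefficient


def score_to_priority(score):
    """Map a step 4 product onto the five processing-priority bands."""
    score = round(score, 6)  # guard against float noise at band edges
    if score <= 0:
        raise ValueError(f"score must be positive, got {score}")
    for upper, level in _BAND_UPPER:
        if score <= upper:
            return level
    raise ValueError(f"score {score} exceeds the 25-point maximum")


def evaluate(self_risk, exposure_path_risk, port_open):
    """Full evaluation: step 3 coefficient, then step 4 product and banding."""
    coeff = port_opening_coefficient(port_open)
    return score_to_priority(priority_score(self_risk, exposure_path_risk, coeff))


# Table 4 of the page: the same vulnerability on the same carrier, evaluated in
# two enterprise networks that differ only in exposure path risk level.
TABLE_4 = {
    "scenario_1": dict(self_risk=4, exposure_path_risk=1, port_open=True),  # 4 pts
    "scenario_2": dict(self_risk=4, exposure_path_risk=5, port_open=True),  # 20 pts
}


def evaluate_table_4():
    return {name: evaluate(**row) for name, row in TABLE_4.items()}
```

Calling `evaluate(4, 4, True)` and `evaluate(4, 4, False)` shows the effect of step 3 alone: the same finding drops from high risk (16 points) to general (6.4 points) when its port is closed.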
The following are embodiments of the apparatus of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.
Fig. 6 is a schematic structural diagram of an apparatus for evaluating security vulnerability processing priority according to a second embodiment of the present application. As shown in fig. 6, the apparatus implements the above method for evaluating security vulnerability processing priority; this function may be implemented by hardware, or by hardware executing corresponding software. The apparatus may include a self risk level acquisition module, an exposure path risk level acquisition module, a target port opening coefficient acquisition module and a processing priority evaluation module.
The self risk level obtaining module is used for obtaining the self risk level of the security vulnerability to be evaluated.
The exposure path risk level acquisition module is used for acquiring the exposure path risk level of the target carrier; and the target carrier is the carrier where the security vulnerability to be evaluated is located.
The target port opening coefficient acquisition module is used for acquiring a target port opening coefficient; and the target port opening coefficient is determined according to the opening condition of the port aiming at the security vulnerability to be evaluated on the target carrier.
And the processing priority evaluation module is used for determining the processing priority of the security vulnerability to be evaluated according to the self risk level, the exposure path risk level and the target port opening coefficient.
Further, the self risk level obtaining module comprises a vulnerability level obtaining unit, a carrier importance level obtaining unit and a first calculating unit.
The vulnerability level obtaining unit is used for obtaining and converting the CVSS score of the security vulnerability to be evaluated to obtain the vulnerability level of the security vulnerability to be evaluated.
The carrier importance level acquiring unit is used for acquiring the carrier importance level of the target carrier.
The first computing unit is used for determining the self risk level according to the vulnerability level and the carrier importance level.
Further, the target port opening coefficient obtaining module is configured to perform the following functions: when a port aiming at the security vulnerability to be evaluated on the target carrier is opened, the opening coefficient of the target port is equal to 1; and when the port aiming at the security vulnerability to be evaluated on the target carrier is closed, the target port opening coefficient is equal to 0.4.
Further, the exposure path risk level obtaining module comprises an access path obtaining unit, a single path risk value calculating unit and a second calculating unit.
The access path acquiring unit is used for determining each access path between a source object and the target carrier according to the address range of the source object and the address of the target carrier; wherein the source object is an external carrier allowing access to the target carrier.
The single path risk value calculation unit is used for acquiring a single path risk value of each access path.
And the second calculating unit is used for calculating according to all the single path risk values to obtain the exposure path risk level of the target carrier.
Further, the single path risk value calculation unit includes a source object loose grade acquisition subunit, a target carrier loose grade acquisition subunit, an access path loose grade acquisition subunit, an access path inter-domain risk grade acquisition subunit, and a third calculation unit.
The source object loose grade obtaining subunit is configured to determine a source object loose grade according to the address of the source object.
And the target carrier loose grade obtaining subunit is used for determining the target carrier loose grade according to the port number of the target carrier.
And the access path loose grade obtaining subunit is used for obtaining an access path loose grade according to the source object loose grade and the target carrier loose grade.
The access path inter-domain risk level acquiring subunit is used for determining the access path inter-domain risk level according to the region where the source object is located.
And the third calculation unit is used for obtaining a single path risk value according to the inter-domain risk level of the access path and the loose level of the access path.
The present application has been described in detail with reference to specific embodiments and illustrative examples, but the description is not intended to limit the application. Those skilled in the art will appreciate that various equivalent substitutions, modifications or improvements may be made to the presently disclosed embodiments and implementations thereof without departing from the spirit and scope of the present disclosure, and these fall within the scope of the present disclosure. The protection scope of this application is subject to the appended claims.

Claims (10)

1. A method for evaluating security vulnerability processing priority is applied to evaluating the security vulnerability processing priority in an enterprise intranet, and comprises the following steps:
acquiring the self risk level of the security vulnerability to be evaluated;
acquiring the exposure path risk level of the target carrier; the target carrier is a carrier where the security vulnerability to be evaluated is located;
acquiring an opening coefficient of a target port; the target port opening coefficient is determined according to the opening condition of a port aiming at the security vulnerability to be evaluated on the target carrier;
and determining the processing priority of the security vulnerability to be evaluated according to the self risk level, the exposure path risk level and the target port opening coefficient.
2. The method according to claim 1, wherein the obtaining of the self risk level of the security vulnerability to be evaluated comprises:
acquiring the CVSS value of the security vulnerability to be evaluated and converting the CVSS value to obtain the vulnerability level of the security vulnerability to be evaluated;
acquiring the carrier importance level of the target carrier; wherein, the importance level of the carrier is determined according to the importance degree of the service or application carried by the target carrier;
and determining the self risk level according to the vulnerability level and the carrier importance level.
3. The method of claim 1, wherein obtaining the target port opening coefficient comprises:
when a port aiming at the security vulnerability to be evaluated on the target carrier is opened, setting the opening coefficient of the target port to be 1;
and when the port aiming at the security vulnerability to be evaluated on the target carrier is closed, setting the target port opening coefficient to be 0.4.
4. The method of claim 1, wherein obtaining the exposure path risk level of the target carrier comprises:
determining each access path between a source object and a target carrier according to the address range of the source object and the address of the target carrier; wherein the source object is an external carrier allowing access to the target carrier;
acquiring a single path risk value of each access path;
and calculating according to all the single path risk values to obtain the exposure path risk level of the target carrier.
5. The method of claim 4, wherein obtaining the single path risk value for each access path comprises:
determining the loose grade of the source object according to the address of the source object;
determining the target carrier loose grade according to the port number of the target carrier;
obtaining an access path loose grade according to the source object loose grade and the target carrier loose grade;
determining the inter-domain risk level of the access path according to the region where the source object is located;
and obtaining a single path risk value according to the inter-domain risk level of the access path and the loose level of the access path.
6. An apparatus for evaluating security vulnerability processing priority, for implementing the steps of the method for evaluating security vulnerability processing priority of claims 1-5, the apparatus comprising:
the self risk level obtaining module is used for obtaining the self risk level of the security vulnerability to be evaluated;
the exposure path risk level acquisition module is used for acquiring the exposure path risk level of the target carrier; the target carrier is a carrier where the security vulnerability to be evaluated is located;
the target port opening coefficient acquisition module is used for acquiring a target port opening coefficient; the target port opening coefficient is determined according to the opening condition of a port aiming at the security vulnerability to be evaluated on the target carrier;
and the processing priority evaluation module is used for determining the processing priority of the security vulnerability to be evaluated according to the self risk level, the exposure path risk level and the target port opening coefficient.
7. The apparatus according to claim 6, wherein the self risk level obtaining module includes a vulnerability level obtaining unit, a carrier importance level obtaining unit and a first calculating unit;
the vulnerability level obtaining unit is used for obtaining and converting the CVSS score of the security vulnerability to be evaluated to obtain the vulnerability level of the security vulnerability to be evaluated;
the carrier importance level acquiring unit is used for acquiring the carrier importance level of the target carrier;
the first computing unit is used for determining the self risk level according to the vulnerability level and the carrier importance level.
8. The apparatus of claim 6, wherein the target port opening coefficient obtaining module is configured to perform the following functions:
when a port aiming at the security vulnerability to be evaluated on the target carrier is opened, the opening coefficient of the target port is equal to 1;
and when the port aiming at the security vulnerability to be evaluated on the target carrier is closed, the target port opening coefficient is equal to 0.4.
9. The apparatus of claim 6, wherein the exposure path risk level obtaining module comprises an access path obtaining unit, a single path risk value calculating unit, and a second calculating unit; wherein:
the access path acquiring unit is used for determining each access path between a source object and the target carrier according to the address range of the source object and the address of the target carrier; wherein the source object is an external address allowing access to the target carrier;
the single path risk value calculation unit is used for acquiring a single path risk value of each access path;
and the second calculating unit is used for calculating according to all the single path risk values to obtain the exposure path risk level of the target carrier.
10. The apparatus of claim 9, wherein the single path risk value calculation unit comprises a source object loose level obtaining sub-unit, a target carrier loose level obtaining sub-unit, an access path inter-domain risk level obtaining sub-unit, and a third calculation unit; wherein:
the source object loose grade obtaining subunit is used for determining a source object loose grade according to the address of the source object;
the target carrier loose grade obtaining subunit is used for determining a target carrier loose grade according to the port number of the target carrier;
the access path loose grade obtaining subunit is configured to obtain an access path loose grade according to the source object loose grade and the target carrier loose grade;
the access path inter-domain risk level obtaining subunit is used for determining an access path inter-domain risk level according to the region where the source object is located;
and the third calculation unit is used for obtaining a single path risk value according to the inter-domain risk level of the access path and the loose level of the access path.
CN202210106545.5A 2022-01-28 2022-01-28 Method and device for evaluating security vulnerability processing priority Pending CN114491561A (en)
Publications (1)

Publication Number Publication Date
CN114491561A true CN114491561A (en) 2022-05-13