Disclosure of Invention
The application provides a risk management method and a risk management apparatus, which can carry out unified risk management on equipment, thereby improving the security of a network system.
In a first aspect, a risk management method is provided, including: acquiring device names and Internet Protocol (IP) addresses of a plurality of devices to be monitored; monitoring the plurality of devices to be monitored based on a preset monitoring rule to obtain monitoring data, wherein the preset monitoring rule comprises the step of collecting different monitoring data for the devices to be monitored of different device types; performing risk analysis on the multiple devices to be monitored based on the monitoring data to obtain multiple risk analysis results, wherein the multiple risk analysis results are used for representing the risk level of each device to be monitored in the multiple devices to be monitored, and the risk levels comprise critical, high-risk, medium-risk and low-risk; and selecting the risk analysis result meeting a preset reporting rule from the plurality of risk analysis results and reporting the risk analysis result.
In the application, the risk management device can obtain the monitoring data by monitoring the devices to be monitored, perform risk analysis on the corresponding devices to be monitored based on the monitoring data, and obtain and display a plurality of risk analysis results, wherein the plurality of risk analysis results are used for representing the risk level of each device to be monitored in the plurality of devices to be monitored, that is, the application can perform unified risk management on the devices, thereby improving the security of the network system.
With reference to the first aspect, in some implementation manners of the first aspect, the preset reporting rule includes at least one of: a preset IP address, a preset time period, a preset risk level, or a preset data source.
With reference to the first aspect, in certain implementations of the first aspect, the monitoring data includes at least one of: CPU usage, memory occupancy, disk usage, system disk usage, number of connections, traffic, interface status, or device online status.
With reference to the first aspect, in certain implementations of the first aspect, the device type includes at least one of: a network device, a security device, a host device, or a server.
In a second aspect, a risk management apparatus is provided, which includes an obtaining module and a processing module, where the obtaining module is configured to: acquiring device names and Internet Protocol (IP) addresses of a plurality of devices to be monitored; the processing module is used for: monitoring the plurality of devices to be monitored based on a preset monitoring rule to obtain monitoring data, wherein the preset monitoring rule comprises the step of collecting different monitoring data for the devices to be monitored of different device types; performing risk analysis on the multiple devices to be monitored based on the monitoring data to obtain multiple risk analysis results, wherein the multiple risk analysis results are used for representing the risk level of each device to be monitored in the multiple devices to be monitored, and the risk levels comprise critical, high-risk, medium-risk and low-risk; and selecting the risk analysis result meeting a preset reporting rule from the plurality of risk analysis results and reporting the risk analysis result.
With reference to the second aspect, in some implementation manners of the second aspect, the preset reporting rule includes at least one of: a preset IP address, a preset time period, a preset risk level, or a preset data source.
With reference to the second aspect, in certain implementations of the second aspect, the monitoring data includes at least one of: CPU usage, memory occupancy, disk usage, system disk usage, number of connections, traffic, interface status, or device online status.
With reference to the second aspect, in certain implementations of the second aspect, the device type includes at least one of: a network device, a security device, a host device, or a server.
In a third aspect, a processor is provided, including an input circuit, an output circuit, and a processing circuit. The processing circuit is configured to receive a signal via the input circuit and transmit a signal via the output circuit, so that the processor performs the method of any one of the possible implementations of the first aspect.
In a specific implementation process, the processor may be a chip, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be a transistor, a gate circuit, a flip-flop, various logic circuits, and the like. The input signal received by the input circuit may be received and input by, for example and without limitation, a receiver, the signal output by the output circuit may be output to and transmitted by a transmitter, for example and without limitation, and the input circuit and the output circuit may be the same circuit that functions as the input circuit and the output circuit, respectively, at different times. The embodiment of the present application does not limit the specific implementation manner of the processor and various circuits.
In a fourth aspect, a processing apparatus is provided that includes a processor and a memory. The processor is configured to read instructions stored in the memory, and may receive signals via the receiver and transmit signals via the transmitter to perform the method of any one of the possible implementations of the first aspect.
Optionally, there are one or more processors and one or more memories.
Alternatively, the memory may be integrated with the processor, or provided separately from the processor.
In a specific implementation process, the memory may be a non-transient memory, such as a Read Only Memory (ROM), which may be integrated on the same chip as the processor, or may be separately disposed on different chips.
The processing device in the fourth aspect may be a chip, and the processor may be implemented by hardware or software, and when implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory, which may be integrated with the processor, located external to the processor, or stand-alone.
In a fifth aspect, there is provided a computer program product comprising a computer program (also called code or instructions) which, when executed, causes a computer to perform the method of any of the possible implementations of the first aspect described above.
In a sixth aspect, a computer-readable storage medium is provided, which stores a computer program (which may also be referred to as code or instructions) that, when executed on a computer, causes the computer to perform the method of any of the possible implementations of the first aspect described above.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments that can be made by one skilled in the art based on the embodiments in the present application in light of the present disclosure are within the scope of the present application.
New-generation information technology is deeply integrated with the real economy, and the rapid development of the industrial internet has become an important basis for building a strong manufacturing country and a strong network country. However, because the industrial internet is open, cross-domain and interconnected, the importance and urgency of its information security work are all the more prominent. Doing the industrial internet security work well, strengthening the industrial internet security public service capability, and promoting industrial internet security technological innovation and industrial development are therefore important tasks for strengthening the national industrial internet security guarantee.
Therefore, it is desirable to provide a risk management method for performing unified risk management on devices in a network system to improve the security of the network system.
In view of this, the present application provides a risk management method and a risk management apparatus, where monitoring equipment to be monitored is monitored to obtain monitoring data, a corresponding equipment to be monitored is risk analyzed based on the monitoring data to obtain and display a plurality of risk analysis results, and the plurality of risk analysis results are used to indicate a risk level of each equipment to be monitored in the plurality of equipment to be monitored, so as to more clearly reflect a security situation of a current network device, that is, the present application can perform unified risk management on the equipment, thereby improving security of a network system.
Before describing the risk management method and the risk management apparatus provided in the embodiments of the present application, the following description is made.
First, in the embodiments shown below, each term and English abbreviation is an exemplary example given for convenience of description and should not constitute any limitation to the present application. This application is not intended to exclude the possibility that other terms may be defined in existing or future protocols to carry out the same or similar functions.
Second, the first, second and various numerical numbers in the embodiments shown below are merely for convenience of description and are not intended to limit the scope of the embodiments of the present application.
Third, "at least one" means one or more, and "a plurality" means two or more. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships; e.g., A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone, wherein A and B can be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one of a, b, and c may represent: a, or b, or c, or a and b, or a and c, or b and c, or a, b and c, wherein a, b and c can each be single or multiple.
In order to make the purpose and technical solution of the present application more clear and intuitive, the risk management method and risk management apparatus provided in the present application will be described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Fig. 1 is a schematic diagram of an application scenario 100 provided in the present application, and as shown in fig. 1, the application scenario 100 includes a risk management device 101, a device to be monitored 102, and a device to be monitored 103. The risk management device 101 is deployed with a risk management system, and may monitor the device to be monitored 102 and the device to be monitored 103, and obtain monitoring data corresponding to the device to be monitored 102 and the device to be monitored 103.
It should be understood that besides the above-described device to be monitored 102 and device to be monitored 103, the application scenario 100 may also include a plurality of other different devices to be monitored, which is not limited in this embodiment of the application.
Fig. 2 is a schematic flow chart of a risk management method 200 provided in an embodiment of the present application. The method 200 may be applied to the application scenario 100 or may also be applied to other application scenarios, which is not limited in this application. As shown in fig. 2, the method 200 may include the following steps:
S201, the risk management device obtains device names and Internet Protocol (IP) addresses of a plurality of devices to be monitored.
It should be understood that the device to be monitored may include a network device, a security device, a host device, a server, and the like, which is not limited in this application.
The plurality of devices to be monitored may be all devices in the network system, or may be some devices in the network system selected according to a preset rule, or may be devices manually set by a worker, which is not limited in this embodiment of the present application. The manner in which the worker manually sets the settings is described below with reference to fig. 3.
Fig. 3 shows one display interface 300 of the risk management device. The staff member inputs the device name "A" of the device to be monitored and the IP address "1095. XX1 XX" of the device to be monitored in the display interface 300, which indicates that device A with IP address "1095. XX1 XX" is to be monitored. The risk management device detects the input operation of the worker, and thus obtains the device name and the IP address of device A according to the information in the input box.
S202, monitoring the multiple devices to be monitored by the risk management device based on a preset monitoring rule to obtain monitoring data, wherein the preset monitoring rule comprises the step of collecting different monitoring data for the devices to be monitored of different device types.
It should be understood that the device types include at least one of: a network device, a security device, a host device, or a server.
In a possible case, the multiple devices to be monitored are devices of the same type, and the risk management device monitors the multiple devices to be monitored of the same type to obtain the monitoring data of the same type.
Taking the device types of the multiple devices to be monitored as network devices, and the multiple devices to be monitored as specifically network device A, network device B, and network device C as an example, fig. 4 shows another display interface 400 of the risk management device. As shown in fig. 4, the display interface 400 shows the monitoring data corresponding to network device A, network device B, and network device C, respectively. The monitoring data includes a Central Processing Unit (CPU) usage rate, a memory occupancy rate, a disk usage rate, a connection number, a system disk usage rate, and traffic corresponding to each network device.
In another possible implementation manner, the multiple devices to be monitored include devices of different types, and the risk management device may monitor the multiple devices to be monitored of different types to obtain monitoring data of different types.
Taking the device types of the multiple devices to be monitored as including network devices and security devices, and the multiple devices to be monitored as specifically network device A, network device B, and security device D as an example, fig. 5 shows another display interface 500 of the risk management device. As shown in fig. 5, the display interface 500 shows the monitoring data corresponding to network device A, network device B, and security device D, respectively. The types of monitoring data differ between device types. The monitoring data of network device A and network device B comprise CPU usage, memory occupancy, disk usage, connection number and traffic, while the monitoring data of security device D comprise CPU usage, memory occupancy, disk usage, connection number, system disk usage, traffic, interface status and device online status.
It should be understood that the risk management device may periodically obtain the monitoring data, and may also flexibly obtain the monitoring data according to the requirement of the worker, which is not limited in the present application.
Fig. 6 shows yet another display interface 600 of the risk management device. In display interface 600 the staff member can input the device name "A" of the device to be monitored, the IP address "1095. XX1 XX" of the device to be monitored, and a monitoring period of 5, which indicates that monitoring data of device A having IP address "1095. XX1 XX" is acquired every 5 seconds. The risk management apparatus detects the input operation by the worker, and thus acquires the monitoring data of device A having the IP address "1095. XX1 XX" at a cycle of 5 seconds based on the information in the input box.
It should be understood that the monitoring data, such as CPU usage, memory usage, disk usage, connection number, system disk usage, flow, interface status, and device online status, may be preset in advance, or may be set according to user requirements, which is not limited in this application.
Fig. 7 shows another display interface 700 of the risk management device. In display interface 700, in addition to the device name "A" of the device to be monitored, the IP address "1095. XX1 XX" of the device to be monitored, and the monitoring period of 5, the staff may also set the categories of monitoring data to collect. For example, the staff may select CPU usage, memory occupancy, disk usage, system disk usage, number of connections, and traffic, which means that these monitoring data of device A whose IP address is "1095. XX1 XX" are obtained at a period of 5 seconds during the monitoring process. The risk management device detects the input operation of the staff, and thus, according to the information in the input boxes, obtains the CPU usage, memory occupancy, disk usage, system disk usage, number of connections, and traffic of device A whose IP address is "1095. XX1 XX" at a period of 5 seconds.
Optionally, after acquiring the monitoring data, the risk management device may perform cleaning, classifying, storing, merging, marking, and the like on the monitoring data, so as to perform risk analysis subsequently.
S203, the risk management device performs risk analysis on the multiple devices to be monitored based on the monitoring data to obtain multiple risk analysis results, wherein the multiple risk analysis results are used for indicating the risk level of each device to be monitored in the multiple devices to be monitored, and the risk levels comprise critical, high-risk, medium-risk and low-risk.
Specifically, the risk management device may perform risk analysis on each device to be monitored in the multiple devices to be monitored respectively based on the monitored data such as the CPU usage rate, the memory occupancy rate, the disk usage rate, the system disk usage rate, the connection number, the traffic, the interface state, or the device online state, so as to obtain a risk level of each device to be monitored.
Optionally, the risk management device may display the risk analysis result in a form of a chart or a list, which is not limited in this application.
S204, the risk management device selects a risk analysis result meeting a preset reporting rule from the plurality of risk analysis results and reports the risk analysis result.
It should be understood that the preset reporting rule includes at least one of: a preset IP address, a preset time period, a preset risk level, or a preset data source.
Taking the preset risk levels as medium risk and high risk as an example, in the example of fig. 4, assuming that the risk level of network device A is medium risk, the risk level of network device B is low risk, and the risk level of network device C is high risk, the risk management device may report the risk level of network device A and the risk level of network device C. For example, the risk management device may report information such as the device name, the IP address, and the risk level of network device A and network device C, respectively.
Optionally, the risk management device may further take a corresponding measure to intervene based on the risk analysis result meeting the preset reporting rule, so as to reduce the security risk.
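The following is an added example, not code from the application, that walks through steps S201 to S204 end to end: devices are registered by name and IP address, each device is collected against the metric set its type prescribes, a risk level is derived, and only the results matching a preset reporting rule are reported. The metric names, the metric sets for host devices and servers, the utilisation thresholds, and the reading of "data source" as the device type are all assumptions made for this example; the fleet data is constructed to mirror the fig. 4 scenario (A medium, B low, C high) plus an offline security device D.

```python
"""Added example for steps S201-S204: per-type collection, risk analysis and
rule-filtered reporting. Metric names, the host/server metric sets and the
risk thresholds are assumptions for this example, not values from the page."""
from dataclasses import dataclass
from datetime import datetime
from enum import IntEnum
from typing import Dict, List, Optional, Set, Tuple


class RiskLevel(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    CRITICAL = 3


# Preset monitoring rule (S202): metrics collected per device type.
# "network" and "security" follow fig. 5; "host" and "server" are assumed.
MONITORING_RULE: Dict[str, List[str]] = {
    "network": ["cpu", "memory", "disk", "connections", "traffic"],
    "security": ["cpu", "memory", "disk", "connections", "system_disk",
                 "traffic", "interface_status", "online_status"],
    "host": ["cpu", "memory", "disk", "system_disk", "online_status"],
    "server": ["cpu", "memory", "disk", "system_disk", "connections", "traffic"],
}
UTILISATION = ("cpu", "memory", "disk", "system_disk")  # percentages


@dataclass(frozen=True)
class Device:  # S201: what the operator registers
    name: str
    ip: str
    dev_type: str


@dataclass
class RiskResult:
    device: Device
    level: RiskLevel
    reason: str
    at: datetime


def collect(device: Device, raw: Dict[str, object]) -> Dict[str, object]:
    """S202: keep only the metrics the preset rule defines for this type.
    Readings outside the rule are dropped, so they can never reach the analysis."""
    return {k: raw.get(k) for k in MONITORING_RULE[device.dev_type]}


def analyse(device: Device, metrics: Dict[str, object], at: datetime) -> RiskResult:
    """S203: map metrics to a risk level. Thresholds are assumed (example only)."""
    if metrics.get("online_status") == "offline" or metrics.get("interface_status") == "down":
        return RiskResult(device, RiskLevel.CRITICAL, "device or interface unreachable", at)
    worst = max((float(metrics[k]) for k in UTILISATION if metrics.get(k) is not None),
                default=0.0)
    if worst >= 90:
        return RiskResult(device, RiskLevel.HIGH, f"utilisation {worst:.0f}%", at)
    if worst >= 75:
        return RiskResult(device, RiskLevel.MEDIUM, f"utilisation {worst:.0f}%", at)
    return RiskResult(device, RiskLevel.LOW, "within limits", at)


@dataclass
class ReportingRule:
    """S204 preset reporting rule; an unset field matches everything.
    'data source' is interpreted here as the device type (an assumption)."""
    ips: Optional[Set[str]] = None
    levels: Optional[Set[RiskLevel]] = None
    window: Optional[Tuple[datetime, datetime]] = None
    sources: Optional[Set[str]] = None

    def matches(self, r: RiskResult) -> bool:
        return ((self.ips is None or r.device.ip in self.ips)
                and (self.levels is None or r.level in self.levels)
                and (self.window is None or self.window[0] <= r.at <= self.window[1])
                and (self.sources is None or r.device.dev_type in self.sources))


def select_for_report(results: List[RiskResult], rule: ReportingRule) -> List[str]:
    """S204: names of the devices whose result satisfies the rule."""
    return [r.device.name for r in results if rule.matches(r)]


def run_demo() -> Dict[str, List[str]]:
    """Constructed fleet mirroring the page's example (A medium, B low, C high)
    plus an offline security device D. Returns what each rule would report."""
    now = datetime(2024, 1, 1, 12, 0, 0)
    fleet = [
        (Device("A", "10.0.0.1", "network"), {"cpu": 80, "memory": 40, "disk": 50, "connections": 120, "traffic": 3e6}),
        (Device("B", "10.0.0.2", "network"), {"cpu": 20, "memory": 30, "disk": 45, "connections": 10, "traffic": 1e5}),
        (Device("C", "10.0.0.3", "network"), {"cpu": 35, "memory": 60, "disk": 95, "connections": 300, "traffic": 9e6}),
        (Device("D", "10.0.0.4", "security"), {"cpu": 10, "memory": 10, "disk": 10, "online_status": "offline"}),
    ]
    results = [analyse(d, collect(d, raw), now) for d, raw in fleet]
    return {
        "medium_or_high": select_for_report(results, ReportingRule(levels={RiskLevel.MEDIUM, RiskLevel.HIGH})),
        "by_ip": select_for_report(results, ReportingRule(ips={"10.0.0.4"})),
        "security_sources": select_for_report(results, ReportingRule(sources={"security"})),
    }


if __name__ == "__main__":
    for rule_name, names in run_demo().items():
        print(f"{rule_name}: {names}")
```

One point worth noticing: because `collect` enforces the per-type metric set, an `online_status` reading returned for a network device is discarded before analysis, so the preset monitoring rule decides not only what is stored but what the risk analysis can ever see. A level-based reporting rule of {medium, high} therefore reports A and C but not the critical device D, which only an IP-based or source-based rule catches.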
In this embodiment of the application, the risk management device may obtain the monitoring data by monitoring the devices to be monitored, perform risk analysis on the corresponding devices to be monitored based on the monitoring data, and obtain and display a plurality of risk analysis results, where the plurality of risk analysis results are used to indicate a risk level of each device to be monitored in the plurality of devices to be monitored, that is, the application may perform uniform risk management on the devices, thereby improving the security of the network system.
Optionally, the risk management device may further store log data generated in the monitoring process of the device to be monitored, so as to be retrieved and used later.
It should be understood that the risk management device may provide different retrieval modes for users with different roles, which is not limited in this application.
Illustratively, a non-security risk analyst may use an interactive quick search mode, such as selecting and dragging operations, to complete the retrieval of the log data. A security risk analyst can use an advanced search mode, such as the data analysis and data mining functions of Structured Query Language (SQL), which effectively helps the security risk analyst trace the root cause and source and build a complete picture of the monitoring event.
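As an added example (not the application's code), the following shows the stored log data behind both retrieval modes: a quick search in which the user only picks filter values, which are bound as SQL parameters, and an advanced mode in which the analyst writes SQL directly but against a connection whose authorizer admits only read operations, so the stored evidence cannot be altered from the analysis session. The table layout, the SQLite authorizer approach, and the log rows are assumptions constructed for this example.

```python
"""Added example for log storage and the two retrieval modes. The table layout
and the log rows are constructed; the read-only confinement uses SQLite's
authorizer callback."""
import sqlite3
from typing import List, Optional, Tuple

# Constructed monitoring log rows: (timestamp, device, ip, metric, value, level)
SAMPLE_LOG = [
    ("2024-01-01T12:00:00", "A", "10.0.0.1", "cpu", 80.0, "medium"),
    ("2024-01-01T12:00:05", "A", "10.0.0.1", "cpu", 92.0, "high"),
    ("2024-01-01T12:00:00", "B", "10.0.0.2", "cpu", 20.0, "low"),
    ("2024-01-01T12:00:00", "C", "10.0.0.3", "disk", 95.0, "high"),
    ("2024-01-01T12:00:05", "C", "10.0.0.3", "disk", 97.0, "high"),
    ("2024-01-01T12:00:00", "D", "10.0.0.4", "online_status", 0.0, "critical"),
]


def _read_only(action, arg1, arg2, db_name, trigger_or_view) -> int:
    """SQLite authorizer: allow SELECT, column reads and built-in functions;
    deny everything else (INSERT, UPDATE, DELETE, DROP, PRAGMA, ATTACH, ...)."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def build_log_store() -> sqlite3.Connection:
    """Create an in-memory store, load the rows, then lock the connection so
    the analysis session can query but never alter the evidence."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE monitoring_log (
        ts TEXT NOT NULL, device TEXT NOT NULL, ip TEXT NOT NULL,
        metric TEXT NOT NULL, value REAL NOT NULL, level TEXT NOT NULL)""")
    conn.executemany("INSERT INTO monitoring_log VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_LOG)
    conn.commit()
    conn.set_authorizer(_read_only)
    return conn


def quick_search(conn: sqlite3.Connection, device: Optional[str] = None,
                 level: Optional[str] = None) -> List[Tuple]:
    """Interactive mode: the user picks filter values; they are bound as
    parameters, never concatenated into the statement text."""
    clauses, params = [], []
    if device is not None:
        clauses.append("device = ?")
        params.append(device)
    if level is not None:
        clauses.append("level = ?")
        params.append(level)
    where = ("WHERE " + " AND ".join(clauses)) if clauses else ""
    sql = f"SELECT ts, device, ip, metric, value, level FROM monitoring_log {where} ORDER BY ts"
    return conn.execute(sql, params).fetchall()


def advanced_search(conn: sqlite3.Connection, sql: str, params: Tuple = ()) -> List[Tuple]:
    """Analyst mode: free-form SQL, confined by the authorizer on the connection."""
    return conn.execute(sql, params).fetchall()


def first_escalation(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Trace-back query: when did each device first reach high or critical?"""
    return advanced_search(
        conn,
        "SELECT device, MIN(ts) FROM monitoring_log "
        "WHERE level IN ('high', 'critical') GROUP BY device ORDER BY device",
    )


def mutation_blocked(conn: sqlite3.Connection) -> bool:
    """True if a destructive statement is rejected by the read-only authorizer."""
    try:
        conn.execute("DELETE FROM monitoring_log")
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    store = build_log_store()
    print("quick search, device A:", quick_search(store, device="A"))
    print("first escalation per device:", first_escalation(store))
    print("DELETE blocked:", mutation_blocked(store))
```

The split matters for the roles the text describes: the quick search never lets user input reach the statement text, while the advanced mode accepts arbitrary SQL from the analyst and relies on the connection-level authorizer, rather than on inspecting the query string, to keep the session read-only.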
It should be understood that the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
In order to implement the functions in the method provided by the embodiment of the present application, the risk management device may include a hardware structure and/or a software module, and the functions are implemented in the form of a hardware structure, a software module, or a hardware structure and a software module. Whether any of the above-described functions is implemented as a hardware structure, a software module, or a hardware structure plus a software module depends upon the particular application and design constraints imposed on the technical solution.
The risk management method provided by the embodiment of the present application is described in detail above with reference to fig. 1 to 7, and the risk management device provided by the embodiment of the present application is described in detail below with reference to fig. 8 and 9.
Fig. 8 illustrates a risk management apparatus 800 according to an embodiment of the present application, including: an acquisition module 801 and a processing module 802.
The obtaining module 801 is configured to: acquiring device names and Internet Protocol (IP) addresses of a plurality of devices to be monitored; the processing module 802 is configured to: monitoring the plurality of devices to be monitored based on a preset monitoring rule to obtain monitoring data, wherein the preset monitoring rule comprises the step of collecting different monitoring data for the devices to be monitored of different device types; performing risk analysis on the multiple devices to be monitored based on the monitoring data to obtain multiple risk analysis results, wherein the multiple risk analysis results are used for representing the risk level of each device to be monitored in the multiple devices to be monitored, and the risk levels comprise critical, high-risk, medium-risk and low-risk; and selecting the risk analysis result meeting a preset reporting rule from the plurality of risk analysis results and reporting the risk analysis result.
Optionally, the preset reporting rule includes at least one of: a preset IP address, a preset time period, a preset risk level, or a preset data source.
Optionally, the monitoring data includes at least one of: CPU usage, memory occupancy, disk usage, system disk usage, number of connections, traffic, interface status, or device online status.
Optionally, the device types include at least one of: a network device, a security device, a host device, or a server.
It should be appreciated that the apparatus 800 herein is embodied in the form of functional modules. The term module herein may refer to an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (e.g., a shared, dedicated, or group processor) and memory that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that support the described functionality. In an optional example, it may be understood by those skilled in the art that the apparatus 800 may be embodied as a risk management device in the foregoing embodiment, or functions of the risk management device in the foregoing embodiment may be integrated in the apparatus 800, and the apparatus 800 may be configured to execute each procedure and/or step corresponding to the risk management device in the foregoing method embodiment, and in order to avoid repetition, details are not described here again. The device 800 has the function of implementing the corresponding steps executed by the risk management equipment in the method; the above functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.
In an embodiment of the present application, the apparatus 800 in fig. 8 may also be a chip or a chip system, for example: system on chip (SoC).
Fig. 9 illustrates another risk management device 900 provided in an embodiment of the present application. The apparatus 900 includes: a processor 901, a memory 902, a communication interface 903, and a bus 904. Wherein the memory 902 is used for storing instructions, and the processor 901 is used for executing the instructions stored in the memory 902. The processor 901, the memory 902 and the communication interface 903 are communicatively connected to each other by a bus 904.
Wherein the processor 901 is configured to: acquiring device names and Internet Protocol (IP) addresses of a plurality of devices to be monitored; monitoring the plurality of devices to be monitored based on a preset monitoring rule to obtain monitoring data, wherein the preset monitoring rule comprises the step of collecting different monitoring data for the devices to be monitored of different device types; performing risk analysis on the multiple devices to be monitored based on the monitoring data to obtain multiple risk analysis results, wherein the multiple risk analysis results are used for representing the risk level of each device to be monitored in the multiple devices to be monitored, and the risk levels comprise critical, high-risk, medium-risk and low-risk; and selecting and reporting the risk analysis result meeting a preset reporting rule from the plurality of risk analysis results.
Optionally, the preset reporting rule includes at least one of: a preset IP address, a preset time period, a preset risk level, or a preset data source.
Optionally, the monitoring data includes at least one of: CPU usage, memory occupancy, disk usage, system disk usage, number of connections, traffic, interface status, or device online status.
Optionally, the device types include at least one of: a network device, a security device, a host device, or a server.
It should be understood that the apparatus 900 may be embodied as the risk management device in the foregoing embodiment, or the functions of the risk management device in the foregoing embodiment may be integrated in the apparatus 900, and the apparatus 900 may be configured to perform each step and/or flow corresponding to the risk management device in the foregoing method embodiment. Alternatively, the memory 902 may include both read-only memory and random access memory, and provides instructions and data to the processor. A portion of the memory may also include non-volatile random access memory. For example, the memory may also store device type information. The processor 901 may be configured to execute the instructions stored in the memory, and when the processor executes the instructions, the processor may perform the steps and/or processes corresponding to the risk management device in the method embodiment described above.
It should be understood that, in the embodiments of the present application, the processor may be a Central Processing Unit (CPU), and the processor may also be other general processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software modules in a processor. The software module may be located in RAM, flash memory, ROM, PROM or EPROM, registers, or other storage media well known in the art. The storage medium is located in a memory, and a processor executes instructions in the memory, in combination with its hardware, to perform the steps of the above-described method. To avoid repetition, it is not described in detail here.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.