Disclosure of Invention
The application provides a risk management method and a risk management device, which can perform unified risk management on devices, thereby improving the security of a network system.
In a first aspect, a risk management method is provided, including: acquiring device names and Internet Protocol (IP) addresses of a plurality of devices to be monitored; monitoring the plurality of devices to be monitored based on a preset monitoring rule to obtain monitoring data, wherein the preset monitoring rule comprises the steps of collecting different monitoring data for the devices to be monitored of different device types; based on the monitoring data, performing risk analysis on the plurality of devices to be monitored to obtain a plurality of risk analysis results, wherein the plurality of risk analysis results are used for representing the risk level of each device to be monitored in the plurality of devices to be monitored, and the risk level comprises critical, high-risk, medium-risk and low-risk; and selecting a risk analysis result meeting a preset reporting rule from the multiple risk analysis results and reporting the risk analysis result.
In the application, the risk management device can obtain monitoring data by monitoring the devices to be monitored, and perform risk analysis on the corresponding devices to be monitored based on the monitoring data to obtain and display a plurality of risk analysis results, wherein the plurality of risk analysis results are used for representing the risk level of each device to be monitored in the plurality of devices to be monitored; that is, the application can perform unified risk management on the devices, thereby improving the security of a network system.
With reference to the first aspect, in some implementation manners of the first aspect, the preset reporting rule includes: preset IP address, preset time period, preset risk level, or preset data source.
With reference to the first aspect, in certain implementation manners of the first aspect, the monitoring data includes at least one of the following: CPU utilization, memory occupancy, disk utilization, system disk utilization, connection number, traffic, interface status, or device on-line status.
With reference to the first aspect, in certain implementations of the first aspect, the device types include at least one of: a network device, a security device, a host device, or a server.
In a second aspect, a risk management apparatus is provided, including an acquisition module and a processing module. The acquisition module is configured to acquire device names and Internet Protocol (IP) addresses of a plurality of devices to be monitored. The processing module is configured to: monitor the plurality of devices to be monitored based on a preset monitoring rule to obtain monitoring data, wherein the preset monitoring rule comprises collecting different monitoring data for the devices to be monitored of different device types; based on the monitoring data, perform risk analysis on the plurality of devices to be monitored to obtain a plurality of risk analysis results, wherein the plurality of risk analysis results are used for representing the risk level of each device to be monitored in the plurality of devices to be monitored, and the risk level comprises critical, high-risk, medium-risk and low-risk; and select a risk analysis result meeting a preset reporting rule from the multiple risk analysis results and report the risk analysis result.
With reference to the second aspect, in some implementations of the second aspect, the preset reporting rule includes: preset IP address, preset time period, preset risk level, or preset data source.
With reference to the second aspect, in certain implementations of the second aspect, the monitoring data includes at least one of: CPU utilization, memory occupancy, disk utilization, system disk utilization, connection number, traffic, interface status, or device on-line status.
With reference to the second aspect, in certain implementations of the second aspect, the device types include at least one of: a network device, a security device, a host device, or a server.
In a third aspect, a processor is provided, comprising an input circuit, an output circuit, and a processing circuit. The processing circuit is configured to receive signals via the input circuit and to transmit signals via the output circuit, such that the processor performs the method of any one of the possible implementations of the first aspect described above.
In a specific implementation process, the processor may be a chip, the input circuit may be an input pin, the output circuit may be an output pin, and the processing circuit may be a transistor, a gate circuit, a flip-flop, various logic circuits, or the like. The input signal received by the input circuit may be received and input by, for example and without limitation, a receiver; the output signal of the output circuit may be output to and transmitted by, for example and without limitation, a transmitter; and the input circuit and the output circuit may be the same circuit, which functions as the input circuit and as the output circuit at different times. The embodiment of the application does not limit the specific implementations of the processor and the various circuits.
In a fourth aspect, a processing apparatus is provided that includes a processor and a memory. The processor is configured to read instructions stored in the memory and to receive signals via the receiver and to transmit signals via the transmitter to perform the method of any one of the possible implementations of the first aspect.
Optionally, the processor is one or more and the memory is one or more.
Alternatively, the memory may be integrated with the processor or the memory may be separate from the processor.
In a specific implementation process, the memory may be a non-transient (non-transitory) memory, for example, a Read Only Memory (ROM), which may be integrated on the same chip as the processor, or may be separately disposed on different chips.
The processing means in the fourth aspect may be a chip, and the processor may be implemented by hardware or software, and when implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor, implemented by reading software code stored in a memory, which may be integrated in the processor, or may reside outside the processor, and exist separately.
In a fifth aspect, there is provided a computer program product comprising: a computer program (which may also be referred to as code, or instructions) which, when executed, causes a computer to perform the method of any one of the possible implementations of the first aspect.
In a sixth aspect, a computer readable storage medium is provided, which stores a computer program (which may also be referred to as code, or instructions) which, when run on a computer, causes the computer to perform the method of any one of the possible implementations of the first aspect.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which are made by a person skilled in the art based on the embodiments of the application in light of the present disclosure, are intended to be within the scope of the application.
The new generation of information technology is deeply integrated with the real economy, and the vigorous development of the industrial Internet has become an important foundation for building China into a manufacturing power and a network power; however, because of its open, cross-domain, and interconnected characteristics, the importance and urgency of industrial Internet information security work are all the more prominent. Therefore, doing industrial Internet security work well, enhancing the public service capability for industrial Internet security, and promoting technological innovation and industrial development in industrial Internet security are important tasks for strengthening the national industrial Internet security guarantee.
Therefore, there is a need for a risk management method that performs unified risk management on devices in a network system, so as to improve the security of the network system.
In view of the above, the present application provides a risk management method and a risk management apparatus, by monitoring devices to be monitored, obtaining monitoring data, performing risk analysis on corresponding devices to be monitored based on the monitoring data, and obtaining and displaying a plurality of risk analysis results, where the plurality of risk analysis results are used to represent risk levels of each device to be monitored in the plurality of devices to be monitored, so as to more clearly represent a security situation of a current network device, that is, the present application can perform unified risk management on devices, thereby improving security of a network system.
Before describing the risk management method and the risk management device provided by the embodiment of the application, the following description is made.
First, in the embodiments shown below, each term and English abbreviation is given as an illustrative example for convenience of description, and should not constitute any limitation on the present application. The present application does not exclude the possibility of defining other terms in existing or future protocols that perform the same or similar functions.
Second, the first, second and various numerical numbers in the embodiments shown below are merely for convenience of description and are not intended to limit the scope of the embodiments of the present application.
Third, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate: A alone, A and B together, or B alone, where A and B may be singular or plural. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship. "At least one of" or similar wording means any combination of the listed items, including any combination of single items or plural items. For example, at least one of a, b, and c may represent: a, b, or c; a and b; a and c; b and c; or a, b, and c, where a, b, and c may each be single or multiple.
In order to make the purpose and the technical scheme of the application clearer and more intuitive, the risk management method and the risk management device provided by the application are described in detail below with reference to the accompanying drawings and the embodiment. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
Fig. 1 is a schematic diagram of an application scenario 100 provided by the present application, and as shown in fig. 1, the application scenario 100 includes a risk management device 101, a device to be monitored 102, and a device to be monitored 103. The risk management device 101 is deployed with a risk management system, and may monitor the device to be monitored 102 and the device to be monitored 103, and obtain monitoring data corresponding to the device to be monitored 102 and the device to be monitored 103.
It should be understood that, in addition to the device to be monitored 102 and the device to be monitored 103, the application scenario 100 may further include a plurality of different devices to be monitored, which is not limited in this embodiment of the present application.
Fig. 2 is a schematic flow chart of a risk management method 200 provided by an embodiment of the present application. The method 200 may be applied to the application scenario 100 described above or may be applied to other application scenarios, which the present application is not limited to. As shown in fig. 2, the method 200 may include the steps of:
S201, the risk management device acquires device names and Internet Protocol (IP) addresses of a plurality of devices to be monitored.
It should be understood that the device to be monitored may include a network device, a security device, a host device, a server, and the like, which is not limited by the present application.
The plurality of devices to be monitored may be all devices in the network system, may be part of devices in the network system selected according to a preset rule, or may be devices manually set by a worker, which is not limited in the embodiment of the present application. The manner in which the worker manually sets is described below in conjunction with fig. 3.
Fig. 3 shows a display interface 300 of the risk management device. In the display interface 300, the worker inputs the device name "a" of the device to be monitored and its IP address "1095.xx1xx", which indicates that the device a whose IP address is "1095.xx1xx" is to be monitored. The risk management device detects the worker's input operation and thereby obtains the device name and IP address of the device a from the information in the input box.
S202, monitoring the plurality of devices to be monitored by the risk management device based on a preset monitoring rule to obtain monitoring data, wherein the preset monitoring rule comprises the step of collecting different monitoring data for the devices to be monitored of different device types.
It should be understood that the device type includes at least one of the following: a network device, a security device, a host device, or a server.
In one possible case, the plurality of devices to be monitored are devices of the same type, and the risk management device monitors the plurality of devices to be monitored of the same type to obtain monitoring data of the same type.
Taking the example that the device types of the plurality of devices to be monitored are network devices, and the plurality of devices to be monitored are specifically network device a, network device B, and network device C, fig. 4 shows another display interface 400 of the risk management device. As shown in fig. 4, the display interface 400 shows monitoring data corresponding to the network device a, the network device B, and the network device C, respectively. The monitoring data includes a central processing unit (central processing unit, CPU) usage, a memory occupancy, a disk usage, a connection number, a system disk usage, and a traffic corresponding to each network device.
In another possible implementation manner, the plurality of devices to be monitored include different types of devices, and the risk management device may monitor the plurality of different types of devices to be monitored to obtain different types of monitoring data.
Taking the example that the device types of the plurality of devices to be monitored include a network device and a security device, and the plurality of devices to be monitored are specifically a network device a, a network device B, and a security device D, fig. 5 shows yet another display interface 500 of the risk management device. As shown in fig. 5, the display interface 500 shows monitoring data corresponding to the network device a, the network device B, and the security device D, respectively. The category of monitoring data varies from device type to device type. The monitoring data of the network device a and the network device B comprise CPU utilization, memory occupancy, disk utilization, connection number, and traffic, and the monitoring data of the security device D comprise CPU utilization, memory occupancy, disk utilization, connection number, system disk utilization, traffic, interface status, and device on-line status.
It should be understood that the risk management device may periodically obtain the monitoring data, or may flexibly obtain the monitoring data according to the needs of the staff, which is not limited in the present application.
Fig. 6 shows yet another display interface 600 of the risk management device. In the display interface 600, a worker may enter the device name "a" of the device to be monitored, its IP address "1095.xx1xx", and a monitoring period of 5, indicating that monitoring data of device a with IP address "1095.xx1xx" is acquired every 5 seconds. The risk management device detects the worker's input operation and, based on the information in the input box, acquires the monitoring data of the device a with IP address "1095.xx1xx" at a period of 5 seconds.
It should be understood that the above monitoring data, such as CPU usage, memory occupancy, disk usage, connection number, system disk usage, traffic, interface status, and device on-line status, may be preset in advance, or may be set according to a user requirement, which is not limited in the present application.
Fig. 7 shows a further display interface 700 of the risk management device. In the display interface 700, in addition to the device name "a" of the device to be monitored, its IP address "1095.xx1xx", and the monitoring period 5, the worker may set the category of the monitoring data; that is, the worker may input CPU usage, memory occupancy, disk usage, system disk usage, connection number, and traffic, meaning that the CPU usage, memory occupancy, disk usage, system disk usage, connection number, and traffic of the device a with IP address "1095.xx1xx" are acquired at a period of 5 seconds during monitoring. The risk management device detects the worker's input operation and, according to the information in the input box, acquires the monitoring data of the device a with IP address "1095.xx1xx" at a period of 5 seconds, namely the CPU usage, memory occupancy, disk usage, connection number, and traffic.
Optionally, after acquiring the monitoring data, the risk management device may clean, classify, store, merge, mark, etc. the monitoring data for subsequent risk analysis.
S203, the risk management device performs risk analysis on the plurality of devices to be monitored based on the monitoring data to obtain a plurality of risk analysis results, wherein the plurality of risk analysis results are used for representing the risk level of each device to be monitored in the plurality of devices to be monitored, and the risk level comprises critical, high-risk, medium-risk and low-risk.
Specifically, the risk management device may perform risk analysis on each device to be monitored in the multiple devices to be monitored based on the monitoring data, such as the CPU usage, the memory occupancy, the disk usage, the system disk usage, the connection number, the traffic, the interface status, or the device on-line status, to obtain a risk level of each device to be monitored.
Alternatively, the risk management device may display the risk analysis result in a chart or a list, which is not limited by the present application.
S204, the risk management equipment selects a risk analysis result meeting a preset reporting rule from the multiple risk analysis results and reports the risk analysis result.
It should be understood that the preset reporting rules include: preset IP address, preset time period, preset risk level, or preset data source.
Taking as an example that the preset risk levels are medium risk and high risk, in the example of fig. 4 it is assumed that the risk level of the network device a is medium risk, the risk level of the network device B is low risk, and the risk level of the network device C is high risk; the risk management device may then report the risk levels of the network device a and the network device C. For example, the risk management device may report the device names, IP addresses, and risk levels of the network device a and the network device C, respectively.
Optionally, the risk management device may further take corresponding measures to intervene based on the risk analysis result meeting the preset reporting rule, so as to reduce the security risk.
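As an added worked example (not part of the application, and not code from any implementation of it), the following Python models steps S201 to S204 over a constructed sample: a per-type monitoring rule following the fig. 5 data sets, a four-level risk analysis, and a preset reporting rule over IP address, time period, risk level, and data source. The host and server data sets, the utilisation thresholds, the IP addresses, the timestamp, and the data source name are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Any, Dict, List, Optional, Set, Tuple

# S202, preset monitoring rule: the monitoring data collected for each device type.
# The network and security sets follow fig. 5; host and server sets are assumed here.
MONITORING_RULE: Dict[str, List[str]] = {
    "network": ["cpu", "memory", "disk", "connections", "traffic"],
    "security": ["cpu", "memory", "disk", "connections", "system_disk", "traffic",
                 "interface_status", "online_status"],
    "host": ["cpu", "memory", "disk", "online_status"],
    "server": ["cpu", "memory", "disk", "system_disk", "connections", "traffic"],
}

# S203 risk levels, least to most severe, and the (assumed) utilisation
# thresholds in percent at or above which a metric reaches each level.
RISK_LEVELS = ("low", "medium", "high", "critical")
UTILISATION_THRESHOLDS = ((95, "critical"), (85, "high"), (70, "medium"))

@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    device_type: str

@dataclass(frozen=True)
class RiskResult:
    name: str
    ip: str
    level: str
    time: datetime  # when the analysis was made
    source: str     # data source that produced the monitoring data

def collect(device: Device, raw_sample: Dict[str, Any]) -> Dict[str, Any]:
    """S202: keep only the monitoring data the preset rule names for this device type."""
    if device.device_type not in MONITORING_RULE:
        raise ValueError(f"no monitoring rule for device type {device.device_type!r}")
    return {k: raw_sample[k] for k in MONITORING_RULE[device.device_type] if k in raw_sample}

def analyse(data: Dict[str, Any]) -> str:
    """S203: map one device's monitoring data to a risk level. An offline device is
    critical and a down interface at least high; otherwise the worst utilisation
    metric decides (thresholds are assumptions of this example)."""
    if data.get("online_status") == "offline":
        return "critical"
    level = "high" if data.get("interface_status") == "down" else "low"
    for metric in ("cpu", "memory", "disk", "system_disk"):
        value = data.get(metric)
        if value is None:
            continue
        candidate = next((lvl for bound, lvl in UTILISATION_THRESHOLDS if value >= bound), "low")
        level = max(level, candidate, key=RISK_LEVELS.index)
    return level

@dataclass
class ReportingRule:
    """S204 preset reporting rule: IP address, time period, risk level, data source.
    A field left as None places no constraint on that attribute."""
    ips: Optional[Set[str]] = None
    period: Optional[Tuple[datetime, datetime]] = None
    levels: Optional[Set[str]] = None
    sources: Optional[Set[str]] = None

    def matches(self, r: RiskResult) -> bool:
        in_period = self.period is None or self.period[0] <= r.time <= self.period[1]
        return (in_period
                and (self.ips is None or r.ip in self.ips)
                and (self.levels is None or r.level in self.levels)
                and (self.sources is None or r.source in self.sources))

def select_for_report(results: List[RiskResult], rule: ReportingRule) -> List[RiskResult]:
    """S204: the results that satisfy the preset reporting rule, in input order."""
    return [r for r in results if rule.matches(r)]

# Constructed sample: network devices A, B, C as in fig. 4 and security device D
# as in fig. 5. IP addresses are documentation-range placeholders.
DEVICES = [Device("A", "192.0.2.10", "network"), Device("B", "192.0.2.11", "network"),
           Device("C", "192.0.2.12", "network"), Device("D", "192.0.2.20", "security")]
SAMPLES: Dict[str, Dict[str, Any]] = {
    "A": {"cpu": 78, "memory": 61, "disk": 40, "connections": 1200, "traffic": 300},
    "B": {"cpu": 12, "memory": 30, "disk": 55, "connections": 40, "traffic": 8},
    "C": {"cpu": 91, "memory": 88, "disk": 52, "connections": 5000, "traffic": 950},
    "D": {"cpu": 20, "memory": 35, "disk": 30, "connections": 90, "system_disk": 40,
          "traffic": 15, "interface_status": "up", "online_status": "offline"},
}
SAMPLE_TIME = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamp
SAMPLE_SOURCE = "collector-1"                  # constructed data source name

def run_example(rule: ReportingRule) -> List[RiskResult]:
    """S201 (the DEVICES list) through S204 over the constructed sample."""
    results = []
    for dev in DEVICES:
        data = collect(dev, SAMPLES[dev.name])       # S202
        level = analyse(data)                        # S203
        results.append(RiskResult(dev.name, dev.ip, level, SAMPLE_TIME, SAMPLE_SOURCE))
    return select_for_report(results, rule)          # S204
```

With the reporting rule `ReportingRule(levels={"medium", "high"})`, `run_example` returns the results for devices A and C only, matching the fig. 4 example in the text; device D, being offline, is reported only when the rule admits the critical level.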
In the embodiment of the application, the risk management device can obtain monitoring data by monitoring the devices to be monitored, and perform risk analysis on the corresponding devices to be monitored based on the monitoring data to obtain and display a plurality of risk analysis results, wherein the plurality of risk analysis results are used for representing the risk level of each device to be monitored in the plurality of devices to be monitored; that is, the application can perform unified risk management on the devices, thereby improving the security of a network system.
Optionally, the risk management device may further store log data generated in the monitoring process of the device to be monitored, so as to facilitate subsequent retrieval and use.
It should be understood that the risk management device may provide different ways of retrieving in the face of users of different roles, as the application is not limited in this regard.
For example, a non-security risk analyst may use an interactive shortcut search, such as selection or drag operations, to complete retrieval of log data. Security risk analysis personnel may use an advanced search mode, for example one providing data analysis and data mining functions based on structured query language (SQL) statements, so that the security risk analysis personnel can be effectively assisted in tracing the source of an event and building a complete profile of the monitoring event.
It should be understood that the sequence numbers of the above processes do not mean the order of execution, and the execution order of the processes should be determined by the functions and internal logic of the processes, and should not be construed as limiting the implementation process of the embodiments of the present application.
In order to implement the functions in the method provided by the embodiment of the present application, the risk management device may include a hardware structure and/or a software module, and implement the functions in the form of a hardware structure, a software module, or a hardware structure plus a software module. Some of the functions described above are performed in a hardware configuration, a software module, or a combination of hardware and software modules, depending on the specific application of the solution and design constraints.
The risk management method provided by the embodiment of the present application is described in detail above with reference to fig. 1 to fig. 7, and the risk management device provided by the embodiment of the present application is described in detail below with reference to fig. 8 and fig. 9.
Fig. 8 shows a risk management device 800 provided by an embodiment of the present application, including: an acquisition module 801 and a processing module 802.
Wherein, the acquisition module 801 is configured to: acquiring device names and Internet Protocol (IP) addresses of a plurality of devices to be monitored; the processing module 802 is configured to: monitoring the plurality of devices to be monitored based on a preset monitoring rule to obtain monitoring data, wherein the preset monitoring rule comprises the steps of collecting different monitoring data for the devices to be monitored of different device types; based on the monitoring data, performing risk analysis on the plurality of devices to be monitored to obtain a plurality of risk analysis results, wherein the plurality of risk analysis results are used for representing the risk level of each device to be monitored in the plurality of devices to be monitored, and the risk level comprises critical, high-risk, medium-risk and low-risk; and selecting a risk analysis result meeting a preset reporting rule from the multiple risk analysis results and reporting the risk analysis result.
Optionally, the preset reporting rule includes: preset IP address, preset time period, preset risk level, or preset data source.
Optionally, the monitoring data includes at least one of: CPU utilization, memory occupancy, disk utilization, system disk utilization, connection number, traffic, interface status, or device on-line status.
Optionally, the above device types include at least one of: a network device, a security device, a host device, or a server.
It should be appreciated that the apparatus 800 herein is embodied in the form of functional modules. The term module herein may refer to an application specific integrated circuit (application specific integrated circuit, ASIC), an electronic circuit, a processor (e.g., a shared, dedicated, or group processor, etc.) and memory that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that support the described functionality. In an alternative example, it will be understood by those skilled in the art that the apparatus 800 may be specifically a risk management device in the foregoing embodiment, or the functions of the risk management device in the foregoing embodiment may be integrated in the apparatus 800, and the apparatus 800 may be configured to perform each flow and/or step corresponding to the risk management device in the foregoing method embodiment, so that repetition is avoided herein. The apparatus 800 has a function of implementing the corresponding steps performed by the risk management device in the method; the above functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.
In an embodiment of the present application, the apparatus 800 in fig. 8 may also be a chip or a chip system, for example: system on chip (SoC).
Fig. 9 illustrates another risk management device 900 provided by an embodiment of the present application. The apparatus 900 includes: processor 901, memory 902, communication interface 903, and bus 904. Wherein the memory 902 is configured to store instructions, and the processor 901 is configured to execute the instructions stored in the memory 902. The processor 901, the memory 902 and the communication interface 903 implement communication connection therebetween through the bus 904.
Wherein, the processor 901 is used for: acquiring device names and Internet Protocol (IP) addresses of a plurality of devices to be monitored; monitoring the plurality of devices to be monitored based on a preset monitoring rule to obtain monitoring data, wherein the preset monitoring rule comprises the steps of collecting different monitoring data for the devices to be monitored of different device types; based on the monitoring data, performing risk analysis on the plurality of devices to be monitored to obtain a plurality of risk analysis results, wherein the plurality of risk analysis results are used for representing the risk level of each device to be monitored in the plurality of devices to be monitored, and the risk level comprises critical, high-risk, medium-risk and low-risk; and selecting and reporting risk analysis results meeting preset reporting rules from the multiple risk analysis results.
Optionally, the preset reporting rule includes: preset IP address, preset time period, preset risk level, or preset data source.
Optionally, the monitoring data includes at least one of: CPU utilization, memory occupancy, disk utilization, system disk utilization, connection number, traffic, interface status, or device on-line status.
Optionally, the above device types include at least one of: a network device, a security device, a host device, or a server.
It should be understood that the apparatus 900 may be specifically a risk management device in the foregoing embodiment, or the functions of the risk management device in the foregoing embodiment may be integrated in the apparatus 900, and the apparatus 900 may be configured to perform the steps and/or flows corresponding to the risk management device in the foregoing method embodiment. The memory 902 may optionally include read-only memory and random access memory, and provide instructions and data to the processor. A portion of the memory may also include non-volatile random access memory. For example, the memory may also store information on the device type. The processor 901 may be configured to execute instructions stored in the memory, and when the processor executes the instructions, the processor may perform the steps and/or processes corresponding to the risk management device in the above-described method embodiments.
It should be appreciated that in embodiments of the present application, the processor may be a central processing unit (Central Processing Unit, CPU); the processor may also be another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or by instructions in the form of software. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in the processor for execution. The software modules may be located in a random access memory, flash memory, read only memory, programmable read only memory, or electrically erasable programmable memory, registers, etc. as well known in the art. The storage medium is located in a memory, and the processor executes instructions in the memory to perform the steps of the method described above in conjunction with its hardware. To avoid repetition, a detailed description is not provided herein.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence, or the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.