CN114579980B - Asset risk assessment method and terminal based on spatio-temporal data - Google Patents

Info

Publication number
CN114579980B
Authority
CN
China
Prior art keywords
data
asset
determining
asset data
risk assessment
Legal status
Active
Application number
CN202210209481.1A
Other languages
Chinese (zh)
Other versions
CN114579980A (en)
Inventor
何颖
金华松
王小军
廖秀聆
Current Assignee
Fujian Zhongxin Wang'an Information Technology Co., Ltd.
Original Assignee
Fujian Zhongxin Wang'an Information Technology Co., Ltd.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques

Abstract

The invention provides an asset risk assessment method and terminal based on spatio-temporal data. The asset data of an object to be assessed is identified, and the time parameters and space parameters corresponding to the asset data are determined; the data flow direction corresponding to the asset data is determined from these time and space parameters; the data flow direction is analysed to determine the application scene corresponding to the asset data, and risk assessment is performed on the asset data according to that application scene. Because the timeliness and spatiality of the asset data are considered during the assessment, the data dimension is enlarged and more factors enter the assessment; because the application scene in which the asset data operates is determined, the assessment reflects the actual operating conditions. The risk of the asset data can therefore be assessed more fully, comprehensively and realistically, and the accuracy of the risk assessment is improved.

Description

Asset risk assessment method and terminal based on spatio-temporal data
Technical Field
The invention relates to the field of asset data risk assessment, in particular to an asset risk assessment method and terminal based on spatio-temporal data.
Background
With the spread of informatization, governments and enterprises have moved a large amount of offline business online, and their core assets are shifting from fixed assets to data assets, so that asset data has become the key to the stable operation of their business. The database, as the storage carrier of core data, can be likened to the heart of all business systems: its security and stability directly determine the delivery and experience of front-end business. At present, the operation and maintenance of service systems and databases is single-point; protection, operation and maintenance and security are managed passively; the capabilities of global monitoring, associated control and active defence are lacking; and information silos form. Meanwhile, cloud computing, big data, mobile internet and similar industries are growing explosively, the technology-driven transformation of enterprises and organisations is irreversible, data on the cloud is larger in volume and higher in value, and the security risk challenge grows ever more complex, so the security of asset data has become a central concern of governments, enterprises and public institutions.
To ensure the security of asset data, its risk must be assessed accurately. However, existing assessment of asset data risk is unsatisfactory: it is often not accurate enough, so that data risks that may arise cannot be prevented in time, and the asset data carries latent security hazards.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: to provide an asset risk assessment method and terminal based on spatio-temporal data that can improve the accuracy of risk assessment performed on asset data.
In order to solve the technical problems, the invention adopts a technical scheme that:
a method for asset risk assessment based on spatiotemporal data comprises the following steps:
identifying asset data of an object to be evaluated, and determining a time parameter and a space parameter corresponding to the asset data;
determining a data flow direction corresponding to the asset data according to the time parameter and the space parameter corresponding to the asset data;
analyzing the data flow direction, determining an application scene corresponding to the asset data, and performing risk assessment on the asset data according to the application scene.
Further, the identifying asset data of the object to be evaluated includes:
setting an asset analysis probe and a data behavior acquisition probe;
actively detecting account number assets and data assets of the object to be evaluated through the asset analysis probe, and generating a corresponding account number asset directory and a corresponding data asset directory;
carrying out flow monitoring on the object to be evaluated through the data behavior acquisition probe, identifying application assets and terminal assets of the object to be evaluated, and generating a corresponding application asset directory and a corresponding terminal asset directory;
and determining the asset data of the object to be evaluated according to the account number asset directory, the data asset directory, the application asset directory and the terminal asset directory.
Further, the determining the time parameter and the space parameter corresponding to the asset data includes:
each asset data is bound with a corresponding operation event and the occurrence time and the occurrence position of each operation event, and the operation events and the occurrence time and the occurrence positions thereof are stored in a directory corresponding to the asset data;
for each asset data, determining an asset directory where the asset data is located according to the type of the asset data, and searching all operation events corresponding to the asset data and the time and the position of all the operation events from the asset directory where the asset data is located;
and determining time parameters corresponding to the asset data according to the occurrence time of all the operation events, and determining space parameters corresponding to the asset data according to the occurrence positions of all the operation events, wherein the time parameters and the space parameters are in one-to-one correspondence.
Further, the method also comprises the following steps:
binding the time parameters and the space parameters which correspond to one another with the operation events corresponding to the time parameters and the space parameters;
the determining the data flow direction corresponding to the asset data according to the time parameter and the space parameter corresponding to the asset data comprises:
determining the operation events bound with each asset data according to the time parameters and the space parameters which correspond to the asset data one by one to obtain all the operation events corresponding to the asset data;
performing cluster analysis on all the operation events, and clustering the operation events belonging to the same operation process;
and arranging and combining the clustered operation events belonging to the same operation process according to the sequence of the corresponding time parameters, and associating the asset data corresponding to the arranged and combined operation events according to the corresponding positions to determine the data flow direction corresponding to the asset data.
Further, the analyzing the data flow direction and determining the application scenario corresponding to the asset data includes:
according to the data flow direction, determining the asset data associated along the data flow direction;
determining a target data access relation corresponding to the data flow direction according to the associated asset data and the data flow direction;
and determining an application scene corresponding to the asset data according to the target data access relation.
Further, the determining, according to the target data access relationship, the application scenario corresponding to the asset data includes:
determining a data access relation which can be realized based on the asset data in advance according to all asset data types corresponding to the asset data to form a data access relation library;
determining a corresponding application scene according to each data access relation in the data access relation library;
searching a corresponding matching data access relation from the data access relation library according to the target data access relation;
and determining an application scene corresponding to the target data access relation according to the matching data access relation.
Further, the risk assessment of the asset data according to the application scenario includes:
determining a risk analysis strategy matched with the application scene according to the application scene;
determining vulnerability analysis, exposure surface analysis and threat analysis corresponding to the asset data according to the matched risk analysis strategy;
and determining the risk assessment of the asset data according to the vulnerability analysis, the exposure surface analysis and the threat analysis.
Further, the risk assessment of the asset data according to the application scenario includes:
determining a corresponding test case according to the application scene;
running the test case in a data flow direction corresponding to the asset data to test the asset data, and determining a vulnerability test result, an exposure surface test result and a threat test result of the asset data;
and determining the risk assessment of the asset data according to the vulnerability test result, the exposure surface test result and the threat test result.
In order to solve the technical problem, the invention adopts another technical scheme as follows:
an asset risk assessment terminal based on spatiotemporal data comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the computer program to realize the steps of the asset risk assessment method based on spatiotemporal data.
The invention has the following beneficial effects. When risk assessment is carried out on asset data, the asset data is first identified and its time parameters and space parameters are determined; the data flow direction corresponding to the asset data is determined from the time and space parameters; the application scene corresponding to the asset data is determined from the data flow direction; and finally risk assessment is carried out on the asset data according to the application scene. The timeliness and spatiality of the asset data are thus considered in the risk assessment: the data flow direction is determined from these two dimensions of the asset data, the application scene is determined from the data flow direction, and the risk assessment is carried out through the application scene corresponding to the asset data. On the one hand this enlarges the data dimension and increases the factors considered in the risk assessment; on the other hand it determines the application scene in which the asset data operates, and considering the application scene makes the assessment more realistic. The risks of the asset data can therefore be assessed more fully, comprehensively and realistically, and the accuracy of the risk assessment is improved.
Drawings
FIG. 1 is a flow chart of the steps of a method for asset risk assessment based on spatiotemporal data in accordance with an embodiment of the present invention;
FIG. 2 is a flowchart illustrating the steps of asset discovery during an asset risk assessment process according to an embodiment of the present invention;
FIG. 3 is a schematic illustration of asset data according to an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating the flow of data access between asset data according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an asset risk assessment terminal based on spatiotemporal data according to an embodiment of the present invention.
Detailed Description
In order to explain the technical contents, the objects and the effects of the present invention in detail, the following description is made with reference to the accompanying drawings in combination with the embodiments.
The asset risk assessment method and terminal based on spatio-temporal data can be applied to any scene that needs asset risk assessment and control, such as the various online business systems of governments, enterprises and public institutions, and are described below through specific embodiments:
In an alternative embodiment, referring to FIG. 1, a method for asset risk assessment based on spatiotemporal data includes the steps of:
S1, identifying asset data of an object to be evaluated, and determining a time parameter and a space parameter corresponding to the asset data;
wherein the identifying asset data of the object to be evaluated comprises:
as shown in FIG. 2, an asset analysis probe and a data behavior acquisition probe are set;
actively detecting account number assets and data assets of the object to be evaluated through the asset analysis probe, and generating a corresponding account number asset directory and a corresponding data asset directory;
in this embodiment, the account assets may be accounts of various login systems, such as a database account, a user account of a user login system, and the like;
the data assets can include databases, views, tables, fields, triggers and the like, and the processing process of the data also belongs to the data assets, such as a data storage process, a data reading process and the like;
carrying out flow monitoring on the object to be evaluated through the data behavior acquisition probe, identifying application assets and terminal assets of the object to be evaluated, and generating a corresponding application asset directory and a corresponding terminal asset directory;
in an alternative embodiment, when performing asset discovery, a set time may be received, and asset discovery identification may be performed on assets within the time range based on the set time;
in this embodiment, the application assets include various types of web applications, API interfaces, SQL development management tools, and the like;
determining asset data of the object to be evaluated according to the account asset directory, the data asset directory, the application asset directory and the terminal asset directory;
that is, the asset data includes various types of assets, such as account assets, data assets, application assets and terminal assets; in the asset directory each type of asset data is stored as records, and each record contains fields describing its asset, which, as shown in FIG. 3, may include the asset name, asset alias, asset type, host, affiliation, management domain to which it belongs, and so on;
through the active detection and flow monitoring of the asset data, all existing asset data of the object to be evaluated can be comprehensively discovered and identified. On the one hand this lays a sound data base for the subsequent asset assessment, whose accuracy is ensured by comprehensive and accurate asset data; on the other hand, asset data that are easily overlooked can be found in time and blind spots in the asset data exposed, so that the user can fully master the condition of all asset data.
In addition, the operation events executed on each asset data, together with the time and position at which they occurred, are stored and bound to the corresponding asset data. After binding, all operation events corresponding to each asset data and their times and positions are stored in the corresponding directory. For example, if the asset data is a database and the operation events include adding a record, the corresponding operation event is the record addition, the corresponding time is the time of the addition, and the corresponding position is the position of the host where the record was added; in an optional embodiment the position information of the host can be determined more precisely, for example which storage location on the host. For another example, if the asset data is a database account and the operation event on it is a login to that account, the corresponding operation event is the login, the corresponding time is the time at which the user clicked login, and the corresponding position is the position of the host from which the user logged in to the account;
in an optional embodiment, the determining the time parameter and the space parameter corresponding to the asset data includes:
for each asset data, determining an asset directory where the asset data is located according to the type of the asset data, and searching all operation events corresponding to the asset data and the time and the position of all the operation events from the asset directory where the asset data is located;
determining time parameters corresponding to the asset data according to the occurrence time of all operation events, and determining space parameters corresponding to the asset data according to the occurrence positions of all operation events, wherein the time parameters and the space parameters are in one-to-one correspondence;
for example, if the asset data is a database, all corresponding operation events are searched from the directory where the asset data is located; assuming these comprise a record deletion O1, a record addition O2, a record modification O3, a record read O4 and a record write O5, with time parameters T1, T2, T3, T4 and T5 and space parameters Adr1, Adr2, Adr3, Adr4 and Adr5 respectively, then T1, T2, T3, T4 and T5 correspond one-to-one with Adr1, Adr2, Adr3, Adr4 and Adr5;
in this embodiment, the operation executed on each asset data and the time and position of that operation are recorded. The time and position of the operation form the spatio-temporal characteristics of the corresponding asset data, that is, its time parameter and space parameter, and the track of the asset data can be traced or replayed through the one-to-one correspondence of time parameter and space parameter. This enriches the data base for analysing the asset data, mines further information from it, and facilitates the subsequent asset risk assessment.
S2, determining a data flow direction corresponding to the asset data according to the time parameter and the space parameter corresponding to the asset data;
S3, analyzing the data flow direction, determining an application scene corresponding to the asset data, and performing risk assessment on the asset data according to the application scene;
the time-space property of the corresponding asset data can be obtained through the time parameter and the space parameter, so that the data flow direction corresponding to the asset data can be determined based on the time-space property, the corresponding application scene can be conveniently determined after the data flow direction is obtained, the risk assessment is performed on the asset data based on the application scene, the one-sidedness of the existing asset risk assessment mode is avoided, and the risk assessment can be performed on the asset data more comprehensively and accurately.
In another optional embodiment, in step S1, the method further includes the step of:
binding the time parameters and the space parameters which correspond to one another with the operation events corresponding to them, and binding the operation events with the asset data to which they correspond, so that the asset data, the operation events, and the time parameters and space parameters of the operation events are all mutually associated;
the determining the data flow direction corresponding to the asset data according to the time parameter and the space parameter corresponding to the asset data comprises:
determining the operation events bound with each asset data according to the time parameters and the space parameters which correspond to the asset data one by one to obtain all the operation events corresponding to the asset data;
performing cluster analysis on all the operation events, and clustering the operation events belonging to the same operation process;
and arranging and combining the clustered operation events belonging to the same operation process according to the sequence of the corresponding time parameters, and associating the asset data corresponding to the arranged and combined operation events according to the corresponding positions to determine the data flow direction corresponding to the asset data.
In specific implementation, for the object to be evaluated, all of its service flows are enumerated on the basis of its specific services to form a service set; for example, for a school e-government system the service set covers service types such as students selecting courses, visitors browsing web pages, visitors downloading data and teachers registering scores;
corresponding service operation steps are generated for each service; for example, for student course selection the service operation steps are as follows:
Student end: course selection account logs in -> check course -> submit for audit -> log out;
Administrator end: course selection audit account logs in -> audit pass/fail -> course selection audit account logs out;
the operation steps belong to the same operation process, and each step represents an operation event;
in the service set, each operation event corresponding to each service has a unique identifier so as to distinguish the operation event from other operation events;
after all the operation events of the asset data are determined, clustering is carried out on all the operation events according to the service set, and the operation events belonging to the same service are aggregated to form different service groups, wherein the following mode can be adopted during clustering:
firstly, putting all operation events into a set to form an operation event set;
then, judging whether clustering is carried out for the first time or aggregation of a service group is completed, if clustering is carried out for the first time or aggregation of a service group is completed, selecting a target operation event from the operation event set, matching in the service set, determining a target service to which the target operation event belongs, adding the target operation event into a newly-built service group, and setting a corresponding service identifier for the newly-built service group according to the target service;
after determining a target service to which the target operation event belongs, determining other operation events except the target operation event based on the target service, matching the corresponding operation event in the operation event set based on the determined other operation events, adding the matched operation event into the newly-built service group until the operation event corresponding to the target service is traversed, and returning to execute the step of judging whether clustering is performed for the first time or one service group aggregation is completed until the operation event set is traversed;
after the aggregation of the operation events is finished, each operation event has a corresponding time parameter, and all operation events of each service group are sequenced and combined by taking the service group as a unit according to the sequence of the time parameters;
then, associating the asset data corresponding to the arranged and combined operation events according to the corresponding positions of the asset data to determine the data flow direction corresponding to the asset data;
Taking student course selection as an example: if the student end exits directly after the first login, starts course selection after the second login, submits it for audit and finally exits, and the administrator logs in, performs the audit and logs out after it passes, then the operation events involved in the service comprise two course selection account logins, two course selection account logouts, one course check, one audit pass and one course selection audit account logout, which together form the service group corresponding to the student course selection service;
arranging and combining these in time order gives the following sequences:
course selection account logs in -> course selection account logs out -> course selection account logs in -> check course -> submit for audit -> course selection account logs out;
course selection audit account logs in -> audit pass/fail -> course selection audit account logs out;
and then determining asset data corresponding to each operation event:
the course selection account, the course database and the course selection account;
a course selection auditing account, a course database and a course selection auditing account;
and finally, association is performed according to the position of each asset data to determine the data flow direction corresponding to the asset data:
the positions corresponding to the asset data are as follows:
student terminal host 1 -> course selection server -> student terminal host 1;
teacher terminal host 2 -> course selection server -> teacher terminal host 2;
therefore the data flow direction corresponding to the asset data is obtained as: student terminal host 1 -> course selection server -> student terminal host 1; teacher terminal host 2 -> course selection server -> teacher terminal host 2;
as shown in FIG. 4, which is a data access flow diagram for the audit of the hospitalisation cost schedule in a hospital, this business involves asset data such as 20 access terminals, 7 business applications, 1 database account, 1 data table, 1 Oracle server, 1 data service and 1 instance, and the data access flow between these asset data is shown in the figure;
in this embodiment, when the data flow direction corresponding to asset data is determined, all operation events corresponding to the asset data are first determined from its time and space parameters to form an operation event set, and all operation events are clustered against a preset service set to form service groups, each service group corresponding to one service and each service being a combination of several operation events. During clustering, the corresponding service in the preset service set is matched from the operation event to be matched, and the remaining operation events of that service are then searched for in the operation event set through the other operation events the matched service contains, which ensures that all operation events are clustered efficiently and accurately. After clustering, the operation events in each service group are first arranged in the order of their time parameters, and the asset data are then associated on the basis of the positions of the asset data corresponding to the operation events, so that the data flow direction corresponding to the asset data is determined and its accuracy ensured.
In another optional embodiment, the analyzing the data flow direction in step S3 and determining the application scenario corresponding to the asset data includes:
determining the asset data associated along the data flow direction according to the data flow direction;
determining a target data access relation corresponding to the data flow direction according to the associated asset data and the data flow direction;
determining an application scene corresponding to the asset data according to the target data access relation;
wherein the determining the application scene corresponding to the asset data according to the target data access relationship comprises:
determining a data access relation which can be realized based on the asset data in advance according to all asset data types corresponding to the asset data to form a data access relation library;
determining a corresponding application scene according to each data access relation in the data access relation library;
searching a corresponding matching data access relation from the data access relation library according to the target data access relation;
determining an application scene corresponding to the target data access relation according to the matching data access relation;
for example, the following data access relationships may be determined according to different asset data types: user-data access relationships, application-data access relationships, data-data access relationships, user-application-data access relationships, and the like;
determining a corresponding application scene based on the determined data access relation, for example, the application scene corresponding to the application-data access relation is a service access scene, the data-data access relation is a sharing distribution scene, the user-data access relation is a data analysis scene, and the user-application-data access relation is a development operation and maintenance scene;
the correspondence between data access relations and application scenes is not fixed: it can be adjusted dynamically in real time, and both the data access relation library and its mapping to application scenes can be updated.
After identifying the application scenario corresponding to the asset data, the risk of the asset data can be evaluated according to the specific application scenario, and when the risk evaluation is performed, the following two implementation manners can be provided:
the first realization mode is as follows:
determining a risk analysis strategy matched with the application scene according to the application scene;
determining vulnerability analysis, exposure face analysis and threat analysis corresponding to the asset data according to the matched risk analysis strategy;
determining a risk assessment for the asset data from the vulnerability analysis, exposure area analysis, and threat analysis;
Vulnerability analysis mainly analyzes how difficult an asset is to crack: for account assets, the difficulty of cracking the account; for data assets, the difficulty of stealing data from the database. Taking student course selection as an example, vulnerability analysis mainly analyzes the difficulty of cracking the account assets, and the vulnerability can be quantified by a numerical value, where a larger value means the asset is more vulnerable and easier to crack. In an optional implementation, time limits T1 and T2 can be set for cracking: when the asset is cracked within a time less than T1, the vulnerability is the largest, A1; when the cracking time is more than T2, the vulnerability is the smallest, A3; when the cracking time is between T1 and T2, the vulnerability is medium, A2, with A1 > A2 > A3;
Exposure face analysis mainly analyzes how much effective information is exposed once the asset data is intercepted and parsed. For example, for data sent between two hosts, if the asset data is intercepted and parsed, the effective information exchanged between the two hosts can be extracted; in the student course selection example, exposure face analysis considers whether, after the student transmits the selected course data to the course selection server, the data can be intercepted and parsed in transit so that effective information (for example, which course the student selected) can be extracted. In an optional implementation, effective information proportion ranges can be set, with different proportion ranges corresponding to different exposure face values, where a larger exposure face value means more information is exposed: for example, the proportion B of the obtained effective information in all effective information can be calculated; when B is larger than B2, the exposure face value is H1; when B is smaller than B1, the exposure face value is H3; when B is between B1 and B2, the exposure face value is H2, with H1 > H2 > H3;
Threat analysis mainly analyzes the threats currently present in the asset data. For example, if the asset data is a terminal, the analysis mainly covers the vulnerabilities, viruses and missing patches currently present on it, and a corresponding threat value can be set according to the number of existing vulnerabilities, viruses and missing patches, where a larger number gives a larger threat value: for example, when the number N is greater than N2, the threat value is C1; when N is less than N1, the threat value is C3; when N is between N1 and N2, the threat value is C2, with C1 > C2 > C3;
In this embodiment, different application scenarios have different risk analysis policies, so a matching risk analysis policy can be flexibly determined for each application scenario. In a specific implementation, all asset data related to each application scenario is first determined, the asset data is then classified according to the characteristics of the application scenario, and different types of asset data use different risk analysis methods: for example, some types of asset data only need vulnerability analysis and threat analysis, without exposure analysis; some only need exposure surface analysis and threat analysis, without vulnerability analysis; and some place different emphasis on vulnerability analysis, exposure surface analysis and threat analysis, so that different weights can be attached to each. All asset data in each application scene is classified in this way, risk analysis is performed on the classified asset data using the corresponding risk analysis methods, and the asset risk assessment result of the object to be assessed is finally determined from the risk analysis results of all asset data in the application scene. In a specific implementation, after the risk values of all assets in a certain application scenario are determined, the risk values are normalized and added together, the resulting sum is taken as the risk assessment result of the application scenario, and the sum is compared with preset thresholds: for example, when the sum is greater than a threshold TH1, the risk is high; when the sum is less than a threshold TH2, the risk is low; and when the sum is between TH1 and TH2, the risk is medium.
The asset risk assessment method described in this embodiment classifies asset data related to the application scene in a hierarchical manner, and then according to the hierarchical classification result, different types of asset data in the application scene adopt a risk assessment method adapted to the asset data, so that customized analysis of asset data of a specific asset type in a specific application scene is realized.
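The tiered vulnerability, exposure face and threat values, the per-scene policy that decides which analyses each asset type undergoes and with what weight, and the normalize-sum-threshold step of the first implementation, as an added Python example rather than code from the patent. The concrete T1/T2, A1..A3, B1/B2, H1..H3, N1/N2, C1..C3 and TH1/TH2 values, the policy table and the observed asset inputs are constructed placeholders; the page gives only the ordering constraints between them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Tier thresholds and tier values: constructed placeholders that respect the
# page's ordering constraints A1 > A2 > A3, H1 > H2 > H3, C1 > C2 > C3.
T1, T2 = 1.0, 24.0        # cracking time limits (hours)
A1, A2, A3 = 9, 5, 1      # vulnerability values
B1, B2 = 0.2, 0.6         # effective-information proportion bounds
H1, H2, H3 = 9, 5, 1      # exposure face values
N1, N2 = 2, 10            # threat count bounds
C1, C2, C3 = 9, 5, 1      # threat values
TH1, TH2 = 1.5, 0.75      # thresholds on the summed normalized scene risk
MAX_VALUE = {"vulnerability": A1, "exposure": H1, "threat": C1}


@dataclass
class AssetObservation:
    asset: str
    asset_type: str
    crack_time_hours: Optional[float] = None  # None: this analysis was not performed
    exposed_ratio: Optional[float] = None     # proportion B of effective information recoverable
    threat_count: Optional[int] = None        # vulnerabilities + viruses + missing patches present


def vulnerability_value(crack_time_hours: float) -> int:
    """Faster to crack than T1 -> A1 (most vulnerable); slower than T2 -> A3."""
    if crack_time_hours < T1:
        return A1
    if crack_time_hours > T2:
        return A3
    return A2


def exposure_value(b: float) -> int:
    """Proportion of effective information exposed above B2 -> H1; below B1 -> H3."""
    if b > B2:
        return H1
    if b < B1:
        return H3
    return H2


def threat_value(n: int) -> int:
    """Threat count above N2 -> C1; below N1 -> C3."""
    if n > N2:
        return C1
    if n < N1:
        return C3
    return C2


# Scene-specific risk analysis policy (constructed): for each asset type in a
# scene, which analyses apply and their weights. Omitted analyses are skipped.
POLICY: Dict[str, Dict[str, Dict[str, float]]] = {
    "development operation and maintenance scene": {
        "account": {"vulnerability": 0.7, "threat": 0.3},      # no exposure analysis
        "terminal": {"exposure": 0.5, "threat": 0.5},          # no vulnerability analysis
        "database": {"vulnerability": 0.4, "exposure": 0.3, "threat": 0.3},
    },
}


def asset_risk(obs: AssetObservation, analyses: Dict[str, float]) -> float:
    """Weighted risk of one asset under its policy, normalized to [0, 1] by the
    maximum the same weights could produce. A required analysis with no
    observed input is an error, not a silent zero."""
    inputs = {
        "vulnerability": (obs.crack_time_hours, vulnerability_value),
        "exposure": (obs.exposed_ratio, exposure_value),
        "threat": (obs.threat_count, threat_value),
    }
    score = 0.0
    for analysis, weight in analyses.items():
        value, tier = inputs[analysis]
        if value is None:
            raise ValueError(f"{obs.asset}: policy requires {analysis} analysis but no input was observed")
        score += weight * tier(value)
    max_possible = sum(weight * MAX_VALUE[a] for a, weight in analyses.items())
    return score / max_possible


def risk_level(total: float) -> str:
    if total > TH1:
        return "high"
    if total < TH2:
        return "low"
    return "medium"


def scene_risk(observations: List[AssetObservation], scene: str, policy=POLICY) -> Tuple[float, str]:
    """Sum the normalized risk values of all assets in the scene and grade the sum."""
    rules = policy[scene]
    total = 0.0
    for obs in observations:
        if obs.asset_type not in rules:
            raise ValueError(f"{obs.asset}: asset type {obs.asset_type!r} has no policy in {scene!r}")
        total += asset_risk(obs, rules[obs.asset_type])
    return total, risk_level(total)


# Constructed observations for the student course selection scene.
OBSERVATIONS = [
    AssetObservation("student account", "account", crack_time_hours=0.5, threat_count=0),
    AssetObservation("student terminal host 1", "terminal", exposed_ratio=0.7, threat_count=5),
    AssetObservation("course db", "database", crack_time_hours=48.0, exposed_ratio=0.1, threat_count=1),
]

if __name__ == "__main__":
    print(scene_risk(OBSERVATIONS, "development operation and maintenance scene"))
```

Because each asset is normalized against the best score its own weights allow, assets analyzed under two analyses and assets analyzed under three contribute on the same [0, 1] scale, which is what makes adding them into one scene sum meaningful; the absolute thresholds TH1 and TH2 then have to be chosen per scene with the asset count in mind.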
The second implementation manner is as follows:
determining a corresponding test case according to the application scene;
running the test case in a data flow direction corresponding to the asset data to test the asset data, and determining vulnerability test results, exposure surface test results and threat test results of all the asset data in the application scene;
determining a risk assessment of the asset data according to the vulnerability test result, the exposure surface test result and the threat test result;
In implementation, test cases corresponding to different application scenes can be set in advance and constructed according to the characteristics of the asset data of each application scene; for example, if some asset data in an application scene do not need vulnerability analysis, no test cases related to vulnerability analysis need to be constructed for that asset data, and so on;
In this embodiment, when asset risk assessment is performed, real-time testing is carried out based on the test cases adapted to the asset data in a specific application scene, and the asset assessment result is determined from the real-time test result; real-time testing assesses asset risk more truly and reliably, which further improves the accuracy of asset risk assessment.
In another alternative embodiment, referring to fig. 5, a terminal for asset risk assessment based on spatiotemporal data includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor executes the computer program to implement the steps of a method for asset risk assessment based on spatiotemporal data in any of the above embodiments.
In summary, according to the asset risk assessment method and terminal based on spatio-temporal data provided by the present invention, when performing risk assessment on asset data, asset data is identified, a time parameter and a space parameter corresponding to the asset data are determined, a data flow direction corresponding to the asset data is determined according to the time parameter and the space parameter, an application scenario corresponding to the asset data is determined based on the data flow direction, and finally, risk assessment is performed on the asset data according to the application scenario.
The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all equivalent changes made by using the contents of the present specification and the drawings, or applied directly or indirectly to the related technical fields, are included in the scope of the present invention.

Claims (4)

1. An asset risk assessment method based on spatiotemporal data is characterized by comprising the following steps:
identifying asset data of an object to be evaluated, and determining a time parameter and a space parameter corresponding to the asset data;
determining a data flow direction corresponding to the asset data according to the time parameter and the space parameter corresponding to the asset data;
analyzing the data flow direction, determining an application scene corresponding to the asset data, and performing risk assessment on the asset data according to the application scene;
the asset data identifying the object to be evaluated comprises:
setting an asset analysis probe and a data behavior acquisition probe;
actively detecting account number assets and data assets of the object to be evaluated through the asset analysis probe, and generating a corresponding account number asset directory and a corresponding data asset directory;
carrying out flow monitoring on the object to be evaluated through the data behavior acquisition probe, identifying application assets and terminal assets of the object to be evaluated, and generating a corresponding application asset directory and a corresponding terminal asset directory;
determining asset data of the object to be evaluated according to the account asset directory, the data asset directory, the application asset directory and the terminal asset directory;
the determining the time parameter and the space parameter corresponding to the asset data comprises:
each asset data is bound with a corresponding operation event and the occurrence time and the occurrence position of each operation event, and the operation events and the occurrence time and the occurrence positions thereof are stored in a directory corresponding to the asset data;
for each asset data, determining an asset directory where the asset data is located according to the type of the asset data, and searching all corresponding operation events and the time and the position of all the operation events from the asset directory where the asset data is located;
determining time parameters corresponding to the asset data according to the occurrence time of all operation events, and determining space parameters corresponding to the asset data according to the occurrence positions of all operation events, wherein the time parameters and the space parameters are in one-to-one correspondence;
further comprising the steps of:
binding the time parameters and the space parameters which correspond to one another with the operation events corresponding to the time parameters and the space parameters;
the determining the data flow direction corresponding to the asset data according to the time parameter and the space parameter corresponding to the asset data comprises:
determining the operation events bound with each asset data according to the time parameters and the space parameters which correspond to the asset data one by one to obtain all the operation events corresponding to the asset data;
performing cluster analysis on all the operation events, and clustering the operation events belonging to the same operation process;
arranging and combining the clustered operation events belonging to the same operation process according to the sequence of the corresponding time parameters, and associating the asset data corresponding to the arranged and combined operation events according to the corresponding positions to determine the data flow direction corresponding to the asset data;
the analyzing the data flow direction and determining the application scenario corresponding to the asset data comprises:
determining the asset data associated along the data flow direction according to the data flow direction;
determining a target data access relation corresponding to the data flow direction according to the associated asset data and the data flow direction;
determining an application scene corresponding to the asset data according to the target data access relation;
the determining the application scene corresponding to the asset data according to the target data access relationship comprises:
determining a data access relation which can be realized based on the asset data in advance according to all asset data types corresponding to the asset data to form a data access relation library;
determining a corresponding application scene according to each data access relation in the data access relation library;
searching a corresponding matching data access relation from the data access relation library according to the target data access relation;
and determining an application scene corresponding to the target data access relation according to the matching data access relation.
2. The method for asset risk assessment based on spatiotemporal data according to claim 1, wherein the risk assessment of the asset data according to the application scenario comprises:
determining a risk analysis strategy matched with the application scene according to the application scene;
determining vulnerability analysis, exposure face analysis and threat analysis corresponding to the asset data according to the matched risk analysis strategy;
determining a risk assessment for the asset data based on the vulnerability analysis, exposure area analysis, and threat analysis.
3. The asset risk assessment method based on spatiotemporal data according to claim 1, wherein said risk assessment of said asset data according to said application scenario comprises:
determining a corresponding test case according to the application scene;
running the test case in a data flow direction corresponding to the asset data to test the asset data, and determining a vulnerability test result, an exposure surface test result and a threat test result of the asset data;
and determining the risk assessment of the asset data according to the vulnerability test result, the exposure surface test result and the threat test result.
4. A spatiotemporal data-based asset risk assessment terminal comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the computer program implements the steps of a spatiotemporal data-based asset risk assessment method according to any one of claims 1 to 3.
CN202210209481.1A 2022-03-04 2022-03-04 Asset risk assessment method and terminal based on spatio-temporal data Active CN114579980B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210209481.1A CN114579980B (en) 2022-03-04 2022-03-04 Asset risk assessment method and terminal based on spatio-temporal data


Publications (2)

Publication Number Publication Date
CN114579980A CN114579980A (en) 2022-06-03
CN114579980B true CN114579980B (en) 2022-11-04

Family

ID=81773405


Country Status (1)

Country Link
CN (1) CN114579980B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112491930A (en) * 2020-12-16 2021-03-12 平安养老保险股份有限公司 System risk dynamic monitoring method, system, computer equipment and storage medium
CN113037766A (en) * 2021-03-23 2021-06-25 中通服创发科技有限责任公司 Comprehensive evaluation method for asset safety and health degree under multiple scenes
CN113709170A (en) * 2021-09-01 2021-11-26 京东科技信息技术有限公司 Asset safe operation system, method and device
CN113839817A (en) * 2021-09-23 2021-12-24 北京天融信网络安全技术有限公司 Network asset risk assessment method, device and system
CN113965417A (en) * 2021-12-21 2022-01-21 北京微步在线科技有限公司 Asset risk detection method and device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9652813B2 (en) * 2012-08-08 2017-05-16 The Johns Hopkins University Risk analysis engine
CN111507597A (en) * 2020-04-10 2020-08-07 南京源堡科技研究院有限公司 Network information security risk assessment model and method
CN113962656A (en) * 2021-10-21 2022-01-21 广东电网有限责任公司 Power grid data asset management method, system, equipment and storage medium
CN114049054B (en) * 2022-01-13 2022-04-19 江苏通付盾科技有限公司 Decision method and system applied to risk management and control


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
网络安全的风险分析 (Risk analysis of network security); 王桂娟 et al.; 《现代计算机》 (Modern Computer); 2001-08-30 (No. 08); full text *

Also Published As

Publication number Publication date
CN114579980A (en) 2022-06-03


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A method and terminal for asset risk assessment based on spatiotemporal data

Effective date of registration: 20230831

Granted publication date: 20221104

Pledgee: CITIC Bank Limited by Share Ltd. Fuzhou branch

Pledgor: FUJIAN ZHONGXIN WANG 'AN INFORMATION TECHNOLOGY CO.,LTD.

Registration number: Y2023350000194