CN114584342B - Network vulnerability recognition and detection system based on data analysis - Google Patents


Info

Publication number
CN114584342B
Authority
CN
China
Prior art keywords
vulnerability
network
loopholes
vulnerabilities
influence
Legal status
Active
Application number
CN202210048478.6A
Other languages
Chinese (zh)
Other versions
CN114584342A (en)
Inventor
杨牧天
刘梅
吴敬征
罗天悦
Current Assignee
Beijing Zhongke Weilan Technology Co ltd
Original Assignee
Beijing Zhongke Weilan Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis

Abstract

The invention discloses a network vulnerability identification and detection system based on data analysis, relates to the technical field of network vulnerability identification and detection, and solves the technical problem that in the prior art the occurrence risk of network vulnerabilities cannot be controlled because no relevance analysis can be carried out on them. The system detects and identifies network vulnerabilities, thereby improving the accuracy of detection and identification and reducing the influence of the vulnerabilities on network data; it carries out relevance analysis on each network vulnerability and judges whether the vulnerabilities are related, so as to judge whether they may appear in succession, which improves the predictability of network vulnerabilities, effectively reduces the influence of sudden network vulnerabilities and at the same time reduces the risk they pose to network data; and it detects the environment of the current network and judges whether the current network is normal, so as to analyse the occurrence probability of network vulnerabilities and their influence on the network.

Description

Network vulnerability recognition and detection system based on data analysis
Technical Field
The invention relates to the technical field of network vulnerability identification and detection, in particular to a network vulnerability identification and detection system based on data analysis.
Background
A network vulnerability is generally understood as a defect in the concrete implementation of hardware, software or protocols, or in the security policy of a system, which allows an attacker to access or damage the system without authorization. A common descriptive definition is: anything present in a computer network system that can cause damage to the components and data of the system;
in the prior art, however, relevance analysis cannot be performed on network vulnerabilities during detection and identification, so the occurrence risk of network vulnerabilities cannot be controlled and the potential safety hazard of the network environment increases;
in view of the above technical drawbacks, a solution is now proposed.
Disclosure of Invention
The invention aims to solve the above problem by providing a network vulnerability identification and detection system based on data analysis, which detects and identifies network vulnerabilities, thereby improving the accuracy of detection and identification and reducing the influence of the vulnerabilities on network data; carries out relevance analysis on each network vulnerability and judges whether the vulnerabilities are related, so as to judge whether they may appear in succession, which improves the predictability of network vulnerabilities, effectively reduces the influence of sudden network vulnerabilities and at the same time reduces the risk they pose to network data; and detects the environment of the current network and judges whether the current network is normal, so as to analyse the occurrence probability of network vulnerabilities and their influence on the network.
The aim of the invention can be achieved by the following technical scheme:
the network vulnerability identification and detection system based on data analysis comprises a network vulnerability detection and identification platform in which a server is arranged; the server is in communication connection with a vulnerability relevance analysis unit, a network environment detection unit, a verification task allocation optimization unit and a database;
the network vulnerability detection and identification platform detects and identifies network vulnerabilities; the server generates a relevance analysis signal and sends it to the vulnerability relevance analysis unit, which carries out relevance analysis on each network vulnerability; the server generates a network environment detection signal and sends it to the network environment detection unit, which detects the environment of the current network; and the server generates a verification task allocation optimization signal and sends it to the verification task allocation optimization unit, which matches maintenance personnel to the verification of network vulnerabilities.
As a preferred embodiment of the present invention, the vulnerability relevance analysis process of the vulnerability relevance analysis unit is as follows:
the network build time is marked as the initial time, and a vulnerability analysis time period is constructed from the current time and the initial time; the network vulnerabilities appearing in the vulnerability analysis time period are collected together with their vulnerability data, which comprise the influence duration of the vulnerability, the influenced network-speed floating value and the influenced data download flow; the network vulnerabilities appearing in the vulnerability analysis time period are marked as historical vulnerabilities and labelled i, where i is a natural number greater than 1; the vulnerability data corresponding to a historical vulnerability are marked as its influence factors, and the effect of the influence factors on the network data is marked as its influence features, which are expressed as an increase of the influence duration of the vulnerability, an increase of the network-speed floating value or a decrease of the data download flow;
the collected historical vulnerabilities are sorted in time order within the vulnerability analysis time period to construct a historical vulnerability set; for adjacent subsets of the historical vulnerability set, the occurrence interval duration between the corresponding historical vulnerabilities and the difference between their influence durations are collected and compared with an interval duration threshold and an influence duration difference threshold respectively:
if the occurrence interval duration of the historical vulnerabilities of adjacent subsets is smaller than the interval duration threshold and their influence duration difference is smaller than the influence duration difference threshold, the historical vulnerabilities of the adjacent subsets are bound together and the bound pair is marked as preset associated vulnerabilities; if the occurrence interval duration is larger than the interval duration threshold and the influence duration difference is larger than the influence duration difference threshold, the historical vulnerabilities of the adjacent subsets are bound together and the bound pair is marked as preset unassociated vulnerabilities;
the influence factors and influence features of the preset associated vulnerabilities and of the preset unassociated vulnerabilities are compared: if the influence factors and influence features of preset associated vulnerabilities are consistent, they are marked as selected associated vulnerabilities; if they are inconsistent, they are marked as risk associated vulnerabilities; if the influence factors and influence features of preset unassociated vulnerabilities are consistent, they are marked as monitoring associated vulnerabilities; if they are inconsistent, they are marked as selected unassociated vulnerabilities;
the selected associated vulnerabilities, risk associated vulnerabilities, monitoring associated vulnerabilities and selected unassociated vulnerabilities are sent to the server; after receiving them, the server forwards the selected associated and selected unassociated vulnerabilities to the database for storage and at the same time monitors the risk associated and monitoring associated vulnerabilities; if the number of successive occurrences of a risk associated or monitoring associated vulnerability exceeds the corresponding count threshold, it is judged to be a selected associated vulnerability.
As a preferred embodiment of the present invention, the network environment detection process of the network environment detection unit is as follows:
a network environment detection time period is set; within it, the network vulnerability screening frequency and the number of network vulnerabilities occurring within one screening period are collected and compared with a screening frequency threshold and a vulnerability occurrence count threshold respectively:
if within the detection time period the screening frequency exceeds the screening frequency threshold and the number of network vulnerabilities occurring within the screening period does not exceed the occurrence count threshold, the network environment is judged safe, and a network environment safety signal is generated and sent to the server; if the screening frequency does not exceed the screening frequency threshold and the number of network vulnerabilities occurring within the screening period exceeds the occurrence count threshold, the network environment is judged unsafe, and a network environment risk signal is generated and sent to the server.
As a preferred embodiment of the present invention, the verification task allocation optimization procedure of the verification task allocation optimization unit is as follows:
network vulnerabilities appearing in real time are collected, marked as real-time vulnerabilities and compared with the historical vulnerabilities in the database; if the comparison matches, the selected associated vulnerabilities of the real-time vulnerability and the longest maintenance duration corresponding to those selected associated vulnerabilities are acquired and compared with a selected associated vulnerability count threshold and a longest maintenance duration threshold respectively:
if the number of selected associated vulnerabilities of the real-time vulnerability exceeds the selected associated vulnerability count threshold, or the longest maintenance duration corresponding to the selected associated vulnerabilities exceeds the longest maintenance duration threshold, the vulnerability is marked as a first-level known vulnerability; if the number does not exceed the count threshold and the longest maintenance duration does not exceed the duration threshold, the vulnerability is marked as a second-level known vulnerability;
if the comparison does not match, the duration of the influence features corresponding to the real-time vulnerability and the number of its influence factors are compared with a duration threshold and an influence factor count threshold respectively:
if the duration of the influence features exceeds the duration threshold and the number of influence factors exceeds the influence factor count threshold, the network vulnerability is marked as a first-level unknown vulnerability; if the duration does not exceed the duration threshold and the number of influence factors does not exceed the influence factor count threshold, the network vulnerability is marked as a second-level unknown vulnerability;
the maintenance personnel idle in real time are divided according to their maintenance count: if a maintainer's maintenance count exceeds a maintenance count threshold, the maintainer is marked as real-time first-level personnel; if it does not exceed the threshold, the maintainer is marked as real-time second-level personnel;
first-level known vulnerabilities and first-level unknown vulnerabilities are matched to real-time first-level personnel, and second-level known vulnerabilities and second-level unknown vulnerabilities to real-time second-level personnel; the matched maintainers and network vulnerabilities are sent to the server.
Compared with the prior art, the invention has the beneficial effects that:
in the invention, network vulnerabilities are detected and identified, thereby improving the accuracy of detection and identification and reducing the influence of the vulnerabilities on network data; relevance analysis is carried out on each network vulnerability to judge whether the vulnerabilities are related, so as to judge whether they may appear in succession, which improves the predictability of network vulnerabilities, effectively reduces the influence of sudden network vulnerabilities and at the same time reduces the risk they pose to network data; the environment of the current network is detected to judge whether the current network is normal, so as to analyse the occurrence probability of network vulnerabilities and their influence on the network; and maintenance personnel are matched to the verification of network vulnerabilities, so that verification task allocation is optimized according to the vulnerability information, its importance and the work task information of the verification personnel, verification efficiency and vulnerability maintenance efficiency are improved, and the influence of the vulnerabilities on the network environment is reduced.
Drawings
The present invention is further described below with reference to the accompanying drawings for the convenience of understanding by those skilled in the art.
Fig. 1 is a functional block diagram of the present invention.
Detailed Description
The technical solutions of the present invention will be clearly and completely described in connection with the embodiments, and it is obvious that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to Fig. 1, a network vulnerability identification and detection system based on data analysis comprises a network vulnerability detection and identification platform in which a server is arranged; the server is in bidirectional communication connection with a vulnerability relevance analysis unit, a network environment detection unit, a verification task allocation optimization unit and a database;
the network vulnerability detection and identification platform detects and identifies network vulnerabilities, so that the accuracy of detection and identification is improved and the influence of the vulnerabilities on network data is reduced; the server generates a relevance analysis signal and sends it to the vulnerability relevance analysis unit, which carries out relevance analysis on each network vulnerability and judges whether the vulnerabilities are related, so as to judge whether they may appear in succession, which improves the predictability of network vulnerabilities, effectively reduces the influence of sudden network vulnerabilities and reduces the risk they pose to network data; the specific vulnerability relevance analysis process is as follows:
the network build time is marked as the initial time, and a vulnerability analysis time period is constructed from the current time and the initial time; the network vulnerabilities appearing in the vulnerability analysis time period are collected together with their vulnerability data, which comprise the influence duration of the vulnerability, the influenced network-speed floating value and the influenced data download flow; the network vulnerabilities appearing in the vulnerability analysis time period are marked as historical vulnerabilities and labelled i, where i is a natural number greater than 1; the vulnerability data corresponding to a historical vulnerability are marked as its influence factors, and the effect of the influence factors on the network data is marked as its influence features, which are expressed as an increase of the influence duration of the vulnerability, an increase of the network-speed floating value or a decrease of the data download flow;
the collected historical vulnerabilities are sorted in time order within the vulnerability analysis time period to construct a historical vulnerability set; for adjacent subsets of the historical vulnerability set, the occurrence interval duration between the corresponding historical vulnerabilities and the difference between their influence durations are collected and compared with an interval duration threshold and an influence duration difference threshold respectively:
if the occurrence interval duration of the historical vulnerabilities of adjacent subsets is smaller than the interval duration threshold and their influence duration difference is smaller than the influence duration difference threshold, the historical vulnerabilities of the adjacent subsets are bound together and the bound pair is marked as preset associated vulnerabilities; if the occurrence interval duration is larger than the interval duration threshold and the influence duration difference is larger than the influence duration difference threshold, the historical vulnerabilities of the adjacent subsets are bound together and the bound pair is marked as preset unassociated vulnerabilities;
the influence factors and influence features of the preset associated vulnerabilities and of the preset unassociated vulnerabilities are compared: if the influence factors and influence features of preset associated vulnerabilities are consistent, they are marked as selected associated vulnerabilities; if they are inconsistent, they are marked as risk associated vulnerabilities; if the influence factors and influence features of preset unassociated vulnerabilities are consistent, they are marked as monitoring associated vulnerabilities; if they are inconsistent, they are marked as selected unassociated vulnerabilities;
the selected associated vulnerabilities, risk associated vulnerabilities, monitoring associated vulnerabilities and selected unassociated vulnerabilities are sent to the server; after receiving them, the server forwards the selected associated and selected unassociated vulnerabilities to the database for storage and at the same time monitors the risk associated and monitoring associated vulnerabilities; if the occurrence count of a risk associated or monitoring associated vulnerability exceeds the corresponding count threshold, it is judged to be a selected associated vulnerability. By distinguishing selected associated, risk associated, monitoring associated and selected unassociated vulnerabilities, the vulnerabilities appearing in the network are partitioned, so that when a vulnerability appears in real time its associated and unassociated vulnerabilities can be determined definitely, the risk coefficient of the real-time vulnerability can be judged accurately, maintenance can be targeted and maintenance efficiency is ensured;
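The relevance analysis procedure above (also given in the Disclosure of Invention) as a runnable example; this is added code, not an implementation from the patent or its assignee. The thresholds, the sample history, the reading of "consistent" as equal factor and feature sets, the treatment of mixed threshold cases as undetermined, and the counting of recurrences of the same pair of vulnerabilities are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Influence features named on the page: the effect a vulnerability had on network data.
DURATION_INCREASE = "duration_increase"
SPEED_FLOAT_INCREASE = "speed_float_increase"
DOWNLOAD_DECREASE = "download_decrease"


@dataclass(frozen=True)
class HistoricalVuln:
    """One historical vulnerability with its vulnerability data (the influence factors)."""
    vuln_id: str                 # identifier of the vulnerability type (constructed label)
    occurred_at: float           # hours after the network build time (the initial time)
    influence_hours: float       # influence duration of the vulnerability
    speed_float: float           # influenced network-speed floating value (0 = none observed)
    download_flow: float         # influenced data download flow (0 = none observed)
    features: FrozenSet[str]     # observed influence features


def influence_factors(v: HistoricalVuln) -> FrozenSet[str]:
    """Names of the influence factors present for a vulnerability.
    Assumption: a factor counts as present when its measured value is non-zero."""
    present = {"influence_duration"} if v.influence_hours > 0 else set()
    if v.speed_float > 0:
        present.add("speed_float")
    if v.download_flow > 0:
        present.add("download_flow")
    return frozenset(present)


def preset_label(a: HistoricalVuln, b: HistoricalVuln,
                 interval_threshold: float, diff_threshold: float) -> str:
    """First stage: bind two adjacent historical vulnerabilities by occurrence
    interval and influence-duration difference. The page leaves the mixed cases
    (one value below, one above its threshold) undefined; returned as
    'undetermined' here (assumption)."""
    interval = b.occurred_at - a.occurred_at
    diff = abs(a.influence_hours - b.influence_hours)
    if interval < interval_threshold and diff < diff_threshold:
        return "preset_associated"
    if interval > interval_threshold and diff > diff_threshold:
        return "preset_unassociated"
    return "undetermined"


def refine_label(a: HistoricalVuln, b: HistoricalVuln, preset: str) -> str:
    """Second stage: compare influence factors and influence features.
    Assumption: 'consistent' means both bound vulnerabilities show the same
    factor set and the same feature set."""
    consistent = (influence_factors(a) == influence_factors(b)
                  and a.features == b.features)
    if preset == "preset_associated":
        return "selected_associated" if consistent else "risk_associated"
    if preset == "preset_unassociated":
        return "monitoring_associated" if consistent else "selected_unassociated"
    return "undetermined"


def analyse_relevance(history: List[HistoricalVuln], interval_threshold: float,
                      diff_threshold: float, repeat_threshold: int
                      ) -> List[Tuple[str, str, str]]:
    """Run the whole analysis and return (earlier id, later id, final label) for
    every adjacent pair in time order. The server-side rule is applied last: a
    risk/monitoring pair recurring more than repeat_threshold times is promoted
    to selected_associated (assumption: 'successive occurrences' are counted as
    recurrences of the same pair of ids within the analysis period)."""
    ordered = sorted(history, key=lambda v: v.occurred_at)
    pairs = []
    for a, b in zip(ordered, ordered[1:]):
        preset = preset_label(a, b, interval_threshold, diff_threshold)
        pairs.append((a.vuln_id, b.vuln_id, refine_label(a, b, preset)))
    watched = ("risk_associated", "monitoring_associated")
    recurrences = Counter((x, y) for x, y, lab in pairs if lab in watched)
    final = []
    for x, y, lab in pairs:
        if lab in watched and recurrences[(x, y)] > repeat_threshold:
            lab = "selected_associated"
        final.append((x, y, lab))
    return final


ALL = frozenset({DURATION_INCREASE, SPEED_FLOAT_INCREASE, DOWNLOAD_DECREASE})
TWO = frozenset({DURATION_INCREASE, DOWNLOAD_DECREASE})
# Constructed sample history (hours since network build); not data from the patent.
SAMPLE_HISTORY = [
    HistoricalVuln("vuln-A", 10.0, 5.0, 20.0, 100.0, ALL),
    HistoricalVuln("vuln-B", 30.0, 7.0, 15.0, 80.0, ALL),
    HistoricalVuln("vuln-C", 40.0, 6.0, 0.0, 90.0, TWO),
    HistoricalVuln("vuln-D", 200.0, 20.0, 0.0, 50.0, TWO),
    HistoricalVuln("vuln-E", 230.0, 40.0, 30.0, 10.0,
                   frozenset({SPEED_FLOAT_INCREASE, DOWNLOAD_DECREASE})),
    HistoricalVuln("vuln-B", 240.0, 8.0, 10.0, 70.0, ALL),
    HistoricalVuln("vuln-C", 250.0, 6.0, 0.0, 85.0, TWO),
]

if __name__ == "__main__":
    # 48 h interval threshold, 6 h difference threshold, promote after more than 1 recurrence
    for x, y, label in analyse_relevance(SAMPLE_HISTORY, 48.0, 6.0, 1):
        print(f"{x} -> {y}: {label}")
```

With these thresholds the recurring vuln-B/vuln-C pair starts as risk associated and is promoted by the server-side count rule, while the single vuln-C/vuln-D pair stays under monitoring.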
the server generates a network environment detection signal and sends it to the network environment detection unit, which detects the environment of the current network and judges whether the current network is normal, so as to analyse the occurrence probability of network vulnerabilities and their influence on the network; the specific network environment detection process is as follows:
a network environment detection time period is set; within it, the network vulnerability screening frequency and the number of network vulnerabilities occurring within one screening period are collected and compared with a screening frequency threshold and a vulnerability occurrence count threshold respectively:
if within the detection time period the screening frequency exceeds the screening frequency threshold and the number of network vulnerabilities occurring within the screening period does not exceed the occurrence count threshold, the network environment is judged safe, and a network environment safety signal is generated and sent to the server; if the screening frequency does not exceed the screening frequency threshold and the number of network vulnerabilities occurring within the screening period exceeds the occurrence count threshold, the network environment is judged unsafe, and a network environment risk signal is generated and sent to the server. The screening frequency and the number of vulnerabilities occurring within a screening period reflect the state of the network environment; when the two are not in direct proportion, the network environment is abnormal. For example, when the screening frequency is once every ten days and ten vulnerabilities occur within that ten-day screening period, the network environment is judged abnormal;
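The network environment detection rule above (also given in the Disclosure of Invention), reproducing the patent's ten-days/ten-vulnerabilities illustration, as an added example that is not the patent's own code; the thresholds, the sample timestamps and the definition of a screening period as the gap between consecutive screenings are assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class EnvironmentReading:
    """Observations over one network environment detection time period.
    Constructed layout; the page names these quantities but not their encoding."""
    period_days: float            # length of the detection time period, in days
    screening_times: List[float]  # days at which vulnerability screening ran
    vuln_times: List[float]       # days at which network vulnerabilities appeared


def screening_frequency(r: EnvironmentReading) -> float:
    """Screenings per day over the detection time period."""
    return len(r.screening_times) / r.period_days


def vulns_per_screening_period(r: EnvironmentReading) -> int:
    """Largest number of vulnerabilities falling inside one screening period.
    Assumption: a screening period is the gap between consecutive screenings
    (or the whole detection period when fewer than two screenings ran)."""
    bounds = sorted(r.screening_times)
    if len(bounds) < 2:
        return len(r.vuln_times)
    counts = [sum(1 for t in r.vuln_times if lo <= t < hi)
              for lo, hi in zip(bounds, bounds[1:])]
    return max(counts)


def judge_environment(r: EnvironmentReading, freq_threshold: float,
                      count_threshold: int) -> str:
    """The page's two rules: frequent screening with few findings per period is
    safe; infrequent screening with many findings per period is a risk. Mixed
    cases are not specified on the page and are returned as 'undetermined'."""
    freq_high = screening_frequency(r) > freq_threshold
    count_high = vulns_per_screening_period(r) > count_threshold
    if freq_high and not count_high:
        return "network_environment_safety_signal"
    if not freq_high and count_high:
        return "network_environment_risk_signal"
    return "undetermined"


# The page's illustration: screening once every ten days with ten vulnerabilities
# inside that screening period. Sample values constructed over a 30-day period.
PAGE_EXAMPLE = EnvironmentReading(
    period_days=30.0,
    screening_times=[0.0, 10.0, 20.0],
    vuln_times=[1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 7.0, 8.0, 9.0, 9.5, 12.0, 25.0],
)
# Constructed healthy comparison: daily screening, at most one finding per period.
HEALTHY = EnvironmentReading(
    period_days=30.0,
    screening_times=[float(d) for d in range(30)],
    vuln_times=[3.5, 17.5],
)

if __name__ == "__main__":
    # thresholds: more than one screening every two days; more than five findings per period
    print(judge_environment(PAGE_EXAMPLE, 0.5, 5))
    print(judge_environment(HEALTHY, 0.5, 5))
```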
the server generates a verification task allocation optimization signal and sends it to the verification task allocation optimization unit, which matches maintenance personnel to the verification of network vulnerabilities, so that verification task allocation is optimized according to the vulnerability information, its importance and the work task information of the verification personnel, verification efficiency and vulnerability maintenance efficiency are improved, and the influence of the vulnerabilities on the network environment is reduced; the specific verification task allocation optimization process is as follows:
network vulnerabilities appearing in real time are collected, marked as real-time vulnerabilities and compared with the historical vulnerabilities in the database; if the comparison matches, the selected associated vulnerabilities of the real-time vulnerability and the longest maintenance duration corresponding to those selected associated vulnerabilities are acquired and compared with a selected associated vulnerability count threshold and a longest maintenance duration threshold respectively:
if the number of selected associated vulnerabilities of the real-time vulnerability exceeds the selected associated vulnerability count threshold, or the longest maintenance duration corresponding to the selected associated vulnerabilities exceeds the longest maintenance duration threshold, the vulnerability is marked as a first-level known vulnerability; if the number does not exceed the count threshold and the longest maintenance duration does not exceed the duration threshold, the vulnerability is marked as a second-level known vulnerability; classifying the vulnerabilities in this way allows them to be detected and maintained effectively and reasonably;
if the comparison does not match, the duration of the influence features corresponding to the real-time vulnerability and the number of its influence factors are compared with a duration threshold and an influence factor count threshold respectively:
if the duration of the influence features exceeds the duration threshold and the number of influence factors exceeds the influence factor count threshold, the network vulnerability is marked as a first-level unknown vulnerability; if the duration does not exceed the duration threshold and the number of influence factors does not exceed the influence factor count threshold, the network vulnerability is marked as a second-level unknown vulnerability;
the maintenance personnel idle in real time are divided according to their maintenance count: if a maintainer's maintenance count exceeds a maintenance count threshold, the maintainer is marked as real-time first-level personnel; if it does not exceed the threshold, the maintainer is marked as real-time second-level personnel;
first-level known vulnerabilities and first-level unknown vulnerabilities are matched to real-time first-level personnel, and second-level known vulnerabilities and second-level unknown vulnerabilities to real-time second-level personnel; the matched maintainers and network vulnerabilities are sent to the server.
In use, the network vulnerability detection and identification platform detects and identifies network vulnerabilities. The server generates a correlation analysis signal and sends it to the vulnerability correlation analysis unit, which performs correlation analysis on each network vulnerability; the server generates a network environment detection signal and sends it to the network environment detection unit, which detects the state of the current network environment; and the server generates a verification task allocation optimization signal and sends it to the verification task allocation optimization unit, which verifies the network vulnerabilities and matches maintenance personnel to them accordingly.
The preferred embodiments of the invention disclosed above are intended only to assist in the explanation of the invention. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise form disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best understand and utilize the invention. The invention is limited only by the claims and the full scope and equivalents thereof.

Claims (5)

1. A network vulnerability identification and detection system based on data analysis, characterized by comprising a network vulnerability detection and identification platform in which a server is arranged, the server being communicatively connected to a vulnerability correlation analysis unit, a network environment detection unit, a verification task allocation optimization unit and a database;
the network vulnerability detection and identification platform is used to detect and identify network vulnerabilities; the server generates a correlation analysis signal and sends it to the vulnerability correlation analysis unit, which performs correlation analysis on each network vulnerability; the server generates a network environment detection signal and sends it to the network environment detection unit, which detects the state of the current network environment; the server generates a verification task allocation optimization signal and sends it to the verification task allocation optimization unit, which verifies the network vulnerabilities and matches maintenance personnel to them accordingly;
the vulnerability correlation analysis process of the vulnerability correlation analysis unit is as follows:
the network build time is marked as the initial time, and a vulnerability analysis period is constructed from the current time and the initial time; the network vulnerabilities appearing in the vulnerability analysis period are collected together with their vulnerability data, the vulnerability data comprising the impact duration of the vulnerability, the fluctuation it causes in network speed and its effect on data download flow; the network vulnerabilities appearing in the vulnerability analysis period are marked as historical vulnerabilities i, where i is a natural number greater than 1; the vulnerability data of the historical vulnerabilities are marked as influence factors, and the effect of the influence factors on the network data is marked as an influence feature, an influence feature being an increase in the impact duration of the vulnerability, an increase in the network speed fluctuation, or a decrease in data download flow;
the collected historical vulnerabilities are sorted in order of occurrence within the vulnerability analysis period to construct a historical vulnerability set; for the historical vulnerabilities in each pair of adjacent subsets of the set, the interval between their occurrence times and the difference between their impact durations are collected and compared with an interval threshold and an impact-duration difference threshold respectively;
the comparison of the occurrence interval and the impact-duration difference of the historical vulnerabilities in adjacent subsets with the interval threshold and the impact-duration difference threshold is as follows:
if the occurrence interval of the historical vulnerabilities in adjacent subsets is smaller than the interval threshold and the difference between their impact durations is smaller than the impact-duration difference threshold, the two historical vulnerabilities are bound and marked as preset associated vulnerabilities; if the occurrence interval is larger than the interval threshold and the impact-duration difference is larger than the impact-duration difference threshold, the two historical vulnerabilities are bound and marked as preset unassociated vulnerabilities;
the influence factors and influence features of the preset associated vulnerabilities and of the preset unassociated vulnerabilities are compared: if the influence factors and influence features of preset associated vulnerabilities are consistent, they are marked as selected associated vulnerabilities; if they are inconsistent, they are marked as risk associated vulnerabilities; if the influence factors and influence features of preset unassociated vulnerabilities are consistent, they are marked as monitoring associated vulnerabilities; if they are inconsistent, they are marked as selected unassociated vulnerabilities;
the selected associated vulnerabilities, risk associated vulnerabilities, monitoring associated vulnerabilities and selected unassociated vulnerabilities are sent to the server; on receiving them, the server forwards the selected associated vulnerabilities and selected unassociated vulnerabilities to the database for storage and monitors the risk associated and monitoring associated vulnerabilities; if the number of successive occurrences of a risk associated vulnerability or a monitoring associated vulnerability exceeds the corresponding count threshold, the server judges it to be a selected associated vulnerability.
2. The network vulnerability identification and detection system based on data analysis according to claim 1, characterized in that the network environment detection process of the network environment detection unit is as follows:
a network environment detection period is set; within it, the network vulnerability screening frequency and the number of network vulnerabilities occurring per screening cycle are collected and compared with a screening frequency threshold and a vulnerability occurrence count threshold respectively.
3. The network vulnerability identification and detection system based on data analysis according to claim 2, characterized in that the comparison of the screening frequency and the number of network vulnerabilities occurring per screening cycle within the network environment detection period with the screening frequency threshold and the vulnerability occurrence count threshold is as follows:
if, within the network environment detection period, the screening frequency exceeds the screening frequency threshold and the number of network vulnerabilities occurring per screening cycle does not exceed the occurrence count threshold, the network environment is judged safe, and a network environment safety signal is generated and sent to the server; if the screening frequency does not exceed the screening frequency threshold and the number of network vulnerabilities occurring per screening cycle exceeds the occurrence count threshold, the network environment is judged unsafe, and a network environment risk signal is generated and sent to the server.
4. The network vulnerability identification and detection system based on data analysis according to claim 1, characterized in that the verification task allocation optimization process of the verification task allocation optimization unit is as follows:
network vulnerabilities that appear in real time are collected and marked as real-time vulnerabilities, and each real-time vulnerability is compared with the historical vulnerabilities stored in the database; if it matches a historical vulnerability, the selected associated vulnerabilities of that real-time vulnerability and the longest maintenance time among them are acquired, and the number of selected associated vulnerabilities and the longest maintenance time are compared with a selected-associated-vulnerability count threshold and a longest-maintenance-time threshold respectively:
if the number of selected associated vulnerabilities exceeds the count threshold, or the longest maintenance time exceeds the longest-maintenance-time threshold, the vulnerability is marked as a first-level known vulnerability; if the number of selected associated vulnerabilities does not exceed the count threshold and the longest maintenance time does not exceed the longest-maintenance-time threshold, it is marked as a second-level known vulnerability;
if the real-time vulnerability matches no historical vulnerability, the duration of its influence feature and the number of its influence factors are compared with a duration threshold and an influence-factor count threshold respectively.
5. The network vulnerability identification and detection system based on data analysis according to claim 4, characterized in that the comparison of the duration of the influence feature and the number of influence factors of the real-time vulnerability with the duration threshold and the influence-factor count threshold is as follows:
if the duration of the influence feature exceeds the duration threshold and the number of influence factors exceeds the influence-factor count threshold, the network vulnerability is marked as a first-level unknown vulnerability; if the duration of the influence feature does not exceed the duration threshold and the number of influence factors does not exceed the influence-factor count threshold, it is marked as a second-level unknown vulnerability;
maintenance personnel who are currently idle are divided according to their number of completed maintenance tasks: if that number exceeds a maintenance-count threshold, the person is marked as real-time primary personnel; if it does not exceed the maintenance-count threshold, the person is marked as real-time secondary personnel;
first-level known vulnerabilities and first-level unknown vulnerabilities are matched to real-time primary personnel, and second-level known vulnerabilities and second-level unknown vulnerabilities to real-time secondary personnel; the matched maintainers and network vulnerabilities are then sent to the server.
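The correlation analysis of claim 1 is a concrete procedure: sort the historical vulnerabilities, compare each adjacent pair against an interval threshold and an impact-duration difference threshold, label the bound pairs, and let the server promote pairs that keep coming back as risk or monitoring associated. The following is an added example written for this page, not code from the patent or its assignee. Every threshold value, the baselines used to decide the direction of an influence feature, the record layout, the sample history and the reading of "consistent" as equal factor and feature sets within a bound pair are assumptions; the claim names the thresholds but gives no values. Pairs where only one of the two comparisons crosses its threshold are deliberately left unbound, because the claim assigns them nothing.

```python
"""Vulnerability correlation analysis in the shape of claim 1. Added example; thresholds,
baselines, record layout and sample history are assumptions, not values from the patent."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Claim 1 names these thresholds but does not value them; the numbers are assumed.
INTERVAL_THRESHOLD_H = 6.0        # occurrence interval between adjacent historical vulnerabilities
DURATION_DIFF_THRESHOLD_H = 2.0   # difference between their impact durations
PROMOTION_STREAK = 3              # successive occurrences before risk/monitoring becomes selected
# Assumed normal operating values, used to decide the direction of each influence feature.
BASELINE_DURATION_H, BASELINE_SPEED_FLUCT, BASELINE_DOWNLOAD_FLOW = 1.0, 0.05, 100.0


@dataclass(frozen=True)
class HistVuln:
    """Historical vulnerability i with its vulnerability data (assumed record layout)."""
    vid: str
    occurred_h: float                 # hours after the network build time (the initial time)
    impact_duration: Optional[float]  # hours the vulnerability affected the network
    speed_fluctuation: Optional[float]
    download_flow: Optional[float]

    def factors(self) -> FrozenSet[str]:
        """Influence factors: the vulnerability data actually recorded for this vulnerability."""
        present = (("impact_duration", self.impact_duration),
                   ("speed_fluctuation", self.speed_fluctuation),
                   ("download_flow", self.download_flow))
        return frozenset(name for name, value in present if value is not None)

    def features(self) -> FrozenSet[str]:
        """Influence features: duration up, speed fluctuation up, download flow down."""
        out = set()
        if self.impact_duration is not None and self.impact_duration > BASELINE_DURATION_H:
            out.add("impact_duration_up")
        if self.speed_fluctuation is not None and self.speed_fluctuation > BASELINE_SPEED_FLUCT:
            out.add("speed_fluctuation_up")
        if self.download_flow is not None and self.download_flow < BASELINE_DOWNLOAD_FLOW:
            out.add("download_flow_down")
        return frozenset(out)


def analyse(history: List[HistVuln]) -> List[Tuple[str, str, str]]:
    """Sort the history, bind adjacent pairs and label them as claim 1 does.

    Labels: selected_associated, risk_associated, monitoring_associated,
    selected_unassociated. A mixed pair (only one comparison over threshold) is skipped.
    """
    ordered = sorted(history, key=lambda v: v.occurred_h)
    results = []
    for a, b in zip(ordered, ordered[1:]):
        interval = b.occurred_h - a.occurred_h
        dur_diff = abs((b.impact_duration or 0.0) - (a.impact_duration or 0.0))
        if interval < INTERVAL_THRESHOLD_H and dur_diff < DURATION_DIFF_THRESHOLD_H:
            preset_associated = True
        elif interval > INTERVAL_THRESHOLD_H and dur_diff > DURATION_DIFF_THRESHOLD_H:
            preset_associated = False
        else:
            continue
        consistent = a.factors() == b.factors() and a.features() == b.features()
        if preset_associated:
            label = "selected_associated" if consistent else "risk_associated"
        else:
            label = "monitoring_associated" if consistent else "selected_unassociated"
        results.append((a.vid, b.vid, label))
    return results


class Server:
    """Server side of claim 1: store selected pairs, count successive risk/monitoring
    reports per pair and promote a pair once the count exceeds the threshold."""

    def __init__(self) -> None:
        self.stored: Dict[Tuple[str, str], str] = {}   # stands in for the database
        self.streak: Dict[Tuple[str, str], int] = {}

    def receive(self, results: List[Tuple[str, str, str]]) -> None:
        for a, b, label in results:
            key = (a, b)
            if label in ("selected_associated", "selected_unassociated"):
                self.stored[key] = label
                self.streak.pop(key, None)       # a selected verdict breaks the streak
                continue
            self.streak[key] = self.streak.get(key, 0) + 1
            if self.streak[key] > PROMOTION_STREAK:
                self.stored[key] = "selected_associated"
                del self.streak[key]


# Constructed sample history (hours since build); not data from the patent.
SAMPLE_HISTORY = [
    HistVuln("v1", 0.0, 3.0, 0.20, 40.0),
    HistVuln("v2", 2.0, 4.0, 0.30, 30.0),    # close in time, similar duration, consistent
    HistVuln("v3", 3.0, 3.5, 0.02, 30.0),    # close and similar, but speed fluctuation is normal
    HistVuln("v4", 20.0, 10.0, 0.30, 20.0),  # far apart, very different duration, features differ
    HistVuln("v5", 50.0, 20.0, 0.30, 20.0),  # far apart and different, but consistent with v4
    HistVuln("v6", 52.0, 5.0, 0.30, 20.0),   # close in time but 15 h duration gap: not bound
]

if __name__ == "__main__":
    server = Server()
    for _ in range(PROMOTION_STREAK + 1):     # four analysis runs over the same history
        server.receive(analyse(SAMPLE_HISTORY))
    for pair, label in sorted(server.stored.items()):
        print(pair, label)
```

Running the analysis once over the constructed history yields one pair of each label; repeating it past the streak threshold promotes the risk and monitoring pairs to selected associated, which is the escalation path the claim gives the server.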
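The verification task allocation procedure, described in the detailed description above and restated in claims 4 and 5, is a two-stage triage: tier each real-time vulnerability (known versus unknown, first versus second level) and then hand first-level work to primary personnel and second-level work to secondary personnel. The block below is an added example written for this page, not the patent's or the assignee's code. The threshold values, the record layouts, the sample vulnerabilities and the staff roster are assumptions. One caveat a practitioner would want is made explicit in it: for unknown vulnerabilities the page defines the first level with "exceeds and exceeds" and the second with "does not exceed and does not exceed", so a vulnerability with exactly one metric over its threshold receives no tier; the example returns None for that case and, as its own fail-closed assumption, routes it to primary personnel.

```python
"""Triage and assignment of real-time vulnerabilities per the verification task allocation
optimization unit. Added example; thresholds, layouts and sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The page names these thresholds but gives no values; the numbers are assumed.
SELECTED_ASSOC_COUNT_THRESHOLD = 3       # selected associated vulnerability count threshold
LONGEST_MAINTENANCE_THRESHOLD_H = 48.0   # longest maintenance time threshold, hours
IMPACT_DURATION_THRESHOLD_H = 24.0       # duration threshold for the influence feature
IMPACT_FACTOR_COUNT_THRESHOLD = 2        # influence factor count threshold
MAINTENANCE_COUNT_THRESHOLD = 10         # maintenance count threshold for personnel


@dataclass(frozen=True)
class HistoricalRecord:
    """Database entry for a historical vulnerability (assumed layout)."""
    signature: str
    selected_associated: Tuple[str, ...]   # signatures of its selected associated vulnerabilities
    longest_maintenance_h: float


@dataclass(frozen=True)
class RealtimeVuln:
    """A vulnerability observed in real time (assumed layout)."""
    signature: str
    impact_duration_h: float               # duration of its influence feature
    impact_factors: Tuple[str, ...]        # names of the influence factors recorded for it


@dataclass
class Technician:
    name: str
    maintenance_count: int
    idle: bool = True


def classify(vuln: RealtimeVuln, history: Dict[str, HistoricalRecord]) -> Optional[str]:
    """Tier a real-time vulnerability; None where the page's rules assign no tier."""
    rec = history.get(vuln.signature)     # a hit is the page's "comparison consistent"
    if rec is not None:
        # Known branch: level 1 is an OR and level 2 its complement, so every case is covered.
        if (len(rec.selected_associated) > SELECTED_ASSOC_COUNT_THRESHOLD
                or rec.longest_maintenance_h > LONGEST_MAINTENANCE_THRESHOLD_H):
            return "L1-known"
        return "L2-known"
    # Unknown branch: both levels are ANDs, so a mixed result (one metric over its
    # threshold, the other under) is not tiered by the page.
    over_duration = vuln.impact_duration_h > IMPACT_DURATION_THRESHOLD_H
    over_factors = len(vuln.impact_factors) > IMPACT_FACTOR_COUNT_THRESHOLD
    if over_duration and over_factors:
        return "L1-unknown"
    if not over_duration and not over_factors:
        return "L2-unknown"
    return None


def personnel_tier(tech: Technician) -> str:
    """Primary if the maintenance count exceeds the threshold, otherwise secondary."""
    return "primary" if tech.maintenance_count > MAINTENANCE_COUNT_THRESHOLD else "secondary"


def assign(vulns: List[RealtimeVuln], history: Dict[str, HistoricalRecord],
           staff: List[Technician]) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Match tiered vulnerabilities to idle personnel of the matching tier.

    Returns (assignments, unassigned). Each assignment is (technician, signature, tier),
    the record that would be sent to the server; unassigned lists signatures for which no
    idle technician of the right tier remained. Untiered vulnerabilities go to primary
    personnel: that fail-closed choice is this example's assumption, not the page's rule.
    """
    pools = {"primary": [t for t in staff if t.idle and personnel_tier(t) == "primary"],
             "secondary": [t for t in staff if t.idle and personnel_tier(t) == "secondary"]}
    assignments, unassigned = [], []
    for v in vulns:
        tier = classify(v, history)
        pool = pools["secondary"] if tier in ("L2-known", "L2-unknown") else pools["primary"]
        if not pool:
            unassigned.append(v.signature)
            continue
        tech = pool.pop(0)                 # one open task per idle technician
        tech.idle = False
        assignments.append((tech.name, v.signature, tier or "untiered"))
    return assignments, unassigned


# Constructed sample data, not from the page.
HISTORY = {
    "hist-A": HistoricalRecord("hist-A", ("hist-B", "hist-C", "hist-D", "hist-E"), 12.0),  # 4 > 3
    "hist-B": HistoricalRecord("hist-B", ("hist-A",), 6.0),                                # neither exceeded
}
INCOMING = [
    RealtimeVuln("hist-A", 1.0, ("impact_duration",)),                                        # L1-known
    RealtimeVuln("hist-B", 1.0, ("impact_duration",)),                                        # L2-known
    RealtimeVuln("new-1", 30.0, ("impact_duration", "speed_fluctuation", "download_flow")),   # L1-unknown
    RealtimeVuln("new-2", 2.0, ("speed_fluctuation",)),                                       # L2-unknown
    RealtimeVuln("new-3", 30.0, ("speed_fluctuation",)),                                      # mixed: untiered
]


def fresh_staff() -> List[Technician]:
    """Assumed roster: two primary (counts 25 and 12), one secondary (3), one busy (dave)."""
    return [Technician("alice", 25), Technician("bob", 12), Technician("carol", 3),
            Technician("dave", 0, idle=False)]


if __name__ == "__main__":
    done, left = assign(INCOMING, HISTORY, fresh_staff())
    for row in done:
        print(row)
    print("unassigned:", left)
```

With the constructed roster the three tiered vulnerabilities are assigned and two are left over: new-2 because the only secondary technician is already busy, and new-3 because the untiered case was escalated to a primary pool that had just been exhausted. Those leftovers are what the server would have to queue.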

Priority Applications (1)

CN202210048478.6A, priority date 2022-01-17, filing date 2022-01-17: Network vulnerability recognition and detection system based on data analysis

Publications (2)

CN114584342A (en), published 2022-06-03
CN114584342B (en), published 2024-02-06

Family ID: 81772743

Country Status (1)

CN: CN114584342B (en)

Citations (7)

All seven were cited by the examiner (*). Format: publication number (priority date, publication date), assignee: title.

CN104618176A * (2014-12-29, 2015-05-13), 北京奇虎科技有限公司: Website security detection method and device
CN104836855A * (2015-04-30, 2015-08-12), 国网四川省电力公司电力科学研究院: Web application safety situation assessment system based on multi-source data fusion
CN106649429A * (2016-08-25, 2017-05-10), 北京知道未来信息技术有限公司: Method and device for rapidly evaluating vulnerability hazard level based on multi-dimensional statistics
CN108737425A * (2018-05-24, 2018-11-02), 北京凌云信安科技有限公司: Vulnerability management system based on multi-engine vulnerability scanning correlation analysis
WO2019047346A1 * (2017-09-11, 2019-03-14), 平安科技(深圳)有限公司: Website vulnerability scanning method, device, computer device, and storage medium
CN109600371A * (2018-12-08, 2019-04-09), 公安部第三研究所: A kind of network layer leakage location and method
CN110417751A * (2019-07-10, 2019-11-05), 腾讯科技(深圳)有限公司: A kind of network safety pre-warning method, device and storage medium

Legal Events

PB01: Publication
SE01: Entry into force of request for substantive examination
GR01: Patent grant