CN114598504B - Risk assessment method and device, electronic equipment and readable storage medium - Google Patents


Info
Publication number: CN114598504B
Application number: CN202210158163.7A
Authority: CN (China)
Prior art keywords: information, attacked, type, asset, service type
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114598504A
Inventors: 方永成, 赵重浩, 叶子豪, 龚亮华
Current assignee: Fengtai Technology Beijing Co ltd
Original assignee: Fengtai Technology Beijing Co ltd
Events: application filed by Fengtai Technology Beijing Co ltd; priority to CN202210158163.7A; publication of CN114598504A; application granted; publication of CN114598504B; current legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The application provides a risk assessment method, a risk assessment device, electronic equipment and a readable storage medium. The method comprises the following steps: acquiring scanning data and alarm log information of an asset; identifying the asset according to the scanning data to obtain attribute information of the asset, wherein the attribute information comprises equipment type and service type; determining the resource yield and the corresponding importance of each equipment type or each service type according to the attribute information; counting, according to the alarm log information, the attacked information of each equipment type or each service type, wherein the attacked information comprises the attacked quantity, the attacked scale and the attack behavior; and determining the risk score of each equipment type or each service type according to the resource yield, the importance and the attacked information. Because the risk score combines the asset quantity, the importance and the attacked information of each equipment type or each service type, the security condition of the assets can be evaluated, so that the user can protect the assets and accurately know the security condition of each asset.

Description

Risk assessment method and device, electronic equipment and readable storage medium
Technical Field
The application belongs to the technical field of network security, and particularly relates to a risk assessment method, a risk assessment device, electronic equipment and a readable storage medium.
Background
At present, the basic equipment and technology of the internet industry are developing rapidly and the number of devices and services keeps growing; at the same time, vulnerabilities keep increasing and network attacks keep taking new forms, so network security problems emerge and evolve continuously and the security situation of the internet grows increasingly tense. Consequently, the demand for an evaluation that reflects the security condition of devices and services is increasingly strong.
Disclosure of Invention
The embodiment of the application provides a risk assessment method, a risk assessment device, electronic equipment and a readable storage medium, which can solve the problem that equipment and service safety conditions cannot be assessed.
In a first aspect, an embodiment of the present application provides a risk assessment method, including:
acquiring scanning data and alarm log information of an asset;
identifying the asset according to the scanning data to obtain attribute information of the asset, wherein the attribute information comprises equipment type and service type;
determining the resource output and the corresponding importance of each equipment type or each service type according to the attribute information;
according to the alarm log information, counting the attacked information of each equipment type or each service type, wherein the attacked information comprises the attacked quantity, the attacked scale and the attack behavior;
and determining the risk score of each equipment type or each service type according to the resource yield, the importance and the attacked information.
Further, the scan data includes ip information, port information, fingerprint information, and region information of the asset;
the identifying the asset according to the scan data to obtain attribute information of the asset comprises:
and identifying the asset according to the port information and the fingerprint information to obtain the attribute information of the asset.
Further, the attribute information further includes version information;
the method further comprises the steps of:
and searching target vulnerability information corresponding to the attribute information in a vulnerability database according to the equipment type, the service type and the version information.
Further, the alarm log information is collected by traps;
the counting of the attacked information of each equipment type or each service type according to the alarm log information comprises:
calculating, for each preset trap type, an average attacked quantity from the number of traps and the attacked-trap information in the alarm log information, to obtain the attacked quantity of the equipment type or service type corresponding to the trap type;
calculating the total attack amount from the attack ip information in the alarm log information, to obtain the attacked scale of the equipment type or service type corresponding to the trap type;
and determining the highest attack behavior grade from the attack behavior grades in the alarm log information, and taking it as the attack behavior of the equipment type or service type corresponding to the trap type.
Further, the determining of the risk score of each equipment type or each service type according to the resource yield, the importance and the attacked information comprises:
calculating a first risk score of each equipment type or each service type according to the resource yield and the importance;
calculating a second risk score of each equipment type or each service type according to the attacked quantity, the attacked scale and the attack behavior;
and calculating the final risk score of each equipment type or each service type according to the first risk score and the second risk score.
Further, the method further comprises:
and displaying the attribute information, the target vulnerability information, the alarm log information, the first risk score, the second risk score and the final risk score of each equipment type or each service type.
Further, the alarm log information includes attack ip information, the attacked port, the attacked service or attacked device, the attack protocol, whether a vulnerability was exploited, the attack behavior level, the attack payload, attacked trap information, and attack ip geographic information.
In a second aspect, an embodiment of the present application provides a risk assessment apparatus, including:
the acquisition unit is used for acquiring the scanning data and the alarm log information of the asset;
the identification unit is used for identifying the asset according to the scanning data to obtain attribute information of the asset, wherein the attribute information comprises equipment type and service type;
the evaluation unit is used for determining the resource yield and the corresponding importance of each equipment type or each service type according to the attribute information;
for counting, according to the alarm log information, the attacked information of each equipment type or each service type, wherein the attacked information comprises the attacked quantity, the attacked scale and the attack behavior;
and for determining the risk score of each equipment type or each service type according to the resource yield, the importance and the attacked information.
In a third aspect, an embodiment of the present application provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the method according to any one of the first aspects when executing the computer program.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium storing a computer program which, when executed by a processor, implements a method as in any of the first aspects above.
In a fifth aspect, embodiments of the present application provide a computer program product for, when run on an electronic device, causing the electronic device to perform the method of any one of the first aspects.
It will be appreciated that the advantages of the second to fifth aspects may be found in the relevant description of the first aspect, and are not described here again.
Compared with the prior art, the embodiment of the application has the beneficial effects that:
the embodiment of the application obtains the scanning data and the alarm log information of an asset; identifies the asset according to the scanning data to obtain attribute information of the asset, wherein the attribute information comprises equipment type and service type; determines the resource yield and the corresponding importance of each equipment type or each service type according to the attribute information; counts, according to the alarm log information, the attacked information of each equipment type or each service type, wherein the attacked information comprises the attacked quantity, the attacked scale and the attack behavior; and determines the risk score of each equipment type or each service type according to the resource yield, the importance and the attacked information. Because the risk score combines the asset quantity, the importance and the attacked information of each equipment type or each service type, the security condition of each equipment type or each service type can be evaluated, so that the user can protect the assets and accurately know the security condition of each equipment type or each service type.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments or the description of the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a risk assessment method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a risk assessment apparatus according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth such as the particular system architecture, techniques, etc., in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in the present description and the appended claims, the term "if" may be interpreted as "when", "once", "in response to determining" or "in response to detecting", depending on the context. Similarly, the phrase "if it is determined" or "if [a described condition or event] is detected" may be interpreted, depending on the context, as "upon determining", "in response to determining", "upon detecting [the described condition or event]" or "in response to detecting [the described condition or event]".
Furthermore, the terms "first," "second," "third," and the like in the description of the present specification and in the appended claims, are used for distinguishing between descriptions and not necessarily for indicating or implying a relative importance.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
With the development of the internet, network attacks show new characteristics: attacks are increasingly automated and fast, attack tools are increasingly complex, security vulnerabilities are discovered ever faster, firewalls are penetrated more easily, and the threat to infrastructure keeps growing.
As more and more assets such as devices and services are exposed to the internet, vulnerabilities are increasing too. Network security problems keep emerging and evolving, so the security situation of the internet is increasingly tense. Therefore, the embodiment of the application provides a risk assessment method, a risk assessment device, an electronic device and a readable storage medium, so that the risks of equipment and services can be assessed and their security conditions obtained. The user can thus master the security threat information of the internet, which supports and ensures the user's security defence of the internet, and can clearly know the security condition of the user's own assets and protect them.
Fig. 1 is a flowchart of a risk assessment method according to an embodiment of the application. By way of example and not limitation, as shown in fig. 1, the method includes:
s101: and acquiring the scanning data and alarm log information of the asset.
Wherein the assets include devices, services.
For example, assets that are live on the internet can be discovered by a scanning crawler, and the scan data of the asset is then obtained from the scanning crawler; the scan data contains the asset information, specifically the ip information, port information, fingerprint information and region information of the asset. The scan data of the asset can also be stored to meet subsequent needs for processing and analysing the scan data.
A scanning crawler management policy can be set so that live internet assets are detected in a specified region or at specified time intervals.
For example, different assets can be simulated by setting traps to lure network attacks; when a trap is attacked, alarm log information is generated accordingly, and the alarm log information comprises the attack ip information, the attacked port, the attacked service or attacked device, the attack protocol, whether a vulnerability was exploited, the attack behavior grade, the attack payload, the attacked trap information and the attack ip geographic information. The alarm log information of the asset can also be stored to meet subsequent needs for processing and analysing the alarm log information.
A trap management policy can be set to simulate assets according to different scenarios in order to lure attacks. An internet honeypot can be selected as the trap.
By scanning the data and the alarm log information, a user can grasp the security threat information of the Internet.
S102: and identifying the asset according to the scanning data to obtain attribute information of the asset, wherein the attribute information comprises equipment type and service type.
Specifically, the asset is identified according to the port information and the fingerprint information, and the attribute information of the asset is obtained.
S103: and determining the resource output and the corresponding importance of each equipment type or each service type according to the attribute information.
Specifically, according to the equipment types in the attribute information, the resource yield and the corresponding importance of each equipment type are calculated; and according to the service types in the attribute information, the resource yield and the corresponding importance of each service type are counted.
For example, a plurality of resource yield levels are divided first, and importance is set according to the corresponding asset quantity: the largest asset quantity is first level, then second level, then third level, and the smallest is fourth level; the importance of first-level and second-level resource yield is high, the importance of third-level resource yield is medium, and the importance of fourth-level resource yield is low.
Scan data of 1000 mysql services is acquired, and according to the service type mysql in the attribute information, the resource yield of the mysql service is counted as third level and its importance as medium.
S104: and according to the alarm log information, counting the attacked information of each equipment type or each service type, wherein the attacked information comprises the attacked quantity, the attacked scale and the attack behavior.
Specifically, first, for each preset trap type, an average attacked quantity is calculated from the preset number of traps and the attacked-trap information in the alarm log information, giving the attacked quantity of the equipment type or service type corresponding to that trap type.
For example, a plurality of attacked-quantity levels are divided first: the highest attacked quantity is first level, then second level, then third level, and the lowest is fourth level; the level is assigned according to the average attacked quantity.
Suppose the trap type is mysql-type honeypots, 3 mysql-type honeypots are preset, and the attacked-trap information shows that these mysql-type honeypots captured 600 attacks in total, giving 600 alarm log entries. The average attacked quantity is computed as average attacked quantity = total number of alarm log entries / number of traps = 600 / 3 = 200 attacks, so the attacked quantity of the service type corresponding to the mysql-type honeypots is 200 attacks, which is second level.
Then, the total attack amount is calculated from the attack ip information in the alarm log information, giving the attacked scale of the equipment type or service type corresponding to the trap type.
For example, a plurality of attacked-scale levels are divided first: the largest attacked scale is first level, then second level, then third level, and the smallest is fourth level; the level is assigned according to the total attack amount.
The 3 mysql-type honeypots captured 600 attacks coming from 30 attacking ip addresses in total, so the total attack amount is 30, and the attacked scale of the service type corresponding to the mysql-type honeypots is 30, which is second level.
Then, the highest attack behavior grade is determined from the attack behavior grades in the alarm log information and taken as the attack behavior of the equipment type or service type corresponding to the trap type.
For example, a plurality of attack behavior classes are divided first according to the degree of risk of the behavior: attack behaviors that can take control of a server, start or stop a service, or are of a virus type are set as high-risk behaviors; attack behaviors that affect the normal operation of equipment and services are set as medium-risk behaviors; attack behaviors detected as scanning are set as low-risk behaviors; and unrecognized attack behaviors are set as unknown behaviors.
Of the 600 attacks captured by the 3 mysql-type honeypots, 50 are medium-risk behaviors and 550 are low-risk behaviors, so the highest attack behavior level is medium-risk, and the attack behavior of the service type corresponding to the mysql-type honeypots is medium-risk behavior.
S105: and determining the risk score of each equipment type or each service type according to the resource yield, the importance and the attacked information.
Specifically, first, a first risk score of each equipment type or each service type is calculated from the resource yield and the importance.
By way of example, the score for first-level asset quantity is set to 100, second-level to 75, third-level to 50 and fourth-level to 25; the score for high importance is set to 100, medium importance to 50 and low importance to 10. Then first risk score = asset quantity level score × first index coefficient + importance score × second index coefficient, where the first index coefficient is 50% and the second index coefficient is 50%.
For the mysql service, the resource yield is third level and the importance is medium, so substituting into the formula gives 50 × 50% + 50 × 50% = 50.
Then, a second risk score of each equipment type or each service type is calculated from the attacked quantity, the attacked scale and the attack behavior.
By way of example, the score for first-level attacked quantity is set to 100, second-level to 75, third-level to 50 and fourth-level to 25; the score for first-level attacked scale is 100, second-level 50, third-level 25 and fourth-level 10; the score for high-risk behavior is 100, medium-risk behavior 50, low-risk behavior 10 and unknown behavior 25. The second risk score is set as second risk score = attacked quantity score × third index coefficient + attacked scale score × fourth index coefficient + attack behavior score × fifth index coefficient, where the third index coefficient is 40%, the fourth index coefficient is 30% and the fifth index coefficient is 40%. After the scores of the attacked quantity, the attacked scale and the attack behavior are determined, they are substituted into the second risk score formula to calculate the second risk score.
For the mysql-type honeypots, the attacked quantity is second level, the attacked scale is second level and the attack behavior is medium-risk, so substituting into the formula gives 75 × 40% + 50 × 30% + 50 × 40% = 65.
Then, the final risk score of each equipment type or each service type is calculated from the first risk score and the second risk score.
For example, final risk score = (first risk score + second risk score) × total coefficient is set, with a total coefficient of 0.5. After the first risk score and the second risk score are obtained, they are substituted into the formula: (50 + 65) × 0.5 = 57.5.
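The following is an added worked example, not code from the patent or its assignee, that carries steps S103 to S105 (and the trap-based counting of the attacked information described under the first aspect above) through on constructed data. The per-level scores and the index coefficients are the ones the patent's example states. The numeric thresholds that map a raw count onto levels 1 to 4 (LEVEL_BANDS), the field names of the asset and alarm records, and the sample data itself are assumptions: the patent only says level 1 is the largest band and level 4 the smallest, so the thresholds here are chosen so that the patent's own figures (1000 assets, an average of 200 attacks per trap, 30 attacker ip addresses) land on the levels the patent reports (3, 2, 2).

```python
"""Added example: risk scoring per service type following steps S103-S105.
Per-level scores and coefficients are from the patent; LEVEL_BANDS, record
field names and the sample data are assumptions made for this example."""

# Scores per level, as stated in the patent's example for S105.
ASSET_QTY_SCORE = {1: 100, 2: 75, 3: 50, 4: 25}
IMPORTANCE_SCORE = {"high": 100, "medium": 50, "low": 10}
ATTACKED_QTY_SCORE = {1: 100, 2: 75, 3: 50, 4: 25}
ATTACKED_SCALE_SCORE = {1: 100, 2: 50, 3: 25, 4: 10}
BEHAVIOUR_SCORE = {"high": 100, "medium": 50, "low": 10, "unknown": 25}
# Ordering used to pick the highest attack behaviour level in S104.
BEHAVIOUR_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3}

# Index coefficients as stated in the patent's example.
FIRST_COEF, SECOND_COEF = 0.5, 0.5                   # first risk score
THIRD_COEF, FOURTH_COEF, FIFTH_COEF = 0.4, 0.3, 0.4  # second risk score
TOTAL_COEF = 0.5                                     # final risk score

# ASSUMED lower bounds for levels 1..4 (the patent gives no thresholds).
LEVEL_BANDS = {
    "asset_qty":      [(5000, 1), (2000, 2), (500, 3), (0, 4)],
    "attacked_qty":   [(500, 1), (100, 2), (20, 3), (0, 4)],
    "attacked_scale": [(100, 1), (20, 2), (5, 3), (0, 4)],
}


def to_level(kind, value):
    """Map a raw count onto level 1 (largest band) .. 4 (smallest band)."""
    for lower, level in LEVEL_BANDS[kind]:
        if value >= lower:
            return level
    return 4


def importance_for_level(level):
    """S103: levels 1 and 2 are high importance, level 3 medium, level 4 low."""
    return {1: "high", 2: "high", 3: "medium"}.get(level, "low")


def asset_quantity(assets, service_type):
    """S103: number of identified assets of one service type."""
    return sum(1 for a in assets if a["service_type"] == service_type)


def attacked_info(alarms, trap_type, trap_count):
    """S104: attacked quantity (average alarms per trap), attacked scale
    (distinct attacker ips) and highest attack behaviour for one trap type."""
    if trap_count <= 0:
        raise ValueError("trap_count must be positive")
    hits = [a for a in alarms if a["trap_type"] == trap_type]
    avg_qty = len(hits) / trap_count
    scale = len({a["attack_ip"] for a in hits})
    # "unknown" when this trap type captured nothing at all.
    behaviour = max((a["behaviour"] for a in hits),
                    key=BEHAVIOUR_RANK.__getitem__, default="unknown")
    return {"avg_attacked_qty": avg_qty, "attacked_scale": scale, "behaviour": behaviour}


def first_risk_score(qty_level, importance):
    return round(ASSET_QTY_SCORE[qty_level] * FIRST_COEF
                 + IMPORTANCE_SCORE[importance] * SECOND_COEF, 2)


def second_risk_score(qty_level, scale_level, behaviour):
    return round(ATTACKED_QTY_SCORE[qty_level] * THIRD_COEF
                 + ATTACKED_SCALE_SCORE[scale_level] * FOURTH_COEF
                 + BEHAVIOUR_SCORE[behaviour] * FIFTH_COEF, 2)


def final_risk_score(first, second):
    return round((first + second) * TOTAL_COEF, 2)


def assess(assets, alarms, service_type, trap_type, trap_count):
    """Run S103-S105 for one service type; return every intermediate value."""
    qty = asset_quantity(assets, service_type)
    qty_level = to_level("asset_qty", qty)
    importance = importance_for_level(qty_level)
    info = attacked_info(alarms, trap_type, trap_count)
    aq_level = to_level("attacked_qty", info["avg_attacked_qty"])
    as_level = to_level("attacked_scale", info["attacked_scale"])
    first = first_risk_score(qty_level, importance)
    second = second_risk_score(aq_level, as_level, info["behaviour"])
    return {"asset_qty": qty, "asset_qty_level": qty_level, "importance": importance,
            "avg_attacked_qty": info["avg_attacked_qty"], "attacked_qty_level": aq_level,
            "attacked_scale": info["attacked_scale"], "attacked_scale_level": as_level,
            "behaviour": info["behaviour"], "first_risk_score": first,
            "second_risk_score": second, "final_risk_score": final_risk_score(first, second)}


def build_sample():
    """Constructed data reproducing the patent's figures: 1000 mysql services and
    600 alarms from 3 mysql honeypots, 30 attacker ips (TEST-NET-3 addresses),
    50 medium-risk and 550 low-risk behaviours. Alarm fields follow S101."""
    assets = [{"ip": f"10.0.{i // 256}.{i % 256}", "port": 3306,
               "device_type": "server", "service_type": "mysql"} for i in range(1000)]
    alarms = [{"attack_ip": f"203.0.113.{n % 30}", "attacked_port": 3306,
               "attacked_service": "mysql", "protocol": "tcp", "vuln_exploited": False,
               "behaviour": "medium" if n < 50 else "low", "payload": "<constructed>",
               "trap_type": "mysql", "attack_geo": "unknown"} for n in range(600)]
    return assets, alarms


if __name__ == "__main__":
    sample_assets, sample_alarms = build_sample()
    for key, value in assess(sample_assets, sample_alarms, "mysql", "mysql", 3).items():
        print(f"{key:>20}: {value}")
```

Running the block prints the patent's values: resource yield level 3 with medium importance, attacked quantity 200 (level 2), attacked scale 30 (level 2), medium-risk behaviour, and scores 50, 65 and 57.5. One property worth noting when adopting the formula as the patent states it: the third, fourth and fifth index coefficients sum to 110%, so a type with first-level attacked quantity, first-level attacked scale and high-risk behaviour scores 110 on the second risk score and 105 overall; a deployment that expects scores on a 0 to 100 scale needs to normalise or choose coefficients that sum to 1.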
In summary, by combining the asset quantity, the importance and the attacked information of each equipment type or each service type into a risk score, the embodiment evaluates the security condition of each equipment type or each service type, so that the user can protect the assets and accurately know their security condition.
In another embodiment, the attribute information further includes version information;
the method further comprises the steps of:
and searching target vulnerability information corresponding to the attribute information in the vulnerability database according to the equipment type, the service type and the version information.
By way of example, the asset's device type S7-1000, service type S7 and version information v1.0.0 are looked up in the vulnerability library, and the corresponding target vulnerability information cve-2016-2200 and cve-2016-2201 is found.
According to the embodiment, accurate and complete vulnerability information is found through the equipment type, the service type and the version information, so that a user can master security threat information of the Internet, and security defense of the user to the Internet is supported and ensured.
In another embodiment, the method further comprises:
and displaying attribute information, target vulnerability information, alarm log information, first risk score, second risk score and final risk score of each equipment type or each service type.
The attribute information further includes a discovery time and a most recent live time.
For example, the attribute information, target vulnerability information, alarm log information, first risk score, second risk score and final risk score of each equipment type or each service type can be displayed on a display screen or a mobile terminal.
The attribute information, the target vulnerability information, the alarm log information, the first risk score, the second risk score and the final risk score of each equipment type or each service type are displayed so that the user can view them.
In another embodiment, the method further comprises:
and displaying the first risk score trend information, the second risk score trend information and the final risk score trend information of each equipment type or each service type.
For example, according to a preset time period, the first risk score trend information, the second risk score trend information and the final risk score trend information of each equipment type or each service type are displayed.
According to the method and the device, the first risk score trend information, the second risk score trend information and the final risk score trend information of each equipment type or each service type are displayed, so that a user can better protect the asset.
It should be understood that the sequence numbers of the steps in the foregoing embodiment do not imply an execution order; the execution order of each process should be determined by its function and internal logic, and should not limit the implementation of the embodiment of the present application in any way.
Corresponding to the methods described in the above embodiments, Fig. 2 shows a risk assessment apparatus; for convenience of explanation, only the parts relevant to the embodiments of the present application are shown.
Fig. 2 is a schematic structural diagram of a risk assessment apparatus according to an embodiment of the present application. By way of example and not limitation, as shown in fig. 2, the apparatus includes:
an acquisition unit 10 for acquiring scan data and alarm log information of an asset;
an identification unit 11, configured to identify an asset according to the scan data, to obtain attribute information of the asset, where the attribute information includes a device type and a service type;
an evaluation unit 12 for determining the resource yield and the corresponding importance of each equipment type or each service type according to the attribute information;
for counting, according to the alarm log information, the attacked information of each equipment type or each service type, wherein the attacked information comprises the attacked quantity, the attacked scale and the attack behavior;
and for determining the risk score of each equipment type or each service type according to the resource yield, the importance and the attacked information.
In another embodiment, the identification unit is specifically configured to identify the asset according to the port information and the fingerprint information in the scan data, so as to obtain the attribute information of the asset.
In another embodiment, the apparatus further comprises:
a query unit, configured to search a vulnerability database for the target vulnerability information corresponding to the attribute information, using the device type, the service type and the version information as the lookup key.
In another embodiment, the evaluation unit is specifically configured to calculate, for each preset trap type, an average attacked quantity from the preset number of traps of that type and the attacked-trap information in the alarm log information, and to take it as the attacked quantity of the device type or service type corresponding to the trap type;
to calculate the total attack amount from the attack IP information in the alarm log information, and to take it as the attacked scale of the device type or service type corresponding to the trap type;
and to determine the highest attack behavior grade among the attack behavior grades in the alarm log information, and to take it as the attack behavior of the device type or service type corresponding to the trap type.
In another embodiment, the evaluation unit is specifically configured to calculate a first risk score for each device type or service type according to the asset quantity and the importance;
to calculate a second risk score for each device type or service type according to the attacked quantity, the attacked scale and the attack behavior;
and to calculate the final risk score of each device type or service type according to the first risk score and the second risk score.
In another embodiment, the apparatus further comprises:
a display unit, configured to display the attribute information, the target vulnerability information, the alarm log information, the first risk score, the second risk score and the final risk score of each device type or service type.
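The data flow of the apparatus above (acquisition, identification, evaluation and query units) and of claims 1 to 4 below, carried through on constructed data. This is an added example written for this page, not code from the patent or from the applicant. The patent fixes which inputs feed which score but not the arithmetic, so the fingerprint table, the importance values, the preset trap counts, the score weights, the additive combination of the two scores, the CSV layout of the alarm log and the placeholder vulnerability identifiers are all assumptions of this example; "attacked scale" is read here as the number of distinct attack IPs, and assets are keyed by service type only (the patent allows device type or service type).

```python
"""Risk-assessment pipeline of claim 1 on constructed data (illustrative only).
Fingerprint rules, importance values, trap counts, weights, log layout and the
vulnerability entries below are assumptions made for this example."""
from collections import defaultdict

# Constructed scan data: (ip, port, fingerprint, region), the fields named in claim 2.
SCAN_DATA = [
    ("10.0.0.5", 22, "OpenSSH_7.4", "cn-bj"),
    ("10.0.0.6", 22, "OpenSSH_7.4", "cn-bj"),
    ("10.0.0.7", 502, "Siemens S7 PLC 4.2", "cn-bj"),
    ("10.0.0.8", 80, "nginx/1.18.0", "cn-sh"),
    ("10.0.0.9", 80, "nginx/1.18.0", "cn-sh"),
    ("10.0.0.10", 80, "nginx/1.18.0", "cn-sh"),
]

# Assumed fingerprint rules: (port, fingerprint prefix) -> (device type, service type).
# The remainder of the fingerprint after the prefix is taken as the version.
FINGERPRINTS = {
    (22, "OpenSSH_"): ("server", "ssh"),
    (502, "Siemens S7 PLC "): ("plc", "s7"),
    (80, "nginx/"): ("server", "http"),
}
IMPORTANCE = {"ssh": 3, "s7": 5, "http": 2}   # assumed importance per service type, 1 (low) .. 5 (critical)
VULN_DB = {                                    # constructed placeholders, not real advisories
    ("server", "ssh", "7.4"): ["VULN-SSH-A"],
    ("plc", "s7", "4.2"): ["VULN-S7-A", "VULN-S7-B"],
}
TRAP_COUNT = {"ssh": 2, "s7": 1, "http": 1}   # preset number of traps deployed per trap type
WEIGHTS = (1.0, 0.5, 2.0)                      # assumed weights for avg attacked, scale, behaviour grade

# Constructed alarm log collected by the traps (CSV, field order assumed):
# attack_ip,attacked_port,attacked_service,protocol,vuln_used,behavior_grade,trap_type,trap_id
ALARM_LOG = """\
198.51.100.7,22,ssh,tcp,no,1,ssh,ssh-trap-1
198.51.100.7,22,ssh,tcp,no,1,ssh,ssh-trap-2
203.0.113.9,22,ssh,tcp,yes,3,ssh,ssh-trap-1
203.0.113.9,502,s7,tcp,yes,4,s7,s7-trap-1
192.0.2.44,502,s7,tcp,no,2,s7,s7-trap-1
"""


def identify_assets(scan_data):
    """Claim 2: recover device type, service type and version from port + fingerprint."""
    assets = {}
    for ip, port, fp, region in scan_data:
        for (p, prefix), (device, service) in FINGERPRINTS.items():
            if port == p and fp.startswith(prefix):
                assets[ip] = {"device": device, "service": service,
                              "version": fp[len(prefix):], "region": region}
                break
    return assets


def lookup_vulns(attrs):
    """Claim 3: vulnerability lookup keyed by (device type, service type, version)."""
    return VULN_DB.get((attrs["device"], attrs["service"], attrs["version"]), [])


def asset_quantity_and_importance(assets):
    """Per service type: number of identified assets and the assumed importance."""
    qty = defaultdict(int)
    for a in assets.values():
        qty[a["service"]] += 1
    return {svc: (n, IMPORTANCE[svc]) for svc, n in qty.items()}


def count_attacked(alarm_log):
    """Claim 1: per preset trap type, average attacked quantity (events / traps),
    attacked scale (distinct attack IPs) and the highest attack-behaviour grade."""
    events, ips, grade = defaultdict(int), defaultdict(set), defaultdict(int)
    for line in alarm_log.splitlines():
        if not line.strip():
            continue
        ip, _port, _svc, _proto, _vuln, g, trap_type, _trap_id = line.split(",")
        events[trap_type] += 1
        ips[trap_type].add(ip)
        grade[trap_type] = max(grade[trap_type], int(g))
    return {t: (events[t] / n, len(ips[t]), grade[t]) for t, n in TRAP_COUNT.items()}


def risk_scores(assets, alarm_log):
    """Claim 4: first score = quantity x importance, second score = weighted attacked
    information, final = first + second (additive so that an exposed but not yet
    attacked type keeps its baseline; the patent leaves the combination open)."""
    exposure = asset_quantity_and_importance(assets)
    attacked = count_attacked(alarm_log)
    w_avg, w_scale, w_grade = WEIGHTS
    scores = {}
    for svc, (n, imp) in exposure.items():
        avg, scale, g = attacked.get(svc, (0.0, 0, 0))
        first = n * imp
        second = w_avg * avg + w_scale * scale + w_grade * g
        scores[svc] = (first, second, first + second)
    return scores


if __name__ == "__main__":
    found = identify_assets(SCAN_DATA)
    for ip, a in found.items():
        print(ip, a["device"], a["service"], a["version"], lookup_vulns(a))
    ranked = sorted(risk_scores(found, ALARM_LOG).items(), key=lambda kv: -kv[1][2])
    for svc, (first, second, final) in ranked:
        print(f"{svc:5s} first={first:5.1f} second={second:5.1f} final={final:5.1f}")
```

With the constructed data the S7 PLC type ranks highest (final score 16.0) although only one such asset exists, because its importance and the highest behaviour grade observed on its trap dominate; the three nginx hosts, which no trap has seen attacked, keep a baseline of 6.0 from exposure alone. That is the practical value of the two-score split: the first score ranks what would hurt, the second what is actually being probed, and keeping both visible (as the display unit does) stops a quiet but critical type from disappearing behind a noisy one.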
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the application. As shown in Fig. 3, the electronic device 2 of this embodiment includes: at least one processor 20 (only one is shown in Fig. 3), a memory 21, and a computer program 22 stored in the memory 21 and executable on the at least one processor 20; when executing the computer program 22, the processor 20 implements the steps of any of the method embodiments described above.
The electronic device 2 may be a computing device such as a desktop computer, a notebook computer, a handheld computer or a cloud server. The electronic device 2 may include, but is not limited to, the processor 20 and the memory 21. Those skilled in the art will appreciate that Fig. 3 is merely an example of the electronic device 2 and does not limit it; it may include more or fewer components than shown, combine certain components, or use different components, and may for example also include input/output devices and network access devices.
The processor 20 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor or any conventional processor.
The memory 21 may in some embodiments be an internal storage unit of the electronic device 2, such as a hard disk or the main memory of the electronic device 2. In other embodiments the memory 21 may be an external storage device attached to the electronic device 2, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash memory card. The memory 21 may also include both an internal storage unit and an external storage device of the electronic device 2. The memory 21 is used to store an operating system, application programs, a boot loader, data and other programs, such as the program code of the computer program; it may also be used to temporarily store data that has been output or is to be output.
It should be noted that, since the information exchange and execution process between the above devices/units is based on the same concept as the method embodiments of the present application, their specific functions and technical effects may be found in the method embodiment section and are not repeated here.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above division of functional units and modules is illustrated; in practice, the above functions may be assigned to different functional units and modules as needed, that is, the internal structure of the apparatus may be divided into different functional units or modules to perform all or part of the functions described above. The functional units and modules in the embodiment may be integrated in one processing unit, each unit may exist physically alone, or two or more units may be integrated in one unit; the integrated unit may be implemented in the form of hardware or of a software functional unit. The specific names of the functional units and modules are only for distinguishing them from each other and do not limit the protection scope of the present application. For the specific working process of the units and modules in the above system, reference may be made to the corresponding process in the foregoing method embodiments, which is not repeated here.
Embodiments of the present application also provide a computer readable storage medium storing a computer program which, when executed by a processor, performs the steps of the respective method embodiments described above.
Embodiments of the present application provide a computer program product which, when run on an electronic device, causes the electronic device to perform the steps of the method embodiments described above.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on this understanding, the present application may implement all or part of the flow of the methods of the above embodiments by means of a computer program instructing related hardware; the computer program may be stored in a computer readable storage medium and, when executed by a processor, implements the steps of each of the method embodiments described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file or some intermediate form. The computer readable medium may include at least: any entity or device capable of carrying the computer program code to a device/terminal apparatus, a recording medium, computer memory, read-only memory (ROM), random access memory (RAM), electrical carrier signals, telecommunication signals and software distribution media, for example a USB flash drive, a removable hard disk, a magnetic disk or an optical disk. In some jurisdictions, in accordance with legislation and patent practice, computer readable media may not include electrical carrier signals and telecommunication signals.
Each of the foregoing embodiments has its own emphasis; for a part that is not described or illustrated in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/network device and method may be implemented in other manners. For example, the apparatus/network device embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical functional division, and there may be additional divisions in actual implementation, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (9)

1. A risk assessment method, comprising:
acquiring scan data and alarm log information of an asset;
identifying the asset according to the scan data to obtain attribute information of the asset, wherein the attribute information comprises a device type and a service type;
determining the asset quantity and the corresponding importance of each device type or each service type according to the attribute information;
counting the attacked information of each device type or each service type according to the alarm log information, wherein the attacked information comprises the attacked quantity, the attacked scale and the attack behavior, the counting comprising:
for each preset trap type, calculating an average attacked quantity according to the number of traps of that type and the attacked-trap information in the alarm log information, to obtain the attacked quantity of the device type or service type corresponding to the trap type;
calculating the total attack amount according to the attack IP information in the alarm log information, to obtain the attacked scale of the device type or service type corresponding to the trap type;
determining the highest attack behavior grade according to the attack behavior grades in the alarm log information, and taking the highest attack behavior grade as the attack behavior of the device type or service type corresponding to the trap type, wherein the alarm log information is collected by the traps;
and determining the risk score of each device type or each service type according to the asset quantity, the importance and the attacked information.
2. The method of claim 1, wherein the scan data comprises IP information, port information, fingerprint information and region information of the asset;
and identifying the asset according to the scan data to obtain attribute information of the asset comprises:
identifying the asset according to the port information and the fingerprint information to obtain the attribute information of the asset.
3. The method of claim 1, wherein the attribute information further comprises version information;
and the method further comprises:
searching a vulnerability database for target vulnerability information corresponding to the attribute information according to the device type, the service type and the version information.
4. The method of claim 1, wherein determining the risk score of each device type or each service type according to the asset quantity, the importance and the attacked information comprises:
calculating a first risk score for each device type or each service type according to the asset quantity and the importance;
calculating a second risk score for each device type or each service type according to the attacked quantity, the attacked scale and the attack behavior;
and calculating the final risk score of each device type or each service type according to the first risk score and the second risk score.
5. The method of claim 3, further comprising:
displaying the attribute information, the target vulnerability information, the alarm log information, the first risk score, the second risk score and the final risk score of each device type or each service type.
6. The method of claim 1, wherein the alarm log information comprises attack IP information, attacked port, attacked service or attacked device, attack protocol, whether a vulnerability was exploited, attack behavior grade, attack payload, attacked-trap information and attack IP geographic information.
7. A risk assessment apparatus, comprising:
an acquisition unit, configured to acquire scan data and alarm log information of an asset;
an identification unit, configured to identify the asset according to the scan data to obtain attribute information of the asset, wherein the attribute information comprises a device type and a service type;
an evaluation unit, configured to determine the asset quantity and the corresponding importance of each device type or each service type according to the attribute information;
and to count the attacked information of each device type or each service type according to the alarm log information, wherein the attacked information comprises the attacked quantity, the attacked scale and the attack behavior, the counting comprising:
for each preset trap type, calculating an average attacked quantity according to the number of traps of that type and the attacked-trap information in the alarm log information, to obtain the attacked quantity of the device type or service type corresponding to the trap type;
calculating the total attack amount according to the attack IP information in the alarm log information, to obtain the attacked scale of the device type or service type corresponding to the trap type;
determining the highest attack behavior grade according to the attack behavior grades in the alarm log information, and taking the highest attack behavior grade as the attack behavior of the device type or service type corresponding to the trap type, wherein the alarm log information is collected by the traps;
and to determine the risk score of each device type or each service type according to the asset quantity, the importance and the attacked information.
8. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the method of any one of claims 1 to 6 when executing the computer program.
9. A computer readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the method of any one of claims 1 to 6.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210158163.7A CN114598504B (en) 2022-02-21 2022-02-21 Risk assessment method and device, electronic equipment and readable storage medium
Publications (2)

Publication Number Publication Date
CN114598504A CN114598504A (en) 2022-06-07
CN114598504B true CN114598504B (en) 2023-11-03

Family

ID=81806227

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116318824A (en) * 2023-01-09 2023-06-23 广州云峰信息科技有限公司 Web attack trapping system
CN115964256B (en) * 2023-03-16 2023-06-16 北京锐服信科技有限公司 Alarm method and system in asset management scene
CN116595554B (en) * 2023-05-18 2024-01-19 北京长河数智科技有限责任公司 Method and device for realizing government affair data security analysis based on multiple dimensions
CN116599765B (en) * 2023-06-29 2023-12-08 软极网络技术(北京)有限公司 Honeypot deployment method

Citations (12)

Publication number Priority date Publication date Assignee Title
CN102882884A (en) * 2012-10-13 2013-01-16 山东电力集团公司电力科学研究院 Honeynet-based risk prewarning system and method in information production environment
CN106878316A (en) * 2017-02-28 2017-06-20 新华三技术有限公司 A risk quantification method and device
CN107404465A (en) * 2016-05-20 2017-11-28 阿里巴巴集团控股有限公司 Network data analysis method and server
CN109495502A (en) * 2018-12-18 2019-03-19 北京威努特技术有限公司 A security health index assessment method and apparatus for industrial control networks
CN109660401A (en) * 2018-12-20 2019-04-19 中国电子科技集团公司第三十研究所 A distributed network asset detection method
CN110851839A (en) * 2019-11-12 2020-02-28 杭州安恒信息技术股份有限公司 Risk-based asset scoring method and system
CN111565184A (en) * 2020-04-29 2020-08-21 杭州安恒信息技术股份有限公司 Network security assessment device, method, equipment and medium
CN111859393A (en) * 2020-07-20 2020-10-30 交通运输信息安全中心有限公司 Risk assessment system and method based on situation awareness alarms
WO2020261262A1 (en) * 2019-06-24 2020-12-30 Cymotive Technologies Ltd. Systems and methods for assessing risk in networked vehicle components
CN112163753A (en) * 2020-09-22 2021-01-01 杭州安恒信息技术股份有限公司 Asset risk assessment method, device, computer equipment and storage medium
CN112351021A (en) * 2020-10-30 2021-02-09 杭州安恒信息技术股份有限公司 Asset risk detection method and device, readable storage medium and computer equipment
CN113672935A (en) * 2021-08-20 2021-11-19 中国电信股份有限公司 Security alarm risk assessment method and device, electronic equipment and storage medium

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
KR20090037538A (en) * 2007-10-12 2009-04-16 한국정보보호진흥원 Method for risk analysis using information asset modelling
US9426169B2 (en) * 2012-02-29 2016-08-23 Cytegic Ltd. System and method for cyber attacks analysis and decision support
Non-Patent Citations (2)

Title
Research on the application of big data technology in information network threat intelligence; Sun Hui; Luo Shuangchun; Li Yubiao; Information Technology and Network Security (信息技术与网络安全), issue 05; full text *
A survey of website vulnerability discovery and security assessment techniques; Feng Bingbin; Wang Juan; Network Security Technology & Application (网络安全技术与应用), issue 08; full text *
Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant