CN114615016B - Enterprise network security assessment method and device, mobile terminal and storage medium - Google Patents


Info

Publication number: CN114615016B
Authority: CN (China)
Prior art keywords: index, assessment, risk index, data, enterprise
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202210122613.7A
Other languages: Chinese (zh)
Other versions: CN114615016A
Inventors: 李程雄, 陈旭, 黄江平
Current assignee: Guangdong Energy Group Science And Technology Research Institute Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Guangdong Energy Group Science And Technology Research Institute Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses an enterprise network security assessment method, an enterprise network security assessment device, a mobile terminal and a storage medium. The method comprises the following steps: acquiring basic data of the enterprise to be evaluated; according to the basic data, carrying out traffic situation assessment, asset situation assessment, internal threat risk assessment and external threat risk assessment in combination with a deep learning unit, and generating a traffic risk index, an asset situation index, an internal threat risk index and an external threat risk index respectively; and carrying out network security assessment on the enterprise according to the traffic risk index, the asset situation index, the internal threat risk index and the external threat risk index. By adopting the embodiments of the invention, the accuracy of the enterprise network security assessment result can be improved.

Description

Enterprise network security assessment method and device, mobile terminal and storage medium
Technical Field
The present invention relates to the field of data processing, and in particular, to an enterprise network security assessment method, an enterprise network security assessment device, a mobile terminal, and a storage medium.
Background
Networks are a product of the information age and now reach almost every important field. As network scale keeps expanding, network attacks and sabotage become more frequent and the network security situation grows more severe. To build an active network security protection capability, the internal and external threats and the overall security state of the network must first be understood; a network security situation assessment technique then performs deep, comprehensive processing and analysis of the factors that affect security in the network, assesses the overall security condition of the network in real time, and provides guidance for network security management, command and decision-making.
However, the factors considered by prior-art methods for evaluating enterprise network security are not comprehensive enough, and the accuracy of the evaluation result is not high.
Disclosure of Invention
The embodiment of the invention provides an enterprise network security assessment method, an enterprise network security assessment device, a mobile terminal and a storage medium, which improve the accuracy of an enterprise network security assessment result.
A first aspect of an embodiment of the present application provides an enterprise network security assessment method, including:
acquiring basic data of an enterprise to be evaluated;
according to the basic data, carrying out traffic situation assessment, asset situation assessment, internal threat risk assessment and external threat risk assessment in combination with a deep learning unit, and generating a traffic risk index, an asset situation index, an internal threat risk index and an external threat risk index respectively;
and carrying out network security assessment on the enterprise to be assessed according to the traffic risk index, the asset situation index, the internal threat risk index and the external threat risk index.
In a possible implementation of the first aspect, the traffic situation assessment is performed as follows:
acquiring traffic packet data of the enterprise to be evaluated, the basic data comprising the traffic packet data;
when, according to the traffic packet data, the number of traffic packets belonging to the same source address within a first preset period is larger than a first preset threshold, confirming that the source address is a malicious address and that its traffic packets are malicious traffic packets; the first preset period comprises a first time period and a second time period;
calculating the total number of malicious traffic packets in the first time period and in the second time period, and recording them as a first total number and a second total number respectively;
calculating the probability of occurrence of the malicious address in the second time period, and recording it as a first probability;
and inputting the first total number, the second total number and the first probability into the deep learning unit, so that the deep learning unit carries out traffic situation assessment and generates the traffic risk index.
In a possible implementation of the first aspect, the asset situation assessment is performed as follows:
acquiring asset data of the enterprise to be evaluated, the basic data comprising the asset data;
carrying out security-level division and importance-level division according to the asset data, and obtaining the number of alarm events and the number of vulnerabilities according to the division result;
and inputting the number of alarm events and the number of vulnerabilities into the deep learning unit, so that the deep learning unit carries out asset situation assessment and generates the asset situation index.
In a possible implementation of the first aspect, the internal threat risk assessment is performed as follows:
acquiring intranet data of the enterprise to be evaluated, the basic data comprising the intranet data;
acquiring abnormal-condition data within a second preset period according to the intranet data, the abnormal-condition data comprising: the number of unauthorized device accesses, the number of unauthorized Wi-Fi hotspots on the intranet, the number of unauthorized user accesses, the number of internal malicious requests, the number of vulnerabilities and the number of virus infections;
and inputting the abnormal-condition data into the deep learning unit, so that the deep learning unit carries out internal threat risk assessment and generates the internal threat risk index.
In a possible implementation of the first aspect, the external threat risk assessment is performed as follows:
acquiring external threat situation data of the enterprise to be evaluated within a third preset period, the basic data comprising the external threat situation data, which includes: the number of external attacks, the number of successful intrusions and the number of intercepted intrusions;
and inputting the external threat situation data into the deep learning unit, so that the deep learning unit carries out external threat risk assessment and generates the external threat risk index.
In a possible implementation of the first aspect, the network security assessment of the enterprise to be assessed according to the traffic risk index, the asset situation index, the internal threat risk index and the external threat risk index is performed as follows:
calculating subjective weights of the traffic risk index, the asset situation index, the internal threat risk index and the external threat risk index by the analytic hierarchy process (AHP);
calculating objective weights of the same four indices by the entropy weight method;
calculating comprehensive weights from the subjective weights and the objective weights;
and calculating the overall network risk score of the enterprise to be evaluated from the comprehensive weights, the traffic risk index, the asset situation index, the internal threat risk index and the external threat risk index, and carrying out network security evaluation according to the overall network risk score.
In a possible implementation of the first aspect, the basic data of the enterprise to be evaluated is obtained as follows:
acquiring the basic data from the security device data, system log data, network traffic data, terminal traffic data and service traffic data of the enterprise to be evaluated.
A second aspect of an embodiment of the present application provides an enterprise network security assessment apparatus, comprising an acquisition module, a generation module and an evaluation module;
the acquisition module is used for acquiring basic data of the enterprise to be evaluated;
the generation module is used for carrying out traffic situation assessment, asset situation assessment, internal threat risk assessment and external threat risk assessment according to the basic data in combination with a deep learning unit, and generating a traffic risk index, an asset situation index, an internal threat risk index and an external threat risk index respectively;
and the evaluation module is used for carrying out network security evaluation on the enterprise to be evaluated according to the traffic risk index, the asset situation index, the internal threat risk index and the external threat risk index.
A third aspect of the embodiments of the present application provides a mobile terminal, including a processor and a memory, where the memory stores computer readable program code, and the processor implements the steps of an enterprise network security assessment method described above when executing the computer readable program code.
A fourth aspect of the embodiments of the present application provides a storage medium storing computer readable program code which when executed performs the steps of an enterprise network security assessment method described above.
Compared with the prior art, the enterprise network security assessment method, apparatus, mobile terminal and storage medium provided by the embodiments of the invention comprise the following steps: acquiring basic data of the enterprise to be evaluated; according to the basic data, carrying out traffic situation assessment, asset situation assessment, internal threat risk assessment and external threat risk assessment in combination with a deep learning unit, and generating a traffic risk index, an asset situation index, an internal threat risk index and an external threat risk index respectively; and carrying out network security assessment on the enterprise according to the traffic risk index, the asset situation index, the internal threat risk index and the external threat risk index.
The beneficial effects are as follows. In the embodiments of the invention, the traffic situation assessment, asset situation assessment, internal threat risk assessment and external threat risk assessment are carried out on the basic data of the enterprise, the traffic risk index, asset situation index, internal threat risk index and external threat risk index are generated respectively, and the network security assessment of the enterprise is then carried out according to these four indices. The network risk of the enterprise is thus considered from multiple aspects and the enterprise is assessed comprehensively, which improves the accuracy of the network security assessment result. In addition, because the embodiments of the invention calculate the four indices through the deep learning unit, the accuracy and efficiency of index calculation are improved, which further improves the accuracy and efficiency of the network security evaluation.
Furthermore, the situation display layer is improved so that the results of the application service layer and the big data analysis layer are displayed visually, and the network security assessment results are reflected intuitively and dynamically; users can also view them through each application portal established by the application service layer, which improves the user's look-and-feel and experience, keeps operation simple and quick, and ensures that users obtain the network security assessment result conveniently.
Drawings
FIG. 1 is a flow chart of an enterprise network security assessment method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an enterprise network security assessment apparatus according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an enterprise network security assessment system according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to FIG. 1, a flow chart of an enterprise network security assessment method according to an embodiment of the present invention, the method includes steps S101 to S103:
S101: obtaining basic data of the enterprise to be evaluated.
In this embodiment, obtaining the basic data of the enterprise to be evaluated specifically comprises:
acquiring the basic data from the security device data, system log data, network traffic data, terminal traffic data and service traffic data of the enterprise to be evaluated.
S102: according to the basic data, carrying out traffic situation assessment, asset situation assessment, internal threat risk assessment and external threat risk assessment in combination with the deep learning unit, and generating a traffic risk index, an asset situation index, an internal threat risk index and an external threat risk index respectively.
In this embodiment, the traffic situation assessment is specifically:
acquiring traffic packet data of the enterprise to be evaluated, the basic data including the traffic packet data;
when, according to the traffic packet data, the number of traffic packets belonging to the same source address within a first preset period is larger than a first preset threshold, confirming that the source address is a malicious address and that its traffic packets are malicious traffic packets; the first preset period comprises a first time period and a second time period;
calculating the total number of malicious traffic packets in the first time period and in the second time period, and recording them as a first total number and a second total number respectively;
calculating the probability of occurrence of the malicious address in the second time period, and recording it as a first probability;
and inputting the first total number, the second total number and the first probability into the deep learning unit, so that the deep learning unit carries out traffic situation assessment and generates the traffic risk index.
In a specific embodiment, the method further comprises:
in the first time period, classifying and aggregating the traffic packets by the source addresses in the traffic packet data to obtain an aggregation result, the aggregation result being each source address together with the traffic packets attributed to it.
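As an added illustration (not code from the patent), the following Python computes the three traffic-situation features described above from a constructed packet sample; the threshold value, the period split and the interpretation of the "probability of occurrence of the malicious address" are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample traffic-packet records as (timestamp_seconds, source_address).
# The "first preset period" is 0..200 s, split into a first time period (0..100 s)
# and a second time period (100..200 s). Addresses are hypothetical.
PACKETS = [
    (10, "10.0.0.5"), (20, "10.0.0.5"), (30, "10.0.0.5"),
    (40, "10.0.0.7"),
    (50, "10.0.0.9"), (55, "10.0.0.9"), (60, "10.0.0.9"), (65, "10.0.0.9"),
    (110, "10.0.0.5"), (120, "10.0.0.5"), (130, "10.0.0.5"),
    (140, "10.0.0.5"), (150, "10.0.0.5"),
    (160, "10.0.0.7"),
    (170, "10.0.0.9"), (180, "10.0.0.9"),
    (190, "10.0.0.3"),
]


def aggregate_by_source(packets):
    """Classify and aggregate packets by source address (the patent's
    'aggregation result': each source address with the packets attributed to it)."""
    groups = defaultdict(list)
    for ts, src in packets:
        groups[src].append(ts)
    return dict(groups)


def malicious_addresses(packets, threshold):
    """Source addresses whose packet count over the whole preset period exceeds
    the first preset threshold; their packets count as malicious traffic packets."""
    counts = Counter(src for _, src in packets)
    return {src for src, n in counts.items() if n > threshold}


def traffic_features(packets, split_ts, threshold):
    """Return (first_total, second_total, first_probability): the three values the
    patent feeds to the deep learning unit for traffic situation assessment.
    Packets with ts < split_ts fall in the first time period, the rest in the second."""
    bad = malicious_addresses(packets, threshold)
    first_total = sum(1 for ts, src in packets if src in bad and ts < split_ts)
    second_total = sum(1 for ts, src in packets if src in bad and ts >= split_ts)
    # The patent does not define the "probability of occurrence of the malicious
    # address in the second period"; assumed here to be the fraction of
    # second-period packets that come from a malicious address.
    second = [src for ts, src in packets if ts >= split_ts]
    hits = sum(1 for src in second if src in bad)
    first_probability = hits / len(second) if second else 0.0
    return first_total, second_total, first_probability


if __name__ == "__main__":
    # Assumed threshold: more than 5 packets from one source marks it malicious.
    print("aggregation:", aggregate_by_source(PACKETS))
    print("malicious:", sorted(malicious_addresses(PACKETS, 5)))
    print("features (first_total, second_total, first_probability):",
          traffic_features(PACKETS, 100, 5))
```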
In this embodiment, the asset situation assessment is specifically:
acquiring asset data of the enterprise to be evaluated, the basic data including the asset data;
carrying out security-level division and importance-level division according to the asset data, and obtaining the number of alarm events and the number of vulnerabilities according to the division result;
and inputting the number of alarm events and the number of vulnerabilities into the deep learning unit, so that the deep learning unit performs asset situation assessment and generates the asset situation index.
In a specific embodiment, the asset data include hardware assets and software assets. Each hardware or software asset is scored for importance and for security according to expert scoring, and the asset data are classified according to the scores, the classification result being the asset data at each security level and at each importance level. The number of alarm events then comprises the number of alarm events in the asset data of each importance level and the number of alarm events in the asset data of each security level; the number of vulnerabilities comprises the number of vulnerabilities in the asset data of each importance level and the number of vulnerabilities in the asset data of each security level.
In this embodiment, the internal threat risk assessment is specifically:
acquiring intranet data of the enterprise to be evaluated, the basic data including the intranet data;
acquiring abnormal-condition data within a second preset period according to the intranet data, the abnormal-condition data including: the number of unauthorized device accesses, the number of unauthorized Wi-Fi hotspots on the intranet, the number of unauthorized user accesses, the number of internal malicious requests, the number of vulnerabilities and the number of virus infections;
and inputting the abnormal-condition data into the deep learning unit, so that the deep learning unit carries out internal threat risk assessment and generates the internal threat risk index.
In this embodiment, the external threat risk assessment is specifically:
acquiring external threat situation data of the enterprise to be evaluated within a third preset period, the basic data including the external threat situation data, which includes: the number of external attacks, the number of successful intrusions and the number of intercepted intrusions;
and inputting the external threat situation data into the deep learning unit, so that the deep learning unit carries out external threat risk assessment and generates the external threat risk index.
Preferably, the deep learning unit is based on a long short-term memory (LSTM) artificial neural network, and comprises a first deep learning unit, a second deep learning unit, a third deep learning unit and a fourth deep learning unit.
The traffic situation assessment is carried out through the first deep learning unit, which generates the traffic risk index; the asset situation assessment is carried out through the second deep learning unit, which generates the asset situation index; the internal threat risk assessment is carried out through the third deep learning unit, which generates the internal threat risk index; and the external threat risk assessment is carried out through the fourth deep learning unit, which generates the external threat risk index.
S103: carrying out network security assessment on the enterprise to be assessed according to the traffic risk index, the asset situation index, the internal threat risk index and the external threat risk index.
In this embodiment, the network security evaluation of the enterprise to be evaluated according to the traffic risk index, the asset situation index, the internal threat risk index and the external threat risk index is specifically:
calculating subjective weights of the traffic risk index, the asset situation index, the internal threat risk index and the external threat risk index by the analytic hierarchy process;
calculating objective weights of the same four indices by the entropy weight method;
calculating comprehensive weights from the subjective weights and the objective weights;
and calculating the overall network risk score of the enterprise to be evaluated from the comprehensive weights, the traffic risk index, the asset situation index, the internal threat risk index and the external threat risk index, and carrying out network security evaluation according to the overall network risk score.
In one embodiment, the calculation of the comprehensive weights can be expressed by the following formula:
W = α*W1 + β*W2;
where W is the comprehensive weight, W1 is the subjective weight, W2 is the objective weight, α is the relative importance of the analytic hierarchy process, and β is the relative importance of the entropy weight method.
In one embodiment, the overall network risk score of the enterprise to be evaluated can be calculated by the following formula:
B = A1*W + A2*W + A3*W + A4*W
where B is the overall network risk score of the enterprise to be evaluated, A1 is the traffic risk index, A2 is the asset situation index, A3 is the internal threat risk index and A4 is the external threat risk index; each index is multiplied by the corresponding component of the weight vector W, as in the numerical form given further below.
In one embodiment, the subjective weight W1 is calculated by the analytic hierarchy process, specifically:
establishing the evaluation indices, which comprise the traffic risk index, the asset situation index, the internal threat risk index and the external threat risk index;
establishing a judgment matrix: the relative importance of each pair of evaluation indices in the same layer is judged by pairwise comparison, and the judgment matrix A is written as:
V_i : V_j = a_ij
A = (a_ij)_(n*m)
where V_i is one evaluation index, V_j is another evaluation index, and a_ij is the scale.
A scale of 1 means the two indices are equally important; a scale of 3 means V_i is slightly more important than V_j; a scale of 5 means V_i is obviously more important than V_j; a scale of 7 means V_i is strongly more important than V_j; and a scale of 9 means V_i is extremely more important than V_j.
Calculating the eigenvector of the maximum eigenvalue of the judgment matrix A gives the weight vector W1; substituting the basic data values, the calculation gives:
W1 = [0.4659 0.2009 0.1555 0.0598]^T
In a specific embodiment, the objective weight W2 is calculated by the entropy weight method, specifically:
establishing the evaluation indices, which comprise the traffic risk index, the asset situation index, the internal threat risk index and the external threat risk index;
calculating the proportion P_ij of the j-th evaluation index under the i-th factor,
where r_ij is the entry of the normalized matrix and n is the number of values under a single evaluation index;
calculating the entropy value e_i of the i-th factor,
where k is a constant;
calculating the difference coefficient g_i of the i-th factor: for a given entropy value e_i, the larger the entropy, the smaller the variation among that factor's values and the smaller the role the factor plays in the comprehensive evaluation; the difference coefficient can therefore be defined as g_i = 1 - e_i, and the larger g_i is, the larger the role the factor plays in the comprehensive evaluation;
defining the weights w_ij,
where w_ij is the objective weight determined by the entropy weight method, namely the weight vector W2, which is calculated as:
W2 = [0.3581 0.2463 0.2149 0.0421]^T
In one embodiment, the calculation of the comprehensive weights can be expressed by the following formula:
W = α*W1 + β*W2;
where α is the relative importance of the analytic hierarchy process and takes the value 0.5, and β is the relative importance of the entropy weight method and can take the value 0.5, which gives:
W = [0.1796 0.10045 0.1834 0.0691]^T
Further, the overall network risk score B of the enterprise to be evaluated is:
B = A1*0.1796 + A2*0.10045 + A3*0.1834 + A4*0.0691.
After the overall network risk score of the enterprise to be evaluated is obtained, the network security evaluation of the enterprise can be carried out according to that score.
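As an added illustration (not the patent's own code), the following Python carries the weighting steps above through end to end: AHP subjective weights by power iteration on a judgment matrix, entropy-weight objective weights, the combination W = α*W1 + β*W2, and the score B. The judgment matrix and the sample index values are constructed assumptions; the entropy formulas are the standard textbook definitions, since the patent's formula images did not survive extraction; and the AHP consistency ratio is a standard check the patent does not mention.

```python
import math

# Constructed judgment matrix over the four indices in the order
# [traffic, asset, internal threat, external threat], using the patent's
# 1/3/5/7/9 scale (values assumed for illustration). It is perfectly
# consistent (a_ij = w_i / w_j), so its principal eigenvector is exactly [9,3,3,1]/16.
JUDGMENT = [
    [1,     3,     3,     9],
    [1 / 3, 1,     1,     3],
    [1 / 3, 1,     1,     3],
    [1 / 9, 1 / 3, 1 / 3, 1],
]

# Constructed index values for four assessment runs (rows) across the four
# indices (columns), already normalized to [0, 1]; assumed, not from the patent.
SAMPLES = [
    [0.9, 0.5, 0.2, 0.4],
    [0.7, 0.5, 0.3, 0.1],
    [0.2, 0.5, 0.9, 0.6],
    [0.4, 0.5, 0.6, 0.3],
]

RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}  # Saaty's RI table


def ahp_weights(matrix, iterations=200, tol=1e-12):
    """Subjective weights W1: the eigenvector of the maximum eigenvalue of the
    judgment matrix, found by power iteration and normalised to sum to 1.
    Returns (weights, lambda_max)."""
    n = len(matrix)
    v = [1.0 / n] * n
    lam = float(n)
    for _ in range(iterations):
        av = [sum(matrix[i][j] * v[j] for j in range(n)) for i in range(n)]
        lam = sum(av)               # with sum(v) == 1, sum(A v) estimates lambda_max
        nv = [x / lam for x in av]
        converged = max(abs(a - b) for a, b in zip(nv, v)) < tol
        v = nv
        if converged:
            break
    return v, lam


def consistency_ratio(matrix, lam):
    """Standard AHP consistency check (not part of the patent):
    CR = CI / RI with CI = (lambda_max - n) / (n - 1); CR < 0.1 is conventionally acceptable."""
    n = len(matrix)
    ri = RANDOM_INDEX[n]
    return ((lam - n) / (n - 1)) / ri if ri else 0.0


def entropy_weights(samples):
    """Objective weights W2 by the entropy weight method (standard definitions):
    P_ij = r_ij / sum_i r_ij, e_j = -k * sum_i P_ij ln P_ij with k = 1 / ln m,
    g_j = 1 - e_j, w_j = g_j / sum_j g_j. Rows are samples, columns are indices."""
    m, n = len(samples), len(samples[0])
    k = 1.0 / math.log(m)
    g = []
    for j in range(n):
        col = [row[j] for row in samples]
        total = sum(col)
        if total == 0:              # an all-zero column carries no information
            g.append(0.0)
            continue
        p = [x / total for x in col]
        e = -k * sum(x * math.log(x) for x in p if x > 0)   # 0 * ln 0 := 0
        g.append(max(0.0, 1.0 - e))                         # clamp rounding noise
    gsum = sum(g)
    return [x / gsum for x in g] if gsum else [1.0 / n] * n


def combined_weights(w1, w2, alpha=0.5, beta=0.5):
    """W = alpha*W1 + beta*W2; 0.5 / 0.5 are the values the patent's example uses."""
    return [alpha * a + beta * b for a, b in zip(w1, w2)]


def risk_score(indices, weights):
    """B = A1*W_1 + A2*W_2 + A3*W_3 + A4*W_4 for [traffic, asset, internal, external]."""
    return sum(a * w for a, w in zip(indices, weights))


if __name__ == "__main__":
    w1, lam = ahp_weights(JUDGMENT)
    w2 = entropy_weights(SAMPLES)
    w = combined_weights(w1, w2)
    print("W1 (AHP):", [round(x, 4) for x in w1], "CR:", round(consistency_ratio(JUDGMENT, lam), 4))
    print("W2 (entropy):", [round(x, 4) for x in w2])
    print("W (combined):", [round(x, 4) for x in w])
    print("B for assumed indices [0.8, 0.4, 0.6, 0.2]:", round(risk_score([0.8, 0.4, 0.6, 0.2], w), 4))
```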
For further explanation of the enterprise network security assessment apparatus, please refer to fig. 2, fig. 2 is a schematic diagram of an enterprise network security assessment apparatus according to an embodiment of the present invention, which includes: an acquisition module 201, a generation module 202 and an evaluation module 203;
the acquiring module 201 is configured to acquire basic data of an enterprise to be evaluated;
the generating module 202 is configured to generate a traffic risk indicator, an asset situation indicator, an internal threat risk indicator, and an external threat risk indicator respectively after performing traffic situation assessment, asset situation assessment, internal threat risk assessment, and external threat risk assessment by combining a deep learning unit according to the basic data;
the evaluation module 203 is configured to perform network security evaluation on the enterprise to be evaluated according to the traffic risk indicator, the asset situation indicator, the internal threat risk indicator, and the external threat risk indicator.
An embodiment of the present invention provides a mobile terminal, including a processor and a memory, where the memory stores computer readable program code, and the processor implements the steps of an enterprise network security assessment method when executing the computer readable program code.
A specific embodiment of the present invention provides a storage medium storing computer readable program code which when executed performs the steps of an enterprise network security assessment method described above.
To further illustrate the overall flow of enterprise network security assessment, please refer to fig. 3, fig. 3 is a schematic diagram of an enterprise network security assessment system according to an embodiment of the present invention, which includes: a data acquisition layer 301, a big data analysis layer 302, an application service layer 303 and a situation presentation layer 304.
The data collection layer 301 is configured to collect basic data of an enterprise user, where the basic data is derived from security device data, system log data, network traffic data, terminal traffic data, and service traffic data of an enterprise to be evaluated.
Specifically, the data acquisition layer 301 has the following functions:
(1) Hardware assets on the enterprise user's network are discovered, classified and summarized, including servers, storage, network devices, security devices, virtualization platforms, backup devices, terminal hosts and the like.
(2) Software assets on the enterprise user's network are discovered and summarized, including host operating systems and versions, middleware, web services, databases and versions, and the like.
(3) Asset information is collected, including IP address, name, manufacturer, model, category, description, location, responsible person and responsible department.
(4) Log collection. The system supports collecting syslog and flow logs from various security devices and network devices, supports both the Linux and Windows platforms, and provides comprehensive collection of system logs, database logs, middleware logs and other text logs. A scheme for interfacing with the existing Sifodi log audit system is also considered.
(5) Traffic collection. Dedicated traffic acquisition equipment restores the session behaviours, transactions and application actions in the network traffic, forms the corresponding logs and passes them to the storage and analysis stage, so that all traffic behaviours are completely restored. Collection of HTTPS traffic in the network is supported, and such traffic can be automatically decrypted and analysed.
(6) Terminal behaviour collection. Various terminal behaviour logs are collected, including logs of terminal processes, traffic behaviour, terminal file behaviour, USB flash drive file transfers, e-mail file transfers, IM file transfers and the like, supporting the whole process of threat discovery and backtracking.
The big data analysis layer 302 is configured to perform evaluation analysis according to the basic data, obtain risk indexes of a plurality of sub-items, and calculate an overall network risk score of the enterprise based on the risk indexes of the sub-items.
Specifically, the risk indices of the sub-items include the traffic risk index, the asset situation index, the internal threat risk index and the external threat risk index.
The application service layer 303 is used for building a unified security monitoring service portal, providing applications such as asset management, security analysis, early warning disposition, threat management, situation presentation and the like, and realizing efficient security monitoring and response.
The situation display layer 304 is an extension of the application service layer, and is used for visually displaying the results of the application service layer and the big data analysis layer, and performing network security assessment.
In the method, the basic data of the enterprise to be evaluated is acquired by the acquisition module; the generation module then carries out, according to the basic data and in combination with the deep learning unit, flow situation assessment, asset situation assessment, internal threat risk assessment and external threat risk assessment, and generates the flow risk index, asset situation index, internal threat risk index and external threat risk index respectively; finally, the evaluation module carries out network security assessment on the enterprise to be assessed according to these four indexes.
According to the embodiment of the invention, the flow situation assessment, asset situation assessment, internal threat risk assessment and external threat risk assessment are carried out on the basic data of the enterprise, the flow risk index, asset situation index, internal threat risk index and external threat risk index are generated respectively, and the network security assessment of the enterprise to be assessed is then carried out from these four indexes. The network risk of the enterprise is therefore considered from multiple aspects and assessed comprehensively, which improves the accuracy of the network security assessment result. In addition, the embodiment calculates the four indexes through the deep learning unit, which improves the accuracy and efficiency of index calculation and thereby further improves the accuracy and efficiency of the network security assessment.
Furthermore, the situation display layer is provided to visually display the results of the application service layer and the big data analysis layer, so that the network security assessment results are reflected intuitively and dynamically; the user can also consult them through each application portal established by the application service layer, which improves the user's look and feel and experience, keeps operation simple and quick, and ensures that the user can obtain the network security assessment result conveniently.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that changes and modifications may be made without departing from the principles of the invention, such changes and modifications are also intended to be within the scope of the invention.

Claims (9)

1. A method for evaluating security of an enterprise network, comprising:
acquiring basic data of an enterprise to be evaluated;
according to the basic data, carrying out flow situation assessment, asset situation assessment, internal threat risk assessment and external threat risk assessment in combination with a deep learning unit, and then respectively generating a flow risk index, an asset situation index, an internal threat risk index and an external threat risk index;
carrying out network security assessment on the enterprise to be assessed according to the flow risk index, the asset situation index, the internal threat risk index and the external threat risk index, specifically:
calculating subjective weights of the flow risk index, the asset situation index, the internal threat risk index and the external threat risk index by an analytic hierarchy process;
calculating objective weights of the flow risk index, the asset situation index, the internal threat risk index and the external threat risk index by an entropy weight method;
calculating comprehensive weights from the subjective weights and the objective weights;
calculating an overall network risk score of the enterprise to be evaluated from the comprehensive weights, the flow risk index, the asset situation index, the internal threat risk index and the external threat risk index, and carrying out network security evaluation according to the overall network risk score;
and carrying out network security assessment on the enterprise to be assessed according to the flow risk index, the asset situation index, the internal threat risk index and the external threat risk index.
2. The enterprise network security assessment method according to claim 1, wherein the traffic situation assessment is specifically:
acquiring traffic packet data of the enterprise to be evaluated; wherein the basic data includes the traffic packet data;
when the number of traffic packets belonging to the same source address in a first preset period is judged, according to the traffic packet data, to be larger than a first preset threshold, confirming that the source address is a malicious address and that those traffic packets are malicious traffic packets; wherein the first preset period includes a first period and a second period;
calculating the total number of malicious traffic packets in the first period and in the second period, recorded as a first total number and a second total number respectively;
calculating the probability of occurrence of the malicious address in the second period, recorded as a first probability;
and inputting the first total number, the second total number and the first probability into the deep learning unit, so that the deep learning unit carries out traffic situation assessment and generates the flow risk index.
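As an added illustration of the feature extraction in claim 2 (example code, not part of the patent), the following Python derives the first total number, second total number and first probability from constructed flow records. The record layout, addresses, period split and threshold are assumptions, the "first probability" is read here as the share of period-2 packets coming from confirmed malicious addresses, and the deep learning unit that consumes these three values is not shown.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: int    # seconds since the start of the first preset period
    src: str   # source address of the packet


# Constructed sample traffic for a first preset period of 1200 s; the
# addresses and timings are made up for this example.
PACKETS = (
    [Packet(t, "10.0.0.9") for t in range(0, 180, 30)]      # 6 packets, all in period 1
    + [Packet(t, "10.0.0.5") for t in range(200, 380, 60)]  # 3 packets in period 1 ...
    + [Packet(400, "10.0.0.2")]
    + [Packet(t, "10.0.0.5") for t in range(600, 800, 40)]  # ... plus 5 in period 2
    + [Packet(800, "10.0.0.2"), Packet(900, "10.0.0.2")]
    + [Packet(1000, "10.0.0.3"), Packet(1100, "10.0.0.3")]
)
SPLIT_TS = 600   # first period is [0, 600), second period is [600, 1200)
THRESHOLD = 5    # "first preset threshold": more than 5 packets per source


def malicious_sources(packets, threshold):
    """Source addresses whose packet count over the WHOLE first preset period
    exceeds the threshold are confirmed malicious (claim 2)."""
    per_src = Counter(p.src for p in packets)
    return {src for src, n in per_src.items() if n > threshold}


def traffic_features(packets, split_ts, threshold):
    """Return (first_total, second_total, first_probability), the three values
    claim 2 feeds into the deep learning unit."""
    bad = malicious_sources(packets, threshold)
    first = [p for p in packets if p.ts < split_ts]
    second = [p for p in packets if p.ts >= split_ts]
    first_total = sum(p.src in bad for p in first)    # malicious packets in period 1
    second_total = sum(p.src in bad for p in second)  # malicious packets in period 2
    # Interpretation used here (assumption): probability that a period-2 packet
    # originates from a confirmed malicious address. Guard against an empty period.
    first_probability = second_total / len(second) if second else 0.0
    return first_total, second_total, first_probability


if __name__ == "__main__":
    print(malicious_sources(PACKETS, THRESHOLD))
    print(traffic_features(PACKETS, SPLIT_TS, THRESHOLD))
```

Note that 10.0.0.9 is flagged although it sends nothing in the second period: the malicious judgement is made over the whole first preset period, and only the totals are split per sub-period.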
3. The enterprise network security assessment method according to claim 1, wherein the performing asset situation assessment specifically comprises:
acquiring asset data of the enterprise to be evaluated; wherein the base data includes the asset data;
carrying out security grade division and importance grade division according to the asset data, and obtaining the number of alarm events and the number of vulnerabilities according to the division result;
and inputting the number of alarm events and the number of vulnerabilities into the deep learning unit, so that the deep learning unit performs asset situation assessment and generates the asset situation index.
4. The enterprise network security assessment method of claim 1, wherein the performing the internal threat risk assessment comprises:
acquiring intranet data of the enterprise to be evaluated; wherein the basic data includes the intranet data;
acquiring abnormal condition data in a second preset period according to the intranet data; wherein the abnormal condition data includes: the number of illegal device accesses, the number of illegal intranet wifi hotspots, the number of illegal user accesses, the number of internal malicious requests, the number of vulnerabilities and the number of virus infections;
and inputting the abnormal condition data into the deep learning unit, so that the deep learning unit carries out internal threat risk assessment and generates the internal threat risk index.
5. The enterprise network security assessment method of claim 1, wherein the performing the external threat risk assessment comprises:
acquiring external threat situation data of the enterprise to be evaluated in a third preset period; wherein the basic data includes the external threat situation data, and the external threat situation data includes the external attack frequency, the intrusion success frequency and the intrusion interception frequency;
and inputting the external threat situation data into the deep learning unit, so that the deep learning unit carries out external threat risk assessment and generates the external threat risk index.
6. The method for evaluating enterprise network security according to claim 1, wherein the obtaining basic data of the enterprise to be evaluated specifically includes:
acquiring the basic data from the security equipment data, system log data, network flow data, terminal flow data and service flow data of the enterprise to be evaluated.
7. An enterprise network security assessment apparatus, comprising an acquisition module, a generation module and an evaluation module;
the acquisition module is used for acquiring basic data of an enterprise to be evaluated;
the generation module is used for carrying out flow situation assessment, asset situation assessment, internal threat risk assessment and external threat risk assessment in combination with the deep learning unit according to the basic data, and then respectively generating a flow risk index, an asset situation index, an internal threat risk index and an external threat risk index; the generation module is further configured to:
calculate subjective weights of the flow risk index, the asset situation index, the internal threat risk index and the external threat risk index by an analytic hierarchy process;
calculate objective weights of the flow risk index, the asset situation index, the internal threat risk index and the external threat risk index by an entropy weight method;
calculate comprehensive weights from the subjective weights and the objective weights;
calculate an overall network risk score of the enterprise to be evaluated from the comprehensive weights, the flow risk index, the asset situation index, the internal threat risk index and the external threat risk index, and carry out network security evaluation according to the overall network risk score;
the evaluation module is used for carrying out network security evaluation on the enterprise to be evaluated according to the flow risk index, the asset situation index, the internal threat risk index and the external threat risk index.
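The weighting procedure named in claims 1 and 7 (analytic hierarchy process for subjective weights, entropy weight method for objective weights, comprehensive weights, weighted overall score), carried through in Python as an added example that is not part of the patent. The pairwise-comparison matrix, the historical index samples and the current index values are constructed; the patent does not state how subjective and objective weights are combined, so the normalised product used here is an assumption, as is the 0-100 index scale.

```python
import math

RANDOM_INDEX_N4 = 0.90  # Saaty random index for a 4x4 matrix (standard AHP consistency check)

# Constructed AHP pairwise comparisons, order: flow risk, asset situation,
# internal threat, external threat (entry [i][j] = importance of i relative to j).
PAIRWISE = [
    [1.0, 2.0, 1.0, 0.5],
    [0.5, 1.0, 0.5, 0.25],
    [1.0, 2.0, 1.0, 0.5],
    [2.0, 4.0, 2.0, 1.0],
]
# Constructed historical index values, one row per month, same column order,
# 0-100 scale (higher = riskier). The asset column is deliberately constant
# to show how the entropy method treats an index that never varies.
SAMPLES = [
    [40, 55, 20, 70],
    [60, 55, 25, 65],
    [50, 55, 80, 72],
    [45, 55, 30, 68],
]
CURRENT_INDICES = [50, 55, 80, 72]  # constructed indexes for the enterprise being evaluated


def ahp_weights(pairwise):
    """Subjective weights via the row-geometric-mean estimate of the principal
    eigenvector; also returns the consistency ratio CR (accepted when < 0.1)."""
    n = len(pairwise)
    gm = [math.prod(row) ** (1.0 / n) for row in pairwise]
    w = [g / sum(gm) for g in gm]
    aw = [sum(pairwise[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / w[i] for i in range(n)) / n  # estimate of the principal eigenvalue
    cr = ((lam_max - n) / (n - 1)) / RANDOM_INDEX_N4 if n == 4 else float("nan")
    return w, cr


def entropy_weights(samples):
    """Objective weights by the entropy weight method over historical samples."""
    m = len(samples)
    divergences = []
    for col in zip(*samples):
        lo, hi = min(col), max(col)
        norm = [(v - lo) / (hi - lo) if hi > lo else 1.0 for v in col]  # min-max scaling
        p = [v / sum(norm) for v in norm]
        entropy = -sum(q * math.log(q) for q in p if q > 0) / math.log(m)
        divergences.append(1.0 - entropy)  # constant column: entropy 1, divergence 0
    total = sum(divergences)
    if total <= 0:  # every index constant: no information, fall back to equal weights
        return [1.0 / len(divergences)] * len(divergences)
    return [d / total for d in divergences]


def combined_weights(subjective, objective):
    """Comprehensive weights as the normalised product (assumption of this example)."""
    prod = [s * o for s, o in zip(subjective, objective)]
    return [p / sum(prod) for p in prod]


def overall_risk_score(weights, indices):
    """Weighted sum of the four indexes; stays on the same scale as the inputs."""
    return sum(w * x for w, x in zip(weights, indices))


def assess(pairwise=PAIRWISE, samples=SAMPLES, current=CURRENT_INDICES):
    subjective, cr = ahp_weights(pairwise)
    if cr >= 0.1:  # inconsistent expert judgements would make the weights meaningless
        raise ValueError(f"AHP comparisons inconsistent (CR={cr:.3f}); revise the matrix")
    weights = combined_weights(subjective, entropy_weights(samples))
    return overall_risk_score(weights, current), weights
```

With the constructed data the asset situation index receives (near-)zero objective weight because it never varied in the samples, so its subjective weight is also cancelled in the combination; a practitioner should check the entropy weights for such degenerate columns before trusting the overall score.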
8. A mobile terminal comprising a processor and a memory, the memory storing computer readable program code, the processor implementing the steps of an enterprise network security assessment method as claimed in any one of claims 1 to 6 when the computer readable program code is executed by the processor.
9. A storage medium storing computer readable program code which when executed implements the steps of an enterprise network security assessment method of any one of claims 1 to 6.
CN202210122613.7A 2022-02-09 2022-02-09 Enterprise network security assessment method and device, mobile terminal and storage medium Active CN114615016B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210122613.7A CN114615016B (en) 2022-02-09 2022-02-09 Enterprise network security assessment method and device, mobile terminal and storage medium

Publications (2)

Publication Number Publication Date
CN114615016A CN114615016A (en) 2022-06-10
CN114615016B true CN114615016B (en) 2023-08-01

Family

ID=81858328

Country Status (1)

Country Link
CN (1) CN114615016B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant