CN114692168A - Cloud service application program vulnerability analysis method and system based on attack big data - Google Patents


Info

Publication number: CN114692168A
Application number: CN202210381428.XA
Authority: CN (China)
Prior art keywords: attack, penetration, entity, activity, attack activity
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN114692168B (en)
Inventors: 普家红, 方国朋
Current assignee: China Highway Engineering Consultants Corp; CHECC Data Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Harbin Shangzhan Technology Development Co ltd
Application filed by Harbin Shangzhan Technology Development Co ltd
Priority to CN202211365991.4A (CN115618361A)
Priority to CN202210381428.XA (CN114692168B)
Publication of CN114692168A
Application granted
Publication of CN114692168B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The embodiments of this application provide a cloud service application program vulnerability analysis method and system based on attack big data. After the vulnerability analysis of the cloud service application program itself, a further vulnerability analysis is carried out that combines the attack activity penetration states between the cloud service application program and other cooperative service application programs; vulnerability repair optimization of the cloud application framework on which the cloud service application program runs is then performed according to that analysis, which improves the performance of cooperative vulnerability repair optimization.

Description

Cloud service application program vulnerability analysis method and system based on attack big data
Technical Field
This application relates to the technical field of big data and cloud computing, and in particular to a cloud service application program vulnerability analysis method and system based on attack big data.
Background
With the development of cloud computing technology, many specialized cloud service application programs are deployed on the cloud and serve the different business requirements of users through remote cloud services. Service providers therefore need to pay particular attention to the stability and security of these cloud service application programs; for example, they need to learn of the weak points of a cloud service application program in time and analyze the existing vulnerabilities further so that they can be repaired and optimized. In the related art, the operating defects of a cloud service application are usually analyzed from its attack big data log: various features are extracted, vulnerability analysis is performed on them, and the subsequent vulnerability repair service follows. However, the related art does not further consider the attack activity penetration state between the cloud service application and other cooperative service applications, so the accuracy of vulnerability repair optimization still needs to be improved.
Disclosure of Invention
In order to overcome at least the above disadvantages of the prior art, the present application aims to provide a cloud service application vulnerability analysis method and system based on attack big data.
In a first aspect, the present application provides a cloud service application vulnerability analysis method based on attack big data, applied to a security big data analysis system, the method including:
generating the application vulnerability distribution of a cloud service application according to the cloud attack big data log of the cloud service application;
generating the cooperative vulnerability data of the cloud service application according to its application vulnerability distribution and the attack activity penetration data between the cloud service application and other cooperative service applications;
and performing vulnerability repair optimization on the cloud application framework on which the cloud service application runs, according to the cooperative vulnerability data of the cloud service application.
In some alternative embodiments, the step of generating the cooperative vulnerability data of the cloud service application according to its application vulnerability distribution and the attack activity penetration data between the cloud service application and other cooperative service applications includes:
obtaining, from the attack activity penetration data between the cloud service application and other cooperative service applications, the target attack activity penetration data that has a relationship vector with the application vulnerability distribution of the cloud service application, and obtaining the penetration measurement parameter of each attack activity penetration entity in the target attack activity penetration data;
determining a key attack activity penetration entity set from the target attack activity penetration data according to the penetration measurement parameters of the attack activity penetration entities;
generating, from the key attack activity penetration entity set, the attack activity penetration entities of interest and the penetration effective value of each attack activity penetration entity of interest in the target attack activity penetration data;
outputting a candidate attack activity penetration entity set in the target attack activity penetration data according to the attack activity penetration entities other than the entities of interest and the penetration cooperation information between those entities;
generating, from the candidate attack activity penetration entity set and the attack activity penetration entities of interest, the penetration effective value of each attack activity penetration entity in the candidate set, and outputting the cooperative vulnerability data of the cloud service application according to those penetration effective values;
where each generated penetration effective value is used to generate the cooperative vulnerability data associated with the corresponding attack activity penetration entity.
In some alternative embodiments, obtaining the penetration measurement parameter of each attack activity penetration entity in the target attack activity penetration data includes:
obtaining the target attack activity penetration data;
determining, for each attack activity penetration entity in the target attack activity penetration data, its connectivity with respect to the attack activity penetration entities connected to it;
and taking that connectivity as the penetration measurement parameter of the corresponding attack activity penetration entity.
In some alternative embodiments, determining the key attack activity penetration entity set from the target attack activity penetration data according to the penetration measurement parameters of the attack activity penetration entities includes:
obtaining a set effective value; removing from the target attack activity penetration data every attack activity penetration entity whose penetration measurement parameter is less than or equal to the set effective value, together with the penetration cooperation information associated with it; and obtaining the key attack activity penetration entity set from the component attack activity penetration entities that remain in the target attack activity penetration data and the penetration cooperation information between them.
In some alternative embodiments, generating, from the key attack activity penetration entity set, the attack activity penetration entities of interest and their penetration effective values in the target attack activity penetration data includes:
outputting the penetration measurement parameter of each attack activity penetration entity in the key set according to its connectivity within the key set, and taking that penetration measurement parameter as the initial current penetration effective value of the corresponding entity;
executing a migration round in which, for each attack activity penetration entity in the key set, a penetration concern value associated with that entity is generated according to the current penetration effective values of the attack activity penetration entities in the key set;
removing an attack activity penetration entity from the key set when its penetration concern value is less than or equal to the set effective value;
when the penetration concern value is greater than the set effective value and smaller than the current penetration effective value of the entity, adjusting the entity's current penetration effective value according to its penetration concern value, and repeating the migration until a migration flow in which the current penetration effective value of no attack activity penetration entity in the key set is adjusted, at which point the migration stops;
taking the attack activity penetration entities remaining in the key set when the migration terminates as the attack activity penetration entities of interest, and taking their current penetration effective values at that moment as the penetration effective values associated with them;
where the method further includes:
after the current migration round terminates, extracting the attack activity penetration entities whose current penetration effective values were adjusted in the current migration flow;
when the next migration is triggered, taking the attack activity penetration entities in the key set that are connected to the extracted entities as the target attack activity penetration entities whose penetration concern values must be determined again in the next migration flow;
and generating, for each attack activity penetration entity in the key set, the penetration concern value associated with it according to the current penetration effective values in the key set includes:
for each target attack activity penetration entity in the key set, generating its penetration concern value according to the current penetration effective values of the attack activity penetration entities in the key set that are connected to it.
In some alternative embodiments, outputting the candidate attack activity penetration entity set in the target attack activity penetration data according to the attack activity penetration entities other than the entities of interest and the penetration cooperation information between them includes: removing the attack activity penetration entities of interest from the target attack activity penetration data; and outputting the candidate attack activity penetration entity set according to the component attack activity penetration entities that remain after that removal and the penetration cooperation information between them.
In some alternative embodiments, generating, from the candidate attack activity penetration entity set and the attack activity penetration entities of interest, the penetration effective value of each attack activity penetration entity in the candidate set includes:
resetting the current penetration effective value of each attack activity penetration entity in the candidate set according to that entity's connectivity in the original target attack activity penetration data;
executing a migration round in which, for each attack activity penetration entity in the candidate set, a penetration concern value associated with that entity is generated according to the current penetration effective values of the attack activity penetration entities in the target attack activity penetration data;
when the penetration concern value is smaller than the current penetration effective value of the entity, adjusting the current penetration effective value according to the penetration concern value, and repeating until a migration flow in which the current penetration effective value of no entity in the candidate set is adjusted, at which point the migration terminates;
taking the current penetration effective value of each attack activity penetration entity when the migration terminates as the penetration effective value associated with that entity;
where the method further includes:
after the current migration round terminates, extracting the attack activity penetration entities whose current penetration effective values were adjusted in the current migration flow;
when the next migration is triggered, taking the attack activity penetration entities in the candidate set that are connected to the extracted entities as the target attack activity penetration entities whose penetration concern values must be determined again in the next migration flow;
and generating, for each attack activity penetration entity in the candidate set, the penetration concern value associated with it according to the current penetration effective values in the target attack activity penetration data includes:
for each target attack activity penetration entity in the candidate set, generating its penetration concern value according to the current penetration effective values of the attack activity penetration entities in the target attack activity penetration data that are connected to it.
In some alternative embodiments, determining the penetration concern value associated with an attack activity penetration entity includes:
if, among the attack activity penetration entities connected to the entity, at least AT of them have a current penetration effective value greater than or equal to AT, but it is not the case that at least AT + 1 of them have a current penetration effective value greater than or equal to AT + 1, determining the penetration concern value associated with the entity as AT, where AT is a positive integer;
the method further includes:
when the current migration process starts, resetting the adjusted count of the attack activity penetration entities to zero, where the adjusted count is used to record the connectivity of the attack activity penetration entities whose current penetration effective values are adjusted in the current migration process;
counting the connectivity of the attack activity penetration entities whose current penetration effective values were adjusted in the current migration process;
updating the adjusted count of the attack activity penetration entities according to that connectivity;
when the current migration process terminates, continuing with the next migration round if the adjusted count of the attack activity penetration entities is nonzero;
and when the current migration process terminates, terminating the migration if the adjusted count is zero.
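The following is an added worked example, not code from the patent or its applicant, of the key-set, migration and candidate-set procedure described in the embodiments above. It assumes that the target attack activity penetration data is an undirected graph whose nodes are attack activity penetration entities and whose edges are the penetration cooperation information, that an entity's connectivity is its degree, that the set effective value is 2, and that the penetration concern value is the AT rule just given (the largest AT such that at least AT connected entities have a current value of at least AT). Each migration round evaluates its target entities against the values as they stood at the start of the round, and removal of an entity counts as an adjustment for the purpose of choosing the next round's targets. The graph, the entity names a to g and the threshold are all constructed for the illustration:

```python
from collections import defaultdict

# Constructed penetration cooperation information: undirected edges between
# attack activity penetration entities (entity names are assumptions, not from
# the patent). Entities a-d are fully connected to each other, e hangs off a
# and b, f hangs off e, and g hangs off c.
EDGES = [("a", "b"), ("a", "c"), ("a", "d"), ("b", "c"), ("b", "d"), ("c", "d"),
         ("e", "a"), ("e", "b"), ("f", "e"), ("g", "c")]
SET_EFFECTIVE_VALUE = 2  # assumed value for the text's "set effective value"


def build_graph(edges):
    """Adjacency sets for the target attack activity penetration data."""
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return dict(adj)


def concern_value(values, connected):
    """Penetration concern value: the largest AT such that at least AT of the
    connected entities have a current penetration effective value >= AT."""
    vals = sorted((values[n] for n in connected), reverse=True)
    at = 0
    for rank, v in enumerate(vals, start=1):
        if v < rank:
            break
        at = rank
    return at


def key_entity_set(adj, threshold):
    """Drop entities whose connectivity (degree) is <= the set effective value,
    together with their cooperation edges; return the induced subgraph."""
    keep = {n for n, nbrs in adj.items() if len(nbrs) > threshold}
    return {n: adj[n] & keep for n in keep}


def migrate(active, values, adj, threshold, removable):
    """Repeat migration rounds until no current penetration effective value is
    adjusted. `active` is the entity set being processed, `values` holds the
    current penetration effective values (shared across both phases), and
    `adj` gives the connected entities whose values feed each concern value.
    With `removable` set (key-set phase) an entity whose concern value is
    <= threshold is removed; otherwise (candidate phase) values are only lowered."""
    targets = set(active)  # first round: every entity is a target
    while targets:
        snapshot = dict(values)  # values at the start of this round
        adjusted = set()
        for n in sorted(targets & active):
            connected = [m for m in adj[n] if m in snapshot]
            at = concern_value(snapshot, connected)
            if removable and at <= threshold:
                active.discard(n)
                del values[n]
                adjusted.add(n)
            elif at < snapshot[n]:
                values[n] = at
                adjusted.add(n)
        # As in the text, the next round re-evaluates only entities connected
        # to an adjusted one; an empty target set terminates the migration.
        targets = {m for n in adjusted for m in adj[n]} & active
    return {n: values[n] for n in active}


def cooperative_vulnerability_data(edges, threshold):
    """Return (entities of interest, candidate entities), each mapped to its
    penetration effective value."""
    adj = build_graph(edges)
    key = key_entity_set(adj, threshold)
    values = {n: len(key[n]) for n in key}  # initial value: connectivity in key set
    interest = migrate(set(key), values, key, threshold, removable=True)
    candidates = set(adj) - set(interest)
    for n in candidates:  # reset from connectivity in the full target data
        values[n] = len(adj[n])
    candidate_values = migrate(candidates, values, adj, threshold, removable=False)
    return interest, candidate_values


if __name__ == "__main__":
    interest, candidates = cooperative_vulnerability_data(EDGES, SET_EFFECTIVE_VALUE)
    print("entities of interest:", interest)
    print("candidate entities:  ", candidates)
```

On the constructed graph the key-set phase first drops f and g (connectivity 1), then removes e during migration because its concern value of 2 does not exceed the set effective value, leaving a, b, c and d as entities of interest with penetration effective value 3; the candidate phase then assigns e the value 2 and f and g the value 1. A defender reading the cooperative vulnerability data would treat the entities with the highest surviving values as the program operation interfaces most exposed to cooperative penetration and prioritise their repair. The concern-value rule is the h-index of the connected entities' current values, which is why the rounds converge: a value can only ever be lowered, and the re-evaluation set in `targets` mirrors the text's rule of recomputing only the entities connected to an adjusted one.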
In a second aspect, an embodiment of the present application further provides a security big data analysis system that includes a processor and a machine-readable storage medium in which a computer program is stored; the computer program is loaded and executed by the processor to implement the cloud service application vulnerability analysis method based on attack big data of the first aspect.
According to the above aspects, the application vulnerability distribution of the cloud service application is generated from its cloud attack big data log; the cooperative vulnerability data of the cloud service application is generated from that distribution and the attack activity penetration data between the cloud service application and other cooperative service applications; and vulnerability repair optimization is carried out on the cloud application framework on which the cloud service application runs according to the cooperative vulnerability data. Because the attack activity penetration states between the cloud service application and other cooperative service applications are combined into the vulnerability analysis after the application's own vulnerability analysis, and the repair optimization of the cloud application framework is driven by that analysis, the performance of cooperative vulnerability repair optimization is improved.
Drawings
Fig. 1 is a schematic flowchart of the cloud service application vulnerability analysis method based on attack big data according to an embodiment of the present application;
Fig. 2 is a schematic block diagram of the structure of a security big data analysis system for implementing the cloud service application vulnerability analysis method based on attack big data provided in the embodiment of the present application.
Detailed Description
The architecture of the cloud service application vulnerability analysis system 10 based on attack big data according to an embodiment of the present application is described below. The system 10 may include a security big data analysis system 100 and a cloud service application platform 200 communicatively connected to it. In this embodiment, the security big data analysis system 100 and the cloud service application platform 200 cooperate to execute the cloud service application vulnerability analysis method based on attack big data described in the following method embodiments; the specific steps executed by each of them are shown in Fig. 1 and described in detail together with the method embodiments below.
Process 110: generate the application vulnerability distribution of the cloud service application according to its cloud attack big data log.
Process 120: generate the cooperative vulnerability data of the cloud service application according to its application vulnerability distribution and the attack activity penetration data between the cloud service application and other cooperative service applications.
Here, the attack activity penetration data can represent, for example, the penetration path data between the cloud service application and the other cooperative service applications in an attack activity penetration state.
Process 130: perform vulnerability repair optimization on the cloud application architecture on which the cloud service application runs, according to the cooperative vulnerability data of the cloud service application.
The cooperative vulnerability data represents the attack activity penetration entities for which the cloud service application has effective attack activity penetration. An attack activity penetration entity can represent a program operation interface that is attacked by the attack activity when the cloud service application and the other cooperative service applications are subjected to a penetration attack, so pre-downloaded vulnerability repair firmware data associated with the cooperative vulnerability data can be obtained, and vulnerability repair optimization of the cloud application framework on which the cloud service application runs can be carried out on the basis of that firmware data.
With the technical scheme of this embodiment, the application vulnerability distribution of the cloud service application is generated from its cloud attack big data log; the cooperative vulnerability data is generated from that distribution and the attack activity penetration data between the cloud service application and other cooperative service applications; and vulnerability repair optimization is performed on the cloud application architecture on which the cloud service application runs according to the cooperative vulnerability data. Because the attack activity penetration states between the cloud service application and other cooperative service applications are combined into the vulnerability analysis after the application's own vulnerability analysis, and the repair optimization is driven by that analysis, the performance of cooperative vulnerability repair optimization is improved.
In some non-limiting embodiments, an alternative implementation of Process 110 is as follows.
Process 101: obtain the cloud attack big data log of the cloud service application.
In some non-limiting embodiments, the cloud attack big data log may be the attack event data generated while a user uses the service, for example the attack event data of interest for a particular service segment.
Process 102: perform attack variable mining on the cloud attack big data log and output an attack event basic vector set and an attack event derived vector set.
In some non-limiting embodiments, the cloud attack big data log may be extracted into a storage structure of the form "attack event basic vector set + attack event derived vector set", where the attack event basic vector set represents the threat entity vectors associated with the attack events indicated by the cloud attack big data log, and the attack event derived vector set represents the derived threat entity vectors used to make derived predictions about those threat entity vectors.
Process 103: obtain a first attack mapping vector set between the cloud attack big data log and the historical frequent item vulnerability variables, a second attack mapping vector set between the attack event basic vector set and the basic variables of the historical attack event frequent items, and a third attack mapping vector set between the attack event derived vector set and the derived variables of the historical attack event frequent items.
The historical frequent item vulnerability variables are the vulnerability variables related to frequent item vulnerabilities in an application vulnerability distribution library; the basic variables and the derived variables of the historical attack event frequent items are the component variables that make up the historical frequent item vulnerability variables. In some non-limiting embodiments, the vulnerability variables associated with frequent item vulnerabilities in the application vulnerability distribution library are the standard vulnerability variables associated with application vulnerability distributions.
In some non-limiting embodiments, the application vulnerability analysis model includes a depth track feature point extraction branch formed by a target depth track feature point extraction network; the cloud attack big data log, the attack event basic vector set and the attack event derived vector set are passed through this branch for feature extraction, and the attack mapping vector sets are determined from the result.
For example, a first depth track feature point set corresponding to the historical frequent item vulnerability variables, a second depth track feature point set associated with the basic variables of the historical attack event frequent items, and a third depth track feature point set associated with the derived variables of the historical attack event frequent items are obtained; the cloud attack big data log, the attack event basic vector set and the attack event derived vector set are each combined with an attention mechanism to extract depth track feature points, giving a fourth, a fifth and a sixth depth track feature point set respectively; the first attack mapping vector set is output from the mapping relationship information between the fourth and the second depth track feature point sets; the second attack mapping vector set is output from the mapping relationship information between the fifth and the second depth track feature point sets; and the third attack mapping vector set is output from the mapping relationship information between the sixth and the third depth track feature point sets.
For example, an attack mapping vector set may be generated from the cross mapping vectors between feature points or from the cyclic mapping vectors between feature points. For instance, a first component attack mapping vector set is generated from the mapping vectors between the attack event cross feature points and the vulnerability cross feature points, a second component attack mapping vector set is generated from the mapping vectors between the attack event cyclic feature points and the vulnerability cyclic feature points, and the first attack mapping vector set is determined from these two component sets. Likewise, a first basic attack mapping vector set is generated from the mapping vectors between basic cross feature points, a second basic attack mapping vector set from the mapping vectors between basic cyclic feature points, and the second attack mapping vector set is determined from the two basic sets; and a first derived attack mapping vector set is generated from the mapping vectors between derived cross feature points, a second derived attack mapping vector set from the mapping vectors between derived cyclic feature points, and the third attack mapping vector set is determined from the two derived sets.
Process104 determines the vulnerability confidence between the cloud attack big data log and the historical frequent item vulnerability variables by combining the first attack mapping vector set, the second attack mapping vector set and the third attack mapping vector set.
In some non-limiting embodiments, the application vulnerability analysis model further includes a target fully-connected output branch, and the target fully-connected output branch is used for predicting the confidence degree of the cloud attack big data log associated with each historical frequent vulnerability of the historical frequent vulnerability variables. For example, the first set of attack mapping vectors, the second set of attack mapping vectors, and the third set of attack mapping vectors are passed to the target fully-connected output branch, generating a vulnerability confidence.
Process105 assigns the cloud attack big data log to a target frequent item vulnerability variable among the historical frequent item vulnerability variables according to the vulnerability confidence.
In some non-limiting embodiments, for the cloud attack big data log and each historical frequent item vulnerability variable, the historical frequent item vulnerability with the maximum confidence is taken as the target historical frequent item vulnerability of that variable; all historical frequent item vulnerability variables are then ranked by the confidence of their target historical frequent item vulnerability; the historical frequent item vulnerability variable with the maximum confidence is taken as the target frequent item vulnerability variable; and the historical frequent item vulnerability between the cloud attack big data log and the target frequent item vulnerability variable is the target historical frequent item vulnerability.
By adopting the technical scheme of the embodiment, the vulnerability analysis method and the vulnerability analysis system of the cloud service application program based on the attack big data jointly determine the vulnerability confidence coefficient between the cloud attack big data log and the historical frequent item vulnerability variable through the first attack mapping vector set between the cloud attack big data log and the historical frequent item vulnerability variable, the second attack mapping vector set between the attack event basic vector set and the historical attack event frequent item basic variable, and the third attack mapping vector set between the attack event derived vector set and the historical attack event frequent item derived variable, so as to determine the target frequent item vulnerability variable from the historical frequent item vulnerability variable, wherein the attack event basic vector set and the attack event derived vector set are extracted from the cloud attack big data log. Namely, when the vulnerability confidence coefficient between the cloud attack big data log and the historical frequent item vulnerability variable is determined, the overall relation between the cloud attack big data log and the relation between the extracted data are considered, and the vulnerability analysis accuracy is improved.
The above embodiment is implemented by an application vulnerability analysis model, where the application vulnerability analysis model is output by adjusting model parameters through a basic vulnerability analysis model, the basic vulnerability analysis model includes a full-connection output branch, a basic vector output branch and a derivative vector output branch, and a model development process of the basic vulnerability analysis model is described below, which specifically includes:
the Process201 obtains the attack paradigm gathered data.
The collected data of the attack example corresponds to example weak point data, the collected data of the attack example comprises a reference cloud attack big data log, a reference attack event basic vector set and a reference attack event derived vector set, and the reference attack event basic vector set and the reference attack event derived vector set correspondingly express a characteristic vector of the reference cloud attack big data log.
In some non-limiting embodiments, the attack event basic vector set and the attack event derived vector set in the attack example gathered data may be extracted in advance, so that the reference cloud attack big data log has already been extracted into the reference attack event basic vector set and the reference attack event derived vector set.
The above example vulnerability data characterizes the standard vulnerability variables associated with the reference cloud attack big data log in the frequent item vulnerability database, i.e., the reference vulnerability variables, which are also added to the training. In some non-limiting embodiments, the training data is passed to the basic vulnerability analysis model in the form of data pairs, e.g., <reference cloud attack big data log, reference attack event basic vector set, reference attack event derived vector set; reference vulnerability variable, reference attack event basic variable; reference attack event derived variable>.
The Process202 obtains a first reference attack mapping vector set between a reference cloud attack big data log and historical frequent item vulnerability variables, a second reference attack mapping vector set between a reference attack event base vector set and historical attack event frequent item base variables, and a third reference attack mapping vector set between a reference attack event derived vector set and historical attack event frequent item derived variables.
The historical frequent item vulnerability variables are vulnerability variables related to frequent item vulnerabilities in an application vulnerability distribution library, and the attack event basic variables and the attack event derived variables are component variables forming the historical frequent item vulnerability variables.
Process203 generates the presumed vulnerability data by combining the first reference attack mapping vector set, the second reference attack mapping vector set and the third reference attack mapping vector set.
For example, a first reference attack mapping vector set, a second reference attack mapping vector set and a third reference attack mapping vector set are transmitted to a full-connection output branch, and a presumed vulnerability variable is output; transmitting the second reference attack mapping vector set to a basic vector output branch, and outputting a basic vector of the presumed attack event; and transmitting the third reference attack mapping vector set to a derivative vector output branch, and outputting a presumed attack event derivative vector, wherein the presumed vulnerability variable, the presumed attack event basic vector and the presumed attack event derivative vector form presumed vulnerability data.
Process204 adjusts the model parameters of the initialized vulnerability analysis model according to the comparative cost value between the presumed vulnerability data and the example vulnerability data, and outputs the application vulnerability analysis model.
In some non-limiting embodiments, the first target cost value is generated in conjunction with a comparison cost value between the putative vulnerability variable and the reference vulnerability variable; generating a second target cost value by combining the comparative cost value between the basic vector of the presumed attack event and the basic variable of the reference attack event; generating a third target cost value by combining the comparative cost value between the presumed attack event derived vector and the reference attack event derived variable; and adjusting model parameters of the basic vulnerability analysis model by combining the first target cost value, the second target cost value and the third target cost value, and outputting the application program vulnerability analysis model.
By adopting the technical scheme of this embodiment, the reference attack event basic vector set and the reference attack event derived vector set extracted from the reference cloud attack big data log are used, together with the reference cloud attack big data log itself, as training data of the basic vulnerability analysis model, and the associated reference attack mapping vector sets are obtained for each. The model learning information is determined from the first reference attack mapping vector set between the reference cloud attack big data log and the historical frequent item vulnerability variables, the second reference attack mapping vector set between the reference attack event basic vector set and the historical attack event frequent item basic variables, and the third reference attack mapping vector set between the reference attack event derived vector set and the historical attack event frequent item derived variables. Finally, the comparative cost value between the model learning information and the example vulnerability data associated with the reference cloud attack big data log is used to adjust the parameters of the initialized vulnerability analysis model, yielding the application vulnerability analysis model.
In some non-limiting embodiments, specific steps for determining the first set of attack mapping vectors, the second set of attack mapping vectors, and the third set of attack mapping vectors are described below.
Process301 obtains the attack event cross feature points and the attack event cycle feature points associated with the cloud attack big data log.
The Process302 acquires weak crossing feature points and weak circulation feature points corresponding to the historical frequent item weak point variables.
The Process303 generates a first component attack mapping vector set by combining the mapping vectors between the attack event cross feature points and the weak cross feature points.
The Process304 generates a second component attack mapping vector set by combining the mapping vectors between the attack event cycle characteristic points and the weak cycle characteristic points.
The Process305 determines a first set of attack mapping vectors from the first set of component attack mapping vectors and the second set of component attack mapping vectors.
In some non-limiting embodiments, the second attack mapping vector set is determined from a first base attack mapping vector set, generated from the base cross feature points and the mapping vectors between the base cross feature points, and a second base attack mapping vector set, generated from the base cycle feature points and the mapping vectors between the base cycle feature points. Likewise, the third attack mapping vector set is determined from a first derivative attack mapping vector set, generated from the derivative cross feature points and the mapping vectors between the derivative cross feature points, and a second derivative attack mapping vector set, generated from the derivative cycle feature points and the mapping vectors between the derivative cycle feature points. The execution flow for the base cross feature points and for the derivative cross feature points is the same as Process303, and the execution flow for the base cycle feature points and for the derivative cycle feature points is the same as Process304, so they are not described again here.
In some non-limiting embodiments, an alternative implementation of the Process120 is as follows.
Process301 obtains, from the attack activity penetration data between the cloud service application program and other collaborative service application programs, the target attack activity penetration data that has a relationship vector with the application vulnerability distribution of the cloud service application program, and obtains the penetration metric parameter of each attack activity penetration entity in the target attack activity penetration data.
Here, the penetration metric parameter of an attack activity penetration entity is the connectivity of the connected attack activity penetration entities associated with it, where a connected attack activity penetration entity is an attack activity penetration entity that has penetration cooperation information with the entity in question.
Process302 determines a key attack activity penetration entity set from the target attack activity penetration data according to the penetration metric parameter of each attack activity penetration entity.
In some non-limiting embodiments, the penetration effective value of each attack activity penetration entity in the target attack activity penetration data is analyzed. The penetration effective value is one of the indexes used to judge the penetration state of an attack activity penetration entity within the whole target attack activity penetration data. The P-group attack activity penetration entity set of attack activity penetration data is the candidate attack activity penetration entity set that remains after repeatedly removing attack activity penetration entities whose penetration metric parameter is less than or equal to P. In other words, all attack activity penetration entities whose penetration metric parameter is less than P are removed from the attack activity penetration data L to obtain the attack activity penetration entity set M; all attack activity penetration entities whose penetration metric parameter is less than P are then removed from M to obtain a new attack activity penetration entity set Mt, and so on, until the penetration metric parameter of every attack activity penetration entity in the remaining set is greater than P, which gives the P-group attack activity penetration entity set of the attack activity penetration data L. The penetration effective value of an attack activity penetration entity is defined by the largest group of attack activity penetration entity sets that still contains it: if an attack activity penetration entity exists in the y-group attack activity penetration entity set and is removed in the (y + 1)-group attack activity penetration entity set, its penetration effective value is y.
For example, the 2-group attack activity penetration entity set is obtained by removing all attack activity penetration entities whose penetration metric parameter is smaller than 2 from the attack activity penetration data, then removing the attack activity penetration entities whose penetration metric parameter is smaller than 2 from the remaining attack activity penetration data, and so on, until no further attack activity penetration entity can be removed. The 3-group set is obtained by removing all attack activity penetration entities whose penetration metric parameter is smaller than 3 from the attack activity penetration data, then removing those whose penetration metric parameter is smaller than 3 from the remaining attack activity penetration data, and so on, until no further attack activity penetration entity can be removed; the result is the 3-group attack activity penetration entity set of the attack activity penetration data. If an attack activity penetration entity belongs to the 5-group attack activity penetration entity set but not to the 6-group attack activity penetration entity set, its penetration effective value is 5.
From the above analysis it follows that an attack activity penetration entity whose penetration effective value is greater than P must have a penetration metric parameter greater than P. Therefore, by choosing a set effective value, the original target attack activity penetration data can be divided, according to the penetration metric parameter of each attack activity penetration entity and the set effective value, into a key attack activity penetration entity set and a candidate attack activity penetration entity set, after which the penetration effective value of each attack activity penetration entity is analyzed in turn. The penetration metric parameter of every attack activity penetration entity in the key attack activity penetration entity set is necessarily greater than the set effective value, but an attack activity penetration entity in the target attack activity penetration data whose penetration metric parameter is greater than the set effective value does not necessarily belong to the key attack activity penetration entity set.
In some non-limiting embodiments, determining the key attack activity penetration entity set from the target attack activity penetration data according to the penetration metric parameter of each attack activity penetration entity and the set effective value includes: obtaining the set effective value; removing from the target attack activity penetration data every attack activity penetration entity whose penetration metric parameter is less than or equal to the set effective value, together with the penetration cooperation information related to it; and obtaining the key attack activity penetration entity set according to the penetration cooperation information between the remaining attack activity penetration entities in the target attack activity penetration data.
In some non-limiting embodiments, the attack activity penetration entities whose penetration metric parameter is smaller than or equal to the set effective value are filtered out of the historical target attack activity penetration data according to the set effective value, which yields the key attack activity penetration entity set; the output penetration metric parameters of all attack activity penetration entities in the key attack activity penetration entity set are then all larger than the set effective value.
Process303 generates, from the key attack activity penetration entity set, the attack activity penetration entities of interest in the target attack activity penetration data and the penetration effective value of each attack activity penetration entity of interest.
An attack activity penetration entity of interest is an attack activity penetration entity, analyzed from the key attack activity penetration entity set, whose penetration effective value is larger than the set effective value. After determining the key attack activity penetration entity set from the target attack activity penetration data, the security big data analysis system first analyzes the key attack activity penetration entity set to generate the attack activity penetration entities of interest and their penetration effective values.
In some non-limiting embodiments, since the penetration metric parameter of every attack activity penetration entity in the candidate attack activity penetration entity set is smaller than the set effective value, no attack activity penetration entity in the candidate set affects the penetration effective value of any attack activity penetration entity in the key attack activity penetration entity set. The security big data analysis system may therefore concentrate directly on the key attack activity penetration entity set, analyze it, determine the penetration effective value of each attack activity penetration entity from the penetration metric parameters of the attack activity penetration entities in the key set, and take those whose penetration effective value is greater than the set effective value as the attack activity penetration entities of interest in the target attack activity penetration data.
In some non-limiting embodiments, the security big data analysis system may directly perform data mining on the key attack activity penetration entity set and analyze from it the attack activity penetration entities of interest whose penetration effective value is greater than the set effective value. In some non-limiting embodiments, for P = 1, P = 2, …, up to P equal to the set effective value, attack activity penetration entities whose penetration metric parameter is less than or equal to P are repeatedly removed from the key attack activity penetration entity set to obtain the P-group attack activity penetration entity set; this determines the largest group to which each attack activity penetration entity in the key set belongs, hence its penetration effective value, and the attack activity penetration entities whose penetration effective value is greater than the set effective value are taken as the attack activity penetration entities of interest.
In some non-limiting embodiments, when walking the key attack activity penetration entity set, the security big data analysis system may, in the current round of the walk, adjust the current penetration effective value of an attack activity penetration entity according to the penetration concern values of its connected attack activity penetration entities as they stood after the previous round. Moreover, since an attack activity penetration entity does not affect the determination of the penetration effective value of other attack activity penetration entities whose penetration effective value is larger than its own, after the current round has optimized the penetration effective values, the security big data analysis system lets the attack activity penetration entities whose optimized penetration effective value is larger than the set effective value continue into the next round, while those whose optimized penetration effective value is smaller than or equal to the set effective value no longer participate; in this way the attack activity penetration entities in the key set whose penetration effective value is larger than the set effective value can be analyzed.
In some non-limiting embodiments, the penetration concern value of an attack activity penetration entity over all of its connected attack activity penetration entities may be an AT coefficient: if the AT coefficient of an attack activity penetration entity is AT, the attack activity penetration entity has at least AT connected attack activity penetration entities, and the penetration metric parameters of those AT connected attack activity penetration entities are not less than AT. For example, if an attack activity penetration entity has AT connected attack activity penetration entities whose current penetration effective value is greater than or equal to AT, but does not have AT + 1 connected attack activity penetration entities whose current penetration effective value is greater than or equal to AT + 1, the penetration concern value associated with the attack activity penetration entity is determined to be AT, where AT is a positive integer.
In some non-limiting embodiments, generating the attack activity penetration entities of interest in the target attack activity penetration data and their penetration effective values from the key attack activity penetration entity set may be performed by the alternative embodiment described below.
Process401 outputs the penetration metric parameter of each attack activity penetration entity in the key attack activity penetration entity set according to the connectivity of each attack activity penetration entity within the key set, and takes that penetration metric parameter as the initial current penetration effective value of the corresponding attack activity penetration entity.
In some non-limiting embodiments, when analyzing the key attack activity penetration entity set, the security big data analysis system may reset the penetration effective value of each attack activity penetration entity in the key set to its penetration metric parameter within the key set, as the initial current penetration effective value.
Process402 walks the key attack activity penetration entity set and, for each attack activity penetration entity in it, generates the penetration concern value associated with that attack activity penetration entity from the current penetration effective values of its connected attack activity penetration entities in the key set; when the penetration concern value is less than or equal to the set effective value, the attack activity penetration entity is removed from the key set; when the penetration concern value is larger than the set effective value and smaller than the current penetration effective value of the attack activity penetration entity, the current penetration effective value is adjusted to the penetration concern value; the walk stops when, in the current round, the current penetration effective value of no attack activity penetration entity in the key set is adjusted.
In some non-limiting embodiments, the security big data analysis system processes every attack activity penetration entity in the key attack activity penetration entity set in each round of the walk. For each attack activity penetration entity in the key set, the penetration concern value associated with it is generated from the current penetration effective values of its connected attack activity penetration entities, namely their penetration effective values after the previous round of the walk. If the penetration concern value of the attack activity penetration entity is less than or equal to the set effective value, the attack activity penetration entity does not influence the determination of the penetration effective value of any other attack activity penetration entity whose penetration effective value is greater than its own, so it need not take part in subsequent rounds and can be removed from the key set. If the penetration concern value is larger than the set effective value and smaller than the current penetration effective value of the attack activity penetration entity, the current penetration effective value is adjusted to the penetration concern value, and the attack activity penetration entity continues to take part in subsequent rounds.
The termination condition of the walk is that the current penetration effective values of all attack activity penetration entities in the key attack activity penetration entity set are unchanged in the current round. For example, when the penetration concern value determined from the penetration effective values of the connected attack activity penetration entities after the previous round equals the current penetration effective value of the attack activity penetration entity, the penetration effective value is not adjusted; if, in the current round, the current penetration effective value of no attack activity penetration entity remaining in the key set is adjusted, the walk terminates.
Because the attack activity penetration entities whose penetration concern value is less than or equal to the set effective value are removed in each round of the walk, the key attack activity penetration entity set changes dynamically during the walk, and so does the set of connected attack activity penetration entities of each attack activity penetration entity in it. When the penetration concern value of an attack activity penetration entity is determined from the current penetration effective values of its connected attack activity penetration entities, only the connected attack activity penetration entities in the current key set are used, not those in the initial key set; this further reduces the computational effort.
In some non-limiting embodiments, if the penetration concern value calculated for an attack activity penetration entity after the current round of the walk is less than or equal to the set effective value, the security big data analysis system may classify the attack activity penetration entity as not of interest, and an attack activity penetration entity so classified does not take part in the next round of the walk.
In some non-limiting embodiments, the method further comprises: after the current round of the walk terminates, extracting the attack activity penetration entities whose current penetration effective value was adjusted in that round; when the next round is triggered, taking the connected attack activity penetration entities of the extracted attack activity penetration entities in the key attack activity penetration entity set as the target attack activity penetration entities whose penetration concern value must be determined again in the next round. Generating, for each attack activity penetration entity in the key set, the penetration concern value associated with it from the current penetration effective values of its connected attack activity penetration entities in the key set then comprises: for each target attack activity penetration entity in the key set, generating the penetration concern value associated with it from the current penetration effective values of its connected attack activity penetration entities in the key set.
In some non-limiting embodiments, by extracting the attack activity penetration entities whose current penetration effective values were adjusted in the current migration flow, the attack activity penetration entities whose penetration effective values need to be determined again in the next migration flow can be determined directly. When the penetration effective value of an attack activity penetration entity is adjusted, that entity may influence the determination of the penetration effective values of its connected attack activity penetration entities. Therefore, after the current migration flow is terminated, the attack activity penetration entities with adjusted penetration effective values are extracted, and when the next migration is triggered, their connected attack activity penetration entities are selected from the attack activity penetration entities that remain candidates in the key attack activity penetration entity set and serve as the attack activity penetration entities whose penetration effective values need to be determined again in the next migration flow. This avoids determining the penetration effective values again for all attack activity penetration entities in the key attack activity penetration entity set, and improves analysis efficiency. The connected attack activity penetration entities of the entities whose current penetration effective values were adjusted do not include attack activity penetration entities that have already been removed from the key attack activity penetration entity set.
In some non-limiting embodiments, the method further comprises: when the current migration flow starts, resetting the adjustment count of the attack activity penetration entities to zero, wherein the adjustment count is used to extract the connectivity of the attack activity penetration entities whose current penetration effective values are adjusted in the current migration flow; counting the connectivity of the attack activity penetration entities whose current penetration effective values were adjusted in the current migration flow; updating the adjustment count of the attack activity penetration entities according to that connectivity; when the current migration flow is terminated, continuing with the next round of migration if the adjustment count is non-zero; and when the current migration flow is terminated and the adjustment count is zero, terminating the migration.
In some non-limiting embodiments, in the process of analyzing the key attack activity penetration entity set, the connectivity of the attack activity penetration entities whose current penetration effective values were adjusted in the current migration flow may be extracted according to a flag. The security big data analysis system may maintain a connectivity counter for extracting the attack activity penetration entities with adjusted penetration effective values in each round of migration: the flag is set to 0 when the current migration flow starts, and for the attack activity penetration entities participating in the current round of migration, the flag is incremented by 1 whenever the penetration effective value of an attack activity penetration entity is adjusted. After the current round of migration is terminated, a flag that is not 0 indicates that some attack activity penetration entity had its penetration effective value adjusted in the current round, so the migration must continue; a flag that is 0 indicates that no attack activity penetration entity had its penetration effective value adjusted in the entire current round, and the whole migration process ends.
The Process403 takes an attack activity penetration entity in the key attack activity penetration entity set obtained when the migration is terminated as an attention attack activity penetration entity, and takes a current penetration effective value of the attention attack activity penetration entity when the migration is terminated as a penetration effective value associated with the attention attack activity penetration entity.
After the migration is completed, the penetration effective values of the attack activity penetration entities remaining as candidates in the key attack activity penetration entity set are all greater than the set effective value, so these attack activity penetration entities may be referred to as concerned attack activity penetration entities. The penetration effective value of a concerned attack activity penetration entity is its penetration effective value within the whole historical target attack activity penetration data.
In some non-limiting embodiments, the process of generating the penetration effective value for each attack activity penetration entity in the set of key attack activity penetration entities is as follows:
1) generating the penetration metric parameter of each attack activity penetration entity in the key attack activity penetration entity set according to its connectivity to the other attack activity penetration entities in the key attack activity penetration entity set, and resetting the current penetration effective value of each attack activity penetration entity to its penetration metric parameter;
2) resetting Connected to zero, wherein Connected represents the connectivity of the attack activity penetration entities whose penetration effective values are adjusted in each round of migration;
3) determining the penetration concern value of each attack activity penetration entity in the key attack activity penetration entity set according to the current penetration effective values of its connected attack activity penetration entities, wherein the connected attack activity penetration entities of an attack activity penetration entity are those attack activity penetration entities in the key attack activity penetration entity set that are connected to it, with entities in the non-concern state filtered out. When the penetration concern value is less than or equal to the set effective value, the attack activity penetration entity is marked as being in the non-concern state; when the penetration concern value is greater than the set effective value and less than the current penetration effective value of the attack activity penetration entity, the current penetration effective value of the attack activity penetration entity is adjusted according to the penetration concern value, and Connected is incremented by 1;
4) when Connected is not 0, repeating steps 2) to 3); otherwise, stopping the migration, at which point the current penetration effective value of each attack activity penetration entity in the key attack activity penetration entity set that has not been marked as being in the non-concern state is the penetration effective value of that attack activity penetration entity in the whole historical target attack activity penetration data, and the attack activity penetration entities in the key attack activity penetration entity set that have not been marked as non-concern are the concerned attack activity penetration entities in the target attack activity penetration data.
In some non-limiting embodiments, the penetration effective value of each attack activity penetration entity in the key attack activity penetration entity set is determined in combination with the penetration concern value. The penetration effective value determined in each round of migration is compared with the set effective value, and an attack activity penetration entity continues to participate in the migration only when its penetration effective value determined in that round is greater than the set effective value; otherwise it does not participate in subsequent rounds, which improves the analysis efficiency for the key attack activity penetration entity set.
The Process304 outputs a candidate attack activity penetration entity set in the target attack activity penetration data according to the attack activity penetration entities except the concerned attack activity penetration entity in the target attack activity penetration data and the penetration cooperation information between the attack activity penetration entities.
In some non-limiting embodiments, after the security big data analysis system determines the concerned attack activity penetration entities in the target attack activity penetration data, the penetration effective value of the component attack activity penetration entities in the target attack activity penetration data, except the concerned attack activity penetration entities, is less than or equal to the set effective value, and these attack activity penetration entities and the penetration cooperative information formed therebetween are referred to as a candidate attack activity penetration entity set.
In some non-limiting embodiments, outputting a set of candidate attack activity penetration entities in the target attack activity penetration data according to the attack activity penetration entities in the target attack activity penetration data except the concerned attack activity penetration entity and penetration cooperation information between the attack activity penetration entities, includes: removing an attack activity penetration entity of interest from the target attack activity penetration data; and outputting a candidate attack activity infiltration entity set according to the component attack activity infiltration entity after the concerned attack activity infiltration entity is removed and the infiltration cooperation information between the component attack activity infiltration entities.
The Process305 generates a penetration effective value of each attack activity penetration entity in the candidate attack activity penetration entity set by combining the candidate attack activity penetration entity set and the concerned attack activity penetration entity.
The determination of the penetration effective value associated with each attack activity penetration entity in the candidate attack activity penetration entity set also follows the penetration-concern-value migration method. However, since the concerned attack activity penetration entities affect the determination of the penetration effective values of the attack activity penetration entities in the candidate attack activity penetration entity set, the contribution of the concerned attack activity penetration entities to the penetration effective values of the candidate attack activity penetration entities needs to be taken into account in the migration flow. After obtaining the candidate attack activity penetration entity set and the concerned attack activity penetration entities in the target attack activity penetration data, the security big data analysis system can determine the penetration effective values of all attack activity penetration entities in the candidate attack activity penetration entity set by combining the candidate attack activity penetration entity set with the concerned attack activity penetration entities.
In some non-limiting embodiments, the security big data analysis system may perform data mining on the candidate attack activity penetration entity set and analyze the penetration effective value of each attack activity penetration entity from it. In some non-limiting embodiments, for P = 1, P = 2, …, up to P equal to the set effective value, the attack activity penetration entities whose penetration metric parameter is less than or equal to P are repeatedly removed from the candidate attack activity penetration entity set, giving P groups of attack activity penetration entity sets; this determines, for each attack activity penetration entity in the candidate attack activity penetration entity set, the attack activity penetration entity set with the largest penetration effective value to which it belongs, and thus its penetration effective value.
In some non-limiting embodiments, when the candidate attack activity penetration entity set is migrated, the security big data analysis system may further adjust, in the current migration flow, the penetration effective value of the corresponding attack activity penetration entity for the current migration flow according to the penetration concern value of each connected attack activity penetration entity of that attack activity penetration entity in the target attack activity penetration data after the previous round of migration.
In some non-limiting embodiments, the penetration concern value of an attack activity penetration entity may be an AT coefficient over all of its connected attack activity penetration entities: if the AT coefficient of an attack activity penetration entity is AT, the attack activity penetration entity has at least AT connected attack activity penetration entities whose penetration metric parameters are not less than AT. For example, if the attack activity penetration entity has AT connected attack activity penetration entities whose current penetration effective values are greater than or equal to AT, but does not have AT+1 connected attack activity penetration entities whose current penetration effective values are greater than or equal to AT+1, the penetration concern value associated with the attack activity penetration entity is determined to be AT, where AT is a positive integer.
In some non-limiting embodiments, the generating of the penetration effective value of each attack activity penetration entity in the candidate attack activity penetration entity set by combining the candidate attack activity penetration entity set and the attack activity penetration entity of interest may be performed by the following alternative embodiments.
The Process501 resets the current penetration effective value of each attack activity penetration entity in the candidate attack activity penetration entity set according to the connectivity of each attack activity penetration entity in the candidate attack activity penetration entity set in the historical target attack activity penetration data.
In some non-limiting embodiments, when analyzing the candidate attack activity penetration entity set, the security big data analysis system may reset the penetration effective value of each attack activity penetration entity in the candidate attack activity penetration entity set according to the penetration metric parameter of each attack activity penetration entity in the historical target attack activity penetration data, as the initial current penetration effective value.
For example, when determining the penetration effective value of each attack activity penetration entity in the candidate attack activity penetration entity set, each round of migration must consider not only the influence of the attack activity penetration entities in the candidate attack activity penetration entity set on the penetration effective value, but also the influence of the concerned attack activity penetration entities, so the contribution of the concerned attack activity penetration entities to the penetration metric parameter of the candidate attack activity penetration entity needs to be considered. In other words, the current penetration effective value of an attack activity penetration entity is reset to the sum of its penetration metric parameter within the candidate attack activity penetration entity set and its connectivity to the concerned attack activity penetration entities, which equals its penetration metric parameter in the historical target attack activity penetration data.
In some non-limiting embodiments, according to the foregoing solution, the penetration effective values of the concerned attack activity penetration entities have already been determined and are all greater than the set effective value, while the penetration effective values of the attack activity penetration entities in the candidate attack activity penetration entity set are all less than or equal to the set effective value. Therefore, when the penetration effective values of the concerned attack activity penetration entities are needed while determining the penetration effective values of the attack activity penetration entities in the candidate attack activity penetration entity set, they may all be set to the set effective value, or to any value greater than the set effective value, or the penetration effective values of the concerned attack activity penetration entities determined in the previous steps may be used directly; these different settings do not affect the result obtained for the penetration effective values of the attack activity penetration entities in the candidate attack activity penetration entity set.
The Process502 performs migration on each attack activity penetration entity in the candidate attack activity penetration entity set, and generates the penetration concern value associated with the attack activity penetration entity according to the current penetration effective values of its connected attack activity penetration entities in the target attack activity penetration data; when the penetration concern value is smaller than the current penetration effective value of the attack activity penetration entity, the current penetration effective value of the attack activity penetration entity is adjusted according to its penetration concern value, and the migration stops when the current penetration effective value of no attack activity penetration entity in the candidate attack activity penetration entity set is adjusted in the current migration flow.
In some non-limiting embodiments, the security big data analysis system processes each attack activity penetration entity in the candidate attack activity penetration entity set in each round of the migration flow. For each attack activity penetration entity in the candidate attack activity penetration entity set, it generates the penetration concern value associated with the attack activity penetration entity according to the current penetration effective values of its connected attack activity penetration entities in the target attack activity penetration data, namely the penetration effective values of all its connected attack activity penetration entities after the previous round of migration. If the connected attack activity penetration entities include a concerned attack activity penetration entity, its penetration effective value was determined in the previous step, so it does not need to be updated during the migration of the candidate attack activity penetration entity set. If the penetration concern value of the attack activity penetration entity is smaller than its current penetration effective value, the current penetration effective value is adjusted according to the penetration concern value.
The migration termination condition is that the current penetration effective values of all attack activity penetration entities in the candidate attack activity penetration entity set are unchanged in the current migration flow. For example, when the penetration concern value determined from the penetration effective values of the connected attack activity penetration entities in the previous round of migration equals the current penetration effective value of the attack activity penetration entity, its penetration effective value is not adjusted; if the current penetration effective values of all attack activity penetration entities in the candidate attack activity penetration entity set are not adjusted in the current migration flow, the migration is terminated.
In some non-limiting embodiments, the method further comprises: after the current round of migration is terminated, extracting the attack activity penetration entities whose current penetration effective values were adjusted in the current migration flow; when the next round of migration is triggered, using the connected attack activity penetration entities of the extracted attack activity penetration entities within the candidate attack activity penetration entity set as the target attack activity penetration entities whose penetration concern values need to be determined again in the next migration flow; and, for each attack activity penetration entity in the candidate attack activity penetration entity set, generating the penetration concern value associated with that attack activity penetration entity according to the current penetration effective values of its connected attack activity penetration entities in the target attack activity penetration data, which comprises: for each target attack activity penetration entity in the candidate attack activity penetration entity set, generating the penetration concern value associated with the target attack activity penetration entity according to the current penetration effective values of its connected attack activity penetration entities in the target attack activity penetration data.
In some non-limiting embodiments, by extracting the attack activity penetration entities whose current penetration effective values were adjusted in the current migration flow, the attack activity penetration entities whose penetration effective values need to be determined again in the next migration flow can be determined directly. When the penetration effective value of an attack activity penetration entity is adjusted, that entity may influence the determination of the penetration effective values of its connected attack activity penetration entities. Therefore, after the current migration flow is terminated, the attack activity penetration entities with adjusted penetration effective values are extracted, and when the next migration is triggered, their connected attack activity penetration entities are selected from the candidate attack activity penetration entity set to serve as the attack activity penetration entities whose penetration effective values need to be determined again in the next migration flow. This avoids determining the penetration effective values again for all attack activity penetration entities in the candidate attack activity penetration entity set, and improves analysis efficiency. After the connected attack activity penetration entities of an entity with an adjusted current penetration effective value have been generated, any concerned attack activity penetration entity among them does not need to have its penetration effective value determined again.
In some non-limiting embodiments, the method further comprises: when the current migration flow starts, resetting the adjustment count of the attack activity penetration entities to zero, wherein the adjustment count is used to extract the connectivity of the attack activity penetration entities whose current penetration effective values are adjusted in the current migration flow; counting the connectivity of the attack activity penetration entities whose current penetration effective values were adjusted in the current migration flow; updating the adjustment count of the attack activity penetration entities according to that connectivity; when the current migration flow is terminated, continuing with the next round of migration if the adjustment count is non-zero; and when the current migration flow is terminated and the adjustment count is zero, terminating the migration.
In some non-limiting embodiments, in the process of analyzing the candidate attack activity penetration entity set, the connectivity of the attack activity penetration entities whose current penetration effective values were adjusted in the current migration flow may be extracted according to a flag. The security big data analysis system may maintain a connectivity counter for extracting the attack activity penetration entities with adjusted penetration effective values in each round of migration: the flag is set to 0 when the current migration flow starts, and for the attack activity penetration entities participating in the current round of migration, the flag is incremented by 1 whenever the penetration effective value of an attack activity penetration entity is adjusted. After the current round of migration is terminated, a flag that is not 0 indicates that some attack activity penetration entity had its penetration effective value adjusted in the current round, so the migration must continue; a flag that is 0 indicates that no attack activity penetration entity had its penetration effective value adjusted in the entire current round, and the whole migration process ends.
The Process503 takes the current penetration effective value of each attack activity penetration entity at the time the migration stops as the penetration effective value associated with that attack activity penetration entity.
After the migration is finished, the penetration effective value of each attack activity penetration entity in the candidate attack activity penetration entity set is its penetration effective value in the whole historical target attack activity penetration data.
In some non-limiting embodiments, the process of generating a penetration valid value for each attack activity penetration entity in the candidate set of attack activity penetration entities is as follows:
a1, determining the penetration measurement parameters of each attack activity penetration entity in the candidate attack activity penetration entity set;
A2, counting, for each attack activity penetration entity in the candidate attack activity penetration entity set, the number q of concerned attack activity penetration entities connected to it, and resetting the current penetration effective value of the attack activity penetration entity to the sum of q and its penetration metric parameter;
A3, resetting Connected to zero, wherein Connected represents the connectivity of the attack activity penetration entities whose penetration effective values are adjusted in each round of migration;
A4, for each attack activity penetration entity in the candidate attack activity penetration entity set, determining the penetration concern value according to the current penetration effective values of its connected attack activity penetration entities. The connected attack activity penetration entities here are those connected to the attack activity penetration entity in the historical target attack activity penetration data; that is, they include not only attack activity penetration entities in the candidate attack activity penetration entity set but also concerned attack activity penetration entities. When the penetration concern value is smaller than the current penetration effective value of the attack activity penetration entity, the current penetration effective value of the attack activity penetration entity is adjusted according to the penetration concern value, and Connected is incremented by 1.
A5, when Connected is not 0, repeating A3 to A4; otherwise, stopping the migration, at which point the penetration effective value of each attack activity penetration entity in the candidate attack activity penetration entity set is its penetration effective value in the whole historical target attack activity penetration data.
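As an added worked example (not the patent's own code), the following Python runs both migration flows, steps 1) to 4) on the key set and A1 to A5 on the candidate set, over a small constructed graph. It reads an attack activity penetration entity as a graph node, penetration cooperation information as an undirected edge, the penetration metric parameter as node degree, and the penetration concern value as the AT coefficient described above; all function and variable names are assumptions of this example.

```python
from collections import defaultdict


def at_coefficient(values):
    """The page's AT coefficient (an h-index): the largest AT such that at
    least AT of the given values are >= AT."""
    at = 0
    for i, v in enumerate(sorted(values, reverse=True), start=1):
        if v >= i:
            at = i
        else:
            break
    return at


def build_adjacency(edges):
    """Undirected graph: entities are nodes, cooperation information are edges."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def concerned_entities(adj, k):
    """Processes 605-608 / steps 1)-4): returns {entity: effective value}
    for the concerned entities (all values end up > k)."""
    # Process 605: single pass removing entities whose degree (penetration
    # metric parameter) is <= the set effective value k.
    key = {n for n in adj if len(adj[n]) > k}
    # Process 606: initial current effective value = degree inside the key set.
    value = {n: len(adj[n] & key) for n in key}
    while True:
        connected = 0  # the page's Connected counter, reset each round
        for n in sorted(key):
            concern = at_coefficient(value[m] for m in adj[n] if m in key)
            if concern <= k:
                # Non-concern state: leaves the key set and later rounds.
                # Assumption of this example: counted as a change so that
                # neighbours are re-examined (the page counts value adjustments).
                key.discard(n)
                connected += 1
            elif concern < value[n]:
                value[n] = concern
                connected += 1
        if connected == 0:
            break
    return {n: value[n] for n in key}


def candidate_values(adj, concerned):
    """Processes 501-503 / steps A1-A5: effective values of the remaining
    (candidate) entities; concerned entities keep their fixed values."""
    cand = set(adj) - set(concerned)
    # A1-A2: degree within the candidate set plus q concerned neighbours.
    value = {n: len(adj[n] & cand) + len(adj[n] & set(concerned)) for n in cand}
    while True:
        connected = 0  # A3
        for n in sorted(cand):  # A4: neighbours may be candidates or concerned
            neighbour_vals = [value[m] if m in cand else concerned[m] for m in adj[n]]
            concern = at_coefficient(neighbour_vals)
            if concern < value[n]:
                value[n] = concern
                connected += 1
        if connected == 0:  # A5
            break
    return value


def analyze(edges, k):
    """Returns (concerned entities, effective value of every entity)."""
    adj = build_adjacency(edges)
    concerned = concerned_entities(adj, k)
    candidates = candidate_values(adj, concerned)
    return concerned, {**concerned, **candidates}


# Constructed sample graph: a 4-clique a-b-c-d, a triangle a-b-e hanging off
# it, and a tail e-f-g.
SAMPLE_EDGES = [("a", "b"), ("a", "c"), ("a", "d"), ("b", "c"), ("b", "d"),
                ("c", "d"), ("e", "a"), ("e", "b"), ("f", "e"), ("f", "g")]

if __name__ == "__main__":
    concerned, values = analyze(SAMPLE_EDGES, k=1)
    print("concerned:", sorted(concerned))
    print("values:", dict(sorted(values.items())))
```

With k = 1, entity f survives the single-pass degree prune but is dropped during the key-set migration, and is then valued again in the candidate flow; the final values are the same whether k = 1 or k = 2 is used as the set effective value.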
Since the attack activity penetration entities in the candidate attack activity penetration entity set do not affect the attack activity penetration entities in the key attack activity penetration entity set, the concerned attack activity penetration entities in the key attack activity penetration entity set and their associated penetration effective values are determined directly first. The candidate attack activity penetration entity set is then formed from the remaining part of the target attack activity penetration data, excluding the concerned attack activity penetration entities and the penetration cooperation information among them. Finally, taking into account the influence of the concerned attack activity penetration entities in the key attack activity penetration entity set on the attack activity penetration entities in the candidate attack activity penetration entity set, the penetration effective value of each attack activity penetration entity in the candidate attack activity penetration entity set is determined from the candidate attack activity penetration entity set together with the concerned attack activity penetration entities. After the penetration effective value of each attack activity penetration entity in the target attack activity penetration data has been analyzed, it can be used as a feature of the corresponding attack activity penetration entity to generate corresponding collaborative vulnerability data for other business processing and analysis.
In some non-limiting embodiments, the information security processing method for the cloud computing environment may include the following steps.
The Process601 acquires target attack activity penetration data.
The Process602 generates the connectivity of the connected attack activity penetration entities of each attack activity penetration entity in the target attack activity penetration data.
The Process603 takes the connectivity of the connected attack activity penetration entities as the penetration metric parameter of the corresponding attack activity penetration entity.
The Process604 acquires a set valid value.
The Process605 removes the attack activity penetration entity of which the penetration measurement parameter is less than or equal to the set effective value and the penetration cooperation information associated with the attack activity penetration entity from the target attack activity penetration data, and obtains a key attack activity penetration entity set according to the penetration cooperation information between the component attack activity penetration entity and the component attack activity penetration entity in the target attack activity penetration data.
The Process606 outputs the permeability measurement parameters of the attack activity permeable entities in the key attack activity permeable entity set according to the connectivity of the attack activity permeable entities in the key attack activity permeable entity set, and takes the permeability measurement parameters in the key attack activity permeable entity set as the initial current permeability effective values of the corresponding attack activity permeable entities.
The Process607 performs wandering execution on each attack activity infiltration entity in the key attack activity infiltration entity set, and generates an infiltration concern value associated with the attack activity infiltration entity according to a current infiltration effective value of the attack activity infiltration entity in the key attack activity infiltration entity set; removing attack activity infiltration entities from the key attack activity infiltration entity set when the infiltration interest value is less than or equal to the set effective value; and when the permeation attention value is larger than the set effective value and smaller than the current permeation effective value of the attack activity permeation entity, adjusting the current permeation effective value of the attack activity permeation entity according to the permeation attention value of the attack activity permeation entity, and stopping the migration until the current permeation effective values of all attack activity permeation entities in the key attack activity permeation entity set in the current migration process are not adjusted.
The Process608 takes an attack activity penetration entity in the key attack activity penetration entity set obtained when the migration is terminated as an attention attack activity penetration entity, and takes a current penetration effective value of the attention attack activity penetration entity when the migration is terminated as a penetration effective value associated with the attention attack activity penetration entity.
The Process609 removes the attack activity of interest infiltration entity from the target attack activity infiltration data.
The Process610 outputs a candidate attack activity penetration entity set according to the component attack activity penetration entity after the attack activity penetration entity concerned is removed and the penetration cooperation information between the component attack activity penetration entities.
The Process611 resets the current penetration effective value of each attack activity penetration entity in the candidate attack activity penetration entity set according to the connectivity of each attack activity penetration entity in the candidate attack activity penetration entity set in the historical target attack activity penetration data.
The Process612, performing wandering execution on each attack activity penetration entity in the candidate attack activity penetration entity set, and generating a penetration concern value associated with the attack activity penetration entity according to a current penetration effective value of the attack activity penetration entity in the target attack activity penetration data; and when the permeation concern value is smaller than the current permeation effective value of the attack activity permeation entity, adjusting the current permeation effective value of the attack activity permeation entity according to the permeation concern value of the attack activity permeation entity, and stopping the migration until the current permeation effective value of each attack activity permeation entity in the candidate attack activity permeation entity set in the current migration flow is not adjusted.
The Process613 takes the current penetration effective value of the attack activity penetration entity at the time of stopping the walk as the penetration effective value associated with the attack activity penetration entity.
And the Process614 generates the cooperative vulnerability data associated with the attack activity penetration entities according to the penetration effective value of each attack activity penetration entity.
And the Process615 outputs the attack activity penetration entity according to the cooperative vulnerability data of the attack activity penetration entity.
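The two-phase walk of Process 601 to 615, as an added worked example in Python that is not part of the patent. It assumes that the penetration cooperation information is an undirected graph of entities, that connectivity is node degree, and that the penetration concern value is the number of an entity's neighbours still in play whose current effective value exceeds the set effective value; the page does not define that rule, and the function names (`key_entity_walk`, `candidate_walk`, `analyze`) and the sample graph are constructed here.

```python
from collections import defaultdict

# Constructed sample (not from the page): a dense cluster A-B-C-D with a
# chain E-F-G-H-I hanging off D. Each pair is one piece of penetration
# cooperation information between two attack activity penetration entities.
SAMPLE_EDGES = [
    ("A", "B"), ("A", "C"), ("B", "C"), ("B", "D"), ("C", "D"),
    ("D", "E"), ("E", "F"), ("F", "G"), ("G", "H"), ("H", "I"),
]


def build_graph(edges):
    """Process 601/602: undirected adjacency sets; connectivity = degree."""
    g = defaultdict(set)
    for u, v in edges:
        g[u].add(v)
        g[v].add(u)
    return dict(g)


def concern_value(node, current, members, g, threshold):
    """Assumed rule for the penetration concern value: the number of
    neighbours still in `members` whose current effective value is above
    the set effective value. Entities outside `members` never count."""
    return sum(1 for n in g[node] if n in members and current[n] > threshold)


def key_entity_walk(g, threshold):
    """Process 603-608: build the key set, then walk it until stable."""
    # Process 605: drop entities whose connectivity <= set effective value,
    # together with their cooperation information.
    members = {n for n in g if len(g[n]) > threshold}
    # Process 606: initial current value = connectivity inside the key set.
    current = {n: len(g[n] & members) for n in members}
    changed = True
    while changed:  # Process 607: one complete pass of the walk
        changed = False
        for n in sorted(members):
            cv = concern_value(n, current, members, g, threshold)
            if cv <= threshold:  # concern too low: leave the key set
                members.discard(n)
                del current[n]
                changed = True
            elif cv < current[n]:  # concern below current value: adjust
                current[n] = cv
                changed = True
    return current  # Process 608: attention entities and their values


def candidate_walk(g, attention, threshold):
    """Process 609-613: the entities outside the attention set are walked
    against the whole target data, so attention entities keep their final
    values and still influence their candidate neighbours."""
    members = {n for n in g if n not in attention}
    values = dict(attention)
    # Process 611: reset candidates to connectivity in the full (historical) data.
    values.update({n: len(g[n]) for n in members})
    everyone = set(g)
    changed = True
    while changed:  # Process 612: no removal here, only downward adjustment
        changed = False
        for n in sorted(members):
            cv = concern_value(n, values, everyone, g, threshold)
            if cv < values[n]:
                values[n] = cv
                changed = True
    return {n: values[n] for n in members}  # Process 613


def analyze(edges, threshold):
    """Process 601-615 end to end: entity -> penetration effective value,
    highest first, which is the per-entity collaborative vulnerability data."""
    g = build_graph(edges)
    attention = key_entity_walk(g, threshold)
    candidates = candidate_walk(g, attention, threshold)
    merged = {**attention, **candidates}
    return dict(sorted(merged.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    # With a set effective value of 1 the A-B-C-D cluster survives as the
    # attention set; the chain decays to 0 the farther it is from the cluster.
    print(analyze(SAMPLE_EDGES, 1))
```

Raising the set effective value to 2 empties the key set on this sample, which is the failure mode a practitioner should check for before trusting the output: a threshold above the densest cluster's internal connectivity leaves no attention entities at all.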
In some non-limiting embodiments, the collaborative vulnerability data associated with an attack activity penetration entity may be generated from its penetration effective value, and the collaborative vulnerability data is used to output the potential attention to be paid to that attack activity penetration entity.
Fig. 2 illustrates a hardware structural diagram of a security big data analysis system 100 for implementing the above method for analyzing vulnerabilities of a cloud service application based on attack big data according to an embodiment of the present application, and as shown in fig. 2, the security big data analysis system 100 may include a processor 110, a machine-readable storage medium 120, a bus 130, and a communication unit 140.
In one possible design, the security big data analysis system 100 may be a single server or a server group. The server group may be centralized or distributed (for example, the security big data analysis system 100 may be a distributed system). In some embodiments, the security big data analysis system 100 may be local or remote. For example, the security big data analysis system 100 may access information and/or data stored in the machine-readable storage medium 120 via a network. As another example, the security big data analysis system 100 may be directly connected to the machine-readable storage medium 120 to access stored information and/or data. In some embodiments, the security big data analysis system 100 may be implemented on a cloud platform. By way of example only, the cloud platform may include a private cloud, a public cloud, a hybrid cloud, a community cloud, a distributed cloud, an internal cloud, a multi-tiered cloud, and the like, or any combination thereof.
The machine-readable storage medium 120 may store data and/or instructions. In some embodiments, the machine-readable storage medium 120 may store data obtained from an external terminal. In some embodiments, the machine-readable storage medium 120 may store data and/or instructions that the security big data analysis system 100 executes or uses to perform the example methods described in this application. In some embodiments, the machine-readable storage medium 120 may include mass storage, removable storage, volatile read-write memory, read-only memory (ROM), and the like, or any combination thereof. Exemplary mass storage devices may include magnetic disks, optical disks, solid state disks, and the like. Exemplary removable storage may include flash drives, floppy disks, optical disks, memory cards, compact disks, magnetic tape, and the like. Exemplary volatile read-write memory may include random access memory (RAM). Exemplary RAM may include dynamic random access memory (DRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), static random access memory (SRAM), thyristor random access memory (T-RAM), and zero-capacitor random access memory (Z-RAM), among others. Exemplary read-only memory may include mask read-only memory (MROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM), digital versatile disc read-only memory (DVD-ROM), and the like. In some embodiments, the machine-readable storage medium 120 may be implemented on a cloud platform. By way of example only, the cloud platform may include a private cloud, a public cloud, a hybrid cloud, a community cloud, a distributed cloud, an internal cloud, a multi-tiered cloud, and the like, or any combination thereof.
In a specific implementation, the one or more processors 110 execute the computer-executable instructions stored in the machine-readable storage medium 120, so that the processors 110 can perform the cloud service application vulnerability analysis method based on attack big data according to the method embodiments above. The processors 110, the machine-readable storage medium 120, and the communication unit 140 are connected by the bus 130, and the processors 110 may be configured to control the transmitting and receiving actions of the communication unit 140.
For the specific implementation process of the processor 110, reference may be made to the method embodiments executed by the security big data analysis system 100 described above; the implementation principles and technical effects are similar and are not described again here.
In addition, an embodiment of the present application further provides a readable storage medium, where a computer-executable instruction is preset in the readable storage medium, and when a processor executes the computer-executable instruction, the cloud service application vulnerability analysis method based on the attack big data is implemented.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, where the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium may be at least one of the following media: various media that can store program codes, such as Read-only Memory (ROM), RAM, magnetic disk, or optical disk.
Each embodiment in the present specification is described in a progressive manner, and the same and similar parts in each embodiment are referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, for the apparatus and system embodiments, since they are substantially similar to the method embodiments, they are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described embodiments of the apparatus and system are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (10)

1. A cloud service application program vulnerability analysis method based on attack big data, applied to a security big data analysis system, the method comprising the following steps:
generating an application program vulnerability distribution of a cloud service application program according to a cloud attack big data log of the cloud service application program;
generating cooperative vulnerability data of the cloud service application program according to the application program vulnerability distribution of the cloud service application program and attack activity penetration data between the cloud service application program and other cooperative service application programs;
and, according to the cooperative vulnerability data of the cloud service application program, carrying out vulnerability repair optimization on a cloud application framework on which the cloud service application program runs.
2. The cloud service application vulnerability analysis method based on attack big data according to claim 1, wherein the step of generating cooperative vulnerability data of the cloud service application according to the application vulnerability distribution of the cloud service application and the attack activity penetration data between the cloud service application and other cooperative service applications comprises:
acquiring target attack activity penetration data with a relationship vector with the distribution of the application program weak points of the cloud service application program from the attack activity penetration data between the cloud service application program and other cooperative service application programs, and acquiring penetration measurement parameters of attack activity penetration entities in the target attack activity penetration data;
determining a key attack activity penetration entity set from the target attack activity penetration data according to the penetration measurement parameters of the attack activity penetration entities;
according to the connectivity of each attack activity penetration entity in the key attack activity penetration entity set to the other attack activity penetration entities, outputting the penetration measurement parameter of each attack activity penetration entity in the key attack activity penetration entity set, and taking that penetration measurement parameter as the initial current penetration effective value of the corresponding attack activity penetration entity;
performing a walk over each attack activity penetration entity in the key attack activity penetration entity set, generating a penetration concern value associated with the attack activity penetration entity according to the current penetration effective values of the attack activity penetration entities in the key attack activity penetration entity set;
removing the attack activity penetration entity from the key attack activity penetration entity set when the penetration concern value is less than or equal to a set effective value;
when the penetration concern value is greater than the set effective value and smaller than the current penetration effective value of the attack activity penetration entity, adjusting the current penetration effective value of the attack activity penetration entity according to its penetration concern value, and terminating the walk when the current penetration effective value of no attack activity penetration entity in the key attack activity penetration entity set is adjusted in the current pass of the walk;
taking the attack activity penetration entities in the key attack activity penetration entity set obtained when the walk terminates as attention attack activity penetration entities, and taking the current penetration effective value of each attention attack activity penetration entity when the walk terminates as the penetration effective value associated with it;
outputting a candidate attack activity penetration entity set in the target attack activity penetration data according to the attack activity penetration entities in the target attack activity penetration data other than the attention attack activity penetration entities and the penetration cooperation information between them;
resetting the current penetration effective value of each attack activity penetration entity in the candidate attack activity penetration entity set according to the connectivity of that attack activity penetration entity in the past target attack activity penetration data;
performing a walk over each attack activity penetration entity in the candidate attack activity penetration entity set, generating a penetration concern value associated with the attack activity penetration entity according to the current penetration effective values of the attack activity penetration entities in the target attack activity penetration data;
when the penetration concern value is smaller than the current penetration effective value of the attack activity penetration entity, adjusting the current penetration effective value of the attack activity penetration entity according to its penetration concern value, and terminating the walk when the current penetration effective value of no attack activity penetration entity in the candidate attack activity penetration entity set is adjusted in the current pass of the walk;
taking the current penetration effective value of each attack activity penetration entity when the walk terminates as the penetration effective value associated with that attack activity penetration entity, and outputting the cooperative vulnerability data of the cloud service application program according to the penetration effective value of each attack activity penetration entity in the candidate attack activity penetration entity set;
wherein the generated penetration effective value is used for generating collaborative vulnerability data associated with a corresponding attack activity penetration entity.
3. The cloud service application vulnerability analysis method based on attack big data according to claim 1, wherein the step of generating the application vulnerability distribution of the cloud service application according to the cloud attack big data log of the cloud service application comprises:
acquiring a cloud attack big data log of a cloud service application program;
carrying out attack variable mining on the cloud attack big data log, and outputting an attack event basic vector set and an attack event derived vector set, wherein the attack event basic vector set represents threat entity vectors associated with the attack events indicated by the cloud attack big data log, and the attack event derived vector set represents derived threat entity vectors used for carrying out derived prediction on the threat entity vectors associated with the attack events in the cloud attack big data log;
acquiring a first attack mapping vector set between the cloud attack big data log and historical frequent item vulnerability variables, a second attack mapping vector set between the attack event basic vector set and basic variables of historical attack event frequent items, and a third attack mapping vector set between the attack event derived vector set and derived variables of historical attack event frequent items, wherein the historical frequent item vulnerability variables are vulnerability variables related to frequent item vulnerabilities in an application program vulnerability distribution library, and the basic variables of the historical attack event frequent items and the derived variables of the historical attack event frequent items are component variables forming the historical frequent item vulnerability variables;
determining a vulnerability confidence between the cloud attack big data log and the historical frequent item vulnerability variables by combining the first attack mapping vector set, the second attack mapping vector set and the third attack mapping vector set;
and transmitting the cloud attack big data log to a target frequent item vulnerability variable in the historical frequent item vulnerability variables in combination with the vulnerability confidence, and outputting the latest vulnerability distribution corresponding to the target frequent item vulnerability variable as the application vulnerability distribution of the cloud service application program.
4. The cloud service application program vulnerability analysis method based on attack big data according to claim 3, wherein the method is implemented by an application program vulnerability analysis model, and the model development process of the application program vulnerability analysis model is as follows:
acquiring collected data of an attack case, wherein the collected data of the attack case correspond to example vulnerability data, the collected data of the attack case comprise a reference cloud attack big data log, a reference attack event basic vector set and a reference attack event derived vector set, and the reference attack event basic vector set and the reference attack event derived vector set respectively express feature vectors of the reference cloud attack big data log;
acquiring a first reference attack mapping vector set between the reference cloud attack big data log and the historical frequent item vulnerability variable, a second reference attack mapping vector set between the reference attack event basic vector set and the basic variable of the historical attack event frequent item, and a third reference attack mapping vector set between the reference attack event derived vector set and the derived variable of the historical attack event frequent item;
combining the first reference attack mapping vector set, the second reference attack mapping vector set and the third reference attack mapping vector set, and transmitting the combination to an initialized vulnerability analysis model to generate presumed vulnerability data;
and adjusting model parameters of the initialized vulnerability analysis model by combining the comparative cost value between the estimated vulnerability data and the example vulnerability data, and outputting the application program vulnerability analysis model.
5. The cloud service application vulnerability analysis method based on attack big data according to claim 4, wherein the application vulnerability analysis model is output by a basic vulnerability analysis model with model parameter adjustment, the basic vulnerability analysis model comprises a full connection output branch, a basic vector output branch and a derivative vector output branch;
the generating of the presumed vulnerability data by combining the first reference attack mapping vector set, the second reference attack mapping vector set and the third reference attack mapping vector set and transferring the presumed vulnerability data to an initialized vulnerability analysis model includes:
transmitting the first reference attack mapping vector set, the second reference attack mapping vector set and the third reference attack mapping vector set to the full-connection output branch, and outputting a presumed vulnerability variable;
transmitting the second reference attack mapping vector set to the basic vector output branch, and outputting a basic vector of a presumed attack event;
and transmitting the third reference attack mapping vector set to the derivative vector output branch, and outputting a presumed attack event derivative vector, wherein the presumed vulnerability variable, the presumed attack event base vector and the presumed attack event derivative vector form the presumed vulnerability data.
6. The cloud service application vulnerability analysis method based on attack big data of claim 5, wherein the example vulnerability data includes reference vulnerability variables, reference attack event base variables and reference attack event derivative variables associated with the reference cloud attack big data log;
the step of performing model parameter adjustment on the initialized vulnerability analysis model in combination with the comparison cost value between the estimated vulnerability data and the example vulnerability data, and outputting the application vulnerability analysis model comprises:
generating a first target cost value in conjunction with a comparison cost value between the putative vulnerability variable and the reference vulnerability variable;
generating a second target cost value by combining the comparative cost value between the basic vector of the presumed attack event and the basic variable of the reference attack event;
generating a third target cost value in combination with the comparison cost value between the putative attack event derived vector and the reference attack event derived variable;
and performing model parameter adjustment on the basic vulnerability analysis model by combining the first target cost value, the second target cost value and the third target cost value, and outputting an application program vulnerability analysis model.
7. The cloud service application vulnerability analysis method based on attack big data according to claim 6, wherein the determining vulnerability confidence between the cloud attack big data log and the historical frequent item vulnerability variables in combination with the first attack mapping vector set, the second attack mapping vector set and the third attack mapping vector set comprises:
and transmitting the first attack mapping vector set, the second attack mapping vector set and the third attack mapping vector set to a target full-connection output branch to generate the vulnerability confidence, wherein the target full-connection output branch is subjected to model parameter adjustment and output by the full-connection output branch in the basic vulnerability analysis model, and is used for predicting the confidence of the association between the cloud attack big data log and each historical frequent item vulnerability of the historical frequent item vulnerability variables.
8. The cloud service application program vulnerability analysis method based on attack big data according to any one of claims 3 to 7, wherein the obtaining of a first attack mapping vector set between the cloud attack big data log and historical frequent item vulnerability variables, a second attack mapping vector set between the attack event basic vector set and historical attack event frequent item basic variables, and a third attack mapping vector set between the attack event derived vector set and historical attack event frequent item derived variables comprises:
acquiring a first depth track characteristic point set corresponding to the historical frequent item vulnerability variable, a second depth track characteristic point set associated with the basic variable of the historical attack event frequent item, and a third depth track characteristic point set associated with the derivative variable of the historical attack event frequent item;
respectively combining the cloud attack big data log, the attack event basic vector set and the attack event derived vector set with an attention mechanism to extract depth track characteristic points, and outputting a fourth depth track characteristic point set, a fifth depth track characteristic point set and a sixth depth track characteristic point set;
combining the mapping relation information between the fourth depth track characteristic point set and the second depth track characteristic point set, and outputting the first attack mapping vector set;
combining the mapping relationship information between the fifth depth track feature point set and the second depth track feature point set, and outputting the second attack mapping vector set;
and outputting the third attack mapping vector set by combining the mapping relation information between the sixth depth track characteristic point set and the third depth track characteristic point set.
9. The cloud service application vulnerability analysis method based on attack big data according to claim 8, wherein the fourth depth track feature point set comprises attack event cross feature points and attack event cycle feature points, and the second depth track feature point set comprises weak cross feature points and weak cycle feature points;
the outputting the first attack mapping vector set by combining the mapping relationship information between the fourth depth track feature point set and the second depth track feature point set includes:
generating a first component attack mapping vector set by combining the mapping vectors between the attack event cross feature points and the weak cross feature points;
combining the mapping vectors between the attack event cycle characteristic points and the weak cycle characteristic points to generate a second component attack mapping vector set;
determining the first set of attack mapping vectors from the first set of component attack mapping vectors and the second set of component attack mapping vectors.
10. A security big data analysis system, comprising a processor and a machine-readable storage medium, wherein the machine-readable storage medium stores a computer program, and the computer program is loaded and executed by the processor to implement the cloud service application vulnerability analysis method based on attack big data according to any one of claims 1 to 9.
CN202210381428.XA 2022-04-13 2022-04-13 Cloud service application program vulnerability analysis method and system based on attack big data Active CN114692168B (en)

Publications (2)

Publication Number Publication Date
CN114692168A true CN114692168A (en) 2022-07-01
CN114692168B CN114692168B (en) 2023-01-13

Family

ID=82143863

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202210381428.XA Active CN114692168B (en) 2022-04-13 2022-04-13 Cloud service application program vulnerability analysis method and system based on attack big data
CN202211365991.4A Withdrawn CN115618361A (en) 2022-04-13 2022-04-13 Application program vulnerability analysis method and system based on big attack data

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202211365991.4A Withdrawn CN115618361A (en) 2022-04-13 2022-04-13 Application program vulnerability analysis method and system based on big attack data

Country Status (1)

Country Link
CN (2) CN114692168B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116467717A (en) * 2023-04-12 2023-07-21 广东南华工商职业学院 Cloud service application program vulnerability analysis method and system based on attack big data

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110119627A (en) * 2019-05-22 2019-08-13 刘士刚 Automate artificial intelligence leakage location
CN111783092A (en) * 2020-06-22 2020-10-16 湖南大学 Malicious attack detection method and system for communication mechanism between android applications
CN112906010A (en) * 2021-05-07 2021-06-04 北京安普诺信息技术有限公司 Automatic attack testing method and automatic safety testing method based on same
CN114143059A (en) * 2021-11-25 2022-03-04 潍坊安芯智能科技有限公司 Safety protection index optimization method based on big data information safety and AI system

Also Published As

Publication number Publication date
CN115618361A (en) 2023-01-17
CN114692168B (en) 2023-01-13

Similar Documents

Publication Title
CN111565205B (en) Network attack identification method and device, computer equipment and storage medium
US10031836B2 (en) Systems and methods for automatically generating message prototypes for accurate and efficient opaque service emulation
CN109889538B (en) User abnormal behavior detection method and system
CN111949803B (en) Knowledge graph-based network abnormal user detection method, device and equipment
US20190065738A1 (en) Detecting anomalous entities
CN106899440B (en) Network intrusion detection method and system for cloud computing
CN109818961B (en) Network intrusion detection method, device and equipment
WO2016022720A2 (en) Method and apparatus of identifying a transaction risk
CN113676484B (en) Attack tracing method and device and electronic equipment
CN111339436B (en) Data identification method, device, equipment and readable storage medium
US11675799B2 (en) Anomaly detection system
CN107070940B (en) Method and device for judging malicious login IP address from streaming login log
CN113221104B (en) Detection method of abnormal behavior of user and training method of user behavior reconstruction model
CN109446816A (en) A kind of user behavior analysis method based on big data platform audit log
CN111598711A (en) Target user account identification method, computer equipment and storage medium
CN114692168B (en) Cloud service application program vulnerability analysis method and system based on attack big data
CN112380531A (en) Black product group partner identification method, device, equipment and storage medium
CN110209562A (en) A kind of log analysis method and Analysis server
CN111327466B (en) Alarm analysis method, system, equipment and medium
US11652650B1 (en) Externally validated proof of work for appending a block record to a blockchain with a commitment database server
CN112070161A (en) Network attack event classification method, device, terminal and storage medium
CN113783862B (en) Method and device for checking data in edge cloud cooperation process
CN115604032A (en) Complex multi-step attack detection method and system for power system
CN114581086A (en) Phishing account detection method and system based on dynamic time sequence network
CN110197066B (en) Virtual machine monitoring method and system in cloud computing environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220905

Address after: No. 78, Minyi Street, Nangang District, Harbin City, Heilongjiang Province, 150000

Applicant after: Pu Jiahong

Address before: 150000 No. 607, floor 6, No. 41, Hanguang street, Nangang District, Harbin City, Heilongjiang Province

Applicant before: Harbin SHANGZHAN Technology Development Co.,Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20221223

Address after: 100097 908, block a, 8th floor, 116 Zizhuyuan Road, Haidian District, Beijing

Applicant after: ZHONGZI DATA CO.,LTD.

Applicant after: CHINA HIGHWAY ENGINEERING CONSULTING Corp.

Address before: No. 78, Minyi Street, Nangang District, Harbin City, Heilongjiang Province, 150000

Applicant before: Pu Jiahong

GR01 Patent grant