CN114745171A - External attack surface visualization analysis method and system based on graph technology - Google Patents


Info

Publication number: CN114745171A
Authority: CN (China)
Prior art keywords: graph, data, asset, assets, information
Legal status: Pending
Application number: CN202210366107.2A
Other languages: Chinese (zh)
Inventors: 黄国忠, 袁帅, 蓝朝贤
Current Assignee: Shenzhen Cubesec Technology Co ltd
Original Assignee: Shenzhen Cubesec Technology Co ltd
Application filed by Shenzhen Cubesec Technology Co ltd
Priority to CN202210366107.2A
Publication of CN114745171A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90: Details of database functions independent of the retrieved data types
    • G06F16/901: Indexing; Data structures therefor; Storage structures
    • G06F16/9024: Graphs; Linked lists
    • G06F16/904: Browsing; Visualisation therefor

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method and a system for visual analysis of an external attack surface based on graph technology. The method comprises the following steps: acquiring asset data of the internal and external networks and the association mapping relationships corresponding to each asset; parsing and processing the asset data and the association mapping relationships to obtain node information and edge information, thereby constructing a graph model and storing it in a graph database; querying the graph database using predefined high-risk data in combination with multiple graph relationship query modes to retrieve the corresponding risk data; and displaying the risk data to security personnel in real time through graph visualization technology, using the force-directed layout of G6, so as to realize visual analysis. The beneficial effects are as follows: graph technology helps users quickly sort out the external attack surface, so that it is presented at a more macroscopic level and is easier to analyze through deep interaction; it speeds up security personnel's understanding, analysis and assessment of multi-dimensional aggregated information, and overcomes the drawbacks of two-dimensional matrices such as tables, namely too much data, lack of intuitiveness and difficulty of analysis.

Description

External attack surface visualization analysis method and system based on graph technology
Technical Field
The invention relates to the technical field of network information security, in particular to a method and a system for visual analysis of an external attack surface based on graph technology.
Background
Attack surface management is regarded as one of the important directions for the future development of network security, and is increasingly valued by security teams. The key content of attack surface management is to manage and control the enterprise's at-risk assets from an external perspective, thereby managing the attack surface as a whole and reducing the probability of the enterprise being attacked in its various activities.
At present, there is no standard definition, unified process or analysis method for the external attack surface. Domestic security vendors present the information and data flows related to the external attack surface, such as organizational structure, business associations, mapping relationships between assets and the internal and external networks, and the supply chain, to security personnel in the form of data tables. This mode of presentation and interaction does not adequately help security personnel carry out business scenarios such as rapid analysis of the attack exposure surface and vulnerability prioritization. In addition, organizing and presenting data as a two-dimensional matrix such as a table is not conducive to mining and analyzing the associations within the data, so it suffers from too much data, lack of intuitiveness and difficulty of analysis.
Disclosure of Invention
In view of the technical defects in the prior art, the embodiments of the invention aim to provide a method and a system for visual analysis of an external attack surface based on graph technology, so as to overcome the prior-art drawbacks of too much data, lack of intuitiveness and difficulty of analysis.
In order to achieve the above object, in a first aspect, an embodiment of the present invention provides a method for external attack surface visualization analysis based on graph technology, where the method includes:
acquiring asset data of the internal and external networks and the association mapping relationships corresponding to each asset; wherein the asset data comprises intranet and extranet assets, vulnerability data, organizational structure and asset attribution data;
parsing and processing the asset data and the association mapping relationships to obtain node information and edge information, thereby constructing a graph model and storing the graph model in a graph database;
querying the graph database using predefined high-risk data in combination with multiple graph relationship query modes to retrieve the corresponding risk data;
and displaying the risk data to security personnel in real time through graph visualization technology, using the force-directed layout of G6, so as to realize visual analysis.
In a second aspect, an embodiment of the present invention further provides a system for external attack surface visualization analysis based on graph technology, where the system includes:
an acquisition unit, configured to acquire asset data of the internal and external networks and the association mapping relationships corresponding to each asset; wherein the asset data comprises intranet and extranet assets, vulnerability data, organizational structure and asset attribution data;
a graph database construction unit, configured to parse and process the asset data and the association mapping relationships to obtain node information and edge information, so that a graph model is constructed and stored in a graph database;
a query unit, configured to query the graph database using predefined high-risk data in combination with multiple graph relationship query modes so as to retrieve the corresponding risk data;
and a visualization unit, configured to display the risk data to security personnel in real time through graph visualization technology, using the force-directed layout of G6, so as to realize visual analysis.
By implementing the embodiment of the invention, graph technology helps the user quickly sort out and manage the external attack surface, which greatly improves the ability to quickly converge the exposed surface; compared with the two-dimensional matrix form of traditional technology, such as paged tables, an external attack surface presented with graph visualization is more macroscopic and easier to analyze through deep interaction; at the same time, security personnel's understanding, analysis and assessment of multi-dimensional aggregated information is greatly accelerated, which solves the long-standing problems of two-dimensional matrices such as tables ("too much data, not intuitive, hard to analyze") and realizes visual management of the external attack surface.
Drawings
In order to more clearly illustrate the detailed description of the invention or the technical solutions in the prior art, the drawings that are needed in the detailed description of the invention or the prior art will be briefly described below.
FIG. 1 is a flow chart of a method for external attack surface visualization analysis based on graph technology according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a graph model provided in an embodiment of the present invention;
FIG. 3 is a logic flow diagram of an interactive query provided by an embodiment of the present invention;
FIG. 4 is a logic flow diagram of threat-intelligence-based processing according to an embodiment of the present invention;
FIG. 5 is a schematic block diagram of a system for external attack surface visualization analysis based on graph technology according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It is to be noted that, unless otherwise specified, technical or scientific terms used herein shall have the ordinary meaning as understood by those skilled in the art to which the invention pertains.
Referring to FIG. 1 to FIG. 3, an embodiment of the present invention provides a method for external attack surface visualization analysis based on graph technology, where the method includes:
S101, acquiring asset data of the internal and external networks and the association mapping relationships corresponding to each asset; wherein the asset data comprises intranet and extranet assets, vulnerability data, organizational structure, and asset attribution data.
Specifically, in this embodiment, detailed internal and external network assets, vulnerability data, asset attribution information and the like can be obtained using mature cyberspace mapping and related vulnerability scanning technologies, or by directly using related products to map the internal and external networks; the related organizational structure information can be obtained by manual import or by interfacing with other systems (LDAP);
the internal and external network assets mainly comprise internal and external network hosts and their various open ports and services;
the vulnerability data mainly comprises the vulnerabilities, high-risk ports and high-risk services present on the internal and external network hosts;
the asset attribution information is the information about the group or person mainly responsible for managing each asset;
the association mapping relationships are the various association relationships obtained, including port mapping relationships between the internal and external networks, load balancing relationships between assets, elastic IP binding relationships, relationships between assets and the organizational structure, relationships between vulnerability data and affected assets, and the like.
S102, parsing and processing the asset data and the association mapping relationships to obtain node information and edge information, so that a graph model is constructed and stored in a graph database.
Specifically, the computation based on the acquired asset data and association mapping relationships proceeds as follows:
1. obtaining host data (which needs to contain the IP, host name, operating system, physical address, asset attribution and its organizational structure information, details of open port services and the like), domain name data (which needs to contain basic information such as the domain name and mailbox), vulnerability data (which needs to contain the vulnerability name, CPE, vulnerability description, vulnerability level, CVE, CNNVD, the port or service where the vulnerability is located and the like), client application information (which contains the service interfaces used by the application), port mapping data, port forwarding table data, and the proxy and load balancing information of proxies such as LVS, Nginx and HAProxy;
2. resolving the domain names in the domain name data using domain name resolution to obtain an IP set; merging the IP set with the host data, de-duplicating, filling in default values and deleting non-essential information to obtain the host node data set, while recording the corresponding domain name resolution relationships in the process; similarly, performing reverse domain name resolution on the IPs in the host data to obtain a domain name set, then merging the domain name set with the domain name data, de-duplicating, filling in default values and deleting non-essential information to obtain the domain name node data set, while recording the corresponding reverse IP-to-domain resolution relationships in the process; finally, combining the domain name resolution relationships and the reverse resolution relationships from these two processes to generate the domain name-host edge data set and the host-domain name edge data set;
3. traversing the host data to obtain the host-port edge data set for each open port of each host, collating all port data to obtain the port node data set, and combining the host-port edge data set with the host-domain name edge data set to generate the domain name-port edge data set;
4. traversing the host data to obtain the asset attribution group corresponding to each host, the structure information of the group and the responsible person, and generating the asset group node data set, the responsible person node data set, the host-asset group edge data set and the asset group-host edge data set; parsing the parent-child structure information of the asset groups to obtain the asset group-asset group edge data set, the responsible person-asset group edge data set and the asset group-responsible person edge data set, and generating the domain name-asset group edge data set and the asset group-domain name edge data set from the host-domain name edge data set and the host-asset group edge data set;
5. generating the port-vulnerability edge data set and the vulnerability node data set by associating the vulnerability data with the port node data through the port or service where each vulnerability is located, and generating the vulnerability-host edge data set by combining with the host-port edge data set;
6. generating the port-port edge data set by combining the port mapping data, the port forwarding table data, and the proxy and load balancing information of proxies such as LVS, Nginx and HAProxy with the port node data; there are two edge types, port forwarding and port mapping;
7. generating the application node data set from the client application information, and generating the port-service edge data set from the background service address (URL or IP:PORT) in the client application information.
The graph model of this embodiment includes seven main node types: host (Host), domain name (Domain), port (Port, which includes service information), vulnerability (Vul), application (App), asset group (Group), and asset responsible person (Person).
There are sixteen association relationships (i.e., edge information), as follows.
Asset attribution related: management, pointing from the asset group to the host, indicating that the asset group manages the host; management, pointing from the host to the asset group, indicating that the host is managed by the asset group; dmanage, pointing from the asset group to the domain name, indicating that the asset group manages the domain name; dmanaged, pointing from the domain name to the asset group, indicating that the domain name is managed by the asset group; continain, pointing from asset group to asset group, indicating that the starting asset group is contained by the destination asset group; inchargeof, pointing from the responsible person to the asset group, indicating that the responsible person manages the asset group; charged, pointing from the asset group to the responsible person, indicating that the asset group is managed by the responsible person.
Domain name related: backscheck, pointing from the host to the domain name, indicating that reverse resolution of the host yields the domain name; resolve, pointing from the domain name to the host, indicating that resolution of the domain name yields the host; releasing, pointing from the domain name to the port, indicating that the domain name opens the port externally.
Port related: open, pointing from the host to the port, indicating that the host opens the port externally; forward, pointing from port to port, indicating that the starting port is forwarded to the destination port; mapping, pointing from port to port, indicating that the starting port is mapped to the destination port; has, pointing from the port to the vulnerability, indicating that the port has the vulnerability.
Vulnerability related: hack, computed from open and has, pointing from the vulnerability to the host, indicating that the vulnerability can be used to attack the host.
Application related: provider, pointing from the port to the application, indicating that the port service provides a basic service interface for the application.
S103, querying the graph database using predefined high-risk data in combination with multiple graph relationship query modes to retrieve the corresponding risk data.
Specifically, the acquired data is organized according to the graph model structure and then imported into the graph database, so that the graph database's various graph algorithms can be used for querying. The main query applications at present are the following:
1. Querying the external ports, hosts and affected applications where vulnerabilities exist, together with the associated internal assets.
The vulnerability data in the graph database all comes from the vulnerability scanning results obtained during mapping, i.e. real vulnerabilities that currently exist. Based on these real vulnerabilities and the graph's relationship queries, security personnel can quickly obtain the external hosts, ports, services and applications that attackers could exploit, as well as the port mappings, elastic IPs, load balancing and the like on the intranet hosts. In the graph model design of the invention, queries are mainly carried out in the graph query language GSQL, and the specific query logic is shown in FIG. 3.
2. Querying the external hosts where high-risk ports and high-risk services exist, together with the associated internal assets.
The high-risk data consists of a default list of high-risk port numbers and high-risk component services that experts extract and generate from threat intelligence; the list can of course be modified by the enterprise's security manager, and the system queries the external attack exposure surface for these high-risk port numbers and high-risk services according to the list.
In this way, the external attack surface risk points corresponding to the set of external high-risk port services, the set of threat tags, the sets of high-, medium- and low-severity vulnerabilities and so on are queried, associated with the upper-level organizational structure information and the set of intranet assets, and returned to the front end in real time.
S104, displaying the risk data to security personnel in real time through graph visualization technology, using the force-directed layout of G6, so as to realize visual analysis.
Specifically, the implementation is based on the force-directed graph of G6, which adds the concept of clustering on top of the traditional force-directed layout; when the force-directed layout is computed, clusters are divided based on the risk data and threat intelligence; for example, high-risk ports, vulnerabilities, threat intelligence, the intranet and so on are used to partition the clusters;
Coulomb repulsion and Hooke's-law elastic forces are introduced within the clusters to produce the clustered appearance; during presentation, only the externally attackable risk points, i.e. the assets that can be attacked from the attacker's point of view, are displayed, together with the connections between external and intranet assets, while other related information, such as the organizational structure to which the assets and their managers belong, related domain names, asset sources and the relationships among assets, is shown in a hover (floating) display; interactive analysis functions such as node search, path query and asset marking are also provided.
The embodiment of the invention mainly uses graph technology to store all data elements related to the external attack surface (organizational structure, associated components, intranet and extranet assets and the like) in a graph database as nodes, expresses the association relationships among the element instances (organization-to-asset mapping, intranet-to-extranet asset mapping, business-related mapping and the like) as edges, and finally uses graph visualization technology to draw an external attack surface graph that assists security personnel in analysis, assessment and decision-making. Graph technology fully reveals the internal associations between element instances and presents the macroscopic situation of the whole attack surface more intuitively. With the addition of various graph algorithms, security managers can further perceive and assess attack surface management scenarios, which solves the long-standing problems of two-dimensional matrices such as tables ("too much data, not intuitive, hard to analyze").
A graph database is a database that applies graph theory to store relationship information between entities. At present relational databases are used to store relationship data, which suffers from complex queries and low retrieval efficiency. The graph database's purpose-built underlying design, with its rich set of built-in efficient graph operations and algorithms, makes up for exactly this shortcoming; the graph database is mainly used to store and query data and the relationships between data.
Graph visualization, meanwhile, is a sub-field of information visualization that helps users gain insight into data by displaying elements and relationships. It has been widely used to present relational data such as flow charts, social networks, the internet and protein networks. The invention uses graph visualization mainly to convert the graph data returned by graph database queries into graphics or images, providing information display, interaction and similar functions.
Further, to improve the real-time performance and extensibility of threat handling, in another embodiment, on the basis of the above technical solution, the method further includes:
interfacing with threat intelligence generated in real time, and querying the graph database based on the threat intelligence to mark the affected assets.
Specifically, key information is extracted from the threat intelligence;
and all assets in the graph database that contain the key information are queried according to the key information.
In implementation, interfacing with a threat intelligence platform provides a near-real-time processing chain from threat intelligence to the external attack surface. The real-time processing flow is as follows: obtaining the intelligence, processing the intelligence and extracting key information, querying the database using the key information, and marking the affected assets.
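The graph construction (S102), the risk query (S103) and the threat-intelligence marking described above, as an added Python example that is not code from the patent or its applicant. It uses the edge names open, resolve, releasing, has, hack, forward and mapping from the graph model above; the in-memory `Graph` class, the function names, the sample inventory and the high-risk port list are constructed for illustration and stand in for the graph database and its GSQL queries.

```python
from collections import defaultdict

# Constructed sample inventory (not from the patent); vulnerability name is a placeholder.
HOSTS = [
    {"ip": "203.0.113.10", "zone": "external", "ports": {443: "nginx", 6379: "redis"}},
    {"ip": "203.0.113.20", "zone": "external", "ports": {80: "haproxy"}},
    {"ip": "10.0.0.5", "zone": "internal", "ports": {6379: "redis"}},
    {"ip": "10.0.0.9", "zone": "internal", "ports": {8080: "tomcat"}},
]
DOMAINS = {"shop.example.com": ["203.0.113.20"]}   # domain -> resolved IPs
VULNS = [{"name": "VULN-PLACEHOLDER-1", "level": "high", "port": ("10.0.0.9", 8080)}]
PORT_LINKS = [                                     # (edge type, source port, destination port)
    ("mapping", ("203.0.113.10", 6379), ("10.0.0.5", 6379)),
    ("forward", ("203.0.113.20", 80), ("10.0.0.9", 8080)),
]
HIGH_RISK_PORTS = {445, 3389, 6379}                # assumed default list, editable


class Graph:
    def __init__(self):
        self.nodes = {}                  # (type, id) -> properties
        self.out = defaultdict(set)      # (source node, edge type) -> destination nodes

    def add_node(self, ntype, nid, **props):
        self.nodes.setdefault((ntype, nid), {}).update(props)
        return (ntype, nid)

    def add_edge(self, src, etype, dst):
        self.out[(src, etype)].add(dst)

    def targets(self, src, *etypes):
        return set().union(*(self.out.get((src, e), set()) for e in etypes))


def build_graph():
    g = Graph()
    for h in HOSTS:                                # Host and Port nodes, "open" edges
        host = g.add_node("Host", h["ip"], zone=h["zone"])
        for number, service in h["ports"].items():
            port = g.add_node("Port", (h["ip"], number), number=number, service=service)
            g.add_edge(host, "open", port)
    for name, ips in DOMAINS.items():              # "resolve", then derived "releasing"
        dom = g.add_node("Domain", name)
        for ip in ips:
            g.add_edge(dom, "resolve", ("Host", ip))
            for port in g.targets(("Host", ip), "open"):
                g.add_edge(dom, "releasing", port)
    for v in VULNS:                                # "has", then "hack" derived via the port's host
        vul = g.add_node("Vul", v["name"], level=v["level"])
        g.add_edge(("Port", v["port"]), "has", vul)
        g.add_edge(vul, "hack", ("Host", v["port"][0]))
    for etype, src, dst in PORT_LINKS:             # port-port edges: forwarding or mapping
        g.add_edge(("Port", src), etype, ("Port", dst))
    return g


def reachable_ports(g, port):  # follow forward/mapping edges from a port, cycle-safe
    seen, stack = set(), [port]
    while stack:
        new = g.targets(stack.pop(), "forward", "mapping") - seen
        seen |= new
        stack.extend(new)
    return seen


def external_exposure(g):
    """Risky externally opened ports, why they are risky, and the intranet hosts behind them."""
    findings = []
    ext_hosts = sorted(n for n, p in g.nodes.items() if n[0] == "Host" and p["zone"] == "external")
    for host in ext_hosts:
        for port in sorted(g.targets(host, "open")):
            chain = {port} | reachable_ports(g, port)
            reasons = set()
            for p in chain:
                if g.nodes[p]["number"] in HIGH_RISK_PORTS:
                    reasons.add(f"high-risk port {g.nodes[p]['number']}")
                for vul in g.targets(p, "has"):
                    reasons.add(f"vulnerability {vul[1]} ({g.nodes[vul]['level']})")
            if reasons:
                internal = sorted({p[1][0] for p in chain
                                   if g.nodes[("Host", p[1][0])]["zone"] == "internal"})
                findings.append({"external": f"{host[1]}:{port[1][1]}",
                                 "reasons": sorted(reasons), "internal": internal})
    return findings


def mark_affected(g, keyword):
    """Threat-intel step: mark every Port whose service matches the keyword, and its Host."""
    marked = set()
    for node, props in g.nodes.items():
        if node[0] == "Port" and keyword.lower() in props["service"].lower():
            props["marked"] = keyword
            g.nodes[("Host", node[1][0])]["marked"] = keyword
            marked.add(node[1][0])
    return sorted(marked)


if __name__ == "__main__":
    graph = build_graph()
    print(external_exposure(graph), mark_affected(graph, "redis"))
```

The external web port 203.0.113.20:80 is reported even though it is neither high-risk nor vulnerable itself, because the forward edge leads to a vulnerable intranet port; that association is what the table view described in the Background cannot show directly.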
Based on the same inventive concept, as shown in fig. 5, an embodiment of the present invention further provides a system for external attack surface visualization analysis based on graph technology, where the system includes:
an acquisition unit, configured to acquire asset data of the internal and external networks and the association mapping relationships corresponding to each asset; wherein the asset data comprises internal and external network assets, vulnerability data, organizational structure and asset attribution data;
a graph database construction unit, configured to parse and process the asset data and the association mapping relationships to obtain node information and edge information, so that a graph model is constructed and stored in a graph database;
a query unit, configured to query the graph database using predefined high-risk data in combination with multiple graph relationship query modes so as to retrieve the corresponding risk data;
and a visualization unit, configured to display the risk data to security personnel in real time through graph visualization technology, using the force-directed layout of G6, so as to realize visual analysis.
In application, during force-directed layout, cluster division is further performed based on the risk data and threat intelligence;
Coulomb repulsion and Hooke's-law elastic forces are introduced within the clusters to produce the clustered appearance; during presentation, only the risk points that can be attacked from outside are shown, together with the connections between external and intranet assets, while the organizational structure to which the assets and their managers belong and the relationships among assets are shown in a hover (floating) display;
the visual analysis includes node search, path query and asset marking.
Further, in another embodiment, in order to improve the real-time performance and extensibility of threat handling, on the basis of the above technical solution, the system further includes a marking unit, configured to interface with threat intelligence generated in real time and to query the graph database based on the threat intelligence, so as to mark the affected assets.
In implementation, interfacing with a threat intelligence platform provides a near-real-time processing chain from threat intelligence to the external attack surface. The main real-time intelligence processing flow comprises obtaining the intelligence, processing the intelligence and extracting key information, querying the database using the key information, and marking the affected assets. This enables threat-intelligence-driven queries (for example, for leaks affecting application and service code) that return the affected high-risk external ports and hosts and the associated intranet hosts.
It should be noted that, for a more specific workflow in the system embodiment, please refer to the description of the foregoing method embodiment, which is not repeated herein.
By implementing this scheme, graph technology helps the user quickly sort out and manage the external attack surface, which greatly improves the ability to quickly converge the exposed surface; compared with the two-dimensional matrix form of traditional technology, such as paged tables, an external attack surface presented with graph visualization is more macroscopic and easier to analyze through deep interaction; at the same time, security personnel's understanding, analysis and assessment of multi-dimensional aggregated information is greatly accelerated, which solves the long-standing problems of two-dimensional matrices such as tables ("too much data, not intuitive, hard to analyze") and realizes visual management of the external attack surface.
Those of ordinary skill in the art will appreciate that the various illustrative steps and elements described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the several embodiments provided in the present application, it should be understood that the disclosed method and system may be implemented in other ways. For example, the above-described system embodiments are merely illustrative, and for example, the division of the units is only one logical functional division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another device or system, or some features may be omitted, or not executed.
While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications and substitutions can be easily made by those skilled in the art within the technical scope of the invention.

Claims (9)

1. A method for external attack surface visualization analysis based on graph technology, characterized by comprising the following steps:
acquiring asset data of an internal network and an external network and an association mapping relation corresponding to each asset; wherein the asset data comprises intranet and extranet assets, vulnerability data, organizational structure and asset attribution data;
analyzing and processing the asset data and the association mapping relation to obtain node information and edge information, thereby constructing a graph model and storing the graph model in a graph database;
querying the graph database by utilizing predefined high-risk data and combining a plurality of graph relation query modes to query corresponding risk data;
and displaying the risk data to security personnel in real time by adopting the force-directed layout of G6 through a graph visualization technology so as to realize visualization analysis.
2. The method for external attack surface visualization analysis based on graph technology as claimed in claim 1, wherein the method further comprises:
interfacing with threat intelligence generated in real time, and querying the graph database based on the threat intelligence to mark the affected assets.
3. The method according to claim 2, wherein said querying said graph database based on said threat intelligence comprises:
extracting key information in the threat intelligence;
and querying all assets containing the key information in the graph database according to the key information.
4. The method for external attack surface visualization analysis based on graph technology as claimed in claim 2, wherein in the force-directed layout, clustering is further performed based on the risk data and threat intelligence;
Coulomb repulsion and Hooke's-law elasticity are introduced within the clusters to produce the clustering effect; during presentation, only risk points that can be attacked from the outside are shown, the connections between the outside and the intranet assets are shown, and at the same time the assets, the organizational structure of their management personnel and the relations among the assets are shown in a floating (hover) display.
5. A system for external attack surface visualization analysis based on graph technology, the system comprising:
an acquisition unit, used for acquiring asset data of an internal network and an external network and an association mapping relation corresponding to each asset; wherein the asset data comprises intranet and extranet assets, vulnerability data, organizational structure and asset attribution data;
a graph database construction unit, used for analyzing and processing the asset data and the association mapping relation to obtain node information and edge information, so that a graph model is constructed and stored in a graph database;
a query unit, used for querying the graph database by utilizing predefined high-risk data and combining a plurality of graph relation query modes so as to query corresponding risk data;
and a visualization unit, used for displaying the risk data to security personnel in real time by adopting the force-directed layout of G6 through a graph visualization technology so as to realize visualization analysis.
6. The system according to claim 5, further comprising a labeling unit for interfacing with threat intelligence generated in real time and for labeling affected assets by querying the graph database based on the threat intelligence.
7. The system according to claim 6, wherein said querying said graph database based on said threat intelligence comprises:
extracting key information in the threat intelligence;
and querying all assets containing the key information in the graph database according to the key information.
8. The system for external attack surface visualization analysis based on graph technology as claimed in claim 6, wherein in the force-directed layout, clustering is further performed based on the risk data and threat intelligence;
Coulomb repulsion and Hooke's-law elasticity are introduced within the clusters to produce the clustering effect; during presentation, only risk points that can be attacked from the outside are shown, the connections between the outside and the intranet assets are shown, and at the same time the assets, the organizational structure of their management personnel and the relations among the assets are shown in a floating (hover) display.
9. The system for external attack surface visualization analysis based on graph technology as claimed in claim 5, wherein the visualization analysis includes node search, path query and asset tagging.
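The graph construction, risk query and threat-intelligence marking steps of claims 1 to 3 can be sketched as follows. This is an added example, not code from the patent: it uses an in-memory dictionary in place of a graph database, and the relation names (`reaches`, `has_vuln`), the product-name matching rule and all sample data are assumptions made for illustration.

```python
from collections import deque

ASSETS = {  # constructed sample inventory; every name and ID is a placeholder
    "internet": {"zone": "external"},
    "vpn.example.com": {"zone": "extranet", "software": "ExampleVPN 9.1"},
    "www.example.com": {"zone": "extranet", "software": "ExampleWeb 1.18"},
    "10.0.0.5": {"zone": "intranet", "software": "ExampleDB 5.7"},
    "10.0.0.9": {"zone": "intranet", "software": "ExampleDB 5.7"},
}
MAPPINGS = [  # association mappings as (source, relation, target)
    ("internet", "reaches", "vpn.example.com"),
    ("internet", "reaches", "www.example.com"),
    ("vpn.example.com", "reaches", "10.0.0.5"),
    ("10.0.0.5", "has_vuln", "VULN-0001"),
    ("10.0.0.9", "has_vuln", "VULN-0001"),
    ("www.example.com", "has_vuln", "VULN-0002"),
]
HIGH_RISK = {"VULN-0001"}  # predefined high-risk data

def build_graph(assets, mappings):
    """Turn asset records and mappings into node info and typed edge lists."""
    nodes, edges = {k: dict(v, marked=False) for k, v in assets.items()}, {}
    for src, rel, dst in mappings:
        nodes.setdefault(dst, {"marked": False})
        edges.setdefault((src, rel), []).append(dst)
    return nodes, edges

def exposed_risks(edges, high_risk, source="internet"):
    """Walk 'reaches' edges breadth-first; report high-risk vulns on the way."""
    paths, queue, found = {source: [source]}, deque([source]), []
    while queue:
        cur = queue.popleft()
        for vuln in edges.get((cur, "has_vuln"), []):
            if vuln in high_risk:
                found.append((cur, vuln, paths[cur]))
        for nxt in edges.get((cur, "reaches"), []):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return found

def mark_affected(nodes, intel_text):
    """Treat product names found in the intel as key info; mark matching assets."""
    products = {n["software"].split(" ")[0] for n in nodes.values() if "software" in n}
    keys = {p for p in products if p.lower() in intel_text.lower()}
    hits = sorted(k for k, n in nodes.items() if n.get("software", "").split(" ")[0] in keys)
    for k in hits:
        nodes[k]["marked"] = True
    return hits
```

In this sample, the risk query reports only the asset reachable from the outside, while the intelligence match marks both hosts running the named product, including the one with no external path.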
CN202210366107.2A 2022-04-08 2022-04-08 External attack surface visualization analysis method and system based on graph technology Pending CN114745171A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210366107.2A CN114745171A (en) 2022-04-08 2022-04-08 External attack surface visualization analysis method and system based on graph technology

Publications (1)

Publication Number Publication Date
CN114745171A true CN114745171A (en) 2022-07-12

Family

ID=82279149

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210366107.2A Pending CN114745171A (en) 2022-04-08 2022-04-08 External attack surface visualization analysis method and system based on graph technology

Country Status (1)

Country Link
CN (1) CN114745171A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453386A (en) * 2016-11-09 2017-02-22 深圳市魔方安全科技有限公司 Automatic internet asset monitoring and risk detecting method based on distributed technology
US20170289187A1 (en) * 2016-03-29 2017-10-05 The Mitre Corporation System and method for visualizing and analyzing cyber-attacks using a graph model
US20200044939A1 (en) * 2018-08-01 2020-02-06 Futurewei Technologies, Inc. Interactive system for visualizing and maintaining large networks
US20200177616A1 (en) * 2018-12-03 2020-06-04 Accenture Global Solutions Limited Generating attack graphs in agile security platforms
CN112148834A (en) * 2020-08-24 2020-12-29 北京工商大学 Graph embedding-based high-risk food and hazard visual analysis method and system
CN113051575A (en) * 2021-03-25 2021-06-29 深圳市联软科技股份有限公司 Method and system for generating red and blue attack resisting exercise scheme based on graph database
CA3070685A1 (en) * 2020-02-02 2021-08-02 Jeremy L. Hurst Cyber risk segmentation, quantification and visualization methodology
CN113222737A (en) * 2021-05-25 2021-08-06 天津大学 Risk visualization graph layout method for financial network
CN114257420A (en) * 2021-11-29 2022-03-29 中国人民解放军63891部队 Method for generating network security test based on knowledge graph

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
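Liu Nian; Liu Yu: "Research on visualization technology for massive relational data based on clustering analysis algorithms", Electronic Design Engineering, no. 10, 20 May 2018 (2018-05-20) *
Tang Ying; Sheng Fengfan; Qin Xujia: "Hierarchical visual abstraction method based on improved force-directed graph layout", Journal of Computer-Aided Design & Computer Graphics, no. 04, 15 April 2017 (2017-04-15) *
Chen Yi; Zhang Menglu; Wan Yuchai: "A survey of graph representation and visualization methods", Journal of System Simulation, no. 07, 15 July 2020 (2020-07-15), pages 1232 - 1243 *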

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination