Detailed Description
The following describes the architecture of a vulnerability repair system 10 for big data security vulnerability mining according to an embodiment of the present invention. The vulnerability repair system 10 may include a vulnerability repair system 100 and a threat awareness server 200 communicatively connected to the vulnerability repair system 100. The vulnerability repair system 100 and the threat awareness server 200 cooperate to execute the vulnerability repair method for big data security vulnerability mining described in the following method embodiments; the execution steps of each of them may be understood with reference to the detailed description of those method embodiments.
The vulnerability repair method for big data security vulnerability mining provided in this embodiment may be executed by the vulnerability repair system 100 and is described in detail below with reference to fig. 1.
Process100: obtain a threat attack activity sequence from the target threat awareness event indicated by a vulnerability repair analysis task of the threat awareness server 200, and determine, based on the threat attack activity sequence, a reference security vulnerability distribution of the security protection process corresponding to the target threat awareness event.
Process200: perform vulnerability repair on the security protection process, and on the shared security protection processes corresponding to it, based on the reference security vulnerability distribution of the security protection process corresponding to the target threat awareness event.
For example, after the reference security vulnerability distribution is obtained, a shared vulnerability repair instruction corresponding to it may be extracted from a pre-specified shared vulnerability repair instruction library, and vulnerability repair may be performed on the security protection process and its shared security protection processes according to that instruction. If no shared vulnerability repair instruction corresponding to the reference security vulnerability distribution can be extracted from the library, the vulnerability location feature points corresponding to the distribution (for example, the process code position of each reference security vulnerability in the running security protection process) are output to a developer terminal so as to prompt targeted repair.
With this technical scheme, a threat attack activity sequence is obtained from the target threat awareness event indicated by the vulnerability repair analysis task, a reference security vulnerability distribution of the corresponding security protection process is determined from that sequence, and vulnerability repair is then performed on the security protection process and its shared security protection processes based on that distribution. Security vulnerability mining is thus carried out with a single target threat awareness event as the unit, and a plurality of shared security protection processes are repaired in a unified manner. Compared with the related art, which performs vulnerability analysis and repair on global threat awareness events, this provides an efficient vulnerability repair scheme with better localization.
Some exemplary design considerations for Process100 are described in detail below with reference to a specific embodiment.
Process110: obtain a threat attack activity sequence from the target threat awareness event indicated by the vulnerability repair analysis task.
Any threat awareness event typically includes a large number of threat attack activities, which may include one or more items of threat attack chain data; threat attack chain data refers to the path data formed by the threat attack nodes traversed during an attack.
Threat attack activities describe the attack behavior information related to a threat awareness event, while the security vulnerability related characteristics of the event are used to decide on its main attack behavior characteristics; the threat attack activities in a threat awareness event are therefore correlated with its security vulnerability related characteristics, and those characteristics can be determined from the threat attack activities the event contains. For example, in response to a mining request for a threat context variable related to a target threat awareness event, the vulnerability repair system 100 may obtain the target threat awareness event indicated by the vulnerability repair analysis task and then obtain a threat attack activity sequence from it. The sequence includes a number of threat attack activities, and those activities include threat attack chain data. For some possible design ideas, the vulnerability repair system 100 may analyze the threat attack activities of the target threat awareness event, match the basic threat attack activity sequence obtained by that analysis against one or more time window network flow databases of the threat attack process, and thereby obtain, by matching, the basic threat attack activities in the basic sequence that are present in one or more initial threat attack tracking maps. The threat attack activities of the target threat awareness event are then determined from the matched basic threat attack activities, and the threat attack activity sequence of the target threat awareness event is established from them.
Process120: establish a threat attack relationship network of the target threat awareness event based on the number of threat attack activities.
For some possible design ideas, the threat attack relationship network of a target threat awareness event may include a number of network members; each network member maps one threat attack activity, and the threat attack activities mapped by two network members that have a network connection relationship have a threat attack cooperative behavior in the target threat awareness event. In other words, the network members corresponding to two threat attack activities that have a threat attack cooperative behavior in the target threat awareness event are connected in the threat attack relationship network. The threat attack cooperative behavior mentioned here may have either of the following meanings:
For some possible design ideas, the threat attack cooperative behavior may refer to a relationship in which, when the target threat awareness event is coordinated through an external attack source, two threat attack activities appear simultaneously in that external attack source. Suppose the threat attack activities include threat attack activity L, threat attack activity M, threat attack activity E, threat attack activity B, and so on. Since threat attack activity L and threat attack activity M may appear simultaneously in the external attack source during threat attack coordination, L and M may be considered to have a threat attack cooperative behavior in the target threat awareness event. Since threat attack activity M and threat attack activity E may likewise appear simultaneously in the external attack source, M and E may be considered to have a threat attack cooperative behavior. Since threat attack activity E and threat attack activity B cannot appear in the external attack source at the same time, E and B may be considered to have no threat attack cooperative behavior in the target threat awareness event, and so on.
For other possible design ideas, the threat attack cooperative behavior may refer to a relationship in which two threat attack activities appear simultaneously in the external attack source and, in addition, the defense time-space domain correlation parameter between them is larger than a preset correlation parameter value. The defense time-space domain correlation parameter between two threat attack activities may be calculated from their threat attack path variables; it maps the defense time-space domain matching degree between the two activities and is in direct proportion to it, so the larger the parameter, the higher the matching degree. For example, let the preset correlation parameter value be K, let the defense time-space domain correlation parameter between threat attack activity L and threat attack activity M be kLM, between M and E be kME, and between E and B be kEB, with kLM < K, kME > K and kEB < K.
Continuing the example: since kLM is smaller than K, the vulnerability repair system 100 may consider that threat attack activity L and threat attack activity M have no threat attack cooperative behavior in the target threat awareness event even though both may appear in the external attack source. Since kME is larger than K and threat attack activity M and threat attack activity E may appear in the external attack source at the same time, the vulnerability repair system 100 may consider that M and E have a threat attack cooperative behavior, and so on. Thus, when judging whether two threat attack activities have a threat attack cooperative behavior in the target threat awareness event, this embodiment considers not only their co-occurrence in an external attack source but also the defense time-space domain matching degree between them, which improves the accuracy of the judgment and hence the accuracy of the threat attack relationship network.
Based on the above, when specifically implementing Process120, the vulnerability repair system 100 may first establish a basic threat attack relationship network of the target threat awareness event from the plurality of threat attack activities; the basic network includes a plurality of network members, each mapping one threat attack activity. Second, the vulnerability repair system 100 may select at least one cooperative threat attack activity pair from the threat attack activities, a cooperative pair being two threat attack activities that have a threat attack cooperative behavior in the target threat awareness event. The vulnerability repair system 100 then traverses the cooperative pairs; for the pair currently traversed, it connects, in the basic threat attack relationship network, the two network members associated with the two threat attack activities of that pair. When every cooperative pair has been traversed, the threat attack relationship network of the target threat awareness event is obtained.
For example, suppose the threat attack activities include threat attack activity L (recorded by network member L), threat attack activity M (recorded by network member M), threat attack activity E (recorded by network member E), threat attack activity B (recorded by network member B), and so on, and that there are 4 cooperative threat attack activity pairs in total: (threat attack activity L, threat attack activity M), (threat attack activity L, threat attack activity B), (threat attack activity M, threat attack activity E) and (threat attack activity B, threat attack activity E). The vulnerability repair system 100 then connects network member L with network member M, network member L with network member B, network member M with network member E, and network member B with network member E in the basic threat attack relationship network, thereby obtaining the threat attack relationship network of the target threat awareness event.
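The construction of the threat attack relationship network described in Process120, as an added example that is not part of the patent text. Each external attack source is modelled as the set of threat attack activities observed in it at the same time; the sample sources, the correlation values kLM, kME, kEB and the threshold K are constructed to reproduce the L, M, E, B example above and are not data from the page. The function and variable names are the example's own.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Mapping, Optional, Set, Tuple

# Constructed sample: each external attack source is the set of threat attack
# activities that appear in it simultaneously (hypothetical data).
ATTACK_SOURCES: List[Set[str]] = [
    {"L", "M"},   # L and M appear together in source 1
    {"M", "E"},   # M and E appear together in source 2
    {"E"},        # E on its own
    {"B"},        # B on its own, so E and B never co-occur
]

# Constructed defense time-space domain correlation parameters between pairs and
# the preset correlation parameter value K (symbols follow the text, values assumed).
K = 0.5
CORRELATION: Dict[FrozenSet[str], float] = {
    frozenset({"L", "M"}): 0.3,   # kLM < K
    frozenset({"M", "E"}): 0.8,   # kME > K
    frozenset({"E", "B"}): 0.2,   # kEB < K
}


def cooccurrence_counts(sources: List[Set[str]]) -> Dict[FrozenSet[str], int]:
    """Count, for each unordered pair of activities, the number of external
    attack sources in which both appear at the same time."""
    counts: Dict[FrozenSet[str], int] = {}
    for src in sources:
        for a, b in combinations(sorted(src), 2):
            key = frozenset((a, b))
            counts[key] = counts.get(key, 0) + 1
    return counts


def build_relationship_network(
    sources: List[Set[str]],
    correlation: Optional[Mapping[FrozenSet[str], float]] = None,
    threshold: float = 0.0,
) -> Dict[str, Set[str]]:
    """Build the threat attack relationship network as an adjacency map.

    The basic network has one member per activity and no connections. Two
    members are connected when their activities co-occur in an external attack
    source (first meaning of cooperative behaviour). If a correlation map is
    given, the pair must additionally have a defense time-space domain
    correlation parameter larger than the threshold (second meaning)."""
    network: Dict[str, Set[str]] = {act: set() for src in sources for act in src}
    for pair, n_sources in cooccurrence_counts(sources).items():
        if n_sources == 0:
            continue
        if correlation is not None and correlation.get(pair, 0.0) <= threshold:
            continue  # co-occur, but not matched closely enough in defense time-space domain
        a, b = tuple(pair)
        network[a].add(b)
        network[b].add(a)
    return network


def edges(network: Mapping[str, Set[str]]) -> List[Tuple[str, str]]:
    """Sorted list of connections, each reported once as (smaller, larger)."""
    return sorted((a, b) for a in network for b in network[a] if a < b)


if __name__ == "__main__":
    # Co-occurrence only: (L,M) and (M,E) are connected, (E,B) is not.
    print(edges(build_relationship_network(ATTACK_SOURCES)))
    # With the correlation threshold: only (M,E) survives, since kLM < K.
    print(edges(build_relationship_network(ATTACK_SOURCES, CORRELATION, K)))
```

The second meaning of cooperative behaviour is strictly a filter on the first: a pair that never co-occurs is never connected, whatever its correlation parameter, which is why the correlation check sits inside the loop over co-occurring pairs rather than replacing it.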
Process130: generate the threat attack participation degree of the threat attack activity mapped by each network member according to the threat attack cooperation information among the network members in the threat attack relationship network.
For some possible design ideas, a threat attack cooperative behavior is a relationship in which two threat attack activities appear in one external attack source at the same time, or in which they appear in one external attack source at the same time and the defense time-space domain correlation parameter between them is larger than the preset correlation parameter value. The more threat attack cooperative behaviors a threat attack activity has in the target threat awareness event, the higher the risk it represents. Therefore, when executing Process130, the vulnerability repair system 100 may, for example, count the number of threat attack cooperative behaviors of each threat attack activity (its threat attack cooperation count) from the cooperation information among the network members, and determine the threat attack participation degree of each threat attack activity from its cooperation count on the principle that the two are positively correlated.
For some possible design ideas, the threat attack cooperation count of each threat attack activity may be output directly as its threat attack participation degree. Alternatively, the cooperation counts may be normalized and the normalized values output as the participation degrees. Alternatively, the cooperation count of each threat attack activity may be weighted by a threat attack participation parameter, which can be set according to actual service conditions, and the weighted value output as the participation degree. For example, referring to the foregoing example, if network member L has a network connection relationship with network member M and with network member B, the threat attack cooperation count of threat attack activity L mapped by network member L is 2; this count may be output directly as the threat attack participation degree of L (participation degree 2), or weighted by a threat attack participation parameter (for example, 1.5) and output as the participation degree of L (participation degree 3), and so on.
In another possible design concept, research shows that if two threat attack activities have a threat attack cooperative behavior in the target threat awareness event, then, because they appear simultaneously, their threat attack participation degrees generally affect each other. Accordingly, when executing Process130, the vulnerability repair system 100 may calculate the threat attack participation degree of the threat attack activity of any network member in combination with the participation degrees of the threat attack activities mapped by the associated network members that have a network connection relationship with it, so as to improve the accuracy of the participation degree. For some possible design ideas, for the threat attack activity mapped by any network member, one or more associated network members having a network connection relationship with that member are generated from the cooperation information among the network members in the threat attack relationship network; the threat attack participation degree of the activity mapped by that member is then determined from the participation degrees of the activities mapped by each associated network member.
Determining the threat attack participation degree of the threat attack activity mapped by any network member from the participation degrees of the activities mapped by its associated network members may be implemented in either of the following ways:
The first implementation: the vulnerability repair system 100 may determine an initial value for the threat attack activity mapped by the network member from its threat attack cooperation count. Second, it may count, for each associated network member, the number of times the activity mapped by the network member and the activity mapped by that associated member appear in an external attack source at the same time, normalize these counts, and output them as the risk assessment information of each associated network member. For example, for threat attack activity L mapped by network member L, network member L has two associated network members, network member M and network member B; if threat attack activity L and threat attack activity M (mapped by network member M) appear simultaneously in the external attack source 15 times, and threat attack activity L and threat attack activity B (mapped by network member B) appear simultaneously 5 times, the risk assessment information of network member M is 15/(15+5) = 0.75 and that of network member B is 5/(15+5) = 0.25. After the risk assessment information of each associated network member is obtained, the threat attack participation degrees of the associated network members are summed with the risk assessment information as weights; for example, if the participation degree of network member M is 0.4 and that of network member B is 0.2, the weighted sum is 0.4 × 0.75 + 0.2 × 0.25 = 0.35.
The value obtained by the weighted summation and the initial value of the threat attack activity mapped by the network member are then summed, and the result is output as the threat attack participation degree of that activity.
The second embodiment: the vulnerability fix system 100 may also determine a threat attack engagement of the threat attack activity mapped by any of the associated network members based on the threat attack engagement of the threat attack activity mapped by the network members.
In addition to some possible design ideas, the defense spatio-temporal-spatial domain correlation parameter can represent the defense spatio-temporal-spatial domain matching degree between two threat attack activities, and research shows that for any threat attack activity, if the defense spatio-temporal domain matching degree between other threat attack activities and the any threat attack activity is larger, the influence of the threat attack participation degree of the other threat attack activities on the threat attack participation degree of the any threat attack activity is generally larger. Accordingly, when the vulnerability repair system 100 executes the Process130, for the threat attack activity mapped by any network member, the threat attack activity participation degree of the threat attack activity mapped by the associated network member having a network connection relationship with the any network member and the defense time-space domain correlation parameters between the threat attack activity mapped by the any network member and the threat attack activity mapped by each associated network member are combined to calculate the threat attack participation degree of the threat attack activity of the any network member, so as to further improve the precision of the threat attack participation degree. For some possible design ideas, for threat attack activities mapped by any network member, one or more associated network members having a network connection relationship with any network member may be generated according to threat attack collaboration information between network members in the threat attack relationship network. 
Then, calculating defense time-space domain correlation parameters between the threat attack activity mapped by any network member and the threat attack activity mapped by each correlation network member; and determining the threat attack participation degree of the threat attack activity mapped by any network member based on the defense time-space domain associated parameters and the threat attack participation degree of the threat attack activity mapped by each associated network member.
Wherein, based on the defense time-space domain correlation parameter and the threat attack engagement degree of the threat attack activity mapped by each correlation network member, the specific implementation mode for determining the threat attack engagement degree of the threat attack activity mapped by any network member may include any one of the following:
the first implementation mode comprises the following steps: the vulnerability repair system 100 may determine to obtain an initial value of the threat attack activity mapped by any network member based on the threat attack coordination number of the threat attack activity mapped by any network member. Secondly, the threat attack participation of each associated network member can be weighted and summed according to each defense time-space domain associated parameter. For example, for a threat attack activity L mapped by network member L, network member L has two associated network members, network member M and network member B; and the threat attack participation of the network member M is 0.4, and the threat attack participation of the network member B is 0.2. If the defense time-space domain correlation parameter between the threat attack activity L and the threat attack activity M mapped by the network member M is kLM, the defense time-space domain correlation parameter between the threat attack activity L and the threat attack activity B mapped by the network member B is kLB; 0.4 × kLM +0.2 × kLB may be performed. Then, the numerical value obtained by weighting calculation and the initial value of the threat attack activity mapped by any network member can be summed, and the threat attack participation degree of the threat attack activity mapped by any network member is output.
The second embodiment: the vulnerability repair system 100 may also determine a threat attack engagement degree of the threat attack activity mapped by any network member based on the defense time-space domain associated parameters and the threat attack engagement degree of the threat attack activity mapped by each associated network member.
Process140: select key threat attack chain data of the target threat awareness event from the threat attack activity sequence based on the threat attack participation degree of each threat attack activity, and establish vulnerability classification characteristics of the target threat awareness event from the threat attack path variable of the key threat attack chain data, the vulnerability classification characteristics representing the security vulnerability related characteristics of the security protection process corresponding to the target threat awareness event.
After obtaining the threat attack participation degree of each threat attack activity, the vulnerability repair system 100 may select, from the threat attack activity sequence, the threat attack chain data with the largest threat attack participation degree and output it as the key threat attack chain data of the target threat awareness event. Vulnerability classification characteristics of the target threat awareness event are then established from the threat attack path variables of the key threat attack chain data; these characteristics represent the security vulnerability related characteristics of the security protection process corresponding to the target threat awareness event.
One design idea for selecting the key threat attack chain data from the threat attack activity sequence is: extract each item of threat attack chain data included in the sequence, then select the item with the largest threat attack participation degree and output it as the key threat attack chain data of the target threat awareness event.
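The participation degree variants of Process130 and the chain selection of Process140, as an added example that is not part of the patent text. The adjacency map is the four-pair network from the example above (L-M, L-B, M-E, B-E); the co-occurrence counts 15 and 5, the neighbour participation degrees 0.4 and 0.2, the weighting parameter 1.5 and the correlation values are taken from or constructed to match the worked numbers in the text. The page does not say how the participation degree of a whole chain is formed from its activities; the example assumes the sum of its activities' degrees, and that assumption, like the function names, is the example's own.

```python
from typing import Dict, FrozenSet, Iterable, Mapping, Sequence, Set, Tuple

# Constructed threat attack relationship network (adjacency map) for members
# L, M, E, B with connections (L,M), (L,B), (M,E), (B,E). Hypothetical data.
NETWORK: Dict[str, Set[str]] = {
    "L": {"M", "B"},
    "M": {"L", "E"},
    "E": {"M", "B"},
    "B": {"L", "E"},
}


def collaboration_count(network: Mapping[str, Set[str]], member: str) -> int:
    """Threat attack cooperation count: one cooperative behaviour per connection."""
    return len(network[member])


def direct_participation(network: Mapping[str, Set[str]]) -> Dict[str, float]:
    """Variant 1: output the cooperation count itself as the participation degree."""
    return {m: float(collaboration_count(network, m)) for m in network}


def normalized_participation(network: Mapping[str, Set[str]]) -> Dict[str, float]:
    """Variant 2: normalise the cooperation counts so they sum to 1."""
    total = sum(collaboration_count(network, m) for m in network)
    return {m: collaboration_count(network, m) / total for m in network}


def weighted_participation(network: Mapping[str, Set[str]], param: float) -> Dict[str, float]:
    """Variant 3: weight each cooperation count by a participation parameter."""
    return {m: collaboration_count(network, m) * param for m in network}


def risk_assessment(cooccurrence: Mapping[str, int]) -> Dict[str, float]:
    """Normalise per-neighbour co-occurrence counts into weights summing to 1."""
    total = sum(cooccurrence.values())
    return {n: c / total for n, c in cooccurrence.items()}


def neighbour_weighted_participation(
    network: Mapping[str, Set[str]],
    member: str,
    cooccurrence: Mapping[str, int],        # times member's activity co-occurs with each neighbour's
    neighbour_part: Mapping[str, float],    # participation degree of each neighbour
) -> float:
    """First implementation with associated members: initial value (cooperation
    count) plus the neighbours' participation weighted by risk assessment info."""
    initial = collaboration_count(network, member)
    weights = risk_assessment(cooccurrence)
    return initial + sum(neighbour_part[n] * weights[n] for n in network[member])


def correlation_weighted_participation(
    network: Mapping[str, Set[str]],
    member: str,
    correlation: Mapping[FrozenSet[str], float],   # defense time-space domain parameters
    neighbour_part: Mapping[str, float],
) -> float:
    """First implementation with correlation parameters: initial value plus the
    neighbours' participation weighted by the correlation parameter to each."""
    initial = collaboration_count(network, member)
    return initial + sum(
        neighbour_part[n] * correlation[frozenset((member, n))] for n in network[member]
    )


def select_key_chain(
    chains: Iterable[Tuple[str, ...]], participation: Mapping[str, float]
) -> Tuple[str, ...]:
    """Process140: return the chain with the largest participation degree.
    ASSUMPTION (not stated in the text): a chain's degree is the sum of its
    activities' degrees."""
    return max(chains, key=lambda chain: sum(participation[a] for a in chain))


if __name__ == "__main__":
    print(direct_participation(NETWORK)["L"])                      # 2.0
    print(weighted_participation(NETWORK, 1.5)["L"])               # 3.0
    print(neighbour_weighted_participation(
        NETWORK, "L", {"M": 15, "B": 5}, {"M": 0.4, "B": 0.2}))    # 2 + 0.35 = 2.35
    print(select_key_chain([("L", "M"), ("M", "E", "B")], direct_participation(NETWORK)))
```

Note that the worked example in the text adds an integer cooperation count (2) to a fractional weighted sum (0.35); the two quantities are on different scales, so in practice the initial value should be normalised the same way as the neighbours' degrees before summing, or the normalised variant should be used throughout.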
According to the method and device of this embodiment, for the target threat awareness event indicated by the vulnerability repair analysis task, a plurality of threat attack activities are obtained from the event and a threat attack relationship network of the event is established from them. Because the threat attack activities mapped by connected network members have threat attack cooperative behaviors in the target threat awareness event, and the more cooperative behaviors an activity has the higher its risk, the threat attack participation degree of the activity mapped by each network member can be determined more accurately from the cooperation information among the network members. Key threat attack chain data of the target threat awareness event are then selected from the threat attack activity sequence based on the participation degrees, and vulnerability classification characteristics representing the security vulnerability related characteristics of the corresponding security protection process are established from the threat attack path variables of the key chain data.
The precision of the threat attack participation degree of each threat attack activity is thereby improved, which improves the precision of the key threat attack chain data and in turn that of the security vulnerability related characteristics. In addition, the whole security vulnerability classification process analyzes the security vulnerability related characteristics of the threat awareness event automatically, reducing manual investigation.
For further exemplary design considerations, Process100 is described in detail below with reference to another specific embodiment.
The Process210 obtains a sequence of threat attack activities from the target threat awareness events indicated by the vulnerability fix analysis task.
For some possible design ideas, the vulnerability repair system 100 may first perform threat attack activity analysis on a target threat awareness event indicated by a vulnerability repair analysis task, and output a basic threat attack activity sequence; the sequence of basic threat attack activities includes a plurality of basic threat attack activities, and each basic threat attack activity in the sequence of basic threat attack activities has time window network flow data in a threat attack flow process.
After obtaining the sequence of basic threat attack activities, the vulnerability repair system 100 may extract a number of seed threat attack activities from the sequence of basic threat attack activities based on one or more initial threat attack tracking maps; as referred to herein, a seed threat attack activity refers to a base threat attack activity that exists in one or more initial threat attack tracking maps, i.e., a seed threat attack activity refers to a threat attack activity that exists in both one or more initial threat attack tracking maps and a target threat perception event. For some possible design considerations, the vulnerability fix system 100 may extract a number of seed threat attack activities from a sequence of base threat attack activities directly based on one or more initial threat attack tracking maps; for example, for some possible design considerations, the vulnerability fix system 100 may traverse each of the basic threat attack activities in the basic threat attack activity sequence; matching the currently traversed basic threat attack activity with one or more initial threat attack tracking maps to detect whether the currently traversed basic threat attack activity exists in the one or more initial threat attack tracking maps; and if so, outputting the currently traversed basic threat attack activity as the seed threat attack activity.
Accordingly, when extracting a plurality of seed threat attack activities from the basic threat attack activity sequence based on one or more initial threat attack tracking maps, the vulnerability repair system 100 may first extract, from the basic threat attack activity sequence, the basic threat attack activities having time window network flow data in the target threat attack flow process. The time window network flow data in the target threat attack flow process referred to herein may include at least one of: the attack types that occur, the number of times each attack type occurs, and the probability of each attack type occurring up to the current time window. Then, the vulnerability repair system 100 may extract a plurality of seed threat attack activities from these basic threat attack activities based on the one or more initial threat attack tracking maps; the specific implementation is similar to that of the aforementioned step of "extracting a plurality of seed threat attack activities from the basic threat attack activity sequence directly based on one or more initial threat attack tracking maps" and is not described again here.
After extracting the number of seed threat attack activities, a threat attack activity sequence of the target threat awareness event (which may be denoted M') may be established from the seed threat attack activities. For some possible design ideas, the threat attack activity sequence of the target threat perception event can be established directly from the plurality of seed threat attack activities; in this embodiment, the threat attack activities in the threat attack activity sequence are the seed threat attack activities themselves, and the statistical distribution amount of the threat attack activities equals the statistical distribution amount of the seed threat attack activities. For other possible design ideas, the extracted seed threat attack activities may include some that are adjacent to each other in the target threat perception event and have a special meaning; such seed threat attack activities usually occur simultaneously in the initial threat attack tracking graph, and the threat attack activity formed by linking their attack granularities together has more mining value than any single seed threat attack activity. For example, seed threat attack activities "L" and "M" would typically occur simultaneously in the initial threat attack tracking graph, and "L + M" has more mining value than "L" or "M" alone. In this case, the vulnerability repair system 100 may associate the attack granularities of these seed threat attack activities and output the resulting attack-granularity-associated threat attack activities as threat attack activities, so as to improve the accuracy of subsequent topic identification.
Accordingly, when the vulnerability repair system 100 establishes the threat attack activity sequence of the target threat perception event from the plurality of seed threat attack activities, it may determine whether seed threat attack activities matching the attack granularity association requirement exist among them. The attack granularity association requirement here may include: the threat attack penetration intervals in the target threat awareness event match, and the activities exist in the same initial threat attack tracking map. If seed threat attack activities matching the attack granularity association requirement exist, attack granularity association processing is performed on them, and the threat attack activities produced by the attack granularity association processing, together with the seed threat attack activities that did not undergo attack granularity association processing, are output as threat attack activities and added to the threat attack activity sequence of the target threat perception event. If no seed threat attack activities matching the attack granularity association requirement exist, each seed threat attack activity can be output as a threat attack activity and added to the threat attack activity sequence of the target threat perception event.
The Process220 establishes a threat attack relationship network for the target threat awareness event based on the plurality of threat attack activities.
For example, a basic threat attack relationship network of the target threat awareness event may first be established according to the number of threat attack activities; the basic threat attack relationship network comprises a plurality of network members, each of which maps one threat attack activity. Second, at least one pair combination of coordinated threat attack activity instances may be selected from the threat attack activities, where such a combination is a pair of threat attack activity instances that exhibit threat attack coordination behavior in the target threat awareness event. One or more network member sub-networks may then be determined from the basic threat attack relationship network based on the at least one pair combination, where any network member sub-network includes the two network members that respectively record the two threat attack activities of one pair combination. Then, the two network members in each network member sub-network can be connected in the basic threat attack relationship network, and the resulting network is output as the threat attack relationship network of the target threat perception event.
The Process230 generates threat attack participation of the threat attack activity mapped by each network member according to the threat attack coordination information among the network members in the threat attack relationship network.
The Process240 selects a number of threat awareness intelligence for the target threat awareness event from the sequence of threat attack activities based on the threat attack engagement of each threat attack activity.
For some possible design ideas, the vulnerability repair system 100 may select the threat attack activities in a preset sequence interval from the threat attack activity sequence according to the ordering of the threat attack participation degree by magnitude, and output them as a plurality of threat perception intelligence of the target threat perception event. For other possible design considerations, the vulnerability repair system 100 may select the threat attack activities whose threat attack participation degree is greater than a preset participation degree from the threat attack activity sequence and output them as a number of threat awareness intelligence of the target threat awareness event. The threat awareness intelligence includes one or more key threat attack chain data. For convenience of description, the following takes as an example the case where the plurality of threat perception intelligence are the threat attack activities in a preset order interval selected from the threat attack activity sequence.
The Process250 selects, from the one or more key threat attack chain data, the key threat attack chain data with the largest threat attack participation degree and outputs it as the key threat attack chain data of the target threat perception event.
The Process260 establishes vulnerability classification characteristics of the target threat sensing event according to the threat attack path variable of the key threat attack chain data; the vulnerability classification characteristics represent security vulnerability related characteristics of the security protection process corresponding to the target threat sensing event.
For some possible design ideas, the vulnerability fix system 100 may first invoke a threat attack path variable generation model to extract threat attack path variables of the key threat attack chain data. For some possible design ideas, the threat attack path variable of the threat attack activity may be determined by combining forward path data and backward path data of the threat attack activity, or may be determined by combining functions of the threat attack activity in different dimensions, so that the threat attack activity may have the same threat attack path variable in different dimensions, which is not limited specifically.
After the threat attack path variable of the key threat attack chain data is obtained, vulnerability classification characteristics of the target threat perception event can be established according to the threat attack path variable of the key threat attack chain data. For some possible design ideas, derived threat attack chain data corresponding to the key threat attack chain data can be obtained from the threat attack activity sequence; the so-called derived threat attack chain data conforms to the following characteristics: in the threat attack relationship network, a derived attack feature relationship exists between a network member used for associating derived threat attack chain data and a network member used for associating key threat attack chain data. Secondly, threat attack path variables of the key threat attack chain data and threat attack path variables of the derived threat attack chain data can be extracted. And then, a threat attack path variable of the key threat attack chain data and a threat attack path variable of the derived threat attack chain data can be aggregated, and vulnerability classification characteristics of the target threat perception event are output.
The Process270 obtains the threat attack path variable of each threat perception intelligence and determines the matching degree between the threat attack path variable of each threat perception intelligence and the vulnerability classification characteristic.
The Process280 selects vulnerability foundation intelligence of the target threat perception event from the plurality of threat perception intelligence based on the matching degree between the threat attack path variable of each threat perception intelligence and the vulnerability classification characteristic.
The Process290 performs relevance configuration on the target threat awareness event and the vulnerability foundation intelligence.
In a specific implementation, after the vulnerability repair system 100 has selected the vulnerability foundation intelligence of the target threat awareness event through Processes 210 to 280, the target threat awareness event and the vulnerability foundation intelligence can be configured in a correlated manner.
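As an added illustration of Processes 210 to 280 (example code, not the patent's own), the following toy run on constructed data extracts seed activities, builds the relationship network, ranks activities by participation, aggregates the key chain's path variable with those of its derived (adjacent) chain data, and selects the foundation intelligence by matching degree. It assumes, where the text leaves the choice open, that the participation degree is the number of coordinating partners, that a path variable is a set of tokens, and that the matching degree is Jaccard similarity; the attack granularity association step is not modelled.

```python
# Added example, not the patent's own code: a toy run of Processes 210-280 on constructed
# data. Assumptions the text leaves open: the participation degree is the number of
# coordinating partners in the relationship network, a threat attack path variable is a
# set of tokens, and the matching degree is Jaccard similarity.

def extract_seeds(basic_sequence, tracking_maps):
    """Process210: seed activities are basic activities present in some initial tracking map."""
    known = set().union(*tracking_maps)
    return [a for a in basic_sequence if a in known]

def build_network(activities, coordinated_pairs):
    """Process220: one network member per activity; connect each coordinated pair."""
    net = {a: set() for a in activities}
    for a, b in coordinated_pairs:
        if a in net and b in net:          # ignore pairs that mention non-seed activities
            net[a].add(b)
            net[b].add(a)
    return net

def participation(net):
    """Process230 (assumed metric): number of partners with coordination behaviour."""
    return {a: len(partners) for a, partners in net.items()}

def select_intelligence(activities, degree, k):
    """Process240: the k activities with the highest participation (ties broken by name)."""
    return sorted(activities, key=lambda a: (-degree[a], a))[:k]

def classification_feature(key, net, path_vars):
    """Process260: aggregate the key chain's path variable with those of its derived
    chain data, i.e. the network members adjacent to the key member."""
    feature = set(path_vars[key])
    for derived in net[key]:
        feature |= path_vars[derived]
    return feature

def matching_degree(x, y):
    """Jaccard similarity used as the matching degree (assumption)."""
    union = x | y
    return len(x & y) / len(union) if union else 0.0

def run_pipeline(basic_sequence, tracking_maps, coordinated_pairs, path_vars, k=3):
    seeds = extract_seeds(basic_sequence, tracking_maps)
    net = build_network(seeds, coordinated_pairs)
    degree = participation(net)
    intel = select_intelligence(seeds, degree, k)
    key = intel[0]                                      # Process250: largest participation
    feature = classification_feature(key, net, path_vars)
    scores = {a: matching_degree(path_vars[a], feature) for a in intel}   # Process270
    foundation = max(intel, key=lambda a: (scores[a], a))                 # Process280
    return {"seeds": seeds, "degree": degree, "key": key,
            "feature": feature, "scores": scores, "foundation": foundation}

# Constructed sample data (illustrative only).
BASIC = ["recon_scan", "cred_stuff", "lateral_smb", "priv_esc", "exfil_dns", "noise_ping"]
MAPS = [{"recon_scan", "cred_stuff", "lateral_smb"}, {"lateral_smb", "priv_esc", "exfil_dns"}]
PAIRS = [("recon_scan", "cred_stuff"), ("cred_stuff", "lateral_smb"),
         ("lateral_smb", "priv_esc"), ("lateral_smb", "exfil_dns"), ("priv_esc", "exfil_dns")]
PATH_VARS = {"recon_scan": {"scan", "inbound"},
             "cred_stuff": {"auth", "inbound", "fail", "internal"},
             "lateral_smb": {"auth", "smb", "internal"},
             "priv_esc": {"token", "internal"},
             "exfil_dns": {"dns", "outbound", "internal"},
             "noise_ping": {"icmp"}}

if __name__ == "__main__":
    print(run_pipeline(BASIC, MAPS, PAIRS, PATH_VARS))
```

On this data the key chain data is the most connected activity, while the foundation intelligence is a different activity whose path variable overlaps the aggregated feature most, which shows why Process280 is a separate matching step rather than a repeat of Process250.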
The vulnerability classification features mentioned above are the overall AI decision features (i.e., the main AI decision features) of the target threat awareness event, and the security vulnerability related features are the threat awareness intelligence features of the target threat awareness event. In an alternative embodiment, when several key threat attack chain data are obtained from the target threat awareness event, this indicates that the target threat awareness event has several threat scenario variables. In this case, the vulnerability repair system 100 may further select, from the one or more key threat attack chain data, key threat attack chain data whose threat attack participation degree is less than that of the key threat attack chain data of the target threat awareness event selected above. Secondly, an AI decision characteristic of the threat perception situation of the target threat perception event (namely a non-essential AI decision characteristic) can be established according to the threat attack path variable of this key threat attack chain data; the AI decision characteristic of the threat perception situation represents the threat situation variable of the threat perception situation of the target threat perception event. Then, the target threat awareness event, the vulnerability classification characteristic, and the AI decision characteristic of the threat awareness situation may be loaded into an attack penetration evaluation program, so that when an attack penetration evaluation instruction is responded to, attack penetration evaluation processing may be performed based on the vulnerability classification characteristic and the AI decision characteristic of the threat awareness situation.
For some possible design ideas, the vulnerability repair system 100 may further calculate the overall AI decision characteristics and the AI decision characteristics of the threat perception situation of other threat perception events according to the above method steps, and associate each calculated AI decision characteristic with the attack penetration evaluation program; that is, the attack penetration evaluation program further includes one or more other threat awareness events, each of which has a corresponding overall AI decision characteristic and a corresponding AI decision characteristic of the threat awareness situation. When responding to the attack penetration evaluation instruction, the vulnerability repair system 100 can obtain the attack penetration evaluation characteristic of the attack penetration evaluation information carried by the attack penetration evaluation instruction. Secondly, each threat awareness event in the attack penetration evaluation program and the one or more AI decision characteristics of each threat awareness event can be obtained; each threat awareness event has a risk impact parameter, and the one or more AI decision characteristics of each threat awareness event include its overall AI decision characteristic and its AI decision characteristic of the threat awareness situation. Then, the matching degree between each AI decision characteristic of each threat awareness event and the attack penetration evaluation characteristic can be calculated respectively, and the risk impact parameter of each threat awareness event is optimized based on the matching degree.
For some possible design considerations, for any threat awareness event, the AI decision feature with the highest matching degree may be determined from the one or more AI decision features of that event based on the matching degree between each of its AI decision features and the attack penetration evaluation feature. If the AI decision characteristic with the maximum matching degree is the overall AI decision characteristic of the event, the risk impact parameter of the event can be increased so as to update it; if the AI decision characteristic with the maximum matching degree is the AI decision characteristic of the threat perception situation of the event, the risk impact parameter of the event can be reduced so as to update it.
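The risk impact parameter update just described, as an added example that is not the patent's own code: each event's overall (main) and situation (non-essential) AI decision features are matched against the evaluation feature, and the risk parameter is raised or lowered depending on which one matches best. Assumptions not fixed by the text: features are token sets compared by Jaccard similarity, the parameter moves by a fixed step, and a tie is treated as an overall-feature match.

```python
# Added example, not the patent's own code: the risk impact parameter update of the
# attack penetration evaluation program. Assumptions: features are token sets compared
# by Jaccard similarity, the risk parameter moves by a fixed step, and a tie between the
# overall and the situation feature counts as an overall-feature match.

def matching_degree(x, y):
    """Jaccard similarity used as the matching degree (assumption)."""
    union = x | y
    return len(x & y) / len(union) if union else 0.0

def best_feature(event, eval_feature):
    """Return ("overall" | "situation", degree) for the event's best-matching AI decision feature."""
    overall = matching_degree(event["overall"], eval_feature)
    situation = matching_degree(event["situation"], eval_feature)
    return ("overall", overall) if overall >= situation else ("situation", situation)

def update_risk(events, eval_feature, step=1.0):
    """Raise the risk impact parameter when the overall (main) feature matches best,
    lower it when the threat perception situation feature matches best."""
    updated = {}
    for name, event in events.items():
        kind, _ = best_feature(event, eval_feature)
        updated[name] = event["risk"] + step if kind == "overall" else event["risk"] - step
    return updated

# Constructed sample: two threat awareness events and one evaluation feature.
EVENTS = {
    "event_a": {"risk": 5.0, "overall": {"auth", "smb", "internal"},
                "situation": {"dns", "outbound"}},
    "event_b": {"risk": 5.0, "overall": {"scan", "inbound"},
                "situation": {"dns", "outbound", "internal"}},
}
EVAL_FEATURE = {"auth", "smb", "internal", "dns"}

if __name__ == "__main__":
    print(update_risk(EVENTS, EVAL_FEATURE))
```

On this data event_a's main feature matches the evaluation feature best, so its parameter rises, while event_b is only matched through its situation feature, so its parameter falls.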
According to the method and the device, aiming at the target threat perception event indicated by the vulnerability repair analysis task, a plurality of threat attack activities can be obtained from the target threat perception event, and a threat attack relationship network of the target threat perception event is established according to the threat attack activities. Because threat attack activities mapped by network members with network connection relations in the threat attack relation network have threat attack cooperative behaviors in a target threat perception event, the more threat attack activities with the threat attack cooperative behaviors, the more risk exists; therefore, the threat attack participation degree of the threat attack activity mapped by each network member can be more accurately determined according to the threat attack cooperative information among the network members in the threat attack relationship network. And then, selecting key threat attack chain data of the target threat perception event from the threat attack activity sequence based on the threat attack participation of each threat attack activity, and establishing vulnerability classification characteristics representing security vulnerability relevant characteristics of a security protection process corresponding to the target threat perception event according to threat attack path variables of the key threat attack chain data. Therefore, the accuracy of the key threat attack chain data can be effectively improved by improving the accuracy of the threat attack participation degree of each threat attack activity, so that the accuracy of the related characteristics of the security vulnerability is improved; in addition, the security vulnerability related characteristics of the threat perception event can be automatically analyzed in the whole security vulnerability classification process, and the manual investigation process of the security vulnerability classification is reduced.
For some possible design considerations, the present application also provides that, in some embodiments, the vulnerability repair system 100 may include a processor 110, a machine-readable storage medium 120, a bus 130, and a communication unit 140.
The processor 110 may perform various suitable actions and processes based on a program stored in the machine-readable storage medium 120, such as program instructions related to the vulnerability repair method for big data security vulnerability mining described in the foregoing embodiments. The processor 110, the machine-readable storage medium 120, and the communication unit 140 perform signal transmission through the bus 130.
In particular, the processes described in the above exemplary flow diagrams may be implemented as computer software programs, according to embodiments of the present invention. For example, embodiments of the invention include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication unit 140, and when executed by the processor 110, performs the above-described functions defined in the methods of the embodiments of the present invention.
Yet another embodiment of the present invention further provides a computer-readable storage medium, in which computer-executable instructions are stored, and when the computer-executable instructions are executed by a processor, the computer-readable storage medium is configured to implement the vulnerability fixing method for big data security vulnerability mining according to any of the above embodiments.
Yet another embodiment of the present invention further provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program implements the vulnerability fixing method for big data security vulnerability mining according to any of the above embodiments.
It should be understood that although each operation step is indicated by an arrow in the flowchart of the embodiment of the present invention, the implementation order of the steps is not limited to the order indicated by the arrow. In some implementation scenarios of embodiments of the present invention, the implementation steps in the flowcharts may be performed in other sequences as desired, unless explicitly stated otherwise herein. In addition, some or all of the steps in each flowchart may include multiple sub-steps or multiple stages based on an actual implementation scenario. Some or all of these sub-steps or stages may be performed at the same time, or each of these sub-steps or stages may be performed at different times, respectively. In a scenario where the execution time is different, the execution sequence of the sub-steps or phases may be flexibly configured according to requirements, which is not limited in the embodiment of the present invention.
The foregoing is only an alternative embodiment of a part of implementation scenarios of the present invention, and it should be noted that, for those skilled in the art, other similar implementation means based on the technical idea of the present invention are also within the protection scope of the embodiment of the present invention without departing from the technical idea of the present invention.