CN115001849A - Vulnerability repair method and vulnerability repair system for big data security vulnerability mining - Google Patents


Info

Publication number: CN115001849A
Authority: CN (China)
Prior art keywords: threat, attack, threat attack, vulnerability, activity
Legal status: Granted
Application number: CN202210785740.5A
Other languages: Chinese (zh)
Other versions: CN115001849B (en)
Inventor: 刘颖
Current Assignee: Hubei Jifang Technology Co ltd
Original Assignee: Jinan Lutong Huiyuan Electronic Technology Co ltd
Application filed by Jinan Lutong Huiyuan Electronic Technology Co ltd
Priority to CN202210785740.5A
Publication of CN115001849A
Application granted
Publication of CN115001849B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The embodiment of the application provides a vulnerability repair method and a vulnerability repair system for big data security vulnerability mining. A threat attack activity sequence is obtained from the target threat perception event indicated by the vulnerability repair analysis task of the threat perception server, and a reference security vulnerability distribution of the security protection process corresponding to the target threat perception event is determined from that sequence. Vulnerability repair is then performed, on the basis of this reference distribution, on the security protection process and on the shared security protection processes corresponding to it. Security vulnerability mining is thus carried out with a single target threat perception event as the unit, and a plurality of shared security protection processes are repaired in a unified way; compared with the related-art approach of analysing and repairing vulnerabilities using global threat perception events, the method provides an efficient vulnerability repair scheme with better localization.

Description

Vulnerability repair method and vulnerability repair system for big data security vulnerability mining
Technical Field
The application relates to the technical field of information security, in particular to a vulnerability repairing method and a vulnerability repairing system aiming at big data security vulnerability mining.
Background
A security vulnerability is a defect in hardware, software, the concrete implementation of a protocol, or a system security policy that may enable an attacker to access or damage the system without authorization. To keep internet services running normally and preserve user experience, security vulnerabilities therefore need to be discovered and handled promptly, with targeted repair. In the related art, vulnerability analysis and repair are generally performed using global threat perception events, but this approach has difficulty meeting the demand for more localized and efficient vulnerability repair.
Disclosure of Invention
In order to overcome at least the above disadvantages in the prior art, the present application aims to provide a vulnerability repairing method and a vulnerability repairing system for big data security vulnerability mining.
In a first aspect, the application provides a vulnerability repair method for big data security vulnerability mining, applied to a vulnerability repair system that is communicatively connected with a plurality of threat perception servers. The method comprises the following steps:
obtaining a threat attack activity sequence from the target threat perception event indicated by a vulnerability repair analysis task of the threat perception server, and determining, based on the threat attack activity sequence, a reference security vulnerability distribution of the security protection process corresponding to the target threat perception event;
and performing vulnerability repair on the security protection process and on the shared security protection process corresponding to it, based on the reference security vulnerability distribution of the security protection process corresponding to the target threat perception event.
In a second aspect, an embodiment of the application further provides a vulnerability repair system for big data security vulnerability mining, which comprises a vulnerability repair system and a plurality of threat perception servers communicatively connected with it;
the vulnerability repair system is used for:
obtaining a threat attack activity sequence from the target threat perception event indicated by a vulnerability repair analysis task of the threat perception server, and determining, based on the threat attack activity sequence, a reference security vulnerability distribution of the security protection process corresponding to the target threat perception event;
and performing vulnerability repair on the security protection process and on the shared security protection process corresponding to it, based on the reference security vulnerability distribution of the security protection process corresponding to the target threat perception event.
By adopting the technical scheme of either aspect, a threat attack activity sequence is obtained from the target threat perception event indicated by the vulnerability repair analysis task of the threat perception server, a reference security vulnerability distribution of the corresponding security protection process is determined from that sequence, and vulnerability repair is performed on that security protection process and its shared security protection processes on the basis of the distribution. Security vulnerability mining thus takes a single target threat perception event as its unit while a plurality of shared security protection processes are repaired in a unified way; compared with the related-art practice of analysing and repairing vulnerabilities using global threat perception events, this yields an efficient vulnerability repair scheme with better localization.
Drawings
Fig. 1 shows the flow of the vulnerability repair method for big data security vulnerability mining according to an embodiment of the present invention.
Detailed Description
The following describes the architecture of the vulnerability repair system 10 for big data security vulnerability mining according to an embodiment of the present invention. The vulnerability repair system 10 may include a vulnerability repair system 100 and a threat perception server 200 communicatively connected to the vulnerability repair system 100. Within the system 10, the vulnerability repair system 100 and the threat perception server 200 cooperate to execute the vulnerability repair method for big data security vulnerability mining described in the following method embodiments, which detail the steps executed by each of them.
The vulnerability repair method for big data security vulnerability mining provided in this embodiment may be executed by the vulnerability repair system 100 and is described in detail below with reference to Fig. 1.
Process100: obtain a threat attack activity sequence from the target threat perception event indicated by the vulnerability repair analysis task of the threat perception server, and determine, based on that sequence, a reference security vulnerability distribution of the security protection process corresponding to the target threat perception event.
Process200: perform vulnerability repair on the security protection process and on its corresponding shared security protection process, based on the reference security vulnerability distribution of the security protection process corresponding to the target threat perception event.
For example, after the reference security vulnerability distribution is obtained, a shared vulnerability repair instruction corresponding to it may be extracted from a pre-specified shared vulnerability repair instruction library, and vulnerability repair may be performed on the security protection process and its corresponding shared security protection process based on that instruction. Alternatively, when no shared vulnerability repair instruction corresponding to the reference security vulnerability distribution can be extracted from the library, the vulnerability location feature points corresponding to the distribution (such as the process code position of each reference security vulnerability during operation of the security protection process) are output to a developer terminal, prompting the developer terminal to perform targeted repair.
By adopting this technical scheme, a threat attack activity sequence is obtained from the target threat perception event indicated by the vulnerability repair analysis task of the threat perception server, a reference security vulnerability distribution of the corresponding security protection process is determined from that sequence, and vulnerability repair is performed on that security protection process and its shared security protection processes on the basis of the distribution. Security vulnerability mining thus takes a single target threat perception event as its unit while a plurality of shared security protection processes are repaired in a unified way; compared with the related-art practice of analysing and repairing vulnerabilities using global threat perception events, this yields an efficient vulnerability repair scheme with better localization.
For some exemplary design considerations, Process100 is described in detail below with reference to specific embodiments.
Process110: obtain a threat attack activity sequence from the target threat perception event indicated by the vulnerability repair analysis task.
Any threat perception event typically includes a large amount of threat attack activity, and a threat attack activity may include one or several items of threat attack chain data; threat attack chain data is the path data formed by the threat attack nodes traversed during the threat attack process.
Threat attack activities describe the attack behavior information related to a threat perception event, and the security-vulnerability-related characteristics of the event are used to decide on the main attack behavior characteristics related to it; there is therefore a correlation between the threat attack activities in a threat perception event and its security-vulnerability-related characteristics, and those characteristics can be determined from the threat attack activities the event includes. For example, in response to a mining request for a threat context variable related to a target threat perception event, the vulnerability repair system 100 may obtain the target threat perception event indicated by the vulnerability repair analysis task and obtain a threat attack activity sequence from it; the sequence may include a number of threat attack activities, and those activities include threat attack chain data. For some possible design ideas, the vulnerability repair system 100 may analyse a threat attack activity of the target threat perception event and match the basic threat attack activity sequence obtained by that analysis against one or more time-window network flow databases of the threat attack process, so as to obtain, by matching, the basic threat attack activities of the sequence that lie in one or more initial threat attack tracking maps. The threat attack activities in the target threat perception event are then determined from the matched basic threat attack activities, thereby establishing the threat attack activity sequence of the target threat perception event.
Process120: establish a threat attack relationship network of the target threat perception event based on the several threat attack activities.
For some possible design ideas, the threat attack relationship network of a target threat perception event may include a number of network members; each network member maps one threat attack activity, and the threat attack activities mapped by network members that have a network connection relationship have threat attack cooperative behavior in the target threat perception event. In other words, the network members corresponding to two threat attack activities that have threat attack cooperative behavior in the target threat perception event have a network connection relationship in the threat attack relationship network. The threat attack cooperative behavior mentioned here may have either of the following meanings:
For some possible design ideas, threat attack cooperative behavior may refer to the relationship in which, when threat attack coordination is carried out on the target threat perception event according to an external attack source, two threat attack activities are present simultaneously in the coordination activity of that external attack source. Suppose the several threat attack activities include threat attack activity L, threat attack activity M, threat attack activity E, threat attack activity B, and so on. Threat attack activity L and threat attack activity M may occur simultaneously in the external attack source during the threat attack coordination process, so they may be considered to have threat attack cooperative behavior in the target threat perception event. Likewise, threat attack activity M and threat attack activity E may occur simultaneously in the external attack source, so they may be considered to have threat attack cooperative behavior in the target threat perception event. Threat attack activity E and threat attack activity B cannot occur in the external attack source at the same time, so they may be considered to have no threat attack cooperative behavior in the target threat perception event, and so on.
For other possible design ideas, threat attack cooperative behavior may refer to the relationship in which, during threat attack coordination on the target threat perception event according to an external attack source, two threat attack activities are present simultaneously in the external attack source and the defense time-space domain correlation parameter between them is greater than a preset correlation parameter value. The defense time-space domain correlation parameter between two threat attack activities can be calculated from their threat attack path variables; it maps the defense time-space domain matching degree between the two activities and is directly proportional to it, so the larger the correlation parameter, the higher the matching degree. For example, let the preset correlation parameter value be K, the defense time-space domain correlation parameter between threat attack activity L and threat attack activity M be kLM, that between threat attack activity M and threat attack activity E be kME, and that between threat attack activity E and threat attack activity B be kEB, with kLM < K, kME > K and kEB < K.
Continuing the above example: since the defense time-space domain correlation parameter kLM between threat attack activity L and threat attack activity M is less than the preset correlation parameter value K, the vulnerability repair system 100 may consider that threat attack activity L and threat attack activity M have no threat attack cooperative behavior in the target threat perception event, although both may occur in the external attack source. Since kME between threat attack activity M and threat attack activity E is greater than K, and threat attack activity M and threat attack activity E may occur in the external attack source at the same time, the vulnerability repair system 100 may consider that they have threat attack cooperative behavior in the target threat perception event, and so on. Therefore, when judging whether two threat attack activities have threat attack cooperative behavior in the target threat perception event, this embodiment considers not only the distance between the threat attack penetration intervals of the two activities via the external attack source but also the defense time-space domain matching degree between them, which effectively improves the accuracy of the judgment and hence the accuracy of the threat attack relationship network.
Based on the above, when specifically implementing Process120 the vulnerability repair system 100 may first establish a basic threat attack relationship network of the target threat perception event from the plurality of threat attack activities; the basic threat attack relationship network comprises a plurality of network members, each mapping one threat attack activity. Second, the vulnerability repair system 100 may select at least one pair of coordinated threat attack activity instances from the several threat attack activities, a coordinated pair being two threat attack activity instances that have threat attack cooperative behavior in the target threat perception event. The vulnerability repair system 100 may then traverse every coordinated pair; for the pair currently traversed, the two network members associated with its two threat attack activities are connected in the basic threat attack relationship network. When every coordinated pair has been traversed, the threat attack relationship network of the target threat perception event is obtained.
For example, assume the several threat attack activities include threat attack activity L (recorded by network member L), threat attack activity M (recorded by network member M), threat attack activity E (recorded by network member E), threat attack activity B (recorded by network member B), threat attack activity E (recorded by network member E), and so on, and that the threat attack activities total 5 pairs of coordinated threat attack activity instances, namely (threat attack activity L, threat attack activity M), (threat attack activity L, threat attack activity B), (threat attack activity M, threat attack activity E) and (threat attack activity B, threat attack activity E). The vulnerability repair system 100 then connects network member L with network member M, network member L with network member B, network member M with network member E, and network member B with network member E in the basic threat attack relationship network, thereby obtaining the threat attack relationship network of the target threat perception event.
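As an added illustration (not code from the patent or its applicant), the following Python sketch encodes the two definitions of threat attack cooperative behavior given above and builds the threat attack relationship network of Process120 from them: start with one member per activity and no connections, then connect every coordinated pair. The activity names L, M, E and B follow the patent's example; the co-occurrence set, the correlation parameters kLM, kME, kEB, kLB and the threshold K are constructed sample values chosen to satisfy the text's kLM < K, kME > K, kEB < K.

```python
# Added example, not the patent's code: the two definitions of "threat attack
# cooperative behavior" and the construction of the threat attack relationship
# network (Process120). All sample values below are constructed.
from itertools import combinations


def cooperative(a, b, cooccur, corr, K=None):
    """True when activities a and b have threat attack cooperative behavior.

    cooccur: set of frozenset pairs that appeared together in an external attack source.
    corr:    frozenset pair -> defense time-space domain correlation parameter.
    K:       preset correlation parameter value. None applies the first definition
             (co-occurrence only); a number applies the second (co-occurrence AND
             correlation parameter greater than K).
    """
    pair = frozenset((a, b))
    if pair not in cooccur:
        return False
    if K is None:
        return True
    return corr.get(pair, 0.0) > K


def build_relationship_network(activities, cooccur, corr, K=None):
    """Start from the basic network (one member per activity, no connections) and
    connect the two members of every coordinated pair; returns an adjacency dict."""
    network = {activity: set() for activity in activities}
    for a, b in combinations(activities, 2):
        if cooperative(a, b, cooccur, corr, K):
            network[a].add(b)
            network[b].add(a)
    return network


ACTIVITIES = ["L", "M", "E", "B"]
# Pairs seen together in an external attack source (constructed; E and B never co-occur).
COOCCUR = {frozenset("LM"), frozenset("ME"), frozenset("LB")}
# kLM, kME, kEB, kLB (constructed; kLM < K, kME > K, kEB < K as in the text).
CORR = {frozenset("LM"): 0.3, frozenset("ME"): 0.8, frozenset("EB"): 0.2, frozenset("LB"): 0.6}
K = 0.5

if __name__ == "__main__":
    # First definition keeps L-M; second drops it because kLM < K.
    print("first definition :", build_relationship_network(ACTIVITIES, COOCCUR, CORR))
    print("second definition:", build_relationship_network(ACTIVITIES, COOCCUR, CORR, K))
```

Under the first definition L is connected to both M and B; under the second, L-M is dropped because kLM is below K while M-E survives because kME exceeds it, which is exactly the distinction the text draws.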
Process130: generate the threat attack participation degree of the threat attack activity mapped by each network member according to the threat attack coordination information among the network members in the threat attack relationship network.
For some possible design ideas, threat attack cooperative behavior is the relationship in which two threat attack activities appear in one external attack source at the same time, or in which they appear at the same time and the defense time-space domain correlation parameter between them is greater than a preset correlation parameter value. It follows that a threat attack activity with more threat attack cooperative behaviors appears more frequently in the target threat perception event, and so can be output as a riskier threat attack activity. Therefore, when the vulnerability repair system 100 executes Process130, it can, for example, count for each threat attack activity the number of threat attack coordinations of its threat attack cooperative behavior (the threat attack coordination times) from the threat attack coordination information among the network members in the threat attack relationship network, and determine each activity's threat attack participation degree from its coordination times on the principle that participation degree is positively correlated with coordination times.
For some possible design ideas, the threat attack coordination times of each threat attack activity can be output directly as its threat attack participation degree; or the coordination times can be normalized and the result output as the participation degree; or the coordination times can be weighted by a threat attack participation parameter, which can be set according to the actual service conditions, and the weighted value output as the participation degree. For example, referring to the foregoing example, if a derived attack feature relationship exists between network member L and network member M and between network member L and network member B, the threat attack coordination times of the threat attack cooperative behavior of threat attack activity L (mapped by network member L) is counted as 2; this may be output directly as the threat attack participation degree of threat attack activity L (participation degree 2), or weighted by a threat attack participation parameter (e.g. 1.5) and output as its threat attack participation degree (participation degree 3), and so on.
In another possible design concept, research shows that if two threat attack activities have threat attack cooperative behavior in a target threat sensing event, since the two threat attack activities are simultaneously present, the threat attack engagement degrees of the two threat attack activities generally affect each other. Accordingly, when the vulnerability repair system 100 executes the Process130, the threat attack engagement degree of the threat attack activity of any network member can be calculated by combining the threat attack engagement degree of the threat attack activity mapped by the associated network member having a network connection relationship with the network member, so as to improve the accuracy of the threat attack engagement degree. Aiming at some possible design ideas, aiming at threat attack activities mapped by any network member, generating one or more associated network members having network connection relation with any network member according to threat attack collaboration information among the network members in the threat attack relation network; and then, determining the threat attack participation degree of the threat attack activity mapped by any network member based on the threat attack participation degree of the threat attack activity mapped by each associated network member.
The specific implementation of determining the threat attack engagement degree of the threat attack activity mapped by any network member based on the threat attack engagement degree of the threat attack activity mapped by each associated network member may include any one of the following:
The first implementation: the vulnerability repair system 100 may determine an initial value for the threat attack activity mapped by the network member based on the threat attack coordination times of that activity's threat attack cooperative behavior. Next, the number of times the threat attack activity mapped by the network member and the threat attack activity mapped by each associated network member appear simultaneously in an external attack source can be counted, the counts normalized, and the risk assessment information of each associated network member output. For example, for threat attack activity L mapped by network member L, network member L has two associated network members, network member M and network member B; if threat attack activity L and threat attack activity M (mapped by network member M) appear together in the external attack source 15 times, and threat attack activity L and threat attack activity B (mapped by network member B) appear together 5 times, the risk assessment information of network member M is 15/(15+5) = 0.75 and that of network member B is 5/(15+5) = 0.25. Once the risk assessment information of each associated network member is obtained, the threat attack participation degrees of the associated network members can be summed with those values as weights; for example, if the threat attack participation degree of network member M is 0.4 and that of network member B is 0.2, the weighted sum is 0.4 × 0.75 + 0.2 × 0.25 = 0.35.
The weighted sum is then added to the initial value of the threat attack activity mapped by the network member, and the result is output as that activity's threat attack participation degree.
The second implementation: the vulnerability repair system 100 may also determine the threat attack participation degree of the threat attack activity mapped by any associated network member based on the threat attack participation degree of the threat attack activities mapped by the network members.
In addition, for some possible design ideas, the defense time-space domain correlation parameter can represent the defense time-space domain matching degree between two threat attack activities, and research shows that for any threat attack activity, the larger the defense time-space domain matching degree between another threat attack activity and that threat attack activity, the larger, in general, the influence of the other threat attack activity's threat attack participation degree on the threat attack participation degree of that threat attack activity. Accordingly, when the vulnerability repair system 100 executes the Process130, for the threat attack activity mapped by any network member, the threat attack participation degree of the threat attack activities mapped by the associated network members having a network connection relationship with that network member and the defense time-space domain correlation parameters between the threat attack activity mapped by that network member and the threat attack activity mapped by each associated network member are combined to calculate the threat attack participation degree of the threat attack activity of that network member, so as to further improve the precision of the threat attack participation degree. For some possible design ideas, for the threat attack activity mapped by any network member, one or more associated network members having a network connection relationship with that network member may be generated according to the threat attack collaboration information between network members in the threat attack relationship network.
Then, calculating defense time-space domain correlation parameters between the threat attack activity mapped by any network member and the threat attack activity mapped by each correlation network member; and determining the threat attack participation degree of the threat attack activity mapped by any network member based on the defense time-space domain associated parameters and the threat attack participation degree of the threat attack activity mapped by each associated network member.
Wherein, based on the defense time-space domain correlation parameter and the threat attack engagement degree of the threat attack activity mapped by each correlation network member, the specific implementation mode for determining the threat attack engagement degree of the threat attack activity mapped by any network member may include any one of the following:
The first implementation mode comprises the following steps: the vulnerability repair system 100 may determine an initial value of the threat attack activity mapped by any network member based on the threat attack coordination number of the threat attack activity mapped by that network member. Secondly, the threat attack participation of each associated network member can be weighted and summed according to each defense time-space domain correlation parameter. For example, for a threat attack activity L mapped by network member L, network member L has two associated network members, network member M and network member B; the threat attack participation of network member M is 0.4, and the threat attack participation of network member B is 0.2. If the defense time-space domain correlation parameter between the threat attack activity L and the threat attack activity M mapped by network member M is kLM, and the defense time-space domain correlation parameter between the threat attack activity L and the threat attack activity B mapped by network member B is kLB, then 0.4 × kLM + 0.2 × kLB may be computed. Then, the value obtained by the weighted calculation and the initial value of the threat attack activity mapped by that network member can be summed, and the threat attack participation degree of the threat attack activity mapped by that network member is output.
The second embodiment: the vulnerability repair system 100 may also determine a threat attack engagement degree of the threat attack activity mapped by any network member based on the defense time-space domain associated parameters and the threat attack engagement degree of the threat attack activity mapped by each associated network member.
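The two weighting designs above (risk assessment information normalized from external-attack-source co-occurrence counts, and defense time-space domain correlation parameters kLM, kLB) share the same arithmetic: a weighted sum over the associated members' participation degrees added to the member's own initial value. The following is an added example, not code from the patent, that carries the page's own figures (15 and 5 co-occurrences, participation 0.4 and 0.2) through both designs. The mapping from coordination times to the initial value and the numeric values of kLM and kLB are not specified on the page and are constructed here.

```python
from typing import Dict, Mapping


def initial_value_from_coordination(coordination_times: int, max_coordination_times: int) -> float:
    """Assumed mapping (not specified on the page): scale the member's own
    coordination count into [0, 1]."""
    if max_coordination_times <= 0:
        return 0.0
    return min(1.0, coordination_times / max_coordination_times)


def risk_assessment_from_cooccurrence(cooccurrence: Mapping[str, int]) -> Dict[str, float]:
    """First design: normalise, per associated member, the number of times its
    activity appears in the external attack source together with the member's
    own activity."""
    total = sum(cooccurrence.values())
    if total <= 0:
        return {member: 0.0 for member in cooccurrence}
    return {member: count / total for member, count in cooccurrence.items()}


def threat_attack_participation(initial_value: float,
                                weights: Mapping[str, float],
                                neighbor_participation: Mapping[str, float]) -> float:
    """Weighted sum of the associated members' participation degrees plus the
    member's initial value. `weights` is either the risk assessment information
    (first design) or the correlation parameters kLM, kLB (second design)."""
    weighted = sum(weights[m] * neighbor_participation[m] for m in weights)
    return initial_value + weighted


def worked_example() -> Dict[str, float]:
    """Reproduces the page's numbers; initial value and kLM/kLB are constructed."""
    neighbor_participation = {"M": 0.4, "B": 0.2}
    # constructed: 2 coordination occurrences out of a maximum of 20 -> 0.1
    initial = initial_value_from_coordination(coordination_times=2, max_coordination_times=20)
    # first design: co-occurrence counts 15 (M) and 5 (B) -> weights 0.75 and 0.25
    w_cooc = risk_assessment_from_cooccurrence({"M": 15, "B": 5})
    p_cooc = threat_attack_participation(initial, w_cooc, neighbor_participation)
    # second design: constructed correlation parameters kLM = 0.6, kLB = 0.3
    w_corr = {"M": 0.6, "B": 0.3}
    p_corr = threat_attack_participation(initial, w_corr, neighbor_participation)
    return {
        "weighted_sum_cooccurrence": p_cooc - initial,   # 0.35 as in the text
        "participation_cooccurrence": p_cooc,            # 0.35 + initial value
        "participation_correlation": p_corr,
    }


if __name__ == "__main__":
    print(worked_example())
```

The normalization step returns all-zero weights when no co-occurrence was observed, so a member with no evidence of coordination falls back to its initial value alone rather than raising a division error.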
The Process140 selects key threat attack chain data of the target threat perception event from the threat attack activity sequence based on the threat attack participation of each threat attack activity, and establishes vulnerability classification characteristics of the target threat perception event according to a threat attack path variable of the key threat attack chain data, wherein the vulnerability classification characteristics represent security vulnerability related characteristics of a security protection Process corresponding to the target threat perception event.
After obtaining the threat attack participation of each threat attack activity, the vulnerability repair system 100 may select the threat attack chain data with the largest threat attack participation from the threat attack activity sequence based on the threat attack participation of each threat attack activity and output the threat attack chain data as the key threat attack chain data of the target threat perception event. And then, establishing vulnerability classification characteristics of the target threat perception event according to threat attack path variables of the key threat attack chain data, wherein the vulnerability classification characteristics represent security vulnerability related characteristics of a security protection process corresponding to the target threat perception event.
One design idea for the vulnerability repair system 100 to select key threat attack chain data from the threat attack activity sequence may be: extracting each threat attack chain data included in the threat attack activity sequence, and then selecting the threat attack chain data with the maximum threat attack participation from the extracted threat attack chain data to output as the key threat attack chain data of the target threat perception event.
According to the method and the device, aiming at the target threat perception event indicated by the vulnerability repair analysis task, a plurality of threat attack activities can be obtained from the target threat perception event, and a threat attack relationship network of the target threat perception event is established according to the threat attack activities. Because threat attack activities mapped by network members with network connection relations in the threat attack relation network have threat attack cooperative behaviors in a target threat perception event, the more threat attack activities with the threat attack cooperative behaviors, the more risk exists; therefore, the threat attack participation degree of the threat attack activity mapped by each network member can be more accurately determined according to the threat attack cooperative information among the network members in the threat attack relationship network. And then, selecting key threat attack chain data of the target threat perception event from the threat attack activity sequence based on the threat attack participation of each threat attack activity, and establishing vulnerability classification characteristics representing security vulnerability relevant characteristics of a security protection process corresponding to the target threat perception event according to threat attack path variables of the key threat attack chain data. 
Therefore, the precision of the threat attack participation degree of each threat attack activity can be improved, so that the precision of the key threat attack chain data is effectively improved, and the precision of the related characteristics of the security vulnerability is improved; in addition, the security vulnerability related characteristics of the threat perception event can be automatically analyzed in the whole security vulnerability classification process, and the manual investigation process of the security vulnerability classification is reduced.
For further exemplary design considerations, Process100 is described in detail below with reference to another specific embodiment.
The Process210 obtains a sequence of threat attack activities from the target threat awareness events indicated by the vulnerability fix analysis task.
For some possible design ideas, the vulnerability repair system 100 may first perform threat attack activity analysis on a target threat awareness event indicated by a vulnerability repair analysis task, and output a basic threat attack activity sequence; the sequence of basic threat attack activities includes a plurality of basic threat attack activities, and each basic threat attack activity in the sequence of basic threat attack activities has time window network flow data in a threat attack flow process.
After obtaining the sequence of basic threat attack activities, the vulnerability repair system 100 may extract a number of seed threat attack activities from the sequence of basic threat attack activities based on one or more initial threat attack tracking maps; as referred to herein, a seed threat attack activity refers to a base threat attack activity that exists in one or more initial threat attack tracking maps, i.e., a seed threat attack activity refers to a threat attack activity that exists in both one or more initial threat attack tracking maps and a target threat perception event. For some possible design considerations, the vulnerability fix system 100 may extract a number of seed threat attack activities from a sequence of base threat attack activities directly based on one or more initial threat attack tracking maps; for example, for some possible design considerations, the vulnerability fix system 100 may traverse each of the basic threat attack activities in the basic threat attack activity sequence; matching the currently traversed basic threat attack activity with one or more initial threat attack tracking maps to detect whether the currently traversed basic threat attack activity exists in the one or more initial threat attack tracking maps; and if so, outputting the currently traversed basic threat attack activity as the seed threat attack activity.
Accordingly, when extracting a plurality of seed threat attack activities from the basic threat attack activity sequence based on one or more initial threat attack tracking maps, the vulnerability repair system 100 may first extract, from the basic threat attack activity sequence, the basic threat attack activities whose time window network flow data lie in the target threat attack flow process; the time window network flow data in the target threat attack flow process referred to herein may include at least one of: the attack types that occur, the number of times each attack type occurs, and the probability of each attack type occurring up to the current time window. Then, the vulnerability repair system 100 may extract a plurality of seed threat attack activities from those basic threat attack activities based on one or more initial threat attack tracking maps; the specific implementation is similar to that of the aforementioned step of "extracting a plurality of seed threat attack activities from the basic threat attack activity sequence directly based on one or more initial threat attack tracking maps" and is not described again here.
After extracting the plurality of seed threat attack activities, a threat attack activity sequence (which may be denoted M') of the target threat awareness event may be established from the plurality of seed threat attack activities. For some possible design ideas, the threat attack activity sequence of the target threat perception event can be established directly from the plurality of seed threat attack activities; in this embodiment, the threat attack activities in the threat attack activity sequence are the seed threat attack activities, and the statistical distribution amount of the threat attack activities is equal to the statistical distribution amount of the seed threat attack activities. For other possible design ideas, some seed threat attack activities that are adjacent to each other in the target threat perception event and have a special meaning may exist among the extracted seed threat attack activities; such seed threat attack activities usually occur simultaneously in the initial threat attack tracking graph, and the threat attack activity formed by linking their attack granularities together is of more mining value than any single one of them. For example, seed threat attack activities "L" and "M" would typically occur simultaneously in the initial threat attack tracking graph, and "L + M" is of more mining value than "L" or "M" alone. In this case, the vulnerability repair system 100 may associate the attack granularities of these seed threat attack activities together and output the attack-granularity-associated result as a threat attack activity, so as to improve the accuracy of subsequent identification.
Accordingly, when the vulnerability repair system 100 establishes the threat attack activity sequence of the target threat perception event according to the plurality of seed threat attack activities, it may determine whether seed threat attack activities matching the attack granularity association requirement exist in the plurality of seed threat attack activities; attack granularity association requirements here may include: the threat attack penetration intervals in the target threat awareness event are matched and exist in the same initial threat attack tracking map. If the seed threat attack activities matching the attack granularity association requirement exist in the plurality of seed threat attack activities, performing attack granularity association processing on the seed threat attack activities matching the attack granularity association requirement; and outputting the threat attack activity sequence after the attack granularity association processing and the seed threat attack activity without the attack granularity association processing as threat attack activities to be added into the threat attack activity sequence of the target threat perception event. If the seed threat attack activity matching the attack granularity association requirement does not exist in the plurality of seed threat attack activities, the various seed threat attack activities can be output as threat attack activities and added to a threat attack activity sequence of the target threat perception event.
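The seed extraction and attack granularity association just described can be written as a short procedure over a basic activity sequence and a set of initial tracking maps. The following is an added example and not code from the patent; it assumes that activities are identified by string labels, that an initial threat attack tracking map is a set of such labels, and that "matching threat attack penetration intervals" means the two seeds occupy consecutive positions in the target threat perception event (the page does not define the interval test). The sample sequence and maps are constructed.

```python
from typing import Iterable, List, Sequence, Set, Tuple


def extract_seed_activities(basic_sequence: Sequence[str],
                            tracking_maps: Iterable[Set[str]]) -> List[Tuple[int, str]]:
    """Traverse the basic threat attack activity sequence and keep every activity
    that exists in at least one initial threat attack tracking map, together with
    its position in the target threat perception event."""
    maps = list(tracking_maps)
    return [(pos, act) for pos, act in enumerate(basic_sequence)
            if any(act in tm for tm in maps)]


def in_same_tracking_map(a: str, b: str, tracking_maps: Iterable[Set[str]]) -> bool:
    """Second half of the attack granularity association requirement: both seeds
    exist in the same initial threat attack tracking map."""
    return any(a in tm and b in tm for tm in tracking_maps)


def build_threat_attack_activity_sequence(basic_sequence: Sequence[str],
                                          tracking_maps: Iterable[Set[str]]) -> List[str]:
    """Establish the threat attack activity sequence (M' in the text). Seeds that
    are adjacent in the event (assumed: consecutive positions) and share a
    tracking map are linked into one activity such as "L+M"; every other seed is
    added unchanged. With no matching seeds the result is just the seed list."""
    maps = list(tracking_maps)
    seeds = extract_seed_activities(basic_sequence, maps)
    sequence: List[str] = []
    i = 0
    while i < len(seeds):
        pos, act = seeds[i]
        group = [act]
        # extend the group while the next seed is adjacent and shares a map with the last one
        while (i + 1 < len(seeds)
               and seeds[i + 1][0] == pos + 1
               and in_same_tracking_map(group[-1], seeds[i + 1][1], maps)):
            i += 1
            pos, act = seeds[i]
            group.append(act)
        sequence.append("+".join(group))
        i += 1
    return sequence


if __name__ == "__main__":
    # constructed sample: L and M are adjacent and share a map, B and C are isolated seeds
    sample_maps = [{"L", "M", "C"}, {"B"}]
    print(build_threat_attack_activity_sequence(["L", "M", "X", "B", "Y", "C"], sample_maps))
```

The grouping test is applied between each seed and its predecessor in the group, so a run of three consecutive seeds from one map becomes a single linked activity, while a non-seed activity between two seeds breaks the run even when both seeds appear in the same map.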
The Process220 establishes a threat attack relationship network for the target threat awareness event based on the plurality of threat attack activities.
For example, a basic threat attack relationship network of a target threat awareness event may be established first according to a number of threat attack activities; the basic threat attack relationship network comprises a plurality of network members, and each network member maps a threat attack activity. Second, a combination of at least one pair of coordinated threat attack activity instances, which is a combination of two threat attack activity instances having threat attack coordination behavior in the presence of a targeted threat awareness event, may be selected from a number of threat attack activities. One or more sub-networks of network members may then be determined from the underlying threat attack relationship network based on the combination of the at least one pair of synergistic threat attack activity instances, any of which may include: two network members of two threat attack activities in a combination of a pair of coordinated threat attack activity instances are recorded, respectively. Then, two network members in each network member sub-network can be respectively connected in the basic threat attack relationship network, and the threat attack relationship network of the target threat perception event is output.
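The construction of the threat attack relationship network from the basic network and the combinations of coordinated activity instances, as an added example that is not part of the patent. It assumes activities are string labels and that each coordinated pair is an unordered two-tuple; self-pairs, duplicate pairs and pairs naming an activity that is not a network member are ignored, which is an assumption of this example rather than something the page states.

```python
from typing import Dict, Iterable, List, Set, Tuple


def build_threat_attack_relationship_network(
        activities: Iterable[str],
        coordinated_pairs: Iterable[Tuple[str, str]]
) -> Tuple[Dict[str, Set[str]], List[Tuple[str, str]]]:
    """Basic network: one member per activity, no connections. Every combination
    of a pair of coordinated threat attack activity instances yields a network
    member sub-network of two members, which are then connected in the network.
    Returns the connected network (adjacency sets) and the list of sub-networks."""
    network: Dict[str, Set[str]] = {a: set() for a in activities}
    subnetworks: List[Tuple[str, str]] = []
    for a, b in coordinated_pairs:
        # assumption: skip self-pairs, unknown members and pairs already connected
        if a == b or a not in network or b not in network or b in network[a]:
            continue
        network[a].add(b)
        network[b].add(a)
        subnetworks.append((a, b))
    return network, subnetworks


def associated_members(network: Dict[str, Set[str]], member: str) -> List[str]:
    """Members having a network connection relationship with `member`; these are
    the associated network members used when computing participation degrees."""
    return sorted(network.get(member, set()))


if __name__ == "__main__":
    # constructed sample: four activities, two genuine coordinated pairs plus noise
    net, subs = build_threat_attack_relationship_network(
        ["L", "M", "B", "C"],
        [("L", "M"), ("L", "B"), ("M", "L"), ("C", "C"), ("B", "Z")])
    print(net, subs, associated_members(net, "L"))
```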
The Process230 generates threat attack participation of the threat attack activity mapped by each network member according to the threat attack coordination information among the network members in the threat attack relationship network.
The Process240 selects a number of threat awareness intelligence for the target threat awareness event from the sequence of threat attack activities based on the threat attack engagement of each threat attack activity.
For some possible design ideas, the vulnerability repair system 100 may select, from the threat attack activity sequence, the threat attack activities in a preset order interval of the sequence sorted by magnitude of threat attack participation degree, and output them as the plurality of threat perception intelligence of the target threat perception event. For other possible design considerations, the vulnerability repair system 100 may select the threat attack activities whose threat attack participation degree is greater than a preset participation degree from the threat attack activity sequence and output them as the plurality of threat perception intelligence of the target threat perception event. The threat perception intelligence includes one or more key threat attack chain data. For convenience of description, the following takes as an example the case in which the plurality of threat perception intelligence is the threat attack activities of a preset order interval selected from the threat attack activity sequence.
The Process250 selects the key threat attack chain data with the largest threat attack participation degree from the one or more key threat attack chain data and outputs the key threat attack chain data as the key threat attack chain data of the target threat perception event.
The Process260 establishes vulnerability classification characteristics of the target threat perception event according to the threat attack path variable of the key threat attack chain data, and the vulnerability classification characteristics represent security vulnerability related characteristics of the security protection process corresponding to the target threat perception event.
For some possible design ideas, the vulnerability fix system 100 may first invoke a threat attack path variable generation model to extract threat attack path variables of the key threat attack chain data. For some possible design ideas, the threat attack path variable of the threat attack activity may be determined by combining forward path data and backward path data of the threat attack activity, or may be determined by combining functions of the threat attack activity in different dimensions, so that the threat attack activity may have the same threat attack path variable in different dimensions, which is not limited specifically.
After the threat attack path variable of the key threat attack chain data is obtained, vulnerability classification characteristics of the target threat perception event can be established according to the threat attack path variable of the key threat attack chain data. For some possible design ideas, derived threat attack chain data corresponding to the key threat attack chain data can be obtained from the threat attack activity sequence; the so-called derived threat attack chain data conforms to the following characteristics: in the threat attack relationship network, a derived attack feature relationship exists between a network member used for associating derived threat attack chain data and a network member used for associating key threat attack chain data. Secondly, threat attack path variables of the key threat attack chain data and threat attack path variables of the derived threat attack chain data can be extracted. And then, a threat attack path variable of the key threat attack chain data and a threat attack path variable of the derived threat attack chain data can be aggregated, and vulnerability classification characteristics of the target threat perception event are output.
The Process270 obtains the threat attack path variable of each threat perception intelligence, and determines the matching degree between the threat attack path variable of each threat perception intelligence and the vulnerability classification characteristic.
The Process280 selects vulnerability foundation intelligence of the target threat perception event from the plurality of threat perception intelligence based on the matching degree between the threat attack path variable of each threat perception intelligence and the vulnerability classification characteristic.
The Process290 performs relevance configuration on the target threat awareness event and the vulnerability basic intelligence.
In a specific implementation, after the vulnerability repair system 100 has selected the vulnerability foundation intelligence of the target threat awareness event through Process210 to Process280, the target threat awareness event and the vulnerability foundation intelligence can be configured in a correlated manner.
The vulnerability classification features mentioned above are the overall AI decision features (i.e., the main AI decision features) of the target threat awareness event, and the security vulnerability related features are threat awareness intelligence features of the target threat awareness event. In an alternative embodiment, when several key threat attack chain data are obtained from the target threat awareness event, this indicates that the target threat awareness event has several threat scenario variables. In this case, the vulnerability repair system 100 may also select, from the one or more key threat attack chain data, further key threat attack chain data whose threat attack participation is less than that of the key threat attack chain data selected in Process250. Secondly, an AI decision characteristic of the threat perception situation of the target threat perception event (namely a non-essential AI decision characteristic) can be established according to the threat attack path variable of this further key threat attack chain data; the AI decision characteristic of the threat perception situation represents the threat situation variable of the threat perception situation of the target threat perception event. Then, the target threat awareness event, the vulnerability classification characteristic, and the AI decision characteristic of the threat awareness situation may be loaded into an attack penetration evaluation program, so that when an attack penetration evaluation instruction is responded to, attack penetration evaluation processing may be performed based on the vulnerability classification characteristic and the AI decision characteristic of the threat awareness situation.
For some possible design ideas, the vulnerability repair system 100 may further calculate the overall AI decision characteristics of other threat perception events and the AI decision characteristics of the threat perception situation according to the above method steps, and associate each calculated AI decision characteristic to the attack penetration evaluation program; that is, the attack penetration evaluation program further includes one or more other threat awareness events, and each other threat awareness event has a corresponding overall AI decision characteristic and a corresponding AI decision characteristic of the threat awareness situation. When the attack penetration evaluation instruction is responded, the vulnerability repair system 100 can obtain the attack penetration evaluation characteristics of the attack penetration evaluation information carried by the attack penetration evaluation instruction. Secondly, each threat awareness event in the attack penetration evaluation program and one or more AI decision characteristics of each threat awareness event can be obtained, each threat awareness event has a risk impact parameter, and the one or more AI decision characteristics of each threat awareness event include an overall AI decision characteristic of each threat awareness event and an AI decision characteristic of a threat awareness situation. Then, the matching degree between each AI decision characteristic and the attack penetration evaluation characteristic of each threat awareness event can be respectively calculated, and the risk influence parameters of each threat awareness event are optimized based on the matching degree. 
For some possible design considerations, for any threat awareness event, the AI decision feature with the highest matching degree may be determined from the one or more AI decision features of any threat awareness event based on the matching degree between each AI decision feature of any threat awareness event and the attack penetration evaluation feature. If the AI decision characteristic with the maximum matching degree is the integral AI decision characteristic of any threat perception event, the risk influence parameter of any threat perception event can be improved so as to update the risk influence parameter of any threat perception event; if the AI decision characteristic with the maximum matching degree is the AI decision characteristic of the threat perception situation of any threat perception event, the risk influence parameters of any threat perception event can be reduced so as to update the risk influence parameters of any threat perception event.
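The feature aggregation of Process260 (key plus derived threat attack path variables), the matching degree of Process270, and the risk impact parameter update just described all operate on the same feature vectors, so one added example covers them; it is not code from the patent. It assumes path variables and AI decision features are equal-length numeric vectors, uses an element-wise mean as the aggregation and cosine similarity as the matching degree (the page fixes neither), applies a constant step to the risk impact parameter, clamps it to [0, 1], and breaks ties in favour of the overall AI decision feature. All sample vectors and risk values are constructed.

```python
import math
from typing import Dict, List, Sequence

Vector = Sequence[float]


def aggregate_path_variables(key_variable: Vector, derived_variables: Sequence[Vector]) -> List[float]:
    """Vulnerability classification feature: element-wise mean of the key chain
    data's path variable and its derived chain data's path variables
    (mean is an assumed aggregation)."""
    vectors = [list(key_variable)] + [list(v) for v in derived_variables]
    dim = len(vectors[0])
    if any(len(v) != dim for v in vectors):
        raise ValueError("path variables must have the same dimension")
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(dim)]


def matching_degree(a: Vector, b: Vector) -> float:
    """Cosine similarity used as the matching degree (assumed measure); a zero
    vector matches nothing rather than raising a division error."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return 0.0 if na == 0 or nb == 0 else dot / (na * nb)


def update_risk_impact_parameters(events: Dict[str, dict],
                                  evaluation_feature: Vector,
                                  step: float = 0.1) -> Dict[str, float]:
    """For each threat awareness event compare its overall (main) and threat
    awareness situation (non-essential) AI decision features with the attack
    penetration evaluation feature. If the overall feature matches best the risk
    impact parameter is raised, otherwise it is lowered. Step size, clamping to
    [0, 1] and tie-breaking toward the overall feature are assumptions."""
    updated: Dict[str, float] = {}
    for name, ev in events.items():
        m_overall = matching_degree(ev["overall"], evaluation_feature)
        m_situation = matching_degree(ev["situation"], evaluation_feature)
        if m_overall >= m_situation:
            updated[name] = min(1.0, ev["risk"] + step)
        else:
            updated[name] = max(0.0, ev["risk"] - step)
    return updated


if __name__ == "__main__":
    # constructed: the overall feature of E1 is built from a key variable and two derived ones
    overall_e1 = aggregate_path_variables([1.0, 0.0], [[1.0, 0.2], [1.0, 0.1]])
    sample_events = {
        "E1": {"risk": 0.5, "overall": overall_e1, "situation": [0.0, 1.0]},
        "E2": {"risk": 0.5, "overall": [0.0, 1.0], "situation": [1.0, 0.0]},
    }
    print(update_risk_impact_parameters(sample_events, [1.0, 0.1]))
```

Because the decision compares the two matching degrees for the same event, only their relative order matters; scaling the evaluation feature does not change which events are raised or lowered.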
According to the method and the device, aiming at the target threat perception event indicated by the vulnerability repair analysis task, a plurality of threat attack activities can be obtained from the target threat perception event, and a threat attack relationship network of the target threat perception event is established according to the threat attack activities. Because threat attack activities mapped by network members with network connection relations in the threat attack relation network have threat attack cooperative behaviors in a target threat perception event, the more threat attack activities with the threat attack cooperative behaviors, the more risk exists; therefore, the threat attack participation degree of the threat attack activity mapped by each network member can be more accurately determined according to the threat attack cooperative information among the network members in the threat attack relationship network. And then, selecting key threat attack chain data of the target threat perception event from the threat attack activity sequence based on the threat attack participation of each threat attack activity, and establishing vulnerability classification characteristics representing security vulnerability relevant characteristics of a security protection process corresponding to the target threat perception event according to threat attack path variables of the key threat attack chain data. Therefore, the accuracy of the key threat attack chain data can be effectively improved by improving the accuracy of the threat attack participation degree of each threat attack activity, so that the accuracy of the related characteristics of the security vulnerability is improved; in addition, the security vulnerability related characteristics of the threat perception event can be automatically analyzed in the whole security vulnerability classification process, and the manual investigation process of the security vulnerability classification is reduced.
For some possible design considerations, the present application also provides that, in some embodiments, the vulnerability repair system 100 may include a processor 110, a machine-readable storage medium 120, a bus 130, and a communication unit 140.
The processor 110 may perform various suitable actions and processes based on a program stored in the machine-readable storage medium 120, such as program instructions related to the vulnerability fix methods for large data security vulnerability mining described in the foregoing embodiments. The processor 110, the machine-readable storage medium 120, and the communication unit 140 perform signal transmission through the bus 130.
In particular, the processes described in the above exemplary flow diagrams may be implemented as computer software programs, according to embodiments of the present invention. For example, embodiments of the invention include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication unit 140, and when executed by the processor 110, performs the above-described functions defined in the methods of the embodiments of the present invention.
Yet another embodiment of the present invention further provides a computer-readable storage medium, in which computer-executable instructions are stored, and when the computer-executable instructions are executed by a processor, the computer-readable storage medium is configured to implement the vulnerability fixing method for big data security vulnerability mining according to any of the above embodiments.
Yet another embodiment of the present invention further provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program implements the vulnerability fixing method for big data security vulnerability mining according to any of the above embodiments.
It should be understood that although each operation step is indicated by an arrow in the flowchart of the embodiment of the present invention, the implementation order of the steps is not limited to the order indicated by the arrow. In some implementation scenarios of embodiments of the present invention, the implementation steps in the flowcharts may be performed in other sequences as desired, unless explicitly stated otherwise herein. In addition, some or all of the steps in each flowchart may include multiple sub-steps or multiple stages based on an actual implementation scenario. Some or all of these sub-steps or stages may be performed at the same time, or each of these sub-steps or stages may be performed at different times, respectively. In a scenario where the execution time is different, the execution sequence of the sub-steps or phases may be flexibly configured according to requirements, which is not limited in the embodiment of the present invention.
The foregoing is only an alternative embodiment of a part of implementation scenarios of the present invention, and it should be noted that, for those skilled in the art, other similar implementation means based on the technical idea of the present invention are also within the protection scope of the embodiment of the present invention without departing from the technical idea of the present invention.

Claims (10)

1. A vulnerability repair method aiming at big data security vulnerability mining is characterized by being applied to a vulnerability repair system, and comprises the following steps:
obtaining a threat attack activity sequence from a target threat perception event indicated by a vulnerability repair analysis task of the threat perception server, and determining reference security vulnerability distribution of a security protection process corresponding to the target threat perception event based on the threat attack activity sequence;
and performing vulnerability repair on the safety protection process and the shared safety protection process corresponding to the safety protection process based on the reference safety vulnerability distribution of the safety protection process corresponding to the target threat perception event.
2. The vulnerability repair method for big data security vulnerability mining according to claim 1, wherein the step of obtaining a threat attack activity sequence from a target threat perception event indicated by a vulnerability repair analysis task of the threat perception server, and determining a reference security vulnerability distribution of the security protection process corresponding to the target threat perception event based on the threat attack activity sequence, comprises:
obtaining the threat attack activity sequence from the target threat perception event indicated by the vulnerability repair analysis task of the threat perception server, wherein the threat attack activity sequence comprises a plurality of threat attack activities, and the threat attack activities carry threat attack chain data;
establishing a threat attack relationship network of the target threat perception event according to the plurality of threat attack activities, wherein the threat attack relationship network comprises a plurality of network members; each network member maps one threat attack activity, and the threat attack activities mapped by any two network members that have a network connection relationship exhibit threat attack cooperative behavior in the target threat perception event;
generating a threat attack participation degree for the threat attack activity mapped by each network member according to the threat attack cooperative information among the network members in the threat attack relationship network;
selecting key threat attack chain data of the target threat perception event from the threat attack activity sequence based on the threat attack participation degree of each threat attack activity, establishing vulnerability classification characteristics of the target threat perception event according to the threat attack path variables of the key threat attack chain data, loading the vulnerability classification characteristics into a security vulnerability classification model, and determining the reference security vulnerability distribution of the security protection process corresponding to the target threat perception event, wherein the vulnerability classification characteristics represent the security-vulnerability-related characteristics of the security protection process corresponding to the target threat perception event.
3. The vulnerability repair method for big data security vulnerability mining according to claim 2, wherein the step of establishing vulnerability classification characteristics of the target threat perception event according to the threat attack path variables of the key threat attack chain data specifically comprises:
obtaining derived threat attack chain data corresponding to the key threat attack chain data from the threat attack activity sequence, wherein the derived threat attack chain data satisfies the following condition: in the threat attack relationship network, a derivative attack characteristic relationship exists between the network member associated with the derived threat attack chain data and the network member associated with the key threat attack chain data;
extracting the threat attack path variables of the key threat attack chain data and the threat attack path variables of the derived threat attack chain data;
and aggregating the threat attack path variables of the key threat attack chain data with the threat attack path variables of the derived threat attack chain data, and outputting the vulnerability classification characteristics of the target threat perception event.
4. The vulnerability repair method for big data security vulnerability mining according to claim 2 or 3, wherein the step of selecting key threat attack chain data of the target threat perception event from the threat attack activity sequence based on the threat attack participation degree of each threat attack activity specifically comprises:
ordering the threat attack activities by threat attack participation degree and selecting, from the threat attack activity sequence, the threat attack activities that fall within a preset rank interval, and outputting them as a plurality of threat perception intelligence items of the target threat perception event; or selecting, from the threat attack activity sequence, the threat attack activities whose threat attack participation degree is greater than a preset participation degree, and outputting them as a plurality of threat perception intelligence items of the target threat perception event, wherein the threat perception intelligence items comprise one or more items of key threat attack chain data;
and selecting, from the one or more items of key threat attack chain data, the item with the maximum threat attack participation degree, and outputting it as the key threat attack chain data of the target threat perception event.
5. The vulnerability repair method for big data security vulnerability mining according to claim 4, wherein the method further comprises:
obtaining the threat attack path variables of each threat perception intelligence item, and determining the matching degree between the threat attack path variables of each threat perception intelligence item and the vulnerability classification characteristics;
selecting vulnerability basic intelligence of the target threat perception event from the plurality of threat perception intelligence items based on the matching degree between the threat attack path variables of each threat perception intelligence item and the vulnerability classification characteristics, wherein the matching degree between the threat attack path variables of the vulnerability basic intelligence and the vulnerability classification characteristics is greater than a set matching degree;
and configuring an association between the target threat perception event and the vulnerability basic intelligence, so that security vulnerability analysis is performed on the target threat perception event based on the vulnerability basic intelligence.
6. The vulnerability repair method for big data security vulnerability mining according to claim 4, wherein the vulnerability classification characteristic is the overall AI decision characteristic of the target threat perception event, and the security-vulnerability-related characteristic is the threat perception intelligence characteristic of the target threat perception event; the method further comprises the following steps:
selecting further key threat attack chain data of the target threat perception event from the one or more items of key threat attack chain data, wherein the threat attack participation degree of the further key threat attack chain data is smaller than that of the key threat attack chain data;
establishing the AI decision characteristic of the threat perception situation of the target threat perception event according to the threat attack path variables of the further key threat attack chain data, wherein the AI decision characteristic of the threat perception situation of the target threat perception event represents the threat situation variables of the threat perception situation of the target threat perception event;
loading the target threat perception event, the vulnerability classification characteristic and the AI decision characteristic of the threat perception situation into an attack penetration evaluation program, so that attack penetration evaluation processing is performed based on the vulnerability classification characteristic and the AI decision characteristic of the threat perception situation when an attack penetration evaluation instruction is responded to;
wherein the attack penetration evaluation program further comprises one or more other threat perception events, and each other threat perception event has a corresponding overall AI decision characteristic and an AI decision characteristic of a corresponding threat perception situation; the method further comprises the following steps:
when an attack penetration evaluation instruction is responded to, acquiring the attack penetration evaluation characteristic of the attack penetration evaluation information carried by the attack penetration evaluation instruction;
acquiring each threat perception event in the attack penetration evaluation program and the one or more AI decision characteristics of each threat perception event, wherein each threat perception event has a risk influence parameter, and the one or more AI decision characteristics of each threat perception event comprise the overall AI decision characteristic of that threat perception event and the AI decision characteristic of its threat perception situation;
calculating the matching degree between each AI decision characteristic of each threat perception event and the attack penetration evaluation characteristic, and optimizing the risk influence parameter of each threat perception event based on the matching degree;
sorting the threat perception events in descending order according to their optimized risk influence parameters;
and selecting the threat perception event in the first position and outputting it as the threat perception event to be further mined;
wherein the step of optimizing the risk influence parameter of each threat perception event based on the matching degree specifically comprises:
for any threat perception event, determining, from the one or more AI decision characteristics of that threat perception event, the AI decision characteristic with the highest matching degree, based on the matching degree between each AI decision characteristic of that threat perception event and the attack penetration evaluation characteristic;
if the AI decision characteristic with the highest matching degree is the overall AI decision characteristic of that threat perception event, increasing the risk influence parameter of that threat perception event;
and if the AI decision characteristic with the highest matching degree is the AI decision characteristic of the threat perception situation of that threat perception event, decreasing the risk influence parameter of that threat perception event.
7. The vulnerability repair method for big data security vulnerability mining according to claim 2 or 3, wherein the step of establishing the threat attack relationship network of the target threat perception event according to the plurality of threat attack activities specifically comprises:
establishing a basic threat attack relationship network of the target threat perception event according to the plurality of threat attack activities, wherein the basic threat attack relationship network comprises a plurality of network members, and each network member maps one threat attack activity;
selecting at least one pair of coordinated threat attack activity instances from the plurality of threat attack activities, a pair of coordinated threat attack activity instances being a combination of two threat attack activities that exhibit threat attack cooperative behavior in the target threat perception event;
determining one or more network member sub-networks from the basic threat attack relationship network based on the at least one pair of coordinated threat attack activity instances, wherein any network member sub-network comprises:
the two network members that respectively record the two threat attack activities of one pair of coordinated threat attack activity instances;
connecting the two network members of each network member sub-network in the basic threat attack relationship network, and outputting the result as the threat attack relationship network of the target threat perception event;
wherein the step of selecting at least one pair of coordinated threat attack activity instances from the plurality of threat attack activities specifically comprises:
determining a first threat attack penetration interval of a first threat attack activity in the target threat perception event, the first threat attack activity being any threat attack activity among the plurality of threat attack activities;
acquiring a second threat attack activity from the plurality of threat attack activities based on the first threat attack penetration interval of the first threat attack activity, wherein the intersection proportion between the second threat attack penetration interval of the second threat attack activity in the target threat perception event and the first threat attack penetration interval is greater than a set proportion;
calculating a defense time-space domain correlation parameter between the first threat attack activity and the second threat attack activity, wherein the defense time-space domain correlation parameter represents the defense time-space domain matching degree between the first threat attack activity and the second threat attack activity;
and if the defense time-space domain correlation parameter between the first threat attack activity and the second threat attack activity is greater than a preset correlation parameter value, determining that the first threat attack activity and the second threat attack activity exhibit threat attack cooperative behavior in the target threat perception event, and establishing a pair of coordinated threat attack activity instances from the first threat attack activity and the second threat attack activity.
8. The vulnerability repair method for big data security vulnerability mining according to claim 2 or 3, wherein the step of generating the threat attack participation degree of the threat attack activity mapped by each network member according to the threat attack cooperative information among the network members in the threat attack relationship network specifically comprises:
for the threat attack activity mapped by any network member, determining one or more associated network members that have a network connection relationship with that network member according to the threat attack cooperative information among the network members in the threat attack relationship network;
calculating the defense time-space domain correlation parameter between the threat attack activity mapped by that network member and the threat attack activity mapped by each associated network member;
and determining the threat attack participation degree of the threat attack activity mapped by that network member based on the defense time-space domain correlation parameters and the threat attack participation degrees of the threat attack activities mapped by the associated network members.
9. The vulnerability repair method for big data security vulnerability mining according to claim 2 or 3, wherein the step of obtaining a threat attack activity sequence from a target threat perception event indicated by a vulnerability repair analysis task of the threat perception server specifically comprises:
performing threat attack activity analysis on the target threat perception event indicated by the vulnerability repair analysis task, and outputting a basic threat attack activity sequence, wherein the basic threat attack activity sequence comprises a plurality of basic threat attack activities;
extracting a plurality of seed threat attack activities from the basic threat attack activity sequence based on one or more initial threat attack tracking maps, the seed threat attack activities being basic threat attack activities that are present in the one or more initial threat attack tracking maps;
establishing the threat attack activity sequence of the target threat perception event according to the plurality of seed threat attack activities;
wherein each basic threat attack activity in the basic threat attack activity sequence has time-window network flow data in a threat attack flow process; and the step of extracting a plurality of seed threat attack activities from the basic threat attack activity sequence based on one or more initial threat attack tracking maps specifically comprises:
extracting, from the basic threat attack activity sequence, the basic threat attack activities whose time-window network flow data belong to a target threat attack flow process, wherein the time-window network flow data in the target threat attack flow process comprise at least one of the following: the attack types present, the frequency of each attack type, and the probability of each attack type up to the current time window;
extracting the plurality of seed threat attack activities from the basic threat attack activities whose time-window network flow data belong to the target threat attack flow process, based on the one or more initial threat attack tracking maps;
wherein the step of establishing the threat attack activity sequence of the target threat perception event according to the seed threat attack activities specifically comprises:
if seed threat attack activities that match the attack granularity association requirement exist among the plurality of seed threat attack activities, performing attack granularity association processing on the seed threat attack activities that match the attack granularity association requirement;
outputting the threat attack activity sequence obtained after the attack granularity association processing, together with the seed threat attack activities not subjected to attack granularity association processing, as the threat attack activities to be added to the threat attack activity sequence of the target threat perception event;
and if no seed threat attack activity matching the attack granularity association requirement exists among the plurality of seed threat attack activities, outputting all the seed threat attack activities as the threat attack activities to be added to the threat attack activity sequence of the target threat perception event, wherein the attack granularity association requirement comprises: the threat attack penetration intervals in the target threat perception event match, and the activities are present in the same initial threat attack tracking map.
10. A vulnerability repair system, comprising a processor and a machine-readable storage medium having stored thereon executable code which, when executed by the processor, causes the processor to perform the vulnerability repair method for big data security vulnerability mining according to any one of claims 1 to 9.
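Claims 7, 8 and 4 together describe one pipeline: gate candidate activity pairs by penetration-interval overlap and defense time-space correlation, propagate participation degree over the resulting network, then pick the key threat attack chain data. The Python below is an added illustration, not code from the patent; it assumes a concrete definition for each quantity the claims leave open (intersection proportion measured relative to the first activity, cosine similarity standing in for the defense time-space domain correlation parameter, correlation-weighted PageRank-style propagation for participation degree) and runs on a constructed five-activity event.

```python
import math
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple

Network = Dict[str, Dict[str, float]]  # member id -> {connected member id: correlation}


@dataclass(frozen=True)
class ThreatActivity:
    """One threat attack activity: penetration interval plus a defense-side
    time-space feature vector (constructed representation, not the patent's)."""
    activity_id: str
    start: float
    end: float
    features: Tuple[float, ...]


def intersection_proportion(first: ThreatActivity, second: ThreatActivity) -> float:
    """Share of the first activity's penetration interval covered by the second
    (assumption: the proportion is measured relative to the first activity)."""
    overlap = max(0.0, min(first.end, second.end) - max(first.start, second.start))
    length = first.end - first.start
    return overlap / length if length > 0 else 0.0


def defense_correlation(a: ThreatActivity, b: ThreatActivity) -> float:
    """Cosine similarity of the feature vectors, standing in for the claims'
    'defense time-space domain correlation parameter' (assumed definition)."""
    dot = sum(x * y for x, y in zip(a.features, b.features))
    norm_a = math.sqrt(sum(x * x for x in a.features))
    norm_b = math.sqrt(sum(y * y for y in b.features))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def build_relationship_network(activities: List[ThreatActivity], set_proportion: float = 0.3,
                               preset_correlation: float = 0.8) -> Network:
    """Claim 7: connect two members only if their penetration intervals overlap by
    more than set_proportion AND their defense correlation exceeds preset_correlation."""
    network: Network = {a.activity_id: {} for a in activities}
    for first, second in combinations(activities, 2):
        if intersection_proportion(first, second) <= set_proportion:
            continue  # interval gate fails: not a candidate pair
        corr = defense_correlation(first, second)
        if corr > preset_correlation:  # correlation gate: cooperative behavior
            network[first.activity_id][second.activity_id] = corr
            network[second.activity_id][first.activity_id] = corr
    return network


def participation_degrees(network: Network, damping: float = 0.85, iterations: int = 50) -> Dict[str, float]:
    """Claim 8: a member's participation derives from the correlation with each connected
    member and that member's own participation (assumed: weighted PageRank-style propagation)."""
    scores = {member: 1.0 for member in network}
    for _ in range(iterations):
        updated = {}
        for member, links in network.items():
            inflow = sum(corr / sum(network[nb].values()) * scores[nb] for nb, corr in links.items())
            updated[member] = (1.0 - damping) + damping * inflow
        scores = updated
    return scores


def select_key_chain(activities: List[ThreatActivity], degrees: Dict[str, float],
                     top_k: Optional[int] = None, preset_degree: float = 0.0) -> Optional[str]:
    """Claim 4: shortlist by rank interval (top_k) or by threshold (preset_degree), then
    return the shortlisted activity with the highest participation degree."""
    ranked = sorted(activities, key=lambda a: degrees[a.activity_id], reverse=True)
    shortlist = ranked[:top_k] if top_k is not None else [a for a in ranked if degrees[a.activity_id] > preset_degree]
    return shortlist[0].activity_id if shortlist else None


# Constructed sample event: A1-A2-A3 form a coordinated chain, A4 overlaps in time
# but is uncorrelated on the defense side, A5 lies outside every other interval.
SAMPLE_ACTIVITIES = [
    ThreatActivity("A1", 0.0, 10.0, (1.0, 0.0, 0.0)),
    ThreatActivity("A2", 5.0, 15.0, (1.0, 0.1, 0.0)),
    ThreatActivity("A3", 8.0, 12.0, (1.0, 0.0, 0.2)),
    ThreatActivity("A4", 6.0, 14.0, (0.0, 1.0, 0.0)),
    ThreatActivity("A5", 30.0, 40.0, (1.0, 0.0, 0.0)),
]


def analyse_sample_event() -> Optional[str]:
    """Runs the three steps on the constructed event and returns the key chain id."""
    network = build_relationship_network(SAMPLE_ACTIVITIES)
    return select_key_chain(SAMPLE_ACTIVITIES, participation_degrees(network), top_k=3)


if __name__ == "__main__":
    print("key threat attack chain data:", analyse_sample_event())
```

On the sample event only A1-A2 and A2-A3 pass both gates, so A2 (the member connected to both ends of the chain) gets the highest participation degree and is selected; A4 shows the correlation gate rejecting a merely co-temporal activity, A5 the interval gate.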
CN202210785740.5A 2022-07-06 2022-07-06 Vulnerability restoration method and vulnerability restoration system aiming at big data security vulnerability mining Active CN115001849B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210785740.5A CN115001849B (en) 2022-07-06 2022-07-06 Vulnerability restoration method and vulnerability restoration system aiming at big data security vulnerability mining

Publications (2)

Publication Number Publication Date
CN115001849A true CN115001849A (en) 2022-09-02
CN115001849B CN115001849B (en) 2023-11-10

Family

ID=83020815

Country Status (1)

Country Link
CN (1) CN115001849B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116094850A (en) * 2023-04-11 2023-05-09 清华大学 Network protocol vulnerability detection method and system based on system state tracking graph guidance

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107526971A (en) * 2017-09-28 2017-12-29 北京计算机技术及应用研究所 Vulnerability discovery method based on a vulnerability association distribution model
US20180137288A1 (en) * 2016-11-15 2018-05-17 ERPScan B.V. System and method for modeling security threats to prioritize threat remediation scheduling
WO2018177210A1 (en) * 2017-03-27 2018-10-04 新华三技术有限公司 Defense against apt attack
CN108985068A (en) * 2018-06-26 2018-12-11 广东电网有限责任公司信息中心 Method and system for rapid vulnerability sensing, locating and verification
CN113688400A (en) * 2021-08-31 2021-11-23 杨馨 Object output method based on big data vulnerability mining and big data mining system
CN114095273A (en) * 2021-12-06 2022-02-25 青岛力口互联网科技有限公司 Deep learning-based internet vulnerability mining method and big data mining system
CN114584361A (en) * 2022-02-28 2022-06-03 苏春影 Security vulnerability analysis method based on deep learning and big data and cloud computing system
CN114584360A (en) * 2022-02-28 2022-06-03 苏春影 Internet vulnerability optimization method based on big data mining and deep learning cloud system
US20220191230A1 (en) * 2020-12-11 2022-06-16 DeepSurface Security, Inc. Diagnosing and managing network vulnerabilities

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
管磊; 胡光俊; 王专: "Research on network security situation awareness technology based on big data" *

Also Published As

Publication number Publication date
CN115001849B (en) 2023-11-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20230508
Address after: 657000 No. 19, changwan group, tielu village committee, Yanyuan Township, Zhenxiong County, Zhaotong City, Yunnan Province
Applicant after: Wang Guozheng
Address before: 250000 No. 5 Jiao Tong Road, Tianqiao District, Shandong, Ji'nan
Applicant before: Jinan Lutong Huiyuan Electronic Technology Co.,Ltd.
TA01 Transfer of patent application right
Effective date of registration: 20231020
Address after: 443000 Rooms 1-9, Floor 3, Building 12, No. 35, Zhongnan Road, Wujiagang District, Yichang, Hubei Province
Applicant after: Hubei Jifang Technology Co.,Ltd.
Address before: 657000 No. 19, changwan group, tielu village committee, Yanyuan Township, Zhenxiong County, Zhaotong City, Yunnan Province
Applicant before: Wang Guozheng
GR01 Patent grant