Description of the embodiments
The architecture of the vulnerability restoration system for big data security vulnerability mining provided by the embodiment of the invention is described below. The vulnerability restoration system for big data security vulnerability mining can comprise a vulnerability restoration system and a threat perception server in communication connection with it. The vulnerability restoration system and the threat perception server cooperate to execute the vulnerability restoration method for big data security vulnerability mining described in the following method embodiments; the specific execution steps of the vulnerability restoration system and of the threat perception server are described in part in those method embodiments.
The vulnerability restoration method for big data security vulnerability discovery provided by the embodiment can be executed by the vulnerability restoration system and is described in detail below with reference to fig. 1.
Process100: obtain a threat attack activity sequence from the target threat perception event indicated by the vulnerability restoration analysis task of the threat perception server, and determine a reference security vulnerability distribution of the security protection process corresponding to the target threat perception event based on the threat attack activity sequence.
Process200: perform vulnerability restoration on the security protection process, and on the shared security protection processes corresponding to it, based on the reference security vulnerability distribution of the security protection process corresponding to the target threat perception event.
For example, after the reference security vulnerability distribution is obtained, a shared vulnerability repair instruction corresponding to that distribution may be extracted from a pre-designated shared vulnerability repair instruction library, and vulnerability repair may be performed on the security protection process and its corresponding shared security protection processes based on the shared vulnerability repair instruction. When no shared vulnerability repair instruction corresponding to the reference security vulnerability distribution can be extracted from the pre-designated library, the vulnerability positioning feature points corresponding to the reference security vulnerability distribution (such as the process code position of each reference security vulnerability during operation of the security protection process) are output to the developer terminal, so as to prompt the developer terminal to perform a targeted repair.
With this technical scheme, the threat attack activity sequence is obtained from the target threat perception event indicated by the vulnerability restoration analysis task of the threat perception server, and the reference security vulnerability distribution of the security protection process corresponding to the target threat perception event is determined from that sequence; the security protection process and its corresponding shared security protection processes are then repaired based on that reference security vulnerability distribution. Security vulnerabilities are therefore mined with a single target threat perception event as the unit, and a unified vulnerability restoration of a plurality of shared security protection processes is performed. Compared with the approach in the related art of performing vulnerability analysis and restoration on a global threat perception event, this provides a more efficient and more localized vulnerability restoration scheme.
For some exemplary design considerations, the Process100 is described in detail below in connection with specific embodiments.
Process110: obtain a threat attack activity sequence from the target threat awareness event indicated by the vulnerability restoration analysis task.
Any threat awareness event typically includes a large number of threat attack activities, which may include one or several pieces of threat attack chain data; threat attack chain data refers to the path data formed by the threat attack nodes traversed during a threat attack process.
The threat attack activities describe the attack behavior information related to a threat awareness event, and the security vulnerability related features of the threat awareness event are used to decide on the main attack behavior features related to that event; there is therefore a correlation between the threat attack activities in a threat awareness event and its security vulnerability related features. The security vulnerability related features of a threat awareness event can accordingly be determined from the threat attack activities it includes. For example, in response to a mining request for threat scenario variables regarding a target threat awareness event, the vulnerability remediation system may obtain the target threat awareness event indicated by the vulnerability remediation analysis task, and a threat attack activity sequence may then be obtained from that event; the sequence includes several threat attack activities, and the threat attack chain data is covered by those activities. For some possible design ideas, the vulnerability restoration system can analyze the threat attack activities of the target threat perception event, and match the basic threat attack activity sequence obtained by that analysis against a time window network flow database of one or more threat attack processes, so as to obtain the basic threat attack activities of the basic sequence that are located in one or more initial threat attack tracking patterns. Then, based on the basic threat attack activities obtained by matching, the threat attack activities in the target threat perception event are determined, so that the threat attack activity sequence of the target threat perception event is established.
Process120: establish a threat attack relationship network for the target threat awareness event according to the plurality of threat attack activities.
For some possible design ideas, the threat attack relationship network of a target threat awareness event may include several network members; each network member maps one threat attack activity, and the threat attack activities mapped by two network members that have a network connection relationship have threat attack cooperative behavior in the target threat perception event. In other words, two threat attack activities that have threat attack cooperative behavior in the target threat awareness event are connected in the threat attack relationship network. Here, threat attack cooperative behavior may have either of the following meanings:
For some possible design considerations, threat attack cooperative behavior may mean that, in the process of threat attack collaboration on the target threat awareness event by an external attack source, two threat attack activities appear simultaneously in the collaboration activities of that external attack source. Suppose the set of threat attack activities includes threat attack activity L, threat attack activity M, threat attack activity E, threat attack activity B, …. Since threat attack activity L and threat attack activity M may occur simultaneously in the external attack source during the collaboration, threat attack activity L and threat attack activity M are considered to have threat attack cooperative behavior in the target threat awareness event. Since threat attack activity M and threat attack activity E may likewise occur simultaneously in the external attack source, they are also considered to have threat attack cooperative behavior. Since threat attack activity E and threat attack activity B cannot occur simultaneously in this external attack source, they are considered to have no threat attack cooperative behavior in the target threat awareness event, and so on.
For other possible design considerations, threat attack cooperative behavior may mean that, in the process of threat attack collaboration on the target threat perception event by an external attack source, two threat attack activities appear simultaneously in the external attack source and the defending time-space domain association parameter between them is greater than a preset association parameter value. The defending time-space domain association parameter between two threat attack activities can be calculated from their threat attack path variables; it maps the defending time-space domain matching degree between the two activities and is directly proportional to that matching degree; in other words, the larger the defending time-space domain association parameter between two threat attack activities, the larger their defending time-space domain matching degree. For example, let the preset association parameter value be K, the defending time-space domain association parameter between threat attack activity L and threat attack activity M be kLM, that between threat attack activity M and threat attack activity E be kME, and that between threat attack activity E and threat attack activity B be kEB, with kLM < K, kME > K and kEB < K.
Continuing the example: since the defending time-space domain association parameter kLM between threat attack activity L and threat attack activity M is smaller than the preset association parameter value K, the vulnerability restoration system considers that threat attack activity L and threat attack activity M do not have threat attack cooperative behavior in the target threat perception event, even though they may occur simultaneously in the external attack source. Since the defending time-space domain association parameter kME between threat attack activity M and threat attack activity E is greater than K, and the two activities can appear simultaneously in the external attack source, the vulnerability restoration system considers that they do have threat attack cooperative behavior in the target threat perception event, and so on. Therefore, when judging whether two threat attack activities have threat attack cooperative behavior in the target threat sensing event, this embodiment considers not only the distance between the threat attack penetration intervals of the two activities in the target threat sensing event through the external attack source, but also the defending time-space domain matching degree between them, which effectively improves the accuracy of that judgment and hence the precision of the threat attack relationship network.
Based on the above, when implementing Process120 the vulnerability restoration system may first establish a basic threat attack relationship network of the target threat perception event from the plurality of threat attack activities; the basic network includes a plurality of network members, each mapping one threat attack activity. Secondly, the vulnerability restoration system may select at least one pair of cooperative threat attack activity instances from the plurality of threat attack activities, where a pair of cooperative threat attack activity instances is composed of two threat attack activities that have threat attack cooperative behavior in the target threat awareness event. Then the vulnerability remediation system traverses each such pair; for the pair currently traversed, the two network members associated with its two threat attack activities are connected in the basic threat attack relationship network. When all pairs of cooperative threat attack activity instances have been traversed, the threat attack relationship network of the target threat perception event is obtained.
For example, assume the several threat attack activities include threat attack activity L (recorded by network member L), threat attack activity M (recorded by network member M), threat attack activity E (recorded by network member E), threat attack activity B (recorded by network member B), …; and that there are a total of 5 pairs of cooperative threat attack activity instances among them, namely (threat attack activity L, threat attack activity M), (threat attack activity L, threat attack activity B), (threat attack activity M, threat attack activity E) and (threat attack activity B, threat attack activity E). The vulnerability restoration system then connects network member L with network member M, network member L with network member B, network member M with network member E, and network member B with network member E in the basic threat attack relationship network, so as to obtain the threat attack relationship network of the target threat perception event.
Process130: generate the threat attack participation degree of the threat attack activity mapped by each network member according to the threat attack cooperative information among the network members in the threat attack relationship network.
For some possible design ideas: threat attack cooperative behavior refers either to two threat attack activities appearing simultaneously in one external attack source, or to two threat attack activities appearing simultaneously in one external attack source with a defending time-space domain association parameter greater than the preset association parameter value. The more frequently a threat attack activity takes part in threat attack cooperative behavior in the target threat sensing event, the more risk it brings. Thus, when executing Process130, the vulnerability repairing system may, for example, count the threat attack coordination times (the number of threat attack cooperative behaviors) of each threat attack activity from the threat attack coordination information between the network members in the threat attack relationship network, and determine the threat attack participation degree of each threat attack activity from its coordination times, on the principle that the coordination times and the participation degree are positively correlated.
For some possible design ideas, the threat attack coordination times of a threat attack activity can be output directly as its threat attack participation degree. Alternatively, the coordination times can be normalized and the normalized value output as the participation degree. Alternatively, the coordination times can be weighted by a threat attack participation degree parameter, which can be set according to actual service conditions, and the weighted value output as the participation degree. For example, referring to the foregoing example, if network member L and network member M are connected (a derivative attack feature relationship), and network member L and network member B are connected, the threat attack coordination times of threat attack activity L mapped by network member L is counted as 2; this number may be output directly as the threat attack participation degree of threat attack activity L (i.e. the participation degree is 2), or it may be weighted by a participation degree parameter (e.g. 1.5) and the weighted value output as the participation degree (i.e. the participation degree is 3), and so on.
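The two cooperative-behavior rules (co-occurrence alone, or co-occurrence plus an association parameter above K), the construction of the relationship network from cooperative pairs, and the three ways of turning coordination times into a participation degree, as an added Python example that is not part of the patent text. The co-occurrence data, association values, the threshold K = 0.5, and normalization by the largest coordination count are constructed assumptions; the pair list (L, M), (L, B), (M, E), (B, E) and the weight 1.5 are the ones used in the text above.

```python
from collections import defaultdict

# Constructed sample data (assumption, not from the patent): pairs that appear
# simultaneously in the external attack source, and the defending time-space
# domain association parameter of each pair. (E, B) never co-occur.
CO_OCCURRING = {frozenset(("L", "M")), frozenset(("M", "E"))}
ASSOCIATION = {
    frozenset(("L", "M")): 0.3,   # kLM < K
    frozenset(("M", "E")): 0.8,   # kME > K
    frozenset(("E", "B")): 0.2,   # kEB < K
}
THRESHOLD_K = 0.5  # preset association parameter value K (assumed)


def cooperative_pairs(co_occurring, association, threshold, use_threshold=True):
    """Pairs with threat attack cooperative behavior.

    use_threshold=False: rule 1, the two activities co-occur in the external attack source.
    use_threshold=True:  rule 2, they co-occur AND their association parameter exceeds K.
    """
    pairs = set()
    for pair in co_occurring:
        if not use_threshold or association.get(pair, 0.0) > threshold:
            pairs.add(pair)
    return pairs


def build_network(activities, pairs):
    """Basic network: one isolated member per activity; then connect each cooperative pair."""
    adjacency = {a: set() for a in activities}
    for pair in pairs:
        a, b = sorted(pair)
        adjacency[a].add(b)
        adjacency[b].add(a)
    return adjacency


def coordination_times(network):
    """Number of cooperative behaviors each activity takes part in (its degree)."""
    return {a: len(neighbours) for a, neighbours in network.items()}


def participation_degree(network, mode="direct", weight=1.5):
    """Coordination times -> participation degree: direct, normalized, or weighted."""
    times = coordination_times(network)
    if mode == "direct":
        return dict(times)
    if mode == "normalized":
        # Assumption: normalize by the largest coordination count in the network.
        largest = max(times.values()) or 1
        return {a: t / largest for a, t in times.items()}
    if mode == "weighted":
        return {a: t * weight for a, t in times.items()}
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    print("rule 2 pairs:", cooperative_pairs(CO_OCCURRING, ASSOCIATION, THRESHOLD_K))
    pairs = [frozenset(p) for p in [("L", "M"), ("L", "B"), ("M", "E"), ("B", "E")]]
    net = build_network(["L", "M", "E", "B"], pairs)
    print("coordination times:", coordination_times(net))
    print("weighted by 1.5:", participation_degree(net, "weighted"))
```

Under rule 2 only the (M, E) pair survives, because kLM is below K even though L and M co-occur; with the text's four pairs, activity L has coordination times 2 and a weighted participation degree of 3.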
In addition, for some possible design ideas, research shows that if two threat attack activities have threat attack cooperative behavior in the target threat perception event, their threat attack participation degrees usually affect each other, because the two activities occur simultaneously. Accordingly, when executing Process130, the vulnerability repairing system can calculate the threat attack participation degree of the threat attack activity of any network member by combining the participation degrees of the threat attack activities mapped by the associated network members that have a network connection relationship with that member, so as to improve the accuracy of the participation degree. For some possible design ideas, for the threat attack activity mapped by any network member, the one or more associated network members connected to that member are first determined from the threat attack cooperative information among the network members in the threat attack relationship network; then the participation degree of the threat attack activity mapped by that member is determined from the participation degrees of the threat attack activities mapped by each associated network member.
Determining the threat attack participation degree of the threat attack activity mapped by any network member from the participation degrees of the threat attack activities mapped by its associated network members may be implemented in either of the following ways:
Embodiment one: the vulnerability restoration system first determines an initial value for the threat attack activity mapped by the network member from the threat attack coordination times of that activity. Secondly, the number of times that the threat attack activity mapped by the network member appears simultaneously in the external attack source with the threat attack activity mapped by each associated network member is counted, the counts are normalized, and the normalized values are output as the risk assessment information of each associated network member. For example, for threat attack activity L mapped by network member L, network member L has two associated network members, network member M and network member B; if threat attack activity L appears simultaneously in the external attack source 15 times with threat attack activity M mapped by network member M and 5 times with threat attack activity B mapped by network member B, then the risk assessment information of network member M is 15/(15+5) = 0.75 and that of network member B is 5/(15+5) = 0.25. After the risk assessment information of each associated network member is obtained, the threat attack participation degrees of the associated network members are weighted and summed according to their risk assessment information; for example, if the participation degree of network member M is 0.4 and that of network member B is 0.2, the weighted sum is 0.4 × 0.75 + 0.2 × 0.25 = 0.35.
Finally, the weighted sum is added to the initial value of the threat attack activity mapped by the network member, and the result is output as the threat attack participation degree of that activity.
Embodiment two: the vulnerability remediation system may also determine the threat attack participation degree of the threat attack activity mapped by any network member from the participation degrees of the threat attack activities mapped by its associated network members.
In addition, for some possible design ideas: since the defending time-space domain association parameter represents the defending time-space domain matching degree between two threat attack activities, research shows that, for any threat attack activity, the larger the matching degree between another threat attack activity and it, the larger the influence of that other activity's participation degree on its own participation degree. Accordingly, when executing Process130, the vulnerability repairing system can calculate the threat attack participation degree of the threat attack activity of any network member by combining the participation degrees of the threat attack activities mapped by its associated network members with the defending time-space domain association parameters between its threat attack activity and the threat attack activity mapped by each associated network member, so as to further improve the accuracy of the participation degree. For some possible design ideas, for the threat attack activity mapped by any network member, the one or more associated network members connected to that member are first determined from the threat attack cooperative information between the network members in the threat attack relationship network.
Then the defending time-space domain association parameters between the threat attack activity mapped by the network member and the threat attack activity mapped by each associated network member are calculated, and the participation degree of the threat attack activity mapped by the network member is determined from those association parameters and the participation degrees of the threat attack activities mapped by the associated network members.
Determining the participation degree of the threat attack activity mapped by any network member from the defending time-space domain association parameters and the participation degrees of the threat attack activities mapped by its associated network members may be implemented in either of the following ways:
Embodiment one: the vulnerability restoration system first determines an initial value for the threat attack activity mapped by the network member from the threat attack coordination times of that activity. Secondly, the participation degrees of the associated network members are weighted and summed according to the defending time-space domain association parameters. For example, for threat attack activity L mapped by network member L, network member L has two associated network members, network member M and network member B, with participation degrees 0.4 and 0.2 respectively. If the defending time-space domain association parameter between threat attack activity L and threat attack activity M mapped by network member M is kLM, and that between threat attack activity L and threat attack activity B mapped by network member B is kLB, the weighted sum is 0.4 × kLM + 0.2 × kLB. The weighted sum is then added to the initial value of the threat attack activity mapped by the network member, and the result is output as the threat attack participation degree of that activity.
Embodiment two: the vulnerability restoration system may also determine the threat attack participation degree of the threat attack activity mapped by any network member from the defending time-space domain association parameters and the participation degrees of the threat attack activities mapped by its associated network members.
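The refinement of a member's participation degree from its associated members, covering both the risk-assessment weighting (counts 15 and 5 normalized to 0.75 and 0.25, weighted sum 0.35) and the association-parameter weighting (0.4 × kLM + 0.2 × kLB), as an added Python example that is not part of the patent text. Both embodiments share the shape "initial value + Σ weight × associated participation degree"; the initial value being equal to the coordination times (2 for activity L) and the concrete kLM = 0.5, kLB = 0.25 are assumptions.

```python
def risk_assessment_weights(co_occurrence_counts):
    """Normalize per-neighbour co-occurrence counts into risk assessment information.

    co_occurrence_counts: {associated member: times it co-occurred with this activity}
    """
    total = sum(co_occurrence_counts.values())
    if total == 0:
        # No co-occurrence recorded: every neighbour gets zero weight.
        return {member: 0.0 for member in co_occurrence_counts}
    return {member: count / total for member, count in co_occurrence_counts.items()}


def weighted_neighbour_sum(neighbour_degrees, weights):
    """Sum weight_i x participation degree_i over the associated members."""
    return sum(weights[m] * neighbour_degrees[m] for m in weights)


def refine_by_risk(initial_value, neighbour_degrees, co_occurrence_counts):
    """Embodiment one (risk assessment): initial value + risk-weighted neighbour sum."""
    weights = risk_assessment_weights(co_occurrence_counts)
    return initial_value + weighted_neighbour_sum(neighbour_degrees, weights)


def refine_by_association(initial_value, neighbour_degrees, association_params):
    """Embodiment one (association parameters): initial value + k-weighted neighbour sum."""
    return initial_value + weighted_neighbour_sum(neighbour_degrees, association_params)


def refine_network(network, base_degrees, co_occurrence=None, association=None):
    """Apply one refinement to every member of a relationship network.

    network:       {member: set of associated members}
    base_degrees:  {member: participation degree before refinement}; also used
                   as the initial value (assumption: initial value = coordination times)
    Exactly one of co_occurrence / association is given, each keyed by (member, neighbour).
    """
    refined = {}
    for member, neighbours in network.items():
        neighbour_degrees = {n: base_degrees[n] for n in neighbours}
        if co_occurrence is not None:
            counts = {n: co_occurrence.get((member, n), 0) for n in neighbours}
            refined[member] = refine_by_risk(base_degrees[member], neighbour_degrees, counts)
        else:
            params = {n: association.get((member, n), 0.0) for n in neighbours}
            refined[member] = refine_by_association(base_degrees[member], neighbour_degrees, params)
    return refined


if __name__ == "__main__":
    # Values from the text: L co-occurs 15 times with M and 5 times with B;
    # M and B have participation degrees 0.4 and 0.2.
    neighbour_degrees = {"M": 0.4, "B": 0.2}
    print("weights:", risk_assessment_weights({"M": 15, "B": 5}))
    print("risk-refined L:", refine_by_risk(2, neighbour_degrees, {"M": 15, "B": 5}))
    print("k-refined L:", refine_by_association(2, neighbour_degrees, {"M": 0.5, "B": 0.25}))
```

With the text's numbers the risk-weighted neighbour sum is 0.35, so an initial value of 2 gives 2.35; the association-weighted variant with the assumed kLM = 0.5 and kLB = 0.25 gives 2 + 0.2 + 0.05 = 2.25.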
Process140: select the key threat attack chain data of the target threat perception event from the threat attack activity sequence based on the threat attack participation degree of each threat attack activity, and establish the vulnerability classification features of the target threat perception event from the threat attack path variables of the key threat attack chain data, where the vulnerability classification features represent the security vulnerability related features of the security protection process corresponding to the target threat perception event.
After the vulnerability restoration system has obtained the threat attack participation degree of each threat attack activity, it can select from the threat attack activity sequence the threat attack chain data with the largest participation degree and output it as the key threat attack chain data of the target threat perception event. The vulnerability classification features of the target threat perception event are then established from the threat attack path variables of the key threat attack chain data; these features represent the security vulnerability related features of the security protection process corresponding to the target threat perception event.
One design for selecting the key threat attack chain data from the threat attack activity sequence is as follows: first extract all threat attack chain data included in the threat attack activity sequence, then select from the extracted chain data the one with the greatest threat attack participation degree and output it as the key threat attack chain data of the target threat perception event.
For the target threat perception event indicated by a vulnerability repair analysis task, the embodiment of the application obtains a plurality of threat attack activities from that event and establishes its threat attack relationship network from those activities. Because the threat attack activities mapped by connected network members in that network have threat attack cooperative behavior in the target threat perception event, threat attack activities with more cooperative behavior carry more risk; the threat attack participation degree of the activity mapped by each network member can therefore be determined more accurately from the threat attack cooperative information among the network members. The key threat attack chain data of the target threat perception event is then selected from the threat attack activity sequence based on the participation degree of each threat attack activity, and the vulnerability classification features representing the security vulnerability related features of the corresponding security protection process are established from the threat attack path variables of that key chain data. The embodiment thus improves the precision of the key threat attack chain data by improving the precision of the participation degree of each threat attack activity, and thereby the precision of the security vulnerability related features; moreover, the security vulnerability related features of a threat perception event are analyzed automatically throughout the security vulnerability classification flow, which reduces the manual investigation involved in security vulnerability classification.
For further exemplary design considerations, the Process100 is described in detail below in connection with another specific embodiment.
Process210: obtain a threat attack activity sequence from the target threat awareness event indicated by the vulnerability restoration analysis task.
For some possible design ideas, the vulnerability repair system can analyze the threat attack activities of the target threat sensing event indicated by the vulnerability repair analysis task and output a basic threat attack activity sequence; the basic sequence comprises a plurality of basic threat attack activities, each of which has time window network flow data in the threat attack process.
After the basic threat attack activity sequence is obtained, the vulnerability restoration system can extract a plurality of seed threat attack activities from it based on one or more initial threat attack tracking patterns. A seed threat attack activity is a basic threat attack activity that is present in one or more initial threat attack tracking patterns, i.e. a threat attack activity present both in one or more initial threat attack tracking patterns and in the target threat awareness event. For some possible design ideas, the vulnerability restoration system may extract the seed threat attack activities directly from the basic sequence based on the initial threat attack tracking patterns; for example, it may traverse each basic threat attack activity in the basic sequence, match the currently traversed activity against the one or more initial threat attack tracking patterns to detect whether it exists in them, and, if so, output the currently traversed basic threat attack activity as a seed threat attack activity.
According to the method, when a plurality of seed threat attack activities are extracted from a basic threat attack activity sequence based on one or more initial threat attack tracking patterns, the vulnerability repair system can firstly extract basic threat attack activities of time window network flow data in the process of a target threat attack flow from the basic threat attack activity sequence; the time window network flow data during the target threat attack procedure referred to herein may include at least one of: the type of attack type, the number of times each attack type occurs, and the probability of each attack type occurring until the current time window. Then, the vulnerability restoration system may extract a plurality of seed threat attack activities from the base threat attack activities of the time window network flow data in the target threat attack process based on one or more initial threat attack tracking patterns, and the specific embodiment of the vulnerability restoration system is similar to the specific embodiment of the step of extracting a plurality of seed threat attack activities from the base threat attack activity sequence directly based on one or more initial threat attack tracking patterns, which is described in detail herein.
After extracting the plurality of seed threat attack activities, a threat attack activity sequence (which may be represented by M') of the target threat awareness event may be established in accordance with the plurality of seed threat attack activities. For some possible design ideas, a threat attack activity sequence of a target threat perception event can be established directly according to a plurality of seed threat attack activities; in this embodiment, the threat attack activity in the sequence of threat attack activities is the seed threat attack activity, and the statistical distribution of threat attack activities is equal to the statistical distribution of seed threat attack activities. Other possible design ideas, as some seed threat attack activities which are adjacent in the target threat perception event and have special meaning may exist in the extracted seed threat attack activities; for these seed threat attack activities, they will typically appear simultaneously in the initial threat attack tracking profile, and the threat attack activities that are composed after their attack granularity is related together are more mining value than the individual seed threat attack activities. For example, for seed threat attack activities "L" and "M" they will typically appear in the initial threat attack tracking profile at the same time, and "l+m" is more mined than "L" and "M". Under the condition, the vulnerability restoration system can correlate the seed threat attack activity attack granularities together and output threat attack activities with the correlated attack granularities as threat attack activities so as to improve the accuracy of the follow-up topic identification. 
According to the method, when a threat attack activity sequence of a target threat perception event is established according to a plurality of seed threat attack activities, the vulnerability repair system can judge whether seed threat attack activities matching attack granularity association requirements exist in the plurality of seed threat attack activities; the attack granularity association requirements here may include: the threat attack penetration intervals in the target threat perception event are matched and exist in the same initial threat attack tracking map. If the seed threat attack activities with the matching attack granularity association requirements exist in the plurality of seed threat attack activities, carrying out attack granularity association processing on the seed threat attack activities with the matching attack granularity association requirements; and outputting the threat attack activity sequence subjected to attack granularity association processing and the seed threat attack activity which is not subjected to attack granularity association processing as threat attack activities, and adding the threat attack activities into the threat attack activity sequence of the target threat perception event. If the seed threat attack activities matching the attack granularity association requirement do not exist in the plurality of seed threat attack activities, outputting the seed threat attack activities as threat attack activities and adding the threat attack activities into a threat attack activity sequence of the target threat perception event.
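The following is an added worked example of Process210 (seed extraction followed by attack granularity association); it is not code from the patent, which leaves the data representation open. It assumes that a basic threat attack activity is a record with a name, a time-window index and an attack type, that an initial threat attack tracking profile is an ordered list of activity names, and that "matching penetration intervals" means adjacent time windows. The sample sequence and profiles are constructed for illustration.

```python
"""Added example (not from the patent): Process210 seed extraction and
attack-granularity association over a constructed activity sequence.

Assumptions (the patent does not fix these): a basic threat attack activity
is a record with a name, time-window index and attack type; an initial
threat attack tracking profile is an ordered list of activity names; the
"penetration intervals match" condition is modelled as adjacent windows.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Set


@dataclass(frozen=True)
class Activity:
    name: str
    window: int          # time-window index of the network flow data
    attack_type: str     # attack type observed in that window


# Constructed sample data: a basic threat attack activity sequence.
BASIC_SEQUENCE: List[Activity] = [
    Activity("recon_scan", 0, "scan"),
    Activity("benign_dns", 1, "none"),
    Activity("L", 2, "exploit"),
    Activity("M", 3, "exploit"),
    Activity("c2_beacon", 5, "c2"),
    Activity("noise", 6, "none"),
]

# Constructed initial threat attack tracking profiles (ordered activity names).
TRACKING_PROFILES: List[List[str]] = [
    ["recon_scan", "L", "M"],
    ["L", "M", "c2_beacon"],
]


def extract_seeds(sequence: Sequence[Activity],
                  profiles: Iterable[Sequence[str]]) -> List[Activity]:
    """Seed activities: basic activities that also appear in some profile."""
    known: Set[str] = {name for profile in profiles for name in profile}
    return [a for a in sequence if a.name in known]


def meets_association_requirement(a: Activity, b: Activity,
                                  profiles: Iterable[Sequence[str]]) -> bool:
    """Both conditions must hold: adjacent penetration intervals (assumed to
    mean adjacent windows) and co-membership in one tracking profile."""
    adjacent = abs(a.window - b.window) == 1
    same_profile = any(a.name in p and b.name in p for p in profiles)
    return adjacent and same_profile


def build_activity_sequence(seeds: Sequence[Activity],
                            profiles: Sequence[Sequence[str]]) -> List[str]:
    """Build M': runs of seeds meeting the requirement are merged into one
    compound activity ("L+M"); all other seeds pass through unchanged."""
    result: List[str] = []
    i = 0
    while i < len(seeds):
        group = [seeds[i]]
        while i + 1 < len(seeds) and meets_association_requirement(
                seeds[i], seeds[i + 1], profiles):
            group.append(seeds[i + 1])
            i += 1
        result.append("+".join(a.name for a in group))
        i += 1
    return result


def process210(sequence: Sequence[Activity] = BASIC_SEQUENCE,
               profiles: Sequence[Sequence[str]] = TRACKING_PROFILES) -> List[str]:
    """Process210 end to end: seeds, then granularity association."""
    return build_activity_sequence(extract_seeds(sequence, profiles), profiles)


if __name__ == "__main__":
    print(process210())   # ['recon_scan', 'L+M', 'c2_beacon']
```

Note that "recon_scan" and "L" share a profile but are not merged, because their windows are not adjacent; the requirement is a conjunction of both conditions, which is the point the text makes about the association requirement.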
Process220: a threat attack relationship network of the target threat awareness event is established from the plurality of threat attack activities.
For example, a basic threat attack relationship network of the target threat awareness event is first established from the threat attack activities; it comprises a plurality of network members, each of which maps one threat attack activity. Second, at least one pair of collaborative threat attack activity instances is selected from the threat attack activities; a collaborative pair is a combination of two threat attack activities that exhibit threat attack collaborative behavior in the target threat awareness event. Next, one or more network member sub-networks are determined in the basic threat attack relationship network from the collaborative pairs, each sub-network comprising the two network members that respectively record the two threat attack activities of one collaborative pair. Finally, the two network members of each sub-network are connected in the basic threat attack relationship network, and the resulting network is output as the threat attack relationship network of the target threat awareness event.
Process230: the threat attack engagement of the threat attack activity mapped by each network member is generated from the threat attack collaborative information among the network members of the threat attack relationship network.
Process240: a plurality of threat awareness intelligence items of the target threat awareness event are selected from the threat attack activity sequence based on the threat attack engagement of each threat attack activity.
In some possible designs, the vulnerability restoration system ranks the threat attack activities of the sequence by threat attack engagement, selects those falling within a preset sequence interval of the ranking, and outputs them as the threat awareness intelligence items of the target threat awareness event. In other possible designs, the system selects the threat attack activities whose threat attack engagement exceeds a preset engagement threshold. The threat awareness intelligence items include one or more candidate key threat attack chain data. For convenience of explanation, the following takes the activities selected by engagement ranking within a preset sequence interval as the example of the threat awareness intelligence items.
Process250: the key threat attack chain data with the greatest threat attack engagement is selected from the one or more candidate key threat attack chain data and output as the key threat attack chain data of the target threat awareness event.
Process260: vulnerability classification features of the target threat awareness event are established from the threat attack path variables of the key threat attack chain data; the vulnerability classification features characterize the security-vulnerability-related features of the security protection process corresponding to the target threat awareness event.
In some possible designs, the vulnerability restoration system first invokes a threat attack path variable generation model to extract the threat attack path variables of the key threat attack chain data. The threat attack path variable of a threat attack activity may be determined by combining the forward path data and the backward path data of the activity, or by combining the functions of the activity in different dimensions, so that the same activity may have the same threat attack path variable across dimensions; this is not particularly limited.
After the threat attack path variables of the key threat attack chain data are obtained, the vulnerability classification features of the target threat awareness event can be established from them. In some possible designs, derived threat attack chain data corresponding to the key threat attack chain data is first obtained from the threat attack activity sequence; derived threat attack chain data is threat attack chain data whose network member has a derivative attack signature relationship with the network member of the key threat attack chain data in the threat attack relationship network. Second, the threat attack path variables of the key threat attack chain data and of the derived threat attack chain data are extracted. Then these threat attack path variables are aggregated, and the aggregate is output as the vulnerability classification features of the target threat awareness event.
Process270: the threat attack path variables of each threat awareness intelligence item are obtained, and the degree of matching between them and the vulnerability classification features is determined.
Process280: the vulnerability basic information of the target threat awareness event is selected from the plurality of threat awareness intelligence items based on the degree of matching between the threat attack path variables of each item and the vulnerability classification features.
Process290: the target threat awareness event and the vulnerability basic information are configured in association.
In a specific implementation, after the vulnerability restoration system has selected the vulnerability basic information of the target threat awareness event through Process210 to Process280, it configures the target threat awareness event and that vulnerability basic information in association.
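The following is an added worked example of Process220 through Process290 over a constructed threat attack activity sequence M'; it is not code from the patent, and every concrete choice below is an assumption the patent leaves open: two activities form a collaborative pair when they occupy adjacent positions in M'; engagement is the weighted degree of a member in the relationship network; a threat attack path variable is the concatenation of backward and forward attack-type counts (the types of the activities immediately before and after each occurrence, one reading of "combining forward and backward path data"); derived chain data are the network neighbours of the key chain data; aggregation is the mean; and the degree of matching is cosine similarity. The attack-type table is constructed for the example.

```python
"""Added example (not from the patent): Process220 to Process290 over a
constructed threat attack activity sequence M'.

Assumptions (none fixed by the patent): adjacent, distinct activities in M'
are a collaborative pair; engagement = weighted degree; a path variable is
backward + forward attack-type counts; derived chain data = neighbours of
the key chain data; aggregation = mean; degree of matching = cosine.
"""
from collections import Counter, defaultdict
from math import sqrt
from typing import Dict, List, Sequence

ATTACK_TYPES = ["scan", "exploit", "c2", "exfil"]

# Constructed M' (output of Process210) and the attack type of each activity.
SEQUENCE = ["recon_scan", "L+M", "c2_beacon", "L+M", "exfil", "c2_beacon", "L+M"]
ATTACK_TYPE = {"recon_scan": "scan", "L+M": "exploit",
               "c2_beacon": "c2", "exfil": "exfil"}

Graph = Dict[str, Dict[str, int]]   # member -> neighbour -> co-occurrence weight


def build_relationship_network(seq: Sequence[str]) -> Graph:
    """Process220: one member per distinct activity; an edge joins each
    collaborative pair (adjacent, distinct activities), weighted by count."""
    graph: Graph = {a: defaultdict(int) for a in set(seq)}
    for a, b in zip(seq, seq[1:]):
        if a != b:
            graph[a][b] += 1
            graph[b][a] += 1
    return graph


def engagement(graph: Graph) -> Dict[str, int]:
    """Process230: weighted degree of each member as its engagement."""
    return {m: sum(nbrs.values()) for m, nbrs in graph.items()}


def select_intelligence(eng: Dict[str, int], k: int) -> List[str]:
    """Process240: the k activities ranked highest by engagement (ties by name)."""
    return sorted(eng, key=lambda m: (-eng[m], m))[:k]


def path_variable(activity: str, seq: Sequence[str]) -> List[float]:
    """Backward and forward attack-type counts around each occurrence."""
    back: Counter = Counter()
    fwd: Counter = Counter()
    for i, a in enumerate(seq):
        if a != activity:
            continue
        if i > 0:
            back[ATTACK_TYPE[seq[i - 1]]] += 1
        if i + 1 < len(seq):
            fwd[ATTACK_TYPE[seq[i + 1]]] += 1
    return ([float(back[t]) for t in ATTACK_TYPES]
            + [float(fwd[t]) for t in ATTACK_TYPES])


def classification_feature(key: str, graph: Graph, seq: Sequence[str]) -> List[float]:
    """Process260: mean of the key chain data's path variable and those of
    its derived chain data (here: its neighbours in the network)."""
    members = [key] + sorted(graph[key])
    vectors = [path_variable(m, seq) for m in members]
    return [sum(col) / len(vectors) for col in zip(*vectors)]


def cosine(u: Sequence[float], v: Sequence[float]) -> float:
    dot = sum(a * b for a, b in zip(u, v))
    nu, nv = sqrt(sum(a * a for a in u)), sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def run_pipeline(seq: Sequence[str] = SEQUENCE, k: int = 3) -> Dict[str, object]:
    graph = build_relationship_network(seq)
    eng = engagement(graph)
    intel = select_intelligence(eng, k)                   # Process240
    key = intel[0]                                        # Process250
    feature = classification_feature(key, graph, seq)     # Process260
    matches = {m: cosine(path_variable(m, seq), feature)
               for m in intel}                            # Process270
    basic_info = max(matches, key=matches.get)            # Process280
    # Process290 would store the (event, basic_info) association.
    return {"engagement": eng, "intelligence": intel, "key_chain": key,
            "matches": matches, "basic_info": basic_info}


if __name__ == "__main__":
    for name, value in run_pipeline().items():
        print(f"{name}: {value}")
```

On the constructed input the key chain data is "L+M" (engagement 5), but the item whose path variable best matches the aggregated classification feature is "c2_beacon" (cosine 0.75 versus 0.62 for "L+M"), which illustrates why Process270/280 are a separate matching step rather than simply re-selecting the key chain data.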
The vulnerability classification features described above are the overall AI decision features (i.e., the main AI decision features) of the target threat awareness event, and the security-vulnerability-related features are the threat awareness intelligence features of the event. In an alternative embodiment, when the key threat attack chain data obtained from the target threat awareness event has more than one statistical distribution, the event is indicated to have a plurality of threat scenario variables. In this case the vulnerability restoration system may further select, from the one or more candidate key threat attack chain data, secondary key threat attack chain data whose threat attack engagement is lower than that of the key threat attack chain data. Second, the AI decision features of the threat awareness situation of the event (i.e., the non-main AI decision features) are established from the threat attack path variables of the secondary key threat attack chain data; these features characterize the threat scenario variables of the threat awareness situation of the target threat awareness event. Then the target threat awareness event, its vulnerability classification features and the AI decision features of its threat awareness situation are loaded into the attack penetration evaluation program, so that when an attack penetration evaluation instruction is received, attack penetration evaluation processing can be performed based on both the vulnerability classification features and the AI decision features of the threat awareness situation.
In some possible designs, the vulnerability restoration system also calculates, by the same steps, the overall AI decision features and the threat-awareness-situation AI decision features of other threat awareness events and associates each calculated feature into the attack penetration evaluation program; that is, the program also holds one or more other threat awareness events, each with a corresponding overall AI decision feature and a corresponding threat-awareness-situation AI decision feature. When responding to an attack penetration evaluation instruction, the system first obtains the attack penetration evaluation features of the attack penetration evaluation information carried by the instruction. Second, it obtains each threat awareness event in the program together with the one or more AI decision features of that event; each event has a risk influence parameter, and its AI decision features comprise its overall AI decision feature and its threat-awareness-situation AI decision feature. Then the degree of matching between each AI decision feature of each event and the attack penetration evaluation features is calculated, and the risk influence parameter of each event is updated based on those degrees of matching.
In some possible designs, for any threat awareness event, the AI decision feature with the greatest degree of matching to the attack penetration evaluation features is determined among the one or more AI decision features of that event. If that feature is the overall AI decision feature of the event, the risk influence parameter of the event is increased; if it is the threat-awareness-situation AI decision feature of the event, the risk influence parameter is decreased. In either case the updated value replaces the event's risk influence parameter.
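The following is an added worked example of the risk influence parameter update just described; it is not code from the patent. The patent fixes neither the feature representation, the matching function, nor the size of the increase or decrease, so the example assumes numeric feature vectors, cosine similarity as the degree of matching, a move of STEP times the winning match clamped to [0, 1], ties resolved in favour of the main feature, and no change when neither feature matches at all (a case the rule as stated does not cover). The program contents and the evaluation feature are constructed.

```python
"""Added example (not from the patent): updating the risk influence parameter
of each threat awareness event held by the attack penetration evaluation
program, per the main / non-main AI decision feature rule.

Assumptions (not fixed by the patent): features are numeric vectors, matching
is cosine similarity, the parameter moves by STEP * match and is clamped to
[0, 1], ties go to the main feature, and a best match of zero leaves the
parameter unchanged.
"""
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Sequence

STEP = 0.2   # hypothetical adjustment scale


@dataclass(frozen=True)
class ThreatEvent:
    name: str
    main_feature: List[float]        # overall (main) AI decision feature
    situation_feature: List[float]   # threat-awareness-situation (non-main) feature
    risk: float = 0.5                # current risk influence parameter


def cosine(u: Sequence[float], v: Sequence[float]) -> float:
    dot = sum(a * b for a, b in zip(u, v))
    nu, nv = sqrt(sum(a * a for a in u)), sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def updated_risk(event: ThreatEvent, evaluation: Sequence[float]) -> float:
    """Return the event's new risk influence parameter for one evaluation.

    The feature with the greatest match decides the direction: main feature
    wins -> increase; situation feature wins -> decrease. A best match of
    zero means the instruction says nothing about this event, so no change.
    """
    main_match = cosine(event.main_feature, evaluation)
    situation_match = cosine(event.situation_feature, evaluation)
    if max(main_match, situation_match) <= 0.0:
        return event.risk
    if main_match >= situation_match:
        return min(1.0, event.risk + STEP * main_match)
    return max(0.0, event.risk - STEP * situation_match)


# Constructed program contents: three events with main / non-main features.
PROGRAM: List[ThreatEvent] = [
    ThreatEvent("evt_A", [1.0, 0.0, 1.0, 0.0], [0.0, 1.0, 0.0, 1.0]),
    ThreatEvent("evt_B", [0.0, 1.0, 0.0, 0.0], [1.0, 1.0, 0.0, 0.0]),
    ThreatEvent("evt_C", [0.0, 0.0, 0.0, 1.0], [0.0, 1.0, 0.0, 0.0]),
]

# Constructed attack penetration evaluation feature carried by one instruction.
EVALUATION_FEATURE = [1.0, 0.0, 1.0, 0.0]


def evaluate(program: Sequence[ThreatEvent] = PROGRAM,
             evaluation: Sequence[float] = EVALUATION_FEATURE) -> Dict[str, float]:
    """Apply the update to every event in the program (pure; no mutation)."""
    return {e.name: round(updated_risk(e, evaluation), 6) for e in program}


if __name__ == "__main__":
    print(evaluate())   # {'evt_A': 0.7, 'evt_B': 0.4, 'evt_C': 0.5}
```

evt_A's main feature matches the evaluation feature exactly, so its parameter rises; evt_B matches only through its situation feature (cosine 0.5), so its parameter falls; evt_C matches neither and is left alone.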
For a target threat awareness event indicated by a vulnerability restoration analysis task, the embodiment of the application obtains a plurality of threat attack activities from the event and establishes a threat attack relationship network of the event from those activities. Because the threat attack activities mapped by network members that are connected in the threat attack relationship network exhibit threat attack collaborative behavior in the target threat awareness event, activities with more collaborative behavior carry higher risk; the threat attack engagement of the activity mapped by each network member can therefore be determined more accurately from the threat attack collaborative information among the network members. The key threat attack chain data of the event is then selected from the threat attack activity sequence based on the engagement of each activity, and the vulnerability classification features characterizing the security-vulnerability-related features of the corresponding security protection process are established from the threat attack path variables of the key threat attack chain data. In this way the embodiment improves the precision of the key threat attack chain data by improving the precision of the threat attack engagement of each activity, and thereby the precision of the security-vulnerability-related features; since these features are analyzed automatically throughout the security vulnerability classification flow, the manual investigation effort of security vulnerability classification is reduced.
In some embodiments, the vulnerability restoration system may include a processor, a machine-readable storage medium, a bus, and a communication unit.
The processor may perform various suitable actions and processes based on programs stored in the machine-readable storage medium, such as program instructions associated with the vulnerability repair method for big data security vulnerability mining described in the foregoing embodiments. The processor, the machine-readable storage medium, and the communication unit communicate signals over the bus.
In particular, the processes described in the above exemplary flowcharts may be implemented as computer software programs, in accordance with embodiments of the present invention. For example, embodiments of the present invention include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via a communication unit, which, when being executed by a processor, performs the above-mentioned functions defined in the method of the embodiment of the invention.
Still another embodiment of the present invention provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the vulnerability restoration method for big data security vulnerability mining according to any of the foregoing embodiments.
Yet another embodiment of the present invention provides a computer program product, including a computer program, which when executed by a processor implements the vulnerability restoration method for big data security vulnerability mining as in any of the above embodiments.
It should be understood that, although each operation step is indicated by an arrow in the flowchart of the embodiment of the present invention, the order in which the steps are performed is not limited to the order indicated by the arrow. In some implementations of embodiments of the invention, the implementation steps in the flowcharts may be performed in other orders as desired, unless explicitly stated herein. Furthermore, some or all of the steps in the flowcharts may include multiple sub-steps or multiple stages based on the actual implementation scenario. Some or all of these sub-steps or phases may be performed at the same time, or each of these sub-steps or phases may be performed at different times, respectively. In the case of different execution time, the execution sequence of the sub-steps or stages can be flexibly configured according to the requirement, which is not limited by the embodiment of the present invention.
The foregoing is merely an optional implementation of some implementation scenarios of the present invention. It should be noted that other similar implementations which those skilled in the art derive from the technical ideas of the present invention, without departing from the technical idea of its solution, also fall within the protection scope of the embodiments of the present invention.