CN115567237A - Network security assessment method based on knowledge graph - Google Patents


Info

Publication number: CN115567237A
Application number: CN202210968515.5A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 刘昕林, 刘威
Original assignee / current assignee: Shenzhen Power Supply Bureau Co Ltd
Legal status: Pending
Prior art keywords: entity, risk, result, threat, equipment

Classifications

    • H04L63/1433 Vulnerability analysis (under H04L63/14, detecting or protecting against malicious traffic)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, monitoring network traffic)
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L43/50 Testing arrangements (under H04L43/00, monitoring or testing data switching networks)
    • G06F16/288 Entity relationship models (under G06F16/284, relational databases)
    • G06F16/367 Ontology (under G06F16/36, creation of semantic tools)
    • G06N3/08 Learning methods (under G06N3/02, neural networks)


Abstract

The invention provides a network security assessment method based on a knowledge graph, which comprises the following steps: s1, collecting communication data, and constructing a threat knowledge graph based on the communication data, wherein the communication data comprises threat data, vulnerability data and countermeasure data; s2, respectively collecting event information, equipment information and equipment safety strategy information of a plurality of entity equipment with a safety detection function; s3, scanning the entity equipment based on the threat knowledge graph to obtain a first risk result; s4, analyzing the threat knowledge graph based on the equipment content information to obtain a second risk result; and S5, determining the network security risk level according to the first risk result and the second risk result of the entity equipment. The invention can enable an enterprise to accurately master the current safety risk situation of the network of the enterprise, thereby achieving the effect that the enterprise can evaluate the safety of the network of the enterprise.

Description

Network security assessment method based on knowledge graph
Technical Field
The invention relates to the technical field of network security, in particular to a network security assessment method based on a knowledge graph.
Background
In the operation process of a private network (such as an electric power network, an internet of things network, a private network, a signaling network and various enterprise group private networks), a network security technology is needed to prevent network attacks initiated by an attacker and guarantee the network security, so that the normal operation of private network transactions is guaranteed.
Disclosure of Invention
The invention aims to provide a network security assessment method based on a knowledge graph to solve the problems in the background technology.
The invention is realized by the following technical scheme: the network security assessment method based on the knowledge graph comprises the following steps:
s1, collecting communication data, and constructing a threat knowledge graph based on the communication data, wherein the communication data comprises threat data, vulnerability data and countermeasure data;
s2, respectively collecting event information, equipment information and equipment safety strategy information of a plurality of entity equipment with a safety detection function, and establishing a logical relationship among the equipment information, the event information and the equipment safety strategy information to form equipment content information;
s3, scanning entity equipment based on the threat knowledge graph to obtain a first risk result;
s4, analyzing the threat knowledge graph based on the equipment content information to obtain a second risk result;
and S5, determining the network security risk level according to the first risk result and the second risk result of the entity equipment.
Specifically, collecting communication data, and constructing a threat knowledge graph based on the communication data specifically includes:
s101, establishing a knowledge graph model, wherein the knowledge graph comprises entity nodes and relations among various entity node types, the relations comprise any one of inclusion, existence, utilization and use, and the entity node types comprise entity equipment, vulnerabilities, threats and countermeasures;
s102, extracting a plurality of entity nodes from a data source, wherein the entity nodes correspond to the entity node types;
s103, acquiring a second entity node having the relation with the first entity node and a third entity node having the relation with the second entity node from the entity nodes, connecting the third entity node to the corresponding second entity node, and connecting the second entity node to the corresponding first entity node;
s104, generating a data group according to the first entity node, the second entity node, the third entity node, the relation between the first entity node type and the second entity node type, and the relation between the second entity node type and the third entity node type, wherein a knowledge graph model containing the data group forms a threat knowledge graph.
Specifically, the first entity node type is entity equipment, the second entity node type is a vulnerability or a threat, and the third entity node type is a countermeasure.
Specifically, scanning the entity device based on the threat knowledge graph to obtain a first risk result includes:
s301, screening a first entity node matched with the entity equipment in the threat knowledge graph, and scanning the entity equipment according to vulnerability information in a corresponding second entity node to obtain a first evaluation result;
s302, screening a second entity node and a third entity node which are matched with the first vulnerability result in the threat knowledge graph, selecting the vulnerability information which exists in the second entity node and corresponds to the entity equipment, and correspondingly selecting a countermeasure in the third entity node according to the vulnerability information existing in the second entity node;
s303, comparing the corresponding measures with the security policy of the entity equipment, and obtaining a second evaluation result according to the consistency quantity of the corresponding measures and the security policy of the entity equipment;
s304, obtaining a first risk result according to the first evaluation result and the second evaluation result.
Specifically, analyzing the threat knowledge graph based on the device content information to obtain a second risk result includes:
s401, screening a corresponding first entity node in the threat knowledge graph according to equipment information, selecting entity equipment existing in the first entity node, screening threat information with the same IP address, domain name and URL as the event information in a second entity node of the threat knowledge graph according to the event information, and obtaining a third evaluation result based on the number of the threat information;
s402, based on the screened threat information, further screening the corresponding countermeasure in a second entity node of the threat knowledge graph, comparing the countermeasure with the security policy of the entity equipment, and obtaining a fourth evaluation result according to the consistency quantity of the countermeasure and the security policy of the entity equipment;
And S403, obtaining a second risk result according to the third evaluation result and the fourth evaluation result.
Specifically, obtaining a first risk result according to the first evaluation result and the second evaluation result specifically includes: setting first weights for the first evaluation result and the second evaluation result, obtaining a corresponding first score according to the first evaluation result and the second evaluation result, and obtaining a corresponding first risk result according to the first score and the first weights.
Specifically, obtaining a second risk result according to the third evaluation result and the fourth evaluation result specifically includes: setting a second weight of the third evaluation result and the fourth evaluation result, obtaining a corresponding second score according to the third evaluation result and the fourth evaluation result, and obtaining a corresponding second risk result according to the second score and the second weight.
Specifically, determining the network security risk level according to the first risk result and the second risk result includes:
s501, obtaining a risk value according to the first risk result and the second risk result;
s502, establishing a mapping relation table, wherein the mapping relation table at least comprises: the security risk level, the risk value, and a mapping between the security risk level and the risk value;
s503, matching the risk values in the mapping relation table, and determining the risk level of the network security.
Specifically, obtaining a risk value according to the first risk result and the second risk result comprises: establishing and training a deep neural learning network, wherein a plurality of first risk results, a plurality of second risk results and a plurality of corresponding items of device information are used as the input features of the trained deep neural learning network, and the output feature of the deep neural learning network is the risk value.
Compared with the prior art, the invention has the following beneficial effects:
the network security assessment method based on the knowledge graph provided by the invention is characterized in that the threat knowledge graph is constructed based on threat data, vulnerability data and countermeasure data, vulnerability types and vulnerability feature information which possibly exist in corresponding equipment are determined in the threat knowledge graph based on the equipment content information, entity equipment is scanned based on the vulnerability feature information to obtain vulnerability results in the entity equipment, security policy comparison results in the entity equipment are determined according to the equipment content information and the vulnerability results, first risk results are obtained based on the vulnerability results and the security policy comparison results in the entity equipment, then threat information corresponding to the event information is screened in the threat knowledge graph based on event information in the equipment content information, second risk results are obtained based on the screened results, and finally, network security risk grades are obtained according to the first risk results and the second risk results of a plurality of entity equipment, so that the problem that the security of an enterprise network is difficult to assess in related technologies is solved. Therefore, the enterprise can accurately master the security risk status of the network, and the effect that the enterprise can evaluate the security of the network is achieved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are only preferred embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive labor.
FIG. 1 is an overall flowchart of the knowledge-graph-based network security assessment method according to the present invention;
FIG. 2 is an overall flow chart for constructing a threat knowledge-graph as provided by the present invention;
FIG. 3 is an overall flow chart for obtaining a first risk result provided by the present invention;
FIG. 4 is an overall flow chart for obtaining a second risk result provided by the present invention;
Fig. 5 is an overall flowchart for determining the network security risk level according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, exemplary embodiments according to the present invention will be described in detail below with reference to the accompanying drawings. It is to be understood that the described embodiments are merely a subset of embodiments of the invention and not all embodiments of the invention, with the understanding that the invention is not limited to the example embodiments described herein. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the invention described herein without inventive step, shall fall within the scope of protection of the invention.
In the following description, numerous specific details are set forth in order to provide a more thorough understanding of the present invention. It will be apparent, however, to one skilled in the art, that the present invention may be practiced without one or more of these specific details. In other instances, well-known features have not been described in order to avoid obscuring the present invention.
It is to be understood that the present invention may be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. As used herein, the term "and/or" includes any and all combinations of the associated listed items.
In the following description, for the purposes of explanation, specific details are set forth in order to provide a thorough understanding of the present invention. Alternative embodiments of the invention are described in detail below, however, the invention may be practiced in other embodiments that depart from these specific details.
Referring to fig. 1 to 5, the method for evaluating network security based on knowledge-graph includes the following steps:
s1, collecting communication data, and constructing a threat knowledge graph based on the communication data, wherein the communication data comprises threat data, vulnerability data and countermeasure data;
s2, respectively collecting event information, equipment information and equipment safety strategy information of a plurality of entity equipment with a safety detection function, and establishing a logical relationship among the equipment information, the event information and the equipment safety strategy information to form equipment content information;
s3, scanning entity equipment based on the threat knowledge graph to obtain a first risk result;
s4, analyzing the threat knowledge graph based on the equipment content information to obtain a second risk result;
and S5, determining the network security risk level according to the first risk result and the second risk result of the plurality of entity devices.
In this embodiment, a threat knowledge graph is constructed based on threat data, vulnerability data and countermeasure data. The threat data mainly records information such as threatening IP addresses, domain names, URLs (Uniform Resource Locators), event evidence and threat handling suggestions. The threat intelligence data may be obtained by interacting with a threat intelligence source over the STIX (Structured Threat Information eXpression) or TAXII (Trusted Automated eXchange of Intelligence Information) protocol and written to a local database. Threat intelligence sources commonly used in China at present include ThreatBook (微步在线) and 360 Security Cloud. The vulnerability data mainly records the feature data of different vulnerabilities, and the feature information of different vulnerabilities can be obtained by interacting with a vulnerability library. The countermeasures mainly record the security policies aimed at the threat data and the vulnerability data; since the corresponding security policies are usually recorded in the threat intelligence sources and the vulnerability library, they can be obtained in the same interaction with the threat intelligence sources and the vulnerability library.
after the threat knowledge graph is obtained, device content information from different entity devices is further collected, where the different entity devices may include, for example, FW (Firewall), IPS (Intrusion Prevention System), operating systems (such as Windows), databases, AAA (Authentication, authorization, and accounting) servers, applications, and the like, a type of a possible vulnerability of a corresponding device and vulnerability characteristic information are determined in the threat knowledge graph based on the device content information, the entity devices are scanned based on the vulnerability characteristic information to obtain vulnerability results in the entity devices, security policy comparison results in the entity devices are determined according to the device content information and the vulnerability results, first risk results are obtained based on the vulnerability results and security policy comparison results in the entity devices, event information in the device content information is screened, threat information corresponding to the event information in the threat knowledge graph is obtained, second risk results are obtained based on the screening results, and finally, network risk levels are obtained according to the first risk results and the second risk results.
Further, a logical relationship is established among the device information, the event information and the device security policy information, that is, the specific event information of a specific entity device is linked to that device's security policy in one-to-one correspondence.
Specifically, collecting communication data, and constructing a threat knowledge graph based on the communication data specifically includes:
s101, establishing a knowledge graph model, wherein the knowledge graph comprises entity nodes and relations among entity node types, the relations comprise any one of inclusion, existence, utilization and use, and the entity node types comprise entity equipment, vulnerabilities, threats and countermeasures;
s102, extracting a plurality of entity nodes from a data source, wherein the entity nodes correspond to the entity node types;
s103, in the entity nodes, acquiring a second entity node having the relation with a first entity node and a third entity node having the relation with the second entity node, connecting the third entity node to the corresponding second entity node, and connecting the second entity node to the corresponding first entity node, wherein the first entity node is an entity device, the second entity node is a vulnerability or a threat, and the third entity node is a countermeasure;
s104, generating a data set according to the first entity node, the second entity node, the third entity node, the relationship between the first entity node type and the second entity node type, and the relationship between the second entity node type and the third entity node type, wherein a knowledge graph model containing the data set forms a threat knowledge graph.
In this embodiment, after the data is obtained from the threat intelligence source and the vulnerability database, the threat data and the vulnerability data are tied to specific entity devices, so the specific entity device is extracted as the first entity node, the threat data and the vulnerability data corresponding to that entity device are used as the second entity node, and the security policy corresponding to the threat data and the vulnerability data is used as the third entity node; the mutually associated first, second and third entity nodes then form the threat knowledge graph.
Specifically, scanning the entity device based on the threat knowledge graph to obtain a first risk result includes:
s301, screening first entity nodes matched with the entity equipment in the threat knowledge graph, determining the first entity nodes with the same models as the entity equipment, acquiring vulnerability information in second entity nodes associated with the first entity nodes, scanning the entity equipment according to the vulnerability information in the corresponding second entity nodes, wherein the scanning result is vulnerability number, and scoring is carried out according to the vulnerability number through a preset scoring table to obtain a first evaluation result;
s302, screening a second entity node and a third entity node which are matched with the first vulnerability result in the threat knowledge graph, selecting the vulnerability information which exists in the second entity node and corresponds to the entity equipment, and correspondingly selecting a countermeasure in the third entity node according to the vulnerability information existing in the second entity node;
and S303, comparing the countermeasures with the security policies of the entity equipment, and judging the difference between the security policy quantity of the entity equipment and the countermeasures quantity according to the consistency quantity of the countermeasures and the security policies of the entity equipment, wherein the difference is an obtained second evaluation result, and when the difference exists, the security policies of the entity equipment are not perfect and a vulnerability exists.
S304, obtaining a first risk result according to the first evaluation result and the second evaluation result.
Specifically, analyzing the threat knowledge graph based on the device content information to obtain a second risk result, specifically including:
s401, screening a corresponding first entity node in the threat knowledge graph according to equipment information, selecting entity equipment existing in the first entity node, screening threat information with the same IP address, domain name and URL as the event information in a second entity node of the threat knowledge graph according to event information, screening events related to the same IP address, the same domain name or the same URL from the event information through the IP address, the domain name and the URL recorded in threat data, marking the events as threat event information, and obtaining a third evaluation result based on the number of the threat event information;
s402, based on the screened threat information, further screening a corresponding countermeasure corresponding to the threat information at a second entity node in the threat knowledge graph, comparing the countermeasure with the security policy of the entity equipment, and judging the difference between the security policy quantity of the entity equipment and the countermeasure quantity according to the consistency quantity of the countermeasure and the security policy of the entity equipment, wherein the difference is an obtained fourth evaluation result.
And S403, obtaining a second risk result according to the third evaluation result and the fourth evaluation result.
Specifically, obtaining a first risk result according to the first evaluation result and the second evaluation result specifically includes: setting different first weights for the first evaluation result and the second evaluation result, presetting a scoring table, obtaining different first scores according to the first evaluation result and the second evaluation result, and obtaining a corresponding first risk result according to the first scores and the first weights.
Specifically, obtaining a second risk result according to the third evaluation result and the fourth evaluation result specifically includes: and setting different second weights corresponding to the third evaluation result and the fourth evaluation result, obtaining different second scores according to the third evaluation result and the fourth evaluation result, and obtaining a corresponding second risk result according to the second scores and the second weights.
Specifically, determining the network security risk level according to the first risk result and the second risk result includes:
s501, obtaining a risk value according to the first risk result and the second risk result;
s502, establishing a mapping relation table, wherein the mapping relation table at least comprises: the security risk level, the risk value, and a mapping between the security risk level and the risk value;
s503, matching the risk values in the mapping relation table, and determining the risk level of the network security.
Specifically, the step 501 further includes: obtaining a risk value according to the first risk result and the second risk result; the method specifically comprises the following steps: establishing a deep neural learning network, training, and taking a plurality of first risk results, second risk results and a plurality of corresponding device information as input characteristics of the trained deep neural learning network, wherein the output characteristics of the deep neural learning network are the risk values.
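As an added illustration (not code from the patent or its assignee), the following Python sketch wires steps S1 to S5 together for one constructed firewall: the graph holds device, vulnerability/threat and countermeasure nodes joined by the S101 relations, S3 scans against vulnerability nodes and measures the countermeasure/policy gap, S4 matches event IPs, domains and URLs against threat indicators, and S5 maps the combined value to a level. The scoring table, the weights and the risk-level mapping are assumed values, and a weighted sum stands in for the trained deep neural network of S501.

```python
from collections import defaultdict

# Relation names from S101; the worked example needs only these two.
REL_EXISTS = "existence"   # first node (device) -> second node (vulnerability or threat)
REL_USES = "use"           # second node -> third node (countermeasure)

class ThreatKnowledgeGraph:
    """Minimal triple store for the first/second/third entity nodes of S101..S104."""
    def __init__(self):
        self.nodes = {}                  # name -> {"type": ..., plus attributes}
        self.edges = defaultdict(set)    # (source, relation) -> {targets}

    def add_node(self, name, ntype, **attrs):
        self.nodes[name] = {"type": ntype, **attrs}

    def add_data_group(self, device, second, countermeasures):
        """S104: one data group = device -exists-> vuln/threat -uses-> countermeasures."""
        self.edges[(device, REL_EXISTS)].add(second)
        for cm in countermeasures:
            self.edges[(second, REL_USES)].add(cm)

    def second_nodes(self, device, ntype):
        """Second entity nodes of one type attached to a device model (first entity node)."""
        return [n for n in self.edges[(device, REL_EXISTS)] if self.nodes[n]["type"] == ntype]

    def countermeasures_for(self, second_names):
        """Third entity nodes reachable from the given vulnerabilities or threats."""
        return set().union(*(self.edges[(s, REL_USES)] for s in second_names))

def score_by_count(n, table=((0, 0), (1, 3), (2, 6), (3, 10))):
    """Preset scoring table of S301 (assumed values): a count maps to a saturating score."""
    return [score for threshold, score in table if n >= threshold][-1]

def scan_device(device_info, vuln_names, kg):
    """S301 scan, simulated: present when the device runs the affected component version (constructed)."""
    return [v for v in vuln_names if device_info["components"].get(kg.nodes[v]["component"])
            == kg.nodes[v]["affected_version"]]

def policy_gap(countermeasures, policies):
    """S303/S402: how many graph countermeasures the device's own security policy lacks."""
    return len(countermeasures) - len(countermeasures & set(policies))

def match_threat_events(device_info, threat_names, kg):
    """S401: events whose IP, domain or URL equals an indicator recorded in threat data."""
    hits = []
    for ev in device_info["events"]:
        keys = {ev.get("ip"), ev.get("domain"), ev.get("url")} - {None}
        hits += [(ev["id"], t) for t in threat_names if keys & kg.nodes[t]["indicators"]]
    return hits

RISK_LEVELS = ((0.0, "low"), (3.0, "medium"), (6.0, "high"), (8.0, "critical"))  # assumed S502 table

def risk_level(value):
    """S503: look the risk value up in the ascending mapping table."""
    return [level for threshold, level in RISK_LEVELS if value >= threshold][-1]

def assess(kg, device_info, w_first=(0.6, 0.4), w_second=(0.7, 0.3), w_risk=(0.5, 0.5)):
    """S3..S5 for one device; weights assumed, a weighted sum stands in for the S501 neural network."""
    model, policies = device_info["model"], device_info["policies"]
    # S3: scan against the vulnerability nodes, then compare countermeasures with policy.
    found = scan_device(device_info, kg.second_nodes(model, "vulnerability"), kg)
    first_eval, second_eval = len(found), policy_gap(kg.countermeasures_for(found), policies)
    first_risk = w_first[0] * score_by_count(first_eval) + w_first[1] * score_by_count(second_eval)
    # S4: match event information against threat indicators, then compare countermeasures.
    hits = match_threat_events(device_info, kg.second_nodes(model, "threat"), kg)
    third_eval = len(hits)
    fourth_eval = policy_gap(kg.countermeasures_for({t for _, t in hits}), policies)
    second_risk = w_second[0] * score_by_count(third_eval) + w_second[1] * score_by_count(fourth_eval)
    # S5: combine into one risk value and map it to a level.
    risk_value = round(w_risk[0] * first_risk + w_risk[1] * second_risk, 2)
    return {"found_vulns": sorted(found), "threat_events": sorted(hits),
            "evals": (first_eval, second_eval, third_eval, fourth_eval),
            "risk_value": risk_value, "level": risk_level(risk_value)}

def build_sample_graph():
    """Constructed S1 graph: one firewall model, two vulnerabilities, two threats."""
    kg = ThreatKnowledgeGraph()
    kg.add_node("FW-X100", "device")
    kg.add_node("VULN-A", "vulnerability", component="ssl-vpn", affected_version="1.2")
    kg.add_node("VULN-B", "vulnerability", component="mgmt-web", affected_version="3.0")
    kg.add_node("THREAT-C2-1", "threat", indicators={"198.51.100.7", "bad.example"})
    kg.add_node("THREAT-PHISH-1", "threat", indicators={"http://login.example/reset"})
    for cm in ("CM-patch-vpn", "CM-restrict-mgmt", "CM-block-c2", "CM-url-filter"):
        kg.add_node(cm, "countermeasure")
    kg.add_data_group("FW-X100", "VULN-A", ["CM-patch-vpn"])
    kg.add_data_group("FW-X100", "VULN-B", ["CM-restrict-mgmt"])
    kg.add_data_group("FW-X100", "THREAT-C2-1", ["CM-block-c2"])
    kg.add_data_group("FW-X100", "THREAT-PHISH-1", ["CM-url-filter"])
    return kg

SAMPLE_DEVICE = {  # constructed S2 device content information for one firewall
    "model": "FW-X100",
    "components": {"ssl-vpn": "1.2", "mgmt-web": "2.9"},
    "policies": ["CM-restrict-mgmt", "CM-block-c2"],
    "events": [{"id": "E1", "ip": "198.51.100.7"},
               {"id": "E2", "domain": "benign.example"},
               {"id": "E3", "url": "http://login.example/reset"}],
}
```

Running `assess(build_sample_graph(), SAMPLE_DEVICE)` finds one scannable vulnerability whose countermeasure is missing from the policy, two events matching threat indicators with one uncovered countermeasure, and maps the resulting value to the "medium" level; a device model with no first entity node in the graph scores zero on every evaluation.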
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (9)

1. The network security assessment method based on the knowledge graph is characterized by comprising the following steps:
s1, collecting communication data, and constructing a threat knowledge graph based on the communication data, wherein the communication data comprises threat data, vulnerability data and countermeasure data;
s2, respectively collecting event information, equipment information and equipment safety strategy information of a plurality of entity equipment with a safety detection function, and establishing a logical relationship among the equipment information, the event information and the equipment safety strategy information to form equipment content information;
s3, scanning entity equipment based on the threat knowledge graph to obtain a first risk result;
s4, analyzing the threat knowledge graph based on the equipment content information to obtain a second risk result;
and S5, determining the network security risk level according to the first risk result and the second risk result of the entity equipment.
2. The knowledge-graph-based network security assessment method according to claim 1, wherein collecting communication data and constructing a threat knowledge graph based on the communication data specifically comprises:
S101, establishing a knowledge graph model, wherein the knowledge graph comprises entity nodes and relations among the entity node types, the relations comprise any one of inclusion, existence, utilization and use, and the entity node types comprise entity device, vulnerability, threat and countermeasure;
S102, extracting a plurality of entity nodes from a data source, each entity node corresponding to one of the entity node types;
S103, obtaining, from the entity nodes, a second entity node having the relation with a first entity node and a third entity node having the relation with the second entity node, connecting the third entity node to the corresponding second entity node, and connecting the second entity node to the corresponding first entity node;
S104, generating a data group from the first entity node, the second entity node, the third entity node, the relation between the first and second entity node types, and the relation between the second and third entity node types, wherein the knowledge graph model containing the data groups forms the threat knowledge graph.
3. The method of claim 2, wherein the first entity node type is an entity device, the second entity node type is a vulnerability or a threat, and the third entity node type is a countermeasure.
4. The knowledge-graph-based network security assessment method according to claim 3, wherein scanning the entity devices based on the threat knowledge graph to obtain a first risk result comprises:
S301, screening the first entity node matching the entity device in the threat knowledge graph, and scanning the entity device according to the vulnerability information in the corresponding second entity node to obtain a first evaluation result;
S302, screening the second entity node and the third entity node matching the first vulnerability result in the threat knowledge graph, selecting the vulnerability information in the second entity node that exists on the entity device, and correspondingly selecting the countermeasure in the third entity node according to that vulnerability information;
S303, comparing the corresponding countermeasures with the security policy of the entity device, and obtaining a second evaluation result according to the number of countermeasures consistent with the security policy of the entity device;
S304, obtaining the first risk result according to the first evaluation result and the second evaluation result.
5. The knowledge-graph-based network security assessment method according to claim 4, wherein analyzing the threat knowledge graph based on the device content information to obtain a second risk result comprises:
S401, screening the corresponding first entity node in the threat knowledge graph according to the device information, selecting the entity device existing in the first entity node, screening, according to the event information, the threat information in the second entity node of the threat knowledge graph that has the same IP address, domain name or URL (uniform resource locator) as the event information, and obtaining a third evaluation result based on the number of matching threat information items;
S402, based on the screened threat information, further screening the countermeasure corresponding to the threat information in the third entity node of the threat knowledge graph, comparing the countermeasure with the security policy of the entity device, and obtaining a fourth evaluation result according to the number of countermeasures consistent with the security policy of the entity device;
S403, obtaining the second risk result according to the third evaluation result and the fourth evaluation result.
6. The knowledge-graph-based network security assessment method according to claim 5, wherein obtaining the first risk result according to the first evaluation result and the second evaluation result specifically comprises: setting a first weight for the first evaluation result and the second evaluation result, obtaining a corresponding first score according to the first evaluation result and the second evaluation result, and obtaining the corresponding first risk result according to the first score and the first weight.
7. The knowledge-graph-based network security assessment method according to claim 6, wherein obtaining the second risk result according to the third evaluation result and the fourth evaluation result specifically comprises: setting a second weight for the third evaluation result and the fourth evaluation result, obtaining a corresponding second score according to the third evaluation result and the fourth evaluation result, and obtaining the corresponding second risk result according to the second score and the second weight.
8. The method according to claim 7, wherein determining the network security risk level according to the first risk result and the second risk result comprises:
S501, obtaining a risk value according to the first risk result and the second risk result;
S502, establishing a mapping relation table that at least comprises the security risk levels, the risk values, and the mapping between the security risk levels and the risk values;
S503, matching the risk value against the mapping relation table to determine the network security risk level.
9. The knowledge-graph-based network security assessment method according to claim 8, wherein obtaining a risk value according to the first risk result and the second risk result specifically comprises: establishing and training a deep neural network, and taking a plurality of first risk results, second risk results and the corresponding device information as the input features of the trained deep neural network, whose output feature is the risk value.
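The claimed pipeline as one added Python example; this is not code from the patent or its assignee. It builds the threat knowledge graph of claims 2 and 3 as (head, relation, tail) triples, computes the first risk result of claim 4 by scanning a device against the vulnerability nodes linked to its type, the second risk result of claim 5 by matching event indicators (IP address, domain name, URL) against threat nodes, applies the weighted scoring of claims 6 and 7, and maps the risk value to a level through the table of claim 8. The relation names, node identifiers, weight values, threshold table, sample graph and sample device are all assumptions constructed for the example, and the risk value of S501 is a plain sum rather than the trained neural network of claim 9 and of the description above.

```python
"""Added example (not the patent's code): an in-memory version of the claimed
pipeline. Node ids, relation names, weights and thresholds are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Vulnerability:
    vid: str
    affected: str         # software fingerprint the scan (S301) looks for
    countermeasure: str

@dataclass(frozen=True)
class Threat:
    tid: str
    iocs: frozenset       # IP addresses, domain names, URLs matched in S401
    countermeasure: str

@dataclass
class Device:
    name: str
    dev_type: str
    software: set         # what the scan finds installed (S301)
    security_policy: set  # enabled controls, compared in S303 and S402
    event_iocs: set       # indicators taken from the device's event information

class ThreatGraph:
    """(head, relation, tail) triples indexed by (head, relation). Assumed relations:
    device type "contains" vulnerability, threat "exists" against device type,
    vulnerability or threat "uses" the countermeasure that mitigates it."""

    def __init__(self):
        self.nodes = {}   # node id -> Vulnerability / Threat
        self._index = {}  # (head, relation) -> set of tails

    def add(self, head, relation, tail):
        self._index.setdefault((head, relation), set()).add(tail)

    def tails(self, head, relation):
        return self._index.get((head, relation), set())

    def add_vulnerability(self, dev_type, vuln):  # S103/S104: device -> vuln -> countermeasure
        self.nodes[vuln.vid] = vuln
        self.add(dev_type, "contains", vuln.vid)
        self.add(vuln.vid, "uses", vuln.countermeasure)

    def add_threat(self, dev_type, threat):       # S103/S104: device -> threat -> countermeasure
        self.nodes[threat.tid] = threat
        self.add(dev_type, "exists", threat.tid)
        self.add(threat.tid, "uses", threat.countermeasure)

def weighted_score(found, mitigated, weights):
    """Claims 6/7 as assumed here: w_found*found - w_mitigated*mitigated, floored at 0."""
    w_found, w_mitigated = weights
    return max(0.0, w_found * found - w_mitigated * mitigated)

def first_risk_result(graph, device, weights):
    """S301-S304: scan the device against the vulnerability nodes linked to its type."""
    candidates = [graph.nodes[v] for v in graph.tails(device.dev_type, "contains")]
    found = [v for v in candidates if v.affected in device.software]  # S301
    covered = [v for v in found if graph.tails(v.vid, "uses") & device.security_policy]  # S302/S303
    return {"first_evaluation": len(found), "second_evaluation": len(covered),
            "first_risk": weighted_score(len(found), len(covered), weights),  # S304
            "unmitigated": sorted(v.vid for v in found if v not in covered)}

def second_risk_result(graph, device, weights):
    """S401-S403: match event indicators against the threat nodes linked to the type."""
    candidates = [graph.nodes[t] for t in graph.tails(device.dev_type, "exists")]
    matched = [t for t in candidates if t.iocs & device.event_iocs]  # S401
    covered = [t for t in matched if graph.tails(t.tid, "uses") & device.security_policy]  # S402
    return {"third_evaluation": len(matched), "fourth_evaluation": len(covered),
            "second_risk": weighted_score(len(matched), len(covered), weights),  # S403
            "matched_threats": sorted(t.tid for t in matched)}

RISK_LEVELS = [(0.0, "low"), (1.0, "medium"), (3.0, "high")]  # S502 table: assumed lower bounds

def risk_level(value, table=RISK_LEVELS):
    """S503: the level whose lower bound is the largest one not exceeding the value."""
    level = table[0][1]
    for lower_bound, name in table:
        if value >= lower_bound:
            level = name
    return level

def assess(graph, device, weights=(1.0, 0.5)):
    """Claim 8 end to end. S501 is a plain sum here; claim 9 instead trains a
    neural network over many (first result, second result, device info) rows."""
    r1 = first_risk_result(graph, device, weights)
    r2 = second_risk_result(graph, device, weights)
    value = r1["first_risk"] + r2["second_risk"]
    return {**r1, **r2, "risk_value": value, "risk_level": risk_level(value)}

def sample_graph():
    """Constructed sample data (RFC 5737 documentation addresses, .example names)."""
    g = ThreatGraph()
    g.add_vulnerability("plc_gateway", Vulnerability("V-1", "openssh-7.4", "patch_openssh"))
    g.add_vulnerability("plc_gateway", Vulnerability("V-2", "modbus-tcp", "modbus_acl"))
    g.add_vulnerability("plc_gateway", Vulnerability("V-3", "snmp-v1", "disable_snmpv1"))
    g.add_threat("plc_gateway", Threat("T-1", frozenset({"203.0.113.7", "c2.example"}), "block_egress"))
    g.add_threat("plc_gateway", Threat("T-2", frozenset({"http://bad.example/p"}), "web_filter"))
    return g

SAMPLE_DEVICE = Device("gw-01", "plc_gateway",  # constructed device, not from the patent
                       software={"openssh-7.4", "modbus-tcp", "nginx-1.18"},
                       security_policy={"modbus_acl", "block_egress"},
                       event_iocs={"203.0.113.7", "198.51.100.2"})
```

Calling assess(sample_graph(), SAMPLE_DEVICE) returns the four evaluation results, both risk results, the risk value and the level in one dictionary, so the reader can see which counts drove the outcome; the graph lookups go through the (head, relation) index rather than the node objects, which is what lets S302 and S402 reuse the same "uses" edge for vulnerabilities and threats. Replacing the sum in assess with a model trained on historical (first result, second result, device information) rows is where claim 9 would plug in.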

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210968515.5A CN115567237A (en) 2022-08-12 2022-08-12 Network security assessment method based on knowledge graph

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210968515.5A CN115567237A (en) 2022-08-12 2022-08-12 Network security assessment method based on knowledge graph

Publications (1)

Publication Number Publication Date
CN115567237A true CN115567237A (en) 2023-01-03

Family

ID=84739605

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210968515.5A Pending CN115567237A (en) 2022-08-12 2022-08-12 Network security assessment method based on knowledge graph

Country Status (1)

Country Link
CN (1) CN115567237A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117370987A (en) * 2023-10-13 2024-01-09 南京审计大学 Knowledge graph-based cloud service platform security audit vulnerability evaluation method and system
CN117370987B (en) * 2023-10-13 2024-03-12 南京审计大学 Knowledge graph-based cloud service platform security audit vulnerability evaluation method and system

Similar Documents

Publication Publication Date Title
US10887330B2 (en) Data surveillance for privileged assets based on threat streams
Cvitić et al. Boosting-based DDoS detection in internet of things systems
US9667589B2 (en) Logical / physical address state lifecycle management
Li Using genetic algorithm for network intrusion detection
McHugh Testing intrusion detection systems: a critique of the 1998 and 1999 darpa intrusion detection system evaluations as performed by lincoln laboratory
CN111245793A (en) Method and device for analyzing abnormity of network data
EP4152692A1 (en) Cyberanalysis workflow acceleration
CN112637220A (en) Industrial control system safety protection method and device
Shabut et al. Cyber attacks, countermeasures, and protection schemes—A state of the art survey
US11431741B1 (en) Detecting unmanaged and unauthorized assets in an information technology network with a recurrent neural network that identifies anomalously-named assets
Rout et al. A hybrid approach for network intrusion detection
CN114157484A (en) Data security storage system based on cloud computing
US7469418B1 (en) Deterring network incursion
Rizov Information sharing for cyber threats
CN111628961A (en) DNS (Domain name Server) anomaly detection method
CN117478433B (en) Network and information security dynamic early warning system
Labib Computer security and intrusion detection
Khan et al. Towards augmented proactive cyberthreat intelligence
CN115567237A (en) Network security assessment method based on knowledge graph
Simola Comparative research of cybersecurity information sharing models
CN114221804B (en) Honeypot identification method based on feature identification and interactive verification
Schumacher et al. Data mining in vulnerability databases
Kahraman Evaluating IT security performance with quantifiable metrics
Nilsson et al. Vulnerability scanners
Marinova-Boncheva Applying a data mining method for intrusion detection

Legal Events

Date Code Title Description
PB01 Publication