CN115758376A - Threat identification method, apparatus, device, medium and program product - Google Patents

Publication number: CN115758376A
Application number: CN202211396413.7A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 徐雅静, 程佩哲, 韩玮祎, 谭桂涛
Assignee (current and original): Industrial and Commercial Bank of China Ltd ICBC
Prior art keywords: service, score, evaluation, nodes, preset
Landscape: Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract

The disclosure provides a threat identification method, which can be applied to the technical field of information security. The threat identification method comprises the following steps: acquiring a service model tree, wherein the service model tree comprises a plurality of service nodes; scoring the service nodes based on a preset vulnerability scoring system to obtain an environment evaluation score; calculating the plurality of service nodes based on a random walk algorithm to obtain service occurrence probability; multiplying the environmental evaluation score by the service occurrence probability to obtain comprehensive evaluation; and determining the service node as a service node with potential threat under the condition that the comprehensive evaluation is greater than a preset threat identification threshold value. The present disclosure also provides a threat identification apparatus, a device, a storage medium, and a program product.

Description

Threat identification method, apparatus, device, medium and program product
Technical Field
The present disclosure relates to the field of computer technology, in particular to the field of information security technology, and more particularly to a threat identification method, apparatus, device, medium, and program product.
Background
Currently, threat identification in business systems adopts the Common Vulnerability Scoring System (CVSS), an industry-published standard that calculates the severity of a vulnerability from different metrics and helps determine the urgency and importance of the required response.
Because this vulnerability scoring standard measures vulnerabilities with a generic calculation, it cannot fully fit some specific service systems. In particular, for a vulnerability of a service system inside a complex service system, it is difficult to reflect exactly how dangerous that vulnerability is within the service system, which hinders the identification and troubleshooting of threats in complex service systems.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a threat identification method, apparatus, device, medium, and program product that improve identification and troubleshooting accuracy.
According to a first aspect of the present disclosure, there is provided a threat identification method, comprising: acquiring a service model tree, wherein the service model tree comprises a plurality of service nodes; scoring the service nodes based on a preset vulnerability scoring system to obtain an environment evaluation score; calculating the plurality of service nodes based on a random walk algorithm to obtain service occurrence probability; multiplying the environmental evaluation value by the service occurrence probability to obtain comprehensive evaluation; and determining the service node as a service node with potential threat under the condition that the comprehensive evaluation is greater than a preset threat identification threshold value.
According to the embodiment of the present disclosure, the scoring of the plurality of service nodes based on a preset vulnerability scoring system to obtain an environmental evaluation score includes: acquiring an availability evaluation index and an influence evaluation index; calculating based on the availability evaluation index to obtain an availability score; calculating based on the influence evaluation index to obtain an influence score; acquiring a life cycle evaluation index; calculating based on the availability score and the life cycle evaluation index to obtain a life cycle value; and calculating based on the availability score, the influence score and the life cycle value to obtain the environment evaluation score.
According to an embodiment of the present disclosure, wherein the calculating based on the availability score, the influence score and the lifecycle value, to obtain the environmental rating score comprises: calculating an initial environmental rating score based on the availability score and the impact score; and obtaining the environmental evaluation score based on the multiplication of the initial environmental evaluation score and the life cycle value.
According to the embodiment of the disclosure, the availability evaluation index includes attack complexity, attack influence, authority requirement and user interaction, the influence evaluation index includes scope, confidentiality influence, integrity influence and availability influence, and the life cycle evaluation index further includes patch level and report credibility.
According to an embodiment of the present disclosure, the calculating the service nodes based on the random walk algorithm to obtain the service occurrence probability includes: performing cyclic access on the service nodes in the service model tree based on the random walk algorithm to obtain root node access times and leaf node access times; and calculating the service occurrence probability based on the access times of the root node and the access times of the leaf nodes.
According to an embodiment of the present disclosure, the plurality of service nodes includes at least a first service node, and the access cutoff condition of the random walk algorithm includes: based on the random walk algorithm, circularly accessing the service nodes in the service model tree until preset iteration times; or based on the random walk algorithm, circularly accessing the service nodes in the service model tree until the access times of the first service node reach a preset access cut-off time.
According to an embodiment of the present disclosure, before the obtaining of the service model tree, the method further includes: acquiring an original service model, wherein the original service model comprises a plurality of original service nodes; selecting, from the plurality of original service nodes, a root node and leaf nodes according to a preset identification target; and forming the service model tree based on the selected root node and leaf nodes.
In a second aspect of the present disclosure, there is provided a threat identification apparatus comprising: the service model tree acquisition module is used for acquiring a service model tree, and the service model tree comprises a plurality of service nodes; the environment evaluation value calculation module is used for grading the plurality of service nodes based on a preset vulnerability grading system to obtain environment evaluation values; the service occurrence probability calculation module is used for calculating the service nodes based on a random walk algorithm to obtain service occurrence probability; the comprehensive evaluation module is used for multiplying the environmental evaluation value and the service occurrence probability to obtain comprehensive evaluation; and the threat output module is used for determining the service node as a service node with potential threat under the condition that the comprehensive evaluation is greater than a preset threat identification threshold value.
According to the embodiment of the disclosure, the environment evaluation value calculation module is further configured to acquire an availability evaluation index and an influence evaluation index; calculate based on the availability evaluation index to obtain an availability score; calculate based on the influence evaluation index to obtain an influence score; acquire a life cycle evaluation index; calculate based on the availability score and the life cycle evaluation index to obtain a life cycle value; and calculate based on the availability score, the influence score and the life cycle value to obtain the environment evaluation score.
According to the embodiment of the present disclosure, the environment evaluation value calculation module is further configured to calculate an initial environment evaluation value based on the availability value and the influence value; and multiplying the initial environmental evaluation score by the life cycle value to obtain the environmental evaluation score.
According to the embodiment of the disclosure, the availability evaluation indexes comprise attack complexity, attack influence, authority requirement and user interaction, the influence evaluation indexes comprise scope, confidentiality influence, integrity influence and availability influence, and the lifecycle evaluation index further comprises patch level and report credibility.
According to the embodiment of the present disclosure, the plurality of service nodes include a root node and a plurality of leaf nodes, and the service occurrence probability calculation module is further configured to perform cyclic access to the service nodes in the service model tree based on the random walk algorithm to obtain root node access times and leaf node access times; and calculating the service occurrence probability based on the root node access times and the leaf node access times.
According to an embodiment of the present disclosure, the plurality of service nodes includes at least a first service node, and the access cutoff condition of the random walk algorithm includes: circularly accessing the service nodes in the service model tree based on the random walk algorithm until the number of preset iterations is reached; or based on the random walk algorithm, circularly accessing the service nodes in the service model tree until the access frequency of the first service node reaches a preset access cut-off frequency.
According to the embodiment of the present disclosure, the apparatus further includes a service model tree building module, configured to acquire an original service model, where the original service model includes a plurality of original service nodes; select, from the plurality of original service nodes, a root node and leaf nodes according to a preset identification target; and form the business model tree based on the selected root node and leaf nodes.
In a third aspect of the present disclosure, there is provided an electronic device including: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the threat identification method described above.
In a fourth aspect of the present disclosure, a computer-readable storage medium is also provided, having executable instructions stored thereon, which when executed by a processor, cause the processor to perform the above threat identification method.
In a fifth aspect of the disclosure, a computer program product is also provided, comprising a computer program which, when executed by a processor, implements the above-mentioned threat identification method.
In the embodiment of the disclosure, the different service nodes of the application system are analyzed and identified through the service model tree, and each identified threat is assessed over its whole life cycle using CVSS, so that the security of the bank application system is identified comprehensively. Moreover, the occurrence probability of the different nodes in the whole application system is determined by combining a depth random walk algorithm. A comprehensive and objective evaluation is thus carried out, the information security risks existing in the system are identified, and guidance is provided for eliminating those risks.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of a threat identification method according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow diagram of a threat identification method according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart of a threat identification method according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of a business model determination method according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates vulnerability influencing factors of embodiments of the present disclosure;
FIG. 6A schematically illustrates a schematic diagram of a business model tree according to an embodiment of the present disclosure;
FIG. 6B schematically illustrates a schematic diagram of a business model tree according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a block diagram of a threat identification apparatus, in accordance with an embodiment of the present disclosure; and
FIG. 8 schematically illustrates a block diagram of an electronic device adapted to implement a threat identification method in accordance with an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs, unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B, and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B, and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.).
In order to solve the technical problems in the prior art, embodiments of the present disclosure provide a threat identification method, which obtains a service model tree, where the service model tree includes a plurality of service nodes; scoring the service nodes based on a preset vulnerability scoring system to obtain an environment evaluation score; calculating the plurality of service nodes based on a random walk algorithm to obtain service occurrence probability; multiplying the environmental evaluation value by the service occurrence probability to obtain comprehensive evaluation; and determining the service node as a service node with potential threat under the condition that the comprehensive evaluation is greater than a preset threat identification threshold value.
In the embodiment of the disclosure, the different service nodes of the application system are analyzed and identified through the service model tree, and each identified threat is assessed over its whole life cycle using CVSS, so that the security of the bank application system is identified comprehensively. Moreover, the occurrence probability of the different nodes in the whole application system is determined by combining a depth random walk algorithm. A comprehensive and objective evaluation is thus carried out, the information security risks in the system are identified, and guidance is provided for eliminating those risks.
Fig. 1 schematically shows an application scenario diagram of a threat identification method according to an embodiment of the present disclosure.
As shown in fig. 1, the application scenario 100 according to this embodiment may include terminals 101, 102, 103, a network 104, and a server 105. Network 104 is the medium used to provide communication links between terminal devices 101, 102, 103 and server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may use terminal devices 101, 102, 103 to interact with a server 105 over a network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have installed thereon various communication client applications, such as shopping-like applications, web browser applications, search-like applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 101, 102, 103. The backend management server may analyze and process the received data such as the user request, and feed back a processing result (for example, a web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that the threat identification method provided by the embodiments of the present disclosure may be generally performed by the server 105. Accordingly, the threat identification apparatus provided by the embodiments of the present disclosure may be generally disposed in the server 105. The threat identification method provided by the embodiments of the present disclosure may also be performed by a server or a cluster of servers different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Accordingly, the threat identification apparatus provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster different from the server 105 and capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for an implementation.
The threat identification method of the disclosed embodiment will be described in detail below with fig. 2 to 6B based on the scenario described in fig. 1.
FIG. 2 schematically illustrates a flow chart of a threat identification method according to an embodiment of the disclosure.
As shown in fig. 2, the threat identification method of this embodiment includes operations S210 to S250, and the threat identification method may be performed by the server 105.
In operation S210, a service model tree is obtained, the service model tree including a plurality of service nodes.
The service model tree is a tree-shaped service model comprising a plurality of service nodes: a root node and a plurality of leaf nodes. It can be understood as the different service handling processes that exist within a certain target service, where the target service is the root node and the service handling processes are the leaf nodes. For example, in banking, the service model tree may be "transfer transaction", where "transfer transaction" includes at least "transfer account" and "transfer account abroad"; on this basis the service flow may be further subdivided or extended, which is not described again here.
In operation S220, the plurality of service nodes are scored based on a preset vulnerability scoring system, so as to obtain an environmental evaluation score.
Specifically, the preset vulnerability scoring system is a vulnerability scoring system CVSS, and different service nodes are scored according to the standard of the system.
FIG. 3 schematically illustrates a flow chart of a threat identification method according to an embodiment of the disclosure.
As shown in fig. 3, the threat identification method of this embodiment includes operations S310 to S360, and the operations S310 to S360 may at least partially perform the operation S220.
In operation S310, an availability evaluation index and an influence evaluation index are acquired.
In operation S320, a calculation is performed based on the availability evaluation index to obtain an availability score.
In operation S330, a calculation is performed based on the influence evaluation index to obtain an influence score.
In operation S340, a life cycle evaluation index is acquired.
In operation S350, a life cycle value is calculated based on the availability score and the life cycle evaluation index.
In operation S360, the environment evaluation score is obtained by performing a calculation based on the availability score, the influence score, and the life cycle value.
According to an embodiment of the present disclosure, the calculating based on the availability score, the influence score, and the lifecycle value, to obtain the environmental rating score includes: calculating an initial environmental rating score based on the availability score and the impact score; and obtaining the environmental evaluation score based on the multiplication of the initial environmental evaluation score and the life cycle value.
According to the embodiment of the disclosure, the availability evaluation index includes attack complexity, attack influence, authority requirement and user interaction, the influence evaluation index includes scope, confidentiality influence, integrity influence and availability influence, and the life cycle evaluation index further includes patch level and report credibility. Fig. 5 schematically illustrates vulnerability influencing factors of an embodiment of the present disclosure.
As shown in fig. 5, taking the Common Vulnerability Scoring System (CVSS) as an example, the intrinsic characteristics of the threats modeled and output by the bank application system threat analysis module based on the attack tree (i.e., the business model tree) are analyzed; these are the threat characteristics that remain unchanged over time and across user environments. The evaluation is mainly performed with two groups of indices: availability and influence. The correspondence between index values and the base score is shown in Table 1 below:
TABLE 1 (in the original the table is an image, Figure BDA0003933210190000091, and is not reproduced here)
Here, the influence evaluation (ISC) reflects the direct consequences of a vulnerability being successfully exploited and represents the condition of the affected component.
The availability evaluation (availability metrics) reflects the availability of exploitable vulnerabilities and the difficulty of the technical means required; it represents the ease with which a vulnerable component is attacked.
Scope is an important attribute of the CVSS version 3.0 calculation. It reflects whether a vulnerability in a software component can affect, or obtain rights over, resources beyond the vulnerable component itself (the result is represented by the metric value: authorized domain or simple domain). Its value range is as follows:
Unchanged (U): the exploited vulnerability can only affect resources managed by the same authority. In this case, the vulnerable component and the affected component are the same.
Changed (C): the exploit may affect resources beyond the vulnerable component's intended authorization. In this case, the vulnerable component and the affected component are not the same.
1. The influence evaluation is mainly affected by four indexes: scope, confidentiality influence, integrity influence, and availability influence. The calculation formula is as follows:
Scope = Unchanged: influence degree score = 6.42 × ISCBase
Scope = Changed: influence degree score = 7.52 × (ISCBase − 0.029) − 3.25 × (ISCBase − 0.02)^15
where ISCBase is a temporary variable: ISCBase = 1 − [(1 − confidentiality influence) × (1 − integrity influence) × (1 − availability influence)]
2. The availability evaluation is mainly affected by four indexes: attack approach, attack complexity, permission requirement, and user interaction. The calculation formula is as follows:
availability score = 8.22 × attack approach × attack complexity × permission requirement × user interaction
3. Life cycle evaluation: this is used to analyze the state of the currently exploited technique or code threat, whether any patches or solutions exist, and the confidence in the threat report, for a bank application system modeled by a business model tree (also referred to as an attack tree). The life cycle assessment necessarily changes over time. The calculation formula is as follows:
life cycle assessment = Roundup(base score × utilization × patch level × report confidence)
When influence degree score ≤ 0: environmental evaluation score = 0
When influence degree score > 0 and there is no correction: environmental evaluation score = Roundup(Roundup(Min[(M.influence degree score + M.availability score), 10]) × utilization × patch level × report confidence)
When influence degree score > 0 and there is a correction: environmental evaluation score = Roundup(Roundup(Min[1.08 × (M.influence degree score + M.availability score), 10]) × utilization × patch level × report confidence)
Here "Min" compares the two values and selects the smaller one; "M." denotes the score after correction, which is the original value if the corresponding item has not been modified.
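The scoring steps above (operations S310 to S360 and the formulas under items 1 to 3) carried through in code. The following Python is an added example written for this page, not code from the patent or from ICBC. It uses the published CVSS v3.0 metric weights (for example Attack Vector Network = 0.85, Confidentiality High = 0.56), which the text's Table 1 refers to but does not reproduce here, and the float-safe definition of Roundup from CVSS v3.1. In CVSS terms the text's "availability score" is the exploitability sub-score, its "influence degree score" is the impact sub-score, and its life cycle factors (utilization, patch level, report confidence) are the temporal metrics exploit code maturity, remediation level and report confidence; the branch the text labels "with correction" is implemented as the Modified Scope = Changed branch, which is where the published formula applies the 1.08 factor. The caller passes the modified ("M.") metric values, which are simply the base values when nothing has been modified.

```python
import math
from typing import Dict

# CVSS v3.0 metric weights (published constants; the patent text does not list them).
ATTACK_VECTOR = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
ATTACK_COMPLEXITY = {"L": 0.77, "H": 0.44}
PRIVILEGES_REQUIRED = {  # weight depends on Scope (Unchanged / Changed)
    "U": {"N": 0.85, "L": 0.62, "H": 0.27},
    "C": {"N": 0.85, "L": 0.68, "H": 0.50},
}
USER_INTERACTION = {"N": 0.85, "R": 0.62}
CIA_IMPACT = {"H": 0.56, "L": 0.22, "N": 0.0}
# Life cycle (temporal) factors: utilization / patch level / report confidence.
EXPLOIT_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION_LEVEL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
REPORT_CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}


def roundup(value: float) -> float:
    """CVSS Roundup: smallest number with one decimal place that is >= value.

    Uses the integer-arithmetic variant from CVSS v3.1 so that floating point
    noise (e.g. 4.02 stored as 4.0200000001) does not round the wrong way.
    """
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def influence_score(scope: str, c: str, i: str, a: str) -> float:
    """Item 1 in the text: impact sub-score from Scope and the C/I/A influences."""
    isc_base = 1 - (1 - CIA_IMPACT[c]) * (1 - CIA_IMPACT[i]) * (1 - CIA_IMPACT[a])
    if scope == "U":
        return 6.42 * isc_base
    return 7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02) ** 15


def availability_score(av: str, ac: str, pr: str, ui: str, scope: str) -> float:
    """Item 2 in the text: exploitability sub-score (8.22 x AV x AC x PR x UI)."""
    return (8.22 * ATTACK_VECTOR[av] * ATTACK_COMPLEXITY[ac]
            * PRIVILEGES_REQUIRED[scope][pr] * USER_INTERACTION[ui])


def environmental_score(metrics: Dict[str, str]) -> float:
    """Environmental evaluation score for one service node.

    `metrics` holds the (modified) metric values: AV, AC, PR, UI, S, C, I, A,
    and optionally E, RL, RC for the life cycle factors (default "X" = 1.0).
    """
    scope = metrics["S"]
    influence = influence_score(scope, metrics["C"], metrics["I"], metrics["A"])
    if influence <= 0:
        return 0.0  # "when influence degree <= 0, environmental score = 0"
    availability = availability_score(metrics["AV"], metrics["AC"],
                                      metrics["PR"], metrics["UI"], scope)
    factor = 1.08 if scope == "C" else 1.0  # 1.08 applies on the Scope = Changed branch
    # Initial environmental score (S360's first step): Roundup(Min[factor * (M.I + M.A), 10])
    initial = roundup(min(factor * (influence + availability), 10.0))
    # Life cycle value: utilization x patch level x report confidence
    life_cycle = (EXPLOIT_MATURITY[metrics.get("E", "X")]
                  * REMEDIATION_LEVEL[metrics.get("RL", "X")]
                  * REPORT_CONFIDENCE[metrics.get("RC", "X")])
    return roundup(initial * life_cycle)


if __name__ == "__main__":
    node = {"AV": "N", "AC": "L", "PR": "N", "UI": "N", "S": "U", "C": "H", "I": "H", "A": "H"}
    print("unchanged scope, no life cycle correction:", environmental_score(node))
    print("with E:P RL:O RC:C:", environmental_score({**node, "E": "P", "RL": "O", "RC": "C"}))
```

For the constructed metric set in the demo (network, low complexity, no privileges, no interaction, high C/I/A) the score is 9.8, and applying a proof-of-concept exploit (E:P) plus an official fix (RL:O) brings it to 8.8; the same vector with Scope Changed saturates at 10.0.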
In operation S230, the plurality of service nodes are calculated based on a random walk algorithm, so as to obtain a service occurrence probability.
According to an embodiment of the present disclosure, the calculating the service nodes based on the random walk algorithm to obtain the service occurrence probability includes: performing cyclic access on the service nodes in the service model tree based on the random walk algorithm to obtain root node access times and leaf node access times; and calculating the service occurrence probability based on the access times of the root node and the access times of the leaf nodes.
According to an embodiment of the present disclosure, the plurality of service nodes includes at least a first service node, and the access cutoff condition of the random walk algorithm includes: circularly accessing the service nodes in the service model tree based on the random walk algorithm until the number of preset iterations is reached; or based on the random walk algorithm, circularly accessing the service nodes in the service model tree until the access frequency of the first service node reaches a preset access cut-off frequency.
In operation S240, the environmental evaluation score is multiplied by the service occurrence probability to obtain a comprehensive evaluation.
Specifically, the environmental evaluation score and the service occurrence probability are the factors that determine the comprehensive evaluation score: the comprehensive evaluation score is positively correlated with the environmental evaluation score and positively correlated with the service occurrence probability. For example, the comprehensive evaluation score is equal to the product of the environmental evaluation score and the service occurrence probability.
In operation S250, in case that the comprehensive evaluation is greater than a preset threat identification threshold, determining that the service node is a service node with a potential threat.
In the embodiment of the disclosure, the different service nodes of the application system are analyzed and identified through the service model tree, and each identified threat is assessed over its whole life cycle using CVSS, so that the security of the bank application system is identified comprehensively. Moreover, the occurrence probability of the different nodes in the whole application system is determined by combining a depth random walk algorithm. A comprehensive and objective evaluation is thus carried out, the information security risks existing in the system are identified, and guidance is provided for eliminating those risks.
FIG. 4 schematically shows a flow chart of a business model determination method according to an embodiment of the disclosure.
As shown in fig. 4, the business model determining method of this embodiment includes operations S410 to S430.
In operation S410, an original service model is obtained, wherein the original service model includes a plurality of original service nodes.
In operation S420, a root node and leaf nodes are selected from the plurality of original service nodes according to a preset identification target.
In operation S430, the service model tree is formed based on the selected root node and leaf nodes.
For example, a bank application system bears the characteristics of the financial industry: it mainly processes customers' funds and is therefore a key focus of attention for hackers, whose main purpose in attacking it is to steal funds. Accordingly, threats to the bank application system are extracted according to this attack target of fund theft.
FIG. 6A schematically illustrates a schematic diagram of a business model tree according to an embodiment of the present disclosure.
As shown in fig. 6A, the service model tree generated by pruning the original service model has the root node 'stealing customer funds through purchases'. Its next-level leaf nodes are 'acquiring the customer's purchase password' and 'inducing the customer to purchase'. 'Acquiring the customer's purchase password' has further next-level leaf nodes, 'brute-forcing the password' and 'phishing for the password', which are the technical means of obtaining the password; 'inducing the customer to purchase' also has two further next-level leaf nodes, both rendered as 'false purchase'.
Fig. 6B schematically shows a schematic diagram of a service model tree according to an embodiment of the present disclosure.
As shown in fig. 6B, the random walk algorithm traverses a graph starting from one vertex or a series of vertices. At any vertex, the traverser walks to a neighbouring vertex with probability 1-a, or jumps to a uniformly chosen service node in the graph with probability a, called the jump occurrence probability. After each walk a probability distribution is obtained, which describes the probability that each vertex in the graph is visited. This probability distribution is used as the input for the next walk and the process is iterated repeatedly. When certain preconditions are met (i.e. the convergence condition of the random walk algorithm's access iteration), the probability distribution converges, and after convergence a stable probability distribution is obtained. The convergence condition may limit the number of access cycles of the random walk algorithm (i.e. the preset iteration number mentioned above); alternatively, the service occurrence probability of a certain service node in the service model may be limited, and the access of the random walk algorithm is cut off when that service occurrence probability reaches a preset value. When the convergence condition is triggered, the access probability of each service node is its final service occurrence probability.
As shown in fig. 6B, in the depth random walk, starting from the vertex position x, each step moves one unit to the left or right at random with a fixed probability, and the probability of reaching position y is the product of the per-step probabilities, L_y = (1-a) × (1-b) × ⋯ (each step walks rather than jumps with probability 1-a). The larger the value L_y for position y, the more likely position y is to occur.
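The random walk over the service model tree described above, with both access cut-off conditions of the embodiment (a preset iteration count, or a preset access count for one chosen service node), as an added Python example that is not part of the patent. It assumes an undirected walk (a node's neighbours are its parent and its children), a constructed tree in the shape of the fig. 6A example, and a fixed jump probability a; the `path_probability` helper computes the L_y product of the fig. 6B description for one concrete path. The node names, `SERVICE_TREE`, `random_walk` and `path_probability` are all assumptions of this example.

```python
"""Random walk with jumps over a service model tree (added example, not the patent's code).

Assumptions (not from the patent): the tree is a constructed parent->children
mapping shaped like fig. 6A, neighbours are parent and children, the jump
probability a is a parameter, and the two cut-off conditions are the preset
iteration count and a preset visit count for one chosen node.
"""
import random
from collections import Counter

# Constructed tree in the shape of the patent's fig. 6A example (names assumed).
SERVICE_TREE = {
    "steal_customer_funds": ["acquire_purchase_password", "induce_customer_purchase"],
    "acquire_purchase_password": ["brute_force_password", "phish_password"],
    "induce_customer_purchase": ["false_purchase_1", "false_purchase_2"],
}
ROOT = "steal_customer_funds"


def neighbours(tree):
    """Undirected adjacency: each node's neighbours are its parent and its children."""
    adj = {}
    for parent, children in tree.items():
        adj.setdefault(parent, [])
        for child in children:
            adj[parent].append(child)
            adj.setdefault(child, []).append(parent)
    return adj


def random_walk(tree, root, jump_prob, max_iterations=None,
                cutoff_node=None, cutoff_visits=None, seed=0):
    """Walk the tree counting visits until one cut-off condition fires.

    With probability 1-a the walker moves to a random neighbour; with
    probability a it jumps to a uniformly chosen node (the jump occurrence
    probability). Returns (visit counts, occurrence probability per node,
    number of accesses performed).
    """
    if max_iterations is None and cutoff_visits is None:
        raise ValueError("need a preset iteration count or a preset visit cut-off")
    if (cutoff_node is None) != (cutoff_visits is None):
        raise ValueError("cutoff_node and cutoff_visits must be given together")
    adj = neighbours(tree)
    nodes = sorted(adj)
    rng = random.Random(seed)  # seeded so the example is reproducible
    visits = Counter()
    current = root
    steps = 0
    while True:
        visits[current] += 1  # one access of the current service node
        steps += 1
        if max_iterations is not None and steps >= max_iterations:
            break  # first cut-off: preset iteration number reached
        if cutoff_node is not None and visits[cutoff_node] >= cutoff_visits:
            break  # second cut-off: chosen node reached its preset access count
        if rng.random() < jump_prob:
            current = rng.choice(nodes)         # jump with probability a
        else:
            current = rng.choice(adj[current])  # walk with probability 1-a
    total = sum(visits.values())
    probs = {n: visits[n] / total for n in nodes}  # access frequency -> occurrence probability
    return visits, probs, steps


def path_probability(tree, path, jump_prob):
    """Probability of walking one specific path without jumping: the product
    over steps of (1-a) * 1/(number of neighbours), i.e. the L_y = (1-a)(1-b)...
    form of the fig. 6B description."""
    adj = neighbours(tree)
    p = 1.0
    for src, dst in zip(path, path[1:]):
        if dst not in adj[src]:
            raise ValueError(f"{src} -> {dst} is not an edge of the tree")
        p *= (1 - jump_prob) / len(adj[src])
    return p


if __name__ == "__main__":
    _, probs, steps = random_walk(SERVICE_TREE, ROOT, 0.15, max_iterations=2000)
    for name, prob in sorted(probs.items(), key=lambda kv: -kv[1]):
        print(f"{name:28s} {prob:.3f}")
    print("accesses:", steps)
```

Because every node keeps a non-zero probability of being jumped to, the walk never gets stuck at a leaf, and the occurrence probability of deep leaf nodes such as the password-acquisition techniques falls off with their distance from the root, which is what the comprehensive evaluation later weights the CVSS score by.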
Based on the threat identification method, the disclosure also provides a threat identification device. The apparatus will be described in detail below with reference to fig. 7.
Fig. 7 schematically illustrates a block diagram of a threat identification apparatus according to an embodiment of the present disclosure.
As shown in fig. 7, the threat identification apparatus 700 of this embodiment includes a service model tree acquisition module 710, an environment evaluation value calculation module 720, a service occurrence probability calculation module 730, a comprehensive evaluation module 740, and a threat output module 750.
The service model tree obtaining module 710 is configured to obtain a service model tree, where the service model tree includes a plurality of service nodes. In an embodiment, the service model tree obtaining module 710 may be configured to perform the operation S210 described above, which is not described herein again.
The environment evaluation value calculation module 720 is configured to score the plurality of service nodes based on a preset vulnerability scoring system to obtain an environment evaluation score. In an embodiment, the environmental evaluation value calculating module 720 may be configured to perform the operation S220 described above, which is not described herein again.
The service occurrence probability calculating module 730 is configured to calculate the plurality of service nodes based on a random walk algorithm to obtain a service occurrence probability. In an embodiment, the service occurrence probability calculating module 730 may be configured to perform the operation S230 described above, which is not described herein again.
The comprehensive evaluation module 740 is configured to multiply the environmental evaluation score and the service occurrence probability to obtain a comprehensive evaluation. In an embodiment, the comprehensive evaluation module 740 may be configured to perform the operation S240 described above, which is not described herein again.
The threat output module 750 is configured to determine that the service node is a service node with a potential threat if the composite evaluation is greater than a preset threat identification threshold. In an embodiment, the threat output module 750 may be configured to perform the operation S250 described above, which is not described herein again.
According to the embodiment of the disclosure, the environment evaluation value calculation module is further configured to obtain an availability evaluation index and an influence evaluation index; calculate an availability score based on the availability evaluation index; calculate an influence score based on the influence evaluation index; obtain a life cycle evaluation index; calculate a life cycle value based on the availability score and the life cycle evaluation index; and calculate the environment evaluation score based on the availability score, the influence score and the life cycle value.
According to the embodiment of the disclosure, the environment evaluation value calculation module is further configured to calculate an initial environment evaluation value based on the availability value and the influence value; and multiplying the initial environmental evaluation score by the life cycle value to obtain the environmental evaluation score.
According to the embodiment of the disclosure, the availability evaluation index includes attack complexity, attack influence, authority requirement and user interaction; the influence evaluation index includes scope, confidentiality influence, integrity influence and availability influence; and the life cycle evaluation index includes patch level and report credibility.
According to the embodiment of the present disclosure, the plurality of service nodes include a root node and a plurality of leaf nodes, and the service occurrence probability calculation module is further configured to perform cyclic access on the service nodes in the service model tree based on the random walk algorithm, so as to obtain a root node access frequency and a leaf node access frequency; and calculating the service occurrence probability based on the access times of the root node and the access times of the leaf nodes.
According to an embodiment of the present disclosure, the plurality of service nodes includes at least a first service node, and the access cutoff condition of the random walk algorithm includes: circularly accessing the service nodes in the service model tree based on the random walk algorithm until the number of preset iterations is reached; or based on the random walk algorithm, circularly accessing the service nodes in the service model tree until the access frequency of the first service node reaches a preset access cut-off frequency.
According to the embodiment of the present disclosure, the apparatus further includes a service model tree building module configured to obtain an original service model, where the original service model includes a plurality of original service nodes; select, based on the plurality of original service nodes, a root node and leaf nodes from the original service nodes according to a preset identification target; and form the service model tree from the selected root node and leaf nodes.
According to the embodiment of the present disclosure, any plurality of the service model tree obtaining module 710, the environmental evaluation value calculating module 720, the service occurrence probability calculating module 730, the comprehensive evaluation module 740, and the threat output module 750 may be combined into one module to be implemented, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to the embodiment of the present disclosure, at least one of the service model tree obtaining module 710, the environmental evaluation value calculating module 720, the service occurrence probability calculating module 730, the comprehensive evaluation module 740, and the threat output module 750 may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementation manners of software, hardware, and firmware, or by a suitable combination of any several of them. Alternatively, at least one of the service model tree acquisition module 710, the environmental rating value calculation module 720, the service occurrence probability calculation module 730, the comprehensive rating module 740, and the threat output module 750 may be at least partially implemented as a computer program module, which, when executed, may perform a corresponding function.
FIG. 8 schematically illustrates a block diagram of an electronic device suitable for implementing a threat identification method in accordance with an embodiment of the disclosure.
As shown in fig. 8, an electronic device 800 according to an embodiment of the present disclosure includes a processor 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. The processor 801 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 801 may also include onboard memory for caching purposes. The processor 801 may include a single processing unit or multiple processing units for performing different actions of the method flows according to embodiments of the present disclosure.
In the RAM 803, various programs and data necessary for the operation of the electronic apparatus 800 are stored. The processor 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. The processor 801 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 802 and/or RAM 803. Note that the programs may also be stored in one or more memories other than the ROM 802 and the RAM 803. The processor 801 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
Electronic device 800 may also include input/output (I/O) interface 805, input/output (I/O) interface 805 also connected to bus 804, according to an embodiment of the present disclosure. The electronic device 800 may also include one or more of the following components connected to the I/O interface 805: an input portion 806 including a keyboard, a mouse, and the like; an output section 807 including components such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage portion 808 including a hard disk and the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. A drive 810 is also connected to the I/O interface 805 as necessary. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as necessary, so that the computer program read out therefrom is mounted on the storage section 808 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement a method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 802 and/or RAM 803 described above and/or one or more memories other than the ROM 802 and RAM 803.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code is used for causing the computer system to realize the method provided by the embodiment of the disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 801. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, and the like. In another embodiment, the computer program may also be transmitted in the form of a signal on a network medium, distributed, downloaded and installed via communication section 809, and/or installed from removable media 811. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. The computer program, when executed by the processor 801, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming languages include, but are not limited to, Java, C++, Python, the C language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It will be appreciated by a person skilled in the art that various combinations or/and combinations of features recited in the various embodiments of the disclosure and/or in the claims may be made, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (11)

1. A threat identification method, comprising:
acquiring a service model tree, wherein the service model tree comprises a plurality of service nodes;
scoring the service nodes based on a preset vulnerability scoring system to obtain an environment evaluation score;
calculating the plurality of service nodes based on a random walk algorithm to obtain service occurrence probability;
multiplying the environmental evaluation score by the service occurrence probability to obtain comprehensive evaluation; and
under the condition that the comprehensive evaluation is greater than a preset threat identification threshold value, determining the service node as a service node with potential threat.
2. The method of claim 1, wherein scoring the plurality of service nodes based on a preset vulnerability scoring system to obtain the environment evaluation score comprises:
acquiring a usability degree evaluation index and an influence degree evaluation index;
calculating based on the availability evaluation index to obtain an availability score;
calculating based on the influence evaluation index to obtain an influence score;
acquiring a life cycle evaluation index;
calculating based on the availability score and the life cycle evaluation index to obtain a life cycle value; and
calculating based on the availability score, the influence score and the life cycle value to obtain the environment evaluation score.
3. The method of claim 2, wherein said calculating based on said availability score, said influence score, and said lifecycle value, resulting in said environmental rating score comprises:
calculating an initial environmental rating score based on the availability score and the impact score; and
multiplying the initial environmental evaluation score by the life cycle value to obtain the environmental evaluation score.
4. The method of claim 2, wherein the availability evaluation metrics include attack complexity, attack impact, entitlement requirements, and user interaction, the impact evaluation metrics include scope, confidentiality impact, integrity impact, and availability impact, and the lifecycle evaluation metrics further include patch level and report confidence.
5. The method of any of claims 1-4, wherein the plurality of service nodes includes a root node and a plurality of leaf nodes,
the calculating the plurality of service nodes based on the random walk algorithm to obtain the service occurrence probability comprises the following steps:
performing cyclic access on the service nodes in the service model tree based on the random walk algorithm to obtain root node access times and leaf node access times; and
calculating the service occurrence probability based on the access times of the root node and the access times of the leaf nodes.
6. The method of claim 5, wherein the plurality of service nodes includes at least a first service node,
the access cutoff condition of the random walk algorithm includes:
circularly accessing the service nodes in the service model tree based on the random walk algorithm until the number of preset iterations is reached; or
circularly accessing the service nodes in the service model tree based on the random walk algorithm until the access frequency of the first service node reaches a preset access cut-off frequency.
7. The method of claim 1, wherein, before obtaining the service model tree, the method further comprises:
acquiring an original service model, wherein the original service model comprises a plurality of original service nodes;
based on the plurality of service nodes, determining that the original service node selects a root node and a leaf node through a preset identification target; and
forming the service model tree based on the preset root node and the preset leaf nodes.
8. A threat identification apparatus comprising:
the service model tree acquisition module is used for acquiring a service model tree, and the service model tree comprises a plurality of service nodes;
the environment evaluation value calculation module is used for grading the plurality of service nodes based on a preset vulnerability grading system to obtain environment evaluation values;
the service occurrence probability calculation module is used for calculating the plurality of service nodes based on a random walk algorithm to obtain service occurrence probability;
the comprehensive evaluation module is used for multiplying the environmental evaluation value and the service occurrence probability to obtain comprehensive evaluation; and
and the threat output module is used for determining the service node as a service node with potential threat under the condition that the comprehensive evaluation is greater than a preset threat identification threshold value.
9. An electronic device, comprising:
one or more processors;
a storage device to store one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method recited in any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 7.
11. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211396413.7A CN115758376A (en) 2022-11-09 2022-11-09 Threat identification method, apparatus, device, medium and program product

Publications (1)

Publication Number Publication Date
CN115758376A true CN115758376A (en) 2023-03-07

Family

ID=85369246



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination