CN115834219A - Network asset evaluation processing method, device, server and medium - Google Patents


Info

Publication number
CN115834219A
Authority
CN
China
Prior art keywords
address
asset
attack
illegal
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202211507077.9A
Other languages
Chinese (zh)
Other versions
CN115834219B (en)
Inventor
于城
孟祥森
周凯
史炳荣
王鑫妍
李思聪
李金玲
肖召红
吴朋
孙文雪
曹文涛
李阳
杜佳鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Unicom Digital Technology Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Unicom Digital Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd, Unicom Digital Technology Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN202211507077.9A priority Critical patent/CN115834219B/en
Publication of CN115834219A publication Critical patent/CN115834219A/en
Application granted granted Critical
Publication of CN115834219B publication Critical patent/CN115834219B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a network asset evaluation processing method, device, server and medium. The method comprises: obtaining an open source port, a non-open source port and corresponding risk index values according to the IP data flow information of the network device to be detected; obtaining, according to an illegal attack library, a first attack characteristic and a first threat coefficient corresponding to the open source port and a second attack characteristic and a second threat coefficient corresponding to the non-open source port; obtaining index values corresponding to illegal behaviors according to the type and number of times of the illegal behaviors corresponding to a source IP address of the network device to be detected; obtaining an asset dynamic basic value and an asset dynamic value according to the index values corresponding to the illegal behaviors and a dynamic mean value corresponding to each index value; and obtaining an asset comprehensive evaluation result corresponding to the source IP address according to an asset evaluation value, the asset dynamic basic value and the asset dynamic value corresponding to the source IP address. This solves the problem that the prior art can only evaluate the asset health degree of an enterprise intranet.

Description

Network asset evaluation processing method, device, server and medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a server, and a medium for evaluating and processing network assets.
Background
With the continuous development of internet technology, network security risk is increasing rapidly. Learning the health degree of network asset addresses in time, and evaluating that health degree, makes it possible to grasp the network security risks that a server faces.
In the prior art, a large enterprise acquires a security log of interaction between an intranet and a public network by deploying a probe at a network boundary between the intranet and the public network, monitors the security log, acquires a health condition of a network asset address of the intranet, and evaluates the health condition of the network asset address of the intranet.
However, the prior art can only evaluate the health degree of the network asset addresses of the enterprise intranet and cannot evaluate the threat of the public network, so it has certain limitations.
Disclosure of Invention
The application provides a network asset evaluation processing method, a device, a server and a medium, which are used for solving the problem that only the asset address health degree of an intranet can be evaluated in the prior art.
In a first aspect, the present application provides a network asset assessment processing method, including:
Determining an open source port and a non-open source port from the source port according to the source IP address, the source port, the destination IP address and the destination port in the obtained IP data flow information of the network device to be detected, and obtaining a risk index value corresponding to the open source port.
Respectively determining, from the destination IP address and the destination port, first communication IP information corresponding to the open source port and second communication IP information corresponding to the non-open source port.
Querying a pre-configured illegal attack library, and respectively acquiring a first attack characteristic and a first threat coefficient corresponding to the first communication IP information and a second attack characteristic and a second threat coefficient corresponding to the second communication IP information.
Obtaining, through identification and monitoring, the type of the illegal behavior corresponding to the source IP address and the number of times of the illegal behavior, and obtaining an index value corresponding to the illegal behavior according to the type of the illegal behavior and the number of times of the illegal behavior, the first attack characteristic and the first threat coefficient corresponding to the first communication IP information, and/or the second attack characteristic and the second threat coefficient corresponding to the second communication IP information.
Acquiring an asset dynamic basic value and an asset dynamic value according to the risk index value corresponding to the open source port, the index value corresponding to the illegal behavior and the dynamic mean value corresponding to each index value.
Acquiring an asset evaluation value corresponding to the source IP address according to the acquired asset type, level and historical vulnerability information corresponding to the source IP address.
Acquiring an asset comprehensive evaluation result corresponding to the source IP address of the network device to be detected according to the asset dynamic basic value, the asset dynamic value and the asset evaluation value, so as to manage the network corresponding to the network device to be detected according to the asset comprehensive evaluation result.
In a specific embodiment, the method further comprises the following steps:
Acquiring the asset information of the whole network, wherein the asset information of the whole network comprises: an IP address and the parameter information corresponding to the IP address.
For each IP address, when the IP address is determined to be an illegal attack address according to the parameter information corresponding to the IP address and a preset attack threshold value, obtaining the attack characteristics and threat coefficient corresponding to the IP address, and storing the IP address together with its attack characteristics and threat coefficient in the preset illegal attack library.
In a specific implementation manner, obtaining the attack characteristics and the threat coefficient corresponding to the IP address when the IP address is determined to be an illegal attack address according to the parameter information corresponding to the IP address and a preset attack threshold includes:
When the ICMP proportion in the parameter information corresponding to the IP address is determined to be larger than a first asset detection threshold, the number of the detected IP and the C section is determined to be larger than or equal to a second asset detection threshold, and the number of the detected IP and the B section is determined to be larger than or equal to a third asset detection threshold, determining that the IP address is an illegal attack address, and acquiring that the attack characteristic corresponding to the IP address is an asset detection characteristic and the threat coefficient is a first preset threat coefficient.
Or,
When the port frequency ratio in the parameter information corresponding to the IP address is larger than a first full port scanning threshold value or the port number is larger than a second full port scanning threshold value, determining that the IP address is an illegal attack address, and acquiring that the attack characteristic corresponding to the IP address is a full port scanning characteristic and the threat coefficient is a second preset threat coefficient.
Or,
When the WEB port proportion in the parameter information corresponding to the IP address is determined to be greater than a first WEB scanning and crawler threshold value and the average packet number is greater than a second WEB scanning and crawler threshold value, determining that the IP address is an illegal attack address, and acquiring that the attack characteristic corresponding to the IP address is a WEB scanning and crawler characteristic and the threat coefficient is a third preset threat coefficient.
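The three threshold rules above, as an added Python example that is not part of the patent text: it classifies per-IP parameter records and fills an illegal attack library. The field names, threshold values and threat coefficients are constructed assumptions (the text leaves them to be configured), and recording every rule that fires for an IP is also an assumption.

```python
from dataclasses import dataclass

# Attack-feature names come from the text; every number below is a constructed
# placeholder, since the text leaves thresholds and coefficients to be configured.
ASSET_DETECTION = "asset detection"
FULL_PORT_SCAN = "full port scanning"
WEB_SCAN_CRAWLER = "WEB scanning and crawler"

COEFFICIENTS = {  # first / second / third preset threat coefficient (assumed values)
    ASSET_DETECTION: 1.0,
    FULL_PORT_SCAN: 2.0,
    WEB_SCAN_CRAWLER: 1.5,
}


@dataclass(frozen=True)
class Thresholds:
    icmp_ratio: float = 0.8      # first asset detection threshold
    c_segments: int = 3          # second asset detection threshold
    b_segments: int = 2          # third asset detection threshold
    port_ratio: float = 0.5      # first full port scanning threshold
    port_count: int = 1000       # second full port scanning threshold
    web_port_ratio: float = 0.9  # first WEB scanning and crawler threshold
    avg_packets: float = 20.0    # second WEB scanning and crawler threshold


@dataclass(frozen=True)
class IpParameters:
    """Parameter information for one IP address (hypothetical field names)."""
    ip: str
    icmp_ratio: float      # ICMP proportion, 0..1
    c_segments: int        # detected-IP count at C-segment granularity
    b_segments: int        # detected-IP count at B-segment granularity
    port_ratio: float      # port ratio used by the full-port-scan rule, 0..1
    port_count: int        # number of ports
    web_port_ratio: float  # WEB port proportion, 0..1
    avg_packets: float     # average packet number


def classify(p, th=Thresholds(), coefficients=COEFFICIENTS):
    """Return [(attack feature, threat coefficient)] for every rule that fires."""
    for name in ("icmp_ratio", "port_ratio", "web_port_ratio"):
        value = getattr(p, name)
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{p.ip}: {name}={value} is not a proportion")
    features = []
    # Rule 1: strict '>' on the ICMP proportion, '>=' on both segment counts.
    if (p.icmp_ratio > th.icmp_ratio
            and p.c_segments >= th.c_segments
            and p.b_segments >= th.b_segments):
        features.append(ASSET_DETECTION)
    # Rule 2: either condition alone is enough ('or' in the text).
    if p.port_ratio > th.port_ratio or p.port_count > th.port_count:
        features.append(FULL_PORT_SCAN)
    # Rule 3: both conditions are required ('and' in the text).
    if p.web_port_ratio > th.web_port_ratio and p.avg_packets > th.avg_packets:
        features.append(WEB_SCAN_CRAWLER)
    return [(feature, coefficients[feature]) for feature in features]


def build_attack_library(records, th=Thresholds()):
    """Store only IPs judged to be illegal attack addresses."""
    library = {}
    for p in records:
        hits = classify(p, th)
        if hits:
            library[p.ip] = hits
    return library


# Constructed sample records (documentation address ranges).
SAMPLE = [
    IpParameters("203.0.113.10", 0.95, 40, 3, 0.01, 1, 0.0, 1.0),     # ping sweep
    IpParameters("203.0.113.20", 0.0, 1, 1, 0.9, 65000, 0.02, 2.0),   # port scan
    IpParameters("203.0.113.30", 0.0, 1, 1, 0.1, 2, 0.97, 45.0),      # crawler
    IpParameters("198.51.100.5", 0.05, 1, 1, 0.1, 3, 0.6, 12.0),      # ordinary client
    IpParameters("203.0.113.40", 0.8, 3, 2, 0.5, 1000, 0.9, 20.0),    # exactly on thresholds
]

if __name__ == "__main__":
    for ip, hits in build_attack_library(SAMPLE).items():
        print(ip, hits)
```

The last sample record sits exactly on every threshold and stays out of the library, because the ratio and count comparisons in the text are strict.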
In a specific embodiment, the first communication IP information includes: a first communication IP address and a corresponding first communication port; the second communication IP information includes: a second communication IP address and a corresponding second communication port.
The first communication IP address is a destination IP address corresponding to the open source port, and the first communication port is a destination port corresponding to the open source port.
The second communication IP address is a destination IP address corresponding to the non-open source port, and the second communication port is a destination port corresponding to the non-open source port.
In a specific embodiment, the identifying and monitoring the type of the obtained illegal action corresponding to the source IP address and the number of times of the illegal action, and obtaining an index value corresponding to the illegal action according to the type of the illegal action and the number of times of the illegal action, a first attack characteristic and a first threat coefficient corresponding to the first communication IP information, and/or a second attack characteristic and a second threat coefficient corresponding to the second communication IP information includes:
When the type of the illegal behavior corresponding to the source IP address obtained through identification and monitoring is an attack type, determining the communication IP information matched with the attack type according to the first attack characteristic corresponding to the first communication IP information and the second attack characteristic corresponding to the second communication IP information, and obtaining an attack index according to the number of times of the illegal behavior and the threat coefficient corresponding to the communication IP information matched with the attack type.
And/or,
When the type of the illegal behavior corresponding to the source IP address obtained through identification and monitoring is an illegal external connection type, determining the communication IP information matched with the illegal external connection type according to the first attack characteristic corresponding to the first communication IP information and the second attack characteristic corresponding to the second communication IP information, and acquiring an illegal external connection index according to the number of times of the illegal behavior and the threat coefficient corresponding to the communication IP information matched with the attack type.
Wherein the attack type is matched with the asset detection feature among the attack features, and the illegal external connection type is matched with the WEB scanning and crawler feature among the attack features.
In a specific embodiment, the obtaining an asset dynamic basic value and an asset dynamic value according to a risk index value corresponding to the open source port, an index value corresponding to the illegal action, and a dynamic mean value corresponding to each index value includes:
Summing the risk index value corresponding to the open source port and the index value corresponding to the illegal behavior to obtain the asset dynamic basic value.
For each index value, judging whether the index value is larger than its corresponding dynamic mean value and, if so, correcting the index value to obtain the corrected index value.
Acquiring the asset dynamic value according to the index values that do not need to be corrected and the corrected index values.
In a second aspect, the present application provides a network asset assessment processing apparatus, comprising:
An acquisition module, configured to determine an open source port and a non-open source port from the source port according to the source IP address, the source port, the destination IP address and the destination port in the obtained IP data flow information of the network device to be detected, and to acquire a risk index value corresponding to the open source port.
A processing module, configured to respectively determine, from the destination IP address and the destination port, first communication IP information corresponding to the open source port and second communication IP information corresponding to the non-open source port.
The obtaining module is further configured to query a preconfigured illegal attack library, and obtain a first attack characteristic and a first threat coefficient corresponding to the first communication IP information, and a second attack characteristic and a second threat coefficient corresponding to the second communication IP information, respectively.
The processing module is further configured to identify and monitor the type of the obtained illegal action corresponding to the source IP address and the number of times of the illegal action, and obtain an index value corresponding to the illegal action according to the type of the illegal action and the number of times of the illegal action, a first attack characteristic and a first threat coefficient corresponding to the first communication IP information, and/or a second attack characteristic and a second threat coefficient corresponding to the second communication IP information.
The processing module is further configured to obtain an asset dynamic basic value and an asset dynamic value according to the risk index value corresponding to the open source port, the index value corresponding to the illegal behavior, and the dynamic mean value corresponding to each index value.
The processing module is further configured to obtain an asset evaluation value corresponding to the source IP address according to the obtained asset type, the obtained level, and the obtained historical vulnerability information corresponding to the source IP address.
The processing module is further configured to obtain an asset comprehensive evaluation result corresponding to the source IP address of the to-be-detected network device according to the asset dynamic basic value, the asset dynamic value, and the asset evaluation value, so as to perform corresponding management on the network corresponding to the to-be-detected network device according to the asset comprehensive evaluation result.
In a specific embodiment, the obtaining module is further configured to:
Acquiring the asset information of the whole network, wherein the asset information of the whole network comprises: an IP address and the parameter information corresponding to the IP address.
For each IP address, according to parameter information corresponding to the IP address and a preset attack threshold value, when the IP address is determined to be an illegal attack address, obtaining attack characteristics and a threat coefficient corresponding to the IP address, and storing the IP address, the attack characteristics and the threat coefficient corresponding to the IP address into the preset illegal attack library.
In a specific embodiment, the obtaining module is specifically configured to:
When the ICMP proportion in the parameter information corresponding to the IP address is determined to be larger than a first asset detection threshold, the number of the detected IP and the C section is determined to be larger than or equal to a second asset detection threshold, and the number of the detected IP and the B section is determined to be larger than or equal to a third asset detection threshold, determining that the IP address is an illegal attack address, and acquiring that the attack characteristic corresponding to the IP address is an asset detection characteristic and the threat coefficient is a first preset threat coefficient.
Or,
When the port number ratio in the parameter information corresponding to the IP address is larger than a first full port scanning threshold value or the port number is larger than a second full port scanning threshold value, determining that the IP address is an illegal attack address, and acquiring that the attack characteristic corresponding to the IP address is a full port scanning characteristic and the threat coefficient is a second preset threat coefficient.
Or,
When the WEB port proportion in the parameter information corresponding to the IP address is determined to be greater than a first WEB scanning and crawler threshold value and the average packet number is greater than a second WEB scanning and crawler threshold value, determining that the IP address is an illegal attack address, and acquiring that the attack characteristic corresponding to the IP address is a WEB scanning and crawler characteristic and the threat coefficient is a third preset threat coefficient.
In a specific embodiment, the first communication IP information includes: a first communication IP address and a corresponding first communication port; the second communication IP information includes: a second communication IP address and a corresponding second communication port.
The first communication IP address is a destination IP address corresponding to the open source port, and the first communication port is a destination port corresponding to the open source port.
The second communication IP address is a destination IP address corresponding to the non-open source port, and the second communication port is a destination port corresponding to the non-open source port.
In a specific embodiment, the processing module is specifically configured to:
When the type of the illegal behavior corresponding to the source IP address obtained through identification and monitoring is an attack type, determining the communication IP information matched with the attack type according to the first attack characteristic corresponding to the first communication IP information and the second attack characteristic corresponding to the second communication IP information, and obtaining an attack index according to the number of times of the illegal behavior and the threat coefficient corresponding to the communication IP information matched with the attack type.
And/or,
When the type of the illegal behavior corresponding to the source IP address obtained through identification and monitoring is an illegal external connection type, determining the communication IP information matched with the illegal external connection type according to the first attack characteristic corresponding to the first communication IP information and the second attack characteristic corresponding to the second communication IP information, and acquiring an illegal external connection index according to the number of times of the illegal behavior and the threat coefficient corresponding to the communication IP information matched with the attack type.
Wherein the attack type is matched with the asset detection feature among the attack features, and the illegal external connection type is matched with the WEB scanning and crawler feature among the attack features.
In a specific embodiment, the processing module is specifically configured to:
Summing the risk index value corresponding to the open source port and the index value corresponding to the illegal behavior to obtain the asset dynamic basic value.
For each index value, judging whether the index value is larger than its corresponding dynamic mean value and, if so, correcting the index value to obtain the corrected index value.
Acquiring the asset dynamic value according to the index values that do not need to be corrected and the corrected index values.
In a third aspect, the present application provides a server, comprising:
a processor, a memory and a communication interface.
The memory is used for storing instructions executable by the processor.
The processor is configured to perform the network asset assessment processing method of the first aspect by executing the executable instructions.
In a fourth aspect, the present application provides a readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the network asset assessment processing method of the first aspect.
The application provides a network asset evaluation processing method, device, server and medium. According to the source IP address, the source port, the destination IP address and the destination port in the IP data flow information of the network device to be detected, an open source port and a non-open source port are determined from the source port, and a risk index value corresponding to the open source port is obtained. First communication IP information corresponding to the open source port and second communication IP information corresponding to the non-open source port are respectively determined from the destination IP address and the destination port. A pre-configured illegal attack library is queried to acquire a first attack characteristic and a first threat coefficient corresponding to the first communication IP information and a second attack characteristic and a second threat coefficient corresponding to the second communication IP information. The type of the illegal behavior corresponding to the source IP address and the number of times of the illegal behavior are obtained through identification and monitoring, and an index value corresponding to the illegal behavior is obtained according to the type and number of times of the illegal behavior, the first attack characteristic and the first threat coefficient corresponding to the first communication IP information, and/or the second attack characteristic and the second threat coefficient corresponding to the second communication IP information. An asset dynamic basic value and an asset dynamic value are acquired according to the risk index value corresponding to the open source port, the index value corresponding to the illegal behavior and the dynamic mean value corresponding to each index value. An asset evaluation value corresponding to the source IP address is acquired according to the acquired asset type, level and historical vulnerability information corresponding to the source IP address. An asset comprehensive evaluation result corresponding to the source IP address of the network device to be detected is acquired according to the asset dynamic basic value, the asset dynamic value and the asset evaluation value, so that the network corresponding to the network device to be detected is managed according to the asset comprehensive evaluation result.
Compared with the prior art, in which a probe is deployed at the network boundary between an intranet and the public network to obtain a security log of their interaction and evaluate the health degree of the intranet's network asset addresses, the present application acquires the asset comprehensive evaluation result corresponding to the source IP address of the network device to be detected from the index values corresponding to illegal behaviors of the open source port and the non-open source port of that device, the risk index values corresponding to the open source port, the dynamic mean values corresponding to the index values, and the asset evaluation value corresponding to the source IP address. The approach is suitable for evaluating the health degree of asset addresses across the whole network, is universal, reduces the risk of network threats to the assets corresponding to the source IP address of the network device, and improves security.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the description below are some embodiments of the present application, and those skilled in the art can obtain other drawings based on the drawings without inventive labor.
Fig. 1 is a schematic flowchart of a first embodiment of a network asset assessment processing method provided in the present application;
Fig. 2 is a schematic flowchart of a second embodiment of a network asset assessment processing method provided in the present application;
Fig. 3 is a schematic structural diagram of an embodiment of a network asset assessment processing apparatus provided in the present application;
Fig. 4 is a schematic structural diagram of a server provided in the present application.
The above figures show specific embodiments of the present application, which are described in more detail below. The drawings and written description are not intended to limit the scope of the inventive concepts in any manner, but rather to illustrate the concepts of the application to those skilled in the art with reference to specific embodiments.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments that can be made by one skilled in the art based on the embodiments in the present application in light of the present disclosure are within the scope of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and claims of this application and in the preceding drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or server.
Description of technical terms:
Asset: mainly the various devices used in computer (or communication) networks, chiefly hosts, network equipment (routers, switches and the like) and security equipment (firewalls and the like). In this application, an asset refers to an IP address of a network device.
In the prior art, a large enterprise acquires a security log of interaction between an intranet and a public network by deploying a probe at a network boundary between the intranet and the public network, monitors the security log, acquires a health condition of a network asset address of the intranet, and evaluates the health condition of the network asset address of the intranet. However, the prior art can only evaluate the health degree of the network asset addresses of the enterprise intranet and cannot evaluate the threat of the public network, so it has certain limitations. Based on this, the technical idea of the application lies in how to evaluate the health degree of asset addresses across the whole network.
The technical solution of the present application will be described in detail below with reference to specific examples. It should be noted that the following specific embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments.
Fig. 1 is a schematic flow chart of a first embodiment of a network asset assessment processing method provided in the present application, and as shown in fig. 1, the network asset assessment processing method specifically includes the following steps:
step S101: and determining an open source port and a non-open source port from the source port according to the source IP address, the source port, the destination IP address and the destination port in the obtained IP data flow information of the network equipment to be detected, and obtaining a risk index value corresponding to the open source port.
In this embodiment, different open source ports may correspond to different risk index values thereof, and specifically, the risk index value corresponding to the open source port is set according to an actual requirement.
Step S102: and respectively determining first IP communication information corresponding to the open source port and second IP communication information corresponding to the non-open source port from the destination IP address and the destination port.
Step S103: and inquiring a pre-configured illegal attack library, and respectively acquiring a first attack characteristic and a first threat coefficient corresponding to the first communication IP information and a second attack characteristic and a second threat coefficient corresponding to the second IP communication information.
In this embodiment, different attack characteristics may correspond to different threat coefficients thereof, and specifically, the threat coefficients are set according to actual requirements.
Step S104: and identifying and monitoring the type of the illegal action corresponding to the obtained source IP address and the frequency of the illegal action, and obtaining an index value corresponding to the illegal action according to the type of the illegal action and the frequency of the illegal action, a first attack characteristic and a first threat coefficient corresponding to the first communication IP information, and/or a second attack characteristic and a second threat coefficient corresponding to the second communication IP information.
In this embodiment, for example, the index value corresponding to the illegal action at least includes an attack index and an illegal external connection index.
Step S105: acquiring an asset dynamic basic value and an asset dynamic value according to the risk index value corresponding to the open source port, the index value corresponding to the illegal action and the dynamic mean value corresponding to each index value.
Step S106: acquiring an asset evaluation value corresponding to the source IP address according to the asset type, the level and the historical vulnerability information corresponding to the acquired source IP address.
Step S107: acquiring an asset comprehensive evaluation result corresponding to the source IP address of the network equipment to be detected according to the asset dynamic basic value, the asset dynamic value and the asset evaluation value, so as to correspondingly manage the network corresponding to the network equipment to be detected according to the asset comprehensive evaluation result.
In this embodiment, an asset comprehensive evaluation result corresponding to a source IP address of the network device to be detected is obtained by obtaining an index value corresponding to an illegal behavior of an open source port and a non-open source port of the network device to be detected, a risk index value corresponding to the open source port, a dynamic mean value corresponding to each index value, and an asset evaluation value corresponding to the source IP address of the network device to be detected.
Fig. 2 is a schematic flow chart of a second embodiment of a network asset assessment processing method provided by the present application, and as shown in fig. 2, the network asset assessment processing method specifically includes the following steps:
Step 201: acquiring the asset information of the whole network.
In this embodiment, the network-wide asset information includes: the IP address and the parameter information corresponding to the IP address.
Step 202: for each IP address, when the IP address is determined to be an illegal attack address according to the parameter information corresponding to the IP address and a preset attack threshold value, acquiring the attack characteristics and threat coefficient corresponding to the IP address, and storing the IP address, the attack characteristics and the threat coefficient corresponding to the IP address into a pre-configured illegal attack library.
In the present embodiment, the reference information is shown in Table one.
Table one: reference information [table image]
In this embodiment, when it is determined that the ICMP ratio in the parameter information corresponding to the IP address is greater than the first asset detection threshold, the number of detected IP and C segments is greater than or equal to the second asset detection threshold, and the number of detected IP and B segments is greater than or equal to the third asset detection threshold, it is determined that the IP address is an illegal attack address, and the attack characteristic corresponding to the IP address is obtained as an asset detection characteristic, and the threat coefficient is the first preset threat coefficient.
Specifically, the first asset detection threshold may be 0.6, the second asset detection threshold may be 1, the third asset detection threshold may be 3, and the first preset threat coefficient is 0.1, where the threat coefficient is obtained according to expert experience.
Or when the port number ratio in the parameter information corresponding to the IP address is larger than a first full-port scanning threshold value or the port number is larger than a second full-port scanning threshold value, the IP address is determined to be an illegal attack address, the attack characteristic corresponding to the IP address is acquired to be a full-port scanning characteristic, and the threat coefficient is a second preset threat coefficient.
Specifically, the first full-port scanning threshold may be 0.2, the second full-port scanning threshold may be 10, and the second preset threat coefficient is 0.2, where the threat coefficient is obtained according to expert experience.
Or when the WEB port occupation ratio in the parameter information corresponding to the IP address is determined to be greater than a first WEB scanning and crawler threshold value and the average packet number is greater than a second WEB scanning and crawler threshold value, determining that the IP address is an illegal attack address, and acquiring attack characteristics corresponding to the IP address as WEB scanning and crawler characteristics, wherein the threat coefficient is a third preset threat coefficient.
Specifically, the first WEB scanning and crawler threshold may be 0.8, the second WEB scanning and crawler threshold may be 5, and the third preset threat coefficient is 0.3, where the threat coefficient is obtained according to expert experience.
Specifically, an example of the illegal attack library is shown in Table two.
Table two: illegal attack library example

| Illegal attack address | Attack features | Threat coefficient |
| --- | --- | --- |
| 1.1.1.10 | Asset detection | 0.1 |
| 1.1.1.2 | Full port scanning | 0.2 |
| 1.1.1.20 | WEB scanning and crawling | 0.3 |
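The three threshold rules of Step 202, written out as an added example (not code from the patent). The field names of `IpParameters` are assumptions, since Table one is not available on this page, and taking the first matching rule is also an assumption because the text does not say how overlapping matches are resolved.

```python
"""Added example: build the illegal attack library of Step 202."""
from dataclasses import dataclass

# Thresholds quoted in the embodiment ("may be" values from expert experience).
ICMP_RATIO_MIN = 0.6    # first asset detection threshold, strictly greater
C_SEGMENTS_MIN = 1      # second asset detection threshold, greater or equal
B_SEGMENTS_MIN = 3      # third asset detection threshold, greater or equal
PORT_RATIO_MIN = 0.2    # first full-port scanning threshold, strictly greater
PORT_COUNT_MIN = 10     # second full-port scanning threshold, strictly greater
WEB_RATIO_MIN = 0.8     # first WEB scanning and crawler threshold, strictly greater
AVG_PACKETS_MIN = 5     # second WEB scanning and crawler threshold, strictly greater


@dataclass(frozen=True)
class IpParameters:
    """Per-IP parameter information; field names are assumed, not from the page."""
    ip: str
    icmp_ratio: float = 0.0
    c_segments: int = 0
    b_segments: int = 0
    port_ratio: float = 0.0
    port_count: int = 0
    web_port_ratio: float = 0.0
    avg_packets: float = 0.0


def classify(p):
    """Return (attack feature, threat coefficient), or None if no rule fires.

    Rules are tried in the order the embodiment lists them (assumption).
    """
    if (p.icmp_ratio > ICMP_RATIO_MIN
            and p.c_segments >= C_SEGMENTS_MIN
            and p.b_segments >= B_SEGMENTS_MIN):
        return ("Asset detection", 0.1)
    # Full-port scanning is the only rule joined by OR in the text.
    if p.port_ratio > PORT_RATIO_MIN or p.port_count > PORT_COUNT_MIN:
        return ("Full port scanning", 0.2)
    if p.web_port_ratio > WEB_RATIO_MIN and p.avg_packets > AVG_PACKETS_MIN:
        return ("WEB scanning and crawling", 0.3)
    return None


def build_attack_library(records):
    """Map each IP judged to be an illegal attack address to its library entry."""
    library = {}
    for p in records:
        verdict = classify(p)
        if verdict is not None:
            library[p.ip] = verdict
    return library


# Constructed sample records. The first three IPs are those of Table two; the
# parameter values and the last two records are made up for illustration.
SAMPLE = [
    IpParameters("1.1.1.10", icmp_ratio=0.9, c_segments=4, b_segments=3),
    IpParameters("1.1.1.2", port_ratio=0.05, port_count=1200),
    IpParameters("1.1.1.20", web_port_ratio=0.95, avg_packets=40),
    # Boundary case: ICMP ratio equal to the threshold does not qualify.
    IpParameters("198.51.100.9", icmp_ratio=0.6, c_segments=1, b_segments=3),
    # Ordinary client: nothing exceeds a threshold.
    IpParameters("192.0.2.7", web_port_ratio=0.5, avg_packets=3),
]

if __name__ == "__main__":
    for ip, (feature, coefficient) in build_attack_library(SAMPLE).items():
        print(ip, feature, coefficient)
```
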
Step 203: determining an open source port and a non-open source port from the source port according to the source IP address, the source port, the destination IP address and the destination port in the obtained IP data flow information of the network equipment to be detected, and obtaining a risk index value corresponding to the open source port.
For example, Table three shows the real-time netflow information of the network device to be detected with IP 123.123.125.10.
Table three: real-time netflow information of the network device to be detected with IP 123.123.125.10 [table image]
From the table, the open source ports are ports 80 and 443, and the non-open source ports are ports 23241, 245255 and 3425. Each open source port corresponds to a unique risk index value, which is obtained from expert experience. Specifically, the risk index value corresponding to port 80 is 2, and the risk index value corresponding to port 443 is 1.
Step S204: determining, from the destination IP address and the destination port, first communication IP information corresponding to the open source port and second communication IP information corresponding to the non-open source port, respectively.
In this embodiment, the first communication IP information includes: a first communication IP address and a corresponding first communication port; the second communication IP information includes: the second communication IP address and the corresponding second communication port.
The first communication IP address is a destination IP address corresponding to the open source port, and the first communication port is a destination port corresponding to the open source port.
The second communication IP address is a destination IP address corresponding to the non-open source port, and the second communication port is a destination port corresponding to the non-open source port.
From the above example, the destination IP addresses and destination ports corresponding to the open source ports and to the non-open source ports are shown in Table four.
Table four: destination IP address and destination port

| Destination IP | Destination port |
| --- | --- |
| 1.1.1.10 | 12312, 12316, 12245, 23453 |
| 1.1.1.20 | 80 |
Step S205: querying a pre-configured illegal attack library, and respectively acquiring a first attack characteristic and a first threat coefficient corresponding to the first communication IP information and a second attack characteristic and a second threat coefficient corresponding to the second communication IP information.
In this embodiment, it is assumed that the first attack characteristic corresponding to the first communication IP information is asset detection, and the first threat coefficient is 0.1, that is, the attack characteristic of the destination IP address 1.1.1.10 corresponding to the open source port is asset detection, and the threat coefficient is 0.1; the second attack characteristic corresponding to the second communication IP information is WEB scanning and crawler, and the second threat coefficient is 0.3, that is, the attack characteristic of the destination IP address 1.1.1.20 corresponding to the non-open source port is WEB scanning and crawler, and the threat coefficient is 0.3.
Step S206: identifying and monitoring the type of the illegal action corresponding to the obtained source IP address and the number of times of the illegal action, and obtaining an index value corresponding to the illegal action according to the type of the illegal action and the number of times of the illegal action, a first attack characteristic and a first threat coefficient corresponding to the first communication IP information, and/or a second attack characteristic and a second threat coefficient corresponding to the second communication IP information.
In this embodiment, when the type of the illegal behavior corresponding to the source IP address obtained through identification and monitoring is an attack type, the communication IP information matched with the attack type is determined according to the first attack feature corresponding to the first communication IP information and the second attack feature corresponding to the second communication IP information, and the attack index is obtained according to the number of times of the illegal behavior and the threat coefficient corresponding to the communication IP information matched with the attack type.
For example, according to the above example, assume that the IP of the network device to be detected is 123.123.125.10. From the communication IP information matched with the attack type, the communication IP address (the destination IP) is 1.1.1.10, the communication ports (the destination ports) are 12312, 12316, 12245 and 23453, and the threat coefficient corresponding to the destination IP 1.1.1.10 is 0.1. Assuming that the number of times of attack for the network device to be detected 123.123.125.10 is 20, the attack index is obtained according to the first formula.
Wherein the first formula is represented as:
attack index = number of illegal actions × threat coefficient
Specifically, the attack index of the network device to be detected with IP 123.123.125.10 is shown in Table five.
Table five: illegal action times and attack index

| Network equipment IP to be detected | Number of illegal actions | Attack index |
| --- | --- | --- |
| 123.123.125.10 | 20 | 2 |
And/or when the type of the illegal behavior corresponding to the source IP address obtained by the identification and monitoring is an illegal external connection type, determining the communication IP information matched with the illegal external connection type according to a first attack characteristic corresponding to the first communication IP information and a second attack characteristic corresponding to the second communication IP information, and obtaining an illegal external connection index according to the times of the illegal behavior and a threat coefficient corresponding to the communication IP information matched with the attack type.
For example, according to the above example, assume that the IP of the network device to be detected is 123.123.125.10. From the communication IP information matched with the illegal external connection type, the communication IP address (the destination IP) is 1.1.1.20, the communication port (the destination port) is port 80, and the threat coefficient corresponding to the destination IP 1.1.1.20 is 0.3. Assuming that the number of times of attack for the network device to be detected 123.123.125.10 is 20, the illegal external connection index is obtained according to the first formula.
Specifically, the illegal external connection index of the network device to be detected with IP 123.123.125.10 is shown in Table six.
Table six: illegal action times and illegal external connection index

| Network equipment IP to be detected | Number of illegal actions | Illegal external connection index |
| --- | --- | --- |
| 123.123.125.10 | 20 | 6 |
In this embodiment, the attack type matches the asset detection features in the attack features; the illegal external connection type is matched with WEB scanning and crawler characteristics in the attack characteristics.
Step S207: acquiring an asset dynamic basic value and an asset dynamic value according to the risk index value corresponding to the open source port, the index value corresponding to the illegal action and the dynamic mean value corresponding to each index value.
In this embodiment, the risk index value corresponding to the open source port and the index value corresponding to the illegal action are summed to obtain the asset dynamic basic value.
According to the above example, the open source ports are ports 80 and 443; the risk index value corresponding to port 80 is 2 and the risk index value corresponding to port 443 is 1. The index value corresponding to the illegal action includes an attack index and an illegal external connection index, where the attack index is 2 and the illegal external connection index is 6. The asset dynamic basic value = 2 + 1 + 2 + 6 = 11.
The sum of the risk index values corresponding to the open source ports is the threat value of the open source port.
For each index value, it is judged whether the index value is larger than the dynamic mean value corresponding to that index value; if so, the index value is corrected to obtain the corrected index value.
Specifically, assume that the dynamic mean of the threat value of the open source port is 3, the dynamic mean of the attack index is 2, and the dynamic mean of the illegal external connection index is 2. The illegal external connection index value is greater than its dynamic mean, so it needs to be corrected according to a second formula.
Wherein the second formula is represented as:
correction value = dynamic mean value + overflow value / (overflow value + dynamic mean value) × dynamic mean value
Then the correction value for the illegal external connection index value = 2 + 6/(6 + 2) × 2 = 3.5.
The asset dynamic value is acquired according to the index values which do not need to be corrected and the corrected index value.
According to the above example, the asset dynamic value = 2 + 1 + 2 + 3.5 = 8.5.
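Steps S203 to S207 carried through on the worked numbers above, as an added example that is not part of the patent. The flow records are constructed (Table three is only an image here), treating a source port as open when it appears in the risk table is an assumption, and so is using the highest coefficient when several peers match one type.

```python
"""Added example: asset dynamic basic value and asset dynamic value (S203-S207)."""
from collections import namedtuple
from decimal import Decimal

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port")

# From the embodiment: risk index per open source port, and Table two.
# Coefficients are Decimal so that 20 x 0.1 is exactly 2 and an index sitting
# on its dynamic mean is not "corrected" because of float rounding.
OPEN_PORT_RISK = {80: 2, 443: 1}
ATTACK_LIBRARY = {
    "1.1.1.10": ("Asset detection", Decimal("0.1")),
    "1.1.1.2": ("Full port scanning", Decimal("0.2")),
    "1.1.1.20": ("WEB scanning and crawling", Decimal("0.3")),
}
# Attack feature that each illegal-action type matches (stated in the embodiment).
FEATURE_FOR_TYPE = {
    "attack": "Asset detection",
    "illegal_external_connection": "WEB scanning and crawling",
}

# Constructed flows for device 123.123.125.10, consistent with Table four.
FLOWS = [
    Flow("123.123.125.10", 80, "1.1.1.10", 12312),
    Flow("123.123.125.10", 80, "1.1.1.10", 12316),
    Flow("123.123.125.10", 443, "1.1.1.10", 12245),
    Flow("123.123.125.10", 443, "1.1.1.10", 23453),
    Flow("123.123.125.10", 23241, "1.1.1.20", 80),
    Flow("123.123.125.10", 3425, "1.1.1.20", 80),
]
ACTION_COUNTS = {"attack": 20, "illegal_external_connection": 20}
DYNAMIC_MEANS = {"open_port_threat": 3, "attack": 2,
                 "illegal_external_connection": 2}


def split_peers(flows):
    """S203/S204: peers reached from open source ports vs. non-open ones."""
    first, second = set(), set()
    for f in flows:
        bucket = first if f.src_port in OPEN_PORT_RISK else second
        bucket.add((f.dst_ip, f.dst_port))
    return first, second


def index_for(action_type, count, peers):
    """S205/S206: first formula, count x threat coefficient of the matching peer."""
    wanted = FEATURE_FOR_TYPE[action_type]
    coefficients = {ATTACK_LIBRARY[ip][1] for ip, _port in peers
                    if ip in ATTACK_LIBRARY and ATTACK_LIBRARY[ip][0] == wanted}
    # No matching peer gives 0; several give the highest coefficient (assumption).
    return count * max(coefficients) if coefficients else Decimal(0)


def corrected(value, mean):
    """Second formula, applied only when the index exceeds its dynamic mean."""
    if value <= mean:
        return value
    return mean + value / (value + mean) * mean


def dynamic_values(flows, action_counts, means):
    """S207: return (index values, asset dynamic basic value, asset dynamic value)."""
    first, second = split_peers(flows)
    open_ports = {f.src_port for f in flows if f.src_port in OPEN_PORT_RISK}
    indices = {"open_port_threat": sum(OPEN_PORT_RISK[p] for p in open_ports)}
    for action_type, count in action_counts.items():
        indices[action_type] = index_for(action_type, count, first | second)
    base = sum(indices.values())
    dynamic = sum(corrected(v, means[k]) for k, v in indices.items())
    return indices, base, dynamic


if __name__ == "__main__":
    idx, base, dyn = dynamic_values(FLOWS, ACTION_COUNTS, DYNAMIC_MEANS)
    print(idx, base, dyn)
```
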
Step S208: acquiring an asset evaluation value corresponding to the source IP address according to the asset type, the level and the historical vulnerability information corresponding to the acquired source IP address.
Specifically, the asset evaluation value can be obtained from the evaluation indexes and scores in Table seven.
Table seven: evaluation index and score [table image]
Assuming that the network device to be detected with IP 123.123.125.10 has a medium-low risk vulnerability score of 15 due to an open WEB service, an asset type score of 35, and a guaranteed level 3 score of 30, the asset evaluation value = 35 + 30 + 15 = 80.
Step S209: acquiring an asset comprehensive evaluation result corresponding to the source IP address of the network equipment to be detected according to the asset dynamic basic value, the asset dynamic value and the asset evaluation value, so as to correspondingly manage the network corresponding to the network equipment to be detected according to the asset comprehensive evaluation result.
In this embodiment, the asset comprehensive evaluation result is obtained by a third formula, wherein the third formula is expressed as:
asset comprehensive evaluation = asset evaluation value × asset dynamic coefficient
Wherein the asset dynamic coefficient is obtained by a fourth formula, the fourth formula being represented as:
asset dynamic coefficient = sum of dynamic mean values / asset dynamic value
According to the above example, the asset dynamic coefficient of the network device to be detected with IP 123.123.125.10 = (3 + 2)/8.5 ≈ 0.94.
Its asset comprehensive evaluation = 80 × 0.94 = 75.
In this embodiment, by obtaining an index value corresponding to an illegal action of an open source port and a non-open source port of a network device to be detected, a risk index value corresponding to the open source port, a dynamic mean value corresponding to each index value, and an asset evaluation value corresponding to a source IP address of the network device to be detected, and modifying the index value exceeding the dynamic mean value according to the dynamic mean value corresponding to the index value, an asset comprehensive evaluation result corresponding to the source IP address of the network device to be detected is obtained.
Fig. 3 is a schematic structural diagram of an embodiment of a network asset assessment processing device provided in the present application. As shown in fig. 3, the network asset assessment processing device 30 includes: an acquisition module 31 and a processing module 32.
The acquisition module 31 is configured to determine an open source port and a non-open source port from a source port, and acquire a risk index value corresponding to the open source port, according to the source IP address, the source port, the destination IP address, and the destination port in the obtained IP data flow information of the network device to be detected.
The processing module 32 is configured to determine, from the destination IP address and the destination port, first communication IP information corresponding to the open source port and second communication IP information corresponding to the non-open source port, respectively.
The acquisition module 31 is further configured to query a preconfigured illegal attack library, and obtain a first attack feature and a first threat coefficient corresponding to the first communication IP information, and a second attack feature and a second threat coefficient corresponding to the second communication IP information, respectively.
The processing module 32 is further configured to identify and monitor the type of the obtained illegal action corresponding to the source IP address and the number of times of the illegal action, and obtain an index value corresponding to the illegal action according to the type of the illegal action and the number of times of the illegal action, a first attack characteristic and a first threat coefficient corresponding to the first communication IP information, and/or a second attack characteristic and a second threat coefficient corresponding to the second communication IP information.
The processing module 32 is further configured to obtain an asset dynamic basic value and an asset dynamic value according to a risk index value corresponding to the open source port, an index value corresponding to the illegal action, and a dynamic mean value corresponding to each index value.
The processing module 32 is further configured to obtain an asset evaluation value corresponding to the source IP address according to the asset type, the level, and the historical vulnerability information corresponding to the obtained source IP address.
The processing module 32 is further configured to obtain an asset comprehensive evaluation result corresponding to the source IP address of the network device to be detected according to the asset dynamic basic value, the asset dynamic value, and the asset evaluation value, so as to perform corresponding management on a network corresponding to the network device to be detected according to the asset comprehensive evaluation result.
The network asset assessment processing apparatus in this embodiment may execute the method example shown in fig. 1, and the implementation principle and the technical effect are similar, which are not described herein again.
In a possible embodiment, the obtaining module 31 is further configured to:
acquire the asset information of the whole network, wherein the asset information of the whole network comprises: the IP address and the parameter information corresponding to the IP address;
for each IP address, when the IP address is determined to be an illegal attack address according to the parameter information corresponding to the IP address and a preset attack threshold value, acquire the attack characteristics and threat coefficient corresponding to the IP address, and store the IP address, the attack characteristics and the threat coefficient corresponding to the IP address into a pre-configured illegal attack library.
In a possible implementation, the obtaining module 31 is specifically configured to:
when the ICMP proportion in the parameter information corresponding to the IP address is larger than a first asset detection threshold, the number of the detected IP and the C section is larger than or equal to a second asset detection threshold, and the number of the detected IP and the B section is larger than or equal to a third asset detection threshold, the IP address is determined to be an illegal attack address, the attack characteristic corresponding to the IP address is acquired to be an asset detection characteristic, and the threat coefficient is a first preset threat coefficient.
Or when the port number ratio in the parameter information corresponding to the IP address is larger than a first full-port scanning threshold value or the port number is larger than a second full-port scanning threshold value, the IP address is determined to be an illegal attack address, the attack characteristic corresponding to the IP address is acquired to be a full-port scanning characteristic, and the threat coefficient is a second preset threat coefficient.
Or when the WEB port occupation ratio in the parameter information corresponding to the IP address is determined to be greater than a first WEB scanning and crawler threshold value and the average packet number is greater than a second WEB scanning and crawler threshold value, determining that the IP address is an illegal attack address, and acquiring attack characteristics corresponding to the IP address as WEB scanning and crawler characteristics, wherein the threat coefficient is a third preset threat coefficient.
In one possible embodiment, the first communication IP information comprises: a first communication IP address and a corresponding first communication port; the second communication IP information includes: the second communication IP address and the corresponding second communication port.
The first communication IP address is a destination IP address corresponding to the open source port, and the first communication port is a destination port corresponding to the open source port.
The second communication IP address is a destination IP address corresponding to the non-open source port, and the second communication port is a destination port corresponding to the non-open source port.
In one possible embodiment, the processing module 32 is specifically configured to:
when the type of the illegal behavior corresponding to the source IP address obtained through identification and monitoring is an attack type, determining the communication IP information matched with the attack type according to a first attack characteristic corresponding to the first communication IP information and a second attack characteristic corresponding to the second communication IP information, and obtaining an attack index according to the times of the illegal behavior and a threat coefficient corresponding to the communication IP information matched with the attack type.
And/or when the type of the illegal behavior corresponding to the source IP address acquired by the identification and monitoring is an illegal external connection type, determining the communication IP information matched with the illegal external connection type according to a first attack characteristic corresponding to the first communication IP information and a second attack characteristic corresponding to the second communication IP information, and acquiring an illegal external connection index according to the times of the illegal behavior and the threat coefficient corresponding to the communication IP information matched with the attack type.
Wherein the attack type matches an asset detection feature in the attack features; the illegal external connection type is matched with WEB scanning and crawler characteristics in the attack characteristics.
In a possible embodiment, the processing module 32 is specifically configured to:
sum the risk index value corresponding to the open source port and the index value corresponding to the illegal action to obtain the asset dynamic basic value;
for each index value, judge whether the index value is larger than the dynamic mean value corresponding to that index value, and if so, correct the index value to obtain the corrected index value;
acquire the asset dynamic value according to the index values which do not need to be corrected and the corrected index value.
Fig. 4 is a schematic structural diagram of a server provided in the present application, and as shown in fig. 4, the server 40 includes: a processor 41, a memory 42, and a communication interface 43; wherein, the memory 42 is used for storing executable instructions executable by the processor 41; processor 41 is configured to perform the solution of any of the method embodiments described above via execution of executable instructions.
Alternatively, the memory 42 may be separate or integrated with the processor 41.
Optionally, when the memory 42 is a device independent from the processor 41, the server 40 may further include: and the bus is used for connecting the devices.
The server is configured to execute the technical solution in any of the foregoing method embodiments, and the implementation principle and the technical effect are similar, which are not described herein again.
The embodiment of the present application further provides a readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the computer program implements the technical solutions provided by any of the foregoing embodiments.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, displayed data, etc.) referred to in the present application are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of the related data need to comply with the relevant laws and regulations and standards of the relevant country and region, and are provided with corresponding operation entrances for the user to choose authorization or denial.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. A network asset assessment processing method, comprising:
determining an open source port and a non-open source port from the source port according to a source IP address, a source port, a destination IP address and a destination port in the obtained IP data flow information of the network equipment to be detected, and obtaining a risk index value corresponding to the open source port;
respectively determining first communication IP information corresponding to the open source port and second communication IP information corresponding to the non-open source port from the destination IP address and the destination port;
querying a pre-configured illegal attack library, and respectively acquiring a first attack characteristic and a first threat coefficient corresponding to the first communication IP information and a second attack characteristic and a second threat coefficient corresponding to the second communication IP information;
identifying and monitoring the type of the obtained illegal behavior corresponding to the source IP address and the number of times of the illegal behavior, and obtaining an index value corresponding to the illegal behavior according to the type of the illegal behavior and the number of times of the illegal behavior, a first attack characteristic and a first threat coefficient corresponding to the first communication IP information, and/or a second attack characteristic and a second threat coefficient corresponding to the second communication IP information;
acquiring an asset dynamic basic value and an asset dynamic value according to a risk index value corresponding to the open source port, an index value corresponding to the illegal action and a dynamic mean value corresponding to each index value;
acquiring an asset evaluation value corresponding to the source IP address according to the acquired asset type, the acquired level and the acquired historical vulnerability information corresponding to the source IP address;
and acquiring an asset comprehensive evaluation result corresponding to the source IP address of the network equipment to be detected according to the asset dynamic basic value, the asset dynamic value and the asset evaluation value, so as to correspondingly manage the network corresponding to the network equipment to be detected according to the asset comprehensive evaluation result.
2. The method of claim 1, further comprising:
acquiring the asset information of the whole network, wherein the asset information of the whole network comprises: the IP address and the parameter information corresponding to the IP address;
for each IP address, according to the parameter information corresponding to the IP address and a preset attack threshold value, when the IP address is determined to be an illegal attack address, obtaining attack characteristics and threat coefficients corresponding to the IP address, and storing the IP address, the attack characteristics and the threat coefficients corresponding to the IP address into the preset illegal attack library.
3. The method according to claim 2, wherein the obtaining of the attack characteristics and the threat coefficients corresponding to the IP address when determining that the IP address is an illegal attack address according to the parameter information corresponding to the IP address and a preset attack threshold value comprises:
when it is determined that the ICMP proportion in the parameter information corresponding to the IP address is greater than a first asset detection threshold, the number of detected IP C segments is greater than or equal to a second asset detection threshold, and the number of detected IP B segments is greater than or equal to a third asset detection threshold, determining that the IP address is an illegal attack address, obtaining the attack characteristic corresponding to the IP address as an asset detection characteristic, and setting the threat coefficient to a first preset threat coefficient;
or,
when the port number ratio in the parameter information corresponding to the IP address is greater than a first full port scanning threshold or the port number is greater than a second full port scanning threshold, determining that the IP address is an illegal attack address, and obtaining the attack characteristic corresponding to the IP address as a full port scanning characteristic and the threat coefficient as a second preset threat coefficient;
or,
when it is determined that the WEB port proportion in the parameter information corresponding to the IP address is greater than a first WEB scanning and crawler threshold and the average packet number is greater than a second WEB scanning and crawler threshold, determining that the IP address is an illegal attack address, and obtaining the attack characteristic corresponding to the IP address as a WEB scanning and crawler characteristic and the threat coefficient as a third preset threat coefficient.
4. The method according to any of claims 1 to 3, wherein the first communication IP information comprises: a first communication IP address and a corresponding first communication port; the second communication IP information comprises: a second communication IP address and a corresponding second communication port;
the first communication IP address is a destination IP address corresponding to the open source port, and the first communication port is a destination port corresponding to the open source port;
the second communication IP address is a destination IP address corresponding to the non-open source port, and the second communication port is a destination port corresponding to the non-open source port.
5. The method according to claim 4, wherein the identifying and monitoring the type of the obtained illegal action corresponding to the source IP address and the number of times of the illegal action, and obtaining an index value corresponding to the illegal action according to the type of the illegal action and the number of times of the illegal action, a first attack characteristic and a first threat coefficient corresponding to the first communication IP information, and/or a second attack characteristic and a second threat coefficient corresponding to the second communication IP information, includes:
when the type of the illegal behavior corresponding to the source IP address, as obtained through monitoring, is identified as an attack type, determining the communication IP information matched with the attack type according to a first attack characteristic corresponding to the first communication IP information and a second attack characteristic corresponding to the second communication IP information, and obtaining an attack index according to the number of times of the illegal behavior and a threat coefficient corresponding to the communication IP information matched with the attack type;
and/or,
when the type of the illegal behavior corresponding to the source IP address, as obtained through monitoring, is identified as an illegal external connection type, determining the communication IP information matched with the illegal external connection type according to a first attack characteristic corresponding to the first communication IP information and a second attack characteristic corresponding to the second communication IP information, and obtaining an illegal external connection index according to the number of times of the illegal behavior and a threat coefficient corresponding to the communication IP information matched with the attack type;
wherein an attack type is matched with an asset detection feature in the attack features; and matching the illegal external connection type with WEB scanning and crawler characteristics in the attack characteristics.
6. The method of claim 5, wherein the obtaining the dynamic basic value and the dynamic value of the asset according to the risk index value corresponding to the open source port, the index value corresponding to the illegal action, and the dynamic mean value corresponding to each index value comprises:
summing the risk index value corresponding to the open source port and the index value corresponding to the illegal action to obtain the asset dynamic basic value;
for each index value, judging whether the index value is larger than the dynamic mean value corresponding to the index value, if so, correcting the index value to obtain a corrected index value;
and acquiring the asset dynamic value according to the index value which does not need to be corrected and the corrected index value.
7. A network asset assessment processing apparatus, comprising:
an obtaining module, configured to obtain a source IP address, a source port, a destination IP address, and a destination port in IP data flow information of a network device to be detected, determine an open source port and a non-open source port from the source port, and obtain a risk index value corresponding to the open source port;
a processing module, configured to determine, from the destination IP address and the destination port, first communication IP information corresponding to the open source port and second communication IP information corresponding to the non-open source port, respectively;
the obtaining module is further configured to query a preconfigured illegal attack library, and respectively obtain a first attack characteristic and a first threat coefficient corresponding to the first communication IP information, and a second attack characteristic and a second threat coefficient corresponding to the second communication IP information;
the processing module is further configured to identify and monitor the type of the obtained illegal behavior corresponding to the source IP address and the number of times of the illegal behavior, and obtain an index value corresponding to the illegal behavior according to the type of the illegal behavior and the number of times of the illegal behavior, a first attack characteristic and a first threat coefficient corresponding to the first communication IP information, and/or a second attack characteristic and a second threat coefficient corresponding to the second communication IP information;
the processing module is further configured to obtain an asset dynamic basic value and an asset dynamic value according to a risk index value corresponding to the open source port, an index value corresponding to the illegal action, and a dynamic mean value corresponding to each index value;
the processing module is further configured to obtain an asset evaluation value corresponding to the source IP address according to the obtained asset type, the obtained level and the obtained historical vulnerability information corresponding to the source IP address;
the processing module is further configured to obtain an asset comprehensive evaluation result corresponding to the source IP address of the to-be-detected network device according to the asset dynamic basic value, the asset dynamic value, and the asset evaluation value, so as to perform corresponding management on the network corresponding to the to-be-detected network device according to the asset comprehensive evaluation result.
8. The apparatus of claim 7, wherein the obtaining module is further configured to:
acquiring the asset information of the whole network, wherein the asset information of the whole network comprises: an IP address and parameter information corresponding to the IP address;
for each IP address, according to the parameter information corresponding to the IP address and a preset attack threshold value, when the IP address is determined to be an illegal attack address, obtaining attack characteristics and threat coefficients corresponding to the IP address, and storing the IP address, the attack characteristics and the threat coefficients corresponding to the IP address into the preset illegal attack library.
9. A server, comprising:
a processor, a memory, a communication interface;
the memory is used for storing executable instructions executable by the processor;
wherein the processor is configured to perform the network asset assessment processing method of any of claims 1 to 6 via execution of the executable instructions.
10. A readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the network asset assessment processing method of any one of claims 1 to 6.
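The library-building step of claims 2 and 3, as an added Python example that is not code from the patent or its applicants: it derives per-IP parameter information from flow records and applies the three alternative threshold rules in claim order. Every threshold value, threat coefficient, the WEB port set, the port-ratio definition, the reading of the C and B counts as distinct /24 and /16 destination prefixes, and the sample flows are assumptions, because the claims name these quantities without giving values.

```python
from collections import defaultdict
from ipaddress import ip_network

# Assumed values: the claims name these thresholds and coefficients but give no numbers.
TH = {"icmp": 0.8, "c_seg": 3, "b_seg": 2, "port_ratio": 0.5,
      "port_count": 1000, "web": 0.9, "avg_pkts": 20}
COEFF = {"asset_detection": 0.6, "full_port_scan": 0.8, "web_scan_crawler": 0.7}
WEB_PORTS = {80, 443, 8080, 8443}  # assumed meaning of "WEB port"

def parameters(flows):
    """Aggregate (src, dst, proto, dport, packets) flow tuples per source IP."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[0]].append(f)
    out = {}
    for src, fs in by_src.items():
        ports = {f[3] for f in fs if f[2] in ("tcp", "udp")}
        out[src] = {
            "icmp": sum(f[2] == "icmp" for f in fs) / len(fs),
            # Assumed reading: C/B counts are distinct /24 and /16 destination prefixes.
            "c_seg": len({ip_network(f"{f[1]}/24", strict=False) for f in fs}),
            "b_seg": len({ip_network(f"{f[1]}/16", strict=False) for f in fs}),
            "port_count": len(ports),
            "port_ratio": len(ports) / 65535,  # assumed: share of the port space
            "web": sum(f[3] in WEB_PORTS for f in fs) / len(fs),
            "avg_pkts": sum(f[4] for f in fs) / len(fs),
        }
    return out

def classify(p):
    """Apply the three alternative rules of claim 3 in claim order; None if none fires."""
    if p["icmp"] > TH["icmp"] and p["c_seg"] >= TH["c_seg"] and p["b_seg"] >= TH["b_seg"]:
        return "asset_detection"
    if p["port_ratio"] > TH["port_ratio"] or p["port_count"] > TH["port_count"]:
        return "full_port_scan"
    if p["web"] > TH["web"] and p["avg_pkts"] > TH["avg_pkts"]:
        return "web_scan_crawler"
    return None

def build_library(flows):
    """Return {ip: (attack_feature, threat_coefficient)} for flagged addresses only."""
    hits = ((ip, classify(p)) for ip, p in parameters(flows).items())
    return {ip: (feat, COEFF[feat]) for ip, feat in hits if feat}

# Constructed sample flows (not data from the patent): a prober, a port scanner,
# a heavy WEB client, and an ordinary low-volume WEB client.
FLOWS = (
    [("198.51.100.7", f"10.{b}.{c}.1", "icmp", 0, 1) for b in (1, 2) for c in (1, 2)]
    + [("198.51.100.8", "10.1.1.5", "tcp", port, 2) for port in range(1, 1202)]
    + [("198.51.100.9", "10.1.1.5", "tcp", 443, 40) for _ in range(5)]
    + [("10.1.1.20", "10.1.1.5", "tcp", 443, 6) for _ in range(5)]
)

if __name__ == "__main__":
    for ip, entry in build_library(FLOWS).items():
        print(ip, *entry)
```

The fourth source, whose traffic is entirely to a WEB port but with a low average packet count, stays out of the library because the WEB rule requires both conditions.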
CN202211507077.9A 2022-11-29 2022-11-29 Network asset evaluation processing method, device, server and medium Active CN115834219B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211507077.9A CN115834219B (en) 2022-11-29 2022-11-29 Network asset evaluation processing method, device, server and medium

Publications (2)

Publication Number Publication Date
CN115834219A true CN115834219A (en) 2023-03-21
CN115834219B CN115834219B (en) 2024-05-17

Family

ID=85532452

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant