CN115834219A - Network asset evaluation processing method, device, server and medium - Google Patents
- Publication number: CN115834219A (application CN202211507077.9A)
- Authority: CN (China)
- Prior art keywords: address, asset, attack, illegal, information
- Legal status: Granted (Google's caveat: the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Description
Technical field
The present application relates to the field of network security, and in particular to a network asset assessment processing method, apparatus, server and medium.
Background
As Internet technology develops, network security risk grows rapidly. Knowing the health of network asset addresses in good time, and assessing that health, shows what network security risk the servers behind those addresses face.
In the prior art, large enterprises deploy probes at the network boundary between the enterprise intranet and the public network, collect the security logs of traffic between the intranet and the public network, monitor those logs to obtain the health status of the intranet's network asset addresses, and assess that status.
The prior art, however, can only assess the health of network asset addresses on the enterprise intranet; it cannot assess the threat posed by the public network, which is a real limitation.
Summary of the invention
The present application provides a network asset assessment processing method, apparatus, server and medium, to solve the problem in the prior art that only the health of intranet asset addresses can be assessed.
In a first aspect, the present application provides a network asset assessment processing method, comprising:
From the source IP address, source port, destination IP address and destination port in the acquired IP flow information of the network device to be checked, determining the open source ports and the non-open source ports among the source ports (an open source port is a source port that is an open, i.e. listening, port of the device; every other source port is a non-open source port), and obtaining the risk indicator value corresponding to each open source port.
From the destination IP addresses and destination ports, determining first connected-IP information corresponding to the open source ports and second connected-IP information corresponding to the non-open source ports, respectively.
Querying a pre-configured illegal-attack library to obtain, respectively, a first attack feature and a first threat coefficient corresponding to the first connected-IP information, and a second attack feature and a second threat coefficient corresponding to the second connected-IP information.
Identifying the type and the number of occurrences of illegal behaviour corresponding to the source IP address obtained by monitoring, and obtaining the indicator value corresponding to the illegal behaviour from that type and count together with the first attack feature and first threat coefficient of the first connected-IP information and/or the second attack feature and second threat coefficient of the second connected-IP information.
Obtaining an asset dynamic base value and an asset dynamic value from the risk indicator values of the open source ports, the indicator values of the illegal behaviour, and the dynamic mean corresponding to each indicator value.
Obtaining an asset assessment value for the source IP address from the acquired asset type, level and historical vulnerability information of that address.
Obtaining, from the asset dynamic base value, the asset dynamic value and the asset assessment value, a comprehensive asset assessment result for the source IP address of the network device to be checked, so that the network to which the device belongs can be managed accordingly on the basis of that result.
In a specific embodiment, the method further comprises:
Acquiring network-wide asset information, the network-wide asset information comprising IP addresses and the parameter information corresponding to each IP address.
For each IP address, when the IP address is determined from its parameter information and preset attack thresholds to be an illegal attack address, obtaining the attack feature and threat coefficient corresponding to that IP address, and storing the IP address together with its attack feature and threat coefficient in the pre-configured illegal-attack library.
In a specific embodiment, determining from the parameter information and the preset attack thresholds that the IP address is an illegal attack address, and obtaining its attack feature and threat coefficient, comprises:
When the ICMP proportion in the parameter information of the IP address is greater than a first asset-probing threshold, the number of probed IPs within the same C segment (/24) is greater than or equal to a second asset-probing threshold, and the number of probed IPs within the same B segment (/16) is greater than or equal to a third asset-probing threshold, determining that the IP address is an illegal attack address, with the attack feature being an asset-probing feature and the threat coefficient being a first preset threat coefficient.
Or,
When the port-count ratio in the parameter information is greater than a first full-port-scan threshold, or the number of ports is greater than a second full-port-scan threshold, determining that the IP address is an illegal attack address, with the attack feature being a full-port-scan feature and the threat coefficient being a second preset threat coefficient.
Or,
When the proportion of web ports in the parameter information is greater than a first web-scan-and-crawler threshold and the average packet count is greater than a second web-scan-and-crawler threshold, determining that the IP address is an illegal attack address, with the attack feature being a web-scan-and-crawler feature and the threat coefficient being a third preset threat coefficient.
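The three threshold rules above, written out as an added Python example; this is not code from the patent. The page names the parameters (ICMP proportion, probed IPs per /24 and per /16, port-count ratio, port count, web-port proportion, average packets) but gives neither threshold values nor threat coefficients, so every number, the field names of the per-IP record and the choice that the first matching rule wins when several match (the page joins the rules with "or" and does not say) are assumptions. The in-memory dict stands in for the pre-configured illegal-attack library, and the sample addresses are constructed.

```python
"""Build the illegal-attack library from network-wide per-IP statistics.

Added example, not the patent's code. Thresholds, threat coefficients,
field names and sample records are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Attack features named in the patent text
ASSET_PROBING = "asset_probing"
FULL_PORT_SCAN = "full_port_scan"
WEB_SCAN_CRAWLER = "web_scan_crawler"

# Assumed preset thresholds (the patent only says they are preset)
THRESHOLDS = {
    "icmp_ratio": 0.5,        # first asset-probing threshold
    "same_c_segment": 20,     # second: distinct probed IPs inside one /24
    "same_b_segment": 50,     # third: distinct probed IPs inside one /16
    "port_count_ratio": 0.8,  # first full-port-scan threshold
    "port_count": 1000,       # second full-port-scan threshold
    "web_port_share": 0.9,    # first web-scan-and-crawler threshold
    "avg_packets": 30.0,      # second web-scan-and-crawler threshold
}
# Assumed first/second/third preset threat coefficients
THREAT_COEFFICIENTS = {ASSET_PROBING: 0.6, FULL_PORT_SCAN: 0.8, WEB_SCAN_CRAWLER: 0.4}


@dataclass(frozen=True)
class IpParameters:
    """Parameter information of one IP address (assumed field names)."""
    icmp_ratio: float
    same_c_segment: int
    same_b_segment: int
    port_count_ratio: float
    port_count: int
    web_port_share: float
    avg_packets: float


def classify(p: IpParameters, t: Dict[str, float] = THRESHOLDS) -> Optional[Tuple[str, float]]:
    """Return (attack_feature, threat_coefficient), or None if no rule fires.

    Rules are checked in the order the patent lists them; the first match
    wins (assumption: the page does not say how overlapping matches are resolved).
    """
    if (p.icmp_ratio > t["icmp_ratio"]
            and p.same_c_segment >= t["same_c_segment"]
            and p.same_b_segment >= t["same_b_segment"]):
        return ASSET_PROBING, THREAT_COEFFICIENTS[ASSET_PROBING]
    if p.port_count_ratio > t["port_count_ratio"] or p.port_count > t["port_count"]:
        return FULL_PORT_SCAN, THREAT_COEFFICIENTS[FULL_PORT_SCAN]
    if p.web_port_share > t["web_port_share"] and p.avg_packets > t["avg_packets"]:
        return WEB_SCAN_CRAWLER, THREAT_COEFFICIENTS[WEB_SCAN_CRAWLER]
    return None


def build_attack_library(assets: Dict[str, IpParameters]) -> Dict[str, Tuple[str, float]]:
    """Walk the network-wide asset info and store every illegal attack address
    with its attack feature and threat coefficient."""
    library: Dict[str, Tuple[str, float]] = {}
    for ip, params in assets.items():
        verdict = classify(params)
        if verdict is not None:
            library[ip] = verdict
    return library


# Constructed sample records (documentation-range addresses, not real data)
SAMPLE_ASSETS = {
    "203.0.113.10": IpParameters(0.7, 40, 120, 0.1, 12, 0.2, 5.0),    # ICMP sweep of /24s
    "198.51.100.7": IpParameters(0.05, 2, 3, 0.95, 4000, 0.1, 3.0),   # full port scan
    "192.0.2.33": IpParameters(0.0, 1, 1, 0.2, 6, 0.97, 80.0),        # web crawler
    "192.0.2.50": IpParameters(0.01, 1, 1, 0.1, 3, 0.5, 10.0),        # nothing fires
}

if __name__ == "__main__":
    for ip, (feature, coeff) in build_attack_library(SAMPLE_ASSETS).items():
        print(f"{ip}: {feature} (threat coefficient {coeff})")
```

The asset-probing rule needs all three conditions, which is what separates a host sweeping whole /24 and /16 ranges with ICMP from a monitoring box that pings a handful of known hosts; the other two rules fire on a single condition each, so their thresholds deserve more care when they are tuned.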
In a specific embodiment, the first connected-IP information comprises a first connected IP address and the corresponding first connected port; the second connected-IP information comprises a second connected IP address and the corresponding second connected port.
The first connected IP address is the destination IP address corresponding to the open source port, and the first connected port is the destination port corresponding to the open source port.
The second connected IP address is the destination IP address corresponding to the non-open source port, and the second connected port is the destination port corresponding to the non-open source port.
In a specific embodiment, identifying the type and count of illegal behaviour corresponding to the monitored source IP address, and obtaining the indicator value of the illegal behaviour from that type and count together with the first attack feature and first threat coefficient of the first connected-IP information and/or the second attack feature and second threat coefficient of the second connected-IP information, comprises:
When the type of illegal behaviour identified for the source IP address is an attack type, determining from the first attack feature of the first connected-IP information and the second attack feature of the second connected-IP information which connected-IP information matches the attack type, and obtaining an attack indicator from the count of the illegal behaviour and the threat coefficient of the matching connected-IP information.
And/or,
When the type of illegal behaviour identified for the source IP address is an illegal-outbound-connection type, determining from the first attack feature of the first connected-IP information and the second attack feature of the second connected-IP information which connected-IP information matches the illegal-outbound-connection type, and obtaining an illegal-outbound-connection indicator from the count of the illegal behaviour and the threat coefficient of the matching connected-IP information.
The attack type matches the asset-probing feature among the attack features; the illegal-outbound-connection type matches the web-scan-and-crawler feature.
In a specific embodiment, obtaining the asset dynamic base value and the asset dynamic value from the risk indicator values of the open source ports, the indicator values of the illegal behaviour, and the dynamic mean of each indicator value, comprises:
Summing the risk indicator values of the open source ports and the indicator values of the illegal behaviour to obtain the asset dynamic base value.
For each indicator value, judging whether it is greater than its dynamic mean and, if so, correcting the indicator value to obtain a corrected indicator value.
Obtaining the asset dynamic value from the indicator values that needed no correction together with the corrected indicator values.
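The scoring steps of the first aspect end to end (split flows by open and non-open source port, look the connected IPs up in the library, compute the attack and illegal-outbound-connection indicators, the dynamic base value and the corrected dynamic value, the asset assessment value and the comprehensive result), as an added Python example that is not the patent's code. The page does not give formulas for the indicators, the correction or the final combination, so "count times the threat coefficient of the matching connected IPs", "clamp an indicator above its dynamic mean down to that mean", and a weighted sum are assumptions, as are the asset-type table, the weights, the sample flows and the library entries, all of which are constructed here.

```python
"""Asset scoring pipeline of the first aspect.

Added example, not the patent's code. Indicator, correction and
combination formulas are assumptions; all inputs are constructed.
"""
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    """One record of the device's IP flow information."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Attack features as named in the patent
ASSET_PROBING, FULL_PORT_SCAN, WEB_SCAN_CRAWLER = "asset_probing", "full_port_scan", "web_scan_crawler"
# Illegal-behaviour type -> attack feature it matches (stated on the page)
BEHAVIOUR_MATCH = {"attack": ASSET_PROBING, "illegal_outbound": WEB_SCAN_CRAWLER}
ASSET_TYPE_SCORE = {"web_server": 3.0, "database": 4.0, "workstation": 1.0}  # assumed table

Peer = Tuple[str, int]
Library = Dict[str, Tuple[str, float]]


def split_by_source_port(flows: Iterable[Flow], open_ports: Set[int]) -> Tuple[List[Peer], List[Peer]]:
    """Steps 1-2: flows leaving an open (listening) source port give the first
    connected-IP info; flows leaving any other source port give the second."""
    first: List[Peer] = []
    second: List[Peer] = []
    for f in flows:
        (first if f.src_port in open_ports else second).append((f.dst_ip, f.dst_port))
    return first, second


def lookup_library(peers: Iterable[Peer], library: Library) -> Library:
    """Step 3: attack feature and threat coefficient of each connected IP found in the library."""
    return {ip: library[ip] for ip, _port in peers if ip in library}


def illegal_behaviour_indicators(behaviours: Dict[str, int], first_hits: Library,
                                 second_hits: Library) -> Dict[str, float]:
    """Step 4 (assumed formula): indicator = count x sum of threat coefficients of
    the connected IPs, from either set, whose attack feature matches the type."""
    hits = list(first_hits.values()) + list(second_hits.values())
    out: Dict[str, float] = {}
    for btype, count in behaviours.items():
        feature = BEHAVIOUR_MATCH[btype]
        out[btype] = count * sum(c for f, c in hits if f == feature)
    return out


def dynamic_values(open_port_risk: Dict[str, float], behaviour_indicators: Dict[str, float],
                   dynamic_means: Dict[str, float]) -> Tuple[float, float]:
    """Step 5: base value is the plain sum; dynamic value is the sum after each
    indicator above its dynamic mean is corrected (assumed: clamped to the mean)."""
    values = {**open_port_risk, **behaviour_indicators}
    base = sum(values.values())
    corrected = {k: min(v, dynamic_means.get(k, v)) for k, v in values.items()}
    return base, sum(corrected.values())


def asset_assessment_value(asset_type: str, level: int, history_vulns: List[str]) -> float:
    """Step 6 (assumed formula) from asset type, level and historical vulnerabilities."""
    return ASSET_TYPE_SCORE[asset_type] * level + 0.5 * len(history_vulns)


def comprehensive_result(base: float, dynamic: float, assessment: float,
                         w: Tuple[float, float, float] = (0.3, 0.4, 0.3)) -> float:
    """Step 7 (assumed): weighted sum of the three values."""
    return w[0] * base + w[1] * dynamic + w[2] * assessment


def assess(flows, open_ports, open_port_risk, library, behaviours, dynamic_means,
           asset_type, level, history_vulns) -> Dict[str, float]:
    first, second = split_by_source_port(flows, open_ports)
    indicators = illegal_behaviour_indicators(
        behaviours, lookup_library(first, library), lookup_library(second, library))
    base, dynamic = dynamic_values(open_port_risk, indicators, dynamic_means)
    assessment = asset_assessment_value(asset_type, level, history_vulns)
    return {"base": base, "dynamic": dynamic, "assessment": assessment,
            "result": comprehensive_result(base, dynamic, assessment)}


# Constructed sample input for device 10.0.0.5 (not from the patent)
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 443, "203.0.113.10", 51000),  # reply on open port 443 to a probing host
    Flow("10.0.0.5", 22, "203.0.113.11", 51001),   # reply on open port 22, peer not in library
    Flow("10.0.0.5", 51234, "192.0.2.33", 80),     # device-initiated session to a crawler host
]
SAMPLE_OPEN_PORTS = {22, 443}
SAMPLE_OPEN_PORT_RISK = {"port_22": 2.0, "port_443": 1.0}
SAMPLE_LIBRARY: Library = {"203.0.113.10": (ASSET_PROBING, 0.6), "192.0.2.33": (WEB_SCAN_CRAWLER, 0.4)}
SAMPLE_BEHAVIOURS = {"attack": 5, "illegal_outbound": 3}
SAMPLE_MEANS = {"port_22": 2.0, "port_443": 1.0, "attack": 2.0, "illegal_outbound": 5.0}

if __name__ == "__main__":
    print(assess(SAMPLE_FLOWS, SAMPLE_OPEN_PORTS, SAMPLE_OPEN_PORT_RISK, SAMPLE_LIBRARY,
                 SAMPLE_BEHAVIOURS, SAMPLE_MEANS, "web_server", 2, ["historical-finding-1"]))
```

The split on source port is what makes one flow feed serve both directions: a flow leaving a listening port is the device answering a session a remote host opened toward it, while a flow leaving a non-open port is a session the device opened itself, which is where an illegal outbound connection to a known-bad host shows up.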
In a second aspect, the present application provides a network asset assessment processing apparatus, comprising:
An acquisition module, configured to acquire the source IP address, source port, destination IP address and destination port in the IP flow information of the network device to be checked, determine the open source ports and non-open source ports among the source ports, and obtain the risk indicator value corresponding to each open source port.
A processing module, configured to determine, from the destination IP addresses and destination ports, first connected-IP information corresponding to the open source ports and second connected-IP information corresponding to the non-open source ports, respectively.
The acquisition module is further configured to query the pre-configured illegal-attack library to obtain, respectively, the first attack feature and first threat coefficient corresponding to the first connected-IP information, and the second attack feature and second threat coefficient corresponding to the second connected-IP information.
The processing module is further configured to identify the type and count of illegal behaviour corresponding to the monitored source IP address, and to obtain the indicator value of the illegal behaviour from that type and count together with the first attack feature and first threat coefficient of the first connected-IP information and/or the second attack feature and second threat coefficient of the second connected-IP information.
The processing module is further configured to obtain the asset dynamic base value and the asset dynamic value from the risk indicator values of the open source ports, the indicator values of the illegal behaviour, and the dynamic mean of each indicator value.
The processing module is further configured to obtain the asset assessment value of the source IP address from the acquired asset type, level and historical vulnerability information of that address.
The processing module is further configured to obtain, from the asset dynamic base value, the asset dynamic value and the asset assessment value, the comprehensive asset assessment result for the source IP address of the network device to be checked, so that the network to which the device belongs can be managed accordingly on the basis of that result.
In a specific embodiment, the acquisition module is further configured to:
Acquire network-wide asset information, the network-wide asset information comprising IP addresses and the parameter information corresponding to each IP address.
For each IP address, when the IP address is determined from its parameter information and preset attack thresholds to be an illegal attack address, obtain the attack feature and threat coefficient corresponding to that IP address, and store the IP address together with its attack feature and threat coefficient in the pre-configured illegal-attack library.
In a specific embodiment, the acquisition module is specifically configured to:
When the ICMP proportion in the parameter information of the IP address is greater than a first asset-probing threshold, the number of probed IPs within the same C segment (/24) is greater than or equal to a second asset-probing threshold, and the number of probed IPs within the same B segment (/16) is greater than or equal to a third asset-probing threshold, determine that the IP address is an illegal attack address, with the attack feature being an asset-probing feature and the threat coefficient being a first preset threat coefficient.
Or,
When the port-count ratio in the parameter information is greater than a first full-port-scan threshold, or the number of ports is greater than a second full-port-scan threshold, determine that the IP address is an illegal attack address, with the attack feature being a full-port-scan feature and the threat coefficient being a second preset threat coefficient.
Or,
When the proportion of web ports in the parameter information is greater than a first web-scan-and-crawler threshold and the average packet count is greater than a second web-scan-and-crawler threshold, determine that the IP address is an illegal attack address, with the attack feature being a web-scan-and-crawler feature and the threat coefficient being a third preset threat coefficient.
In a specific embodiment, the first connected-IP information comprises a first connected IP address and the corresponding first connected port; the second connected-IP information comprises a second connected IP address and the corresponding second connected port.
The first connected IP address is the destination IP address corresponding to the open source port, and the first connected port is the destination port corresponding to the open source port.
The second connected IP address is the destination IP address corresponding to the non-open source port, and the second connected port is the destination port corresponding to the non-open source port.
In a specific embodiment, the processing module is specifically configured to:
When the type of illegal behaviour identified for the monitored source IP address is an attack type, determine from the first attack feature of the first connected-IP information and the second attack feature of the second connected-IP information which connected-IP information matches the attack type, and obtain an attack indicator from the count of the illegal behaviour and the threat coefficient of the matching connected-IP information.
And/or,
When the type of illegal behaviour identified for the monitored source IP address is an illegal-outbound-connection type, determine from the first attack feature of the first connected-IP information and the second attack feature of the second connected-IP information which connected-IP information matches the illegal-outbound-connection type, and obtain an illegal-outbound-connection indicator from the count of the illegal behaviour and the threat coefficient of the matching connected-IP information.
The attack type matches the asset-probing feature among the attack features; the illegal-outbound-connection type matches the web-scan-and-crawler feature.
In a specific embodiment, the processing module is specifically configured to:
Sum the risk indicator values of the open source ports and the indicator values of the illegal behaviour to obtain the asset dynamic base value.
For each indicator value, judge whether it is greater than its dynamic mean and, if so, correct the indicator value to obtain a corrected indicator value.
Obtain the asset dynamic value from the indicator values that needed no correction together with the corrected indicator values.
In a third aspect, the present application provides a server, comprising:
a processor, a memory and a communication interface.
The memory is configured to store executable instructions executable by the processor.
The processor is configured to perform the network asset assessment processing method of the first aspect by executing the executable instructions.
In a fourth aspect, the present application provides a readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the network asset assessment processing method of the first aspect.
The present application provides a network asset assessment processing method, apparatus, server and medium. From the source IP address, source port, destination IP address and destination port in the acquired IP flow information of the network device to be checked, the open source ports and non-open source ports are determined among the source ports and the risk indicator value of each open source port is obtained; from the destination IP addresses and ports, first connected-IP information for the open source ports and second connected-IP information for the non-open source ports are determined; a pre-configured illegal-attack library is queried for the first attack feature and first threat coefficient of the first connected-IP information and the second attack feature and second threat coefficient of the second connected-IP information; the type and count of illegal behaviour corresponding to the monitored source IP address are identified and, together with the first attack feature and threat coefficient and/or the second attack feature and threat coefficient, used to obtain the indicator value of the illegal behaviour; the asset dynamic base value and asset dynamic value are obtained from the open-source-port risk indicator values, the illegal-behaviour indicator values and the dynamic mean of each indicator value; the asset assessment value of the source IP address is obtained from its asset type, level and historical vulnerability information; and the comprehensive asset assessment result for the source IP address is obtained from the asset dynamic base value, asset dynamic value and asset assessment value, so that the network to which the device belongs can be managed accordingly.
Compared with the prior art, which deploys probes at the boundary between the intranet and the public network, collects the security logs of their interaction and assesses only the health of intranet asset addresses, the present application derives the comprehensive assessment result of a device's source IP address from the indicator values of illegal behaviour on its open and non-open source ports, the risk indicator values of its open source ports, the dynamic mean of each indicator value and the asset assessment value of the address. It is therefore applicable to health assessment of asset addresses across the entire network, is generally applicable, and at the same time lowers the network threat risk to the asset behind the source IP address and improves security.
Description of the drawings
To explain the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed in describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of Embodiment 1 of a network asset assessment processing method provided by the present application;
FIG. 2 is a schematic flowchart of Embodiment 2 of a network asset assessment processing method provided by the present application;
FIG. 3 is a schematic structural diagram of an embodiment of a network asset assessment processing apparatus provided by the present application;
FIG. 4 is a schematic structural diagram of a server provided by the present application.
The above drawings show specific embodiments of the present application, which are described in more detail below. The drawings and textual description are not intended to limit the scope of the application's concept in any way, but to illustrate the concept to those skilled in the art by reference to specific embodiments.
Detailed description
To make the purposes, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that a person of ordinary skill in the art derives from these embodiments without creative effort fall within the scope of protection of the present application.
The terms "first", "second", "third", "fourth" and so on (if any) in the description, the claims and the above drawings are used to distinguish similar objects and do not necessarily describe a particular order or sequence. Data so used may be interchanged where appropriate, so that the embodiments described here can be practised in orders other than those illustrated or described. Furthermore, the terms "comprising" and "having" and any variants of them are intended to cover a non-exclusive inclusion: a process, method, system, product or server that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or server.
Explanation of technical terms:
Asset: chiefly the devices used in a computer (or communication) network, mainly hosts, network devices (routers, switches and the like) and security devices (firewalls and the like). In the present application, an asset refers to the IP address of a network device.
In the prior art, large enterprises deploy probes at the network boundary between the enterprise intranet and the public network, collect the security logs of traffic between the intranet and the public network, monitor those logs to obtain the health status of the intranet's network asset addresses, and assess that status. The prior art, however, can only assess the health of network asset addresses on the enterprise intranet and cannot assess the threat posed by the public network, which is a real limitation. The technical idea of the present application is therefore how to assess the health of asset addresses across the entire network.
The technical solution of the present application is described in detail below through specific embodiments. The specific embodiments below may be combined with one another, and the same or similar concepts or processes may not be repeated in some embodiments.
Fig. 1 is a schematic flowchart of Embodiment 1 of a network asset assessment processing method provided by this application. As shown in Fig. 1, the method includes the following steps:
Step S101: From the source IP address, source port, destination IP address and destination port in the obtained IP data flow information of the network device under inspection, determine the open source ports and the non-open source ports among the source ports, and obtain the risk indicator value corresponding to each open source port.
In this embodiment, different open source ports may correspond to different risk indicator values; specifically, the risk indicator value of an open source port is set according to actual requirements.
Step S102: From the destination IP addresses and destination ports, determine the first connected-IP information corresponding to the open source ports and the second connected-IP information corresponding to the non-open source ports.
Step S103: Query the pre-configured illegal-attack library to obtain the first attack feature and first threat coefficient corresponding to the first connected-IP information, and the second attack feature and second threat coefficient corresponding to the second connected-IP information.
In this embodiment, different attack features may correspond to different threat coefficients; specifically, the threat coefficients are set according to actual requirements.
Step S104: Identify the type and number of illegal behaviours corresponding to the monitored source IP address, and obtain the indicator value corresponding to the illegal behaviour from the type and number of illegal behaviours together with the first attack feature and first threat coefficient of the first connected-IP information and/or the second attack feature and second threat coefficient of the second connected-IP information.
In this embodiment, for example, the indicator values corresponding to illegal behaviour include at least an attack indicator and an illegal outbound-connection indicator.
Step S105: From the risk indicator values of the open source ports, the indicator values of the illegal behaviour, and the dynamic mean corresponding to each indicator value, obtain the asset dynamic base value and the asset dynamic value.
Step S106: From the obtained asset type, level and historical vulnerability information of the source IP address, obtain the asset assessment value corresponding to the source IP address.
Step S107: From the asset dynamic base value, the asset dynamic value and the asset assessment value, obtain the comprehensive asset assessment result corresponding to the source IP address of the network device under inspection, so that the network to which the device belongs can be managed accordingly on the basis of that result.
In this embodiment, the comprehensive asset assessment result for the source IP address of the network device under inspection is obtained from the indicator values of illegal behaviour on its open and non-open source ports, the risk indicator values of the open source ports, the dynamic mean of each indicator value, and the asset assessment value of the source IP address. Compared with the existing technology, which deploys probes at the boundary between the enterprise intranet and the public network, obtains and monitors the security logs of their interaction, and assesses only the health of the intranet's network asset addresses, this application can assess the health of asset addresses across the entire network, is generally applicable, and at the same time reduces the network threat risk to the assets behind the source IP addresses of network devices, improving security.
Fig. 2 is a schematic flowchart of Embodiment 2 of a network asset assessment processing method provided by this application. As shown in Fig. 2, the method includes the following steps:
Step S201: Obtain the asset information of the entire network.
In this embodiment, the asset information of the entire network includes IP addresses and the parameter information corresponding to each IP address.
Step S202: For each IP address, when the IP address is determined to be an illegal attack address according to its parameter information and the preset attack thresholds, obtain the attack feature and threat coefficient corresponding to the IP address, and store the IP address together with its attack feature and threat coefficient in the pre-configured illegal-attack library.
In this embodiment, the reference information is as shown in Table 1 (Reference information).
Table 1 Reference information
In this embodiment, when the ICMP ratio in the parameter information of an IP address is greater than the first asset-probing threshold, the number of probed IPs in the same C segment is greater than or equal to the second asset-probing threshold, and the number of probed IPs in the same B segment is greater than or equal to the third asset-probing threshold, the IP address is determined to be an illegal attack address, its attack feature is obtained as the asset-probing feature, and its threat coefficient is the first preset threat coefficient.
Specifically, the first asset-probing threshold may be 0.6, the second asset-probing threshold may be 1, the third asset-probing threshold may be 3, and the first preset threat coefficient is 0.1, where the threat coefficient is obtained from expert experience.
Alternatively, when the port-count ratio in the parameter information of the IP address is greater than the first full-port-scan threshold, or the number of ports is greater than the second full-port-scan threshold, the IP address is determined to be an illegal attack address, its attack feature is obtained as the full-port-scan feature, and its threat coefficient is the second preset threat coefficient.
Specifically, the first full-port-scan threshold may be 0.2, the second full-port-scan threshold may be 10, and the second preset threat coefficient is 0.2, where the threat coefficient is obtained from expert experience.
Alternatively, when the proportion of WEB ports in the parameter information of the IP address is greater than the first web-scanning-and-crawler threshold, and the average packet count is greater than the second web-scanning-and-crawler threshold, the IP address is determined to be an illegal attack address, its attack feature is obtained as the web-scanning-and-crawler feature, and its threat coefficient is the third preset threat coefficient.
Specifically, the first web-scanning-and-crawler threshold may be 0.8, the second web-scanning-and-crawler threshold may be 5, and the third preset threat coefficient is 0.3, where the threat coefficient is obtained from expert experience.
Specifically, the illegal-attack library is as shown in Table 2 (Example of illegal-attack library).
Table 2 Example of illegal-attack library
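The three threshold rules of Step S202 written out as a runnable classifier that populates the illegal-attack library. This is an added example, not code from the patent: the thresholds and threat coefficients are the values the description gives, while the parameter field names (icmp_ratio, same_c_count, port_count_ratio, web_port_share, avg_packets and so on) and the sample parameter records are assumptions constructed for the illustration, since Table 1 is not reproduced on the page.

```python
"""Illegal-attack library builder for Step S202 (added example).

Classifies each IP address by the three threshold rules of the description
(asset probing, full port scan, web scanning/crawling) and stores flagged
addresses with their attack feature and threat coefficient.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Thresholds and threat coefficients as given in the description (expert-derived).
ASSET_PROBE_ICMP_RATIO = 0.6      # first asset-probing threshold
ASSET_PROBE_SAME_C_MIN = 1        # second asset-probing threshold
ASSET_PROBE_SAME_B_MIN = 3        # third asset-probing threshold
FULL_SCAN_PORT_RATIO = 0.2        # first full-port-scan threshold
FULL_SCAN_PORT_COUNT = 10         # second full-port-scan threshold
WEB_SCAN_WEB_PORT_SHARE = 0.8     # first web-scanning-and-crawler threshold
WEB_SCAN_AVG_PACKETS = 5          # second web-scanning-and-crawler threshold

THREAT_COEFFICIENT = {
    "asset_probing": 0.1,      # first preset threat coefficient
    "full_port_scan": 0.2,     # second preset threat coefficient
    "web_scan_crawler": 0.3,   # third preset threat coefficient
}


@dataclass(frozen=True)
class IpParams:
    """Parameter information for one IP address (field names are assumptions)."""
    ip: str
    icmp_ratio: float       # share of the address's flows that are ICMP
    same_c_count: int       # probed IPs in the same C segment
    same_b_count: int       # probed IPs in the same B segment
    port_count_ratio: float  # the description's "port-count ratio", taken as given
    port_count: int         # number of distinct ports touched
    web_port_share: float   # share of flows to WEB ports
    avg_packets: float      # average packets per flow


def classify(p: IpParams) -> Optional[str]:
    """Return the attack feature name, or None when no rule fires.
    The rules are checked in the order the description lists them."""
    if (p.icmp_ratio > ASSET_PROBE_ICMP_RATIO
            and p.same_c_count >= ASSET_PROBE_SAME_C_MIN
            and p.same_b_count >= ASSET_PROBE_SAME_B_MIN):
        return "asset_probing"
    if p.port_count_ratio > FULL_SCAN_PORT_RATIO or p.port_count > FULL_SCAN_PORT_COUNT:
        return "full_port_scan"
    if p.web_port_share > WEB_SCAN_WEB_PORT_SHARE and p.avg_packets > WEB_SCAN_AVG_PACKETS:
        return "web_scan_crawler"
    return None


def build_attack_library(records: Iterable[IpParams]) -> Dict[str, Tuple[str, float]]:
    """Map each flagged IP address to (attack feature, threat coefficient)."""
    library: Dict[str, Tuple[str, float]] = {}
    for rec in records:
        feature = classify(rec)
        if feature is not None:
            library[rec.ip] = (feature, THREAT_COEFFICIENT[feature])
    return library


# Constructed sample parameter records (not taken from the page's tables).
SAMPLE_RECORDS = [
    IpParams("1.1.1.10", 0.75, 4, 3, 0.05, 2, 0.10, 1.0),   # asset probing
    IpParams("1.1.1.20", 0.02, 0, 0, 0.05, 3, 0.95, 12.0),  # web scanning/crawler
    IpParams("1.1.1.30", 0.01, 0, 0, 0.05, 40, 0.20, 2.0),  # full port scan (port count)
    IpParams("1.1.1.40", 0.10, 1, 1, 0.10, 4, 0.50, 3.0),   # benign: no rule fires
]

if __name__ == "__main__":
    for ip, (feature, coef) in build_attack_library(SAMPLE_RECORDS).items():
        print(f"{ip:<10} {feature:<18} threat coefficient={coef}")
```

Because the rules are evaluated in order, an address that satisfies both the asset-probing and the full-port-scan conditions is recorded with the asset-probing feature (and the lower coefficient, 0.1); a deployment that wants the highest applicable coefficient would have to evaluate all three rules and take the maximum.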
Step S203: From the source IP address, source port, destination IP address and destination port in the obtained IP data flow information of the network device under inspection, determine the open source ports and the non-open source ports among the source ports, and obtain the risk indicator value corresponding to each open source port.
For example, Table 3 shows the real-time NetFlow information of the network device under inspection, whose IP address is 123.123.125.10.
Table 3 Real-time NetFlow information of the network device under inspection (IP 123.123.125.10)
From the table, the open source ports are 80 and 443, and the non-open source ports are 23241, 24521 and 3425. Each open source port corresponds to a unique risk indicator value, obtained from expert experience. Specifically, the risk indicator value of port 80 is 2 and that of port 443 is 1.
Step S204: From the destination IP addresses and destination ports, determine the first connected-IP information corresponding to the open source ports and the second connected-IP information corresponding to the non-open source ports.
In this embodiment, the first connected-IP information includes a first connected IP address and the corresponding first connected port; the second connected-IP information includes a second connected IP address and the corresponding second connected port.
The first connected IP address is the destination IP address corresponding to an open source port, and the first connected port is the destination port corresponding to an open source port.
The second connected IP address is the destination IP address corresponding to a non-open source port, and the second connected port is the destination port corresponding to a non-open source port.
From the example above, the destination IP addresses and destination ports corresponding to the open source ports and to the non-open source ports are as shown in Table 4 (Destination IP address and destination port).
Table 4 Destination IP address and destination port
Step S205: Query the pre-configured illegal-attack library to obtain the first attack feature and first threat coefficient corresponding to the first connected-IP information, and the second attack feature and second threat coefficient corresponding to the second connected-IP information.
In this embodiment, assume that the first attack feature corresponding to the first connected-IP information is asset probing with a first threat coefficient of 0.1, i.e. the destination IP address 1.1.1.10 reached from the open source ports has the attack feature asset probing and a threat coefficient of 0.1; and that the second attack feature corresponding to the second connected-IP information is web scanning and crawling with a second threat coefficient of 0.3, i.e. the destination IP address 1.1.1.20 reached from the non-open source ports has the attack feature web scanning and crawling and a threat coefficient of 0.3.
Step S206: Identify the type and number of illegal behaviours corresponding to the monitored source IP address, and obtain the indicator value corresponding to the illegal behaviour from the type and number of illegal behaviours together with the first attack feature and first threat coefficient of the first connected-IP information and/or the second attack feature and second threat coefficient of the second connected-IP information.
In this embodiment, when the type of illegal behaviour identified for the monitored source IP address is the attack type, the connected-IP information matching the attack type is determined from the first attack feature of the first connected-IP information and the second attack feature of the second connected-IP information, and the attack indicator is obtained from the number of illegal behaviours and the threat coefficient of the connected-IP information matching the attack type.
For example, following the example above, assume the network device under inspection has IP address 123.123.125.10. From the connected-IP information matching the attack type, the connected IP address (the destination IP) is 1.1.1.10 and the connected ports (the destination ports) are 12312, 12316, 12245 and 23453; the threat coefficient of destination IP 1.1.1.10 is 0.1. Assume that 123.123.125.10 was attacked 20 times; the attack indicator is then obtained by the first formula.
The first formula is:
Attack indicator = number of illegal behaviours × threat coefficient
Specifically, the attack indicator of the network device 123.123.125.10 is as shown in Table 5 (Number of illegal behaviours and attack indicator).
Table 5 Number of illegal behaviours and attack indicator
And/or, when the type of illegal behaviour identified for the monitored source IP address is the illegal outbound-connection type, the connected-IP information matching the illegal outbound-connection type is determined from the first attack feature of the first connected-IP information and the second attack feature of the second connected-IP information, and the illegal outbound-connection indicator is obtained from the number of illegal behaviours and the threat coefficient of the connected-IP information matching the attack type.
For example, following the example above, assume the network device under inspection has IP address 123.123.125.10. From the connected-IP information matching the illegal outbound-connection type, the connected IP address (the destination IP) is 1.1.1.20 and the connected port (the destination port) is port 80; the threat coefficient of destination IP 1.1.1.20 is 0.3. Assume that 123.123.125.10 was attacked 20 times; the illegal outbound-connection indicator is then obtained by the first formula.
Specifically, the illegal outbound-connection indicator of the network device 123.123.125.10 is as shown in Table 6 (Number of illegal behaviours and illegal outbound-connection indicator).
Table 6 Number of illegal behaviours and illegal outbound-connection indicator
In this embodiment, the attack type matches the asset-probing feature among the attack features, and the illegal outbound-connection type matches the web-scanning-and-crawler feature.
Step S207: From the risk indicator values of the open source ports, the indicator values of the illegal behaviour, and the dynamic mean corresponding to each indicator value, obtain the asset dynamic base value and the asset dynamic value.
In this embodiment, the risk indicator values of the open source ports and the indicator values of the illegal behaviour are summed to obtain the asset dynamic base value.
Following the example above, the open source ports are 80 and 443, with risk indicator values 2 and 1 respectively; the indicator values of illegal behaviour are the attack indicator, 2, and the illegal outbound-connection indicator, 6. The asset dynamic base value is therefore 2 + 1 + 2 + 6 = 11.
The sum of the risk indicator values of the open source ports is the open-source-port threat value.
For each indicator value, determine whether it is greater than its dynamic mean; if it is, apply a correction to obtain the corrected indicator value.
Specifically, assume the dynamic mean of the open-source-port threat value is 3, that of the attack indicator is 2 and that of the illegal outbound-connection indicator is 2. The illegal outbound-connection indicator exceeds its dynamic mean, so it is corrected according to the second formula.
The second formula is:
Corrected value = dynamic mean + overflow value / (overflow value + dynamic mean) × dynamic mean
The corrected illegal outbound-connection indicator is therefore 2 + 6/(6 + 2) × 2 = 3.5.
The asset dynamic value is obtained from the indicator values that need no correction together with the corrected indicator values.
Following the example above, asset dynamic value = 2 + 1 + 2 + 3.5 = 8.5.
Step S208: From the obtained asset type, level and historical vulnerability information of the source IP address, obtain the asset assessment value corresponding to the source IP address.
Specifically, the asset assessment value can be read from Table 7 (Assessment indicators and scores).
Table 7 Assessment indicators and scores
Assume the network device under inspection with IP address 123.123.125.10 scores 35 for asset type because it exposes a WEB service, 30 for classified-protection (等保) level 3, and 15 for having had medium- and low-severity vulnerabilities in the past; its asset assessment value is then 35 + 30 + 15 = 80.
Step S209: From the asset dynamic base value, the asset dynamic value and the asset assessment value, obtain the comprehensive asset assessment result corresponding to the source IP address of the network device under inspection, so that the network to which the device belongs can be managed accordingly on the basis of that result.
In this embodiment, the comprehensive asset assessment result is obtained by the third formula:
Comprehensive asset assessment = asset assessment value × asset dynamic coefficient
where the asset dynamic coefficient is obtained by the fourth formula:
Asset dynamic coefficient = sum of dynamic means / asset dynamic value
Following the example above, the asset dynamic coefficient of the network device 123.123.125.10 = (3 + 2 + 2)/8.5 ≈ 0.94.
Its comprehensive asset assessment = 80 × 0.94 = 75.
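Steps S203 to S209 carried through in code for the page's device 123.123.125.10, as an added example that is not the patent's own implementation. The port risk values, threat coefficients, dynamic means, behaviour counts and assessment value are the page's; the flow records and the set of listening ports are assumptions reconstructed from the description, because Table 3 is not reproduced. Two points worth checking against the text: the page's worked second-formula example substitutes the whole indicator value (6) for the "overflow value", which this code reproduces; and applying the fourth formula literally to the page's own figures gives (3 + 2 + 2)/8.5 ≈ 0.82, whereas the page prints ≈ 0.94 (the value of 8/8.5), so the code returns the former.

```python
"""Asset scoring pipeline of Steps S203-S209 (added example, not the patent's code)."""
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

# Constructed NetFlow-style records for 123.123.125.10: (src_port, dst_ip, dst_port).
FLOWS = [
    (80, "1.1.1.10", 12312), (80, "1.1.1.10", 12316),
    (443, "1.1.1.10", 12245), (443, "1.1.1.10", 23453),
    (23241, "1.1.1.20", 80), (24521, "1.1.1.20", 80), (3425, "1.1.1.20", 80),
]
OPEN_PORTS = {80, 443}              # assumption: the device's listening (open source) ports
PORT_RISK = {80: 2, 443: 1}         # risk indicator value per open source port (page values)
ATTACK_LIBRARY = {                  # the two illegal-attack library entries the page uses
    "1.1.1.10": ("asset_probing", 0.1),
    "1.1.1.20": ("web_scan_crawler", 0.3),
}
# Illegal-behaviour type -> attack feature it matches (the page's mapping).
TYPE_TO_FEATURE = {"attack": "asset_probing", "illegal_outbound": "web_scan_crawler"}
DYNAMIC_MEAN = {"open_port_threat": 3, "attack": 2, "illegal_outbound": 2}


def split_connections(flows: Iterable[Tuple[int, str, int]], open_ports: Set[int]):
    """Steps S203/S204: group destination (ip -> ports) by whether the source port is
    open (first connected-IP information) or not (second connected-IP information)."""
    first: Dict[str, Set[int]] = defaultdict(set)
    second: Dict[str, Set[int]] = defaultdict(set)
    for sport, dip, dport in flows:
        (first if sport in open_ports else second)[dip].add(dport)
    return dict(first), dict(second)


def behaviour_indicator(kind: str, count: int, first, second, library) -> float:
    """Steps S205/S206, first formula: number of illegal behaviours times the threat
    coefficient of the connected IP whose library feature matches the behaviour type."""
    wanted = TYPE_TO_FEATURE[kind]
    for dip in list(first) + list(second):
        feature, coef = library.get(dip, (None, 0.0))
        if feature == wanted:
            return count * coef
    return 0.0   # no matching connected IP: the behaviour contributes nothing


def correct(value: float, mean: float) -> float:
    """Second formula, applied only when the indicator exceeds its dynamic mean.
    Follows the page's worked example, which uses the full indicator value as the
    overflow value."""
    if value <= mean:
        return value
    return mean + value / (value + mean) * mean


def score(flows, counts: Dict[str, int], open_ports=OPEN_PORTS, library=ATTACK_LIBRARY,
          port_risk=PORT_RISK, means=DYNAMIC_MEAN, assessment_value: float = 80):
    """Steps S207-S209 for one device; returns every intermediate value."""
    first, second = split_connections(flows, open_ports)
    open_threat = sum(port_risk[p] for p in open_ports)   # open-source-port threat value
    ind = {k: behaviour_indicator(k, counts[k], first, second, library)
           for k in ("attack", "illegal_outbound")}
    base = open_threat + sum(ind.values())                 # asset dynamic base value
    dynamic = (correct(open_threat, means["open_port_threat"])
               + sum(correct(v, means[k]) for k, v in ind.items()))  # asset dynamic value
    coefficient = sum(means.values()) / dynamic            # fourth formula
    return {
        "open_port_threat": open_threat, "attack": ind["attack"],
        "illegal_outbound": ind["illegal_outbound"], "base": base,
        "dynamic": dynamic, "coefficient": coefficient,
        "composite": assessment_value * coefficient,       # third formula
    }


if __name__ == "__main__":
    for name, value in score(FLOWS, {"attack": 20, "illegal_outbound": 20}).items():
        print(f"{name:<18} {value:.4g}")
```

Running it reproduces the page's intermediate values (attack indicator 2, illegal outbound-connection indicator 6, base value 11, dynamic value 8.5) and then applies the stated fourth formula, so the coefficient comes out as 7/8.5 rather than the printed 0.94. The correction step is what bounds a runaway indicator: an outbound-connection indicator of 60 against a mean of 2 is corrected to 2 + 60/62 × 2 ≈ 3.94, so one noisy day cannot swamp the score.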
In this embodiment, the comprehensive asset assessment result for the source IP address of the network device under inspection is obtained from the indicator values of illegal behaviour on its open and non-open source ports, the risk indicator values of the open source ports, the dynamic mean of each indicator value and the asset assessment value of the source IP address, with any indicator value that exceeds its dynamic mean corrected according to that mean. Compared with the existing technology, which deploys probes at the boundary between the enterprise intranet and the public network, obtains and monitors the security logs of their interaction, and assesses only the health of the intranet's network asset addresses, this application can assess the health of asset addresses across the entire network, is generally applicable, and at the same time reduces the network threat risk to the assets behind the source IP addresses of network devices, improving security.
图3为本申请提供的一种网络资产评估处理装置实施例的结构示意图,如图3所示,该网络资产评估处理装置30包括:获取模块31、处理模块32。其中,获取模块31,用于获取的待检测的网络设备的IP数据流信息中的源IP地址、源端口、目的IP地址和目的端口,从源端口中确定开放源端口和非开放源端口,并获取开放源端口对应的风险指标值;处理模块32,用于从目的IP地址和目的端口中,分别确定开放源端口对应的第一通连IP信息,以及非开放源端口对应的第二IP通连信息;获取模块31,还用于查询预先配置的非法攻击库,分别获取第一通连IP信息对应的第一攻击特征和第一威胁系数,以及第二IP通连信息对应的第二攻击特征和第二威胁系数;处理模块32,还用于识别监测获取到的源IP地址对应的非法行为的类型和非法行为的次数,并根据非法行为的类型和非法行为的次数,以及第一通连IP信息对应的第一攻击特征和第一威胁系数,和/或第二通连IP信息对应的第二攻击特征和第二威胁系数,获取非法行为对应的指标值;处理模块32,还用于根据开放源端口对应的风险指标值、非法行为对应的指标值,以及每个指标值对应的动态均值,获取资产动态基础值和资产动态值;处理模块32,还用于根据获取的源IP地址对应的资产类型、等级以及历史漏洞信息,获取源IP地址对应的资产评估值;处理模块32,还用于根据资产动态基础值、资产动态值,以及资产评估值,获取待检测的网络设备的源IP地址对应的资产综合评估结果,以根据资产综合评估结果,对待检测的网络设备对应的网络进行相应的管理。FIG. 3 is a schematic structural diagram of an embodiment of a network asset evaluation processing device provided by the present application. As shown in FIG. 3 , the network asset
本实施例中的网络资产评估处理装置可以执行上述图1所示的方法实例的,其实现原理和技术效果相类似,此处不再赘述。The apparatus for evaluating and processing network assets in this embodiment can execute the method example shown in FIG. 1 above, and its implementation principles and technical effects are similar, and will not be repeated here.
在一种可能的实施方案中,获取模块31还用于:In a possible implementation, the acquiring
获取全网资产信息,全网资产信息包括:IP地址和IP地址对应的参数信息。Obtain the asset information of the whole network. The asset information of the whole network includes: IP address and parameter information corresponding to the IP address.
对于每个IP地址,根据IP地址对应的参数信息,以及预设的攻击阈值,在确定IP地址为非法攻击地址时,获取IP地址对应的攻击特征和威胁系数,并将IP地址,以及IP地址对应的攻击特征和威胁系数存储到预先配置的非法攻击库中。For each IP address, according to the parameter information corresponding to the IP address and the preset attack threshold, when the IP address is determined to be an illegal attack address, the attack characteristics and threat coefficient corresponding to the IP address are obtained, and the IP address, and the IP address The corresponding attack characteristics and threat coefficients are stored in the pre-configured illegal attack library.
在一种可能的实施方案中,获取模块31具体用于:In a possible implementation, the
在确定IP地址对应的参数信息中的ICMP比例大于第一资产探测阈值,被探测IP同C段数大于或等于第二资产探测阈值,且被探测IP同B段数大于或等于第三资产探测阈值时,确定IP地址为非法攻击地址,并获取IP地址对应的攻击特征为资产探测特征,且威胁系数为第一预设威胁系数。When it is determined that the ICMP ratio in the parameter information corresponding to the IP address is greater than the first asset detection threshold, the number of detected IP and C segment is greater than or equal to the second asset detection threshold, and the detected IP and B segment number is greater than or equal to the third asset detection threshold , determine that the IP address is an illegal attack address, and obtain the attack feature corresponding to the IP address as an asset detection feature, and the threat factor is a first preset threat factor.
或者,在确定IP地址对应的参数信息中的端口次数比大于第一全端口扫描阈值,或者端口数大于第二全端口扫描阈值时,确定IP地址为非法攻击地址,并获取IP地址对应的攻击特征为全端口扫描特征,且威胁系数为第二预设威胁系数。Or, when it is determined that the port number ratio in the parameter information corresponding to the IP address is greater than the first full port scan threshold, or the number of ports is greater than the second full port scan threshold, determine that the IP address is an illegal attack address, and obtain the corresponding attack address of the IP address. The feature is a full port scanning feature, and the threat factor is a second preset threat factor.
或者,在确定IP地址对应的参数信息中的WEB端口占比大于第一WEB扫描及爬虫阈值,且平均包数大于第二WEB扫描及爬虫阈值时,确定IP地址为非法攻击地址,并获取IP地址对应的攻击特征为WEB扫描及爬虫特征,且威胁系数为第三预设威胁系数。Or, when it is determined that the proportion of WEB ports in the parameter information corresponding to the IP address is greater than the first WEB scan and crawler threshold, and the average number of packets is greater than the second WEB scan and crawler threshold, determine that the IP address is an illegal attack address, and obtain the IP address. The attack feature corresponding to the address is a WEB scanning and crawler feature, and the threat factor is a third preset threat factor.
在一种可能的实施方案中,第一通连IP信息包括:第一通连IP地址和对应的第一通连端口;第二通连IP信息包括:第二通连IP地址和对应的第二通连端口。In a possible implementation, the first link IP information includes: the first link IP address and the corresponding first link port; the second link IP information includes: the second link IP address and the corresponding first link port; Two-way connection port.
其中,第一通连IP地址为开放源端口对应的目的IP地址,第一通连端口为开放源端口对应的目的端口。Wherein, the first connection IP address is the destination IP address corresponding to the open source port, and the first connection port is the destination port corresponding to the open source port.
第二通连IP地址为非开放源端口对应的目的IP地址,第二通连端口为非开放源端口对应的目的端口。The second connection IP address is the destination IP address corresponding to the non-open source port, and the second connection port is the destination port corresponding to the non-open source port.
在一种可能的实施方案中,处理模块32具体用于:In a possible implementation, the
在识别监测获取到的源IP地址对应的非法行为的类型为攻击类型时,根据第一通连IP信息对应的第一攻击特征和第二通连IP信息对应的第二攻击特征,确定与攻击类型匹配的通连IP信息,并根据非法行为的次数,以及与攻击类型匹配的通连IP信息对应的威胁系数,获取攻击指标。When identifying the type of illegal behavior corresponding to the source IP address acquired by monitoring as the attack type, according to the first attack characteristic corresponding to the first connected IP information and the second attack characteristic corresponding to the second connected IP information, determine the According to the number of illegal actions and the threat factor corresponding to the connected IP information matching the attack type, the attack indicators are obtained.
和/或,在识别监测获取到的源IP地址对应的非法行为的类型为非法外联类型时,根据第一通连IP信息对应的第一攻击特征和第二通连IP信息对应的第二攻击特征,确定与非法外联类型匹配的通连IP信息,并根据非法行为的次数,以及与攻击类型匹配的通连IP信息对应的威胁系数,获取非法外联指标。And/or, when identifying the type of illegal behavior corresponding to the source IP address obtained through monitoring as an illegal outreach type, according to the first attack feature corresponding to the first communication IP information and the second attack feature corresponding to the second communication IP information Attack characteristics, determine the linking IP information that matches the type of illegal outreach, and obtain illegal outreach indicators based on the number of illegal actions and the threat coefficient corresponding to the linking IP information that matches the attack type.
其中,攻击类型与攻击特征中的资产探测特征相匹配;非法外联类型与攻击特征中的WEB扫描及爬虫特征相匹配。Among them, the attack type matches the asset detection feature in the attack feature; the illegal outreach type matches the WEB scan and crawler feature in the attack feature.
In a possible implementation, the processing module 32 is specifically configured to:
Sum the risk indicator values corresponding to the open source ports and the indicator values corresponding to the illegal behaviors to obtain the asset dynamic base value.
For each indicator value, judge whether the indicator value is greater than the dynamic mean corresponding to that indicator; if it is, apply a correction to the indicator value to obtain a corrected indicator value.
Obtain the asset dynamic value from the indicator values that need no correction together with the corrected indicator values.
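The scoring procedure just described (type-matched threat coefficient, summed base value, per-indicator comparison against a dynamic mean with correction of the outliers) is shown below as an added Python example; it is not the patent's own code, and the page does not define the exact formulas, so the following are assumptions labelled as such in the code: an indicator equals the behavior count multiplied by the matching threat coefficient, the dynamic mean is the arithmetic mean of that indicator's history window, the correction dampens the excess over the mean logarithmically, and all IP addresses, coefficients, port risk values and history windows are constructed sample data.

```python
"""Asset dynamic-value scoring (added example, not the patent's own code).

Models the steps described above:
  * an illegal behavior observed from a source IP is of the "attack" type
    (matched to the asset-probing characteristic) or of the "illegal
    outbound connection" type (matched to the web-scan/crawler characteristic);
  * the connected-IP record carrying the matching characteristic supplies a
    threat coefficient, and the indicator is derived from the behavior count
    and that coefficient;
  * open-port risk values and behavior indicators are summed into the asset
    dynamic base value; every indicator above its dynamic mean is corrected,
    and corrected plus uncorrected indicators give the asset dynamic value.

Assumptions (not stated on the page): indicator = count * coefficient,
dynamic mean = arithmetic mean of the indicator's history window, and the
correction is mean + log1p(excess over the mean).
"""
from __future__ import annotations

import math
from dataclasses import dataclass

ATTACK = "attack"                      # matched to the asset-probing characteristic
ILLEGAL_OUTBOUND = "illegal_outbound"  # matched to the web-scan/crawler characteristic

TYPE_TO_CHARACTERISTIC = {
    ATTACK: "asset_probing",
    ILLEGAL_OUTBOUND: "web_scan_crawler",
}


@dataclass(frozen=True)
class ConnectedIP:
    """One 'connected-IP information' record (first or second)."""
    characteristic: str       # attack characteristic carried by the record
    threat_coefficient: float


@dataclass(frozen=True)
class Event:
    """One illegal behavior observed from a monitored source IP."""
    src_ip: str
    behaviour_type: str


def indicator_for_type(events: list[Event], behaviour_type: str,
                       connected: list[ConnectedIP]) -> float:
    """Count behaviors of one type and weight the count by the threat
    coefficient of the connected-IP record whose characteristic matches that
    type. Returns 0.0 when nothing was observed or no record matches."""
    count = sum(1 for e in events if e.behaviour_type == behaviour_type)
    wanted = TYPE_TO_CHARACTERISTIC[behaviour_type]
    matches = [c for c in connected if c.characteristic == wanted]
    if count == 0 or not matches:
        return 0.0
    # Assumption: if several records match, the highest coefficient is used.
    return count * max(c.threat_coefficient for c in matches)


def dynamic_base_value(port_risks: dict[int, float],
                       behaviour_indicators: dict[str, float]) -> float:
    """Asset dynamic base value: plain sum of port risks and behavior indicators."""
    return sum(port_risks.values()) + sum(behaviour_indicators.values())


def correct_indicator(value: float, dynamic_mean: float) -> float:
    """Correction applies only above the dynamic mean (assumed dampening form)."""
    if value <= dynamic_mean:
        return value
    return dynamic_mean + math.log1p(value - dynamic_mean)


def dynamic_value(indicators: dict[str, float],
                  history: dict[str, list[float]]) -> float:
    """Asset dynamic value: corrected and uncorrected indicators summed."""
    total = 0.0
    for name, value in indicators.items():
        past = history.get(name) or [value]     # no history: mean is the value itself
        mean = sum(past) / len(past)
        total += correct_indicator(value, mean)
    return total


def run_example() -> dict[str, float]:
    """Runs the full procedure on constructed sample data and returns the results."""
    connected = [ConnectedIP("asset_probing", 0.8),
                 ConnectedIP("web_scan_crawler", 0.5)]
    events = ([Event("203.0.113.7", ATTACK)] * 3
              + [Event("198.51.100.9", ILLEGAL_OUTBOUND)] * 2)
    port_risks = {22: 0.6, 3389: 0.9}          # constructed open-port risk values
    behaviour = {
        ATTACK: indicator_for_type(events, ATTACK, connected),
        ILLEGAL_OUTBOUND: indicator_for_type(events, ILLEGAL_OUTBOUND, connected),
    }
    indicators = {f"port:{p}": r for p, r in port_risks.items()} | behaviour
    history = {                                # constructed history windows
        "port:22": [0.6, 0.6], "port:3389": [0.3, 0.3],
        ATTACK: [1.2, 0.8, 1.0], ILLEGAL_OUTBOUND: [1.2, 1.0, 1.4],
    }
    return {
        "attack_indicator": behaviour[ATTACK],
        "illegal_outbound_indicator": behaviour[ILLEGAL_OUTBOUND],
        "base_value": dynamic_base_value(port_risks, behaviour),
        "dynamic_value": dynamic_value(indicators, history),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value:.4f}")
```

In the sample run, the three probing events weighted by 0.8 give an attack indicator of 2.4, well above its history mean of 1.0, so only that indicator and the port 3389 risk (0.9 against a mean of 0.3) are corrected; the dynamic value therefore lands below the base value, which is the intended effect of the mean-based correction: a burst from one source raises the score without letting it run away.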
FIG. 4 is a schematic structural diagram of a server provided by the present application. As shown in FIG. 4, the server 40 includes a processor 41, a memory 42 and a communication interface 43. The memory 42 stores executable instructions for the processor 41, and the processor 41 is configured to execute those instructions so as to carry out the technical solution of any of the foregoing method embodiments.
Optionally, the memory 42 may be a stand-alone device or may be integrated with the processor 41.
Optionally, when the memory 42 is a device separate from the processor 41, the server 40 may further include a bus connecting the above devices.
The server is used to carry out the technical solution of any of the foregoing method embodiments; its implementation principle and technical effect are similar and are not repeated here.
An embodiment of the present application further provides a readable storage medium storing a computer program which, when executed by a processor, implements the technical solution provided by any of the foregoing embodiments.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium; when executed, it performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical disks and other media capable of storing program code.
It should be noted that the user information (including but not limited to user device information and personal information) and data (including but not limited to data used for analysis, stored data and displayed data) involved in this application are information and data authorized by the user or fully authorized by all parties concerned; the collection, use and processing of such data must comply with the relevant laws, regulations and standards of the countries and regions concerned, and a corresponding control is provided through which users may grant or refuse authorization.
Finally, it should be noted that the above embodiments serve only to illustrate the technical solution of the present application and do not limit it. Although the application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in those embodiments may still be modified, or some or all of their technical features replaced by equivalents, without such modifications or replacements taking the essence of the corresponding technical solution outside the scope of the technical solutions of the embodiments of the present application.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211507077.9A CN115834219B (en) | 2022-11-29 | 2022-11-29 | A network asset evaluation processing method, device, server and medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211507077.9A CN115834219B (en) | 2022-11-29 | 2022-11-29 | A network asset evaluation processing method, device, server and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115834219A (en) | 2023-03-21 |
CN115834219B CN115834219B (en) | 2024-05-17 |
Family
ID=85532452
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211507077.9A Active CN115834219B (en) | 2022-11-29 | 2022-11-29 | A network asset evaluation processing method, device, server and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115834219B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140075564A1 (en) * | 2011-06-01 | 2014-03-13 | Anurag Singla | Network asset information management |
US20150230091A1 (en) * | 2014-02-10 | 2015-08-13 | Qualcomm Incorporated | Methods and systems for handling malicious attacks in a wireless communication system |
KR20160141457A (en) * | 2015-06-01 | 2016-12-09 | 주식회사 에스씨엘 | Risk assessment system for information security management system |
CN111490970A (en) * | 2020-02-19 | 2020-08-04 | 西安交大捷普网络科技有限公司 | Tracing analysis method for network attack |
WO2021082966A1 (en) * | 2019-10-31 | 2021-05-06 | 中兴通讯股份有限公司 | Asset vulnerability calculation method and device, storage medium, and server |
CN113408948A (en) * | 2021-07-15 | 2021-09-17 | 恒安嘉新(北京)科技股份公司 | Network asset management method, device, equipment and medium |
CN113468542A (en) * | 2021-07-07 | 2021-10-01 | 国家计算机网络与信息安全管理中心江苏分中心 | Exposed surface asset risk assessment method, device, equipment and medium |
CN113542278A (en) * | 2021-07-16 | 2021-10-22 | 北京源堡科技有限公司 | Network security assessment method, system and device |
CN114679338A (en) * | 2022-05-26 | 2022-06-28 | 山东林天信息科技有限责任公司 | Network risk assessment method based on network security situation awareness |
Timeline: 2022-11-29, CN202211507077.9A filed in China; granted as CN115834219B (active).
Non-Patent Citations (3)
Title |
---|
Alexander, G.: "Detecting TCP/IP Connections via IPID Hash Collisions", Proceedings on Privacy Enhancing Technologies, 25 September 2020 |
杨豪璞; 邱辉; 王坤: "面向多步攻击的网络安全态势评估方法" (A network security situation assessment method for multi-step attacks), 通信学报 (Journal on Communications), no. 01, 25 January 2017 |
胡浩; 刘玉岭; 张玉臣; 张红旗: "基于攻击图的网络安全度量研究综述" (A survey of attack-graph-based network security metrics), 网络与信息安全学报 (Chinese Journal of Network and Information Security), no. 09, 15 September 2018 |
Also Published As
Publication number | Publication date |
---|---|
CN115834219B (en) | 2024-05-17 |
Similar Documents
Publication | Title |
---|---|
US11637853B2 | Operational network risk mitigation system and method |
CN110149350B | A method and device for analyzing network attack events associated with alarm logs |
US8181252B2 | Intrusion event correlation system |
JP4677569B2 | Network abnormality detection method and network abnormality detection system |
US11895145B2 | Systems and methods for automatically selecting an access control entity to mitigate attack traffic |
Noel et al. | Correlating intrusion events and building attack scenarios through attack graph distances |
CN100448203C | Systems and methods for identifying and preventing malicious intrusions |
CN103258165B | The treating method and apparatus of leak evaluation |
US11128670B2 | Methods, systems, and computer readable media for dynamically remediating a security system entity |
US20100268818A1 | Systems and methods for forensic analysis of network behavior |
Kuyama et al. | Method for detecting a malicious domain by using whois and dns features |
Sanjaya et al. | Information technology risk management using ISO 31000 based on issaf framework penetration testing (Case study: Election commission of x city) |
CN107347074B | A method for determining the security of network equipment |
CN106453403B | A kind of determining method and system of loophole rectification sequence based on attack chain |
CN106713358A | Attack detection method and device |
CN113468542A | Exposed surface asset risk assessment method, device, equipment and medium |
CN113923021A | Sandbox-based encrypted traffic processing method, system, device and medium |
CN114221804A | Honeypot identification method based on feature identification and interactive verification |
CN113987508A | A vulnerability processing method, device, equipment and medium |
CN116170225B | System testing method, device, equipment and storage medium based on network target range |
CN115834219A | Network asset evaluation processing method, device, server and medium |
US20220407876A1 | Method for detection of lateral movement of malware |
CN110493200A | A kind of industrial control system risk quantification analysis method based on threat map |
CN115567237A | Network security assessment method based on knowledge graph |
CN114372269A | Risk assessment method based on system network topological structure |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | | |
SE01 | Entry into force of request for substantive examination | | |
GR01 | Patent grant | | |