CN115834219B - Network asset evaluation processing method, device, server and medium - Google Patents


Info

Publication number
CN115834219B
Authority
CN
China
Prior art keywords: address, attack, asset, illegal, communication
Legal status: Active (status as listed by Google Patents; not a legal conclusion)
Application number: CN202211507077.9A
Other languages: Chinese (zh)
Other versions: CN115834219A
Inventors: 于城, 孟祥森, 周凯, 史炳荣, 王鑫妍, 李思聪, 李金玲, 肖召红, 吴朋, 孙文雪, 曹文涛, 李阳, 杜佳鹏
Current assignee: China United Network Communications Group Co Ltd; Unicom Digital Technology Co Ltd
Original assignee: China United Network Communications Group Co Ltd; Unicom Digital Technology Co Ltd

Abstract

The application provides a network asset evaluation processing method, a device, a server and a medium. The method comprises the following steps: obtaining, from the IP data flow information of the network equipment to be detected, the open source ports, the non-open source ports and the risk index values corresponding to the open source ports; obtaining, from an illegal attack library, the first attack characteristic and first threat coefficient corresponding to the open source ports and the second attack characteristic and second threat coefficient corresponding to the non-open source ports; obtaining an index value for the illegal behaviors according to the type and number of illegal behaviors corresponding to the source IP address of the network equipment to be detected; obtaining an asset dynamic basic value and an asset dynamic value according to the index values of the illegal behaviors and the dynamic average value corresponding to each index value; and obtaining an asset comprehensive evaluation result corresponding to the source IP address according to the asset evaluation value, the asset dynamic basic value and the asset dynamic value corresponding to the source IP address. The method solves the problem that the prior art can evaluate only the asset health degree of the enterprise intranet.

Description

Network asset evaluation processing method, device, server and medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a server, and a medium for processing network asset evaluation.
Background
With the continuous development of internet technology, network security risks are increasing rapidly. By evaluating the health degree of network asset addresses in a timely manner, the network security risks that a server faces can be understood.
In the prior art, a large enterprise obtains a security log of interaction between an enterprise intranet and a public network by deploying probes at a network boundary between the enterprise intranet and the public network, monitors the security log, obtains the health condition of a network asset address of the enterprise intranet, and evaluates the health condition of the network asset address of the enterprise intranet.
However, the prior art only can evaluate the health degree of the network asset address of the enterprise intranet, cannot evaluate the threat of the public network, and has certain limitation.
Disclosure of Invention
The application provides a network asset evaluation processing method, a device, a server and a medium, which are used for solving the problem that only the health degree of an asset address of an intranet can be evaluated in the prior art.
In a first aspect, the present application provides a network asset assessment processing method, including:
Determining an open source port (a source port that is open) and a non-open source port from the source ports according to the source IP address, source port, destination IP address and destination port in the acquired IP data flow information of the network equipment to be detected, and acquiring a risk index value corresponding to the open source port.
Determining, from the destination IP address and the destination port, the first communication IP information corresponding to the open source port and the second communication IP information corresponding to the non-open source port.
Querying a preconfigured illegal attack library, and acquiring the first attack characteristic and first threat coefficient corresponding to the first communication IP information, and the second attack characteristic and second threat coefficient corresponding to the second communication IP information.
Identifying, by monitoring, the type and number of illegal actions corresponding to the source IP address, and obtaining an index value corresponding to the illegal actions according to that type and number together with the first attack characteristic and first threat coefficient corresponding to the first communication IP information and/or the second attack characteristic and second threat coefficient corresponding to the second communication IP information.
Acquiring an asset dynamic basic value and an asset dynamic value according to the risk index value corresponding to the open source port, the index value corresponding to the illegal actions, and the dynamic average value corresponding to each index value.
Acquiring an asset evaluation value corresponding to the source IP address according to the asset type, grade and historical vulnerability information corresponding to the source IP address.
Acquiring an asset comprehensive evaluation result corresponding to the source IP address of the network equipment to be detected according to the asset dynamic basic value, the asset dynamic value and the asset evaluation value, so that the network corresponding to the network equipment to be detected can be managed according to the asset comprehensive evaluation result.
In one specific embodiment, the method further comprises:
Acquiring whole-network asset information, wherein the whole-network asset information comprises IP addresses and the parameter information corresponding to each IP address.
For each IP address, when the IP address is determined to be an illegal attack address according to its parameter information and a preset attack threshold, acquiring the attack characteristic and the threat coefficient corresponding to the IP address, and storing the IP address together with its attack characteristic and threat coefficient in the preset illegal attack library.
In a specific embodiment, determining that the IP address is an illegal attack address according to its parameter information and the preset attack threshold, and acquiring the corresponding attack characteristic and threat coefficient, includes:
When the ICMP proportion in the parameter information corresponding to the IP address is larger than a first asset detection threshold, the number of detected IP addresses and class C (/24) segments is larger than or equal to a second asset detection threshold, and the number of detected IP addresses and class B (/16) segments is larger than or equal to a third asset detection threshold, determining the IP address to be an illegal attack address, with the attack characteristic corresponding to the IP address being an asset detection characteristic and the threat coefficient being a first preset threat coefficient.
Or alternatively
When the port number ratio in the parameter information corresponding to the IP address is larger than a first full-port scanning threshold, or the port number is larger than a second full-port scanning threshold, determining the IP address to be an illegal attack address, with the attack characteristic being a full-port scanning characteristic and the threat coefficient being a second preset threat coefficient.
Or alternatively
When the WEB port ratio in the parameter information corresponding to the IP address is larger than a first WEB scanning and crawling threshold and the average packet number is larger than a second WEB scanning and crawling threshold, determining the IP address to be an illegal attack address, with the attack characteristic being a WEB scanning and crawling characteristic and the threat coefficient being a third preset threat coefficient.
In a specific embodiment, the first communication IP information includes: a first communication IP address and a corresponding first communication port; the second communication IP information includes: the second communication IP address and the corresponding second communication port.
The first communication IP address is a destination IP address corresponding to the open source port, and the first communication port is a destination port corresponding to the open source port.
The second communication IP address is a destination IP address corresponding to the non-open source port, and the second communication port is a destination port corresponding to the non-open source port.
In a specific embodiment, the identifying and monitoring the obtained type of the illegal action and the obtained number of times of the illegal action corresponding to the source IP address, and obtaining the index value corresponding to the illegal action according to the type of the illegal action and the number of times of the illegal action, and the first attack feature and the first threat coefficient corresponding to the first communication IP information, and/or the second attack feature and the second threat coefficient corresponding to the second communication IP information, includes:
when the type of illegal actions corresponding to the source IP address obtained through monitoring is identified as an attack type, determining the communication IP information matched with the attack type according to a first attack characteristic corresponding to the first communication IP information and a second attack characteristic corresponding to the second communication IP information, and obtaining an attack index according to the times of illegal actions and threat coefficients corresponding to the communication IP information matched with the attack type.
And/or,
When the type of illegal actions corresponding to the source IP address obtained through monitoring is identified as an illegal external connection type, determining communication IP information matched with the illegal external connection type according to a first attack characteristic corresponding to the first communication IP information and a second attack characteristic corresponding to the second communication IP information, and obtaining illegal external connection indexes according to the times of illegal actions and threat coefficients corresponding to the communication IP information matched with the attack type.
Wherein the attack type is matched with an asset detection feature in the attack features; and the illegal external connection type is matched with the WEB scanning and crawler characteristics in the attack characteristics.
In a specific embodiment, obtaining the asset dynamic basic value and the asset dynamic value according to the risk index value corresponding to the open source port, the index value corresponding to the illegal action, and the dynamic average value corresponding to each index value includes:
Summing the risk index value corresponding to the open source port and the index value corresponding to the illegal action to obtain the asset dynamic basic value.
Judging whether each index value is larger than the dynamic average value corresponding to that index value, and if so, correcting the index value to obtain a corrected index value.
Acquiring the asset dynamic value from the index values that did not need correction and the corrected index values.
In a second aspect, the present application provides a network asset assessment processing apparatus, including:
The apparatus comprises an acquisition module, a detection module and a control module, wherein the acquisition module is configured to acquire the source IP address, source port, destination IP address and destination port in the IP data flow information of the network equipment to be detected, determine an open source port and a non-open source port from the source ports, and acquire a risk index value corresponding to the open source port.
A processing module, configured to determine, from the destination IP address and the destination port, the first communication IP information corresponding to the open source port and the second communication IP information corresponding to the non-open source port.
The acquisition module is further configured to query the preconfigured illegal attack library and acquire the first attack feature and first threat coefficient corresponding to the first communication IP information, and the second attack feature and second threat coefficient corresponding to the second communication IP information.
The processing module is further configured to identify a type of illegal action and a number of times of illegal action corresponding to the obtained source IP address, and obtain an index value corresponding to the illegal action according to the type of illegal action and the number of times of illegal action, and the first attack feature and the first threat coefficient corresponding to the first communication IP information, and/or the second attack feature and the second threat coefficient corresponding to the second communication IP information.
The processing module is further configured to obtain an asset dynamic basic value and an asset dynamic value according to the risk index value corresponding to the open source port, the index value corresponding to the illegal action, and the dynamic average value corresponding to each index value.
The processing module is further configured to obtain an asset evaluation value corresponding to the source IP address according to the obtained asset type, level and history vulnerability information corresponding to the source IP address.
The processing module is further configured to obtain an asset comprehensive evaluation result corresponding to the source IP address of the network device to be detected according to the asset dynamic base value, the asset dynamic value, and the asset evaluation value, so as to perform corresponding management on a network corresponding to the network device to be detected according to the asset comprehensive evaluation result.
In a specific embodiment, the obtaining module is further configured to:
Acquiring whole-network asset information, wherein the whole-network asset information comprises IP addresses and the parameter information corresponding to each IP address.
For each IP address, when the IP address is determined to be an illegal attack address according to its parameter information and a preset attack threshold, acquiring the attack characteristic and the threat coefficient corresponding to the IP address, and storing the IP address together with its attack characteristic and threat coefficient in the preset illegal attack library.
In one embodiment, the obtaining module is specifically configured to:
When the ICMP proportion in the parameter information corresponding to the IP address is larger than a first asset detection threshold, the number of detected IP addresses and class C (/24) segments is larger than or equal to a second asset detection threshold, and the number of detected IP addresses and class B (/16) segments is larger than or equal to a third asset detection threshold, determine the IP address to be an illegal attack address, with the attack characteristic corresponding to the IP address being an asset detection characteristic and the threat coefficient being a first preset threat coefficient.
Or alternatively
When the port number ratio in the parameter information corresponding to the IP address is larger than a first full-port scanning threshold, or the port number is larger than a second full-port scanning threshold, determine the IP address to be an illegal attack address, with the attack characteristic being a full-port scanning characteristic and the threat coefficient being a second preset threat coefficient.
Or alternatively
When the WEB port ratio in the parameter information corresponding to the IP address is larger than a first WEB scanning and crawling threshold and the average packet number is larger than a second WEB scanning and crawling threshold, determine the IP address to be an illegal attack address, with the attack characteristic being a WEB scanning and crawling characteristic and the threat coefficient being a third preset threat coefficient.
In a specific embodiment, the first communication IP information includes: a first communication IP address and a corresponding first communication port; the second communication IP information includes: the second communication IP address and the corresponding second communication port.
The first communication IP address is a destination IP address corresponding to the open source port, and the first communication port is a destination port corresponding to the open source port.
The second communication IP address is a destination IP address corresponding to the non-open source port, and the second communication port is a destination port corresponding to the non-open source port.
In one embodiment, the processing module is specifically configured to:
when the type of illegal actions corresponding to the source IP address obtained through monitoring is identified as an attack type, determining the communication IP information matched with the attack type according to a first attack characteristic corresponding to the first communication IP information and a second attack characteristic corresponding to the second communication IP information, and obtaining an attack index according to the times of illegal actions and threat coefficients corresponding to the communication IP information matched with the attack type.
And/or,
When the type of illegal actions corresponding to the source IP address obtained through monitoring is identified as an illegal external connection type, determining communication IP information matched with the illegal external connection type according to a first attack characteristic corresponding to the first communication IP information and a second attack characteristic corresponding to the second communication IP information, and obtaining illegal external connection indexes according to the times of illegal actions and threat coefficients corresponding to the communication IP information matched with the attack type.
Wherein the attack type is matched with an asset detection feature in the attack features; and the illegal external connection type is matched with the WEB scanning and crawler characteristics in the attack characteristics.
In a specific embodiment, the processing module is specifically configured to:
Sum the risk index value corresponding to the open source port and the index value corresponding to the illegal action to obtain the asset dynamic basic value.
Judge whether each index value is larger than the dynamic average value corresponding to that index value, and if so, correct the index value to obtain a corrected index value.
Acquire the asset dynamic value from the index values that did not need correction and the corrected index values.
In a third aspect, the present application provides a server comprising:
a processor, a memory and a communication interface.
The memory is for storing executable instructions executable by the processor.
Wherein the processor is configured to perform the network asset assessment processing method of the first aspect via execution of the executable instructions.
In a fourth aspect, the present application provides a readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the network asset assessment processing method of the first aspect.
The application provides a network asset evaluation processing method, a device, a server and a medium. The method determines an open source port and a non-open source port from the source ports according to the source IP address, source port, destination IP address and destination port in the IP data flow information of the network equipment to be detected, and acquires a risk index value corresponding to the open source port; determines, from the destination IP address and the destination port, the first communication IP information corresponding to the open source port and the second communication IP information corresponding to the non-open source port; queries a preconfigured illegal attack library and acquires the first attack characteristic and first threat coefficient corresponding to the first communication IP information, and the second attack characteristic and second threat coefficient corresponding to the second communication IP information; identifies, by monitoring, the type and number of illegal actions corresponding to the source IP address, and obtains index values corresponding to the illegal actions according to that type and number together with the first attack characteristic and first threat coefficient and/or the second attack characteristic and second threat coefficient; acquires an asset dynamic basic value and an asset dynamic value according to the risk index value corresponding to the open source port, the index value corresponding to the illegal actions and the dynamic average value corresponding to each index value; acquires an asset evaluation value corresponding to the source IP address according to the asset type, grade and historical vulnerability information corresponding to the source IP address; and acquires an asset comprehensive evaluation result corresponding to the source IP address of the network equipment to be detected according to the asset dynamic basic value, the asset dynamic value and the asset evaluation value, so that the network corresponding to the network equipment to be detected can be managed according to the asset comprehensive evaluation result. Compared with the prior art, which deploys probes at the network boundary between the intranet and the public network and can therefore evaluate only the health of intranet asset addresses, the method and device disclosed by the application obtain the asset comprehensive evaluation result corresponding to the source IP address of the network device to be detected from the index values corresponding to the illegal behaviors of its open source ports and non-open source ports, the risk index values corresponding to the open source ports, the dynamic average value corresponding to each index value and the asset evaluation value corresponding to the source IP address. They are therefore suitable for evaluating the health of asset addresses across the whole network, are general-purpose, and at the same time reduce the network threat risk of the asset corresponding to the source IP address of the network device to be detected and improve security.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions of the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the application, and other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a first embodiment of a network asset evaluation processing method provided by the present application;
fig. 2 is a schematic flow chart of a second embodiment of a network asset evaluation processing method provided by the present application;
FIG. 3 is a schematic diagram of an embodiment of a network asset evaluation processing device according to the present application;
fig. 4 is a schematic structural diagram of a server according to the present application.
Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but rather to illustrate the inventive concepts to those skilled in the art by reference to the specific embodiments.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which are made by a person skilled in the art based on the embodiments of the application in light of the present disclosure, are intended to be within the scope of the application.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or server.
Description of technical terms:
Assets: mainly various devices used in computer (or communication) networks. Mainly including hosts, network devices (routers, switches, etc.) and security devices (firewalls, etc.). In the present application, an asset refers to an IP address of a network device.
In the prior art, a large enterprise obtains a security log of interaction between an enterprise intranet and a public network by deploying probes at a network boundary between the enterprise intranet and the public network, monitors the security log, obtains the health condition of a network asset address of the enterprise intranet, and evaluates the health condition of the network asset address of the enterprise intranet. However, the prior art only can evaluate the health degree of the network asset address of the enterprise intranet, cannot evaluate the threat of the public network, and has certain limitation. Based on this, the technical idea of the application is how to evaluate the health of the whole network asset address.
The technical scheme of the application is described in detail through specific embodiments. It should be noted that the following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments.
Fig. 1 is a schematic flow chart of a first embodiment of a network asset evaluation processing method provided by the present application, and as shown in fig. 1, the network asset evaluation processing method specifically includes the following steps:
Step S101: according to the acquired source IP address, source port, destination IP address and destination port in the IP data flow information of the network equipment to be detected, determining an open source port and a non-open source port from the source ports, and acquiring a risk index value corresponding to the open source port.
In this embodiment, different open source ports may correspond to different risk index values thereof, and specifically, the risk index value corresponding to the open source port is set according to actual requirements.
Step S102: determining, from the destination IP address and the destination port, the first communication IP information corresponding to the open source port and the second communication IP information corresponding to the non-open source port.
Step S103: querying a preconfigured illegal attack library, and acquiring the first attack characteristic and first threat coefficient corresponding to the first communication IP information, and the second attack characteristic and second threat coefficient corresponding to the second communication IP information.
In this embodiment, different attack features may correspond to different threat coefficients thereof, and specifically, the threat coefficients are set according to actual requirements.
Step S104: identifying and monitoring the type and the times of illegal behaviors corresponding to the obtained source IP address, and obtaining index values corresponding to the illegal behaviors according to the type and the times of illegal behaviors, and the first attack characteristics and the first threat coefficients corresponding to the first communication IP information and/or the second attack characteristics and the second threat coefficients corresponding to the second communication IP information.
In this embodiment, for example, the index values corresponding to the illegal actions include at least an attack index and an illegal external connection index.
Step S105: and acquiring an asset dynamic basic value and an asset dynamic value according to the risk index value corresponding to the open source port, the index value corresponding to the illegal action and the dynamic average value corresponding to each index value.
Step S106: and acquiring an asset evaluation value corresponding to the source IP address according to the acquired asset type, grade and history vulnerability information corresponding to the source IP address.
Step S107: and acquiring an asset comprehensive evaluation result corresponding to the source IP address of the network equipment to be detected according to the asset dynamic basic value, the asset dynamic value and the asset evaluation value, so as to perform corresponding management on the network corresponding to the network equipment to be detected according to the asset comprehensive evaluation result.
In this embodiment, by acquiring index values corresponding to illegal behaviors of an open source port and a non-open source port of a network device to be detected, risk index values corresponding to the open source port, dynamic average values corresponding to the index values, and asset evaluation values corresponding to source IP addresses of the network device to be detected, an asset comprehensive evaluation result corresponding to the source IP addresses of the network device to be detected is acquired.
Fig. 2 is a schematic flow chart of a second embodiment of a network asset evaluation processing method provided by the present application, and as shown in fig. 2, the network asset evaluation processing method specifically includes the following steps:
Step S201: acquire the whole-network asset information.
In this embodiment, the whole-network asset information includes the IP addresses and the parameter information corresponding to each IP address.
Step S202: for each IP address, when the IP address is determined to be an illegal attack address according to its parameter information and the preset attack thresholds, acquire the attack feature and threat coefficient corresponding to the IP address, and store the IP address together with its attack feature and threat coefficient in the preset illegal attack library.
In this embodiment, the reference information is shown in table one.
Table one: list of reference information
In this embodiment, when the ICMP ratio in the parameter information of the IP address is greater than the first asset detection threshold, the number of detected IPs and C segments is greater than or equal to the second asset detection threshold, and the number of detected IPs and B segments is greater than or equal to the third asset detection threshold, the IP address is determined to be an illegal attack address, its attack feature is the asset detection feature, and its threat coefficient is the first preset threat coefficient.
Specifically, the first asset detection threshold may be 0.6, the second asset detection threshold may be 1, the third asset detection threshold may be 3, and the first preset threat coefficient is 0.1; the threat coefficient is obtained from expert experience.
Or, when the port number ratio in the parameter information of the IP address is greater than the first full-port scan threshold, or the number of ports is greater than the second full-port scan threshold, the IP address is determined to be an illegal attack address, its attack feature is the full-port scan feature, and its threat coefficient is the second preset threat coefficient.
Specifically, the first full-port scan threshold may be 0.2, the second full-port scan threshold may be 10, and the second preset threat coefficient is 0.2; the threat coefficient is obtained from expert experience.
Or, when the WEB port ratio in the parameter information of the IP address is greater than the first WEB scan and crawler threshold and the average packet number is greater than the second WEB scan and crawler threshold, the IP address is determined to be an illegal attack address, its attack feature is the WEB scan and crawler feature, and its threat coefficient is the third preset threat coefficient.
Specifically, the first WEB scan and crawler threshold may be 0.8, the second WEB scan and crawler threshold may be 5, and the third preset threat coefficient is 0.3; the threat coefficient is obtained from expert experience.
Specifically, an example of the illegal attack library is shown in table two.
Table two: example of the illegal attack library
Illegal attack address   Attack feature          Threat coefficient
1.1.1.10                 Asset detection         0.1
1.1.1.2                  Full port scanning      0.2
1.1.1.20                 WEB scan and crawler    0.3
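As an added illustration of step S202 (this is not the patent's code), the following Python applies the three classification rules with the threshold values and threat coefficients quoted above and stores every address judged illegal in a library keyed by IP. The record layout, the parameter field names, the rule order (the three rules are tried in the order the text lists them and the first match wins) and the sample records are assumptions; the sample records are constructed so that the result reproduces table two plus one ordinary address that is not stored.

```python
"""Step S202: build the preset illegal attack library from per-IP parameter information.

Added illustration, not the patent's own code. Thresholds and threat
coefficients are the figures quoted in the text; field names, record layout
and the first-match rule ordering are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Attack features with their preset threat coefficients (expert-set values from the text)
ASSET_DETECTION = ("Asset detection", 0.1)
FULL_PORT_SCAN = ("Full port scanning", 0.2)
WEB_SCAN_CRAWLER = ("WEB scan and crawler", 0.3)

# Preset attack thresholds quoted in the text
ICMP_RATIO_THRESHOLD = 0.6       # first asset detection threshold
C_SEGMENT_THRESHOLD = 1          # second asset detection threshold (>=)
B_SEGMENT_THRESHOLD = 3          # third asset detection threshold (>=)
PORT_RATIO_THRESHOLD = 0.2       # first full-port scan threshold
PORT_COUNT_THRESHOLD = 10        # second full-port scan threshold
WEB_PORT_RATIO_THRESHOLD = 0.8   # first WEB scan and crawler threshold
AVG_PACKETS_THRESHOLD = 5        # second WEB scan and crawler threshold


@dataclass
class IpParameters:
    """Parameter information for one IP address (field names are assumed)."""
    ip: str
    icmp_ratio: float          # share of the address's traffic that is ICMP
    detected_c_segments: int   # number of detected IPs and C segments
    detected_b_segments: int   # number of detected IPs and B segments
    port_ratio: float          # port number ratio
    port_count: int            # number of distinct ports touched
    web_port_ratio: float      # share of traffic to WEB ports
    avg_packets: float         # average packet number per flow


def classify(p: IpParameters) -> Optional[tuple]:
    """Return (attack feature, threat coefficient), or None for a non-attack address.

    Rules are evaluated in the order the text lists them; first match wins (assumption).
    """
    if (p.icmp_ratio > ICMP_RATIO_THRESHOLD
            and p.detected_c_segments >= C_SEGMENT_THRESHOLD
            and p.detected_b_segments >= B_SEGMENT_THRESHOLD):
        return ASSET_DETECTION
    if p.port_ratio > PORT_RATIO_THRESHOLD or p.port_count > PORT_COUNT_THRESHOLD:
        return FULL_PORT_SCAN
    if p.web_port_ratio > WEB_PORT_RATIO_THRESHOLD and p.avg_packets > AVG_PACKETS_THRESHOLD:
        return WEB_SCAN_CRAWLER
    return None


def build_attack_library(records):
    """Keep only addresses judged illegal, keyed by IP, with feature and coefficient."""
    library = {}
    for p in records:
        verdict = classify(p)
        if verdict is not None:
            library[p.ip] = {"attack_feature": verdict[0], "threat_coefficient": verdict[1]}
    return library


# Constructed whole-network records: three reproduce table two, the last is an ordinary host
SAMPLE_RECORDS = [
    IpParameters("1.1.1.10", icmp_ratio=0.7, detected_c_segments=2, detected_b_segments=3,
                 port_ratio=0.05, port_count=4, web_port_ratio=0.1, avg_packets=1),
    IpParameters("1.1.1.2", icmp_ratio=0.1, detected_c_segments=0, detected_b_segments=0,
                 port_ratio=0.05, port_count=40, web_port_ratio=0.1, avg_packets=1),
    IpParameters("1.1.1.20", icmp_ratio=0.05, detected_c_segments=0, detected_b_segments=0,
                 port_ratio=0.05, port_count=3, web_port_ratio=0.9, avg_packets=12),
    IpParameters("10.0.0.5", icmp_ratio=0.05, detected_c_segments=0, detected_b_segments=0,
                 port_ratio=0.05, port_count=3, web_port_ratio=0.5, avg_packets=2),
]

if __name__ == "__main__":
    for ip, entry in build_attack_library(SAMPLE_RECORDS).items():
        print(f"{ip:<12} {entry['attack_feature']:<22} {entry['threat_coefficient']}")
```

The port count rule is an "or", so a low port ratio does not protect an address that touches more than 10 ports, while the asset detection and WEB rules require all of their conditions at once.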
Step S203: according to the source IP address, source port, destination IP address and destination port acquired from the IP data flow information of the network device to be detected, determine which source ports are open and which are non-open, and acquire the risk index value corresponding to each open source port.
For example, table three shows real-time netflow information for the network device to be detected with IP 123.123.125.10.
Table three: real-time netflow information for the network device to be detected, IP 123.123.125.10
Table three shows the open source ports 80 and 443 and the non-open source ports 23241, 24521 and 3425. Each open source port corresponds to a unique risk index value obtained from expert experience; specifically, the risk index value of port 80 is 2 and that of port 443 is 1.
Step S204: determine, from the destination IP addresses and destination ports, the first communication IP information corresponding to the open source ports and the second communication IP information corresponding to the non-open source ports.
In this embodiment, the first communication IP information includes a first communication IP address and the corresponding first communication port; the second communication IP information includes a second communication IP address and the corresponding second communication port.
The first communication IP address is the destination IP address corresponding to the open source port, and the first communication port is the destination port corresponding to the open source port.
The second communication IP address is the destination IP address corresponding to the non-open source port, and the second communication port is the destination port corresponding to the non-open source port.
From the above example, the destination IP addresses and destination ports corresponding to the open source ports and to the non-open source ports are shown in table four.
Table four: destination IP addresses and destination ports
Destination IP   Destination port
1.1.1.10         12312, 12316, 12245, 23453
1.1.1.20         80
Step S205: query the preconfigured illegal attack library to acquire the first attack feature and first threat coefficient corresponding to the first communication IP information, and the second attack feature and second threat coefficient corresponding to the second communication IP information.
In this embodiment, it is assumed that the first attack feature corresponding to the first communication IP information is asset detection with a first threat coefficient of 0.1, that is, the destination IP address 1.1.1.10 corresponding to the open source ports has the attack feature asset detection and the threat coefficient 0.1; and that the second attack feature corresponding to the second communication IP information is WEB scan and crawler with a second threat coefficient of 0.3, that is, the destination IP address 1.1.1.20 corresponding to the non-open source ports has the attack feature WEB scan and crawler and the threat coefficient 0.3.
Step S206: identify the type and number of illegal behaviours corresponding to the source IP address obtained by monitoring, and obtain the index values corresponding to the illegal behaviours from that type and number together with the first attack feature and first threat coefficient of the first communication IP information and/or the second attack feature and second threat coefficient of the second communication IP information.
In this embodiment, when the type of illegal behaviour corresponding to the monitored source IP address is identified as an attack type, the communication IP information matched with the attack type is determined from the first attack feature of the first communication IP information and the second attack feature of the second communication IP information, and the attack index is obtained from the number of illegal behaviours and the threat coefficient of the matched communication IP information.
For example, continuing the above example, the network device to be detected has IP 123.123.125.10. The communication IP information matched with the attack type has the communication (destination) IP address 1.1.1.10 and the communication (destination) ports 12312, 12316, 12245 and 23453, and the threat coefficient corresponding to 1.1.1.10 is 0.1. Assuming that the number of attacks by 123.123.125.10 is 20, the attack index is obtained by the first formula.
The first formula is expressed as:
Attack index = number of illegal actions × threat coefficient
Specifically, the number of illegal actions and the attack index of the network device to be detected, 123.123.125.10, are shown in table five.
Table five: number of illegal actions and attack index
Network device IP to be detected   Number of illegal actions   Attack index
123.123.125.10                     20                          2
And/or, when the type of illegal behaviour corresponding to the monitored source IP address is an illegal external connection type, the communication IP information matched with the illegal external connection type is determined from the first attack feature of the first communication IP information and the second attack feature of the second communication IP information, and the illegal external connection index is obtained from the number of illegal behaviours and the threat coefficient of the communication IP information matched with the illegal external connection type.
For example, continuing the above example, the network device to be detected has IP 123.123.125.10. The communication IP information matched with the illegal external connection type has the communication (destination) IP address 1.1.1.20 and the communication (destination) port 80, and the threat coefficient corresponding to 1.1.1.20 is 0.3. Assuming that the number of illegal actions by 123.123.125.10 is 20, the illegal external connection index is obtained by the first formula.
Specifically, the number of illegal actions and the illegal external connection index of the network device to be detected, 123.123.125.10, are shown in table six.
Table six: number of illegal actions and illegal external connection index
Network device IP to be detected   Number of illegal actions   Illegal external connection index
123.123.125.10                     20                          6
In this embodiment, the attack type is matched with the asset detection feature among the attack features, and the illegal external connection type is matched with the WEB scan and crawler feature among the attack features.
Step S207: acquire the asset dynamic base value and the asset dynamic value from the risk index values of the open source ports, the index values of the illegal behaviours and the dynamic average value corresponding to each index value.
In this embodiment, the risk index values of the open source ports and the index values of the illegal behaviours are summed to obtain the asset dynamic base value.
According to the above example, the open source ports are 80 and 443 with risk index values 2 and 1 respectively, and the index values of the illegal behaviours are the attack index 2 and the illegal external connection index 6, so the asset dynamic base value = 2 + 1 + 2 + 6 = 11.
The sum of the risk index values of the open source ports is the open source port threat value.
For each index value, judge whether it is greater than its corresponding dynamic average value; if so, apply a correction to that index value to obtain the corrected index value.
Specifically, assuming that the dynamic average of the open source port threat value is 3, the dynamic average of the attack index is 2 and the dynamic average of the illegal external connection index is 2, only the illegal external connection index (6) exceeds its dynamic average, so it is corrected according to the second formula.
The second formula is expressed as:
Correction value = dynamic average value + overflow value / (overflow value + dynamic average value) × dynamic average value
The corrected illegal external connection index is therefore 2 + 6 / (6 + 2) × 2 = 3.5.
The asset dynamic value is then obtained from the index values that need no correction together with the corrected index values.
According to the above example, the asset dynamic value = 2 + 1 + 2 + 3.5 = 8.5.
Step S208: acquire the asset evaluation value corresponding to the source IP address from the asset type, grade and historical vulnerability information acquired for that source IP address.
Specifically, the asset evaluation value is obtained from the evaluation indices and scores in table seven.
Table seven: evaluation indices and scores
Assuming that the network device to be detected with IP 123.123.125.10 has a medium-to-low risk vulnerability scoring 15 because of its open WEB service, an asset type score of 35 and a grade 3 score of 30, the asset evaluation value = 35 + 30 + 15 = 80.
Step S209: acquire the asset comprehensive evaluation result corresponding to the source IP address of the network device to be detected from the asset dynamic base value, the asset dynamic value and the asset evaluation value, so that the network to which the device belongs can be managed according to that result.
In this embodiment, the asset comprehensive evaluation result is obtained by the third formula, which is expressed as:
Asset comprehensive evaluation result = asset evaluation value × asset dynamic coefficient
The asset dynamic coefficient is obtained by the fourth formula, which is expressed as:
Asset dynamic coefficient = sum of the dynamic average values / asset dynamic value
According to the above example, the asset dynamic coefficient of the network device to be detected, 123.123.125.10, is (3 + 2 + 2) / 8.5 ≈ 0.94.
Its asset comprehensive evaluation result = 80 × 0.94 ≈ 75.
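The following Python carries steps S203 to S209 through with the figures of the worked example; it is an added illustration, not the patent's own code. The library lookup uses the table two entries and the stated match between behaviour types and attack features (attack type to asset detection, illegal external connection type to WEB scan and crawler); the data layout, the function names and the tie-breaking rule (the first matching communication IP wins) are assumptions. Note that applying the fourth formula to the example's own inputs gives (3 + 2 + 2) / 8.5 ≈ 0.82 rather than the 0.94 quoted above, so the block reports the value the formula itself produces.

```python
"""Steps S203 to S209 of the scoring pipeline, carried through with the worked example.

Added illustration, not the patent's own code. Port risk values, threat
coefficients, dynamic averages and score components are the numbers quoted
in the text; data layout, function names and tie-breaking are assumptions.
"""

# Illegal attack library as in table two: destination IP -> (attack feature, threat coefficient)
ATTACK_LIBRARY = {
    "1.1.1.10": ("Asset detection", 0.1),
    "1.1.1.2": ("Full port scanning", 0.2),
    "1.1.1.20": ("WEB scan and crawler", 0.3),
}

# Attack feature that each illegal behaviour type matches (as stated in the text)
TYPE_TO_FEATURE = {
    "attack": "Asset detection",
    "external_connection": "WEB scan and crawler",
}


def matched_threat_coefficient(action_type, communication_ips, library=ATTACK_LIBRARY):
    """Step S206 matching: the threat coefficient of the first communication (destination)
    IP whose library feature matches the behaviour type; 0.0 when nothing matches."""
    wanted = TYPE_TO_FEATURE[action_type]
    for ip in communication_ips:
        entry = library.get(ip)
        if entry is not None and entry[0] == wanted:
            return entry[1]
    return 0.0


def behaviour_index(count, threat_coefficient):
    """First formula: index = number of illegal actions x threat coefficient."""
    return count * threat_coefficient


def correct_index(value, mean):
    """Second formula, applied only when an index exceeds its dynamic average.

    The text's worked substitution uses the exceeding index value itself as the
    'overflow value', which is followed here.
    """
    if value <= mean:
        return value
    return mean + value / (value + mean) * mean


def evaluate_device(open_port_risk, action_counts, communication_ips, dynamic_means,
                    type_score, grade_score, vuln_score):
    # Step S203: open source port threat value is the sum of the per-port risk index values
    port_threat = sum(open_port_risk.values())
    # Step S206: one index per illegal behaviour type
    indices = {t: behaviour_index(n, matched_threat_coefficient(t, communication_ips))
               for t, n in action_counts.items()}
    # Step S207: base value is the plain sum; dynamic value sums the corrected components
    dynamic_base = port_threat + sum(indices.values())
    dynamic_value = correct_index(port_threat, dynamic_means["open_ports"]) + sum(
        correct_index(v, dynamic_means[t]) for t, v in indices.items())
    # Step S208: asset evaluation value from type, grade and historical vulnerability scores
    evaluation_value = type_score + grade_score + vuln_score
    # Step S209: fourth formula (coefficient), then third formula (comprehensive result)
    dynamic_coefficient = sum(dynamic_means.values()) / dynamic_value
    comprehensive = evaluation_value * dynamic_coefficient
    return {
        "attack_index": indices["attack"],
        "external_connection_index": indices["external_connection"],
        "dynamic_base": dynamic_base,
        "dynamic_value": dynamic_value,
        "evaluation_value": evaluation_value,
        "dynamic_coefficient": dynamic_coefficient,
        "comprehensive": comprehensive,
    }


def run_example():
    """The worked example for device 123.123.125.10 with the figures quoted in the text."""
    return evaluate_device(
        open_port_risk={80: 2, 443: 1},                       # table three, expert-set risk values
        action_counts={"attack": 20, "external_connection": 20},
        communication_ips=["1.1.1.10", "1.1.1.20"],           # destination IPs from table four
        dynamic_means={"open_ports": 3, "attack": 2, "external_connection": 2},
        type_score=35, grade_score=30, vuln_score=15,         # table seven components
    )


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value:.4g}")
```

Because the correction only dampens indices above their dynamic average, the dynamic value can never exceed the base value, and the coefficient falls as the device's behaviour drifts further above its own history.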
In this embodiment, the asset comprehensive evaluation result for the source IP address of the network device to be detected is obtained from the index values of the illegal behaviours on its open and non-open source ports, the risk index values of the open source ports, the dynamic average values of the index values, and the asset evaluation value of the source IP address, with any index value exceeding its dynamic average corrected against that average.
Fig. 3 is a schematic structural diagram of an embodiment of a network asset evaluation processing apparatus according to the present application. As shown in fig. 3, the network asset evaluation processing apparatus 30 includes an acquisition module 31 and a processing module 32. The acquisition module 31 is configured to acquire the source IP address, source port, destination IP address and destination port in the IP data flow information of the network device to be detected, determine the open source ports and non-open source ports among the source ports, and acquire the risk index value corresponding to each open source port. The processing module 32 is configured to determine, from the destination IP addresses and destination ports, the first communication IP information corresponding to the open source ports and the second communication IP information corresponding to the non-open source ports. The acquisition module 31 is further configured to query a preconfigured illegal attack library and acquire the first attack feature and first threat coefficient corresponding to the first communication IP information, and the second attack feature and second threat coefficient corresponding to the second communication IP information. The processing module 32 is further configured to identify the type and number of illegal actions corresponding to the source IP address obtained by monitoring, and to obtain the index values corresponding to the illegal actions from that type and number together with the first attack feature and first threat coefficient of the first communication IP information and/or the second attack feature and second threat coefficient of the second communication IP information. The processing module 32 is further configured to obtain the asset dynamic base value and the asset dynamic value from the risk index values of the open source ports, the index values of the illegal actions and the dynamic average value corresponding to each index value; to obtain the asset evaluation value corresponding to the source IP address from the asset type, grade and historical vulnerability information acquired for that address; and to obtain the asset comprehensive evaluation result corresponding to the source IP address of the network device to be detected from the asset dynamic base value, the asset dynamic value and the asset evaluation value, so that the network to which the device belongs can be managed according to that result.
The network asset evaluation processing apparatus of this embodiment can execute the method example shown in fig. 1; its implementation principle and technical effect are similar and are not repeated here.
In one possible embodiment, the acquisition module 31 is further configured to:
acquire the whole-network asset information, which includes the IP addresses and the parameter information corresponding to each IP address; and,
for each IP address, when the IP address is determined to be an illegal attack address according to its parameter information and the preset attack thresholds, acquire the attack feature and threat coefficient corresponding to the IP address, and store the IP address together with its attack feature and threat coefficient in the preset illegal attack library.
In one possible embodiment, the acquisition module 31 is specifically configured to:
when the ICMP ratio in the parameter information of the IP address is greater than the first asset detection threshold, the number of detected IPs and C segments is greater than or equal to the second asset detection threshold, and the number of detected IPs and B segments is greater than or equal to the third asset detection threshold, determine the IP address to be an illegal attack address, with the asset detection feature as its attack feature and the first preset threat coefficient as its threat coefficient;
or, when the port number ratio in the parameter information of the IP address is greater than the first full-port scan threshold, or the number of ports is greater than the second full-port scan threshold, determine the IP address to be an illegal attack address, with the full-port scan feature as its attack feature and the second preset threat coefficient as its threat coefficient;
or, when the WEB port ratio in the parameter information of the IP address is greater than the first WEB scan and crawler threshold and the average packet number is greater than the second WEB scan and crawler threshold, determine the IP address to be an illegal attack address, with the WEB scan and crawler feature as its attack feature and the third preset threat coefficient as its threat coefficient.
In one possible embodiment, the first communication IP information includes a first communication IP address and the corresponding first communication port; the second communication IP information includes a second communication IP address and the corresponding second communication port.
The first communication IP address is the destination IP address corresponding to the open source port, and the first communication port is the destination port corresponding to the open source port.
The second communication IP address is the destination IP address corresponding to the non-open source port, and the second communication port is the destination port corresponding to the non-open source port.
In one possible embodiment, the processing module 32 is specifically configured to:
when the type of illegal behaviour corresponding to the monitored source IP address is identified as an attack type, determine the communication IP information matched with the attack type from the first attack feature of the first communication IP information and the second attack feature of the second communication IP information, and obtain the attack index from the number of illegal behaviours and the threat coefficient of the communication IP information matched with the attack type;
and/or, when the type of illegal behaviour corresponding to the monitored source IP address is an illegal external connection type, determine the communication IP information matched with the illegal external connection type from the first attack feature of the first communication IP information and the second attack feature of the second communication IP information, and obtain the illegal external connection index from the number of illegal behaviours and the threat coefficient of the communication IP information matched with the illegal external connection type.
The attack type is matched with the asset detection feature among the attack features, and the illegal external connection type is matched with the WEB scan and crawler feature among the attack features.
In one possible embodiment, the processing module 32 is specifically configured to:
sum the risk index values of the open source ports and the index values of the illegal behaviours to obtain the asset dynamic base value;
for each index value, judge whether it is greater than its corresponding dynamic average value and, if so, apply a correction to obtain the corrected index value; and
obtain the asset dynamic value from the index values that need no correction together with the corrected index values.
Fig. 4 is a schematic structural diagram of a server according to the present application. As shown in fig. 4, the server 40 includes a processor 41, a memory 42 and a communication interface 43; the memory 42 stores executable instructions for the processor 41, and the processor 41 is configured to execute those instructions to perform the technical solution of any of the method embodiments described above.
Alternatively, the memory 42 may be separate from or integrated with the processor 41.
Alternatively, when the memory 42 is a device separate from the processor 41, the server 40 may further include a bus connecting these devices.
The server is used to execute the technical solution of any of the method embodiments; its implementation principle and technical effect are similar and are not repeated here.
An embodiment of the application also provides a readable storage medium on which a computer program is stored, which, when executed by a processor, implements the technical solution provided by any of the foregoing embodiments.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the method embodiments described above may be performed by hardware associated with program instructions. The foregoing program may be stored in a computer readable storage medium. The program, when executed, performs steps including the method embodiments described above; and the aforementioned storage medium includes: various media that can store program code, such as ROM, RAM, magnetic or optical disks.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region, and provide corresponding operation entries for the user to select authorization or rejection.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features can be replaced equivalently; such modifications and substitutions do not depart from the spirit of the application.

Claims (10)

1. A network asset evaluation processing method, comprising:
according to the source IP address, source port, destination IP address and destination port acquired from the IP data stream information of the network device to be detected, determining the open source ports and non-open source ports among the source ports, and acquiring the risk index value corresponding to each open source port;
respectively determining, from the destination IP address and the destination port, the first communication IP information corresponding to the open source port and the second communication IP information corresponding to the non-open source port;
querying a preconfigured illegal attack library, and respectively acquiring a first attack feature and a first threat coefficient corresponding to the first communication IP information and a second attack feature and a second threat coefficient corresponding to the second communication IP information;
identifying the type and number of illegal actions corresponding to the source IP address obtained by monitoring, and obtaining the index values corresponding to the illegal actions according to that type and number together with the first attack feature and first threat coefficient corresponding to the first communication IP information and/or the second attack feature and second threat coefficient corresponding to the second communication IP information, the illegal action types being an attack type and an illegal external connection type;
acquiring an asset dynamic base value and an asset dynamic value according to the risk index value corresponding to the open source port, the index value corresponding to the illegal action and the dynamic average value corresponding to each index value;
acquiring an asset evaluation value corresponding to the source IP address according to the asset type, grade and historical vulnerability information acquired for the source IP address; and
acquiring an asset comprehensive evaluation result corresponding to the source IP address of the network device to be detected according to the asset dynamic base value, the asset dynamic value and the asset evaluation value, so as to manage the network corresponding to the network device to be detected according to the asset comprehensive evaluation result.
2. The method according to claim 1, further comprising:
acquiring whole-network asset information, the whole-network asset information comprising the IP addresses and the parameter information corresponding to each IP address; and
for each IP address, when the IP address is determined to be an illegal attack address according to the parameter information corresponding to the IP address and a preset attack threshold, acquiring the attack feature and threat coefficient corresponding to the IP address, and storing the IP address together with its attack feature and threat coefficient in the preset illegal attack library.
3. The method according to claim 2, wherein obtaining the attack characteristic and the threat coefficient corresponding to the IP address when the IP address is determined to be an illegal attack address according to the parameter information corresponding to the IP address and a preset attack threshold includes:
when the ICMP proportion in the parameter information corresponding to the IP address is determined to be greater than a first asset detection threshold, the number of C sections probed by the IP is greater than or equal to a second asset detection threshold, and the number of B sections probed by the IP is greater than or equal to a third asset detection threshold, determining the IP address to be an illegal attack address, and obtaining the attack characteristic corresponding to the IP address as an asset detection characteristic and the threat coefficient as a first preset threat coefficient;
or
when the port number ratio in the parameter information corresponding to the IP address is determined to be greater than a first full-port scanning threshold, or the port number is determined to be greater than a second full-port scanning threshold, determining the IP address to be an illegal attack address, and obtaining the attack characteristic corresponding to the IP address as a full-port scanning characteristic and the threat coefficient as a second preset threat coefficient;
or
when the WEB port ratio in the parameter information corresponding to the IP address is determined to be greater than a first WEB scanning and crawling threshold and the average packet number is greater than a second WEB scanning and crawling threshold, determining the IP address to be an illegal attack address, and obtaining the attack characteristic corresponding to the IP address as a WEB scanning and crawling characteristic and the threat coefficient as a third preset threat coefficient.
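The illegal attack library construction of claim 2 and the three classification rules of claim 3, as an added worked example (not code from the patent): the parameter field names, the preset thresholds and the threat coefficients are all constructed assumptions, since the patent names the quantities but fixes no values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class IpParams:
    """Constructed per-IP parameter record; field names are assumptions."""
    icmp_ratio: float        # share of the IP's traffic that is ICMP
    probed_c_sections: int   # distinct /24 (C section) networks probed
    probed_b_sections: int   # distinct /16 (B section) networks probed
    port_ratio: float        # share of the port space contacted
    port_count: int          # distinct destination ports contacted
    web_port_ratio: float    # share of flows aimed at WEB ports
    avg_packets: float       # average packet number per flow

# Preset thresholds and threat coefficients: constructed values, unspecified on the page.
ASSET_DETECT = (0.6, 20, 3)     # first, second, third asset detection thresholds
FULL_PORT_SCAN = (0.3, 1000)    # first, second full-port scanning thresholds
WEB_SCAN = (0.7, 2.0)           # first, second WEB scanning and crawling thresholds
THREAT_COEF = {"asset_detection": 0.9, "full_port_scan": 0.8, "web_scan_crawl": 0.6}

def classify_ip(p: IpParams) -> Optional[Tuple[str, float]]:
    """Claim 3 rules in claim order: (attack feature, threat coefficient) or None."""
    t1, t2, t3 = ASSET_DETECT
    if p.icmp_ratio > t1 and p.probed_c_sections >= t2 and p.probed_b_sections >= t3:
        return "asset_detection", THREAT_COEF["asset_detection"]
    f1, f2 = FULL_PORT_SCAN
    if p.port_ratio > f1 or p.port_count > f2:
        return "full_port_scan", THREAT_COEF["full_port_scan"]
    w1, w2 = WEB_SCAN
    if p.web_port_ratio > w1 and p.avg_packets > w2:
        return "web_scan_crawl", THREAT_COEF["web_scan_crawl"]
    return None

def build_attack_library(assets: Dict[str, IpParams]) -> Dict[str, dict]:
    """Claim 2: store every illegal attack address with its feature and coefficient."""
    library = {}
    for ip, params in assets.items():
        verdict = classify_ip(params)
        if verdict is not None:
            library[ip] = {"feature": verdict[0], "threat": verdict[1]}
    return library

# Constructed sample: an ICMP sweeper, a port scanner, a web crawler and a benign host.
SAMPLE_ASSETS = {
    "192.0.2.10": IpParams(0.8, 40, 5, 0.01, 12, 0.1, 1.0),
    "192.0.2.11": IpParams(0.05, 1, 1, 0.02, 1500, 0.2, 1.5),
    "192.0.2.12": IpParams(0.0, 1, 1, 0.001, 3, 0.95, 6.0),
    "192.0.2.13": IpParams(0.01, 1, 1, 0.001, 4, 0.5, 3.0),
}
```

Rules are evaluated in claim order, so an address that matches more than one rule is stored under the first match; a deployment that wants all matching features recorded would collect them instead of returning early.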
4. A method according to any one of claims 1 to 3, wherein the first communication IP information comprises: a first communication IP address and a corresponding first communication port; the second communication IP information includes: a second communication IP address and a corresponding second communication port;
The first communication IP address is a destination IP address corresponding to the open source port, and the first communication port is a destination port corresponding to the open source port;
The second communication IP address is a destination IP address corresponding to the non-open source port, and the second communication port is a destination port corresponding to the non-open source port.
5. The method according to claim 4, wherein identifying the type of the illegal action and the number of times of the illegal action corresponding to the source IP address obtained by monitoring, and obtaining the index value corresponding to the illegal action according to the type of the illegal action, the number of times of the illegal action, the first attack feature and the first threat coefficient corresponding to the first communication IP information, and/or the second attack feature and the second threat coefficient corresponding to the second communication IP information, includes:
when the type of the illegal action corresponding to the source IP address obtained by monitoring is identified as an attack type, determining the communication IP information matched with the attack type according to the first attack characteristic corresponding to the first communication IP information and the second attack characteristic corresponding to the second communication IP information, and obtaining an attack index according to the number of times of the illegal action and the threat coefficient corresponding to the communication IP information matched with the attack type;
and/or
when the type of the illegal action corresponding to the source IP address obtained by monitoring is identified as an illegal external connection type, determining the communication IP information matched with the illegal external connection type according to the first attack characteristic corresponding to the first communication IP information and the second attack characteristic corresponding to the second communication IP information, and obtaining an illegal external connection index according to the number of times of the illegal action and the threat coefficient corresponding to the communication IP information matched with the attack type;
wherein the attack type is matched with the asset detection characteristic among the attack characteristics, and the illegal external connection type is matched with the WEB scanning and crawling characteristic among the attack characteristics.
6. The method of claim 5, wherein obtaining the asset dynamic base value and the asset dynamic value according to the risk index value corresponding to the open source port, the index value corresponding to the illegal action, and the dynamic average value corresponding to each index value comprises:
summing the risk index value corresponding to the open source port and the index value corresponding to the illegal action to obtain the asset dynamic base value;
judging, for each index value, whether the index value is greater than the dynamic average value corresponding to that index value, and if so, performing correction processing on the index value to obtain a corrected index value;
and obtaining the asset dynamic value from the index values that did not need correction and the corrected index values.
7. A network asset assessment processing apparatus, comprising:
The acquisition module is used for acquiring a source IP address, a source port, a destination IP address and a destination port in the IP data flow information of the network equipment to be detected, determining an open source port and a non-open source port from the source ports, and acquiring a risk index value corresponding to the open source port;
The processing module is used for respectively determining the first communication IP information corresponding to the open source port and the second communication IP information corresponding to the non-open source port from the destination IP address and the destination port;
The acquisition module is further used for inquiring a preconfigured illegal attack library, and respectively acquiring a first attack characteristic and a first threat coefficient corresponding to the first communication IP information, and a second attack characteristic and a second threat coefficient corresponding to the second communication IP information;
the processing module is further configured to identify the type of the illegal action and the number of times of the illegal action corresponding to the source IP address obtained by monitoring, and to obtain the index value corresponding to the illegal action according to the type of the illegal action, the number of times of the illegal action, the first attack feature and the first threat coefficient corresponding to the first communication IP information, and/or the second attack feature and the second threat coefficient corresponding to the second communication IP information; the types of illegal action are an attack type and an illegal external connection type;
The processing module is further used for obtaining an asset dynamic basic value and an asset dynamic value according to the risk index value corresponding to the open source port, the index value corresponding to the illegal action and the dynamic average value corresponding to each index value;
The processing module is further configured to obtain an asset evaluation value corresponding to the source IP address according to the obtained asset type, level and history vulnerability information corresponding to the source IP address;
The processing module is further configured to obtain an asset comprehensive evaluation result corresponding to the source IP address of the network device to be detected according to the asset dynamic base value, the asset dynamic value, and the asset evaluation value, so as to perform corresponding management on a network corresponding to the network device to be detected according to the asset comprehensive evaluation result.
8. The apparatus of claim 7, wherein the acquisition module is further configured to:
Acquiring whole network asset information, wherein the whole network asset information comprises: the IP address and the parameter information corresponding to the IP address;
and for each IP address, according to the parameter information corresponding to the IP address and a preset attack threshold value, when the IP address is determined to be an illegal attack address, acquiring the attack characteristic and the threat coefficient corresponding to the IP address, and storing the IP address, the attack characteristic and the threat coefficient corresponding to the IP address into the preset illegal attack library.
9. A server, comprising:
a processor, a memory and a communication interface;
the memory is configured to store executable instructions of the processor;
wherein the processor is configured to perform the network asset evaluation processing method of any one of claims 1 to 6 by executing the executable instructions.
10. A readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the network asset evaluation processing method of any one of claims 1 to 6.
CN202211507077.9A 2022-11-29 2022-11-29 Network asset evaluation processing method, device, server and medium Active CN115834219B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211507077.9A CN115834219B (en) 2022-11-29 2022-11-29 Network asset evaluation processing method, device, server and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211507077.9A CN115834219B (en) 2022-11-29 2022-11-29 Network asset evaluation processing method, device, server and medium

Publications (2)

Publication Number Publication Date
CN115834219A CN115834219A (en) 2023-03-21
CN115834219B true CN115834219B (en) 2024-05-17

Family

ID=85532452

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211507077.9A Active CN115834219B (en) 2022-11-29 2022-11-29 Network asset evaluation processing method, device, server and medium

Country Status (1)

Country Link
CN (1) CN115834219B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20160141457A (en) * 2015-06-01 2016-12-09 주식회사 에스씨엘 Risk assessment system for information security management system
CN111490970A (en) * 2020-02-19 2020-08-04 西安交大捷普网络科技有限公司 Tracing analysis method for network attack
WO2021082966A1 (en) * 2019-10-31 2021-05-06 中兴通讯股份有限公司 Asset vulnerability calculation method and device, storage medium, and server
CN113408948A (en) * 2021-07-15 2021-09-17 恒安嘉新(北京)科技股份公司 Network asset management method, device, equipment and medium
CN113468542A (en) * 2021-07-07 2021-10-01 国家计算机网络与信息安全管理中心江苏分中心 Exposed surface asset risk assessment method, device, equipment and medium
CN113542278A (en) * 2021-07-16 2021-10-22 北京源堡科技有限公司 Network security assessment method, system and device
CN114679338A (en) * 2022-05-26 2022-06-28 山东林天信息科技有限责任公司 Network risk assessment method based on network security situation awareness

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103563302B (en) * 2011-06-01 2016-09-14 惠普发展公司,有限责任合伙企业 Networked asset information management
US9344894B2 (en) * 2014-02-10 2016-05-17 Qualcomm Incorporated Methods and systems for handling malicious attacks in a wireless communication system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Alexander, G; "Detecting TCP/IP Connections via IPID Hash Collisions"; Proceedings on Privacy Enhancing Technologies; 2020-09-25; full text *
胡浩; 刘玉岭; 张玉臣; 张红旗; "A survey of attack-graph-based network security metrics"; 网络与信息安全学报 (Chinese Journal of Network and Information Security); 2018-09-15 (Issue 09); full text *
杨豪璞; 邱辉; 王坤; "Network security situation assessment method for multi-step attacks"; 通信学报 (Journal on Communications); 2017-01-25 (Issue 01); full text *

Also Published As

Publication number Publication date
CN115834219A (en) 2023-03-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant