CN115907802A - Security assessment method and system - Google Patents

Publication number: CN115907802A
Authority: CN (China)
Application number: CN202211548834.7A
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 孙皓恒
Original and current assignee: Chengdu Knownsec Information Technology Co ltd
Prior art keywords: credit investigation; evaluated; subsystem; domain name; malicious

Abstract

The embodiment of the invention provides a security assessment method and a security assessment system, which belong to the field of network security. A domain name server determines all domain names corresponding to each to-be-assessed IP in a received query request and obtains the historical network malicious behaviors of each domain name. For each to-be-assessed IP, the domain name server obtains the malicious level of the to-be-assessed IP according to all of its historical network malicious behaviors, adds the credit investigation label corresponding to the malicious level to the to-be-assessed IP, and sends it to a verification subsystem. After the verification subsystem determines the associated users of the to-be-assessed IP, identity labels corresponding to the associated users are added to the to-be-assessed IP, which is then sent to the credit investigation subsystem, so that the credit investigation subsystem carries out credit investigation assessment on the associated users according to the credit investigation label of the to-be-assessed IP. The network security behaviors of the assessed users are thus considered in the credit investigation assessment, and the security risk of the credit investigation assessment result can be greatly reduced.

Description

Security assessment method and system
Technical Field
The invention relates to the field of network security, in particular to a security assessment method and a security assessment system.
Background
Personal credit investigation refers to the activities in which a legally established personal credit investigation institution collects and processes personal credit information and provides personal credit information inquiry and evaluation services according to the requirements of users. A personal credit report is the record of an individual's credit history that the credit investigation institution provides to lawful information inquirers after processing and organizing, in accordance with the law, the information it has lawfully collected.
Personal credit investigation is an effective way of fundamentally relieving financial risk and ensuring effective benefits. However, with the development of network technology and network security, the current credit investigation security evaluation method evaluates along only a single direction when carrying out credit investigation evaluation, resulting in a larger security risk in the credit investigation evaluation result.
Disclosure of Invention
In view of the above, the present invention provides a security assessment method and system, which can solve the problem that the traditional credit investigation security assessment method assesses along only a single direction, resulting in a large security risk in the credit investigation assessment result.
In order to achieve the above purpose, the embodiment of the present invention adopts the following technical solutions:
In a first aspect, an embodiment of the present invention provides a security assessment method applied to a security assessment system, where the security assessment system includes a domain name server, a verification subsystem, and a credit investigation subsystem, the credit investigation subsystem and the verification subsystem are both in communication connection with the domain name server, and the domain name server is in communication connection with multiple clients, and the method includes:
when the domain name server receives a query request sent by any client, determining all domain names corresponding to each IP to be evaluated in the query request, and acquiring historical network malicious behaviors of each domain name;
for each IP to be evaluated, the domain name server obtains the malicious level of the IP to be evaluated and a credit investigation label corresponding to the malicious level according to the historical network malicious behaviors of all domain names of the IP to be evaluated, adds the credit investigation label to the IP to be evaluated, and sends the IP to be evaluated to the verification subsystem;
when receiving the IP to be evaluated sent by the domain name server, the verification subsystem processes the IP to be evaluated and determines an associated user of the IP to be evaluated;
and the verification subsystem adds the credit investigation label of the IP to be evaluated to the identity information of the associated user and then sends the identity information to the credit investigation subsystem, so that the credit investigation subsystem carries out credit investigation evaluation on the associated user according to the credit investigation label of the IP to be evaluated.
Further, the step of obtaining the malicious level of the IP to be evaluated and the credit investigation label corresponding to the malicious level according to the historical network malicious behaviors of all domain names of the IP to be evaluated includes:
determining all credit investigation malicious behaviors from the historical network malicious behaviors of all domain names of the IP to be evaluated based on credit investigation items in a preset credit investigation table;
and evaluating all credit investigation malicious behaviors according to a preset credit investigation evaluation rule to obtain a malicious level, and determining a credit investigation label corresponding to the malicious level.
Furthermore, the domain name server is also in communication connection with a threat intelligence subsystem;
the step of obtaining the historical network malicious behavior of each domain name includes:
putting all domain names of the IP to be evaluated into an intelligence query request, and sending the intelligence query request to the threat intelligence subsystem;
and when receiving the intelligence query request, the threat intelligence subsystem queries the historical network malicious behaviors corresponding to each domain name from a threat intelligence library, and packs and returns the historical malicious behaviors corresponding to all the domain names to the domain name server.
Further, the step of processing the to-be-evaluated IP and determining the associated user of the to-be-evaluated IP includes:
monitoring the IP to be evaluated, and acquiring and storing all identity authentication information of the IP to be evaluated;
and when the monitoring time of the IP to be evaluated reaches a preset time length, carrying out user decision according to all the acquired identity authentication information, and determining the associated user of the IP to be evaluated.
Further, the method further comprises:
and the verification subsystem sends a cyclic monitoring instruction to the domain name server and the verification subsystem based on the IP to be evaluated and the associated user, so as to periodically and cyclically update the malicious level of the IP to be evaluated, the credit investigation label corresponding to the malicious level, the associated user of the IP to be evaluated and the identity information of the associated user.
Further, the step of making a user decision according to all the obtained identity authentication information and determining the associated user of the IP to be evaluated includes:
determining an authentication user and authentication time corresponding to each identity authentication information;
and determining the associated users of the IP to be evaluated according to all the authentication users and the authentication time based on a preset decision rule.
Further, the method further comprises:
and when the credit investigation subsystem receives the identity information, updating or recording the credit investigation grade of the credit investigation user corresponding to the identity information according to the credit investigation label of the identity information.
In a second aspect, an embodiment of the present invention provides a security assessment system that includes a domain name server, a verification subsystem and a credit investigation subsystem, where the credit investigation subsystem and the verification subsystem are both in communication connection with the domain name server, and the domain name server is in communication connection with multiple clients;
the domain name server is used for determining all domain names corresponding to each IP to be evaluated in the query request and acquiring the historical network malicious behavior of each domain name when receiving the query request sent by any client;
the domain name server is further configured to obtain, for each to-be-evaluated IP, a malicious level of the to-be-evaluated IP and a credit investigation label corresponding to the malicious level according to historical network malicious behaviors of all domain names of the to-be-evaluated IP, add the credit investigation label to the to-be-evaluated IP, and send the to-be-evaluated IP to the verification subsystem;
the verification subsystem is used for processing the IP to be evaluated when receiving the IP to be evaluated sent by the domain name server and determining an associated user of the IP to be evaluated;
the verification subsystem is further configured to add the credit investigation label of the to-be-evaluated IP to the identity information of the associated user, and then send the identity information to the credit investigation subsystem, so that the credit investigation subsystem performs credit investigation evaluation on the associated user according to the credit investigation label of the to-be-evaluated IP.
Further, the domain name server is further configured to:
determining all credit investigation malicious behaviors from the historical network malicious behaviors of all domain names of the IP to be evaluated based on credit investigation items in a preset credit investigation table;
and evaluating all credit investigation malicious behaviors according to a preset credit investigation evaluation rule to obtain a malicious level, and determining a credit investigation label corresponding to the malicious level.
Further, the verification subsystem is further configured to:
monitoring the IP to be evaluated, and acquiring and storing all identity authentication information of the IP to be evaluated;
and when the monitoring time of the IP to be evaluated reaches a preset time length, carrying out user decision according to all the acquired identity authentication information, and determining the associated user of the IP to be evaluated.
According to the security assessment method and system, a domain name server determines all domain names corresponding to each to-be-assessed IP in a received query request and obtains the historical network malicious behaviors of each domain name. For each to-be-assessed IP, the domain name server obtains the malicious level of the to-be-assessed IP according to all of its historical network malicious behaviors, adds the credit investigation label corresponding to the malicious level to the to-be-assessed IP, and sends it to a verification subsystem. The verification subsystem determines the associated users of the to-be-assessed IP, adds identity labels corresponding to the associated users to the to-be-assessed IP, and then sends it to a credit investigation subsystem, so that the credit investigation subsystem carries out credit investigation assessment on the associated users according to the credit investigation label of the to-be-assessed IP. The network security behaviors of the assessed users can thus be considered in the credit investigation assessment, and the security risk of the credit investigation assessment result can be greatly reduced.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a block diagram illustrating a security assessment system according to an embodiment of the present invention.
Fig. 2 shows one of the flow diagrams of the security assessment method according to the embodiment of the present invention.
Fig. 3 is a second flowchart of the security assessment method according to the embodiment of the present invention.
Fig. 4 shows a schematic flow diagram of a part of the sub-steps of step S11 in fig. 2 or 3.
Fig. 5 shows a schematic flow diagram of a part of the sub-steps of step S13 in fig. 2 or 3.
Fig. 6 shows a schematic flow diagram of a part of the sub-steps of step S15 in fig. 2 or 3.
Fig. 7 shows a schematic flow chart of a part of the sub-steps of step S152 in fig. 6.
Fig. 8 is a block diagram of an electronic device provided in an embodiment of the present invention.
Reference numerals: 100-a security assessment system; 110-domain name server; 120-a verification subsystem; 121-a verification server; 130-credit investigation subsystem; 131-credit investigation server; 140-threat intelligence subsystem; 141-a secure server; 150-a client; 160-electronic device.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
It is noted that relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
Personal credit investigation is an effective way of fundamentally relieving financial risk and guaranteeing effective benefits. However, with the development of network technology and network security, an attacker may attack a financial system such as a bank through a network attack, resulting in a great amount of economic loss. The current credit investigation security assessment method nevertheless assesses along only a single direction when assessing credit, resulting in a larger security risk in the credit investigation assessment result.
Meanwhile, despite the constraints imposed by network security methods, attackers still often use the IP of a smart device to maliciously attack a website or a system. For example, the financial industry is a high-risk industry for network security and is constantly under network attack. Such network attacks damage the interests of the banking industry and its customers, and greatly affect customers' satisfaction with security services.
Based on the above consideration, the embodiment of the invention provides a security assessment method, which can solve the problem that the traditional credit investigation security assessment method has a single assessment direction, resulting in a larger security risk of the credit investigation assessment result.
The security assessment method provided by the embodiment of the present invention may be applied to the security assessment system 100 shown in fig. 1, where the security assessment system 100 may include a domain name server 110, a verification subsystem 120, and a credit investigation subsystem 130, the domain name server 110 may be in communication connection with a plurality of clients 150 through a network, and both the credit investigation subsystem 130 and the verification subsystem 120 may be in communication connection with the domain name server 110 through a network.
The verification subsystem 120 may include a verification server 121, and the verification server 121 may be communicatively coupled to the domain name server 110 and the plurality of clients 150 via a network.
The credit investigation subsystem 130 may comprise a credit investigation server 131, and the credit investigation server 131 may be communicatively connected with the verification server 121 and the plurality of clients 150 through a network.
The domain name server 110 is configured to, when receiving a query request sent by any client 150, determine all domain names corresponding to each to-be-evaluated IP in the query request, and obtain a historical network malicious behavior of each domain name.
The domain name server 110 is further configured to, for each to-be-evaluated IP, obtain a malicious level of the to-be-evaluated IP and a credit investigation label corresponding to the malicious level according to the historical network malicious behaviors of all domain names of the to-be-evaluated IP, add the credit investigation label to the to-be-evaluated IP, and send the to-be-evaluated IP to the verification subsystem 120.
The verification subsystem 120 is configured to, when receiving the to-be-evaluated IP sent by the domain name server 110, process the to-be-evaluated IP and determine the associated user of the to-be-evaluated IP.
The verification subsystem 120 is further configured to add the credit investigation label of the IP to be evaluated to the identity information of the associated user, and then send the identity information to the credit investigation subsystem 130.
The credit investigation subsystem 130 is used for receiving and storing the identity information and performing credit investigation evaluation on the associated user according to the credit investigation label of the identity information.
Further, security evaluation system 100 may further include a threat intelligence subsystem 140, threat intelligence subsystem 140 may include a security server 141 communicatively coupled to domain name server 110 via a network, and security server 141 may also be communicatively coupled to a plurality of clients 150 via a network.
The security server 141 is configured to monitor network behaviors of the clients 150, determine an attack behavior from the network behaviors of the clients 150 based on a preset attack behavior detection rule, and store the attack behavior and attack data thereof as a historical network malicious behavior.
The domain name server 110 is also configured to: determining all credit investigation malicious behaviors from historical network malicious behaviors of all domain names of the IP to be evaluated based on credit investigation items in a preset credit investigation table; and evaluating all credit investigation malicious behaviors according to a preset credit investigation evaluation rule to obtain a malicious level, and determining a credit investigation label corresponding to the malicious level.
Further, the verification subsystem 120 is further configured to: monitoring the IP to be evaluated, and acquiring and storing all identity authentication information of the IP to be evaluated; and when the monitoring time of the IP to be evaluated reaches a preset duration, making a user decision according to all the acquired identity authentication information, and determining the associated user of the IP to be evaluated.
In the security assessment system 100, the domain name server 110, the threat intelligence subsystem 140, the verification subsystem 120 and the credit investigation subsystem 130 cooperate so that the network security behavior of the assessed person (the malicious level corresponding to the historical network malicious behavior) is taken as a basis for consideration in the credit investigation assessment, which can greatly reduce the security risk that network attacks by the assessed person pose to the credit investigation assessment result. Meanwhile, using the network security behavior as a basis for credit investigation evaluation constrains network attackers to a certain extent and helps reduce network malicious behaviors (network attack events).
In one possible implementation, an embodiment of the present invention provides a security assessment method; referring to fig. 2, the method may include the following steps. In the present embodiment, the security assessment method is described, by way of example, as applied to the security assessment system 100 in fig. 1.
S11, when receiving a query request sent by any client, the domain name server determines all domain names corresponding to each IP to be evaluated in the query request, and acquires the historical network malicious behavior of each domain name.
S13, for each IP to be evaluated, the domain name server obtains the malicious level of the IP to be evaluated and the credit investigation label corresponding to the malicious level according to the historical network malicious behaviors of all domain names of the IP to be evaluated, adds the credit investigation label to the IP to be evaluated, and sends the IP to be evaluated to the verification subsystem.
S15, when receiving the IP to be evaluated sent by the domain name server, the verification subsystem processes the IP to be evaluated and determines the associated user of the IP to be evaluated.
S17, the verification subsystem adds the credit investigation label of the IP to be evaluated to the identity information of the associated user and then sends the identity information to the credit investigation subsystem.
S19, the credit investigation subsystem receives and stores the identity information and carries out credit investigation evaluation of the associated user according to the credit investigation label of the identity information.
Any client 150 (which may be the client 150 of a bank employee or the client 150 of a person undergoing credit investigation assessment) initiates a query request to the domain name server 110, wherein the query request may include one or more IPs to be assessed. After receiving the query request, the domain name server 110 determines all domain names corresponding to each to-be-evaluated IP in the query request from a mapping table of IPs and domain names. For each IP to be evaluated, the domain name server 110 may send an intelligence query request for all domain names of the IP to be evaluated to the threat intelligence subsystem 140.
After receiving the intelligence query request, the threat intelligence subsystem 140 extracts the historical network malicious behaviors of all domain names in the query request from all stored historical network malicious behaviors, and packages and sends the historical network malicious behaviors to the domain name server 110.
After receiving the historical network malicious behaviors of all domain names of the to-be-evaluated IP returned by the threat intelligence subsystem 140, the domain name server 110 analyzes the historical network malicious behaviors of the to-be-evaluated IP according to a certain evaluation rule for each to-be-evaluated IP to obtain the malicious level of the to-be-evaluated IP and the credit investigation label corresponding to the malicious level. Further, the credit investigation tag is added to the IP to be evaluated and then sent to the verification subsystem 120.
After receiving the IP to be evaluated, the verification subsystem 120 processes the IP to be evaluated to determine a user associated with the IP to be evaluated, adds a credit investigation tag of the IP to be evaluated to the identity information of the associated user, and then sends the identity information to the credit investigation subsystem 130.
The credit investigation subsystem 130 receives and stores the identity information, and further can perform credit investigation evaluation on the associated user according to the credit investigation tag of the identity information in combination with other credit investigation information (e.g., fund flow, historical credit information, etc.).
Compared with the traditional credit investigation security evaluation method, the security evaluation method provided by the embodiment of the invention takes the network security behavior of the evaluated person (the malicious level corresponding to the historical network malicious behavior) as a basis for consideration in credit investigation evaluation, and can greatly reduce the security risk that network attacks by the evaluated person pose to the credit investigation evaluation result. Meanwhile, using the network security behavior as a basis for credit investigation evaluation constrains network attackers to a certain extent and helps reduce network malicious behaviors (network attack events).
In one possible implementation, when receiving the identity information, the credit investigation subsystem 130 may update or record the credit investigation level of the credit investigation user corresponding to the identity information according to the credit investigation tag of the identity information.
Further, in order to facilitate fast acquisition of historical network malicious behaviors of each domain name of an IP to be evaluated, a threat intelligence subsystem 140 for monitoring network behaviors of the clients 150 is introduced into the security evaluation system 100. Specifically, referring to fig. 3, the security assessment method provided in the embodiment of the present invention further includes the following steps.
S10, the threat intelligence subsystem monitors the network behaviors of the clients, determines attack behaviors from the network behaviors of the clients based on a preset attack behavior detection rule, and stores the attack behaviors and their attack data as historical network malicious behaviors.
All historical network malicious activities may be stored in a mapping relationship with the corresponding domain name in the threat intelligence repository of the security server 141 of the threat intelligence subsystem 140.
Network malicious behaviors (attacks) include, but are not limited to: phishing behavior, malicious scanning behavior, exploit history, and the like.
The preset attack behavior detection rules include all network attack detection rules, and the network attack detection rules are mature at present, so detailed description is not given in this embodiment.
In other embodiments, threat intelligence subsystem 140 may receive cyber attack information sent by any detection device or detection server and store the cyber attack information in a threat intelligence repository. For example, any organization, industry, or company security detection device may send detected cyber attack information to threat intelligence subsystem 140 for storage in a threat intelligence repository.
On the basis of the above, referring to fig. 4, the manner of acquiring the historical network malicious behavior of each domain name in step S11 may be further implemented as the following steps.
S111, the domain name server puts all domain names of the IP to be evaluated into an intelligence query request and sends the intelligence query request to the threat intelligence subsystem.
S112, when receiving the intelligence query request, the threat intelligence subsystem queries the historical network malicious behaviors corresponding to each domain name from the threat intelligence library, and packages and returns the historical malicious behaviors corresponding to all the domain names to the domain name server.
Through the steps S10 and S111-S112, the attack behavior in the network behavior of each client 150 can be quickly detected, so that all historical network malicious behaviors of each IP to be evaluated can be conveniently determined.
The manner of obtaining the malicious level of the IP to be evaluated and the credit investigation label corresponding to the malicious level can be flexibly selected, for example, the evaluation can be performed by using a neural network, or the evaluation can be performed according to any preset rule.
In order to quickly obtain the malicious level and credit investigation label of the IP to be evaluated, in one possible implementation the domain name server 110 may store a credit investigation table in advance, where a plurality of credit investigation items are recorded in the credit investigation table, and each credit investigation item represents a network attack behavior to be considered in credit investigation. Referring to fig. 5, the above step S13 may be further implemented as the following steps.
S131, determining all credit investigation malicious behaviors from the historical network malicious behaviors of all domain names of the IP to be evaluated based on the credit investigation items in the preset credit investigation table.
S132, evaluating all credit investigation malicious behaviors according to a preset credit investigation evaluation rule to obtain a malicious level, and determining a credit investigation label corresponding to the malicious level.
If one historical network malicious behavior of the IP to be evaluated is matched with any credit investigation item in the credit investigation table, the historical network malicious behavior is the credit investigation malicious behavior, and accordingly all the credit investigation malicious behaviors are determined. And then, according to a preset credit investigation evaluation rule, evaluating to obtain a malicious level.
It should be noted that the credit assessment rule may be adjusted according to actual situations, for example, the malicious level may be determined by the number of attacks, the malicious level may be determined by an attack object, the malicious level may be determined by a loss caused by an attack action, or the malicious level may be determined by combining a plurality of considerations, which is not specifically limited in this embodiment.
After the domain name server 110 obtains the malicious level of the IP to be evaluated, the credit investigation label corresponding to the malicious level can be used as the credit investigation label of the IP to be evaluated.
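The following Python sketch illustrates steps S131 and S132. It is an added example, not code from the patent: the credit investigation items, the attack-object weights, the score thresholds and the label names are all constructed assumptions, since the embodiment leaves the evaluation rule open. It combines two of the considerations mentioned above, the number of attacks and the attack object.

```python
from dataclasses import dataclass

# Constructed credit investigation table: behaviour categories that count
# toward credit investigation (the patent does not list concrete items).
CREDIT_ITEMS = frozenset({"phishing", "ddos", "malware_distribution"})

# Constructed weights for the attack object (target) of a behaviour.
TARGET_WEIGHT = {"financial": 3, "government": 3}
DEFAULT_TARGET_WEIGHT = 1

# Constructed evaluation rule: (minimum score, malicious level, label),
# ordered from most to least severe.
LEVEL_RULES = ((10, 3, "high-risk"), (4, 2, "medium-risk"), (1, 1, "low-risk"))
NO_RECORD = (0, "no-record")  # assumed outcome when nothing matches the table


@dataclass(frozen=True)
class Behavior:
    category: str  # kind of malicious behaviour reported by threat intelligence
    target: str    # attack object
    count: int     # number of recorded attacks


def select_credit_behaviors(history_by_domain, credit_items=CREDIT_ITEMS):
    """S131: flatten the per-domain history of one IP and keep only the
    behaviours that match an item in the credit investigation table."""
    matched = []
    for domain, behaviors in sorted(history_by_domain.items()):
        for b in behaviors:
            if b.category.strip().lower() in credit_items:
                matched.append((domain, b))
    return matched


def evaluate_ip(history_by_domain):
    """S132: score the matched behaviours, then map the score to a
    malicious level and its credit investigation label."""
    matched = select_credit_behaviors(history_by_domain)
    score = sum(
        b.count * TARGET_WEIGHT.get(b.target, DEFAULT_TARGET_WEIGHT)
        for _, b in matched
    )
    level, label = NO_RECORD
    for minimum, rule_level, rule_label in LEVEL_RULES:
        if score >= minimum:
            level, label = rule_level, rule_label
            break
    return {"level": level, "label": label, "score": score, "matched": matched}


# Constructed sample: history returned for the two domains of one IP.
SAMPLE_HISTORY = {
    "shop.example": [
        Behavior("phishing", "financial", 2),
        Behavior("port_scan", "other", 50),  # not a credit investigation item
    ],
    "mail.example": [Behavior("ddos", "other", 1)],
}

if __name__ == "__main__":
    print(evaluate_ip(SAMPLE_HISTORY))
```

Behaviours outside the table, such as the constructed port scan entry, never influence the level, however many times they were recorded.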
The method for determining the associated user of the IP to be evaluated may be flexibly selected, for example, the associated user may be determined in an IP-subscriber matching manner, or the associated user may be determined by monitoring the IP to be evaluated, which is not specifically limited in this embodiment.
To improve the accuracy of associating users, in one possible implementation, referring to fig. 6, the verification subsystem 120 may further implement step S15 as the following step.
S151, monitoring the IP to be evaluated, and acquiring and storing all identity authentication information of the IP to be evaluated.
S152, when the monitoring time of the IP to be evaluated reaches the preset time length, making a user decision according to all the acquired identity authentication information, and determining the associated user of the IP to be evaluated.
After passing authentication (that is, after obtaining from the relevant department the authority to monitor the IP to be evaluated), the verification subsystem 120 may monitor the internet access behavior of the IP to be evaluated and extract the identity authentication information produced when the user logs in to a website or APP, such as face recognition, fingerprint recognition, pupil comparison, and short message verification.
When the monitoring duration reaches the preset duration, each piece of identity authentication information acquired within the monitoring duration is identified, and the user corresponding to that identity authentication information is determined. For example, if the identity authentication information is a fingerprint, the user corresponding to the fingerprint is obtained, and if it is a face, the user corresponding to the face is obtained.
In one possible embodiment, the verification subsystem 120 may communicate with an authority server (the authority server is an authenticated qualified server) storing the user information, send the feature information (for example, any one or more of the information such as name, mobile phone number, and identification number) in each identity authentication information to the authority server, and the authority server obtains the corresponding user according to the feature information and sends the user to the verification subsystem 120.
In a possible implementation manner, referring to fig. 7, in step S152, a user decision is made according to all the obtained authentication information, and a manner of determining an associated user of the IP to be evaluated may be further implemented as the following steps.
S152A, determining an authentication user and authentication time corresponding to each piece of identity authentication information.
S152B, determining the associated user of the IP to be evaluated according to all the authentication users and the authentication times based on a preset decision rule.
For example, each authentication user is assigned a weight according to the corresponding authentication time, and the authentication user with the highest weighted score among all authentication users is then determined to be the associated user.
The steps S152A-S152B can quickly and accurately determine the associated users of the IP to be evaluated.
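One possible decision rule for steps S152A and S152B, as an added example that is not part of the patent: each authentication contributes a weight that halves every `half_life_hours` of age, and the user with the highest total is chosen. The half-life weighting, the function name and the choice to return no user on a tie (for instance on a shared address) are assumptions; the sample events are constructed.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta


def decide_associated_user(auth_events, window_end, half_life_hours=24.0):
    """S152A/S152B with an assumed recency-weighted rule.

    auth_events: iterable of (authenticated_user, authentication_time).
    Returns (associated_user_or_None, scores_by_user).
    """
    scores = defaultdict(float)
    for user, auth_time in auth_events:
        age_hours = (window_end - auth_time).total_seconds() / 3600.0
        if age_hours < 0:
            continue  # authentication recorded after the monitoring window
        # Assumed weight: 1.0 at window end, halving every half-life.
        scores[user] += 0.5 ** (age_hours / half_life_hours)

    if not scores:
        return None, {}

    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    # Assumption: if the top two users are indistinguishable, do not
    # attribute the IP to either of them.
    if len(ranked) > 1 and math.isclose(ranked[0][1], ranked[1][1]):
        return None, dict(scores)
    return ranked[0][0], dict(scores)


# Constructed sample: authentications observed on one IP during monitoring.
WINDOW_END = datetime(2022, 12, 5, 0, 0, 0)
SAMPLE_EVENTS = [
    ("user-a", WINDOW_END),                        # weight 1.0
    ("user-a", WINDOW_END - timedelta(hours=24)),  # weight 0.5
    ("user-b", WINDOW_END - timedelta(hours=48)),  # weight 0.25
    ("user-b", WINDOW_END - timedelta(hours=48)),  # weight 0.25
    ("user-b", WINDOW_END - timedelta(hours=72)),  # weight 0.125
]

if __name__ == "__main__":
    print(decide_associated_user(SAMPLE_EVENTS, WINDOW_END))
```

In the sample, user-b authenticated more often but longer ago, so the more recent user-a receives the higher score.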
The network security attack behavior of each associated user of the IP to be evaluated changes dynamically over time. In a possible implementation manner, in order to evaluate the network credit of the associated user with respect to network security attacks more accurately, cyclic monitoring is introduced in the security assessment method provided by the embodiment of the present invention.
Specifically, after the verification subsystem 120 determines the associated user of the IP to be evaluated, the verification subsystem 120 may generate a cyclic monitoring instruction (the cyclic monitoring instruction may include the IP to be evaluated and/or the associated user), and send the cyclic monitoring instruction to the domain name server 110 and the verification subsystem 120.
After receiving the cyclic monitoring instruction, the verification subsystem 120 monitors the to-be-evaluated IP for a long time, acquires and stores all the identity authentication information of the to-be-evaluated IP, and further performs user decision making according to all the identity authentication information of the to-be-evaluated IP acquired in the monitoring period when the monitoring time reaches a preset time length, so as to determine a related user of the to-be-evaluated IP. And when the newly determined associated user is inconsistent with the original associated user, updating the associated user of the IP to be evaluated.
After receiving the cyclic monitoring instruction, the domain name server 110 interacts with the threat intelligence subsystem 140 based on the to-be-evaluated IP to periodically obtain the historical network malicious behaviors of all domain names of the to-be-evaluated IP from the threat intelligence subsystem 140, further determines the credit investigation label of the to-be-evaluated IP according to the historical network malicious behaviors, updates the credit investigation label on the to-be-evaluated IP, and then sends the to-be-evaluated IP to the verification subsystem 120. The verification subsystem 120 determines the associated user of the IP to be evaluated by the method of steps S151 to S152, adds the credit investigation label of the IP to be evaluated to the associated user, and then sends it to the credit investigation subsystem 130.
According to the safety evaluation method provided by the embodiment of the invention, the credit investigation label related to the malicious attack behavior is obtained by evaluating the historical network malicious behavior of the IP to be evaluated, and the IP to be evaluated is monitored for a long time to determine the associated user of the IP to be evaluated, so that the credit investigation label is added to the identity information of the associated user and then is sent to the credit investigation subsystem, the malicious behavior is considered by the credit investigation subsystem when the credit investigation evaluation is carried out, information identity verification and automatic batch monitoring are realized, the credit investigation problem in network safety can be combined with the actual identity credit investigation problem, the credit investigation grade of a trusted person can be more accurately evaluated, the financial risk is greatly reduced, and the financial risk guarantee is fundamentally and effectively relieved.
Meanwhile, the computer industry and the financial industry are combined, the behavior of network security is listed in credit investigation evaluation standards, so that the method is beneficial to restraining from the source and reducing the occurrence of network security events, the financial field has more comprehensive evaluation criteria for credit investigation, and the financial risk is reduced.
In one embodiment, an electronic device 160 is provided, and the electronic device 160 may be a server, and the internal structure thereof may be as shown in fig. 8. The electronic device 160 includes a processor, memory, a communication interface, a display screen, and an input device connected by a system bus. The processor of the electronic device 160 is configured to provide computing and control capabilities. The memory of the electronic device 160 includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage medium. The communication interface of the electronic device 160 is used for performing wired or wireless communication with an external terminal, and the wireless communication may be implemented through WIFI, an operator network, Near Field Communication (NFC), or other technologies. The computer program is executed by a processor to implement a security assessment method.
The configuration shown in fig. 8 is a block diagram of only a portion of the configuration associated with the inventive arrangements, and does not constitute a limitation on the electronic device 160 to which the inventive arrangements are applied, and a particular electronic device 160 may include more or fewer components than those shown in fig. 8, or may combine certain components, or have a different arrangement of components.
In one embodiment, steps S11-S19 and their sub-steps provided by the present invention may be implemented in the form of a computer program that is executable on an electronic device 160 as shown in fig. 8.
For example, the electronic device 160 shown in FIG. 8 may perform steps S11-S13 and their sub-steps by a processor. The electronic device 160 may perform steps S15 and S17 and their sub-steps by a processor. The electronic device 160 may perform step S19 and its associated sub-steps by the processor. The electronic device 160 may perform step S10 by the processor.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative and, for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solution of the present invention or a part thereof which substantially contributes to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A security assessment method, applied to a security assessment system, wherein the security assessment system comprises a domain name server, a verification subsystem and a credit investigation subsystem, the credit investigation subsystem and the verification subsystem are both in communication connection with the domain name server, and the domain name server is in communication connection with a plurality of clients, the method comprising the following steps:
when the domain name server receives a query request sent by any client, determining all domain names corresponding to each IP to be evaluated in the query request, and acquiring historical network malicious behaviors of each domain name;
for each IP to be evaluated, the domain name server obtains the malicious level of the IP to be evaluated and a credit investigation label corresponding to the malicious level according to the historical network malicious behaviors of all domain names of the IP to be evaluated, adds the credit investigation label to the IP to be evaluated, and then sends the IP to be evaluated to the verification subsystem;
when receiving the IP to be evaluated sent by the domain name server, the verification subsystem processes the IP to be evaluated and determines the associated user of the IP to be evaluated;
and the verification subsystem adds the credit investigation label to the identity information of the associated user based on the credit investigation label of the IP to be evaluated and then sends the added credit investigation label to the credit investigation subsystem, so that the credit investigation subsystem carries out credit investigation evaluation on the associated user according to the credit investigation label of the IP to be evaluated.
2. The security assessment method according to claim 1, wherein the step of obtaining the malicious level of the IP to be assessed and the credit investigation label corresponding to the malicious level according to the historical network malicious behaviors of all domain names of the IP to be assessed comprises:
determining all credit investigation malicious behaviors from the historical network malicious behaviors of all domain names of the IP to be evaluated based on credit investigation items in a preset credit investigation table;
and evaluating all credit investigation malicious behaviors according to a preset credit investigation evaluation rule to obtain a malicious level, and determining a credit investigation label corresponding to the malicious level.
3. The security assessment method according to claim 1 or 2, wherein said domain name server is further in communication connection with a threat intelligence subsystem;
the step of obtaining the historical network malicious behavior of each domain name includes:
putting all domain names of the IP to be evaluated into an intelligence query request, and sending the intelligence query request to the threat intelligence subsystem;
and when receiving the intelligence query request, the threat intelligence subsystem queries the historical network malicious behaviors corresponding to each domain name from a threat intelligence library, and packs and returns the historical malicious behaviors corresponding to all the domain names to the domain name server.
4. The security assessment method according to claim 1, wherein the step of processing the IP to be assessed to determine the associated user of the IP to be assessed comprises:
monitoring the IP to be evaluated, and acquiring and storing all identity authentication information of the IP to be evaluated;
and when the monitoring time of the IP to be evaluated reaches a preset time length, carrying out user decision according to all the acquired identity authentication information, and determining the associated user of the IP to be evaluated.
5. The security assessment method of claim 4, wherein said method further comprises:
and the verification subsystem sends a cyclic monitoring instruction to the domain name server and the verification subsystem based on the IP to be evaluated and the associated user so as to periodically and cyclically update the malicious level of the IP to be evaluated, the credit investigation label corresponding to the malicious level, the associated user of the IP to be evaluated and the identity information of the associated user.
6. The security assessment method according to claim 4, wherein the step of making a user decision according to all the obtained identity authentication information and determining the associated user of the IP to be assessed comprises:
determining an authentication user and authentication time corresponding to each identity authentication information;
and determining the associated users of the IP to be evaluated according to all the authentication users and the authentication time based on a preset decision rule.
7. The security assessment method of claim 1, wherein said method further comprises:
and when the credit investigation subsystem receives the identity information, updating or recording the credit investigation grade of the credit investigation user corresponding to the identity information according to the credit investigation label of the identity information.
8. A security assessment system, characterized by comprising a domain name server, a verification subsystem and a credit investigation subsystem, wherein the credit investigation subsystem and the verification subsystem are in communication connection with the domain name server, and the domain name server is in communication connection with a plurality of clients;
the domain name server is used for determining all domain names corresponding to each IP to be evaluated in the query request and acquiring the historical network malicious behavior of each domain name when receiving the query request sent by any client;
the domain name server is further configured to obtain, for each to-be-evaluated IP, a malicious level of the to-be-evaluated IP and a credit investigation label corresponding to the malicious level according to historical network malicious behaviors of all domain names of the to-be-evaluated IP, add the credit investigation label to the to-be-evaluated IP, and send the to-be-evaluated IP to the verification subsystem;
the verification subsystem is used for processing the IP to be evaluated when receiving the IP to be evaluated sent by the domain name server, and determining a related user of the IP to be evaluated;
the verification subsystem is further configured to add the credit investigation label to the identity information of the associated user based on the credit investigation label of the to-be-evaluated IP, and then send the added credit investigation label to the credit investigation subsystem, so that the credit investigation subsystem performs credit investigation evaluation on the associated user according to the credit investigation label of the to-be-evaluated IP.
9. The security assessment system of claim 8, wherein the domain name server is further configured to:
determining all credit investigation malicious behaviors from the historical network malicious behaviors of all domain names of the IP to be evaluated based on credit investigation items in a preset credit investigation table;
and according to a preset credit investigation evaluation rule, evaluating all credit investigation malicious behaviors to obtain a malicious level, and determining a credit investigation label corresponding to the malicious level.
10. The security assessment system of claim 8, wherein said verification subsystem is further configured to:
monitoring the IP to be evaluated, and acquiring and storing all identity authentication information of the IP to be evaluated;
and when the monitoring time of the IP to be evaluated reaches a preset time length, carrying out user decision according to all the acquired identity authentication information, and determining the associated user of the IP to be evaluated.
CN202211548834.7A 2022-12-05 2022-12-05 Security assessment method and system Pending CN115907802A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211548834.7A CN115907802A (en) 2022-12-05 2022-12-05 Security assessment method and system

Publications (1)

Publication Number Publication Date
CN115907802A true CN115907802A (en) 2023-04-04

Family

ID=86487896

Country Status (1)

Country Link
CN (1) CN115907802A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination