CN116340414A - Knowledge graph-based attack surface visual modeling method and device - Google Patents


Info

Publication number: CN116340414A
Authority: CN (China)
Legal status: Pending
Application number: CN202310632307.2A
Other languages: Chinese (zh)
Inventors: 王淑娟, 沈传宝, 吴璇, 王超
Current assignee: Beijing Huayuan Information Technology Co Ltd
Original assignee: Beijing Huayuan Information Technology Co Ltd
Application filed by Beijing Huayuan Information Technology Co Ltd.

Classifications

    • G06F16/26 Visual data mining; Browsing structured data
    • G06F16/215 Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
    • G06F16/288 Entity relationship models
    • G06F16/367 Ontology
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • G06F16/9024 Graphs; Linked lists
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The embodiments of the disclosure provide a knowledge-graph-based attack surface visual modeling method and device, applied to the technical field of network security. The method comprises the following steps: acquiring attack surface data; performing cleaning, de-duplication, analysis and mapping operations on the attack surface data and storing it in a graph database; extracting structured information from the semi-structured and unstructured attack surface data in the graph database; performing entity linking and knowledge merging on the structured information; associating different entities to form a mesh-like association relationship; and visually displaying the association relationships of the entities. In this way, intricate and complex attack surface data can accurately, logically and visually show the association relationship of each entity through the knowledge graph, so that a security team can quickly locate and evaluate risks, converge the exposed surface and repair the weaknesses of the attack surface.

Description

Knowledge graph-based attack surface visual modeling method and device
Technical Field
The disclosure relates to the technical field of network security, in particular to an attack surface visual modeling method and device based on a knowledge graph.
Background
With the rapid development of information technology, industries of all kinds have entered the era of digital transformation. In recent years, with the rise of remote working, the attack surface of organizations has expanded rapidly, but enterprise security teams find it hard to keep pace with the rapid expansion and continuous change of the digital environment, and traditional management approaches cannot cover every asset blind spot. How to rapidly and accurately inventory organizational assets and map the attack surface, in the face of a complex asset environment and diverse threat alert information, is therefore one of the greatest challenges today.
In the prior art, external and internal attack surface assets and threat data of differing structures are managed in Excel spreadsheets and MySQL databases, which has the following main drawbacks:
(1) Blind spots are easily overlooked: manual methods cannot quickly count aging assets and shadow assets among the organization's assets, and these are often the assets most easily exploited by attackers.
(2) Accuracy is low, and manual methods struggle to quickly locate threats in complex asset environments.
(3) Threat assessment is difficult: faced with a large volume of threat alert information, manual handling by security personnel is impractical, and real attack events are often drowned out.
(4) Presentation is difficult: traditional approaches cannot visually inventory the organization's assets.
Disclosure of Invention
The disclosure provides a knowledge-graph-based attack surface visual modeling method and device.
According to a first aspect of the present disclosure, a knowledge-graph-based attack surface visual modeling method is provided. The method comprises the following steps:
acquiring attack surface data;
performing cleaning, de-duplication, analysis and mapping operations on the attack surface data, and storing the attack surface data in a graph database;
extracting structured information from the semi-structured and unstructured attack surface data in the graph database;
performing entity linking and knowledge merging on the structured information;
associating different entities to form a mesh-like association relationship;
and visually displaying the association relationships of the entities.
In some implementations of the first aspect, the attack surface data is divided into an internal attack surface and an external attack surface along the business-perspective dimension, and into an attack surface and an exposure surface along the data-type dimension.
In some implementations of the first aspect, acquiring attack surface data includes acquisition through data collection, acquisition through API integration, and acquisition through scanning tools.
In some implementations of the first aspect, cleaning, de-duplicating, analyzing and mapping the attack surface data includes:
cleaning, de-duplicating, analyzing and mapping the structured, semi-structured and unstructured data in the attack surface data.
In some implementations of the first aspect, extracting structured information from the semi-structured and unstructured attack surface data in the graph database includes entity extraction, relation extraction and attribute extraction;
specifically: entity extraction, which uses NLP techniques to automatically identify named entities from the text data sets of the semi-structured and unstructured data in the graph database;
relation extraction, which extracts association relations between entities from the related corpus of the text data set and connects the entities through these relations to form a mesh-like knowledge structure, thereby obtaining semantic information;
and attribute extraction, which acquires attribute information of the candidate entities from the different attack surface data in the graph database.
In some implementations of the first aspect, entity linking links the entity mention items obtained by entity extraction, and includes: judging whether entity items with the same name in the knowledge base represent different meanings, and whether other named entities in the knowledge base represent the same meaning as the extracted entity items; after the corresponding correct entity object in the knowledge base is confirmed, the extracted entity mention item is linked to the corresponding entity in the knowledge base.
In some implementations of the first aspect, knowledge merging is the field mapping and merging of structured data in the graph database.
In some implementations of the first aspect, associating different entities to form a mesh-like association relationship includes:
organizing the association relations of the attack surface data through knowledge-representation relation reasoning and deep-learning relation reasoning, and associating different entities to obtain a mesh-like association relationship.
According to a second aspect of the present disclosure, an attack surface visualization modeling apparatus based on a knowledge-graph is provided. The device comprises:
the attack surface data acquisition module is used for acquiring attack surface data;
the attack surface data processing and storing module is used for carrying out cleaning, deduplication, analysis and mapping operations on attack surface data and storing the attack surface data into the graph database;
the attack surface data knowledge extraction module is used for extracting structured information from the semi-structured and unstructured attack surface data in the graph database;
the attack surface knowledge fusion module is used for performing entity linking and knowledge merging on the structured information;
the attack surface knowledge reasoning module is used for associating different entities to form a mesh-like association relationship;
and the attack surface visual display module is used for visually displaying the association relationships of the entities.
According to a third aspect of the present disclosure, an electronic device is provided. The electronic device includes: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method as described above.
According to a fourth aspect of the present disclosure, there is provided a non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method as described above.
According to a fifth aspect of the present disclosure, the disclosed embodiments provide a computer program product comprising a computer program which, when executed by a processor, implements a method as described above.
In the method, attack surface data is first acquired; cleaning, de-duplication, analysis and mapping operations are then performed on it using the knowledge-graph method and it is stored in a graph database; structured information is then extracted from the semi-structured and unstructured attack surface data in the graph database; entity linking and knowledge merging are performed on the structured information; different entities are then associated to form a mesh-like association relationship; and finally the association relationships of the entities are visually displayed. Visual modeling of the attack surface lets complex attack surface data accurately, logically and visually show the association relationship of each entity, which makes it convenient for a security team to quickly locate and evaluate risks, converge the exposed surface and repair the weaknesses of the attack surface.
It should be understood that what is described in this summary is not intended to limit the critical or essential features of the embodiments of the disclosure nor to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of embodiments of the present disclosure will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. For a better understanding of the present disclosure, and without limiting the disclosure thereto, the same or similar reference numerals denote the same or similar elements, wherein:
fig. 1 shows a flowchart of an attack surface visual modeling method based on a knowledge graph according to an embodiment of the present disclosure;
fig. 2 shows a block diagram of an attack surface visual modeling apparatus based on a knowledge graph according to an embodiment of the present disclosure;
fig. 3 is a diagram illustrating a mesh association relationship of different entities provided by an embodiment of the present disclosure;
fig. 4 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are some embodiments of the present disclosure, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments in this disclosure without inventive faculty, are intended to be within the scope of this disclosure.
In addition, the term "and/or" herein merely describes an association relationship between associated objects and means that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. The character "/" herein generally indicates that the preceding and following associated objects are in an "or" relationship.
In view of the problems in the background art, the embodiments of the disclosure provide a knowledge-graph-based attack surface visual modeling method and device. Specifically, attack surface data is first acquired; cleaning, de-duplication, analysis and mapping operations are then performed on it using the knowledge-graph method and it is stored in a graph database; structured information is then extracted from the semi-structured and unstructured attack surface data in the graph database; entity linking and knowledge merging are performed on the structured information; different entities are then associated to form a mesh-like association relationship; and finally the association relationships of the entities are visually displayed. Visual modeling of the attack surface ensures that complex attack surface data accurately, logically and visually displays the association relationship of each entity, which makes it convenient for a security team to quickly locate and evaluate risks, converge the exposed surface and repair the weaknesses of the attack surface.
The knowledge-graph-based attack surface visual modeling method and device provided by the embodiments of the disclosure are described in detail below through specific embodiments with reference to the accompanying drawings.
Fig. 1 shows a flowchart of an attack surface visual modeling method based on a knowledge graph according to an embodiment of the disclosure, where the modeling method 100 includes the following steps:
S110, acquiring attack surface data.
In some embodiments, the attack surface data is divided into an internal attack surface and an external attack surface along the business-perspective dimension, and into an attack surface and an exposure surface along the data-type dimension, where the attack surface includes vulnerabilities, insecure configurations, high-risk ports and the like, and the exposure surface includes the web exposure surface, mobile application exposure surface, sensitive data exposure surface, IP exposure surface, domain name exposure surface, personnel and organization information, code files, supply chains, risk-level rules and the like.
In some embodiments, acquiring attack surface data includes acquisition through data collection, acquisition through API integration, and acquisition through scanning tools.
Specifically, data collection acquires the organization's bidding information, suppliers, partner units, news, the activity traces of organization personnel in social-media circles exposed on the Internet, and the organization's open-source information; API integration acquires content including the organization's domain names, IPs, mobile application registration information and the like; and acquisition through scanning tools acquires information such as IPs, domain names, vulnerabilities, insecure configurations and high-risk ports through detection by security engine tools such as asset discovery and vulnerability scanning.
S120, performing cleaning, de-duplication, analysis and mapping operations on the attack surface data, and storing the attack surface data in a graph database.
In some embodiments, the operations of cleaning, de-duplicating, analyzing and mapping the attack surface data include: cleaning, de-duplicating, analyzing and mapping the structured, semi-structured and unstructured data in the attack surface data.
S130, extracting structured information from the semi-structured and unstructured attack surface data in the graph database.
In some embodiments, extracting structured information from the semi-structured and unstructured attack surface data in the graph database includes entity extraction, relation extraction and attribute extraction;
specifically, entity extraction uses NLP techniques to automatically identify named entities from the text data sets of the semi-structured and unstructured data in the graph database, where the entities include: IP, domain name, sample, URL, mobile application, mailbox, SSL certificate, geographic location, vulnerability, port, host, person name, organization name, and the like;
relation extraction extracts association relations between entities from the related corpus of the text data set and connects the entities through these relations to form a mesh-like knowledge structure, thereby obtaining semantic information, for example: obtaining the association between a domain name and an IP from the domain name resolution relationship, obtaining the association between a vulnerability and a URL and between a vulnerability and an IP from the location where the vulnerability is exploitable, obtaining the association between an IP and a port from the ports open on the IP, obtaining the association between a domain name and an organization from whois registration information, and the like;
attribute extraction acquires attribute information of the candidate entities from the different attack surface data in the graph database, for example acquiring the type of an IP, acquiring the registration time and state of a domain name, and acquiring the vulnerability type, vulnerability grade, vulnerability source and the like of a vulnerability entity.
S140, performing entity linking and knowledge merging on the structured information.
In some embodiments, entity linking links the entity mention items obtained by entity extraction, and includes: judging whether entities with the same name and the entity items in the knowledge base represent different meanings, and whether other named entities in the knowledge base represent the same meaning as the entity items; after the corresponding correct entity object in the knowledge base is confirmed, the entity mention item is linked to the corresponding entity in the knowledge base. Knowledge merging performs field mapping and merging on the structured data in the graph database, such as the data of the IP library, domain name library, vulnerability library and the like.
By performing entity linking and knowledge merging on the structured information, the extracted, disordered structured information becomes hierarchical and logical.
S150, associating different entities to form a mesh-like association relationship.
In some embodiments, associating different entities to form a mesh-like association relationship includes: organizing the association relations of the attack surface data through knowledge-representation relation reasoning and deep-learning relation reasoning, and associating different entities to obtain a mesh-like association relationship.
S160, visually displaying the association relationships of the entities.
According to the embodiments of the disclosure, attack surface data is first acquired; cleaning, de-duplication, analysis and mapping operations are performed on it and it is stored in a graph database; structured information is then extracted from the semi-structured and unstructured attack surface data in the graph database; entity linking and knowledge merging are performed on the structured information; different entities are then associated to form a mesh-like association relationship; and finally the association relationships of the entities are visually displayed. In this way, complex attack surface data accurately, logically and visually displays the association relationship of each entity, so that a security team can quickly locate and evaluate risks, converge the exposed surface and repair the weaknesses of the attack surface.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present disclosure is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present disclosure. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all alternative embodiments, and that the acts and modules referred to are not necessarily required by the present disclosure.
The foregoing is a description of embodiments of the method, and the following further describes embodiments of the present disclosure through examples of apparatus.
Fig. 2 shows a block diagram of an attack surface visual modeling apparatus based on a knowledge graph according to an embodiment of the present disclosure. The apparatus 200 comprises:
the attack surface data acquisition module 210 is configured to acquire attack surface data.
The attack surface data processing and storing module 220 is configured to perform operations of cleaning, deduplication, analysis, and mapping on attack surface data, and store the attack surface data in the graph database.
The attack surface data knowledge extraction module 230 is configured to extract structured information from the semi-structured and unstructured attack surface data in the graph database.
The attack surface knowledge fusion module 240 is configured to perform entity linking and knowledge merging on the structured information.
The attack surface knowledge reasoning module 250 is configured to associate different entities to form a mesh-like association relationship.
The attack surface visual display module 260 is configured to visually display the association relationships of the entities.
In some embodiments, the attack surface data acquisition module 210 is specifically configured to:
acquire the attack surface data through three modes: data collection, API integration and scanning tools.
Specifically, data collection acquires the organization's bidding information, suppliers, partner units, news, the activity traces of organization personnel in social-media circles exposed on the Internet, and the organization's open-source information; API integration acquires content including the organization's domain names, IPs, mobile application registration information and the like; and acquisition through scanning tools acquires information such as IPs, domain names, vulnerabilities, insecure configurations and high-risk ports through detection by security engine tools such as asset discovery and vulnerability scanning.
In some embodiments, the attack surface data processing and storage module 220 is specifically configured to:
clean, de-duplicate, analyze and map the structured, semi-structured and unstructured data in the acquired attack surface data, and store the data in the graph database.
In some embodiments, the attack surface data knowledge extraction module 230 is specifically configured to:
extract structured information from the semi-structured and unstructured attack surface data in the graph database using entity extraction, relation extraction and attribute extraction.
Specifically, entity extraction uses NLP techniques to automatically identify named entities from the text data sets of the semi-structured and unstructured data in the graph database;
relation extraction extracts association relations between entities from the related corpus of the text data set and connects the entities through these relations to form a mesh-like knowledge structure, thereby obtaining semantic information;
and attribute extraction acquires attribute information of the candidate entities from the different attack surface data in the graph database.
In some embodiments, the attack surface knowledge fusion module 240 is specifically configured to:
perform entity linking and knowledge merging on the structured information, so that the extracted, disordered structured information becomes hierarchical and logical.
Specifically, entity linking links the entity mention items obtained by entity extraction, and includes: judging whether entities with the same name and the entity items in the knowledge base represent different meanings, and whether other named entities in the knowledge base represent the same meaning as the entity items; after the corresponding correct entity object in the knowledge base is confirmed, the entity mention item is linked to the corresponding entity in the knowledge base. Knowledge merging performs field mapping and merging on the structured data in the graph database, such as the data of the IP library, domain name library, vulnerability library and the like.
In some embodiments, the attack surface knowledge reasoning module 250 is specifically configured to:
organize the association relations of the attack surface data through knowledge-representation relation reasoning and deep-learning relation reasoning, and associate different entities to obtain a mesh-like association relationship.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the described modules may refer to corresponding procedures in the foregoing method embodiments, which are not described herein again.
Fig. 3 illustrates a block diagram of the mesh associations between different entities provided by an embodiment of the present disclosure.
In some embodiments, the mesh associations between different entities are as follows:
domain name-URL, domain name-operating system, domain name-geographical location, vulnerability-domain name, domain name-organization, domain name-sample, domain name-domain name, organization-host, organization-mailbox, IP-organization, organization-Zhang San, host-application, host-IP, host-vulnerability, mailbox-Zhang San, mailbox-server, IP-domain name, IP-IP, IP-vulnerability, IP-URL, IP-geographical location, IP-operating system, IP-port, IP-sample; where
IP-organization denotes the organization to which the IP belongs; IP-domain name denotes that the IP reverse-resolves to the domain name; IP-vulnerability denotes that the vulnerability exists on the IP; domain name-organization denotes the organization to which the domain name belongs; domain name-URL denotes the address of a fixed resource under the domain name; organization-Zhang San denotes that Zhang San is an employee of the organization; mailbox-Zhang San denotes that the mailbox belongs to Zhang San; vulnerability-domain name denotes that the vulnerability exists on the domain name. (Zhang San is a placeholder personal name standing for a person entity.)
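The mesh above and the knowledge-representation reasoning of module 250 can be exercised together on a small graph. The Python example below is added for illustration and is not the applicant's code: it stores the Fig. 3 pairs as typed triples, derives new edges with chain rules (IP reverse-resolves to a domain and the domain belongs to an organization, hence the IP belongs to that organization, and so on) until no new triple appears, and then walks the mesh from an organization to the vulnerabilities it reaches. The node names, predicate names, rules and facts are constructed; the deep-learning relation reasoning the passage also mentions is not demonstrated.

```python
"""Mesh association of attack-surface entities plus rule-based relation
reasoning. Added illustration, not code from CN116340414A; node names,
predicate names, rules and facts are constructed."""
from collections import defaultdict, deque

# Typed nodes are written "type:name". The pairs follow Fig. 3; the
# predicate names and the sample facts are assumptions.
FACTS = {
    ("host:web-01", "has_ip", "ip:192.0.2.10"),
    ("ip:192.0.2.10", "resolves_to", "domain:example.com"),
    ("domain:example.com", "belongs_to", "org:Example Corporation"),
    ("domain:example.com", "has_url", "url:https://example.com/login"),
    ("ip:192.0.2.10", "has_port", "port:192.0.2.10:443"),
    ("ip:192.0.2.10", "has_vuln", "vuln:VULN-0001"),            # constructed id
    ("org:Example Corporation", "employs", "person:Zhang San"),
    ("mailbox:zhangsan@example.com", "owned_by", "person:Zhang San"),
    ("ip:198.51.100.7", "has_vuln", "vuln:VULN-0002"),          # unconnected, constructed
}

# Chain rules  s -p-> x -q-> o  =>  s -r-> o.  An "inv:" predicate reads the
# edge against its direction, so person <-owned_by- mailbox can be chained.
RULES = [
    (("resolves_to", "belongs_to"), "belongs_to"),   # IP -> domain -> org
    (("has_ip", "belongs_to"), "belongs_to"),        # host -> IP -> org (needs the rule above first)
    (("has_ip", "has_vuln"), "has_vuln"),            # host -> IP -> vulnerability
    (("employs", "inv:owned_by"), "has_mailbox"),    # org -> person <- mailbox
]


def infer(facts, rules):
    """Forward-chain the rules to a fixpoint: keep deriving triples until a
    full pass over the current graph adds nothing new."""
    triples = set(facts)
    while True:
        succ = defaultdict(set)          # (node, predicate) -> neighbours
        for s, p, o in triples:
            succ[(s, p)].add(o)
            succ[(o, "inv:" + p)].add(s)
        derived = set()
        for (p, q), r in rules:
            for (s, pred), mids in list(succ.items()):
                if pred != p:
                    continue
                for x in mids:
                    for o in succ.get((x, q), ()):
                        if s != o:
                            derived.add((s, r, o))
        derived -= triples
        if not derived:
            return triples
        triples |= derived


def reach(triples, start, target_type, max_depth=4):
    """Breadth-first walk over the mesh, following edges in both directions;
    returns {target node: node path from start} for nodes of target_type."""
    adj = defaultdict(list)
    for s, _, o in triples:
        adj[s].append(o)
        adj[o].append(s)
    seen, found, queue = {start}, {}, deque([[start]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node != start and node.startswith(target_type + ":"):
            found[node] = path
        if len(path) - 1 >= max_depth:
            continue
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return found


def exposure(org, facts=FACTS, rules=RULES):
    """Vulnerabilities an organization reaches once the rules have been applied."""
    return reach(infer(facts, rules), org, "vuln")


if __name__ == "__main__":
    for vuln, path in exposure("org:Example Corporation").items():
        print(vuln, " <- ".join(reversed(path)))
```

The second rule only fires after the first has produced the IP-organization edge, which is why the derivation loops to a fixpoint rather than making one pass. The unconnected VULN-0002 is never reached, which is the property a visual model needs: an edge in the display must be traceable to facts or rules, not to proximity in the data.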
Fig. 4 shows a schematic block diagram of an electronic device 400 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
The electronic device 400 includes a computing unit 401 that can perform various suitable actions and processes according to a computer program stored in a ROM 402 or a computer program loaded from a storage unit 408 into a RAM 403. In the RAM 403, various programs and data required for the operation of the electronic device 400 may also be stored. The computing unit 401, ROM 402, and RAM 403 are connected to each other by a bus 404. An I/O interface 405 is also connected to bus 404.
Various components in electronic device 400 are connected to I/O interface 405, including: an input unit 406 such as a keyboard, a mouse, etc.; an output unit 407 such as various types of displays, speakers, and the like; a storage unit 408, such as a magnetic disk, optical disk, etc.; and a communication unit 409 such as a network card, modem, wireless communication transceiver, etc. The communication unit 409 allows the electronic device 400 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The computing unit 401 may be a variety of general purpose and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 401 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 401 performs the various methods and processes described above, such as method 100. For example, in some embodiments, the method 100 may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 408. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 400 via the ROM 402 and/or the communication unit 409. One or more of the steps of the method 100 described above may be performed when the computer program is loaded into RAM 403 and executed by the computing unit 401. Alternatively, in other embodiments, the computing unit 401 may be configured to perform the method 100 by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on Chip (SoCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It should be noted that the present disclosure further provides a non-transitory computer readable storage medium storing computer instructions, where the computer instructions are configured to cause a computer to perform the method 100 and achieve corresponding technical effects achieved by performing the method according to the embodiments of the present disclosure, which are not described herein for brevity.
In addition, the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the method 100.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: display means for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel, sequentially, or in a different order, provided that the desired results of the disclosed aspects are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (10)

1. A knowledge graph-based attack surface visual modeling method, characterized by comprising the following steps:
acquiring attack surface data;
performing cleaning, deduplication, parsing and mapping operations on the attack surface data, and storing the attack surface data in a graph database;
extracting structured information from the semi-structured and unstructured attack surface data in the graph database;
performing entity linking and knowledge merging on the structured information;
associating different entities to form a mesh association relation;
and visually displaying the association relations of the entities.
2. The method of claim 1, wherein the attack surface data is divided into an internal attack surface and an external attack surface in the business-perspective dimension, and into an attack surface and an exposure surface in the digital-type dimension.
3. The method of claim 1, wherein the acquiring of attack surface data comprises acquisition by data collection, acquisition through API interfacing, and acquisition by a scanning tool.
4. The method of claim 1, wherein the cleaning, deduplication, parsing and mapping operations on the attack surface data comprise: cleaning, deduplicating, parsing and mapping the structured, semi-structured and unstructured data in the attack surface data.
5. The method of claim 1, wherein the extracting of structured information from the semi-structured and unstructured attack surface data in the graph database comprises entity extraction, relation extraction and attribute extraction;
the entity extraction automatically identifies named entities from the text data set of the semi-structured and unstructured data in the graph database by NLP techniques;
the relation extraction extracts the association relations between entities from the corpus of the text data set, connects the entities through these relations to form a mesh knowledge structure, and obtains semantic information;
and the attribute extraction acquires attribute information of the entity concerned from the different attack surface data in the graph database.
6. The method according to claim 1, wherein the entity linking links the entity mentions extracted from the text to entities in the knowledge base, and comprises: judging whether an entity of the same name in the knowledge base denotes a different object from the entity mention and whether some other named entity in the knowledge base denotes the same object as the entity mention, and, after the correct entity object in the knowledge base has been confirmed, linking the entity mention to that entity;
and the knowledge merging performs field mapping and merging on the structured data in the graph database.
7. The method of claim 1, wherein the associating of different entities to form a mesh association relation comprises:
organizing the association relations of the attack surface data by knowledge-representation relation reasoning and deep-learning relation reasoning, and associating the different entities to obtain a mesh association relation.
8. A knowledge graph-based attack surface visual modeling device, characterized by comprising:
an attack surface data acquisition module, configured to acquire attack surface data;
an attack surface data processing and storage module, configured to perform cleaning, deduplication, parsing and mapping operations on the attack surface data and store it in a graph database;
an attack surface data knowledge extraction module, configured to extract structured information from the semi-structured and unstructured attack surface data in the graph database;
an attack surface knowledge fusion module, configured to perform entity linking and knowledge merging on the structured information;
an attack surface knowledge reasoning module, configured to associate different entities to form a mesh association relation;
and an attack surface visual display module, configured to visually display the association relations of the entities.
9. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-7.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1-7.
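Claims 1, 3, 4 and 5 describe the front half of the pipeline: acquire attack surface data from collection, an API and a scanning tool; clean, deduplicate, parse and map it; then extract entities, relations and attributes from semi-structured and unstructured data. The Python example below is added to this page to show those steps running end to end on constructed input; it is not the applicant's code. The scanner export, the API response and the free-text note are constructed (CVE-2021-44228 is a real, well-known identifier used only as sample text, and 192.0.2.0/24 is a documentation range), the field names are assumptions, and relation extraction is done with a sentence-level co-occurrence heuristic labelled with the Fig. 3 pair names, which stands in for the corpus-based NLP step the claim describes.

```python
"""Acquire -> clean/deduplicate/parse/map -> extract entities, relations and
attributes. Added illustration of claims 1 and 3-5 of CN116340414A, not the
applicant's code. Inputs are constructed; field names and the co-occurrence
heuristic are assumptions."""
import ipaddress
import re

# Constructed acquisition results. The duplicate, the stray whitespace and
# the invalid address are deliberate noise for the cleaning step.
SCAN_EXPORT = [
    {"ip": "192.0.2.10 ", "port": "443", "service": "HTTPS", "banner": "nginx"},
    {"ip": "192.0.2.10", "port": "443", "service": "https", "banner": "nginx"},  # duplicate
    {"ip": "192.0.2.999", "port": "22", "service": "ssh", "banner": ""},         # invalid IP
]
API_RESPONSE = [{"fqdn": "EXAMPLE.COM.", "a_record": "192.0.2.10", "org": "Example Corp."}]
NOTE = ("Host web-01 (192.0.2.10) serves example.com; security contact is "
        "zhangsan@example.com. The scanner flagged CVE-2021-44228 on 192.0.2.10.")

# Field mapping from each source onto the graph schema (assumed names).
FIELD_MAP = {
    "scanner": {"ip": "ip", "port": "port", "service": "service", "banner": "application"},
    "api":     {"fqdn": "domain", "a_record": "ip", "org": "organization"},
}
# Entity pairs from Fig. 3 used to label co-occurrence relations.
PAIR_RELATION = {("ip", "domain"): "IP-domain name",
                 ("ip", "vulnerability"): "IP-vulnerability",
                 ("domain", "vulnerability"): "vulnerability-domain name"}
# Patterns run on lower-cased text; mailbox first so its domain is consumed.
PATTERNS = {
    "mailbox": re.compile(r"[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "vulnerability": re.compile(r"\bcve-\d{4}-\d{4,}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}


def clean(source, record):
    """Cleaning, parsing and mapping of one record; None if it is unusable."""
    out = {}
    for k, v in record.items():
        v = v.strip() if isinstance(v, str) else v
        if v in ("", None):
            continue
        field = FIELD_MAP[source].get(k)
        if field is None:
            continue
        if field == "ip":
            try:
                v = str(ipaddress.ip_address(v))
            except ValueError:
                return None                     # unparseable address: drop the record
        elif field == "domain":
            v = v.lower().rstrip(".")
        elif field == "port":
            v = int(v)
        elif field in ("service", "organization"):
            v = v.lower()
        out[field] = v
    return out


def dedup(records):
    """Deduplicate cleaned records by their full field set."""
    seen, out = set(), []
    for r in records:
        key = tuple(sorted(r.items()))
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def extract_entities(text):
    """Entity extraction by pattern; a stand-in for the NLP named-entity step."""
    t, found = text.lower(), set()
    for etype, pat in PATTERNS.items():
        for m in pat.findall(t):
            if etype == "ip":
                try:
                    ipaddress.ip_address(m)
                except ValueError:
                    continue
            found.add((etype, m.upper() if etype == "vulnerability" else m))
        if etype == "mailbox":
            t = pat.sub(" ", t)   # keep the mailbox's domain from re-matching as a bare domain
    return found


def extract_relations(text):
    """Relation extraction: entities in one sentence are linked with the Fig. 3 pair name."""
    rels = set()
    for sentence in re.split(r"[.;]\s+", text):
        ents = extract_entities(sentence)
        for a in ents:
            for b in ents:
                label = PAIR_RELATION.get((a[0], b[0]))
                if label:
                    rels.add((a[1], label, b[1]))
    return rels


def run_pipeline():
    """Claims 1 and 3-5 end to end on the constructed inputs."""
    cleaned = [clean("scanner", r) for r in SCAN_EXPORT] + [clean("api", r) for r in API_RESPONSE]
    records = dedup([r for r in cleaned if r])
    entities, attributes = extract_entities(NOTE), {}
    for r in records:                         # semi-structured records
        for etype in ("ip", "domain", "organization"):
            if etype in r:
                entities.add((etype, r[etype]))
        if "ip" in r:                         # attribute extraction: other fields describe the IP
            extra = {k: v for k, v in r.items() if k not in ("ip", "domain", "organization")}
            attributes.setdefault(("ip", r["ip"]), {}).update(extra)
    return {"records": records, "entities": entities,
            "attributes": attributes, "relations": extract_relations(NOTE)}


if __name__ == "__main__":
    for k, v in run_pipeline().items():
        print(k, v)
```

The record with the invalid address is dropped at the cleaning step rather than stored, so it can never become a node; the two scanner rows that differ only in whitespace and case collapse to one record after parsing. Co-occurrence gives IP-domain name and IP-vulnerability edges here only because both entities sit in the same sentence; a real deployment would replace that heuristic with a trained extractor and keep the sentence as evidence for the edge.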

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310632307.2A CN116340414A (en) 2023-05-31 2023-05-31 Knowledge graph-based attack surface visual modeling method and device

Publications (1)

Publication Number Publication Date
CN116340414A true CN116340414A (en) 2023-06-27

Family

ID=86880829

Country Status (1)

Country Link
CN (1) CN116340414A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015170963A1 (en) * 2014-05-05 2015-11-12 Mimos Berhad System and method for automatically generating a knowledge base
CN109597855A (en) * 2018-11-29 2019-04-09 北京邮电大学 Domain knowledge map construction method and system based on big data driving
CN110008288A (en) * 2019-02-19 2019-07-12 武汉烽火技术服务有限公司 The construction method in the knowledge mapping library for Analysis of Network Malfunction and its application
CN110688456A (en) * 2019-09-25 2020-01-14 北京计算机技术及应用研究所 Vulnerability knowledge base construction method based on knowledge graph

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20230627