CN116366462A - Risk detection method, risk detection device, computer equipment and storage medium - Google Patents

Risk detection method, risk detection device, computer equipment and storage medium

Info

Publication number
CN116366462A
Authority
CN
China
Prior art keywords
data
detection
security policy
risk
preset
Prior art date
Legal status
Pending
Application number
CN202211619117.9A
Other languages
Chinese (zh)
Inventor
魏兴
旷亚和
王雪
王雪霏
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a risk detection method, a risk detection device, a computer device, a storage medium and a computer program product, and belongs to the technical field of information security. The method comprises the following steps: generating initial detection data containing test traffic data according to a preset detection data generation policy, and sending a detection instruction containing the initial detection data to a server; the detection instruction is used for instructing the server to send traffic data comprising the initial detection data to a mirroring device; the traffic data is used by the monitoring platform, which obtains mirrored data by mirroring the traffic data through the mirroring device and determines data to be screened corresponding to the mirrored data based on a preset processing policy; screening, in the data to be screened, target detection data corresponding to the test traffic data; determining a risk detection result according to the initial detection data and the target detection data; the risk detection result is used for representing the monitoring risk of the monitoring platform. The scheme makes it possible to evaluate the monitoring risk of the monitoring platform.

Description

Risk detection method, risk detection device, computer equipment and storage medium
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a risk detection method, apparatus, computer device, and storage medium.
Background
Currently, in order to monitor network traffic and capture attack events in time, a monitoring platform is used to monitor the network traffic of a server. Specifically, a mirroring device mirrors the network traffic of the server in real time to obtain mirrored network traffic and sends the mirrored network traffic to the monitoring platform. The mirrored network traffic can then trigger the security policies in the monitoring platform to generate alarm information, so that monitoring of the server is realized.
However, the monitoring platform cannot determine whether the mirroring device mirrors all of the network traffic, and also cannot know whether a security policy that has not been triggered in the monitoring platform was deployed successfully, or whether a security policy that was never deployed has been missed. Therefore, in the prior art, the monitoring risk of a monitoring platform that detects based on mirrored network traffic and security policies cannot be evaluated during the monitoring process.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a risk detection method, apparatus, computer device, computer readable storage medium, and computer program product capable of evaluating a monitoring risk of a monitoring platform.
In a first aspect, the present application provides a risk detection method. The method comprises the following steps:
generating initial detection data containing test traffic data according to a preset detection data generation policy, and sending a detection instruction containing the initial detection data to a server; the detection instruction is used for instructing the server to send traffic data comprising the initial detection data to a mirroring device; the traffic data is used by the monitoring platform, which obtains mirrored data by mirroring the traffic data through the mirroring device and determines data to be screened corresponding to the mirrored data based on a preset processing policy;
screening, in the data to be screened, target detection data corresponding to the test traffic data;
determining a risk detection result according to the initial detection data and the target detection data; the risk detection result is used for representing the monitoring risk of the monitoring platform.
In one embodiment, the test traffic data comprises a marker character; generating the initial detection data containing the test traffic data according to the preset detection data generation policy, and sending the detection instruction containing the initial detection data to the server, comprises the following step:
generating initial detection data containing the marker character according to the marker character, and sending a detection instruction containing the initial detection data to the server corresponding to each first server address in a preset first server address set;
and screening, in the data to be screened, the target detection data corresponding to the test traffic data comprises the following step:
screening, from the data to be screened, the data to be screened that contains the marker character, to obtain the target detection data.
In one embodiment, determining the risk detection result according to the initial detection data and the target detection data comprises:
searching, according to the source server address corresponding to the target detection data, among the first server addresses corresponding to the initial detection data, to obtain the deployed server addresses;
identifying each first server address other than the deployed server addresses as a missing server address, and generating the risk detection result based on the missing server addresses.
In one embodiment, the test traffic data comprises preset security policy trigger data; generating the initial detection data containing the test traffic data according to the preset detection data generation policy, and sending the detection instruction containing the initial detection data to the server, comprises the following step:
generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, and sending a detection instruction containing the preset security policy trigger data to the server corresponding to each second server address in a preset second server address set; the preset security policy trigger data is used for triggering the security policies in the monitoring platform so that data to be screened including security policy response data is generated;
and screening, in the data to be screened, the target detection data corresponding to the test traffic data comprises the following step:
screening, in the data to be screened, the security policy response data corresponding to the preset security policy trigger data, to obtain the target detection data.
In one embodiment, determining the risk detection result according to the initial detection data and the target detection data comprises:
searching, according to a target security trigger identifier contained in the target detection data, among the preset security policy trigger data contained in the initial detection data, to obtain the triggered security policy trigger data;
identifying the preset security policy trigger data other than the triggered security policy trigger data as non-triggered security policy trigger data;
and identifying the security policy category corresponding to the non-triggered security policy trigger data as a trigger failure policy category, and generating the risk detection result based on the trigger failure policy category.
In one embodiment, the traffic data further comprises service data, and the risk detection method further comprises:
taking the data to be screened other than the target detection data as reference data;
determining, based on the reference data, the security policy trigger data corresponding to the reference data, to obtain reference trigger data;
determining new preset security policy trigger data based on the reference trigger data and the preset security policy trigger data;
and, when the trigger condition for the next risk detection is reached, returning to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data.
In one embodiment, returning, when the trigger condition for the next risk detection is reached, to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data comprises:
returning, when the next risk detection initiation time is reached, to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data; or,
returning, when the next risk detection period is reached, to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data.
In one embodiment, if no target detection data corresponding to the test traffic data is screened from the data to be screened, the risk detection method further comprises:
if the test traffic data comprises a test identifier, identifying each first server address corresponding to the initial detection data as a missing server address, and generating the risk detection result based on the missing server addresses;
and if the test traffic data comprises preset security policy trigger data, identifying the set of security policy categories corresponding to the set of preset security policy trigger data as a set of trigger failure policy categories, and generating the risk detection result based on the set of trigger failure policy categories.
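The screening and result-determination steps of the first aspect, worked through in Python as an added example: the marker embodiment (deployed versus missing server addresses), the security-policy-trigger embodiment (triggered versus non-triggered trigger data and the resulting trigger-failure categories), the reference-data update for the next round, and the fallback case where no target detection data is screened at all. This is not code from the patent or from ICBC. The record field names (kind, src, payload, trigger_id, category), the marker value, the addresses and the trigger identifiers are constructed assumptions, as is forming the new preset trigger data by set union of the preset and reference trigger data.

```python
"""Risk-result logic of the first aspect, worked over constructed records.

Added example, not the patent's or ICBC's code. Record field names (kind, src,
payload, trigger_id, category), addresses, marker and trigger ids are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InitialDetectionData:
    """What the monitoring risk assessment terminal sent out."""
    marker: str                         # marker character carried by the ICMP probe
    first_server_addresses: frozenset   # servers instructed to send the marker probe
    policy_triggers: dict               # preset trigger identifier -> security policy category
    second_server_addresses: frozenset  # servers instructed to send the policy-trigger requests


@dataclass(frozen=True)
class RiskDetectionResult:
    deployed_server_addresses: frozenset
    missing_server_addresses: frozenset
    triggered_ids: frozenset
    trigger_failure_categories: frozenset


def screen_marker_data(to_be_screened, marker):
    """Marker embodiment: target detection data = mirrored records carrying the marker."""
    return [r for r in to_be_screened
            if r["kind"] == "mirror" and marker in r.get("payload", "")]


def screen_policy_responses(to_be_screened, policy_triggers):
    """Policy embodiment: target detection data = responses whose trigger id was one we sent."""
    return [r for r in to_be_screened
            if r["kind"] == "policy_response" and r.get("trigger_id") in policy_triggers]


def determine_risk(initial, to_be_screened):
    """Missing server addresses and trigger-failure policy categories.

    If no target detection data was screened at all, every first server address comes out
    missing and every policy category comes out failed, which is the method's fallback case."""
    marker_hits = screen_marker_data(to_be_screened, initial.marker)
    # look up each hit's source address among the first server addresses -> deployed
    deployed = frozenset(r["src"] for r in marker_hits) & initial.first_server_addresses
    missing = initial.first_server_addresses - deployed

    responses = screen_policy_responses(to_be_screened, initial.policy_triggers)
    triggered = frozenset(r["trigger_id"] for r in responses)
    non_triggered = frozenset(initial.policy_triggers) - triggered
    failed = frozenset(initial.policy_triggers[t] for t in non_triggered)
    return RiskDetectionResult(deployed, missing, triggered, failed)


def next_round_triggers(initial, to_be_screened):
    """Reference data = data to be screened minus the target detection data. Policy responses
    found there were raised by real service traffic; their trigger ids are merged (assumption:
    set union) into the preset trigger data used by the next detection round."""
    targets = (screen_marker_data(to_be_screened, initial.marker)
               + screen_policy_responses(to_be_screened, initial.policy_triggers))
    reference = [r for r in to_be_screened if r not in targets]
    reference_triggers = {r["trigger_id"]: r["category"] for r in reference
                          if r["kind"] == "policy_response"
                          and "trigger_id" in r and "category" in r}
    return {**initial.policy_triggers, **reference_triggers}


# Constructed sample: what the terminal sent and what the platform handed back.
INITIAL = InitialDetectionData(
    marker="MON-RISK-PROBE-7f3a",
    first_server_addresses=frozenset({"10.0.1.11", "10.0.1.12", "10.0.1.13"}),
    policy_triggers={"SQLI-T01": "sql_injection", "XSS-T02": "xss", "PATH-T03": "path_traversal"},
    second_server_addresses=frozenset({"10.0.1.21", "10.0.1.22"}),
)

TO_BE_SCREENED = [
    {"kind": "mirror", "src": "10.0.1.11", "proto": "icmp", "payload": "MON-RISK-PROBE-7f3a"},
    {"kind": "mirror", "src": "10.0.1.12", "proto": "icmp", "payload": "MON-RISK-PROBE-7f3a"},
    {"kind": "mirror", "src": "10.0.1.13", "proto": "icmp", "payload": "plain echo"},  # probe lost
    {"kind": "mirror", "src": "10.0.2.7", "proto": "tcp", "payload": "GET /index.html"},  # service data
    {"kind": "policy_response", "src": "10.0.1.21", "trigger_id": "SQLI-T01", "category": "sql_injection"},
    {"kind": "policy_response", "src": "10.0.1.22", "trigger_id": "XSS-T02", "category": "xss"},
    # raised by real service traffic, not by our probe: becomes reference trigger data
    {"kind": "policy_response", "src": "10.0.2.7", "trigger_id": "RCE-T09", "category": "remote_code_execution"},
]

if __name__ == "__main__":
    result = determine_risk(INITIAL, TO_BE_SCREENED)
    print("missing server addresses:", sorted(result.missing_server_addresses))
    print("trigger-failure categories:", sorted(result.trigger_failure_categories))
    print("next round trigger ids:", sorted(next_round_triggers(INITIAL, TO_BE_SCREENED)))
```

On the sample, 10.0.1.13 is reported as a missing server address because no mirrored copy of its probe reached the platform, and `path_traversal` is reported as a trigger-failure category because no response carried `PATH-T03`; the `RCE-T09` response raised by ordinary service traffic is reference trigger data and is carried into the next round's preset set.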
In a second aspect, the present application also provides a risk detection system. The risk detection system comprises a server, a mirroring device, a monitoring platform and a monitoring risk assessment terminal, wherein:
the monitoring risk assessment terminal is used for generating initial detection data containing test traffic data according to a preset detection data generation policy, and sending a detection instruction containing the initial detection data to the server;
the server is used for sending traffic data comprising the initial detection data to the mirroring device;
the mirroring device is used for mirroring the traffic data to obtain mirrored data, and sending the mirrored data to the monitoring platform;
the monitoring platform is used for determining data to be screened corresponding to the mirrored data based on a preset processing policy;
the monitoring risk assessment terminal is further used for screening, in the data to be screened, target detection data corresponding to the test traffic data, and determining a risk detection result according to the initial detection data and the target detection data; the risk detection result is used for representing the monitoring risk of the monitoring platform.
In one embodiment, the test traffic data comprises a marker character; the monitoring risk assessment terminal is specifically configured to:
generate initial detection data containing the marker character according to the marker character, and send a detection instruction containing the initial detection data to the server corresponding to each first server address in a preset first server address set;
and screen, from the data to be screened, the data to be screened that contains the marker character, to obtain the target detection data.
In one embodiment, the monitoring risk assessment terminal is specifically configured to:
search, according to the source server address corresponding to the target detection data, among the first server addresses corresponding to the initial detection data, to obtain the deployed server addresses;
identify each first server address other than the deployed server addresses as a missing server address, and generate the risk detection result based on the missing server addresses.
In one embodiment, the monitoring risk assessment terminal is specifically configured to:
generate initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, and send a detection instruction containing the preset security policy trigger data to the server corresponding to each second server address in a preset second server address set; the preset security policy trigger data is used for triggering the security policies in the monitoring platform so that data to be screened including security policy response data is generated;
and screen, in the data to be screened, the security policy response data corresponding to the preset security policy trigger data, to obtain the target detection data.
In one embodiment, the monitoring risk assessment terminal is specifically configured to:
search, according to a target security trigger identifier contained in the target detection data, among the preset security policy trigger data contained in the initial detection data, to obtain the triggered security policy trigger data;
identify the preset security policy trigger data other than the triggered security policy trigger data as non-triggered security policy trigger data;
and identify the security policy category corresponding to the non-triggered security policy trigger data as a trigger failure policy category, and generate the risk detection result based on the trigger failure policy category.
In one embodiment, the traffic data further comprises service data, and the monitoring risk assessment terminal is further configured to:
take the data to be screened other than the target detection data as reference data;
determine, based on the reference data, the security policy trigger data corresponding to the reference data, to obtain reference trigger data;
determine new preset security policy trigger data based on the reference trigger data and the preset security policy trigger data;
and, when the trigger condition for the next risk detection is reached, return to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data.
In one embodiment, the monitoring risk assessment terminal is specifically configured to:
return, when the next risk detection initiation time is reached, to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data; or,
return, when the next risk detection period is reached, to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data.
In one embodiment, when no target detection data corresponding to the test traffic data is screened from the data to be screened, the monitoring risk assessment terminal is further configured to:
if the test traffic data comprises a test identifier, identify each first server address corresponding to the initial detection data as a missing server address, and generate the risk detection result based on the missing server addresses;
and if the test traffic data comprises preset security policy trigger data, identify the set of security policy categories corresponding to the set of preset security policy trigger data as a set of trigger failure policy categories, and generate the risk detection result based on the set of trigger failure policy categories.
In a third aspect, the present application further provides a risk detection apparatus. The apparatus comprises:
a generation module, used for generating initial detection data containing test traffic data according to a preset detection data generation policy and sending a detection instruction containing the initial detection data to the server, wherein the detection instruction is used for instructing the server to send traffic data containing the initial detection data to the mirroring device; the traffic data is used by the monitoring platform, which obtains mirrored data by mirroring the traffic data through the mirroring device and determines data to be screened corresponding to the mirrored data based on a preset processing policy;
a screening module, used for screening, in the data to be screened, target detection data corresponding to the test traffic data;
a first determining module, used for determining a risk detection result according to the initial detection data and the target detection data; the risk detection result is used for representing the monitoring risk of the monitoring platform.
In one embodiment, the test traffic data comprises a marker character; the generation module is specifically configured to:
generate initial detection data containing the marker character according to the marker character, and send a detection instruction containing the initial detection data to the server corresponding to each first server address in a preset first server address set;
and the screening module is specifically configured to:
screen, from the data to be screened, the data to be screened that contains the marker character, to obtain the target detection data.
In one embodiment, the first determining module is specifically configured to:
search, according to the source server address corresponding to the target detection data, among the first server addresses corresponding to the initial detection data, to obtain the deployed server addresses;
identify each first server address other than the deployed server addresses as a missing server address, and generate the risk detection result based on the missing server addresses.
In one embodiment, the test traffic data comprises preset security policy trigger data; the generation module is specifically configured to:
generate initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, and send a detection instruction containing the preset security policy trigger data to the server corresponding to each second server address in a preset second server address set; the preset security policy trigger data is used for triggering the security policies in the monitoring platform so that data to be screened including security policy response data is generated;
and the screening module is specifically configured to:
screen, in the data to be screened, the security policy response data corresponding to the preset security policy trigger data, to obtain the target detection data.
In one embodiment, the first determining module is specifically configured to:
search, according to a target security trigger identifier contained in the target detection data, among the preset security policy trigger data contained in the initial detection data, to obtain the triggered security policy trigger data;
identify the preset security policy trigger data other than the triggered security policy trigger data as non-triggered security policy trigger data;
and identify the security policy category corresponding to the non-triggered security policy trigger data as a trigger failure policy category, and generate the risk detection result based on the trigger failure policy category.
In one embodiment, the traffic data further comprises service data, and the risk detection apparatus further comprises:
a second determining module, used for taking the data to be screened other than the target detection data as reference data;
a third determining module, used for determining, based on the reference data, the security policy trigger data corresponding to the reference data, to obtain reference trigger data;
a fourth determining module, used for determining new preset security policy trigger data based on the reference trigger data and the preset security policy trigger data;
and an updating module, used for returning, when the trigger condition for the next risk detection is reached, to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data.
In one embodiment, the updating module is specifically configured to:
return, when the next risk detection initiation time is reached, to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data; or,
return, when the next risk detection period is reached, to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data.
In one embodiment, if no target detection data corresponding to the test traffic data is screened from the data to be screened, the risk detection apparatus further comprises:
a first identification module, used for identifying, if the test traffic data comprises a test identifier, each first server address corresponding to the initial detection data as a missing server address, and generating the risk detection result based on the missing server addresses;
and a second identification module, used for identifying, if the test traffic data comprises preset security policy trigger data, the set of security policy categories corresponding to the set of preset security policy trigger data as a set of trigger failure policy categories, and generating the risk detection result based on the set of trigger failure policy categories.
In a fourth aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor which, when executing the computer program, implements the steps of the first aspect.
In a fifth aspect, the present application also provides a computer-readable storage medium. The computer-readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps described in the first aspect.
In a sixth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the steps described in the first aspect.
The risk detection method, apparatus, computer device, storage medium and computer program product described above generate initial detection data containing test traffic data according to a preset detection data generation policy and send a detection instruction containing the initial detection data to a server, where the detection instruction instructs the server to send traffic data containing the initial detection data to the mirroring device; the monitoring platform obtains mirrored data by mirroring the traffic data through the mirroring device and determines data to be screened corresponding to the mirrored data based on a preset processing policy; target detection data corresponding to the test traffic data is screened from the data to be screened; a risk detection result is determined according to the initial detection data and the target detection data; and the risk detection result represents the monitoring risk of the monitoring platform. In the above scheme, the target detection data can be obtained by screening based on the test traffic data, and the risk detection result is determined from the target detection data obtained from the monitoring platform and the detection data that was initially sent (i.e. the initial detection data), so that the monitoring risk of the monitoring platform in practical application can be evaluated.
Drawings
FIG. 1 is a diagram of an application environment of a risk detection method according to an embodiment;
FIG. 2 is a flow chart of a risk detection method according to an embodiment;
FIG. 3 is a schematic diagram of the format of an ICMP protocol message in one embodiment;
FIG. 4 is a flowchart illustrating a method for determining a risk detection result according to an embodiment;
FIG. 5 is a flowchart illustrating a method for determining a risk detection result according to another embodiment;
FIG. 6 is a block diagram of a risk detection system in one embodiment;
FIG. 7 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
The risk detection method provided by the embodiments of the present application can be applied to a server, and can also be applied to a system comprising a terminal and a server. The embodiments of the present application are illustrated by applying the method to a system (i.e. a risk detection system) comprising a terminal and a server, where the risk detection system includes a server 102, a mirroring device 104, a monitoring platform 106 and a monitoring risk assessment terminal 108, as shown in FIG. 1. The server 102 is electrically connected to the mirroring device 104, the mirroring device 104 is in communication connection with the monitoring platform 106, and the monitoring risk assessment terminal 108 is in communication connection with both the monitoring platform 106 and the server 102. The number of servers 102 is greater than or equal to 2. The mapping relationship between the mirroring device 104 and the servers 102 may be that one mirroring device 104 corresponds to a plurality of servers 102. The mirroring device 104 comprises a switch 112 in which a traffic probe 110 is deployed. There is at least one mirroring device 104, and the monitoring platform 106 monitors all of the mirroring devices 104; the number of mirroring devices 104 is a positive integer. In one embodiment, the monitoring risk assessment terminal 108 comprises a detection parameter configuration unit 114, a detection data sending unit 116, a monitoring risk assessment unit 118 and a risk detection result display unit 120. The detection parameter configuration unit 114 is configured to configure the detection parameters of the monitoring risk assessment terminal 108. The detection parameters comprise a target server address, an initial risk detection initiation time and a detection data generation policy.
The detection data sending unit 116 is configured to generate initial detection data according to the preset detection data generation policy and, at the corresponding initial risk detection initiation time, send a detection instruction containing the initial detection data to the corresponding target server address. The monitoring risk assessment unit 118 is configured to obtain the mirrored data in the monitoring platform 106, screen, from the mirrored data, the target detection data corresponding to the test traffic data based on the preset processing policy, and obtain the risk detection result based on the initial detection data and the target detection data. The risk detection result display unit 120 is configured to display the risk detection result.
The monitoring risk assessment terminal 108 generates initial detection data containing test traffic data according to a preset detection data generation policy and sends a detection instruction containing the initial detection data to the server 102. Optionally, the test traffic data may comprise a marker character, and may also comprise preset security policy trigger data. The detection instruction is configured to instruct the server 102 to send traffic data containing the initial detection data to the mirroring device 104. In one embodiment, the initial detection data is an ICMP (Internet Control Message Protocol) message containing a marker character. In another embodiment, the initial detection data is HTTP request data containing preset security policy trigger data. The server 102 sends the traffic data containing the initial detection data to the mirroring device 104. The mirroring device 104 mirrors the traffic data to obtain mirrored data and sends the mirrored data to the monitoring platform 106. Here, the traffic data is the data sent by the server 102 to the mirroring device 104; the initial detection data is traffic data containing test traffic data; and the mirrored data is the data obtained after mirroring the traffic data. That is, the mirrored data includes mirrored data containing the initial detection data, which is the data obtained by mirroring the initial detection data. It can be understood that, since one mirroring device 104 corresponds to a plurality of servers 102, the mirroring device 104 may receive traffic data sent by the plurality of servers 102 and mirror each item of traffic data to obtain a plurality of items of mirrored data. The monitoring platform 106 receives at least one item of mirrored data and, based on the preset processing policy and the mirrored data, determines the data to be screened corresponding to the mirrored data.
Optionally, the data to be screened may be the mirrored data itself, or may be security policy response data obtained based on the mirrored data. The security policy response data is the response data triggered by the security policy trigger data. The security policy trigger data contained in the mirrored data is obtained by mirroring the traffic data containing the security policy trigger data, and the security policy trigger data in the initial detection data is the preset security policy trigger data. In one embodiment, the initial detection data is an ICMP message containing a marker character; the monitoring platform 106 receives the mirrored data corresponding to the traffic data containing that ICMP message and takes the mirrored data as the data to be screened. In another embodiment, the initial detection data is HTTP request data containing preset security policy trigger data; the monitoring platform 106 receives the mirrored data corresponding to the traffic data containing that HTTP request data and generates security policy response data based on the security policy trigger data contained in the mirrored data. The security policy response data comprises the security policy response data corresponding to the preset security policy trigger data. The monitoring platform 106 takes the security policy response data as the data to be screened.
The monitoring risk assessment terminal 108 obtains the data to be screened from the monitoring platform 106 and screens the target detection data corresponding to the test traffic data. In one embodiment, the test traffic data comprises a marker character, and the target detection data corresponding to the test traffic data is the mirrored data containing the marker character. In another embodiment, the test traffic data comprises preset security policy trigger data, and the target detection data corresponding to the test traffic data comprises the security policy response data corresponding to the preset security policy trigger data. The monitoring risk assessment terminal 108 obtains the risk detection result based on the initial detection data and the target detection data. For the specific method of determining the risk detection result, refer to step 206, steps 402 to 404 and steps 502 to 504.
In one embodiment, as shown in fig. 2, a risk detection method is provided. The method is applied to the risk detection system of fig. 1 and includes the following steps:
Step 202: generate initial detection data containing test traffic data according to a preset detection data generation policy, and send a detection instruction containing the initial detection data to a server.
The detection instruction instructs the server to send traffic data containing the initial detection data to the mirroring device. The traffic data is mirrored by the mirroring device so that the monitoring platform obtains mirrored data and determines, based on a preset processing policy, the data to be screened corresponding to the mirrored data.
In this embodiment, the monitoring risk assessment terminal 108 generates the initial detection data containing the test traffic data according to the preset detection data generation policy. The detection data generation policy comprises the initial risk detection initiation time, the test traffic data, the target server address set and the data acquisition time to be screened. Optionally, there may be more than one initial risk detection initiation time. Optionally, the test traffic data may contain a marker character, or it may contain preset security policy trigger data. The target server address set contains at least one target server address, each of which is the address of a server that the monitoring platform 106 is supposed to monitor, such as the address of the server 102 in fig. 1. The target server address set corresponding to test traffic data containing the marker character is the first server address set; the target server address set corresponding to test traffic data containing preset security policy trigger data is the second server address set. The first server address set may or may not equal the second server address set. At the preset initial risk detection initiation time, the monitoring risk assessment terminal 108 sends the initial detection data to the server at each target server address in the target server address set. The server 102 sends the initial detection data on to the mirroring device 104, the mirroring device 104 mirrors it to obtain mirrored data, and the mirroring device 104 sends the mirrored data to the monitoring platform 106. The monitoring platform 106 obtains the data to be screened from the mirrored data.
Specifically, where the initial detection data contains a marker character, the data to be screened is the mirrored data; where the initial detection data contains preset security policy trigger data, the data to be screened is security policy response data. The security policy response data comprises the security policy trigger data and the type of security policy that the trigger data triggered.
Step 204: screen out, from the data to be screened, the target detection data corresponding to the test traffic data.
In this embodiment, the monitoring risk assessment terminal 108 retrieves the data to be screened from the monitoring platform 106 at a preset data acquisition time to be screened. That acquisition time is derived from the initial risk detection initiation time: it is the sum of the initial risk detection initiation time and a reserved data transmission time, the reserved data transmission time being a preset constant. Optionally, there may be one or more acquisition times, or an acquisition period, for the data to be screened. The monitoring risk assessment terminal 108 then screens out the target detection data corresponding to the test traffic data. Specifically, where the test traffic data contains a marker character, the target detection data is the data to be screened that contains the marker character (for ease of distinction, the marker character found in the target detection data is called the target marker character); the monitoring risk assessment terminal 108 screens the data to be screened by the marker character and keeps the items that contain it, obtaining the target detection data. Where the test traffic data contains preset security policy trigger data, the target detection data is the data to be screened that contains the preset security policy trigger data; the monitoring risk assessment terminal 108 screens the data to be screened by the preset security policy trigger data and keeps the items that contain it, obtaining the target detection data. There is at least one item of preset security policy trigger data, and each kind of preset security policy trigger data triggers one kind of security policy.
Where there are several items of preset security policy trigger data, the monitoring risk assessment terminal 108 screens the data to be screened against each of them in turn, keeping every item that contains one of the preset security policy trigger data, and so obtains the target detection data.
Step 206: determine the risk detection result according to the initial detection data and the target detection data.
The risk detection result represents the monitoring risk of the monitoring platform.
In this embodiment, for each item of target detection data, the monitoring risk assessment terminal 108 obtains a risk detection result based on the initial detection data, the target detection data and the detection policy that corresponds to the target detection data. Where the target detection data contains a target marker character, the corresponding detection policy is to search the first server address set for the source server address of the target detection data. Where the target detection data contains preset security policy trigger data (for ease of distinction, the preset security policy trigger data contained in the target detection data is called the target security trigger identifier), the corresponding detection policy is to search the preset security policy trigger data for the target security trigger identifier. The risk detection result is generated from the result of that search.
In this risk detection method, the target detection data is obtained by screening on the test traffic data, and the risk detection result is determined from the target detection data and the initial detection data. The initial detection data is what was originally sent, and the target detection data is what is later retrieved from the monitoring platform. A risk detection result determined from the data originally sent and the data later retrieved from the monitoring platform therefore reflects the monitoring risk of the monitoring platform in actual operation.
In one embodiment, the test traffic data contains a marker character. Generating the initial detection data containing the test traffic data according to the preset detection data generation policy and sending it to the server comprises:
generating initial detection data containing the marker character according to the marker character, and sending the initial detection data to the server corresponding to each first server address in a preset first server address set.
Screening out the target detection data corresponding to the test traffic data from the data to be screened comprises:
screening out, from the data to be screened, the items that contain the marker character, to obtain the target detection data.
In this embodiment, the monitoring risk assessment terminal 108 generates initial detection data containing the marker character according to the marker character. In one embodiment, the initial detection data is an ICMP (Internet Control Message Protocol) message. Specifically, as shown in fig. 3, the ICMP message consists of the Type, Code, Checksum, Identifier and Sequence Number fields followed by a Data field that carries the special marker character. The monitoring risk assessment terminal 108 places the preset marker character in the Data field of the ICMP message, producing an ICMP message that contains the marker character. Illustratively, the marker character may be 616161. The monitoring risk assessment terminal 108 sends the initial detection data containing the marker character to the server corresponding to each first server address in the preset first server address set, a first server address being the address of a server that the monitoring platform 106 is supposed to monitor. Optionally, the first server address set may contain the addresses of all the servers the monitoring platform 106 is supposed to monitor, or only some of them. The monitoring risk assessment terminal 108 then screens the data to be screened by the marker character and keeps the items that contain it, obtaining the target detection data. In one embodiment the data to be screened is the mirrored data; specifically, the monitoring risk assessment terminal 108 screens the mirrored data by the marker character and keeps the mirrored data that contains it, obtaining the target detection data.
In this embodiment, initial detection data containing the marker character is generated from the marker character and sent to the servers at the first server addresses, and the target detection data is obtained by screening on the marker character. The target detection data can therefore be screened out of the data to be screened quickly, which improves monitoring efficiency, and at the same time the risk that the monitoring platform 106 is failing to monitor a given server can be assessed accurately.
In one embodiment, as shown in fig. 4, determining the risk detection result from the initial detection data and the target detection data comprises:
Step 402: search the first server addresses corresponding to the initial detection data for the source server address corresponding to the target detection data, to obtain the deployed server addresses.
In this embodiment, for each item of target detection data, the monitoring risk assessment terminal 108 searches the first server addresses corresponding to the initial detection data for the source server address of that target detection data, obtaining the deployed server addresses. A deployed server address is thus a first server address that was found by searching on a source server address.
Step 404: identify the first server addresses other than the deployed server addresses as missing server addresses, and generate the risk detection result based on the missing server addresses.
In this embodiment, the monitoring risk assessment terminal 108 collects the deployed server addresses and identifies every first server address that is not a deployed server address as a missing server address; each first server address is therefore either a deployed server address or a missing server address. For example, if the source server addresses corresponding to the target detection data are address 1 and address 2, and the first server address set contains address 1, address 2 and address 3, then the deployed server addresses are address 1 and address 2 and the missing server address is address 3. The monitoring risk assessment terminal 108 generates the risk detection result based on the missing server addresses; the risk detection result contains the missing server addresses and, optionally, the detection initiation time, the data acquisition time to be screened and the number of missing server addresses. The monitoring risk assessment terminal 108 displays the risk detection result. It can be understood that a missing server address is the address of a server that the monitoring platform 106 is supposed to monitor but does not.
In this embodiment, the deployed and missing server addresses are determined among the first server addresses according to the source server addresses corresponding to the target detection data, and the risk detection result is generated from the missing server addresses. The monitoring risk assessment terminal 108 can thus assess the monitoring risk of the monitoring platform 106 from the risk detection result and see whether any server is missing from the monitoring platform's coverage.
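As an added example that is not part of the patent, the marker-character embodiment of steps 202 to 404 in runnable Python: an ICMP message is built with the marker in its Data field and an RFC 1071 checksum, a constructed batch of mirrored IPv4/ICMP frames (standing in for the mirrored data held by the monitoring platform) is screened for the marker, and the source addresses found are reconciled against a first server address set into deployed and missing addresses. Because an echo reply returns the request's Data field (RFC 792), the reply mirrored from each server carries the marker with the server as its source address, which is what the reconciliation keys on. The addresses, identifier values and the choice to discard frames whose ICMP checksum does not verify are assumptions of this example.

```python
import struct
import ipaddress

# Marker character from the patent text ("616161"), carried as ASCII bytes in the
# ICMP Data field. All addresses below are constructed for this example.
MARKER = b"616161"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP header plus payload.
    Over a complete message whose Checksum field is already filled in, the
    result is 0, which is how a received message is verified."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, ident: int, seq: int, data: bytes = MARKER) -> bytes:
    """Type (8 = echo request, 0 = echo reply), Code 0, Checksum, Identifier,
    Sequence Number, then the Data field carrying the marker."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data

def build_ipv4_frame(src: str, dst: str, icmp: bytes) -> bytes:
    """Minimal IPv4 header (no options, header checksum left 0) around the ICMP
    message; used only to construct what the mirroring device would deliver."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + icmp

def parse_frame(frame: bytes):
    """Return (source address, ICMP type, ICMP data) for a well-formed IPv4/ICMP
    frame whose ICMP checksum verifies, otherwise None. A corrupted mirror is not
    accepted as evidence that a server is being monitored (an assumption here)."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1 or len(frame) < ihl + 8:  # IP protocol 1 = ICMP
        return None
    icmp = frame[ihl:]
    if icmp_checksum(icmp) != 0:
        return None
    return str(ipaddress.ip_address(frame[12:16])), icmp[0], icmp[8:]

def screen_marker(frames, marker: bytes = MARKER) -> set:
    """Step 204 for the marker case: mirrored frames whose ICMP Data carries the
    marker are the target detection data; return their source server addresses."""
    sources = set()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is not None and marker in parsed[2]:
            sources.add(parsed[0])
    return sources

def reconcile(first_server_addresses, sources: set):
    """Steps 402 and 404: first server addresses seen as sources are deployed
    addresses; the remaining first server addresses are missing addresses.
    Sources outside the first server address set are ignored."""
    first = set(first_server_addresses)
    deployed = first & sources
    return deployed, first - deployed

def constructed_mirror_batch():
    """Constructed stand-in for the mirrored data on the monitoring platform: echo
    replies carrying the marker from 10.0.0.1 and 10.0.0.2, unrelated ICMP from
    10.0.0.4, a marker reply from 10.0.0.9 (not in the first address set), and a
    corrupted reply from 10.0.0.3 whose checksum no longer verifies."""
    frames = [
        build_ipv4_frame("10.0.0.1", "10.0.9.9", build_icmp(0, 0x1234, 1)),
        build_ipv4_frame("10.0.0.2", "10.0.9.9", build_icmp(0, 0x1234, 2)),
        build_ipv4_frame("10.0.0.4", "10.0.9.9", build_icmp(0, 0x0001, 7, b"hello")),
        build_ipv4_frame("10.0.0.9", "10.0.9.9", build_icmp(0, 0x1234, 3)),
    ]
    damaged = bytearray(build_ipv4_frame("10.0.0.3", "10.0.9.9", build_icmp(0, 0x1234, 4)))
    damaged[-1] ^= 0xFF  # flip the last payload byte so the checksum fails
    frames.append(bytes(damaged))
    return frames

def run_demo():
    first_server_addresses = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    sources = screen_marker(constructed_mirror_batch())
    return reconcile(first_server_addresses, sources)

if __name__ == "__main__":
    deployed, missing = run_demo()
    print("deployed:", sorted(deployed))  # ['10.0.0.1', '10.0.0.2']
    print("missing:", sorted(missing))    # ['10.0.0.3']
```

The reconciliation is a plain set difference; what makes it meaningful is the screening in front of it, which only counts a frame as evidence when it parses as ICMP, verifies, and carries the marker. Note that the result is only as good as the reserved data transmission time: if the data to be screened is fetched before the mirrored replies have reached the monitoring platform, a correctly monitored server shows up as missing.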
In one embodiment, the test traffic data contains preset security policy trigger data. Generating the initial detection data containing the test traffic data according to the preset detection data generation policy and sending the detection instruction containing the initial detection data to the server comprises:
generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, and sending a detection instruction containing the preset security policy trigger data to the server corresponding to each second server address in a preset second server address set;
and screening out the target detection data corresponding to the test traffic data from the data to be screened comprises:
screening out, from the data to be screened, the security policy response data corresponding to the preset security policy trigger data, to obtain the target detection data.
The preset security policy trigger data is used to trigger the security policies in the monitoring platform, so that the data to be screened it generates contains security policy response data.
In this embodiment, the monitoring risk assessment terminal 108 generates initial detection data containing the preset security policy trigger data according to that trigger data. There is at least one item of preset security policy trigger data, and each kind of preset security policy trigger data triggers one kind of security policy. The preset security policy trigger data is meant to trigger a security policy: if a security policy deployed on the monitoring platform 106 is triggered, the monitoring platform 106 generates security policy response data, which is the alert indicating that a security policy in the monitoring platform 106 has been triggered. The security policy response data includes the security policy trigger data and the type of security policy it triggered; the security policy trigger data includes the preset security policy trigger data. It can be understood that the set of security policy types corresponding to the set of preset security policy trigger data is the set of security policy types the monitoring platform 106 is supposed to have deployed. In one embodiment, the initial detection data is HTTP request data. Specifically, the monitoring risk assessment terminal 108 writes at least one item of preset security policy trigger data into the HTTP request data, producing HTTP request data that contains the preset security policy trigger data. The monitoring risk assessment terminal 108 sends the initial detection data containing the preset security policy trigger data to the server corresponding to each second server address in the preset second server address set, a second server address being the address of a server that the monitoring platform 106 is supposed to monitor.
Optionally, the second server address set may contain the addresses of all the servers that the monitoring platform 106 is supposed to monitor, or it may contain at least one deployed server address; deployed server addresses are identified as described in step 402 above. The monitoring risk assessment terminal 108 screens the data to be screened by the preset security policy trigger data and keeps the items that correspond to it, obtaining the target detection data. In one embodiment the data to be screened is security policy response data; specifically, the monitoring risk assessment terminal 108 screens the security policy response data by the preset security policy trigger data and keeps the response data that corresponds to it, obtaining the target detection data.
In this embodiment, initial detection data containing the preset security policy trigger data is generated from that trigger data and sent to the servers at the second server addresses, and the target detection data is then obtained by screening on the preset security policy trigger data. The target detection data can therefore be screened out of the data to be screened quickly, which improves monitoring efficiency, and at the same time the monitoring risk of the security policies deployed in the monitoring platform 106 can be assessed accurately.
In one embodiment, as shown in fig. 5, determining the risk detection result from the initial detection data and the target detection data comprises:
Step 502: search the preset security policy trigger data contained in the initial detection data for the target security trigger identifier contained in the target detection data, to obtain the triggered security policy trigger data.
In this embodiment, for each target security trigger identifier contained in the target detection data, the monitoring risk assessment terminal 108 searches the preset security policy trigger data contained in the initial detection data for that identifier, obtaining the triggered security policy trigger data. The target security trigger identifier is the trigger data carried by the target detection data. In one embodiment the data to be screened is security policy response data and the target detection data is the security policy response data corresponding to the preset security policy trigger data. The triggered security policy trigger data is the preset security policy trigger data found by searching on the target security trigger identifiers.
Step 504: identify the preset security policy trigger data other than the triggered security policy trigger data as non-triggered security policy trigger data.
In this embodiment, the monitoring risk assessment terminal 108 collects the triggered security policy trigger data and identifies every item of preset security policy trigger data that is not triggered security policy trigger data as non-triggered security policy trigger data; each item of preset security policy trigger data is therefore either triggered or non-triggered.
Step 506: identify the security policy class corresponding to the non-triggered security policy trigger data as a trigger failure policy class, and generate the risk detection result based on the trigger failure policy classes.
In this embodiment, the monitoring risk assessment terminal 108 identifies the security policy class corresponding to each item of non-triggered security policy trigger data as a trigger failure policy class, each item of security policy trigger data triggering one corresponding security policy. The number of non-triggered security policy trigger data items is a non-negative integer. For example, if the non-triggered security policy trigger data includes security policy trigger data 3, and security policy trigger data 3 triggers security policy 3, then the monitoring risk assessment terminal 108 identifies security policy 3 as a trigger failure policy class. It can be understood that a trigger failure policy class may be a security policy that is deployed on the monitoring platform 106 but did not trigger, or a security policy that has not been deployed on the monitoring platform 106 at all. The monitoring risk assessment terminal 108 generates a detection result based on the trigger failure policy classes; the detection result contains the trigger failure policy classes and, optionally, the detection initiation time, the second detection data acquisition time and the number of trigger failure policy classes. The monitoring risk assessment terminal 108 displays the detection result.
In this embodiment, the triggered and non-triggered security policy trigger data are determined among the preset security policy trigger data according to the target security trigger identifiers contained in the target detection data, and the detection result is generated from the security policy classes corresponding to the non-triggered trigger data. The monitoring risk assessment terminal 108 can thus assess the monitoring risk of the monitoring platform 106 from the detection result and see whether the monitoring platform 106 has security policies whose deployment failed or security policies that were never deployed.
In one embodiment, the traffic data further includes service traffic data, and the risk detection method further comprises:
taking the data to be screened other than the target detection data as reference data; determining, from the reference data, the security policy trigger data corresponding to it, to obtain reference trigger data; determining new preset security policy trigger data from the reference trigger data and the existing preset security policy trigger data; and, when the trigger condition for the next risk detection is met, returning to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, now using the new preset security policy trigger data.
Here the traffic data comprises the initial detection data and the service traffic data. The initial detection data is the traffic the monitoring risk assessment terminal 108 sends to the server 102 in order to detect the monitoring risk of the monitoring platform 106; the service traffic data is all traffic other than the initial detection data.
In this embodiment, where the target detection data is the security policy response data corresponding to the preset security policy trigger data, the monitoring risk assessment terminal 108 takes the data to be screened other than the target detection data as reference data, so that the data to be screened consists of the target detection data and the reference data. Where the test traffic data contains preset security policy trigger data, the data to be screened is security policy response data, made up of the response data corresponding to the preset security policy trigger data (the target detection data) and the response data corresponding to the service traffic data (the reference data). The monitoring risk assessment terminal 108 obtains the security policy trigger data corresponding to the reference data and takes it as the reference trigger data, and then takes the reference trigger data together with the original preset security policy trigger data as the new preset security policy trigger data. When the trigger condition for the next risk detection is met, the monitoring risk assessment terminal 108 returns to the step of generating initial detection data containing the preset security policy trigger data, now using the new preset security policy trigger data, and so obtains a new risk detection result.
In this embodiment, the preset security policy trigger data is re-determined from the reference data: the new preset security policy trigger data consists of the reference trigger data plus the original preset security policy trigger data. The preset security policy trigger data is thus kept up to date and gaps in it are filled, so that risk detection based on the new preset security policy trigger data is more comprehensive and the new risk detection result more reliable.
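As an added example that is not part of the patent, the trigger-data embodiment of steps 502 to 506 together with the reference-data feedback just described, in Python: probe requests are built from a preset trigger set, a constructed batch of alerts standing in for the monitoring platform's security policy response data is split into target detection data and reference data, the triggered and non-triggered trigger data and the trigger failure policy classes are derived, and the reference alerts' trigger data is folded into the preset set for the next round. The trigger identifiers, probe strings, policy class names, the X-Probe-Id header and the sequential naming of new identifiers are all assumptions of this example. The same reconcile_policies function, called with an empty target list, also yields the no-match case described later on this page, in which every preset policy class becomes a trigger failure class.

```python
from dataclasses import dataclass
from urllib.parse import quote

# Preset security policy trigger data keyed by a trigger identifier:
# identifier -> (probe string written into the HTTP request, security policy class
# it is expected to trigger). Identifiers, probes and class names are constructed
# for this example and are not taken from the patent.
PRESET_TRIGGERS = {
    "T1": ("' OR '1'='1", "sql_injection"),
    "T2": ("../../etc/passwd", "path_traversal"),
    "T3": ("<script>alert(1)</script>", "xss"),
}

@dataclass(frozen=True)
class Alert:
    """Security policy response data as the monitoring platform reports it: the
    request content that matched (the trigger data) and the policy class that fired."""
    src: str
    trigger_data: str
    policy_class: str

def build_probe_request(host: str, path: str, trigger_id: str, probe: str) -> str:
    """Initial detection data for the trigger case: an HTTP/1.1 GET whose query string
    carries the probe. The X-Probe-Id header is an assumption of this example, added so
    a captured request can be tied back to its trigger identifier."""
    return (f"GET {path}?q={quote(probe, safe='')} HTTP/1.1\r\n"
            f"Host: {host}\r\nX-Probe-Id: {trigger_id}\r\n\r\n")

def _payload_index(presets):
    """Map each preset probe string back to its trigger identifier."""
    return {payload: tid for tid, (payload, _cls) in presets.items()}

def screen_targets(alerts, presets):
    """Step 204 for the trigger case: alerts whose trigger data equals one of the
    preset probes are target detection data; all other alerts are reference data
    (responses to service traffic rather than to the probes)."""
    by_payload = _payload_index(presets)
    targets = [a for a in alerts if a.trigger_data in by_payload]
    reference = [a for a in alerts if a.trigger_data not in by_payload]
    return targets, reference

def reconcile_policies(targets, presets):
    """Steps 502 to 506: trigger identifiers found in the target detection data are
    triggered; presets not found are non-triggered; their policy classes are the
    trigger failure classes. With no target detection data at all, every preset class
    is a trigger failure class."""
    by_payload = _payload_index(presets)
    triggered = {by_payload[a.trigger_data] for a in targets}
    non_triggered = set(presets) - triggered
    failed_classes = {presets[tid][1] for tid in non_triggered}
    return triggered, non_triggered, failed_classes

def update_presets(presets, reference):
    """Reference-data feedback: trigger data seen in reference alerts becomes new
    preset trigger data for the next round, alongside the original presets.
    New identifiers are numbered sequentially (an assumption of this example)."""
    new_presets = dict(presets)
    known = set(_payload_index(presets))
    for alert in reference:
        if alert.trigger_data not in known:
            new_presets[f"R{len(new_presets) + 1}"] = (alert.trigger_data, alert.policy_class)
            known.add(alert.trigger_data)
    return new_presets

def constructed_alerts():
    """Constructed sample of security policy response data: T1 and T2 fired on two
    monitored servers (T1 twice), T3 never fired, and one alert came from service
    traffic unrelated to the probes."""
    return [
        Alert("10.0.0.1", "' OR '1'='1", "sql_injection"),
        Alert("10.0.0.2", "../../etc/passwd", "path_traversal"),
        Alert("10.0.0.2", "' OR '1'='1", "sql_injection"),
        Alert("198.51.100.7", "cmd=;cat /etc/shadow", "command_injection"),
    ]

def run_demo():
    targets, reference = screen_targets(constructed_alerts(), PRESET_TRIGGERS)
    triggered, non_triggered, failed = reconcile_policies(targets, PRESET_TRIGGERS)
    return triggered, non_triggered, failed, update_presets(PRESET_TRIGGERS, reference)

if __name__ == "__main__":
    triggered, non_triggered, failed, next_presets = run_demo()
    print("triggered:", sorted(triggered))              # ['T1', 'T2']
    print("trigger failure classes:", sorted(failed))   # ['xss']
    print("next round presets:", sorted(next_presets))  # ['R4', 'T1', 'T2', 'T3']
```

A trigger failure class tells you only that no alert for that probe reached the platform; as the text notes, that can mean the policy is missing or that it is deployed and did not fire, and the two are not distinguishable from this data alone. The feedback step is deliberately additive: reference trigger data is only ever appended to the preset set, never used to drop presets, so a probe that went silent still gets re-sent and re-checked in the next round.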
In one embodiment, returning, when the trigger condition for the next risk detection is met, to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data, comprises:
when the next risk detection initiation time is reached, returning to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data; or, when the next risk detection period has elapsed, returning to that same step, using the new preset security policy trigger data. The trigger condition for risk detection is therefore either a risk detection initiation time or a risk detection period.
In this embodiment, when the next risk detection initiation time is reached, the monitoring risk assessment terminal 108 returns to the step of generating initial detection data containing the preset security policy trigger data, using the new preset security policy trigger data, and obtains a new risk detection result. Each risk detection initiation time is an element of a preset set of risk detection initiation times, the earliest of which is the initial risk detection initiation time. The risk detection initiation times may be preset based on human experience.
Alternatively, when the next risk detection period has elapsed, the monitoring risk assessment terminal 108 returns to the step of generating initial detection data containing the preset security policy trigger data, using the new preset security policy trigger data, and obtains a new risk detection result. The risk detection period is a preset duration; the next risk detection period has elapsed when the current time equals the initial risk detection initiation time plus N risk detection periods, N being a positive integer.
In this embodiment, the trigger condition for risk detection may be a risk detection initiation time or a risk detection period. Detection therefore does not have to be started by hand at the right moment: risk detection of the monitoring platform runs automatically on the trigger condition, which improves detection efficiency.
In one embodiment, where no target detection data corresponding to the test traffic data can be screened out of the data to be screened, the risk detection method further comprises:
if the test traffic data contains the test identifier (the marker character), identifying the first server addresses corresponding to the initial detection data as missing server addresses and generating the risk detection result based on the missing server addresses; if the test traffic data contains preset security policy trigger data, identifying the set of security policy classes corresponding to the set of preset security policy trigger data as the set of trigger failure policy classes and generating the risk detection result based on that set.
In this embodiment, where the monitoring risk assessment terminal 108 cannot screen any target detection data corresponding to the test traffic data out of the data to be screened, and the test traffic data contains the test identifier, the monitoring risk assessment terminal 108 identifies the first server addresses corresponding to the initial detection data as missing server addresses and generates the risk detection result from them. The first server addresses corresponding to the initial detection data make up the first server address set, and the missing server addresses make up the missing server address set; so in this case the monitoring risk assessment terminal 108 identifies the whole first server address set as the missing server address set and generates the risk detection result from it. Where no target detection data can be screened out and the test traffic data contains preset security policy trigger data, the monitoring risk assessment terminal 108 identifies the set of security policy classes corresponding to the set of preset security policy trigger data as the set of trigger failure policy classes and generates the risk detection result from that set.
In this embodiment, when no target detection data corresponding to the test traffic data is screened out of the data to be screened, the risk detection result is generated from the missing server addresses or the trigger failure policy classes. The monitoring risk assessment terminal 108 can thus assess the monitoring risk of the monitoring platform 106 from the risk detection result and see whether the monitoring platform 106 is failing to monitor a server, has security policies whose deployment failed, or is missing security policies altogether.
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in the order indicated by the arrows, they are not necessarily executed in that order. Unless explicitly stated herein, the steps are not strictly limited to that order and may be executed in other orders. Moreover, at least some of the steps in those flowcharts may comprise several sub-steps or stages, which need not be executed at the same time and may be executed at different times, and whose order of execution need not be sequential: they may be executed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, an embodiment of the application also provides a risk detection system for implementing the risk detection method. The implementation of the solution provided by the system is similar to that described for the method above, so for the specific limitations of the one or more embodiments of the risk detection system provided below, reference may be made to the limitations of the risk detection method above; they are not repeated here.
In one embodiment, as shown in fig. 1, a risk detection system is provided, comprising a server 102, a mirroring device 104, a monitoring platform 106 and a monitoring risk assessment terminal 108, wherein:
the monitoring risk assessment terminal 108 is configured to generate initial detection data containing test traffic data according to a preset detection data generation policy, and to send a detection instruction containing the initial detection data to the server 102;
the server 102 is configured to send traffic data including the initial detection data to the mirroring device 104;
the mirroring device 104 is configured to mirror the traffic data to obtain mirror data, and to send the mirror data to the monitoring platform 106;
the monitoring platform 106 is configured to determine, based on a preset processing policy, the data to be screened corresponding to the mirror data;
the monitoring risk assessment terminal 108 is further configured to screen out, from the data to be screened, the target detection data corresponding to the test traffic data, and to determine a risk detection result from the initial detection data and the target detection data; the risk detection result characterizes the monitoring risk of the monitoring platform 106.
In one embodiment, the test traffic data comprises a marker character, and the monitoring risk assessment terminal 108 is specifically configured to:
generate initial detection data containing the marker character according to the marker character, and send a detection instruction containing the initial detection data to the server 102 corresponding to each first server address in a preset first server address set;
and screen out, from the data to be screened, the data containing the marker character to obtain the target detection data.
In one embodiment, the monitoring risk assessment terminal 108 is specifically configured to:
search, according to the source server address corresponding to the target detection data, the first server addresses corresponding to the initial detection data to obtain the deployed server addresses;
and identify the first server addresses other than the deployed server addresses as missing server addresses, and generate the risk detection result from the missing server addresses.
In one embodiment, the test traffic data comprises preset security policy trigger data, and the monitoring risk assessment terminal 108 is specifically configured to:
generate initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, and send a detection instruction containing the preset security policy trigger data to the server 102 corresponding to each second server address in a preset second server address set; the preset security policy trigger data is intended to trigger the security policies in the monitoring platform 106 so that the data to be screened includes security policy response data;
and screen out, from the data to be screened, the security policy response data corresponding to the preset security policy trigger data to obtain the target detection data.
In one embodiment, the monitoring risk assessment terminal 108 is specifically configured to:
search, according to the target security trigger identifier contained in the target detection data, the preset security policy trigger data contained in the initial detection data to obtain the triggered security policy trigger data;
identify the preset security policy trigger data other than the triggered security policy trigger data as non-triggered security policy trigger data;
and identify the security policy category corresponding to the non-triggered security policy trigger data as a trigger failure policy category, and generate the risk detection result from the trigger failure policy category.
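The two checks described above (marker character for monitoring coverage, preset trigger data for policy effectiveness), together with the case handled earlier in which nothing at all is screened out, as an added example in Python. This is not code from the patent or from ICBC; the marker string, trigger identifiers, record layout and sample records are assumptions chosen for illustration.

```python
"""
Added example, not code from CN116366462A: a minimal model of the risk detection
method. It covers the marked-traffic check (missing server addresses), the security
policy trigger check (trigger failure policy categories), and the case in which no
target detection data is screened out at all. Marker string, trigger identifiers,
record layout and sample records are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

MARKER = "RISKPROBE-7f3a"  # assumed marker character carried by the test traffic

# Assumed preset security policy trigger data: trigger identifier -> (policy category, payload).
PRESET_TRIGGERS = {
    "T-SQLI-01": ("sql_injection", "id=1' OR '1'='1"),
    "T-XSS-01": ("xss", "<script>alert(1)</script>"),
    "T-PATH-01": ("path_traversal", "../../etc/passwd"),
}


@dataclass(frozen=True)
class ScreenedRecord:
    """One item of 'data to be screened' as emitted by the monitoring platform (assumed layout)."""
    src: str                          # source server address seen in the mirrored traffic
    payload: str                      # reconstructed request payload
    trigger_id: Optional[str] = None  # security trigger identifier of a policy response, if a policy fired


def build_initial_detection_data(first_server_addresses, marker=MARKER):
    """Initial detection data carrying the marker character, one probe per first server address."""
    return {addr: f"GET /health?probe={marker} HTTP/1.1" for addr in first_server_addresses}


def screen_marked(data_to_screen, marker=MARKER):
    """Target detection data for the marker check: records whose payload contains the marker."""
    return [r for r in data_to_screen if marker in r.payload]


def missing_server_addresses(first_server_addresses, target_detection_data):
    """First server addresses that never appeared as the source of marked traffic.

    With empty target_detection_data every first server address is returned, which is
    exactly the 'nothing screened out' case of the method."""
    deployed = {r.src for r in target_detection_data}
    return sorted(set(first_server_addresses) - deployed)


def screen_policy_responses(data_to_screen, preset_triggers=PRESET_TRIGGERS):
    """Target detection data for the policy check: policy responses tagged with a preset trigger id."""
    return [r for r in data_to_screen if r.trigger_id in preset_triggers]


def trigger_failure_categories(target_detection_data, preset_triggers=PRESET_TRIGGERS):
    """Policy categories whose preset trigger data produced no response from the monitoring platform.

    With empty target_detection_data every preset category is reported, again matching the
    'nothing screened out' case."""
    triggered = {r.trigger_id for r in target_detection_data}
    untriggered = set(preset_triggers) - triggered
    return sorted({preset_triggers[t][0] for t in untriggered})


def risk_detection_result(first_server_addresses, data_to_screen, preset_triggers=PRESET_TRIGGERS):
    """Run both checks over one batch of data to be screened and return the risk detection result."""
    marked = screen_marked(data_to_screen)
    responses = screen_policy_responses(data_to_screen, preset_triggers)
    return {
        "missing_server_addresses": missing_server_addresses(first_server_addresses, marked),
        "trigger_failure_categories": trigger_failure_categories(responses, preset_triggers),
        "nothing_screened": not marked and not responses,
    }


# Constructed sample run: three probed servers, one of which is never mirrored; the XSS
# trigger produced no policy response; ordinary traffic is mixed in.
FIRST_SERVER_ADDRESSES = ["10.0.1.11", "10.0.1.12", "10.0.1.13"]
SAMPLE_DATA_TO_SCREEN = [
    ScreenedRecord("10.0.1.11", f"GET /health?probe={MARKER} HTTP/1.1"),
    ScreenedRecord("10.0.1.12", f"GET /health?probe={MARKER} HTTP/1.1"),
    ScreenedRecord("10.0.1.11", "GET /login?id=1' OR '1'='1 HTTP/1.1", trigger_id="T-SQLI-01"),
    ScreenedRecord("10.0.1.12", "GET /dl?f=../../etc/passwd HTTP/1.1", trigger_id="T-PATH-01"),
    ScreenedRecord("10.0.2.7", "GET /index.html HTTP/1.1"),  # ordinary traffic: no marker, no policy hit
]


def sample_result():
    """Risk detection result for the constructed batch."""
    return risk_detection_result(FIRST_SERVER_ADDRESSES, SAMPLE_DATA_TO_SCREEN)


if __name__ == "__main__":
    print(sample_result())
    print(risk_detection_result(FIRST_SERVER_ADDRESSES, []))  # nothing screened out
```

Two points worth noticing. The set differences already return the whole first server address set and every policy category when the target detection data is empty, so the "nothing screened out" branch of the method is the degenerate case of the general computation rather than separate logic. And the marker check is only meaningful if the marker cannot occur in ordinary traffic: a short or guessable marker lets unrelated records be counted as evidence that a server is monitored.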
In one embodiment, the traffic data further includes traffic other than the test traffic data, and the monitoring risk assessment terminal 108 is further configured to:
take the data to be screened other than the target detection data as reference data;
determine, based on the reference data, the security policy trigger data corresponding to the reference data to obtain reference trigger data;
determine new preset security policy trigger data based on the reference trigger data and the preset security policy trigger data;
and, when the trigger condition for the next risk detection is reached, return to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data.
In one embodiment, the monitoring risk assessment terminal 108 is specifically configured to:
return to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data, when the next risk detection initiation time is reached; or
return to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data, when the next risk detection period has elapsed.
In one embodiment, when no target detection data corresponding to the test traffic data is screened out of the data to be screened, the monitoring risk assessment terminal 108 is further configured to:
identify, if the test traffic data includes the test identifier, the first server addresses corresponding to the initial detection data as missing server addresses, and generate the risk detection result from the missing server addresses;
and identify, if the test traffic data includes preset security policy trigger data, the set of security policy categories corresponding to the preset security policy trigger data set as the trigger failure policy category set, and generate the risk detection result from the trigger failure policy category set.
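The feedback loop described above, in which trigger data that ordinary traffic caused the monitoring platform to emit is folded into the preset set before the next round, together with the two forms of the next-round trigger condition (an initiation time or a detection period), as an added example in Python. This is not code from the patent or from ICBC; the record layout, trigger identifiers, sample records and the scheduling helper are assumptions.

```python
"""
Added example, not code from CN116366462A: the update loop in which security policy
trigger data observed in reference data (records the terminal did not inject) is merged
into the preset trigger set, and the trigger condition for the next detection round.
Record layout, identifiers, sample records and the scheduling helper are assumptions.
"""
from datetime import datetime, timedelta

# Assumed preset security policy trigger data before the round: trigger id -> category and payload.
PRESET_TRIGGERS = {
    "T-SQLI-01": {"category": "sql_injection", "payload": "id=1' OR '1'='1"},
    "T-XSS-01": {"category": "xss", "payload": "<script>alert(1)</script>"},
}


def reference_data(data_to_screen, target_detection_data):
    """Data to be screened other than the target detection data."""
    return [r for r in data_to_screen if r not in target_detection_data]


def reference_trigger_data(reference):
    """Security policy trigger data corresponding to the reference data: a policy response
    carrying a trigger id and a category is taken as trigger data the preset set can learn."""
    found = {}
    for r in reference:
        tid = r.get("trigger_id")
        if tid and r.get("category"):
            found.setdefault(tid, {"category": r["category"], "payload": r["payload"]})
    return found


def update_preset_triggers(preset, reference_triggers):
    """New preset security policy trigger data: every existing entry plus the newly observed ones."""
    merged = dict(preset)
    for tid, item in reference_triggers.items():
        merged.setdefault(tid, item)  # existing entries win; only unknown trigger ids are added
    return merged


def next_detection_due(now, last_run, period=None, initiation_time=None):
    """Trigger condition for the next round: an initiation time that has arrived and has not
    yet been served, or a full detection period elapsed since the last run."""
    if initiation_time is not None and initiation_time <= now and (last_run is None or last_run < initiation_time):
        return True
    if period is not None and last_run is not None and now - last_run >= period:
        return True
    return False


# Constructed sample batch: two injected probes (the target detection data) and two records of
# ordinary traffic, one of which made a command-injection policy fire that is not yet preset.
TARGET = [
    {"src": "10.0.1.11", "payload": "id=1' OR '1'='1", "trigger_id": "T-SQLI-01", "category": "sql_injection"},
    {"src": "10.0.1.12", "payload": "<script>alert(1)</script>", "trigger_id": "T-XSS-01", "category": "xss"},
]
DATA_TO_SCREEN = TARGET + [
    {"src": "10.0.5.2", "payload": "cmd=;cat /etc/shadow", "trigger_id": "T-CMDI-01", "category": "command_injection"},
    {"src": "10.0.5.3", "payload": "GET /index.html", "trigger_id": None, "category": None},
]


def run_update_cycle(preset=PRESET_TRIGGERS):
    """One round: split off the reference data, extract its trigger data, merge into the preset set."""
    ref = reference_data(DATA_TO_SCREEN, TARGET)
    new_preset = update_preset_triggers(preset, reference_trigger_data(ref))
    return {"reference_count": len(ref), "new_preset": new_preset}


def sample_schedule_checks():
    """Constructed scheduling cases: period not yet elapsed, period elapsed, initiation time
    reached and unserved, initiation time already served."""
    t0 = datetime(2024, 1, 1)
    day = timedelta(hours=24)
    return (
        next_detection_due(t0 + timedelta(hours=23), t0, period=day),
        next_detection_due(t0 + day, t0, period=day),
        next_detection_due(t0 + timedelta(hours=1), t0, initiation_time=t0 + timedelta(minutes=30)),
        next_detection_due(t0 + timedelta(hours=1), t0 + timedelta(hours=1), initiation_time=t0 + timedelta(minutes=30)),
    )


if __name__ == "__main__":
    print(sorted(run_update_cycle()["new_preset"]))
    print(sample_schedule_checks())
```

The merge deliberately never overwrites an existing preset entry, so a policy response seen in ordinary traffic can only widen the probe set for the next round, not change the payloads already known to work; whether such learned payloads should be replayed unreviewed against production servers is a decision the operator has to make, since the reference data comes from traffic the terminal did not generate.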
Based on the same inventive concept, an embodiment of the application also provides a risk detection apparatus for implementing the risk detection method. The implementation of the solution provided by the apparatus is similar to that described for the method above, so for the specific limitations of the one or more embodiments of the risk detection apparatus provided below, reference may be made to the limitations of the risk detection method above; they are not repeated here.
In one embodiment, as shown in fig. 6, a risk detection apparatus is provided, comprising:
a generating module 602, configured to generate initial detection data containing test traffic data according to a preset detection data generation policy, and to send a detection instruction containing the initial detection data to the server 102, where the detection instruction instructs the server 102 to send traffic data including the initial detection data to the mirroring device 104; the traffic data is mirrored by the mirroring device 104 so that the monitoring platform 106 obtains mirror data and determines, based on a preset processing policy, the data to be screened corresponding to the mirror data;
a screening module 604, configured to screen out, from the data to be screened, the target detection data corresponding to the test traffic data;
a first determining module 606, configured to determine a risk detection result from the initial detection data and the target detection data; the risk detection result characterizes the monitoring risk of the monitoring platform 106.
In one embodiment, the test traffic data comprises a marker character, and the generating module 602 is specifically configured to:
generate initial detection data containing the marker character according to the marker character, and send a detection instruction containing the initial detection data to the server 102 corresponding to each first server address in a preset first server address set;
and the screening module 604 is specifically configured to:
screen out, from the data to be screened, the data containing the marker character to obtain the target detection data.
In one embodiment, the first determining module 606 is specifically configured to:
search, according to the source server address corresponding to the target detection data, the first server addresses corresponding to the initial detection data to obtain the deployed server addresses;
and identify the first server addresses other than the deployed server addresses as missing server addresses, and generate the risk detection result from the missing server addresses.
In one embodiment, the test traffic data comprises preset security policy trigger data, and the generating module 602 is specifically configured to:
generate initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, and send a detection instruction containing the preset security policy trigger data to the server 102 corresponding to each second server address in a preset second server address set; the preset security policy trigger data is intended to trigger the security policies in the monitoring platform 106 so that the data to be screened includes security policy response data;
and the screening module 604 is specifically configured to:
screen out, from the data to be screened, the security policy response data corresponding to the preset security policy trigger data to obtain the target detection data.
In one embodiment, the first determining module 606 is specifically configured to:
search, according to the target security trigger identifier contained in the target detection data, the preset security policy trigger data contained in the initial detection data to obtain the triggered security policy trigger data;
identify the preset security policy trigger data other than the triggered security policy trigger data as non-triggered security policy trigger data;
and identify the security policy category corresponding to the non-triggered security policy trigger data as a trigger failure policy category, and generate the risk detection result from the trigger failure policy category.
In one embodiment, the traffic data further includes traffic other than the test traffic data, and the risk detection apparatus further comprises:
a second determining module, configured to take the data to be screened other than the target detection data as reference data;
a third determining module, configured to determine, based on the reference data, the security policy trigger data corresponding to the reference data to obtain reference trigger data;
a fourth determining module, configured to determine new preset security policy trigger data based on the reference trigger data and the preset security policy trigger data;
and an updating module, configured to return, when the trigger condition for the next risk detection is reached, to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data.
In one embodiment, the updating module is specifically configured to:
return to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data, when the next risk detection initiation time is reached; or
return to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data, when the next risk detection period has elapsed.
In one embodiment, when no target detection data corresponding to the test traffic data is screened out of the data to be screened, the risk detection apparatus further comprises:
a first identifying module, configured to identify, if the test traffic data includes the test identifier, the first server addresses corresponding to the initial detection data as missing server addresses, and to generate the risk detection result from the missing server addresses;
and a second identifying module, configured to identify, if the test traffic data includes preset security policy trigger data, the set of security policy categories corresponding to the preset security policy trigger data set as the trigger failure policy category set, and to generate the risk detection result from the trigger failure policy category set.
The modules of the risk detection apparatus described above may be implemented in whole or in part by software, by hardware, or by a combination of the two. The modules may be embedded in, or independent of, the processor of the computer device in hardware form, or stored in software form in the memory of the computer device, so that the processor can call them and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a terminal and whose internal structure may be as shown in fig. 7. The computer device comprises a processor, a memory, an input/output interface, a communication interface, a display unit and an input device. The processor, the memory and the input/output interface are connected through a system bus; the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. The processor of the computer device provides computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program; the internal memory provides the runtime environment for the operating system and the computer program in the non-volatile storage medium. The input/output interface of the computer device exchanges information between the processor and external devices. The communication interface of the computer device communicates with an external terminal over a wired or wireless link; the wireless link may be implemented by Wi-Fi, a mobile cellular network, NFC (near field communication) or other technologies. When the computer program is executed by the processor, it implements a risk detection method. The display unit of the computer device produces the visual output and may be a display screen, a projection device or a virtual reality imaging device; the display screen may be a liquid crystal display or an electronic ink display. The input device of the computer device may be a touch layer covering the display screen, a key, trackball or touchpad on the housing of the computer device, or an external keyboard, touchpad or mouse.
Those skilled in the art will appreciate that the structure shown in fig. 7 is merely a block diagram of part of the structure relevant to the present application and does not limit the computer device to which the present application may be applied; a particular computer device may include more or fewer components than shown, combine certain components, or arrange the components differently.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, carries out the steps of the method embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
It should be noted that the user information (including, but not limited to, user equipment information and user personal information) and the data (including, but not limited to, data used for analysis, stored data and displayed data) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party, and that the collection, use and processing of the related data must comply with the relevant laws, regulations and standards of the relevant countries and regions.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium, which, when executed, may carry out the steps of the method embodiments described above. Any reference to memory, a database or another medium in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory and the like. Volatile memory may include random access memory (RAM) or external cache memory and the like. By way of illustration and not limitation, RAM may take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of relational and non-relational databases; non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors referred to in the embodiments provided herein may be general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum-computing-based data processing logic units and the like, without limitation.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not every possible combination of the technical features of the above embodiments is described; nevertheless, as long as a combination of technical features contains no contradiction, it should be considered within the scope of this description.
The above examples represent only a few embodiments of the present application. Although they are described in some detail, they are not to be construed as limiting the scope of the application. It should be noted that those skilled in the art could make various modifications and improvements without departing from the spirit of the present application, and these fall within the scope of the application. Accordingly, the scope of protection of the present application shall be defined by the appended claims.

Claims (12)

1. A risk detection method, the method comprising:
generating initial detection data containing test traffic data according to a preset detection data generation policy, and sending a detection instruction containing the initial detection data to a server; the detection instruction instructs the server to send traffic data including the initial detection data to a mirroring device; the traffic data is mirrored by the mirroring device so that a monitoring platform obtains mirror data and determines, based on a preset processing policy, the data to be screened corresponding to the mirror data;
screening out, from the data to be screened, target detection data corresponding to the test traffic data;
determining a risk detection result from the initial detection data and the target detection data; the risk detection result characterizes the monitoring risk of the monitoring platform.
2. The method of claim 1, wherein the test traffic data comprises a marker character; generating the initial detection data containing the test traffic data according to the preset detection data generation policy and sending the detection instruction containing the initial detection data to the server comprises:
generating initial detection data containing the marker character according to the marker character, and sending a detection instruction containing the initial detection data to the server corresponding to each first server address in a preset first server address set;
and screening out, from the data to be screened, the target detection data corresponding to the test traffic data comprises:
screening out, from the data to be screened, the data containing the marker character to obtain the target detection data.
3. The method of claim 2, wherein determining the risk detection result from the initial detection data and the target detection data comprises:
searching, according to the source server address corresponding to the target detection data, the first server addresses corresponding to the initial detection data to obtain deployed server addresses;
identifying the first server addresses other than the deployed server addresses as missing server addresses, and generating the risk detection result from the missing server addresses.
4. The method of claim 1, wherein the test traffic data comprises preset security policy trigger data; generating the initial detection data containing the test traffic data according to the preset detection data generation policy and sending the detection instruction containing the initial detection data to the server comprises:
generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, and sending a detection instruction containing the preset security policy trigger data to the server corresponding to each second server address in a preset second server address set; the preset security policy trigger data is intended to trigger the security policies in the monitoring platform so that the data to be screened includes security policy response data;
and screening out, from the data to be screened, the target detection data corresponding to the test traffic data comprises:
screening out, from the data to be screened, the security policy response data corresponding to the preset security policy trigger data to obtain the target detection data.
5. The method of claim 4, wherein determining the risk detection result from the initial detection data and the target detection data comprises:
searching, according to a target security trigger identifier contained in the target detection data, the preset security policy trigger data contained in the initial detection data to obtain triggered security policy trigger data;
identifying the preset security policy trigger data other than the triggered security policy trigger data as non-triggered security policy trigger data;
identifying the security policy category corresponding to the non-triggered security policy trigger data as a trigger failure policy category, and generating the risk detection result from the trigger failure policy category.
6. The method of claim 4, wherein the traffic data further comprises traffic other than the test traffic data, the method further comprising:
taking the data to be screened other than the target detection data as reference data;
determining, based on the reference data, the security policy trigger data corresponding to the reference data to obtain reference trigger data;
determining new preset security policy trigger data based on the reference trigger data and the preset security policy trigger data;
and, when the trigger condition for the next risk detection is reached, returning to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data.
7. The method of claim 6, wherein returning, when the trigger condition for the next risk detection is reached, to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data, comprises:
returning to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data, when the next risk detection initiation time is reached; or
returning to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data, using the new preset security policy trigger data, when the next risk detection period has elapsed.
8. The method of any one of claims 1 to 7, wherein, when no target detection data corresponding to the test traffic data is screened out of the data to be screened, the method further comprises:
identifying, if the test traffic data comprises a test identifier, the first server addresses corresponding to the initial detection data as missing server addresses, and generating the risk detection result from the missing server addresses;
and identifying, if the test traffic data comprises preset security policy trigger data, the set of security policy categories corresponding to the preset security policy trigger data set as a trigger failure policy category set, and generating the risk detection result from the trigger failure policy category set.
9. A risk detection system, characterized in that it comprises a server, a mirroring device, a monitoring platform and a monitoring risk assessment terminal, wherein:
the monitoring risk assessment terminal is configured to generate initial detection data containing test traffic data according to a preset detection data generation policy, and to send a detection instruction containing the initial detection data to the server;
the server is configured to send traffic data including the initial detection data to the mirroring device;
the mirroring device is configured to mirror the traffic data to obtain mirror data, and to send the mirror data to the monitoring platform;
the monitoring platform is configured to determine, based on a preset processing policy, the data to be screened corresponding to the mirror data;
the monitoring risk assessment terminal is further configured to screen out, from the data to be screened, target detection data corresponding to the test traffic data, and to determine a risk detection result from the initial detection data and the target detection data; the risk detection result characterizes the monitoring risk of the monitoring platform.
10. A risk detection apparatus, the apparatus comprising:
a generating module, configured to generate initial detection data containing test traffic data according to a preset detection data generation policy, and to send a detection instruction containing the initial detection data to a server, wherein the detection instruction instructs the server to send traffic data including the initial detection data to a mirroring device; the traffic data is mirrored by the mirroring device so that a monitoring platform obtains mirror data and determines, based on a preset processing policy, the data to be screened corresponding to the mirror data;
a screening module, configured to screen out, from the data to be screened, target detection data corresponding to the test traffic data;
a first determining module, configured to determine a risk detection result from the initial detection data and the target detection data; the risk detection result characterizes the monitoring risk of the monitoring platform.
11. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 8 when executing the computer program.
12. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 8.
CN202211619117.9A 2022-12-14 2022-12-14 Risk detection method, risk detection device, computer equipment and storage medium Pending CN116366462A (en)


Publications (1)

Publication Number Publication Date
CN116366462A true CN116366462A (en) 2023-06-30

CN117370176A (en) Application security test method, device, computer equipment and storage medium
CN113364764B (en) Information security protection method and device based on big data
CN116956305A (en) Evaluation method, apparatus, device, medium and program product for penetration test
CN114925228B (en) Visual monitoring method and device for point cloud calculation and computer equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination