CN116756305A - Information processing method and device for associated internal assets and electronic equipment - Google Patents


Publication number
CN116756305A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310774950.9A
Other languages
Chinese (zh)
Inventor
李长龙
高斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu New Hope Finance Information Co Ltd
Original Assignee
Chengdu New Hope Finance Information Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/34 Browsing; Visualisation therefor
    • G06F16/345 Summarisation for human users
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25 Integrating or interfacing systems involving database management systems
    • G06F16/258 Data format conversion from or to a database

Abstract

The application provides an intelligence processing method and apparatus for associating internal assets, and an electronic device. After an initial security intelligence text is acquired, security intelligence field information corresponding to that text is obtained. In addition, database information corresponding to the internal assets of a target enterprise is determined, the database information comprising system field information of a plurality of application systems used by the target enterprise. The security intelligence field information is matched against the system field information in the database information: when it does not match, it is discarded; when it matches, it is processed according to a preset standard format and a corresponding threat intelligence summary is output. Because matching and processing are based on the actual system field information of the enterprise's internal assets, the resulting threat intelligence summary reflects the actual state of those assets, which enables comprehensive security threat awareness for them.

Description

Information processing method and device for associated internal assets and electronic equipment
Technical Field
The present application relates to the field of data processing technologies, and in particular, to an information processing method and apparatus for associating internal assets, and an electronic device.
Background
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about a threat or hazard facing enterprise assets, which the parties responsible for those assets can use to support decisions on how to respond to or handle the threat or hazard.
In existing threat intelligence processing, an initial threat intelligence text is generally obtained from sources such as official patch releases and announcements by security departments or vendors; an initial summary is extracted based on user-defined keyword labels, and an intelligence summary text is then generated by combining external knowledge. Extracting the initial summary with user-defined keyword labels limits the scope of the threat intelligence that can be captured, so potential new security threats may go undetected.
Disclosure of Invention
The application aims to provide an intelligence processing method and apparatus for associating internal assets, and an electronic device, which can produce threat intelligence summaries consistent with the actual state of an enterprise's internal assets and thereby achieve comprehensive security threat awareness.
Embodiments of the application may be implemented as follows:
In a first aspect, the present application provides an intelligence processing method for associating internal assets, the method comprising:
acquiring an initial security intelligence text, and obtaining security intelligence field information corresponding to the security intelligence text, wherein the security intelligence text is vulnerability description information;
determining database information corresponding to internal assets of a target enterprise, wherein the database information comprises system field information of a plurality of application systems used by the target enterprise;
matching the security intelligence field information with the system field information in the database information;
discarding the security intelligence field information if it does not match the system field information;
and if the security intelligence field information matches the system field information, processing the security intelligence field information according to a preset standard format and outputting a corresponding threat intelligence summary.
In an optional embodiment, the step of obtaining the security intelligence field information corresponding to the security intelligence text includes:
preprocessing the security intelligence text;
and vectorizing the preprocessed security intelligence text to obtain the corresponding security intelligence field information.
In an optional embodiment, the security intelligence text includes security intelligence texts obtained from a plurality of different channels;
the step of preprocessing the security intelligence text includes:
determining, from among the security intelligence texts obtained from the plurality of different channels, a target security intelligence text obtained from a target channel;
for each security intelligence text obtained from a channel other than the target channel, calculating the similarity between that text and the target security intelligence text to obtain a similarity value;
and retaining the security intelligence text when the similarity value is higher than a preset threshold, and discarding it when the similarity value is lower than the preset threshold.
In an optional embodiment, the step of determining database information corresponding to the internal assets of the target enterprise includes:
probing the internal asset systems of the target enterprise with each detection fingerprint in a fingerprint library;
determining, from the probe results, the application systems corresponding to the internal assets of the target enterprise;
and obtaining the database information from the system field information of the determined application systems.
In an optional embodiment, the step of obtaining the database information from the system field information of the determined application system includes:
detecting whether the system field information of the determined application system already exists in the database;
if it exists, updating the system field information in the database;
if it does not exist, adding the system field information of the application system to the database, thereby obtaining the database information.
In an optional embodiment, the initial security intelligence text is obtained through an external channel and/or an internal channel, the internal channel including discovery by cleaning the log records of the internal assets of the target enterprise.
In an optional embodiment, the step of matching the security intelligence field information with the system field information in the database information includes:
obtaining the vulnerability application name and vulnerability application version from the security intelligence field information, and obtaining the application system name and application system version from the system field information in the database information;
matching the vulnerability application name and the vulnerability application version against the application system name and the application system version, respectively;
and if both match, determining that the security intelligence field information matches the system field information.
In an optional embodiment, the threat intelligence summary includes at least one of a vulnerability number, a vulnerability disclosure time, a vulnerability score, a vulnerability triggering rule, a vulnerability scope of influence, vulnerability information and a vulnerability reference link.
In a second aspect, the present application provides an intelligence processing apparatus for associating internal assets, the apparatus comprising:
an information acquisition module, configured to acquire an initial security intelligence text and obtain security intelligence field information corresponding to the security intelligence text, wherein the security intelligence text is vulnerability description information;
an information determining module, configured to determine database information corresponding to the internal assets of a target enterprise, wherein the database information comprises system field information of a plurality of application systems used by the target enterprise;
a matching module, configured to match the security intelligence field information with the system field information in the database information;
a discarding module, configured to discard the security intelligence field information when it does not match the system field information;
and a processing module, configured to process the security intelligence field information according to a preset standard format when it matches the system field information, and to output a corresponding threat intelligence summary.
In a third aspect, the present application provides an electronic device comprising one or more storage media and one or more processors in communication with the storage media, the one or more storage media storing machine-executable instructions which, when the electronic device is running, are executed by the processors to perform the method steps recited in any one of the preceding embodiments.
The beneficial effects of the embodiments of the application include, for example:
The application provides an intelligence processing method and apparatus for associating internal assets, and an electronic device. After an initial security intelligence text is acquired, security intelligence field information corresponding to that text is obtained. In addition, database information corresponding to the internal assets of a target enterprise is determined, the database information comprising system field information of a plurality of application systems used by the target enterprise. The security intelligence field information is matched against the system field information in the database information: when it does not match, it is discarded; when it matches, it is processed according to a preset standard format and a corresponding threat intelligence summary is output. Because matching and processing are based on the actual system field information of the enterprise's internal assets, the resulting threat intelligence summary reflects the actual state of those assets, which enables comprehensive security threat awareness for them.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for processing information of associated internal assets provided by an embodiment of the present application;
FIG. 2 is a flow chart of sub-steps included in step S11 of FIG. 1;
FIG. 3 is a flow chart of sub-steps included in step S111 of FIG. 2;
FIG. 4 is a flow chart of sub-steps included in step S12 of FIG. 1;
FIG. 5 is a flowchart of sub-steps included in step S123 of FIG. 4;
FIG. 6 is a flow chart of sub-steps included in step S13 of FIG. 1;
FIG. 7 is a functional block diagram of an information processing apparatus for associating internal assets provided by an embodiment of the present application;
FIG. 8 is a block diagram of an electronic device according to an embodiment of the present application.
Reference numerals: 110-information processing apparatus for associating internal assets; 111-information acquisition module; 112-information determining module; 113-matching module; 114-discarding module; 115-processing module; 120-processor; 130-memory; 140-communication module.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. The components of the embodiments of the present application generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the application, as presented in the figures, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
In the description of the present application, it should be noted that features in the embodiments of the present application may be combined with each other without conflict.
FIG. 1 shows a flowchart of the intelligence processing method for associating internal assets provided by the present application. The method may be applied to an electronic device, which may be a server, a terminal device, or the like. The method provided in this embodiment is described in detail below with reference to FIG. 1.
S11, acquiring an initial security intelligence text, and obtaining security intelligence field information corresponding to the security intelligence text, wherein the security intelligence text is vulnerability description information.
S12, determining database information corresponding to the internal assets of the target enterprise, wherein the database information comprises system field information of a plurality of application systems used by the target enterprise.
S13, matching the security intelligence field information with the system field information in the database information.
S14, if the security intelligence field information does not match the system field information, discarding the security intelligence field information.
S15, if the security intelligence field information matches the system field information, processing the security intelligence field information according to a preset standard format and outputting a corresponding threat intelligence summary.
In this embodiment, the initial security intelligence text mainly refers to text describing a system vulnerability, for example the description of a newly published system vulnerability or an updated description of a system vulnerability. The security intelligence text may be obtained through multiple channels, including external channels and internal channels.
The external channels may include searching for and collecting security intelligence texts from public information resources by means of open-source intelligence (OSINT), or monitoring sites such as post bars, cracking forums, and the dark web that are commonly used by black-market groups and "wool party" (promotion-abuse) groups, to find out whether any security intelligence text relates to the target enterprise's internal products.
The internal channels may include obtaining security intelligence texts through manual feedback, or discovering them by cleaning the log records of the target enterprise's internal assets.
In other words, the security intelligence text is descriptive information about system vulnerabilities obtained from these various channels.
In this embodiment, the usage of the target enterprise's internal assets is monitored periodically, where the target enterprise may be any enterprise that needs vulnerability security management. The target is not limited to a whole enterprise; it may also be, for example, a department within an enterprise. The internal assets may be application systems used within the enterprise, such as attendance management systems, production systems, order systems, and the like.
A database may be used to manage the internal assets of the target enterprise. The database information is obtained by discovering the information of the application systems used by the target enterprise, and is stored in the database. Before storage, the application system information is standardized to obtain standardized system field information, so that the database holds standardized database information.
To manage the security of the target enterprise's internal assets, in this embodiment the security intelligence text is periodically acquired and processed into security intelligence field information, which is then matched against the system field information in the database information of the target enterprise's internal assets. If the security intelligence field information matches the system field information, the target enterprise uses an application system that the acquired vulnerability description targets. If it does not match, the target enterprise does not use the application system that the acquired vulnerability description targets.
When the target enterprise does use an application system that the acquired vulnerability description targets, the security intelligence field information can be processed according to a preset standard format to obtain a threat intelligence summary.
The preset standard format may be defined by preset standard fields; that is, the security intelligence field information is output according to the preset standard fields to obtain the threat intelligence summary. The preset standard fields in the threat intelligence summary can comprise at least one of a vulnerability number, a vulnerability disclosure time, a vulnerability score, a vulnerability triggering rule, a vulnerability influence range, vulnerability information and a vulnerability reference link.
When the target enterprise does not use the application system that the acquired vulnerability description targets, the security intelligence field information is discarded.
The scheme provided by this embodiment abandons the prior-art approach of extracting the intelligence summary with user-defined keyword labels, and instead matches and processes the security intelligence field information based on the actual system field information of the enterprise's internal assets. In practice, the number and variety of application systems among an enterprise's internal assets are often large, and it is difficult for an administrator to manage all of that application system information manually. The periodic internal asset discovery adopted in this embodiment allows application system information to be detected accurately, and avoids the prior-art drawback that a summary extracted with user-defined keyword labels may not correspond to the application systems the enterprise actually runs.
With the scheme of this embodiment, the resulting threat intelligence summary is consistent with the actual state of the enterprise's internal assets, which enables comprehensive security threat awareness for those assets.
As described above, after the initial security intelligence text is obtained, it may be processed to obtain the corresponding security intelligence field information. Optionally, referring to FIG. 2, the step of obtaining the security intelligence field information may include the following sub-steps:
S111, preprocessing the security intelligence text.
S112, vectorizing the preprocessed security intelligence text to obtain the corresponding security intelligence field information.
In this embodiment, preprocessing the security intelligence text may include unifying its format, for example converting security intelligence texts in several different formats into a single format to facilitate standardized management.
Preprocessing may also include assessing the trustworthiness of the source of the security intelligence text. This can be done with the help of manual judgment, or by assigning a credibility value to each channel in advance, so that when a security intelligence text is actually obtained, its credibility can be derived from its source channel and the preset credibility value. In this way it is determined whether the acquired security intelligence text is credible.
In addition, preprocessing may include deduplicating the security intelligence texts, that is, removing repeated portions of the acquired texts to avoid unnecessary repeated work.
Referring to FIG. 3, in one possible implementation, the step of preprocessing the security intelligence text may also be implemented by the following sub-steps:
S1111, determining, from among the security intelligence texts obtained from the plurality of different channels, the target security intelligence text obtained from the target channel.
S1112, for each security intelligence text obtained from a channel other than the target channel, calculating the similarity between that text and the target security intelligence text to obtain a similarity value.
S1113, retaining the security intelligence text when the similarity value is higher than a preset threshold, and discarding it when the similarity value is lower than the preset threshold.
In this embodiment, the target channel may be the official website of each application system; the security intelligence text published by the official website has the highest credibility. If security intelligence texts about the same vulnerability are also obtained from other channels, the text published by the target channel can be taken as the reference: if the similarity between a text from another channel and the text from the target channel is too low, the text from the other channel can be judged to be of too low quality and discarded.
When computing the similarity between a security intelligence text from another channel and the target security intelligence text, each text can be divided into fields and the similarity computed between the contents of corresponding fields. To compute the similarity of corresponding fields, the field text can be segmented into words and the similarity computed over the resulting words.
Note that the similarity calculation between security intelligence texts is not limited to the above approach; other existing text similarity methods may also be used.
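A sketch of sub-steps S1111 to S1113 as an added example; it is not code from the patent. The field names, the Jaccard measure, the 0.6 threshold and the sample reports are all assumptions chosen for illustration, and the reports passed in are assumed to concern the same vulnerability.

```python
import re

# Assumed field split; the page only says texts are divided into fields.
FIELDS = ("product", "version", "description")

def tokens(text):
    """Simple word segmentation: lower-case words, version strings kept whole."""
    return set(re.findall(r"[a-z0-9]+(?:\.[0-9]+)*", text.lower()))

def jaccard(a, b):
    """Token-set overlap; two empty fields count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def similarity(report, reference):
    """Mean of the per-field similarities between a report and the reference."""
    scores = [jaccard(tokens(report.get(f, "")), tokens(reference.get(f, "")))
              for f in FIELDS]
    return sum(scores) / len(scores)

def filter_by_reference(reports, target_channel, threshold=0.6):
    """S1111: pick the target-channel text. S1112: score the others against it.
    S1113: keep texts at or above the threshold, discard the rest."""
    reference = next(r for r in reports if r["channel"] == target_channel)
    kept, dropped = [reference], []
    for report in reports:
        if report is reference:
            continue
        if similarity(report, reference) >= threshold:
            kept.append(report)
        else:
            dropped.append(report)
    return kept, dropped

# Constructed sample reports about one vulnerability in a fictional product.
SAMPLE_REPORTS = [
    {"channel": "vendor", "product": "ExampleCMS", "version": "3.2.1",
     "description": "Path traversal in the file download endpoint allows "
                    "reading arbitrary files."},
    {"channel": "forum", "product": "ExampleCMS", "version": "3.2.1",
     "description": "Path traversal in file download endpoint allows "
                    "arbitrary files to be read"},
    {"channel": "aggregator", "product": "Example CMS plugin", "version": "1.0",
     "description": "Remote attackers can do bad things, update now"},
]

if __name__ == "__main__":
    kept, dropped = filter_by_reference(SAMPLE_REPORTS, "vendor")
    print("kept:", [r["channel"] for r in kept])
    print("dropped:", [r["channel"] for r in dropped])
```

The page leaves the case of a similarity exactly equal to the threshold undefined; this sketch keeps such texts.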
After the security intelligence text has been preprocessed in any one or more of the above ways, the preprocessed text can be vectorized to obtain the corresponding security intelligence field information. The vectorization may be performed using OCR (Optical Character Recognition) or NLP (Natural Language Processing) methods.
In addition, in this embodiment an automated asset discovery system or a third-party API may be used to periodically discover the system information used by the target enterprise and to update the database of the target enterprise's internal assets in a timely manner. Referring to FIG. 4, as one possible implementation, the database information for the internal assets of the target enterprise may be determined periodically in the following manner.
S121, probing the internal asset systems of the target enterprise with each detection fingerprint in the fingerprint library.
S122, determining, from the probe results, the application systems corresponding to the internal assets of the target enterprise.
S123, obtaining the database information from the system field information of the determined application systems.
The fingerprint library contains a plurality of detection fingerprints, each of which is used to detect whether a corresponding application system is present. Each detection fingerprint in the library can therefore be used to probe the internal assets of the target enterprise for application systems.
When probing with a detection fingerprint, if the information returned has the specific characteristics, the application system corresponding to that fingerprint is identified. Otherwise it is not identified, which means that the application system corresponding to that fingerprint does not exist among the internal assets of the target enterprise.
When an application system corresponding to a detection fingerprint is found among the internal assets of the target enterprise, its system field information can be extracted and the database information obtained from it.
Referring to FIG. 5, in this embodiment the step of extracting the system field information of the application system to obtain the database information may be implemented as follows:
S1231, detecting whether the system field information of the determined application system already exists in the database; if it exists, executing step S1232, and if not, executing step S1233.
S1232, updating the system field information in the database.
S1233, adding the system field information of the application system to the database to obtain the database information.
In this embodiment, if the system field information of an application system already exists in the database, the existing system field information can be updated with the currently extracted system field information of that application system. The database field information of the target enterprise's application systems may be as shown in Table 1 below.
Updating database information for an application system includes, for example, updating the source of the application system. The internal assets of the target enterprise can be divided into assets of different departments, and the source of the application system refers to which department is specifically sourced. In addition, the latest update time of the application system can be updated, that is, the latest update time of the application system is recorded under the time field.
Table 1 database field information
On this basis, the security information field information obtained in the above manner can be matched with the system field information in the database information to determine whether to retain the security information field information. Referring to fig. 6, in this embodiment, this step can be implemented by:
S131, obtaining the vulnerability application name and the vulnerability application version in the security information field information, and obtaining the application system name and the application system version in the system field information in the database information.
S132, matching the vulnerability application name and the vulnerability application version with the application system name and the application system version respectively.
S133, if the matching succeeds, determining that the security information field information matches the system field information.
In this embodiment, the security information field information obtained after the processing includes a vulnerability application name and a vulnerability application version, that is, indicates which version of which application the published vulnerability security information is for. In addition, the system field information in the database of the internal assets of the target enterprise includes application system names and application system versions, indicating which application systems, and in particular which versions, the target enterprise uses.
Based on the above, the vulnerability application name can be matched with the application system name, and the vulnerability application version with the application system version. If both the names and the versions match, the obtained vulnerability security information corresponds to an application system among the internal assets of the target enterprise; in this case, the security information field information can be standardized to obtain the threat intelligence summary. Otherwise, the vulnerability security information is not needed by the target enterprise, and the security information field information can be discarded.
In this embodiment, when the security information field information is standardized, the threat intelligence summary may be produced according to the fields shown in table 2.
Table 2 threat intelligence summary field information
Field | Type | Length
Vulnerability number | string | 30
Disclosure time | datetime | -
CVSS | string | 100
Triggering rules | string | 50
Vulnerability impact scope | string | 200
Vulnerability related information | string | 200
Reference links | string | 200
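The flow described above (the database update or insert of S1231-S1233, the name and version matching of S131-S133, and standardization into the Table 2 fields), as an added Python example that is not part of the patent text. The in-memory AssetDB, the (name, version) key, the case-insensitive comparison, truncation to the Table 2 lengths, and all sample records are assumptions of this example.

```python
from datetime import datetime

# Maximum lengths of the string fields in Table 2 (disclosure time is a datetime).
SUMMARY_LIMITS = {
    "vuln_id": 30, "cvss": 100, "trigger_rule": 50,
    "impact_scope": 200, "related_info": 200, "reference_link": 200,
}


def norm(value):
    """Case- and whitespace-insensitive form used for comparison (assumption)."""
    return " ".join(str(value).lower().split())


class AssetDB:
    """In-memory stand-in for the asset database built in S1231-S1233."""

    def __init__(self):
        self.rows = {}  # (name, version) -> {"source": ..., "updated": ...}

    def upsert(self, name, version, source, seen_at):
        key = (norm(name), norm(version))
        existed = key in self.rows                                # S1231
        self.rows[key] = {"source": source, "updated": seen_at}   # S1232 or S1233
        return "updated" if existed else "added"

    def has(self, name, version):
        return (norm(name), norm(version)) in self.rows


def process(intel, db):
    """S131-S133 plus standardization: Table 2 summary on a match, None on discard."""
    if not db.has(intel["app_name"], intel["app_version"]):
        return None  # no internal asset runs this application version
    summary = {"disclosure_time": datetime.fromisoformat(intel["disclosed"])}
    for field, limit in SUMMARY_LIMITS.items():
        # Truncating to the Table 2 length is this example's choice.
        summary[field] = str(intel.get(field, ""))[:limit]
    return summary


def demo():
    db = AssetDB()
    # Constructed discovery results: (name, version, department, scan time).
    scans = [
        ("ExampleCMS", "2.4.1", "marketing", "2023-06-01T02:00:00"),
        ("ExampleMQ", "3.9", "payments", "2023-06-01T02:00:00"),
        ("examplecms", "2.4.1", "it-ops", "2023-06-08T02:00:00"),  # rescan
    ]
    actions = [db.upsert(n, v, s, datetime.fromisoformat(t)) for n, v, s, t in scans]
    # Constructed intelligence records; identifiers and links are placeholders.
    feed = [
        {"app_name": "ExampleCMS", "app_version": "2.4.1",
         "vuln_id": "VULN-EXAMPLE-0001", "disclosed": "2023-06-05T09:30:00",
         "cvss": "9.8", "trigger_rule": "sample trigger rule text " * 3,
         "impact_scope": "ExampleCMS 2.4.1", "related_info": "constructed sample",
         "reference_link": "https://advisories.example.com/0001"},
        {"app_name": "ExampleCMS", "app_version": "3.0.0",
         "vuln_id": "VULN-EXAMPLE-0002", "disclosed": "2023-06-06T11:00:00"},
        {"app_name": "OtherApp", "app_version": "1.0",
         "vuln_id": "VULN-EXAMPLE-0003", "disclosed": "2023-06-07T08:00:00"},
    ]
    summaries = [process(item, db) for item in feed]
    return db, actions, summaries


if __name__ == "__main__":
    _, actions, summaries = demo()
    print(actions)
    for s in summaries:
        print(s["vuln_id"] if s else "discarded")
```

The second record is discarded even though the application name matches, because the page's rule requires the version to match as well.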
According to the information processing method for associating internal assets, an automated application asset discovery tool periodically discovers the system information of the application systems used by the target enterprise so that it can be matched against the acquired security information. Compared with the prior-art approach in which keyword labels must be maintained manually, this way of obtaining keyword labels is more timely, accurate and automatic, and better reflects the actual situation of the enterprise's internal assets. For new threat intelligence content, the specified summary content can be generated according to a standardized template; compared with the prior art, this has the advantage that no length judgment of external knowledge is needed to form the summary content.
Based on the same application concept, please refer to fig. 7, which shows a schematic diagram of functional modules of the information processing apparatus 110 related to the internal asset according to the embodiment of the present application, where the functional modules of the information processing apparatus 110 related to the internal asset may be divided according to the above-mentioned method embodiment. For example, each functional module may be divided corresponding to each function, or two or more functions may be integrated in one processing module. The integrated modules may be implemented in hardware or in software functional modules. It should be noted that, in the embodiment of the present application, the division of the modules is schematic, which is merely a logic function division, and other division manners may be implemented in actual implementation.
For example, in the case of dividing each function module by the corresponding function, the information processing apparatus 110 of the related internal asset shown in fig. 7 is only one apparatus schematic diagram. The information processing apparatus 110 associated with the internal asset may include an information acquisition module 111, an information determination module 112, a matching module 113, a discarding module 114, and a processing module 115, and functions of each functional module of the information processing apparatus 110 associated with the internal asset will be described in detail below.
The information acquisition module 111 is configured to acquire an initial security information text, and acquire security information field information corresponding to the security information text, where the security information text is vulnerability description information;
it is understood that the information acquisition module 111 may be used to perform the above step S11, and reference may be made to the details of the implementation of the information acquisition module 111 in the above step S11.
An information determining module 112, configured to determine database information corresponding to an internal asset of a target enterprise, where the database information includes system field information of a plurality of application systems used by the target enterprise;
it will be appreciated that the information determination module 112 may be used to perform step S12 described above, and reference may be made to the details of step S12 regarding the implementation of the information determination module 112.
A matching module 113, configured to match the security information field information with system field information in the database information;
it will be appreciated that the matching module 113 may be used to perform step S13 described above, and reference may be made to the details of step S13 regarding the implementation of the matching module 113.
A discarding module 114, configured to discard the security information field information when the security information field information does not match the system field information;
it will be appreciated that the discard module 114 may be used to perform step S14 described above, and reference may be made to the details of step S14 regarding the implementation of the discard module 114.
A processing module 115, configured to process the security information field information according to a preset standard format when the security information field information matches the system field information, and output a corresponding threat intelligence summary.
It will be appreciated that the processing module 115 may be configured to perform step S15 described above, and reference may be made to the details of step S15 for a detailed implementation of the processing module 115.
In one possible implementation, the information obtaining module 111 may be configured to:
preprocessing the security information text;
and performing vectorization processing on the preprocessed security information text to obtain the corresponding security information field information.
In one possible implementation, the security intelligence text includes security intelligence text obtained from a plurality of different channels, and the information obtaining module 111 may be configured to:
determining a target security information text obtained from a target channel from among security information texts obtained from a plurality of different channels;
for each security information text obtained from a channel other than the target channel, performing similarity calculation between that security information text and the target security information text to obtain a similarity value;
and retaining the security information text when the similarity value is higher than a preset threshold, and discarding the security information text when the similarity value is lower than the preset threshold.
In one possible implementation, the information determining module 112 may be configured to:
detecting the internal asset system of the target enterprise by utilizing each detection fingerprint in the fingerprint library;
determining an application system corresponding to the internal asset of the target enterprise according to the detection result;
and obtaining database information according to the determined system field information of the application system.
In one possible implementation, the information determining module 112 may be configured to:
detecting whether the system field information of the determined application system exists in the database;
if yes, updating the system field information in the database;
if the information does not exist, the system field information of the application system is added to a database, and the database information is obtained.
In one possible implementation, the initial security intelligence text is obtained through an external channel and/or an internal channel, the internal channel being one in which the text is obtained by cleansing and discovery over the log records of the internal assets of the target enterprise.
In one possible implementation, the matching module 113 may be configured to:
acquiring a vulnerability application name and a vulnerability application version in the security information field information, and acquiring an application system name and an application system version in the system field information in the database information;
matching the vulnerability application name and the vulnerability application version with the application system name and the application system version respectively;
and if the matching succeeds, determining that the security information field information matches the system field information.
Referring to fig. 8, a block diagram of an electronic device according to an embodiment of the application includes a memory 130, a processor 120, and a communication module 140. The memory 130, the processor 120, and the communication module 140 are electrically connected directly or indirectly to each other to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines.
The memory 130 is used for storing programs or data. The memory 130 may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), etc.
The processor 120 is used to read/write data or programs stored in the memory 130 and perform the information processing method of associating internal assets provided by any embodiment of the present application.
The communication module 140 is used for establishing communication connection between the electronic device and other communication terminals through a network, and is used for receiving and transmitting data through the network.
It should be understood that the structure shown in fig. 8 is merely a schematic structural diagram of an electronic device that may also include more or fewer components than those shown in fig. 8, or have a different configuration than that shown in fig. 8.
Further, the embodiment of the application also provides a computer readable storage medium, and the computer readable storage medium stores machine executable instructions, which when executed implement the information processing method of the related internal assets provided by the embodiment.
In particular, the computer readable storage medium can be a general-purpose storage medium, such as a removable disk or a hard disk, and when the computer program on the computer readable storage medium is run, the above information processing method for associating internal assets can be executed. For the processes involved when the executable instructions in the computer readable storage medium are run, reference may be made to the relevant descriptions in the method embodiments above, which are not repeated here.
In summary, the method, the device and the electronic equipment for processing information associated with internal assets provided by the embodiments of the application acquire the initial security information text and then acquire the security information field information corresponding to the security information text. In addition, database information corresponding to the internal assets of the target enterprise is determined, where the database information comprises system field information of a plurality of application systems used by the target enterprise. The security information field information is matched with the system field information in the database information; when the security information field information does not match the system field information, it is discarded, and when it matches the system field information, it is processed according to a preset standard format to output a corresponding threat intelligence summary. The scheme matches and processes the security information field information based on the actual system field information of the enterprise's internal assets, so the resulting threat intelligence summary fits the actual conditions of those assets, thereby achieving comprehensive security threat perception for the enterprise's internal assets.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the scope of the present application should be included in the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method of intelligence processing associated with an internal asset, the method comprising:
acquiring an initial security information text, and acquiring security information field information corresponding to the security information text, wherein the security information text is vulnerability description information;
determining database information corresponding to internal assets of a target enterprise, wherein the database information comprises system field information of a plurality of application systems used by the target enterprise;
matching the security information field information with system field information in the database information;
discarding the security information field information if the security information field information does not match the system field information;
and if the security information field information matches the system field information, processing the security information field information according to a preset standard format, and outputting a corresponding threat intelligence summary.
2. The information processing method of associating an internal asset according to claim 1, wherein the step of obtaining the security information field information corresponding to the security information text comprises:
preprocessing the security information text;
and performing vectorization processing on the preprocessed security information text to obtain the corresponding security information field information.
3. The information processing method of associating an internal asset according to claim 2, wherein the security information text includes security information text obtained from a plurality of different channels;
the step of preprocessing the security information text comprises the following steps:
determining a target security information text obtained from a target channel from among security information texts obtained from a plurality of different channels;
for each security information text obtained from a channel other than the target channel, performing similarity calculation between that security information text and the target security information text to obtain a similarity value;
and retaining the security information text when the similarity value is higher than a preset threshold, and discarding the security information text when the similarity value is lower than the preset threshold.
4. The method for processing information associated with an internal asset according to claim 1, wherein the step of determining database information corresponding to the internal asset of the target enterprise comprises:
detecting the internal asset system of the target enterprise by utilizing each detection fingerprint in the fingerprint library;
determining an application system corresponding to the internal asset of the target enterprise according to the detection result;
and obtaining database information according to the determined system field information of the application system.
5. The method for processing information associated with an internal asset according to claim 4, wherein the step of obtaining database information from the determined system field information of the application system comprises:
detecting whether the system field information of the determined application system exists in the database;
if yes, updating the system field information in the database;
if the information does not exist, the system field information of the application system is added to a database, and the database information is obtained.
6. The method of claim 1, wherein the initial security intelligence text is obtained through an external channel and/or an internal channel, the internal channel being one in which the text is obtained by cleansing and discovery over the log records of the internal assets of the target enterprise.
7. The information processing method of associating an internal asset according to claim 1, wherein the step of matching the security information field information with system field information in the database information comprises:
acquiring a vulnerability application name and a vulnerability application version in the security information field information, and acquiring an application system name and an application system version in the system field information in the database information;
matching the vulnerability application name and the vulnerability application version with the application system name and the application system version respectively;
and if the matching succeeds, determining that the security information field information matches the system field information.
8. The method of any one of claims 1-7, wherein the threat intelligence summary includes at least one of a vulnerability number, a vulnerability disclosure time, a vulnerability score, a vulnerability triggering rule, a vulnerability scope of influence, vulnerability information, and a vulnerability reference link.
9. An intelligence processing apparatus for associating an internal asset, the apparatus comprising:
the information acquisition module is used for acquiring an initial security information text, and acquiring security information field information corresponding to the security information text, wherein the security information text is vulnerability description information;
the information determining module is used for determining database information corresponding to the internal assets of the target enterprise, wherein the database information comprises system field information of a plurality of application systems used by the target enterprise;
the matching module is used for matching the security information field information with the system field information in the database information;
the discarding module is used for discarding the security information field information when the security information field information does not match the system field information;
and the processing module is used for processing the security information field information according to a preset standard format when the security information field information matches the system field information, and outputting a corresponding threat intelligence summary.
10. An electronic device comprising one or more storage media and one or more processors in communication with the storage media, the one or more storage media storing processor-executable machine-executable instructions that, when the electronic device is run, are executed by the processor to perform the method steps recited in any of claims 1-8.
CN202310774950.9A 2023-06-28 2023-06-28 Information processing method and device for associated internal assets and electronic equipment Pending CN116756305A (en)

Publications (1)

Publication Number Publication Date
CN116756305A (en) 2023-09-15


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination