CN116781373A - Risk assessment method, apparatus, device, storage medium, and program product - Google Patents

Info

Publication number: CN116781373A
Authority: CN (China)
Prior art keywords: security; target; security event; events; target host
Legal status: Pending
Application number: CN202310829467.6A
Other languages: Chinese (zh)
Inventor: 朱周平
Current assignee: China Telecom Technology Innovation Center; China Telecom Corp Ltd
Original assignee: China Telecom Technology Innovation Center; China Telecom Corp Ltd
Application filed by China Telecom Technology Innovation Center and China Telecom Corp Ltd
Priority to CN202310829467.6A
Publication of CN116781373A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols


Abstract

The present application relates to a risk assessment method, apparatus, device, storage medium and program product. The method comprises the following steps: first, a target security event set corresponding to a target host to be evaluated is obtained, the set comprising a plurality of security events related to the target host; then a first security evaluation result of the target host is determined according to the threat levels of the security events in the target security event set and their occurrence frequencies in different time periods; then, where the first security evaluation result indicates that the target host is in a security suspicious state, access feature information characterizing the service access related to the security events of the target host is determined from the target security event set; then a second security evaluation result of the target host is determined according to the access feature information; and finally, whether the target host is a high-risk host is determined according to the second security evaluation result. By adopting the method, the accuracy of risk assessment of the target host can be improved.

Description

Risk assessment method, apparatus, device, storage medium, and program product
Technical Field
The present application relates to the field of network security technologies, and in particular, to a risk assessment method, apparatus, device, storage medium, and program product.
Background
With the increasing number of network devices and protection devices, evaluating the risk of those devices by analyzing the large volume of security events they generate has become an increasingly popular and effective means, and a more accurate and comprehensive risk evaluation method is therefore particularly important.
Currently, risk assessment is generally defined directly according to the risk level of a device's security events, but such a method is not accurate enough.
Disclosure of Invention
In view of the above technical problems, it is necessary to provide a risk assessment method, apparatus, device, storage medium and program product that perform risk assessment more accurately.
In a first aspect, the present application provides a risk assessment method. The method comprises the following steps: acquiring a target security event set corresponding to a target host to be evaluated, wherein the target security event set comprises a plurality of security events related to the target host; determining a first security evaluation result of the target host according to threat levels of security events in the target security event set and occurrence frequencies of different time periods; determining access characteristic information according to the target security event set and determining a second security evaluation result of the target host according to the access characteristic information under the condition that the first security evaluation result indicates that the target host is in a security suspicious state, wherein the access characteristic information is used for representing the characteristics of service access related to the security event of the target host; and determining whether the target host is a high-risk host according to the second security assessment result.
In one embodiment, obtaining a target security event set corresponding to a target host to be evaluated includes: acquiring an initial security event set, wherein the initial security event set comprises a plurality of security events corresponding to the target host; and screening, from the initial security event set, the security events whose importance degree is greater than a preset threshold value to obtain the target security event set.
In one embodiment, screening security events whose importance degree is greater than a preset threshold from the initial security event set includes: sorting the security event types included in the initial security event set in descending order of the number of security events of each type in the initial security event set; and taking the security events corresponding to the first N security event types in the sorted order as the security events whose importance degree is greater than the preset threshold, wherein N is a positive integer greater than or equal to 1.
In one embodiment, sorting the security event types included in the initial security event set in descending order of the number of security events of each type includes: if the numbers of security events of different types are equal, determining their order according to the threat levels corresponding to the security events of those types.
In one embodiment, sorting the security event types included in the initial security event set in descending order of the number of security events of each type includes: if the number of security event types in the initial security event set is determined to be greater than N, executing the step of sorting the security event types included in the initial security event set in descending order of the number of security events of each type.
In one embodiment, the method further comprises: if the number of security event types in the initial security event set is less than or equal to N, taking the initial security event set as the target security event set.
In one embodiment, the first security evaluation result includes a first security evaluation value, the occurrence frequencies of different periods include a first occurrence frequency of an operating period and a second occurrence frequency of a non-operating period, and determining the first security evaluation result of the target host according to threat levels of security events in the target security event set and the occurrence frequencies of different periods includes: for each security event, determining a security evaluation sub-value of the security event according to the threat level, the first occurrence frequency and the second occurrence frequency of the security event; and obtaining a first security evaluation value according to the average value of the security evaluation sub-values of each security event.
In one embodiment, obtaining the first security assessment value according to an average value of the security assessment sub-values of each security event includes: and carrying out correction processing on the average value of the security evaluation sub-values of each security event according to whether the target host is an asset or not so as to obtain a first security evaluation value.
In one embodiment, determining access characteristic information from the target security event set includes: determining first access characteristic information for when the target host is the role initiating access, based on the target security event set; determining second access characteristic information for when the target host is the accessed role, based on the target security event set; and using the first access characteristic information and the second access characteristic information as the access characteristic information.
In one embodiment, determining first access characteristic information when the target host is the role of initiating access based on the target security event set includes: screening a first security event with the same source IP address as the IP address of a target host from a target security event set; the number m1 of the first security events and the number n1 of the destination IP addresses included in the first security events are taken as first access characteristic information.
In one embodiment, determining second access characteristic information when the target host is the accessed role based on the target security event set includes: screening a second security event with the same destination IP address as the IP address of the target host from the target security event set; the number m2 of the second security events and the number n2 of the source IP addresses included in the second security events are taken as second access characteristic information.
In one embodiment, determining the second security assessment result of the target host according to the access characteristic information includes: calculating a weighted sum according to the number m1 of the first security events, the number n1 of the destination IP addresses included in the first security events, the number m2 of the second security events and the number n2 of the source IP addresses included in the second security events; and determining a second security assessment result according to the weighted sum and the first security assessment result.
In a second aspect, the application further provides a risk assessment device. The device comprises:
an acquisition module, configured to acquire a target security event set corresponding to a target host to be evaluated, wherein the target security event set comprises a plurality of security events related to the target host;
a first determining module, configured to determine a first security evaluation result of the target host according to the threat levels of the security events in the target security event set and their occurrence frequencies in different time periods;
a second determining module, configured to determine access characteristic information according to the target security event set and to determine a second security evaluation result of the target host according to the access characteristic information, where the first security evaluation result indicates that the target host is in a security suspicious state, wherein the access characteristic information is used for representing the characteristics of service access related to the security events of the target host;
and a third determining module, configured to determine whether the target host is a high-risk host according to the second security evaluation result.
In one embodiment, the acquisition module is specifically configured to acquire an initial security event set, where the initial security event set includes a plurality of security events corresponding to the target host, and to screen from the initial security event set the security events whose importance degree is greater than a preset threshold to obtain the target security event set.
In one embodiment, the acquisition module is specifically configured to sort the security event types included in the initial security event set in descending order of the number of security events of each type in the initial security event set, and to take the security events corresponding to the first N security event types in the sorted order as the security events whose importance degree is greater than the preset threshold, wherein N is a positive integer greater than or equal to 1.
In one embodiment, the acquisition module is specifically configured to determine the order according to the threat levels corresponding to the different types of security events if the numbers of security events of those types are equal.
In one embodiment, the acquisition module is specifically configured to execute the step of sorting the security event types included in the initial security event set in descending order of the number of security events of each type if the number of security event types in the initial security event set is determined to be greater than N.
In one embodiment, the acquisition module is further configured to take the initial security event set as the target security event set if the number of security event types in the initial security event set is determined to be less than or equal to N.
In one embodiment, the first security evaluation result includes a first security evaluation value, the occurrence frequencies of different time periods include a first occurrence frequency of an operating time period and a second occurrence frequency of a non-operating time period, and the first determining module is specifically configured to determine, for each security event, a security evaluation sub-value of the security event according to a threat level of the security event, the first occurrence frequency and the second occurrence frequency; and obtaining a first security evaluation value according to the average value of the security evaluation sub-values of each security event.
In one embodiment, the first determining module is specifically configured to perform correction processing on an average value of the security evaluation sub-values of each security event according to whether the target host is an asset, so as to obtain a first security evaluation value.
In one embodiment, the second determining module is specifically configured to determine, based on the target security event set, first access characteristic information for when the target host is the role initiating access; to determine, based on the target security event set, second access characteristic information for when the target host is the accessed role; and to use the first access characteristic information and the second access characteristic information as the access characteristic information.
In one embodiment, the second determining module is specifically configured to screen from the target security event set to obtain a first security event that includes a source IP address that is the same as an IP address of the target host; the number m1 of the first security events and the number n1 of the destination IP addresses included in the first security events are taken as first access characteristic information.
In one embodiment, the second determining module is specifically configured to screen from the target security event set to obtain a second security event that includes a destination IP address that is the same as the IP address of the target host; the number m2 of the second security events and the number n2 of the source IP addresses included in the second security events are taken as second access characteristic information.
In one embodiment, the second determining module is specifically configured to calculate a weighted sum according to the number m1 of the first security events, the number n1 of the destination IP addresses included in the first security events, the number m2 of the second security events, and the number n2 of the source IP addresses included in the second security events; and determining a second security assessment result according to the weighted sum and the first security assessment result.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the risk assessment method of any of the above first aspects when the processor executes the computer program.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the risk assessment method of any of the first aspects described above.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the risk assessment method of any of the first aspects described above.
The risk assessment method, apparatus, device, storage medium and program product above first obtain a target security event set corresponding to a target host to be assessed, the set comprising a plurality of security events related to the target host; then determine a first security assessment result of the target host according to the threat levels of the security events in the target security event set and their occurrence frequencies in different time periods; then, where the first security assessment result indicates that the target host is in a security suspicious state, determine from the target security event set access feature information characterizing the service access related to the security events of the target host; then determine a second security assessment result of the target host according to the access feature information; and finally determine whether the target host is a high-risk host according to the second security assessment result. In this way, when risk assessment is performed on the target host, a first screening is performed through the first security assessment result, a second screening is then performed according to the second security assessment result when the first security assessment result indicates that the target host may be at risk, and finally whether the target host is a high-risk host is determined.
Drawings
FIG. 1 is a flow chart of a risk assessment method according to one embodiment;
FIG. 2 is a flow chart of a risk assessment method according to another embodiment;
FIG. 3 is a flow chart of a risk assessment method according to another embodiment;
FIG. 4 is a flow chart of initial security event set ordering screening in another embodiment;
FIG. 5 is a flowchart illustrating a first security assessment determination procedure according to another embodiment;
FIG. 6 is a flow chart of an access characteristic information determining step in another embodiment;
FIG. 7 is a flowchart illustrating the access characteristic information determining step in another embodiment;
FIG. 8 is a flowchart illustrating the access characteristic information determining step in another embodiment;
FIG. 9 is a flowchart illustrating a second security assessment result determining step according to another embodiment;
FIG. 10 is a flow chart of a risk assessment method according to another embodiment;
FIG. 11 is a flow chart of a risk assessment method in another embodiment;
FIG. 12 is a block diagram of a risk assessment device in one embodiment;
FIG. 13 is an internal structural view of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
In one embodiment, as shown in fig. 1, a risk assessment method is provided. The method is described as applied to a terminal by way of illustration; it is understood that the method may also be applied to a server, or to a system including the terminal and the server and implemented through interaction between them. The method comprises the following steps:
step 101, a target security event set corresponding to a target host to be evaluated is obtained.
The target security event set includes a plurality of security events associated with the target host. The target host is a device to be subjected to security risk assessment. Optionally, all security events of a plurality of devices over a period of time can be obtained from a preset database, and the security events related to the target host can be screened from them to form the target security event set.
Step 102, determining a first security evaluation result of the target host according to threat levels of security events in the target security event set and occurrence frequencies of different time periods.
Different security events correspond to different threat levels, and because security events occurring at different times differ in importance, optionally, the occurrence frequencies of different time periods may include the occurrence frequency on working days and the occurrence frequency on non-working days. Optionally, the first security evaluation result may be determined by weighting and summing the threat level of each security event and its occurrence frequencies in the different periods, with the weights set according to importance.
Step 103, determining access characteristic information according to the target security event set and determining a second security evaluation result of the target host according to the access characteristic information under the condition that the first security evaluation result indicates that the target host is in a security suspicious state.
The access characteristic information characterizes the service access related to the security events of the target host. Optionally, it may include characteristic information for when the target host actively initiates access and characteristic information for when the target host is the accessed object. The second security assessment result of the target host is determined by a weighted calculation on the access characteristic information.
The first security evaluation result indicating that the target host is in a security suspicious state means that the target host may be a high-risk host; optionally, the first security evaluation result may be compared with a first preset threshold to decide whether the target host is in the security suspicious state. When the value of the first security assessment result is greater than the first preset threshold, the target host is determined to be a possible high-risk host; in this case the target host is judged further, and a second security assessment result of the target host is determined according to the access characteristic information. Optionally, when the value of the first security assessment result is not greater than the first preset threshold, the target host is not in a security suspicious state.
Step 104, determining whether the target host is a high risk host according to the second security assessment result.
Optionally, a high-risk host is a host with a security risk, and whether the target host is a high-risk host may be determined by comparing the second security evaluation result with a second preset threshold. For example, when the value of the second security assessment result is greater than the second preset threshold, the target host may be determined to be a high-risk host. Optionally, when the value of the second security assessment result is not greater than the second preset threshold, the target host may be determined not to be a high-risk host, and evaluation may continue with the next host according to the security events acquired from the database.
In the above embodiment, first, a target security event set corresponding to a target host to be evaluated is obtained, the set including a plurality of security events related to the target host; then a first security evaluation result of the target host is determined according to the threat levels of the security events in the target security event set and their occurrence frequencies in different time periods; then, where the first security evaluation result indicates that the target host is in a security suspicious state, access feature information characterizing the service access related to the security events of the target host is determined from the target security event set; then a second security evaluation result of the target host is determined according to the access feature information; and finally, whether the target host is a high-risk host is determined according to the second security evaluation result. In this way, when risk assessment is performed on the target host, a first screening is performed through the first security assessment result, a second screening is then performed according to the second security assessment result when the first security assessment result indicates that the target host may be at risk, and finally whether the target host is a high-risk host is determined.
In one embodiment, as shown in fig. 2, the step of obtaining a target security event set corresponding to a target host to be evaluated includes:
step 201, an initial set of security events is obtained.
The initial security event set includes a plurality of security events corresponding to the target host.
Step 202, screening security events with importance degree larger than a preset threshold value from the initial security event set to obtain a target security event set.
Because the initial security event set may contain a large number of security events, in order to improve efficiency the initial security event set can be screened: the target security event set is obtained by selecting the security events of important types, and the risk assessment result of the target host is then determined from the target security event set.
Optionally, the step of screening the initial security event set is shown in fig. 3, and includes:
step 301, sorting the security event types included in the initial security event set in descending order of the number of security events of each type in the initial security event set.
Optionally, the number of security events of each type in the initial security event set is counted, and the types are then sorted by that number in descending order.
Optionally, if the numbers of security events of different types are equal, their order is determined according to the threat levels corresponding to those types, i.e. the ranking is adjusted from high to low threat level. Optionally, if the threat levels are also the same, the ranking is done randomly.
Step 302, taking the security events corresponding to the first N security event types in the sorted order as the security events whose importance degree is greater than a preset threshold value.
N is a positive integer greater than or equal to 1. After the initial security events are sorted as above, the security events corresponding to the first N security event types in the order are the security events whose importance degree is greater than the preset threshold, that is, security events of important types, and these security events are taken as the target security event set.
Optionally, before sorting the initial security event set, it is further necessary to determine whether the number of security event types in the initial security event set is greater than N.
If the number of security event types in the initial security event set is determined to be greater than N, the step of sorting the security event types included in the initial security event set in descending order of the number of security events of each type is executed.
If the number of security event types in the initial security event set is less than or equal to N, the initial security event set is taken as the target security event set. A specific initial security event screening procedure is shown in fig. 4.
In the above embodiment, the target security event set is determined by screening the initial security event set by type, so that the analysis focuses on the security events that are both numerous and of high threat level while avoiding repeated processing of similar security events, which improves analysis efficiency.
In an embodiment of the present application, the first security evaluation result includes a first security evaluation value, the occurrence frequencies of different periods include a first occurrence frequency of an operating period and a second occurrence frequency of a non-operating period, and a determination process of the result of the first security evaluation is shown in fig. 5, and includes:
step 501, for each security event, determining a security assessment sub-value of the security event according to the threat level, the first occurrence frequency and the second occurrence frequency of the security event.
Different types of security events may come from different physical levels, may come from different security analysis stages, and have different threat levels. According to each security event in the target security event set, determining threat level of each type of security event to be marked as K, marking the first occurrence frequency of the type of security event in a working period, namely a working day as f1, marking the second occurrence frequency of the type of security event in a non-working period, namely a non-working day as f2, and calculating a security evaluation sub-value of the type of security event according to K, f1 and f 2.
Step 502, obtaining a first security evaluation value according to the average value of the security evaluation sub-values of each security event.
The average value of the security evaluation sub-values of all types of security events is taken as the first security evaluation value. Optionally, this average value is corrected according to whether the target host is an asset, and the corrected value is taken as the first security evaluation value; whether the target host is an asset, which represents the importance of the target host, can be marked according to actual requirements. The specific calculation formula is as follows:
wherein N is the number of security event types in the target security event set; L is 1 when the target host is an asset and 0 when it is not; G is a constant equal to the highest threat level of a security event; K_i is the threat level of the i-th type of security event; f_i1 is the first occurrence frequency (working period) of the i-th type of security event; f_i2 is its second occurrence frequency (non-working period).
In the above embodiment, the threat level of the security event is considered in the first security evaluation result, and the working time occurrence frequency and the non-working time occurrence frequency are combined to correct, so that the host with high risk can be rapidly judged, and the risk evaluation efficiency is improved.
In one embodiment, the step of determining access characteristic information from a set of target security events is shown in fig. 6 and includes:
step 601, determining first access characteristic information when a target host is a role of initiating access based on a target security event set.
The security event includes a source IP address and a destination IP address related to the security event. The determining process of the first access characteristic information is shown in fig. 7, and includes:
step 701, a first security event including a source IP address identical to an IP address of a target host is selected from a target security event set.
The first security event is a security event in which the source IP address in the set of target security events is the same as the IP address of the target host.
In step 702, the number m1 of the first security events and the number n1 of destination IP addresses included in the first security events are used as the first access characteristic information.
Counting the number of first security events in a target security event set and the number of destination IP addresses related in the first security events, and taking the information as first access characteristic information.
Step 602, determining second access characteristic information when the target host is the accessed role based on the target security event set.
When the target host is the accessed role, that is, when the IP address of the target host is the destination IP in the security event, optionally, the step of determining the second access characteristic information is as shown in fig. 8, including:
step 801, a second security event including a destination IP address identical to the IP address of the target host is selected from the target security event set.
The second security event is a security event in which the destination IP address in the target security event set is the same as the IP address of the target host.
Step 802, taking the number m2 of the second security events and the number n2 of the source IP addresses included in the second security events as second access characteristic information.
The number of second security events and the number of source IP addresses involved in the second security events are counted as second access characteristic information.
Step 603, taking the first access characteristic information and the second access characteristic information as the access characteristic information.
Optionally, after determining the access characteristic information, determining a second security assessment result of the target host according to the access characteristic information is shown in fig. 9, and includes:
Step 901, calculating a weighted sum according to the number m1 of the first security events, the number n1 of the destination IP addresses included in the first security events, the number m2 of the second security events, and the number n2 of the source IP addresses included in the second security events.
Step 902, determining a second security assessment result according to the weighted sum and the first security assessment result.
Optionally, the second security evaluation result includes a second security evaluation value, and a calculation formula of the second security evaluation value is as follows:
wherein Score1 is the first security assessment value.
In the above embodiment, based on the first security evaluation result, the second security evaluation result is determined by combining the access characteristics of the target host, that is, the access characteristic information obtained by different access initiatives, and finally the high risk host is screened out.
In an embodiment of the present application, please refer to fig. 10, which shows a flowchart of a risk assessment method provided in an embodiment of the present application, the risk assessment method includes the following steps:
in step 1001, an initial set of security events is obtained.
Step 1002, screening security events with importance degree greater than a preset threshold value from the initial security event set to obtain a target security event set.
The security event types in the initial security event set are sorted in descending order of the number of security events of each type, and the security events of the first N types after sorting are taken as the security events whose importance degree is greater than the preset threshold. If the number of security event types in the initial security event set is less than or equal to N, the initial security event set is taken as the target security event set.
In step 1003, for each security event, a security assessment sub-value of the security event is determined according to the threat level, the first occurrence frequency and the second occurrence frequency of the security event.
Step 1004, obtaining a first security evaluation value according to the average value of the security evaluation sub-values of each security event.
In step 1005, in the case that the first security evaluation result indicates that the target host is in a security suspicious state, access feature information is determined according to the target security event set, and a second security evaluation result of the target host is determined according to the access feature information.
Wherein the first access characteristic information is determined based on the target security event set for the case where the target host is the role initiating the access, and the second access characteristic information is determined based on the target security event set for the case where the target host is the accessed role. The first access characteristic information and the second access characteristic information are taken as the access characteristic information.
In step 1006, it is determined whether the target host is a high risk host according to the second security assessment result.
In order to help the reader understand the technical solution provided by the embodiments of the present application, an exemplary risk assessment algorithm of the present application is illustrated; please refer to fig. 11, which is a flowchart of the risk assessment method, with the following specific steps:
(1) All security events generated in the time period T are obtained from the database and taken as the original security event set, denoted X_0; the time period T may be set to 24 h.
(2) For a target host to be evaluated, the original security event set is screened to determine the initial security event set X_1, which is sorted according to the method described in the above embodiments, as shown in table 1 below.
Table 1 Initial security event set

Rule_id (security event type number in the database) | Number of events | Threat level
1001 | 5 | 7
1002 | 5 | 6.5
1005 | 5 | 5
1008 | 5 | 5
1007 | 4 | 6
1011 | 2 | 3
1020 | 1 | 2
1009 | 1 | 2
Setting N to 6: the table contains 8 security event types, which is more than 6, so the security events of the first 6 types are selected to obtain the target security event set X_2.
(3) From the target security event set X_2, the number of security events of each type occurring in the working period 08:00-18:00 and in the non-working period 18:00-08:00 (the next day) is counted, and assuming the highest threat level G = 10, table 2 is obtained:
Table 2 Security event statistics for the working period and the non-working period

Security event type number | Number in working period | Number in non-working period | Threat level
1001 | 2 | 3 | 7
1002 | 3 | 2 | 6.5
1005 | 4 | 1 | 5
1007 | 2 | 2 | 6
1008 | 1 | 4 | 5
1011 | 0 | 2 | 3
Meanwhile, the current target host is an asset, i.e. L = 1, so Score1 = 2.218 can be calculated according to the formula for the first security evaluation value in the above embodiment. The first preset threshold is set to 2; the first security evaluation value is greater than the first preset threshold, which indicates that the target host is in a security suspicious state, so the second security evaluation result is determined next. Optionally, if the first security evaluation value is not greater than the first preset threshold, the target host is considered to have no risk, and the procedure returns to step (2) to evaluate the security risk of the next host.
(4) From the target security event set X_2, the access characteristic information of the target host is counted separately for the case where it is the source IP and the case where it is the destination IP, as shown in table 3 below:
Table 3 Access characteristic information statistics

Role of the target host | Number of security events involved (m) | Number of associated peer IP addresses (n)
Target host is the source IP | 3 | 3
Target host is the destination IP | 5 | 5
According to the formula for the second security evaluation value, a second security evaluation value of 5.05 is obtained. The second preset threshold is set to 3.8; the second security evaluation value is greater than the second preset threshold, so the target host is determined to be a high-risk host. Optionally, if the second security evaluation value is not greater than the second preset threshold, the target host is determined not to be a high-risk host, and the procedure returns to step (2) to evaluate the security risk of the next host.
(5) The high-risk host is determined by the two evaluation processes above, and the evaluation data associated with the high-risk host is stored in a disk file or another storage device. Optionally, the risk evaluation result can be displayed, the IP address of the high-risk host can be conspicuously marked, and a handling suggestion can be given.
In the above embodiment, the key information of the finally screened high-risk host is displayed and a handling suggestion is given, so that the efficiency of risk assessment analysis can be improved.
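The procedure of steps (1) to (5) above, as an added example in Python that is not code from the patent or its assignee. It implements the parts the page specifies completely: the top-N screening with the threat-level tie-break, the working/non-working split, the m1/n1/m2/n2 access features and the two threshold gates. The host address, the sample events, the half-open 08:00-18:00 working period and the treatment of events without an IP pair as host-local are assumptions; the two scoring formulas are not reproduced on this page, so they are passed in as callables, and the two under __main__ are placeholders whose values do not match the 2.218 and 5.05 of the worked example.

```python
# Added example, not code from the patent or its assignee: the type screening,
# working/non-working split, access features and two-threshold gate described
# in steps (1)-(5), run over a constructed 24-hour event sample. The page does
# not reproduce the two scoring formulas, so they are injected as callables.
from collections import Counter

HOST = "10.0.0.5"             # target host under evaluation (constructed)
WORK_START, WORK_END = 8, 18  # working period 08:00-18:00, assumed half-open
G = 10.0                      # highest threat level, as in the worked example

# Constructed sample: "HH:MM rule_id threat_level src_ip dst_ip"; "-" marks an
# event with no IP pair (assumed host-local). Counts reproduce Tables 1 to 3.
SAMPLE_LOG = """\
09:15 1001 7 203.0.113.10 10.0.0.5
13:40 1001 7 203.0.113.11 10.0.0.5
19:05 1001 7 - -
22:30 1001 7 - -
03:10 1001 7 - -
09:30 1002 6.5 203.0.113.12 10.0.0.5
10:45 1002 6.5 - -
14:20 1002 6.5 - -
20:15 1002 6.5 - -
23:50 1002 6.5 - -
08:05 1005 5 10.0.0.5 198.51.100.7
11:00 1005 5 10.0.0.5 198.51.100.8
15:30 1005 5 - -
17:55 1005 5 - -
02:20 1005 5 - -
10:10 1008 5 - -
19:40 1008 5 203.0.113.13 10.0.0.5
21:00 1008 5 - -
00:30 1008 5 - -
06:45 1008 5 - -
09:50 1007 6 203.0.113.14 10.0.0.5
12:15 1007 6 - -
18:10 1007 6 - -
01:05 1007 6 - -
19:20 1011 3 10.0.0.5 198.51.100.9
23:05 1011 3 - -
09:00 1020 2 10.0.0.5 198.51.100.7
15:00 1009 2 - -
"""

def parse(log):
    """One dict per line; the hour alone is enough for the period split."""
    events = []
    for line in log.splitlines():
        hhmm, rule, level, src, dst = line.split()
        events.append({"hour": int(hhmm[:2]), "rule": int(rule), "level": float(level),
                       "src": None if src == "-" else src, "dst": None if dst == "-" else dst})
    return events

def screen(events, n):
    """Keep the N most frequent types; ties are broken by higher threat level."""
    count = Counter(e["rule"] for e in events)
    level = {e["rule"]: e["level"] for e in events}
    if len(count) <= n:                      # at most N types: keep everything
        return events, list(count)
    order = sorted(count, key=lambda r: (-count[r], -level[r]))[:n]
    keep = set(order)
    return [e for e in events if e["rule"] in keep], order

def period_frequencies(events):
    """rule -> (K threat level, f1 working-period count, f2 non-working count)."""
    out = {}
    for e in events:
        k, f1, f2 = out.get(e["rule"], (e["level"], 0, 0))
        working = WORK_START <= e["hour"] < WORK_END
        out[e["rule"]] = (k, f1 + working, f2 + (not working))
    return out

def access_features(events, host):
    """(m1, n1) with the host as source, (m2, n2) with the host as destination."""
    as_src = [e for e in events if e["src"] == host]
    as_dst = [e for e in events if e["dst"] == host]
    return (len(as_src), len({e["dst"] for e in as_src}),
            len(as_dst), len({e["src"] for e in as_dst}))

def evaluate(events, host, n, is_asset, score1_fn, score2_fn, th1, th2):
    """Two-stage gate: stage 2 runs only if Score1 exceeds the first threshold."""
    target, _ = screen(events, n)
    score1 = score1_fn(period_frequencies(target), 1 if is_asset else 0)
    if score1 <= th1:
        return "no risk", score1, None
    score2 = score2_fn(access_features(target, host), score1)
    return ("high risk" if score2 > th2 else "not high risk"), score1, score2

if __name__ == "__main__":
    # Placeholder formulas (assumed; the patent's own are not reproduced on this
    # page) that only show how K, f1, f2, L, G and m/n enter the two scores.
    def s1(freq, L):
        return (1 + L) * sum(k / G * (f1 + 2 * f2) for k, f1, f2 in freq.values()) / len(freq)

    def s2(feats, score1):
        return score1 + 0.25 * sum(feats)

    print(evaluate(parse(SAMPLE_LOG), HOST, 6, True, s1, s2, th1=2.0, th2=3.8))
```

Running the file prints the verdict for the constructed sample. The screening order [1001, 1002, 1005, 1008, 1007, 1011], the per-type (f1, f2) counts and the (3, 3, 5, 5) access features match Tables 1 to 3 above; that is the check to keep when the placeholder scores are replaced by the real formulas. Note that the tie between types 1005 and 1008 (same count, same threat level) is resolved by first appearance, since the page gives no further tie-break.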
It should be understood that, although the steps in the flowcharts of the embodiments described above are shown in sequence as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and these sub-steps or stages are not necessarily performed sequentially but may be performed in turn or alternately with at least some of the other steps or sub-steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a risk assessment device for realizing the risk assessment method. The implementation of the solution provided by the apparatus is similar to the implementation described in the above method, so the specific limitation in the embodiments of the risk assessment apparatus provided below may be referred to the limitation of the risk assessment method hereinabove, and will not be repeated here.
In one embodiment, as shown in fig. 12, there is provided a risk assessment apparatus 1200 comprising: an acquisition module 1201, a first determination module 1202, a second determination module 1203, and a third determination module 1204, wherein:
the acquiring module 1201 is configured to acquire a target security event set corresponding to a target host to be evaluated, where the target security event set includes a plurality of security events related to the target host;
the first determining module 1202 is configured to determine a first security evaluation result of the target host according to threat levels of security events in the target security event set and occurrence frequencies of different periods;
the second determining module 1203 is configured to determine access feature information according to the target security event set and determine a second security evaluation result of the target host according to the access feature information when the first security evaluation result indicates that the target host is in a security suspicious state, where the access feature information is used to characterize a feature of service access related to a security event of the target host;
The third determining module 1204 is configured to determine whether the target host is a high risk host according to the second security evaluation result.
In one embodiment, the obtaining module 1201 is specifically configured to obtain an initial security event set, where the initial security event set includes a plurality of security events corresponding to the target host; and screening the security events with the importance degree larger than a preset threshold value from the initial security event set to obtain a target security event set.
In one embodiment, the obtaining module 1201 is specifically configured to sort the security event types included in the initial security event set according to the order of the number of the security events of each type in the initial security event set from high to low; and taking the security events corresponding to the N security event types before sequencing as security events with importance degrees larger than a preset threshold value, wherein N is a positive integer larger than or equal to 1.
In one embodiment, the obtaining module 1201 is specifically configured to determine the arrangement order according to threat levels corresponding to different types of security events if the number of different types of security events is consistent.
In one embodiment, the obtaining module 1201 is specifically configured to, if it is determined that the number of security event types in the initial security event set is greater than N, perform the step of sorting the security event types in the initial security event set in descending order of the number of security events of each type.
In one embodiment, the obtaining module 1201 is further configured to, if it is determined that the number of security event types in the initial security event set is less than or equal to N, take the initial security event set as the target security event set.
In one embodiment, the first security evaluation result includes a first security evaluation value, the occurrence frequencies of different periods include a first occurrence frequency of an operating period and a second occurrence frequency of a non-operating period, and the first determining module 1202 is specifically configured to determine, for each security event, a security evaluation sub-value of the security event according to a threat level of the security event, the first occurrence frequency and the second occurrence frequency; and obtaining a first security evaluation value according to the average value of the security evaluation sub-values of each security event.
In one embodiment, the first determining module 1202 is specifically configured to perform a correction process on an average value of the security evaluation sub-values of each security event according to whether the target host is an asset, so as to obtain a first security evaluation value.
In one embodiment, the second determining module 1203 is specifically configured to determine, based on the target security event set, first access characteristic information when the target host is a role of initiating access; determining second access characteristic information when the target host is the accessed role based on the target security event set; the first access information and the second access information are used as access characteristic information.
In one embodiment, the second determining module 1203 is specifically configured to screen the target security event set for a first security event that includes a source IP address that is the same as the IP address of the target host; the number m1 of the first security events and the number n1 of the destination IP addresses included in the first security events are taken as first access characteristic information.
In one embodiment, the second determining module 1203 is specifically configured to screen the target security event set for a second security event that includes a destination IP address that is the same as the IP address of the target host; the number m2 of the second security events and the number n2 of the source IP addresses included in the second security events are taken as second access characteristic information.
In one embodiment, the second determining module 1203 is specifically configured to calculate a weighted sum according to the number m1 of the first security events, the number n1 of the destination IP addresses included in the first security events, the number m2 of the second security events, and the number n2 of the source IP addresses included in the second security events; and determining a second security assessment result according to the weighted sum and the first security assessment result.
The respective modules in the risk assessment apparatus described above may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a terminal, and the internal structure thereof may be as shown in fig. 13. The computer device includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input means. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface, the display unit and the input device are connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a risk assessment method. The display unit of the computer device is used for forming a visual picture, and can be a display screen, a projection device or a virtual reality imaging device. The display screen can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be a key, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the structure shown in FIG. 13 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, a computer device is provided comprising a memory and a processor, the memory having stored therein a computer program, the processor when executing the computer program performing the steps of: acquiring a target security event set corresponding to a target host to be evaluated, wherein the target security event set comprises a plurality of security events related to the target host; determining a first security evaluation result of the target host according to threat levels of security events in the target security event set and occurrence frequencies of different time periods; determining access characteristic information according to the target security event set and determining a second security evaluation result of the target host according to the access characteristic information under the condition that the first security evaluation result indicates that the target host is in a security suspicious state, wherein the access characteristic information is used for representing the characteristics of service access related to the security event of the target host; and determining whether the target host is a high-risk host according to the second security assessment result.
In one embodiment, the processor when executing the computer program further performs the steps of: acquiring an initial security event set, wherein the initial security event set comprises a plurality of security events corresponding to a target host; and screening the security events with the importance degree larger than a preset threshold value from the initial security event set to obtain a target security event set.
In one embodiment, the processor when executing the computer program further performs the steps of: sorting the security event types included in the initial security event set according to the sequence that the number of the security events of each type in the initial security event set is from large to small; and taking the security events corresponding to the N security event types before sequencing as security events with importance degrees larger than a preset threshold value, wherein N is a positive integer larger than or equal to 1.
In one embodiment, the processor when executing the computer program further performs the steps of: if the number of the security events of different types is consistent, determining the arrangement sequence according to threat levels corresponding to the security events of different types.
In one embodiment, the processor when executing the computer program further performs the steps of: if the security event type in the initial security event set is determined to be greater than N, the step of sequencing the security event types included in the initial security event set according to the sequence that the number of the security events of each type in the initial security event set is from large to small is executed.
In one embodiment, the processor when executing the computer program further performs the steps of: and if the security event type in the initial security event set is less than or equal to N, taking the initial security event set as a target security event set.
In one embodiment, the first security assessment result includes a first security assessment value, the occurrence frequencies of the different periods include a first occurrence frequency of the active period and a second occurrence frequency of the inactive period, and the processor when executing the computer program further implements the steps of: for each security event, determining a security evaluation sub-value of the security event according to the threat level, the first occurrence frequency and the second occurrence frequency of the security event; and obtaining a first security evaluation value according to the average value of the security evaluation sub-values of each security event.
In one embodiment, the processor when executing the computer program further performs the steps of: and carrying out correction processing on the average value of the security evaluation sub-values of each security event according to whether the target host is an asset or not so as to obtain a first security evaluation value.
In one embodiment, the processor when executing the computer program further performs the steps of: determining first access characteristic information when the target host is a role for initiating access based on the target security event set; determining second access characteristic information when the target host is the accessed role based on the target security event set; the first access information and the second access information are used as access characteristic information.
In one embodiment, the processor when executing the computer program further performs the steps of: screening a first security event with the same source IP address as the IP address of a target host from a target security event set; the number m1 of the first security events and the number n1 of the destination IP addresses included in the first security events are taken as first access characteristic information.
In one embodiment, the processor when executing the computer program further performs the steps of: screening a second security event with the same destination IP address as the IP address of the target host from the target security event set; the number m2 of the second security events and the number n2 of the source IP addresses included in the second security events are taken as second access characteristic information.
In one embodiment, the processor when executing the computer program further performs the steps of: calculating a weighted sum according to the number m1 of the first security events, the number n1 of the destination IP addresses included in the first security events, the number m2 of the second security events and the number n2 of the source IP addresses included in the second security events; and determining a second security assessment result according to the weighted sum and the first security assessment result.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of: acquiring a target security event set corresponding to a target host to be evaluated, wherein the target security event set comprises a plurality of security events related to the target host; determining a first security evaluation result of the target host according to threat levels of security events in the target security event set and occurrence frequencies of different time periods; determining access characteristic information according to the target security event set and determining a second security evaluation result of the target host according to the access characteristic information under the condition that the first security evaluation result indicates that the target host is in a security suspicious state, wherein the access characteristic information is used for representing the characteristics of service access related to the security event of the target host; and determining whether the target host is a high-risk host according to the second security assessment result.
In one embodiment, the computer program when executed by the processor further performs the steps of: acquiring an initial security event set, wherein the initial security event set comprises a plurality of security events corresponding to a target host; and screening the security events with the importance degree larger than a preset threshold value from the initial security event set to obtain a target security event set.
In one embodiment, the computer program when executed by the processor further performs the steps of: sorting the security event types included in the initial security event set according to the sequence that the number of the security events of each type in the initial security event set is from large to small; and taking the security events corresponding to the N security event types before sequencing as security events with importance degrees larger than a preset threshold value, wherein N is a positive integer larger than or equal to 1.
In one embodiment, the computer program when executed by the processor further performs the steps of: if the number of the security events of different types is consistent, determining the arrangement sequence according to threat levels corresponding to the security events of different types.
In one embodiment, the computer program when executed by the processor further performs the steps of: if the security event type in the initial security event set is determined to be greater than N, the step of sequencing the security event types included in the initial security event set according to the sequence that the number of the security events of each type in the initial security event set is from large to small is executed.
In one embodiment, the computer program when executed by the processor further performs the steps of: and if the security event type in the initial security event set is less than or equal to N, taking the initial security event set as a target security event set.
In one embodiment, the first security assessment result comprises a first security assessment value, the frequency of occurrence of the different periods comprises a first frequency of occurrence of the active period and a second frequency of occurrence of the inactive period, the computer program when executed by the processor further implementing the steps of: for each security event, determining a security evaluation sub-value of the security event according to the threat level, the first occurrence frequency and the second occurrence frequency of the security event; and obtaining a first security evaluation value according to the average value of the security evaluation sub-values of each security event.
In one embodiment, the computer program when executed by the processor further performs the steps of: and carrying out correction processing on the average value of the security evaluation sub-values of each security event according to whether the target host is an asset or not so as to obtain a first security evaluation value.
In one embodiment, the computer program when executed by the processor further performs the steps of: determining first access characteristic information when the target host is a role for initiating access based on the target security event set; determining second access characteristic information when the target host is the accessed role based on the target security event set; the first access information and the second access information are used as access characteristic information.
In one embodiment, the computer program when executed by the processor further performs the steps of: screening a first security event with the same source IP address as the IP address of a target host from a target security event set; the number m1 of the first security events and the number n1 of the destination IP addresses included in the first security events are taken as first access characteristic information.
In one embodiment, the computer program when executed by the processor further performs the steps of: screening a second security event with the same destination IP address as the IP address of the target host from the target security event set; the number m2 of the second security events and the number n2 of the source IP addresses included in the second security events are taken as second access characteristic information.
In one embodiment, the computer program when executed by the processor further performs the steps of: calculating a weighted sum according to the number m1 of the first security events, the number n1 of the destination IP addresses included in the first security events, the number m2 of the second security events and the number n2 of the source IP addresses included in the second security events; and determining a second security assessment result according to the weighted sum and the first security assessment result.
In one embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, performs the steps of: acquiring a target security event set corresponding to a target host to be evaluated, wherein the target security event set comprises a plurality of security events related to the target host; determining a first security evaluation result of the target host according to the threat levels of the security events in the target security event set and their occurrence frequencies in different time periods; under the condition that the first security evaluation result indicates that the target host is in a security suspicious state, determining access characteristic information according to the target security event set and determining a second security evaluation result of the target host according to the access characteristic information, wherein the access characteristic information is used for representing the characteristics of service access related to the security events of the target host; and determining whether the target host is a high-risk host according to the second security assessment result.
In one embodiment, the computer program when executed by the processor further performs the steps of: acquiring an initial security event set, wherein the initial security event set comprises a plurality of security events corresponding to the target host; and screening, from the initial security event set, the security events whose importance degree is larger than a preset threshold value to obtain the target security event set.
In one embodiment, the computer program when executed by the processor further performs the steps of: sorting the security event types included in the initial security event set in descending order of the number of security events of each type in the initial security event set; and taking the security events corresponding to the first N security event types in the sorted order as the security events with importance degree larger than the preset threshold value, wherein N is a positive integer larger than or equal to 1.
In one embodiment, the computer program when executed by the processor further performs the steps of: if the numbers of security events of different types are the same, determining the arrangement order according to the threat levels corresponding to the security events of the different types.
In one embodiment, the computer program when executed by the processor further performs the steps of: if the number of security event types in the initial security event set is determined to be greater than N, executing the step of sorting the security event types included in the initial security event set in descending order of the number of security events of each type in the initial security event set.
In one embodiment, the computer program when executed by the processor further performs the steps of: if the number of security event types in the initial security event set is less than or equal to N, taking the initial security event set as the target security event set.
In one embodiment, the first security assessment result comprises a first security assessment value, the occurrence frequencies of the different time periods comprise a first occurrence frequency in an active period and a second occurrence frequency in an inactive period, and the computer program when executed by the processor further performs the steps of: for each security event, determining a security evaluation sub-value of the security event according to the threat level of the security event, the first occurrence frequency and the second occurrence frequency; and obtaining the first security evaluation value according to the average value of the security evaluation sub-values of the security events.
In one embodiment, the computer program when executed by the processor further performs the steps of: correcting the average value of the security evaluation sub-values of the security events according to whether the target host is an asset, so as to obtain the first security evaluation value.
In one embodiment, the computer program when executed by the processor further performs the steps of: determining, based on the target security event set, first access characteristic information for the case in which the target host is the role that initiates access; determining, based on the target security event set, second access characteristic information for the case in which the target host is the accessed role; and taking the first access characteristic information and the second access characteristic information as the access characteristic information.
In one embodiment, the computer program when executed by the processor further performs the steps of: screening, from the target security event set, first security events whose source IP address is the same as the IP address of the target host; and taking the number m1 of the first security events and the number n1 of destination IP addresses included in the first security events as the first access characteristic information.
In one embodiment, the computer program when executed by the processor further performs the steps of: screening, from the target security event set, second security events whose destination IP address is the same as the IP address of the target host; and taking the number m2 of the second security events and the number n2 of source IP addresses included in the second security events as the second access characteristic information.
In one embodiment, the computer program when executed by the processor further performs the steps of: calculating a weighted sum according to the number m1 of the first security events, the number n1 of destination IP addresses included in the first security events, the number m2 of the second security events and the number n2 of source IP addresses included in the second security events; and determining the second security assessment result according to the weighted sum and the first security assessment result.
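The two-stage assessment described in the embodiments above, as an added worked example in Python; this is not code from the patent or its applicant. The patent fixes the structure (screen the event set to the N most frequent types with a threat-level tie-break, average per-event sub-values built from threat level and active/inactive frequency, correct for asset status, and, only if the host is suspicious, fold in the access characteristics m1, n1, m2, n2 through a weighted sum) but not the formulas, weights, thresholds or what "active period" means, so every constant below, the additive combination of the weighted sum with the first value, and the reading of n1/n2 as counts of distinct addresses are assumptions. The events are constructed, not real telemetry.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SecurityEvent:
    event_type: str
    threat_level: int  # assumed scale: 1 (low) .. 5 (critical)
    src_ip: str
    dst_ip: str
    timestamp: datetime


# Assumed parameters: the patent leaves all of these to the implementer.
ACTIVE_HOURS = range(8, 20)          # "active period" assumed to be 08:00-19:59
W_ACTIVE, W_INACTIVE = 1.0, 2.0      # off-hours activity is weighted more heavily
ASSET_FACTOR = 1.2                   # correction applied when the host is a registered asset
SUSPICIOUS_THRESHOLD = 2.0           # first value at or above this -> "security suspicious"
HIGH_RISK_THRESHOLD = 4.0            # second value at or above this -> high-risk host
W_M1, W_N1, W_M2, W_N2 = 0.3, 0.2, 0.3, 0.2


def select_target_events(events, n):
    """Screening step: keep events of the N most frequent types; ties go to the higher threat level."""
    counts = Counter(e.event_type for e in events)
    if len(counts) <= n:                       # N or fewer types: nothing to drop
        return list(events)
    max_threat = {}
    for e in events:
        max_threat[e.event_type] = max(max_threat.get(e.event_type, 0), e.threat_level)
    ranked = sorted(counts, key=lambda t: (-counts[t], -max_threat[t]))  # count desc, then threat desc
    keep = set(ranked[:n])
    return [e for e in events if e.event_type in keep]


def first_assessment(events, is_asset):
    """First result: mean of per-event sub-values, corrected for asset status."""
    if not events:
        return 0.0
    total = len(events)
    active = Counter(e.event_type for e in events if e.timestamp.hour in ACTIVE_HOURS)
    inactive = Counter(e.event_type for e in events if e.timestamp.hour not in ACTIVE_HOURS)
    sub_values = []
    for e in events:
        f1 = active[e.event_type] / total      # first occurrence frequency (active period)
        f2 = inactive[e.event_type] / total    # second occurrence frequency (inactive period)
        sub_values.append(e.threat_level * (W_ACTIVE * f1 + W_INACTIVE * f2))  # assumed formula
    mean = sum(sub_values) / total
    return mean * ASSET_FACTOR if is_asset else mean


def access_characteristics(events, host_ip):
    """(m1, n1) when the host initiates access, (m2, n2) when it is the accessed party."""
    first = [e for e in events if e.src_ip == host_ip]
    second = [e for e in events if e.dst_ip == host_ip]
    m1, n1 = len(first), len({e.dst_ip for e in first})     # n1: distinct destinations (assumed)
    m2, n2 = len(second), len({e.src_ip for e in second})   # n2: distinct sources (assumed)
    return m1, n1, m2, n2


def second_assessment(first_value, m1, n1, m2, n2):
    """Second result: weighted sum of access characteristics combined (additively, assumed) with the first value."""
    weighted = W_M1 * m1 + W_N1 * n1 + W_M2 * m2 + W_N2 * n2
    return first_value + weighted


def assess_host(events, host_ip, is_asset, n=3):
    """Whole pipeline; intermediate values are returned so an analyst can audit the verdict."""
    target = select_target_events(events, n)
    v1 = first_assessment(target, is_asset)
    result = {"first_value": v1, "second_value": None, "high_risk": False}
    if v1 < SUSPICIOUS_THRESHOLD:
        return result                          # not suspicious: the second stage is skipped
    v2 = second_assessment(v1, *access_characteristics(target, host_ip))
    result.update(second_value=v2, high_risk=v2 >= HIGH_RISK_THRESHOLD)
    return result


def sample_events():
    """Constructed events around host 10.0.0.5 (documentation-range addresses, not real telemetry)."""
    def t(hour):
        return datetime(2023, 7, 7, hour, 0)
    return [
        SecurityEvent("port_scan", 2, "10.0.0.5", "10.0.0.20", t(9)),
        SecurityEvent("port_scan", 2, "10.0.0.5", "10.0.0.21", t(10)),
        SecurityEvent("port_scan", 2, "10.0.0.5", "10.0.0.22", t(23)),
        SecurityEvent("brute_force", 4, "192.0.2.9", "10.0.0.5", t(2)),
        SecurityEvent("brute_force", 4, "192.0.2.10", "10.0.0.5", t(3)),
        SecurityEvent("malware_c2", 5, "10.0.0.5", "203.0.113.7", t(1)),
        SecurityEvent("malware_c2", 5, "10.0.0.5", "203.0.113.7", t(4)),
        SecurityEvent("policy_violation", 1, "10.0.0.5", "10.0.0.30", t(11)),
    ]


if __name__ == "__main__":
    for is_asset in (False, True):
        print("asset" if is_asset else "non-asset", assess_host(sample_events(), "10.0.0.5", is_asset))
```

With N=3 the sample keeps port_scan (3 events), malware_c2 and brute_force (2 events each, malware_c2 ranked first by threat level) and drops the single policy_violation. The same host clears the suspicious threshold only when it is marked as an asset, which is the point of the correction step: the second stage, and with it the high-risk verdict, is reached for the asset but not for the otherwise identical non-asset host.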
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) related to the present application are information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards of the related country and region.
Those skilled in the art will appreciate that implementing all or part of the above-described methods may be accomplished by a computer program stored on a non-transitory computer-readable storage medium which, when executed, may comprise the steps of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory can include random access memory (RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can take a variety of forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above embodiments may be combined arbitrarily; for brevity, not all possible combinations of the technical features of the above embodiments are described, but as long as a combination of technical features contains no contradiction, it should be considered within the scope of this description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (16)

1. A risk assessment method, the method comprising:
acquiring a target security event set corresponding to a target host to be evaluated, wherein the target security event set comprises a plurality of security events related to the target host;
determining a first security evaluation result of the target host according to threat levels of security events in the target security event set and occurrence frequencies of different time periods;
determining access characteristic information according to the target security event set, and determining a second security evaluation result of the target host according to the access characteristic information, under the condition that the first security evaluation result indicates that the target host is in a security suspicious state, wherein the access characteristic information is used for representing the characteristics of service access related to the security events of the target host;
and determining whether the target host is a high-risk host according to the second security assessment result.
2. The method according to claim 1, wherein the obtaining the target security event set corresponding to the target host to be evaluated includes:
acquiring an initial security event set, wherein the initial security event set comprises a plurality of security events corresponding to the target host;
and screening the security events with the importance degree larger than a preset threshold value from the initial security event set to obtain the target security event set.
3. The method of claim 2, wherein the screening security events from the initial set of security events for which the importance level is greater than a preset threshold comprises:
sorting the security event types included in the initial security event set in descending order of the number of security events of each type in the initial security event set;
and taking the security events corresponding to the first N security event types in the sorted order as the security events with importance degree larger than the preset threshold value, wherein N is a positive integer larger than or equal to 1.
4. The method of claim 3, wherein the sorting the security event types included in the initial security event set in descending order of the number of security events of each type in the initial security event set comprises:
if the numbers of security events of different types are the same, determining the arrangement order according to the threat levels corresponding to the security events of the different types.
5. The method of claim 3, wherein the sorting the security event types included in the initial security event set in descending order of the number of security events of each type in the initial security event set comprises:
if the number of security event types in the initial security event set is determined to be greater than N, executing the step of sorting the security event types included in the initial security event set in descending order of the number of security events of each type in the initial security event set.
6. A method according to claim 3, characterized in that the method further comprises:
if the number of security event types in the initial security event set is less than or equal to N, using the initial security event set as the target security event set.
7. The method of claim 1, wherein the first security assessment result includes a first security assessment value, the frequency of occurrence of the different periods includes a first frequency of occurrence of an active period and a second frequency of occurrence of a non-active period, and wherein the determining the first security assessment result for the target host based on the threat level of each security event in the set of target security events and the frequency of occurrence of the different periods includes:
for each security event, determining a security assessment sub-value of the security event according to the threat level of the security event, the first occurrence frequency and the second occurrence frequency;
and obtaining the first security evaluation value according to the average value of the security evaluation sub-values of each security event.
8. The method of claim 7, wherein the obtaining the first security assessment value from the average of the security assessment sub-values for each of the security events comprises:
correcting the average value of the security evaluation sub-values of the security events according to whether the target host is an asset, to obtain the first security evaluation value.
9. The method of claim 1, wherein said determining access characteristic information from said set of target security events comprises:
determining first access characteristic information when the target host is a role for initiating access based on the target security event set;
determining second access characteristic information when the target host is an accessed role based on the target security event set;
and taking the first access characteristic information and the second access characteristic information as the access characteristic information.
10. The method of claim 9, wherein the determining, based on the set of target security events, first access characteristic information when the target host is the role of initiating access comprises:
screening, from the target security event set, first security events whose source IP address is the same as the IP address of the target host;
and taking the number m1 of the first security events and the number n1 of destination IP addresses comprised by the first security events as the first access characteristic information.
11. The method of claim 10, wherein the determining second access characteristic information when the target host is an accessed role based on the set of target security events comprises:
screening, from the target security event set, second security events whose destination IP address is the same as the IP address of the target host;
and taking the number m2 of the second security events and the number n2 of source IP addresses comprised by the second security events as the second access characteristic information.
12. The method of claim 11, wherein determining a second security assessment result for the target host based on the access characteristic information comprises:
calculating a weighted sum according to the number m1 of the first security events, the number n1 of destination IP addresses comprised by the first security events, the number m2 of the second security events and the number n2 of source IP addresses comprised by the second security events;
and determining the second security assessment result according to the weighted sum and the first security assessment result.
13. A risk assessment apparatus, the apparatus comprising:
an acquisition module, configured to acquire a target security event set corresponding to a target host to be evaluated, wherein the target security event set comprises a plurality of security events related to the target host;
the first determining module is used for determining a first security evaluation result of the target host according to threat levels of all security events in the target security event set and occurrence frequencies of different time periods;
the second determining module is configured to determine access characteristic information according to the target security event set and determine a second security evaluation result of the target host according to the access characteristic information when the first security evaluation result indicates that the target host is in a security suspicious state, where the access characteristic information is used to characterize a service access characteristic related to a security event of the target host;
and the third determining module is used for determining whether the target host is a high-risk host according to the second security evaluation result.
14. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 12 when the computer program is executed.
15. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 12.
16. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any one of claims 1 to 12.
CN202310829467.6A 2023-07-07 2023-07-07 Risk assessment method, apparatus, device, storage medium, and program product Pending CN116781373A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310829467.6A CN116781373A (en) 2023-07-07 2023-07-07 Risk assessment method, apparatus, device, storage medium, and program product


Publications (1)

Publication Number Publication Date
CN116781373A true CN116781373A (en) 2023-09-19

Family

ID=88008069


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination