CN117692187A - Vulnerability restoration priority ordering method and device based on dynamics - Google Patents


Info

Publication number: CN117692187A
Authority: CN (China)
Prior art keywords: vulnerability, dimension, vpt, dimension information, asset
Legal status: Granted
Application number: CN202311640762.3A
Other languages: Chinese (zh)
Other versions: CN117692187B (en)
Inventors: 陈剑, 袁安琪, 徐挺, 李国瑞, 姚天禄
Current assignee: Hubei Central China Technology Development Of Electric Power Co ltd; State Grid Hubei Electric Power Co Ltd
Original assignee: Hubei Central China Technology Development Of Electric Power Co ltd; State Grid Hubei Electric Power Co Ltd

Abstract

The invention provides a vulnerability restoration priority ordering method and device based on dynamics. The method comprises the following steps: configuring the basic weights of the dimension factors affecting vulnerabilities and the switches of the corresponding dimension factors; collecting the dimension information corresponding to the dimension factors affecting vulnerabilities, the dimension information comprising asset dimension information, vulnerability dimension information, threat dimension information and operation and maintenance dimension information; if the VPT vulnerability ordering calculation model needs to be updated, training the VPT vulnerability ordering calculation model on the updated dimension factors and dimension information; evaluating the vulnerability information with the trained VPT vulnerability ordering calculation model and calculating a vulnerability evaluation value from the 4 dimensions of the vulnerability, namely asset, vulnerability, threat and operation and maintenance; and sorting the vulnerabilities from high to low by vulnerability evaluation value and outputting the optimal vulnerability repair priority ordering. The invention can update dynamically when a single factor changes, helps enterprises analyze the priority of repair work, and reduces business risk to the greatest extent.

Description

Vulnerability restoration priority ordering method and device based on dynamics
Technical Field
The invention relates to the field of network security, in particular to a vulnerability restoration priority ordering method and device based on dynamics.
Background
Vulnerabilities have become one of the hot topics in the IT field in recent years. First, vulnerabilities propagate faster: through large communities and social platforms, a vulnerability disclosed in the morning can be exploited in the afternoon, and many attacks can be under way by the evening. Second, the number of vulnerabilities keeps growing: information technology is ever more closely tied to people's lives, applications of every kind, massive data and continuously developing technologies are deployed at large scale, and a large number of vulnerabilities affect everyone's life.
When the number of vulnerabilities is very large and they cannot be repaired one by one, conventional management usually sets a management requirement, for example that the repair proportion reach a certain level such as 90% within a certain time. This cannot truly prevent an attacker from succeeding, because resources are limited: without a priority analysis of the repair work that identifies which vulnerabilities need to be repaired first, the limited resources cannot be concentrated on handling the vulnerabilities that may have the greatest impact on the business, and so business risk cannot be reduced quickly.
Disclosure of Invention
The invention aims to provide a dynamic vulnerability restoration priority ordering method and device to solve the above problems.
A vulnerability restoration prioritization method based on dynamics comprises the following steps:
configuring the basic weights of the dimension factors affecting vulnerabilities and the switches of the corresponding dimension factors, wherein the dimension factors comprise asset factors, vulnerability threat factors and vulnerability operation and maintenance factors;
collecting the dimension information corresponding to the dimension factors affecting vulnerabilities, wherein the dimension information comprises asset dimension information, vulnerability dimension information, threat dimension information and operation and maintenance dimension information;
if the VPT vulnerability ordering calculation model needs to be updated, training the VPT vulnerability ordering calculation model on the updated dimension factors and dimension information;
evaluating the vulnerability information with the trained VPT vulnerability ordering calculation model, and calculating a vulnerability evaluation value from the 4 dimensions of the vulnerability, namely asset, vulnerability, threat and operation and maintenance;
and sorting the vulnerabilities from high to low by vulnerability evaluation value, and outputting the optimal vulnerability repair priority ordering.
Further, the asset dimension information comprises asset importance, asset position and asset protection condition, giving an asset-based dimension data set; the vulnerability dimension information comprises vulnerability value, vulnerability hotness and cross-validation, giving a vulnerability-based dimension data set; the threat dimension information comprises the exploit POC, the exploit mode and the vulnerability attack cost, giving a vulnerability-based threat dimension data set; and the operation and maintenance dimension information comprises the vulnerability ignore ratio and the repair difficulty.
Further, the calculation step of the VPT vulnerability ordering calculation model specifically includes:
data preparation and preprocessing: normalizing the collected dimension information so that the data of the different factors have similar ranges;
feature engineering: creating a feature vector X from the normalized dimension information, wherein each element corresponds to a feature of one vulnerability sample and each feature is $X_i = W \times A$, where A is an asset attribute value and W is the attribute weight; the feature vector X is constructed as follows:
$X = [x_1, x_2, \ldots, x_i, \ldots, x_n]$
wherein $x_i$ is the i-th attribute value in the feature vector;
training the VPT vulnerability ordering calculation model using a supervised random forest algorithm;
combining the model output with the output of the random forest algorithm using a weighted average algorithm to produce the final vulnerability restoration priority score by the following formula:
$\mathrm{VPT}_{final} = (1-\alpha)\cdot\mathrm{VPT}_{RF} + \alpha\cdot\mathrm{VPT}_{weighted\_average}$
wherein $\mathrm{VPT}_{final}$ is the final vulnerability restoration priority score, $\mathrm{VPT}_{RF}$ is the output of the random forest algorithm, $\mathrm{VPT}_{weighted\_average}$ is the output of the weighted average algorithm, and α is the hyperparameter that adjusts the weighting.
Further, training the VPT vulnerability ordering calculation model with a supervised random forest algorithm specifically comprises the following steps:
randomly selecting N samples from the training data with replacement as the training data set;
when constructing each decision tree, for each node randomly selecting m features from the feature set as split candidates, and then choosing the best feature to split on by a metric;
repeating the above steps to construct a plurality of decision trees;
each decision tree gives a vote, and the final priority score is determined from the votes of the plurality of trees.
A dynamic-based vulnerability remediation prioritization apparatus comprising:
the dimension factor configuration module is used for configuring basic weights of dimension factors affecting the vulnerability and switches of corresponding dimension factors, wherein the dimension factors comprise asset factors, vulnerability threat factors and vulnerability operation and maintenance factors;
the dimension information collection module is used for collecting dimension information corresponding to dimension factors affecting the vulnerability, wherein the dimension information comprises asset dimension information, vulnerability dimension information, threat dimension information and operation dimension information;
the model updating training module is used for training the VPT vulnerability ordering calculation model based on the updated dimension factors and dimension information when the VPT vulnerability ordering calculation model needs to be updated;
the evaluation calculation module is used for performing evaluation calculation on the vulnerability information according to the trained VPT vulnerability ordering calculation model, and calculating vulnerability evaluation values from 4 dimensions of the assets, the vulnerability, the threat and the operation and maintenance of the vulnerability;
and the ordering output module is used for sorting the vulnerabilities from high to low by vulnerability evaluation value and outputting the optimal vulnerability repair priority ordering.
In the method, information on the activity level of external exploitation of a vulnerability is obtained from the cloud; this information is evaluated together with factors such as the importance level of the local business system and the protection level of the asset to give a priority suggestion for vulnerability restoration, and the method can update dynamically when a single factor changes, so that the repair work achieves the goal of reducing security risk to the greatest extent.
Drawings
FIG. 1 is a flow chart of a dynamic-based vulnerability restoration prioritization method in accordance with an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention aims to provide a dynamic vulnerability restoration priority ordering method which, from the perspective of the asset vulnerability, collects 4 dimensions of information on the asset affected by the vulnerability, namely configuration, vulnerability, threat and operation and maintenance, evaluates the vulnerability as a whole with a big data model algorithm, and gives a priority ordering result, helping enterprises analyze the priority of the repair work and reducing business risk to the greatest extent. As shown in FIG. 1, the method comprises the following steps:
Step S1: the basic weights of the dimension factors (asset factors, vulnerability threat factors and vulnerability operation and maintenance factors) and the switches of the corresponding dimension factors are configured according to actual conditions and stored in a local rule configuration file. The configuration produced in this step determines, for the calculations of the subsequent steps, whether each factor attribute is enabled or disabled and what weight ratio it carries.
Step S2: asset dimension information affecting the vulnerability is collected, comprising the three dimensions of asset importance, asset position and asset protection condition, giving an asset dimension data set. The collected asset dimension information is as follows:
Asset importance (asset_importance): the "importance" attribute of the asset, one of minor, common, important, critical or core.
Asset location (asset_position): the location of the asset in the network it belongs to, one of extranet, intranet or private network.
Asset protection condition (asset_protect): the "asset protection condition" attribute of the asset, one of proprietary protection rules, protected device or unprotected.
Step S3: vulnerability dimension information affecting the vulnerability is collected, comprising the vulnerability value, vulnerability hotness and cross-validation dimensions, giving a vulnerability-based dimension data set. The collected vulnerability dimension information is as follows:
Vulnerability value (vulnerability): the vulnerability value of the product vulnerability, assigned on a scale of 0-10.
Vulnerability hotness (heat): the vulnerability hotness information obtained from cloud intelligence.
Cross-validation (cross_validation): the attribute describing the vulnerability's information sources, one of more than 2 data sources, exactly 2 sources, or fewer than 2 sources.
Step S4: threat dimension information affecting the vulnerability is collected, comprising the exploit POC, the exploit mode and the vulnerability attack cost, giving a vulnerability threat dimension data set. The collected threat dimension information is as follows:
Exploit POC (poc): whether a POC can be extracted from the vulnerability information sources; the attribute takes one of 2 values, POC available or no POC.
Exploit mode (attack_mode): the exploit mode (attack vector) is taken from the CVSS3 and CVSS2 scoring vectors obtained through the CVE, and the attribute takes one of 4 values: remote, adjacent network, local or physical.
Attack cost (attack_complexity): the attack cost (attack complexity) is taken from the CVSS3 and CVSS2 scoring vectors obtained through the CVE, and the attribute takes one of 3 values: high, medium or low.
Step S5: operation and maintenance dimension information affecting the vulnerability is collected, comprising the vulnerability ignore ratio and the repair difficulty, giving a vulnerability-based operation and maintenance dimension data set. The collected operation and maintenance dimension information is as follows:
Vulnerability ignore ratio (ignore_ratio): the false-alarm ignore rate of the vulnerability, computed from the number of times the product vulnerability has historically been ignored or reported as a false alarm, counting the verified-ignored and verified-false-alarm states: (verified ignored + verified false alarm) / (early warning + initial discovery). The attribute is classified as high, medium or low.
Repair difficulty (repair_difficulty): the repair difficulty of the vulnerability, from cloud intelligence and local settings; the attribute is one of patch upgrade, manual modification, cannot be repaired, or other.
Step S6: whether the VPT vulnerability ordering calculation model needs to be updated is judged by whether the configuration of the dimension factors from step S1 has been modified or whether the vulnerability correction information recorded by the system exceeds a built-in threshold. If so, the VPT vulnerability ordering calculation model is retrained on the updated dimension factors and dimension information to find the VPT vulnerability ordering calculation model that best fits the customer's business scenario; if not, step S7 is performed.
The VPT vulnerability ordering algorithm model is calculated as follows:
(1) Data preparation and preprocessing:
The dimension information collected in steps S2-S5 comprises the asset factors (asset_position, asset_protect), the vulnerability factors (vulnerability, heat, cross_validation), the vulnerability threat factors (poc, attack_mode, attack_complexity) and the vulnerability operation and maintenance factor (ignore_ratio).
The collected dimension information is normalized so that the data of the different factors have similar ranges. Normalization can be performed using the following formula:
This ensures that the value of each factor lies in the range [0, 1].
(2) Feature engineering:
A feature vector X is created from the dimension information collected in steps S2-S5, where each element corresponds to a feature of one vulnerability sample. The basic weights W of the different dimension factors are taken into account, where W is determined from domain knowledge or data analysis.
Each feature is $X_i = W \times A$, where A is an asset attribute value and W is the attribute weight.
The feature vector X is constructed as follows:
$X = [x_1, x_2, \ldots, x_i, \ldots, x_n]$
where $x_i$ is the i-th attribute value in the feature vector.
(3) Training the random forest model:
The model is trained using a supervised random forest algorithm, with the following steps:
1. N samples are randomly drawn with replacement from the training data; these constitute the training data set.
2. When constructing each decision tree, for each node m features are randomly selected from the feature set as split candidates, and information gain or another metric is used to select the best feature to split on.
3. The above steps are repeated to construct a plurality of decision trees.
4. Each decision tree gives a vote, and the final priority score is determined from the votes of the multiple trees.
(4) Dual-algorithm optimal guarantee of the VPT
The results of the two algorithms are combined:
the model output is combined with the output of the random forest algorithm using a weighted average algorithm to produce the final vulnerability restoration priority score by the following formula:
$\mathrm{VPT}_{final} = (1-\alpha)\cdot\mathrm{VPT}_{RF} + \alpha\cdot\mathrm{VPT}_{weighted\_average}$
wherein $\mathrm{VPT}_{final}$ is the final vulnerability restoration priority score, $\mathrm{VPT}_{RF}$ is the output of the random forest algorithm, $\mathrm{VPT}_{weighted\_average}$ is the output of the weighted average algorithm, and α is the hyperparameter that adjusts the weighting and can be tuned as required.
Step S7: the vulnerability information is evaluated with the VPT vulnerability ordering calculation model, and a vulnerability evaluation value is calculated from the 4 dimensions of the vulnerability, namely asset, vulnerability, threat and operation and maintenance.
The specific calculation process is as follows:
Taking a Struts2 vulnerability on a particular asset as an example, the attribute values of the vulnerable asset are:
Asset importance: core (5)
Asset location: private network (2)
Protection present or not: unprotected (3)
Vulnerability hotness: medium (2)
Cross-validation: more than 2 sources (3)
POC present or not: with POC (2)
Exploit mode: remote (4)
Vulnerability attack cost: low (3)
Vulnerability false alarm rate: low (3)
Repair difficulty: patch upgrade (4)
Vulnerability value: 8
According to the asset configuration information, the attributes are configured as follows:
{
  "asset_importance": 5,
  "asset_position": 2,
  "asset_protect": 3,
  "heat": 2,
  "cross_validation": 3,
  "poc": 2,
  "attack_mode": 4,
  "attack_complexity": 3,
  "ignore_ratio": 3,
  "repair_difficulty": 4,
  "vulnerability": 8
}
According to the provided vulnerability information, with the weight W set to 1, the feature vector X is constructed as:
$X = [5, 2, 3, 2, 3, 2, 4, 3, 3, 4, 8]$
The feature vector is then normalized, scaling each attribute value to between 0 and 1 assuming simple linear normalization. For an attribute value $x_i$ the normalization is calculated as follows.
The following values are obtained:
$X' = [1, 1, 0.75, 0.5, 0.75, 0.5, 1, 0.75, 0.75, 1, 1]$
The VPT score is calculated with the provided model and weights. According to the dual-algorithm optimal guarantee of the VPT, the following formula is used:
$\mathrm{VPT}_{final} = (1-\alpha)\cdot\mathrm{VPT}_{RF} + \alpha\cdot\mathrm{VPT}_{weighted\_average}$
wherein $\mathrm{VPT}_{RF}$ is the output of the random forest algorithm and $\mathrm{VPT}_{weighted\_average}$ is the output of the weighted average algorithm. Assume that these have been calculated as:
$\mathrm{VPT}_{RF} = 80$
$\mathrm{VPT}_{weighted\_average} = 90$
With the weight α = 0.5, the final VPT score is:
$\mathrm{VPT}_{final} = (1-0.5)\cdot 80 + 0.5\cdot 90 = 85$
Step S8: the vulnerabilities are sorted from high to low by vulnerability evaluation value, and the optimal vulnerability restoration priority list is output.
Step S9: using the user's actual historical vulnerability repair records as the judgment standard, the model is trained on the feature-engineering parameters of step S7 to find the vulnerability repair priority ranking calculation model that best fits the user's scenario.
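The steps S1 to S8 above, end to end, as an added example in Python that is not part of the patent or of any implementation of it. It assumes a rule configuration of base weights and switches per factor, reuses the Struts2 attribute values of the worked example plus two records constructed here, and treats the random forest output as already computed (the page gives 80 for the Struts2 case); the page does not give its normalization formula or the form of its weighted-average branch, so the ones used here (divide by the column maximum; mean of the enabled normalized features scaled to 0..100) are assumptions.

```python
"""VPT-style dynamic vulnerability remediation prioritization (added example).
Assumptions not on the page: normalization divides each attribute by its maximum
over the batch being ranked; the weighted-average branch is the mean of the
enabled normalized features scaled to 0..100; the random forest output is given."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Attribute order of the feature vector X, as in the page's worked example.
FEATURE_ORDER = [
    "asset_importance", "asset_position", "asset_protect",  # asset dimension
    "heat", "cross_validation",                             # vulnerability dimension
    "poc", "attack_mode", "attack_complexity",              # threat dimension
    "ignore_ratio", "repair_difficulty",                    # operation and maintenance
    "vulnerability",                                        # vulnerability value 0-10
]


@dataclass(frozen=True)
class FactorConfig:
    """Step S1: base weight and on/off switch of one dimension factor."""
    weight: float = 1.0
    enabled: bool = True


# Constructed rule configuration: every factor enabled with weight 1 (W = 1, as in
# the page's example). A real deployment would load this from the rule file.
DEFAULT_CONFIG: Dict[str, FactorConfig] = {k: FactorConfig() for k in FEATURE_ORDER}

# Attribute values of the page's Struts2 example, plus two records constructed
# here so that the ranking has something to order.
STRUTS2_EXAMPLE = {"asset_importance": 5, "asset_position": 2, "asset_protect": 3,
                   "heat": 2, "cross_validation": 3, "poc": 2, "attack_mode": 4,
                   "attack_complexity": 3, "ignore_ratio": 3,
                   "repair_difficulty": 4, "vulnerability": 8}
LOW_RISK_EXAMPLE = {"asset_importance": 1, "asset_position": 1, "asset_protect": 1,
                    "heat": 1, "cross_validation": 1, "poc": 1, "attack_mode": 2,
                    "attack_complexity": 1, "ignore_ratio": 1,
                    "repair_difficulty": 2, "vulnerability": 4}
MID_RISK_EXAMPLE = {"asset_importance": 3, "asset_position": 2, "asset_protect": 2,
                    "heat": 4, "cross_validation": 2, "poc": 2, "attack_mode": 4,
                    "attack_complexity": 2, "ignore_ratio": 2,
                    "repair_difficulty": 3, "vulnerability": 9}


def needs_retrain(config_changed: bool, corrections: int, threshold: int) -> bool:
    """Step S6 trigger: retrain when the factor configuration was modified or the
    recorded vulnerability corrections exceed the built-in threshold."""
    return config_changed or corrections > threshold


def build_feature_vector(attrs: Dict[str, int],
                         config: Dict[str, FactorConfig]) -> List[float]:
    """Feature engineering: x_i = W * A. A disabled factor contributes 0, so its
    weight cannot leak into the score while its switch is off."""
    missing = [k for k in FEATURE_ORDER if k not in attrs]
    if missing:
        raise KeyError(f"record lacks attributes: {missing}")
    return [float(attrs[k]) * config[k].weight if config[k].enabled else 0.0
            for k in FEATURE_ORDER]


def normalize(vectors: List[List[float]]) -> List[List[float]]:
    """Column-wise scaling to [0, 1] (assumed form: divide by the column maximum).
    An all-zero column, e.g. a disabled factor, stays 0 rather than dividing by 0."""
    maxes = [max(col) or 1.0 for col in zip(*vectors)]
    return [[x / m for x, m in zip(vec, maxes)] for vec in vectors]


def weighted_average_score(norm_vec: List[float],
                           config: Dict[str, FactorConfig]) -> float:
    """Weighted-average branch (assumed form): mean of the normalized values of
    the enabled factors, scaled to 0..100 like the page's VPT scores."""
    enabled = [i for i, k in enumerate(FEATURE_ORDER) if config[k].enabled]
    if not enabled:
        return 0.0
    return 100.0 * sum(norm_vec[i] for i in enabled) / len(enabled)


def vpt_final(vpt_rf: float, vpt_weighted_average: float, alpha: float = 0.5) -> float:
    """Dual-algorithm combination from the page:
    VPT_final = (1 - alpha) * VPT_RF + alpha * VPT_weighted_average."""
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("alpha must lie in [0, 1]")
    return (1.0 - alpha) * vpt_rf + alpha * vpt_weighted_average


def rank_vulnerabilities(records: Dict[str, Dict[str, int]], rf_scores: Dict[str, float],
                         config: Dict[str, FactorConfig] = DEFAULT_CONFIG,
                         alpha: float = 0.5) -> List[Tuple[str, float]]:
    """Steps S2-S8 end to end: build X for each record, normalize the batch, score
    each record, and return (id, VPT_final) sorted from high to low."""
    ids = list(records)
    vectors = normalize([build_feature_vector(records[i], config) for i in ids])
    scored = [(i, round(vpt_final(rf_scores[i], weighted_average_score(v, config), alpha), 2))
              for i, v in zip(ids, vectors)]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    batch = {"struts2-example": STRUTS2_EXAMPLE, "low-risk": LOW_RISK_EXAMPLE,
             "mid-risk": MID_RISK_EXAMPLE}
    # Random forest outputs assumed already computed (80 is the page's value).
    rf = {"struts2-example": 80.0, "low-risk": 40.0, "mid-risk": 60.0}
    for vuln_id, score in rank_vulnerabilities(batch, rf):
        print(f"{vuln_id:16s} VPT_final = {score}")
```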
The embodiment of the invention also provides a vulnerability restoration priority ordering device based on the dynamic state, which comprises the following steps:
the dimension factor configuration module is used for configuring basic weights of dimension factors affecting the vulnerability and switches of corresponding dimension factors, wherein the dimension factors comprise asset factors, vulnerability threat factors and vulnerability operation and maintenance factors;
the dimension information collection module is used for collecting dimension information corresponding to dimension factors affecting the vulnerability, wherein the dimension information comprises asset dimension information, vulnerability dimension information, threat dimension information and operation dimension information;
the model updating training module is used for training the VPT vulnerability ordering calculation model based on the updated dimension factors and dimension information when the VPT vulnerability ordering calculation model needs to be updated;
the evaluation calculation module is used for performing evaluation calculation on the vulnerability information according to the trained VPT vulnerability ordering calculation model, and calculating vulnerability evaluation values from 4 dimensions of the assets, the vulnerability, the threat and the operation and maintenance of the vulnerability;
and the ordering output module is used for sorting the vulnerabilities from high to low by vulnerability evaluation value and outputting the optimal vulnerability repair priority ordering.
The invention has the following beneficial effects:
1. In the method, information on the activity level of external exploitation of a vulnerability is obtained from the cloud; this information is evaluated together with factors such as the importance level of the local business system and the protection level of the asset to give a priority suggestion for vulnerability restoration, and the method can update dynamically when a single factor changes, so that the repair work achieves the goal of reducing security risk to the greatest extent. Refining the priority analysis indicators strengthens user customization and optimizes the algorithm model.
2. The invention combines data from various sources with threat intelligence, asset importance, protection condition, vulnerability ignore ratio and other information, analyzes the data with a big data algorithm, and uses machine learning to predict the likelihood that a vulnerability will be exploited. This helps enterprises analyze the priority of the repair work and know which vulnerabilities need to be repaired first, so that limited resources are concentrated on handling the vulnerabilities that may have the greatest impact on the business and business risk is reduced to the greatest extent.
3. To meet the different risk emphases of different users, the invention provides a flexible priority computing model that supports flexible adjustment of each dimension factor, including enabling, disabling and the factor weight ratio. With this dynamic priority evaluation model the weight of each dimension factor can be configured flexibly, and the exploitability of the vulnerability, the criticality of the asset or service, the severity of the vulnerability, the existing compensating controls and other aspects are considered together, so that a dynamic priority score for the vulnerabilities is output.
The foregoing is merely illustrative embodiments of the present invention, and the present invention is not limited thereto, and any changes or substitutions that may be easily contemplated by those skilled in the art within the scope of the present invention should be included in the scope of the present invention. Therefore, the protection scope of the present invention should be subject to the protection scope of the claims.

Claims (8)

1. A dynamic vulnerability restoration priority ordering method is characterized by comprising the following steps:
configuring basic weights of dimension factors affecting vulnerabilities and switches of corresponding dimension factors, wherein the dimension factors comprise asset factors, vulnerability threat factors and vulnerability operation and maintenance factors;
collecting dimension information corresponding to dimension factors affecting vulnerabilities, wherein the dimension information comprises asset dimension information, vulnerability dimension information, threat dimension information and operation dimension information;
if the VPT vulnerability ordering calculation model needs to be updated, training the VPT vulnerability ordering calculation model based on the updated dimension factors and dimension information;
evaluating and calculating vulnerability information according to a trained VPT vulnerability ordering calculation model, and calculating vulnerability evaluation values from 4 dimensions of the vulnerability, namely the asset, vulnerability, threat and operation;
and sorting the vulnerabilities from high to low by vulnerability evaluation value, and outputting the optimal vulnerability repair priority ordering.
2. The dynamic vulnerability restoration prioritization method of claim 1, wherein: the asset dimension information comprises asset importance, asset position and asset protection condition, giving an asset-based dimension data set; the vulnerability dimension information comprises vulnerability value, vulnerability hotness and cross-validation, giving a vulnerability-based dimension data set; the threat dimension information comprises the exploit POC, the exploit mode and the vulnerability attack cost, giving a vulnerability-based threat dimension data set; and the operation dimension information comprises the vulnerability ignore ratio and the repair difficulty.
3. The dynamic vulnerability restoration prioritization method of claim 1, wherein: the calculating step of the VPT vulnerability ordering calculation model specifically comprises the following steps:
data preparation and preprocessing: normalizing the collected dimension information to ensure that the data of different factors have similar ranges;
feature engineering: creating a feature vector X from the normalized dimension information, wherein each element corresponds to a feature of one vulnerability sample and each feature is $X_i = W \times A$, where A is an asset attribute value and W is the attribute weight; the feature vector X is constructed as follows:
$X = [x_1, x_2, \ldots, x_i, \ldots, x_n]$
wherein $x_i$ is the i-th attribute value in the feature vector;
training the VPT vulnerability ordering calculation model using a supervised random forest algorithm;
combining the model output with the output of the random forest algorithm using a weighted average algorithm to produce the final vulnerability restoration priority score by the following formula:
$\mathrm{VPT}_{final} = (1-\alpha)\cdot\mathrm{VPT}_{RF} + \alpha\cdot\mathrm{VPT}_{weighted\_average}$
wherein $\mathrm{VPT}_{final}$ is the final vulnerability restoration priority score, $\mathrm{VPT}_{RF}$ is the output of the random forest algorithm, $\mathrm{VPT}_{weighted\_average}$ is the output of the weighted average algorithm, and α is the hyperparameter that adjusts the weighting.
4. The dynamic vulnerability restoration prioritization method of claim 3, wherein: training the VPT vulnerability ordering calculation model using a supervised random forest algorithm specifically comprises:
randomly selecting N samples from the training data with replacement as the training data set;
when constructing each decision tree, randomly selecting m features from the feature set at each node as candidate split features, and then selecting the best feature for splitting using a splitting metric;
repeating the above steps to construct a plurality of decision trees;
each decision tree produces a voting result, and the final priority score is determined from the voting results of the plurality of trees.
5. A dynamic-based vulnerability restoration prioritization apparatus, comprising:
the dimension factor configuration module is used for configuring basic weights of dimension factors affecting the vulnerability and switches of corresponding dimension factors, wherein the dimension factors comprise asset factors, vulnerability threat factors and vulnerability operation and maintenance factors;
the dimension information collection module is used for collecting dimension information corresponding to dimension factors affecting the vulnerability, wherein the dimension information comprises asset dimension information, vulnerability dimension information, threat dimension information and operation dimension information;
the model updating training module is used for training the VPT vulnerability ordering calculation model based on the updated dimension factors and dimension information when the VPT vulnerability ordering calculation model needs to be updated;
the evaluation calculation module is used for evaluating the vulnerability information with the trained VPT vulnerability ordering calculation model, and calculating a vulnerability evaluation value from the 4 dimensions of the vulnerability, namely asset, vulnerability, threat and operation and maintenance;
and the ordering output module is used for sorting the vulnerabilities from high to low according to the vulnerability evaluation value and outputting the optimal vulnerability repair ordering priority.
6. The dynamic-based vulnerability restoration prioritization apparatus of claim 5, wherein: the asset dimension information comprises asset importance, asset position and asset protection condition, from which a set of asset-based dimension data is obtained; the vulnerability dimension information comprises vulnerability value, vulnerability hotness and cross verification, from which a set of vulnerability-based dimension data is obtained; the threat dimension information comprises vulnerability exploitation POC, vulnerability exploitation mode and vulnerability attack cost, from which a set of vulnerability-based threat dimension data is obtained; and the operation dimension information comprises vulnerability neglect ratio and recovery difficulty.
7. The dynamic-based vulnerability restoration prioritization apparatus of claim 5, wherein: the calculating step of the VPT vulnerability ordering calculation model specifically comprises the following steps:
data preparation and preprocessing: normalizing the collected dimension information so that the data of different factors have a similar range;
feature engineering: creating a feature vector X from the normalized dimension information, wherein each element corresponds to one feature of a vulnerability sample and is computed as $x_i = W \times A$, where A is an asset attribute value and W is the attribute weight, and the feature vector X is constructed as follows:
$X = [x_1, x_2, \ldots, x_i, \ldots, x_n]$
wherein $x_i$ is the i-th attribute value in the feature vector;
training the VPT vulnerability ordering calculation model using a supervised random forest algorithm;
combining the model output with the output of the random forest algorithm using a weighted average algorithm to produce the final vulnerability restoration priority score according to the following formula:
$VPT_{final} = (1-\alpha) \cdot VPT_{RF} + \alpha \cdot VPT_{weighted\_average}$
wherein $VPT_{final}$ is the final vulnerability restoration priority score, $VPT_{RF}$ is the output of the random forest algorithm, $VPT_{weighted\_average}$ is the output of the weighted average algorithm, and $\alpha$ is the hyper-parameter that adjusts the weighting.
8. The dynamic-based vulnerability restoration prioritization apparatus of claim 7, wherein: training the VPT vulnerability ordering calculation model using a supervised random forest algorithm specifically comprises:
randomly selecting N samples from the training data with replacement as the training data set;
when constructing each decision tree, randomly selecting m features from the feature set at each node as candidate split features, and then selecting the best feature for splitting using a splitting metric;
repeating the above steps to construct a plurality of decision trees;
each decision tree produces a voting result, and the final priority score is determined from the voting results of the plurality of trees.
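The scoring pipeline of claims 3 and 4 (and their apparatus counterparts, claims 7 and 8) is shown end to end below as an added example; it is not code from the patent or its applicants. It normalizes the factor values of claim 2, forms the weighted features $x_i = W \times A$, trains a small bagged random forest (bootstrap with replacement, m random candidate features per node, variance reduction as the splitting metric), and blends the forest output with a weighted-average score using $VPT_{final} = (1-\alpha) \cdot VPT_{RF} + \alpha \cdot VPT_{weighted\_average}$. The factor weights, the choice of which factors are inverted, the sample vulnerabilities, their training labels and the value of alpha are all constructed assumptions, not values from the patent.

```python
"""Added example of the VPT ranking pipeline (normalize -> weighted features ->
random forest + weighted average -> sorted output). Weights, orientation of the
factors, sample data, labels and alpha are constructed assumptions."""
import random
from statistics import mean, pvariance

# Dimension factors named in claim 2, grouped asset / vulnerability / threat / operation.
FACTORS = [
    "asset_importance", "asset_position", "asset_protection",
    "vuln_value", "vuln_hotness", "cross_verification",
    "exploit_poc", "exploit_mode", "attack_cost",
    "neglect_ratio", "recovery_difficulty",
]
# Assumed basic weights W (claim 1's configurable dimension-factor weights).
WEIGHTS = {f: 1.0 for f in FACTORS}
WEIGHTS.update({"asset_importance": 2.0, "exploit_poc": 2.0, "vuln_value": 1.5})
# Assumption: a larger raw value of these factors makes the vulnerability LESS urgent,
# so they are flipped during normalization and every x_i then means "higher = fix sooner".
INVERTED = {"asset_protection", "attack_cost", "recovery_difficulty"}


def normalize(rows):
    """Min-max scale every factor to [0, 1] (and flip inverted ones) so factors share a range."""
    lo = {f: min(r[f] for r in rows) for f in FACTORS}
    hi = {f: max(r[f] for r in rows) for f in FACTORS}
    out = []
    for r in rows:
        scaled = {}
        for f in FACTORS:
            v = 0.0 if hi[f] == lo[f] else (r[f] - lo[f]) / (hi[f] - lo[f])
            scaled[f] = 1.0 - v if f in INVERTED else v
        out.append(scaled)
    return out


def feature_vector(row, weights=WEIGHTS):
    """x_i = W_i * A_i for every factor (claim 3's feature engineering step)."""
    return [weights[f] * row[f] for f in FACTORS]


def weighted_average_score(x, weights=WEIGHTS):
    """Weighted-average branch: weighted attribute sum over the total weight, in [0, 1]."""
    return sum(x) / sum(weights[f] for f in FACTORS)


def _best_split(X, y, feats):
    """Among candidate features `feats`, pick the threshold that most reduces variance."""
    best = None
    for j in feats:
        for t in sorted({row[j] for row in X}):
            left = [y[i] for i, row in enumerate(X) if row[j] <= t]
            right = [y[i] for i, row in enumerate(X) if row[j] > t]
            if not left or not right:
                continue
            score = len(left) * pvariance(left) + len(right) * pvariance(right)
            if best is None or score < best[0]:
                best = (score, j, t)
    return best


def _build_tree(X, y, m, depth, rng):
    """Grow one regression tree; each node considers only m randomly chosen features."""
    if depth == 0 or len(y) < 2 or len(set(y)) == 1:
        return mean(y)
    split = _best_split(X, y, rng.sample(range(len(X[0])), m))
    if split is None:
        return mean(y)
    _, j, t = split
    li = [i for i, row in enumerate(X) if row[j] <= t]
    ri = [i for i, row in enumerate(X) if row[j] > t]
    return (j, t, _build_tree([X[i] for i in li], [y[i] for i in li], m, depth - 1, rng),
            _build_tree([X[i] for i in ri], [y[i] for i in ri], m, depth - 1, rng))


def _predict_tree(node, x):
    while isinstance(node, tuple):           # internal nodes are (feature, threshold, left, right)
        j, t, left, right = node
        node = left if x[j] <= t else right
    return node                              # leaf = mean label of its training samples


def train_random_forest(X, y, n_trees=25, m=3, max_depth=4, seed=0):
    """Claim 4: bootstrap N samples with replacement per tree, m random features per node."""
    rng = random.Random(seed)
    trees = []
    for _ in range(n_trees):
        idx = [rng.randrange(len(X)) for _ in range(len(X))]
        trees.append(_build_tree([X[i] for i in idx], [y[i] for i in idx], m, max_depth, rng))
    return trees


def predict_random_forest(trees, x):
    """Every tree votes with its prediction; the forest output is the mean vote (VPT_RF)."""
    return mean(_predict_tree(t, x) for t in trees)


def combine(vpt_rf, vpt_wa, alpha):
    """VPT_final = (1 - alpha) * VPT_RF + alpha * VPT_weighted_average."""
    return (1 - alpha) * vpt_rf + alpha * vpt_wa


def rank_vulnerabilities(vulns, trees, alpha):
    """Score each (id, normalized factors) pair and return ids sorted from high to low."""
    scored = []
    for vid, row in vulns:
        x = feature_vector(row)
        scored.append((vid, round(combine(predict_random_forest(trees, x),
                                          weighted_average_score(x), alpha), 4)))
    return sorted(scored, key=lambda s: s[1], reverse=True)


def _row(*vals):
    return dict(zip(FACTORS, vals))

# Constructed sample: raw factor values on arbitrary scales plus an analyst-assigned
# priority label (0..1) used as the supervised training target. Not real findings.
RAW = [
    ("VULN-A", _row(9, 3, 1, 9.8, 8, 1, 1, 3, 1, 0.1, 2)),   # critical asset, public PoC, cheap to exploit
    ("VULN-B", _row(5, 2, 2, 7.5, 4, 1, 0, 2, 3, 0.4, 3)),
    ("VULN-C", _row(2, 1, 3, 5.3, 1, 0, 0, 1, 5, 0.8, 5)),   # isolated, well protected, costly to exploit
    ("VULN-D", _row(8, 3, 2, 8.8, 6, 1, 1, 2, 2, 0.2, 4)),
    ("VULN-E", _row(3, 1, 3, 4.3, 2, 0, 0, 1, 4, 0.7, 1)),
    ("VULN-F", _row(7, 2, 1, 6.5, 5, 1, 1, 3, 2, 0.3, 3)),
]
LABELS = [0.95, 0.55, 0.10, 0.85, 0.15, 0.70]


def prepare(raw):
    """Normalize the raw factor rows, keeping each vulnerability id alongside its row."""
    return list(zip([vid for vid, _ in raw], normalize([r for _, r in raw])))


if __name__ == "__main__":
    vulns = prepare(RAW)
    forest = train_random_forest([feature_vector(r) for _, r in vulns], LABELS)
    for vid, score in rank_vulnerabilities(vulns, forest, alpha=0.3):
        print(vid, score)
```

With alpha set to 1.0 the forest is switched off and the ordering is fully explained by the configured weights, which is a useful sanity check when the model is retrained after a weight or switch change: if the blended ranking diverges sharply from the weighted-only ranking, the training labels rather than the factor data are driving the result.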
CN202311640762.3A 2023-12-04 Vulnerability restoration priority ordering method and device based on dynamics Active CN117692187B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311640762.3A CN117692187B (en) 2023-12-04 Vulnerability restoration priority ordering method and device based on dynamics

Publications (2)

Publication Number Publication Date
CN117692187A true CN117692187A (en) 2024-03-12
CN117692187B CN117692187B (en) 2024-06-04

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200351294A1 (en) * 2019-04-30 2020-11-05 EMC IP Holding Company LLC Prioritization of remediation actions for addressing vulnerabilities in an enterprise system
US20210392153A1 (en) * 2020-06-10 2021-12-16 Saudi Arabian Oil Company System and method for vulnerability remediation prioritization
CN116010966A (en) * 2022-12-21 2023-04-25 中电信数智科技有限公司 Method for optimizing vulnerability restoration priority
CN116389034A (en) * 2022-12-30 2023-07-04 湖北天融信网络安全技术有限公司 Vulnerability priority determining method and device
CN116502234A (en) * 2023-05-08 2023-07-28 安徽华云安科技有限公司 Vulnerability value dynamic evaluation method and device based on decision tree
CN116821916A (en) * 2023-06-09 2023-09-29 北京启明星辰信息安全技术有限公司 Method for realizing vulnerability processing, computer storage medium and terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant