WO2021093051A1 - An IP address evaluation method, system and device - Google Patents

An IP address evaluation method, system and device

Info

Publication number
WO2021093051A1
Authority
WO
WIPO (PCT)
Prior art keywords
target
address
risk
coefficient
risk coefficient
Application number
PCT/CN2019/123010
Other languages
English (en)
French (fr)
Inventor
蔡舒晗
陈志勇
王凤杰
Original Assignee
网宿科技股份有限公司
Application filed by 网宿科技股份有限公司

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/40: Network security protocols
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433: Vulnerability analysis
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H04L41/142: Network analysis or design using statistical or mathematical methods

Definitions

  • the present invention relates to the technical field of data processing, in particular to an IP address evaluation method, system and equipment.
  • the purpose of this application is to provide an IP address evaluation method, system and equipment, which can accurately identify malicious IP addresses, thereby improving the effect of network security prevention.
  • one aspect of the present application provides an IP address evaluation method.
  • the method includes: obtaining user data and determining, based on the user data, the risk coefficient of the target IP address at the current moment, where the risk coefficient characterizes the risk that the target IP address poses to the entire network or to a specified industry at the current moment; identifying the target network segment where the target IP address is located, and calculating the risk coefficient of the target network segment from the risk coefficient of each IP address in the target network segment at the current moment; determining the historical trend risk coefficient of the target IP address from the risk coefficient of the target IP address at each moment; and determining the comprehensive risk coefficient of the target IP address from the risk coefficient of the target IP address at the current moment, the risk coefficient of the target network segment and the historical trend risk coefficient of the target IP address, so that whether the target IP address has attack behavior is decided from the comprehensive risk coefficient.
  • on the other hand, the present application also provides an IP address evaluation system. The system includes: a single-IP-address risk determination unit, configured to obtain user data and determine, based on the user data, the risk coefficient of the target IP address at the current moment, where the risk coefficient characterizes the risk that the target IP address poses to the entire network or a specified industry at the current moment;
  • a target network segment risk determination unit, configured to identify the target network segment where the target IP address is located and calculate the risk coefficient of the target network segment from the risk coefficient of each IP address in the target network segment at the current moment;
  • a historical risk determination unit, configured to determine the historical trend risk coefficient of the target IP address from the risk coefficient of the target IP address at each moment;
  • an attack determination unit, configured to determine the comprehensive risk coefficient of the target IP address from the risk coefficient of the target IP address at the current moment, the risk coefficient of the target network segment and the historical trend risk coefficient of the target IP address, so that whether the target IP address has attack behavior is decided from the comprehensive risk coefficient.
  • another aspect of the present application also provides an IP address evaluation device; the device includes a processor and a memory, the memory stores a computer program, and when the computer program is executed by the processor it implements the above-mentioned IP address evaluation method.
  • the technical solutions provided by one or more embodiments of the present application can comprehensively evaluate whether an IP address has an attack behavior from multiple dimensions.
  • the risk coefficient of the target IP address to be evaluated at the current moment can be determined, and the risk coefficient can be for the entire network or a specific industry.
  • the overall risk of the network segment where the target IP address is located can also reflect the degree of risk of the target IP address. Therefore, the overall risk coefficient of the target network segment can be calculated from the risk coefficient of each IP address in the target network segment where the target IP address is located.
  • the risk coefficient at the current moment alone does not settle whether the IP address is harmful, so in order to assess the harmfulness of the IP address accurately, the risk coefficients of the target IP address at different moments can be consulted, and these risk coefficients from different moments are then combined to determine the historical trend risk coefficient of the target IP address.
  • the above three different risk coefficients can be integrated to obtain a comprehensive risk coefficient for evaluating the target IP address, and the comprehensive risk coefficient can be used to determine whether the target IP address has attack behavior. In this way, combining multiple dimensions of data to comprehensively evaluate the target IP address can improve the accuracy of the evaluation, and thereby improve the effectiveness of network security prevention.
  • FIG. 1 is a schematic diagram of the architecture of an IP address evaluation system in an embodiment of the present invention.
  • FIG. 2 is a schematic diagram of the steps of an IP address evaluation method in an embodiment of the present invention.
  • FIG. 3 is a flowchart of an IP address evaluation method in an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of the functional modules of an IP address evaluation system in an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of an IP address evaluation device in an embodiment of the present invention.
  • This application provides an IP address evaluation method, which can be applied to the system architecture shown in FIG. 1.
  • this system can include user clients, a cloud big data center, an analysis and computing cluster, cloud security protection nodes, and origin sites.
  • the access data of the user client will first pass through the cloud security protection node, and the access data initiated by the user client can be detected through the cloud security protection node.
  • the access data can include normal access data or access data with attack behavior; for example, attacks such as SQL injection, brute force cracking and XSS (Cross Site Scripting) can be detected.
  • Access data can be uploaded to the cloud big data center, where the access data can be preprocessed such as data cleaning and format conversion.
  • the access data can be classified and aggregated after deduplication, desensitization, and elimination of unnecessary dimensional data, and finally usable analysis data can be obtained.
  • data in different formats can also be processed in a unified format, for example, can be unified into json format, etc., so as to facilitate subsequent data processing.
  • the specific data format used can be determined according to the actual development situation, and there is no restriction here.
  • the data processed by the cloud big data center can be sent to the analysis and calculation cluster, so that the risk degree of each IP address can be evaluated through the analysis and calculation cluster, and a blacklist database of IP addresses can be constructed.
  • the constructed IP address blacklist library can be sent to each cloud security protection node.
  • the data of the cloud security protection node can be transmitted first to the origin site and then to the user client, or transmitted directly to the user client, so that the cloud security protection node can perform operations such as monitoring and data interception on the IP addresses in the blacklist database.
  • the IP address evaluation method provided in an embodiment of the present application may include the following steps.
  • S1 Obtain user data, and determine the risk coefficient of the target IP address at the current moment based on the user data, where the risk coefficient is used to characterize the risk that the target IP address poses to the entire network or a specified industry at the current moment.
  • the user data may be data uploaded by a cloud security protection node.
  • the user data may include normal access data, and may also include detected data with attack behavior. Specifically, these data can include the access time, the attack type, the IP address of the user client, the MAC address of the user client, the device fingerprint of the user client, the geographic location of the user client, the URL (Uniform Resource Locator) to be accessed, the industry classification to which the accessed address belongs, etc.
  • the cloud security protection node can periodically upload user data, so that in the cloud big data center, user data in different periods can be obtained.
  • the industry types can be divided into government agencies, finance, transportation, games, e-commerce, government affairs, etc., and labels that characterize the industry type can also be carried in the uploaded user data. In this way, user data can be further classified and managed based on the industry type labels.
  • the user data of the target IP address in the most recent period of time can be selected for analysis, so as to determine the risk factor of the target IP address at the current moment. For example, the user data of the most recent day can be selected to calculate the risk factor of the target IP address.
  • the risk factor of the target IP address at the current moment can be comprehensively determined by various influencing factors.
  • various influencing factors corresponding to the target IP address can be determined in advance, and these influencing factors may include, for example, the degree of attack, industry distribution, time rule, attack proportion, external intelligence risk, and so on.
  • the risk value corresponding to each impact factor at the current moment can be calculated separately.
  • for the risk value corresponding to the degree of attack, the number of access requests from the target IP address with attack behavior can be counted from the selected user data, together with the total number of access requests from the target IP address; the total number of access requests includes both normal access requests and access requests with attack behavior. The ratio of the number of access requests with attack behavior to the total number of access requests is then used as the risk value of the attack degree of the target IP address.
  • the target industry to be analyzed may be determined, and the target industry may be, for example, the financial industry. Then, according to the industry type label carried in the user data, the number of access requests from the target IP address to the target industry can be counted, as can the total number of attacks by the target IP address on all industries in the user data, and the ratio of the former to the latter can be calculated; this ratio indicates the extent to which the target IP address has attacked the target industry. The respective ratio can be calculated for each industry.
  • each industry can be assigned its own weight value in advance, and the ratio of each industry can be multiplied by the respective weight value, and the result can be used as the distribution risk coefficient of each industry.
  • the weight value of each industry can be determined according to the degree of harm caused when each industry is attacked. Of course, other methods can also be used to determine the weight value of each industry in practical applications, which is not limited in this application.
  • the sum of the distribution risk coefficients of various industries can be used as the industry distribution risk value of the target IP address. The above process can be expressed as:
  • R12 represents the industry distribution risk value of the target IP address
  • S represents the total number of industries
  • the weight value of the i-th industry is denoted by a symbol that is garbled in the source
  • I_i represents the ratio calculated for the i-th industry.
  • each time period to be analyzed can be determined in advance. For example, one day can be divided into three time periods, and these three time periods can be used as the time periods to be analyzed. Then, the attack coefficient of the target IP address in each time period can be counted. The attack coefficient can be used to characterize the ratio of the number of attacks of the target IP address in the current time period to the total number of attacks in the entire time period. Among them, the total number of attacks in all time periods may refer to the sum of the number of attacks of each IP address in all time periods. At the same time, for different time periods, the respective weight values can also be assigned.
  • the product of the attack coefficient and the corresponding weight value can be used as the time-rule risk coefficient of that time period, and the sum of the time-rule risk coefficients of all time periods can be used as the time-rule risk value of the target IP address.
  • the weight value of each time period can be determined according to the total volume of data access in that period. For example, the data access volume from 7 PM to 2 AM is relatively high, so the weight value of this time period can be set higher; the data access volume from 2 AM to 9 AM is low, so the weight value of this time period can be set lower. Of course, in practical applications other methods may also be used to determine the weight value of each time period, which is not limited in this application.
  • the number of access requests with attack behavior from the target IP address and the total number of access requests with attack behavior from all IP addresses can be counted, and the ratio of the former to the latter is used as the attack proportion risk value of the target IP address.
  • the larger the attack proportion risk value, the more aggressive the IP address and, evidently, the higher its risk.
  • when calculating the risk value corresponding to external intelligence risk, external intelligence can be consulted.
  • since external intelligence may carry a risk of false reports, it cannot be used directly, but it can serve as a reference standard: if the target IP address carries a malicious tag, or is associated with a malicious domain name or malicious access link, its external intelligence risk value can be set to a preset value.
  • the preset value can be flexibly set according to the application scenario, or obtained from analysis of historical data; there is no special restriction here.
  • the aforementioned malicious tags may be tags that characterize bad behaviors such as botnets and mining.
  • the aforementioned malicious domain names and malicious access links may be domain names and links summarized by network protection software. If the target IP address does not have a malicious label, or the target IP address is not associated with a malicious domain name or a malicious access link, the external intelligence risk value of the target IP address can be set to zero.
  • the risk value of each influencing factor can be determined separately. Because the value range of each risk value differs, some risk values are likely to be larger and some smaller, and a risk value with a small magnitude is then likely to be swamped by a risk value with a large magnitude, which makes the analysis result inaccurate.
  • the normalization method can be used to map each risk value to the same numerical interval. Specifically, the maximum risk value and the minimum risk value among the risk values corresponding to each of the impact factors can be identified, and the interval maximum value and the interval minimum value of the target interval to be mapped can be obtained.
  • the risk value corresponding to the impact factor can be normalized to the target interval according to the maximum risk value, the minimum risk value, the maximum value of the interval, and the minimum value of the interval.
  • normalization can be performed according to the following formula:
  • y_i represents the normalized risk value of the i-th impact factor
  • y_min represents the minimum value of the interval
  • y_max represents the maximum value of the interval
  • R_max represents the maximum risk value
  • R_min represents the minimum risk value
  • R_i represents the risk value of the i-th impact factor before normalization.
  • the first difference between the maximum risk value and the minimum risk value can be calculated, and the second difference between the maximum value of the interval and the minimum value of the interval can be calculated, where the ratio of the second difference to the first difference is used as the normalization coefficient.
  • a third difference between the risk value corresponding to the impact factor and the minimum risk value can be calculated, and the product of the third difference and the normalized coefficient can be calculated.
  • the sum of the product and the minimum value of the interval may be used as the risk value corresponding to the normalized impact factor.
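Written out with the symbols defined above, the three steps amount to the min-max mapping below (added here as a worked equation; the page's own rendered formula is not reproduced in the text):

$$y_i = y_{\min} + \frac{y_{\max} - y_{\min}}{R_{\max} - R_{\min}}\,(R_i - R_{\min})$$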
  • the risk value corresponding to each normalized impact factor can be weighted and summed, and the result of the weighted summation can be used as the risk coefficient of the target IP address at the current moment. The weight value of each impact factor can also be flexibly set according to the actual application.
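The per-factor risk values, min-max normalization and weighted sum of step S1, as an added Python example (not code from the patent or its assignee). The access records, the industry and time-period weights, the factor weights and the external-intelligence preset value are all constructed assumptions, and the "attacks" used in the industry and time-rule ratios are taken to be the requests flagged with attack behavior.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed one-day access log for the example (not data from the patent):
# (source IP, hour of day, industry label of the accessed site, detected attack type or None).
RECORDS: List[Tuple[str, int, str, Optional[str]]] = [
    ("203.0.113.7", 20, "finance", "sqli"),
    ("203.0.113.7", 21, "finance", "xss"),
    ("203.0.113.7", 23, "finance", "brute_force"),
    ("203.0.113.7", 1, "gaming", "sqli"),
    ("203.0.113.7", 10, "finance", None),
    ("203.0.113.7", 11, "ecommerce", None),
    ("203.0.113.9", 3, "gaming", "xss"),
    ("203.0.113.9", 4, "gaming", None),
    ("198.51.100.4", 9, "transport", "brute_force"),
]

# Assumed weights; the patent leaves all of these to the deployment.
INDUSTRY_WEIGHT = {"government": 1.0, "finance": 1.0, "transport": 0.7, "ecommerce": 0.6, "gaming": 0.4}
# Time periods as (start_hour, end_hour, weight); the first one wraps past midnight.
TIME_PERIODS = [(19, 2, 0.5), (2, 9, 0.2), (9, 19, 0.3)]
FACTOR_WEIGHT = {"attack_degree": 0.2, "industry": 0.2, "time_rule": 0.2,
                 "attack_share": 0.2, "external_intel": 0.2}
INTEL_PRESET = 0.8  # preset value used when external intelligence flags the address


def _ratio(num: float, den: float) -> float:
    """Safe ratio: an IP with no traffic (or no attacks) contributes zero risk."""
    return num / den if den else 0.0


def in_period(hour: int, start: int, end: int) -> bool:
    """True if hour lies in [start, end), handling periods that wrap past midnight."""
    return start <= hour < end if start < end else (hour >= start or hour < end)


def factor_risks(ip: str, records, intel: Dict[str, List[str]]) -> Dict[str, float]:
    """Raw risk value of each influencing factor for one IP over the selected records."""
    mine = [r for r in records if r[0] == ip]
    my_attacks = [r for r in mine if r[3] is not None]
    all_attacks = [r for r in records if r[3] is not None]

    # Attack degree: attacking requests / all requests of this IP.
    attack_degree = _ratio(len(my_attacks), len(mine))

    # Industry distribution: weighted sum over industries of (attacks on industry / all attacks by IP).
    by_industry = Counter(r[2] for r in my_attacks)
    industry = sum(INDUSTRY_WEIGHT.get(ind, 0.0) * _ratio(n, len(my_attacks))
                   for ind, n in by_industry.items())

    # Time rule: per period, (this IP's attacks in period / everyone's attacks in all periods) * weight.
    time_rule = sum(w * _ratio(sum(1 for r in my_attacks if in_period(r[1], s, e)), len(all_attacks))
                    for s, e, w in TIME_PERIODS)

    # Attack proportion: this IP's attacks / all attacks seen from every IP.
    attack_share = _ratio(len(my_attacks), len(all_attacks))

    # External intelligence: preset value only when a malicious tag/domain/link is associated, else 0.
    external = INTEL_PRESET if intel.get(ip) else 0.0

    return {"attack_degree": attack_degree, "industry": industry, "time_rule": time_rule,
            "attack_share": attack_share, "external_intel": external}


def normalize(risks: Dict[str, float], y_min: float = 0.0, y_max: float = 1.0) -> Dict[str, float]:
    """Min-max mapping of the factor values onto [y_min, y_max], as the page describes:
    y_i = y_min + (y_max - y_min) / (R_max - R_min) * (R_i - R_min)."""
    r_max, r_min = max(risks.values()), min(risks.values())
    if r_max == r_min:  # all factors equal: the formula would divide by zero
        return {k: y_min for k in risks}
    coef = (y_max - y_min) / (r_max - r_min)
    return {k: y_min + coef * (v - r_min) for k, v in risks.items()}


def current_risk(ip: str, records=RECORDS, intel=None) -> float:
    """Risk coefficient of one IP at the current moment: weighted sum of normalized factor values."""
    norm = normalize(factor_risks(ip, records, intel or {}))
    return sum(FACTOR_WEIGHT[k] * v for k, v in norm.items())


if __name__ == "__main__":
    intel = {"203.0.113.7": ["botnet"]}  # constructed external-intelligence feed
    for ip in sorted({r[0] for r in RECORDS}):
        print(ip, round(current_risk(ip, RECORDS, intel), 4))
```

Because the page normalizes across the factors of one address, the largest factor of every address maps to 1 and the smallest to 0; a deployment that wants comparable scores across addresses would normalize each factor across addresses instead.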
  • S3 Identify the target network segment where the target IP address is located, and calculate the risk coefficient of the target network segment according to the risk coefficient of each IP address in the target network segment at the current moment; and determine the historical trend risk coefficient of the target IP address according to the risk coefficient of the target IP address at each moment.
  • the risk factor of a single IP address at the current moment can be obtained.
  • the target network segment where the target IP address is located can be identified according to the actual value of the target IP address, and the target network segment may be, for example, a class C network segment.
  • the risk coefficient of each IP address at the current moment can be calculated by the method of step S1. Then, the average value of the risk coefficient of each IP address in the target network segment at the current moment may be calculated, and the average value may be used as the risk coefficient of the target network segment.
  • the observation interval of the target IP address can be lengthened, so as to synthesize the historical data of the target IP address to obtain the historical trend risk coefficient of the target IP address.
  • the historical observation interval may be determined in advance; it may be, for example, the period from the current moment back to one week earlier, and then the risk coefficient of the target IP address at each moment in the historical observation interval can be read in turn.
  • the risk coefficient at each moment can be determined according to the actual calculation cycle.
  • the risk coefficient of the target IP address can be calculated based on daily user data, so the risk coefficient at each time mentioned above can refer to the daily risk coefficient. In this way, 7 risk factors within a week can be read.
  • in the formula for the historical trend risk coefficient, Rh represents the historical trend risk coefficient of the target IP address
  • T represents the total number of moments in the historical observation interval
  • t represents the t-th moment counted back from the current moment
  • 2^-t represents the reference weight corresponding to moment t
  • R_t represents the risk coefficient at moment t.
  • S5 Based on the risk coefficient of the target IP address at the current moment, the risk coefficient of the target network segment, and the historical trend risk coefficient of the target IP address, determine the comprehensive risk coefficient of the target IP address, so that whether the target IP address has attack behavior is determined according to the comprehensive risk coefficient.
  • after the risk coefficient of the target IP address at the current moment, the risk coefficient of the target network segment, and the historical trend risk coefficient of the target IP address have been calculated separately, each of the three is multiplied by its respective weight coefficient and the products are summed, and the sum is used as the comprehensive risk coefficient of the target IP address.
  • the sum of the weight coefficients of the three coefficients can be 1, and the specific weight coefficient can be flexibly set according to actual application scenarios. In this way, the comprehensive risk coefficient obtained by combining the three risk coefficients can accurately characterize the potential risk of the target IP address to the entire network or a specified industry.
  • the various risk coefficients mentioned above can be calculated for the entire network or for specified industries in practical applications. Specifically, if the above-mentioned risk coefficients are to be calculated for the entire network, the overall user data covering every industry is used; if the risk of the target IP address to a specific industry is to be assessed, only the user data of the specified industry may be used, and the user data of other industries need not be considered.
  • the advantage of this treatment is that some attacks have obvious industry characteristics, but when viewed from the entire network, such attacks may be submerged in a large amount of data. Only when the user data of the designated industry is analyzed separately, can the harmfulness of this kind of attack be reflected.
  • if the risk coefficient of the target IP address at the current moment characterizes the risk to the entire network, then the risk coefficient of the target network segment and the historical trend risk coefficient of the target IP address also both characterize the risk to the entire network; if the risk coefficient of the target IP address at the current moment characterizes the risk to the specified industry, then the risk coefficient of the target network segment and the historical trend risk coefficient of the target IP address both characterize the risk of the target IP address to the specified industry.
  • once the comprehensive risk coefficient of the target IP address is obtained, whether the target IP address is an IP address with attack behavior can be determined according to a preset threshold strategy. For example, if the comprehensive risk factor of the target IP address is higher than a certain preset threshold, it can be determined that the target IP address has attack behavior and the target IP address needs to be added to the blacklist database; if the comprehensive risk factor of the target IP address is not higher than the preset threshold, it can be determined that the target IP address has no attack behavior, and there is no need to add the target IP address to the blacklist database.
  • a risk coefficient decay mechanism can be added to gradually decay the risk coefficient of the IP address that has not been updated.
  • the risk factor can be attenuated according to a specified time period, and the value after the attenuation process can be used as the new risk factor to replace the one before the attenuation process.
  • the specified time period may be, for example, one hour or half an hour, and it can be flexibly set according to actual conditions.
  • the risk factor of the target IP address at the current moment can be attenuated according to the following formula:
  • Rnew is the risk coefficient after attenuation
  • Rold is the risk coefficient before attenuation
  • the attenuation coefficient (its symbol is garbled in the source) is greater than 0 and less than 1.
  • if the risk factor of the target IP address has not been updated, it continues to attenuate according to the above formula; if the risk factor of the target IP address at the current moment is updated, the updated risk factor replaces the previous value.
  • the attenuation of the risk factor is not limited to the above formula.
  • the IP addresses in the blacklist database can be dynamically updated. Specifically, if the target IP address is determined to have attack behavior before the attenuation process or update, the target IP address can be added to the blacklist, but if after the attenuation process or update the target IP address is determined to have no attack behavior, the target IP address can be removed from the blacklist, so as to maintain the accuracy of the blacklist database.
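Steps S3 and S5 together with the decay and blacklist maintenance just described, as an added Python example (not the patent's own code). The per-IP current-moment coefficients, the week of daily coefficients, the three weights, the threshold and the attenuation coefficient are constructed assumptions; the historical trend is taken as the plain sum of 2^-t times R_t, and decay as R_new = alpha * R_old once per period without new data.

```python
import ipaddress
from typing import Dict, List

# Constructed inputs (not data from the patent): today's current-moment risk coefficient of
# every observed IP address, and each target's daily coefficients over the past week
# (oldest first; the last entry is today).
CURRENT_RISK: Dict[str, float] = {
    "203.0.113.7": 0.64, "203.0.113.9": 0.44, "203.0.113.20": 0.10, "198.51.100.4": 0.30,
}
HISTORY: Dict[str, List[float]] = {
    "203.0.113.7": [0.05, 0.10, 0.20, 0.35, 0.50, 0.60, 0.64],
    "198.51.100.4": [0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.30],
}

# Assumed parameters: weights of the three coefficients (they sum to 1), the decision
# threshold, and the per-period attenuation coefficient (between 0 and 1).
W_CURRENT, W_SEGMENT, W_HISTORY = 0.5, 0.2, 0.3
THRESHOLD = 0.5
ALPHA = 0.9


def segment_of(ip: str) -> ipaddress.IPv4Network:
    """Class C (/24) network segment containing the address."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def segment_risk(ip: str, current: Dict[str, float]) -> float:
    """Average of the current-moment risk of every observed IP in the target's segment."""
    seg = segment_of(ip)
    members = [v for other, v in current.items() if ipaddress.ip_address(other) in seg]
    return sum(members) / len(members) if members else 0.0


def history_risk(daily: List[float]) -> float:
    """Historical trend coefficient: sum over t = 1..T of 2^-t * R_t, with t = 1 the most
    recent day. The page defines these symbols but does not reproduce the formula, so the
    plain weighted sum (no renormalization of the weights) is an assumption here."""
    return sum(r_t / 2 ** t for t, r_t in enumerate(reversed(daily), start=1))


def comprehensive_risk(ip: str, current: Dict[str, float], history: Dict[str, List[float]]) -> float:
    """Weighted sum of the three coefficients; a target with no stored history gets only today's value."""
    daily = history.get(ip, [current[ip]])
    return (W_CURRENT * current[ip] + W_SEGMENT * segment_risk(ip, current)
            + W_HISTORY * history_risk(daily))


def has_attack_behaviour(score: float) -> bool:
    """Preset-threshold decision strategy."""
    return score > THRESHOLD


def decay(r_old: float, periods: int) -> float:
    """R_new = alpha * R_old, applied once per elapsed period in which the IP got no new data."""
    return r_old * ALPHA ** periods


def age_scores(current: Dict[str, float], periods: int) -> Dict[str, float]:
    """Attenuate every stored current-moment coefficient that has not been updated."""
    return {ip: decay(v, periods) for ip, v in current.items()}


def update_blacklist(blacklist: set, ip: str, score: float) -> set:
    """Add the IP when its score crosses the threshold, drop it when decay or a fresh
    evaluation brings it back below, so the blacklist stays current."""
    updated = set(blacklist)
    if has_attack_behaviour(score):
        updated.add(ip)
    else:
        updated.discard(ip)
    return updated


if __name__ == "__main__":
    blacklist: set = set()
    for ip in CURRENT_RISK:
        blacklist = update_blacklist(blacklist, ip, comprehensive_risk(ip, CURRENT_RISK, HISTORY))
    print("after evaluation:", sorted(blacklist))
    aged = age_scores(CURRENT_RISK, 10)  # ten periods with no new data for anyone
    for ip in aged:
        blacklist = update_blacklist(blacklist, ip, comprehensive_risk(ip, aged, HISTORY))
    print("after decay:", sorted(blacklist))
```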
  • this application also provides an IP address evaluation system, the system includes:
  • the single-IP-address risk determination unit is used to obtain user data and determine the risk coefficient of the target IP address at the current moment according to the user data, where the risk coefficient characterizes the risk that the target IP address poses to the entire network or a specified industry at the current moment;
  • the target network segment risk determination unit is used to identify the target network segment where the target IP address is located, and calculate the risk coefficient of the target network segment according to the risk coefficient of each IP address in the target network segment at the current moment;
  • the historical risk determination unit is configured to determine the historical trend risk coefficient of the target IP address according to the risk coefficient of the target IP address at each moment;
  • the attack determination unit is configured to determine the comprehensive risk coefficient of the target IP address based on the risk coefficient of the target IP address at the current moment, the risk coefficient of the target network segment, and the historical trend risk coefficient of the target IP address, and to determine whether the target IP address has attack behavior according to the comprehensive risk coefficient.
  • an embodiment of the present application also provides an IP address evaluation device; the device includes a processor and a memory, the memory stores a computer program, and when the computer program is executed by the processor the above-mentioned IP address evaluation method is implemented.
  • the memory may include a physical device for storing information, which is usually digitized and then stored in a medium using electrical, magnetic, or optical methods.
  • the memory described in this embodiment may also include: a device that uses electrical energy to store information, such as RAM or ROM; a device that uses magnetic energy to store information, such as a hard disk, floppy disk, magnetic tape, magnetic core memory, bubble memory, or U disk; a device that uses optical means to store information, such as a CD or DVD.
  • there are also other types of memory, such as quantum memory or graphene memory.
  • the processor can be implemented in any suitable manner.
  • the processor may take the form of, for example, a microprocessor or processor together with a computer-readable medium storing computer-readable program code (for example, software or firmware) executable by the (micro)processor, logic gates, switches, an application-specific integrated circuit (ASIC), a programmable logic controller, an embedded microcontroller, etc.
  • the embodiments of the present invention can be provided as a method, a system, or a computer program product. Therefore, the present invention may adopt a form of a complete hardware implementation, a complete software implementation, or a combination of software and hardware implementations. Moreover, the present invention may adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes.
  • computer-usable storage media including but not limited to disk storage, CD-ROM, optical storage, etc.
  • These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including the instruction device.
  • the device implements the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
  • These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so as to execute on the computer or other programmable equipment.
  • the instructions provide steps for implementing the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
  • the computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • processors CPUs
  • input/output interfaces network interfaces
  • memory volatile and non-volatile memory
  • the memory may include non-permanent memory in a computer readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer readable media.
  • RAM random access memory
  • ROM read-only memory
  • flash RAM flash memory
  • Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage can be realized by any method or technology.
  • the information can be computer-readable instructions, data structures, program modules, or other data.
  • Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, CD-ROM, digital versatile disc (DVD) or other optical storage, Magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices or any other non-transmission media can be used to store information that can be accessed by computing devices. According to the definition in this article, computer-readable media does not include transitory media, such as modulated data signals and carrier waves.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses a method, system and device for evaluating an IP address. The method includes: obtaining user data and, based on the user data, determining the risk coefficient of a target IP address at the current moment; identifying the target network segment in which the target IP address is located and, based on the risk coefficients of the individual IP addresses in the target network segment at the current moment, computing the risk coefficient of the target network segment; determining the historical trend risk coefficient of the target IP address based on its risk coefficients at the individual moments; and, based on the risk coefficient of the target IP address at the current moment, the risk coefficient of the target network segment and the historical trend risk coefficient of the target IP address, determining a composite risk coefficient of the target IP address, so as to judge from the composite risk coefficient whether the target IP address exhibits attack behaviour. The technical solution provided by the present application can accurately identify malicious IP addresses and thereby improve the effectiveness of network security protection.

Description

Method, system and device for evaluating an IP address
Technical Field
The present invention relates to the field of data processing technology, and in particular to a method, system and device for evaluating an IP address.
Background
At present, with the rapid development of new-generation information technologies such as the mobile Internet, big data, cloud computing and artificial intelligence, services and applications built around networks and data are growing explosively, and the rich application scenarios expose more and more network security risks and problems. For example, the ransomware attacks, cross-border telecom fraud, data breaches and online violence that have occurred frequently in recent years pose enormous challenges to the development and governance of the Internet. How to judge whether a visiting IP address is malicious has become an urgent problem.
There are currently many public IP address blacklists on the Internet, and the IP addresses listed in them have all engaged in attack behaviour of one kind or another at some point. These blacklists can therefore be used to identify malicious IP addresses. However, they are usually poorly maintained and managed, so the IP addresses in them may be inaccurate or incomplete, which makes network security protection less effective. In view of this, a more effective IP address evaluation method is needed.
Summary
The aim of the present application is to provide a method, system and device for evaluating an IP address that can accurately identify malicious IP addresses and thereby improve the effectiveness of network security protection.
To achieve the above aim, one aspect of the present application provides a method for evaluating an IP address, the method including: obtaining user data and, based on the user data, determining the risk coefficient of a target IP address at the current moment, where the risk coefficient characterises the risk the target IP address poses at the current moment to the whole network or to a specified industry; identifying the target network segment in which the target IP address is located and, based on the risk coefficients of the individual IP addresses in the target network segment at the current moment, computing the risk coefficient of the target network segment; and determining the historical trend risk coefficient of the target IP address based on its risk coefficients at the individual moments; and, based on the risk coefficient of the target IP address at the current moment, the risk coefficient of the target network segment and the historical trend risk coefficient of the target IP address, determining the composite risk coefficient of the target IP address, so as to judge from the composite risk coefficient whether the target IP address exhibits attack behaviour.
To achieve the above aim, another aspect of the present application provides a system for evaluating an IP address, the system including: a single-IP-address risk determination unit, configured to obtain user data and, based on the user data, determine the risk coefficient of a target IP address at the current moment, where the risk coefficient characterises the risk the target IP address poses at the current moment to the whole network or to a specified industry; a target network segment risk determination unit, configured to identify the target network segment in which the target IP address is located and, based on the risk coefficients of the individual IP addresses in the target network segment at the current moment, compute the risk coefficient of the target network segment; a historical risk determination unit, configured to determine the historical trend risk coefficient of the target IP address based on its risk coefficients at the individual moments; and an attack judgement unit, configured to determine the composite risk coefficient of the target IP address based on its risk coefficient at the current moment, the risk coefficient of the target network segment and its historical trend risk coefficient, so as to judge from the composite risk coefficient whether the target IP address exhibits attack behaviour.
To achieve the above aim, another aspect of the present application provides a device for evaluating an IP address, the device including a processor and a memory, the memory being used to store a computer program which, when executed by the processor, implements the method for evaluating an IP address described above.
As can be seen from the above, the technical solution provided by one or more embodiments of the present application can comprehensively evaluate, from multiple dimensions, whether an IP address exhibits attack behaviour. Specifically, from recent user data, the risk coefficient of the target IP address to be evaluated at the current moment can be determined, and this risk coefficient can be expressed with respect to the whole network or to a specified industry. In addition, the overall risk of the network segment in which the target IP address is located also indirectly reflects the degree of risk of the target IP address, so the overall risk coefficient of the target network segment can be computed from the risk coefficients of the individual IP addresses in that segment. Furthermore, some IP addresses may be exploited only briefly to produce attack behaviour while being of little harm in the long run; to assess the harmfulness of an IP address accurately, the risk coefficients of the target IP address at different moments can be consulted and combined to determine its historical trend risk coefficient. Finally, the three different risk coefficients above can be integrated into a composite risk coefficient for evaluating the target IP address, which can be used to judge whether the target IP address exhibits attack behaviour. Combining data from multiple dimensions to evaluate the target IP address in this way improves the accuracy of the evaluation and thereby the effectiveness of network security protection.
Brief Description of the Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Figure 1 is a schematic diagram of the architecture of the IP address evaluation system in an embodiment of the present invention;
Figure 2 is a schematic diagram of the steps of the IP address evaluation method in an embodiment of the present invention;
Figure 3 is a flowchart of the IP address evaluation method in an embodiment of the present invention;
Figure 4 is a schematic diagram of the functional modules of the IP address evaluation system in an embodiment of the present invention;
Figure 5 is a schematic diagram of the structure of the IP address evaluation device in an embodiment of the present invention.
Detailed Description
To make the aims, technical solutions and advantages of the present application clearer, the technical solutions of the present application are described clearly and completely below with reference to its specific embodiments and the corresponding drawings. Obviously, the embodiments described are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present application without creative effort fall within the scope of protection of the present application.
The present application provides a method for evaluating an IP address, which can be applied in the system architecture shown in Figure 1. The system may include user clients, a cloud big-data centre, an analysis and computation cluster, cloud security protection nodes and origin servers. Access data from a user client first passes through a cloud security protection node, which can detect the access data the user client initiates; this access data may include normal access data as well as access data carrying attack behaviour. For example, attack behaviour such as SQL injection, brute-force cracking and XSS (Cross Site Scripting) can be detected. The access data can be uploaded to the cloud big-data centre, where it can be pre-processed by data cleaning, format conversion and the like. Specifically, the access data can be deduplicated, desensitised and stripped of unnecessary dimensions, then classified and aggregated to obtain usable analysis data. After data cleaning, data in different formats can also be converted to a uniform format, for example JSON, to facilitate subsequent processing. Of course, the specific data format used may depend on the actual development situation and is not restricted here.
In this embodiment, the data produced by the cloud big-data centre can be fed into the analysis and computation cluster, which evaluates the degree of risk of each IP address and can then build an IP address blacklist. Finally, the constructed blacklist can be delivered to each cloud security protection node. Data from a cloud security protection node can be passed to the origin server and then to the user client, or passed directly to the user client, so that the protection node can monitor and intercept data from the IP addresses in the blacklist.
Referring to Figures 2 and 3, the method for evaluating an IP address provided in one embodiment of the present application may include the following steps.
S1: obtain user data and, based on the user data, determine the risk coefficient of the target IP address at the current moment, where the risk coefficient characterises the risk the target IP address poses at the current moment to the whole network or to a specified industry.
In this embodiment, the user data may be data uploaded by the cloud security protection nodes. It may include normal access data as well as detected data carrying attack behaviour. Specifically, the data may include the access time, the attack type, the IP address of the user client, the MAC address of the user client, the device fingerprint of the user client, the geographic location of the user client, the URL (Uniform Resource Locator) accessed, the industry classification of the accessed address, and so on. The cloud security protection nodes can upload user data periodically, so that user data for different periods is available in the cloud big-data centre. To distinguish the harm different IP addresses do to different industries, the industry types can be divided into government agencies, finance, transport, games, e-commerce, government affairs and so on; a label characterising the industry type can also be carried in the uploaded user data, so that the user data can be further classified and managed on the basis of that label.
In this embodiment, after the user data has been obtained, the user data of the target IP address to be evaluated from the most recent period can be selected for analysis, to keep the evaluation timely, and the risk coefficient of the target IP address at the current moment determined from it. For example, the user data of the most recent day can be selected to compute the risk coefficient of the target IP address.
In practice, the risk coefficient of the target IP address at the current moment can be determined from several influencing factors combined. Specifically, the influencing factors corresponding to the target IP address can be determined in advance; they may include, for example, the attack degree, the industry distribution, the time pattern, the attack share and the external intelligence risk. For each influencing factor, the risk value corresponding to that factor at the current moment can be computed separately.
For example, to compute the risk value for the attack degree, the number of access requests from the target IP address that exhibit attack behaviour and the total number of access requests from the target IP address can be counted from the selected user data, where the total includes both normal access requests and access requests carrying attack behaviour. The ratio of the number of attack requests to the total number of access requests can then be taken as the attack degree risk value of the target IP address.
As another example, to compute the risk value for the industry distribution, the target industry to be analysed can be determined, for example the finance industry. Then, using the industry type labels carried in the user data, the number of access requests from the target IP address that exhibit attack behaviour against the target industry can be counted, together with the total number of attacks by the target IP address under analysis against all industries, and the ratio of the former to the latter computed; this ratio characterises the degree to which the target IP address attacks the target industry. A ratio of this kind can be computed for every industry. At the same time, a weight can be assigned to each industry in advance, and the product of each industry's ratio and its weight taken as that industry's distribution risk coefficient. The weight of each industry can be decided according to the degree of harm caused when that industry is attacked; of course, in practice other ways of determining the industry weights may be used, and the present application places no restriction on this. Finally, the sum of the distribution risk coefficients of all industries can be taken as the industry distribution risk value of the target IP address. The above process can be expressed by the formula:
$$R_{12} = \sum_{i=1}^{S} \lambda_i I_i$$
(formula image PCTCN2019123010-appb-000001)
where $R_{12}$ is the industry distribution risk value of the target IP address, $S$ is the total number of industries, $\lambda_i$ is the weight of the $i$-th industry, and $I_i$ is the ratio computed for the $i$-th industry.
As another example, to compute the risk value for the time pattern, the time periods to be analysed can be determined in advance. For example, a day can be divided into three time periods, which then serve as the periods to be analysed. Then the attack coefficient of the target IP address in each period can be computed; the attack coefficient characterises the ratio of the number of attacks by the target IP address in the current period to the total number of attacks in all periods, where the total number of attacks in all periods means the sum of the attack counts of all IP addresses across all periods. At the same time, a weight can be assigned to each period, and finally the product of the attack coefficient and the corresponding weight taken as the pattern risk coefficient of the period, and the sum of the pattern risk coefficients of all periods taken as the pattern risk value of the target IP address. The weights of the different periods can be determined from the total volume of data access in each period. For example, data access is high between 7 p.m. and 2 a.m., so that period can be given a higher weight, while data access is low between 2 a.m. and 9 a.m., so that period can be given a lower weight. Of course, in practice other ways of determining the period weights may be used, and the present application places no restriction on this.
As another example, to compute the risk value for the attack share, the number of access requests from the target IP address that exhibit attack behaviour and the total number of access requests from all IP addresses that exhibit attack behaviour can be counted, and the ratio of the former to the latter taken as the attack share risk value of the target IP address. The larger the attack share risk value, the more pronounced the aggressiveness of the IP address and the higher its risk.
As another example, to compute the risk value for the external intelligence risk, external intelligence can be consulted. However, because external intelligence may contain false positives, it cannot be adopted directly, but it can serve as one reference criterion. Specifically, external intelligence can be used to judge whether the target IP address exhibits malicious behaviour, and the risk value for the external intelligence risk set to different values according to the outcome. For example, if the target IP address carries a malicious tag and is associated with a malicious domain name or a malicious access link, the external intelligence risk value of the target IP address can be set to a nonzero preset value; this preset value can be set flexibly according to the application scenario or derived from analysis of historical data, and is not specially restricted here. The malicious tag may be a tag characterising undesirable behaviour such as botnet membership or cryptomining. The malicious domain names and malicious access links may be domain names and links compiled by network protection software. If the target IP address does not carry a malicious tag, or is not associated with a malicious domain name or malicious access link, its external intelligence risk value can be set to zero.
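The five factor risk values described above, computed over constructed sample records, as an added example that is not code from the patent. The record layout, the industry and time-slot weights, the preset external-intelligence value and the sample addresses are all assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data (not from the patent): one day of access records as a cloud protection
# node would upload them. "attack" is None for normal traffic, otherwise the detected attack type.
RECORDS = [
    {"time": "2019-11-14T20:05:00", "ip": "203.0.113.7", "attack": "sqli", "industry": "finance"},
    {"time": "2019-11-14T20:30:00", "ip": "203.0.113.7", "attack": "sqli", "industry": "finance"},
    {"time": "2019-11-14T21:00:00", "ip": "203.0.113.7", "attack": "bruteforce", "industry": "government"},
    {"time": "2019-11-14T03:00:00", "ip": "203.0.113.7", "attack": None, "industry": "finance"},
    {"time": "2019-11-14T10:00:00", "ip": "203.0.113.7", "attack": "xss", "industry": "ecommerce"},
    {"time": "2019-11-14T22:00:00", "ip": "198.51.100.9", "attack": "xss", "industry": "game"},
    {"time": "2019-11-14T12:00:00", "ip": "198.51.100.9", "attack": None, "industry": "ecommerce"},
    {"time": "2019-11-14T04:00:00", "ip": "192.0.2.33", "attack": "bruteforce", "industry": "transport"},
]

# Constructed industry weights; the patent says they reflect the harm done when that industry is hit.
INDUSTRY_WEIGHTS = {"government": 1.0, "finance": 0.9, "transport": 0.7, "ecommerce": 0.6, "game": 0.4}

# Three daily slots as in the patent's example, as (start_hour, end_hour, weight). Weights are
# constructed following its rationale: 19:00-02:00 carries the most traffic, 02:00-09:00 the least.
TIME_SLOTS = {"evening": (19, 2, 0.5), "night": (2, 9, 0.2), "day": (9, 19, 0.3)}

# Preset external-intelligence risk value (the patent leaves the actual number to the deployment).
EXTERNAL_INTEL_PRESET = 1.0


def _in_slot(hour, start, end):
    """True if hour lies in [start, end); a slot may wrap past midnight."""
    return start <= hour < end if start < end else (hour >= start or hour < end)

def attack_degree(records, ip):
    """Attack requests of ip / all requests of ip (0 if ip sent no requests at all)."""
    own = [r for r in records if r["ip"] == ip]
    return sum(r["attack"] is not None for r in own) / len(own) if own else 0.0

def industry_distribution(records, ip, weights=INDUSTRY_WEIGHTS):
    """Sum over industries of weight * (ip's attacks on that industry / ip's attacks overall)."""
    own_attacks = [r for r in records if r["ip"] == ip and r["attack"] is not None]
    if not own_attacks:
        return 0.0
    per_industry = Counter(r["industry"] for r in own_attacks)
    return sum(weights.get(ind, 0.0) * n / len(own_attacks) for ind, n in per_industry.items())

def time_pattern(records, ip, slots=TIME_SLOTS):
    """Sum over slots of weight * (ip's attacks in the slot / attacks by all IPs in all slots)."""
    all_attacks = [r for r in records if r["attack"] is not None]
    if not all_attacks:
        return 0.0
    total = 0.0
    for start, end, weight in slots.values():
        hits = sum(1 for r in all_attacks if r["ip"] == ip
                   and _in_slot(datetime.fromisoformat(r["time"]).hour, start, end))
        total += weight * hits / len(all_attacks)
    return total

def attack_share(records, ip):
    """ip's attack requests / attack requests of all IPs."""
    all_attacks = [r for r in records if r["attack"] is not None]
    if not all_attacks:
        return 0.0
    return sum(r["ip"] == ip for r in all_attacks) / len(all_attacks)

def external_intel_risk(intel, preset=EXTERNAL_INTEL_PRESET):
    """Nonzero only when a malicious tag AND a malicious domain or link are both present."""
    if intel.get("tags") and (intel.get("malicious_domains") or intel.get("malicious_links")):
        return preset
    return 0.0

def factor_risks(records, ip, intel):
    """All five pre-normalisation factor risk values the patent lists, keyed by factor name."""
    return {
        "attack_degree": attack_degree(records, ip),
        "industry_distribution": industry_distribution(records, ip),
        "time_pattern": time_pattern(records, ip),
        "attack_share": attack_share(records, ip),
        "external_intel": external_intel_risk(intel),
    }


if __name__ == "__main__":
    intel = {"tags": ["botnet"], "malicious_domains": ["bad.example"]}  # constructed
    for name, value in factor_risks(RECORDS, "203.0.113.7", intel).items():
        print(f"{name:22s} {value:.4f}")
```

The values are deliberately left on their native scales (the attack share and industry distribution here are ratios, the intelligence value a preset); the normalisation described next is what puts them on a common interval.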
By the above means, the risk value of each influencing factor can be determined separately. Because the risk values have different numeric ranges, some are likely to be large and others small, so that the small values may be swamped by the large ones and the analysis result becomes imprecise. In view of this, normalisation can be used to map the risk values into the same numeric interval. Specifically, the maximum risk value and the minimum risk value among the risk values of the influencing factors can be identified, and the interval maximum and interval minimum of the target interval to be mapped into obtained. Then, for the risk value of any influencing factor, it can be normalised into the target interval on the basis of the maximum risk value, minimum risk value, interval maximum and interval minimum. In practice, normalisation can be carried out according to the following formula:
$$y_i = y_{min} + \frac{(R_i - R_{min})\,(y_{max} - y_{min})}{R_{max} - R_{min}}$$
(formula image PCTCN2019123010-appb-000002)
where $y_i$ is the normalised risk value of the $i$-th influencing factor, $y_{min}$ is the interval minimum, $y_{max}$ is the interval maximum, $R_{max}$ is the maximum risk value, $R_{min}$ is the minimum risk value, and $R_i$ is the risk value of the $i$-th influencing factor before normalisation.
As can be seen from the above, a first difference between the maximum risk value and the minimum risk value can be computed, and a second difference between the interval maximum and the interval minimum, with the ratio of the second difference to the first difference serving as the normalisation coefficient. Then a third difference between the risk value of the influencing factor and the minimum risk value can be computed, and the product of the third difference and the normalisation coefficient. Finally, the sum of that product and the interval minimum can be taken as the normalised risk value of the influencing factor.
After the normalised risk value of each influencing factor has been obtained, the normalised risk values of the influencing factors can be summed with weights, and the weighted sum taken as the risk coefficient of the target IP address at the current moment. The weight of each influencing factor can also be set flexibly according to the actual application.
S3: identify the target network segment in which the target IP address is located and, based on the risk coefficients of the individual IP addresses in the target network segment at the current moment, compute the risk coefficient of the target network segment; and, based on the risk coefficients of the target IP address at the individual moments, determine the historical trend risk coefficient of the target IP address.
Through step S1, the risk coefficient of a single IP address at the current moment can be obtained. In this embodiment, consideration is given to the fact that when a botnet launches an attack it usually spreads the attack source over many addresses, even over a vast network of them, and these attack sources are often located in the same network segment. The risk coefficients of the other IP addresses in the segment in which the target IP address is located therefore usually also influence the risk coefficient of the target IP address. In view of this, the target network segment in which the target IP address is located can be identified from the actual value of the target IP address; the target segment may, for example, be a class C segment. For each IP address in the target segment, its risk coefficient at the current moment can be computed in the manner of step S1. Then the average of the risk coefficients at the current moment of the IP addresses in the target segment can be computed and taken as the risk coefficient of the target segment.
In this embodiment, to improve the accuracy of the evaluation of the target IP address, the observation window for the target IP address can be lengthened so that its historical data is combined into a historical trend risk coefficient. Specifically, a historical observation interval can be determined in advance, for example the week preceding the most recent moment, and then the risk coefficients of the target IP address at each moment in the historical observation interval read in turn. The risk coefficient at each moment can be determined according to the actual computation cycle: for example, if the risk coefficient of the target IP address is computed from each day's user data, the risk coefficient at each moment means the daily risk coefficient, so seven risk coefficients are read for one week. Because data further from the current moment is of less reference value, the risk coefficients at the different moments can be given different reference weights, with the weight decreasing the further the moment is from the current moment. Then the product of the risk coefficient at each moment and the corresponding reference weight can be computed and the products accumulated, the accumulated result serving as the historical trend risk coefficient of the target IP address.
In practice, the above computation of the historical trend risk coefficient can be expressed by the following formula:
$$R_h = \sum_{t=1}^{T} 2^{-t} R_t$$
(formula image PCTCN2019123010-appb-000003)
where $R_h$ is the historical trend risk coefficient of the target IP address, $T$ is the total number of moments in the historical observation interval, $t$ denotes the $t$-th moment counting back from the current moment, $2^{-t}$ is the reference weight corresponding to moment $t$, and $R_t$ is the risk coefficient at moment $t$.
S5: based on the risk coefficient of the target IP address at the current moment, the risk coefficient of the target network segment and the historical trend risk coefficient of the target IP address, determine the composite risk coefficient of the target IP address, so as to judge from the composite risk coefficient whether the target IP address exhibits attack behaviour.
In this embodiment, after the risk coefficient of the target IP address at the current moment, the risk coefficient of the target network segment and the historical trend risk coefficient of the target IP address have each been computed, the three can be multiplied by their respective weight coefficients and accumulated, and the accumulated result taken as the composite risk coefficient of the target IP address. The three weight coefficients may sum to 1, and their specific values can be set flexibly according to the actual application scenario. The composite risk coefficient obtained by combining the three risk coefficients in this way can accurately characterise the potential risk the target IP address poses to the whole network or to a specified industry.
It should be noted that, in practice, each of the risk coefficients above can be computed with respect to either the whole network or a specified industry. Specifically, if the risk coefficients are to be computed for whole-network data, the overall user data covering all industries is used; if the risk the target IP address poses to a specified industry is to be evaluated, only the user data of that industry may be used and the user data of other industries disregarded. The benefit of this is that some attack behaviour has clear industry characteristics, and viewed across the whole network such behaviour may be swamped by the mass of data; only when the user data of the specified industry is analysed on its own does the harmfulness of that attack behaviour become apparent. Therefore, if the risk coefficient of the target IP address at the current moment characterises the risk to the whole network, the risk coefficient of the target network segment and the historical trend risk coefficient of the target IP address can both characterise the risk to the whole network as well; and if the risk coefficient of the target IP address at the current moment characterises the risk to a specified industry, the risk coefficient of the target network segment and the historical trend risk coefficient of the target IP address can both characterise the risk to that specified industry.
In this embodiment, after the composite risk coefficient of the target IP address has been determined, whether the target IP address is one that exhibits attack behaviour can be judged according to a preset threshold policy. For example, if the composite risk coefficient of the target IP address is above a preset threshold, the target IP address can be judged to exhibit attack behaviour and needs to be added to the blacklist; if the composite risk coefficient is not above the preset threshold, the target IP address can be judged not to exhibit attack behaviour and need not be added to the blacklist.
In one embodiment, if no new user data is produced for the target IP address over a long period, its risk coefficient cannot be updated, and as time passes the previously computed risk coefficient may no longer reflect the current risk state of the target IP address. Therefore, in this embodiment a decay mechanism for the risk coefficient can be added, to gradually decay the risk coefficients of IP addresses that have not been updated. Specifically, if the risk coefficient of the target IP address at the current moment has not been updated, the risk coefficient can be decayed once per specified time period, and the decayed value used as the new risk coefficient to replace the one before decay. The specified time period can be, for example, one hour or half an hour, and can be set flexibly according to the actual situation. In practice, the risk coefficient of the target IP address at the current moment can be decayed according to the following formula:
$$R_{new} = R_{old}\,(1 - \alpha)$$
where $R_{new}$ is the risk coefficient after decay, $R_{old}$ is the risk coefficient before decay, and $\alpha$ is a decay coefficient greater than 0 and less than 1.
If the risk coefficient of the target IP address is never updated, it keeps decaying according to the above formula; if the risk coefficient of the target IP address at the current moment is updated, the updated risk coefficient can replace the one before the update.
Subsequently, to stay in step with the decay mechanism, the IP addresses in the blacklist can be updated dynamically. Specifically, if the target IP address was judged to exhibit attack behaviour before the decay or update, it can be added to the blacklist; but if, after the decay or update, the target IP address is judged not to exhibit attack behaviour, it can be removed from the blacklist, so that the accuracy of the blacklist is maintained.
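Steps S1 to S5 from normalisation onward, together with the decay and blacklist maintenance just described, as an added example that is not code from the patent. The factor weights, target interval, composite weights, threshold, decay coefficient and the /24 segment size are assumptions, and the per-factor risk values are taken as already computed.

```python
import ipaddress

# Constructed parameters; the patent leaves every one of them to the deployment.
FACTOR_WEIGHTS = {"attack_degree": 0.3, "industry_distribution": 0.2, "time_pattern": 0.1,
                  "attack_share": 0.2, "external_intel": 0.2}
TARGET_INTERVAL = (0.0, 1.0)          # (y_min, y_max) for min-max normalisation
COMPOSITE_WEIGHTS = (0.5, 0.2, 0.3)   # current, segment, historical trend; they sum to 1
THRESHOLD = 0.5                       # composite risk above this => attack behaviour
DECAY_ALPHA = 0.1                     # 0 < alpha < 1, applied once per decay period


def normalize(risks, interval=TARGET_INTERVAL):
    """Min-max map each factor risk value R_i into [y_min, y_max] (the patent's y_i formula)."""
    y_min, y_max = interval
    r_min, r_max = min(risks.values()), max(risks.values())
    if r_max == r_min:  # the formula divides by R_max - R_min; identical factors all map to y_min
        return {k: y_min for k in risks}
    coeff = (y_max - y_min) / (r_max - r_min)
    return {k: y_min + (v - r_min) * coeff for k, v in risks.items()}

def current_risk(risks, weights=FACTOR_WEIGHTS):
    """Risk coefficient at the current moment: weighted sum of the normalised factor values."""
    norm = normalize(risks)
    return sum(weights[k] * norm[k] for k in norm)

def segment_risk(ip_risks, target_ip, prefix_len=24):
    """Mean current risk of every IP in the target's /24 (class C segment), target included."""
    net = ipaddress.ip_network(f"{target_ip}/{prefix_len}", strict=False)
    members = [r for ip, r in ip_risks.items() if ipaddress.ip_address(ip) in net]
    return sum(members) / len(members)

def historical_trend(past_risks):
    """R_h = sum_{t=1..T} 2^-t * R_t; past_risks[0] is the most recent past period."""
    return sum(r * 2.0 ** -t for t, r in enumerate(past_risks, start=1))

def composite_risk(current, segment, history, w=COMPOSITE_WEIGHTS):
    """Weighted sum of the three coefficients."""
    return w[0] * current + w[1] * segment + w[2] * history

def decay(risk, alpha=DECAY_ALPHA):
    """R_new = R_old * (1 - alpha) for an IP whose risk has not been refreshed this period."""
    if not 0 < alpha < 1:
        raise ValueError("alpha must be strictly between 0 and 1")
    return risk * (1 - alpha)

def update_blacklist(blacklist, ip, composite, threshold=THRESHOLD):
    """Add above the threshold, remove once it has fallen to or below it; returns membership."""
    if composite > threshold:
        blacklist.add(ip)
    else:
        blacklist.discard(ip)
    return ip in blacklist

def stale_ip_membership(ip, current, segment, history, periods, blacklist=None):
    """Evaluate once, then decay the current-moment coefficient once per period with no new
    data, re-evaluating after each; returns blacklist membership after every decay period."""
    blacklist = set() if blacklist is None else blacklist
    update_blacklist(blacklist, ip, composite_risk(current, segment, history))
    out = []
    for _ in range(periods):
        current = decay(current)
        out.append(update_blacklist(blacklist, ip, composite_risk(current, segment, history)))
    return out


if __name__ == "__main__":
    # Constructed inputs: factor values for the target, current risks of its /24 neighbours,
    # and the last three daily coefficients (most recent first).
    factors = {"attack_degree": 0.8, "industry_distribution": 0.6, "time_pattern": 0.3,
               "attack_share": 0.5, "external_intel": 1.0}
    cur = current_risk(factors)
    seg = segment_risk({"203.0.113.7": cur, "203.0.113.8": 0.2, "203.0.113.200": 0.7,
                        "198.51.100.9": 0.9}, "203.0.113.7")
    hist = historical_trend([0.8, 0.4, 0.2])
    print(f"current={cur:.4f} segment={seg:.4f} history={hist:.4f} "
          f"composite={composite_risk(cur, seg, hist):.4f}")
    print(stale_ip_membership("203.0.113.7", cur, seg, hist, periods=4))
```

With these constructed weights the address enters the blacklist at the first evaluation and leaves it after the third decay period without fresh data, which is the dynamic update the text describes.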
Referring to Figure 4, the present application also provides a system for evaluating an IP address, the system including:
a single-IP-address risk determination unit, configured to obtain user data and, based on the user data, determine the risk coefficient of the target IP address at the current moment, where the risk coefficient characterises the risk the target IP address poses at the current moment to the whole network or to a specified industry;
a target network segment risk determination unit, configured to identify the target network segment in which the target IP address is located and, based on the risk coefficients of the individual IP addresses in the target network segment at the current moment, compute the risk coefficient of the target network segment;
a historical risk determination unit, configured to determine the historical trend risk coefficient of the target IP address based on its risk coefficients at the individual moments;
an attack judgement unit, configured to determine the composite risk coefficient of the target IP address based on its risk coefficient at the current moment, the risk coefficient of the target network segment and its historical trend risk coefficient, so as to judge from the composite risk coefficient whether the target IP address exhibits attack behaviour.
Referring to Figure 5, one embodiment of the present application also provides a device for evaluating an IP address, the device including a processor and a memory, the memory being used to store a computer program which, when executed by the processor, can implement the method for evaluating an IP address described above.
In this embodiment, the memory may include a physical apparatus for storing information, typically by digitising the information and storing it on a medium that uses electrical, magnetic or optical means. The memory of this embodiment may further include: apparatus that stores information electrically, such as RAM or ROM; apparatus that stores information magnetically, such as hard disks, floppy disks, magnetic tape, magnetic core memory, bubble memory or USB flash drives; and apparatus that stores information optically, such as CDs or DVDs. Of course, there are other kinds of memory as well, such as quantum memory or graphene memory.
In this embodiment, the processor may be implemented in any suitable manner. For example, the processor may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (such as software or firmware) executable by that (micro)processor, logic gates, switches, an application-specific integrated circuit (ASIC), a programmable logic controller, an embedded microcontroller, and so on.
As can be seen from the above, the technical solution provided by one or more embodiments of the present application can comprehensively evaluate, from multiple dimensions, whether an IP address exhibits attack behaviour. Specifically, from recent user data, the risk coefficient of the target IP address to be evaluated at the current moment can be determined, and this risk coefficient can be expressed with respect to the whole network or to a specified industry. In addition, the overall risk of the network segment in which the target IP address is located also indirectly reflects the degree of risk of the target IP address, so the overall risk coefficient of the target network segment can be computed from the risk coefficients of the individual IP addresses in that segment. Furthermore, some IP addresses may be exploited only briefly to produce attack behaviour while being of little harm in the long run; to assess the harmfulness of an IP address accurately, the risk coefficients of the target IP address at different moments can be consulted and combined to determine its historical trend risk coefficient. Finally, the three different risk coefficients above can be integrated into a composite risk coefficient for evaluating the target IP address, which can be used to judge whether the target IP address exhibits attack behaviour. Combining data from multiple dimensions to evaluate the target IP address in this way improves the accuracy of the evaluation and thereby the effectiveness of network security protection.
The embodiments in this specification are described progressively; identical or similar parts of the embodiments can be referred to one another, and each embodiment focuses on its differences from the others. In particular, the system and device embodiments can be explained by reference to the description of the method embodiment above.
Those skilled in the art will understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus that implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include non-permanent memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and can implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprise", "include" and any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Absent further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises it.
The above are merely embodiments of the present application and are not intended to limit it. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present application shall be included within the scope of its claims.

Claims (12)

  1. A method for evaluating an IP address, characterised in that the method comprises:
    obtaining user data and, based on the user data, determining the risk coefficient of a target IP address at the current moment, where the risk coefficient characterises the risk the target IP address poses at the current moment to the whole network or to a specified industry;
    identifying the target network segment in which the target IP address is located and, based on the risk coefficients of the individual IP addresses in the target network segment at the current moment, computing the risk coefficient of the target network segment; and determining the historical trend risk coefficient of the target IP address based on its risk coefficients at the individual moments;
    based on the risk coefficient of the target IP address at the current moment, the risk coefficient of the target network segment and the historical trend risk coefficient of the target IP address, determining the composite risk coefficient of the target IP address, so as to judge from the composite risk coefficient whether the target IP address exhibits attack behaviour.
  2. The method according to claim 1, characterised in that determining the risk coefficient of the target IP address at the current moment comprises:
    determining the influencing factors corresponding to the target IP address, and separately computing the risk value corresponding to each influencing factor at the current moment;
    identifying the maximum risk value and the minimum risk value among the risk values corresponding to the influencing factors, and obtaining the interval maximum and interval minimum of the target interval to be mapped into;
    for the risk value corresponding to any influencing factor, normalising that risk value into the target interval on the basis of the maximum risk value, the minimum risk value, the interval maximum and the interval minimum;
    performing a weighted summation of the normalised risk values corresponding to the influencing factors, and taking the result of the weighted summation as the risk coefficient of the target IP address at the current moment.
  3. The method according to claim 2, characterised in that normalising the risk value corresponding to the influencing factor into the target interval comprises:
    computing a first difference between the maximum risk value and the minimum risk value, and computing a second difference between the interval maximum and the interval minimum, where the ratio of the second difference to the first difference serves as a normalisation coefficient;
    computing a third difference between the risk value corresponding to the influencing factor and the minimum risk value, and computing the product of the third difference and the normalisation coefficient;
    taking the sum of the product and the interval minimum as the normalised risk value corresponding to the influencing factor.
  4. The method according to claim 2, characterised in that separately computing the risk value corresponding to each influencing factor at the current moment comprises at least one of the following:
    counting the number of access requests from the target IP address that exhibit attack behaviour and the total number of access requests from the target IP address, and taking the ratio of the number of access requests exhibiting attack behaviour to the total number of access requests as the attack degree risk value of the target IP address;
    determining a target industry to be analysed, counting the number of access requests from the target IP address that exhibit attack behaviour against the target industry and the total number of attacks received by all industries, and computing the ratio of the number of access requests to the total number of attacks; taking the product of the ratio and the weight of the target industry as the distribution risk coefficient of the target industry, and taking the sum of the distribution risk coefficients of all industries as the industry distribution risk value of the target IP address;
    determining in advance the time periods to be analysed, and computing the attack coefficient of the target IP address in each time period, where the attack coefficient characterises the ratio of the number of attacks by the target IP address in the current time period to the total number of attacks in all time periods; taking the product of the attack coefficient and the corresponding weight as the pattern risk coefficient of the time period, and taking the sum of the pattern risk coefficients of all time periods as the pattern risk value of the target IP address;
    counting the number of access requests from the target IP address that exhibit attack behaviour and the total number of access requests from all IP addresses that exhibit attack behaviour, and taking the ratio of the former to the latter as the attack share risk value of the target IP address;
    if the target IP address carries a malicious tag and is associated with a malicious domain name or a malicious access link, setting the external intelligence risk value of the target IP address to a nonzero preset value; if the target IP address does not carry a malicious tag, or is not associated with a malicious domain name or malicious access link, setting the external intelligence risk value of the target IP address to zero.
  5. The method according to claim 1, characterised in that computing the risk coefficient of the target network segment comprises:
    computing the average of the risk coefficients at the current moment of the individual IP addresses in the target network segment, and taking the average as the risk coefficient of the target network segment.
  6. The method according to claim 1, characterised in that determining the historical trend risk coefficient of the target IP address comprises:
    determining a historical observation interval in advance, and reading in turn the risk coefficient of the target IP address at each moment in the historical observation interval;
    separately determining the reference weight corresponding to the risk coefficient at each moment, where the further a moment is from the current moment, the smaller its corresponding reference weight;
    computing the product of the risk coefficient at each moment and the corresponding reference weight, and accumulating the computed products, where the accumulated result serves as the historical trend risk coefficient of the target IP address.
  7. The method according to claim 1, characterised in that determining the composite risk coefficient of the target IP address comprises:
    multiplying the risk coefficient of the target IP address at the current moment, the risk coefficient of the target network segment and the historical trend risk coefficient of the target IP address by their respective weight coefficients and accumulating the products, and taking the accumulated result as the composite risk coefficient of the target IP address.
  8. The method according to claim 1, characterised in that, after determining the risk coefficient of the target IP address at the current moment, the method further comprises:
    if the risk coefficient of the target IP address at the current moment has not been updated, decaying the risk coefficient once per specified time period, and replacing the risk coefficient before decay with the decayed value as the new risk coefficient;
    if the risk coefficient of the target IP address at the current moment has been updated, replacing the risk coefficient before the update with the updated risk coefficient.
  9. The method according to claim 8, characterised in that the method further comprises:
    if the target IP address was judged to exhibit attack behaviour before the decay or update, adding the target IP address to a blacklist;
    if the target IP address is judged not to exhibit attack behaviour after the decay or update, removing the target IP address from the blacklist.
  10. The method according to claim 1, characterised in that, if the risk coefficient of the target IP address at the current moment characterises the risk to the whole network, the risk coefficient of the target network segment and the historical trend risk coefficient of the target IP address both characterise the risk to the whole network; and if the risk coefficient of the target IP address at the current moment characterises the risk to a specified industry, the risk coefficient of the target network segment and the historical trend risk coefficient of the target IP address both characterise the risk to the specified industry.
  11. A system for evaluating an IP address, characterised in that the system comprises:
    a single-IP-address risk determination unit, configured to obtain user data and, based on the user data, determine the risk coefficient of a target IP address at the current moment, where the risk coefficient characterises the risk the target IP address poses at the current moment to the whole network or to a specified industry;
    a target network segment risk determination unit, configured to identify the target network segment in which the target IP address is located and, based on the risk coefficients of the individual IP addresses in the target network segment at the current moment, compute the risk coefficient of the target network segment;
    a historical risk determination unit, configured to determine the historical trend risk coefficient of the target IP address based on its risk coefficients at the individual moments;
    an attack judgement unit, configured to determine the composite risk coefficient of the target IP address based on its risk coefficient at the current moment, the risk coefficient of the target network segment and its historical trend risk coefficient, so as to judge from the composite risk coefficient whether the target IP address exhibits attack behaviour.
  12. A device for evaluating an IP address, characterised in that the device comprises a memory and a processor, the memory being used to store a computer program which, when executed by the processor, implements the method according to any one of claims 1 to 10.
PCT/CN2019/123010 2019-11-15 2019-12-04 Method, system and device for evaluating an IP address WO2021093051A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911122060.X 2019-11-15
CN201911122060.XA CN112822143B (zh) 2019-11-15 2019-11-15 Method, system and device for evaluating an IP address

Publications (1)

Publication Number Publication Date
WO2021093051A1 true WO2021093051A1 (zh) 2021-05-20

Family

ID=75851893

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/123010 WO2021093051A1 (zh) 2019-11-15 2019-12-04 Method, system and device for evaluating an IP address

Country Status (2)

Country Link
CN (1) CN112822143B (zh)
WO (1) WO2021093051A1 (zh)

Also Published As

Publication number Publication date
CN112822143B (zh) 2022-05-27
CN112822143A (zh) 2021-05-18


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19952460

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19952460

Country of ref document: EP

Kind code of ref document: A1