CN113839817A - Network asset risk assessment method, device and system - Google Patents
- Publication number: CN113839817A (application CN202111115824.XA)
- Authority: CN (China)
- Prior art keywords: asset, data, value, risk, target network
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L41/147—Network analysis or design for predicting network behaviour
- H04L41/142—Network analysis or design using statistical or mathematical methods
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The embodiment of the application provides a network asset risk assessment method, a device and a system, which relate to the technical field of Internet, wherein the network asset risk assessment method comprises the following steps: acquiring various probe data in a network, asset data of target network assets and a current evaluation time period; then, the asset value of the target network asset is calculated according to the various probe data and asset data; then calculating the vulnerability risk value of the target network asset according to various probe data and asset data; further, calculating a threat event risk value of the target network asset according to the current evaluation time period, various probe data and asset data; and finally, calculating the network asset risk assessment result of the target network asset in the current assessment time period according to the asset value, the vulnerability risk value and the threat event risk value, so that the comprehensive assessment of the network asset risk can be realized, the manual assessment is not needed, and the assessment result is accurate, objective and professional.
Description
Technical Field
The application relates to the technical field of internet, in particular to a network asset risk assessment method, device and system.
Background
With the continuous development of the internet, the network security problem is becoming more serious, and the need for accurate quantitative evaluation of network security risk is increasing day by day. In the existing network asset risk assessment method, a corresponding weight value is usually set according to the importance degree of each network device, the device risk score of each network device is weighted by that value, and the weighted sum over all network devices in the network to be assessed is taken as the risk of that network. However, in practice it is found that in the prior art the weight value is usually determined manually, so that the risk assessment is artificially defined and strongly subjective, and consequently neither professional nor accurate, so that a comprehensive assessment of network threat events cannot be performed. Therefore, the existing method needs manual evaluation, the evaluation is not professional and accurate, and network threat events cannot be comprehensively evaluated.
Disclosure of Invention
The embodiment of the application aims to provide a network asset risk assessment method, device and system, which can realize the comprehensive assessment of network asset risk, do not need manual participation in the assessment, and give accurate, objective and professional assessment results.
A first aspect of an embodiment of the present application provides a method for assessing risk of a network asset, including:
acquiring various probe data in a network, asset data of target network assets and a current evaluation time period;
calculating the asset value of the target network asset according to the various probe data and the asset data;
calculating a vulnerability risk value of the target network asset according to the various probe data and the asset data;
calculating a threat event risk value of the target network asset according to the current evaluation time period, the various probe data and the asset data;
and calculating the network asset risk assessment result of the target network asset in the current assessment time period according to the asset value, the vulnerability risk value and the threat event risk value.
In the implementation process, various probe data in the network, asset data of target network assets and the current evaluation time period are obtained; then, the asset value of the target network asset is calculated according to the various probe data and asset data; then calculating the vulnerability risk value of the target network asset according to various probe data and asset data; further, calculating a threat event risk value of the target network asset according to the current evaluation time period, various probe data and asset data; and finally, calculating the network asset risk assessment result of the target network asset in the current assessment time period according to the asset value, the vulnerability risk value and the threat event risk value, so that the comprehensive assessment of the network asset risk can be realized, the manual assessment is not needed, and the assessment result is accurate, objective and professional.
Further, the acquiring of the various types of probe data in the network, the asset data of the target network asset, and the current evaluation time period includes:
acquiring original probe data of various types in a network, asset data of target network assets and a preset evaluation period, wherein the original probe data of various types comprises flow audit data, vulnerability data and safety log data;
carrying out unified standardized processing on the original various probe data to obtain various probe data;
and determining the current evaluation time period of the target network assets according to the evaluation period.
Further, the calculating the asset value of the target network asset according to the probe data and the asset data comprises:
according to the flow audit data and the asset data, calculating an asset CIA attribute value of the target network asset and an average activity of the target network asset in a target time period;
and calculating the asset value of the target network asset according to the asset CIA attribute value and the average activity.
Further, the calculating the vulnerability risk value of the target network asset according to the probe data and the asset data comprises:
calculating an asset baseline configuration risk value according to the vulnerability data and the asset data;
calculating an asset vulnerability risk value according to the vulnerability data;
and calculating the vulnerability risk value of the target network asset according to the asset baseline configuration risk value and the asset vulnerability risk value.
Further, said calculating a threat event risk value for said target network asset based on said current evaluation time period, said various types of probe data, and said asset data comprises:
calculating a passive threat event risk value for the target cyber asset, an outlying risk value for the target cyber asset, and a lateral threat risk value for the target cyber asset based on the current evaluation time period, the asset data, and the security log data;
calculating an active threat event risk value for the target network asset from the outlying risk value and the lateral threat risk value;
and calculating the threat event risk value of the target network asset according to the current evaluation time period, the passive threat event risk value and the active threat event risk value.
Further, the calculation formula for calculating the network asset risk assessment result of the target network asset in the current assessment time period is as follows:
$R_{asset} = (R_{weak} + R_{threat}) \cdot V$;
where $R_{asset}$ is the network asset risk assessment result of the target network asset in the current evaluation time period, $R_{weak}$ is the vulnerability risk value, $R_{threat}$ is the threat event risk value, and $V$ is the asset value.
A second aspect of the embodiments of the present application provides a network asset risk assessment apparatus, including:
an acquisition unit, used for acquiring various probe data in a network, asset data of target network assets and a current evaluation time period;
the first calculation unit is used for calculating the asset value of the target network asset according to the various probe data and the asset data;
the second calculation unit is used for calculating the vulnerability risk value of the target network asset according to the various probe data and the asset data;
the third calculation unit is used for calculating the risk value of the threat event of the target network asset according to the current evaluation time period, the various probe data and the asset data;
and the fourth calculation unit is used for calculating the network asset risk assessment result of the target network asset in the current assessment time period according to the asset value, the vulnerability risk value and the threat event risk value.
In the implementation process, the acquisition unit acquires various probe data in the network, asset data of target network assets and a current evaluation time period; the first calculation unit calculates the asset value of the target network asset according to the various probe data and asset data; then, the second calculation unit calculates the vulnerability risk value of the target network asset according to various probe data and asset data; further, the third calculation unit calculates a threat event risk value of the target network asset according to the current evaluation time period, various probe data and asset data; and finally, the fourth calculation unit calculates the network asset risk assessment result of the target network asset in the current assessment time period according to the asset value, the vulnerability risk value and the threat event risk value, so that the comprehensive assessment of the network asset risk can be realized, the manual assessment is not needed, and the assessment result is accurate, objective and professional.
Further, the acquisition unit includes:
an acquisition subunit, used for acquiring various original probe data in a network, asset data of a target network asset and a preset evaluation period, wherein the various original probe data comprises flow audit data, vulnerability data and safety log data;
the standardization subunit is used for carrying out unified standardization processing on the original various probe data to obtain various probe data;
and the determining subunit is used for determining the current evaluation time period in which the target network asset needs to be evaluated according to the evaluation period.
In a third aspect of the embodiments of the present application, a system for evaluating risk of a network asset performs risk evaluation of a network asset by using any one of the methods for evaluating risk of a network asset provided in the third aspect of the embodiments of the present application.
A fourth aspect of the embodiments of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to make the electronic device execute the method for network asset risk assessment according to any one of the first aspect of the embodiments of the present application.
A fifth aspect of the embodiments of the present application provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are read and executed by a processor, the computer program instructions perform the method for risk assessment of network assets according to any one of the first aspect of the embodiments of the present application.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of a method for evaluating risk of a network asset according to an embodiment of the present application;
FIG. 2 is a schematic flow chart illustrating another method for assessing risk of a cyber asset according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a network asset risk assessment device according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of another network asset risk assessment device provided in the embodiments of the present application;
fig. 5 is a schematic diagram of a scheme framework of a network asset risk assessment method according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Example 1
Referring to fig. 1, fig. 1 is a schematic flow chart of a network asset risk assessment method according to an embodiment of the present disclosure. The network asset risk assessment method comprises the following steps:
s101, acquiring various probe data in a network, asset data of target network assets and a current evaluation time period.
In the embodiment of the present application, the asset data specifically includes network asset data and the like, and the embodiment of the present application is not limited thereto. The network asset risk assessment method is particularly used for risk assessment of network assets.
In the embodiment of the present application, the original probe data includes flow audit data, vulnerability data, security log data, and the like, and the embodiment of the present application is not limited thereto.
In the embodiment of the present application, the asset data of the target network asset includes, but is not limited to, asset name, IP address, confidentiality, integrity, availability, and other field information, asset scan data, and the like.
And S102, calculating the asset value of the target network asset according to the various probe data and asset data.
In the embodiment of the application, the average activity B of the target network assets can be calculated according to the flow audit data, and the asset value V is obtained by combining the asset CIA attribute value A.
And S103, calculating the vulnerability risk value of the target network asset according to the various probe data and asset data.
In the embodiment of the application, according to the vulnerability data, the asset baseline configuration risk value $R_{base}$ and the network vulnerability risk value $R_{vul}$ of the target network asset are calculated, so as to obtain the vulnerability risk value $R_{weak}$ of the target network asset.
And S104, calculating the risk value of the threat event of the target network asset according to the current evaluation time period, various probe data and asset data.
In the embodiment of the application, the threat events in the current evaluation time period are counted, the passive threat event risk value $R_{passive}$, the lateral threat risk value $R_{hor}$ and the external connection risk value $R_{out}$ are calculated, and the threat event risk value $R_{threat}$ of the target network asset is further obtained.
And S105, calculating a network asset risk evaluation result of the target network asset in the current evaluation time period according to the asset value, the vulnerability risk value and the threat event risk value.
In the embodiment of the present application, the execution subject of the method may be a computing device such as a computer and a server, and is not limited in this embodiment.
In this embodiment, an execution subject of the method may also be an intelligent device such as a smart phone and a tablet computer, which is not limited in this embodiment.
In the embodiment of the application, by implementing the method, a comprehensive evaluation is carried out from multiple dimensions such as network asset value, vulnerability and event threat; by refining the risk evaluation process of the network asset, evaluation links such as the network asset value and the event threat are corrected and optimized, a more comprehensive risk evaluation of the network asset is realized, and at the same time the problems of unprofessional and inaccurate artificially defined network asset value in network asset risk evaluation, as well as the incomplete evaluation of network threat events in the prior art, are solved.
Therefore, the network asset risk assessment method described in the embodiment can realize the comprehensive assessment of the network asset risk without manual assessment, and has accurate, objective and professional assessment results.
Example 2
Referring to fig. 2, fig. 2 is a schematic flow chart of another network asset risk assessment method according to an embodiment of the present application. As shown in fig. 2, the method for evaluating the risk of the network asset comprises the following steps:
s201, acquiring original various probe data in the network, asset data of target network assets and a preset evaluation period, wherein the original various probe data comprises flow audit data, vulnerability data and safety log data.
In the embodiment of the present application, the evaluation period may specifically be an evaluation every 2min, an evaluation every 5min, an evaluation every 60min, and the like, and is preset, and the embodiment is not limited in any way.
S202, carrying out unified standardization processing on the original various probe data to obtain various probe data.
And S203, determining the current evaluation time period required to evaluate the target network assets according to the evaluation period.
In the embodiment of the application, various probe data in the network are collected, including flow audit data, vulnerability data, safety log data, network scanning data and the like, and the collected data are subjected to unified standardized processing.
In the embodiment of the present application, if the current time is 12:00, for example, and the evaluation period is every 2 min, the asset risk in the 12:00-12:02 time period may be determined, in which case the corresponding current evaluation time period is 12:00-12:02; of course, it can also be 11:59-12:01, in which case the corresponding current evaluation time period is 11:59-12:01, and this embodiment is not limited at all.
In the embodiment of the present application, by implementing the steps S201 to S203, various probe data in the network, asset data of a target network asset, and a current evaluation time period can be obtained.
After step S203, the following steps are also included:
and S204, calculating the asset CIA attribute value of the target network asset and the average activity of the target network asset in the target time period according to the flow audit data and the asset data.
As an optional implementation manner, in the multidimensional risk value calculation, for the asset value calculation, the overall value of the network is modified by introducing network activity, and then the formula for calculating the asset CIA attribute value of the target network asset is as follows:
$A = \lg\left[(2I + 2C + 2Av)/3\right] \cdot 5$;
where $A$ represents the asset CIA attribute value, $I$ represents network asset integrity, $C$ represents network asset confidentiality, $Av$ represents network asset availability, and $I, C, Av \in [1, 5]$;
in the above formula, I, C and Av may be obtained according to the traffic audit data and the asset data, or may be preset parameters, and the embodiment of the present application is not limited thereto.
As an alternative embodiment, the formula for calculating the average activity of the target network asset in the target time period is as follows:
where $B$ denotes the average activity, $B_k$ represents the single activity of the $k$-th time unit, $G_{ik}$ represents the network session connection number corresponding to the $k$-th time unit, $K$ represents the total number of time units included in the target time period, and $n$ represents the total number of target network assets.
In the above formula, the target time period is preset, and specifically may be 7 days, 10 days, and the like, and this embodiment of the present application is not limited. Specifically, when the target period is 7 days, then $K = 7$ and $B_k$ indicates the single-day activity of day $k$.
And S205, calculating the asset value of the target network asset according to the asset CIA attribute value and the average activity.
As an alternative embodiment, the formula for calculating the asset value of the target network asset is:
where $V$ represents the asset value, $A$ is the asset CIA attribute value, $B$ represents the average activity, $e$ and $f$ are preset weight parameters, and $e \in [0, 1]$, $f \in [0, 1]$, $e + f = 1$.
In the embodiment of the present application, by implementing the steps S204 to S205, the asset value of the target network asset can be calculated according to various probe data and asset data.
In the embodiment of the application, the average activity B of the target network assets is calculated according to the flow audit data, and the asset value V is obtained by combining the asset CIA attribute value A.
After step S205, the following steps are also included:
and S206, calculating the asset baseline configuration risk value according to the vulnerability data and the asset data.
In the embodiment of the application, in the calculation of the multidimensional risk value, the calculation of the network vulnerability risk value is mainly considered from two aspects of whether the configuration of the network is compliant and the existing vulnerability information.
As an alternative embodiment, the formula for calculating the asset baseline configuration risk value is:
where $R_{base}$ represents the asset baseline configuration risk value, $m$ represents the non-compliant configuration items, $n$ represents all configuration items, and $\alpha_i$ and $\alpha_j$ are preset configuration item weights.
The values of m and n may be obtained by calculation according to the vulnerability data and the asset data, and the embodiment of the present application is not limited thereto.
And S207, calculating the asset vulnerability risk value according to the vulnerability data.
As an alternative embodiment, the formula for calculating the asset vulnerability risk value is as follows:
where $R_{vul}$ represents the asset vulnerability risk value, $n$ represents the number of vulnerabilities present in the network, $r_{i\_cvss}$ represents the specific vulnerability score output for vulnerability $i$ according to the CVSS vulnerability score standard, and $r_{i\_cvss} \in [1, 10]$.
After step S207, the following steps are also included:
and S208, configuring the risk value and the asset vulnerability risk value according to the asset baseline, and calculating the vulnerability risk value of the target network asset.
As an alternative embodiment, the formula for calculating the vulnerability risk value of the target network asset is:
$R_{weak} = a \cdot R_{base} + b \cdot R_{vul}$;
where $R_{weak}$ is the vulnerability risk value, $a$ and $b$ are preset weight parameters, and $a \in [0, 1]$, $b \in [0, 1]$, $a + b = 1$.
In the embodiment of the present application, by implementing the steps S206 to S208, the vulnerability risk value of the target network asset can be calculated according to various probe data and asset data.
In the embodiment of the application, according to the vulnerability data, the asset baseline configuration risk value $R_{base}$ and the network vulnerability risk value $R_{vul}$ of the target network asset are calculated, so as to obtain the vulnerability risk value $R_{weak}$ of the target network asset.
S209, calculating a passive threat event risk value of the target network asset, an external risk value of the target network asset and a transverse threat risk value of the target network asset according to the current evaluation time period, the asset data and the security log data.
In the embodiment of the application, in the multi-dimensional risk value calculation, the calculation process of the risk of the threat event is optimized, and the event of which the destination address is the network IP address in the threat event is defined as a passive threat event, namely the network is attacked; and defining an event with a source address as a network IP address in the threat event as an active threat event, namely, the network actively initiates an attack, and further refining the active threat event into a lateral attack threat event and an external behavior threat event.
As an optional implementation manner, when calculating the passive threat event risk value of the target network asset, statistical calculation is performed on the security event in the current evaluation time period, wherein the security event may be obtained according to the security log data, and a formula for specifically calculating the passive threat event risk value is as follows:
where $R_{passive}$ is the passive threat event risk value, $E$ represents the event level, $E \in \{\text{low-risk}, \text{medium-risk}, \text{high-risk}\}$, $p_{event}$ represents the quantized value corresponding to the event level, $p_{event} \in \{1, 3, 5\}$, and $num_{event}$ represents the number of events corresponding to each event level.
In the above formula, the event level $E$ and its corresponding quantized value $p_{event}$ may be obtained by analysis and calculation according to the current evaluation time period, the asset data and the security log data, and the embodiment of the present application is not limited thereto.
As an alternative embodiment, the statistical calculation is performed on the security events in the current evaluation time period, and the formula for calculating the lateral threat risk value of the target network asset is as follows:
where $R_{hor}$ represents the lateral threat risk value, and the per-vulnerability score term is the specific score output according to the CVSS vulnerability score standard for the vulnerability whose number is cve.
Here the set of target network assets that are laterally attacked is $H$, $H_j = \langle cve, result \rangle$, where cve represents the vulnerability CVE number the target network asset is used for lateral attacks with, and correspondingly result represents the result of the attack, $result \in \{1, 3, 5\}$: result = 1 represents an attack attempt, result = 3 represents suspected success, and result = 5 represents success.
In the above formula, H, cve and result can be determined according to the current evaluation time period, asset data and security log data, and the embodiment of the present application is not limited thereto.
As an alternative implementation, statistical calculation is performed on the security events within the current evaluation time period, and the formula for calculating the external connection risk value is as follows:
where $R_{out}$ represents the external connection risk value; the set of external IPs or domain names of the target network asset is $S$, $S_k = \langle event, threatIng \rangle$, where threatIng indicates the result of the threat intelligence collision, $threatIng \in \{1, 5\}$: when threatIng is 5 the threat intelligence collision matching succeeded, and when threatIng is 1 it did not.
In the above formula, the specific values of event, threatIng and the remaining terms may be determined according to the current evaluation time period, the asset data and the security log data, and the embodiment of the present application is not limited thereto.
And S210, calculating the active threat event risk value of the target network asset according to the external connection risk value and the transverse threat risk value.
As an alternative embodiment, the formula for calculating the active threat event risk value of the target network asset is:
R_{active} = R_{hor} + R_{out};
wherein R_active represents the active threat event risk value, R_hor represents the risk value of lateral attacks actively initiated by the target network asset (i.e., the lateral threat risk value), and R_out represents the risk value of external connection activity actively initiated by the target network asset (i.e., the external connection risk value).
And S211, calculating the threat event risk value of the target network asset according to the current evaluation time period, the passive threat event risk value and the active threat event risk value.
As an alternative embodiment, the formula for calculating the threat event risk value of the target network asset is:
R_{threat} = c \cdot R_{passive} + d \cdot R_{active};
wherein R_threat represents the threat event risk value, R_passive the passive threat event risk value and R_active the active threat event risk value; c and d are preset weight parameters with c ∈ [0, 1], d ∈ [0, 1] and c + d = 1.
In the embodiment of the present application, by implementing the steps S209 to S211, the threat event risk value of the target network asset can be calculated according to the current evaluation time period, various probe data and asset data.
In the embodiment of the application, the threat events in the current evaluation time period are counted, the passive threat event risk value R_passive, the lateral threat risk value R_hor and the external connection risk value R_out are calculated, and from these the threat event risk value R_threat of the target network asset is obtained.
And S212, calculating a network asset risk assessment result of the target network asset in the current assessment time period according to the asset value, the vulnerability risk value and the threat event risk value.
In the embodiment of the application, a calculation formula for calculating the network asset risk assessment result of the target network asset in the current assessment time period is as follows:
R_{asset} = (R_{weak} + R_{threat}) \cdot V;
wherein R_asset is the network asset risk assessment result of the target network asset in the current assessment time period, R_weak is the vulnerability risk value, R_threat is the threat event risk value and V is the asset value.
In the embodiment of the application, the method is based on a network security situation perception product, and risk assessment is performed on target network assets in a network security situation perception system from multiple dimensions such as asset value, vulnerability and threat events, so that comprehensive risk control on the whole network is achieved, and the risk assessment and early warning capability of the network is improved.
After step S212, determining a new current evaluation time period according to the preset evaluation period again, and then executing steps S201 to S212 to calculate and update the network asset risk evaluation result in the new current evaluation time period.
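The aggregation in steps S209 to S212 and the periodic re-evaluation after S212, as an added example in Python (not code from the patent). It implements only the formulas the description states explicitly (R_active = R_hor + R_out, R_threat = c·R_passive + d·R_active with c + d = 1, R_asset = (R_weak + R_threat)·V) together with the record shapes H_j = <cve, result> and S_k = <event, threatIng> and their allowed codes. The description's own formulas for R_hor and R_out are not in this extract, so the example takes them as callables over the period's records (an assumption), and the timestamps, CVE identifiers and events are constructed sample data.

```python
"""Threat-event aggregation and periodic asset-risk evaluation (S209 to S212).

Added example, not the patent's code. R_hor and R_out are supplied as callables
(assumption: their formulas are not in this extract); all sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

ALLOWED_RESULT = {1, 3, 5}    # lateral attack outcome: attempt / suspected success / success
ALLOWED_THREAT_ING = {1, 5}   # threat-intelligence match: not matched / matched


@dataclass(frozen=True)
class LateralRecord:
    """One element H_j = <cve, result> of the laterally attacked asset set H."""
    ts: datetime
    cve: str
    result: int


@dataclass(frozen=True)
class ExternalRecord:
    """One element S_k = <event, threatIng> of the external IP / domain set S."""
    ts: datetime
    event: str
    threat_ing: int


def validate_records(lateral, external):
    """Reject coded values outside the sets the description allows, so an
    unexpected code cannot silently shift the score."""
    for h in lateral:
        if h.result not in ALLOWED_RESULT:
            raise ValueError(f"result {h.result} for {h.cve} not in {sorted(ALLOWED_RESULT)}")
    for s in external:
        if s.threat_ing not in ALLOWED_THREAT_ING:
            raise ValueError(f"threatIng {s.threat_ing} for {s.event} not in {sorted(ALLOWED_THREAT_ING)}")


def in_period(records, start, end):
    """Only security events inside the current evaluation time period [start, end) count."""
    return [r for r in records if start <= r.ts < end]


def active_threat_risk(r_hor, r_out):
    """S210: R_active = R_hor + R_out."""
    return r_hor + r_out


def threat_event_risk(r_passive, r_active, c, d):
    """S211: R_threat = c * R_passive + d * R_active, with c, d in [0, 1] and c + d = 1."""
    if not (0.0 <= c <= 1.0 and 0.0 <= d <= 1.0) or abs(c + d - 1.0) > 1e-9:
        raise ValueError("weights c and d must lie in [0, 1] and sum to 1")
    return c * r_passive + d * r_active


def asset_risk(r_weak, r_threat, value):
    """S212: R_asset = (R_weak + R_threat) * V."""
    return (r_weak + r_threat) * value


def evaluate_periods(lateral, external, start, period, n_periods,
                     score_lateral, score_external, r_passive, r_weak, value, c, d):
    """Run S209 to S212 for n consecutive evaluation periods and return one
    (period_start, R_asset) pair per period, i.e. the periodic re-evaluation."""
    validate_records(lateral, external)
    results = []
    for i in range(n_periods):
        p_start = start + i * period
        p_end = p_start + period
        r_active = active_threat_risk(score_lateral(in_period(lateral, p_start, p_end)),
                                      score_external(in_period(external, p_start, p_end)))
        r_threat = threat_event_risk(r_passive, r_active, c, d)
        results.append((p_start, asset_risk(r_weak, r_threat, value)))
    return results


# Constructed sample security-log records for one target asset over two days.
T0 = datetime(2021, 9, 23)
SAMPLE_LATERAL = [
    LateralRecord(T0 + timedelta(hours=1), "CVE-EXAMPLE-0001", 1),
    LateralRecord(T0 + timedelta(hours=2), "CVE-EXAMPLE-0002", 5),
    LateralRecord(T0 + timedelta(hours=26), "CVE-EXAMPLE-0001", 3),
]
SAMPLE_EXTERNAL = [
    ExternalRecord(T0 + timedelta(hours=3), "dns:example.invalid", 5),
    ExternalRecord(T0 + timedelta(hours=30), "ip:203.0.113.7", 1),
]


def demo():
    """Two daily periods. The scorers here are stand-ins (record counts), not the
    patent's R_hor / R_out formulas, which this extract does not include."""
    return evaluate_periods(SAMPLE_LATERAL, SAMPLE_EXTERNAL, T0, timedelta(days=1), 2,
                            score_lateral=lambda H: float(len(H)),
                            score_external=lambda S: float(len(S)),
                            r_passive=4.0, r_weak=2.0, value=3.0, c=0.5, d=0.5)


if __name__ == "__main__":
    for p_start, r_asset in demo():
        print(p_start.date(), r_asset)
```

With the constructed data, the first day sees two lateral records and one external record (R_active = 3.0, R_threat = 3.5, R_asset = 16.5) and the second day one of each (R_asset = 15.0). The weight check in threat_event_risk matters in practice: a configuration with c + d ≠ 1 silently rescales every asset's result, so it is rejected rather than tolerated.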
In the embodiment of the application, event threats are refined into active threats and passive threats based on multi-dimensional assessment of asset values, vulnerabilities, threat events and the like, and the asset values are corrected by introducing network activity aiming at the calculation of the asset values, so that more comprehensive risk assessment calculation can be realized, and the accuracy of asset value risk assessment is improved.
The method mainly addresses the problem of network asset risk assessment within a network by assessing asset value, vulnerability and threat events in separate dimensions. First, network asset risk assessment is performed on the basis of three dimensions, namely asset value, network vulnerability and threat events; the network-related threat events are divided into active threat events and passive threat events, and the active threat events are further refined into two active threat scenarios, giving a more comprehensive risk assessment. Second, for the calculation of the asset value, the asset value is corrected by introducing network activity, and its accuracy is further improved by combining it with the asset CIA attribute value.
Therefore, the network asset risk assessment method described in the embodiment can realize the comprehensive assessment of the network asset risk without manual assessment, and has accurate, objective and professional assessment results.
Example 3
Referring to fig. 3, fig. 3 is a schematic structural diagram of a network asset risk assessment device according to an embodiment of the present application. As shown in fig. 3, the cyber asset risk evaluating apparatus includes:
an obtaining unit 310, configured to obtain various probe data in a network, asset data of a target network asset, and a current evaluation time period;
a first calculating unit 320 for calculating asset value of the target network asset according to the various probe data and asset data;
the second calculating unit 330 is configured to calculate a vulnerability risk value of the target network asset according to the various probe data and asset data;
the third calculating unit 340 is configured to calculate a risk value of a threat event of the target network asset according to the current evaluation time period, various probe data, and asset data;
and a fourth calculating unit 350, configured to calculate a network asset risk assessment result of the target network asset in the current assessment time period according to the asset value, the vulnerability risk value, and the threat event risk value.
In the embodiment of the present application, for explanation of the network asset risk assessment apparatus, reference may be made to the description in embodiment 1 or embodiment 2, and details are not repeated in this embodiment.
Therefore, the network asset risk assessment device described in the embodiment can realize the comprehensive assessment of the network asset risk without manual assessment, and has accurate, objective and professional assessment results.
Example 4
Referring to fig. 4, fig. 4 is a schematic structural diagram of another network asset risk assessment device according to an embodiment of the present disclosure. The cyber asset risk assessment apparatus shown in fig. 4 is an optimization of the apparatus shown in fig. 3. As shown in fig. 4, the obtaining unit 310 includes:
an obtaining subunit 311, configured to obtain original various probe data in the network, asset data of a target network asset, and a preset evaluation period, where the original various probe data includes flow audit data, vulnerability data, and security log data;
the normalization subunit 312 is configured to perform unified normalization processing on the original various probe data to obtain various probe data;
a determining subunit 313, configured to determine, according to the evaluation period, a current evaluation time period in which the target network asset needs to be evaluated.
As an alternative embodiment, the first calculation unit 320 includes:
and a first calculating subunit 321, configured to calculate, according to the traffic audit data and the asset data, an asset CIA attribute value of the target network asset and an average activity of the target network asset in the target time period.
And a second calculating subunit 322, configured to calculate the asset value of the target network asset according to the asset CIA attribute value and the average liveness.
As an alternative embodiment, the second calculation unit 330 includes:
a third computing subunit 331, configured to compute an asset baseline configuration risk value according to the vulnerability data and the asset data; calculating the asset vulnerability risk value according to the vulnerability data;
and a fourth calculating subunit 332, configured to calculate a vulnerability risk value of the target network asset according to the asset baseline configuration risk value and the asset vulnerability risk value.
As an alternative embodiment, the third computing unit 340 includes:
a fifth calculation submodule 341, configured to calculate a passive threat event risk value of the target network asset, an external connection risk value of the target network asset, and a lateral threat risk value of the target network asset according to the current evaluation time period, the asset data, and the security log data; and to calculate an active threat event risk value of the target network asset according to the external connection risk value and the lateral threat risk value;
and a sixth calculating submodule 342, configured to calculate a threat event risk value of the target network asset according to the current evaluation time period, the passive threat event risk value, and the active threat event risk value.
As an alternative embodiment, the calculation formula for calculating the network asset risk assessment result of the target network asset in the current assessment time period is as follows:
R_{asset} = (R_{weak} + R_{threat}) \cdot V;
wherein R_asset is the network asset risk assessment result of the target network asset in the current assessment time period, R_weak is the vulnerability risk value, R_threat is the threat event risk value and V is the asset value.
In the embodiment of the present application, for explanation of the network asset risk assessment apparatus, reference may be made to the description in embodiment 1 or embodiment 2, and details are not repeated in this embodiment.
Therefore, the network asset risk assessment device described in the embodiment can realize the comprehensive assessment of the network asset risk without manual assessment, and has accurate, objective and professional assessment results.
The embodiment of the application provides a network asset risk assessment system, and the network asset risk assessment system carries out network asset risk assessment by applying the network asset risk assessment method in any one of the embodiment 1 and the embodiment 2 of the application.
Referring to fig. 5, fig. 5 is a schematic diagram of the scheme framework of a method for evaluating the risk of a cyber asset according to an embodiment of the present disclosure. As shown in fig. 5, traffic data, vulnerability data and asset data are first fed into the network asset risk assessment system and the system is initialized; then the multi-dimensional risk values are calculated, namely the asset value (i.e. the value of the asset), the vulnerability risk value and the threat event risk value; the final network asset risk assessment result is then calculated from the asset value, the vulnerability risk value and the threat event risk value and output, and the risk assessment calculation is repeated periodically.
In the embodiment of the application, initializing the system is to perform canonicalization processing on information such as flow audit data, security log data, vulnerability data and network scanning data collected in a network to form standard network, vulnerability and threat event data, and to implement association relationship among the three through a uniform and unique identifier.
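The initialization step described above, as an added example in Python (not code from the patent): raw traffic audit, vulnerability and security log records with source-specific field names are canonicalized into one standard record shape and associated through a uniform, unique identifier. The raw field names and all sample records are constructed, and using the canonical text form of the asset's IP address as the identifier is an assumption of this example; the description only requires that the identifier be uniform and unique.

```python
"""System initialization: canonicalize raw probe data and associate the three
kinds of data through a uniform, unique asset identifier.

Added example, not the patent's code. Field names and records are constructed;
the canonical IP text as identifier is this example's assumption.
"""
import ipaddress
from collections import defaultdict

# Constructed asset inventory (asset data) the probe records are matched against.
ASSET_DATA = [
    {"ip": "10.0.0.5", "name": "web-01"},
    {"ip": "2001:db8::1", "name": "db-01"},
]

# Constructed raw probe records; each source spells the asset address its own way.
RAW_TRAFFIC = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "bytes": "5120", "t": "2021-09-23T01:00:00"},
]
RAW_VULNS = [
    {"host": "2001:DB8:0:0:0:0:0:1", "cve_id": "CVE-EXAMPLE-0001", "cvss": "7.5"},
]
RAW_LOGS = [
    {"asset_ip": "10.0.0.5", "time": "2021-09-23T02:00:00", "type": "lateral",
     "cve": "CVE-EXAMPLE-0001", "result": "5"},
    {"asset_ip": "192.0.2.44", "time": "2021-09-23T02:30:00", "type": "external",
     "event": "dns:example.invalid", "threatIng": "5"},
]


def asset_key(address):
    """Uniform identifier: the canonical text form of the address, so that
    '2001:DB8:0:0:0:0:0:1' and '2001:db8::1' resolve to the same asset."""
    return str(ipaddress.ip_address(address))


def normalize(raw_traffic, raw_vulns, raw_logs):
    """Map every source onto one standard record shape {asset_id, kind, ts, payload}."""
    std = []
    for r in raw_traffic:                      # traffic audit data -> network data
        std.append({"asset_id": asset_key(r["src"]), "kind": "network", "ts": r["t"],
                    "payload": {"peer": r["dst"], "bytes": int(r["bytes"])}})
    for r in raw_vulns:                        # vulnerability data
        std.append({"asset_id": asset_key(r["host"]), "kind": "vulnerability", "ts": None,
                    "payload": {"cve": r["cve_id"], "cvss": float(r["cvss"])}})
    for r in raw_logs:                         # security log data -> threat event data
        payload = {k: v for k, v in r.items() if k not in ("asset_ip", "time")}
        for code in ("result", "threatIng"):   # coded values become integers
            if code in payload:
                payload[code] = int(payload[code])
        std.append({"asset_id": asset_key(r["asset_ip"]), "kind": "threat_event",
                    "ts": r["time"], "payload": payload})
    return std


def associate(std_records, asset_data):
    """Group standard records under the asset identifier. Records whose identifier
    is not in the inventory are returned separately instead of being dropped:
    an address that produces events but is not an inventoried asset deserves a look."""
    known = {asset_key(a["ip"]) for a in asset_data}
    by_asset = defaultdict(lambda: {"network": [], "vulnerability": [], "threat_event": []})
    unmatched = []
    for rec in std_records:
        if rec["asset_id"] in known:
            by_asset[rec["asset_id"]][rec["kind"]].append(rec)
        else:
            unmatched.append(rec)
    return dict(by_asset), unmatched


def initialize():
    """The initialization step: normalize all raw probe data, then associate it."""
    return associate(normalize(RAW_TRAFFIC, RAW_VULNS, RAW_LOGS), ASSET_DATA)


if __name__ == "__main__":
    table, unmatched = initialize()
    for asset_id, groups in table.items():
        print(asset_id, {k: len(v) for k, v in groups.items()})
    print("unmatched:", [u["asset_id"] for u in unmatched])
```

The point of canonicalizing the identifier before association is visible in the vulnerability record: written with upper-case hex and no zero compression, it would not join with the inventory entry under a plain string comparison, and the asset's vulnerability risk would silently be computed from an empty set.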
An embodiment of the present application provides an electronic device, including a memory and a processor, where the memory is used to store a computer program, and the processor runs the computer program to make the electronic device execute the network asset risk assessment method in any one of embodiment 1 or embodiment 2 of the present application.
An embodiment of the present application provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are read and executed by a processor, the computer program instructions execute the network asset risk assessment method according to any one of embodiment 1 or embodiment 2 of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Claims (10)
1. A method for cyber asset risk assessment, comprising:
acquiring various probe data in a network, asset data of target network assets and a current evaluation time period;
calculating the asset value of the target network asset according to the various probe data and the asset data;
calculating a vulnerability risk value of the target network asset according to the various probe data and the asset data;
calculating a threat event risk value of the target network asset according to the current evaluation time period, the various probe data and the asset data;
and calculating the network asset risk assessment result of the target network asset in the current assessment time period according to the asset value, the vulnerability risk value and the threat event risk value.
2. The method according to claim 1, wherein the acquiring of the probe data of each type, the asset data of the target network asset and the current evaluation time period in the network comprises:
acquiring original probe data of various types in a network, asset data of target network assets and a preset evaluation period, wherein the original probe data of various types comprises flow audit data, vulnerability data and safety log data;
carrying out unified standardized processing on the original various probe data to obtain various probe data;
and determining the current evaluation time period of the target network assets according to the evaluation period.
3. The method of claim 2, wherein said calculating an asset value of said target network asset from said types of probe data and said asset data comprises:
according to the flow audit data and the asset data, calculating an asset CIA attribute value of the target network asset and an average activity of the target network asset in a target time period;
and calculating the asset value of the target network asset according to the asset CIA attribute value and the average activity.
4. The method according to claim 2, wherein said calculating a vulnerability risk value of said target cyber asset from said types of probe data and said asset data comprises:
calculating an asset baseline configuration risk value according to the vulnerability data and the asset data;
calculating an asset vulnerability risk value according to the vulnerability data;
and calculating the vulnerability risk value of the target network asset according to the asset baseline configuration risk value and the asset vulnerability risk value.
5. The cyber asset risk assessment method according to claim 2, wherein said calculating a threat event risk value of said target cyber asset based on said current assessment time period, said types of probe data and said asset data comprises:
calculating a passive threat event risk value for the target cyber asset, an external connection risk value for the target cyber asset, and a lateral threat risk value for the target cyber asset based on the current evaluation time period, the asset data, and the security log data;
calculating an active threat event risk value for the target network asset from the external connection risk value and the lateral threat risk value;
and calculating the threat event risk value of the target network asset according to the current evaluation time period, the passive threat event risk value and the active threat event risk value.
6. The method according to claim 1, wherein the formula for calculating the risk assessment result of the target network asset in the current assessment time period is as follows:
R_{asset} = (R_{weak} + R_{threat}) \cdot V;
wherein R_asset is the network asset risk assessment result of the target network asset within the current assessment time period, R_weak is said vulnerability risk value, R_threat is said threat event risk value and V is said asset value.
7. A cyber asset risk assessment apparatus, characterized by comprising:
an acquisition unit, configured to acquire various probe data in a network, asset data of target network assets and a current evaluation time period;
the first calculation unit is used for calculating the asset value of the target network asset according to the various probe data and the asset data;
the second calculation unit is used for calculating the vulnerability risk value of the target network asset according to the various probe data and the asset data;
the third calculation unit is used for calculating the risk value of the threat event of the target network asset according to the current evaluation time period, the various probe data and the asset data;
and the fourth calculation unit is used for calculating the network asset risk assessment result of the target network asset in the current assessment time period according to the asset value, the vulnerability risk value and the threat event risk value.
8. The cyber asset risk assessment device according to claim 7, wherein said acquisition unit comprises:
an acquisition subunit, configured to acquire various original probe data in a network, asset data of a target network asset and a preset evaluation period, wherein the various original probe data comprises flow audit data, vulnerability data and safety log data;
the standardization subunit is used for carrying out unified standardization processing on the original various probe data to obtain various probe data;
and the determining subunit is used for determining the current evaluation time period in which the target network asset needs to be evaluated according to the evaluation period.
9. A cyber asset risk assessment system characterized in that the cyber asset risk assessment system applies the cyber asset risk assessment method according to any one of claims 1 to 6 to conduct cyber asset risk assessment.
10. An electronic device, comprising a memory for storing a computer program and a processor for executing the computer program to cause the electronic device to perform the network asset risk assessment method of any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111115824.XA CN113839817B (en) | 2021-09-23 | 2021-09-23 | Network asset risk assessment method and device and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113839817A true CN113839817A (en) | 2021-12-24 |
CN113839817B CN113839817B (en) | 2023-05-05 |
Family
ID=78969421
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111115824.XA Active CN113839817B (en) | 2021-09-23 | 2021-09-23 | Network asset risk assessment method and device and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113839817B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140173739A1 (en) * | 2012-12-18 | 2014-06-19 | Ratinder Paul Singh Ahuja | Automated asset criticality assessment |
CN107204876A (en) * | 2017-05-22 | 2017-09-26 | 成都网络空间安全技术有限公司 | A kind of network security risk evaluation method |
CN109146240A (en) * | 2018-07-03 | 2019-01-04 | 北京航空航天大学 | A kind of Information Security Risk Assessment Methods and system towards intelligent network connection vehicle |
CN111859393A (en) * | 2020-07-20 | 2020-10-30 | 交通运输信息安全中心有限公司 | Risk assessment system and method based on situation awareness alarm |
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114500024A (en) * | 2022-01-19 | 2022-05-13 | 恒安嘉新(北京)科技股份公司 | Network asset management method, device, equipment and storage medium |
CN114500024B (en) * | 2022-01-19 | 2024-03-22 | 恒安嘉新(北京)科技股份公司 | Network asset management method, device, equipment and storage medium |
CN114615016A (en) * | 2022-02-09 | 2022-06-10 | 广东能源集团科学技术研究院有限公司 | Enterprise network security assessment method and device, mobile terminal and storage medium |
CN114615016B (en) * | 2022-02-09 | 2023-08-01 | 广东能源集团科学技术研究院有限公司 | Enterprise network security assessment method and device, mobile terminal and storage medium |
CN114579980A (en) * | 2022-03-04 | 2022-06-03 | 福建中信网安信息科技有限公司 | Asset risk assessment method and terminal based on spatio-temporal data |
CN114579980B (en) * | 2022-03-04 | 2022-11-04 | 福建中信网安信息科技有限公司 | Asset risk assessment method and terminal based on spatio-temporal data |
CN114666148A (en) * | 2022-03-31 | 2022-06-24 | 深信服科技股份有限公司 | Risk assessment method and device and related equipment |
CN114666148B (en) * | 2022-03-31 | 2024-02-23 | 深信服科技股份有限公司 | Risk assessment method and device and related equipment |
CN115021978B (en) * | 2022-05-17 | 2023-11-24 | 云盾智慧安全科技有限公司 | Attack path prediction method, device, electronic equipment and storage medium |
CN115021978A (en) * | 2022-05-17 | 2022-09-06 | 云盾智慧安全科技有限公司 | Attack path prediction method and device, electronic equipment and storage medium |
CN115987672A (en) * | 2022-12-28 | 2023-04-18 | 北京天融信网络安全技术有限公司 | Method, device, equipment and medium for determining risk of network equipment |
CN115987672B (en) * | 2022-12-28 | 2023-09-26 | 北京天融信网络安全技术有限公司 | Risk determination method, apparatus, device and medium for network device |
CN116471131B (en) * | 2023-06-20 | 2023-09-08 | 北京门石信息技术有限公司 | Processing method and processing device for logical link information asset |
CN116471131A (en) * | 2023-06-20 | 2023-07-21 | 北京门石信息技术有限公司 | Processing method and processing device for logical link information asset |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||