WO2017152742A1 - Risk assessment method and apparatus for network security device - Google Patents


Info

Publication number
WO2017152742A1
Authority
WO
WIPO (PCT)
Prior art keywords
risk
item
evaluated
triggered
predetermined
Prior art date
Application number
PCT/CN2017/073933
Other languages
French (fr)
Chinese (zh)
Inventor
章倩
滕志猛
周娜
霍玉臻
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2017152742A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • This document relates to, but is not limited to, the field of network security technologies, and relates to a method and device for risk assessment of network security devices.
  • enterprise network administrators change the configuration of network security devices, for example by opening firewall ports to communicate with business partners or by closing ports to avoid exploitation, and at the same time use specific products to check the configuration of the security devices so that configuration vulnerabilities are found in a timely manner.
  • the embodiment of the invention provides a risk assessment method and device for a network security device, which can more clearly, accurately and effectively indicate the current device security state.
  • the embodiment of the invention provides a risk assessment method for a network security device, the method comprising:
  • determining a predetermined risk pool, the risk pool including a plurality of risk items;
  • the risk items in the predetermined risk database and the risk items triggered by the device to be evaluated are separately analyzed, and a corresponding calculation method is adopted to obtain a security status value of the device to be evaluated.
  • the embodiment of the present invention provides a risk assessment method for a network security device: a predetermined risk database is determined, the valid configuration information related to the risk items in the device to be evaluated is extracted, the risk items triggered by the device to be evaluated are obtained according to the risk analysis result of the valid configuration information, the risk items in the predetermined risk pool and the risk items triggered by the device to be evaluated are analyzed separately, and a corresponding calculation method is adopted to obtain the security status value of the device to be evaluated.
  • the above technical solution calculates the security status value of the device to be evaluated by analyzing the risk value of each risk item, the relationship between the risk items, and the number of triggers of each risk item triggered by the device to be evaluated; the resulting value can indicate the current device security status more intuitively, accurately and effectively.
  • the embodiment of the invention further provides a risk assessment device for a network security device, the device comprising: a determining module, an extracting module and an evaluating module;
  • the determining module is configured to determine a predetermined risk database, where the risk database includes configuration information of multiple risk items, where the configuration information includes an identification code and a description content of the risk item;
  • the extraction module is configured to extract the valid configuration information related to the risk item in the device to be evaluated, and obtain the risk item triggered by the device to be evaluated according to the risk analysis result of the effective configuration information;
  • the evaluation module is configured to separately analyze the risk item in the predetermined risk pool and the risk item triggered by the device to be evaluated, and adopt a corresponding calculation method to obtain a security status value of the device to be evaluated.
  • the embodiment of the present invention provides a risk assessment apparatus for a network security device.
  • the determining module determines a predetermined risk database; the extraction module extracts the valid configuration information related to the risk items in the device to be evaluated and obtains, according to the risk analysis result of the valid configuration information, the risk items triggered by the device to be evaluated; and the evaluation module separately analyzes the risk items in the predetermined risk database and the risk items triggered by the device to be evaluated and adopts a corresponding calculation method to obtain the security status value of the device to be evaluated.
  • the technical solution described above analyzes the risk value of the risk item, the relationship between the risk items, and the number of triggers of each risk item that the risk item of the device to be evaluated has triggered.
  • the safety status value of the equipment to be evaluated is calculated locally, which can indicate the current equipment safety status more intuitively, accurately and effectively.
  • the embodiment of the present invention further provides a computer readable storage medium, where the computer readable storage medium stores computer executable instructions, and when the computer executable instructions are executed, implements a risk assessment method of the network security device.
  • FIG. 1 is a schematic flowchart of a method for risk assessment of a network security device according to an embodiment of the present invention
  • FIG. 2 is a schematic structural diagram of a network security device risk assessment apparatus according to an embodiment of the present invention.
  • the method according to the embodiment of the present invention may be applied to a single device in a network security system, and the network security device may be a device such as a router, a firewall, a behavior manager, and a core switch, but is not limited thereto.
  • the method according to the embodiment of the present invention solves the technical problem of the related art that the analysis of the configuration results of a network security device by a specific product is not comprehensive, so that the final evaluation result cannot accurately, effectively and comprehensively reflect the security status of the network security device.
  • FIG. 1 is a schematic flowchart of Embodiment 1 of a method for risk assessment of a network security device according to an embodiment of the present disclosure. This embodiment relates to a specific process for implementing a risk assessment method for a network security device. As shown in Figure 1, the method includes:
  • Step S101: determine a predetermined risk pool, where the risk database includes multiple risk items.
  • the user may customize the risk pool according to business risk requirements, based on the standard risk database provided by the unified security policy management system, where the risk database includes all vulnerability information of the device and each vulnerability is defined as a risk item.
  • for example, the administrator password of the device is the default value, the Telnet service is open on the device, and so on, but the risk items are not limited thereto.
  • each risk item has an identification code and a description content, and each risk item (also referred to as a vulnerability) is analyzed in detail and represented by corresponding fields; the fields of each risk item include, but are not limited to, the risk item identifier, the description content, the risk value caused by the risk item, the relationship between this risk item and other risk items, and the like.
  • step S102 the valid configuration information related to the risk item in the device to be evaluated is extracted, and the risk item triggered by the device to be evaluated is obtained according to the risk analysis result of the effective configuration information.
  • the unified security policy management system can connect remotely to the device to be evaluated through SSH (Secure Shell) and extract the original configuration information of the device to be evaluated according to the configuration information of the risk items in the risk database. Extracting the valid information related to the risk items in the device to be evaluated means extracting all relevant valid configuration information that may carry a vulnerability, forming normalized data, performing risk analysis according to the predetermined risk database, and obtaining the risk items the device to be evaluated has triggered.
  • for example, the valid data in the original configuration information of the device to be evaluated, such as the password validity period, is extracted into the field of the normalized format that holds the password validity period; the value of that field is the collected password validity period, but this is not limited thereto.
  • step S103 the risk item in the predetermined risk pool and the risk item triggered by the device to be evaluated are respectively analyzed, and a corresponding calculation method is adopted to obtain a security status value of the device to be evaluated.
  • the risk item in the selected risk database may be analyzed according to the risk database selected by the user, and the risk item triggered by the device to be evaluated may be analyzed, and the risk value and the risk item of the risk item may be analyzed.
  • the relationship between the risk value of the triggering risk item and the triggering risk item may be analyzed, and the corresponding analysis method is adopted to obtain the safety state value of the device to be evaluated.
  • a risk assessment method for a network security device: by determining a predetermined risk database, extracting the valid configuration information related to the risk items in the device to be evaluated, obtaining the risk items triggered by the device to be evaluated according to the risk analysis result of the valid configuration information, separately analyzing the risk items in the predetermined risk pool and the risk items triggered by the device to be evaluated, and adopting a corresponding calculation method, the security status value of the device to be evaluated is obtained.
  • the foregoing technical solution calculates the security status value of the device to be evaluated by analyzing the risk value of each risk item, the relationship between the risk items, and the number of triggers of each risk item triggered by the device to be evaluated, and can therefore indicate the current device security status more intuitively, accurately and effectively.
  • before step S101 determines the predetermined risk pool, the method further includes:
  • a risk type of a configuration type is collected in advance, and the configuration type includes a baseline library and/or an ACL (Access Control List) library.
  • the risk assessment in the embodiment of the present invention is triggered from the perspective of the risk items: the predetermined analysis method is used to determine whether the configuration of the device to be evaluated has a risk item, and the risk value of the risk item is used to determine the security status value of the device to be evaluated. Therefore, the pre-processing needs to collect and describe the configuration information of the device to be evaluated and form the risk database required for configuration types such as baseline analysis and/or ACL risk analysis.
  • the formation of the risk library refers to the current related vulnerability library, such as CVE.
  • the pre-collected risk pools may be classified according to the configuration type, and the risk pool is specifically divided into a baseline module baseline pool and an ACL risk pool, so that they can be separately used for baseline analysis. And ACL risk analysis.
  • analyzing the risk items in the predetermined risk pool including:
  • the Common Vulnerability Scoring System (CVSS) 3.0 scoring method is used to analyze the risk value of the risk items in the predetermined risk database; for example, in this embodiment the CVSS v3.0 scoring method can be used to analyze and obtain the risk value of each risk item in the predetermined risk database.
  • the risk database used for analysis may be a standard library or a total risk library provided by the unified security policy management system, or a risk library customized by the user according to the user's needs.
  • the total number of risk items in the predetermined risk database is counted, and the risk value of the risk item in the predetermined risk database is analyzed by using the CVSS3.0 scoring method.
  • the unified security policy control system adopts the latest official CVSS 3.0 scoring method, which considers the vulnerability path (attack vector), attack complexity, privileges required, user interaction, confidentiality, integrity, availability and so on, and uses the CVSS 3.0 scoring formula to evaluate the risk value of the current vulnerability and to score the vulnerability.
  • the qualitative analysis divides the score into five levels, serious, high, medium, low and slight, so that the severity of the current vulnerability can be judged at a glance; using the recognized CVSS 3.0 scoring method makes the risk value of the vulnerability more accurate, reliable and credible.
  • the relationship between risk items is mainly used to analyze the relationship between different risk items (i.e., vulnerabilities) in the predetermined risk pool, where the relationship may be defined as follows: for any two risk items (i.e., vulnerabilities) A and B, if every risk pool rule that triggers risk item A must also trigger risk item B, while a risk pool rule that triggers risk item B does not necessarily trigger risk item A, then risk item A is considered to have a relationship with risk item B, in which risk item B contains risk item A.
  • the more ACL rules that trigger the contained risk item (i.e., the vulnerability), the lower the security score.
  • the relationship between the risk items in the risk database is analyzed. The analysis steps are as follows, with three example risk items:
  • risk item R1 checks whether the external network to the internal network is open for rules of the ANY type;
  • risk item R2 checks whether the external network to the internal network is open for the Telnet service;
  • risk item R3 checks whether the external network to the internal network is open for the X11 service.
  • the value R1 needs to be added in the "Vulnerability Relationship" field of risk items R2 and R3. If the relationship between them is not considered here, the ACL rule that triggers the risk item R1 is calculated multiple times (in the example, each ACL rule that triggers R1 is calculated 3 times). This inclusion relationship is taken into account, and the repeated calculation of the ACL rule is removed, and the accuracy of the system security ACL module and the comprehensive security state analysis result of the device is improved.
  • analyzing the risk items triggered by the device to be evaluated including:
  • when the predetermined risk database includes an access control list (ACL) library, one or more of the following are analyzed: the number of triggers of each risk item triggered by the device to be evaluated, the risk value of the risk item, and the relationship between the risk items.
  • the user may analyze, according to the selected ACL risk database, one or more of these three: the number of triggers of each risk item triggered by the device to be evaluated, the risk value of the risk item, and the relationship between the risk items. It should be noted that different risk databases used for analysis yield different detected vulnerability information. This is explained in detail by way of example, as follows:
  • Step 11: perform risk analysis on the normalized ACL policy data according to the risk database selected by the user, and collect the identification (ID) numbers of the ACL policies that trigger each risk item (i.e., vulnerability);
  • Step 12: process the result of step 11 according to the relationship between risk items, removing the ID numbers of ACL policies that would be counted repeatedly, so as to obtain the processed ID numbers of the ACL policies that trigger each risk item;
  • Step 13: count the number of times each risk item is triggered according to the processing result of step 12.
  • each ACL policy ID number represents one trigger. For example, even for a risk item with a low risk value, being triggered once and being triggered 100 times have different risk impact: a risk item with more triggers is used more often, and the more it is used the more likely malicious use becomes, which increases the risk value of the device to be evaluated.
  • Step 14 Obtain an ACL security state value of the device to be evaluated according to the analysis result of steps 11, 12, and 13.
  • the analysis can be performed according to the following calculation process, including:
  • a security status value is obtained from S_n, the total score of the triggered risk items, and S_t, the total score of the untriggered risk items;
  • in this way the security status of the ACL module of the system device is analyzed and the corresponding security status value is obtained.
  • the above analysis method considers the relationship between the risk items and the number of times the risk items are triggered, so the analysis is more comprehensive.
  • the risk value is calculated by CVSS3.0 scoring technology, which is more reliable and credible than the empirical value method.
  • the calculated system security status value is more intuitive, accurate, and effective to indicate the current device security status.
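Steps 11 to 13, together with the containment relationship defined earlier, as an added example that is not code from the patent or from its assignee. It reproduces the R1/R2/R3 situation the text describes: every ACL policy that opens ANY from the external network also opens Telnet and X11, so R2 and R3 carry R1 in their relationship field and a policy that triggers R1 is counted once rather than three times. The normalized policies, the fourth risk item, the risk values and the zone names are constructed; the choice to keep a de-duplicated policy under the contained (more specific) item rather than the containing one is an assumption; and the block stops at the trigger counts and the S_n / S_t totals the text names, since the page does not reproduce the formula that combines them.

```python
# Added example, not code from the patent: Steps 11-13 of the ACL analysis,
# with the risk-item containment relationship the text defines.
# Policies, risk items and risk values are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class AclPolicy:
    policy_id: str   # the ACL policy identification number of Step 11
    src_zone: str
    dst_zone: str
    action: str      # "permit" or "deny"
    service: str     # normalized service name; "any" covers every service


@dataclass
class AclRiskItem:
    item_id: str
    description: str
    risk_value: float          # assumed CVSS-style risk value
    src_zone: str
    dst_zone: str
    service: str
    contains: Set[str] = field(default_factory=set)  # the "Vulnerability Relationship" field

    def triggered_by(self, p: AclPolicy) -> bool:
        return (p.action == "permit" and p.src_zone == self.src_zone
                and p.dst_zone == self.dst_zone
                and p.service in ("any", self.service))


# The text's example: every policy opening ANY also opens Telnet and X11, so
# R2 and R3 contain R1 and carry R1 in their relationship field.
ACL_POOL = [
    AclRiskItem("R1", "external->internal open for ANY", 9.8, "external", "internal", "any"),
    AclRiskItem("R2", "external->internal open for Telnet", 7.5, "external", "internal", "telnet", {"R1"}),
    AclRiskItem("R3", "external->internal open for X11", 6.5, "external", "internal", "x11", {"R1"}),
    AclRiskItem("R4", "internal->external open for Telnet", 4.3, "internal", "external", "telnet"),
]

# Constructed normalized ACL policies of the device to be evaluated.
POLICIES = [
    AclPolicy("P1", "external", "internal", "permit", "any"),
    AclPolicy("P2", "external", "internal", "permit", "telnet"),
    AclPolicy("P3", "external", "internal", "permit", "x11"),
    AclPolicy("P4", "external", "internal", "permit", "any"),
    AclPolicy("P5", "internal", "external", "permit", "https"),
    AclPolicy("P6", "external", "internal", "deny", "any"),
]


def raw_triggers(pool, policies) -> Dict[str, Set[str]]:
    """Step 11: the policy IDs triggering each risk item, before de-duplication."""
    return {item.item_id: {p.policy_id for p in policies if item.triggered_by(p)}
            for item in pool}


def check_relationships(pool, triggers) -> List[str]:
    """Consistency check of the declared field against the evaluated policies:
    if B declares that it contains A, every policy triggering A must trigger B."""
    problems = []
    for b in pool:
        for a in b.contains:
            only_a = triggers[a] - triggers[b.item_id]
            if only_a:
                problems.append(f"{b.item_id} declares it contains {a}, "
                                f"but {sorted(only_a)} trigger only {a}")
    return problems


def deduplicate(pool, triggers) -> Dict[str, Set[str]]:
    """Step 12: a policy already counted under a contained item is removed from
    the items that contain it (assumption: the contained, more specific item keeps it)."""
    result = {k: set(v) for k, v in triggers.items()}
    for b in pool:
        for a in b.contains:
            result[b.item_id] -= triggers[a]
    return result


def analyze_acl(pool, policies) -> dict:
    """Steps 11-13, plus S_n and S_t, the totals the text names as inputs to
    the ACL security status value."""
    raw = raw_triggers(pool, policies)
    problems = check_relationships(pool, raw)
    dedup = deduplicate(pool, raw)
    counts = {k: len(v) for k, v in dedup.items()}      # Step 13: one policy ID = one trigger
    triggered = {k for k, n in counts.items() if n > 0}
    s_n = round(sum(i.risk_value for i in pool if i.item_id in triggered), 1)
    s_t = round(sum(i.risk_value for i in pool if i.item_id not in triggered), 1)
    return {"trigger_counts": counts, "s_n": s_n, "s_t": s_t,
            "relationship_problems": problems}


if __name__ == "__main__":
    print(analyze_acl(ACL_POOL, POLICIES))
```

Without Step 12, the two ANY policies would be counted under R1, R2 and R3 alike (six triggers instead of four), which is exactly the over-counting the text says the relationship field removes. The consistency check is there for the case the text warns about, a user-customized risk pool: a declared containment that the evaluated policies contradict is reported rather than silently applied.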
  • analyzing the risk items triggered by the device to be evaluated including:
  • the predetermined risk database includes a baseline library, the risk value of the risk item triggered by the device to be evaluated is analyzed.
  • the user may analyze the risk value of each risk item according to the selected baseline risk database, and perform the risk analysis of the baseline module according to the normalized baseline module data.
  • the baseline library used for analysis here may be a baseline library provided by the unified security policy management system, or a baseline library customized by the user according to his own business needs, and the selected baseline library is different, and the final evaluation result is also different.
  • Step 21: select all baseline libraries related to the baseline from the risk database; the user analyzes the normalized baseline data of the device to be evaluated according to the selected baseline library;
  • Step 22: calculate the security status value according to the triggered risk items (i.e., vulnerabilities) detected in step 21 and the risk values of those risk items;
  • the total number of risk items M in the predetermined risk database can be calculated according to the calculation formula (2):
  • based on the triggered risk items (i.e., vulnerabilities) and the risk values of the risk items, the security status of the baseline module of the system device is analyzed, and the corresponding security status value is obtained.
  • the above analysis method uses the CVSS3.0 scoring technique for the calculation of the risk value of the risk item (ie, the vulnerability), and the method is more reliable and credible than the empirical value method.
  • the calculated system security status value is more intuitive, accurate, and effective to indicate the current device security status.
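Step S102 (extracting the valid configuration fields into normalized data) followed by the baseline analysis of Steps 21 and 22, as an added example that is not code from the patent or from its assignee. The raw configuration dump, its vendor-neutral command syntax, the normalized field names, the baseline items beyond the two the text names (default administrator password, Telnet open), their risk values and the reading of a password max-age of 0 as "never expires" are all constructed or assumed. As for the ACL case, the block stops at the triggered items and the S'_n / S'_t totals, since the page does not reproduce the formula that combines them.

```python
# Added example, not code from the patent: Step S102 (normalized extraction of
# the valid configuration fields) followed by the baseline analysis of Steps
# 21-22. The raw configuration, field names and risk items are constructed.
import re
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed raw configuration of the device to be evaluated, vendor-neutral syntax.
RAW_CONFIG = """\
hostname edge-fw-01
user admin password admin privilege 15
password max-age 0
telnet server enable
ssh server enable
snmp-agent community public read
"""

# Only fields a risk item can reference are kept, each under a normalized name.
EXTRACTORS = {
    "admin_password":        re.compile(r"^user admin password (\S+)"),
    "password_max_age_days": re.compile(r"^password max-age (\d+)"),
    "telnet_enabled":        re.compile(r"^telnet server (enable|disable)"),
    "ssh_enabled":           re.compile(r"^ssh server (enable|disable)"),
    "snmp_community":        re.compile(r"^snmp-agent community (\S+)"),
}


def normalize(raw: str) -> Dict[str, object]:
    """Step S102: reduce the raw configuration to typed, normalized fields."""
    fields: Dict[str, object] = {}
    for line in raw.splitlines():
        for name, pattern in EXTRACTORS.items():
            match = pattern.match(line.strip())
            if match:
                fields[name] = match.group(1)
    if "password_max_age_days" in fields:
        fields["password_max_age_days"] = int(fields["password_max_age_days"])
    for name in ("telnet_enabled", "ssh_enabled"):
        if name in fields:
            fields[name] = fields[name] == "enable"
    return fields


@dataclass
class BaselineItem:
    item_id: str
    description: str
    risk_value: float               # assumed CVSS-style risk value
    check: Callable[[Dict], bool]   # True when the normalized fields trigger the item


# Constructed baseline library; B1 and B2 are the examples the text names.
BASELINE_POOL = [
    BaselineItem("B1", "administrator password is a default value", 9.8,
                 lambda f: f.get("admin_password") in {"admin", "password", "123456"}),
    BaselineItem("B2", "Telnet service is open", 7.5,
                 lambda f: f.get("telnet_enabled") is True),
    # Assumption: max-age 0 means the password never expires.
    BaselineItem("B3", "password validity period unset or over 90 days", 5.3,
                 lambda f: f.get("password_max_age_days", 0) == 0
                 or f["password_max_age_days"] > 90),
    BaselineItem("B4", "SNMP community is a default value", 7.5,
                 lambda f: f.get("snmp_community") in {"public", "private"}),
    BaselineItem("B5", "SSH service is not enabled", 3.1,
                 lambda f: f.get("ssh_enabled") is not True),
]


def analyze_baseline(raw: str, pool) -> dict:
    """Steps 21-22: the triggered items and the S'_n / S'_t totals of risk values."""
    fields = normalize(raw)
    triggered = [item.item_id for item in pool if item.check(fields)]
    s_n = round(sum(i.risk_value for i in pool if i.item_id in triggered), 1)
    s_t = round(sum(i.risk_value for i in pool if i.item_id not in triggered), 1)
    return {"fields": fields, "triggered": triggered, "s_n": s_n, "s_t": s_t}


if __name__ == "__main__":
    print(analyze_baseline(RAW_CONFIG, BASELINE_POOL))
```

Keeping the checks as predicates over normalized fields, rather than regular expressions over the raw dump, is what lets a single baseline library be reused across device types: only the extractor table changes per vendor, and a field the device does not expose simply leaves the corresponding item untriggered or, as for the password validity period, triggers the "unset" branch.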
  • when the predetermined risk database includes both a baseline library and an access control list (ACL) library, the risk items in the predetermined risk database and the risk items triggered by the device to be evaluated are analyzed separately and the corresponding calculation method is applied to obtain the security status value of the device to be evaluated, which is described in detail by way of example, as follows:
  • Step 31: determine whether the device to be evaluated supports ACL risk analysis. If supported, perform the security status analysis of the ACL module in the same manner as for the ACL risk database in the above embodiment; if not supported, do not perform it;
  • Step 32: perform the security status analysis of the baseline module on the device to be evaluated, in the same manner as for the baseline library in the above embodiment;
  • Step 33 Analyze the comprehensive security status of the device according to the analysis results of step 31 and step 32.
  • S_n is the total score of the risk items triggered when the ACL library is accessed;
  • S_t is the total score of the risk items not triggered when the ACL library is accessed;
  • S'_n is the total score of the risk items triggered when the baseline library is accessed, and S'_t is the total score of the risk items not triggered when the baseline library is accessed.
  • through the analysis of the comprehensive security status of the device to be evaluated, the information on the triggered risk items (i.e., vulnerabilities) detected by the baseline analysis and the ACL analysis, the risk values of the risk items and the number of times each risk item is triggered are used to analyze the comprehensive security status of the system device and obtain the corresponding security status value.
  • the above analysis method considers the relationship between the risk items and the number of times the risk items are triggered, and the analysis is more comprehensive.
  • the risk value is calculated using the CVSS 3.0 scoring technique, which is more reliable and credible than the empirical method in the related art.
  • the calculated system security status value is more intuitive, accurate, and effective to indicate the current device security status.
  • FIG. 2 is a schematic structural diagram of a network security device risk assessment apparatus according to an embodiment of the present invention.
  • a network security device risk assessment apparatus includes a determining module 10, an extraction module 20 and an evaluation module 30;
  • the determining module 10 is configured to determine a predetermined risk database, where the risk database includes configuration information of multiple risk items, where the configuration information includes an identification code and a description content of the risk item;
  • the extraction module 20 is configured to extract the valid configuration information related to the risk item in the device to be evaluated, and obtain the risk item triggered by the device to be evaluated according to the risk analysis result of the effective configuration information;
  • the evaluation module 30 is configured to separately analyze the risk item in the predetermined risk pool and the risk item triggered by the device to be evaluated, and adopt a corresponding calculation method to obtain a security status value of the device to be evaluated.
  • a risk assessment apparatus for a network security device includes a determining module, an extraction module and an evaluation module. The determining module determines the predetermined risk database; the extraction module extracts the valid configuration information related to the risk items in the device to be evaluated and obtains, according to the risk analysis result of the valid configuration information, the risk items triggered by the device to be evaluated; and the evaluation module separately analyzes the risk items in the predetermined risk database and the risk items triggered by the device to be evaluated and adopts a corresponding calculation method to obtain the security status value of the device to be evaluated.
  • the foregoing technical solution calculates the security status value of the device to be evaluated by analyzing the risk value of the risk item, the relationship between the risk items, and the number of triggers of each risk item triggered by the risk item of the device to be evaluated. This makes the current device security status more intuitive, accurate and effective.
  • the device further includes: a pre-processing module 40;
  • the pre-processing module 40 is configured to pre-collect a risk database of a configuration type, including a baseline library and/or an access control list ACL library, before determining a predetermined risk pool.
  • the device provided by the embodiment of the present invention may perform the foregoing method embodiments, and the implementation principles and technical effects thereof are similar, and details are not described herein again.
  • the evaluating module 30 implements analyzing the risk items in the predetermined risk pool by:
  • the evaluating module 30 implements analyzing, by using the following manner, a risk item that has been triggered by the device to be evaluated:
  • when the predetermined risk database includes an access control list (ACL) library, analyzing one or more of the number of triggers of each risk item triggered by the device to be evaluated, the risk value of the risk item, and the relationship between the risk items.
  • the device provided by the embodiment of the present invention may perform the foregoing method embodiments, and the implementation principles and technical effects thereof are similar, and details are not described herein again.
  • the evaluation module 30 analyzes the risk items triggered by the device to be evaluated in the following manner:
  • the predetermined risk database includes a baseline library, the risk value of the risk item triggered by the device to be evaluated is analyzed.
  • the device provided by the embodiment of the present invention may perform the foregoing method embodiments, and the implementation principles and technical effects thereof are similar, and details are not described herein again.
  • the embodiment of the present invention further provides a computer readable storage medium, where the computer readable storage medium stores computer executable instructions, and when the computer executable instructions are executed, implements a risk assessment method of the network security device.
  • each module/unit in the above embodiments may be implemented in the form of hardware, for example by an integrated circuit that implements its corresponding function, or in the form of a software function module, for example by a processor executing a program or instructions stored in a memory to implement its corresponding function.
  • This application is not limited to any specific combination of hardware and software.

Abstract

A risk assessment method and apparatus for a network security device, the method comprising: extracting effective configuration information related to the risk segment in a device to be assessed by determining a predetermined risk repository, and acquiring, according to a risk analysis result of the effective configuration information, a risk segment triggering the device to be assessed, analysing risk segments in the predetermined risk repository and a risk segment triggered by the device to be assessed, and adopting the corresponding calculation method to obtain a security state value of the device to be assessed. The above-mentioned technical solution performs the corresponding calculation by analysing a risk value of a risk segment, the correlation between risk segments and the number of triggers of each risk segment triggered by a risk segment of the device to be assessed so as to obtain a security state value of the device to be assessed, thereby demonstrating a current security state of a device more intuitively, accurately and effectively.

Description

一种网络安全设备的风险评估方法和装置Method and device for risk assessment of network security equipment 技术领域Technical field
本文涉及但不限于网络安全技术领域,涉及一种网络安全设备的风险评估方法和装置。This document relates to, but is not limited to, the field of network security technologies, and relates to a method and device for risk assessment of network security devices.
背景技术Background technique
目前,随着互联网技术的不断发展,网络安全问题日益突出,企业网络中的多个位置都会部署防火墙、入侵防御系统、防病毒等安全产品,其中,企业与外网、商业合作伙伴之间的业务需求会时刻发生变化,并且公共漏洞和暴露(Common Vulnerabilities & Exposures,简称:CVE)、国家信息安全漏洞共享平台(China National Vulnerability Database,简称:CNVD)等权威机构时刻发布新发现的漏洞,这些都要求企业网络管理人员对网络安全设备的配置进行变更,从而保障企业网络的安全。At present, with the continuous development of Internet technology, network security issues are becoming more and more prominent. Security products such as firewalls, intrusion prevention systems, and anti-virus are deployed in multiple locations in enterprise networks, among which enterprises and external networks and business partners Business needs will change at any time, and authorities such as Common Vulnerabilities & Exposures (CVE) and China National Vulnerability Database (CNVD) will release newly discovered vulnerabilities. Enterprise network administrators are required to change the configuration of network security devices to ensure the security of the enterprise network.
相关技术中,企业网络管理人员会通过开放防火墙端口,以便与商业合作伙伴进行业务交流,或者关闭端口,避免被漏洞利用等办法来对网络安全设备的配置进行变更,同时通过特定的产品对网络安全设备的配置进行核查,以便及时发现配置中的漏洞。In related technologies, enterprise network administrators can open firewall ports to communicate with business partners, or close ports to avoid the use of exploits to change the configuration of network security devices, and to network through specific products. The configuration of the security device is checked to detect vulnerabilities in the configuration in a timely manner.
但是,相关技术通过特定的产品来对网络安全设备配置结果的分析考虑并不全面,使得最终评估的结果不能准确、有效、多方面的反映网络安全设备的安全状态。However, the related technologies do not comprehensively analyze the configuration results of network security devices through specific products, so that the results of the final evaluation cannot accurately, effectively and comprehensively reflect the security status of network security devices.
Summary of the invention
The following is an overview of the subject matter described in detail herein. This summary is not intended to limit the scope of the claims.
Embodiments of the present invention provide a risk assessment method and apparatus for a network security device, which can indicate the current security state of the device more intuitively, accurately and effectively.
An embodiment of the present invention provides a risk assessment method for a network security device, the method comprising:
determining a predetermined risk library, the risk library comprising a plurality of risk items;
extracting, from the device to be evaluated, the valid configuration information related to the risk items, and obtaining the risk items triggered by the device to be evaluated according to the risk analysis result of the valid configuration information;
separately analyzing the risk items in the predetermined risk library and the risk items triggered by the device to be evaluated, and applying a corresponding calculation method to obtain a security state value of the device to be evaluated.
Compared with the related art, the embodiment of the present invention provides a risk assessment method for a network security device: a predetermined risk library is determined, the valid configuration information related to the risk items is extracted from the device to be evaluated, the risk items triggered by the device to be evaluated are obtained according to the risk analysis result of the valid configuration information, the risk items in the predetermined risk library and the risk items already triggered by the device to be evaluated are analyzed separately, and a corresponding calculation method is applied to obtain the security state value of the device to be evaluated. The above technical solution computes the security state value of the device to be evaluated by analyzing the risk value of each risk item, the association relationships between risk items, and the number of times each triggered risk item of the device to be evaluated has been triggered, and can therefore indicate the current security state of the device more intuitively, accurately and effectively.
An embodiment of the present invention further provides a risk assessment apparatus for a network security device, the apparatus comprising a determining module, an extracting module and an evaluating module;
the determining module is configured to determine a predetermined risk library, the risk library comprising configuration information of a plurality of risk items, the configuration information comprising an identification code and description content of each risk item;
the extracting module is configured to extract, from the device to be evaluated, the valid configuration information related to the risk items, and to obtain the risk items triggered by the device to be evaluated according to the risk analysis result of the valid configuration information;
the evaluating module is configured to separately analyze the risk items in the predetermined risk library and the risk items triggered by the device to be evaluated, and to apply a corresponding calculation method to obtain the security state value of the device to be evaluated.
Compared with the related art, the embodiment of the present invention provides a risk assessment apparatus for a network security device: the determining module determines a predetermined risk library, the extracting module extracts from the device to be evaluated the valid configuration information related to the risk items and obtains the risk items triggered by the device to be evaluated according to the risk analysis result of the valid configuration information, and the evaluating module separately analyzes the risk items in the predetermined risk library and the risk items already triggered by the device to be evaluated and applies a corresponding calculation method to obtain the security state value of the device to be evaluated. The above technical solution computes the security state value of the device to be evaluated by analyzing the risk value of each risk item, the association relationships between risk items, and the number of times each triggered risk item of the device to be evaluated has been triggered, and can therefore indicate the current security state of the device more intuitively, accurately and effectively.
An embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the risk assessment method for a network security device.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Brief description of the drawings
The drawings are provided for a further understanding of the technical solution of the present application and constitute a part of the specification; together with the embodiments of the present application they serve to explain the technical solution of the present application and do not constitute a limitation of it.
FIG. 1 is a schematic flowchart of a risk assessment method for a network security device according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a risk assessment apparatus for a network security device according to an embodiment of the present invention.
Detailed description
Embodiments of the present application are described in detail below with reference to the accompanying drawings. It should be noted that, where no conflict arises, the embodiments of the present application and the features in the embodiments may be combined with one another arbitrarily.
The steps shown in the flowchart of the drawings may be executed in a computer system such as a set of computer-executable instructions. Moreover, although a logical order is shown in the flowchart, in some cases the steps shown or described may be executed in an order different from that described here.
The method according to the embodiment of the present invention may be applied to a single device in a network security system; the network security device may be a router, a firewall, a behavior manager, a core switch or a similar device, but is not limited to these.
The method according to the embodiment of the present invention solves the technical problem in the related art that the analysis of network security device configuration results by specific products is not comprehensive, so that the final assessment result cannot accurately, effectively and comprehensively reflect the security status of the network security device.
The technical solution of the present application is described in detail below with specific embodiments. The following specific embodiments may be combined with one another, and the same or similar concepts or processes may not be repeated in other embodiments.
FIG. 1 is a schematic flowchart of Embodiment 1 of a risk assessment method for a network security device according to an embodiment of the present invention. This embodiment concerns the specific process of implementing the risk assessment method for a network security device. As shown in FIG. 1, the method includes:
Step S101: determining a predetermined risk library, the risk library comprising a plurality of risk items;
In this embodiment, the user may use the standard risk library provided by the unified security policy management system, or may customize a risk library according to business requirements to suit the needs of the enterprise. The risk library includes all vulnerability information of the device, and each vulnerability is defined here as one risk item, for example: the administrator password of the device is the default value, the device has the Telnet service enabled, and so on, but it is not limited to these.
In this embodiment, each risk item has an identification code and description content. Each risk item (also referred to simply as a vulnerability) has been analyzed in detail and is represented by corresponding fields. The fields of each risk item include the risk item identification code, the description content, the magnitude of the risk value brought by the risk item, the association relationships between this risk item and other risk items, and so on, but are not limited to these.
Step S102: extracting, from the device to be evaluated, the valid configuration information related to the risk items, and obtaining the risk items triggered by the device to be evaluated according to the risk analysis result of the valid configuration information.
In this embodiment, the unified security policy management system may connect remotely to the device to be evaluated via SSH (Secure Shell) and extract the original configuration information of the device to be evaluated according to the configuration information of the risk items in the risk library, i.e. extract the valid information in the device to be evaluated that is related to the risk items. In other words, all relevant valid configuration information in which vulnerabilities may exist is extracted to form normalized data, the normalized data is risk-analyzed against the predetermined risk library, and the risk items already triggered by the device to be evaluated are obtained. For example, if the risk library contains a risk item concerning the validity period of the administrator password, the valid data in the original configuration information of the device to be evaluated, namely the password validity period, is extracted, a password validity period field is defined in the normalized format, and the value of that field is the collected password validity period; this is, however, not limiting.
Step S103: separately analyzing the risk items in the predetermined risk library and the risk items triggered by the device to be evaluated, and applying a corresponding calculation method to obtain the security state value of the device to be evaluated.
In this embodiment, the risk items in the risk library selected by the user may be analyzed, and the risk items triggered by the device to be evaluated may be analyzed; the analysis may cover the risk values of the risk items and the association relationships between risk items, and may likewise cover the risk values of the triggered risk items and the association relationships between triggered risk items. A corresponding calculation method is then applied to the separately analyzed results to obtain the security state value of the device to be evaluated.
The risk assessment method for a network security device provided by the embodiment of the present invention determines a predetermined risk library, extracts from the device to be evaluated the valid configuration information related to the risk items, obtains the risk items triggered by the device to be evaluated according to the risk analysis result of the valid configuration information, analyzes the risk items in the predetermined risk library and the risk items already triggered by the device to be evaluated, and applies a corresponding calculation method to obtain the security state value of the device to be evaluated. The above technical solution computes the security state value of the device to be evaluated by analyzing the risk value of each risk item, the association relationships between risk items, and the number of times each triggered risk item of the device to be evaluated has been triggered, and can therefore indicate the current security state of the device more intuitively, accurately and effectively.
Optionally, on the basis of the above embodiment, before step S101 of determining the predetermined risk library, the method further includes:
collecting in advance a risk library of a configuration type, the configuration type comprising a baseline library and/or an ACL (Access Control List) library.
In this embodiment, the risk assessment of the embodiment of the present invention is driven from the perspective of risk items: a predetermined analysis method is used to judge whether risk items exist in the configuration of the device to be evaluated, and the risk values of those risk items are combined to judge the security state value of the device to be evaluated. Therefore, during pre-processing the configuration information of the device to be evaluated needs to be collected and described, forming the risk libraries required for configuration types such as baseline analysis and/or ACL risk analysis. The formation of the risk library refers to current related vulnerability databases, such as CVE (Common Vulnerabilities & Exposures); it may also refer to device configuration specification requirements, such as the NIST (National Institute of Standards and Technology) firewall configuration guidelines, and may further refer to some general standards, such as baseline standards, compliance standards, PCI (Peripheral Component Interconnect) standards and so on, but is not limited to these.
In this embodiment, the pre-collected risk libraries may be classified by configuration type: the risk library is specifically divided into a baseline library for the baseline module and an ACL risk library, so that they can be used respectively for baseline analysis and ACL risk analysis.
Optionally, on the basis of the above embodiment, analyzing the risk items in the predetermined risk library includes:
counting the total number of risk items in the predetermined risk library;
analyzing the risk values of the risk items in the predetermined risk library using the CVSS 3.0 (Common Vulnerability Scoring System) scoring method; for example, in this embodiment the CVSS v3.0 scoring method may be used to obtain the risk values of the risk items in the predetermined risk library;
determining whether an association relationship exists between any two risk items in the predetermined risk library; if triggering a first risk item necessarily triggers a second risk item, while triggering the second risk item does not trigger the first risk item, then an association exists between the first risk item and the second risk item.
In this embodiment, the risk library used for the analysis may be the standard library or the master risk library provided by the unified security policy management system, or a custom risk library assembled by the user according to its own business needs to suit its own enterprise.
In this embodiment, the total number of risk items in the predetermined risk library is counted, and the risk values of the risk items in the predetermined risk library are obtained with the CVSS 3.0 scoring method. The unified security policy management system adopts the latest official CVSS 3.0 scoring method, which considers a vulnerability from the angles of attack vector, attack complexity, privileges required, user interaction, confidentiality, integrity, availability and so on; the CVSS 3.0 scoring formula is used to assess the risk value of the current vulnerability, and the vulnerability score is analyzed qualitatively and divided into five levels, critical, high, medium, low and slight, so that the severity of the current vulnerability can be judged intuitively. Using the widely recognized CVSS 3.0 scoring method makes the risk value of a vulnerability more accurate, reliable and credible.
The association relationship between risk items is mainly used to analyze the relationship between different risk items (i.e. vulnerabilities) in the predetermined risk library. The association relationship can be defined as follows: for any two risk items (vulnerabilities) A and B in the risk library, if every risk library rule that triggers risk item A necessarily also triggers risk item B, while a risk library rule that triggers risk item B does not necessarily trigger risk item A, then risk item A and risk item B are considered to be associated, with risk item B containing risk item A. It follows from the definition that if this containment relationship is not taken into account when computing the device's security score, the ACL rules that trigger the contained risk item (vulnerability) are counted multiple times, raising the device's risk score and lowering its security score. In practice, the risk items in the risk library are analyzed for association relationships according to the above definition in the following steps:
(1) For any two risk items A and B in the predetermined risk library, analyze according to the definition of the association relationship whether the two risk items are associated;
(2) If risk items A and B in (1) are associated and B contains A, add the vulnerability ID of risk item A to the "vulnerability association" field of risk item B.
For example, suppose risk item R1 checks whether rules from the external network to the internal network open services of type ANY, risk item R2 checks whether the Telnet service is open from the external network to the internal network, and risk item R3 checks whether the X11 service is open from the external network to the internal network. Analyzing the association relationships among R1, R2 and R3 leads to the conclusion that an ACL rule triggering risk item R1 necessarily also triggers risk items R2 and R3. Therefore the value R1 needs to be added to the "vulnerability association" field of risk items R2 and R3. If the association between them were not considered, the ACL rules triggering risk item R1 would be counted multiple times (in this example, each ACL rule triggering R1 would be counted three times). Taking this containment relationship into account removes the repeatedly counted ACL rules and improves the accuracy of the analysis results for the system device's ACL module and for the device's overall security state.
Optionally, on the basis of the above embodiment, analyzing the risk items triggered by the device to be evaluated includes:
if the predetermined risk library includes an access control list (ACL) library, analyzing one or more of the following three: the number of times each risk item triggered by the device to be evaluated is triggered, the risk values of the risk items, and the association relationships between the risk items.
In this embodiment, if the predetermined risk library contains multiple types of ACL risk library, the user may, according to the selected ACL risk library, analyze one or more of the number of times each risk item of the device to be evaluated is triggered, the risk values of the risk items, and the association relationships between the risk items. It should be noted that analyses using different risk libraries detect different vulnerability information. This is explained in detail below by way of example:
Step 11: perform risk analysis on the normalized ACL policy data according to the risk library selected by the user, and record the identification numbers of the ACL policies that trigger each risk item (i.e. vulnerability);
Step 12: process the result of step 11 according to the association relationships between risk items, removing the ID numbers of repeatedly counted ACL policies, to obtain the processed ID numbers of the ACL policies triggering each risk item;
Step 13: count the number of times each risk item is triggered according to the processing result of step 12, where one ACL policy ID number represents one trigger. For example, for a risk item with a low risk value, being triggered once and being triggered 100 times have different security impacts on the system. A risk item with a higher number of triggers indicates that it is used more often, and the more it is used, the more opportunities for malicious use there are, which increases the risk value of the device to be evaluated.
Step 14: obtain the ACL security state value of the device to be evaluated according to the analysis results of steps 11, 12 and 13.
For step 14 above, the analysis can be performed according to the following calculation process:
Count the total number M of risk items in the predetermined risk library and the total number x_i (i = 1, 2, ..., n) of ACL rules triggering each risk item; the calculation is performed according to formula (1):
[Formula (1): equation image PCTCN2017073933-appb-000001, not reproduced]
to obtain the security state value, where S_n is the total score of the triggered risk items, S_t is the total score of the untriggered risk items, [equation image PCTCN2017073933-appb-000002, not reproduced], [equation image PCTCN2017073933-appb-000003, not reproduced], the weight value R_i is the risk value of the risk item, i = 1, 2, 3, ..., n are the triggered risk items, n is less than or equal to M, M is a positive integer, i = n+1, ..., M are the untriggered risk items, and x_i is a positive integer greater than or equal to 1.
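The association analysis of steps (1) and (2) and the ACL trigger statistics of steps 11 to 13 above, as an added Python example that is not part of the patent: risk items R1 to R4, their CVSS scores, the zone names, the device's ACL policies and the S_n/S_t sums are constructed assumptions, and the patent's formula (1) itself (an image on the page) is not reproduced.

```python
"""Association-aware ACL trigger statistics (added example, not the patent's code).
Risk items R1-R4, CVSS scores, zone names, ACL policies and the Sn/St sums are
constructed assumptions; the patent's own formula (1) is not reproduced."""
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class AclPolicy:
    """One normalized ACL policy of the device (constructed format)."""
    policy_id: int
    src_zone: str
    dst_zone: str
    service: str  # "ANY", "telnet", "x11", "ftp" or "https"
    action: str   # "permit" or "deny"


@dataclass
class RiskItem:
    """Risk library entry: ID, description, CVSS v3.0 base score (R_i), its check,
    and the 'vulnerability association' field: IDs of the items it contains."""
    item_id: str
    description: str
    cvss_base: float
    check: Callable[[AclPolicy], bool]
    associated: Set[str] = field(default_factory=set)


def opens(src: str, dst: str, service: str) -> Callable[[AclPolicy], bool]:
    """Check: a permit policy from src to dst whose service is `service` or ANY."""
    return lambda p: (p.src_zone == src and p.dst_zone == dst
                      and p.action == "permit" and p.service in ("ANY", service))


# Constructed risk library: R1-R3 follow the page's example, R4 is added.
RISK_LIBRARY: List[RiskItem] = [
    RiskItem("R1", "untrust->trust opens service ANY", 9.8, opens("untrust", "trust", "ANY")),
    RiskItem("R2", "untrust->trust opens Telnet", 7.5, opens("untrust", "trust", "telnet")),
    RiskItem("R3", "untrust->trust opens X11", 5.3, opens("untrust", "trust", "x11")),
    RiskItem("R4", "trust->untrust opens Telnet", 3.1, opens("trust", "untrust", "telnet")),
]

# Every normalized rule the checks are defined over ("all risk library rules").
RULE_UNIVERSE: List[AclPolicy] = [
    AclPolicy(0, s, d, svc, act)
    for s, d, svc, act in product(("untrust", "trust"), ("untrust", "trust"),
                                  ("ANY", "telnet", "x11", "ftp", "https"), ("permit", "deny"))
]


def derive_associations(items: List[RiskItem], universe: List[AclPolicy]) -> None:
    """Steps (1)-(2): if every rule triggering A also triggers B but not the
    reverse, B contains A, so A's ID is added to B's association field."""
    hits = {it.item_id: {i for i, r in enumerate(universe) if it.check(r)} for it in items}
    for a, b in product(items, repeat=2):
        if a is not b and hits[a.item_id] and hits[a.item_id] < hits[b.item_id]:
            b.associated.add(a.item_id)


def step11_triggering_policies(items, policies) -> Dict[str, Set[int]]:
    """Step 11: IDs of the device's ACL policies that trigger each risk item."""
    return {it.item_id: {p.policy_id for p in policies if it.check(p)} for it in items}


def step12_deduplicate(items, raw: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """Step 12: a policy already counted for a contained item is removed from the
    containing item, so an ANY rule counts once (under R1), not three times."""
    return {it.item_id: raw[it.item_id].difference(*(raw[c] for c in it.associated))
            for it in items}


def step13_trigger_counts(deduped: Dict[str, Set[int]]) -> Dict[str, int]:
    """Step 13: x_i is the number of remaining policy IDs (one ID = one trigger)."""
    return {k: len(v) for k, v in deduped.items()}


def formula_inputs(items: List[RiskItem], counts: Dict[str, int]) -> dict:
    """Quantities formula (1) consumes: M, triggered (R_i, x_i) pairs, untriggered
    R_i.  Sn and St as plain weighted sums are this example's ASSUMPTION."""
    triggered = {it.item_id: (it.cvss_base, counts[it.item_id])
                 for it in items if counts[it.item_id] >= 1}
    untriggered = {it.item_id: it.cvss_base for it in items if counts[it.item_id] == 0}
    return {"M": len(items), "n": len(triggered), "triggered": triggered,
            "untriggered": untriggered,
            "Sn": sum(r * x for r, x in triggered.values()),  # assumed: sum of R_i * x_i
            "St": sum(untriggered.values())}                  # assumed: sum of R_i


# Constructed normalized ACL policy data of the device to be evaluated.
DEVICE_POLICIES: List[AclPolicy] = [
    AclPolicy(1, "untrust", "trust", "ANY", "permit"),
    AclPolicy(2, "untrust", "trust", "telnet", "permit"),
    AclPolicy(3, "untrust", "trust", "x11", "permit"),
    AclPolicy(4, "untrust", "trust", "https", "permit"),
    AclPolicy(5, "trust", "untrust", "https", "permit"),
    AclPolicy(6, "untrust", "trust", "telnet", "deny"),
    AclPolicy(7, "untrust", "trust", "ANY", "permit"),
]


def evaluate(items=RISK_LIBRARY, policies=DEVICE_POLICIES):
    """Run steps (1)-(2) and 11-13; return (trigger counts, formula (1) inputs)."""
    derive_associations(items, RULE_UNIVERSE)
    raw = step11_triggering_policies(items, policies)
    counts = step13_trigger_counts(step12_deduplicate(items, raw))
    return counts, formula_inputs(items, counts)
```

Without step 12, policies 1 and 7 (service ANY) would be counted for R1, R2 and R3 alike; with it, R2 and R3 keep only their own Telnet and X11 policies.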
In the above process, the security state of the system device's ACL module is analyzed, and the corresponding security state value is obtained, by analyzing the triggered risk items (vulnerabilities) detected by the ACL risk analysis, the risk values of those risk items, and the number of times each risk item is triggered.
The above analysis method takes into account the association relationships between risk items and the number of times risk items are triggered, so the analysis is more comprehensive. The risk values are computed with the CVSS 3.0 scoring technique, which is more reliable and credible than taking empirical values. In addition, the computed system security state value indicates the current security state of the device more intuitively, accurately and effectively.
Optionally, on the basis of the above embodiment, analyzing the risk items triggered by the device to be evaluated includes:
if the predetermined risk library includes a baseline library, analyzing the risk values of the risk items triggered by the device to be evaluated.
In this embodiment, if the predetermined risk library is determined to contain multiple types of baseline risk library, the user may analyze the risk value of each risk item according to the selected baseline risk library and perform the risk analysis of the baseline module on the normalized baseline module data. The baseline library used for the analysis may be the baseline library that comes with the unified security policy management system, or a baseline library customized by the user according to its own business needs; different selected baseline libraries produce different final assessment results. This is explained in detail below by way of example:
Step 21: select from the risk library all baseline libraries related to the baseline, and perform baseline analysis on the normalized baseline data of the device to be evaluated according to the baseline library selected by the user;
Step 22: compute the security state value according to the triggered risk items (vulnerabilities) detected in step 21 and the risk values of those risk items.
In this embodiment, for step 22 above, the analysis can be performed according to the following calculation process:
Count the total number M of risk items in the predetermined risk library; the calculation is performed according to formula (2):
[Formula (2): equation image PCTCN2017073933-appb-000004, not reproduced]
to obtain the security state value, where S'_n is the total score of the triggered risk items, S'_t is the total score of the untriggered risk items, [equation image PCTCN2017073933-appb-000005, not reproduced], [equation image PCTCN2017073933-appb-000006, not reproduced], the weight value R_i is the risk value of the risk item, i = 1, 2, 3, ..., n are the triggered risk items, n is less than or equal to M, and i = n+1, ..., M are the untriggered risk items.
In the above process, the security state of the system device's baseline module is analyzed, and the corresponding security state value is obtained, by analyzing the triggered risk items (vulnerabilities) detected by the baseline analysis and the risk values of those risk items.
The above analysis method computes the risk values of the risk items (vulnerabilities) with the CVSS 3.0 scoring technique, which is more reliable and credible than taking empirical values. In addition, the computed system security state value indicates the current security state of the device more intuitively, accurately and effectively.
Optionally, on the basis of the above embodiment, if the predetermined risk library is determined to include both a baseline library and an access control list (ACL) library, the risk items in the predetermined risk library and the risk items triggered by the device to be evaluated are analyzed separately, and a corresponding calculation method is applied to obtain the security state value of the device to be evaluated. This is explained in detail below by way of example:
Step 31: judge whether the device to be evaluated supports ACL risk analysis; if so, perform the security state analysis of the ACL module, the specific method being the same as for the ACL risk library in the above embodiment; if not, do not perform it;
Step 32: perform the security state analysis of the baseline module on the device to be analyzed, the specific method being the same as for the baseline library in the above embodiment;
Step 33: analyze the overall security state of the device according to the analysis results of steps 31 and 32.
For step 33 above, the calculation can be performed according to formula (3):
[Formula (3): equation image PCTCN2017073933-appb-000007, not reproduced]
where S_n is the total score of the risk items triggered for the access control list (ACL) library, S_t is the total score of the risk items not triggered for the ACL library, S'_n is the total score of the risk items triggered for the baseline library, and S'_t is the total score of the risk items not triggered for the baseline library.
Through the overall security state analysis of the device to be evaluated, the triggered risk item (vulnerability) information detected by the baseline analysis and the ACL analysis, the risk values of the risk items and the number of times the risk items are triggered are analyzed, the overall security state of the system device is analyzed, and the corresponding security state value is obtained.
The above analysis method takes into account the association relationships between risk items and the number of times risk items are triggered, so the analysis is more comprehensive. The risk values are computed with the CVSS 3.0 scoring technique, which is more reliable and credible than the method of taking empirical values in the related art. In addition, the computed system security state value indicates the current security state of the device more intuitively, accurately and effectively.
FIG. 2 is a schematic structural diagram of a risk assessment apparatus for a network security device according to an embodiment of the present invention. As shown in FIG. 2, the risk assessment apparatus for a network security device includes a determination module 10, an extraction module 20 and an evaluation module 30;
the determination module 10 is configured to determine a predetermined risk pool, the risk pool including configuration information for a plurality of risk items, the configuration information including an identification code and description content for each risk item;
the extraction module 20 is configured to extract the effective configuration information related to the risk items from the device to be evaluated, and to obtain the risk items triggered by the device to be evaluated from the risk analysis result of the effective configuration information;
the evaluation module 30 is configured to analyse separately the risk items in the predetermined risk pool and the risk items triggered by the device to be evaluated, and to apply the corresponding calculation method to obtain the security state value of the device to be evaluated.
A risk assessment apparatus for a network security device according to an embodiment of the present invention includes a determination module, an extraction module and an evaluation module. The determination module determines a predetermined risk pool; the extraction module extracts the effective configuration information related to the risk items from the device to be evaluated and obtains the risk items triggered by the device to be evaluated from the risk analysis result of the effective configuration information; and the evaluation module analyses separately the risk items in the predetermined risk pool and the risk items triggered by the device to be evaluated, and applies the corresponding calculation method to obtain the security state value of the device to be evaluated. The technical solution above computes the security state value of the device to be evaluated by analysing the risk value of each risk item, the association relationships between risk items, and the number of times each risk item triggered on the device to be evaluated was triggered, so that the current security state of the device is indicated more intuitively, accurately and effectively.
Optionally, on the basis of the above embodiment, the apparatus further includes a pre-processing module 40;
the pre-processing module 40 is configured to collect risk libraries by configuration type in advance, before the predetermined risk pool is determined, the configuration types including a baseline library and/or an access control list (ACL) library.
The apparatus provided by this embodiment of the present invention can perform the method embodiments above; its implementation principle and technical effect are similar and are not repeated here.
Optionally, on the basis of the above embodiment, the evaluation module 30 analyses the risk items in the predetermined risk pool as follows:
counting the total number of risk items in the predetermined risk pool;
obtaining the risk value of each risk item in the predetermined risk pool using the CVSS 3.0 scoring method;
determining whether an association relationship exists between any two risk items in the predetermined risk pool: if triggering a first risk item necessarily triggers a second risk item, and triggering the second risk item does not trigger the first risk item, then an association exists between the first risk item and the second risk item.
Optionally, on the basis of the above embodiment, the evaluation module 30 analyses the risk items triggered by the device to be evaluated as follows:
if the predetermined risk pool includes an access control list (ACL) library, analysing one or more of: the number of times each risk item triggered by the device to be evaluated was triggered, the risk value of each risk item, and the association relationships between risk items.
The apparatus provided by this embodiment of the present invention can perform the method embodiments above; its implementation principle and technical effect are similar and are not repeated here.
Optionally, on the basis of the above embodiment, the evaluation module 30 analyses the risk items triggered by the device to be evaluated as follows:
if the predetermined risk pool includes a baseline library, analysing the risk value of each risk item triggered by the device to be evaluated.
The apparatus provided by this embodiment of the present invention can perform the method embodiments above; its implementation principle and technical effect are similar and are not repeated here.
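The following is an added example, not code from the patent, covering both the three-step procedure (steps 31 to 33) and the evaluation module's analysis just described: it models a risk pool with an ACL library and a baseline library, performs the association check defined above (triggering the first item necessarily triggers the second, but not the reverse), counts how often each item is triggered by a device's effective configuration, and produces the four totals Sn, St, S'n, S't that formula (3) consumes. The item identifiers, CVSS scores, configuration facts and sample device configuration are all constructed, and representing a trigger condition as a set of configuration facts is this example's own assumption; formula (3) is not reproduced on the page, so the totals are returned rather than combined.

```python
"""Added example, not code from the patent: a toy model of the predetermined
risk pool and of the evaluation module's analysis of it (item count, CVSS 3.0
risk values, the association check, per-item trigger counts, and the totals
Sn, St, S'n, S't that formula (3) consumes).  Item ids, CVSS scores and the
device configuration are constructed; modelling a trigger condition as a set
of configuration facts is this example's assumption, and formula (3) is not
reproduced on the page, so the four totals are returned, not combined."""
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class RiskItem:
    ident: str                 # identification code
    description: str           # description content
    library: str               # "acl" or "baseline"
    cvss_score: float          # CVSS 3.0 base score (assumed, not computed here)
    condition: FrozenSet[str]  # configuration facts that trigger the item

# Constructed risk pool holding an ACL library and a baseline library.
RISK_POOL: List[RiskItem] = [
    RiskItem("ACL-01", "rule permits any source to any destination", "acl", 7.5,
             frozenset({"src_any", "dst_any", "action_permit"})),
    RiskItem("ACL-02", "rule permits any source", "acl", 5.3,
             frozenset({"src_any", "action_permit"})),
    RiskItem("ACL-03", "rule does not log matches", "acl", 3.1, frozenset({"log_off"})),
    RiskItem("BL-01", "telnet management enabled", "baseline", 7.4,
             frozenset({"telnet_enabled"})),
    RiskItem("BL-02", "SNMP community left at default", "baseline", 8.8,
             frozenset({"snmp_community_default"})),
]

def is_associated(first: RiskItem, second: RiskItem) -> bool:
    """first -> second: every configuration that triggers `first` also triggers
    `second` (first's condition strictly contains second's), but not the reverse."""
    return first.condition > second.condition

def associations(pool: List[RiskItem]) -> List[Tuple[str, str]]:
    """All ordered (first, second) pairs of the pool that are associated."""
    return [(a.ident, b.ident) for a, b in permutations(pool, 2) if is_associated(a, b)]

def trigger_counts(pool: List[RiskItem], acl_rules: List[FrozenSet[str]],
                   baseline: FrozenSet[str]) -> Dict[str, int]:
    """Times each item is triggered by the device's effective configuration:
    once per matching ACL rule for ACL items, 0 or 1 for baseline items."""
    counts: Dict[str, int] = {}
    for item in pool:
        if item.library == "acl":
            counts[item.ident] = sum(1 for rule in acl_rules if item.condition <= rule)
        else:
            counts[item.ident] = int(item.condition <= baseline)
    return counts

def score_totals(pool: List[RiskItem], counts: Dict[str, int]) -> Dict[str, float]:
    """Sn/St: triggered/untriggered ACL-library risk-value totals; S'n/S't: the
    same for the baseline library."""
    totals = {"Sn": 0.0, "St": 0.0, "S'n": 0.0, "S't": 0.0}
    for item in pool:
        triggered = counts[item.ident] > 0
        if item.library == "acl":
            totals["Sn" if triggered else "St"] += item.cvss_score
        else:
            totals["S'n" if triggered else "S't"] += item.cvss_score
    return totals

# Constructed effective configuration extracted from a device under evaluation.
SAMPLE_ACL_RULES = [
    frozenset({"src_any", "dst_any", "action_permit", "log_off"}),
    frozenset({"src_any", "dst_host", "action_permit", "log_on"}),
    frozenset({"src_host", "dst_any", "action_deny", "log_off"}),
]
SAMPLE_BASELINE = frozenset({"telnet_enabled", "snmp_community_custom"})

def analyse_device(pool=RISK_POOL, acl_rules=SAMPLE_ACL_RULES, baseline=SAMPLE_BASELINE):
    """Steps 31 to 33 of the page, up to the inputs of formula (3)."""
    counts = trigger_counts(pool, acl_rules, baseline)
    return {"total_items": len(pool), "associations": associations(pool),
            "trigger_counts": counts, "totals": score_totals(pool, counts)}

if __name__ == "__main__":
    for key, value in analyse_device().items():
        print(key, value)
```

With the constructed device, ACL-01 is found associated with ACL-02 (any-to-any permit implies any-source permit), ACL-02 and ACL-03 each trigger twice, and BL-02 is not triggered, so its score lands in S't.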
Although the embodiments of the present application are disclosed as above, the content described consists only of embodiments adopted to facilitate understanding of the present application and is not intended to limit it. Any person skilled in the art to which the present application pertains may make modifications and changes in the form and details of implementation without departing from the spirit and scope disclosed in the present application, but the scope of patent protection of the present application shall still be governed by the scope defined in the appended claims.
An embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the risk assessment method for a network security device.
A person of ordinary skill in the art will understand that all or some of the steps of the above method can be completed by a program instructing related hardware (for example, a processor), and that the program can be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc. Optionally, all or some of the steps of the above embodiments can also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the above embodiments can be implemented in the form of hardware, for example by an integrated circuit that performs its corresponding function, or in the form of a software function module, for example by a processor executing a program/instructions stored in a memory to perform its corresponding function. The present application is not limited to any particular combination of hardware and software. A person of ordinary skill in the art should understand that modifications or equivalent substitutions may be made to the technical solutions of the present application without departing from their spirit and scope, and all such modifications fall within the scope of the claims of the present application.
Industrial applicability
The technical solution above indicates the current security state of the device more intuitively, accurately and effectively.

Claims (10)

  1. A risk assessment method for a network security device, the method comprising:
    determining a predetermined risk pool, the risk pool including a plurality of risk items;
    extracting effective configuration information related to the risk items from a device to be evaluated, and obtaining risk items triggered by the device to be evaluated from a risk analysis result of the effective configuration information;
    analysing separately the risk items in the predetermined risk pool and the risk items triggered by the device to be evaluated, and applying a corresponding calculation method to obtain a security state value of the device to be evaluated.
  2. The method according to claim 1, further comprising, before determining the predetermined risk pool:
    collecting risk libraries by configuration type in advance, the configuration types including a baseline library and/or an access control list (ACL) library.
  3. The method according to claim 2, wherein analysing the risk items in the predetermined risk pool comprises:
    counting the total number of risk items in the predetermined risk pool;
    obtaining the risk value of each risk item in the predetermined risk pool using the Common Vulnerability Scoring System (CVSS) 3.0 scoring method;
    determining whether an association relationship exists between any two risk items in the predetermined risk pool: if triggering a first risk item necessarily triggers a second risk item, and triggering the second risk item does not trigger the first risk item, then an association exists between the first risk item and the second risk item.
  4. The method according to claim 3, wherein analysing the risk items triggered by the device to be evaluated comprises:
    if the predetermined risk pool includes an access control list (ACL) library, analysing one or more of: the number of times each risk item triggered by the device to be evaluated was triggered, the risk value of each risk item, and the association relationships between risk items.
  5. The method according to claim 3, wherein analysing the risk items triggered by the device to be evaluated comprises:
    if the predetermined risk pool includes a baseline library, analysing the risk value of each risk item triggered by the device to be evaluated.
  6. A risk assessment apparatus for a network security device, the apparatus comprising a determination module, an extraction module and an evaluation module;
    the determination module being configured to determine a predetermined risk pool, the risk pool including configuration information for a plurality of risk items, the configuration information including an identification code and description content for each risk item;
    the extraction module being configured to extract effective configuration information related to the risk items from a device to be evaluated, and to obtain risk items triggered by the device to be evaluated from a risk analysis result of the effective configuration information;
    the evaluation module being configured to analyse separately the risk items in the predetermined risk pool and the risk items triggered by the device to be evaluated, and to apply a corresponding calculation method to obtain a security state value of the device to be evaluated.
  7. The apparatus according to claim 6, further comprising a pre-processing module;
    the pre-processing module being configured to collect risk libraries by configuration type in advance, before the predetermined risk pool is determined, the configuration types including a baseline library and/or an access control list (ACL) library.
  8. The apparatus according to claim 7, wherein the evaluation module analyses the risk items in the predetermined risk pool by:
    counting the total number of risk items in the predetermined risk pool;
    obtaining the risk value of each risk item in the predetermined risk pool using the Common Vulnerability Scoring System (CVSS) 3.0 scoring method;
    determining whether an association relationship exists between any two risk items in the predetermined risk pool: if triggering a first risk item necessarily triggers a second risk item, and triggering the second risk item does not trigger the first risk item, then an association exists between the first risk item and the second risk item.
  9. The apparatus according to claim 8, wherein the evaluation module analyses the risk items triggered by the device to be evaluated by:
    if the predetermined risk pool includes an access control list (ACL) library, analysing one or more of: the number of times each risk item triggered by the device to be evaluated was triggered, the risk value of each risk item, and the association relationships between risk items.
  10. The apparatus according to claim 8, wherein the evaluation module analyses the risk items triggered by the device to be evaluated by:
    if the predetermined risk pool includes a baseline library, analysing the risk value of each risk item triggered by the device to be evaluated.
PCT/CN2017/073933 2016-03-08 2017-02-17 Risk assessment method and apparatus for network security device WO2017152742A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610130297.2 2016-03-08
CN201610130297.2A CN107172004A (en) 2016-03-08 2016-03-08 The methods of risk assessment and device of a kind of Network Security Device

Publications (1)

Publication Number Publication Date
WO2017152742A1 true WO2017152742A1 (en) 2017-09-14

Family

ID=59788976

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/073933 WO2017152742A1 (en) 2016-03-08 2017-02-17 Risk assessment method and apparatus for network security device

Country Status (2)

Country Link
CN (1) CN107172004A (en)
WO (1) WO2017152742A1 (en)

Also Published As

Publication number Publication date
CN107172004A (en) 2017-09-15


Legal Events

Date Code Title Description
NENP Non-entry into the national phase; Ref country code: DE
121 Ep: the epo has been informed by wipo that ep was designated in this application; Ref document number: 17762428; Country of ref document: EP; Kind code of ref document: A1
122 Ep: pct application non-entry in european phase; Ref document number: 17762428; Country of ref document: EP; Kind code of ref document: A1