CN105704119A - Method and device for determining network security posture distribution - Google Patents

Publication number
CN105704119A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201511032688.2A
Other languages
Chinese (zh)
Other versions
CN105704119B (en
Inventor
李瀛
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Application filed by NSFOCUS Information Technology Co Ltd, Beijing NSFocus Information Security Technology Co Ltd filed Critical NSFOCUS Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Abstract

An embodiment of the invention discloses a method and device for determining network security posture. According to the method, a first object to be assessed and a second object to be assessed are determined from M objects of network security data, and according to network security posture of the first object to be assessed for the ith attribute of the first object to be assessed and a mapping relation between the second object to be assessed and the first object to be assessed, network security posture of the second object to be assessed for the ith attribute is determined. By determining the mapping relation between the first object to be assessed and the second object to be assessed, the second object to be assessed is associated with the ith attribute, thereby determining the network security posture of the second object to be assessed for the ith attribute. The method provided by the embodiment of the invention supports research on and exploration of network security posture, and can generate more network security posture, thereby realizing expansion of completeness of network security posture.

Description

Method and device for determining network security posture distribution
Technical field
The present invention relates to the technical field of computer network security, and in particular to a method and device for determining network security posture distribution.
Background
As information networks grow in scale, the number of devices in the network increases sharply, and so do the security events and attacks from outside and inside that threaten network information security. With the powerful computing capacity of cloud computing and the emergence of massive security data, security vendors have generally introduced security posture awareness as a preventive measure, letting users see their overall security picture clearly, grasp their security posture in real time, and make rational decisions. Because decisions rest on information and data, the key to gaining a decision advantage is gaining an advantage in information and data.
For data definition and management, the prior art generally uses a requirement-collection approach: which data, or which combination of data, constitutes a posture is defined manually. For example, the distribution of security level over regions is a commonly supported security posture, as are the distribution of asset count over risk level, the distribution of risk value over assets and its time trend, and so on. These security postures are built on the massive security data collected by security products, and their source is customer requirements or engineer experience. The prior art therefore organizes data by traditional manual requirement analysis; however, this manual method often leaves the analysis of security posture incomplete, with omissions.
In summary, a method for determining network security posture is urgently needed that makes the mining of security postures more complete and avoids the omissions of the manual requirement analysis method described above.
Summary of the invention
Embodiments of the present invention provide a method and device for determining network security posture, in order to make the mining of security postures more complete and avoid the omissions of the manual requirement analysis method described above.
A method for determining network security posture provided by an embodiment of the present invention includes:
Obtaining network security data, the network security data including M objects;
Determining a first object to be assessed and a second object to be assessed from the M objects;
Determining, according to at least the first object to be assessed and the second object to be assessed, the mapping relation between the first object to be assessed and the second object to be assessed;
Determining, according to the network security posture of the first object to be assessed for the i-th attribute of the first object to be assessed and the mapping relation between the second object to be assessed and the first object to be assessed, the network security posture of the second object to be assessed for the i-th attribute, where i is a positive integer.
Preferably, determining the network security posture of the second object to be assessed for the i-th attribute, according to the network security posture of the first object to be assessed for the i-th attribute of the first object to be assessed and the mapping relation between the second object to be assessed and the first object to be assessed, includes:
Determining the network security posture of the second object to be assessed for the i-th attribute of the first object to be assessed by the following model:
$$\delta = F(U)$$
$$p \in p^{MAP}_{\beta\_key_i}(\alpha) = \bigcup_{n=1}^{N_i} q^{MAP}_{\beta\_value_n}(\alpha)$$
where δ is the network security posture of the second object to be assessed for the i-th attribute of the first object to be assessed; F is the preset network security posture function; β is the first object to be assessed; α is the second object to be assessed; MAP is the mapping relation between α and β; $\beta\_key_i$ is the i-th attribute; $\beta\_value_n$ is the n-th attribute value of the i-th attribute of β; U is the universal set of the distribution sets of the second object to be assessed; p is the distribution set of the second object to be assessed for one attribute of the first object to be assessed; q is the distribution set of the second object to be assessed for one attribute value of one attribute of the first object to be assessed.
Preferably, determining the network security posture of the second object to be assessed for the i-th attribute further includes:
Determining, according to the network security posture of the second object to be assessed for the i-th attribute, the network security posture distribution of the second object to be assessed for the i-th attribute;
The network security posture distribution of the second object to be assessed for the i-th attribute is determined by the following model:
$$D_\delta = F\left(P^{MAP}_{\beta\_key_i}(\alpha)\right) = \bigcup_{n=1}^{N_i} F\left(q^{MAP}_{\beta\_value_n}(\alpha)\right)$$
where $D_\delta$ is the network security posture distribution of the second object to be assessed for the i-th attribute.
Preferably, the method further includes:
Determining, according to the network security posture distribution of the second object to be assessed for the i-th attribute, the distribution trend of the second object to be assessed for the i-th attribute;
The distribution trend of the second object to be assessed for the i-th attribute is determined by the following model:
$$E_\delta = S_{D_\delta}(t)$$
where $E_\delta$ is the distribution trend of the second object to be assessed for the i-th attribute, S is a time-variation function, and t is time.
Preferably, after obtaining the network security data, the method further includes:
Dividing the M objects into two or more object sets according to a preset rule;
Determining, according to at least the first object to be assessed and the second object to be assessed, the mapping relation between the first object to be assessed and the second object to be assessed then includes:
Determining the first object set, in which the first object to be assessed is located, and the second object set, in which the second object to be assessed is located;
Determining the mapping relation between the first object to be assessed and the second object to be assessed according to the first object to be assessed, the second object to be assessed, and the network security data corresponding to the first object set and the second object set.
Preferably, determining the mapping relation between the first object to be assessed and the second object to be assessed according to the first object to be assessed, the second object to be assessed, and the network security data corresponding to the first object set and the second object set includes:
Determining the mapping relation between the first object to be assessed and the second object to be assessed by the following formula:
$$MAP = \bigcup_{i=1}^{N} map^{\gamma_i}_{val}$$
where MAP is the mapping relation between the second object to be assessed and the first object to be assessed;
$\gamma_1 = \alpha$, $\gamma_N = \beta$, is the correspondence between the object $\gamma_i$ and the attribute values of the object $\gamma_i$; N is obtained from the first object to be assessed, the second object to be assessed, and the network security data corresponding to the first object set and the second object set.
An embodiment of the present invention provides a device for determining network security posture. The device includes:
An acquisition module, configured to obtain network security data, the network security data including M objects;
A processing module, configured to determine a first object to be assessed and a second object to be assessed from the M objects, and to determine, according to at least the first object to be assessed and the second object to be assessed, the mapping relation between the first object to be assessed and the second object to be assessed;
A determining module, configured to determine, according to the network security posture of the first object to be assessed for the i-th attribute of the first object to be assessed and the mapping relation between the second object to be assessed and the first object to be assessed, the network security posture of the second object to be assessed for the i-th attribute, where i is a positive integer.
Preferably, the determining module is specifically configured to:
Determine the network security posture of the second object to be assessed for the i-th attribute of the first object to be assessed by the following model:
$$\delta = F(U)$$
$$p \in p^{MAP}_{\beta\_key_i}(\alpha) = \bigcup_{n=1}^{N_i} q^{MAP}_{\beta\_value_n}(\alpha)$$
where δ is the network security posture of the second object to be assessed for the i-th attribute of the first object to be assessed; F is the preset network security posture function; β is the first object to be assessed; α is the second object to be assessed; MAP is the mapping relation between α and β; $\beta\_key_i$ is the i-th attribute; $\beta\_value_n$ is the n-th attribute value of the i-th attribute of β; U is the universal set of the distribution sets of the second object to be assessed; p is the distribution set of the second object to be assessed for one attribute of the first object to be assessed; q is the distribution set of the second object to be assessed for one attribute value of one attribute of the first object to be assessed.
Preferably, the determining module is further configured to:
Determine, according to the network security posture of the second object to be assessed for the i-th attribute, the network security posture distribution of the second object to be assessed for the i-th attribute;
Determine the network security posture distribution of the second object to be assessed for the i-th attribute by the following model:
$$D_\delta = F\left(P^{MAP}_{\beta\_key_i}(\alpha)\right) = \bigcup_{n=1}^{N_i} F\left(q^{MAP}_{\beta\_value_n}(\alpha)\right)$$
where $D_\delta$ is the network security posture distribution of the second object to be assessed for the i-th attribute.
Preferably, the determining module is further configured to:
Determine, according to the network security posture distribution of the second object to be assessed for the i-th attribute, the distribution trend of the second object to be assessed for the i-th attribute;
Determine the distribution trend of the second object to be assessed for the i-th attribute by the following model:
$$E_\delta = S_{D_\delta}(t)$$
where $E_\delta$ is the distribution trend of the second object to be assessed for the i-th attribute, S is a time-variation function, and t is time.
Preferably, the acquisition module is further configured to:
Divide the M objects into two or more object sets according to a preset rule;
Determine the first object set, in which the first object to be assessed is located, and the second object set, in which the second object to be assessed is located;
Determine the mapping relation between the first object to be assessed and the second object to be assessed according to the first object to be assessed, the second object to be assessed, and the network security data corresponding to the first object set and the second object set.
Preferably, the processing module is further configured to:
Determine the mapping relation between the first object to be assessed and the second object to be assessed by the following formula:
$$MAP = \bigcup_{i=1}^{N} map^{\gamma_i}_{val}$$
where MAP is the mapping relation between the second object to be assessed and the first object to be assessed;
$\gamma_1 = \alpha$, $\gamma_N = \beta$, is the correspondence between the object $\gamma_i$ and the attribute values of the object $\gamma_i$; N is obtained from the first object to be assessed, the second object to be assessed, and the network security data corresponding to the first object set and the second object set.
In the embodiments of the present invention, network security data is obtained, and a first object to be assessed and a second object to be assessed are determined from the M objects of the network security data. The mapping relation between the first object to be assessed and the second object to be assessed is determined according to at least these two objects, and the network security posture of the second object to be assessed for the i-th attribute is determined according to the network security posture of the first object to be assessed for the i-th attribute of the first object to be assessed and the mapping relation between the second object to be assessed and the first object to be assessed, where i is a positive integer. The first and second objects to be assessed are determined first; determining the mapping relation between them then associates the second object to be assessed with the i-th attribute, which yields the network security posture of the second object to be assessed for the i-th attribute. The method supports research into and mining of network security postures and can generate more network security postures, so that, by defining network security postures in software, the completeness of network security postures is extended.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present invention more clearly, the drawings used in describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of a method for determining network security posture provided by an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a device for determining network security posture provided by an embodiment of the present invention.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a schematic flow chart of a method for determining network security posture provided by an embodiment of the present invention. As shown in Fig. 1, the method includes:
Step 101: obtain network security data, the network security data including M objects;
Step 102: determine a first object to be assessed and a second object to be assessed from the M objects;
Step 103: determine, according to at least the first object to be assessed and the second object to be assessed, the mapping relation between the first object to be assessed and the second object to be assessed;
Step 104: determine, according to the network security posture of the first object to be assessed for the i-th attribute of the first object to be assessed and the mapping relation between the second object to be assessed and the first object to be assessed, the network security posture of the second object to be assessed for the i-th attribute, where i is a positive integer.
In the embodiments of the present invention, the first and second objects to be assessed are determined first; determining the mapping relation between them then associates the second object to be assessed with the i-th attribute, which yields the network security posture of the second object to be assessed for the i-th attribute. The method supports research into and mining of network security postures and can generate more network security postures, so that, by defining network security postures in software, the completeness of network security postures is extended.
For network security data, a file can be regarded as a set of many homogeneous information items, so the embodiments of the present invention consider only the content of a single information item, from which the data model that defines network security posture is derived.
The network security data in the embodiments of the present invention includes M objects; specifically, one piece of network security data can be defined as an object that changes over time. The object and the concepts related to it are introduced below.
Object: a logical entity representing an abstract thing. It consists of the object name, the classification categories related to the thing, and the set of actual value lists corresponding to each category. Object attribute (KEY): a classification category related to the thing; an object contains a set of KEYs. Attribute value (VALUE): a concrete value of a category (attribute); one KEY of an object corresponds to a set of VALUEs. Note that a VALUE can itself be another object. Object instance: a logical entity representing one concrete thing of the corresponding object; in an instance, the object attributes and their attribute values are fixed, and the instance is a subset of the object's parameters. Key attribute (Distinguished-Key, abbreviated D-Key below): one or more attributes that can uniquely identify an object instance; they can be chosen from the object's existing KEY set.
In step 101, after the network security data is obtained, the embodiment may divide the M objects into two or more object sets according to a preset rule. For example, according to data source, network security data can be divided into a security raw data set, an asset data set and a vulnerability data set.
Table 1 shows example partial content of the security raw data set of a WSM product (website risk monitoring).
Table 1: security raw data example
where the D-Key may be chosen as $Key_1 \cup Key_2$.
Further, an object in the security raw data set is denoted $R_t$, where t denotes a point in time. By the definition of an object:
$$R_t = \bigcup_{i=1}^{I} \bigcup_{j=1}^{J_i} val_j^{Key_i}$$
where $R_t$ has I attributes (Key), and the i-th attribute has a set of $J_i$ attribute values. If $Key_1$ is defined as the object name, $J_1$ is 1, then is the name of this object.
Table 2 shows example partial content of a customer's asset data set.
Table 2: asset data example
where the D-Key may be chosen as $Key_1 \cup Key_3$.
Further, an object in the asset data set is denoted $C_t$, where t denotes a point in time. By the definition of an object:
$$C_t = \bigcup_{m=1}^{M} \bigcup_{n=1}^{N_m} val_n^{Key_m}$$
where $C_t$ has M attributes (Key), and the m-th attribute has a set of $N_m$ attribute values.
Table 3 shows example partial content of the vulnerability data set.
Table 3: vulnerability data example
Key number | Key name | Value description
1 | Vulnerability ID | Specific vulnerability number
2 | Vulnerability classification | WASC1.0/OWASP-2010/OWASP-2013, etc.
3 | Threat type | Web vulnerability / trojan implantation / tampering / sensitive words, etc.
4 | Risk score | 1~10
5 | Custom attribute | Other attributes
where the D-Key may be chosen as $Key_1 \cup Key_2$.
Further, an object in the vulnerability data set is denoted $V_t$, where t denotes a point in time. By the definition of an object:
$$V_t = \bigcup_{h=1}^{H} \bigcup_{g=1}^{G_h} val_g^{Key_h}$$
where $V_t$ has H attributes (Key), and the h-th attribute has a set of $G_h$ attribute values.
In step 102, the first object to be assessed and the second object to be assessed can be determined according to the actual situation. The value range of both is $\{R_t, C_t, V_t\}$.
In step 103, based on the first and second objects to be assessed determined in step 102, the first object set (containing the first object to be assessed) and the second object set (containing the second object to be assessed) are determined, and the mapping relation between the first object to be assessed and the second object to be assessed is determined according to the two objects and the network security data corresponding to the first and second object sets. Because the network security data is divided into two or more object sets, determining the mapping relation does not require traversing all network security data: only the network security data corresponding to the first and second object sets is used. This reduces the amount of data processed and improves the efficiency of determining the mapping relation.
In the embodiments of the present invention, the mapping relation is defined by the network security data and can span multiple objects. Specifically, the mapping relation between the first object to be assessed and the second object to be assessed can be determined by the following model:
$$MAP = \bigcup_{i=1}^{N} map^{\gamma_i}_{val}$$
where MAP is the mapping relation between the second object to be assessed and the first object to be assessed;
$\gamma_1 = \alpha$, $\gamma_N = \beta$, is the correspondence between the object $\gamma_i$ and the attribute values of the object $\gamma_i$; N is obtained from the first object to be assessed, the second object to be assessed, and the network security data corresponding to the first object set and the second object set.
N is the number of links in the object mapping chain; its value is obtained from the first object to be assessed, the second object to be assessed and the network security data. More intuitively: the network security objects (in big data) form a mesh-shaped path graph that contains paths from the first object to be assessed to the second object to be assessed; pick one of these paths, and the number of node objects on it is the value of N. Specifically, if the first object to be assessed is the same as the second object to be assessed, N is 1; if the first object to be assessed is an attribute value of the second object to be assessed, this is a one-level mapping and N is 2; if the first object to be assessed is an attribute-value object of an attribute-value object of the second object to be assessed, this is a two-level mapping and N is 3.
At step 104, can by determining the second object to be assessed network safety situation for the i-th attribute in the first object to be assessed with drag:
δ=F (U)
p ∈ p β _ key i M A P ( α ) = ∪ n = 1 N i q β _ value n M A P ( α )
Wherein, δ is the second object to be assessed network safety situation for the i-th attribute in the first object to be assessed;F is the network safety situation function set;β is the first object to be assessed;α is the second object to be assessed;β _ keyiIt it is the i-th attribute;MAP is the mapping relations between α, β;β _ valuenThe n-th property value for the i-th attribute in β;U is the set complete or collected works of described second object distribution to be assessed;P is the described second object to be assessed distributed collection for an attribute of described first object to be assessed;Q is the described second object to be assessed distributed collection for a property value of an attribute of described first object to be assessed, namely has the set of the second object to be assessed of a property value of an attribute of the first object to be assessed。
In the embodiment of the present invention, α, β ∈ { Rt,Ct,Vt,F is the filtration or feature extraction function that object set is relevant, relevant with concrete operations object, for instance realistic example sum, calculation risk value etc.。
Further, it is determined that after going out the second object to be assessed network safety situation for the i-th attribute in the first object to be assessed, can by determining that the second object to be assessed is distributed for the network safety situation of the i-th attribute with drag:
D δ = F ( P β _ key i M A P ( α ) ) = ∪ n = 1 N i F ( q β _ value n M A P ( α ) )
Wherein, DδFor described second object to be assessed, the network safety situation of described i-th attribute is distributed。
Such as: α, β are assets object Ct, β _ keyiFor the area attribute of assets, F is collection instance summation,Represent the amount of assets of specific region, DδIt is then that the amount of assets situation to region is distributed。
Further, above situation is distributed the change function of t in time and is distribution trend, is represented by:
E δ = S D δ ( t )
Wherein, EδFor the described second object to be assessed distribution trend for described i-th attribute, S is time change function, and t is the time。Namely specific D it is presented as in the t timeδSet。
Such as, DδFor amount of assets, the situation in region is distributed, EδIt is then the amount of assets distribution time trend to region。
By above-mentioned model introduction and conclusion it can be seen that Dδ=G (tuple), Eδ=S (t, tuple), wherein tuple={ α, β, β _ keyi, F, MAP}, i.e. network safety situation distribution DδAnd distribution trend EδBeing the function of above-mentioned 5 tuple tuple, G, S represent the functional relationship set。The embodiment of the present invention, by selecting and changing 5 tuple tuple variable { α, β, β _ keyi, F, the content of MAP}, can one network safety situation distribution of unique definition and corresponding distribution trend。
Through formal abstraction, this embodiment extracts the 5-tuple variables $\{\alpha, \beta, \beta\_key_i, F, MAP\}$. Defining these tuple variables allows situations and trends to be defined flexibly, supports dynamic mining and analysis of the situation model, and lets users define their own security situations and trends. In addition, the network security data $R_t, C_t, V_t$ support an extension mechanism for user-defined attributes and customised attribute values, so that, with the situation data model unchanged, complex situation models can be defined by expanding the value range of the tuple variables.
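The 5-tuple model above, as an added Python example that is not part of the patent text: it computes the distribution D_δ and the trend E_δ for different choices of α, F, β_key and MAP, including the page's own case (assets counted per region). The sample records, all field names (`region`, `owner`, `asset_id`, `risk`, `seen`) and all function names are constructed assumptions; MAP is modelled as a chain of lookups and S as grouping by a time field.

```python
from collections import defaultdict

# Constructed sample data (not from the patent); every field name is an assumption.
ASSETS = {  # beta: asset objects keyed by id
    "a1": {"region": "east", "owner": "ops"},
    "a2": {"region": "east", "owner": "dev"},
    "a3": {"region": "west", "owner": "ops"},
}
VULNS = [  # alpha: vulnerability records, each referencing an asset
    {"id": "v1", "asset_id": "a1", "risk": 7.5, "seen": "2015-11"},
    {"id": "v2", "asset_id": "a2", "risk": 4.0, "seen": "2015-11"},
    {"id": "v3", "asset_id": "a3", "risk": 9.8, "seen": "2015-12"},
    {"id": "v4", "asset_id": "a1", "risk": 5.0, "seen": "2015-12"},
    {"id": "v5", "asset_id": "a9", "risk": 6.1, "seen": "2015-12"},  # unknown asset
]


def chain(*hops):
    """Model MAP as a chain of lookups gamma_1 -> ... -> gamma_N.

    With no hops it is the identity, which covers the case alpha == beta.
    """
    def mapping(obj):
        for hop in hops:
            if obj is None:
                return None
            obj = hop(obj)
        return obj
    return mapping


def vuln_to_asset(vuln):
    """One hop: resolve a vulnerability record to its asset, or None."""
    return ASSETS.get(vuln["asset_id"])


def partition(alpha, beta_key, mapping):
    """Split alpha into the sets q, one per value of beta_key (p is their union).

    Returns (groups, unmapped); unmapped holds alpha objects MAP cannot resolve,
    which would otherwise silently vanish from the situation picture.
    """
    groups, unmapped = defaultdict(list), []
    for obj in alpha:
        target = mapping(obj)
        if target is None or beta_key not in target:
            unmapped.append(obj)
        else:
            groups[target[beta_key]].append(obj)
    return dict(groups), unmapped


def distribution(alpha, beta_key, F, mapping):
    """D_delta: apply F to each q, giving one situation value per attribute value."""
    groups, _ = partition(alpha, beta_key, mapping)
    return {value: F(q) for value, q in groups.items()}


def trend(alpha, beta_key, F, mapping, time_key):
    """E_delta: the distribution D_delta evaluated separately for each time t."""
    by_time = defaultdict(list)
    for obj in alpha:
        by_time[obj[time_key]].append(obj)
    return {t: distribution(objs, beta_key, F, mapping)
            for t, objs in sorted(by_time.items())}


def count(q):
    """F as instance count."""
    return len(q)


def max_risk(q):
    """F as the highest risk value in the set."""
    return max(o["risk"] for o in q)


if __name__ == "__main__":
    assets = list(ASSETS.values())
    # The page's example: alpha = beta = assets, beta_key = region, F = count.
    print(distribution(assets, "region", count, chain()))
    # Changing the tuple changes the situation without changing the model.
    print(distribution(VULNS, "region", count, chain(vuln_to_asset)))
    print(distribution(VULNS, "owner", max_risk, chain(vuln_to_asset)))
    print(trend(VULNS, "region", count, chain(vuln_to_asset), "seen"))
    print([v["id"] for v in partition(VULNS, "region", chain(vuln_to_asset))[1]])
```

Records that MAP cannot resolve are returned separately by `partition`, since an unmapped vulnerability is itself a data-quality signal worth reporting.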
Table 4 shows a data example of network security situations determined by the five-tuple in this embodiment of the present invention.
Table 4: Data example of network security situations
As described above, this embodiment starts from a general security data format, abstracts out the dependent variables of the network security situation model, and freely defines security situations according to the values of the provided dependent variables; it thus supports software-defined situations, which is conceptually similar to software-defined networking. Existing security situation awareness products and platforms, by contrast, need to parse the format of the collected raw data and extract information from it in order to generate security situation data. That information extraction follows predefined, fixed situation requirements: the prior art does not extract the independent variables of the situation model, so trend research and data mining are carried out under a fixed situation model, similar to configuring fixed routes in a network. Therefore, compared with the prior art, this embodiment can support user-defined security situations and thereby better meet user needs.
In this embodiment of the present invention, network security data is obtained, and a first object to be assessed and a second object to be assessed are determined from the M objects of the network security data; the mapping relationship between the first object to be assessed and the second object to be assessed is determined at least according to the first object to be assessed and the second object to be assessed; and the network security situation of the second object to be assessed for the i-th attribute is determined according to the network security situation of the first object to be assessed for the i-th attribute of the first object to be assessed and the mapping relationship between the second object to be assessed and the first object to be assessed, where i is a positive integer. In this embodiment, the first and second objects to be assessed are determined first; then, by determining the mapping relationship between them, the second object to be assessed is associated with the i-th attribute, so that the network security situation of the second object to be assessed for the i-th attribute is determined. The method for determining a network security situation provided by this embodiment supports research into and mining of network security situations and can generate more network security situations, so that, through software-defined network security situations, the completeness of network security situations is extended.
Corresponding to the above method flow, an embodiment of the present invention also provides a device for determining a network security situation; for the specific content of the device, refer to the implementation of the above method.
Fig. 2 is a schematic structural diagram of a device for determining a network security situation provided by an embodiment of the present invention. The device includes:
an acquisition module 201, configured to obtain network security data, the network security data including M objects;
a processing module 202, configured to determine a first object to be assessed and a second object to be assessed from the M objects, and to determine, at least according to the first object to be assessed and the second object to be assessed, the mapping relationship between the first object to be assessed and the second object to be assessed;
a determining module 203, configured to determine the network security situation of the second object to be assessed for the i-th attribute according to the network security situation of the first object to be assessed for the i-th attribute of the first object to be assessed and the mapping relationship between the second object to be assessed and the first object to be assessed, where i is a positive integer.
Preferably, the determining module 203 is specifically configured to:
determine the network security situation of the second object to be assessed for the i-th attribute of the first object to be assessed by the following model:
$$\delta = F(U)$$
$$p \in p_{\beta\_key_i}^{MAP}(\alpha) = \bigcup_{n=1}^{N_i} q_{\beta\_value_n}^{MAP}(\alpha)$$
where δ is the network security situation of the second object to be assessed for the i-th attribute of the first object to be assessed; F is the configured network security situation function; β is the first object to be assessed; α is the second object to be assessed; MAP is the mapping relationship between α and β; $\beta\_key_i$ is the i-th attribute; $\beta\_value_n$ is the n-th attribute value of the i-th attribute in β; U is the universal set of the distribution sets of the second object to be assessed; p is the distribution set of the second object to be assessed for one attribute of the first object to be assessed; q is the distribution set of the second object to be assessed for one attribute value of one attribute of the first object to be assessed.
Preferably, the determining module 203 is further configured to:
determine, according to the network security situation of the second object to be assessed for the i-th attribute, the network security situation distribution of the second object to be assessed for the i-th attribute;
the network security situation distribution of the second object to be assessed for the i-th attribute being determined by the following model:
$$D_\delta = F\left(p_{\beta\_key_i}^{MAP}(\alpha)\right) = \bigcup_{n=1}^{N_i} F\left(q_{\beta\_value_n}^{MAP}(\alpha)\right)$$
where $D_\delta$ is the network security situation distribution of the second object to be assessed for the i-th attribute.
Preferably, the determining module is further configured to:
determine, according to the network security situation distribution of the second object to be assessed for the i-th attribute, the distribution trend of the second object to be assessed for the i-th attribute;
the distribution trend of the second object to be assessed for the i-th attribute being determined by the following model:
$$E_\delta = S_{D_\delta}(t)$$
where $E_\delta$ is the distribution trend of the second object to be assessed for the i-th attribute, S is the time-variation function, and t is time.
Preferably, the acquisition module 201 is further configured to:
divide the M objects into two or more object sets according to a preset rule;
determine the first object set in which the first object to be assessed is located and the second object set in which the second object to be assessed is located;
determine the mapping relationship between the first object to be assessed and the second object to be assessed according to the first object to be assessed, the second object to be assessed, and the network security data corresponding to the first object set and the second object set.
Preferably, the processing module 202 is further configured to:
determine the mapping relationship between the first object to be assessed and the second object to be assessed by the following formula:
$$MAP = \bigcup_{i=1}^{N} map_{val}^{\gamma_i}$$
where MAP is the mapping relationship between the second object to be assessed and the first object to be assessed;
$\gamma_1 = \alpha$, $\gamma_N = \beta$, and $map_{val}^{\gamma_i}$ is the correspondence between object $\gamma_i$ and the attribute values of object $\gamma_i$; N is obtained according to the first object to be assessed, the second object to be assessed, and the network security data corresponding to the first object set and the second object set.
It can be seen from the above that, in this embodiment of the present invention, network security data is obtained, and a first object to be assessed and a second object to be assessed are determined from the M objects of the network security data; the mapping relationship between the first object to be assessed and the second object to be assessed is determined at least according to the first object to be assessed and the second object to be assessed; and the network security situation of the second object to be assessed for the i-th attribute is determined according to the network security situation of the first object to be assessed for the i-th attribute of the first object to be assessed and the mapping relationship between the second object to be assessed and the first object to be assessed, where i is a positive integer. In this embodiment, the first and second objects to be assessed are determined first; then, by determining the mapping relationship between them, the second object to be assessed is associated with the i-th attribute, so that the network security situation of the second object to be assessed for the i-th attribute is determined. The method for determining a network security situation provided by this embodiment supports research into and mining of network security situations and can generate more network security situations, thereby extending the completeness of network security situations.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk memory, CD-ROM, optical memory, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific way, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they know the basic inventive concept. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (12)

1. A method for determining a network security situation, characterized in that the method comprises:
obtaining network security data, the network security data including M objects;
determining a first object to be assessed and a second object to be assessed from the M objects;
determining, at least according to the first object to be assessed and the second object to be assessed, the mapping relationship between the first object to be assessed and the second object to be assessed;
determining the network security situation of the second object to be assessed for the i-th attribute according to the network security situation of the first object to be assessed for the i-th attribute of the first object to be assessed and the mapping relationship between the second object to be assessed and the first object to be assessed, where i is a positive integer.
2. The method according to claim 1, characterized in that determining the network security situation of the second object to be assessed for the i-th attribute, according to the network security situation of the first object to be assessed for the i-th attribute of the first object to be assessed and the mapping relationship between the second object to be assessed and the first object to be assessed, comprises:
determining the network security situation of the second object to be assessed for the i-th attribute of the first object to be assessed by the following model:
$$\delta = F(U)$$
$$p \in p_{\beta\_key_i}^{MAP}(\alpha) = \bigcup_{n=1}^{N_i} q_{\beta\_value_n}^{MAP}(\alpha)$$
where δ is the network security situation of the second object to be assessed for the i-th attribute of the first object to be assessed; F is the configured network security situation function; β is the first object to be assessed; α is the second object to be assessed; MAP is the mapping relationship between α and β; $\beta\_key_i$ is the i-th attribute; $\beta\_value_n$ is the n-th attribute value of the i-th attribute in β; U is the universal set of the distribution sets of the second object to be assessed; p is the distribution set of the second object to be assessed for one attribute of the first object to be assessed; q is the distribution set of the second object to be assessed for one attribute value of one attribute of the first object to be assessed.
3. The method according to claim 2, characterized in that determining the network security situation of the second object to be assessed for the i-th attribute further comprises:
determining, according to the network security situation of the second object to be assessed for the i-th attribute, the network security situation distribution of the second object to be assessed for the i-th attribute;
the network security situation distribution of the second object to be assessed for the i-th attribute being determined by the following model:
$$D_\delta = F\left(p_{\beta\_key_i}^{MAP}(\alpha)\right) = \bigcup_{n=1}^{N_i} F\left(q_{\beta\_value_n}^{MAP}(\alpha)\right)$$
where $D_\delta$ is the network security situation distribution of the second object to be assessed for the i-th attribute.
4. The method according to claim 3, characterized in that it further comprises:
determining, according to the network security situation distribution of the second object to be assessed for the i-th attribute, the distribution trend of the second object to be assessed for the i-th attribute;
the distribution trend of the second object to be assessed for the i-th attribute being determined by the following model:
$$E_\delta = S_{D_\delta}(t)$$
where $E_\delta$ is the distribution trend of the second object to be assessed for the i-th attribute, S is the time-variation function, and t is time.
5. The method according to claim 1, characterized in that, after obtaining the network security data, the method further comprises:
dividing the M objects into two or more object sets according to a preset rule;
and in that determining, at least according to the first object to be assessed and the second object to be assessed, the mapping relationship between the first object to be assessed and the second object to be assessed comprises:
determining the first object set in which the first object to be assessed is located and the second object set in which the second object to be assessed is located;
determining the mapping relationship between the first object to be assessed and the second object to be assessed according to the first object to be assessed, the second object to be assessed, and the network security data corresponding to the first object set and the second object set.
6. The method according to claim 5, characterized in that determining the mapping relationship between the first object to be assessed and the second object to be assessed, according to the first object to be assessed, the second object to be assessed, and the network security data corresponding to the first object set and the second object set, comprises:
determining the mapping relationship between the first object to be assessed and the second object to be assessed by the following formula:
$$MAP = \bigcup_{i=1}^{N} map_{val}^{\gamma_i}$$
where MAP is the mapping relationship between the second object to be assessed and the first object to be assessed;
$\gamma_1 = \alpha$, $\gamma_N = \beta$, and $map_{val}^{\gamma_i}$ is the correspondence between object $\gamma_i$ and the attribute values of object $\gamma_i$; N is obtained according to the first object to be assessed, the second object to be assessed, and the network security data corresponding to the first object set and the second object set.
7. A device for determining a network security situation, characterized in that the device comprises:
an acquisition module, configured to obtain network security data, the network security data including M objects;
a processing module, configured to determine a first object to be assessed and a second object to be assessed from the M objects, and to determine, at least according to the first object to be assessed and the second object to be assessed, the mapping relationship between the first object to be assessed and the second object to be assessed;
a determining module, configured to determine the network security situation of the second object to be assessed for the i-th attribute according to the network security situation of the first object to be assessed for the i-th attribute of the first object to be assessed and the mapping relationship between the second object to be assessed and the first object to be assessed, where i is a positive integer.
8. The device according to claim 7, characterized in that the determining module is specifically configured to:
determine the network security situation of the second object to be assessed for the i-th attribute of the first object to be assessed by the following model:
$$\delta = F(U)$$
$$p \in p_{\beta\_key_i}^{MAP}(\alpha) = \bigcup_{n=1}^{N_i} q_{\beta\_value_n}^{MAP}(\alpha)$$
where δ is the network security situation of the second object to be assessed for the i-th attribute of the first object to be assessed; F is the configured network security situation function; β is the first object to be assessed; α is the second object to be assessed; MAP is the mapping relationship between α and β; $\beta\_key_i$ is the i-th attribute; $\beta\_value_n$ is the n-th attribute value of the i-th attribute in β; U is the universal set of the distribution sets of the second object to be assessed; p is the distribution set of the second object to be assessed for one attribute of the first object to be assessed; q is the distribution set of the second object to be assessed for one attribute value of one attribute of the first object to be assessed.
9. The device according to claim 8, characterized in that the determining module is further configured to:
determine, according to the network security situation of the second object to be assessed for the i-th attribute, the network security situation distribution of the second object to be assessed for the i-th attribute;
the network security situation distribution of the second object to be assessed for the i-th attribute being determined by the following model:
$$D_\delta = F\left(p_{\beta\_key_i}^{MAP}(\alpha)\right) = \bigcup_{n=1}^{N_i} F\left(q_{\beta\_value_n}^{MAP}(\alpha)\right)$$
where $D_\delta$ is the network security situation distribution of the second object to be assessed for the i-th attribute.
10. The device according to claim 9, characterized in that the determining module is further configured to:
determine, according to the network security situation distribution of the second object to be assessed for the i-th attribute, the distribution trend of the second object to be assessed for the i-th attribute;
the distribution trend of the second object to be assessed for the i-th attribute being determined by the following model:
$$E_\delta = S_{D_\delta}(t)$$
where $E_\delta$ is the distribution trend of the second object to be assessed for the i-th attribute, S is the time-variation function, and t is time.
11. The device according to claim 7, characterized in that the acquisition module is further configured to:
divide the M objects into two or more object sets according to a preset rule;
determine the first object set in which the first object to be assessed is located and the second object set in which the second object to be assessed is located;
determine the mapping relationship between the first object to be assessed and the second object to be assessed according to the first object to be assessed, the second object to be assessed, and the network security data corresponding to the first object set and the second object set.
12. The device according to claim 11, characterized in that the processing module is further configured to:
determine the mapping relationship between the first object to be assessed and the second object to be assessed by the following formula:
$$MAP = \bigcup_{i=1}^{N} map_{val}^{\gamma_i}$$
where MAP is the mapping relationship between the second object to be assessed and the first object to be assessed;
$\gamma_1 = \alpha$, $\gamma_N = \beta$, and $map_{val}^{\gamma_i}$ is the correspondence between object $\gamma_i$ and the attribute values of object $\gamma_i$; N is obtained according to the first object to be assessed, the second object to be assessed, and the network security data corresponding to the first object set and the second object set.
CN201511032688.2A 2015-12-31 2015-12-31 A kind of method and device of determining network safety situation distribution Active CN105704119B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201511032688.2A CN105704119B (en) 2015-12-31 2015-12-31 A kind of method and device of determining network safety situation distribution


Publications (2)

Publication Number Publication Date
CN105704119A true CN105704119A (en) 2016-06-22
CN105704119B CN105704119B (en) 2018-10-09


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790198A (en) * 2016-12-30 2017-05-31 北京神州绿盟信息安全科技股份有限公司 A kind of method for evaluating information system risk and system
CN106778253A (en) * 2016-11-24 2017-05-31 国家电网公司 Threat context aware information security Initiative Defense model based on big data

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.