CN106487810A - A kind of cloud platform security postures cognitive method - Google Patents
- Publication number: CN106487810A (application CN201611051883.4A)
- Authority: CN (China)
- Prior art keywords: cloud platform, evaluation point, floating, safe, cycle
- Legal status: Granted (the legal status shown is an assumption, not a legal conclusion; Google has not performed a legal analysis)
Classifications
(all under H—Electricity; H04—Electric communication technique; H04L—Transmission of digital information, e.g. telegraphic communication; the H04L63 codes under H04L63/00 network security, H04L63/14 and H04L63/1408 detecting or protecting against malicious traffic by monitoring network traffic; the H04L67 codes under H04L67/00 network services, H04L67/01 protocols and H04L67/02 web-based protocols)
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1433—Vulnerability analysis
- H04L67/025—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP], for remote control or remote monitoring of applications
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a cloud platform security posture awareness method. The method is: 1) select a number of base evaluation points and determine the quantized value of each; select a number of floating evaluation points and determine the initial value of each; 2) periodically update the quantized value of each floating evaluation point from the collected cloud platform information, where the quantized value of a floating evaluation point in the current cycle is updated from its assessed value in the previous cycle and the safety floating factor of the current cycle; 3) divide the cloud platform into a number of safety layers and merge the quantized values of the evaluation points that belong to the same safety layer to obtain the assessed value C of that layer, where the evaluation points include both base evaluation points and floating evaluation points; 4) calculate the security evaluation result Q of the cloud platform from the assessed values of its safety layers and so determine the security posture of the cloud platform. The invention can monitor and assess the security posture of an entire cloud platform; it is simple to operate and highly reliable.
Description
Technical field
The present invention relates to network security technology, information security technology and the technical field of data security, and specifically to a security situation awareness method.
Background technology
The "explosive" growth of cloud computing has also brought supervision difficulties to governments and enterprises. Data corruption, information leakage, account theft: in recent years, with the growth of the cloud storage industry, "cloud security" vulnerability problems have become commonplace. With a touch of "upload" or "save", large files that used to be kept on physical storage can be saved to the network "cloud" in a few steps. What follows, however, is an endless stream of personal privacy data leaks; enterprises that depend on cloud disks for data storage also face information security threats, and some have even been forced to bear huge repair costs or the risk of bankruptcy because of data loss. At present, China has not yet formulated the relevant evaluation criteria and policies for assessing and supervising "cloud service" providers with security as the main content. China needs to strengthen the research and development of independently controlled cloud computing security technology, to avoid a situation in which cloud computing security technology and applications, especially e-government cloud construction, depend on foreign mainstream companies; this is one of the key points for solving the security and data safety problems of cloud computing in China, and research on "cloud" security and the exploration of technical solutions need to continue in depth.
Among the many cloud services, the landing of government and enterprise clouds is an inevitable development trend, and security is the most important part of the government and enterprise cloud. Only a cloud security management plan with an overall strategy can ensure that governments and enterprises migrate smoothly to the cloud and remain compliant. In the coming years the cloud security market will enter a period of rapid development, and many domestic and foreign security vendors are laying out their cloud security strategies. In general, however, the domestic market still has no clear system of codes and standards; it is a contest of many players, each with its own merits. The construction of the government and enterprise cloud must both solve the "information island" problem between functional departments and consider the various security problems of cloud computing technology. Overall, the government and enterprise cloud now faces the challenges of resource consolidation, industry supervision, security control, user supervision and the migration of legacy applications during its full-scale development, as well as the new pressure of operations and maintenance on the cloud and the challenge of security problems. The application of the cloud has become basically universal among enterprises, and the national "12th Five-Year" plan also proposes to "strengthen information sharing and practise strict economy", so building the government and enterprise cloud is imperative. The comprehensive landing of the government and enterprise cloud must first be planned from a security standpoint. Meeting compliance requirements is the important guarantee for the government and enterprise cloud to land in earnest and migrate smoothly.
The services provided by cloud computing can be divided into three levels, IaaS, PaaS and SaaS, and the security concerns of the three differ. Vulnerability scanning and penetration testing are necessary cloud security practices for both PaaS and infrastructure as a service (IaaS). Whether they manage applications or runtime servers and storage infrastructure in the cloud, users must assess the security state of the systems exposed to the Internet. For testing APIs and application integration in PaaS and IaaS environments, enterprises working with a cloud provider should pay attention to data in transit and to potential unauthorized access to application data through means such as bypassing authentication or injection attacks.
The present invention therefore establishes a cloud platform security posture awareness method. Unlike traditional big-data security posture analysis methods, this method divides the security system into multiple layers and analyzes it from multiple angles in combination with evaluation points, which form the data core of the situation awareness method. It detects cloud platform security incidents and vulnerabilities, perceives the cloud platform security posture, monitors the whole cloud platform and analyzes the logs collected in real time to obtain the security posture of the system, thereby safeguarding the stability and reliability of the cloud platform, improving the security of system data, strengthening the user's control over the system and improving service quality and user satisfaction.
Content of the invention
Based on the above problems, the object of the present invention is to provide a cloud platform security posture awareness method that can monitor an entire cloud platform, analyze the logs collected in real time and assess the security posture of the system, and that is simple to operate and highly reliable.
The cloud platform security posture awareness method of the present invention comprises five steps: quantifying base evaluation points, quantifying floating evaluation points, merging safety layers, computing the cloud platform security evaluation index, and perceiving the cloud platform security posture.
Step 1: Quantifying base evaluation points
The quantification of base evaluation points is dominated by expert assessment: experts score the relevant base evaluation points (the base evaluation points to be considered and their specific indicator items are set in advance according to the actual situation). Most of this work can be carried out after the cloud platform has been built and deployed, and the related information is then stored; during later operation of the cloud platform it can also be changed as needed and the base evaluation points re-quantified. According to the actual situation a base evaluation point is rated at one of four levels, meets, mostly meets, mostly does not meet, does not meet, with corresponding quantized values {1, 0.8, 0.4, 0}. From the scores g_i of the n experts, the quantized value of a single base evaluation point P is calculated as follows:
Step 2: Quantifying floating evaluation points
The quantification of floating evaluation points is divided into two steps. First, based on the base evaluation approach, experts give the relevant indicators an initial score P_0; this step is carried out only when the method is initialized, and afterwards the evaluation point is quantified in floating mode. The present invention first defines the safety floating factor: system vulnerabilities, attacks suffered and other security events are collectively called safety floating factors. If the floating evaluation points are quantified at intervals of one cycle T, the quantized value of a floating evaluation point is determined by its assessed value in the previous cycle and the floating factor of the current cycle. The safety floating factor R_T is determined mainly by the n safety problems that arise in cycle T. A safety problem usually concerns a vulnerability or weakness of the system, so when quantifying it the present invention refers to its CVSS (Common Vulnerability Scoring System) score; for safety problems that are not in the CVE (Common Vulnerabilities and Exposures) database, an administrator must locate and score the problem specifically. The score S of a safety problem is therefore:

where s_cvss is the CVSS score of the corresponding vulnerability in CVE. When the safety problem has no basis in CVE, the score is set by manual review by the system administrator, i.e. by v_i, k_i, y_i ∈ [0,1], where v_i represents the threat level of the safety problem, k_i its ease of exploitation and y_i its degree of influence on the corresponding evaluation point; together they characterize the safety problem.

The quantized safety floating factor R_T for cycle T is obtained by the above method. Given the n safety problems that occurred in cycle T, the present invention computes the quantized value P_T of the floating evaluation point in that cycle as:
Step 3: Merging safety layers
Following the first two steps, the quantized value P_i of each evaluation point (both base and floating evaluation points) is readily calculated; the quantized values of the evaluation points are next merged per layer. In view of the applicability and extensibility of the method, no strict restriction is imposed here on the specific division into layers or on the assignment of evaluation points to layers; when the method is used, the division can be made purposefully according to the main business functions and requirements of the cloud platform. Taking a safety layer as the unit, the assessed value C obtained by merging the quantized results of the N evaluation points that belong to it is:
Step 4: Cloud platform security evaluation index
As stated, the whole system is divided vertically into 7 layers. Because each layer concerns different content and different safety problems, it has a different impact on the safe operation of the whole cloud platform; combined with the service requirements of the cloud platform itself, the degree of concern for each safety layer also differs. A weight q_i is therefore set for each safety layer, with q_i ∈ [60,100], to better fit the actual situation of the cloud platform, and the cloud platform security evaluation result is calculated as follows:
Step 5: Cloud platform security posture perception
By the above method the present invention can assess and quantify the security state of the cloud platform from two directions, horizontal and vertical (evaluation points and safety layers), and obtain the corresponding real-time results. Based on the characteristics of changes in cloud platform security posture and the earlier analysis of the sudden nature of safety problems, and considering that the quantification of base indicators is essentially completed at deployment or at the start of operation, the present invention mainly considers here the floating evaluation points affected by the floating factor; the predicted quantized value of a floating evaluation point for cycle T is:

From the predicted value P_{T+1} of the floating point, the safety layers and the whole cloud platform can in turn be predicted and quantified by the quantification method above, achieving comprehensive trend prediction for the platform as a whole, for the safety layers and for the evaluation points in both the horizontal and vertical directions.
In the cloud platform security posture awareness method of the present invention, in line with the actual situation of cloud platforms, the cloud platform system is divided vertically into 7 layers, in order: physical security, network security, host security, virtualization-layer abstraction security, software platform security, application security and data security. Combining the characteristics of cloud platforms, the virtualization layer is separated out to better describe cloud platform security relative to legacy systems. In addition, a number of evaluation points are delineated horizontally that run through every layer.
The present invention is directed to a perception and prediction method for cloud platforms, and perceives the near-term security posture of the cloud platform on the basis of its real security posture data.
The cloud platform security posture awareness method of the present invention is realized through the calculation of evaluation points. The method divides evaluation points into two major classes, base evaluation points and floating evaluation points, defines the concept of the floating factor for floating evaluation points, and quantifies the evaluation points.
Compared with the prior art, the advantages of the present invention are:

The layered approach of the method covers everything from the underlying physical environment to the upper-layer application and data divisions and, based on the characteristics of cloud platforms, abstracts the virtualization layer to better describe the differences between cloud platforms and conventional systems. Together, the horizontal and vertical dimensions provide a comprehensive evaluation system for the cloud platform environment, ensuring the usability and accuracy of the security posture awareness method.

In line with the actual security environment of cloud platforms, real-world safety problems are highly sudden: they often break out on a large scale and can quickly return to a safe state after timely remediation. Long-term trends and old data are of very limited use for posture awareness, so when predicting, the present invention gives priority to recent data and assesses and predicts the security posture of the cloud platform from three dimensions.
Brief description
Fig. 1 is the real-time system log processing flow chart of the present invention.
Fig. 2 is the system trend assessment processing flow of the present invention.
Specific embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below with reference to specific embodiments and to Fig. 1.
Embodiments of the invention are applied under cloud platform environment.
The present invention divides evaluation points into two major classes, base evaluation points and floating evaluation points. It is considered here that different platforms differ in their monitoring capabilities and environmental conditions in specific implementations and so have different monitoring requirements for evaluation points, so no rigid division of evaluation point classification is imposed. When using this method, users can design the classification of evaluation points according to the specific situation of their cloud platform instance.
The 5 steps of the above method are described in detail below.
The base evaluation points in step 1 of the method of the invention comprise many static indicators covering every layer from the underlying hardware to upper-layer applications and data. Evaluation points related to the physical environment, system architecture, safety measures and the like are usually essentially fixed at design and deployment time, which is why they are called base evaluation points. The present invention considers that the scores of these base evaluation points in a cloud platform hardly change over time. These evaluation points are the P in the formula. Experts score each evaluation point (P_1 to P_n) according to its evaluation indicators.

The present invention assumes n experts; the score given by each expert to P_i is called g_i, and averaging the g_i gives P_i. The number and content of the base evaluation points may vary with the application scenario, and step 1 yields the score P_i of the static indicator items of each base evaluation point.
The indicators of the floating evaluation points used in step 2 of the method mainly involve safety problems such as system vulnerabilities, various attack events, security threats and security incidents. These indicators are classed as floating evaluation points because such safety problems appear suddenly, so these factors are time-dependent and change over time. For exactly this reason the scores of these points are considered to float, and such evaluation points are called floating evaluation points. Safety problems of the same type can be assigned by category to different floating evaluation points, which makes scoring a given floating evaluation point convenient. In the method these safety problems are collectively called safety floating factors. For example, in the host security layer the floating evaluation point "intrusion defense" needs to be considered; many indicators assist in scoring this point, such as vulnerabilities found by a vulnerability scanner or unauthorized open ports detected by security protection software.
The possible data sources when the embodiment of the present invention carries out the assessment of step 2 are described below.

Take one security posture assessment of the cloud platform as an example. Data of different origins and structures must be collected. The available data falls into the following kinds:
Log data, including system logs, application logs and the like, and security events found by mature technologies (for example cloud application security protection software). These events can be forwarded with the rsyslog log transport protocol and then collected by Flume, a highly reliable and highly available distributed system for collecting, aggregating and transmitting massive logs. From these data the present invention can analyze the safety problems present in the cloud platform.

Cloud platform vulnerabilities can be obtained by scanning hosts and virtual machines with the open vulnerability assessment system OpenVAS.

Creating virtual machines requires a platform for support, and a common cloud computing management platform is OpenStack. Information about platforms such as OpenStack and the problems they present can be obtained through the application programming interfaces (APIs) that OpenStack itself provides.

Besides the above, the safety problems of the cloud platform can also be obtained by other methods.
According to the type of data gathered, the present invention divides the collection of safety problems into the following two modules:
1. Vulnerability scanning module
Target hosts are scanned with the open vulnerability assessment system OpenVAS to obtain host vulnerability information, and the scan results are stored in the corresponding tables of a MySQL database. The vulnerability information includes the vulnerability name, creation time, modification time, owner, host, port number, threat, severity, description and so on. This vulnerability information is needed when assessing the floating part of the cloud platform security posture and is one of the data sources for security posture assessment.
2. Log collection and processing module
This module is responsible for collecting the security event logs in the cloud platform, including system logs, audit events, firewall events, integrity monitoring events and so on. After the logs have been gathered, the various logs also need to be received, classified and formatted, and finally stored in a suitable database to be called upon during assessment.
1) Log classification
All original logs are classified on the basis of the structure of the message fields in the log information; logs with the same message structure are put in one class, giving the following classes and their specific message field contents:
2) Log formatting
For each log class, the regular expressions required for formatting are designed, and a log processing tool (for example the Morphline tool shipped with the log collection, aggregation and transfer system Flume) processes the real-time log stream, converting it into structured logs that are stored in a database and called upon when analysis is needed. The calculation process of step 2 of the method is illustrated below.
The first step of quantifying floating evaluation points is based on the base evaluation approach of step 1: experts give each floating evaluation point of the cloud platform an initial score P_0 according to the indicator items related to the safety floating factors. This step is carried out only when the method is initialized and provides the system with an initial score; afterwards the evaluation points are quantified in floating mode. The invention defines a time interval T for the floating mode, and the scoring is repeated after every interval T.
When quantifying the aforementioned safety problems, the CVSS (Common Vulnerability Scoring System) score of the vulnerability is used; for safety problems not in the CVE (Common Vulnerabilities and Exposures) database, an administrator must locate and score the problem specifically. In the administrator's scoring each problem corresponds to a group v_i, k_i, y_i with v_i, k_i, y_i ∈ [0,1]. The variable v_i represents the threat level of the safety problem, k_i its ease of exploitation (how easily the safety problem can be used) and y_i its degree of influence on the score of the corresponding evaluation point. The product of the three is taken as the score of the vulnerability. Once a safety problem that is not in the CVE database has a score, the present invention regards the problem as handled. Adding up the scores of all safety problems belonging to the same evaluation point (those in CVE and those handled by the administrator) gives R_T' in the formula. If, however, after cycle T some safety problems are still neither in the CVE database nor handled by the administrator, the invention multiplies the previously obtained R_T' by a coefficient of 1.3 to give the final quantized floating factor R_T; if all have scores, the coefficient is not needed and R_T = R_T'. If no safety problem occurs within the period, R_T is 0.

If R_T is 0 and the number of safety problems n = 0, the invention considers that the cloud platform is developing in a good direction, and therefore multiplies the original value of the floating evaluation item by 1.1 as the floating score P_T of this cycle. If R_T is 0 but the number of safety problems n > 0, vulnerabilities not in the CVE database have appeared and none of them has been handled by the administrator, so the platform is tending to deteriorate, and the invention multiplies the original value of the floating evaluation item by 0.5 as the floating score P_T of this cycle. If R_T is greater than 0, the invention subtracts the floating value R_T from the original score, i.e. P_{T-1} - R_T, to obtain the floating score P_T of this cycle.

Finally, because the scores of the present invention are limited to between 0 and 1, if P_T is less than 0 the invention takes 0, and if it is greater than 1 it takes 1.
Step 3 of the method of the invention divides the cloud platform into different layers as actually needed, places the two classes of evaluation points obtained in steps 1 and 2 into their respective layers, and then, according to the formula in step 3, adds up the scores of the evaluation points belonging to a layer and averages them to calculate the assessed value C of each layer.
Step 4 of the method calculates the security situation evaluation value of the whole cloud platform. Because different application environments attach different importance to each security layer, a separate weight qi is assigned to each layer so that the result better reflects the actual situation of the platform. In a cloud platform, for example, the network security and virtual machine security layers may be given higher weights.
Step 5 of the method predicts the future trend of the floating evaluation points of step 2. Basal evaluation points do not change, so only the floating evaluation points need to be predicted; repeating the calculations of steps 3 and 4 on the predicted values then gives the future security situation evaluation value of the cloud platform. Based on how cloud platform security posture changes and on the earlier analysis of the suddenness of security problems, the score of the cycle to be predicted is obtained by multiplying the scores of the five preceding cycles by different weights. Cycles closer to the present carry a larger weight, but the weights do not differ greatly: if the cloud platform suffered a severe security event in the past, the platform may have a systemic problem, which implies that similar security problems may recur in the future.
The following illustrates how the security posture perception and evaluation method of the invention performs its calculation. The calculation is divided into 5 steps.
First, assume the cloud platform is divided into 4 layers: network security layer C1, virtual machine security layer C2, virtualization platform management security layer C3 and physical machine security layer C4.
Step 1: quantification of basal evaluation points.
Experts are asked to score the basal evaluation points of the cloud platform. Assume the 4 layers of this platform contain 4 basal evaluation points P1-P4. According to how well the actual state of each index matches the expected security situation, four levels are distinguished: met, mostly met, mostly not met and not met, with corresponding quantized values {1, 0.8, 0.4, 0}. Each expert scores the four points; for each basal evaluation point the scores of all experts are summed and averaged to give the value of that point.
Step 2: quantification of floating evaluation points.
The first step of quantifying floating evaluation points is the same as for basal evaluation points: experts give each related index an initial score.
Assume the 4 layers of this platform contain 4 floating evaluation points P5-P8. The mean of the experts' initial assessments, calculated with the formula of step 1, is as follows (these are the initial values listed in the starting-stage table of step 3):
Assume that after the T cycle the vulnerability scanning module has found 4 vulnerabilities: TCP timestamps, SSH Weak MAC Algorithms Supported, Check for SSL Weak Ciphers and Dropbear SSH CRLF Injection Vulnerability, uniformly named security problems 1, 2, 3 and 4. In addition, the collected logs show that within this cycle the system suffered a denial-of-service attack and a MAC spoofing attack, uniformly named security problems 5 and 6.
Assume that of these 6 security problems, problems 1, 2, 4 and 5 belong to floating evaluation point P5, problem 3 belongs to floating evaluation point P6, no problem belongs to floating evaluation point P7, and problem 6 belongs to floating evaluation point P8. Their scores are as follows:
 | In CVE store? | scvss | Handled by administrator? | vi | ki | yi | vi·ki·yi |
---|---|---|---|---|---|---|---|
Security problem 1 | No | - | Yes | 0.8 | 0.4 | 0.2 | 0.064 |
Security problem 2 | Yes | 0.9 | - | | | | |
Security problem 3 | No | - | Yes | 0.2 | 0.7 | 0.7 | 0.098 |
Security problem 4 | Yes | 2.4 | - | | | | |
Security problem 5 | No | - | No | | | | |
Security problem 6 | No | - | No | | | | |
R5T1' = 0.064 + 0.9 × 0.1 + 2.4 × 0.1 = 0.394
Because security problem 5 has no score, R5T1 = 1.3 × R5T1' = 0.5122
R6T1' = 0.098, R6T1 = R6T1' = 0.098
R7T1' = 0, R7T1 = R7T1' = 0
R8T1' = 0, R8T1 = 1.3 × R8T1' = 0
Therefore, by the rules above, after one T cycle the assessed values of P5, P6, P7 and P8 are:
P5T1 = P5T0 - 0.394 = 0.306 (the worked example subtracts R5T1' here; subtracting the coefficient-adjusted R5T1 = 0.5122 as the rule states would give 0.1878)
P6T1 = P6T0 - 0.098 = 0.202
P7T1 = 1.1 × P7T0 = 0.99
P8T1 = 0.5 × P8T0 = 0.25
Step 3: merging of security layers.
With the quantized values of each evaluation point from the first two steps, the assessed values of the security layers are now calculated layer by layer: network security layer C1, virtual machine security layer C2, virtualization platform management security layer C3 and physical machine security layer C4.
Assume P1, P3 and P5 belong to layer C1, P2 and P4 belong to layer C2, P6 belongs to layer C3, and P7 and P8 belong to layer C4.
Starting stage:
P1 | P2 | P3 | P4 | P5 | P6 | P7 | P8 |
---|---|---|---|---|---|---|---|
0.78 | 0.78 | 0.38 | 0.28 | 0.7 | 0.3 | 0.9 | 0.5 |
Averaging within each layer by the formula:
C1 | C2 | C3 | C4 |
---|---|---|---|
0.62 | 0.53 | 0.3 | 0.7 |
After the T cycle:
P1 | P2 | P3 | P4 | P5 | P6 | P7 | P8 |
---|---|---|---|---|---|---|---|
0.78 | 0.78 | 0.38 | 0.28 | 0.306 | 0.202 | 0.99 | 0.25 |
Averaging within each layer by the formula:
C1 | C2 | C3 | C4 |
---|---|---|---|
0.4887 | 0.53 | 0.202 | 0.62 |
Step 4: cloud platform security evaluation index.
The four layers are assigned the following weights:
 | C1 | C2 | C3 | C4 |
---|---|---|---|---|
qi | 80 | 90 | 70 | 60 |
The weighted average of the layer values by the formula gives:
Initial Q = 0.5343
Q after the T cycle = 0.4605
Q has decreased, indicating that the security of this cloud platform has declined. Since the description above also shows that security problems occurred on the platform, the decrease in Q is reasonable.
Step 5: cloud platform security posture perception.
This step is used for prediction. If the platform does not need to predict its future security trend, the first 4 steps are sufficient. If prediction is needed, the change of the floating evaluation points must be predicted (basal evaluation points do not change). The following illustrates how a floating evaluation point is predicted in this step.
First, the basal evaluation points are unchanged:
P1 | P2 | P3 | P4 |
---|---|---|---|
0.78 | 0.78 | 0.38 | 0.28 |
The floating evaluation points are updated with the weighted formula of step 5. Suppose a floating evaluation point has the following scores in cycles T1-T5:
PT1 | PT2 | PT3 | PT4 | PT5 |
---|---|---|---|---|
0.42 | 0.3 | 0.5 | 0.62 | 0.71 |
Then PT6 = 0.539 is obtained.
The values of all floating evaluation points at T6 are calculated in the same way; re-running the calculations of steps 3 and 4 on these values gives the C and Q values at T6, that is, the security posture value of the cloud platform at T6.
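The five steps above, coded as one added example; this is not the patent's own code, and the class and function names are mine. It implements the per-problem score, the floating factor R_T with its 1.3 coefficient, the P_T update with the 1.1 and 0.5 rules and the [0, 1] clamp, the layer merge C, the weighted index Q and the five-cycle prediction of step 5, and it re-runs the page's numbers. It applies the stated rule P_T = P_{T-1} - R_T, so for P5 it yields 0.7 - 0.5122 = 0.1878 rather than the 0.306 the worked example gets by subtracting R5T1'; the other values (0.202, 0.99, 0.25, the layer values and both Q values) match. Assumptions not stated on the page: CVSS scores are divided by 10 (the page multiplies 0.9 and 2.4 by 0.1), Q is normalised by the sum of the weights (this reproduces 0.5343 and 0.4605), and the prediction weights (0.1, 0.2, 0.2, 0.2, 0.3) are my choice satisfying the page's constraints (rising with recency, not very different) that happens to reproduce PT6 = 0.539.

```python
"""Cloud platform security posture scoring model (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

UNSOLVED_COEFF = 1.3    # R_T = 1.3 * R_T' when an unscored (pending) problem remains
IMPROVING_COEFF = 1.1   # R_T == 0 and no problem occurred in the cycle
DEGRADING_COEFF = 0.5   # R_T == 0 but pending problems occurred
TREND_WEIGHTS = (0.1, 0.2, 0.2, 0.2, 0.3)  # assumed weights for cycles T-5 .. T-1


@dataclass
class Problem:
    """One security problem found in a cycle (field names are hypothetical)."""
    point: str                    # floating evaluation point it belongs to
    cvss: Optional[float] = None  # CVSS score if the problem is in the CVE store
    handled: bool = False         # processed by the administrator
    v: float = 0.0                # threat degree, in [0, 1]
    k: float = 0.0                # exploitability, in [0, 1]
    y: float = 0.0                # influence on the evaluation point, in [0, 1]

    def score(self) -> Optional[float]:
        """S_i: CVSS/10 if in CVE (assumed scaling); v*k*y if handled; None if pending."""
        if self.cvss is not None:
            return self.cvss / 10.0
        if self.handled:
            return self.v * self.k * self.y
        return None


def floating_factor(problems: Sequence[Problem]):
    """Return (R_T', R_T) for the problems attached to one floating evaluation point."""
    scores = [p.score() for p in problems]
    r_prime = sum(s for s in scores if s is not None)
    pending = any(s is None for s in scores)
    return r_prime, (r_prime * UNSOLVED_COEFF if pending else r_prime)


def update_point(p_prev: float, problems: Sequence[Problem]) -> float:
    """P_T from P_{T-1}: subtract R_T, or apply the 1.1 / 0.5 rule when R_T == 0."""
    _, r_t = floating_factor(problems)
    if r_t > 0:
        p_t = p_prev - r_t
    elif problems:                 # n > 0 but every problem is pending: degrading
        p_t = p_prev * DEGRADING_COEFF
    else:                          # n == 0: improving
        p_t = p_prev * IMPROVING_COEFF
    return min(1.0, max(0.0, p_t))  # scores are confined to [0, 1]


def layer_value(point_values: Sequence[float]) -> float:
    """C: arithmetic mean of the evaluation points in one security layer."""
    return sum(point_values) / len(point_values)


def platform_index(layer_values: Sequence[float], weights: Sequence[float]) -> float:
    """Q: weighted average of layer values, normalised by the weight sum (assumed)."""
    return sum(c * q for c, q in zip(layer_values, weights)) / sum(weights)


def predict_next(history: Sequence[float], weights=TREND_WEIGHTS) -> float:
    """Step 5: weighted sum of the scores of the five preceding cycles."""
    if len(history) != len(weights):
        raise ValueError("need exactly %d previous cycle scores" % len(weights))
    return sum(p * w for p, w in zip(history, weights))


def worked_example() -> Dict[str, float]:
    """Re-run the page's example: six problems over P5..P8, then C1..C4 and Q."""
    problems = [  # constructed from the page's table
        Problem("P5", handled=True, v=0.8, k=0.4, y=0.2),  # problem 1
        Problem("P5", cvss=0.9),                            # problem 2
        Problem("P6", handled=True, v=0.2, k=0.7, y=0.7),  # problem 3
        Problem("P5", cvss=2.4),                            # problem 4
        Problem("P5"),                                      # problem 5, pending
        Problem("P8"),                                      # problem 6, pending
    ]
    prev = {"P5": 0.7, "P6": 0.3, "P7": 0.9, "P8": 0.5}   # initial floating values
    basal = {"P1": 0.78, "P2": 0.78, "P3": 0.38, "P4": 0.28}  # do not change
    weights = (80, 90, 70, 60)                            # q_i for C1..C4
    by_point = {n: [p for p in problems if p.point == n] for n in prev}
    r5_prime, r5 = floating_factor(by_point["P5"])
    new = {n: update_point(prev[n], by_point[n]) for n in prev}

    def layers(f):  # layer membership from step 3
        return [layer_value([basal["P1"], basal["P3"], f["P5"]]),
                layer_value([basal["P2"], basal["P4"]]),
                layer_value([f["P6"]]),
                layer_value([f["P7"], f["P8"]])]

    return {"R5_prime": r5_prime, "R5": r5, **new,
            "Q_initial": platform_index(layers(prev), weights),
            "Q_after": platform_index(layers(new), weights)}


if __name__ == "__main__":
    for name, value in worked_example().items():
        print("%-10s %.4f" % (name, value))
    print("PT6 = %.3f" % predict_next([0.42, 0.3, 0.5, 0.62, 0.71]))
```

`Q_after` in the dictionary uses the model's own P5 (0.1878) and therefore comes out lower than the page's 0.4605; feeding the page's 0.306 into `layer_value` and `platform_index` reproduces 0.4887 and 0.4605 exactly, which is a quick way to check which of the two rules an implementation is applying.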
The specific embodiment above is only a concrete case of the present invention. The scope of patent protection of the invention includes but is not limited to this embodiment; any omission, modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within the scope of its patent protection.
Claims (10)
1. A cloud platform security posture perception method, comprising the steps of:
1) selecting a number of basal evaluation points and determining the quantized value of each; selecting a number of floating evaluation points and determining the initial value of each;
2) regularly updating the quantized value of each floating evaluation point according to the collected cloud platform information, wherein the quantized value of a floating evaluation point in this cycle is updated from its assessed value in the previous cycle and the security floating factor of this cycle;
3) dividing the cloud platform into a number of security layers and merging the quantized values of the evaluation points belonging to the same security layer to obtain the assessed value C of that layer, wherein the evaluation points include basal evaluation points and floating evaluation points;
4) calculating the security evaluation result Q of the cloud platform from the assessed values of its security layers, and thereby determining the security situation of the cloud platform.
2. The method of claim 1, wherein the security floating factor RT of the T cycle is determined from the n security problems produced in the T cycle, and the score S of each security problem is computed from scvss, the CVSS score in the CVE store of the vulnerability corresponding to that problem, and from vi, ki, yi ∈ [0, 1], where vi is the threat degree of the security problem, ki its exploitability, and yi its degree of influence on the corresponding evaluation point.
3. The method of claim 2, wherein the security floating factor RT of the T cycle is computed from Si, the score of the i-th security problem, n being the total number of security problems in the T cycle.
4. The method of claim 3, wherein the quantized value PT of a floating evaluation point in the T cycle is computed from PT-1, the quantized value of that floating evaluation point in the T-1 cycle.
5. The method of claim 1, wherein the assessed value C is the average of the quantized values Pi of the evaluation points in the security layer, Pi being the quantized value of the i-th evaluation point and N the total number of evaluation points in that layer.
6. The method of claim 5, wherein the security evaluation result Q of the cloud platform is computed from the assessed values Ci of the m security layers of the cloud platform, each Ci being weighted by qi.
7. The method of any one of claims 1 to 6, wherein the security layers include: a physical security layer, a network security layer, a host security layer, a virtualization abstraction security layer, a software platform security layer, an application security layer and a data security layer.
8. The method of any one of claims 1 to 6, wherein the basal evaluation points are static indices of the cloud platform.
9. The method of any one of claims 1 to 6, wherein the cloud platform information is collected by gathering the log data of the cloud platform.
10. The method of any one of claims 1 to 6, wherein the cloud platform information is collected by gathering the vulnerability information of the target hosts in the cloud platform.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611051883.4A CN106487810B (en) | 2016-11-25 | 2016-11-25 | A kind of cloud platform security postures cognitive method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106487810A (en) | 2017-03-08 |
CN106487810B (en) | 2019-10-18 |
Family
ID=58275135
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611051883.4A Expired - Fee Related CN106487810B (en) | 2016-11-25 | 2016-11-25 | A kind of cloud platform security postures cognitive method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106487810B (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102098180A (en) * | 2011-02-17 | 2011-06-15 | 华北电力大学 | Network security situational awareness method |
US20160269436A1 (en) * | 2015-03-10 | 2016-09-15 | CA, Inc | Assessing trust of components in systems |
CN104883369A (en) * | 2015-05-29 | 2015-09-02 | 天津大学 | Cloud configuration safety assessment method |
CN105553957A (en) * | 2015-12-09 | 2016-05-04 | 国家电网公司 | Network safety situation awareness early-warning method and system based big data |
CN105681314A (en) * | 2016-01-29 | 2016-06-15 | 博雅网信(北京)科技有限公司 | Cloud environment security scanner and method |
Non-Patent Citations (1)
Title |
---|
ALBAKRI, SAMEER HASAN: "Security risk assessment framework for cloud computing environments", 《SECURITY AND COMMUNICATION NETWORKS》 * |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107220549A (en) * | 2017-05-26 | 2017-09-29 | 中国民航大学 | Leak risk basal evaluation method based on CVSS |
CN107220549B (en) * | 2017-05-26 | 2020-12-01 | 中国民航大学 | Vulnerability risk basic evaluation method based on CVSS |
CN107483414A (en) * | 2017-07-20 | 2017-12-15 | 安徽继远软件有限公司 | A kind of security protection system and its means of defence based on cloud computing virtualized environment |
CN107645510A (en) * | 2017-10-19 | 2018-01-30 | 北京知道创宇信息技术有限公司 | A kind of computational methods and computing device of regional safety prevention ability |
WO2019075795A1 (en) * | 2017-10-19 | 2019-04-25 | 国云科技股份有限公司 | Method for evaluating security of cloud computing platform |
CN108650326A (en) * | 2018-05-18 | 2018-10-12 | 深圳源广安智能科技有限公司 | A kind of effective transportation information service systems |
CN109379373A (en) * | 2018-11-23 | 2019-02-22 | 中国电子科技网络信息安全有限公司 | A kind of cloud security assessment system and method |
CN109951477A (en) * | 2019-03-18 | 2019-06-28 | 武汉思普崚技术有限公司 | A kind of method and apparatus based on threat information detection network attack |
CN109951477B (en) * | 2019-03-18 | 2021-07-13 | 武汉思普崚技术有限公司 | Method and device for detecting network attack based on threat intelligence |
CN111740974A (en) * | 2020-06-16 | 2020-10-02 | 黑龙江省网络空间研究中心 | Network security emergency linkage system and method |
CN112073389A (en) * | 2020-08-21 | 2020-12-11 | 苏州浪潮智能科技有限公司 | Cloud host security situation awareness system, method, device and storage medium |
CN115484176A (en) * | 2022-09-02 | 2022-12-16 | 浪潮云信息技术股份公司 | Layered design method and system for distributed cloud system operation situation perception |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |
 | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20191018 |