CN107294979A - Network security assessment method and device based on configuration verification - Google Patents


Info

Publication number: CN107294979A
Application number: CN201710513608.8A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: baseline, target device, risk, value, checked
Inventors: 黄元飞, 李燕伟, 王博, 杨鹏, 高强, 陈亮, 应志军, 林星辰, 王鹏翩, 张家旺, 吴倩, 杜薇, 陈禹, 张淼
Current Assignee: Beijing University of Posts and Telecommunications; National Computer Network and Information Security Management Center
Original Assignee: Beijing University of Posts and Telecommunications; National Computer Network and Information Security Management Center
Application filed by Beijing University of Posts and Telecommunications and National Computer Network and Information Security Management Center.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L 41/14 Network analysis or design

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a network security assessment method and device based on configuration verification. The method includes: obtaining information on M target devices of a target system, where the information on a target device includes the type of the target device and the Internet Protocol (IP) address of the target device, and M is an integer greater than or equal to 1; for each target device, obtaining the baseline check template corresponding to the type of the target device, the baseline check template including baseline check items and the Baseline security decision rules corresponding to the baseline check items; obtaining, according to the IP of the target device and the baseline check items included in the baseline check template, the configuration information of the baseline items of the target device to be checked; determining the risk value of the target device according to the configuration information of the baseline items to be checked and the Baseline security decision rules; and then determining the risk value of the target system. The network security assessment method and device based on configuration verification provided by the present invention can solve the problem that existing ICS risk assessment methods are not intuitive.

Description

Network security assessment method and device based on configuration verification
Technical field
The present invention relates to the field of information security technology, and in particular to a network security assessment method and device based on configuration verification.
Background technology
An industrial control system (Industrial Control System, ICS for short) controls the operation of modern industrial infrastructure (such as power systems, oil and gas systems, chemical systems, water conservancy systems, traffic control systems and industrial manufacturing systems). With the development of modern industrial infrastructure, ICS is transforming from closed, isolated systems into open, interconnected systems. This transition brings risks to ICS information security, so risk assessment usually needs to be carried out on an ICS in order to evaluate the security risks the ICS faces and to take remedial measures in time.
The ICS of a typical large industrial customer includes equipment from different vendors, and different equipment may use different host-computer application systems and different industrial control communication protocols (such as vendor proprietary protocols). In the prior art, when the risk of an ICS is assessed, risk assessment is carried out separately for each piece of equipment in the ICS according to the information that differs between devices (such as the application system a device uses): the equipment to be assessed is identified according to the industrial control communication protocol it uses, the asset value of that equipment is then estimated, and its risk assessment is thereby completed, yielding a risk value for each piece of equipment in the ICS that has undergone this assessment.
However, existing ICS risk assessment methods are not intuitive.
Summary of the invention
Embodiments of the present invention provide a network security assessment method and device based on configuration verification, to solve the problem that existing ICS risk assessment methods are not intuitive.
A first aspect of the embodiments of the present invention provides a network security assessment method based on configuration verification, including:
obtaining information on M target devices of a target system, where the information on a target device includes the type of the target device and the Internet Protocol (IP) address of the target device, M is an integer greater than or equal to 1, and the target system is an ICS;
for each target device, obtaining the baseline check template corresponding to the type of the target device, the baseline check template including baseline check items and the Baseline security decision rules corresponding to the baseline check items; obtaining, according to the IP of the target device and the baseline check items included in the baseline check template, the configuration information of the baseline items of the target device to be checked; and determining the risk value of the target device according to the configuration information of the baseline items to be checked and the Baseline security decision rules;
determining the risk value of the target system according to the risk values of the M target devices.
Optionally, the baseline check template includes N_i baseline check items, N_i being an integer greater than or equal to 1;
and determining the risk value of the target device according to the configuration information of the baseline items to be checked and the Baseline security decision rules includes:
for each baseline check item, obtaining the check result of the baseline check item according to the configuration information of the baseline item to be checked and the Baseline security decision rule;
performing a first weighted calculation on the check results of the N_i baseline check items to obtain the risk value of the target device.
Optionally, determining the risk value of the target system according to the risk values of the M target devices includes:
performing a second weighted calculation on the risk values of the M target devices to determine the risk value of the target system.
Optionally, obtaining the information on the M target devices of the target system includes:
comparing the fingerprint information corresponding to the M target devices with the fingerprint information in a preset fingerprint library to obtain the information on the M target devices of the target system.
Optionally, the method further includes:
performing vulnerability scanning on the target device to obtain the vulnerability scanning result corresponding to the target device;
and performing the first weighted calculation on the check results of the N_i baseline check items to obtain the risk value of the target device includes:
performing the first weighted calculation on the check results of the N_i baseline check items and the vulnerability scanning result to obtain the risk value of the target device.
A second aspect of the embodiments of the present invention provides a network security assessment device based on configuration verification, including an identification module, a task setup module and an evaluation module;
the identification module is configured to obtain information on M target devices of the target system, where the information on a target device includes the type of the target device and the IP of the target device, and M is an integer greater than or equal to 1;
the task setup module is configured to, for each target device, obtain the baseline check template corresponding to the type of the target device, the baseline check template including baseline check items and the Baseline security decision rules corresponding to the baseline check items; obtain, according to the IP of the target device and the baseline check items included in the baseline check template, the configuration information of the baseline items of the target device to be checked; and determine the risk value of the target device according to the configuration information of the baseline items to be checked and the Baseline security decision rules;
the evaluation module is configured to determine the risk value of the target system according to the risk values of the M target devices.
Optionally, the task setup module includes an obtaining submodule, a collection engine and a judgement engine;
the obtaining submodule is configured to, for each target device, obtain the baseline check template corresponding to the type of the target device, the baseline check template including baseline check items and the Baseline security decision rules corresponding to the baseline check items;
the collection engine is configured to, for each target device, obtain the configuration information of the baseline items of the target device to be checked according to the IP of the target device and the baseline check items included in the baseline check template;
the judgement engine is configured to, for each target device, determine the risk value of the target device according to the configuration information of the baseline items to be checked and the Baseline security decision rules.
Optionally, the baseline check template includes N_i baseline check items, N_i being an integer greater than or equal to 1;
the judgement engine includes a judgement unit and a first calculation unit;
the judgement unit is configured to, for each baseline check item, obtain the check result of the baseline check item according to the configuration information of the baseline item to be checked and the Baseline security decision rule;
the first calculation unit is configured to, for each baseline check item, perform a first weighted calculation on the check results of the N_i baseline check items to obtain the risk value of the target device.
Optionally, the evaluation module includes a second calculation unit;
the second calculation unit is configured to perform a second weighted calculation on the risk values of the M target devices to determine the risk value of the target system.
Optionally, the device further includes a scan module;
the scan module is configured to perform vulnerability scanning on the target device to obtain the vulnerability scanning result corresponding to the target device;
the first calculation unit includes a third calculation subunit;
the third calculation subunit is configured to perform the first weighted calculation on the check results of the N_i baseline check items and the vulnerability scanning result to obtain the risk value of the target device.
The network security assessment method based on configuration verification provided by the embodiments of the present invention includes: obtaining information on M target devices of a target system, where the information on a target device includes the type of the target device and the Internet Protocol (IP) address of the target device, and M is an integer greater than or equal to 1; for each target device, obtaining the baseline check template corresponding to the type of the target device, the baseline check template including baseline check items and the Baseline security decision rules corresponding to the baseline check items; obtaining, according to the IP of the target device and the baseline check items included in the baseline check template, the configuration information of the baseline items of the target device to be checked; determining the risk value of the target device according to the configuration information of the baseline items to be checked and the Baseline security decision rules; and determining the risk value of the target system according to the risk values of the M target devices. The method achieves risk assessment of the target system by checking the configuration information of the baselines of the target devices in the target system. Further, different baseline check templates are set according to the different types of target devices; the configuration information of the baseline items to be checked of the corresponding target device is collected according to the baseline check items in its baseline check template; the configuration information of the baseline items to be checked is judged against the Baseline security decision rules in the baseline check template to obtain the risk value of the corresponding target device; and finally the risk value of the target system is obtained from the risk values of the different target devices in the target system, completing the risk assessment of the target system. The risk value of the target system provided by this method gives an intuitive view of the risk status of the target system. Moreover, the method can improve the efficiency of risk assessment of the target devices in the target system. On the other hand, the embodiments of the present invention also provide a network security assessment device based on configuration verification for carrying out the above method. The method and device provided by the embodiments of the present invention can solve the problem that existing risk assessment methods for the target system are not intuitive.
Brief description of the drawings
In order to illustrate the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow diagram of embodiment one of the network security assessment method and device based on configuration verification provided by the present invention;
Fig. 2 is a flow diagram of embodiment two of the network security assessment method and device based on configuration verification provided by the present invention;
Fig. 3 is a flow diagram of embodiment three of the network security assessment method and device based on configuration verification provided by the present invention;
Fig. 4 is a structural diagram of embodiment one of the network security assessment method and device based on configuration verification provided by the present invention;
Fig. 5 is a structural diagram of embodiment two of the network security assessment method and device based on configuration verification provided by the present invention;
Fig. 6 is a structural diagram of embodiment three of the network security assessment method and device based on configuration verification provided by the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The terms "first", "second", "third", "fourth" and so on (if present) in the description, claims and drawings are used to distinguish similar objects and need not describe a specific order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments described herein can be implemented in orders other than those illustrated or described here. In addition, the terms "comprising" and "having" and any variants of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to those steps or units expressly listed, but may include other steps or units not expressly listed or inherent to that process, method, product or device.
When the risk of an ICS is assessed in the prior art, risk assessment needs to be carried out separately on each of the different devices in the ICS, yielding a separate risk assessment value for each device, so that existing ICS risk assessment methods are not intuitive.
The network security assessment method based on configuration verification provided by the embodiments of the present invention achieves risk assessment of a target system (including an ICS) by checking the configuration information of the baselines of the target devices in the target system. Further, different baseline check templates are set according to the different types of target devices; the configuration information of the baseline items to be checked of the corresponding target device is collected according to the baseline check items in its baseline check template; the configuration information of the baseline items to be checked is judged against the Baseline security decision rules in the baseline check template to obtain the risk value of the corresponding target device; and finally the risk value of the target system is obtained from the risk values of the different target devices in the target system, completing the risk assessment of the target system. The risk value of the target system provided by this method gives an intuitive view of the risk status of the target system. Moreover, the method can improve the efficiency of risk assessment of the target devices in the target system. On the other hand, the embodiments of the present invention also provide a network security assessment device based on configuration verification for carrying out the above method. The method and device provided by the embodiments of the present invention can solve the problem that existing ICS risk assessment methods are not intuitive.
The technical solution of the present invention is described in detail below with specific embodiments. The following specific embodiments may be combined with one another, and the same or similar concepts or processes may not be repeated in some of them.
Fig. 1 is a flow diagram of embodiment one of the network security assessment method and device based on configuration verification provided by the present invention. The target system to which the network security assessment method based on configuration verification of this embodiment is applied is an ICS, where the ICS includes at least one asset device (an asset device to be assessed is called a "target device" in this embodiment). Further, the method of this embodiment is used for risk assessment of an ICS: the risk value of the ICS obtained by the method is used to assess the security of the ICS or the risks it faces, and to take remedial measures against those risks in time. With reference to Fig. 1, the network security assessment method based on configuration verification provided by this embodiment includes the following.
Step 101: obtain information on M target devices of the target system, where the information on a target device includes the type of the target device and the Internet Protocol (IP) address of the target device, and M is an integer greater than or equal to 1.
In this embodiment, the devices to be risk assessed are the target devices; the M target devices are the devices to be verified based on configuration (for example, the asset devices in the ICS to be risk assessed), and the M target devices may be all of the devices in the ICS or only a part of them.
In the method of this embodiment, the information on each of the M target devices in the ICS is obtained first, the information on each target device including the type of the target device and the IP of the target device. The types of the M target devices may be the same or different; specifically, a difference in target device type may refer to a difference in the application system of the target device. The corresponding baseline check task is obtained according to the type of the obtained target device, different target device types corresponding to different baseline check templates.
Optionally, as one implementable mode, the information on the M target devices of the ICS can be obtained by comparing the fingerprint information corresponding to the M target devices with the fingerprint information in a preset fingerprint library.
Optionally, as another implementable mode, a user input interface is provided to receive the information on the target devices to be risk assessed entered by a user.
Specifically, the implementation of obtaining the corresponding baseline check task for each target device in the ICS is as described in steps 102 to 104.
Step 102: for each target device, obtain the baseline check template corresponding to the type of the target device, the baseline check template including baseline check items and the Baseline security decision rules corresponding to the baseline check items.
This embodiment is illustrated with a target device A in the ICS. The type of target device A and the IP of target device A are first obtained in step 101; then the baseline check template a corresponding to the type of target device A is obtained, the baseline check template a including baseline check items and the Baseline security decision rules corresponding to the baseline check items.
Specifically, one implementable way of obtaining the baseline check template a corresponding to the type of target device A is as follows. An information bank is preset, which includes the types of all target devices, the baseline check items corresponding to each type, and the Baseline security decision rules corresponding to those baseline check items. Once the type of target device A is determined, the baseline check items corresponding to that type and the corresponding Baseline security decision rules can be obtained from the information bank; the baseline check items corresponding to the type of target device A together with the corresponding Baseline security decision rules form the baseline check template corresponding to the type of target device A.
Step 103: for each target device, obtain the configuration information of the baseline items of the target device to be checked according to the IP of the target device and the baseline check items included in the baseline check template.
After the baseline check template corresponding to the type of target device A is obtained, the configuration information of the baseline of target device A can be collected remotely according to the IP of target device A obtained in step 101.
Specifically, according to the baseline check items in the baseline check template corresponding to the type of target device A obtained in step 102, the configuration information of the baseline of target device A (that is, the configuration information of the baseline items of target device A to be checked) is obtained in a targeted manner, for judgement in step 104.
More specifically, one implementable way of remotely collecting the configuration information of the baseline of target device A according to its IP is: after the IP of target device A is reached, its port, user name and password are obtained and target device A is logged in to, so that the configuration information of the baseline of target device A is collected remotely.
Step 104: for each target device, determine the risk value of the target device according to the configuration information of the baseline items to be checked and the Baseline security decision rules.
After the baseline check template corresponding to the type of target device A is obtained in step 102 and the configuration information of the baseline items of target device A to be checked is obtained in step 103, in step 104 the configuration information of the baseline items of target device A to be checked is judged to obtain the risk value of target device A.
Specifically, the Baseline security decision rules in the baseline check template a corresponding to target device A are compared with the configuration information of the baseline items of target device A to be checked to yield a judgement result, and the risk value of target device A is obtained from the judgement result.
Each of the M target devices in the ICS obtains its corresponding risk value after steps 102 to 104.
Step 105: determine the risk value of the target system according to the risk values of the M target devices.
Using the risk values of the M target devices in the ICS, the risk value of the ICS is obtained, completing the risk assessment of the ICS.
The network security assessment method based on configuration verification provided by this embodiment achieves risk assessment of an ICS by checking the configuration information of the baselines of the target devices in the ICS. Different baseline check templates are set according to the different types of target devices; the configuration information of the baseline items to be checked of the corresponding target device is collected according to the baseline check items in its baseline check template; the configuration information of the baseline items to be checked is judged against the Baseline security decision rules in the baseline check template to obtain the risk value of the corresponding target device; and finally the risk value of the ICS is obtained from the risk values of the different target devices in the ICS, completing the risk assessment of the ICS. The risk value of the ICS provided by this method gives an intuitive view of the risk status of the ICS. Moreover, the method can improve the efficiency of risk assessment of the target devices in the ICS. The method and device provided by this embodiment can solve the problem that existing ICS risk assessment methods are not intuitive.
Fig. 2 is a flow diagram of embodiment two of the configuration-verification-based network security evaluation method and device provided by the present invention; this embodiment builds on embodiment one. With reference to Fig. 2, the present embodiment includes the following.
The content and implementation process of steps 201, 202 and 203 are the same as those of steps 101, 102 and 103 respectively and are not repeated here.
Step 204: the baseline check template contains N_i baseline check items, where N_i is an integer greater than or equal to 1. For each baseline check item, the inspection result of that baseline check item is obtained according to the configuration information of the baseline item to be checked and the baseline security decision rule.
Step 205: for the target device, a first weighted calculation is performed on the inspection results of its N_i baseline check items, which yields the risk value of the target device.
Steps 204 and 205 of this embodiment are one implementation of step 104 of embodiment one.
Specifically, the M target devices in the ICS correspond to M baseline check templates, and the baseline check template corresponding to the i-th target device contains N_i baseline check items, where i is an integer greater than or equal to 1 and less than or equal to M, and N_i is an integer greater than or equal to 1.
Taking target device A of embodiment one as an example: baseline check template a, which corresponds to target device A, contains S baseline check items, where S is an integer greater than or equal to 1. According to the S baseline check items in template a, the configuration information of the corresponding S baseline items to be checked is collected from target device A; the baseline security decision rules in template a are then compared with the configuration information of target device A's S baseline items to be checked, and the resulting discrimination results are the inspection results of the S baseline check items.
The inspection results of target device A's S baseline check items undergo the first weighted calculation, which gives the risk value of target device A. The first weighted calculation may be the calculation method that corresponds to baseline check template a.
After steps 204 and 205, each of the M target devices in the ICS has a corresponding risk value.
Step 206: a second weighted calculation is performed on the risk values of the M target devices to determine the risk value of the target system.
Step 206 of this embodiment is one implementation of step 105 of embodiment one.
Specifically, the risk values of the M target devices in the ICS undergo the second weighted calculation, which gives the risk value of the ICS. The second weighted calculation may be a weighting scheme set according to the needs of the ICS.
This embodiment provides a specific way of obtaining the risk value of each target device in the ICS: according to the N_i baseline check items contained in the baseline check template, the configuration information of the corresponding N_i baseline items to be checked is collected from the corresponding target device; the baseline security decision rules in the corresponding baseline check template are compared with the configuration information of the target device's N_i baseline items to be checked, which yields the inspection results of the N_i baseline check items; the first weighted calculation over these N_i inspection results then gives the risk value of the target device. This embodiment also provides a method of obtaining the ICS risk value from the risk values of the individual target devices. The ICS risk assessment method provided by this embodiment can efficiently obtain the baseline check template corresponding to the type of each target device, and hence the risk value of each target device. Further, obtaining the risk value of the ICS from the risk values of the target devices in the ICS allows the risk of the ICS to be assessed intuitively.
Fig. 3 is a flow diagram of embodiment three of the configuration-verification-based network security evaluation method and device provided by the present invention; this embodiment builds on embodiment two. With reference to Fig. 3, the present embodiment includes the following.
The content and implementation process of steps 301, 302, 303 and 304 are the same as those of steps 201, 202, 203 and 204 of embodiment two respectively and are not repeated here.
Step 305: vulnerability scanning is performed on the target device to obtain the vulnerability scanning result corresponding to the target device.
Step 306: the first weighted calculation is performed on the inspection results of the N_i baseline check items together with the vulnerability scanning result to obtain the risk value of the target device.
Steps 305 and 306 implement vulnerability scanning of the target devices in the ICS and the inclusion of the vulnerability scanning result in the risk value of the corresponding target device.
Specifically, taking target device A in the ICS as an example: the ICS risk assessment method of this embodiment also performs vulnerability scanning on target device A and obtains a scanning result. The inspection results of target device A's S baseline check items and that vulnerability scanning result then undergo the first weighted calculation, which gives the risk value of target device A.
It should be noted that there is no fixed execution order between steps 305 and 306 and steps 301 to 304.
After steps 305 and 306, each of the M target devices in the ICS has a corresponding risk value.
The content and implementation process of step 307 are the same as those of step 206 of embodiment two and are not repeated here.
In addition to all the method steps of embodiment two, the configuration-verification-based network security evaluation method of this embodiment provides a step of performing vulnerability scanning on the target devices in the ICS, and a method of computing the risk value of the corresponding target device from the scanning result together with the baseline inspection results. This further enriches the content of the risk assessment, so that the ICS risk value obtained with this method is closer to the actual risk value.
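As an added worked example (not the patent's own code; the patent fixes neither the form of the baseline security decision rules nor the two weighted calculations), the following Python models embodiment two (steps 204 to 206) and embodiment three (steps 305 and 306) end to end, with the fingerprint-library identification of claim 4 as the first step. The device types, check items, decision rules, weights, fingerprint library and device inventory are all constructed; the first weighted calculation is taken to be the weighted share of failed check items blended with a vulnerability-scan score, and the second an importance-weighted mean over the devices, both as illustrative choices.

```python
"""Worked model of the risk assessment of embodiments two and three.

Everything here (device types, check items, decision rules, weights, the
fingerprint library and the device data) is constructed for illustration; the
patent does not specify the form of its decision rules or weighted calculations."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class CheckItem:
    """One baseline check item: the configuration item to be checked, its baseline
    security decision rule (True = compliant) and its weight in the first
    weighted calculation."""
    name: str
    rule: Callable[[object], bool]
    weight: float


@dataclass
class Template:
    """Baseline check template for one device type, holding N_i check items.
    scan_weight is the share of the first weighted calculation given to the
    vulnerability-scan result (embodiment three); 0 reproduces embodiment two."""
    device_type: str
    items: List[CheckItem]
    scan_weight: float = 0.0


# Constructed templates for two hypothetical ICS device types.
TEMPLATES: Dict[str, Template] = {
    "plc": Template("plc", [
        CheckItem("firmware_signing", lambda v: v is True, 0.4),
        CheckItem("default_password_changed", lambda v: v is True, 0.4),
        CheckItem("open_services", lambda v: set(v) <= {"modbus"}, 0.2),
    ], scan_weight=0.3),
    "hmi": Template("hmi", [
        CheckItem("os_patch_year", lambda v: v >= 2017, 0.5),
        CheckItem("remote_desktop_enabled", lambda v: v is False, 0.5),
    ], scan_weight=0.3),
}

# Constructed fingerprint library (claim 4): banner fragment -> device type.
FINGERPRINT_DB: Dict[str, str] = {"Acme PLC v2": "plc", "Acme HMI": "hmi"}


def identify(ip: str, banner: str) -> Optional[Dict[str, str]]:
    """Identification module: compare the device's fingerprint (here a service
    banner) with the preset fingerprint library to obtain its type and IP."""
    for fragment, device_type in FINGERPRINT_DB.items():
        if fragment in banner:
            return {"ip": ip, "type": device_type}
    return None


def inspect(template: Template, config: Dict[str, object]) -> Dict[str, bool]:
    """Judgement unit: apply each decision rule to the collected configuration
    value. An item that could not be collected counts as non-compliant."""
    return {item.name: item.name in config and bool(item.rule(config[item.name]))
            for item in template.items}


def device_risk(template: Template, results: Dict[str, bool],
                scan_score: Optional[float] = None) -> float:
    """First weighted calculation: weighted share of failed check items in
    [0, 1], optionally blended with a vulnerability-scan score in [0, 1]
    (third computation subunit). Higher means riskier."""
    total = sum(item.weight for item in template.items)
    failed = sum(item.weight for item in template.items if not results[item.name])
    baseline_risk = failed / total
    if scan_score is None:
        return baseline_risk
    return (1 - template.scan_weight) * baseline_risk + template.scan_weight * scan_score


def system_risk(risks: Dict[str, float], importance: Dict[str, float]) -> float:
    """Second weighted calculation: importance-weighted mean over the M devices."""
    total = sum(importance[ip] for ip in risks)
    return sum(importance[ip] * risk for ip, risk in risks.items()) / total


# Constructed inventory: banner, collected configuration, scan score, importance.
DEVICES = {
    "10.0.0.5": {"banner": "Acme PLC v2 build 118", "importance": 2.0, "scan": 0.5,
                 "config": {"firmware_signing": False, "default_password_changed": True,
                            "open_services": ["modbus", "http"]}},
    "10.0.0.6": {"banner": "Acme HMI panel", "importance": 1.0, "scan": 0.0,
                 "config": {"os_patch_year": 2015, "remote_desktop_enabled": False}},
}


def assess(devices: Dict[str, dict]) -> Dict[str, float]:
    """Run identification, inspection and both weighted calculations over the
    inventory; returns per-device risk values plus the system risk as "system"."""
    risks: Dict[str, float] = {}
    for ip, dev in devices.items():
        info = identify(ip, dev["banner"])
        if info is None:
            continue  # unknown type: no template, hence no risk value for this device
        template = TEMPLATES[info["type"]]
        risks[ip] = device_risk(template, inspect(template, dev["config"]), dev["scan"])
    out = dict(risks)
    out["system"] = system_risk(risks, {ip: devices[ip]["importance"] for ip in risks})
    return out


if __name__ == "__main__":
    for name, value in assess(DEVICES).items():
        print(f"{name}: {value:.3f}")
```

Running the block assesses the two constructed devices. A device whose fingerprint is absent from the library gets no template and therefore no risk value, so in practice the unidentified devices should be reported alongside the system risk rather than silently dropped, since an unassessed device contributes nothing to the second weighted calculation and makes the system look safer than it is.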
Fig. 4 is a structural diagram of embodiment one of the configuration-verification-based network security evaluation method and device provided by the present invention. With reference to Fig. 4, in this embodiment the configuration-verification-based network security evaluation device includes: an identification module 11, a task setup module 12 and an evaluation module 13. The task setup module 12 includes: an acquisition submodule 121, an acquisition engine 122 and a discrimination engine 123.
The identification module 11 is configured to obtain the information of the M target devices of the target system, where the information of a target device includes the type of the target device and the IP of the target device, and M is an integer greater than or equal to 1.
The acquisition submodule 121 is configured to obtain, for each target device, the baseline check template corresponding to the type of the target device; the baseline check template contains baseline check items and the baseline security decision rules corresponding to the baseline check items.
The acquisition engine 122 is configured to obtain, for each target device, the configuration information of the baseline items to be checked on the target device according to the IP of the target device and the baseline check items contained in the baseline check template.
The discrimination engine 123 is configured to determine, for each target device, the risk value of the target device according to the configuration information of the baseline items to be checked and the baseline security decision rules.
The evaluation module 13 is configured to determine the risk value of the target system according to the risk values of the M target devices.
The components of the above configuration-verification-based network security evaluation device can correspondingly execute the technical solution of the method embodiment shown in Fig. 1; their implementation principle and technical effect are similar and are not repeated here.
Fig. 5 is a structural diagram of embodiment two of the configuration-verification-based network security evaluation method and device provided by the present invention. This embodiment builds on the configuration-verification-based network security evaluation device shown in Fig. 4. With reference to Fig. 5, the discrimination engine 123 includes a judgement unit 1231 and a first computing unit 1232, and the evaluation module 13 includes a second computing unit 131.
The judgement unit 1231 is configured to obtain, for each baseline check item, the inspection result of the baseline check item according to the configuration information of the baseline item to be checked and the baseline security decision rule.
The first computing unit 1232 is configured to perform the first weighted calculation on the inspection results of the N_i baseline check items to obtain the risk value of the target device.
The second computing unit 131 is configured to perform the second weighted calculation on the risk values of the M target devices to determine the risk value of the target system.
The components of the above configuration-verification-based network security evaluation device can correspondingly execute the technical solution of the method embodiment shown in Fig. 2; their implementation principle and technical effect are similar and are not repeated here.
Fig. 6 is a structural diagram of embodiment three of the configuration-verification-based network security evaluation method and device provided by the present invention. This embodiment builds on the configuration-verification-based network security evaluation device shown in Fig. 5. With reference to Fig. 6, the device further includes a scan module 14, and the first computing unit 1232 includes a third computation subunit 1233.
The scan module 14 is configured to perform vulnerability scanning on the target device to obtain the vulnerability scanning result corresponding to the target device.
The third computation subunit 1233 is configured to perform the first weighted calculation on the inspection results of the N_i baseline check items and the vulnerability scanning result to obtain the risk value of the target device.
The components of the above configuration-verification-based network security evaluation device can correspondingly execute the technical solution of the method embodiment shown in Fig. 3; their implementation principle and technical effect are similar and are not repeated here.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A network security evaluation method based on configuration verification, characterized in that it includes:
obtaining the information of M target devices of a target system, wherein the information of a target device includes the type of the target device and the Internet protocol (IP) address of the target device, and M is an integer greater than or equal to 1;
for each target device, obtaining the baseline check template corresponding to the type of the target device, the baseline check template containing baseline check items and the baseline security decision rules corresponding to the baseline check items; obtaining the configuration information of the baseline items to be checked on the target device according to the IP of the target device and the baseline check items contained in the baseline check template; and determining the risk value of the target device according to the configuration information of the baseline items to be checked and the baseline security decision rules;
determining the risk value of the target system according to the risk values of the M target devices.
2. The method according to claim 1, characterized in that the baseline check template contains N_i baseline check items, where N_i is an integer greater than or equal to 1;
and determining the risk value of the target device according to the configuration information of the baseline items to be checked and the baseline security decision rules includes:
for each baseline check item, obtaining the inspection result of the baseline check item according to the configuration information of the baseline item to be checked and the baseline security decision rule;
performing a first weighted calculation on the inspection results of the N_i baseline check items to obtain the risk value of the target device.
3. The method according to claim 2, characterized in that determining the risk value of the target system according to the risk values of the M target devices includes:
performing a second weighted calculation on the risk values of the M target devices to determine the risk value of the target system.
4. The method according to any one of claims 1 to 3, characterized in that obtaining the information of the M target devices of the target system includes:
comparing the fingerprint information corresponding to the M target devices with the fingerprint information in a preset fingerprint library to obtain the information of the M target devices of the target system.
5. The method according to claim 2, characterized in that it further includes:
performing vulnerability scanning on the target device to obtain the vulnerability scanning result corresponding to the target device;
and performing the first weighted calculation on the inspection results of the N_i baseline check items to obtain the risk value of the target device includes:
performing the first weighted calculation on the inspection results of the N_i baseline check items and the vulnerability scanning result to obtain the risk value of the target device.
6. A network security evaluation device based on configuration verification, characterized in that it includes: an identification module, a task setup module and an evaluation module;
the identification module is configured to obtain the information of M target devices of a target system, wherein the information of a target device includes the type of the target device and the Internet protocol (IP) address of the target device, and M is an integer greater than or equal to 1;
the task setup module is configured to: for each target device, obtain the baseline check template corresponding to the type of the target device, the baseline check template containing baseline check items and the baseline security decision rules corresponding to the baseline check items; obtain the configuration information of the baseline items to be checked on the target device according to the IP of the target device and the baseline check items contained in the baseline check template; and determine the risk value of the target device according to the configuration information of the baseline items to be checked and the baseline security decision rules;
the evaluation module is configured to determine the risk value of the target system according to the risk values of the M target devices.
7. The device according to claim 6, characterized in that the task setup module includes: an acquisition submodule, an acquisition engine and a discrimination engine;
the acquisition submodule is configured to obtain, for each target device, the baseline check template corresponding to the type of the target device, the baseline check template containing baseline check items and the baseline security decision rules corresponding to the baseline check items;
the acquisition engine is configured to obtain, for each target device, the configuration information of the baseline items to be checked on the target device according to the IP of the target device and the baseline check items contained in the baseline check template;
the discrimination engine is configured to determine, for each target device, the risk value of the target device according to the configuration information of the baseline items to be checked and the baseline security decision rules.
8. The device according to claim 7, characterized in that the baseline check template contains N_i baseline check items, where N_i is an integer greater than or equal to 1;
the discrimination engine includes: a judgement unit and a first computing unit;
the judgement unit is configured to obtain, for each baseline check item, the inspection result of the baseline check item according to the configuration information of the baseline item to be checked and the baseline security decision rule;
the first computing unit is configured to perform a first weighted calculation on the inspection results of the N_i baseline check items to obtain the risk value of the target device.
9. The device according to claim 8, characterized in that the evaluation module includes: a second computing unit;
the second computing unit is configured to perform a second weighted calculation on the risk values of the M target devices to determine the risk value of the target system.
10. The device according to claim 8, characterized in that it further includes: a scan module;
the scan module is configured to perform vulnerability scanning on the target device to obtain the vulnerability scanning result corresponding to the target device;
the first computing unit includes: a third computation subunit;
the third computation subunit is configured to perform the first weighted calculation on the inspection results of the N_i baseline check items and the vulnerability scanning result to obtain the risk value of the target device.
CN201710513608.8A 2017-06-29 2017-06-29 The network safety evaluation method and device verified based on configuration Pending CN107294979A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710513608.8A CN107294979A (en) 2017-06-29 2017-06-29 The network safety evaluation method and device verified based on configuration

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710513608.8A CN107294979A (en) 2017-06-29 2017-06-29 The network safety evaluation method and device verified based on configuration

Publications (1)

Publication Number Publication Date
CN107294979A true CN107294979A (en) 2017-10-24

Family

ID=60099246

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710513608.8A Pending CN107294979A (en) 2017-06-29 2017-06-29 The network safety evaluation method and device verified based on configuration

Country Status (1)

Country Link
CN (1) CN107294979A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110008711A (en) * 2019-04-15 2019-07-12 苏州浪潮智能科技有限公司 A kind of security baseline detection method, device, equipment and readable storage medium storing program for executing
CN110262420A (en) * 2019-06-18 2019-09-20 国家计算机网络与信息安全管理中心 A kind of distributed industrial control network security detection system
CN110858132A (en) * 2018-11-22 2020-03-03 哈尔滨安天科技集团股份有限公司 Configuration safety detection method and device for printing equipment
CN111176202A (en) * 2019-12-31 2020-05-19 成都烽创科技有限公司 Safety management method, device, terminal equipment and medium for industrial control network
CN112818307A (en) * 2021-02-25 2021-05-18 深信服科技股份有限公司 User operation processing method, system, device and computer readable storage medium
CN113037766A (en) * 2021-03-23 2021-06-25 中通服创发科技有限责任公司 Comprehensive evaluation method for asset safety and health degree under multiple scenes
CN113556252A (en) * 2021-07-23 2021-10-26 中信银行股份有限公司 Method and system for checking and repairing network equipment baseline configuration
CN113625686A (en) * 2021-07-29 2021-11-09 珠海市鸿瑞信息技术股份有限公司 Safety baseline checking system and method based on industrial control protocol
CN114978657A (en) * 2022-05-17 2022-08-30 安天科技集团股份有限公司 Security baseline checking method and device, electronic equipment and storage medium
CN116055326A (en) * 2022-11-25 2023-05-02 国网山东省电力公司电力科学研究院 Intelligent substation automation and network security equipment configuration checking method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110178948A1 (en) * 2010-01-20 2011-07-21 International Business Machines Corporation Method and system for business process oriented risk identification and qualification
CN102238038A (en) * 2011-07-26 2011-11-09 北京神州绿盟信息安全科技股份有限公司 Network equipment security evaluation method and device
CN103368927A (en) * 2012-04-11 2013-10-23 北京神州绿盟信息安全科技股份有限公司 Security configuration inspecting device and method
CN105282131A (en) * 2015-02-10 2016-01-27 ***通信集团广东有限公司 Information security evaluation method, device and system based on risk item scanning

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110858132A (en) * 2018-11-22 2020-03-03 哈尔滨安天科技集团股份有限公司 Configuration safety detection method and device for printing equipment
CN110008711A (en) * 2019-04-15 2019-07-12 苏州浪潮智能科技有限公司 A kind of security baseline detection method, device, equipment and readable storage medium storing program for executing
CN110262420A (en) * 2019-06-18 2019-09-20 国家计算机网络与信息安全管理中心 A kind of distributed industrial control network security detection system
CN111176202A (en) * 2019-12-31 2020-05-19 成都烽创科技有限公司 Safety management method, device, terminal equipment and medium for industrial control network
CN112818307B (en) * 2021-02-25 2024-05-28 深信服科技股份有限公司 User operation processing method, system, equipment and computer readable storage medium
CN112818307A (en) * 2021-02-25 2021-05-18 深信服科技股份有限公司 User operation processing method, system, device and computer readable storage medium
CN113037766A (en) * 2021-03-23 2021-06-25 中通服创发科技有限责任公司 Comprehensive evaluation method for asset safety and health degree under multiple scenes
CN113556252A (en) * 2021-07-23 2021-10-26 中信银行股份有限公司 Method and system for checking and repairing network equipment baseline configuration
CN113556252B (en) * 2021-07-23 2023-06-06 中信银行股份有限公司 Method and system for checking and repairing network equipment baseline configuration
CN113625686A (en) * 2021-07-29 2021-11-09 珠海市鸿瑞信息技术股份有限公司 Safety baseline checking system and method based on industrial control protocol
CN114978657A (en) * 2022-05-17 2022-08-30 安天科技集团股份有限公司 Security baseline checking method and device, electronic equipment and storage medium
CN114978657B (en) * 2022-05-17 2024-02-13 安天科技集团股份有限公司 Security baseline checking method and device, electronic equipment and storage medium
CN116055326A (en) * 2022-11-25 2023-05-02 国网山东省电力公司电力科学研究院 Intelligent substation automation and network security equipment configuration checking method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171024