CN115001849B - Vulnerability restoration method and vulnerability restoration system aiming at big data security vulnerability mining - Google Patents


Info

Publication number
CN115001849B
Authority
CN
China
Prior art keywords
threat
attack
threat attack
vulnerability
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210785740.5A
Other languages
Chinese (zh)
Other versions
CN115001849A (en)
Inventor
刘颖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hubei Jifang Technology Co ltd
Original Assignee
Hubei Jifang Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hubei Jifang Technology Co ltd
Priority to CN202210785740.5A
Publication of CN115001849A
Application granted
Publication of CN115001849B
Active (current legal status)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiments of the application provide a vulnerability restoration method and a vulnerability restoration system for big data security vulnerability mining. A threat attack activity sequence is obtained from a target threat perception event indicated by a vulnerability restoration analysis task of a threat perception server, and a reference security vulnerability distribution of the security protection process corresponding to the target threat perception event is determined based on the threat attack activity sequence. Vulnerability restoration is then performed on the security protection process and on the shared security protection process corresponding to it, based on that reference security vulnerability distribution. Security vulnerabilities are thus mined with a single target threat perception event as the unit, and unified vulnerability restoration is performed across a plurality of shared security protection processes. Compared with the related-art approach of performing vulnerability analysis and restoration using a global threat perception event, this provides a more localized and efficient vulnerability restoration scheme.

Description

Vulnerability restoration method and vulnerability restoration system aiming at big data security vulnerability mining
Technical Field
The application relates to the technical field of information security, in particular to a vulnerability restoration method and a vulnerability restoration system aiming at big data security vulnerability mining.
Background
Security vulnerabilities are flaws in the specific implementation of hardware, software, protocols, or system security policies that may enable an attacker to access or destroy the system without authorization. Therefore, in order to ensure the normal operation of the internet service and the use experience of the user, security holes need to be found and processed in time and targeted repair needs to be performed. In the related art, a method for performing vulnerability analysis and repair by using a global threat awareness event is generally adopted, however, the method is difficult to meet the requirement of more localized high-efficiency vulnerability repair.
Disclosure of Invention
In order to at least overcome the defects in the prior art, the application aims to provide a vulnerability restoration method and a vulnerability restoration system aiming at big data security vulnerability mining.
In a first aspect, the present application provides a vulnerability restoration method for big data security vulnerability discovery, applied to a vulnerability restoration system, where the vulnerability restoration system is communicatively connected with a plurality of threat awareness servers, the method includes:
acquiring a threat attack activity sequence from a target threat perception event indicated by a vulnerability restoration analysis task of the threat perception server, and determining a reference security vulnerability distribution of a security protection process corresponding to the target threat perception event based on the threat attack activity sequence;
and performing vulnerability restoration on the security protection process and the shared security protection process corresponding to the security protection process based on the reference security vulnerability distribution of the security protection process corresponding to the target threat awareness event.
In a second aspect, the embodiment of the application also provides a vulnerability restoration system for big data security vulnerability mining, which comprises a vulnerability restoration system and a plurality of threat perception servers communicatively connected with the vulnerability restoration system;
the vulnerability restoration system is used for:
acquiring a threat attack activity sequence from a target threat perception event indicated by a vulnerability restoration analysis task of the threat perception server, and determining a reference security vulnerability distribution of a security protection process corresponding to the target threat perception event based on the threat attack activity sequence;
and performing vulnerability restoration on the security protection process and the shared security protection process corresponding to the security protection process based on the reference security vulnerability distribution of the security protection process corresponding to the target threat awareness event.
By adopting the technical scheme of any of the above aspects, a threat attack activity sequence is obtained from the target threat perception event indicated by the vulnerability restoration analysis task of the threat perception server, and the reference security vulnerability distribution of the security protection process corresponding to the target threat perception event is determined based on the threat attack activity sequence. Vulnerability restoration is then performed on the security protection process and on the shared security protection process corresponding to it, based on that reference security vulnerability distribution. Security vulnerabilities are thus mined with a single target threat perception event as the unit, and unified vulnerability restoration is performed across a plurality of shared security protection processes.
Drawings
Fig. 1 is a flowchart of a vulnerability restoration method for big data security vulnerability mining according to an embodiment of the present invention.
Description of the embodiments
The architecture of the vulnerability restoration system for big data security vulnerability mining provided by the embodiment of the invention is described below. It can comprise a vulnerability restoration system and a threat perception server communicatively connected with the vulnerability restoration system. The vulnerability restoration system and the threat perception server can cooperate to execute the vulnerability restoration method for big data security vulnerability mining described in the following method embodiments; for the specific steps executed by the vulnerability restoration system and the threat perception server, refer to the detailed description in the following method embodiments.
The vulnerability restoration method for big data security vulnerability discovery provided by the embodiment can be executed by a vulnerability restoration system, and is described in detail below with reference to fig. 1.
Process100: obtain a threat attack activity sequence from a target threat perception event indicated by a vulnerability restoration analysis task of the threat perception server, and determine a reference security vulnerability distribution of the security protection process corresponding to the target threat perception event based on the threat attack activity sequence.
Process200: perform vulnerability restoration on the security protection process and the shared security protection process corresponding to the security protection process, based on the reference security vulnerability distribution of the security protection process corresponding to the target threat perception event.
For example, after the reference security vulnerability distribution is obtained, a shared vulnerability repair instruction corresponding to the reference security vulnerability distribution may be extracted from a pre-designated shared vulnerability repair instruction library, and vulnerability restoration may be performed on the security protection process and its corresponding shared security protection process based on that instruction. Alternatively, when no shared vulnerability repair instruction corresponding to the reference security vulnerability distribution is extracted from the pre-designated shared vulnerability repair instruction library, the vulnerability positioning feature points corresponding to the reference security vulnerability distribution (such as the process code position of each reference security vulnerability during operation of the security protection process) are output to the developer terminal, so as to prompt the developer terminal to perform targeted repair.
By adopting the above technical scheme, a threat attack activity sequence is obtained from the target threat perception event indicated by the vulnerability restoration analysis task of the threat perception server, and the reference security vulnerability distribution of the security protection process corresponding to the target threat perception event is determined based on the threat attack activity sequence. Vulnerability restoration is then performed on the security protection process and on the shared security protection process corresponding to it, based on that reference security vulnerability distribution. Security vulnerabilities are thus mined with a single target threat perception event as the unit, and unified vulnerability restoration is performed across a plurality of shared security protection processes. Compared with the related-art approach of performing vulnerability analysis and restoration using a global threat perception event, this provides a more localized and efficient vulnerability restoration scheme.
For some exemplary design considerations, the Process100 is described in detail below in connection with specific embodiments.
Process110: obtain a threat attack activity sequence from the target threat perception event indicated by the vulnerability restoration analysis task.
Any threat perception event typically includes a large number of threat attack activities, which may include one or several pieces of threat attack chain data; threat attack chain data refers to the path data formed by the threat attack nodes in the threat attack process.
The threat attack activities describe the attack behavior information related to a threat perception event, and the security vulnerability related features of a threat perception event are used for making decisions on the main attack behavior features related to that event; there is therefore a correlation between the threat attack activities in a threat perception event and the security vulnerability related features of that event. The security vulnerability related features of a threat perception event can therefore be determined through the threat attack activities included in the event. For example, in response to a mining request for threat scenario variables of a target threat perception event, the vulnerability restoration system may obtain the target threat perception event indicated by the vulnerability restoration analysis task. A threat attack activity sequence may then be obtained from the target threat perception event; the sequence may include several threat attack activities, and the threat attack chain data is covered in those activities. For some possible design ideas, the vulnerability restoration system can perform threat attack activity analysis on the target threat perception event, and match the basic threat attack activity sequence obtained by that analysis against the time window network flow database in one or more threat attack processes, to obtain the basic threat attack activities that are contained in the basic threat attack activity sequence and located in one or more initial threat attack tracking patterns. Then, based on the basic threat attack activities obtained by matching, the threat attack activities in the target threat perception event are determined, so as to establish the threat attack activity sequence of the target threat perception event.
Process120: establish a threat attack relationship network for the target threat perception event according to the plurality of threat attack activities.
For some possible design ideas, the threat attack relationship network of a target threat perception event may include several network members; each network member maps one threat attack activity, and the threat attack activities mapped by network members that have a network connection relationship have threat attack cooperative behavior in the target threat perception event. In other words, two threat attack activities that have threat attack cooperative behavior in the target threat perception event have a network connection relationship in the threat attack relationship network. The threat attack cooperative behavior referred to here may have any of the following meanings:
For some possible design considerations, the threat attack cooperative behavior may refer to the relationship in which, while threat attack collaboration is carried out on the target threat perception event by an external attack source, two threat attack activities appear simultaneously in the collaboration activities of that external attack source. Assume the set of threat attack activities includes threat attack activity L, threat attack activity M, threat attack activity E, threat attack activity B, and so on. Since threat attack activity L and threat attack activity M may occur simultaneously in the external attack source during the threat attack collaboration, threat attack activity L and threat attack activity M can be considered to have threat attack cooperative behavior in the target threat perception event. Since threat attack activity M and threat attack activity E may also occur simultaneously in the external attack source during the threat attack collaboration, threat attack activity M and threat attack activity E can be considered to have threat attack cooperative behavior in the target threat perception event. Since threat attack activity E and threat attack activity B cannot occur simultaneously in this external attack source, threat attack activity E and threat attack activity B can be considered to have no threat attack cooperative behavior in the target threat perception event, and so on.
For other possible design considerations, the threat attack cooperative behavior may refer to the relationship in which, while threat attack collaboration is carried out on the target threat perception event by an external attack source, two threat attack activities appear simultaneously in the external attack source and the defending time-space domain association parameter between the two threat attack activities is greater than a preset association parameter value. The defending time-space domain association parameter between two threat attack activities can be calculated based on the threat attack path variables of the two activities. It maps the defending time-space domain matching degree between the two threat attack activities and is in direct proportion to that matching degree; in other words, the larger the defending time-space domain association parameter between two threat attack activities, the larger the defending time-space domain matching degree between them. For example, let the preset association parameter value be K, the defending time-space domain association parameter between threat attack activity L and threat attack activity M be kLM, the parameter between threat attack activity M and threat attack activity E be kME, and the parameter between threat attack activity E and threat attack activity B be kEB, with kLM < K, kME > K and kEB < K.
Still taking the above example: since the defensive time-space domain correlation parameter (i.e., kLM) between the threat attack activity L and the threat attack activity M is smaller than the preset correlation parameter value (K), the vulnerability restoration system may consider that the threat attack activity L and the threat attack activity M do not have threat attack cooperative behavior in the target threat perception event, although the threat attack activity L and the threat attack activity M may simultaneously occur in an external attack source. Because the defending time-space domain association parameter (kME) between the threat attack activity M and the threat attack activity E is greater than the preset association parameter value (K), and the threat attack activity M and the threat attack activity E can simultaneously appear in an external attack source, the vulnerability restoration system can consider that the threat attack activity M and the threat attack activity E have threat attack cooperative behaviors in a target threat perception event, and the like. Therefore, when judging whether the two threat attack activities have threat attack cooperative behaviors in the target threat sensing event, the embodiment not only considers the distance between the threat attack penetration intervals of the two threat attack activities in the target threat sensing event through the external attack source, but also considers the defending time-space domain matching degree between the two threat attack activities, so that the judgment accuracy of the threat attack cooperative behaviors can be effectively improved, and the precision of the threat attack relation network is improved.
Based on the above technical solution, when implementing Process120, the vulnerability restoration system may first establish a basic threat attack relationship network of the target threat perception event according to the plurality of threat attack activities; the basic threat attack relationship network includes a plurality of network members, each of which maps one threat attack activity. Secondly, the vulnerability restoration system may select at least one pair of cooperative threat attack activity instances from the plurality of threat attack activities, where a combination of cooperative threat attack activity instances is a pair of two threat attack activities that have threat attack cooperative behavior in the target threat perception event. Then, the vulnerability restoration system can traverse each combination of cooperative threat attack activity instances; for the combination currently being traversed, the two network members that map its two threat attack activities are connected in the basic threat attack relationship network. When all combinations of cooperative threat attack activity instances have been traversed, the threat attack relationship network of the target threat perception event is obtained.
For example, it may be assumed that several threat attack activities include: threat attack activity L (recorded by network member L), threat attack activity M (recorded by network member M), threat attack activity E (recorded by network member E), threat attack activity B (recorded by network member B), threat attack activity E (recorded by network member E) … …; and there are a total of 5 pairs of combinations of collaborative threat attack activity instances in the several threat attack activities, which are respectively: (threat attack activity L, threat attack activity M), (threat attack activity L, threat attack activity B), (threat attack activity M, threat attack activity E) and (threat attack activity B, threat attack activity E). Then, the vulnerability restoration system may connect the network member L and the network member M, connect the network member L and the network member B, connect the network member M and the network member E, and connect the network member B and the network member E in the basic threat attack relationship network, so as to obtain a threat attack relationship network of the target threat perception event.
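The construction described for Process120, as an added Python example that is not part of the patent text. It assumes the external attack source is available as a list of records (each record the set of activities seen together), and the association parameter values are constructed so that kLM < K, kME > K and kEB < K as in the text; the function and variable names are hypothetical.

```python
from itertools import combinations

# Constructed sample data mirroring the L / M / E / B example in the text.
ACTIVITIES = ["L", "M", "E", "B"]
# Assumption: each record is the set of activities that appear together in one
# collaboration activity of the external attack source.
RECORDS = [{"L", "M"}, {"M", "E"}, {"B"}]
# Constructed values chosen so that kLM < K, kME > K, kEB < K.
K = 0.5
ASSOCIATION = {
    frozenset(("L", "M")): 0.3,
    frozenset(("M", "E")): 0.8,
    frozenset(("E", "B")): 0.2,
}


def cooccurring_pairs(records):
    """Return every unordered pair of activities that shares at least one record."""
    pairs = set()
    for record in records:
        for a, b in combinations(sorted(record), 2):
            pairs.add(frozenset((a, b)))
    return pairs


def build_relationship_network(activities, records, association=None, threshold=None):
    """Build the relationship network as an adjacency dict.

    First meaning of cooperative behavior: two activities co-occur.
    Second meaning (association and threshold given): they co-occur AND their
    defending time-space domain association parameter exceeds the threshold.
    """
    if (association is None) != (threshold is None):
        raise ValueError("association and threshold must be given together")
    # Basic network: one member per activity, no connections yet.
    network = {activity: set() for activity in activities}
    for pair in cooccurring_pairs(records):
        a, b = sorted(pair)
        if a not in network or b not in network:
            continue  # activity is not part of this event's sequence
        if association is not None:
            if pair not in association:
                raise KeyError(f"no association parameter for {a}-{b}")
            if association[pair] <= threshold:
                continue  # co-occurs, but the matching degree is too low
        network[a].add(b)
        network[b].add(a)
    return network


def edges(network):
    """Sorted list of connections, each as an ordered tuple."""
    return sorted({tuple(sorted((a, b))) for a, nbrs in network.items() for b in nbrs})


if __name__ == "__main__":
    print("co-occurrence only:", edges(build_relationship_network(ACTIVITIES, RECORDS)))
    print("with threshold K:  ",
          edges(build_relationship_network(ACTIVITIES, RECORDS, ASSOCIATION, K)))
```

Under the first meaning L-M and M-E are connected; under the second only M-E survives, matching the conclusions the text draws for kLM and kME.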
Process130: generate the threat attack participation degree of the threat attack activity mapped by each network member according to the threat attack cooperative information among the network members in the threat attack relationship network.
For some possible design ideas, the threat attack cooperative behavior refers either to the relationship in which two threat attack activities appear simultaneously in one external attack source, or to the relationship in which two threat attack activities appear simultaneously in one external attack source and the defending time-space domain association parameter between them is greater than a preset association parameter value. A threat attack activity with more threat attack cooperative behaviors therefore appears more frequently in the target threat perception event and brings more risk. Thus, when executing Process130, the vulnerability restoration system may, for example, count the threat attack coordination times of the threat attack cooperative behaviors of each threat attack activity based on the threat attack cooperative information between the network members in the threat attack relationship network, and determine the threat attack participation degree of each threat attack activity from its threat attack coordination times, following the principle that the threat attack coordination times and the threat attack participation degree are positively correlated.
For some possible design ideas, the threat attack coordination times corresponding to a threat attack activity can be output directly as the threat attack participation degree of that activity. Alternatively, the threat attack coordination times can be normalized and the result output as the threat attack participation degree. Alternatively, the threat attack coordination times can be weighted by a threat attack participation degree parameter and the result output as the threat attack participation degree; the threat attack participation degree parameter can be set based on actual service conditions. For example, referring to the foregoing example, if network member L and network member M have a derivative attack feature relationship, and network member L and network member B have a derivative attack feature relationship, it can be statistically determined that the threat attack coordination times of the threat attack cooperative behaviors of threat attack activity L mapped by network member L is 2. The threat attack coordination times may be output directly as the threat attack participation degree of threat attack activity L (i.e., the threat attack participation degree is 2), or weighted by a threat attack participation degree parameter (e.g., 1.5) and output as the threat attack participation degree of threat attack activity L (i.e., the threat attack participation degree is 3), and so on.
In addition, for some possible design ideas, research shows that if two threat attack activities have threat attack cooperative behaviors in a target threat perception event, threat attack participations of the two threat attack activities usually affect each other because the two threat attack activities occur simultaneously. Accordingly, when executing the Process130, the vulnerability repairing system can calculate and obtain the threat attack participation degree of the threat attack activity of any network member by combining the threat attack participation degree of the threat attack activity mapped by the associated network member having the network connection relation with any network member, so as to improve the accuracy of the threat attack participation degree. For some possible design ideas, for threat attack activities mapped by any network member, one or more associated network members having a network connection relationship with the any network member can be generated according to threat attack cooperative information among the network members in the threat attack relationship network; then, based on the threat attack engagement of the threat attack activity mapped by each associated network member, determining the threat attack engagement of the threat attack activity mapped by any network member.
Wherein, based on the threat attack engagement of the threat attack activity mapped by each associated network member, the specific implementation manner of determining the threat attack engagement of the threat attack activity mapped by any network member may include any one of the following:
Embodiment one: the vulnerability restoration system can determine the initial value of the threat attack activity mapped by any network member based on the threat attack coordination times of the threat attack cooperative behaviors of that activity. Secondly, the number of times that the threat attack activity mapped by the network member appears in an external attack source simultaneously with the threat attack activity mapped by each associated network member can be counted, the counts normalized, and the results output as the risk assessment information of each associated network member. For example, for threat attack activity L mapped by network member L, network member L has two associated network members, network member M and network member B. If threat attack activity L and threat attack activity M mapped by network member M appear simultaneously in the external attack source 15 times, and threat attack activity L and threat attack activity B mapped by network member B appear simultaneously in the external attack source 5 times, the risk assessment information of network member M is 15/(15+5) = 0.75, and the risk assessment information of network member B is 5/(15+5) = 0.25. After the risk assessment information of each associated network member is obtained, the threat attack participation degrees of the associated network members are weighted and summed according to their risk assessment information; for example, assuming that the threat attack participation degree of network member M is 0.4 and that of network member B is 0.2, the weighted sum is 0.4 × 0.75 + 0.2 × 0.25 = 0.35.
Then, the value obtained by the weighted summation is added to the initial value of the threat attack activity mapped by the network member, and the result is output as the threat attack participation degree of the threat attack activity mapped by that network member.
Embodiment two: the vulnerability remediation system may also determine threat attack engagement of threat attack activities mapped by each associated network member based on threat attack engagement of threat attack activities mapped by the associated network member.
In addition, for some possible design ideas, since the defending time-space domain association parameters can represent defending time-space domain matching degree between two threat attack activities, researches show that for any threat attack activity, if the defending time-space domain matching degree between other threat attack activities and any threat attack activity is larger, the influence of the threat attack participation degree of the other threat attack activities on the threat attack participation degree of the any threat attack activity is generally larger. Accordingly, when executing the Process130, the vulnerability repairing system can calculate the threat attack participation degree of the threat attack activity of any network member by combining the threat attack participation degree of the threat attack activity mapped by the associated network member having the network connection relation with any network member and the defending time-space domain association parameters between the threat attack activity mapped by any network member and the threat attack activity mapped by each associated network member, so as to further improve the accuracy of the threat attack participation degree. For some possible design ideas, for threat attack activities mapped by any network member, one or more associated network members having a network connection relationship with any network member may be generated according to threat attack cooperative information between network members in the threat attack relationship network. 
Then, the defending time-space domain association parameters between the threat attack activities mapped by any network member and the threat attack activities mapped by each associated network member can be calculated; and determining the threat attack participation degree of the threat attack activity mapped by any network member based on the defending time-space domain association parameter and the threat attack participation degree of the threat attack activity mapped by each associated network member.
The specific implementation method for determining the threat attack participation degree of the threat attack activity mapped by any network member based on the defending time-space domain association parameter and the threat attack participation degree of the threat attack activity mapped by each associated network member may include any one of the following:
Embodiment one: the vulnerability restoration system can determine the initial value of the threat attack activity mapped by any network member based on the number of threat attack cooperations of that threat attack activity. Next, the threat attack participation degrees of the associated network members are weighted and summed according to the defending time-space domain association parameters. For example, for a threat attack activity L mapped by a network member L, suppose the network member L has two associated network members, network member M and network member B, where the threat attack participation degree of network member M is 0.4 and the threat attack participation degree of network member B is 0.2. If the defending time-space domain association parameter between the threat attack activity L and the threat attack activity M mapped by the network member M is kLM, and the defending time-space domain association parameter between the threat attack activity L and the threat attack activity B mapped by the network member B is kLB, then the weighted sum 0.4 × kLM + 0.2 × kLB may be calculated. The weighted sum and the initial value of the threat attack activity mapped by the network member can then be added, and the result is output as the threat attack participation degree of the threat attack activity mapped by that network member.
Embodiment two: the vulnerability restoration system can also determine the threat attack participation degree of the threat attack activity mapped by any network member based on the defending time-space domain association parameters and the threat attack participation degree of the threat attack activity mapped by each associated network member.
The Process140 selects key threat attack chain data of the target threat perception event from the threat attack activity sequence based on the threat attack participation degree of each threat attack activity, and establishes vulnerability classification features of the target threat perception event according to threat attack path variables of the key threat attack chain data, wherein the vulnerability classification features represent security vulnerability related features of the security protection process corresponding to the target threat perception event.
After the threat attack participation degree of each threat attack activity is obtained by the vulnerability restoration system, threat attack chain data with the largest threat attack participation degree can be selected from the threat attack activity sequence based on the threat attack participation degree of each threat attack activity, and the threat attack chain data is output as key threat attack chain data of a target threat perception event. Then, vulnerability classification features of the target threat perception event can be established according to threat attack path variables of the key threat attack chain data, and the vulnerability classification features represent security vulnerability related features of security protection processes corresponding to the target threat perception event.
When the vulnerability restoration system selects the key threat attack chain data from the threat attack activity sequence, one possible design is as follows: first extract all threat attack chain data included in the threat attack activity sequence, then select, from the extracted threat attack chain data, the threat attack chain data with the greatest threat attack participation degree and output it as the key threat attack chain data of the target threat perception event.
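The calculation in embodiment one above and the selection step of the Process140, worked through as an added Python example; it is not code from the patent. Member names follow the L/M/B example in the text, while the association parameter values, the cooperation counts, the prior participation degree of L, and the rule that the initial value is a member's share of all cooperation counts are assumptions made for illustration.

```python
"""Participation-degree scoring and key chain data selection (illustrative)."""


def participation(initial, neighbours):
    """Initial value plus the association-weighted sum of neighbour degrees.

    neighbours: iterable of (association parameter k, neighbour degree).
    """
    return initial + sum(k * degree for k, degree in neighbours)


def score_network(coop_counts, prior, assoc):
    """Score every network member in one pass over the relationship network.

    coop_counts: {member: number of cooperative behaviours in the event}
    prior:       {member: participation degree known before this pass}
    assoc:       {frozenset({a, b}): association parameter}; a key means that
                 a and b are connected in the relationship network
    """
    total = sum(coop_counts.values()) or 1
    scores = {}
    for member, count in coop_counts.items():
        # Assumption: initial value = member's share of all cooperation counts.
        initial = count / total
        neighbours = []
        for edge, k in assoc.items():
            # Ignore malformed edges (self-loops collapse to one element).
            if member in edge and len(edge) == 2:
                (other,) = edge - {member}
                # A neighbour without a known degree contributes nothing.
                neighbours.append((k, prior.get(other, 0.0)))
        scores[member] = participation(initial, neighbours)
    return scores


def key_chain_data(scores, chain_members):
    """Return the chain-data member with the greatest degree, or None.

    Ties are broken alphabetically so the result is deterministic.
    """
    candidates = [m for m in sorted(scores) if m in chain_members]
    if not candidates:
        return None
    return max(candidates, key=scores.get)


# Constructed sample data. M = 0.4 and B = 0.2 come from the text's example;
# every other value is an assumption.
COOP_COUNTS = {"L": 2, "M": 1, "B": 1}
PRIOR = {"L": 0.5, "M": 0.4, "B": 0.2}
ASSOC = {
    frozenset({"L", "M"}): 0.5,   # stands in for kLM
    frozenset({"L", "B"}): 0.25,  # stands in for kLB
}
CHAIN_MEMBERS = {"M", "B"}  # activities treated as threat attack chain data

if __name__ == "__main__":
    scores = score_network(COOP_COUNTS, PRIOR, ASSOC)
    for member in sorted(scores):
        print(member, round(scores[member], 3))
    print("key chain data:", key_chain_data(scores, CHAIN_MEMBERS))
```

Because L's degree depends on the degrees of M and B and vice versa, the result of one pass depends on the prior values supplied; the text does not say whether the calculation is repeated.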
For a target threat perception event indicated by a vulnerability restoration analysis task, the embodiment of the application can obtain a plurality of threat attack activities from the target threat perception event and establish a threat attack relationship network of the target threat perception event according to the plurality of threat attack activities. Because the threat attack activities mapped by network members that have a network connection relationship in the threat attack relationship network have threat attack cooperative behaviors in the target threat perception event, and threat attack activities with more threat attack cooperative behaviors have risks, the threat attack participation degree of the threat attack activity mapped by each network member can be determined more accurately according to the threat attack cooperative information among the network members in the threat attack relationship network. Then, key threat attack chain data of the target threat perception event can be selected from the threat attack activity sequence based on the threat attack participation degree of each threat attack activity, and vulnerability classification features that represent the security vulnerability related features of the security protection process corresponding to the target threat perception event are established according to the threat attack path variables of the key threat attack chain data. Therefore, the embodiment of the application can effectively improve the precision of the key threat attack chain data by improving the precision of the threat attack participation degree of each threat attack activity, thereby improving the precision of the security vulnerability related features; and the security vulnerability related features of threat perception events can be analyzed automatically throughout the security vulnerability classification flow, which reduces the manual investigation involved in security vulnerability classification.
For further exemplary design considerations, the Process100 is described in detail below in connection with another specific embodiment.
The Process210 obtains a threat attack activity sequence from the target threat awareness event indicated by the vulnerability restoration analysis task.
For some possible design ideas, the vulnerability repair system can analyze threat attack activities of target threat sensing events indicated by a vulnerability repair analysis task and output a basic threat attack activity sequence; the basic threat attack activity sequence comprises a plurality of basic threat attack activities, and each basic threat attack activity in the basic threat attack activity sequence has time window network flow data in the threat attack process.
After the basic threat attack activity sequence is obtained, the vulnerability restoration system can extract a plurality of seed threat attack activities from the basic threat attack activity sequence based on one or more initial threat attack tracking patterns; reference herein to a seed threat attack activity refers to a base threat attack activity that is present in one or more initial threat attack tracking profiles, i.e., a seed threat attack activity refers to a threat attack activity that is present in both one or more initial threat attack tracking profiles and a target threat awareness event. For some possible design ideas, the vulnerability restoration system may directly extract a number of seed threat attack activities from the base threat attack activity sequence based on one or more initial threat attack tracking profiles; for example, for some possible design considerations, the vulnerability remediation system may traverse each base threat attack activity in the sequence of base threat attack activities; matching the currently traversed basic threat attack activities with one or more initial threat attack tracking maps to detect whether the currently traversed basic threat attack activities exist in the one or more initial threat attack tracking maps; if so, outputting the currently traversed basic threat attack activity as a seed threat attack activity.
Alternatively, when extracting a plurality of seed threat attack activities from the basic threat attack activity sequence based on one or more initial threat attack tracking patterns, the vulnerability repair system can first extract, from the basic threat attack activity sequence, the basic threat attack activities that have time window network flow data in the target threat attack process. The time window network flow data in the target threat attack process referred to here may include at least one of: the attack types, the number of times each attack type occurs, and the probability of each attack type occurring up to the current time window. Then, the vulnerability restoration system may extract a plurality of seed threat attack activities from those basic threat attack activities based on one or more initial threat attack tracking patterns. The specific embodiment of this step is similar to the specific embodiment of the step of extracting a plurality of seed threat attack activities directly from the basic threat attack activity sequence based on one or more initial threat attack tracking patterns, which is described in detail herein.
After extracting the plurality of seed threat attack activities, a threat attack activity sequence (which may be represented by M') of the target threat awareness event may be established in accordance with the plurality of seed threat attack activities. In some possible designs, the threat attack activity sequence of the target threat perception event can be established directly from the plurality of seed threat attack activities; in this embodiment, the threat attack activities in the threat attack activity sequence are the seed threat attack activities, and the statistical distribution of threat attack activities is equal to the statistical distribution of seed threat attack activities. In other possible designs, the extracted seed threat attack activities may include some seed threat attack activities that are adjacent in the target threat perception event and have a special meaning. Such seed threat attack activities typically appear together in the initial threat attack tracking profile, and the threat attack activity formed by associating their attack granularities has more mining value than the individual seed threat attack activities. For example, the seed threat attack activities "L" and "M" typically appear in the initial threat attack tracking profile at the same time, and "L+M" has more mining value than "L" and "M" individually. In this case, the vulnerability restoration system can associate the attack granularities of these seed threat attack activities and output the activities obtained by the association as threat attack activities, so as to improve the accuracy of the follow-up topic identification.
According to the method, when a threat attack activity sequence of a target threat perception event is established according to a plurality of seed threat attack activities, the vulnerability repair system can judge whether seed threat attack activities matching attack granularity association requirements exist in the plurality of seed threat attack activities; the attack granularity association requirements here may include: the threat attack penetration intervals in the target threat perception event are matched and exist in the same initial threat attack tracking map. If the seed threat attack activities with the matching attack granularity association requirements exist in the plurality of seed threat attack activities, carrying out attack granularity association processing on the seed threat attack activities with the matching attack granularity association requirements; and outputting the threat attack activity sequence subjected to attack granularity association processing and the seed threat attack activity which is not subjected to attack granularity association processing as threat attack activities, and adding the threat attack activities into the threat attack activity sequence of the target threat perception event. If the seed threat attack activities matching the attack granularity association requirement do not exist in the plurality of seed threat attack activities, outputting the seed threat attack activities as threat attack activities and adding the threat attack activities into a threat attack activity sequence of the target threat perception event.
The Process220 establishes a threat attack relationship network for the target threat awareness event in accordance with the plurality of threat attack activities.
For example, a basic threat attack relationship network for the target threat awareness event may first be established in accordance with the plurality of threat attack activities; the basic threat attack relationship network includes a plurality of network members, each of which maps a threat attack activity. Second, at least one pair of collaborative threat attack activity instances may be selected from the plurality of threat attack activities, where a pair of collaborative threat attack activity instances refers to a combination of two threat attack activities that have threat attack cooperative behavior in the target threat awareness event. Next, one or more network member sub-networks may be determined from the basic threat attack relationship network based on the at least one pair of collaborative threat attack activity instances, any of which may include the two network members that respectively record the two threat attack activities in one pair of collaborative threat attack activity instances. Then, the two network members in each network member sub-network can be connected in the basic threat attack relationship network, and the threat attack relationship network of the target threat perception event is output.
The Process230 generates the threat attack participation degree of the threat attack activity mapped by each network member according to the threat attack cooperative information among the network members in the threat attack relationship network.
The Process240 selects a number of threat awareness intelligence for the target threat awareness event from the sequence of threat attack activities based on the threat attack engagement of each threat attack activity.
In some possible designs, the vulnerability repairing system can select, from the threat attack activity sequence, the threat attack activities that fall in a preset order interval when ranked by threat attack participation degree, and output them as a plurality of pieces of threat perception intelligence of the target threat perception event. In other possible designs, the vulnerability repairing system can select, from the threat attack activity sequence, the threat attack activities whose threat attack participation degree is greater than a preset participation degree, and output them as a plurality of pieces of threat perception intelligence of the target threat perception event. The plurality of pieces of threat perception intelligence include one or more key threat attack chain data. For convenience of explanation, the following takes as an example the case where the plurality of pieces of threat perception intelligence are the threat attack activities in a preset order interval selected from the threat attack activity sequence according to the ranking of threat attack participation degree.
The Process250 selects the key threat attack chain data with the greatest threat attack participation degree from the one or more key threat attack chain data, and outputs it as the key threat attack chain data of the target threat perception event.
The Process260 establishes vulnerability classification features of the target threat perception event according to threat attack path variables of the key threat attack chain data, wherein the vulnerability classification features represent security vulnerability related features of the security protection process corresponding to the target threat perception event.
For some possible design ideas, the vulnerability repair system may first invoke a threat attack path variable generation model to extract threat attack path variables of the key threat attack chain data. For some possible design ideas, the threat attack path variable of the threat attack activity may be determined by combining forward path data and backward path data of the threat attack activity, or the threat attack path variable of the threat attack activity may be determined by combining functions of the threat attack activity in different dimensions, so that the threat attack activity may have the same threat attack path variable in different dimensions, which is not particularly limited.
After the threat attack path variable of the key threat attack chain data is obtained, the vulnerability classification characteristic of the target threat perception event can be established according to the threat attack path variable of the key threat attack chain data. For some possible design ideas, derived threat attack chain data corresponding to the key threat attack chain data can be obtained from the threat attack activity sequence; so-called derived threat attack chain data meets the following characteristics: in a threat attack relationship network, a derivative attack signature relationship exists between a network member for associating derivative threat attack chain data and a network member for associating critical threat attack chain data. And secondly, extracting threat attack path variables of the key threat attack chain data and threat attack path variables of the derivative threat attack chain data. Then, the threat attack path variable of the key threat attack chain data and the threat attack path variable of the derivative threat attack chain data can be aggregated, and vulnerability classification characteristics of the target threat perception event are output.
The Process270 obtains threat attack path variables of the threat awareness intelligence, and determines a degree of matching between the threat attack path variables of the threat awareness intelligence and the vulnerability classification feature.
The Process280 selects vulnerability basic information of the target threat perception event from the plurality of threat perception intelligence based on the matching degree between the threat attack path variable of each piece of threat perception intelligence and the vulnerability classification feature.
The Process290 configures an association between the target threat awareness event and the vulnerability basic information.
In a specific implementation, after the vulnerability restoration system selects the vulnerability basic information of the target threat sensing event through the Process210-Process280, the target threat sensing event and the vulnerability basic information can be associated with each other.
The above mentioned vulnerability classification feature is the overall AI decision feature (i.e. the main AI decision feature) of the target threat perception event, and the security vulnerability related feature is the threat perception intelligence feature of the target threat perception event. In an alternative embodiment, the target threat awareness event is indicated to have a number of threat scenario variables when the number of statistical distributions of key threat attack chain data obtained from the target threat awareness event is a number. In this case, the vulnerability remediation system may further select the critical threat attack chain data of the target threat awareness event from one or more critical threat attack chain data, the threat attack engagement of the critical threat attack chain data being less than the threat attack engagement of the critical threat attack chain data. Secondly, the AI decision feature (i.e. the non-main AI decision feature) of the threat perception situation of the target threat perception event can be established according to the threat attack path variable of the key threat attack chain data, and the AI decision feature of the threat perception situation of the target threat perception event characterizes the threat scenario variable of the threat perception situation of the target threat perception event. Then, the target threat perception event, the vulnerability classification feature and the AI decision feature of the threat perception situation can be loaded into the attack penetration evaluation program, so that when an attack penetration evaluation instruction is responded, attack penetration evaluation processing can be performed based on the vulnerability classification feature and the AI decision feature of the threat perception situation.
For some possible design ideas, the vulnerability restoration system can also calculate the overall AI decision characteristics of other threat perception events and the AI decision characteristics of threat perception situations according to the steps of the method, and associate each calculated AI decision characteristic into an attack penetration evaluation program; that is, the attack penetration assessment program also includes one or more other threat awareness events, and each other threat awareness event has a corresponding overall AI decision feature and AI decision feature for a corresponding threat awareness situation. And when responding to the attack penetration evaluation instruction, the vulnerability restoration system can acquire the attack penetration evaluation characteristics of the attack penetration evaluation information carried by the attack penetration evaluation instruction. And secondly, acquiring each threat perception event in the attack penetration evaluation program and one or more AI decision features of each threat perception event, wherein each threat perception event has a risk influence parameter, and the one or more AI decision features of each threat perception event comprise the overall AI decision feature of each threat perception event and the AI decision feature of the threat perception situation. Then, the matching degree between the AI decision characteristics and the attack penetration evaluation characteristics of each threat perception event can be calculated respectively, and the risk influence parameters of each threat perception event are optimized based on the matching degree. 
In some possible designs, for any threat awareness event, the AI decision feature with the greatest matching degree may be determined from the one or more AI decision features of that threat awareness event based on the matching degree between each of its AI decision features and the attack penetration evaluation feature. If the AI decision feature with the greatest matching degree is the overall AI decision feature of the threat perception event, the risk influence parameter of the threat perception event can be increased, so as to update the risk influence parameter of the threat perception event; if the AI decision feature with the greatest matching degree is the AI decision feature of the threat perception situation of the threat perception event, the risk influence parameter of the threat perception event can be reduced, so as to update the risk influence parameter of the threat perception event.
For a target threat perception event indicated by a vulnerability restoration analysis task, the embodiment of the application can obtain a plurality of threat attack activities from the target threat perception event and establish a threat attack relationship network of the target threat perception event according to the plurality of threat attack activities. Because the threat attack activities mapped by network members that have a network connection relationship in the threat attack relationship network have threat attack cooperative behaviors in the target threat perception event, and threat attack activities with more threat attack cooperative behaviors have risks, the threat attack participation degree of the threat attack activity mapped by each network member can be determined more accurately according to the threat attack cooperative information among the network members in the threat attack relationship network. Then, key threat attack chain data of the target threat perception event can be selected from the threat attack activity sequence based on the threat attack participation degree of each threat attack activity, and vulnerability classification features that represent the security vulnerability related features of the security protection process corresponding to the target threat perception event are established according to the threat attack path variables of the key threat attack chain data. Therefore, the embodiment of the application can effectively improve the precision of the key threat attack chain data by improving the precision of the threat attack participation degree of each threat attack activity, thereby improving the precision of the security vulnerability related features; and the security vulnerability related features of threat perception events can be analyzed automatically throughout the security vulnerability classification flow, which reduces the manual investigation involved in security vulnerability classification.
For some possible design considerations, in some embodiments, the vulnerability remediation system may include a processor, a machine-readable storage medium, a bus, and a communication unit.
The processor may perform various suitable actions and processes based on programs stored in the machine-readable storage medium, such as program instructions associated with the vulnerability repair method for big data security vulnerability mining described in the foregoing embodiments. The processor, the machine-readable storage medium, and the communication unit communicate signals over the bus.
In particular, the processes described in the above exemplary flowcharts may be implemented as computer software programs, in accordance with embodiments of the present invention. For example, embodiments of the present invention include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via a communication unit, which, when being executed by a processor, performs the above-mentioned functions defined in the method of the embodiment of the invention.
Still another embodiment of the present invention provides a computer readable storage medium storing computer executable instructions which, when executed by a processor, implement the vulnerability restoration method for big data security vulnerability mining according to any of the foregoing embodiments.
Yet another embodiment of the present invention provides a computer program product, including a computer program, which when executed by a processor implements the vulnerability restoration method for big data security vulnerability mining as in any of the above embodiments.
It should be understood that, although each operation step is indicated by an arrow in the flowchart of the embodiment of the present invention, the order in which the steps are performed is not limited to the order indicated by the arrow. In some implementations of embodiments of the invention, the implementation steps in the flowcharts may be performed in other orders as desired, unless explicitly stated herein. Furthermore, some or all of the steps in the flowcharts may include multiple sub-steps or multiple stages based on the actual implementation scenario. Some or all of these sub-steps or phases may be performed at the same time, or each of these sub-steps or phases may be performed at different times, respectively. In the case of different execution time, the execution sequence of the sub-steps or stages can be flexibly configured according to the requirement, which is not limited by the embodiment of the present invention.
The foregoing is merely an optional implementation of some of the implementation scenarios of the present invention. It should be noted that, for those skilled in the art, other similar implementations based on the technical ideas of the present invention, adopted without departing from the technical idea of the solution of the present invention, are also included in the protection scope of the embodiments of the present invention.

Claims (9)

1. The vulnerability restoration method aiming at big data security vulnerability mining is characterized by being applied to a vulnerability restoration system, and comprises the following steps:
acquiring a threat attack activity sequence from a target threat perception event indicated by a vulnerability restoration analysis task of a threat perception server, and determining a reference security vulnerability distribution of a security protection process corresponding to the target threat perception event based on the threat attack activity sequence;
performing vulnerability restoration on the security protection process and a shared security protection process corresponding to the security protection process based on reference security vulnerability distribution of the security protection process corresponding to the target threat awareness event;
the step of obtaining a threat attack activity sequence from a target threat perception event indicated by a vulnerability restoration analysis task of a threat perception server, and determining a reference security vulnerability distribution of a security protection process corresponding to the target threat perception event based on the threat attack activity sequence comprises the following steps:
Obtaining a threat attack activity sequence from a target threat perception event indicated by a vulnerability restoration analysis task of the threat perception server, wherein the threat attack activity sequence comprises a plurality of threat attack activities, and threat attack chain data is covered in the plurality of threat attack activities;
establishing a threat attack relation network of the target threat perception event according to the threat attack activities, wherein the threat attack relation network comprises a plurality of network members; mapping a threat attack activity by a network member, wherein the threat attack activity mapped by each network member with a network connection relationship has threat attack cooperative behavior in the target threat perception event;
generating threat attack participation degrees of threat attack activities mapped by all network members according to threat attack cooperative information among all network members in the threat attack relation network;
the method comprises the steps of selecting key threat attack chain data of a target threat perception event from a threat attack activity sequence based on threat attack participation of each threat attack activity, establishing vulnerability classification characteristics of the target threat perception event according to threat attack path variables of the key threat attack chain data, loading the vulnerability classification characteristics into a security vulnerability classification model, and determining reference security vulnerability distribution of a security protection process corresponding to the target threat perception event, wherein the vulnerability classification characteristics represent security vulnerability related characteristics of the security protection process corresponding to the target threat perception event.
2. The vulnerability restoration method for big data security vulnerability mining according to claim 1, wherein the step of establishing the vulnerability classification feature of the target threat perception event according to the threat attack path variable of the key threat attack chain data specifically comprises:
acquiring derived threat attack chain data corresponding to the key threat attack chain data from the threat attack activity sequence, wherein the derived threat attack chain data accords with the following characteristics: in the threat attack relationship network, a derivative attack characteristic relationship exists between a network member for associating the derivative threat attack chain data and a network member for associating the key threat attack chain data;
extracting threat attack path variables of the key threat attack chain data and threat attack path variables of the derivative threat attack chain data;
and aggregating threat attack path variables of the key threat attack chain data and threat attack path variables of the derivative threat attack chain data, and outputting vulnerability classification characteristics of the target threat perception event.
3. The vulnerability restoration method for big data security vulnerability mining according to claim 1 or 2, wherein the step of selecting the key threat attack chain data of the target threat perception event from the threat attack activity sequence based on threat attack engagement of each threat attack activity specifically comprises:
according to the order of threat attack engagement, selecting from the threat attack activity sequence the threat attack activities within a preset order interval, and outputting them as a plurality of pieces of threat perception information of the target threat perception event; or, selecting from the threat attack activity sequence the threat attack activities whose threat attack participation is greater than a preset participation, and outputting them as a plurality of pieces of threat perception information of the target threat perception event, wherein the threat perception information comprises one or more key threat attack chain data;
and selecting the key threat attack chain data with the greatest threat attack participation degree from the one or more key threat attack chain data, and outputting the key threat attack chain data as the key threat attack chain data of the target threat perception event.
4. The vulnerability restoration method for big data security vulnerability discovery of claim 3, further comprising:
acquiring threat attack path variables of all threat perception information, and determining the matching degree between the threat attack path variables of all threat perception information and the vulnerability classification characteristics;
based on the matching degree between the threat attack path variable of each threat perception information and the vulnerability classification feature, vulnerability basic information of the target threat perception event is selected from the plurality of threat perception information, and the matching degree between the threat attack path variable of the vulnerability basic information and the vulnerability classification feature is larger than a set matching degree;
and performing association configuration between the target threat perception event and the vulnerability basic information, so that security vulnerability analysis of the target threat perception event is carried out based on the vulnerability basic information.
5. The vulnerability restoration method for big data security vulnerability mining according to claim 3, wherein the vulnerability classification feature is an overall AI decision feature of the target threat awareness event, and the security vulnerability related feature is a threat awareness intelligence feature of the target threat awareness event; the method further comprises the steps of:
selecting the key threat attack chain data of the target threat perception event from the one or more key threat attack chain data, wherein the threat attack participation degree of the key threat attack chain data is smaller than that of the key threat attack chain data;
establishing an AI decision feature of a threat perception situation of the target threat perception event according to the threat attack path variable of the key threat attack chain data, wherein the AI decision feature of the threat perception situation of the target threat perception event characterizes a threat situation variable of the threat perception situation of the target threat perception event;
loading the target threat perception event, the vulnerability classification feature and the AI decision feature of the threat perception situation into an attack penetration evaluation program, so that when an attack penetration evaluation instruction is responded to, attack penetration evaluation processing is performed based on the vulnerability classification feature and the AI decision feature of the threat perception situation;
the attack penetration evaluation program also comprises one or more other threat perception events, and each other threat perception event has a corresponding overall AI decision feature and AI decision features of a corresponding threat perception situation; the method further comprises the steps of:
when responding to an attack penetration evaluation instruction, acquiring attack penetration evaluation characteristics of attack penetration evaluation information carried by the attack penetration evaluation instruction;
acquiring each threat perception event in the attack penetration evaluation program and one or more AI decision features of each threat perception event, wherein each threat perception event has a risk influence parameter, and the one or more AI decision features of each threat perception event comprise the overall AI decision feature of each threat perception event and the AI decision feature of the threat perception situation;
calculating, for each threat perception event, the matching degree between each of its AI decision features and the attack penetration evaluation features, and optimizing the risk influence parameter of each threat perception event based on the matching degree;
sorting the threat perception events in descending order of their optimized risk influence parameters;
selecting the threat perception event ranked first as the threat perception event to be further mined;
the step of optimizing the risk influence parameter of each threat perception event based on the matching degree specifically includes:
for any threat perception event, determining, from the one or more AI decision features of that threat perception event, the AI decision feature with the largest matching degree, based on the matching degree between each AI decision feature of that threat perception event and the attack penetration evaluation feature;
if the AI decision feature with the largest matching degree is the overall AI decision feature of that threat perception event, increasing the risk influence parameter of that threat perception event;
and if the AI decision feature with the largest matching degree is the AI decision feature of the threat perception situation of that threat perception event, reducing the risk influence parameter of that threat perception event.
6. The vulnerability restoration method for big data security vulnerability discovery according to claim 1 or 2, wherein the step of establishing the threat attack relationship network of the target threat awareness event according to the plurality of threat attack activities specifically comprises:
establishing a basic threat attack relation network of the target threat perception event according to the threat attack activities, wherein the basic threat attack relation network comprises a plurality of network members, and each network member maps one threat attack activity;
selecting at least one pair of combinations of cooperative threat attack activity instances from the plurality of threat attack activities, wherein the combinations of the cooperative threat attack activity instances refer to combinations of threat attack activity instances formed by two threat attack activities with threat attack cooperative behaviors in the target threat awareness event;
determining one or more network member subnetworks from the underlying threat attack relationship network based on a combination of the at least one pair of collaborative threat attack activity instances, any network member subnetwork comprising:
two network members respectively recording two threat attack activities in a combination of a pair of collaborative threat attack activity examples;
connecting, in the basic threat attack relationship network, the two network members of each network member sub-network, and outputting the threat attack relationship network of the target threat perception event;
wherein the step of selecting a combination of at least one pair of collaborative threat attack activity instances from the plurality of threat attack activities specifically comprises:
determining a first threat attack penetration interval of a first threat attack activity in the target threat awareness event, wherein the first threat attack activity is any threat attack activity in the plurality of threat attack activities;
acquiring a second threat attack activity from the plurality of threat attack activities based on the first threat attack penetration interval of the first threat attack activity, wherein the penetration interval intersection ratio between the second threat attack penetration interval of the second threat attack activity in the target threat perception event and the first threat attack penetration interval is larger than a set ratio;
calculating a defending time-space domain correlation parameter between the first threat attack activity and the second threat attack activity, wherein the defending time-space domain correlation parameter characterizes defending time-space domain matching degree between the first threat attack activity and the second threat attack activity;
if the defending time-space domain association parameter between the first threat attack activity and the second threat attack activity is larger than the preset association parameter value, determining that the first threat attack activity and the second threat attack activity have the threat attack cooperative behavior in the target threat perception event, and establishing a pair of cooperative threat attack activity instance combinations according to the first threat attack activity and the second threat attack activity.
7. The vulnerability restoration method for big data security vulnerability discovery according to claim 1 or 2, wherein the step of generating threat attack engagement of threat attack activities mapped by each network member according to threat attack cooperative information between each network member in the threat attack relationship network specifically comprises:
aiming at threat attack activities mapped by any network member, generating one or more associated network members with network connection relation with any network member according to threat attack cooperative information among all network members in the threat attack relation network;
calculating defensive time-space domain association parameters between threat attack activities mapped by any network member and threat attack activities mapped by each associated network member;
and determining the threat attack participation degree of the threat attack activity mapped by that network member based on the defending time-space domain association parameters and the threat attack participation degree of the threat attack activity mapped by each associated network member.
8. The vulnerability restoration method for big data security vulnerability mining according to claim 1 or 2, wherein the step of obtaining a threat attack activity sequence from a target threat perception event indicated by a vulnerability restoration analysis task of the threat perception server specifically comprises:
threat attack activity analysis is carried out on the target threat perception event indicated by the vulnerability restoration analysis task, and a basic threat attack activity sequence is output, wherein the basic threat attack activity sequence comprises a plurality of basic threat attack activities;
extracting a plurality of seed threat attack activities from the base threat attack activity sequence based on one or more initial threat attack tracking patterns, wherein the seed threat attack activities refer to the base threat attack activities existing in the one or more initial threat attack tracking patterns;
establishing a threat attack activity sequence of the target threat perception event according to the plurality of seed threat attack activities;
each basic threat attack activity in the basic threat attack activity sequence has time window network flow data in the threat attack process; the step of extracting a plurality of seed threat attack activities from the base threat attack activity sequence based on one or more initial threat attack tracking maps specifically comprises the following steps:
extracting, from the basic threat attack activity sequence, the basic threat attack activities having time window network flow data in a target threat attack process, wherein the time window network flow data in the target threat attack process comprises at least one of the following: the kinds of attack types, the number of times each attack type occurs, and the probability of each attack type occurring up to the current time window;
extracting a plurality of seed threat attack activities from the basic threat attack activities of the time window network flow data in the target threat attack process based on one or more initial threat attack tracking maps;
the step of establishing the threat attack activity sequence of the target threat perception event according to the plurality of seed threat attack activities specifically includes:
if seed threat attack activities matching the attack granularity association requirements exist among the plurality of seed threat attack activities, carrying out attack granularity association processing on the seed threat attack activities that match the attack granularity association requirements;
the threat attack activity sequences after the attack granularity association processing and the seed threat attack activities which are not subjected to the attack granularity association processing are all output as threat attack activities and added into the threat attack activity sequences of the target threat perception events;
if no seed threat attack activities matching the attack granularity association requirements exist among the plurality of seed threat attack activities, outputting each seed threat attack activity as a threat attack activity and adding it to the threat attack activity sequence of the target threat perception event, wherein the attack granularity association requirements comprise: the threat attack penetration intervals in the target threat perception event are matched and exist in the same initial threat attack tracking map.
9. A vulnerability remediation system comprising a machine-readable storage medium having executable code stored thereon, which when executed by the processor, causes the processor to perform the vulnerability remediation method of any one of claims 1-8 for big data security vulnerability mining.
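The pipeline of claims 6, 7 and 3 (network construction, participation degree, key activity selection) can be illustrated as follows. This Python sketch is an added example, not code from the patent: the association formula (mean of interval intersection-over-union and asset-set Jaccard), the TextRank-style participation update, the threshold values and all field names are assumptions, and the activities are constructed sample data.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Activity:
    """One threat attack activity, i.e. one network member (field names hypothetical)."""
    aid: str
    start: float        # start of the penetration interval
    end: float          # end of the penetration interval
    assets: frozenset   # assets touched; stand-in for the "space" domain

def interval_iou(a, b):
    """Penetration interval intersection ratio, read here as intersection over union."""
    inter = max(0.0, min(a.end, b.end) - max(a.start, b.start))
    union = max(a.end, b.end) - min(a.start, b.start)
    return inter / union if union > 0 else 0.0

def association(a, b):
    """Assumed time-space association: mean of interval IoU and asset Jaccard."""
    both = a.assets | b.assets
    jaccard = len(a.assets & b.assets) / len(both) if both else 0.0
    return 0.5 * interval_iou(a, b) + 0.5 * jaccard

def build_network(acts, set_ratio=0.4, preset_assoc=0.45):
    """Claim 6: connect two members only when both thresholds are exceeded."""
    edges = {}
    for a, b in combinations(acts, 2):
        if interval_iou(a, b) > set_ratio:
            w = association(a, b)
            if w > preset_assoc:
                edges[(a.aid, b.aid)] = w
    return edges

def engagement(acts, edges, damping=0.85, rounds=50):
    """Claim 7, with an assumed update rule: each member's participation is built
    from its neighbours' participation, weighted by the association parameter."""
    nbrs = {a.aid: {} for a in acts}
    for (u, v), w in edges.items():
        nbrs[u][v] = w
        nbrs[v][u] = w
    strength = {n: sum(ws.values()) for n, ws in nbrs.items()}
    score = {n: 1.0 for n in nbrs}
    for _ in range(rounds):
        score = {n: (1 - damping) + damping * sum(
                     w / strength[m] * score[m] for m, w in nbrs[n].items())
                 for n in nbrs}
    return score  # isolated members settle at the floor value 1 - damping

def select_key(score, preset_participation=0.5):
    """Claim 3: keep activities above the preset participation, then take the top one."""
    cands = sorted((n for n, s in score.items() if s > preset_participation),
                   key=lambda n: score[n], reverse=True)
    return cands, (cands[0] if cands else None)

# Constructed sample activities: A, B, C overlap in time and share assets,
# E overlaps in time only, D is far away in time.
SAMPLE = [
    Activity("A", 0, 10, frozenset({"web1"})),
    Activity("B", 2, 12, frozenset({"web1"})),
    Activity("C", 4, 12, frozenset({"web1", "db1"})),
    Activity("D", 100, 110, frozenset({"db1"})),
    Activity("E", 3, 11, frozenset({"vpn1"})),
]

if __name__ == "__main__":
    net = build_network(SAMPLE)
    scores = engagement(SAMPLE, net)
    print(net)
    print(select_key(scores))
```

Activity E shows why claim 6 applies two tests: it passes the interval test against A, B and C but fails the association test, so it stays unconnected and never becomes a candidate.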
CN202210785740.5A 2022-07-06 2022-07-06 Vulnerability restoration method and vulnerability restoration system aiming at big data security vulnerability mining Active CN115001849B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210785740.5A CN115001849B (en) 2022-07-06 2022-07-06 Vulnerability restoration method and vulnerability restoration system aiming at big data security vulnerability mining

Publications (2)

Publication Number Publication Date
CN115001849A (en) 2022-09-02
CN115001849B (en) 2023-11-10

Family

ID=83020815

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210785740.5A Active CN115001849B (en) 2022-07-06 2022-07-06 Vulnerability restoration method and vulnerability restoration system aiming at big data security vulnerability mining

Country Status (1)

Country Link
CN (1) CN115001849B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116094850B (en) * 2023-04-11 2023-06-27 清华大学 Network protocol vulnerability detection method and system based on system state tracking graph guidance

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107526971A (en) * 2017-09-28 2017-12-29 北京计算机技术及应用研究所 A kind of leak based on leak association distributed model finds method
WO2018177210A1 (en) * 2017-03-27 2018-10-04 新华三技术有限公司 Defense against apt attack
CN108985068A (en) * 2018-06-26 2018-12-11 广东电网有限责任公司信息中心 Loophole quick sensing, positioning and the method and system of verifying
CN113688400A (en) * 2021-08-31 2021-11-23 杨馨 Object output method based on big data vulnerability mining and big data mining system
CN114095273A (en) * 2021-12-06 2022-02-25 青岛力口互联网科技有限公司 Deep learning-based internet vulnerability mining method and big data mining system
CN114584360A (en) * 2022-02-28 2022-06-03 苏春影 Internet vulnerability optimization method based on big data mining and deep learning cloud system
CN114584361A (en) * 2022-02-28 2022-06-03 苏春影 Security vulnerability analysis method based on deep learning and big data and cloud computing system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180137288A1 (en) * 2016-11-15 2018-05-17 ERPScan B.V. System and method for modeling security threats to prioritize threat remediation scheduling
US20220191230A1 (en) * 2020-12-11 2022-06-16 DeepSurface Security, Inc. Diagnosing and managing network vulnerabilities

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
管磊 ; 胡光俊 ; 王专 ; .基于大数据的网络安全态势感知技术研究.信息网络安全.2016,(09),第45-49页. *

Also Published As

Publication number Publication date
CN115001849A (en) 2022-09-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20230508

Address after: 657000 No. 19, changwan group, tielu village committee, Yanyuan Township, Zhenxiong County, Zhaotong City, Yunnan Province

Applicant after: Wang Guozheng

Address before: 250000 No. 5 Jiao Tong Road, Tianqiao District, Shandong, Ji'nan

Applicant before: Jinan Lutong Huiyuan Electronic Technology Co.,Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20231020

Address after: 443000 Rooms 1-9, Floor 3, Building 12, No. 35, Zhongnan Road, Wujiagang District, Yichang, Hubei Province

Applicant after: Hubei Jifang Technology Co.,Ltd.

Address before: 657000 No. 19, changwan group, tielu village committee, Yanyuan Township, Zhenxiong County, Zhaotong City, Yunnan Province

Applicant before: Wang Guozheng

GR01 Patent grant