CN117014184A - Asset management method applied to network security monitoring system - Google Patents


Info

Publication number: CN117014184A
Authority: CN (China)
Prior art keywords: asset, enterprise, value, vulnerability, level
Legal status: Pending
Application number: CN202310797197.5A
Other languages: Chinese (zh)
Inventors: 代长昊, 徐廷洋
Current assignee: Huaneng Ningxia Energy Co ltd; Ningxia Jinli Photovoltaic Power Co ltd
Original assignee: Huaneng Ningxia Energy Co ltd; Ningxia Jinli Photovoltaic Power Co ltd
Application filed by Huaneng Ningxia Energy Co ltd, Ningxia Jinli Photovoltaic Power Co ltd
Priority to CN202310797197.5A
Publication of CN117014184A

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L 63/1433 Vulnerability analysis
                    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
                        • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
                • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L 41/12 Discovery or management of network topologies
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/40 Network security protocols

Abstract

The application discloses an asset management method applied to a network security monitoring system, in the technical field of data processing. The method comprises: determining an original asset range boundary according to the enterprise internal network topology structure; analyzing the network traffic between the enterprise internal network topology structure and the enterprise external network topology structure to obtain traffic information; determining from the traffic information the interaction degree between internal and external nodes, and extending the original asset range boundary by that interaction degree to obtain a target asset range boundary; identifying and classifying the assets within the target asset range boundary and determining the value of each asset according to its tags; constructing asset profiles of different levels based on the value range of each asset and determining the vulnerability degree of each level of asset profile; and selecting a security measure policy based on the level and vulnerability degree of the asset profile. The accuracy of the asset range is thereby guaranteed, which improves the reliability of asset identification and the adaptability of security monitoring.

Description

Asset management method applied to network security monitoring system
Technical Field
The application relates to the technical field of data processing, in particular to an asset management method applied to a network security monitoring system.
Background
A network security monitoring system monitors the network security status and responds to security events in real time. Asset management is an important task in such a system; its main purpose is to determine, classify and manage all assets in the network, including hardware and software assets, so that the security and stability of the system can be better protected.
In the prior art, the enterprise's own network topology is often used as the asset identification range, and the topology of the external networks it communicates with is not considered, so the asset range is inaccurate and asset identification is unreliable. Inaccurate judgement of the value and vulnerability of assets further results in poor adaptability of the security measure policy.
Therefore, how to improve the accuracy of the asset range and the adaptability of security protection is a technical problem that currently needs to be solved.
Disclosure of Invention
The application provides an asset management method applied to a network security monitoring system, which is used for solving the technical problems of inaccurate asset range, poor security protection adaptability and low asset management efficiency in the prior art.
The method comprises the following steps:
acquiring an enterprise internal network topology structure, and determining an original asset range boundary according to the enterprise internal network topology structure;
acquiring an enterprise external network topology structure, and analyzing network traffic between the enterprise internal network topology structure and the enterprise external network topology structure to obtain traffic information;
determining the interaction degree of nodes in the enterprise internal network topology structure and nodes in the enterprise external network topology structure through the flow information, so as to extend the original asset range boundary and obtain a target asset range boundary;
identifying and classifying the assets within the range boundary of the target asset, thereby constructing a label corresponding to each asset, and determining the value of each asset according to the labels;
constructing asset profiles of different levels based on the value range of each asset, and determining the vulnerability degree of each level of asset profile;
and selecting a security measure policy according to the level and vulnerability degree of the asset profile, and protecting the corresponding asset according to that policy.
In some embodiments of the present application, analyzing network traffic between an internal network topology of an enterprise and an external network topology of the enterprise to obtain traffic information includes:
respectively constructing an internal node list and an external node list by scanning the internal network topology structure of the enterprise and the external network topology structure of the enterprise, wherein the internal node list comprises all nodes in the internal network topology structure of the enterprise, and the external node list comprises all nodes in the external network topology structure of the enterprise;
analyzing the source, the destination and the flow direction of a network data packet between an enterprise internal network topological structure and an enterprise external network topological structure, and correlating nodes in an internal node list and an external node list to obtain a first correlation node list;
acquiring at least one of an access log, a security log, a system log, an application program log and a network equipment log between the nodes in the internal node list and the external node list, and associating the nodes in the internal node list and the external node list to obtain a second association node list;
and constructing node trend graphs in the internal node list and the external node list through the first associated node list and the second associated node list, and determining the flow of each node as flow information.
In some embodiments of the present application, determining, according to the traffic information, a degree of interaction between a node in an internal network topology of an enterprise and a node in an external network topology of the enterprise includes:
calculating the flow ratio and the communication mode similarity of each internal node and each external node related to the internal node in the node trend graph;
wherein N is the communication mode similarity, n is the number of calibration modes of the communication mode, α_i is the weight corresponding to the i-th calibration mode, Q_i is the similarity term of the i-th calibration mode, and K is the sum of the maximum similarity of all calibration modes;
determining the interaction degree of the nodes based on the traffic proportion and the communication mode similarity;
wherein M is the interaction degree, β is the conversion coefficient, T is the flow ratio, exp is the exponential function, and k is a preset constant.
In some embodiments of the present application, extending the original asset range boundary to obtain a target asset range boundary includes:
determining, according to the traffic information, those external nodes whose interaction degree with nodes in the enterprise internal network topology structure exceeds an interaction degree threshold as extension points, and extending the original asset range boundary according to the extension points and the node trend in the node trend graph, so as to obtain the target asset range boundary.
In some embodiments of the present application, identifying and classifying assets within a target asset range boundary to construct a tag for each asset, comprising:
identifying the assets within the range boundary of the target asset to obtain all the assets, and generating identity tags for all the assets;
classifying the assets into multi-attribute categories, acquiring the weight of each attribute category of the enterprise's assets, determining the multi-attribute weight of each asset, and generating category tags;
classifying the assets by function according to their different functions, determining function weights, and generating function tags;
establishing the tag structure group (identity tag, category tag, function tag) of each asset from its identity tag, category tag and function tag.
In some embodiments of the application, determining the value of each asset from the tag includes:
acquiring the data information value, productivity value, business influence value and maintenance value of the asset;
determining asset value based on the data information value, productivity value, business impact value, maintenance value, category label and function label of the asset;
wherein L is the asset value, γ_1 is the weight corresponding to the data information value, W_1 is the data information value, exp denotes the exponential function, Z_1 is the multi-attribute weight, k_1 is a first preset constant, γ_2 is the weight corresponding to the productivity value, W_2 is the productivity value, Z_2 is the function weight, k_2 is a second preset constant, γ_3 is the weight corresponding to the business impact value, W_3 is the business impact value, Z_01 is the multi-attribute weight threshold, Z_02 is the function weight threshold, k_3 is a third preset constant, γ_4 is the weight corresponding to the maintenance value, and W_4 is the maintenance value.
In some embodiments of the application, determining the vulnerability degree of each level of asset profile comprises:
calculating the vulnerability degree of each asset in each level of asset profile;
wherein J is the vulnerability degree, n is the number of vulnerabilities in the asset, δ_i is the hazard weight of the i-th vulnerability, Y_i is the influence of the i-th vulnerability, P_i is the disclosure degree of the i-th vulnerability, D_min is the minimum value of δ_i Y_i P_i, and [ ] is the rounding symbol;
and deriving the vulnerability degree of each level of asset profile from the vulnerability degrees of the assets in that profile.
In some embodiments of the application, selecting the security measure policy based on the level and vulnerability degree of the asset profile comprises:
if the level and the vulnerability degree of the asset profile accord with a preset matching relation, adopting the corresponding preset security measure policy;
if the level and the vulnerability degree of the asset profile do not accord with the preset matching relation and the matching deviation distance exceeds a matching deviation distance threshold, selecting a security measure policy based on the difference between the matching deviation distance and that threshold;
wherein the preset matching relation between the level of the asset profile and the vulnerability degree is that each level corresponds to a calibrated vulnerability degree, and the matching deviation distance is the amount by which the vulnerability degree exceeds the calibrated vulnerability degree.
In some embodiments of the present application, after safeguarding the corresponding asset in accordance with the security policy, the method further comprises:
the update frequency of the corresponding asset is determined by the vulnerability level of the asset.
By applying the technical scheme, the enterprise internal network topology structure is obtained and the original asset range boundary is determined from it; the enterprise external network topology structure is obtained and the network traffic between the two is analyzed to obtain traffic information; the interaction degree between nodes of the internal and external topology structures is determined from the traffic information, the original asset range boundary is extended accordingly, and the target asset range boundary is obtained; the assets within the target asset range boundary are identified and classified, a tag is constructed for each asset, and the value of each asset is determined from its tags; asset profiles of different levels are constructed based on the value range of each asset, and the vulnerability degree of each level of asset profile is determined; a security measure policy is selected according to the level and vulnerability degree of the asset profile, and the corresponding asset is protected according to that policy. Because the original asset range boundary is extended using both the internal and the external network topology structure, the accuracy of the asset range is ensured and the reliability of asset identification is improved. Because the security measure policy is selected according to the level and vulnerability degree of the asset profile, the adaptability of security protection is ensured, the security of the assets is improved, and the efficiency of asset management is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of an asset management method applied to a network security monitoring system according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The embodiment of the application provides an asset management method applied to a network security monitoring system, as shown in fig. 1, comprising the following steps:
step S101, acquiring an internal network topology structure of an enterprise, and determining an original asset range boundary according to the internal network topology structure of the enterprise.
In this embodiment, the original asset range boundary is the boundary of the internal network.
Step S102, obtaining an enterprise external network topology structure, analyzing network traffic between the enterprise internal network topology structure and the enterprise external network topology structure, and obtaining traffic information.
In this embodiment, the asset partition of an enterprise is not only related to its internal network topology, but also to the network topology of its cooperating enterprise. The external network topology of the enterprise is the network topology with which the cooperative enterprise is in contact.
In some embodiments of the present application, analyzing network traffic between an internal network topology of an enterprise and an external network topology of the enterprise to obtain traffic information includes:
respectively constructing an internal node list and an external node list by scanning the internal network topology structure of the enterprise and the external network topology structure of the enterprise, wherein the internal node list comprises all nodes in the internal network topology structure of the enterprise, and the external node list comprises all nodes in the external network topology structure of the enterprise;
analyzing the source, the destination and the flow direction of a network data packet between an enterprise internal network topological structure and an enterprise external network topological structure, and correlating nodes in an internal node list and an external node list to obtain a first correlation node list;
acquiring at least one of an access log, a security log, a system log, an application program log and a network equipment log between the nodes in the internal node list and the external node list, and associating the nodes in the internal node list and the external node list to obtain a second association node list;
and constructing node trend graphs in the internal node list and the external node list through the first associated node list and the second associated node list, and determining the flow of each node as flow information.
In this embodiment, at least one of an access log, a security log, a system log, an application log, and a network device log between nodes in both the internal node list and the external node list is acquired.
Access Logs (Access Logs): events of accessing network resources including access time, source IP address, destination IP address, access method, etc. are recorded.
Security Logs (Security Logs): security events and attack actions such as login failures, denial of service attacks, malware attacks, etc. are recorded.
System log (System Logs): events and error information during system operation, such as system start-up, service start-up, system crash, etc., are recorded.
Application logs (Application Logs): events and information during the running of an application are recorded, such as database access logs, web application logs, email logs, etc.
Network equipment log (Network Device Logs): events and information during the operation of the network device, such as router logs, switch logs, firewall logs, etc., are recorded.
These logs represent, to a certain extent, the interaction between internal and external nodes, and they also show which types of log relate to a given internal or external node; such logs therefore fall within the protection scope of the application.
In this embodiment, the network data packets are analyzed with a network traffic monitoring tool such as Wireshark or tcpdump to obtain the first association node list, and the second association node list is obtained from the logs; taking both factors, the network data packets and the logs, into account yields the required relationship between internal and external nodes.
In this embodiment, the node trend graph of the internal node list and the external node list is constructed from the first and second association node lists. Because it combines the contents of both lists, the node trend graph can be understood as the flow between internal and external nodes, and it displays the traffic information of the nodes.
Step S103, determining the interaction degree of the nodes in the enterprise internal network topology structure and the nodes in the enterprise external network topology structure through the flow information, and extending the original asset range boundary to obtain the target asset range boundary.
In this embodiment, the nodes in the previous step are screened according to the interaction degree, and range boundary extension is performed according to the screened nodes, and the target asset range boundary is the asset range to be identified.
In some embodiments of the present application, determining, according to the traffic information, a degree of interaction between a node in an internal network topology of an enterprise and a node in an external network topology of the enterprise includes:
calculating the flow ratio and the communication mode similarity of each internal node and each external node related to the internal node in the node trend graph;
wherein N is the communication mode similarity, n is the number of calibration modes of the communication mode, α_i is the weight corresponding to the i-th calibration mode, Q_i is the similarity term of the i-th calibration mode, and K is the sum of the maximum similarity of all calibration modes;
determining the interaction degree of the nodes based on the traffic proportion and the communication mode similarity;
wherein M is the interaction degree, β is the conversion coefficient, T is the flow ratio, exp is the exponential function, and k is a preset constant.
In this embodiment, the flow ratio between an internal node and an external node reflects the interaction degree between the two nodes: the higher the ratio, the more frequent the interaction between them and the higher their correlation. The communication mode also reflects the interaction degree between nodes to some extent; if the communication modes of two nodes are the same, the correlation between them may be high.
In this embodiment, the calibration modes of the communication mode include the communication protocol, the communication port, the communication direction, and the like. K is the sum of the maximum similarity over all calibration modes, that is, the sum of α_i Q_i at maximum similarity, which is reached when the communication modes of the two nodes are identical.
In this embodiment, the term that corrects the interaction degree takes a value in the range 0.1 to 0.15.
In some embodiments of the present application, extending the original asset range boundary to obtain a target asset range boundary includes:
determining, according to the traffic information, those external nodes whose interaction degree with nodes in the enterprise internal network topology structure exceeds an interaction degree threshold as extension points, and extending the original asset range boundary according to the extension points and the node trend in the node trend graph, so as to obtain the target asset range boundary.
In this embodiment, nodes that do not meet the requirement are removed, and the original asset range boundary is extended based on the nodes that meet it.
The scheme has the beneficial effects that:
all external nodes with interaction are determined through data comprising analysis and log analysis, and the interaction degree with the external nodes is determined according to the flow proportion and the communication mode similarity, so that the original asset range boundary is extended. The accuracy of the asset range is improved, a good foundation is laid for the next asset identification, and the reliability of asset identification is guaranteed.
And step S104, identifying and classifying the assets within the range boundary of the target asset, thereby constructing a label corresponding to each asset, and determining the value of each asset according to the labels.
In this embodiment, each asset is identified, the identified assets are classified, tags are constructed, and the asset value is determined. All assets present in the network are identified by means such as network scanning and manual inspection.
In some embodiments of the present application, identifying and classifying assets within a target asset range boundary to construct a tag for each asset, comprising:
identifying the assets within the range boundary of the target asset to obtain all the assets, and generating identity tags for all the assets;
classifying the assets into multi-attribute categories, acquiring the weight of each attribute category of the enterprise's assets, determining the multi-attribute weight of each asset, and generating category tags;
classifying the assets by function according to their different functions, determining function weights, and generating function tags;
establishing the tag structure group (identity tag, category tag, function tag) of each asset from its identity tag, category tag and function tag.
In this embodiment, multi-attribute category classification is performed on the assets, and the weight of each attribute category of the enterprise's assets is obtained to determine the multi-attribute weight of each asset. For example, the assets are classified by location, department attribution and asset technology type (the multiple attributes), so that a given asset has, say, location category 1, department attribution 1 and asset technology type 1; these are its attribute categories. The attribute category weight assigns a different weight to each category of an attribute; for example, with 10 asset technology types, types 1 to 10 each receive a weight, and the weights sum to 1. The multi-attribute weight is the sum of the weights corresponding to location category 1, department attribution 1 and asset technology type 1.
In this embodiment, the assets are classified by function according to their different functions, and the function weight is determined. The functions of an asset include computing, storage, transmission and the like, and different functions correspond to different weights.
In this embodiment, in the tag structure group (identity tag, category tag, function tag) of an asset, the identity tag identifies the asset, the category tag determines the multi-attribute weight of the asset, and the function tag determines the function weight of the asset.
In some embodiments of the application, determining the value of each asset from the tag includes:
acquiring the data information value, productivity value, business influence value and maintenance value of the asset;
determining asset value based on the data information value, productivity value, business impact value, maintenance value, category label and function label of the asset;
wherein L is the asset value, γ_1 is the weight corresponding to the data information value, W_1 is the data information value, exp denotes the exponential function, Z_1 is the multi-attribute weight, k_1 is a first preset constant, γ_2 is the weight corresponding to the productivity value, W_2 is the productivity value, Z_2 is the function weight, k_2 is a second preset constant, γ_3 is the weight corresponding to the business impact value, W_3 is the business impact value, Z_01 is the multi-attribute weight threshold, Z_02 is the function weight threshold, k_3 is a third preset constant, γ_4 is the weight corresponding to the maintenance value, and W_4 is the maintenance value.
In this embodiment, the evaluation of asset value is mainly affected by the following four aspects.
Data information value: the data and information contained in an asset help the organization make decisions and improve efficiency and competitiveness, so the value of the asset can be determined by evaluating the value of that data and information.
Productivity value: an asset provides productivity and capacity to the organization, e.g. a server provides computing power and a storage device provides storage space, so the value can be determined by evaluating the productivity and capacity of the asset.
Business impact value: an asset such as a core application or database has an important impact on the business continuity and security of the organization, so its value can be determined by evaluating that impact.
Maintenance value: assets require periodic maintenance and updating, and these costs are also one of the reference factors in determining asset value.
In this embodiment, different asset types have different multi-attribute weights, which affect the data information value differently. Different function weights affect the productivity value. The business impact value is influenced jointly by the multi-attribute weight and the function weight.
Step S105, constructing asset profiles of different levels based on the value range of each asset, and determining the vulnerability degree of each level of asset profile.
In this embodiment, the value of each asset falls in one of several ranges, and each range has a corresponding level of asset profile; the higher the level of the profile, the more important the asset. An asset profile can be viewed as grouping many assets of similar value into one area, which facilitates subsequent computation and security protection. The vulnerability degree of each level of asset profile here is that of the profile as a whole, not of an individual asset.
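The following is an added example for steps S104 and S105 (example code written for this page, not the patent's implementation): it builds the tag structure group (identity tag, category tag, function tag), derives the multi-attribute weight Z_1 and the function weight Z_2 from constructed weight tables, combines the four values W_1 to W_4 into an asset value L, and groups the assets into profile levels by value range. The weight tables, γ_1..γ_4, k_1..k_3, Z_01, Z_02, the level ranges and the sample assets are constructed values; because the page gives only the symbol legend for L, the way the terms are combined in `asset_value` is an assumption of this example.

```python
import math
from dataclasses import dataclass

# Constructed attribute-category weight tables; each table's weights sum to 1.
LOCATION_WEIGHTS = {"datacenter": 0.6, "office": 0.3, "site": 0.1}
DEPARTMENT_WEIGHTS = {"operations": 0.5, "finance": 0.3, "hr": 0.2}
TECH_TYPE_WEIGHTS = {"server": 0.4, "database": 0.3, "workstation": 0.2, "iot": 0.1}
FUNCTION_WEIGHTS = {"compute": 0.5, "storage": 0.3, "transmission": 0.2}

# Constructed value weights gamma_1..gamma_4, preset constants k_1..k_3 and the
# multi-attribute / function weight thresholds Z_01, Z_02.
GAMMA = (0.4, 0.3, 0.2, 0.1)
K_CONST = (0.5, 0.5, 0.5)
Z01, Z02 = 1.0, 0.3

# Constructed value ranges for the profile levels: (lower bound of the value, level).
PROFILE_LEVELS = [(0.0, 1), (50.0, 2), (100.0, 3)]


@dataclass
class Asset:
    identity: str              # identity tag (inventory id or hostname)
    location: str              # attribute categories used for the category tag
    department: str
    tech_type: str
    function: str              # function used for the function tag
    data_value: float          # W_1 data information value
    productivity_value: float  # W_2 productivity value
    business_impact: float     # W_3 business impact value
    maintenance_value: float   # W_4 maintenance value


# Constructed assets identified within the target asset range boundary.
SAMPLE_ASSETS = [
    Asset("db01", "datacenter", "operations", "database", "storage", 200, 80, 150, 30),
    Asset("app02", "datacenter", "finance", "server", "compute", 60, 50, 40, 10),
    Asset("ws17", "office", "hr", "workstation", "compute", 20, 10, 5, 5),
    Asset("cam03", "site", "operations", "iot", "transmission", 5, 20, 10, 2),
]


def multi_attribute_weight(asset):
    """Z_1: sum of the weights of the asset's location, department and technology-type categories."""
    return (LOCATION_WEIGHTS[asset.location] + DEPARTMENT_WEIGHTS[asset.department]
            + TECH_TYPE_WEIGHTS[asset.tech_type])


def function_weight(asset):
    """Z_2: weight of the asset's function (compute, storage, transmission)."""
    return FUNCTION_WEIGHTS[asset.function]


def tag_group(asset):
    """Tag structure group (identity tag, category tag, function tag)."""
    category_tag = (f"{asset.location}/{asset.department}/{asset.tech_type}"
                    f":{multi_attribute_weight(asset):.2f}")
    function_tag = f"{asset.function}:{function_weight(asset):.2f}"
    return (asset.identity, category_tag, function_tag)


def asset_value(asset):
    """L from W_1..W_4, gamma_1..gamma_4, Z_1, Z_2, k_1..k_3, Z_01 and Z_02. The page gives
    only the symbol legend, so the combination below is an assumption: Z_1 scales the
    data value, Z_2 the productivity value, both (relative to their thresholds) scale
    the business impact value, and the maintenance value enters linearly."""
    z1, z2 = multi_attribute_weight(asset), function_weight(asset)
    g1, g2, g3, g4 = GAMMA
    k1, k2, k3 = K_CONST
    return (g1 * asset.data_value * math.exp(k1 * z1)
            + g2 * asset.productivity_value * math.exp(k2 * z2)
            + g3 * asset.business_impact * math.exp(k3 * ((z1 - Z01) + (z2 - Z02)))
            + g4 * asset.maintenance_value)


def profile_level(value):
    """Level of the asset profile whose value range contains this value."""
    level = PROFILE_LEVELS[0][1]
    for lower, lvl in PROFILE_LEVELS:
        if value >= lower:
            level = lvl
    return level


def build_profiles(assets=SAMPLE_ASSETS):
    """Asset profiles of different levels: asset identities grouped by level."""
    profiles = {}
    for asset in assets:
        profiles.setdefault(profile_level(asset_value(asset)), []).append(asset.identity)
    return profiles


if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        print(tag_group(asset), f"value={asset_value(asset):.1f}")
    print(build_profiles())
```

The category tag carries the multi-attribute weight and the function tag the function weight, so the later value computation can read both straight from the tag group; with the constructed tables the database lands in level 3, the application server in level 2, and the workstation and the site camera in level 1.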
In some embodiments of the application, determining the vulnerability degree of each level of asset profile comprises:
calculating the vulnerability degree of each asset in each level of asset profile;
wherein J is the vulnerability degree, n is the number of vulnerabilities in the asset, δ_i is the hazard weight of the i-th vulnerability, Y_i is the influence of the i-th vulnerability, P_i is the disclosure degree of the i-th vulnerability, D_min is the minimum value of δ_i Y_i P_i, and [ ] is the rounding symbol;
and deriving the vulnerability degree of each level of asset profile from the vulnerability degrees of the assets in that profile.
In this embodiment, the comprehensive vulnerability level corresponding to each archive is determined by the vulnerability level of each asset.
Step S106: select a security measure policy according to the level and vulnerability degree of the asset profile, and protect the corresponding assets according to the security measure policy.
In this embodiment, the security measure policy is selected according to the level and vulnerability degree of the asset profile: the higher the level and the higher the vulnerability degree, the stronger the required security measure policy, i.e. the security protection level.
In some embodiments of the application, selecting the security measure policy based on the level and vulnerability degree of the asset profile comprises:
if the level and vulnerability degree of the asset profile conform to a preset matching relation, adopting the corresponding preset security measure policy;
if the level and vulnerability degree of the asset profile do not conform to the preset matching relation and the matching deviation distance exceeds a matching deviation distance threshold, selecting the security measure policy based on the difference between the matching deviation distance and the threshold;
where the preset matching relation between the level of the asset profile and the vulnerability degree is that each level corresponds to a different calibrated vulnerability degree, and the matching deviation distance is the amount by which the vulnerability degree exceeds the calibrated vulnerability degree.
In this embodiment, each asset profile level corresponds to a calibrated vulnerability degree. When the vulnerability degree exceeds the calibrated vulnerability degree of the level, a matching deviation distance exists.
In this embodiment, when the security measure policy is selected based on the difference between the matching deviation distance and the matching deviation distance threshold, the policy is strengthened according to that difference.
The beneficial effects of the above scheme are as follows:
the value of each asset is determined by identifying the tag structure array constructed for the asset, so that asset profiles are classified, assets are integrated into the asset profiles, and different security protection strategies are selected according to the vulnerability degree and level of the asset profile. This improves the adaptability and precision of security monitoring and ensures that the assets run stably for a long time.
In some embodiments of the present application, after protecting the corresponding asset according to the security measure policy, the method further comprises:
determining the update frequency of the corresponding asset from the vulnerability degree of the asset.
In this embodiment, determining the update frequency of the corresponding asset according to its vulnerability degree means setting the asset's update frequency according to its vulnerability degree, where an update refers to operations such as checking the asset at a specified period, deleting a failed asset, or updating a changed asset. Each vulnerability degree corresponds to an update frequency. The higher the vulnerability degree, the more frequently the asset is updated, and vice versa.
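The profile construction of step S105, the policy selection of step S106 and the vulnerability-driven update frequency, as an added Python example that is not part of the patent or its applicants' software. The value ranges, calibrated vulnerability degrees, deviation threshold, policy ladder, the use of the maximum as a profile's vulnerability, the 30-day base interval and the treatment of a deviation within the threshold as still matching are all assumptions; the sample inventory is constructed.

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float          # asset value L from step S104
    vulnerability: float  # asset vulnerability degree J from step S105


# Constructed parameters (assumptions, not from the patent): value ranges of the
# profile levels, calibrated vulnerability per level (the preset matching
# relation), the deviation threshold and the policies ordered weakest to strongest.
LEVEL_VALUE_RANGES = [(0.0, 100.0), (100.0, 500.0), (500.0, math.inf)]
CALIBRATED_VULNERABILITY = {1: 4.0, 2: 3.0, 3: 2.0}
DEVIATION_THRESHOLD = 1.0
POLICIES = ["baseline", "hardened", "strict", "isolated", "quarantined"]


def profile_level(value: float) -> int:
    """Map an asset value to its profile level (1 = lowest)."""
    for level, (low, high) in enumerate(LEVEL_VALUE_RANGES, start=1):
        if low <= value < high:
            return level
    raise ValueError(f"asset value {value} is outside every level range")


def build_profiles(assets):
    """Step S105: group assets whose values fall in the same range into one profile."""
    profiles = defaultdict(list)
    for asset in assets:
        profiles[profile_level(asset.value)].append(asset)
    return dict(profiles)


def profile_vulnerability(members) -> float:
    """Profile vulnerability derived from its assets; the patent does not fix the
    aggregation, so the maximum is assumed and a single weak asset is not averaged away."""
    return max(a.vulnerability for a in members)


def matching_deviation(level: int, vulnerability: float) -> float:
    """Deviation distance: how far the vulnerability exceeds the level's calibrated value."""
    return max(0.0, vulnerability - CALIBRATED_VULNERABILITY[level])


def select_policy(level: int, vulnerability: float) -> str:
    """Step S106: the level's preset policy when the matching relation holds (deviation
    within the threshold assumed to match); otherwise one step stronger per unit of excess."""
    preset = level - 1  # higher profile level -> stronger preset policy
    deviation = matching_deviation(level, vulnerability)
    if deviation <= DEVIATION_THRESHOLD:
        return POLICIES[preset]
    extra_steps = math.ceil(deviation - DEVIATION_THRESHOLD)
    return POLICIES[min(preset + extra_steps, len(POLICIES) - 1)]


def update_interval_days(vulnerability: float) -> int:
    """Higher vulnerability -> more frequent checks (30-day base is an assumption)."""
    return max(1, int(30 / max(vulnerability, 1.0)))


# Constructed sample inventory (not real assets).
SAMPLE_ASSETS = [
    Asset("print-server", value=40.0, vulnerability=3.5),
    Asset("file-share", value=250.0, vulnerability=2.5),
    Asset("erp-db", value=900.0, vulnerability=4.0),
    Asset("core-app", value=700.0, vulnerability=1.5),
]
```

With the sample inventory the level-3 profile inherits the vulnerability 4.0 of erp-db, which exceeds its calibrated value by 2.0, so the policy moves one step past the level's preset "strict" to "isolated".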
By applying this technical scheme, the enterprise internal network topology is obtained and the original asset range boundary is determined from it; the enterprise external network topology is obtained, and the network traffic between the internal and external topologies is analyzed to obtain traffic information; the interaction degree between nodes in the internal topology and nodes in the external topology is determined from the traffic information, and the original asset range boundary is extended accordingly to obtain a target asset range boundary; the assets within the target asset range boundary are identified and classified, a tag is constructed for each asset, and the value of each asset is determined from its tags; asset profiles of different levels are constructed based on the range of each asset's value, and the vulnerability degree of each level of asset profile is determined; a security measure policy is selected according to the level and vulnerability degree of the asset profile, and the corresponding assets are protected according to that policy. In this application, the original asset range boundary is extended through the enterprise's internal and external network topologies, which ensures the accuracy of the asset range and improves the reliability of asset identification. Selecting the security measure policy according to the level and vulnerability degree of the asset profile ensures the adaptability of security protection, improves the security of the assets, and improves the efficiency of asset management.
From the above description of the embodiments, it will be clear to those skilled in the art that the present application may be implemented in hardware, or by software together with a necessary general-purpose hardware platform. On this understanding, the technical solution of the present application may be embodied as a software product stored in a non-volatile storage medium (such as a CD-ROM, a USB flash drive or a portable hard disk) that includes instructions causing a computer device (such as a personal computer, a server or a network device) to execute the method described in the respective implementation scenarios of the present application.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the present application and do not limit it. Although the application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will appreciate that the technical solutions described in the foregoing embodiments can be modified, or some of their technical features replaced by equivalents, without such modifications and substitutions causing the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (9)

1. An asset management method for use in a network security monitoring system, the method comprising:
acquiring an enterprise internal network topology, and determining an original asset range boundary according to the enterprise internal network topology;
acquiring an enterprise external network topology, and analyzing network traffic between the enterprise internal network topology and the enterprise external network topology to obtain traffic information;
determining, from the traffic information, the interaction degree between nodes in the enterprise internal network topology and nodes in the enterprise external network topology, and extending the original asset range boundary accordingly to obtain a target asset range boundary;
identifying and classifying the assets within the target asset range boundary, constructing a tag corresponding to each asset, and determining the value of each asset according to its tags;
constructing asset profiles of different levels based on the range of the value of each asset, and determining the vulnerability degree of each level of asset profile; and
selecting a security measure policy according to the level and vulnerability degree of the asset profile, and protecting the corresponding assets according to the security measure policy.
2. The asset management method for a network security monitoring system of claim 1, wherein analyzing network traffic between the enterprise internal network topology and the enterprise external network topology to obtain traffic information comprises:
constructing an internal node list and an external node list by scanning the enterprise internal network topology and the enterprise external network topology respectively, wherein the internal node list comprises all nodes in the enterprise internal network topology and the external node list comprises all nodes in the enterprise external network topology;
analyzing the source, destination and flow direction of network packets between the enterprise internal network topology and the enterprise external network topology, and correlating nodes in the internal node list and the external node list to obtain a first associated node list;
acquiring at least one of an access log, a security log, a system log, an application log and a network device log between nodes in the internal node list and the external node list, and associating nodes in the internal node list and the external node list to obtain a second associated node list; and
constructing a node trend graph of the internal node list and the external node list from the first associated node list and the second associated node list, and determining the traffic of each node as the traffic information.
3. The asset management method for a network security monitoring system of claim 2, wherein determining the interaction degree between nodes in the enterprise internal network topology and nodes in the enterprise external network topology from the traffic information comprises:
calculating, in the node trend graph, the traffic ratio and the communication mode similarity between each internal node and each external node associated with it;
where N is the communication mode similarity, n is the number of calibration modes of the communication modes, α_i is the weight corresponding to the i-th calibration mode, Q_i and K are defined with K being the sum of the maximum similarities of all calibration modes; and
determining the interaction degree of the nodes based on the traffic ratio and the communication mode similarity;
where M is the interaction degree, β is the conversion coefficient, T is the traffic ratio, exp is the exponential function, and k is a preset constant.
4. The asset management method for a network security monitoring system of claim 3, wherein extending the original asset range boundary to obtain the target asset range boundary comprises:
determining, according to the traffic information, those external nodes whose interaction degree with nodes in the enterprise internal network topology exceeds an interaction degree threshold as extension points, and extending the original asset range boundary according to the extension points and the node trends of the node trend graph to obtain the target asset range boundary.
5. The asset management method for a network security monitoring system of claim 1, wherein identifying and classifying the assets within the target asset range boundary to construct a tag for each asset comprises:
identifying the assets within the target asset range boundary to obtain all assets, and generating an identity tag for each asset;
classifying the assets into multi-attribute categories, acquiring the weight of each attribute category of the enterprise's assets, determining the multi-attribute weight of each asset, and generating a category tag;
classifying the assets by function according to their different functions, determining a functional weight, and generating a functional tag; and
establishing the tag structure group (identity tag, category tag, functional tag) of each asset from its identity tag, category tag and functional tag.
6. The asset management method for a network security monitoring system of claim 5, wherein determining the value of each asset based on its tags comprises:
acquiring the data information value, productivity value, business impact value and maintenance value of the asset; and
determining the asset value based on the data information value, productivity value, business impact value, maintenance value, category tag and functional tag of the asset;
where L is the asset value, γ_1 is the weight corresponding to the data information value, W_1 is the data information value, exp is the exponential function, Z_1 is the multi-attribute weight, k_1 is a first preset constant, γ_2 is the weight corresponding to the productivity value, W_2 is the productivity value, Z_2 is the functional weight, k_2 is a second preset constant, γ_3 is the weight corresponding to the business impact value, W_3 is the business impact value, Z_01 is the multi-attribute weight threshold, Z_02 is the functional weight threshold, k_3 is a third preset constant, γ_4 is the weight corresponding to the maintenance value, and W_4 is the maintenance value.
7. The asset management method for a network security monitoring system of claim 1, wherein determining the vulnerability degree of each level of asset profile comprises:
calculating the vulnerability degree of each asset in each level of asset profile;
where J is the vulnerability degree, n is the number of vulnerabilities in the asset, δ_i is the hazard weight of the i-th vulnerability, Y_i is the influence of the i-th vulnerability, P_i is the disclosure degree of the i-th vulnerability, D_min is the minimum value of δ_i·Y_i·P_i, and [ ] is the rounding symbol; and
deriving the vulnerability degree of each level of asset profile from the vulnerability degrees of the assets in that profile.
8. The asset management method for a network security monitoring system of claim 7, wherein selecting the security measure policy based on the level and vulnerability degree of the asset profile comprises:
if the level and vulnerability degree of the asset profile conform to a preset matching relation, adopting the corresponding preset security measure policy; and
if the level and vulnerability degree of the asset profile do not conform to the preset matching relation and the matching deviation distance exceeds a matching deviation distance threshold, selecting the security measure policy based on the difference between the matching deviation distance and the matching deviation distance threshold;
where the preset matching relation between the level of the asset profile and the vulnerability degree is that each level corresponds to a different calibrated vulnerability degree, and the matching deviation distance is the amount by which the vulnerability degree exceeds the calibrated vulnerability degree.
9. The asset management method for a network security monitoring system of claim 7, wherein after protecting the corresponding asset according to the security measure policy, the method further comprises:
determining the update frequency of the corresponding asset from the vulnerability degree of the asset.
CN202310797197.5A 2023-06-28 2023-06-28 Asset management method applied to network security monitoring system Pending CN117014184A (en)


Publications (1)

Publication Number Publication Date
CN117014184A true CN117014184A (en) 2023-11-07

Family

ID=88568162



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination