WO2019218875A1 - Method and system for risk assessment of a single in-network device - Google Patents

Method and system for risk assessment of a single in-network device

Info

Publication number
WO2019218875A1
Authority
WO
WIPO (PCT)
Prior art keywords
risk
score
network
level
tested
Application number
PCT/CN2019/085191
Other languages
English (en)
Chinese (zh)
Inventor
涂大志
郭景楠
王新成
王志
Original Assignee
深圳市联软科技股份有限公司
Application filed by 深圳市联软科技股份有限公司
Publication of WO2019218875A1

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416  Event detection, e.g. attack signature detection
    • H04L 63/1425  Traffic logging, e.g. anomaly detection

Definitions

  • The invention belongs to the field of internet technology and relates in particular to a method and system for risk assessment of a single in-network device.
  • The evaluation granularity of the two prior-art approaches is too coarse: a general network risk assessment reports the risk status over a period of time, so a device that raises alarms frequently in some periods still receives the same risk level or deduction as one that does not.
  • The number of alarms cannot reasonably be included in the assessment.
  • The results of multiple alarms cannot be considered together, so the network security administrator cannot be provided with an effective assessment.
  • The present invention provides a method and system for risk assessment of a single in-network device that adds the number of alarms to the analysis and considers all types of alarms together, so the evaluation is more effective.
  • A single in-network device risk assessment method includes the following steps: setting a plurality of check items and the risk level of each check item; detecting the single in-network device under test in real time according to the check items to obtain detection results; storing the detection results obtained within a preset evaluation time, including the check items in which an alarm occurred, the risk levels of those check items, and the number of alarms that occurred on the device under test; analyzing the stored detection results according to a preset evaluation model to obtain a device behavior loss value; and calculating the risk score of the device under test from the device behavior loss value.
  • Detecting the single in-network device under test in real time according to the check items specifically includes: scoring the risk level of each check item in which an alarm occurs to obtain an alarm score, the detection result including that alarm score.
  • Analyzing all the detection results according to the preset evaluation model to obtain the device behavior loss value specifically includes calculating:
  • behavior_loss = (max_level + sum_level × 0.1) × max_level × tanh(check_count)
  • where behavior_loss is the device behavior loss value of the single in-network device under test, max_level is the highest alarm score in its detection results, sum_level is the sum of the alarm scores in its detection results, and check_count is the cumulative number of alarms raised on the device under test.
  • Calculating the risk score of the single in-network device under test from the device behavior loss value specifically includes subtracting the device behavior loss value from the full score to obtain the risk score.
  • The second aspect is a single in-network device risk assessment system, including:
  • a setting unit, used to set a plurality of check items and the risk level of each check item;
  • a detecting unit, configured to detect the network device under test in real time according to the check items and obtain the detection results;
  • a statistical unit, configured to store the detection results obtained within the preset evaluation time, including the check items in which an alarm occurred, the risk levels of those check items, and the number of alarms that occurred on the single in-network device under test;
  • an evaluation unit, configured to analyze the stored detection results according to the preset evaluation model to obtain the device behavior loss value, and to calculate the risk score of the single in-network device under test from that value.
  • The method and system for risk assessment of a single in-network device provided by the present invention discard the prior-art idea of taking only the highest alarm score among all check items; instead the network device is detected periodically over a certain period of time, all detection results in that period are counted, and the number of alarms is added to the analysis, so the evaluation is more effective.
  • FIG. 1 is a flow chart of an evaluation method provided in Embodiment 1.
  • FIG. 2 is a block diagram of a module of an evaluation system provided in Embodiment 4.
  • The term "if" can be interpreted as "when", "on", "in response to determining" or "in response to detecting", depending on the context.
  • The phrase "if determined" or "if [the described condition or event] is detected" may be interpreted, depending on the context, as "once determined", "in response to determining", "once [the described condition or event] is detected" or "in response to detecting [the described condition or event]".
  • Embodiment 1:
  • A single in-network device risk assessment method includes the following steps:
  • S1 Set a plurality of check items and the risk level of each check item. The alarms of the check items cover three aspects: "non-compliant behavior", "abnormal behavior" and "dangerous behavior". For example, a detected change in the IP/MAC address, device name or operating system of the network device is treated as abnormal behavior.
  • Each check item is assigned a risk level according to its degree of threat: low-threat check items receive a low risk level and high-threat check items a high risk level.
  • A single in-network device may be a PC, a network device, a mobile device, an IoT device, an ICS device, and the like.
  • S2 Detect the network device under test in real time according to the check items, and obtain the detection results.
  • The detection results cover all compliant, non-compliant, abnormal and dangerous behavior check items, and also record the risk level of each check item that raised an alarm.
  • Because detection is performed in real time, the security of the network device can be assessed in real time.
  • S3 Store the detection results obtained within the preset evaluation time, including the check items in which an alarm occurred, the risk levels of those check items, and the number of alarms raised on the single in-network device under test.
  • Counting the check items that raised alarms facilitates the subsequent risk assessment.
  • The number of alarms that occur on a single in-network device is the cumulative number of check items that raised an alarm across all detection reports.
  • S4 Analyze the stored detection results according to the preset evaluation model to obtain the device behavior loss value. The detection results can be analyzed periodically.
  • The analysis interval can be set, for example once every hour or every two hours, and each analysis updates the risk status of the single in-network device under test. If the evaluation time is set to 24 hours, the risk status of the device under test for that day is updated. That is, the device under test has been detected according to the check items; if analysis runs once every hour, the detection results obtained by the device within the evaluation time are taken for analysis and its risk status is updated. This ensures that the risk status of the device under test is updated in real time.
  • S5 Calculate the risk score of the single in-network device under test from the device behavior loss value.
  • The method discards the prior-art idea of taking only the highest alarm score among all check items; it detects the network device periodically, counts all detection results over a certain period of time, and adds the number of alarms to the analysis, so the evaluation is more effective.
  • Embodiment 2:
  • Detecting the single in-network device under test according to the check items specifically includes: scoring the risk level of each check item in which an alarm occurs to obtain an alarm score, the detection result including that alarm score.
  • Scoring makes the risk level more intuitive: the higher the risk level, the higher the score.
  • For example, the risk level of device access during non-working hours is 4 points, and the risk level of installed enterprise software is 6 points.
  • If check item A has a risk level of 4 and raises 2 alarms, its risk level is raised to 5.
  • The method provided by this embodiment is described briefly; for parts not mentioned, refer to the corresponding content of Embodiment 1.
  • Embodiment 3:
  • Analyzing all the detection results according to the preset evaluation model to obtain the device behavior loss value specifically includes calculating:
  • behavior_loss = (max_level + sum_level × 0.1) × max_level × tanh(check_count)
  • where behavior_loss is the device behavior loss value of the single in-network device under test, max_level is the highest alarm score in its detection results, sum_level is the sum of the alarm scores in its detection results, and check_count is the cumulative number of alarms raised on the device under test.
  • The number of detection records grows as the deployment time increases.
  • The result of the evaluation model is always positive and lies in the range [0, 100].
  • The device behavior loss value given by the formula increases as the number of alarms raised on the check items increases; that is, the more alarms a single device under test raises, the higher its risk.
  • Calculating the risk score of the single in-network device under test from the device behavior loss value specifically includes subtracting the device behavior loss value from the full score to obtain the risk score.
  • For example, the full score can be set to 100 points, in which case the risk score equals 100 minus the device behavior loss value.
  • The safest state of a network device is 100 points and the most dangerous is 0 points.
  • The score bands and their qualitative descriptions can be customized by the user.
  • The method provided by this embodiment is described briefly; for parts not mentioned, refer to the corresponding content of Embodiment 2.
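The five steps S1 to S5 and the Embodiment 3 model, run end to end as an added worked example. This is not code from the patent or from 深圳市联软科技股份有限公司: the check items beyond the two priced on the page (after-hours access = 4, installed enterprise software = 6), their levels, the detection timestamps and the 24-hour window ending at WINDOW_END are all constructed for the example; the three operators of the behavior_loss formula are read as multiplication, which is an assumption because the operator glyphs do not survive in this copy of the page; and the result is clamped to the [0, 100] range the page states for the model. The prior-art figure (highest alarm score only) is returned alongside so the difference the patent argues for is visible.

```python
"""Single in-network device risk scoring, following the patent's steps S1-S5."""
import math
from datetime import datetime, timedelta

# S1: check items and risk levels (points). The first two values are the ones
# given on the page; the remaining items and their levels are assumed.
CHECK_ITEMS = {
    "access_outside_working_hours": 4,
    "enterprise_software_installed": 6,
    "ip_mac_address_changed": 5,     # assumed level ("abnormal behavior" on the page)
    "device_name_changed": 3,        # assumed level
    "operating_system_changed": 7,   # assumed level
}

# S2: constructed detection results for one device under test.
# Each record is (timestamp, check item, alarm raised?). Compliant results
# (False) are stored as well but carry no alarm score.
DETECTIONS = [
    (datetime(2019, 4, 28, 23, 0), "operating_system_changed", True),   # before the window
    (datetime(2019, 4, 30, 1, 10), "access_outside_working_hours", True),
    (datetime(2019, 4, 30, 2, 40), "access_outside_working_hours", True),
    (datetime(2019, 4, 30, 9, 5), "ip_mac_address_changed", True),
    (datetime(2019, 4, 30, 9, 6), "operating_system_changed", False),  # compliant
    (datetime(2019, 4, 30, 11, 30), "enterprise_software_installed", True),
]

# Assumed end of the 24-hour evaluation window used in the example run.
WINDOW_END = datetime(2019, 4, 30, 12, 0)


def alarms_in_window(detections, window_end, window_hours):
    """S3: keep the alarmed check items whose timestamp falls inside the
    preset evaluation time (window_end - window_hours, window_end]."""
    start = window_end - timedelta(hours=window_hours)
    return [item for ts, item, alarmed in detections
            if alarmed and start < ts <= window_end]


def behavior_loss(alarm_items, levels):
    """S4: the evaluation model
        behavior_loss = (max_level + sum_level * 0.1) * max_level * tanh(check_count)
    Operators are taken as multiplication (assumption, see lead-in) and the
    result is clamped to [0, 100]. No alarms in the window means no loss."""
    if not alarm_items:
        return 0.0
    scores = [levels[item] for item in alarm_items]   # alarm score = risk level
    max_level = max(scores)
    sum_level = sum(scores)
    check_count = len(alarm_items)
    loss = (max_level + sum_level * 0.1) * max_level * math.tanh(check_count)
    return max(0.0, min(100.0, loss))


def risk_score(alarm_items, levels, full_score=100.0):
    """S5: risk score = full score minus the device behavior loss value."""
    return full_score - behavior_loss(alarm_items, levels)


def evaluate_device(detections, levels, window_end, window_hours=24):
    """Run S3 to S5 for one device and return the figures the model used,
    plus the prior-art figure (highest alarm score only) for comparison."""
    items = alarms_in_window(detections, window_end, window_hours)
    scores = [levels[i] for i in items]
    return {
        "check_count": len(items),
        "max_level": max(scores) if scores else 0,
        "sum_level": sum(scores),
        "behavior_loss": round(behavior_loss(items, levels), 2),
        "risk_score": round(risk_score(items, levels), 2),
        "prior_art_highest_alarm_only": max(scores) if scores else 0,
    }


if __name__ == "__main__":
    # Hourly re-evaluation over a sliding 24-hour window, as in Embodiment 1:
    # the same device's score falls as alarms accumulate during the day.
    for hour in (3, 10, 12):
        end = WINDOW_END.replace(hour=hour)
        print(end.isoformat(), evaluate_device(DETECTIONS, CHECK_ITEMS, end))
```

Two points the numbers make: the two repeated after-hours alarms (level 4) already cost more than a single level-4 alarm would, which is the "number of alarms" effect the patent claims over the highest-score-only prior art, and because tanh saturates at 1, beyond a handful of alarms the loss grows only through sum_level, so the clamp is what keeps a noisy device at exactly 0 points rather than below it.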
  • Embodiment 4:
  • Embodiment 4 provides a single in-network device risk assessment system, including:
  • a setting unit, used to set a plurality of check items and the risk level of each check item;
  • a detecting unit, configured to detect the network device under test in real time according to the check items and obtain the detection results;
  • a statistical unit, configured to store the detection results obtained within the preset evaluation time, including the check items in which an alarm occurred, the risk levels of those check items, and the number of alarms that occurred on the single in-network device under test;
  • an evaluation unit, configured to analyze the stored detection results according to the preset evaluation model to obtain the device behavior loss value, and to calculate the risk score of the single in-network device under test from that value.
  • the disclosed systems and methods can be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • In practice there may be other division manners; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, or an electrical, mechanical or other form of connection.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiments of the present invention.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • If the integrated unit is implemented in the form of a software functional unit and sold or used as a standalone product, it may be stored in a computer readable storage medium.
  • On this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of it, may be embodied in the form of a software product stored in a storage medium.
  • The software product includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present invention.
  • The foregoing storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present invention relates to a method and system for risk assessment of a single in-network device. The method consists of: setting a plurality of check items and a risk level for each check item; detecting a single in-network device under test in real time according to the check items to obtain detection results; storing the detection results obtained within a preset evaluation time, including the check items in which an alarm occurred, the risk levels of those check items, and the number of alarms that occurred on the single in-network device under test; analyzing the stored detection results according to a preset evaluation model to obtain a device behavior loss value; and calculating a risk score of the single in-network device under test from the device behavior loss value. The method abandons the existing-technology reasoning of using the highest alarm score among all check items; it tests a network device periodically, compiles all detection results within a certain period of time, and can add the number of alarms to the analysis, so the evaluation method is more effective.
PCT/CN2019/085191 2018-05-14 2019-04-30 Procédé et système d'évaluation de risque d'équipement de réseau unique WO2019218875A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810455479.6A CN108683662B (zh) 2018-05-14 2018-05-14 Method and system for risk assessment of a single in-network device
CN201810455479.6 2018-05-14

Publications (1)

Publication Number Publication Date
WO2019218875A1 true WO2019218875A1 (fr) 2019-11-21

Family

ID=63806390

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/085191 WO2019218875A1 (fr) 2018-05-14 2019-04-30 Procédé et système d'évaluation de risque d'équipement de réseau unique

Country Status (2)

Country Link
CN (1) CN108683662B (fr)
WO (1) WO2019218875A1 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108683662B (zh) * 2018-05-14 2020-08-14 深圳市联软科技股份有限公司 Method and system for risk assessment of a single in-network device
CN110443515A (zh) * 2019-08-09 2019-11-12 杭州安恒信息技术股份有限公司 IoT security detection method and system based on a threat index
CN111865660A (zh) * 2020-06-12 2020-10-30 广东电网有限责任公司 Operational risk evaluation method and system for network devices

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105205732A (zh) * 2015-09-28 2015-12-30 中国南方电网有限责任公司 Risk assessment and maintenance method based on a device risk feature model
CN106203666A (zh) * 2015-04-30 2016-12-07 中国南方电网有限责任公司 Data network device risk assessment method and apparatus
CN107451402A (zh) * 2017-07-13 2017-12-08 北京交通大学 Device health assessment method and apparatus based on alarm data analysis
CN108009711A (zh) * 2017-11-23 2018-05-08 平安科技(深圳)有限公司 Risk assessment method, apparatus, computer device and readable storage medium
CN108683662A (zh) * 2018-05-14 2018-10-19 深圳市联软科技股份有限公司 Method and system for risk assessment of a single in-network device

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9015090B2 (en) * 2005-09-06 2015-04-21 Daniel Chien Evaluating a questionable network communication
US20140143864A1 (en) * 2012-11-21 2014-05-22 Snoopwall Llc System and method for detecting, alerting and blocking data leakage, eavesdropping and spyware
CN104092469A (zh) * 2014-07-22 2014-10-08 西安电子科技大学 Simplified Log-BP iterative decoding method based on equal-chord-length linear approximation
CN107172004A (zh) * 2016-03-08 2017-09-15 中兴通讯股份有限公司 Risk assessment method and apparatus for network security devices
CN106790198A (zh) * 2016-12-30 2017-05-31 北京神州绿盟信息安全科技股份有限公司 Information system risk assessment method and system
CN107204876B (zh) * 2017-05-22 2020-09-29 成都网络空间安全技术有限公司 Network security risk assessment method
CN107911231B (zh) * 2017-10-25 2020-12-25 北京神州绿盟信息安全科技股份有限公司 Threat data evaluation method and apparatus

Also Published As

Publication number Publication date
CN108683662A (zh) 2018-10-19
CN108683662B (zh) 2020-08-14

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19804101; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 14/04/2021))
122 Ep: pct application non-entry in european phase (Ref document number: 19804101; Country of ref document: EP; Kind code of ref document: A1)