
CN108683662B - Individual online equipment risk assessment method and system - Google Patents

Publication number
CN108683662B
Authority
CN
China
Prior art keywords
equipment
alarm
detection result
detected
risk
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810455479.6A
Other languages
Chinese (zh)
Other versions
CN108683662A (en
Inventor
涂大志
郭景楠
王新成
王志
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Leagsoft Technology Co ltd
Original Assignee
Shenzhen Leagsoft Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Leagsoft Technology Co ltd filed Critical Shenzhen Leagsoft Technology Co ltd
Priority to CN201810455479.6A priority Critical patent/CN108683662B/en
Publication of CN108683662A publication Critical patent/CN108683662A/en
Priority to PCT/CN2019/085191 priority patent/WO2019218875A1/en
Application granted granted Critical
Publication of CN108683662B publication Critical patent/CN108683662B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a method and a system for assessing the risk of an individual online device. In the method, a plurality of inspection items and a risk level for each inspection item are set; the device under test is checked in real time against the inspection items to obtain detection results; the detection results obtained within a preset evaluation time are stored, each detection result comprising the inspection items that raised an alarm, the risk level of those inspection items, and the number of alarms raised for the device under test; the stored detection results are analyzed according to a preset evaluation model to obtain a device behavior loss value; and the risk value of the device under test is calculated from the device behavior loss value. The method abandons the prior-art approach of taking the highest alarm score among all inspection items: it checks the network device at regular intervals, aggregates all detection results within a time period, and can include the number of alarms in the analysis, which makes the assessment more effective.

Description

Individual online equipment risk assessment method and system
Technical Field
The invention belongs to the technical field of the internet, and particularly relates to a method and a system for assessing the risk of an individual online device.
Background
In the prior art, the risk of an individual online device is mainly assessed in the following ways:
1. A detection rule with a plurality of detection items is set, the network device is checked against the detection items, and a risk level is assigned manually according to the threat degree of each detection item and used as the risk metric of the network device;
2. Device inspection items are set and every inspection item is given a score; the alarm of a single detection item does not give an intuitive picture of the overall risk of the device.
The evaluation granularity of both methods is too coarse. Network risk assessment generally describes the risk state over a time period, and some dangerous detections may raise alarms frequently within that period while their risk levels or deductions stay the same. The number of alarms therefore cannot be reasonably taken into account, the results of the various alarms cannot be considered together, and no effective reference is provided to the network security administrator.
Disclosure of Invention
To address the shortcomings of the prior art, the invention provides a method and a system for assessing the risk of an individual online device that can include the number of alarms in the analysis, consider the various alarm types together, and are more effective.
In a first aspect, a method for assessing the risk of an individual online device comprises the following steps:
setting a plurality of inspection items and a risk level for each inspection item;
detecting the device under test in real time according to the inspection items to obtain a detection result;
storing the detection results obtained within a preset evaluation time, wherein a detection result comprises the inspection items that raised an alarm, the risk level of those inspection items, and the number of alarms raised for the device under test;
analyzing the stored detection results according to a preset evaluation model to obtain a device behavior loss value;
and calculating the risk value of the device under test according to the device behavior loss value.
Further, detecting the device under test in real time according to the inspection items to obtain a detection result specifically comprises:
detecting the device under test in real time according to the inspection items;
scoring the risk level of each inspection item that raised an alarm to obtain an alarm score;
recording the alarm score;
the detection result includes the alarm score.
Further, analyzing all the detection results according to the preset evaluation model to obtain the device behavior loss value specifically comprises:
setting an analysis time;
when the analysis time arrives, calculating the device behavior loss value by:
behavior_loss = (max_level + sum_level × 0.1) × max_level × tanh(check_count);
wherein behavior_loss is the device behavior loss value of the device under test, max_level is the highest alarm score in the detection results of the device under test, sum_level is the sum of all alarm scores in the detection results of the device under test, and check_count is the cumulative number of alarms raised for the device under test.
Further, calculating the risk score of the device under test according to the device behavior loss value specifically comprises:
setting a full score value;
and subtracting the device behavior loss value of the device under test from the full score value, using a deduction method, to obtain the risk score.
In a second aspect, an individual online device risk assessment system comprises:
a setting unit, configured to set a plurality of inspection items and a risk level for each inspection item;
a detection unit, configured to detect the device under test in real time according to the inspection items to obtain a detection result;
a statistics unit, configured to store the detection results obtained within a preset evaluation time, wherein a detection result comprises the inspection items that raised an alarm, the risk level of those inspection items, and the number of alarms raised for the device under test;
an evaluation unit, configured to analyze the stored detection results according to a preset evaluation model to obtain a device behavior loss value, and further configured to calculate the risk score of the device under test according to the device behavior loss value.
Further, detecting the device under test in real time according to the inspection items to obtain a detection result specifically comprises:
detecting the device under test in real time according to the inspection items;
scoring the risk level of each inspection item that raised an alarm to obtain an alarm score;
recording the alarm score;
the detection result includes the alarm score.
Further, analyzing all the detection results according to the preset evaluation model to obtain the device behavior loss value specifically comprises:
setting an analysis time;
when the analysis time arrives, calculating the device behavior loss value by:
behavior_loss = (max_level + sum_level × 0.1) × max_level × tanh(check_count);
wherein behavior_loss is the device behavior loss value of the device under test, max_level is the highest alarm score in the detection results of the device under test, sum_level is the sum of all alarm scores in the detection results of the device under test, and check_count is the cumulative number of alarms raised for the device under test.
Further, calculating the risk score of the device under test according to the device behavior loss value specifically comprises:
setting a full score value;
and subtracting the device behavior loss value of the device under test from the full score value, using a deduction method, to obtain the risk score.
According to the technical scheme above, the method and the system for assessing the risk of an individual online device abandon the prior-art approach of taking the highest alarm score among all inspection items, check the network device at regular intervals, aggregate all detection results within a time period, and can include the number of alarms in the analysis, so the assessment is more effective.
Drawings
In order to more clearly illustrate the detailed description of the invention or the technical solutions in the prior art, the drawings that are needed in the detailed description of the invention or the prior art will be briefly described below. Throughout the drawings, like elements or portions are generally identified by like reference numerals. In the drawings, elements or portions are not necessarily drawn to scale.
Fig. 1 is a flowchart of the evaluation method according to the first embodiment.
Fig. 2 is a block diagram of the evaluation system according to the fourth embodiment.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and therefore are only examples, and the protection scope of the present invention is not limited thereby. It is to be noted that, unless otherwise specified, technical or scientific terms used herein shall have the ordinary meaning as understood by those skilled in the art to which the invention pertains.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
As used in this specification and the appended claims, the term "if" may be interpreted contextually as "when", "upon" or "in response to a determination" or "in response to a detection". Similarly, the phrase "if it is determined" or "if a [ described condition or event ] is detected" may be interpreted contextually to mean "upon determining" or "in response to determining" or "upon detecting [ described condition or event ]" or "in response to detecting [ described condition or event ]".
Embodiment one:
Referring to Fig. 1, a method for assessing the risk of an individual online device comprises the following steps:
S1, setting a plurality of inspection items and a risk level for each inspection item;
Specifically, the alarms raised by inspection items fall into three categories: "non-compliant behavior", "abnormal behavior", and "dangerous behavior". For example, if a change in the IP/MAC address of a network device, a change in the device name, a change in the operating system, etc. is detected, an abnormal behavior is considered to have occurred. Each inspection item is assigned a risk level according to its threat degree: an inspection item with a low threat degree has a low risk level, and an inspection item with a high threat degree has a high risk level. Individual online devices include PC devices, network devices, mobile devices, IoT devices, ICS devices, and the like.
S2, detecting the device under test in real time according to the inspection items to obtain a detection result;
Specifically, when the device under test is checked, all inspection items must be checked. The detection result covers all inspection items, whether they show compliant, non-compliant, abnormal, or dangerous behavior, and the risk level of each inspection item that raised an alarm is recorded. Because checking against the inspection items is performed in real time, the security of the network device can be monitored in real time.
S3, storing the detection results obtained within a preset evaluation time, wherein a detection result comprises the inspection items that raised an alarm, the risk level of those inspection items, and the number of alarms raised for the device under test;
Specifically, the inspection items that raised an alarm are counted to facilitate the subsequent risk assessment. The number of alarms for an individual network device is the cumulative number of inspection items that raised an alarm across all detection reports.
S4, analyzing the stored detection results according to a preset evaluation model to obtain a device behavior loss value;
Specifically, the detection results may be analyzed at regular intervals. For example, an analysis time of one hour or two hours can be set, at which the risk state of the device under test is updated. If the evaluation time is set to 24 hours, the risk state of the device under test for the current day is updated. That is, the device under test is checked against the inspection items continuously; if the analysis runs once an hour, the detection results obtained for the device during the current day are retrieved and analyzed, and the risk state of the device is updated. This ensures that the risk state of the device under test is updated in real time.
S5, calculating the risk score of the device under test according to the device behavior loss value.
The method abandons the prior-art approach of taking the highest alarm score among all inspection items, checks the network device at regular intervals, aggregates all detection results within a time period, and can include the number of alarms in the analysis, which makes the assessment more effective.
Embodiment two:
The method provided by the second embodiment adds the following to the first embodiment:
detecting the device under test according to the inspection items to obtain a detection result specifically comprises:
detecting the device under test in real time according to the inspection items;
scoring the risk level of each inspection item that raised an alarm to obtain an alarm score;
recording the alarm score;
the detection result includes the alarm score.
Specifically, scoring makes the risk level more intuitive: the higher the risk level, the higher the score. For example, the risk level of a device accessing in non-working time is 4 points, and the risk level of illegal enterprise software is 6 points. The risk level is 4 when inspection item A raises 1 alarm, and it is upgraded to 5 if inspection item A raises 2 alarms.
For brevity, for details not covered in this embodiment, refer to the corresponding content of the first embodiment.
Embodiment three:
The method provided by the third embodiment adds the following to the second embodiment:
analyzing all detection results according to a preset evaluation model to obtain a device behavior loss value specifically comprises:
setting an analysis time;
when the analysis time arrives, calculating the device behavior loss value by:
behavior_loss = (max_level + sum_level × 0.1) × max_level × tanh(check_count);
wherein behavior_loss is the device behavior loss value of the device under test, max_level is the highest alarm score in the detection results of the device under test, sum_level is the sum of all alarm scores in the detection results of the device under test, and check_count is the cumulative number of alarms raised for the device under test.
Specifically, after a network device is deployed at the customer site, the number of detection items for it keeps growing as the deployment time increases, and when the evaluation model is built, the upper limit of the number of inspection items of the deployed network device cannot be estimated. The hyperbolic tangent model used in this method therefore keeps the robustness of the evaluation model from being affected by the upper limit of the number of alarms. The results obtained from the evaluation model are always positive, between 0 and 100. The device behavior loss value calculated by the formula above increases as the number of alarms raised by the inspection items increases; that is, the more alarms the device under test raises, the higher its risk level.
In the analysis, all detection results within the evaluation time are used as input to the evaluation model. For example, suppose that when the analysis time arrives there are 3 detection results for the device under test, in which the numbers of inspection items that raised alarms are 5, 7, and 4 respectively; the score of the highest risk level is 6; and the sums of the risk-level scores of the inspection items that raised alarms in the 3 detection results are 25, 50, and 22 respectively. Then max_level = 6, sum_level = 25 + 50 + 22 = 97, and check_count = 5 + 7 + 4 = 16.
Optionally, calculating the risk score of the device under test according to the device behavior loss value specifically comprises:
setting a full score value;
and subtracting the device behavior loss value of the device under test from the full score value, using a deduction method, to obtain the risk score.
Specifically, the full score may be set to 100 points, with the risk score equal to 100 minus the device behavior loss value. The greater the device behavior loss value, the lower the risk score and the higher the risk of the network device. Conversely, the smaller the device behavior loss value, the higher the risk score and the lower the risk of the network device. The safest case for a network device is 100 points, and the most dangerous case is 0 points. The score grading and its qualitative description are configured individually by the user.
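The evaluation model and deduction step described above, worked through in Python on the description's own numbers; this is an added example, not code from the patent. The `ReportSummary` structure, the function names, the per-result `max_score` values and the clamping of the score to [0, full score] are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

FULL_SCORE = 100.0  # full score value used in the description's example


@dataclass(frozen=True)
class ReportSummary:
    """Summary of one stored detection result (hypothetical structure)."""
    alarm_count: int   # inspection items that raised an alarm in this result
    score_sum: float   # sum of the alarm scores of those items
    max_score: float   # highest alarm score in this result


def window_inputs(reports):
    """Reduce every result stored in the evaluation window to the model inputs."""
    if not reports:
        return 0.0, 0.0, 0  # no alarms recorded: nothing to deduct
    max_level = max(r.max_score for r in reports)
    sum_level = sum(r.score_sum for r in reports)
    check_count = sum(r.alarm_count for r in reports)
    return max_level, sum_level, check_count


def behavior_loss(max_level, sum_level, check_count):
    """(max_level + sum_level * 0.1) * max_level * tanh(check_count)."""
    if min(max_level, sum_level, check_count) < 0:
        raise ValueError("alarm scores and counts must be non-negative")
    return (max_level + sum_level * 0.1) * max_level * math.tanh(check_count)


def risk_score(loss, full_score=FULL_SCORE):
    """Deduction method: full score minus the behavior loss value.

    Assumption (not stated on the page): the result is clamped to
    [0, full_score], because the formula alone does not bound the loss.
    """
    return min(full_score, max(0.0, full_score - loss))


def assess(reports):
    """Return (behavior_loss, risk_score) for one device's evaluation window."""
    loss = behavior_loss(*window_inputs(reports))
    return loss, risk_score(loss)


def count_factor(check_count):
    """The tanh(check_count) multiplier alone, to show how fast it saturates."""
    return math.tanh(check_count)


# The description's example: three results with 5, 7 and 4 alarmed items and
# score sums 25, 50 and 22. The page gives only the overall highest score (6);
# the per-result max_score values below are constructed.
EXAMPLE_WINDOW = [
    ReportSummary(alarm_count=5, score_sum=25, max_score=6),
    ReportSummary(alarm_count=7, score_sum=50, max_score=6),
    ReportSummary(alarm_count=4, score_sum=22, max_score=6),
]

if __name__ == "__main__":
    print("model inputs:", window_inputs(EXAMPLE_WINDOW))
    loss, score = assess(EXAMPLE_WINDOW)
    print(f"behavior_loss={loss:.2f} risk_score={score:.2f}")
    for n in (1, 2, 3, 5, 16):
        print(f"tanh({n}) = {count_factor(n):.4f}")
```

For the description's numbers this gives a loss of about 94.2 and a risk score of about 5.8. Because tanh(check_count) already exceeds 0.995 at three alarms, further alarms raise the loss through sum_level and max_level rather than through the count term.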
For brevity, for details not covered in this embodiment, refer to the corresponding content of the second embodiment.
Embodiment four:
Referring to Fig. 2, the fourth embodiment provides an individual online device risk assessment system, comprising:
a setting unit, configured to set a plurality of inspection items and a risk level for each inspection item;
a detection unit, configured to detect the device under test in real time according to the inspection items to obtain a detection result;
a statistics unit, configured to store the detection results obtained within a preset evaluation time, wherein a detection result comprises the inspection items that raised an alarm, the risk level of those inspection items, and the number of alarms raised for the device under test;
an evaluation unit, configured to analyze the stored detection results according to a preset evaluation model to obtain a device behavior loss value, and further configured to calculate the risk score of the device under test according to the device behavior loss value.
Further, detecting the device under test in real time according to the inspection items to obtain a detection result specifically comprises:
detecting the device under test in real time according to the inspection items;
scoring the risk level of each inspection item that raised an alarm to obtain an alarm score;
recording the alarm score;
the detection result includes the alarm score.
Further, analyzing all the detection results according to the preset evaluation model to obtain the device behavior loss value specifically comprises:
setting an analysis time;
when the analysis time arrives, calculating the device behavior loss value by:
behavior_loss = (max_level + sum_level × 0.1) × max_level × tanh(check_count);
wherein behavior_loss is the device behavior loss value of the device under test, max_level is the highest alarm score in the detection results of the device under test, sum_level is the sum of all alarm scores in the detection results of the device under test, and check_count is the cumulative number of alarms raised for the device under test.
Further, calculating the risk score of the device under test according to the device behavior loss value specifically comprises:
setting a full score value;
and subtracting the device behavior loss value of the device under test from the full score value, using a deduction method, to obtain the risk score.
The apparatus provided by this embodiment has the same implementation principle and technical effect as the method embodiments; for brevity, for details not covered in the apparatus embodiment, refer to the corresponding content of the method embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed system and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electric, mechanical or other form of connection.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention essentially or partially contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present invention, and they should be construed as being included in the following claims and description.

Claims (4)

1. A single online equipment risk assessment method is characterized by comprising the following steps:
setting a plurality of examination items and a risk level of each examination item;
detecting the single online equipment to be detected in real time according to the inspection items to obtain a detection result;
storing the detection result obtained within the preset evaluation time, wherein the detection result comprises the inspection item with the alarm, the risk level of the inspection item and the alarm frequency of the single network equipment to be detected;
analyzing the stored detection result according to a preset evaluation model to obtain an equipment behavior loss value;
calculating the risk value of the single online equipment to be tested according to the equipment behavior loss value;
the real-time detection of the single online equipment to be detected according to the inspection items specifically comprises the following steps:
detecting the single on-line equipment to be detected in real time according to the inspection items;
grading the risk level of the inspection item with the alarm to obtain an alarm score;
recording the alarm score;
the detection result comprises the alarm score;
analyzing all detection results according to a preset evaluation model to obtain an equipment behavior loss value specifically comprises:
setting analysis time;
when the analysis time arrives, the device behavior loss value is calculated by:
behavior_loss=(max_level+sum_level×0.1)×max_level×tanh(check_count);
wherein behavior _ loss is the equipment behavior loss value of the single on-line equipment to be tested,max _ level is the highest alarm score in the detection result of the network equipment of the single equipment to be detected, sum _ level is the sum of all alarm scores in the detection result of the network equipment of the single equipment to be detected, check _ count is the accumulated times of alarm occurrence of the network equipment of the single equipment to be detected,
Figure FDA0002455541740000011
2. the method for risk assessment of individual online devices of claim 1,
the calculating the risk score of the single online device to be tested according to the device behavior loss value specifically comprises:
setting a full score value;
and subtracting the equipment behavior loss value of the single online equipment to be tested by adopting a deduction method on the basis of the full score value to obtain the risk score.
3. A single online device risk assessment system, comprising:
a setting unit: the risk level setting module is used for setting a plurality of examination items and the risk level of each examination item;
a detection unit: the system is used for detecting the single on-line equipment to be detected in real time according to the detection items to obtain a detection result;
a statistic unit: the system comprises a storage unit, a processing unit and a processing unit, wherein the storage unit is used for storing a detection result obtained within preset evaluation time, and the detection result comprises a check item with an alarm appearing in the detection result, a risk level of the check item and the number of times of the alarm appearing in the network equipment of a single unit to be detected;
an evaluation unit: the device is used for analyzing the stored detection result according to a preset evaluation model to obtain a device behavior loss value; the system is also used for calculating the risk value of the single online equipment to be tested according to the equipment behavior loss value;
the real-time detection of the single online equipment to be detected according to the inspection items specifically comprises the following steps:
detecting the single on-line equipment to be detected in real time according to the inspection items;
grading the risk level of the inspection item with the alarm to obtain an alarm score;
recording the alarm score;
the detection result comprises the alarm score;
analyzing all detection results according to a preset evaluation model to obtain an equipment behavior loss value specifically comprises:
setting analysis time;
when the analysis time arrives, the device behavior loss value is calculated by:
behavior_loss=(max_level+sum_level×0.1)×max_level×tanh(check_count);
wherein, behavior_loss is the equipment behavior loss value of the single network equipment to be detected, max_level is the highest alarm score in the detection result of the single network equipment to be detected, sum_level is the sum of all alarm scores in the detection result of the single network equipment to be detected, check_count is the accumulated times of alarms appearing in the single network equipment to be detected,
Figure FDA0002455541740000031
4. The individual online device risk assessment system of claim 3,
wherein calculating the risk score of the single online device to be tested according to the device behavior loss value specifically comprises:
setting a full score value;
and, using a deduction method, subtracting the equipment behavior loss value of the single online equipment to be tested from the full score value to obtain the risk score.
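The evaluation model and deduction step of claims 1 to 4, worked through on constructed alarms; this is an added example, not code from the patent. The alarm score values, the full score of 100, the floor at zero, the half-open evaluation window and all names (`Alarm`, `ALARM_SCORE`, the check item names) are assumptions.

```python
import math
from dataclasses import dataclass

# Assumed grading of risk level into an alarm score (the claims do not fix the values).
ALARM_SCORE = {"low": 1, "medium": 3, "high": 5}
FULL_SCORE = 100.0  # assumed full score value


@dataclass(frozen=True)
class Alarm:
    timestamp: int    # seconds, constructed
    check_item: str   # hypothetical inspection item name
    risk_level: str   # key into ALARM_SCORE


def behavior_loss(alarms, start, end):
    """(max_level + sum_level*0.1) * max_level * tanh(check_count) over [start, end)."""
    scores = [ALARM_SCORE[a.risk_level] for a in alarms if start <= a.timestamp < end]
    if not scores:
        return 0.0  # no alarms in the evaluation window: nothing to deduct
    max_level = max(scores)    # highest alarm score
    sum_level = sum(scores)    # sum of all alarm scores
    check_count = len(scores)  # accumulated number of alarms
    return (max_level + sum_level * 0.1) * max_level * math.tanh(check_count)


def risk_score(alarms, start, end, full_score=FULL_SCORE):
    """Deduct the loss from the full score; the floor at 0 is an assumption."""
    return max(0.0, full_score - behavior_loss(alarms, start, end))


# Constructed detection results for three devices over the window [0, 3600).
ONE_HIGH = [Alarm(10, "antivirus_disabled", "high")]
TEN_LOW = [Alarm(60 * i, "weak_screen_lock", "low") for i in range(10)]
HUNDRED_HIGH = [Alarm(30 * i, "antivirus_disabled", "high") for i in range(100)]

if __name__ == "__main__":
    for name, alarms in [("one high", ONE_HIGH), ("ten low", TEN_LOW),
                         ("hundred high", HUNDRED_HIGH)]:
        print(f"{name:>12}: loss={behavior_loss(alarms, 0, 3600):7.2f} "
              f"score={risk_score(alarms, 0, 3600):6.2f}")
```

With these assumed scores, one high alarm deducts about 20.9 points while ten low alarms deduct about 2, because max_level enters the product twice and tanh flattens check_count after the first few alarms. sum_level is unbounded, so the loss can exceed the full score (275 for the hundred-alarm device), which is why the example floors the result.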
CN201810455479.6A 2018-05-14 2018-05-14 Individual online equipment risk assessment method and system Active CN108683662B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810455479.6A CN108683662B (en) 2018-05-14 2018-05-14 Individual online equipment risk assessment method and system
PCT/CN2019/085191 WO2019218875A1 (en) 2018-05-14 2019-04-30 Single network equipment risk assessment method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810455479.6A CN108683662B (en) 2018-05-14 2018-05-14 Individual online equipment risk assessment method and system

Publications (2)

Publication Number Publication Date
CN108683662A CN108683662A (en) 2018-10-19
CN108683662B true CN108683662B (en) 2020-08-14

Family

ID=63806390

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810455479.6A Active CN108683662B (en) 2018-05-14 2018-05-14 Individual online equipment risk assessment method and system

Country Status (2)

Country Link
CN (1) CN108683662B (en)
WO (1) WO2019218875A1 (en)

Also Published As

Publication number Publication date
WO2019218875A1 (en) 2019-11-21
CN108683662A (en) 2018-10-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant