
CN110766329B - Risk analysis method, device, equipment and medium for information assets - Google Patents


Info

Publication number
CN110766329B
Authority
CN
China
Prior art keywords
information
asset
assets
risk
safety
Prior art date
Legal status
Active
Application number
CN201911025955.1A
Other languages
Chinese (zh)
Other versions
CN110766329A (en)
Inventor
吴永飞
寿弘宇
金建新
杨青
常宗
Current Assignee
Hua Xia Bank Co Ltd
Original Assignee
Hua Xia Bank Co Ltd
Priority date
Filing date
Publication date
Application filed by Hua Xia Bank Co Ltd
Priority to CN201911025955.1A
Publication of CN110766329A
Application granted
Publication of CN110766329B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0635 Risk analysis of enterprise or organisation activities
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S10/00 Systems supporting electrical power generation, transmission or distribution
    • Y04S10/50 Systems or methods supporting the power network operation or management, involving a certain degree of interaction with the load-side end user applications

Abstract

The application discloses a risk analysis method for an information asset, comprising: obtaining historical security information and current security information of the information asset; predicting a first information asset at risk based on the historical security information, and determining a second information asset at which an anomaly occurs based on the current security information; determining related assets of the first information asset and the second information asset; and iteratively analyzing based on the historical security information and current security information of the related assets until related assets of the related assets are neither predicted to be at risk nor found to be anomalous. The method carries out panoramic radiation analysis in two dimensions, time and space, achieves comprehensive and accurate asset risk analysis, and meets the requirements of asset risk management. The application also discloses a corresponding device.

Description

Risk analysis method, device, equipment and medium for information assets
Technical Field
The present application relates to the field of computers, and in particular, to a method, an apparatus, a device, a medium, and a computer program product for risk analysis of information assets.
Background
With the continuous deepening of refined security operation management, business support capability and service quality need to be continuously improved. In particular, banking business is gradually moving online and the number of Information Technology (IT) assets exposed on the internet is increasing, so how to effectively manage the rapidly growing types and number of IT assets, how to effectively identify and analyze security events that have occurred on IT assets, and how to face security risks have become important.
Currently, the goal of centralized management of IT asset information in IT production activities has basically been achieved, the data basis for asset management is in place, and a risk management system that calculates the risk value of IT assets by collecting the value of IT assets, the threats to IT assets and the vulnerabilities of IT assets has been established.
However, it is difficult for existing IT asset analysis methods to comprehensively and accurately identify the assets at risk during risk analysis, which brings a safety hazard to asset management.
Disclosure of Invention
In view of this, the present application provides a risk analysis method for information assets, which predicts the security risk faced by an information asset at the time level, extending from points to lines, and analyzes the security risk faced by its related assets at the space level, again from points to lines, so as to achieve comprehensive and accurate risk identification and reduce potential safety hazards. Corresponding apparatus, devices, media and computer program products are also provided.
A first aspect of an embodiment of the present application provides a risk analysis method for an information asset, where the method includes:
acquiring historical safety information and current safety information of information assets;
predicting a first information asset at risk based on the historical security information and determining a second information asset at which an anomaly occurs based on the current security information;
determining related assets of the first information asset and the second information asset;
iteratively analyzing based on historical security information and current security information of the related assets until related assets of the related assets are not predicted to be at risk and no anomaly is found.
Optionally, the security information includes at least one of an operation behavior, a security event, vulnerability information, patch information, configuration information, and traffic information.
Optionally, the predicting a first information asset at risk based on the historical security information and determining a second information asset at which an abnormality occurs based on the current security information includes:
inputting the historical security information and the current security information into a pre-trained risk panoramic radiation model;
extracting business features related to information asset security from the historical security information and the current security information through the risk panoramic radiation model;
and predicting a first information asset at risk and a second information asset with an abnormality based on the mapping relation between the business features and asset security.
Optionally, the risk panoramic radiation model is obtained by training through the following method:
acquiring a training sample, where the training sample comprises security information of a sample asset and a security label, the security label identifying whether the sample asset is at risk or abnormal;
training a risk panoramic radiation model by using a machine learning algorithm on the training sample until a training end condition is met;
where the panoramic radiation model takes security information as input and outputs a prediction of whether risk exists or whether an abnormality occurs. The model comprises a time-dimension analysis module and a space-dimension analysis module: the time-dimension module analyzes information including the historical security information and the current security information, and the space-dimension module, starting from the sample asset, analyzes the security condition of the related assets of the sample asset.
Optionally, the method further includes:
collecting log data of the sample asset;
and determining a data attribute tag corresponding to the log data according to the safety analysis service requirement, and using the data attribute tag as the safety information of the sample asset.
Optionally, the determining related assets of the first information asset and the second information asset comprises:
determining similar assets of the first information asset and the second information asset, assets with interconnection and mutual access relations, assets belonging to the same service system and assets belonging to the same network;
and taking at least one of the similar assets, the assets with interconnection and mutual access relations, the assets belonging to the same business system and the assets belonging to the same network as related assets of the first information assets and the second information assets.
Optionally, the information assets include physical assets and/or logical assets.
A second aspect of the embodiments of the present application provides an apparatus for risk analysis of an information asset, where the apparatus includes:
the system comprises an acquisition unit, a storage unit and a processing unit, wherein the acquisition unit is used for acquiring historical safety information and current safety information of information assets;
a first determination unit for predicting a first information asset at risk based on the historical security information and determining a second information asset where an abnormality occurs based on the current security information;
a second determination unit configured to determine related assets of the first information asset and the second information asset;
and an iterative analysis unit for carrying out iterative analysis on the basis of the historical security information and the current security information of the related assets until the related assets of the related assets are not predicted to be at risk and no abnormality is found.
A third aspect of embodiments of the present application provides an apparatus, comprising a processor and a memory:
the memory is used for storing a computer program;
the processor is configured to execute the method for risk analysis of information assets according to the first aspect of the application according to the instructions in the computer program.
A fourth aspect of embodiments of the present application provides a computer-readable storage medium for storing a computer program for executing the method for risk analysis of an information asset according to the first aspect of the present application.
A fifth aspect of the embodiments of the present application provides a computer program product containing computer readable instructions, which when run on a computer, cause the computer to execute the method for risk analysis of information assets according to the above aspects.
According to the technical scheme, the embodiment of the application has the following advantages:
when risk analysis of information assets is carried out, historical security information and current security information of the information assets are first obtained; then a first information asset at risk is predicted in the time dimension based on the historical security information, and a second information asset with an abnormality is determined based on the current security information; the related assets of the first information asset and the second information asset are determined in the space dimension; and iterative analysis is carried out based on the historical security information and current security information of the related assets until no related asset is predicted to be at risk and no abnormality is found. In this way comprehensive and accurate asset risk analysis is realized, and the requirements of asset risk management are met.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
FIG. 1 is a system architecture diagram of a risk analysis method for information assets in an embodiment of the present application;
FIG. 2 is a flow chart of a method for risk analysis of information assets in an embodiment of the application;
FIG. 3 is a schematic diagram of an asset association relationship in an embodiment of the present application;
FIG. 4 is a flowchart of a risk panoramic radiation model training method in an embodiment of the present application;
FIG. 5 is a schematic diagram of a data tagging architecture in an embodiment of the present application;
FIG. 6 is a schematic view of a risk panoramic radiation model architecture in an embodiment of the present application;
FIG. 7 is a schematic view of an analysis scene of a risk panoramic radiation model in an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a risk analysis device for information assets in an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a server in an embodiment of the present application.
Detailed Description
The embodiment of the application provides an obstacle detection method, which is used for solving the problems of high baseline requirement, high calibration requirement and the like when a binocular camera is used for detecting obstacles, and the problem of detection omission caused by the fact that the colors of the obstacles are close to the colors of the environment, and does not need to increase extra cost.
In order to make the technical solutions of the present application better understood, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the drawings described above, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Aiming at the problem that existing IT asset analysis methods find it difficult to comprehensively and accurately identify assets at risk during risk analysis, bringing potential safety hazards to asset management, the application provides an IT asset risk analysis method which, based on historical security information and current security information, analyzes risk and whether IT assets are abnormal in a point-to-line and line-to-line manner across the two dimensions of time and space. It can effectively identify assets that are at risk or abnormal even when the state and configuration of the IT assets have changed, and meets the requirements of IT asset risk management.
It is understood that the risk analysis method for IT assets provided by the application can be applied to any processing device with data processing capability, and the processing device may specifically be a terminal or a server. The terminal may be a desktop terminal such as a desktop computer, a portable mobile terminal such as a tablet computer or a smart phone, or a Virtual Reality (VR) or Augmented Reality (AR) terminal, which is not limited in this embodiment. The server is specifically a computing device providing a risk analysis service, and may be a single device or a computing cluster formed by a plurality of computing devices. For ease of understanding, the server is used as the illustration hereinafter.
The risk analysis method for the IT assets can be stored in the processing equipment in the form of a computer program, and the processing equipment can realize the risk analysis method provided by the application by running the computer program. The computer program may be independent, or may be a functional module, a plug-in, an applet, or the like integrated with another computer program.
In practical applications, the method for risk analysis of IT assets provided by the present application includes, but is not limited to, the application environment as shown in fig. 1.
As shown in fig. 1, a server 101 acquires historical security information and current security information of an information asset 103 from a network 102, predicts a first information asset at risk based on the historical security information, and determines a second information asset at which an abnormality occurs based on the current security information, then determines related assets of the first information asset and the second information asset, and then performs an iterative analysis based on the historical security information and the current security information of the related assets until the related assets of the related assets are not predicted to have a risk and no abnormality is found.
In order to make the technical solution of the present application clearer and easier to understand, each step of the risk analysis method for IT assets provided by the present application will be described in detail from the perspective of the server.
Referring to fig. 2, a flow chart of a method for risk analysis of an information asset, the method comprising:
s201: historical security information and current security information of the information asset are obtained.
The information assets, that is, IT assets, may specifically be physical assets, including physical devices in a network such as hosts, servers, storage devices, routers, etc., or may also be logical assets, where the logical assets refer to assets existing in the form of software, such as database applications, web components, etc.
In particular implementations, the server may first determine the IT assets included in the network and then collect historical security information and current security information for those IT assets. The server can determine the assets in the network through dynamic asset tracking, which specifically refers to active discovery and anomaly auditing of IT assets through at least one of configuration analysis, remote scanning, traffic analysis and the like; furthermore, the server can supplement the discovery of unknown assets with event analysis.
When determining the IT assets based on remote scanning, the server may first scan every IP within a given IP segment one by one to detect which hosts in that segment are live, thereby determining the IT assets included in the network. Furthermore, the server detects the open ports of each live host, collects device information such as operating system type and version, and detects the detailed asset characteristics of each online IP (Internet Protocol) address by asset fingerprint matching analysis, including the asset's system type and open services, so that the asset information is enriched.
When the IT assets are determined based on the configuration analysis, partial equipment information can be recorded in an initializing mode, the more comprehensive the types and the more the quantity of the recorded equipment are, the faster the convergence speed of the unknown equipment discovery algorithm is, and the unknown equipment can be discovered more quickly and accurately. The configuration analysis specifically refers to discovering unknown assets from a network layer by analyzing information such as an Address Resolution Protocol (ARP) cache table, a Media Access Control (MAC) Address table, a routing table, and an interface information table.
During specific implementation, a server firstly broadcasts a flooding activation data packet to an address field to be checked to ensure that asset information is updated, secondly collects various information such as an ARP cache table, an MAC address table, a routing table, an interface information table and the like of known assets, then analyzes the interconnection relationship between the known assets and other equipment by taking the known assets as nodes, continuously expands the collection range, detects unknown assets step by step and finally discovers all the assets which can be reached by the equipment.
Traffic analysis can be achieved in two ways. In the first, a dedicated traffic analysis device is deployed at a network node to capture and analyze the flow direction characteristics of network traffic: data packets are unpacked layer by layer through the data link layer, network layer and transport layer, the MAC address, IP address and port information in the protocol headers are parsed, the communication, traffic and flow direction characteristics of the packets are analyzed, and previously unknown IP and MAC information is found and tracked from that analysis, thereby determining the IT assets in the network. In the second, based on Deep Packet Inspection (DPI) equipment already deployed in the existing network, an access analysis rule from the server area to the external network is configured, XDR records are generated, and the communication characteristics and traffic flow direction characteristics of each server are obtained by analyzing the XDR records.
On the basis of remote scanning, configuration analysis and/or traffic analysis, the server can also perform event analysis to supplement the discovery of unknown assets. Specifically, the server may collect log information from sources such as firewalls, WAFs and IDSs, analyze the source addresses, destination addresses, source ports and destination ports appearing in the logs, discover unknown IP assets among them, grasp their basic behavioral characteristics, and enrich the threat characteristic information of the assets.
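The configuration-analysis discovery described above (collect ARP cache, routing and similar tables from known assets, expand outward node by node, and record addresses that appear in a neighbour's tables but cannot themselves be collected from) is illustrated here as an added example. It is not code from the patent; the `CONFIG_TABLES` data are constructed sample tables, and `collect_tables` stands in for whatever collector a real deployment would use.

```python
"""Added example (not the patent's code): expanding an asset inventory from the
configuration tables of known assets, as the configuration-analysis step describes."""
from collections import deque

# Constructed sample data: for each asset the server can log into, the neighbour
# IPs found in its ARP cache and routing table. 10.0.0.4 and 10.0.1.5 appear only
# in other assets' tables: they are the "unknown" devices discovery should surface.
CONFIG_TABLES = {
    "10.0.0.1": {"arp": ["10.0.0.2", "10.0.0.3"], "routes": ["10.0.1.1"]},
    "10.0.0.2": {"arp": ["10.0.0.1"], "routes": []},
    "10.0.0.3": {"arp": ["10.0.0.1", "10.0.0.4"], "routes": []},
    "10.0.1.1": {"arp": ["10.0.1.5"], "routes": ["10.0.0.1"]},
}


def collect_tables(ip):
    """Return the set of neighbour IPs from an asset's tables, or None when the
    asset is not manageable (no credentials / not in inventory), which is exactly
    the case for an unknown device. Hypothetical stand-in for a real collector."""
    tables = CONFIG_TABLES.get(ip)
    if tables is None:
        return None
    return set(tables["arp"]) | set(tables["routes"])


def discover_assets(seed_assets):
    """Breadth-first expansion from the initially recorded assets: every address
    seen in a collected table is queued and collected from in turn, until no new
    address appears. Returns (all_reachable_assets, unknown_assets)."""
    known = set(seed_assets)
    unknown = set()
    queue = deque(seed_assets)
    while queue:
        ip = queue.popleft()
        neighbours = collect_tables(ip)
        if neighbours is None:
            # Seen in a neighbour's tables but not collectable: flag for follow-up
            # (fingerprinting, owner lookup) rather than silently dropping it.
            unknown.add(ip)
            continue
        for neighbour in neighbours:
            if neighbour not in known:
                known.add(neighbour)
                queue.append(neighbour)
    return known, unknown


def discovery_rounds(seed_assets):
    """Count collection attempts needed from a given seed set; illustrates the
    passage's point that more recorded devices mean faster convergence."""
    known = set(seed_assets)
    queue = deque(seed_assets)
    attempts = 0
    while queue:
        ip = queue.popleft()
        attempts += 1
        for neighbour in collect_tables(ip) or set():
            if neighbour not in known:
                known.add(neighbour)
                queue.append(neighbour)
    return attempts


if __name__ == "__main__":
    assets, unmanaged = discover_assets(["10.0.0.1"])
    print("reachable:", sorted(assets))
    print("unknown  :", sorted(unmanaged))
```

Starting from the single recorded asset 10.0.0.1 the walk reaches all six addresses and reports the two that could not be collected from as unknown assets; seeding the walk with more recorded devices does not change the result, only the number of collection attempts.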
The historical security information refers to security information generated in a historical time period, the current security information refers to security information generated in a current time period, and the security information may specifically include at least one of operation behavior, security events, vulnerability information, patch information, configuration information, and traffic information.
The operation behavior, the security event and vulnerability information, the patch information and the like can be obtained through the security log, and the configuration information such as the host type, the operating system version, the software type, the software version, the port service and the like can be obtained through periodic tasks when assets are found, and the method specifically comprises an online obtaining mode and an offline obtaining mode.
For example, for a port service, the port service may be determined by performing a service-to-port mapping presentation on an identifiable port, where the port service may include any one or more of a File Transfer Protocol (FTP) service, a Secure File Transfer Protocol (SFTP) service, a TELNET service (TELNET), or a Secure Shell (SSH) service.
For another example, for software types, such as database types, database applications and versions on a host can be discovered by scanning and recognizing host ports through asset fingerprinting technology, which supports database types including, but not limited to, MySQL, Oracle, SQLServer, Sybase, DB2, and PostgreSQL.
Obviously, this asset discovery and management mode is an active technical means: it can promptly discover problems such as unauthorized changes in device use, unauthorized software deployment and unauthorized public network interfaces without relying on an administrator's initiative, thereby remedying the shortcomings of manual entry or of managing devices solely through an asset management system, and avoiding the long-term existence of invisible assets.
In addition, various attributes of an IT asset, such as its IP address and MAC address, can be used to generate an asset fingerprint that uniquely identifies the asset, avoiding risks such as IP spoofing that arise when assets are identified by IP address alone.
S202: a first information asset at risk is predicted based on the historical security information, and a second information asset at which an anomaly has occurred is determined based on the current security information.
In particular implementations, the server predicts assets that are at risk or have an anomaly from the time dimension. In some possible implementations, the server may establish a mapping relationship between the security information and the risk, and thus, the server may predict whether each IT asset has a risk in the future based on historical security information of the IT asset according to the mapping relationship, wherein the asset predicted to have the risk is regarded as the first information asset. Of course, when the current security information represents that the IT asset is abnormal, such as the IT asset is invaded, the server may directly determine the abnormal IT asset as the second information asset.
In some possible implementation manners, the server may also predict the first information asset at risk and the second information asset with abnormality through technical means such as machine learning. In specific implementation, a server may train a risk panoramic radiation model through machine learning such as deep learning, input historical security information and current security information into a risk panoramic radiation model trained in advance, extract business features related to information asset security from the historical security information and the current security information through the risk panoramic radiation model, and then predict a first information asset at risk and a second information asset at abnormality based on a mapping relationship between the business features and asset security.
It should be noted that, the panoramic radiation model takes the safety information as input, and takes the prediction result of whether the risk exists or whether the abnormality occurs as output, and the panoramic radiation model specifically includes two analysis modules, one is an analysis module based on the time dimension, and the other is an analysis module based on the space dimension. The analysis module based on the time dimension is specifically used for analyzing according to information including historical safety information and current safety information, and the analysis module based on the space dimension is specifically used for analyzing according to the safety condition of related assets of the sample assets based on the sample assets. The panoramic radiation model can be obtained by training a training sample, and the training process of the model will be described in detail below.
S203: determining related assets of the first information asset and the second information asset.
The related assets specifically refer to IT assets having an association relation with the current IT asset. The incidence relation between the assets is the core of asset management, and is the key to the problems of fault diagnosis, alarm correlation, performance analysis and the like. The incidence relation model is clearly defined, so that the clear incidence relation between the asset objects can be shown, and more accurate incidence relation service is provided for asset application.
In some possible implementations, the server may determine at least one of the similar assets, the assets with interconnection and mutual access relations, the assets belonging to the same business system and the assets belonging to the same network as the related assets of the first information asset and the second information asset.
The similar assets are assets with the same characteristics, for example, IT assets with tomcat middleware installed, and the assets with interconnection and mutual access relation refer to assets with accessible communication links.
In some possible implementations, some assets may seem unrelated but may affect each other, for example, a host administrator may attack a service system from an idle server in an extranet control network by opening a firewall policy, and a firewall and the idle server seem unrelated to each other, but in a case where the firewall is opened, the server may become an attack source of the service system, that is, the firewall affects the idle server. Based on this, the related assets may also include assets that interact with each other.
In order to model asset association relations comprehensively and accurately, a hierarchical relation can be constructed according to business asset classes, application asset classes, logical asset classes and physical asset classes, avoiding inconsistency between the relations of asset objects at different levels. Further, complex association relationships between asset classes can be described through a UML diagram.
Referring to fig. 3, a schematic diagram of an asset association relationship is shown, which defines a business resource domain, an application resource domain, a logical resource domain and a physical resource domain, wherein business functions in the business resource domain depend on application services of the application resource domain, the application services run on middleware services of the logical resource domain, the application implements corresponding services based on processes of the logical resource domain, and the processes implement corresponding services by using a file system, a database object and a middleware server of the logical resource domain. It should be noted that the process is specifically run in a server in the physical resource domain, the server is deployed to a middleware in the physical resource domain, the middleware server in the logical resource layer is implemented based on the middleware, in addition, the server is further connected to a network device in the physical resource domain through a network connection, and is connected to a storage device in the physical resource domain through a storage connection, the database object in the logical resource domain is implemented based on a database in the physical resource domain, and the database is specifically deployed on the server.
S204: iteratively analyzing based on historical security information and current security information of the related assets until related assets of the related assets are not predicted to be at risk and no anomaly is found.
In a specific implementation, the server may predict, for each related asset, whether the related asset is at risk or has an abnormality in the same manner as in S202, and then re-determine the related asset corresponding to the at-risk asset and the abnormal asset, and perform risk analysis on the related asset until the related asset is not predicted to have a risk and no abnormality is found.
It should be noted that, when the server performs iterative analysis on the related assets, the server may perform iterative analysis one by one, or perform parallel iterative analysis, and the server may select a corresponding iterative analysis mode according to its own computing power and the like.
From the above, the embodiment of the application provides a risk analysis method for IT assets, which includes the steps of firstly obtaining historical security information and current security information of information assets, then predicting a first information asset with risk from a time dimension based on the historical security information, determining a second information asset with abnormality based on the current security information, then determining related assets of the first information asset and the second information asset from a space dimension, and performing iterative analysis based on the historical security information and the current security information of the related assets until the first information asset and the second information asset are not predicted to have risk and no abnormality is found, so that comprehensive and accurate asset risk analysis is realized, and requirements for asset risk management are met.
Next, from the perspective of the server, a training process of the risk panoramic radiation model provided in the embodiment of the present application is described.
Referring to fig. 4, a flow chart of a risk panoramic radiation model training method is shown, and the method includes:
S401: training samples are obtained.
The training sample includes security information for a sample asset and a security label that identifies whether the sample asset is at risk or has an anomaly. In one example, the security tag may identify by three tag values that a sample asset is abnormal, is not currently abnormal but at risk, and is not currently abnormal nor at risk.
The security information is used for determining the security condition of the IT asset, and specifically, the security information may include at least one of operation behavior, security events, vulnerability information, patch information, configuration information, and traffic information. For convenience of data processing, the server may perform tagging processing on the security information, and represent the security information by a plurality of tags.
In a specific implementation, the server can collect log data of the sample asset and then semanticize and abstract the log data according to the security analysis service requirement, so that a data attribute tag corresponding to the log data is determined; the data attribute tag is used as the security information of the sample asset.
In practical application, the server can adopt a tree-shaped hierarchical label system and label the collected original log data through an automatic labeling mechanism, which avoids the explosion of flat labels. For ease of understanding, the tagging process is described below in connection with a data tagging architecture.
Referring to fig. 5, the original log data (i.e., the original data) is acquired, and Extract-Transform-Load (ETL) processing may be performed on the original data to obtain structured log data, which may be stored in a structured log library; a first-level tag and each level of tag below it, such as a second-level tag, a third-level tag and so on, are then generated by an automatic labeler.
After each level of label is generated, a label credibility decision is made: if the credibility is high, i.e. above a preset credibility threshold, the data is updated into the warehouse; if the credibility is low, i.e. below the preset credibility threshold, the label is audited manually and a new label is established, so that the label system is refined. Invalid or obsolete labels can also be eliminated, for example by sliding-window detection: a sliding time window is preset (for example 1 year) together with an appearance threshold (for example 10 times), the number of appearances of each label within the window is counted, and a label whose count is below the appearance threshold is deleted from the label system.
The automatic labeler can be obtained by labeling seed data manually and then training a machine learning model, such as a logistic regression algorithm, on the seed data.
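The credibility decision and the sliding-window elimination described above, written out as an added Python example (it is not code from the patent or from any system of the applicant). The tag paths, the reference time, the confidence values and the event counts are constructed sample values; the credibility threshold, the 1-year window and the appearance threshold of 10 follow the text. The example assumes that an occurrence of a lower-level tag also counts as an occurrence of every tag above it in the tree, which the text does not state.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed reference time and sample tag occurrences (not real log data).
# Each tuple: (observation time, hierarchical tag path, automatic labeler confidence).
NOW = datetime(2019, 10, 25)
SAMPLE_TAG_EVENTS = (
    # 12 recent, high-confidence occurrences of a third-level tag
    [(NOW - timedelta(days=d), "auth/login/failed", 0.95) for d in range(0, 120, 10)]
    # 3 recent, low-confidence occurrences of a sibling tag
    + [(NOW - timedelta(days=d), "auth/login/locked", 0.55) for d in (5, 40, 90)]
    # 15 occurrences, all older than the sliding window
    + [(NOW - timedelta(days=400 + d), "vuln/tomcat/overflow", 0.90) for d in range(15)]
)


def credibility_decision(events, credibility_threshold=0.8):
    """Route each tagged record to the warehouse or to manual audit by confidence."""
    warehouse, manual_audit = [], []
    for event in events:
        (warehouse if event[2] >= credibility_threshold else manual_audit).append(event)
    return warehouse, manual_audit


def ancestors(tag_path):
    """'a/b/c' -> ['a', 'a/b', 'a/b/c']: the tag itself and every level above it."""
    parts = tag_path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def build_tag_system(events):
    """The tree-shaped label system: every tag path seen, plus all of its ancestors."""
    system = set()
    for _ts, tag, _conf in events:
        system.update(ancestors(tag))
    return system


def count_in_window(events, now, window_days=365):
    """Count appearances of each tag (and its ancestors) inside the sliding time window."""
    counts = Counter()
    start = now - timedelta(days=window_days)
    for ts, tag, _conf in events:
        if start <= ts <= now:
            for level in ancestors(tag):
                counts[level] += 1
    return counts


def prune_stale_tags(tag_system, events, now, window_days=365, appearance_threshold=10):
    """Delete tags that appeared fewer than `appearance_threshold` times in the window."""
    counts = count_in_window(events, now, window_days)
    kept = {tag for tag in tag_system if counts[tag] >= appearance_threshold}
    removed = set(tag_system) - kept
    return kept, removed


if __name__ == "__main__":
    warehouse, audit = credibility_decision(SAMPLE_TAG_EVENTS)
    print(f"to warehouse: {len(warehouse)}, to manual audit: {len(audit)}")
    kept, removed = prune_stale_tags(build_tag_system(SAMPLE_TAG_EVENTS), SAMPLE_TAG_EVENTS, NOW)
    print("kept:", sorted(kept))
    print("removed:", sorted(removed))
```

With this sample the three low-confidence "auth/login/locked" records go to manual audit, and the sliding window removes that tag (only 3 appearances) as well as the whole "vuln/tomcat/overflow" branch, whose 15 appearances all fall outside the 1-year window.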
It should be noted that different label systems can be obtained according to different security analysis service requirements. Based on this, during collection of the security information, the service system can be inspected for the following information in order to screen for threat applicability:
TABLE 1 threat applicability investigation of business system information
(Table 1 is reproduced as an image in the original; its contents are not available in text form.)
Through analysis of the various investigation items, an applicable threat subset of the service system can be obtained, in which threats at four different levels are recorded separately so as to correspond to the implementation level of the security protection measures. When a threat affects several layers of the service system at the same time, the maximum of the threat occurrence probability and of the threat hazard degree can be taken after the security protection measures have been taken into account, and finally the applicable service threat subset and its corresponding symbol values are obtained. The corresponding information in the log data can then be labeled according to the applicable service threat subset and its corresponding identifiers.
S402: and training a risk panoramic radiation model by using a machine learning algorithm according to the training samples until a training end condition is met.
The panoramic radiation model takes safety information as input, and takes a prediction result of whether risk exists or whether abnormity occurs as output, the panoramic radiation model comprises an analysis module based on time dimension and an analysis module based on space dimension, the analysis module based on time dimension is used for analyzing according to information including historical safety information and current safety information, and the analysis module based on space dimension is used for analyzing the safety condition of related assets of the sample assets based on the sample assets.
During specific implementation, the server can select a corresponding machine learning algorithm according to actual requirements, such as asset data analysis algorithms of decision trees, random forests, deep learning, reinforcement learning and the like, and train the risk panoramic radiation model by using the training samples until the training end conditions are met.
In the deep learning example, a risk panoramic radiation model is initialized, which may specifically be a convolutional neural network model; training samples are then input into the risk panoramic radiation model in batches, the model predicts through deep learning whether the sample assets are abnormal or at risk, the prediction result is compared with the security labels of the training samples to obtain the loss function of the model, and the parameters of the risk panoramic radiation model are updated based on the loss function.
After multiple iterations, if the loss function of the risk panoramic radiation model is in a convergence state or is smaller than a preset value, the training end condition can be considered to be met, the server can stop training the risk panoramic radiation model, and the risk panoramic radiation model is used for IT asset risk management after the model test is passed.
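The training loop of S402 (loss computed against the security labels, parameter update from the loss, and the training end condition of convergence or loss below a preset value) as an added Python example; it is not the patent's model. It uses a pure-Python logistic regression in place of the convolutional network, a binary label (at risk or abnormal vs. neither) instead of the three-valued label of S401, and constructed feature vectors whose entries mark the presence of a data attribute tag; the tag names and sample rows are assumptions made for the example.

```python
import math

# Constructed training set (not real asset data). Each feature vector records the
# presence (1) or absence (0) of a data attribute tag, in the order of FEATURE_NAMES;
# the label is 1 when the sample asset is at risk or abnormal and 0 otherwise.
FEATURE_NAMES = ("vuln/tomcat/overflow", "auth/illegal_account", "file/abnormal", "patch/missing")
TRAINING_SAMPLES = [
    ((1, 1, 1, 0), 1),
    ((1, 0, 1, 1), 1),
    ((0, 1, 1, 0), 1),
    ((1, 1, 0, 1), 1),
    ((0, 0, 0, 0), 0),
    ((1, 0, 0, 0), 0),
    ((0, 0, 1, 0), 0),
    ((0, 0, 0, 1), 0),
]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict_proba(weights, bias, features):
    """Probability that the asset is at risk or abnormal."""
    return sigmoid(sum(w * x for w, x in zip(weights, features)) + bias)


def mean_log_loss(weights, bias, samples):
    """Loss function: mean binary cross-entropy against the security labels."""
    eps = 1e-12
    total = 0.0
    for x, y in samples:
        p = min(max(predict_proba(weights, bias, x), eps), 1.0 - eps)
        total -= y * math.log(p) + (1 - y) * math.log(1.0 - p)
    return total / len(samples)


def train(samples, learning_rate=1.0, max_epochs=20000, loss_target=0.05, min_delta=1e-6):
    """Batch gradient descent. Training ends when the loss falls below the preset
    value or stops changing between epochs (convergence), as in the text."""
    n_features = len(samples[0][0])
    weights = [0.0] * n_features
    bias = 0.0
    history = [mean_log_loss(weights, bias, samples)]
    for _ in range(max_epochs):
        grad_w = [0.0] * n_features
        grad_b = 0.0
        for x, y in samples:
            err = predict_proba(weights, bias, x) - y   # derivative of the loss w.r.t. the logit
            for j, xj in enumerate(x):
                grad_w[j] += err * xj
            grad_b += err
        m = len(samples)
        weights = [w - learning_rate * g / m for w, g in zip(weights, grad_w)]
        bias -= learning_rate * grad_b / m
        loss = mean_log_loss(weights, bias, samples)
        history.append(loss)
        if loss < loss_target or abs(history[-2] - loss) < min_delta:
            break
    return weights, bias, history


def classify(weights, bias, features, threshold=0.5):
    """1 = predicted at risk / abnormal, 0 = neither."""
    return 1 if predict_proba(weights, bias, features) >= threshold else 0


if __name__ == "__main__":
    w, b, hist = train(TRAINING_SAMPLES)
    print(f"epochs run: {len(hist) - 1}, loss {hist[0]:.3f} -> {hist[-1]:.4f}")
    for name, weight in zip(FEATURE_NAMES, w):
        print(f"  {name:24s} {weight:+.2f}")
    print("bias", f"{b:+.2f}")
```

The per-feature weights after training are the learned mapping between the tagged business features and asset security; the model test mentioned in the text would apply `classify` to a held-out set of labelled assets before the model is used for risk management.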
In this embodiment, in order to distinguish different IT assets, the server may perform asset fingerprint identification after performing asset dynamic discovery, and record or batch import asset data into the asset attribute information base, so that the server may distinguish different assets based on the asset fingerprints stored in the asset attribute information base. Of course, the server may also store collected security information of the asset, such as operational behaviors, security events, etc., into a security information database for training and prediction based on the security information in the security information database.
In order to facilitate understanding of the technical solution of the present application, the operation principle of the risk panoramic radiation model is further described below with reference to the framework of the risk panoramic radiation model.
Referring to fig. 6, the server may perform asset data collection, specifically including asset dynamic discovery, asset fingerprint identification, asset data entry, and batch import, and then store the collected asset data in an asset attribute information base, and in addition, the server may perform security data collection, that is, collect security information of each asset, including operation behavior, security events, vulnerability information, and the like, and then perform big data analysis by using a risk panoramic radiation model based on information in the asset attribute information base and the asset security information base, and a time-based asset health profile and a space-based asset health profile to obtain a time-based IT security risk and a space-based IT security risk, and may implement dynamic security risk panoramic radiation according to the time-based IT security risk and the space-based IT security risk.
The time-based asset health profile specifically includes the past security status (i.e., historical security information) and current security status (i.e., current security information) of the asset, and the space-based asset health profile specifically includes the security status of related assets, such as similar assets, assets with interconnection and mutual access relationships, assets that appear to be unrelated, and assets belonging to the same business system or the same network.
The time-based asset health record mainly aims at describing the security state of the whole life cycle of an IT asset and comprises an asset basic information record and an asset health state record, which are specifically as follows:
TABLE 2 asset basis information archive
(Table 2 is reproduced as an image in the original; its contents are not available in text form.)
TABLE 3 asset health Profile
(Table 3 is reproduced as an image in the original; its contents are not available in text form.)
The space-based asset health profile collects the safety conditions corresponding to the relevant assets of the IT assets mainly through big data technology, and the safety conditions of each asset in the relevant assets can be characterized by using the asset health status profile shown in table 4.
For convenience of understanding, a specific scenario embodiment is also provided to introduce a risk analysis method for an IT asset.
Referring to the schematic diagram of the analysis flow of the IT asset risk panoramic radiation model shown in fig. 7: in this scenario, Apache disclosed on 12/1/2015 a memory overflow vulnerability in Apache Tomcat; the vulnerability is a security vulnerability that can be exploited by external attackers and affects versions prior to Apache Tomcat 5.5. Through the IT asset risk panoramic radiation model, the server can analyze all IT assets in the network that carry the vulnerability and the assets in the network that the vulnerability affects.
Specifically, in one iteration, analysis is first performed with time as the axis:
1. From the IT asset health record, find the assets on which a version prior to Apache Tomcat 5.5 was installed historically and the assets on which such a version is installed currently.
2. Analyze the security events corresponding to these IT assets: whether the assets currently show overflow, illegal accounts, abnormal files or other security events related to the vulnerability, and predict the security events that assets currently running the affected version are likely to generate.
Analysis is then performed with space as the axis:
1. Centered on asset A, on which a version prior to Apache Tomcat 5.5 was installed historically, analyze whether the IT assets that were similar to A historically have the same security events as A.
2. According to the security events that occurred on A, analyze whether the assets associated with A have security events related to A, for example attacks that used A as a springboard.
Second iteration:
1. If an asset B similar to A is found, asset B is analyzed according to the iterative process.
2. If an asset C affected by A is found, the security impact on C is analyzed and asset C is analyzed according to the iterative process.
Third to N-th iterations:
The process of the first and second iterations is repeated until no anomaly is found in any IT asset.
In this example, the first iteration analysis is specifically:
(1) the current version of server A matches the vulnerability, and an associated overflow alarm, an illegal account and an abnormal file are found;
(2) server B once used the low Tomcat version (matched by historical version), and an illegal account and an abnormal file are found;
(3) server C has business interaction with server A, and an illegal account and an abnormal file are found;
(4) server D is in the same network segment as server A, and no abnormality is found.
The second iteration analysis is specifically:
(5) server E has business interaction with server B, but no abnormality is found;
(6) server F is in the same network segment as server C, and an illegal account and an abnormal file are found;
(7) server G has business interaction with server C, and no abnormality is found.
The third iteration analysis:
(8) server H has business interaction with server F, and no abnormality is found;
(9) server I is in the same network segment as server F, and no abnormality is found.
In summary, server A has been intruded and servers B, C and F are suspected of having been intruded; the traditional association analysis method would not consider them to have been intruded.
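The related-asset determination of S203 and the iterative analysis of S204, carried out on the scenario above, as an added Python example; it is not code from the patent or from the applicant's system. The asset attribute information base (servers A to I, their current and historical Tomcat versions, and the security events matched against the vulnerability) and the relations between the servers are constructed sample values chosen to reproduce the three iterations described; the affected-version boundary (versions prior to 5.5) comes from the scenario text. The example generalizes the scenario slightly: a related asset that only has an affected version in its history, with no anomaly, is reported as "at risk" rather than "suspected".

```python
from collections import namedtuple

# Constructed sample data (not real asset records). Versions are Tomcat versions;
# events are the security events matched to the vulnerability in the scenario.
AFFECTED_BELOW = (5, 5)   # the vulnerability affects versions prior to Tomcat 5.5

ASSETS = {
    "A": {"current": "5.0", "history": ["5.0"],
          "events": {"overflow_alarm", "illegal_account", "abnormal_file"}},
    "B": {"current": "8.5", "history": ["5.0", "8.5"],
          "events": {"illegal_account", "abnormal_file"}},
    "C": {"current": "8.5", "history": ["8.5"],
          "events": {"illegal_account", "abnormal_file"}},
    "D": {"current": "8.5", "history": ["8.5"], "events": set()},
    "E": {"current": "8.5", "history": ["8.5"], "events": set()},
    "F": {"current": "8.5", "history": ["8.5"],
          "events": {"illegal_account", "abnormal_file"}},
    "G": {"current": "8.5", "history": ["8.5"], "events": set()},
    "H": {"current": "8.5", "history": ["8.5"], "events": set()},
    "I": {"current": "8.5", "history": ["8.5"], "events": set()},
}

# Space-dimension relations, undirected. "similar": same characteristics;
# "interaction": business interaction / mutual access; "same_segment": same network.
RELATIONS = [
    ("A", "B", "similar"), ("A", "C", "interaction"), ("A", "D", "same_segment"),
    ("B", "E", "interaction"), ("C", "F", "same_segment"), ("C", "G", "interaction"),
    ("F", "H", "interaction"), ("F", "I", "same_segment"),
]

Finding = namedtuple("Finding", "asset relation via flagged")


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def vulnerable_now(asset):
    return parse_version(asset["current"]) < AFFECTED_BELOW


def vulnerable_in_history(asset):
    return any(parse_version(v) < AFFECTED_BELOW for v in asset["history"])


def anomalous(asset):
    return bool(asset["events"])


def related_assets(name, relations):
    """S203: every asset that shares a relation with `name`, with the relation kind."""
    out = []
    for a, b, kind in relations:
        if a == name:
            out.append((b, kind))
        elif b == name:
            out.append((a, kind))
    return out


def panoramic_analysis(assets, relations):
    """Time axis: seed with assets whose current version is affected and that show
    anomalies. Space axis (S204): analyze the related assets of every flagged asset,
    iterating until no newly flagged asset has unanalyzed related assets."""
    compromised = {n for n, a in assets.items() if vulnerable_now(a) and anomalous(a)}
    suspected, at_risk = set(), set()
    visited, frontier, iterations = set(compromised), set(compromised), []
    while frontier:
        next_frontier, step = set(), []
        for src in sorted(frontier):
            for name, kind in related_assets(src, relations):
                if name in visited:
                    continue
                visited.add(name)
                asset = assets[name]
                flagged = anomalous(asset) or vulnerable_now(asset) or vulnerable_in_history(asset)
                step.append(Finding(name, kind, src, flagged))
                if flagged:
                    if vulnerable_now(asset) and anomalous(asset):
                        compromised.add(name)
                    elif anomalous(asset):
                        suspected.add(name)
                    else:
                        at_risk.add(name)
                    next_frontier.add(name)   # only flagged assets radiate further
        iterations.append(step)
        frontier = next_frontier
    return compromised, suspected, at_risk, iterations


if __name__ == "__main__":
    compromised, suspected, at_risk, iterations = panoramic_analysis(ASSETS, RELATIONS)
    for i, step in enumerate(iterations, 1):
        print(f"iteration {i}:")
        for f in step:
            print(f"  {f.asset} ({f.relation} with {f.via}): {'flagged' if f.flagged else 'no anomaly'}")
    print("intruded:", sorted(compromised), "suspected:", sorted(suspected), "at risk:", sorted(at_risk))
```

Running it reproduces the walk-through: iteration 1 examines B, C and D from A; iteration 2 examines E (from B) and F and G (from C); iteration 3 examines H and I (from F); the fourth pass finds no unanalyzed related assets and the loop ends with A intruded and B, C and F suspected. D, E, G, H and I are visited but, having no anomaly and no affected version, are not expanded further, which is what bounds the radiation.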
By this method, the rapidly growing number and variety of IT assets can be managed effectively, the security events that IT assets have experienced and the security risks they face can be identified and analyzed effectively, and the following requirements of industries such as finance on asset risk management are met: in IT asset management, the shortcomings of manual entry or of managing equipment only through an asset management system are overcome; a complete asset information file is constructed, so that problems such as IP spoofing can be discovered; when the state or configuration of an IT asset changes, its historical security events and future security risks can be analyzed point by point and line by line at the time level; when the state or configuration of an IT asset changes, the security risks of the IT assets similar to it and of the IT assets related to it can be analyzed point by point and line by line at the spatial level; and when the state or configuration of an IT asset changes, the historically occurring security events and the future security risks of the IT assets similar to it and related to it can be analyzed from point to line to surface across the two levels of time and space.
Based on the above specific implementation manner of the risk analysis method for information assets provided by the embodiment of the present application, the present application further provides a corresponding device, which is introduced from the perspective of functional modularization below.
Referring to fig. 8, a schematic structural diagram of an information asset risk analysis apparatus 800 includes:
an obtaining unit 810, configured to obtain historical security information and current security information of an information asset;
a first determination unit 820 for predicting a first information asset at risk based on the historical security information and determining a second information asset where an abnormality occurs based on the current security information;
a second determining unit 830 for determining related assets of the first information asset and the second information asset;
an iterative analysis unit 840, configured to perform iterative analysis based on the historical security information and the current security information of the related assets until the related assets of the related assets are not predicted to have risks and no abnormality is found.
Optionally, the security information includes at least one of an operation behavior, a security event, vulnerability information, patch information, configuration information, and traffic information.
Optionally, the first determining unit 820 is specifically configured to:
inputting the historical safety information and the current safety information into a pre-trained risk panoramic radiation model;
extracting business features related to information asset safety from the historical safety information and the current safety information through the risk panoramic radiation model;
and predicting a first information asset with risk and a second information asset with abnormity based on the mapping relation between the business characteristics and the asset safety.
Optionally, the apparatus 800 further includes a model training unit, specifically configured to:
acquiring a training sample, wherein the training sample comprises safety information of a sample asset and a safety label, and the safety label is used for identifying whether the sample asset has risks or is abnormal;
training a risk panoramic radiation model by using a machine learning algorithm according to the training sample until a training end condition is met;
the panoramic radiation model takes safety information as input, and takes a prediction result of whether risk exists or whether abnormity occurs as output, the panoramic radiation model comprises an analysis module based on time dimension and an analysis module based on space dimension, the analysis module based on time dimension is used for analyzing according to information including historical safety information and current safety information, and the analysis module based on space dimension is used for analyzing the safety condition of related assets of the sample assets based on the sample assets.
Optionally, the model training unit is further configured to:
collecting log data of the sample asset;
and determining a data attribute tag corresponding to the log data according to the safety analysis service requirement, and using the data attribute tag as the safety information of the sample asset.
Optionally, the second determining unit 830 is specifically configured to:
determining similar assets of the first information asset and the second information asset, assets with interconnection and mutual access relations, assets belonging to the same service system and assets belonging to the same network;
and taking at least one of the similar assets, the assets with interconnection and mutual access relationship and the assets belonging to the same business system and the assets belonging to the same network as related assets of the first information assets and the second information assets.
Optionally, the information assets comprise physical assets and/or logical assets.
Embodiments of the present application further provide a device for implementing risk analysis of IT assets, which may specifically be a server, where the server 900 may generate relatively large differences due to different configurations or performances, and may include one or more Central Processing Units (CPUs) 922 (e.g., one or more processors) and a memory 932, and one or more storage media 930 (e.g., one or more mass storage devices) storing an application 942 or data 944. Memory 932 and storage media 930 can be, among other things, transient storage or persistent storage. The program stored on the storage medium 930 may include one or more modules (not shown), each of which may include a series of instruction operations for the server. Still further, a central processor 922 may be provided in communication with the storage medium 930 to execute a series of instruction operations in the storage medium 930 on the server 900.
The server 900 may also include one or more power supplies 926, one or more wired or wireless network interfaces 950, one or more input-output interfaces 959, and/or one or more operating systems 941, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
The steps performed by the server in the above embodiments may be based on the server structure shown in fig. 9.
The CPU922 is configured to execute the following steps:
acquiring historical safety information and current safety information of information assets;
predicting a first information asset at risk based on the historical security information, and determining a second information asset at which an anomaly has occurred based on the current security information;
determining related assets of the first information asset and the second information asset;
iteratively analyzing based on historical security information and current security information of the related assets until related assets of the related assets are not predicted to be at risk and no anomaly is found.
Optionally, the CPU922 is further configured to execute the steps of any implementation manner of the risk analysis method for information assets provided in the embodiment of the present application.
The embodiment of the application also provides a computer readable storage medium, which is used for storing program codes, and the program codes are used for executing the risk analysis method of the information assets.
Embodiments of the present application further provide a computer program product containing computer readable instructions, which when executed on a computer, cause the computer to perform the method for risk analysis of information assets according to the above aspects.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
It should be understood that in the present application, "at least one" means one or more, "a plurality" means two or more. "and/or" for describing an association relationship of associated objects, indicating that there may be three relationships, e.g., "a and/or B" may indicate: only A, only B and both A and B are present, wherein A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b, or c, may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and these modifications or substitutions do not depart from the scope of the technical solutions of the embodiments of the present application.

Claims (9)

1. A method for risk analysis of an information asset, the method comprising:
acquiring historical safety information and current safety information of information assets; inputting the historical safety information and the current safety information into a pre-trained risk panoramic radiation model;
predicting, by the risk panoramic radiation model, a first information asset at risk based on the historical security information, and determining a second information asset at which an anomaly has occurred based on the current security information;
determining related assets of the first information asset and the second information asset;
performing iterative analysis based on historical security information and current security information of the related assets until the related assets of the related assets are not predicted to have risks and no abnormality is found;
wherein the predicting a first information asset at risk based on the historical security information and determining a second information asset at which an anomaly occurred based on the current security information comprises:
extracting business features related to information asset safety from the historical safety information and the current safety information through the risk panoramic radiation model;
predicting a first information asset with risk and a second information asset with abnormity on the basis of the mapping relation between the business characteristics and asset safety;
the panoramic radiation model comprises a time dimension-based analysis module and a space dimension-based analysis module, wherein the time dimension-based analysis module is used for analyzing according to information including historical safety information and current safety information, and the space dimension analysis module is used for analyzing the safety condition of related assets of a sample asset based on the sample asset.
2. The method of claim 1, wherein the security information comprises at least one of operational behavior, security events, vulnerability information, patch information, configuration information, and traffic information.
3. The method of claim 1, wherein the risk panoramic radiation model is trained by:
acquiring a training sample, wherein the training sample comprises safety information of a sample asset and a safety label, and the safety label is used for identifying whether the sample asset has risks or is abnormal;
training a risk panoramic radiation model by using a machine learning algorithm according to the training sample until a training end condition is met;
the panoramic radiation model takes safety information as input, and takes a prediction result of whether the panoramic radiation model has risks or is abnormal as output.
4. The method of claim 3, further comprising:
collecting log data of the sample asset;
and determining a data attribute tag corresponding to the log data according to the safety analysis service requirement, and taking the data attribute tag as the safety information of the sample asset.
5. The method of any of claims 1 to 4, wherein said determining the assets related to the first information asset and the second information asset comprises:
determining similar assets of the first information asset and the second information asset, assets with interconnection and mutual access relations, assets belonging to the same service system and assets belonging to the same network;
and taking at least one of the similar assets, the assets with interconnection and mutual access relations, the assets belonging to the same business system and the assets belonging to the same network as related assets of the first information assets and the second information assets.
6. The method according to any of claims 1 to 4, wherein the information assets comprise physical assets and/or logical assets.
7. An apparatus for risk analysis of an information asset, the apparatus comprising:
an acquisition unit, configured to acquire historical safety information and current safety information of information assets and to input the historical safety information and the current safety information into a pre-trained risk panoramic radiation model;
a first determination unit, configured to predict a first information asset at risk based on the historical security information through a risk panoramic radiation model, and determine a second information asset where an abnormality occurs based on the current security information;
a second determination unit configured to determine related assets of the first information asset and the second information asset;
the iterative analysis unit is used for carrying out iterative analysis on the basis of the historical safety information and the current safety information of the related assets until the related assets of the related assets are not predicted to have risks and are not abnormal;
wherein the predicting a first information asset at risk based on the historical security information and determining a second information asset at which an anomaly occurred based on the current security information comprises:
extracting business features related to information asset safety from the historical safety information and the current safety information through the risk panoramic radiation model;
predicting the first information asset at risk and the second information asset with an abnormality based on the mapping relation between the business features and asset security;
the panoramic radiation model comprises a time dimension-based analysis module and a space dimension-based analysis module, wherein the time dimension-based analysis module analyzes information including the historical security information and the current security information, and the space dimension-based analysis module analyzes, starting from a sample asset, the security condition of the assets related to that sample asset.
8. An apparatus, comprising a processor and a memory:
the memory is used for storing a computer program;
the processor is configured to execute the method for risk analysis of an information asset of any one of claims 1 to 6 according to instructions in the computer program.
9. A computer-readable storage medium for storing a computer program for executing the method for risk analysis of an information asset according to any one of claims 1 to 6.
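The iterative analysis of claims 1, 3 and 5 (seed assets predicted at risk from historical information or abnormal from current information, then examine their related assets, and the related assets of those, until nothing new is flagged) can be illustrated with the following added example; it is not the patent's code. The trained risk panoramic radiation model is replaced by constructed threshold rules over a few business features, and all asset names, relations and security records are constructed sample data.

```python
from collections import deque
# Constructed relations of the four kinds in claim 5: similar, mutual access, same system, same network.
RELATIONS = {
    "web-01": {"similar": ["web-02"], "access": ["db-01"], "system": ["app-01"], "network": []},
    "web-02": {"similar": ["web-01"], "access": ["db-01"], "system": ["app-01"], "network": []},
    "db-01": {"similar": [], "access": ["web-01", "web-02"], "system": ["app-01"], "network": ["bak-01"]},
    "app-01": {"similar": [], "access": [], "system": ["web-01", "web-02", "db-01"], "network": []},
    "bak-01": {"similar": [], "access": [], "system": [], "network": ["db-01"]},
    "hr-01": {"similar": [], "access": [], "system": [], "network": []},
}
# Constructed security information per asset: first two keys are historical tags (claim 4), last two current.
INFO = {
    "web-01": {"unpatched_cves": 4, "past_incidents": 0, "failed_logins_per_hour": 10, "new_ports": 0},
    "web-02": {"unpatched_cves": 1, "past_incidents": 0, "failed_logins_per_hour": 80, "new_ports": 0},
    "db-01": {"unpatched_cves": 2, "past_incidents": 1, "failed_logins_per_hour": 0, "new_ports": 0},
    "app-01": {"unpatched_cves": 0, "past_incidents": 0, "failed_logins_per_hour": 0, "new_ports": 0},
    "bak-01": {"unpatched_cves": 1, "past_incidents": 0, "failed_logins_per_hour": 5, "new_ports": 0},
    "hr-01": {"unpatched_cves": 0, "past_incidents": 0, "failed_logins_per_hour": 0, "new_ports": 0},
}

def predict_risk(rec):
    """Constructed stand-in for the model's time-dimension prediction on historical features."""
    return rec.get("unpatched_cves", 0) >= 3 or rec.get("past_incidents", 0) >= 1

def predict_anomaly(rec):
    """Constructed stand-in for the model's anomaly prediction on current security information."""
    return rec.get("failed_logins_per_hour", 0) >= 50 or rec.get("new_ports", 0) >= 1

def related_assets(asset, relations=RELATIONS):
    """Union of the four relation kinds of claim 5 for one asset."""
    return {r for kind in relations.get(asset, {}).values() for r in kind}

def analyze(scope, info=INFO, relations=RELATIONS):
    """Claim 1: flag at-risk/abnormal assets in scope, then examine related assets round by round."""
    at_risk = {a for a in scope if predict_risk(info.get(a, {}))}      # first information assets
    abnormal = {a for a in scope if predict_anomaly(info.get(a, {}))}  # second information assets
    flagged = at_risk | abnormal
    examined, frontier, rounds = set(flagged), deque(flagged), 0
    while frontier:  # stops when no related asset of the last round's assets is flagged
        rounds += 1
        new_flags = set()
        for _ in range(len(frontier)):
            for rel in related_assets(frontier.popleft(), relations) - examined:
                examined.add(rel)
                if predict_risk(info.get(rel, {})) or predict_anomaly(info.get(rel, {})):
                    new_flags.add(rel)
        flagged |= new_flags
        frontier.extend(new_flags)  # related assets of related assets (claim 1)
    return {"at_risk": at_risk, "abnormal": abnormal, "flagged": flagged, "examined": examined, "rounds": rounds}
```

With the scope `["web-01", "web-02"]`, web-01 is flagged from its historical record and web-02 from its current record; the first round reaches db-01 (flagged through its past incident) and app-01, the second round reaches bak-01 and flags nothing, so the iteration stops and the unrelated hr-01 is never examined.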
CN201911025955.1A 2019-10-25 2019-10-25 Risk analysis method, device, equipment and medium for information assets Active CN110766329B (en)


Publications (2)

Publication Number Publication Date
CN110766329A CN110766329A (en) 2020-02-07
CN110766329B true CN110766329B (en) 2022-08-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant