CN118012775A - Reinforcing test method based on kernel protection server data - Google Patents
Reinforcing test method based on kernel protection server data
- Publication number: CN118012775A (application CN202410263140.1A)
- Authority: CN (China)
- Prior art keywords: data, generate, attack, threat, confidence
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
- G06F11/3672—Test management
- G06F11/3688—Test management for test execution, e.g. scheduling of test suites
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Abstract
The invention relates to the technical field of hardening (reinforcement) tests, in particular to a hardening test method based on kernel-protected server data. The method comprises the following steps: performing traffic state analysis on the kernel log file to generate comprehensive anomalous traffic data; designing attack payloads based on the comprehensive anomalous traffic data to generate attack payload data; performing threat exploitation probability analysis on threat intelligence data to generate threat exploitation probability data; formulating a hardening policy based on the attack payload data and the threat exploitation probability data to generate hardening policy data; performing a repair necessity assessment based on the comprehensive payload attack report and the hardening policy data to generate a repair necessity score; and transmitting the hardening policy data and the repair necessity score to the terminal to generate a hardening test report. The invention acquires threat intelligence data, designs attack payloads and runs simulated attacks, so that vulnerability threats are perceived in advance and the accuracy of the hardening test is improved.
Description
Technical Field
The invention relates to the technical field of hardening tests, in particular to a hardening test method based on kernel-protected server data.
Background
The server kernel is the core of the operating system: it manages hardware resources and performs the most privileged operations. The data held by the kernel is therefore typically the most sensitive, including access control lists, user credentials and encryption keys, and once the kernel is attacked or compromised, the security of the entire system is compromised. Kernel protection testing helps ensure the overall security of the system, and securing the kernel reduces the system's attack surface. However, conventional hardening test methods based on kernel-protected server data focus mainly on known vulnerabilities, or lack real-time capability, so the hardening test result is inaccurate and false negatives are produced.
Disclosure of Invention
Based on this, it is necessary to provide a hardening test method based on kernel-protected server data that solves at least one of the above technical problems.
In order to achieve the above object, a hardening test method based on kernel-protected server data comprises the following steps:
Step S1: obtaining a kernel log file; performing traffic state analysis on the kernel log file to generate comprehensive anomalous traffic data; designing attack payloads based on the comprehensive anomalous traffic data to generate attack payload data;
Step S2: acquiring threat intelligence data; clustering the threat intelligence data to generate high-confidence data and low-confidence data; performing confidence correction on the high-confidence data and the low-confidence data to generate high-confidence corrected data and low-confidence corrected data;
Step S3: constructing a potential threat model based on the high-confidence corrected data and the low-confidence corrected data; performing threat exploitation probability analysis with the potential threat model to generate threat exploitation probability data;
Step S4: performing attack simulation based on the attack payload data and the threat exploitation probability data to generate a comprehensive payload attack report; formulating a hardening policy based on the comprehensive payload attack report to generate hardening policy data;
Step S5: performing a repair necessity assessment based on the comprehensive payload attack report and the hardening policy data to generate a repair necessity score; and transmitting the hardening policy data and the repair necessity score to the terminal to generate a hardening test report.
Acquiring the kernel log file gives the invention a detailed view of the running state and potential problems of the system. Analysing the traffic state recorded in the kernel log helps detect abnormal activity such as network attacks and anomalous accesses, so that potential threats are discovered early and the attack surface is reduced. Summarising the traffic state analysis into comprehensive anomalous traffic data provides an overall view of the system's security state, and analysing that data allows specific attack payloads to be designed that simulate potential attack scenarios, which supports testing the system's weaknesses and preparing defensive strategies. Threat intelligence data is acquired to better understand the current threat situation, including known attack patterns and attacker behaviour. Clustering the threat intelligence data into high-confidence and low-confidence data lets security staff concentrate on the most threatening information, and correcting the confidence of the data improves its accuracy and reliability so that the most important information is filtered out. Combining the high-confidence corrected data with the low-confidence corrected data, a potential threat model is constructed for predicting possible threat situations, and the threat exploitation probability data it generates helps evaluate the potential impact of each threat, so that the administrator knows which threats carry more risk and can take measures more purposefully. Attack simulation with the attack payload data and the threat exploitation probability data evaluates the system's resistance to various attacks and helps reveal potential vulnerabilities.
Hardening policies formulated from the attack report improve the security of the system, including, for example, repairing known vulnerabilities, enforcing access control and other security measures. Evaluating the attack report together with the hardening policy data determines which problems must be resolved urgently. The hardening test report provides comprehensive information about the security of the system, including vulnerabilities, repair policies and repair necessity scores, which helps in understanding the system's security status. Therefore, the hardening test method based on kernel-protected server data constructs a potential threat model from threat intelligence data and discovers hidden vulnerabilities and weaknesses in time; the attack payloads are designed to simulate attacks so that the likelihood of hidden vulnerabilities being exploited is determined, and the accuracy of the hardening test is improved.
Preferably, step S1 comprises the steps of:
Step S11: obtaining a kernel log file;
Step S12: performing traffic state analysis on the kernel log file to generate normal traffic data and anomalous traffic data;
Step S13: performing source tracing on the normal traffic data to generate hidden anomalous traffic data;
Step S14: supplementing the anomalous traffic data with the hidden anomalous traffic data to generate comprehensive anomalous traffic data;
Step S15: designing attack payloads based on the comprehensive anomalous traffic data to generate attack payload data.
The kernel log file obtained by the method is a record of system activity and events and an important data source for evaluating system health and security. Analysing the traffic state in the kernel log distinguishes normal from anomalous network traffic, which helps discover potential attacks, faults or system anomalies. Source tracing of the normal traffic data reveals hidden anomalous traffic, that is, anomalies that cannot be identified immediately, giving a fuller picture of the risks in the system. The identified anomalous traffic is then supplemented with the hidden anomalous traffic to produce comprehensive anomalous traffic data that describes the system's anomalies more accurately. Based on the comprehensive anomalous traffic data, various attack payloads are designed, providing the basis for simulating potential attacks and testing the weaknesses and security of the system.
Preferably, step S13 comprises the steps of:
Step S131: extracting the access counts from the normal traffic data to generate access count data;
Step S132: tagging the access count data against a preset access count threshold: when the access count is less than or equal to the preset threshold, low-access tag data is generated; when it is greater than the preset threshold, high-access tag data is generated;
Step S133: performing source tracing on the normal traffic data according to the low-access tag data to generate low-access traffic tracing data;
Step S134: analysing the low-access traffic tracing data to generate low-access anomalous traffic data;
Step S135: performing access habit analysis on the normal traffic data according to the high-access tag data to generate special access habit data;
Step S136: integrating the low-access anomalous traffic data and the special access habit data to generate hidden anomalous traffic data.
Extracting the access counts from the normal traffic shows which resources receive how much attention and helps characterise the behaviour of users and of the system. Tagging based on the access counts separates traffic into categories such as low access and high access for easier subsequent analysis. Source tracing of the low-access tag data reveals where low-access traffic comes from, helping to determine which resources or users may be overlooked or problematic, and analysing the low-access traffic tracing data detects anomalies within low-access traffic so that potential problems or threats are found early. Analysing the high-access tag data identifies special access habits and unusual behaviour patterns, which helps detect abuse or anomalies. Integrating the low-access anomalous traffic data with the special access habit data yields hidden anomalous traffic data that may contain anomalous behaviour hidden inside normal traffic, supporting more comprehensive risk identification.
Preferably, step S134 comprises the steps of:
Step S1341: performing IP address statistics on the kernel log file to generate IP address distribution data;
Step S1342: classifying the low-access traffic tracing data using the IP address distribution data to generate low-access region address data and high-access region address data;
Step S1343: performing communication behaviour analysis on the low-access region address data to generate low-access region anomaly data;
Step S1344: extracting request information from the high-access region address data to generate request information data;
Step S1345: computing a rationality value for the request information data with the request rationality calculation formula to generate a request rationality score;
Step S1346: performing anomalous access analysis on the high-access region address data using the request rationality score to generate high-access region anomaly data;
Step S1347: fusing the low-access region anomaly data and the high-access region anomaly data to generate comprehensive anomalous traffic data.
IP address statistics over the kernel log file show how IP addresses are distributed across the network traffic, which helps determine which addresses generate most of the traffic and identify potential problem sources. Classifying the low-access traffic tracing data with the IP address distribution data splits it into low-access region addresses and high-access region addresses, so that attention is focused on specific regions. Analysing the communication behaviour of the low-access region address data helps detect potentially anomalous behaviour such as unauthorised access or other security issues. Extracting the request information of the high-access region addresses allows the nature of these requests to be analysed further, which helps separate normal from anomalous requests. Computing the request rationality score gives a quantitative assessment of the rationality of each request, indicating which requests are normal and which are likely anomalous, and applying the score in the anomalous access analysis of the high-access region address data detects suspicious requests and behaviour early. Fusing the low-access region anomaly data with the high-access region anomaly data produces comprehensive anomalous traffic data that covers the various anomalies in the network traffic.
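The following Python script is an added worked example and not code from the patent. It runs the access-count tagging of steps S131 to S133 and the region classification, communication-behaviour check, request rationality scoring and fusion of steps S1341 to S1347 over a few constructed kernel-log lines in netfilter LOG format (what a Linux kernel log receives from an iptables/nftables LOG rule; that the patent's kernel log looks like this is an assumption). The /16 prefix standing in for a geographic region, the access and region thresholds, the set of expected service ports and the share-of-expected-ports rationality score are all assumptions made for illustration; the patent's own rationality formula is not reproduced.

```python
import re
from collections import Counter, defaultdict

# Constructed kernel-log lines (an assumption about the log source: netfilter LOG
# entries as written by an iptables/nftables LOG rule; real lines carry more fields).
KERNEL_LOG = """\
Mar 10 09:00:01 srv kernel: [1001.1] IN=eth0 OUT= SRC=10.1.2.3 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=443
Mar 10 09:00:02 srv kernel: [1001.2] IN=eth0 OUT= SRC=10.1.2.3 DST=10.0.0.5 PROTO=TCP SPT=51001 DPT=443
Mar 10 09:00:03 srv kernel: [1001.3] IN=eth0 OUT= SRC=10.1.2.3 DST=10.0.0.5 PROTO=TCP SPT=51002 DPT=443
Mar 10 09:00:04 srv kernel: [1001.4] IN=eth0 OUT= SRC=10.1.2.3 DST=10.0.0.5 PROTO=TCP SPT=51003 DPT=443
Mar 10 09:00:05 srv kernel: [1001.5] IN=eth0 OUT= SRC=10.1.2.4 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=443
Mar 10 09:00:06 srv kernel: [1001.6] IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=4444 DPT=22
Mar 10 09:00:07 srv kernel: [1001.7] IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=4445 DPT=23
Mar 10 09:00:08 srv kernel: [1001.8] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=50500 DPT=443
Mar 10 09:00:09 srv kernel: [1001.9] IN=eth0 OUT= SRC=10.1.2.3 DST=10.0.0.5 PROTO=TCP SPT=51004 DPT=3306
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)")


def parse_kernel_log(text):
    """Steps S11/S12: turn netfilter LOG lines into (src, dst, proto, dport) records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return records


def region_of(ip):
    """Assumed stand-in for a geographic region: the /16 prefix of the source address."""
    return ".".join(ip.split(".")[:2])


def analyse(text, access_threshold=3, region_threshold=3,
            expected_ports=frozenset({443}), rationality_threshold=0.5):
    records = parse_kernel_log(text)

    # S131/S132: per-source access counts and low/high access tags.
    access_counts = Counter(src for src, *_ in records)
    ports_by_src = defaultdict(set)
    for src, _dst, _proto, dpt in records:
        ports_by_src[src].add(dpt)
    low_sources = {s for s, n in access_counts.items() if n <= access_threshold}
    high_sources = set(access_counts) - low_sources

    # S1341: address distribution per region; S1342: split the low-access sources
    # by whether their region as a whole is busy.
    region_counts = Counter()
    for src, n in access_counts.items():
        region_counts[region_of(src)] += n
    low_region = {s for s in low_sources if region_counts[region_of(s)] < region_threshold}
    high_region = low_sources - low_region

    # S1343: a quiet source in a quiet region that talks to ports the server does not
    # serve is the communication-behaviour anomaly this example looks for.
    low_region_anomalies = {s: sorted(ports_by_src[s] - expected_ports)
                            for s in low_region if ports_by_src[s] - expected_ports}

    # S1344-S1346: for quiet sources inside a busy region, score request rationality
    # as the share of requests that hit expected ports (an assumed stand-in for the
    # patent's formula) and flag sources below the threshold.
    rationality = {}
    for s in high_region:
        hits = [dpt for src, _d, _p, dpt in records if src == s]
        rationality[s] = sum(d in expected_ports for d in hits) / len(hits)
    high_region_anomalies = {s: r for s, r in rationality.items() if r < rationality_threshold}

    # S135: busy sources whose habit includes a port they normally never touch.
    special_habits = {s: sorted(ports_by_src[s] - expected_ports)
                      for s in high_sources if ports_by_src[s] - expected_ports}

    # S1347/S136: fuse the three views into the hidden anomalous traffic data.
    hidden = {}
    hidden.update({s: ("low-region", v) for s, v in low_region_anomalies.items()})
    hidden.update({s: ("high-region", v) for s, v in high_region_anomalies.items()})
    hidden.update({s: ("special-habit", v) for s, v in special_habits.items()})
    return {
        "access_counts": dict(access_counts),
        "low_sources": low_sources,
        "high_sources": high_sources,
        "region_counts": dict(region_counts),
        "rationality": rationality,
        "hidden_anomalies": hidden,
    }


if __name__ == "__main__":
    for src, (kind, detail) in analyse(KERNEL_LOG)["hidden_anomalies"].items():
        print(f"{src}: {kind} {detail}")
```

On the constructed log, 10.1.2.3 is the only high-access source and is flagged because its habit suddenly includes port 3306; 203.0.113.9 is a quiet source from a quiet region probing 22 and 23; 10.1.2.4 is quiet but sits in the busy 10.1.0.0/16 region and only touches 443, so its rationality score of 1.0 keeps it out of the anomaly set. Thresholds that separate "low" from "high" access should be set from the observed distribution of the real log rather than fixed constants.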
Preferably, the request rationality calculation formula in step S1345 is as follows:
where R is the request rationality score, T1 is the request start time, T2 is the request end time, N(T) is the total number of requests in time period T, t is the duration of time period T, a_t is the weight of time period t, τ0 is the start time of the time period, τ is its end time, c_s is the network fluctuation value at time s, e is the base of the natural logarithm, b_s is the request density value at time s, β is the request type weight, n is the total number of request time periods, y_i is the i-th request type, and ω is the deviation adjustment term of the request rationality score.
The invention constructs a request rationality calculation formula for computing rationality values of the request information data and generating request rationality scores. The formula takes into account the request start time T1, the request end time T2, the total number of requests N(T) in time period T, the duration t of the period, the period weight a_t, the period start time τ0 and end time τ, the network fluctuation value c_s at time s, the base e of the natural logarithm, the request density b_s at time s, the request type weight β, the total number n of request time periods, the i-th request type y_i, the deviation adjustment term ω and the interactions among these variables, forming a functional relation with the following properties.
The request-density term built from N(T) and t reflects the dynamics of the request density: if N(T) fluctuates significantly within a short period t, the request density fluctuates sharply, meaning that requests are frequent and the rationality of the requests is likely reduced. The weight a_t expresses the importance of different time periods: longer periods may be considered more important, so a_t adjusts the contribution of each period to the overall rationality score, and by tuning a_t different weights can be assigned to different periods to reflect their actual impact on system performance. The network-condition term built from c_s and b_s relates network conditions to the distribution of requests: network fluctuation affects the success rate and latency of requests, while the request density expresses how concentrated the requests are, so this term allows the impact of network conditions on request rationality to be evaluated more fully and supports accurate evaluation under different network fluctuation conditions. The request type y_i captures the effect of the request type on rationality, since different request types affect server data differently; by adjusting β and y_i, the rationality score is weighted according to the importance of the request type. The functional relation therefore evaluates the request rationality score of each user accurately, so that anomalous access data is selected more precisely from the high-access region address data and the accuracy of the hardening test is improved.
The deviation adjustment term ω is used to adjust and correct the functional relation, for example for request failures or performance degradation caused by hardware faults, or for effects of external events on server availability, reducing the influence of erroneous data or error terms so that the request rationality score R is generated more accurately and the rationality evaluation of different users' request data is more accurate and reliable. Each weight and adjustment value in the formula can be tuned to the actual situation and applied to the request information data of different users, which improves the flexibility and applicability of the algorithm.
Preferably, step S2 comprises the steps of:
Step S21: constructing a threat intelligence network using blockchain technology; acquiring threat intelligence data from the threat intelligence network;
Step S22: performing sentiment and semantic analysis on the threat intelligence data to generate reliable intelligence data; structuring the reliable intelligence data to generate structured intelligence data;
Step S23: clustering the structured intelligence data to generate high-confidence data and low-confidence data;
Step S24: performing submission time analysis on the high-confidence data to generate submission time distribution data; performing confidence correction on the high-confidence data based on the submission time distribution data to generate high-confidence corrected data;
Step S25: extracting low-frequency vocabulary from the low-confidence data to generate special vocabulary data; screening the low-confidence data with the special vocabulary data to generate special low-confidence data;
Step S26: performing submitter association analysis between the special low-confidence data and the high-confidence corrected data to generate submitter association data; performing confidence correction on the special low-confidence data according to the submitter association data to generate low-confidence corrected data.
Establishing a distributed, tamper-resistant threat intelligence network protects the security and traceability of the data: the data is harder to tamper with and therefore more trustworthy, and sharing and collaboration become possible, so that data providers and consumers can exchange intelligence with confidence. Sentiment and semantic analysis helps understand the tendency and meaning of the intelligence and provides more context, and structuring makes the data easy to process and query. Clustering separates the intelligence into high-confidence and low-confidence data, making its quality explicit, which reduces false alarms and improves the accuracy of the intelligence. Submission time analysis takes the timeliness of the data into account and ensures that high-confidence data is still valuable; confidence correction improves reliability and ensures that the most important intelligence receives full attention. Extracting low-frequency and special vocabulary helps identify latent information or trends in new fields, and screening rejects irrelevant intelligence so that the data is more focused and useful. Submitter association analysis finds relationships between the publishers of high-confidence data and of special low-confidence data: for example, if the publisher of a special low-confidence record is found to be the same as the publisher of a high-confidence record, the confidence of the low-confidence record can be raised by confidence correction so that the potential threat is evaluated better.
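The following Python script is an added worked example, not code from the patent, of steps S23 to S26 on constructed threat intelligence records. The blockchain network of S21 and the sentiment analysis of S22 are not reproduced; each record simply arrives with a numeric score (an assumption). The clustering is a two-centroid k-means on that score, the time correction uses the median age of the high-confidence set as a half-life, the low-frequency vocabulary is the set of terms that occur in exactly one record, and an associated low-confidence record is pulled halfway toward its submitter's mean corrected high-confidence score; all four rules are choices made for illustration, not the patent's.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed threat-intelligence records (the score stands in for the output of
# the sentiment/semantic step; age_days is days since submission).
INTEL = [
    {"id": "r1", "submitter": "cert-a", "age_days": 2, "score": 0.92,
     "text": "credential phishing against vpn portals with lookalike domains"},
    {"id": "r2", "submitter": "cert-a", "age_days": 10, "score": 0.85,
     "text": "ssh brute force from a botnet rotating residential proxies"},
    {"id": "r3", "submitter": "vendor-b", "age_days": 30, "score": 0.80,
     "text": "web shell dropped through an unpatched upload handler"},
    {"id": "r4", "submitter": "anon-1", "age_days": 1, "score": 0.30,
     "text": "ssh brute force from a botnet"},
    {"id": "r5", "submitter": "anon-2", "age_days": 5, "score": 0.25,
     "text": "kernel rootkit hides sockets via hooked netlink"},
    {"id": "r6", "submitter": "cert-a", "age_days": 3, "score": 0.20,
     "text": "lookalike domains now serve malware downloads"},
]


def split_by_confidence(records):
    """Step S23: two-centroid k-means on the one-dimensional score. The centroids
    start at the minimum and maximum score and are re-estimated until stable."""
    scores = [r["score"] for r in records]
    lo, hi = min(scores), max(scores)
    while True:
        low = [r for r in records if abs(r["score"] - lo) <= abs(r["score"] - hi)]
        high = [r for r in records if r not in low]
        if not low or not high:  # degenerate input: all scores identical
            return high, low
        new_lo = sum(r["score"] for r in low) / len(low)
        new_hi = sum(r["score"] for r in high) / len(high)
        if (new_lo, new_hi) == (lo, hi):
            return high, low
        lo, hi = new_lo, new_hi


def time_correction(high):
    """Step S24: the submission-time distribution of the high-confidence set sets
    the decay; its median age is used as a half-life (an assumed choice)."""
    half_life = statistics.median([r["age_days"] for r in high])
    corrected = {r["id"]: r["score"] * 0.5 ** (r["age_days"] / half_life) for r in high}
    return corrected, half_life


def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def screen_special(records, low):
    """Step S25: terms that occur in exactly one record form the low-frequency
    vocabulary; low-confidence records carrying such a term are 'special'."""
    df = Counter(t for r in records for t in tokens(r["text"]))
    rare = {t for t, n in df.items() if n == 1}
    return [r for r in low if tokens(r["text"]) & rare]


def submitter_correction(special, high_corrected, records):
    """Step S26: if a special low-confidence record's submitter also contributed
    high-confidence records, pull its score toward that submitter's mean corrected
    high-confidence score (the averaging rule is an assumption)."""
    by_submitter = defaultdict(list)
    for r in records:
        if r["id"] in high_corrected:
            by_submitter[r["submitter"]].append(high_corrected[r["id"]])
    corrected = {}
    for r in special:
        peers = by_submitter.get(r["submitter"])
        corrected[r["id"]] = (r["score"] + statistics.mean(peers)) / 2 if peers else r["score"]
    return corrected


def correct_intel(records):
    high, low = split_by_confidence(records)
    high_corrected, half_life = time_correction(high)
    special = screen_special(records, low)
    low_corrected = {r["id"]: r["score"] for r in low}
    low_corrected.update(submitter_correction(special, high_corrected, records))
    return {"high": high_corrected, "low": low_corrected,
            "special_low": {r["id"] for r in special}, "half_life_days": half_life}


if __name__ == "__main__":
    out = correct_intel(INTEL)
    for bucket in ("high", "low"):
        for rid, score in sorted(out[bucket].items()):
            print(f"{bucket:4} {rid} {score:.3f}")
```

Record r4 repeats only words already present in r2, so it carries no low-frequency vocabulary and keeps its original score; r5 is special but its submitter has no high-confidence record, so it is unchanged; r6 is special and shares a submitter with r1 and r2, so its score rises from 0.20 to about 0.41. Note that the time correction pushes the 30-day-old r3 below some of the "low" records, which is the intended effect of weighting timeliness but should be reviewed before such a record is dropped.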
Preferably, step S3 comprises the steps of:
Step S31: vectorising the features of the high-confidence corrected data and the low-confidence corrected data to generate high-confidence vector data and low-confidence vector data;
Step S32: performing dimensionality-reduction fusion of the high-confidence vector data and the low-confidence vector data to generate reduced intelligence data; designing an attention mechanism from the confidence levels in the reduced intelligence data to generate a model attention mechanism;
Step S33: constructing a threat network model from the reduced intelligence data based on the model attention mechanism;
Step S34: performing association path analysis on the threat network model to generate association path data; performing entity dependency analysis on the threat network model to generate entity dependency data;
Step S35: compensating the association path data with the entity dependency data to generate compensated association path data;
Step S36: training the threat network model with the compensated association path data to generate a potential threat model;
Step S37: performing threat exploitation probability analysis with the potential threat model to generate threat exploitation probability data.
Converting the high-confidence and low-confidence corrected data into feature vectors makes the intelligence easier for a machine learning model to process and analyse, turning it into numerical form that an algorithm can handle. Dimensionality-reduction fusion of the two vector sets reduces the data dimension and the computational cost while retaining the key information. Designing an attention mechanism from the confidence levels in the reduced data highlights important information and improves the subsequent analysis. The threat network model built from the reduced data and the attention mechanism captures the associations and dependencies between threats, so that the threat network can be analysed more systematically and the nature and behaviour patterns of threats better understood. Association path analysis and entity dependency analysis on the model reveal the propagation paths of threats and the associated entities, and compensating the association path data with the entity dependency data corrects or supplements it so that the analysis is more comprehensive and accurate. Training the threat network model on the compensated association path data produces a more accurate potential threat model that predicts and identifies threats better, and the threat exploitation probability analysis performed with it evaluates the probability that a threat is actually exploited, so that corresponding defensive measures can be taken.
Preferably, step S4 comprises the steps of:
step S41: constructing a virtual environment; performing attack simulation on the virtual environment by using the attack load data to generate a first load attack report;
step S42: carrying out load updating design on attack load data according to threat utilization probability data to generate threat attack load;
step S43: performing threat attack simulation on the virtual environment data based on the threat attack load to generate a second load attack report;
Step S44: performing similar attack analysis on the first load attack report and the second load attack report to generate a comprehensive load attack report;
Step S45: and carrying out reinforcement strategy formulation according to the comprehensive load attack report to generate reinforcement strategy data.
By constructing the virtual environment and performing attack simulation, the invention can evaluate how the system performs when it is attacked, which helps to find potential loopholes and weaknesses and to identify weak links of the system in advance. Updating the attack load according to the threat utilization probability data makes the attack simulation more realistic and closer to the actual threat, which helps to simulate the latest threat forms and improve the defending capability against novel attacks. Performing the simulation with the updated threat attack load and generating the second load attack report evaluates the security of the system more comprehensively, helping to discover the weaknesses of the system and possible coping strategies under different attack scenarios. Performing similar attack analysis on the first and second load attack reports and generating the comprehensive load attack report identifies common attack modes and vulnerabilities, which helps to formulate a more comprehensive, targeted reinforcement strategy. Formulating the reinforcement strategy from the comprehensive load attack report improves the safety of the system in a targeted manner: the measures taken help prevent known and potential threats and reduce the influence of potential attacks on the system.
Preferably, step S5 comprises the steps of:
step S51: carrying out attack cost assessment through the comprehensive load attack report to generate attack cost analysis data;
step S52: performing reinforcement cost evaluation on reinforcement strategy data to generate reinforcement cost data;
Step S53: and carrying out repair necessity assessment on the attack cost analysis data and the reinforcement cost data by using a repair necessity assessment formula to generate a repair necessity score.
Step S54: and transmitting the reinforcement strategy data and the repair necessity score to the terminal to generate a reinforcement test report.
By analyzing the comprehensive load attack report, the invention can estimate the potential cost to the attacker, which helps to understand the economic motivation for attacks, to evaluate the risk to the system and to determine which vulnerabilities or threats are most threatening. Cost evaluation of the formulated reinforcement policies determines the resources and costs required to implement them, helping to decide whether to bear these costs to increase the security of the system. Combining the repair necessity evaluation formula with the attack cost and reinforcement cost data determines which vulnerabilities or threats should be repaired with the highest priority, so that limited security resources are allocated to the most urgent problems and risk is minimized. Transmitting the reinforcement policy data and repair necessity scores to the terminal to generate the reinforcement test report provides a clear action plan; this report may include specific steps and schedules that help ensure that the security of the system is improved and potential threats are reduced.
Preferably, the repair necessity evaluation formula in step S53 is as follows:
Where X is the necessity evaluation score, T1 is the start time of the necessity evaluation, T2 is the end time of the necessity evaluation, Hj(m) is the reinforcement cost at time m, Hg(m) is the attack cost at time m, f(m) is the attack frequency value at time m, V(m) is the vulnerability impact level value at time m, O(m) is the threat severity score at time m, g(m) is the vulnerability exposure probability value at time m, E(m) is the vulnerability exposure level value at time m, P(m) is the threat occurrence probability value at time m, and the remaining symbol is the bias adjustment value of the necessity evaluation score.
The invention constructs a repair necessity evaluation formula for evaluating the repair necessity of the attack cost analysis data and the reinforcement cost data to generate a repair necessity score. The formula fully considers the start time T1 of the necessity assessment, the end time T2 of the necessity assessment, the reinforcement cost Hj(m) at time m, the attack cost Hg(m) at time m, the attack frequency value f(m) at time m, the vulnerability impact level value V(m) at time m, the threat severity score O(m) at time m, the vulnerability exposure probability value g(m) at time m, the vulnerability exposure level value E(m) at time m, the threat occurrence probability value P(m) at time m, the deviation adjustment value of the necessity assessment score, and the interactions between these variables, to form the following functional relationship:
The difference between the attack cost and the reinforcement cost is obtained through Hg(m) - Hj(m); when this value is positive, the reinforcement cost is larger than the attack cost, the probability that the corresponding vulnerability threat is exploited is larger, the corresponding repair necessity score is larger, and measures are needed to reduce the risk. f(m) represents the possibility of an attack occurring at this point in time: if f(m) is higher, attacks may occur more frequently during this period, which increases the urgency of fixing the vulnerability. V(m) represents the degree of influence on the system after the vulnerability is exploited: if V(m) is larger, the system may be more endangered after exploitation, which also increases the urgency of repairing the vulnerability. O(m) represents the severity of the threat; a higher threat severity score means that the impact of the attack is more severe. The sum of the attack cost and the reinforcement cost, i.e. the total cost, is obtained through Hg(m) + Hj(m); the total cost data helps determine which vulnerability threats pose a greater threat to the security of the server data and therefore require more preferential handling. If g(m) is higher, the vulnerability is more readily exploited by an attacker during this time period; if E(m) is higher, the vulnerability in the system is more readily found; if P(m) is higher, the threat is more likely to occur. The time integral accounts for the change of each relevant parameter of the vulnerability threat over time and thus evaluates the necessity of vulnerability repair dynamically. The functional relation can accurately evaluate, in real time, the repair necessity of the threats found by each test, yielding a repair necessity score that is fed back to the terminal device and helps in making more accurate decisions about what needs repair.
The deviation adjustment value of the necessity evaluation score is used to adjust and modify the functional relation. For example, if the current part of the calculation gives a low necessity score, i.e. the repair has low urgency, but the risk is not already present in the history, then it should be considered whether to apply the deviation adjustment value, so that the error influence caused by the data or by error items is reduced, the necessity evaluation score X is generated more accurately, and the accuracy and reliability of the repair necessity evaluation of the attack cost analysis data and the reinforcement cost data are improved. Meanwhile, the adjustment value in the formula can be adjusted according to actual conditions and applied to the repair necessity evaluation of vulnerabilities of different risk levels, which improves the flexibility and applicability of the algorithm.
The method has the beneficial effect that it acquires the kernel log file, which contains key information about the operation of the system, such as abnormal events and error messages; by retrieving these files, potential problems can be quickly identified. Analyzing the traffic conditions in the kernel log file helps identify anomalies in network traffic, such as large-scale packet transmissions or frequent connection attempts. Integrating the abnormal traffic data into comprehensive abnormal traffic data gives a more complete understanding of possible anomalies in the system. Attack loads are designed based on the abnormal traffic data and can be used to simulate potential attack behavior, so that the vulnerabilities and loopholes of the system can be found. Threat intelligence data includes information about recent threats and attacks from multiple sources and is used to learn about the current threat environment. Clustering the threat intelligence data groups related information together and provides a clearer threat picture. Classifying the intelligence data into high-confidence and low-confidence data focuses attention on the most important and trusted information, and confidence correction of the low-confidence data improves the usability and reliability of the data. The threat model is constructed using the high-confidence data and the low-confidence data, which helps the system better understand the nature of different threats and potential threats. Through probability analysis, the actual utilization probabilities of different threats can be estimated, which helps determine which threats are more likely to threaten the system. The attack load data and the threat utilization probability data are used to simulate actual attack scenarios in order to understand the loopholes and potential attack paths in the system.
An attack report is generated that specifies the simulation result of the attack, which helps to identify the weak points where measures need to be taken. Based on the result of the attack simulation, a reinforcement strategy is formulated to reduce the vulnerability of the system and improve security. The urgency of the vulnerabilities and weaknesses to be repaired in the system is evaluated according to the comprehensive load attack report and the reinforcement strategy data. The reinforcement policy data and repair necessity score are transmitted to the terminal, and a reinforcement test report is generated to verify the effectiveness of the reinforcement measures and the improvement of the system. Therefore, the reinforcement test method based on kernel protection server data constructs a potential threat model through threat information data and discovers hidden vulnerabilities and weaknesses in time. The attack load is designed to simulate the attack, so that the possibility that a hidden bug is exploited is determined, and the accuracy of the reinforcement test is improved.
Drawings
FIG. 1 is a flow chart of the steps of a reinforcement test method based on kernel protection server data;
FIG. 2 is a flowchart illustrating the detailed implementation of step S2 in FIG. 1;
FIG. 3 is a flowchart illustrating the detailed implementation of step S3 in FIG. 1;
FIG. 4 is a flowchart illustrating the detailed implementation of step S4 in FIG. 1;
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
The following is a clear and complete description of the technical method of the present patent in conjunction with the accompanying drawings, and it is evident that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, are intended to fall within the scope of the present invention.
Furthermore, the drawings are merely schematic illustrations of the present invention and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. The functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
It will be understood that, although the terms "first," "second," etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another element. For example, a first element could be termed a second element, and, similarly, a second element could be termed a first element, without departing from the scope of example embodiments. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
To achieve the above objective, please refer to fig. 1 to 4, a reinforcement testing method based on kernel protection server data, the method comprises the following steps:
step S1: obtaining a kernel log file; performing flow state analysis according to the kernel log file to generate comprehensive abnormal flow data; carrying out attack load design based on the comprehensive abnormal flow data to generate attack load data;
Step S2: acquiring threat information data; carrying out data clustering processing on threat information data to generate high-confidence data and low-confidence data; confidence correction is carried out on the high confidence coefficient data and the low confidence coefficient data, and high confidence coefficient correction data and low confidence coefficient correction data are generated;
Step S3: constructing a potential threat model based on the high confidence correction data and the low confidence correction data; threat utilization probability analysis is carried out through a potential threat model, and threat utilization probability data are generated;
Step S4: carrying out attack simulation by utilizing probability data based on attack load data and threat, and generating a comprehensive load attack report; performing reinforcement strategy formulation based on the comprehensive load attack report to generate reinforcement strategy data;
Step S5: performing repair necessity assessment according to the comprehensive load attack report and the reinforcement strategy data to generate a repair necessity score; and transmitting the reinforcement strategy data and the repair necessity score to the terminal to generate a reinforcement test report.
By acquiring the kernel log file, the invention gains deep knowledge of the running condition and potential problems of the system. Analyzing traffic states in the kernel log file helps to detect abnormal activities such as network attacks and abnormal accesses, which helps to discover potential threats early and reduce the attack surface. Summarizing the traffic state analysis result into comprehensive abnormal traffic data provides a comprehensive view of the security state of the system. By analyzing the abnormal traffic data, specific attack loads can be designed for simulating potential attack scenarios, which facilitates testing the vulnerability of the system and preparing the defense strategy. Threat intelligence data is obtained to better understand the current threat situation, including known attack patterns and attacker behavior. Clustering the threat intelligence data classifies it into high-confidence and low-confidence data, enabling security professionals to process the most threatening information more attentively. Correcting the confidence of the data improves its accuracy and reliability, so that the most important information can be further screened out. Combining the high-confidence correction data with the low-confidence correction data, a potential threat model may be constructed for predicting possible threat situations. Generating threat utilization probability data helps to evaluate the potential impact of the threats and lets the system administrator know which threats are riskier, so that measures can be taken more purposefully. Attack simulation using the attack load data and the threat utilization probability data evaluates the resistance of the system to various attacks and helps to reveal potential vulnerabilities. Reinforcement policies are formulated based on the attack reports, which help improve the security of the system.
These include, for example, repairing known vulnerabilities, enforcing access control, and other security measures. By evaluating the attack report and reinforcement policy data, it can be determined which problems need to be resolved urgently to improve the security of the system. The reinforcement test report provides comprehensive information about the security of the system, including vulnerabilities, repair policies and repair necessity scores, and helps to understand the security status of the system. Therefore, the reinforcement test method based on kernel protection server data constructs a potential threat model through threat information data and discovers hidden vulnerabilities and weaknesses in time. The attack load is designed to simulate the attack, so that the possibility that a hidden bug is exploited is determined, and the accuracy of the reinforcement test is improved.
In the embodiment of the present invention, as described with reference to fig. 1, a step flow diagram of a reinforcement test method based on kernel protection server data according to the present invention is provided, and in this example, the reinforcement test method based on kernel protection server data includes the following steps:
step S1: obtaining a kernel log file; performing flow state analysis according to the kernel log file to generate comprehensive abnormal flow data; carrying out attack load design based on the comprehensive abnormal flow data to generate attack load data;
In embodiments of the present invention, the system is configured to record kernel logs, and tools such as rsyslog may be used to manage and store the log data. The network-traffic-related information in the kernel log file is analyzed using log analysis tools such as the ELK Stack (Elasticsearch, Logstash, Kibana) or Splunk. Abnormal traffic data is generated by formulating rules, screening abnormal events and detecting abnormal traffic. Based on the abnormal traffic data and known attack vectors, different types of attack loads, such as SQL injection and cross-site scripting, are designed. Tools such as the Metasploit Framework, OWASP ZAP or Burp Suite are used to generate and test the attack loads.
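As an added example of the rule-based screening described above (this is not code from the patent), the following Python parses constructed kernel log lines in the netfilter LOG format and flags the two anomaly types the description names, frequent connection attempts and large-scale packet transmission. The thresholds, addresses and log lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines in the netfilter LOG target format
# (hypothetical data, not from the patent). 10.0.0.5 makes many connection
# attempts to different ports, 10.0.0.9 sends a burst of very large packets,
# 10.0.0.7 is an ordinary client; the usb line shows that unrelated kernel
# messages are skipped.
SAMPLE_KERN_LOG = """\
Mar  4 10:00:00 srv kernel: [1000.00] usb 1-1: new high-speed USB device
Mar  4 10:00:01 srv kernel: [1001.10] IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Mar  4 10:00:01 srv kernel: [1001.40] IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TTL=64 PROTO=TCP SPT=51001 DPT=23 SYN URGP=0
Mar  4 10:00:02 srv kernel: [1001.80] IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TTL=64 PROTO=TCP SPT=51002 DPT=80 SYN URGP=0
Mar  4 10:00:02 srv kernel: [1002.10] IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TTL=64 PROTO=TCP SPT=51003 DPT=443 SYN URGP=0
Mar  4 10:00:03 srv kernel: [1002.50] IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TTL=64 PROTO=TCP SPT=51004 DPT=3306 SYN URGP=0
Mar  4 10:00:03 srv kernel: [1002.70] IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 LEN=52 TTL=64 PROTO=TCP SPT=40000 DPT=443 SYN URGP=0
Mar  4 10:00:04 srv kernel: [1003.00] IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 LEN=1200 TTL=64 PROTO=TCP SPT=40000 DPT=443 ACK URGP=0
Mar  4 10:00:05 srv kernel: [1004.00] IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=65000 TTL=64 PROTO=UDP SPT=5000 DPT=5001
Mar  4 10:00:05 srv kernel: [1004.20] IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=65000 TTL=64 PROTO=UDP SPT=5000 DPT=5001
Mar  4 10:00:06 srv kernel: [1004.40] IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=65000 TTL=64 PROTO=UDP SPT=5000 DPT=5001
Mar  4 10:00:06 srv kernel: [1004.60] IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=65000 TTL=64 PROTO=UDP SPT=5000 DPT=5001
"""

# Fields we need from a netfilter LOG line; other fields (TTL, ID, ...) are skipped.
LINE_RE = re.compile(
    r"kernel: \[\s*(?P<ts>[\d.]+)\].*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+)"
    r".*?PROTO=(?P<proto>\S+)(?:.*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?P<flags>.*)$"
)


def parse_kernel_log(text):
    """Turn netfilter kernel log lines into traffic records; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        records.append({
            "ts": float(m["ts"]), "src": m["src"], "dst": m["dst"],
            "len": int(m["len"]), "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None,
            "syn": "SYN" in m["flags"].split(),   # a new connection attempt
        })
    return records


def screen_abnormal_traffic(records, max_syn=4, max_bytes=200_000):
    """Rule-based screening with illustrative thresholds (assumptions):
    rule 1, frequent connection attempts: more than max_syn SYN packets from one source;
    rule 2, large-scale packet transmission: more than max_bytes total bytes from one source.
    Returns (abnormal_traffic_data, normal_traffic_records)."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    abnormal, normal = [], []
    for src, recs in by_src.items():
        syns = [r for r in recs if r["syn"]]
        total = sum(r["len"] for r in recs)
        findings = []
        if len(syns) > max_syn:
            findings.append({"src": src, "rule": "frequent_connection_attempts",
                             "count": len(syns),
                             "ports": sorted({r["dpt"] for r in syns})})
        if total > max_bytes:
            findings.append({"src": src, "rule": "large_packet_transmission",
                             "bytes": total})
        if findings:
            abnormal.extend(findings)
        else:
            normal.extend(recs)   # kept as normal traffic for the later source tracing
    return abnormal, normal
```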
Step S2: acquiring threat information data; carrying out data clustering processing on threat information data to generate high-confidence data and low-confidence data; confidence correction is carried out on the high confidence coefficient data and the low confidence coefficient data, and high confidence coefficient correction data and low confidence coefficient correction data are generated;
In an embodiment of the present invention, threat intelligence data is obtained in real time by subscribing to threat intelligence providers using threat intelligence sharing standards (e.g., STIX/TAXII), or by constructing a threat intelligence network based on blockchain technology and setting up a reward mechanism to acquire real-time threat intelligence data. Information from channels such as security news, hacking communities and vulnerability reports is collected and aggregated. The threat intelligence data is classified and grouped using a data analysis tool, and similar data is merged according to the sharing standard. Confidence scores are assigned to the threat intelligence data according to factors such as the credibility and accuracy of the data sources. Confidence correction of the high-confidence data can be performed according to submission time: for example, if the publication times of the high-confidence data are consistent, the confidence of the intelligence can be raised appropriately, and if the publication times are scattered, the confidence of the corresponding intelligence can be lowered appropriately. For low-confidence data, correction may be based on the publisher information: for example, when the publisher of certain low-confidence intelligence is the same as the publisher of certain high-confidence data, the confidence of the low-confidence data may be raised appropriately to improve the accuracy of the data.
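The clustering and the two confidence corrections described above, written out in Python as an added example (not the patent's own code): the feed is split at a confidence threshold, high-confidence items reporting the same indicator are raised or lowered according to how consistent their publication times are, and low-confidence items gain confidence when their publisher also appears among the high-confidence data. The threshold, step sizes, spread limit and all feed entries are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, replace
from statistics import pstdev


@dataclass(frozen=True)
class Intel:
    """One threat intelligence item (all sample values below are constructed)."""
    ioc: str             # indicator the item reports on
    publisher: str       # who published it
    published_at: float  # publication time, hours since the start of the window
    confidence: float    # 0..1, derived from source credibility and accuracy


# Constructed sample feed: three publishers agree on evil.example within hours,
# two reports on 203.0.113.7 are far apart in time, and two items are low confidence.
SAMPLE_INTEL = [
    Intel("evil.example", "VendorA", 10.0, 0.80),
    Intel("evil.example", "VendorB", 11.0, 0.85),
    Intel("evil.example", "ISAC",    12.5, 0.75),
    Intel("203.0.113.7",  "VendorA",  2.0, 0.72),
    Intel("203.0.113.7",  "VendorC", 40.0, 0.90),
    Intel("bad.example",  "VendorA",  9.0, 0.40),
    Intel("x.example",    "Forum",    3.0, 0.30),
]

HIGH_THRESHOLD = 0.7  # assumed boundary between the high and low confidence clusters


def clamp(x):
    return max(0.0, min(1.0, x))


def cluster_by_confidence(items, threshold=HIGH_THRESHOLD):
    """Split the feed into high-confidence and low-confidence data."""
    high = [i for i in items if i.confidence >= threshold]
    low = [i for i in items if i.confidence < threshold]
    return high, low


def correct_high_confidence(high, spread_hours=6.0, step=0.10):
    """Correction by submission time: items reporting the same indicator whose
    publication times are consistent (population std dev <= spread_hours) gain
    `step`; a scattered distribution loses `step`. Both numbers are assumptions."""
    by_ioc = defaultdict(list)
    for it in high:
        by_ioc[it.ioc].append(it)
    corrected = []
    for group in by_ioc.values():
        if len(group) < 2:          # a single report has no distribution to judge
            corrected.extend(group)
            continue
        spread = pstdev([it.published_at for it in group])
        delta = step if spread <= spread_hours else -step
        corrected.extend(replace(it, confidence=clamp(it.confidence + delta)) for it in group)
    return corrected


def correct_low_confidence(low, high, step=0.15):
    """Correction by publisher: a low-confidence item whose publisher also
    appears among the high-confidence data gains `step` (assumed value)."""
    trusted = {it.publisher for it in high}
    return [replace(it, confidence=clamp(it.confidence + step)) if it.publisher in trusted else it
            for it in low]


def correct_feed(items):
    """Whole step S2 pipeline: cluster, then correct each cluster."""
    high, low = cluster_by_confidence(items)
    return correct_high_confidence(high), correct_low_confidence(low, high)
```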
Step S3: constructing a potential threat model based on the high confidence correction data and the low confidence correction data; threat utilization probability analysis is carried out through a potential threat model, and threat utilization probability data are generated;
In the embodiment of the invention, a potential threat model is constructed according to high-confidence data and low-confidence data by using a machine learning or statistical modeling technology, and various data characteristics are considered. And analyzing the potential utilization probability of different threats by using the constructed model, and considering the targets and the capabilities of the attacker. Threat utilization probability data is generated to help determine which threats are more likely to pose a threat to the system.
Step S4: carrying out attack simulation by utilizing probability data based on attack load data and threat, and generating a comprehensive load attack report; performing reinforcement strategy formulation based on the comprehensive load attack report to generate reinforcement strategy data;
In the embodiment of the invention, a virtual environment is constructed, which can be an isolated test environment or a simulated network. The prepared attack load data is applied to the systems and the network in the virtual environment, which may involve deploying malware to a target system, simulating network traffic or performing other offensive actions. Different types of attacks are simulated in the virtual environment, including malware propagation, exploits, denial of service attacks and so on, and the activity and data during the attack are recorded. The network traffic, system logs and other relevant data of the virtual environment are monitored to capture the results of the attack simulation. Based on the result of the attack simulation, a comprehensive load attack report is generated, which includes information such as the attack mode, the affected systems and the attack success rate. Threat analysis is carried out on the comprehensive load attack report, and potential threats and vulnerabilities are identified. Based on the threat analysis results, reinforcement policies are formulated, including fixing vulnerabilities, improving security configurations, implementing access control, enhancing identity verification and the like. The reinforcement policies are prioritized and their execution order is determined according to the severity and potential impact of the threats.
Step S5: performing repair necessity assessment according to the comprehensive load attack report and the reinforcement strategy data to generate a repair necessity score; and transmitting the reinforcement strategy data and the repair necessity score to the terminal to generate a reinforcement test report.
In the embodiment of the invention, the threat influence possibly generated under the condition of not repairing is evaluated by combining the comprehensive load attack report and the reinforcement strategy data. A repair necessity score for each threat or reinforcement policy is calculated based on the evaluated threat impact, the priority of the reinforcement policy, and the availability of resources. This may be accomplished using algorithms or methods that trade off different factors. The generated reinforcement policy data and repair necessity score are transmitted to the terminal device, which may be done by network transmission, data export or other means. At the terminal device, a reinforcement test report is generated using the transmitted data. The report may include repair necessity scores, suggested reinforcement policies, implementation plans, and resource requirements for each threat. Based on the suggestions and priorities in the reinforcement test report, a corresponding reinforcement policy is implemented to improve the security of the system and network. With the implementation of reinforcement measures, the security of the system is continuously monitored, and reinforcement policies and test reports are updated to reflect the latest threat intelligence and system status.
Preferably, step S1 comprises the steps of:
Step S11: obtaining a kernel log file;
Step S12: performing flow state analysis according to the kernel log file to generate normal flow data and abnormal flow data;
Step S13: source tracing is carried out on the normal flow data to generate hidden abnormal flow data;
step S14: performing abnormal data supplementation on the abnormal flow data according to the hidden abnormal flow data to generate comprehensive abnormal flow data;
Step S15: and carrying out attack load design based on the comprehensive abnormal flow data to generate attack load data.
According to the method, the kernel log file, which is obtained first, is a record of system activities and events and an important data source for evaluating system health and safety. Analyzing the traffic state of the kernel log file distinguishes normal from abnormal network traffic, which helps to discover potential attacks, faults or system anomalies. Source tracing of the normal traffic data reveals hidden abnormal traffic, i.e. abnormal conditions that cannot be identified immediately, and helps to understand the potential risks in the system more fully. Combining the hidden abnormal traffic data with the identified abnormal traffic supplements and extends the analysis, generating comprehensive abnormal traffic data that describes the abnormal situation of the system more accurately. Based on the comprehensive abnormal traffic data, various attack load data are designed, providing an important basis for simulating potential attacks and helping to test the weaknesses and security of the system.
In the embodiment of the invention, kernel logging is configured and the kernel log files are automatically collected and archived with a log management tool to ensure the integrity and long-term storage of the data. Network-traffic-related data is extracted from the kernel log file with appropriate tools. By parsing the network traffic information in the kernel log, the attributes of the traffic, such as source IP, destination IP, port, protocol and connection duration, are analyzed. A reference model of normal traffic is established from historical normal traffic data; the reference model may be a statistical model, a machine learning model, a deep learning model or similar. The real-time kernel log data is compared with the reference model to identify traffic that does not match the normal traffic pattern; the unmatched traffic is considered abnormal traffic and is marked to generate the abnormal traffic data. Normal traffic generally conforms to normal network behavior, while abnormal traffic may include extensive connection attempts, unauthorized access attempts and the like. The normal traffic data is analyzed to determine the source IP address or the identity of the source user, and traffic that appears normal but may actually be abnormal is identified; this may include internal threats, potential malicious activity, advanced persistent threats and the like. Tools such as Wireshark and tcpdump can be used to analyze the traffic in depth and detect hidden anomalies. The hidden abnormal traffic data is combined with the original abnormal traffic data to obtain a more comprehensive abnormal traffic data set. Deep analysis of the comprehensive abnormal traffic data then reveals the characteristics of the attack load, such as the protocol type, target port and packet structure of the attack, and provides the basis for designing similar attack loads.
According to the analysis result of the comprehensive abnormal traffic data, a corresponding attack load type is selected, such as malicious packets, code injection or buffer overflow. Multiple attack loads are designed based on the selected type, including different types of exploits, SQL injection, cross-site scripting, buffer overflows and so on. The design process needs to consider the security protection mechanisms of the server system to be bypassed, so as to ensure the validity of the attack load. Various attack tools, such as Metasploit, Burp Suite or OWASP ZAP, may be used to generate and test attack loads. Attacks using the designed attack loads are simulated in a controlled environment, such as a security laboratory or an isolated network. The attack result is recorded, and the designed attack load is optimized based on it.
Preferably, step S13 comprises the steps of:
step S131: extracting the access times of the normal flow data to generate access times data;
step S132: performing data tag design on the access frequency data based on a preset access frequency threshold, and generating low access tag data when the access frequency data is smaller than or equal to the preset access frequency threshold; when the access frequency data is larger than a preset access frequency threshold value, generating high access tag data;
Step S133: performing source tracing on the normal flow data according to the low access tag data to generate low access flow tracing data;
Step S134: performing data analysis on the low-access traffic tracing data to generate low-imitation abnormal traffic data;
Step S135: performing access habit analysis on the normal flow data according to the high access tag data to generate special access habit data;
step S136: and carrying out data integration on the low-imitation abnormal traffic data and the special access habit data to generate hidden abnormal traffic data.
By extracting the access count information from the normal traffic, the invention can identify which resources receive how much attention, which helps to understand the behavior of users or of the system. The tag design based on the access count data separates traffic into categories such as low access and high access, making subsequent analysis and processing easier. Source tracing from the low access tag data reveals the sources of the low-access traffic, helping to determine which resources or users may be overlooked or problematic. Analyzing the low-access traffic tracing data detects abnormal conditions in the low-access data, so potential problems or threats can be found early. Analyzing the high access tag data reveals special access habits and unusual patterns of behavior, and helps detect abuse or anomalies. Integrating the low-imitation abnormal traffic data with the special access habit data creates hidden abnormal traffic data that may contain abnormal behavior hidden in normal traffic, supporting more comprehensive risk identification.
In the embodiment of the invention, key information such as a source IP address, a target IP address, access time and the like is extracted from normal flow data. And counting the access times of each source IP address or user according to the extracted data, and generating access times data. The preset access number threshold is set, typically according to the access frequency of the normal traffic. According to the threshold value, the access times data are divided into two types of labels: low access tags and high access tags. A low access tag indicates that the number of accesses is less than or equal to the threshold, and a high access tag indicates that the number of accesses is greater than the threshold. Normal traffic data with low access tags is analyzed to determine its source IP address or the identity of the user. The identity of the low access source is determined using access records, authentication information, session data, etc. in order to identify potential anomalous behavior. The low access traffic trace data is analyzed to find out the behavior which is inconsistent with the normal access mode, and the behavior may comprise unauthorized access, abnormal data transmission and the like. And integrating the data of the specific abnormal behaviors into low-simulated abnormal flow data. And carrying out special analysis on the normal flow data with the high access tag to search for possible special access habits or abnormal behaviors. Data of special access habits, such as abnormally frequent accesses, irregular operations, and the like, are recorded. And carrying out data integration on the low abnormal flow imitation data and the special access habit data to generate hidden abnormal flow data.
Preferably, step S134 includes the steps of:
Step S1341: performing IP address statistics according to the kernel log file to generate IP address distribution data;
Step S1342: performing data classification on the low-access traffic tracing data by using the IP address distribution data to generate low-access regional address data and high-access regional address data;
Step S1343: performing communication behaviour analysis on the low-access regional address data to generate low-access regional abnormal data;
Step S1344: performing request information extraction based on the high-access regional address data to generate request information data;
Step S1345: performing rationality value calculation on the request information data by using a request rationality calculation formula to generate a request rationality score;
Step S1346: performing abnormal access analysis on the high-access regional address data through the request rationality score to generate high-access regional abnormal data;
Step S1347: performing data fusion on the low-access regional abnormal data and the high-access regional abnormal data to generate comprehensive abnormal traffic data.
Performing IP address statistics over the kernel log file reveals the distribution of IP addresses in the network traffic, which makes it easier to determine which IP addresses generate most of the traffic and to identify potential problem sources. The IP address distribution data is used to classify the low-access traffic tracing data, dividing it into low-access regional addresses and high-access regional addresses so that the traffic of a specific region can be examined in isolation. Analysing the communication behaviour of the low-access regional address data helps to detect potentially anomalous behaviour, which may involve unauthorised access or other security issues. Extracting the request information of the high-access regional addresses supports further analysis of the nature of these requests and helps to separate normal from abnormal requests. Calculating a request rationality score gives a quantitative assessment of the rationality of each request, which helps to determine which requests are normal and which are likely to be abnormal. Using the request rationality score to perform abnormal access analysis on the high-access regional address data helps to detect possible unusual requests and behaviours, so that potential problems are found early. Combining the low-access regional abnormal data with the high-access regional abnormal data creates comprehensive abnormal traffic data, which gives a complete picture of the various abnormal conditions in the network traffic.
In the embodiment of the invention, the data related to the network traffic, including the source IP address and the destination IP address, is extracted from the kernel log file. The extracted data is counted and the occurrence frequency of each IP address is calculated to generate IP address distribution data. Using the IP address distribution data, the IP addresses in the low access traffic tracing data are divided into two kinds according to their frequency in the distribution data: low-access regional addresses and high-access regional addresses. A threshold is set to distinguish the low-access region from the high-access region, typically based on the relative frequency of IP address occurrences. The communication behaviour in the low-access regional address data is analysed, including the frequency of data transmission, packet size and protocol use. Behaviour that is inconsistent with normal communication behaviour, such as abnormally frequent data transfers or irregular protocol use, is identified, and the data of these specific abnormal behaviours is integrated into low-access regional abnormal data for subsequent analysis and processing. The request information in the high-access regional address data is analysed, including the URL, the HTTP headers and the request method, and the extracted request information data is converted into a structured format for subsequent processing and analysis. A preset request rationality calculation formula is used; the formula takes full account of variables such as the total number of requests, the request time period and the network fluctuation value, so that the request rationality score of each user is evaluated accurately. This supports the quick and accurate selection of abnormal access data from the high-access regional address data and improves the accuracy of the subsequent reinforcement test.
In addition to the preset formula, the request rationality score may be evaluated using machine learning models, rule-based systems, behavioural analysis, context-based evaluation and the like. The request rationality score is used to perform abnormal access analysis on the high-access regional address data and to identify unreasonable requests, whose request information data is integrated into high-access regional abnormal data. The low-access regional abnormal data and the high-access regional abnormal data are then merged into one data set that contains the various abnormal behaviours, capturing anomalies from the different perspectives of the low-access region and the high-access region, to generate comprehensive abnormal traffic data.
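The access-count tagging of steps S131 to S136 and the IP-distribution region split of steps S1341 and S1342, as an added worked example that is not the patent's own code. The kernel log lines are constructed in the iptables/netfilter LOG format, and every threshold (access count, burst rate, relative frequency) is an assumption chosen for the example.

```python
"""Access-frequency tagging, low-access tracing and IP-distribution region split.

Added example for steps S131-S136 and S1341-S1342; not the patent's code.
Log lines are constructed in netfilter LOG style; all thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed kernel log lines (iptables LOG target style); addresses are made up.
KERNEL_LOG = """\
Jan 10 09:00:01 host kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40001 DPT=443
Jan 10 09:00:02 host kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40002 DPT=443
Jan 10 09:00:03 host kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40003 DPT=443
Jan 10 09:00:04 host kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40004 DPT=443
Jan 10 09:05:10 host kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=40005 DPT=22
Jan 10 09:10:00 host kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=50001 DPT=443
Jan 10 09:20:00 host kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=50002 DPT=443
Jan 10 09:30:00 host kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=TCP SPT=50003 DPT=443
Jan 10 09:15:00 host kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=60001 DPT=3306
Jan 10 09:16:00 host kernel: IN=eth0 OUT= SRC=10.0.0.11 DST=10.0.0.2 PROTO=TCP SPT=60002 DPT=443
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def parse_kernel_log(text):
    """Extract source, destination, protocol, port and time (seconds of day)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without SRC/DST fields are not flow records
        t = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + int(m["ss"])
        records.append({"src": m["src"], "dst": m["dst"], "proto": m["proto"],
                        "dpt": int(m["dpt"]), "time": t})
    return records


def access_counts(records):
    """S131: number of accesses per source address."""
    return Counter(r["src"] for r in records)


def tag_by_threshold(counts, threshold):
    """S132: 'low' when the count is <= threshold, otherwise 'high'."""
    return {ip: ("low" if n <= threshold else "high") for ip, n in counts.items()}


def trace_low_access(records, tags):
    """S133: for each low-access source, the (destination, port) pairs it touched."""
    trace = defaultdict(set)
    for r in records:
        if tags.get(r["src"]) == "low":
            trace[r["src"]].add((r["dst"], r["dpt"]))
    return dict(trace)


def high_access_habits(records, tags, burst_threshold):
    """S135: per high-access source, the ports used and its busiest one-minute
    window; a source is flagged when it reaches burst_threshold requests/minute."""
    per_minute = defaultdict(Counter)
    ports = defaultdict(set)
    for r in records:
        if tags.get(r["src"]) == "high":
            per_minute[r["src"]][r["time"] // 60] += 1
            ports[r["src"]].add(r["dpt"])
    habits = {}
    for ip, minutes in per_minute.items():
        peak = max(minutes.values())
        habits[ip] = {"ports": ports[ip], "peak_per_minute": peak,
                      "abnormally_frequent": peak >= burst_threshold}
    return habits


def ip_distribution(records):
    """S1341: relative frequency of every address seen as SRC or DST."""
    occ = Counter()
    for r in records:
        occ[r["src"]] += 1
        occ[r["dst"]] += 1
    total = sum(occ.values())
    return {ip: n / total for ip, n in occ.items()}


def split_regions(low_trace, distribution, rel_threshold):
    """S1342: addresses in the low-access trace fall into the low-access region
    or the high-access region depending on their share of all traffic."""
    addrs = set(low_trace)
    for pairs in low_trace.values():
        addrs.update(dst for dst, _ in pairs)
    low = sorted(a for a in addrs if distribution.get(a, 0.0) < rel_threshold)
    high = sorted(a for a in addrs if distribution.get(a, 0.0) >= rel_threshold)
    return low, high


if __name__ == "__main__":
    recs = parse_kernel_log(KERNEL_LOG)
    tags = tag_by_threshold(access_counts(recs), threshold=2)
    print(tags)
    print(trace_low_access(recs, tags))
    print(high_access_habits(recs, tags, burst_threshold=3))
    print(split_regions(trace_low_access(recs, tags), ip_distribution(recs), 0.10))
```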
Preferably, the request rationality calculation formula in step S1345 is as follows:
Where R is the request rationality score, T1 is the request start time, T2 is the request end time, N(t) is the total number of requests in time period t, T is the duration of time period t, a_t is the weight of time period t, τ0 is the start time of time period t, τ is the end time of time period t, c_s is the network fluctuation value at time s, e is the base of the natural logarithm, b_s is the request density value at time s, β is the request type weight, n is the total number of request time periods, y_i is the i-th request type, and ω is the deviation adjustment term of the request rationality score.
The invention constructs a request rationality calculation formula that performs rationality value calculation on the request information data and generates request rationality scores. The formula takes full account of the request start time T1, the request end time T2, the total number of requests N(t) in time period t, the duration T of time period t, the weight a_t of time period t, the start time τ0 of time period t, the end time τ of time period t, the network fluctuation value c_s at time s, the base e of the natural logarithm, the request density value b_s at time s, the request type weight β, the total number n of request time periods, the i-th request type y_i, the deviation adjustment term ω of the request rationality score, and the interactions among these variables, forming the following functional relation:
The term built from N(t) and T describes the dynamics of the request density. If N(t) fluctuates significantly over the time period while T is short, the request density fluctuates severely, meaning that requests are frequent and the rationality of the requests may be decreasing. The introduction of a_t represents the importance of the different time periods. Longer time periods may be considered more important, so a_t can adjust the contribution of each time period to the overall rationality score; by adjusting the value of a_t, different weights can be assigned to different time periods to reflect their actual impact on system performance, so that the importance of different time periods is considered reasonably. The term combining the network fluctuation value c_s and the request density value b_s takes into account the relationship between network conditions and the distribution of requests: the network fluctuation value may affect the success rate and delay of requests, while the request density value represents the concentration of requests. Through this part of the calculation, the impact of network conditions on request rationality is evaluated more fully, which supports system optimisation and allows request rationality to be assessed accurately under different network fluctuation conditions. y_i considers the impact of the request type on request rationality, since different request types may affect server data differently. By adjusting the values of β and y_i, the rationality score can be tuned according to the importance of each request type, which better reflects the impact of different request types. This functional relation can accurately evaluate the request rationality score of each user, so that abnormal access data is selected more accurately from the high-access regional address data and the accuracy of the reinforcement test is improved.
The deviation adjustment term ω of the request rationality score is used to adjust and correct the functional relation, for example for request failures or performance reduction caused by hardware faults, or for effects on server availability caused by external events; this reduces the influence of erroneous data or error terms, so that the request rationality score R is generated more accurately and the accuracy and reliability of the rationality evaluation of request data from different users are improved. At the same time, each weight and adjustment value in the formula can be tuned to the actual conditions and applied to the request information data of different application users, which improves the flexibility and applicability of the algorithm.
Preferably, step S2 comprises the steps of:
Step S21: constructing a threat intelligence network by using blockchain technology; acquiring threat intelligence data based on the threat intelligence network;
Step S22: performing sentiment and semantic analysis on the threat intelligence data to generate reliable intelligence data; performing data structuring on the reliable intelligence data to generate structured intelligence data;
Step S23: performing data clustering on the structured intelligence data to generate high-confidence data and low-confidence data;
Step S24: performing submission time analysis on the high-confidence intelligence data to generate submission time distribution data; performing confidence correction on the high-confidence intelligence data based on the submission time distribution data to generate high-confidence correction data;
Step S25: extracting low-frequency vocabulary from the low-confidence data to generate special vocabulary data; performing data screening on the low-confidence data according to the special vocabulary data to generate special low-confidence data;
Step S26: performing submitter association analysis on the special low-confidence data against the high-confidence correction data to generate submitter association data; performing confidence correction on the special low-confidence data according to the submitter association data to generate low-confidence correction data.
The invention ensures the security and traceability of the data by establishing a distributed, tamper-resistant threat intelligence network. This makes the data more trustworthy and harder to tamper with, and enables data sharing and collaboration, so that data providers and users can exchange intelligence with confidence. Sentiment and semantic analysis helps to understand the emotional tendency and meaning of the intelligence data and thereby provides more context. Data structuring makes the data easy to process and query and improves its usability and readability. Data clustering separates the intelligence data into high-confidence data and low-confidence data, which makes the quality of the data clearer, helps to reduce false alarms and improves the accuracy of the intelligence. Submission time analysis takes the timeliness of the data into account and ensures that high-confidence data is still valuable. Confidence correction improves the reliability of the data and ensures that the most important intelligence receives full attention. Extracting low-frequency and special vocabulary helps to identify potential intelligence in the data or trends in new fields, and data screening rejects irrelevant information so that the data becomes more focused and useful. Submitter association analysis finds relationships between the publishers of high-confidence data and of special low-confidence data; for example, if the publisher of a piece of special low-confidence data turns out to be the same as the publisher of a piece of high-confidence data, the confidence of the low-confidence data can be raised through confidence correction so that the potential threat is evaluated better.
As an example of the invention, referring to fig. 2, step S2 in this example includes:
Step S21: constructing a threat intelligence network by using blockchain technology; acquiring threat intelligence data based on the threat intelligence network;
In the embodiment of the invention, an autonomously running blockchain network is created on which participants can submit threat intelligence data anonymously; the data is encrypted and recorded on the blockchain. Smart contracts can reward contributors according to the quality and importance of their data, encouraging more individuals to share threat intelligence and improving the diversity and timeliness of the data. The anonymity of the data can be protected by zero-knowledge proofs or similar techniques.
Step S22: performing sentiment and semantic analysis on the threat intelligence data to generate reliable intelligence data; performing data structuring on the reliable intelligence data to generate structured intelligence data;
In the embodiment of the invention, sentiment analysis and semantic analysis are applied to the threat intelligence data using natural language processing techniques to determine the sentiment polarity and the semantic content of the data. Threat intelligence data whose sentiment is neutral or positive and whose semantics are clear is selected through this analysis, generating reliable intelligence data. The threat intelligence data is then converted into a structured format with standard fields such as threat type, attack style and affected assets, generating structured intelligence data.
Step S23: performing data clustering on the structured intelligence data to generate high-confidence data and low-confidence data;
In the embodiment of the invention, the structured intelligence data is grouped using a clustering algorithm (such as K-means clustering or hierarchical clustering), dividing the data into clusters by similarity. From the clustering results, structured data that appears more frequently is marked as high-confidence data, while less explicit or uncertain data is marked as low-confidence data.
Step S24: performing submission time analysis on the high-confidence intelligence data to generate submission time distribution data; performing confidence correction on the high-confidence intelligence data based on the submission time distribution data to generate high-confidence correction data;
In the embodiment of the invention, the submission times of the high-confidence intelligence data are analysed to determine the submission time distribution, such as the number of submissions per day, week or month. The confidence of the high-confidence intelligence data is then adjusted based on the submission time distribution data: more evenly distributed data may receive higher confidence, while data generated only during a particular time period may have its confidence lowered. High-confidence data with these confidence adjustments is generated to better reflect the credibility of the data.
Step S25: extracting low-frequency vocabulary from the low-confidence data to generate special vocabulary data; performing data screening on the low-confidence data according to the special vocabulary data to generate special low-confidence data;
In the embodiment of the invention, unusual or special words, which may carry hidden information, are extracted by analysing the text content of the low-confidence data. The low-confidence data is screened against the extracted special words, keeping the data related to them. This generates a low-confidence data set containing special words that may hold potential threat information or unusual intelligence.
Step S26: performing submitter association analysis on the special low-confidence data against the high-confidence correction data to generate submitter association data
In the embodiment of the invention, the submitter information in the high-confidence correction data and in the special low-confidence data is analysed to determine whether there is an association or common point between the submitters. The confidence of the special low-confidence data is then adjusted based on the submitter association data; where an association exists, the reliability of the data may be raised. Low-confidence correction data carrying these confidence adjustments is generated to reflect the credibility of the data more accurately while taking submitter information into account.
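The confidence-correction pipeline of steps S23 to S26, as an added worked example that is not the patent's own code. The intelligence records are constructed; grouping on identical structured fields stands in for the K-means or hierarchical clustering the text mentions (an assumption), and the base confidences, window length, support threshold and association bonus are all assumed values.

```python
"""Confidence correction for threat intelligence records (steps S23-S26).

Added example; not the patent's code. Records are constructed, exact-field grouping
replaces real clustering, and every numeric weight below is an assumption.
"""
import math
from collections import Counter, defaultdict

# Constructed structured records: (submitter, day index, threat_type, attack_style,
# affected_asset, free text).
RECORDS = [
    ("alice", 0, "ransomware", "phishing", "mail-server", "ransomware delivered by phishing to mail server"),
    ("bob",   1, "ransomware", "phishing", "mail-server", "phishing lure drops ransomware on mail server"),
    ("carol", 2, "ransomware", "phishing", "mail-server", "mail server ransomware after phishing"),
    ("dave",  0, "ddos", "botnet", "web-frontend", "botnet ddos against web frontend"),
    ("dave",  0, "ddos", "botnet", "web-frontend", "web frontend ddos from botnet"),
    ("dave",  0, "ddos", "botnet", "web-frontend", "botnet floods web frontend"),
    ("alice", 1, "wiper", "supply-chain", "build-server", "wiper planted through poisoned build artifact"),
    ("eve",   2, "adware", "drive-by", "desktop", "adware popups on desktop via drive-by"),
    ("frank", 2, "ransomware", "phishing", "desktop", "phishing ransomware desktop"),
]
WINDOW_DAYS = 3                  # assumed: submission window covered by the records
MIN_SUPPORT = 2                  # assumed: groups at least this large are high confidence
BASE_HIGH, BASE_LOW = 0.8, 0.3   # assumed base confidences
ASSOCIATION_BONUS = 0.3          # assumed boost when the submitter is also a high-confidence submitter


def structured_key(rec):
    """The standard fields (threat type, attack style, affected asset)."""
    return rec[2:5]


def cluster(records, min_support=MIN_SUPPORT):
    """S23: records whose structured fields recur often enough are high confidence."""
    groups = defaultdict(list)
    for r in records:
        groups[structured_key(r)].append(r)
    high = [r for g in groups.values() if len(g) >= min_support for r in g]
    low = [r for g in groups.values() if len(g) < min_support for r in g]
    return high, low


def evenness(days, window_days=WINDOW_DAYS):
    """Normalised entropy of submissions over the window: 1.0 when perfectly
    spread, 0.0 when every submission fell on the same day."""
    if window_days <= 1:
        return 1.0
    counts = Counter(days)
    n = len(days)
    h = -sum(c / n * math.log(c / n) for c in counts.values())
    return h / math.log(window_days)


def correct_high(high, base=BASE_HIGH):
    """S24: scale each high-confidence group's confidence by its time evenness,
    so a burst submitted on a single day is trusted less than a steady stream."""
    groups = defaultdict(list)
    for r in high:
        groups[structured_key(r)].append(r)
    return {key: round(base * (0.5 + 0.5 * evenness([r[1] for r in g])), 3)
            for key, g in groups.items()}


def special_vocabulary(records, max_freq=1):
    """S25: words that occur in at most max_freq records of the whole corpus."""
    doc_freq = Counter()
    for r in records:
        doc_freq.update(set(r[5].split()))
    return {w for w, n in doc_freq.items() if n <= max_freq}


def screen_low(low, vocab):
    """S25: keep only low-confidence records that mention a special word."""
    return [r for r in low if set(r[5].split()) & vocab]


def correct_low(special_low, high, base=BASE_LOW, bonus=ASSOCIATION_BONUS):
    """S26: raise a special low-confidence record's confidence when its submitter
    also appears among the high-confidence submitters."""
    high_submitters = {r[0] for r in high}
    out = {}
    for r in special_low:
        boost = bonus if r[0] in high_submitters else 0.0
        out[(r[0], structured_key(r))] = round(min(1.0, base + boost), 3)
    return out


if __name__ == "__main__":
    high, low = cluster(RECORDS)
    print(correct_high(high))
    special = screen_low(low, special_vocabulary(RECORDS))
    print(correct_low(special, high))
```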
Preferably, step S3 comprises the steps of:
Step S31: performing feature vectorisation on the high-confidence correction data and the low-confidence correction data to generate high-confidence vector data and low-confidence vector data;
Step S32: performing dimension-reduction fusion on the high-confidence vector data and the low-confidence vector data to generate dimension-reduced intelligence data; designing an attention mechanism from the confidence levels in the dimension-reduced intelligence data to generate a model attention mechanism;
Step S33: constructing a threat network model from the dimension-reduced intelligence data based on the model attention mechanism;
Step S34: performing association path analysis on the threat network model to generate association path data; performing entity dependency analysis on the threat network model to generate entity dependency relationship data;
Step S35: performing association compensation on the association path data according to the entity dependency relationship data to generate compensated association path data;
Step S36: training the threat network model with the compensated association path data to generate a potential threat model;
Step S37: performing threat utilisation probability analysis based on the potential threat model to generate threat utilisation probability data.
By converting the high-confidence correction data and the low-confidence correction data into feature vectors, the invention makes the data easier for a machine learning model to process and analyse, turning the intelligence into a numerical form that algorithms can handle. Dimension-reduction fusion of the high-confidence vector data and the low-confidence vector data lowers the data dimension and the computational cost while keeping the key information. Designing the attention mechanism from the confidence levels in the dimension-reduced intelligence data highlights the important information and improves the subsequent analysis. The threat network model built from the dimension-reduced intelligence data and the model attention mechanism captures the associations and dependencies between threats, so that the threat network can be analysed more systematically and the nature and behaviour patterns of threats understood better. Association path analysis and entity dependency analysis on the threat network model reveal the propagation paths of threats and the related entities. Association compensation of the association path data using the entity dependency relationship data corrects or supplements the path data, making the analysis more complete and accurate. Training the threat network model with the compensated association path data yields a more accurate potential threat model that predicts and identifies threats better. Threat utilisation probability analysis based on the potential threat model estimates the probability that a threat is actually exploited, so that corresponding defensive measures can be taken.
As an example of the invention, referring to fig. 3, step S3 in this example includes:
Step S31: performing feature vectorisation on the high-confidence correction data and the low-confidence correction data to generate high-confidence vector data and low-confidence vector data;
In the embodiment of the invention, features are extracted from the high-confidence correction data and the low-confidence correction data; these may include text features, numerical features and time features. The extracted features are converted into numerical vectors, with text features represented using techniques such as the bag-of-words model or word embeddings, to generate high-confidence vector data and low-confidence vector data.
Step S32: performing dimension-reduction fusion on the high-confidence vector data and the low-confidence vector data to generate dimension-reduced intelligence data; designing an attention mechanism from the confidence levels in the dimension-reduced intelligence data to generate a model attention mechanism;
In the embodiment of the invention, the high-confidence vector data and the low-confidence vector data are reduced in dimension using a technique such as Principal Component Analysis (PCA) or Singular Value Decomposition (SVD) to lower the dimension and extract the main information, and the two kinds of data are combined to generate dimension-reduced intelligence data. A model attention mechanism is then designed from the confidence levels in the dimension-reduced intelligence data; the attention mechanism assigns different weights according to the importance of the data so that the model focuses more on the high-confidence data.
Step S33: constructing a threat network model from the dimension-reduced intelligence data based on the model attention mechanism;
In the embodiment of the invention, the threat network model is built from the dimension-reduced intelligence data using the model attention mechanism designed from its confidence levels, so that the model weights high-confidence data more heavily when representing the relationships between threats.
Step S34: performing association path analysis on the threat network model to generate association path data; performing entity dependency analysis on the threat network model to generate entity dependency relationship data;
In the embodiment of the invention, association path analysis on the threat network model generates association path data. This may use graph algorithms or network analysis techniques, such as shortest-path algorithms or depth-first search, to determine the propagation paths and relationships of the intelligence. Entity dependency relationships between different pieces of threat intelligence are analysed on the threat network model; a network analysis tool such as NetworkX may be used to identify the dependencies between entities.
Step S35: performing association compensation on the association path data according to the entity dependency relationship data to generate compensated association path data;
In the embodiment of the invention, the association path data is adjusted according to the entity dependency relationship data so that it reflects the relationships in the threat intelligence more accurately; this may include adding or deleting connections or paths.
Step S36: training the threat network model with the compensated association path data to generate a potential threat model;
In the embodiment of the invention, the threat network model is trained with the compensated association path data to build the potential threat model. Deep learning techniques such as graph neural networks may be used for the training.
Step S37: performing threat utilisation probability analysis based on the potential threat model to generate threat utilisation probability data.
In the embodiment of the invention, the probability distribution of the threat intelligence is analysed using the potential threat model, by statistical analysis or simulation, to estimate the probability that each piece of threat intelligence is exploited. Based on the analysis results, threat utilisation probability data is generated for assessing the risk and impact of potential threats. The probability data may be produced with statistical tools or data analysis libraries (such as pandas or Matplotlib).
In the embodiment of the invention, a particular threat scenario or threat hypothesis is selected first, such as the context of a specific threat action or attacker behaviour, including attack targets and attack methods. A probability model is built from the potential threat model and the selected threat context to estimate the utilisation probability of the potential threat; a Bayesian network, a probabilistic graphical model, a machine learning model or another suitable method may be used. The data in the potential threat model (association paths, entity dependencies, compensated association paths and so on) is imported into the probability model as its input. The parameters of the probability model are estimated, for example by analysing historical data and using statistical estimation to determine the probability distributions in the model. Inference is then performed with the probability model using Bayesian inference, Monte Carlo simulation or similar methods to estimate the utilisation probability of the potential threat under the selected threat scenario. The output of the model, including the utilisation probabilities of the potential threats, forms the threat utilisation probability data.
Preferably, step S4 comprises the steps of:
Step S41: constructing a virtual environment; performing attack simulation on the virtual environment using the attack payload data to generate a first payload attack report;
Step S42: performing payload update design on the attack payload data according to the threat utilisation probability data to generate a threat attack payload;
Step S43: performing threat attack simulation on the virtual environment based on the threat attack payload to generate a second payload attack report;
Step S44: performing similar attack analysis on the first payload attack report and the second payload attack report to generate a comprehensive payload attack report;
Step S45: performing reinforcement strategy formulation according to the comprehensive payload attack report to generate reinforcement strategy data.
By constructing a virtual environment and performing attack simulation, the invention can evaluate how the system behaves under attack, which helps to find potential vulnerabilities and weaknesses and to identify the weak links of the system in advance. Updating the attack payload according to the threat utilisation probability data makes the attack simulation more realistic and closer to the actual threat, helping to simulate the latest threat forms and to improve the defence against novel attacks. Simulating with the updated threat attack payload and generating a second payload attack report evaluates the security of the system more comprehensively and reveals the system's weaknesses and possible countermeasures under different attack scenarios. Similar attack analysis of the first and second payload attack reports, producing a comprehensive payload attack report, identifies common attack patterns and vulnerabilities and supports a more comprehensive, targeted reinforcement strategy. Formulating the reinforcement strategy from the comprehensive payload attack report improves the security of the system in a targeted way: the measures taken help to prevent known and potential threats and reduce the impact of potential attacks on the system.
As an example of the present invention, referring to fig. 4, the step S4 includes, in this example:
step S41: constructing a virtual environment; performing attack simulation on the virtual environment by using the attack load data to generate a first load attack report;
In the embodiment of the invention, by creating an isolated virtual environment, the simulation target system or network can be realized by using a virtualization technology (such as VMware, virtualBox) or a cloud platform. The attack payload data is prepared, which may include malware, exploit tools, or custom attack scripts. And deploying attack loads in the virtual environment, and simulating different types of attack behaviors, including malicious software propagation, port scanning, vulnerability exploitation and the like. Network traffic and system logs of the virtual environment are monitored to capture data of the attack. A first payload attack report is generated from the captured data describing the manner of the attack, the affected system and the possible threats.
Step S42: carrying out load updating design on attack load data according to threat utilization probability data to generate threat attack load;
In the embodiment of the invention, the potential threats of the attack load data are evaluated by using the threat utilization probability data. And identifying an attack mode with high probability. Based on the analysis result, the attack payload data is updated to contain the new attack pattern or variant. This may include modifying malware code, altering attack parameters, etc. And generating updated attack loads to include the attack modes identified in the threat utilization probability data.
Step S43: performing threat attack simulation on the virtual environment based on the threat attack payload to generate a second payload attack report;
In the embodiment of the invention, the new threat attack is simulated by deploying the updated attack payload into the virtual environment. The network traffic and system logs of the virtual environment are monitored again to capture the data of the second attack. A second payload attack report is generated from the captured data, describing the new attack modes, the affected systems and the possible threats.
Step S44: performing similar attack analysis on the first payload attack report and the second payload attack report to generate a comprehensive payload attack report;
In the embodiment of the invention, similar attack modes and their differences are identified by comparing the first payload attack report with the second. Based on the similar attack analysis, the attack methods that appear in both reports are screened out, the relative strengths and weaknesses of the similar attack methods are analysed, and the data of the two attacks are combined to describe the threat more comprehensively, thereby generating the comprehensive payload attack report.
Step S45: performing reinforcement strategy formulation according to the comprehensive payload attack report to generate reinforcement strategy data.
In the embodiment of the invention, the reinforcement strategy is formulated on the basis of the threat analysis result in the comprehensive payload attack report and includes repairing vulnerabilities, improving security configuration, implementing access control and the like. The reinforcement strategy is set down in data form, including specific steps, priorities and schedules. The corresponding security reinforcement measures are then implemented in the virtual environment or in the actual production environment according to the reinforcement strategy data.
In the embodiment of the invention, the comprehensive payload attack report is analysed in detail to understand the nature of the attack, the degree of threat, the attack path and the vulnerable points. The existing security measures of the system or network, including firewalls, intrusion detection systems and vulnerability management, are identified so that their effectiveness and their weaknesses are understood. Based on this analysis, a specific reinforcement strategy is formulated, for example patching known vulnerabilities, updating security configuration and strengthening access control. The reinforcement strategy is set down in data form, including specific steps, priorities and schedules. Based on the severity and potential risk of each threat, it is determined which measures should be implemented first, so that the formulated reinforcement strategy is prioritized. The effect of the implemented strategy is evaluated periodically, and the strategy is updated according to new threat information and the attack situation.
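The following is an added illustration of steps S42 and S44 and is not code from the patent: a baseline payload catalogue is extended with the attack modes whose threat utilization probability reaches a threshold, and two payload attack reports captured from the virtual environment are compared per technique to produce the comprehensive report. The record structures, the 0.5 threshold, the ranking rule (undetected successes first, then combined success rate) and the sample reports are all assumptions of this example.

```python
"""Payload update (S42) and cross-report similar attack analysis (S44).

Added example, not code from the patent.  Record structures, the selection
threshold, the ranking rule and the sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Payload:
    """One attack payload in the simulation catalogue (assumed structure)."""
    technique: str
    variant: str


@dataclass(frozen=True)
class AttackEvent:
    """One observation captured from the virtual environment's logs (assumed structure)."""
    technique: str
    target: str
    succeeded: bool
    detected: bool


def update_payloads(base, utilization_prob, threshold=0.5):
    """S42: extend the baseline payload set with every technique whose threat
    utilization probability reaches `threshold` and is not already covered.
    Existing payloads are kept unchanged; new techniques get one intel-derived
    variant.  The threshold value is an assumption of this example."""
    covered = {p.technique for p in base}
    updated = list(base)
    for technique, prob in sorted(utilization_prob.items(), key=lambda kv: (-kv[1], kv[0])):
        if prob >= threshold and technique not in covered:
            updated.append(Payload(technique, "intel-derived"))
            covered.add(technique)
    return updated


def summarize(events):
    """Aggregate one payload attack report per technique: attempts, successes,
    successes that went undetected, and the set of affected targets."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "silent": 0, "targets": set()})
    for e in events:
        s = stats[e.technique]
        s["attempts"] += 1
        if e.succeeded:
            s["successes"] += 1
            s["targets"].add(e.target)
            if not e.detected:
                s["silent"] += 1
    return dict(stats)


def _rate(s):
    return s["successes"] / s["attempts"] if s["attempts"] else 0.0


def similar_attack_analysis(first, second):
    """S44: compare the first and second payload attack reports.  Techniques seen
    in both runs are the common attack modes; for each, the run with the higher
    success rate is recorded and the affected targets of both runs are merged.
    Techniques seen in only one run are listed separately."""
    s1, s2 = summarize(first), summarize(second)
    common = []
    for t in sorted(set(s1) & set(s2)):
        r1, r2 = _rate(s1[t]), _rate(s2[t])
        common.append({
            "technique": t,
            "first_rate": r1,
            "second_rate": r2,
            "stronger_run": "second" if r2 > r1 else "first" if r1 > r2 else "equal",
            "undetected_successes": s1[t]["silent"] + s2[t]["silent"],
            "targets": sorted(s1[t]["targets"] | s2[t]["targets"]),
        })
    # Most urgent first: successes nobody detected, then combined success rate.
    common.sort(key=lambda r: (-r["undetected_successes"],
                               -(r["first_rate"] + r["second_rate"]), r["technique"]))
    return {"common": common,
            "only_first": sorted(set(s1) - set(s2)),
            "only_second": sorted(set(s2) - set(s1))}


# Constructed sample data (not from the patent).
BASE_PAYLOADS = [Payload("port_scan", "tcp-syn"), Payload("ssh_bruteforce", "top-1000")]
UTILIZATION_PROB = {"ssh_bruteforce": 0.7, "web_rce": 0.8, "smb_relay": 0.3}
FIRST_REPORT = [
    AttackEvent("port_scan", "srv-01", True, True),
    AttackEvent("ssh_bruteforce", "srv-01", False, True),
    AttackEvent("ssh_bruteforce", "srv-02", True, False),
]
SECOND_REPORT = [
    AttackEvent("port_scan", "srv-01", True, True),
    AttackEvent("ssh_bruteforce", "srv-02", True, False),
    AttackEvent("ssh_bruteforce", "srv-03", True, False),
    AttackEvent("web_rce", "srv-02", True, False),
]


def comprehensive_report():
    """Run S42 and S44 over the constructed data and return both results."""
    payloads = update_payloads(BASE_PAYLOADS, UTILIZATION_PROB)
    return {"payloads": payloads,
            "analysis": similar_attack_analysis(FIRST_REPORT, SECOND_REPORT)}


if __name__ == "__main__":
    import json
    print(json.dumps(comprehensive_report(), default=str, indent=2))
```

On the constructed data the SSH brute force is ranked above the port scan even though the scan succeeded in both runs, because three of its successes were never detected; that is the kind of common attack mode the comprehensive report is meant to surface for the reinforcement strategy.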
Preferably, step S5 comprises the following steps:
Step S51: performing attack cost assessment on the comprehensive payload attack report to generate attack cost analysis data;
Step S52: performing reinforcement cost assessment on the reinforcement strategy data to generate reinforcement cost data;
Step S53: performing repair necessity assessment on the attack cost analysis data and the reinforcement cost data using a repair necessity assessment formula to generate a repair necessity score;
Step S54: transmitting the reinforcement strategy data and the repair necessity score to the terminal to generate a reinforcement test report.
By analysing the comprehensive payload attack report, the invention can estimate the potential cost to an attacker, which helps to understand the economic motivation for the attack, to evaluate the risk to the system and to determine which vulnerabilities or threats are the most dangerous. Cost assessment of the formulated reinforcement strategy determines the resources and expense required to implement it, which helps to decide whether these costs are worth bearing to improve the security of the system. Combining the repair necessity assessment formula with the attack cost and reinforcement cost data makes it possible to determine which vulnerabilities or threats should be repaired first, so that limited security resources are allocated to the most urgent problems and risk is minimized. Transmitting the reinforcement strategy data and the repair necessity score to the terminal to generate a reinforcement test report provides a clear action plan; the report may include specific steps and schedules that help to ensure that the security of the system is improved and potential threats are reduced.
In the embodiment of the invention, a cost assessment is performed on the threats described in the comprehensive payload attack report, covering the time, resources, skills and tools an attack requires; this can be based on the threat analysis and the results of the simulated attack. The attack cost assessment results are organised into data, including the cost estimate, the attack mode and the impact. The cost of implementing the reinforcement strategy is assessed, including time, resources, labour and technical requirements, according to the specific steps and implementation of the strategy, and the reinforcement cost assessment results are organised into data, including the cost estimate, the reinforcement strategy and the required resources. A preset repair necessity assessment formula is then applied; the formula takes full account of the reinforcement cost, the attack frequency and the vulnerability impact degree so as to assess objectively, accurately and in real time the necessity of repairing each threat found by the test, and it generates a repair necessity score that measures which threats need repair most urgently and which reinforcement strategies are most worth implementing. Besides the preset formula, the repair necessity score may also be obtained by methods such as expert opinion, subjective trade-offs or return-on-investment analysis. The generated reinforcement strategy data and repair necessity score are transmitted to the terminal device, by network transmission or data export, and a reinforcement test report is generated there from the transmitted data; the report includes the suggested reinforcement strategy, the repair necessity scores and the implementation recommendations, and may be produced by a report generation tool or a custom script.
The generated reinforcement test report is submitted to the relevant security team or management layer to support decisions on, and enforcement of, the reinforcement measures.
Preferably, the repair necessity assessment formula in step S53 is as follows:
where X is the necessity assessment score, T_1 is the start time of the necessity assessment, T_2 is the end time of the necessity assessment, H_j(m) is the reinforcement cost at time m, H_g(m) is the attack cost at time m, f(m) is the attack frequency value at time m, V(m) is the vulnerability impact degree value at time m, O(m) is the threat severity score at time m, g(m) is the vulnerability exposure probability value at time m, E(m) is the vulnerability exposure degree value at time m, P(m) is the threat occurrence probability value at time m, and the remaining term is the deviation adjustment value of the necessity assessment score.
The invention constructs a repair necessity assessment formula for performing repair necessity assessment on the attack cost analysis data and the reinforcement cost data to generate a repair necessity score. The formula takes full account of the start time T_1 of the necessity assessment, the end time T_2 of the necessity assessment, the reinforcement cost H_j(m) at time m, the attack cost H_g(m) at time m, the attack frequency value f(m) at time m, the vulnerability impact degree value V(m) at time m, the threat severity score O(m) at time m, the vulnerability exposure probability value g(m) at time m, the vulnerability exposure degree value E(m) at time m, the threat occurrence probability value P(m) at time m, the deviation adjustment value of the necessity assessment score, and the interactions between these variables, to form the following functional relationship:
The difference between the attack cost and the reinforcement cost is obtained as H_g(m) - H_j(m). When this value is positive the attack cost exceeds the reinforcement cost, that is, the repair is cheap relative to what the attacker must spend; the larger the probability that the corresponding vulnerability threat is exploited, the larger the corresponding repair necessity score, and measures are needed to reduce the risk. f(m) represents the likelihood of an attack occurring at this point in time: if f(m) is higher, attacks may occur more frequently during this period, which increases the urgency of repairing the vulnerability. V(m) represents the degree of impact on the system once the vulnerability is exploited: if V(m) is larger, the system is more endangered after exploitation, which again increases the urgency of repair. O(m) represents the severity of the threat; a higher threat severity score means that the impact of the attack is more severe. The sum of the attack cost and the reinforcement cost, that is, the total cost, is obtained as H_g(m) + H_j(m); the total cost helps to determine which vulnerability threats pose the greater danger to the security of the server data and require more preferential treatment. If g(m) is higher, the vulnerability is more easily exploited by an attacker during this time period; if E(m) is higher, the vulnerability in the system is more easily discovered; and if P(m) is higher, the threat is more likely to occur. The time integral accounts for the change of each parameter of the vulnerability threat over time and assesses the necessity of vulnerability repair dynamically. The functional relationship can therefore assess accurately and in real time the necessity of repairing each threat found by a test, yielding a repair necessity score that is fed back to the terminal equipment to support more accurate decisions.
The deviation adjustment value of the necessity assessment score is used to adjust and correct the functional relationship. For example, if the necessity score computed for the current item is low, meaning that the repair is of low urgency, but the risk has not appeared in the history, it should be considered whether the adjustment value needs to be tuned, so as to reduce the error caused by the data or by an erroneous term, to generate the necessity assessment score X more accurately, and to improve the accuracy and reliability of the repair necessity assessment on the attack cost analysis data and the reinforcement cost data. The adjustment value in the formula can also be tuned according to the actual situation and applied to the repair necessity assessment of vulnerabilities of different risk levels, which improves the flexibility and applicability of the algorithm.
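The following worked example, added here and not taken from the patent, implements a time-integrated repair necessity score over the variables named above. The page does not reproduce the formula itself, so the combination used in the integrand is an assumption chosen to follow the relationships the description states: the score grows with H_g(m) - H_j(m), f(m), V(m), O(m), g(m), E(m) and P(m), is integrated over [T_1, T_2], and is shifted by the deviation adjustment value. The trapezoidal integration over sampled values, the normalisation of the cost difference by the total cost, and the two constructed threats are likewise assumptions of this example.

```python
"""Time-integrated repair necessity scoring over the variables named in the text.

Added example, not the patent's own formula: the page names X, T_1, T_2,
H_j(m), H_g(m), f(m), V(m), O(m), g(m), E(m), P(m) and a bias term and states
how each should move the score, but the formula itself is not reproduced.
The integrand below is an assumed combination that follows those stated
relationships; the sampling grid and the sample values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """Values of the per-time variables at one sampling time m (assumed structure)."""
    m: float
    H_j: float  # reinforcement cost at time m
    H_g: float  # attack cost at time m
    f: float    # attack frequency value
    V: float    # vulnerability impact degree value
    O: float    # threat severity score
    g: float    # vulnerability exposure probability value
    E: float    # vulnerability exposure degree value
    P: float    # threat occurrence probability value


def integrand(s: Sample) -> float:
    """Assumed per-time contribution to X.

    cost_term reads the difference H_g - H_j relative to the total cost
    H_g + H_j, so it lies in [-1, 1]: near +1 when the fix is cheap compared
    with the attack, near -1 when the fix costs far more than the attack.
    The factor (1 + cost_term) therefore lies in [0, 2] and scales, but never
    flips the sign of, the likelihood and impact terms.
    """
    total = s.H_g + s.H_j
    cost_term = (s.H_g - s.H_j) / total if total > 0 else 0.0
    likelihood = s.f * s.g * s.E * s.P   # how often and how easily the threat lands
    impact = s.V * s.O                   # how bad it is when it does
    return (1.0 + cost_term) * likelihood * impact


def repair_necessity_score(samples, T1, T2, bias=0.0):
    """X = integral over [T1, T2] of integrand(m) dm + bias, computed by the
    trapezoidal rule over the samples inside the window (at least two needed).
    `bias` plays the role of the deviation adjustment value."""
    pts = sorted((s for s in samples if T1 <= s.m <= T2), key=lambda s: s.m)
    if len(pts) < 2:
        raise ValueError("need at least two samples inside [T1, T2]")
    X = 0.0
    for a, b in zip(pts, pts[1:]):
        X += 0.5 * (integrand(a) + integrand(b)) * (b.m - a.m)
    return X + bias


def prioritize(threats, T1, T2, bias=None):
    """Rank named threats by repair necessity score, highest first."""
    bias = bias or {}
    scored = [(name, repair_necessity_score(samples, T1, T2, bias.get(name, 0.0)))
              for name, samples in threats.items()]
    return sorted(scored, key=lambda ns: -ns[1])


# Constructed sample data (not from the patent).  Threat A is cheap to fix and
# heavily exposed, with attack frequency rising over the window; threat B is
# expensive to fix and rarely exposed.
THREATS = {
    "A": [Sample(m, H_j=1.0, H_g=3.0, f=1.0 + m, V=0.8, O=0.9, g=0.9, E=0.8, P=0.9)
          for m in (0.0, 1.0, 2.0)],
    "B": [Sample(m, H_j=5.0, H_g=1.0, f=1.0, V=0.5, O=0.5, g=0.2, E=0.3, P=0.4)
          for m in (0.0, 1.0, 2.0)],
}

if __name__ == "__main__":
    for name, score in prioritize(THREATS, 0.0, 2.0):
        print(f"{name}: X = {score:.4f}")
```

Because the cost factor is normalised by H_g + H_j, a vulnerability whose fix costs far more than the attack scores close to zero rather than negative, and a history-based correction of the kind described above is applied through the bias argument rather than by changing the integrand.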
The beneficial effects of the method are as follows. The method obtains the kernel log file, which contains key information about the operation of the system such as abnormal events and error messages; by retrieving these files, potential problems can be identified quickly. Analysing the traffic state recorded in the kernel log file helps to identify anomalies in network traffic, such as large-scale packet transmissions or frequent connection attempts, and integrating the abnormal traffic data into comprehensive abnormal traffic data gives a more complete picture of the possible anomalies in the system. Attack payloads are designed on the basis of the abnormal traffic data; they can be used to simulate potential attack behaviour and so reveal the vulnerabilities and weaknesses of the system. Threat intelligence data includes information about recent threats and attacks from multiple sources and describes the current threat environment. Clustering the threat intelligence data groups related information together and gives a clearer threat picture, and dividing the intelligence data into high-confidence and low-confidence data focuses attention on the most important and most trusted information. Confidence correction of the low-confidence data improves its usability and reliability. Constructing the threat model from the high-confidence and low-confidence data helps the system to understand the nature of different threats and of potential threats. Through probability analysis, the actual utilization probabilities of different threats can be estimated, which helps to determine which threats are the more likely to endanger the system. Actual attack scenarios are then simulated with the attack payload data and the threat utilization probability data to learn the vulnerabilities and potential attack paths in the system.
An attack report is generated that sets out the result of the simulated attack, which helps to identify the weak points where measures need to be taken. Based on the result of the attack simulation, a reinforcement strategy is formulated to reduce the vulnerability of the system and improve its security. The urgency of the vulnerabilities and weaknesses to be repaired in the system is evaluated according to the comprehensive payload attack report and the reinforcement strategy data. The reinforcement strategy data and repair necessity score are transmitted to the terminal, and a reinforcement test report is generated to verify the effectiveness of the reinforcement measures and the improvement of the system. The reinforcement test method based on kernel protection server data therefore constructs a potential threat model from threat intelligence data and discovers hidden vulnerabilities and weaknesses in time; the attack payload is designed to simulate attacks, so that the likelihood that a hidden vulnerability will be exploited is determined and the accuracy of the reinforcement test is improved.
The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.
The foregoing is only a specific embodiment of the invention to enable those skilled in the art to understand or practice the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A reinforcement test method based on kernel protection server data, characterized by comprising the following steps:
Step S1: obtaining a kernel log file; performing traffic state analysis according to the kernel log file to generate comprehensive abnormal traffic data; performing attack payload design based on the comprehensive abnormal traffic data to generate attack payload data;
Step S2: acquiring threat intelligence data; performing data clustering on the threat intelligence data to generate high-confidence data and low-confidence data; performing confidence correction on the high-confidence data and the low-confidence data to generate high-confidence correction data and low-confidence correction data;
Step S3: constructing a potential threat model based on the high-confidence correction data and the low-confidence correction data; performing threat utilization probability analysis with the potential threat model to generate threat utilization probability data;
Step S4: performing attack simulation based on the attack payload data and the threat utilization probability data to generate a comprehensive payload attack report; performing reinforcement strategy formulation based on the comprehensive payload attack report to generate reinforcement strategy data;
Step S5: performing repair necessity assessment according to the comprehensive payload attack report and the reinforcement strategy data to generate a repair necessity score; transmitting the reinforcement strategy data and the repair necessity score to the terminal to generate a reinforcement test report.
2. The reinforcement test method based on kernel protection server data according to claim 1, wherein step S1 comprises the following steps:
Step S11: obtaining a kernel log file;
Step S12: performing traffic state analysis according to the kernel log file to generate normal traffic data and abnormal traffic data;
Step S13: performing source tracing on the normal traffic data to generate hidden abnormal traffic data;
Step S14: performing abnormal data supplementation on the abnormal traffic data according to the hidden abnormal traffic data to generate comprehensive abnormal traffic data;
Step S15: performing attack payload design based on the comprehensive abnormal traffic data to generate attack payload data.
3. The reinforcement test method based on kernel protection server data according to claim 2, wherein step S13 comprises the following steps:
Step S131: extracting the access counts from the normal traffic data to generate access count data;
Step S132: performing data tag design on the access count data based on a preset access count threshold, generating low-access tag data when the access count data is less than or equal to the preset access count threshold and high-access tag data when the access count data is greater than the preset access count threshold;
Step S133: performing source tracing on the normal traffic data according to the low-access tag data to generate low-access traffic tracing data;
Step S134: performing data analysis on the low-access traffic tracing data to generate low-access abnormal traffic data;
Step S135: performing access habit analysis on the normal traffic data according to the high-access tag data to generate special access habit data;
Step S136: performing data integration on the low-access abnormal traffic data and the special access habit data to generate hidden abnormal traffic data.
4. The reinforcement test method based on kernel protection server data according to claim 3, wherein step S134 comprises the following steps:
Step S1341: performing IP address statistics according to the kernel log file to generate IP address distribution data;
Step S1342: classifying the low-access traffic tracing data using the IP address distribution data to generate low-access region address data and high-access region address data;
Step S1343: performing communication behaviour analysis on the low-access region address data to generate low-access region abnormal data;
Step S1344: extracting request information based on the high-access region address data to generate request information data;
Step S1345: computing a rationality value for the request information data using a request rationality calculation formula to generate a request rationality score;
Step S1346: performing abnormal access analysis on the high-access region address data using the request rationality score to generate high-access region abnormal data;
Step S1347: performing data fusion on the low-access region abnormal data and the high-access region abnormal data to generate comprehensive abnormal traffic data.
5. The reinforcement test method based on kernel protection server data according to claim 4, wherein the request rationality calculation formula in step S1345 is as follows:
where R is the request rationality score, T_1 is the request start time, T_2 is the request end time, N(t) is the total number of requests in time period t, T is the duration of time period t, a_t is the weight of time period t, τ_0 is the start time of time period t, τ is the end time of time period t, c_s is the network fluctuation value at time s, e is the base of the natural logarithm, b_s is the request density value at time s, β is the request type weight, n is the total number of request time periods, y_i is the i-th request type, and ω is the deviation adjustment term of the request rationality score.
6. The reinforcement test method based on kernel protection server data according to claim 2, wherein step S2 comprises the following steps:
Step S21: constructing a threat intelligence network using blockchain technology; acquiring threat intelligence data from the threat intelligence network;
Step S22: performing sentiment semantic analysis on the threat intelligence data to generate reliable intelligence data; performing data structuring on the reliable intelligence data to generate structured intelligence data;
Step S23: performing data clustering on the structured intelligence data to generate high-confidence data and low-confidence data;
Step S24: performing submission time analysis on the high-confidence data to generate submission time distribution data; performing confidence correction on the high-confidence data based on the submission time distribution data to generate high-confidence correction data;
Step S25: extracting low-frequency vocabulary from the low-confidence data to generate special vocabulary data; screening the low-confidence data according to the special vocabulary data to generate special low-confidence data;
Step S26: performing submitter association analysis on the special low-confidence data according to the high-confidence correction data to generate submitter association data; performing confidence correction on the special low-confidence data according to the submitter association data to generate low-confidence correction data.
7. The reinforcement test method based on kernel protection server data according to claim 6, wherein step S3 comprises the following steps:
Step S31: performing feature vectorization on the high-confidence correction data and the low-confidence correction data to generate high-confidence vector data and low-confidence vector data;
Step S32: performing dimension-reduction fusion on the high-confidence vector data and the low-confidence vector data to generate dimension-reduced intelligence data; designing an attention mechanism from the confidence levels in the dimension-reduced intelligence data to generate a model attention mechanism;
Step S33: constructing a threat network model based on the model attention mechanism from the dimension-reduced intelligence data;
Step S34: performing association path analysis on the threat network model to generate association path data; performing entity dependency analysis on the threat network model to generate entity dependency relationship data;
Step S35: performing association compensation on the association path data according to the entity dependency relationship data to generate compensated association path data;
Step S36: training the threat network model with the compensated association path data to generate a potential threat model;
Step S37: performing threat utilization probability analysis with the potential threat model to generate threat utilization probability data.
8. The reinforcement test method based on kernel protection server data according to claim 7, wherein step S4 comprises the following steps:
Step S41: constructing a virtual environment; performing attack simulation on the virtual environment with the attack payload data to generate a first payload attack report;
Step S42: performing payload update design on the attack payload data according to the threat utilization probability data to generate a threat attack payload;
Step S43: performing threat attack simulation on the virtual environment based on the threat attack payload to generate a second payload attack report;
Step S44: performing similar attack analysis on the first payload attack report and the second payload attack report to generate a comprehensive payload attack report;
Step S45: performing reinforcement strategy formulation according to the comprehensive payload attack report to generate reinforcement strategy data.
9. The reinforcement test method based on kernel protection server data according to claim 8, wherein step S5 comprises the following steps:
Step S51: performing attack cost assessment on the comprehensive payload attack report to generate attack cost analysis data;
Step S52: performing reinforcement cost assessment on the reinforcement strategy data to generate reinforcement cost data;
Step S53: performing repair necessity assessment on the attack cost analysis data and the reinforcement cost data using a repair necessity assessment formula to generate a repair necessity score;
Step S54: transmitting the reinforcement strategy data and the repair necessity score to the terminal to generate a reinforcement test report.
10. The reinforcement test method based on kernel protection server data according to claim 9, wherein the repair necessity assessment formula in step S53 is as follows:
where X is the necessity assessment score, T_1 is the start time of the necessity assessment, T_2 is the end time of the necessity assessment, H_j(m) is the reinforcement cost at time m, H_g(m) is the attack cost at time m, f(m) is the attack frequency value at time m, V(m) is the vulnerability impact degree value at time m, O(m) is the threat severity score at time m, g(m) is the vulnerability exposure probability value at time m, E(m) is the vulnerability exposure degree value at time m, P(m) is the threat occurrence probability value at time m, and the remaining term is the deviation adjustment value of the necessity assessment score.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410263140.1A CN118012775A (en) | 2024-03-07 | 2024-03-07 | Reinforcing test method based on kernel protection server data |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118012775A true CN118012775A (en) | 2024-05-10 |
Family
ID=90945234
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410263140.1A Pending CN118012775A (en) | 2024-03-07 | 2024-03-07 | Reinforcing test method based on kernel protection server data |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118012775A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118368151A (en) * | 2024-06-20 | 2024-07-19 | 青岛理工大学 | Network security threat detection method and system based on machine learning |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111614628A (en) * | 2020-04-28 | 2020-09-01 | 上海汽车集团股份有限公司 | Kernel reinforcement system and method, cloud server, client, electronic device and storage medium |
US20220100645A1 (en) * | 2020-09-29 | 2022-03-31 | Amazon Technologies, Inc. | Automated testing of systems and applications |
CN114510714A (en) * | 2022-01-14 | 2022-05-17 | 麒麟软件有限公司 | Kysec safety mechanism testing method and system |
CN115022036A (en) * | 2022-06-01 | 2022-09-06 | 中国科学院计算技术研究所 | Attack traffic generation method and system and network security test system |
CN117272330A (en) * | 2023-11-22 | 2023-12-22 | 深圳市奥盛通科技有限公司 | Method and system for reinforcing and updating server system |
Non-Patent Citations (2)
Title |
---|
JING WANG et al.: "Research on Simulation Technology of Network Attack Impact", 2023 IEEE International Conference on Sensors, Electronics and Computer Engineering (ICSECE), 29 September 2023 (2023-09-29), page 1452 * |
Wang Lina (王丽娜) et al.: "OP-TEE kernel fuzzing method based on full-system emulation" (基于全系统模拟的OP-TEE内核模糊测试方法), Journal of Cyber Security (信息安全学报), 15 July 2023 (2023-07-15), pages 85-98 * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11637853B2 (en) | Operational network risk mitigation system and method | |
Xiong et al. | Threat modeling–A systematic literature review | |
US11336669B2 (en) | Artificial intelligence cyber security analyst | |
CN107835982B (en) | Method and apparatus for managing security in a computer network | |
US8762188B2 (en) | Cyberspace security system | |
US8533841B2 (en) | Deriving remediations from security compliance rules | |
US20230325511A1 (en) | Cyber threat scoring, cyber security training and proactive defense by machine and human agents incentivized with digital assets | |
CN118012775A (en) | Reinforcing test method based on kernel protection server data | |
Jung et al. | CAVP: A context-aware vulnerability prioritization model | |
CN116846619A (en) | Automatic network security risk assessment method, system and readable storage medium | |
US20230396641A1 (en) | Adaptive system for network and security management | |
Zeng et al. | Licality—likelihood and criticality: Vulnerability risk prioritization through logical reasoning and deep learning | |
Khan et al. | Towards augmented proactive cyberthreat intelligence | |
US20240171614A1 (en) | System and method for internet activity and health forecasting and internet noise analysis | |
Kersten et al. | 'Give Me Structure': Synthesis and Evaluation of a (Network) Threat Analysis Process Supporting Tier 1 Investigations in a Security Operation Center | |
Roytman et al. | Modern Vulnerability Management: Predictive Cybersecurity | |
Samuel et al. | Leveraging external data sources to enhance secure system design | |
Grisci et al. | Perspectives on risk prioritization of data center vulnerabilities using rank aggregation and multi-objective optimization | |
Malik | Continuous Risk Assessment for Large-Scale Cyber Systems | |
US20240291869A1 (en) | Self-adjusting cybersecurity analysis with network mapping | |
US20240250979A1 (en) | Automated cybersecurity vulnerability prioritization | |
Pak | Near real-time risk assessment using hidden Markov models | |
Islam et al. | Intelligent Dynamic Cybersecurity Risk Management Framework with Explainability and Interpretability of AI models for Enhancing Security and Resilience of Digital Infrastructure | |
Cheimonidis et al. | Dynamic vulnerability severity calculator for industrial control systems | |
Samuel | A Data-Driven Approach to Evaluate the Security of System Designs |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| TA01 | Transfer of patent application right | Effective date of registration: 2024-07-22. Address after: Unit 504, Building 2, Yong'an Mingzhu, Yong'an North Road, Lianhua County, Pingxiang City, Jiangxi Province 337000; Applicant after: Chen Genzhao; Country or region after: China. Address before: Room 2305, Block B, Nord Plaza, No. 328 Dunhua Road, Shibei District, Qingdao City, Shandong Province, 262000; Applicant before: Qingdao Baotong Xinglian Network Technology Co.,Ltd.; Country or region before: China |