Disclosure of Invention
The disclosure provides a method, a device, a gateway device and a storage medium for predicting attacks, which can predict the aggressiveness of the device.
The present disclosure provides a method of predicting an attack, the method comprising:
acquiring the attacked historical parameters of each device in the topology, wherein the historical parameters comprise: the number of times the device was attacked within a preset period and the device information of the attacker;
generating an attack matrix among the devices according to the historical parameters;
calculating and obtaining a threat index and a vulnerability index of each device according to the attack matrix;
and predicting the aggressiveness of each device according to the threat index and/or the vulnerability index.
Optionally, the obtaining of the attacked historical parameters of each device in the topology includes:
collecting log data of each device, and acquiring the attacked historical parameters of each device from the log data.
Optionally, the generating an attack matrix between the devices according to the historical parameters includes:
generating a directed graph among the devices according to the historical parameters;
and converting the directed graph into an attack matrix, wherein the row vector of the attack matrix represents the number of times each device attacked other devices, and the column vector represents the number of times each device was attacked by other devices.
Optionally, the calculating and obtaining the threat index and the vulnerability index of each device according to the attack matrix includes:
determining a threat index of each device according to the sum of the row vectors of the attack matrix;
and determining the vulnerability index of each device according to the sum of the column vectors of the attack matrix.
Optionally, the predicting the aggressiveness of each device according to the threat index and/or the vulnerability index includes:
setting a threat threshold and a vulnerability threshold;
determining whether a threat index and/or a vulnerability index of a target device of the devices exceeds the threat threshold and/or the vulnerability threshold;
if yes, predicting that the target device is strong in aggressiveness;
and if not, predicting that the target device is weak in aggressiveness.
The present disclosure also provides a device for predicting attacks, the device comprising:
an obtaining module, configured to obtain the attacked history parameters of each device in the topology, where the history parameters include: the number of times the device was attacked within a preset period and the device information of the attacker;
the calculation module is used for generating an attack matrix among the devices according to the historical parameters;
the calculation module is further used for calculating and obtaining a threat index and a vulnerability index of each device according to the attack matrix;
and the prediction module is used for predicting the aggressiveness of each device according to the threat index and/or the vulnerability index.
Optionally, the obtaining module is specifically configured to collect log data of each device, and obtain an attacked history parameter of each device from the log data.
Optionally, the computing module is specifically configured to generate a directed graph among the devices according to the historical parameters;
and converting the directed graph into an attack matrix, wherein the row vector of the attack matrix represents the number of times each device attacked other devices, and the column vector represents the number of times each device was attacked by other devices.
Optionally, the computing module is specifically configured to determine a threat index of each device according to a sum of row vectors of the attack matrix;
and determining the vulnerability index of each device according to the sum of the column vectors of the attack matrix.
Optionally, the prediction module is specifically configured to set a threat threshold and a vulnerability threshold;
determining whether a threat index and/or a vulnerability index of a target device of the devices exceeds the threat threshold and/or the vulnerability threshold;
if yes, predicting that the target device is strong in aggressiveness;
and if not, predicting that the target device is weak in aggressiveness.
The present disclosure also provides a network management device, which includes: a memory, a processor and a program stored on the memory and executable on the processor, the program implementing any of the above method steps when executed by the processor.
The present disclosure also provides a computer readable storage medium having a program stored thereon, which when executed by a processor, performs any of the method steps described above.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the specification, as detailed in the appended claims.
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, this information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present specification. The word "if" as used herein may be interpreted as "at the time of", "when" or "in response to a determination", depending on the context.
The present disclosure provides a method of predicting an attack, as shown in fig. 1, the method comprising:
S101, acquiring the attacked historical parameters of each device in the topology, wherein the historical parameters comprise: the number of times the device was attacked within a preset period and the device information of the attacker;
S102, generating an attack matrix among the devices according to the historical parameters;
S103, calculating and obtaining a threat index and a vulnerability index of each device according to the attack matrix;
S104, predicting the aggressiveness of each device according to the threat index and/or the vulnerability index.
In this embodiment, the foregoing steps may be executed by the network management device, specifically, in step S101, the network management device may acquire data information of each device within a control range of the network management device through the log collector, and analyze the data information of each device according to a predefined analysis rule, so as to obtain an attacked history parameter of each device.
In general, the log information of the attacked device includes information of the attacking device (for example, the device number and address of the attacking device), whereas the log information of the attacking device does not include information of the attacked device, so the history parameters obtained by analyzing the data information include: the number of times the device was attacked within the preset period and the device information of the attacker. The preset period may be determined by an administrator; in this embodiment, the preset period may be one hour.
In this embodiment, in order to count the information of the attacking devices and of the attacked devices and to visually show the relationship between them, a directed graph may be constructed according to the history parameters. As shown in fig. 2, V1, V2, V3, V4, V5, V6 and V7 are the vertices of the directed graph and respectively represent device 1, device 2, device 3, device 4, device 5, device 6 and device 7; the arrows are the edges of the directed graph and represent the direction in which one device attacks another. The number on an arrow indicates the number of times one device attacked another; the in-arrows at a vertex give the number of times that device was attacked by other devices, and the out-arrows at a vertex give the number of times that device attacked other devices.
According to the content in fig. 2, an attack matrix between devices is generated, as shown in the following matrix:
In the matrix, the row vector of device $V_i$ gives the number of times $V_i$ attacked other devices, and the column vector of device $V_i$ gives the number of times $V_i$ was attacked by other devices. Since a device is unlikely to attack itself, the main diagonal elements of the matrix are all 0.
In step S103, the threat index and the vulnerability index of each device may be obtained based on the attack matrix, and specifically, the threat index of each device may be determined according to the sum of the row vectors of the attack matrix, and the vulnerability index of each device may be determined according to the sum of the column vectors of the attack matrix.
In practical application, the threat index of each device is determined from the sum of the row vectors of the attack matrix, and the vulnerability index of each device from the sum of the column vectors, by the following formulas.
Formula I:
$$A_i = \sum_{j=1}^{n} d_{ij}$$
Formula I is used to calculate the threat index, where $A_i$ represents the threat index of device $V_i$, $n$ is the number of devices, and $d_{ij}$ is the weight of the directed-graph edge from $V_i$ to $V_j$, i.e. the number of times device $V_i$ attacked device $V_j$. The threat index of device $V_i$ is therefore the sum of the $i$-th row of the matrix.
Formula II:
$$B_i = \sum_{j=1}^{n} d_{ji}$$
Formula II is used to calculate the vulnerability index, where $B_i$ represents the vulnerability index of device $V_i$, $n$ is the number of devices, and $d_{ji}$ is the weight of the directed-graph edge from $V_j$ to $V_i$, i.e. the number of times device $V_i$ was attacked by device $V_j$. The vulnerability index of device $V_i$ is therefore the sum of the $i$-th column of the matrix.
In practical application, whether the corresponding device is strong or weak may be determined by taking the threat index or the vulnerability index as a reference, and of course, whether the corresponding device is strong or weak may also be determined by taking the threat index and the vulnerability index together, and a more accurate prediction result may be obtained by determining the two parameters together.
In this embodiment, to implement automatic early warning, an administrator may set a threat threshold and a vulnerability threshold in a management device applying the scheme. When the threat index and/or the vulnerability index of a certain device is greater than the corresponding threshold (the threat index is greater than the threat threshold and/or the vulnerability index is greater than the vulnerability threshold), the device is considered likely to attack and is regarded as strong in aggressiveness; otherwise, the likelihood of the device attacking is considered weak.
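The steps S101 to S104 above, carried through end to end as an added example that is not part of the disclosure: constructed log records (each attacked device logging its attacker) are turned into the attack matrix $d_{ij}$, Formula I and Formula II give the row and column sums, and the thresholds decide strong or weak aggressiveness. Device names, log fields and threshold values are assumptions.

```python
# Constructed sample log records for one preset period (not from the disclosure):
# each attacked device logs the device number of its attacker.
SAMPLE_LOGS = [
    {"victim": "V2", "attacker": "V1"},
    {"victim": "V2", "attacker": "V1"},
    {"victim": "V3", "attacker": "V1"},
    {"victim": "V4", "attacker": "V2"},
    {"victim": "V1", "attacker": "V3"},
    {"victim": "V4", "attacker": "V3"},
    {"victim": "V4", "attacker": "V3"},
    {"victim": "V4", "attacker": "V3"},
]
DEVICES = ["V1", "V2", "V3", "V4"]  # vertices of the directed graph (assumed names)


def build_attack_matrix(logs, devices):
    """S102: d[i][j] = number of times device i attacked device j (edge weight)."""
    index = {dev: k for k, dev in enumerate(devices)}
    n = len(devices)
    d = [[0] * n for _ in range(n)]
    for rec in logs:
        i, j = index[rec["attacker"]], index[rec["victim"]]
        if i == j:
            continue  # a device does not attack itself; the main diagonal stays 0
        d[i][j] += 1
    return d


def threat_index(d):
    """Formula I: A_i = sum_j d_ij, the i-th row sum (attacks launched by V_i)."""
    return [sum(row) for row in d]


def vulnerability_index(d):
    """Formula II: B_i = sum_j d_ji, the i-th column sum (attacks suffered by V_i)."""
    n = len(d)
    return [sum(d[j][i] for j in range(n)) for i in range(n)]


def predict(devices, a, b, threat_threshold, vuln_threshold):
    """S104: 'strong' if either index exceeds its threshold, otherwise 'weak'."""
    return {dev: ("strong" if a[k] > threat_threshold or b[k] > vuln_threshold else "weak")
            for k, dev in enumerate(devices)}


if __name__ == "__main__":
    d = build_attack_matrix(SAMPLE_LOGS, DEVICES)
    a, b = threat_index(d), vulnerability_index(d)
    for dev, row in zip(DEVICES, d):
        print(dev, row)
    # Thresholds are administrator-chosen; 2 and 3 are assumed here.
    print(predict(DEVICES, a, b, threat_threshold=2, vuln_threshold=3))
```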
According to the embodiment, the obtained historical parameters of each device can be used for predicting the aggressiveness of each device, and if the system detects that a certain device is strong in aggressiveness, an alarm can be output to prompt an administrator that the certain device is strong in aggressiveness and needs to be monitored intensively.
Based on the same concept as the above method embodiments, the embodiments of the present disclosure further provide an attack prediction apparatus, which includes:
an obtaining module, configured to obtain the attacked history parameters of each device in the topology, where the history parameters include: the number of times the device was attacked within a preset period and the device information of the attacker;
the calculation module is used for generating an attack matrix among the devices according to the historical parameters;
the calculation module is further used for calculating and obtaining a threat index and a vulnerability index of each device according to the attack matrix;
and the prediction module is used for predicting the aggressiveness of each device according to the threat index and/or the vulnerability index.
Optionally, the obtaining module is specifically configured to collect log data of each device, and obtain an attacked history parameter of each device from the log data.
Optionally, the computing module is specifically configured to generate a directed graph among the devices according to the historical parameters;
and converting the directed graph into an attack matrix, wherein the row vector of the attack matrix represents the number of times each device attacked other devices, and the column vector represents the number of times each device was attacked by other devices.
Optionally, the computing module is specifically configured to determine a threat index of each device according to a sum of row vectors of the attack matrix;
and determining the vulnerability index of each device according to the sum of the column vectors of the attack matrix.
Optionally, the prediction module is specifically configured to set a threat threshold and a vulnerability threshold;
determining whether a threat index and/or a vulnerability index of a target device of the devices exceeds the threat threshold and/or the vulnerability threshold;
if yes, predicting that the target device is strong in aggressiveness;
and if not, predicting that the target device is weak in aggressiveness.
Based on the foregoing embodiments, the present disclosure further provides a network management device, where the network management device can obtain a topology map of a managed network, and the network management device includes: a memory, a processor and a program stored on the memory and executable on the processor, which when executed by the processor implements the various embodiments described above.
The present disclosure also provides a computer-readable storage medium having a program stored thereon, which when executed by a processor, implements the above-described embodiments.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Other embodiments of the present description will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It will be understood that the present description is not limited to the precise arrangements described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The above description is only a preferred embodiment of the present disclosure, and should not be taken as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.