CN115883223A - Method and device for generating user risk profile, electronic device, storage medium - Google Patents

Info

Publication number
CN115883223A
Authority
CN
China
Prior art keywords
user
risk
network
data
event
Prior art date
Legal status
Pending
Application number
CN202211557720.9A
Other languages
Chinese (zh)
Inventor
侯秋均
秦利斌
沈捷
任丽娜
府正
Current Assignee
Hillstone Networks Co Ltd
Original Assignee
Hillstone Networks Co Ltd
Priority date
Filing date
Publication date
Application filed by Hillstone Networks Co Ltd
Priority to CN202211557720.9A
Publication of CN115883223A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and device for generating a user risk profile, an electronic device and a storage medium. The method comprises the following steps: receiving a network event data set, where the data types in the set include at least one of traffic data, risk events and vulnerability information, and each item of data in the set is associated with an IP address; associating each item of data with the user information in an online user list based on the IP address, and determining the network risk data associated with each user object; and generating a user risk profile corresponding to the user object based on the risk behavior labels corresponding to the network risk data. The invention solves the technical problem in the related art that network attack behavior cannot be accurately correlated during network risk assessment in scenarios with authenticated Internet access and dynamic IP allocation.

Description

Method and device for generating user risk profile, electronic device, storage medium

Technical field

The present invention relates to the field of network security, and in particular to a method and device for generating a user risk profile, an electronic device and a storage medium.

Background

With the rapid development of network technology, the importance of network security has become increasingly prominent, and situational awareness has begun to emerge in the network security field. To keep users' network assets secure, situational awareness products need to perform periodic network risk assessment (assessing the threat that attack activity poses to each asset in the current system, and the risk state of the network assets), so that network security administrators can promptly identify compromised and high-risk assets from the assessment results and apply targeted protection and handling to them.

In the related art, the basic network risk assessment workflow of a situational awareness product is as follows: collect data such as traffic, network threats and vulnerability-scan information reported by security devices, user terminals and the like in the network; normalize the data; then perform correlation analysis on the valid information in order to discover attack activity, and on that basis identify the source and type of the attack. This assessment method correlates the individual risk events in the network by IP address: it tallies threat events, vulnerabilities and other risk information per IP, groups together the attack-initiating and attack-suffering behaviors that occurred on the same IP address, and evaluates the health of the network assets on that basis.

However, this approach has the following drawback. In remote user accounting-and-authentication access scenarios, such as campus and enterprise networks, end users access the network with personal accounts and are then dynamically assigned IP addresses by DHCP or another service. The same IP address is often assigned to different devices of different users in different time periods, so network security administrators cannot promptly discover the correlation between risk events, locate the person actually responsible for a risky asset, or maintain and manage that asset in time.

No effective solution to the above problem has been proposed so far.

Summary of the invention

Embodiments of the present invention provide a method and device for generating a user risk profile, an electronic device and a storage medium, so as to at least solve the technical problem in the related art that network attack behavior cannot be accurately correlated during network risk assessment in scenarios with authenticated Internet access and dynamic IP allocation.

According to one aspect of an embodiment of the present invention, a method for generating a user risk profile is provided, applied to a situational awareness platform in a network security system and comprising: receiving a network event data set, where the data types in the set include at least one of traffic data, risk events and vulnerability information, and each item of data in the set is associated with an IP address; associating each item of data with the user information in an online user list based on the IP address, and determining the network risk data associated with each user object, where network risk data of different dimensions correspond to risk behavior labels; and generating, based on the risk behavior labels corresponding to the network risk data, a user risk profile corresponding to the user object, where the user risk profile is used to evaluate the health state of the user object's network assets.

Optionally, the online user list is generated as follows: receiving N authentication-accounting messages, where the messages are traffic messages produced by different user objects over a remote network in an accounting-and-authentication access scenario, and N is a positive integer greater than or equal to 1; parsing the authentication-accounting messages to obtain an IP address, a user identifier, a physical address, a user state and a timestamp, where the user state is one of online, offline and accounting update; constructing the online user list from the IP address, the user identifier, the physical address, the user state and the timestamp; and maintaining the user identifiers and user states associated with the different IP addresses in the online user list so as to update the user information in it.

Optionally, after receiving the network event data set, the method further comprises: extracting the data features of each item of data in the network event data set; filtering out the data whose features match a network risk feature set, to obtain a network risk data set; and storing the network risk data set and the online user list in a distributed database.

Optionally, the method for generating a user risk profile further comprises: using an attack chain detection engine to match network attack behavior patterns against the user information of multiple network event data items, determine complex threat events and extract the event features of those complex threat events; using a traffic detection engine to perform traffic analysis and abnormal behavior analysis on each user object's network traffic, and determine traffic risk features and abnormal behavior features; and integrating the event features of the complex threat events, the traffic risk features and the abnormal behavior features into the network risk feature set.

Optionally, after associating each item of data with the user information in the online user list based on the IP address and determining the network risk data associated with each user object, the method comprises: assigning a threat-event attack-type label to data whose features indicate a complex threat event, and determining the event level of that complex threat event; assigning a vulnerability information level to data whose features indicate vulnerability information; assigning a weak-password flag to data whose features indicate a password count below a preset threshold; and determining the network behavior risk level of the user object based on the threat-event attack-type label, the event level, the vulnerability information level and the weak-password flag.

Optionally, after associating each item of data with the user information in the online user list based on the IP address and determining the network risk data associated with each user object, the method comprises: establishing an event correlation between the threat events of each type produced by the terminal devices used by the user object and the vulnerability information found by scanning; and, where the event correlation indicates that a threat event targeting a target vulnerability has occurred on a terminal device, marking the user object as a compromised user and marking the terminal device as a risky terminal device.

Optionally, after generating the user risk profile corresponding to the user object based on the risk behavior labels corresponding to the network risk data, the method comprises: displaying a list of risky users for whom network risk data exist and the user risk profile of each user object in that list; and/or displaying each user object's network access state, the number of risky terminal devices held, the number of network attacks suffered and the network attack categories.

According to another aspect of the embodiments of the present invention, a device for generating a user risk profile is also provided, applied to a situational awareness platform in a network security system and comprising: a receiving unit for receiving a network event data set, where the data types in the set include at least one of traffic data, risk events and vulnerability information, and each item of data in the set is associated with an IP address; a determining unit for associating each item of data with the user information in an online user list based on the IP address and determining the network risk data associated with each user object, where network risk data of different dimensions correspond to risk behavior labels; and a generating unit for generating, based on the risk behavior labels corresponding to the network risk data, a user risk profile corresponding to the user object, where the user risk profile is used to evaluate the health state of the user object's network assets.

Optionally, the determining unit comprises: a first receiving module for receiving N authentication-accounting messages, where the messages are traffic messages produced by different user objects over a remote network in an accounting-and-authentication access scenario, and N is a positive integer greater than or equal to 1; a first parsing module for parsing the authentication-accounting messages to obtain an IP address, a user identifier, a physical address, a user state and a timestamp, where the user state is one of online, offline and accounting update; a first constructing module for constructing the online user list from the IP address, the user identifier, the physical address, the user state and the timestamp; and a first maintaining module for maintaining the user identifiers and user states associated with the different IP addresses in the online user list so as to update the user information in it.

Optionally, the device for generating a user risk profile further comprises: a first extracting module for extracting the data features of each item of data in the network event data set; a first filtering module for filtering out the data whose features match the network risk feature set, to obtain a network risk data set; and a first storage module for storing the network risk data set and the online user list in a distributed database.

Optionally, the device for generating a user risk profile further comprises: a first determining module for using an attack chain detection engine to match network attack behavior patterns against the user information of multiple network event data items, determine complex threat events and extract the event features of those complex threat events; a second determining module for using a traffic detection engine to perform traffic analysis and abnormal behavior analysis on each user object's network traffic and determine traffic risk features and abnormal behavior features; and a first integrating module for integrating the event features of the complex threat events, the traffic risk features and the abnormal behavior features into the network risk feature set.

Optionally, the device for generating a user risk profile further comprises: a third determining module for assigning a threat-event attack-type label to data whose features indicate a complex threat event and determining the event level of that complex threat event; a first indicating module for assigning a vulnerability information level to data whose features indicate vulnerability information; a first flagging module for assigning a weak-password flag to data whose features indicate a password count below a preset threshold; and a fourth determining module for determining the network behavior risk level of the user object based on the threat-event attack-type label, the event level, the vulnerability information level and the weak-password flag.

Optionally, the device for generating a user risk profile further comprises: a first establishing module for establishing an event correlation between the threat events of each type produced by the terminal devices used by the user object and the vulnerability information found by scanning; and a first marking module for, where the event correlation indicates that a threat event targeting a target vulnerability has occurred on a terminal device, marking the user object as a compromised user and marking the terminal device as a risky terminal device.

Optionally, the device for generating a user risk profile further comprises: a first display module for displaying a list of risky users for whom network risk data exist and the user risk profile of each user object in that list; and/or a second display module for displaying each user object's network access state, the number of risky terminal devices held, the number of network attacks suffered and the network attack categories.

According to another aspect of the embodiments of the present invention, an electronic device is also provided, comprising: a processor; and a memory for storing instructions executable by the processor, where the processor is configured to perform any one of the above methods for generating a user risk profile by executing the executable instructions.

According to another aspect of the embodiments of the present invention, a computer-readable storage medium is also provided, which comprises a stored computer program, where, when the computer program runs, it controls the device on which the computer-readable storage medium resides to perform any one of the above methods for generating a user risk profile.

In the present disclosure the following steps are adopted: a network event data set is received, where the data types in the set include at least one of traffic data, risk events and vulnerability information, and each item of data in the set is associated with an IP address; each item of data is associated with the user information in an online user list based on the IP address, and the network risk data associated with each user object are determined, where network risk data of different dimensions correspond to risk behavior labels; and, based on the risk behavior labels corresponding to the network risk data, a user risk profile corresponding to the user object is generated, where the user risk profile is used to evaluate the health state of the user object's network assets.

In the present disclosure, when the situational awareness platform has collected risk events, vulnerability information and traffic data, the risk data are associated with user information according to the user authentication-accounting message information and then stored; risk behavior labels are then established from data of different dimensions and a user risk profile is created. Through this profile, network attack behavior can be accurately correlated, the specific user located directly and notified in time to carry out network security maintenance, which solves the technical problem in the related art that network attack behavior cannot be accurately correlated during network risk assessment in scenarios with authenticated Internet access and dynamic IP allocation.

In the present disclosure, the online user information table is maintained by receiving and parsing raw RADIUS messages, which enriches the situational awareness platform's raw traffic data and detected threat and vulnerability information; on that basis, correlation analysis is carried out in the user and host dimensions to detect network risk events.

In the present disclosure, in scenarios with authenticated Internet access and dynamic IP allocation, multi-stage network attack activity can be guarded against, correlations between risk events discovered in time, the person actually responsible for a risky asset located, and the risky asset maintained and managed promptly.

Brief description of the drawings

The drawings described here are provided to give a further understanding of the present invention and form part of this application; the illustrative embodiments of the invention and their description serve to explain the invention and do not constitute an improper limitation of it. In the drawings:

Fig. 1 is a flowchart of an optional method for generating a user risk profile according to an embodiment of the present invention;

Fig. 2 is a schematic diagram of an optional system architecture for generating a user risk profile according to an embodiment of the present invention;

Fig. 3 is a schematic diagram of an optional device for generating a user risk profile according to an embodiment of the present invention;

Fig. 4 is a hardware block diagram of an electronic device (or mobile device) for a method for generating a user risk profile according to an embodiment of the present invention.

Detailed description

To enable those skilled in the art to better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the scope of protection of the present invention.

It should be noted that the terms "first", "second" and the like in the description, claims and drawings of the present invention are used to distinguish similar objects and need not describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of the invention described here can be practised in an order other than that illustrated or described here. Furthermore, the terms "comprise" and "have" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, and may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.

To help those skilled in the art understand the present invention, some of the terms used in the embodiments of the present invention are explained below:

RADIUS: a distributed information exchange protocol with a client/server structure. It specifies the procedure and message format for passing user information and accounting information between the client and the server, and is used to perform user authentication, authorization and accounting.

Kafka: a high-throughput distributed publish-subscribe messaging system that can handle all of a consumer's action-stream data on a website.

DGA domain: a domain name with high randomness generated by a DGA (Domain Generation Algorithm).

C&C server: short for command and control server; the central machine that controls hosts, processes information and dispatches tasks.

SMB protocol: SMB stands for Server Message Block, the name of a network protocol that can be used for Web connections and for communication between client and server; it is a communication protocol operating at the session layer, the presentation layer and a small part of the application layer.

It should be noted that the information (including but not limited to user device information and personal user information) and data (including but not limited to data for display and data for analysis) involved in this disclosure are all information and data authorized by the user or fully authorized by the parties concerned. For example, an interface is set up between this system and the relevant users or organizations; before the relevant information is obtained, an acquisition request is sent to that user or organization through the interface, and the information is obtained only after consent fed back by that user or organization has been received.

本发明可应用于各种态势感知系统/产品/装置中,提供远程用户计费认证上网场景下的用户风险行为画像方法,在态势感知平台收集或检测到风险事件、漏洞信息、流量数据时,根据用户认证计费报文信息将这些风险数据与用户信息进行关联后存储,然后根据不同维度的数据建立风险行为标签,创建用户风险画像,对各个用户的网络资产安全风险整体健康状态进行评估展示,实现在用户认证上网和动态I P分配的场景下,能够准确对网络攻击行为进行关联分析,并获取到具体的用户,从而及时提醒用户防范网络攻击。The present invention can be applied to various situation awareness systems/products/devices, and provides a user risk behavior portrait method in the remote user billing and authentication online scenario. When the situation awareness platform collects or detects risk events, vulnerability information, and traffic data, According to user authentication and billing message information, these risk data are associated with user information and stored, and then risk behavior labels are established based on data of different dimensions, user risk portraits are created, and the overall health status of each user's network asset security risk is evaluated and displayed , in the scenario of user authentication and dynamic IP allocation, it can accurately correlate network attack behaviors and obtain specific users, so as to remind users to prevent network attacks in time.

新型的高级威胁会在不同的阶段采取不同的网络攻击行为,在攻击实施过程中,网络安全产品采用入侵检测、病毒过滤、未知威胁检测、反垃圾邮件、关联分析等多维度的检测技术进行攻击行为检测和发现,以便实时采取一系列的减缓和防护措施,一旦高级威胁通过某些技术完成渗透,进入到攻击后阶段,可以通过网络流量分析、异常行为分析等技术进行风险资产定位、异常行为判定、溯源取证等。在远程用户认证计费上网的场景(如校园网络,用户可能在宿舍区域、实验室区域使用同一移动终端或者不同的终端设备通过有线或无线网络接入校园网),由于存在动态I P分配场景以及不同场馆I P段分配的不同,只通过原始网络流量的I P信息难以对网络事件进行完整有效的关联。New types of advanced threats will adopt different network attack behaviors at different stages. During the attack implementation process, network security products use multi-dimensional detection technologies such as intrusion detection, virus filtering, unknown threat detection, anti-spam, and correlation analysis. Behavior detection and discovery, so that a series of mitigation and protection measures can be taken in real time. Once advanced threats have penetrated through certain technologies and entered the post-attack stage, risk asset location and abnormal behavior can be located through network traffic analysis, abnormal behavior analysis and other technologies. Judgment, traceability and evidence collection, etc. In the scenario of remote user authentication and billing to access the Internet (such as a campus network, users may use the same mobile terminal or different terminal devices to access the campus network through a wired or wireless network in the dormitory area or laboratory area), due to the existence of dynamic IP allocation scenarios and Due to the different allocation of IP segments in different venues, it is difficult to completely and effectively correlate network events only through the IP information of the original network traffic.

本发明基于生成的用户风险画像,可以更加全面地检测并发现网络中的风险事件,协助网络安全管理人员在用户维度进行威胁事件的溯源,并且及时发现网络行为风险等级高的用户,定位到对应的人员。Based on the generated user risk profile, the present invention can more comprehensively detect and discover risk events in the network, assist network security managers to trace the source of threat events in the user dimension, and timely discover users with high network behavior risk levels, and locate corresponding staff.

The present invention is described in detail below with reference to the individual embodiments.

Embodiment One

According to an embodiment of the present invention, a method embodiment for generating a user risk profile is provided. It should be noted that the steps shown in the flowcharts of the accompanying drawings may be executed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be performed in an order different from the one given here.

Fig. 1 is a flowchart of an optional method for generating a user risk profile according to an embodiment of the present invention. As shown in Fig. 1, the method includes the following steps:

Step S102: receive a network event data set, where the data types in the network event data set include at least one of the following: traffic data, risk events and vulnerability information, and each piece of data in the network event data set is associated with an IP address;

Step S104: associate each piece of data with the user information in the online user list based on the IP address, and determine the network risk data associated with each user object, where network risk data of different dimensions correspond to risk behaviour labels;

Step S106: generate a user risk profile corresponding to the user object based on the risk behaviour labels corresponding to the network risk data, where the user risk profile is used to evaluate the health status of the user object's network assets.

Through the above steps, a network event data set is first received, where the data types in the network event data set include at least one of the following: traffic data, risk events and vulnerability information, and each piece of data in the network event data set is associated with an IP address. Each piece of data is then associated with the user information in the online user list based on the IP address, and the network risk data associated with each user object is determined, where network risk data of different dimensions correspond to risk behaviour labels. Finally, a user risk profile corresponding to the user object is generated based on the risk behaviour labels corresponding to the network risk data, where the user risk profile is used to evaluate the health status of the user object's network assets. In this embodiment, when the situational awareness platform has collected risk events, vulnerability information and traffic data, it associates this risk data with user information according to the user authentication and accounting packet information and stores the result, then builds risk behaviour labels from data of different dimensions and creates a user risk profile. With this profile, network attack behaviour can be correlated accurately, and a specific user can be located directly and notified in time to carry out network security maintenance. This solves the technical problem in the related art that, when network risk assessment is performed in the scenario of user-authenticated Internet access and dynamic IP allocation, network attack behaviour cannot be accurately correlated.

This embodiment is described in detail below with reference to the above implementation steps.

It should be noted that the implementing subject of the embodiment of the present invention is a situational awareness platform, in which the user risk profile generation system is deployed. The situational awareness platform can connect to various servers (for example, a RADIUS authentication server); user-related information can be transmitted to the situational awareness platform through such a server, and the user risk profile generation system receives the valid information and generates the user risk profile from it.

In many local area network environments, the IP address of a user terminal is dynamically allocated. Users may access the network from different terminals, carry the same mobile terminal into different venues, access the internal network through a VPN tunnel, and so on. In these situations the correspondence between IP address, terminal device and user changes constantly, which interferes with the situational awareness platform's judgement of network attack activity and its assessment of network asset risk status. User-authenticated Internet access is a widespread scenario for terminals joining a local area network, such as a campus network or an enterprise internal network: the end user enters an account name and password, the access device exchanges RADIUS protocol packets with the RADIUS server, and the user is granted network access after identity verification. Through the RADIUS server, the correspondence between IP address, terminal device and user in the network can be obtained.

It should be noted that before the network event data set is received, an online user list must first be created. The online user list is stored in a cache keyed by IP address to provide efficient query performance.

In the embodiment of the present invention, the online user list is generated by the following method: receive N authentication and accounting packets, where the authentication and accounting packets are traffic packets generated by different user objects over a remote network in the accounting-and-authentication Internet access scenario, and N is a positive integer greater than or equal to 1; parse the authentication and accounting packets to obtain the IP address, user identifier, physical address, user status and timestamp, where the user status includes: online, offline and accounting update; build the online user list based on the IP address, user identifier, physical address, user status and timestamp; and maintain the user identifiers and user statuses associated with the different IP addresses in the online user list so as to update the user information in the online user list.

Optionally, the server forwards the authentication and accounting packets to a designated port of the situational awareness platform. The situational awareness platform receives the raw packet information and stores it in a Kafka message component; a stream processing component reads the received raw packet information and, according to the RADIUS protocol, parses out the IP address, user name (corresponding to the user identifier above), MAC address (corresponding to the physical address above), user status, timestamp and other data, and creates the online user list from this data. The user status includes, but is not limited to: online, offline and accounting update. Table 1 uses the "online" user status to illustrate the content of the online user list.

Table 1 Online user list

| IP address | User name | MAC address | Online time |
|---|---|---|---|
| 10.0.0.1 | aaa | 00-00-00-00-00-01 | 2022-09-28 23:00 |
| 10.0.0.2 | bbb | 00-00-00-00-00-02 | 2022-09-28 22:00 |
| ... | ... | ... | ... |

After the online user list has been created, it is maintained according to the parsed packet fields. The specific maintenance rules are as follows: when a user comes online, a corresponding record is added to the online user list; when a user goes offline, the corresponding record is deleted from the online user list; the impact of lost and out-of-order packets is reduced through IP and MAC conflict handling, manual marking and timeout detection; if the target IP does not exist in the online user list, or the user name corresponding to the target IP is inconsistent with the one in the packet, the status is changed to online, otherwise the data is ignored; after a user comes online, any user device in the user table that may already hold that MAC address is taken offline according to the MAC address that came online; and the administrator is allowed to mark a specified user as offline through the interface, and users whose online session has timed out are periodically marked offline.

After the online user list has been generated, it can be stored in the cache with the IP address as the key (KEY) to provide efficient query performance. The situational awareness platform then receives the network event data set and parses it.

Step S102: receive a network event data set, where the data types in the network event data set include at least one of the following: traffic data, risk events and vulnerability information, and each piece of data in the network event data set is associated with an IP address.

In the embodiment of the present invention, after the network event data set has been received, the method further includes: extracting the data features of each piece of data in the network event data set; filtering out the data whose data features indicate that they match the network risk feature set, to obtain the network risk data set; and storing the network risk data set and the online user list in a distributed database.

It should be noted that after the situational awareness platform has collected the raw data in the network (corresponding to the network event data above), it performs feature extraction and behaviour analysis to obtain threat events, traffic data, host vulnerabilities and other information. Then, in the data stream processing module, the corresponding user information and host information are looked up by the IP address of the event data, the user and host information is filled into the event data, and the result is stored in the distributed database.

In the embodiment of the present invention, an attack chain detection engine matches network attack behaviour patterns according to the user information of multiple pieces of network event data, determines complex threat events and extracts the event features of the complex threat events; a traffic detection engine performs traffic analysis and abnormal-behaviour analysis on the network traffic of each user object and determines traffic risk features and abnormal-behaviour features; and the event features of the complex threat events, the traffic risk features and the abnormal-behaviour features are integrated into the network risk feature set.

It should be noted that after multiple pieces of network event data have been obtained, the situational awareness platform performs risk detection by correlating the network events through user information. The attack chain detection engine matches network attack behaviour patterns according to the user information of multiple network events and discovers complex threat events. For example, if a user's device queries DGA domain names and afterwards establishes connections to one or more file servers over the SMB protocol and reads and writes files, the host may have been infected with ransomware that queries domain names produced by a domain generation algorithm, stops querying once a valid C&C server is found, connects to file servers over SMB and encrypts sensitive data. The traffic detection engine performs traffic analysis and abnormal-behaviour analysis on the network traffic of a single user, including traffic threshold detection, traffic burst analysis and the like.

Step S104: associate each piece of data with the user information in the online user list based on the IP address, and determine the network risk data associated with each user object, where network risk data of different dimensions correspond to risk behaviour labels.

Optionally, the situational awareness platform aggregates risk events in the user information dimension, generates the user's risk behaviour labels, and scores the user's network-behaviour risk level.

In the embodiment of the present invention, after each piece of data has been associated with the user information in the online user list based on the IP address and the network risk data associated with each user object has been determined, the method includes: assigning a threat event attack type label to data whose data features indicate a complex threat event, and determining the event level of the complex threat event; assigning a vulnerability information level to data whose data features indicate vulnerability information; assigning a weak-password flag to data whose data features indicate that the password count is below a preset count threshold; and determining the network-behaviour risk level of the user object based on the threat event attack type labels, event levels, vulnerability information levels and weak-password flags.

In the embodiment of the present invention, after each piece of data has been associated with the user information in the online user list based on the IP address and the network risk data associated with each user object has been determined, the method includes: establishing an event correlation between the threat events of each type generated by the terminal device used by the user object and the scanned vulnerability information; and, where the event correlation indicates that a threat event targeting a target vulnerability has occurred on the terminal device, marking the user object as a compromised user and marking the terminal device as a risk terminal device.

It should be noted that the situational awareness platform processes the risk data through scheduled tasks, compiles statistics on the threat event attack type labels, threat event levels, vulnerability information levels and number of weak passwords generated on the user's devices, scores the risk level of the user's network behaviour from this data, and stores the information in the database.

The user's threat events are correlated with the scanned vulnerability information; if a threat event targeting a particular vulnerability has occurred, the user object is marked as a compromised user.

Step S106: generate a user risk profile corresponding to the user object based on the risk behaviour labels corresponding to the network risk data, where the user risk profile is used to evaluate the health status of the user object's network assets.

In the embodiment of the present invention, after the user risk profile corresponding to the user object has been generated based on the risk behaviour labels corresponding to the network risk data, the method includes: displaying a risk user list of the users with network risk data and the user risk profile of each user object in the risk user list; and/or displaying the network access status of each user object, the number of risk terminal devices held, the number of network attacks suffered and the network attack categories.

It should be noted that after the user risk profile corresponding to the user object has been generated, the list of risk users in the intranet is displayed through a visualisation page; it can be sorted by risk level and shows the user's compromise status, the number of risk devices held, the number and categories of network attacks the user has suffered, and so on. Alert information is sent to the relevant users in time to notify them to guard against network attacks.

Through the above embodiment, in the scenario of user-authenticated Internet access and dynamic IP allocation, network attack behaviour can be correlated more accurately using user and host information, and multi-stage network attack activity can be guarded against. Threat events and vulnerability information are aggregated in the user dimension to display the risk level and compromise status of user assets, so network security administrators can locate a specific user directly through the risk user list of the situational awareness platform and notify the user to maintain and upgrade the terminal.

The present invention is described below with reference to a more specific embodiment.

Fig. 2 is a schematic diagram of an optional system architecture for generating a user risk profile according to an embodiment of the present invention. As shown in Fig. 2, when the embodiment of the present invention performs network risk assessment, the packet receiving component of the situational awareness platform receives packets and stores the raw packet information in a message queue; the packets are then parsed (illustrated in Fig. 2 as RADIUS packet parsing) and the data is normalised to obtain user online/offline information, which is transmitted to the user list maintenance module; the list information is updated and transmitted to the cache component for storage. Online user information can be queried through the user list and displayed on the visualisation interface. The correlation query module can query user information through the cache component, performs correlation queries based on threat events, vulnerability scan events (abbreviated as vulnerability-scan events in Fig. 2) and traffic information (the correlation queries are performed through the correlation detection engine), stores the risk information, and at the same time provides aggregated risk information assessment to generate a risk profile table, which is displayed through the visualisation interface.

When performing a network asset security risk assessment, the following steps may specifically be included:

Step 1: the RADIUS authentication server forwards the authentication and accounting packets to a designated port of the situational awareness platform; the situational awareness platform receives the raw packet information and stores it in the Kafka message component;

Step 2: the stream processing component reads the received raw packet information and parses out the IP address, user name, MAC address, user status, timestamp and other data according to the RADIUS protocol;

Step 3: maintain the online user table according to the parsed packet fields;

In maintaining the online user table, the maintenance policy includes the following. The user status in the packet information includes online, offline, accounting update and the like. When a user comes online, a corresponding record is added to the online user table; when a user goes offline, the corresponding record is deleted from the online user table; and the impact of lost and out-of-order packets is reduced through IP and MAC conflict handling, manual marking and timeout detection. For accounting update data: if the target IP does not exist in the online user table, or the user name corresponding to the target IP is inconsistent with the one in the packet, the status is changed to online, otherwise the data is ignored. After a user comes online, any user device in the user table that may already hold that MAC address is taken offline according to the MAC address that came online. The administrator is allowed to mark a specified user as offline through the interface, and users whose online session has timed out are periodically marked offline.
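Steps 2 and 3 above (and the matching passage in Embodiment One) describe parsing the RADIUS accounting packets and the maintenance policy for the online user table. The following Python example is added here and is not code from the patent or from Hillstone Networks. It implements both parts: a minimal Accounting-Request parser using the standard RADIUS attribute codes (User-Name, Framed-IP-Address, Calling-Station-Id, Acct-Status-Type, Event-Timestamp) and an IP-keyed table that applies the online/offline/accounting-update rules, the MAC-conflict eviction, manual offline marking and timeout expiry. The packet builder, the sample user names, IP addresses, MAC addresses and timestamps are constructed for the demo, and the session timeout value is an assumption.

```python
"""Added example: RADIUS Accounting-Request parsing plus an IP-keyed online-user table."""
import struct

# RADIUS attribute type codes (RFC 2865/2866/2869) and Acct-Status-Type values (RFC 2866).
ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 8, 31
ACCT_STATUS_TYPE, EVENT_TIMESTAMP = 40, 55
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3
STATUS_NAMES = {ACCT_START: "online", ACCT_STOP: "offline", ACCT_INTERIM_UPDATE: "accounting-update"}


def build_accounting_request(username, ip, mac, status, ts, ident=0):
    """Constructed sample packet for the demo. A real NAS builds these with a real
    Request Authenticator; the 16 zero bytes here only stand in for it."""
    avps = (bytes([USER_NAME, 2 + len(username)]) + username.encode()
            + bytes([FRAMED_IP_ADDRESS, 6]) + bytes(int(o) for o in ip.split("."))
            + bytes([CALLING_STATION_ID, 2 + len(mac)]) + mac.encode()
            + bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
            + bytes([EVENT_TIMESTAMP, 6]) + struct.pack("!I", ts))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(avps)) + bytes(16) + avps


def parse_accounting_request(packet):
    """Return ip, user, mac, status and ts from an Accounting-Request; reject malformed AVPs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    fields, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:  # truncated or overlapping attribute
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == USER_NAME:
            fields["user"] = value.decode(errors="replace")
        elif atype == FRAMED_IP_ADDRESS and len(value) == 4:
            fields["ip"] = ".".join(str(b) for b in value)
        elif atype == CALLING_STATION_ID:
            fields["mac"] = value.decode(errors="replace").upper()
        elif atype == ACCT_STATUS_TYPE and len(value) == 4:
            fields["status"] = STATUS_NAMES.get(struct.unpack("!I", value)[0], "other")
        elif atype == EVENT_TIMESTAMP and len(value) == 4:
            fields["ts"] = struct.unpack("!I", value)[0]
        pos += alen
    return fields


class OnlineUserTable:
    """Online-user list keyed by IP (the cache behind Table 1) with the maintenance rules."""

    def __init__(self, session_timeout=8 * 3600):  # timeout value is an assumption
        self.by_ip = {}
        self.session_timeout = session_timeout

    def _bring_online(self, rec):
        # A MAC that comes online evicts any other IP still holding it (roaming or lost Stop).
        mac = rec.get("mac")
        for ip in [ip for ip, r in self.by_ip.items() if r["mac"] == mac and ip != rec["ip"]]:
            del self.by_ip[ip]
        self.by_ip[rec["ip"]] = {"user": rec.get("user"), "mac": mac, "online_since": rec.get("ts", 0)}

    def apply(self, rec):
        if "ip" not in rec:  # nothing to key on; cannot maintain the table from it
            return
        status = rec.get("status")
        if status == "online":
            self._bring_online(rec)
        elif status == "offline":
            self.by_ip.pop(rec["ip"], None)
        elif status == "accounting-update":
            cur = self.by_ip.get(rec["ip"])
            # Unknown IP or a different user name means the Start was lost: treat as online.
            if cur is None or cur["user"] != rec.get("user"):
                self._bring_online(rec)
        # any other status is ignored

    def mark_offline(self, ip):
        """Manual administrator action."""
        return self.by_ip.pop(ip, None) is not None

    def expire(self, now):
        """Scheduled sweep: drop sessions online longer than the timeout; returns evicted IPs."""
        stale = [ip for ip, r in self.by_ip.items() if now - r["online_since"] > self.session_timeout]
        for ip in stale:
            del self.by_ip[ip]
        return stale

    def lookup(self, ip):
        return self.by_ip.get(ip)


def demo():
    """Feed a constructed sequence (lost Start, roaming MAC, Stop) through the table."""
    t0 = 1664377200  # constructed timestamp
    table = OnlineUserTable(session_timeout=3600)
    for pkt in (build_accounting_request("aaa", "10.0.0.1", "00-00-00-00-00-01", ACCT_START, t0),
                build_accounting_request("bbb", "10.0.0.2", "00-00-00-00-00-02", ACCT_INTERIM_UPDATE, t0 + 60),
                build_accounting_request("aaa", "10.0.0.3", "00-00-00-00-00-01", ACCT_START, t0 + 120),
                build_accounting_request("bbb", "10.0.0.2", "00-00-00-00-00-02", ACCT_STOP, t0 + 180)):
        table.apply(parse_accounting_request(pkt))
    return table
```

In `demo()` the interim update for `bbb` arrives without a preceding Start and is treated as online, the second Start for `aaa` on a new IP evicts the stale `10.0.0.1` entry because the MAC matches, and the Stop removes `bbb`, so only `10.0.0.3` remains. The parser rejects a packet whose length field does not match its size and any attribute that overruns the packet, which is the check a stream consumer needs before trusting forwarded accounting data.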

Step 4: the online user information is stored in the cache component with the IP address as the key (KEY) to provide efficient query performance. After the situational awareness platform has collected the raw data in the network, it performs feature extraction and behaviour analysis to obtain threat events, traffic data, host vulnerabilities and other information; then, in the data stream processing module, the corresponding user information and host information are looked up by the IP address of the event data, the user and host information is filled into the event data, and the result is stored in the distributed database;

Step 5: the situational awareness platform performs risk detection by correlating network events through user information;

The attack chain detection engine matches network attack behaviour patterns according to the user information of multiple network events and discovers complex threat events. For example, if a user's device queries DGA domain names and afterwards also establishes connections to one or more file servers over the SMB protocol and reads and writes files, the host may have been infected with ransomware that queries domain names produced by a domain generation algorithm, stops querying once a valid C&C server is found, connects to file servers over SMB and encrypts sensitive data.

The traffic detection engine performs traffic analysis and abnormal-behaviour analysis on the network traffic of a single user, including traffic threshold detection, traffic burst analysis and the like.
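Step 5 describes looking up the user behind each event's IP and then running the attack chain engine (DGA lookups followed by SMB file activity) and the traffic engine (threshold and burst detection) per user. The following Python example is added here and is not code from the patent or from Hillstone Networks; it enriches a constructed event list with user identity from a constructed online-user snapshot and applies both checks per user rather than per IP. The event schema, the one-hour correlation window, the byte threshold and the burst factor are assumptions.

```python
"""Added example: enrich events by IP and run per-user attack chain and traffic checks."""
from collections import defaultdict

# Constructed snapshot of the IP-keyed online-user cache.
ONLINE_USERS = {
    "10.0.0.1": {"user": "aaa", "mac": "00-00-00-00-00-01"},
    "10.0.0.2": {"user": "bbb", "mac": "00-00-00-00-00-02"},
}

# Constructed events from the traffic/IDS engines (ts in seconds). dga=True means the DNS
# engine already classified the name as algorithmically generated; names are placeholders.
EVENTS = [
    {"ts": 100, "ip": "10.0.0.1", "type": "dns_query", "name": "xk3j9qp2w.example", "dga": True},
    {"ts": 130, "ip": "10.0.0.1", "type": "dns_query", "name": "z8q1mw0ea.example", "dga": True},
    {"ts": 400, "ip": "10.0.0.1", "type": "smb_write", "server": "fs01", "path": "share/q3.docx"},
    {"ts": 410, "ip": "10.0.0.1", "type": "smb_write", "server": "fs02", "path": "share/hr.xlsx"},
    {"ts": 150, "ip": "10.0.0.2", "type": "smb_write", "server": "fs01", "path": "share/notes.txt"},
    {"ts": 200, "ip": "10.0.0.9", "type": "dns_query", "name": "update.example", "dga": False},
]

# Constructed per-minute byte counts per user for the traffic engine.
TRAFFIC = {
    "aaa": [1_000_000, 1_200_000, 900_000, 48_000_000, 52_000_000],
    "bbb": [500_000, 600_000, 550_000, 580_000, 600_000],
}


def enrich(events, online_users):
    """Attach user and MAC to each event via the IP lookup. Unknown IPs keep user=None so
    the host-level record is preserved instead of being dropped."""
    enriched = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        rec = online_users.get(ev["ip"])
        enriched.append({**ev, "user": rec["user"] if rec else None,
                         "mac": rec["mac"] if rec else None})
    return enriched


def detect_dga_then_smb(enriched, window=3600):
    """Per user: DGA lookups followed within `window` seconds by SMB writes to file servers.
    Returns one finding per matching user (the 'complex threat event' of the text)."""
    by_user = defaultdict(list)
    for ev in enriched:
        if ev["user"] is not None:
            by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        dga_ts = [e["ts"] for e in evs if e["type"] == "dns_query" and e.get("dga")]
        if not dga_ts:
            continue
        first = min(dga_ts)
        writes = [e for e in evs if e["type"] == "smb_write" and first < e["ts"] <= first + window]
        if writes:
            findings.append({"user": user, "pattern": "dga_then_smb_write",
                             "dga_queries": len(dga_ts),
                             "file_servers": sorted({e["server"] for e in writes}),
                             "first_ts": first})
    return findings


def detect_traffic_anomalies(traffic, threshold, burst_factor=10.0):
    """Per user: flag minutes above an absolute byte threshold, and bursts where a minute
    exceeds burst_factor times the previous minute. Returns (user, minute_index, kind)."""
    alerts = []
    for user, series in traffic.items():
        for i, b in enumerate(series):
            if b > threshold:
                alerts.append((user, i, "threshold"))
            if i > 0 and series[i - 1] > 0 and b > burst_factor * series[i - 1]:
                alerts.append((user, i, "burst"))
    return alerts
```

Keying the chain match on the user rather than the IP is the point of the text: if `aaa` had re-authenticated on a new IP between the DNS queries and the SMB writes, an IP-keyed rule would see two unrelated hosts, while the user-keyed rule above still joins them. The unknown IP `10.0.0.9` is kept with `user=None` so it can still be reported at host level.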

Step 6: the situational awareness platform processes the risk data through scheduled tasks, generates user risk profiles and evaluates the users' network risk status;

Statistics are compiled on the threat event attack type labels, threat event levels, vulnerability information levels and number of weak passwords generated on the user's devices; the risk level of the user's network behaviour is scored from this data, and the information is stored in the database.

The user's threat events are correlated with the scanned vulnerability information; if a threat event targeting a particular vulnerability has occurred, the user is marked as a compromised user.
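Step 6 lists the inputs to the per-user score (attack type labels, event levels, vulnerability levels, weak-password count) and the compromised-user rule, but not the weights or bands. The following Python example is added here and is not code from the patent or from Hillstone Networks; it builds a risk profile per user from constructed inputs that have already been enriched with user and MAC, applies the compromised-user rule, and orders the results into the risk user list of step 7. The level weights, the score bands and the placeholder vulnerability identifiers are assumptions.

```python
"""Added example: per-user risk labels, score, risk band and compromised marking."""

# Assumed weights and bands; the page gives the inputs but not the scoring formula.
EVENT_LEVEL_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}
VULN_LEVEL_WEIGHT = {"low": 1, "medium": 2, "high": 4, "critical": 8}
WEAK_PASSWORD_WEIGHT = 2
RISK_BANDS = [(30, "critical"), (15, "high"), (5, "medium"), (0, "low")]

# Constructed inputs. target_vuln is the vulnerability id the detection signature maps to;
# the ids are placeholders, not real advisories.
THREAT_EVENTS = [
    {"user": "aaa", "mac": "00-00-00-00-00-01", "attack_type": "exploit",
     "level": "high", "target_vuln": "VULN-PLACEHOLDER-1"},
    {"user": "aaa", "mac": "00-00-00-00-00-01", "attack_type": "c2_beacon",
     "level": "critical", "target_vuln": None},
    {"user": "bbb", "mac": "00-00-00-00-00-02", "attack_type": "exploit",
     "level": "medium", "target_vuln": "VULN-PLACEHOLDER-2"},
]
VULN_SCAN = [
    {"user": "aaa", "mac": "00-00-00-00-00-01", "vuln_id": "VULN-PLACEHOLDER-1", "level": "high"},
    {"user": "bbb", "mac": "00-00-00-00-00-02", "vuln_id": "VULN-PLACEHOLDER-3", "level": "low"},
]
WEAK_PASSWORDS = {"aaa": 1, "bbb": 0}  # weak-password count per user


def risk_band(score):
    """Map a numeric score to the assumed risk level bands."""
    for floor, name in RISK_BANDS:
        if score >= floor:
            return name
    return "low"


def build_profile(user, events, vulns, weak_password_count):
    """Aggregate one user's events, scan results and weak-password count into a profile."""
    labels = sorted({e["attack_type"] for e in events})
    score = (sum(EVENT_LEVEL_WEIGHT[e["level"]] for e in events)
             + sum(VULN_LEVEL_WEIGHT[v["level"]] for v in vulns)
             + WEAK_PASSWORD_WEIGHT * weak_password_count)
    # Compromised: a threat event targets a vulnerability the scan found on the same device.
    present = {(v["mac"], v["vuln_id"]) for v in vulns}
    risk_devices = sorted({e["mac"] for e in events
                           if e["target_vuln"] and (e["mac"], e["target_vuln"]) in present})
    return {"user": user, "labels": labels, "score": score, "risk_level": risk_band(score),
            "compromised": bool(risk_devices), "risk_devices": risk_devices,
            "attack_count": len(events)}


def build_all_profiles(events, vulns, weak):
    """Profiles for every user seen in any input, sorted as the risk user list (highest first)."""
    users = {e["user"] for e in events} | {v["user"] for v in vulns} | set(weak)
    profiles = [build_profile(u, [e for e in events if e["user"] == u],
                              [v for v in vulns if v["user"] == u], weak.get(u, 0))
                for u in users]
    return sorted(profiles, key=lambda p: p["score"], reverse=True)
```

Note that `bbb` is not marked compromised even though an exploit event was seen: the event targets a vulnerability the scan did not find on that device, which is exactly the distinction the text draws between a risk event and a compromised user. `aaa` is marked because the exploit event and the scan result agree on both device and vulnerability.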

Step 7: the list of risk users in the intranet is displayed through a visualisation page; it can be sorted by risk level and shows the user's compromise status, the number of risk devices held, the number and categories of network attacks the user has suffered, and so on.

Through the above embodiment, the online user information table is maintained by receiving and parsing raw RADIUS packets, enriching the situational awareness platform's raw traffic data and the detected threat and vulnerability information. On this basis, correlation analysis is performed in the user and host dimensions to detect network risk events, and the risk events are aggregated in the user information dimension to generate the user's risk behaviour labels, locate the specific user and score the user's network-behaviour risk level.

The present invention is described below with reference to another optional embodiment.

Embodiment Two

This embodiment provides a device for generating a user risk profile; each implementation unit included in the device corresponds to an implementation step in Embodiment One.

Fig. 3 is a schematic diagram of an optional device for generating a user risk profile according to an embodiment of the present invention. As shown in Fig. 3, it includes a receiving unit 30, a determining unit 32 and a generating unit 34, where:

the receiving unit 30 is configured to receive a network event data set, where the data types in the network event data set include at least one of the following: traffic data, risk events and vulnerability information, and each piece of data in the network event data set is associated with an IP address;

the determining unit 32 is configured to associate each piece of data with the user information in the online user list based on the IP address, and to determine the network risk data associated with each user object, where network risk data of different dimensions correspond to risk behaviour labels;

the generating unit 34 is configured to generate a user risk profile corresponding to the user object based on the risk behaviour labels corresponding to the network risk data, where the user risk profile is used to evaluate the health status of the user object's network assets.

In the above device for generating a user risk profile, the receiving unit 30 receives a network event data set, where the data types in the network event data set include at least one of the following: traffic data, risk events and vulnerability information, and each piece of data in the network event data set is associated with an IP address; the determining unit 32 associates each piece of data with the user information in the online user list based on the IP address and determines the network risk data associated with each user object, where network risk data of different dimensions correspond to risk behaviour labels; and the generating unit 34 generates a user risk profile corresponding to the user object based on the risk behaviour labels corresponding to the network risk data, where the user risk profile is used to evaluate the health status of the user object's network assets. In this embodiment, when the situational awareness platform has collected risk events, vulnerability information and traffic data, it associates this risk data with user information according to the user authentication and accounting packet information and stores the result, then builds risk behaviour labels from data of different dimensions and creates a user risk profile. With this profile, network attack behaviour can be correlated accurately, and a specific user can be located directly and notified in time to carry out network security maintenance. This solves the technical problem in the related art that, when network risk assessment is performed in the scenario of user-authenticated Internet access and dynamic IP allocation, network attack behaviour cannot be accurately correlated.

It should be noted that the implementing subject of the embodiment of the present invention is a situational awareness platform, in which the user risk profile generation system is deployed. The situational awareness platform is connected to the authentication server; user-related information can be transmitted to the situational awareness platform through the server, and the user risk profile generation system receives the valid information and generates the user risk profile from it.

In many local area network environments the IP addresses of user terminals are assigned dynamically: a user may access the network from different terminals, carry the same mobile terminal into different venues, access the internal network over a VPN tunnel, and so on. In these situations the correspondence between IP address, terminal device and user changes constantly, which interferes with the situational awareness platform's judgement of network attack activity and its assessment of the risk status of network assets. Authenticated Internet access is a widespread scenario for terminals joining a local area network, for example in campus networks and enterprise intranets: the end user enters an account and password, the access device and the RADIUS server exchange RADIUS protocol messages, and the user is granted network access after the identity check. The correspondence between IP address, terminal device and user in the network can therefore be obtained from the RADIUS server.

Optionally, the determining unit 32 includes: a first receiving module for receiving N authentication and accounting messages, where the authentication and accounting messages are traffic messages generated by different user objects over a remote network in an accounting-and-authentication Internet access scenario, and N is a positive integer greater than or equal to 1; a first parsing module for parsing the authentication and accounting messages to obtain the IP address, user identifier, physical address, user status and timestamp, where the user status includes: online, offline and accounting update; a first construction module for building the online user list from the IP address, user identifier, physical address, user status and timestamp; and a first maintenance module for maintaining the user identifiers and user statuses associated with the different IP addresses in the online user list, so as to update the user information in the online user list.

Optionally, the RADIUS authentication server forwards the authentication and accounting messages to a designated port of the situational awareness platform. The platform receives the raw message information and stores it in a Kafka message component; a stream processing component reads the received raw messages, parses out the IP address, user name (corresponding to the user identifier above), MAC address (corresponding to the physical address above), user status, timestamp and other fields according to the RADIUS protocol, and creates the online user list from these fields, where the user status includes but is not limited to: online, offline and accounting update.

After the online user list has been created, it is maintained according to the parsed message fields. The specific maintenance rules are as follows: when a user comes online, the corresponding record is added to the online user list; when a user goes offline, the corresponding record is deleted from the list; the impact of lost and out-of-order messages is reduced through IP and MAC conflict handling, manual marking and timeout detection; if the target IP is not present in the online user list, or the user name recorded for the target IP does not match the one in the message, the status is changed to online, otherwise the data is ignored; after a user comes online, any user device in the user table that may already hold that MAC address is taken offline based on the MAC address of the new session; and the administrator is allowed to mark a specified user as offline through the interface, while users whose online session has timed out are periodically marked offline.

Once the online user list is generated, it is stored in a cache keyed by IP to provide efficient lookups, and the situational awareness platform then receives the network event data set and parses it.

Optionally, the user risk profile generation device further includes: a first extraction module for extracting the data features of each piece of data in the network event data set; a first screening module for screening out the data whose data features indicate a match with the network risk feature set, to obtain the network risk data set; and a first storage module for storing the network risk data set and the online user list in a distributed database.

It should be noted that after the situational awareness platform collects the raw data in the network (corresponding to the network event data above), it performs feature extraction and behaviour analysis to obtain threat events, traffic data, host vulnerabilities and similar information. In the data stream processing module it then queries the corresponding user information and host information by the IP address of each event, completes the event data with the user and host information, and stores the result in the distributed database.
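The online user list maintenance rules described above (add on online, delete on offline, ignore a repeated or stale message, evict a conflicting MAC, manual offline marking, timeout detection) and the IP-keyed enrichment of events, as an added example that is not the patent's own code. It models accounting records as already-parsed dicts with constructed sample values rather than decoding real RADIUS packets, and refreshing the liveness timestamp on an accounting update is this example's assumption.

```python
"""Online user list keyed by IP, maintained from parsed RADIUS accounting records.

Added example, not the patent's code. Records are already-parsed dicts with
constructed sample values; no real RADIUS packets are decoded here.
"""
from dataclasses import dataclass

# User status values as the text names them: online, offline, accounting update.
ONLINE, OFFLINE, UPDATE = "online", "offline", "update"


@dataclass
class OnlineUser:
    user_id: str
    mac: str
    last_seen: int  # timestamp of the newest record applied to this entry


class OnlineUserList:
    """IP -> OnlineUser, so enriching an event is a single dict lookup."""

    def __init__(self, timeout_seconds):
        self.timeout = timeout_seconds
        self.by_ip = {}

    def apply(self, rec):
        """Apply one parsed accounting record with keys ip, user, mac, status, ts."""
        ip, user, mac, ts = rec["ip"], rec["user"], rec["mac"], rec["ts"]
        current = self.by_ip.get(ip)
        if rec["status"] == OFFLINE:
            # Delete only if the record refers to the user currently holding the IP;
            # a late Stop for a previous session must not evict the new user.
            if current is not None and current.user_id == user:
                del self.by_ip[ip]
            return
        if current is None or current.user_id != user:
            # Unknown IP, or IP now used by a different user: treat as online.
            # MAC conflict rule: the same device appearing on another IP means its
            # old entry is stale (its Stop record was probably lost), so drop it.
            for stale_ip in [i for i, u in self.by_ip.items() if u.mac == mac and i != ip]:
                del self.by_ip[stale_ip]
            self.by_ip[ip] = OnlineUser(user, mac, ts)
        else:
            # Same user on the same IP: ignored, except that the liveness timestamp
            # is refreshed so timeout detection works (this example's assumption).
            current.last_seen = max(current.last_seen, ts)

    def mark_offline(self, user_id):
        """Administrator action from the text: force a named user offline."""
        for ip in [i for i, u in self.by_ip.items() if u.user_id == user_id]:
            del self.by_ip[ip]

    def expire(self, now):
        """Scheduled timeout detection: drop entries not refreshed within the timeout."""
        for ip in [i for i, u in self.by_ip.items() if now - u.last_seen > self.timeout]:
            del self.by_ip[ip]

    def enrich(self, event):
        """Complete a network event with the user information found by its IP."""
        u = self.by_ip.get(event["ip"])
        return {**event, "user": u.user_id if u else None, "mac": u.mac if u else None}


# Constructed sample records: alice's Stop on 10.0.0.5 is lost, bob takes the IP,
# alice's Stop then arrives late and out of order, and bob's device moves IP.
SAMPLE_RECORDS = [
    {"ip": "10.0.0.5", "user": "alice", "mac": "aa:aa:aa:aa:aa:01", "status": ONLINE, "ts": 100},
    {"ip": "10.0.0.5", "user": "alice", "mac": "aa:aa:aa:aa:aa:01", "status": UPDATE, "ts": 160},
    {"ip": "10.0.0.5", "user": "bob", "mac": "bb:bb:bb:bb:bb:02", "status": ONLINE, "ts": 200},
    {"ip": "10.0.0.5", "user": "alice", "mac": "aa:aa:aa:aa:aa:01", "status": OFFLINE, "ts": 250},
    {"ip": "10.0.0.9", "user": "bob", "mac": "bb:bb:bb:bb:bb:02", "status": ONLINE, "ts": 300},
    {"ip": "10.0.0.7", "user": "carol", "mac": "cc:cc:cc:cc:cc:03", "status": ONLINE, "ts": 400},
]


def build_sample_list(timeout_seconds=600):
    """Replay the constructed records and return the resulting online user list."""
    users = OnlineUserList(timeout_seconds)
    for rec in SAMPLE_RECORDS:
        users.apply(rec)
    return users


if __name__ == "__main__":
    users = build_sample_list()
    print(users.enrich({"ip": "10.0.0.9", "type": "threat_alert"}))  # attributed to bob
    print(users.enrich({"ip": "10.0.0.5", "type": "threat_alert"}))  # no longer attributed
```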

Optionally, the user risk profile generation device further includes: a first determination module for using an attack chain detection engine to match network attack behaviour patterns against the user information of multiple network event records, determine complex threat events and extract the event features of the complex threat events; a second determination module for using a traffic detection engine to perform traffic analysis and abnormal behaviour analysis on the network traffic of each user object and determine traffic risk features and abnormal behaviour features; and a first integration module for integrating the event features of the complex threat events, the traffic risk features and the abnormal behaviour features into the network risk feature set.

It should be noted that after obtaining multiple network event records, the situational awareness platform performs risk detection by correlating the network events through the user information, and uses the attack chain detection engine to match network attack behaviour patterns against the user information of the multiple network events in order to discover complex threat events. For example, if a user device queries DGA domain names and then establishes connections to one or more file servers over the SMB protocol and reads and writes files, the host may have been infected with ransomware: it queries domain names produced by a domain generation algorithm, and once a valid C&C server is found it stops querying, connects to the file servers over SMB and encrypts sensitive data. The traffic detection engine performs traffic analysis and abnormal behaviour analysis on the network traffic of an individual user, including traffic threshold detection, sudden traffic change analysis and the like.

Optionally, the user risk profile generation device further includes: a third determination module for assigning a threat event attack type label to data whose data features indicate a complex threat event and determining the event level of the complex threat event; a first indication module for assigning a vulnerability information level to data whose data features indicate vulnerability information; a first identification module for assigning a weak password identifier to data whose data features indicate that the password count is below a preset count threshold; and a fourth determination module for determining the network behaviour risk level of the user object based on the threat event attack type label, the event level, the vulnerability information level and the weak password identifier.

In the embodiments of the present invention, risk events are aggregated along the user information dimension to generate the user's risk behaviour labels and to score the user's network behaviour risk level, so that the user can be notified to take the corresponding action against network threats.

It should be noted that the situational awareness platform processes the risk data through scheduled tasks: it compiles statistics on the threat event attack type labels, threat event levels, vulnerability information levels and the number of weak passwords produced on the user's devices, scores the risk level of the user's network behaviour from these data, and stores the information in the database. The threat events that occurred for the user are correlated with the vulnerability information found by scanning; if a threat event targeting a particular vulnerability is generated, the user is marked as a compromised user.

Optionally, the user risk profile generation device further includes: a first establishing module for establishing an event association between the various types of threat events generated by the user object's terminal devices and the vulnerability information found by scanning; and a first marking module for marking the user object as a compromised user and the terminal device as a risk terminal device when the event association indicates that a threat event targeting a target vulnerability has occurred on the terminal device.
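The per-user attack chain correlation (a DGA query followed by SMB file writes), the aggregation of attack type labels, event levels, vulnerability levels and weak-password counts into a network behaviour risk level, and the compromised-user marking described in the preceding paragraphs, as one added example that is not the patent's own code. The 600-second chain window, the level weights and the level thresholds are this example's assumptions (the patent gives no concrete formula), and every event, server name and vulnerability id below is constructed sample data.

```python
"""Attack chain correlation and user risk level scoring over user-attributed events.

Added example, not the patent's code. The time window, level weights and
thresholds are assumptions; all events, servers and vulnerability ids are
constructed sample data (VULN-SAMPLE-* are placeholders).
"""
from collections import defaultdict

CHAIN_WINDOW = 600                                  # seconds from DGA query to SMB write (assumed)
LEVEL_WEIGHT = {"low": 1, "medium": 3, "high": 5}   # assumed weight per event/vulnerability level


def detect_ransomware_chains(events):
    """Attack chain detection: per user, a DGA-like DNS query followed within the
    window by SMB file writes to one or more file servers."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("user"):                # unattributed events cannot join any user's chain
            by_user[e["user"]].append(e)
    threats = []
    for user, evs in by_user.items():
        dga_ts, servers = None, set()
        for e in sorted(evs, key=lambda x: x["ts"]):
            if e["type"] == "dns_query" and e.get("dga"):
                dga_ts = e["ts"]         # the newest DGA query opens the window
            elif e["type"] == "smb_write" and dga_ts is not None and e["ts"] - dga_ts <= CHAIN_WINDOW:
                servers.add(e["server"])
        if servers:
            threats.append({"user": user, "attack_type": "ransomware_chain",
                            "level": "high" if len(servers) > 1 else "medium",
                            "targets_vuln": None, "file_servers": sorted(servers)})
    return threats


def collect_threats(events):
    """Complex threat events from the chain engine plus single-event threat alerts."""
    threats = detect_ransomware_chains(events)
    for e in events:
        if e["type"] == "threat_alert" and e.get("user"):
            threats.append({"user": e["user"], "attack_type": e["attack_type"],
                            "level": e["level"], "targets_vuln": e.get("targets_vuln"),
                            "file_servers": []})
    return threats


def score_user(threats, vulns, weak_password_count):
    """Risk level from attack type labels, event levels, vulnerability levels and the
    weak-password count; the user is compromised when a threat targets a scanned vuln."""
    score = sum(LEVEL_WEIGHT[t["level"]] for t in threats)
    score += sum(LEVEL_WEIGHT[v["level"]] for v in vulns)
    score += 2 * weak_password_count
    known_vulns = {v["id"] for v in vulns}
    compromised = any(t["targets_vuln"] in known_vulns for t in threats if t["targets_vuln"])
    if compromised or score >= 8:
        level = "high"
    elif score >= 4:
        level = "medium"
    else:
        level = "low" if score else "none"
    return {"score": score, "level": level, "compromised": compromised,
            "labels": sorted({t["attack_type"] for t in threats})}


def build_profiles(events, vulns_by_user, weak_by_user):
    """Aggregate along the user dimension: one profile per user seen in any source."""
    threats = collect_threats(events)
    users = {t["user"] for t in threats} | set(vulns_by_user) | set(weak_by_user)
    return {u: score_user([t for t in threats if t["user"] == u],
                          vulns_by_user.get(u, []), weak_by_user.get(u, 0))
            for u in sorted(users)}


# Constructed sample data already enriched with the user name (see the online user list).
SAMPLE_EVENTS = [
    {"user": "alice", "ts": 1000, "type": "dns_query", "dga": True},
    {"user": "alice", "ts": 1100, "type": "smb_write", "server": "fs1"},
    {"user": "alice", "ts": 1200, "type": "smb_write", "server": "fs2"},
    {"user": "bob", "ts": 500, "type": "smb_write", "server": "fs1"},        # no DGA query: not a chain
    {"user": "bob", "ts": 900, "type": "threat_alert", "attack_type": "exploit_attempt",
     "level": "medium", "targets_vuln": "VULN-SAMPLE-1"},
    {"user": "carol", "ts": 2000, "type": "dns_query", "dga": True},
    {"user": "carol", "ts": 2700, "type": "smb_write", "server": "fs1"},     # outside the window
    {"user": None, "ts": 2800, "type": "smb_write", "server": "fs1"},        # unattributed IP
]
SAMPLE_VULNS = {"bob": [{"id": "VULN-SAMPLE-1", "level": "high"}],
                "carol": [{"id": "VULN-SAMPLE-2", "level": "low"}]}
SAMPLE_WEAK_PASSWORDS = {"alice": 1}


def sample_profiles():
    """Profiles for the constructed data: alice medium, bob high and compromised, carol low."""
    return build_profiles(SAMPLE_EVENTS, SAMPLE_VULNS, SAMPLE_WEAK_PASSWORDS)


if __name__ == "__main__":
    for user, profile in sample_profiles().items():
        print(user, profile)
```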

Optionally, the user risk profile generation device further includes: a first display module for displaying the list of risk users for whom network risk data exists and the user risk profile of each user object in that list; and/or a second display module for displaying each user object's network access status, the number of risk terminal devices held, the number of network attacks suffered and the categories of network attack.

It should be noted that after the user risk profile corresponding to the user object is generated, the list of risk users on the intranet can be displayed on a visualization page, sorted by risk level, showing each user's compromise status, the number of risk devices held, the number and categories of network attacks the user has suffered, and so on; alert information is sent to the relevant users in time to notify them to guard against network attacks.

The above user risk profile generation device may further include a processor and a memory. The receiving unit 30, determining unit 32, generating unit 34 and so on are all stored in the memory as program units, and the processor executes the program units stored in the memory to implement the corresponding functions.

The processor contains a kernel, which fetches the corresponding program units from the memory. One or more kernels may be provided; the user risk profile is generated by adjusting kernel parameters, and the network risk of the network assets is then evaluated.

According to another aspect of the embodiments of the present invention, an electronic device is also provided, including: a processor; and a memory for storing instructions executable by the processor; where the processor is configured to perform any one of the described user risk profile generation methods by executing the executable instructions.

According to another aspect of the embodiments of the present invention, a computer-readable storage medium is also provided, which includes a stored computer program; when the computer program runs, it controls the device on which the computer-readable storage medium resides to perform any one of the described user risk profile generation methods.

The present application also provides a computer program product which, when executed on a data processing device, is adapted to execute a program initialized with the following method steps: receiving a network event data set, where the data types in the network event data set include at least one of: traffic data, risk events and vulnerability information, and each piece of data in the network event data set is associated with an IP address; associating each piece of data with the user information in the online user list based on the IP address and determining the network risk data associated with each user object; and generating a user risk profile corresponding to the user object based on the risk behaviour labels corresponding to the network risk data.

Fig. 4 is a block diagram of the hardware structure of an electronic device (or mobile device) for a user risk profile generation method according to an embodiment of the present invention. As shown in Fig. 4, the electronic device may include one or more processors 402 (shown in the figure as 402a, 402b, ..., 402n; processor 402 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 404 for storing data. In addition, it may include a display, an input/output interface (I/O interface), a universal serial bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a keyboard, a power supply and/or a camera. Those of ordinary skill in the art will understand that the structure shown in Fig. 4 is only schematic and does not limit the structure of the above electronic device. For example, the electronic device may include more or fewer components than shown in Fig. 4, or have a configuration different from that shown in Fig. 4.

The serial numbers of the above embodiments of the present invention are for description only and do not indicate that one embodiment is better or worse than another.

In the above embodiments of the present invention, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, reference may be made to the relevant description of other embodiments.

In the several embodiments provided in this application, it should be understood that the disclosed technical content may be implemented in other ways. The device embodiments described above are only illustrative; for example, the division into units may be a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be realised through interfaces, and the indirect coupling or communication connection between units or modules may be electrical or of another form.

The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.

If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), removable hard disk, magnetic disk or optical disk.

The above is only a preferred embodiment of the present invention. It should be pointed out that those of ordinary skill in the art can make several improvements and refinements without departing from the principle of the present invention, and these improvements and refinements should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A method for generating a user risk portrait is applied to a situation awareness platform in a network security system, and comprises the following steps:
receiving a network event data set, wherein a data type in the network event data set comprises at least one of: flow data, risk events and vulnerability information, wherein each piece of data in the network event data set is associated with an IP address;
associating each piece of data with user information in an online user list based on the IP address, and determining network risk data associated with each user object, wherein the network risk data with different dimensions correspond to risk behavior tags;
and generating a user risk portrait corresponding to a user object based on the risk behavior tag corresponding to the network risk data, wherein the user risk portrait is used for evaluating the health state of the network asset of the user object.
2. The method of generating as claimed in claim 1, wherein the online user list is generated by:
receiving N authentication charging messages, wherein the authentication charging messages are flow messages generated by different user objects under a charging authentication internet scene through a remote network, and N is a positive integer greater than or equal to 1;
analyzing the authentication charging message to obtain an IP address, a user identifier, a physical address, a user state and a timestamp, wherein the user state comprises: online, offline and charging updating;
constructing the online user list based on the IP address, the user identification, the physical address, the user status and the timestamp;
and maintaining the user identification and the user state associated with different IP addresses in the online user list so as to update the user information in the online user list.
3. The method of generating as claimed in claim 1, further comprising, after receiving the set of network event data:
extracting the data characteristics of each piece of data in the network event data set;
screening out data of which the data characteristic indication accords with a network risk characteristic set to obtain a network risk data set;
and storing the network risk data set and the online user list to a distributed database.
4. The generation method according to claim 3, further comprising:
matching a network attack behavior mode by adopting an attack chain detection engine according to user information of a plurality of network event data, determining a complex threat event, and extracting event characteristics of the complex threat event;
adopting a flow detection engine to perform flow analysis and abnormal behavior analysis on the network flow of each user object, and determining flow risk characteristics and abnormal behavior characteristics;
and combining the event characteristics of the complex threat event, the traffic risk characteristics and the abnormal behavior characteristic set into the network risk characteristic set.
5. The method of generating as claimed in claim 3, after determining the cyber risk data associated with each user object by associating each data with user information in an online user list based on the IP address, comprising:
assigning a threat event attack type tag to the data of which the data characteristics are indicated as a complex threat event, and determining an event grade of the complex threat event;
assigning the data with the data characteristic indicated as vulnerability information to a vulnerability information grade;
assigning weak password identification to the data with the data characteristic indicating that the password quantity is lower than a preset quantity threshold;
and determining the network behavior risk level of the user object based on the threat event attack type label, the event level, the vulnerability information level and the weak password identification.
6. The method of generating as claimed in claim 3, after associating each piece of data with user information in an online user list based on the IP address, determining network risk data associated with each user object, comprising:
establishing an event association relation between each type of threat event generated by the user object using the terminal equipment and the scanned vulnerability information;
and under the condition that the event association relation indicates that the terminal equipment has a threat event aiming at the target vulnerability, marking the user object as a compromised user, and marking the terminal equipment as risk terminal equipment.
7. The method of generating as claimed in claim 1, after generating a user risk representation corresponding to the user object based on a risk behavior tag corresponding to the cyber risk data, comprising:
displaying a risk user list with the network risk data and a user risk portrait of each user object in the risk user list; and/or
and displaying the network access state, the number of held risk terminal devices, the number of network attacks and the network attack category of each user object.
8. A user risk portrait generation device is applied to a situation awareness platform in a network security system, and comprises:
a receiving unit, configured to receive a network event data set, where a data type in the network event data set includes at least one of: flow data, risk events and vulnerability information, wherein each piece of data in the network event data set is associated with an IP address;
the determining unit is used for associating each piece of data with user information in an online user list based on the IP address and determining network risk data associated with each user object, wherein the network risk data with different dimensions correspond to risk behavior tags;
and the generating unit is used for generating a user risk portrait corresponding to a user object based on the risk behavior tag corresponding to the network risk data, wherein the user risk portrait is used for evaluating the health state of the network asset of the user object.
9. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to execute the method of generating a user risk representation of any of claims 1-7 via execution of the executable instructions.
10. A computer-readable storage medium, comprising a stored computer program, wherein when the computer program runs, the computer-readable storage medium controls a device to execute the method for generating a user risk representation according to any one of claims 1 to 7.
CN202211557720.9A 2022-12-06 2022-12-06 Method and device for generating user risk profile, electronic device, storage medium Pending CN115883223A (en)
Publications (1)

Publication Number Publication Date
CN115883223A true CN115883223A (en) 2023-03-31

Family

ID=85766145

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211557720.9A Pending CN115883223A (en) 2022-12-06 2022-12-06 Method and device for generating user risk profile, electronic device, storage medium

Country Status (1)

Country Link
CN (1) CN115883223A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116095683A (en) * 2023-04-11 2023-05-09 微网优联科技(成都)有限公司 Network security protection method and device for wireless router
CN116647811A (en) * 2023-05-25 2023-08-25 深圳市安数科技有限责任公司 Image analysis method based on wireless gateway connection equipment characteristic factors
CN116866069A (en) * 2023-08-08 2023-10-10 四川企创未来科技服务有限责任公司 Network risk behavior recognition method based on big data
CN117034260A (en) * 2023-10-08 2023-11-10 深圳安天网络安全技术有限公司 Event judgment information generation method and device, medium and electronic equipment
CN118827239A (en) * 2024-09-18 2024-10-22 武汉博易讯信息科技有限公司 A user security portrait analysis method, device, medium and product

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107103548A (en) * 2011-11-17 2017-08-29 阿里巴巴集团控股有限公司 The monitoring method and system and risk monitoring and control method and system of network behavior data
US20180332064A1 (en) * 2016-02-25 2018-11-15 Sas Institute Inc. Cybersecurity system
CN110719291A (en) * 2019-10-16 2020-01-21 杭州安恒信息技术股份有限公司 A network threat identification method and identification system based on threat intelligence
CN111274227A (en) * 2020-01-20 2020-06-12 上海市大数据中心 Database auditing system and method based on cluster analysis and association rule
US20200351298A1 (en) * 2018-01-18 2020-11-05 Risksense, Inc. Complex Application Attack Quantification, Testing, Detection and Prevention
CN112751835A (en) * 2020-12-23 2021-05-04 石溪信息科技(上海)有限公司 Traffic early warning method, system, equipment and storage device
US20210306369A1 (en) * 2020-03-25 2021-09-30 Cleafy Società per Azioni Methods of monitoring and protecting access to online services

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107103548A (en) * 2011-11-17 2017-08-29 阿里巴巴集团控股有限公司 The monitoring method and system and risk monitoring and control method and system of network behavior data
US20180332064A1 (en) * 2016-02-25 2018-11-15 Sas Institute Inc. Cybersecurity system
US20200351298A1 (en) * 2018-01-18 2020-11-05 Risksense, Inc. Complex Application Attack Quantification, Testing, Detection and Prevention
CN110719291A (en) * 2019-10-16 2020-01-21 杭州安恒信息技术股份有限公司 A network threat identification method and identification system based on threat intelligence
CN111274227A (en) * 2020-01-20 2020-06-12 上海市大数据中心 Database auditing system and method based on cluster analysis and association rule
US20210306369A1 (en) * 2020-03-25 2021-09-30 Cleafy Società per Azioni Methods of monitoring and protecting access to online services
CN112751835A (en) * 2020-12-23 2021-05-04 石溪信息科技(上海)有限公司 Traffic early warning method, system, equipment and storage device

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116095683A (en) * 2023-04-11 2023-05-09 微网优联科技(成都)有限公司 Network security protection method and device for wireless router
CN116647811A (en) * 2023-05-25 2023-08-25 深圳市安数科技有限责任公司 Image analysis method based on wireless gateway connection equipment characteristic factors
CN116866069A (en) * 2023-08-08 2023-10-10 四川企创未来科技服务有限责任公司 Network risk behavior recognition method based on big data
CN116866069B (en) * 2023-08-08 2024-03-29 深圳市众志天成科技有限公司 Network risk behavior recognition method based on big data
CN117034260A (en) * 2023-10-08 2023-11-10 深圳安天网络安全技术有限公司 Event judgment information generation method and device, medium and electronic equipment
CN117034260B (en) * 2023-10-08 2024-01-26 深圳安天网络安全技术有限公司 Event judgment information generation method and device, medium and electronic equipment
CN118827239A (en) * 2024-09-18 2024-10-22 武汉博易讯信息科技有限公司 A user security portrait analysis method, device, medium and product

Similar Documents

Publication Publication Date Title
CN115883223A (en) Method and device for generating user risk profile, electronic device, storage medium
Protić Review of KDD Cup ‘99, NSL-KDD and Kyoto 2006+ datasets
US8819807B2 (en) Apparatus and method for analyzing and monitoring sap application traffic, and information protection system using the same
US9860278B2 (en) Log analyzing device, information processing method, and program
CN104509034B (en) Pattern merges to identify malicious act
CN103026345B Dynamic multidimensional patterns for event monitoring prioritization
CN110113350B (en) Internet of things system security threat monitoring and defense system and method
CN114598525A (en) IP automatic blocking method and device for network attack
CN105991587B (en) An intrusion detection method and system
CN107454109A (en) A network stealing behavior detection method based on HTTP traffic analysis
US9660833B2 (en) Application identification in records of network flows
CN106685984A (en) A network threat analysis system and method based on packet capture technology
US20110030059A1 (en) Method for testing the security posture of a system
CN116708253B (en) Equipment identification method, device, equipment and medium
CN106790062A An anomaly detection method and system based on aggregation of reverse DNS attributes
CN110460611A Full-traffic attack detection technique based on machine learning
CN108712369B (en) Multi-attribute constraint access control decision system and method for industrial control network
CN117938698A (en) Network asset visualization and real-time attack and defense system
EP3718284B1 (en) Extending encrypted traffic analytics with traffic flow data
CN110225009B (en) Proxy user detection method based on communication behavior portrait
KR101022167B1 (en) Log optimization device of intrusion detection system considering the vulnerability of network asset
CN117278245A (en) Data collection methods, devices and storage media for Internet simulation scenarios
CN112398803A (en) Internet of things system security threat monitoring and defense system and method
CN115866101A (en) Method, device, and medium for asset attribution identification with multi-protocol linkage between internal and external networks
CN114915442A (en) Advanced persistent threat attack detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination