
CN-120896719-B - Equal-protection evaluation method and system


Abstract

The application discloses an equal-protection evaluation method and system, which belong to the technical field of network security evaluation. The method specifically comprises the steps of collecting relevant data of a target system, preprocessing the collected data and constructing an initial vulnerability and system isolation attribute data set; establishing a virtualized isolation intensity quantization model based on vulnerability chain propagation, generating a multi-hop attack chain for attack, calculating a security isolation index of the target system from the propagation probability among nodes, and defining an isolation failure boundary and a redundancy protection coefficient; and constructing an isolation intensity quantitative evaluation model, performing adaptive evaluation with a machine learning algorithm, and generating a comprehensive evaluation report from the output of the machine learning algorithm.

Inventors

  • HU YANXIONG
  • SHEN SHIBO
  • YU BO
  • ZHAO XIAOYU
  • JIANG LINGYAN
  • GUO MIN
  • GUO BINGBING
  • WANG JIAN
  • NI CHEN
  • SHEN TING
  • LU LIN

Assignees

  • 浙江东安检测技术有限公司

Dates

Publication Date
20260508
Application Date
20250701

Claims (7)

  1. An equal-protection evaluation method, comprising: collecting relevant data of a target system, including the virtualized architecture, network topology, application deployment, vulnerability database and historical security event data, preprocessing the collected data, and constructing an initial vulnerability and system isolation attribute data set; establishing a virtualized isolation intensity quantization model based on vulnerability chain propagation, generating a multi-hop attack chain for attack, calculating a security isolation index of the target system by using the propagation probability among nodes, and at the same time defining an isolation failure boundary and a redundancy protection coefficient, wherein the multi-hop attack chain is generated by the virtualized isolation intensity quantization model of vulnerability chain propagation and multi-hop path splicing is performed on the generated attack chain; constructing an isolation intensity quantitative evaluation model, performing self-adaptive evaluation by using a machine learning algorithm, and generating a comprehensive evaluation report according to the output result of the machine learning algorithm; wherein establishing the virtualized isolation intensity quantization model based on vulnerability chain propagation, generating the multi-hop attack chain for attack, calculating the security isolation index of the target system by using the propagation probability among nodes, and defining the isolation failure boundary and the redundancy protection coefficient comprises the following steps: based on the vulnerability database and the security event log, analyzing the relation between container escape vulnerabilities and host vulnerabilities, and constructing a vulnerability association graph; analyzing the vulnerability association graph, generating a multi-hop attack chain, and verifying and attacking; calculating the security isolation index of the target system by using the propagation probability among nodes, and defining the isolation failure boundary and the redundancy protection coefficient; wherein analyzing the vulnerability association graph to generate the multi-hop attack chain, and verifying and attacking the multi-hop attack chain, comprises the following steps: starting from the container escape vulnerabilities, traversing the causal relations, privilege dependencies and propagation paths in the vulnerability association graph, and screening out key nodes including host kernel vulnerabilities and control plane component vulnerabilities; monitoring container processes that transmit sensitive data to the host machine, marking privileged operations as key nodes of the attack chain, simulating the control flow transfer of vulnerability exploitation, judging whether an attack path is reachable, analyzing the mechanism that triggers a host kernel vulnerability when an escape vulnerability occurs, and generating a variant payload aimed at the isolation boundary between container and host machine; generating an attack chain, and performing multi-hop path splicing on the generated attack chain; verifying the spliced attack chain and executing the attack; wherein generating the attack chain and performing multi-hop path splicing on the generated attack chain comprises the following steps: configuring a container environment and setting the host machine state; breaking through namespace isolation, obtaining ordinary user permission on the host machine, and analyzing the host machine resources accessible after escape; matching the privileges obtained by escape with host kernel vulnerabilities, simulating exploitation of the host kernel vulnerabilities to acquire root privileges, and analyzing the control capability over the host; testing whether the control plane vulnerability can take over cluster-level authority by utilizing the propagation path from the host to the control plane; and verifying the privilege dependencies and the propagation path, and verifying whether the network or file system channel of the container-host-control plane is open; if the verification succeeds, the multi-hop path splicing succeeds, otherwise the multi-hop path splicing fails.
  2. The method of claim 1, wherein analyzing the relationship between container escape vulnerabilities and host vulnerabilities based on the vulnerability database and the security event log, and constructing the vulnerability association graph, comprises: integrating CVE and CNVD vulnerabilities, and extracting metadata of container escape vulnerabilities, host kernel vulnerabilities and K8s control plane vulnerabilities; establishing edge relations among the vulnerabilities, including causal relations, privilege dependencies and propagation paths; and taking the vulnerability metadata as nodes, constructing the vulnerability association graph.
  3. The equal-protection evaluation method of claim 2, wherein the causal relations comprise: analyzing the preconditions of vulnerability triggering, and verifying the causal chain of vulnerability exploitation through static code analysis or dynamic debugging; identifying the position of the vulnerability in the attack chain; and analyzing the influence of successful exploitation of the vulnerability on the subsequent stages.
  4. The equal-protection evaluation method of claim 2, wherein the privilege dependencies comprise: constructing a three-level privilege model of container, host and control plane; identifying the privilege conditions of the exploit; and verifying the dependencies among the privilege conditions.
  5. The equal-protection evaluation method of claim 2, wherein the propagation paths comprise: identifying the communication channels between components of the target system; monitoring sensitive data transmission paths by using taint tracking; and determining the attack propagation mode by combining network configuration and service exposure.
  6. The method of claim 1, wherein constructing the isolation intensity quantitative evaluation model, performing adaptive evaluation using a machine learning algorithm, and generating a comprehensive evaluation report based on the output of the machine learning algorithm, comprises: extracting features from the preprocessed target system data, the features comprising the degree of spatial isolation, the degree of time delay, the degree of resource consumption and historical attack data; constructing the isolation intensity quantitative evaluation model with a machine learning algorithm, training it, and adaptively updating it with newly acquired data every hour; and inputting the features of the preprocessed target system data into the trained isolation intensity quantitative evaluation model, outputting the isolation intensity index and security level of the target system, and automatically generating a comprehensive evaluation report.
  7. An equal-protection evaluation system for implementing the equal-protection evaluation method of any one of claims 1-6, characterized by comprising a data processing module, an attack and quantization module and an evaluation module; the data processing module is used for collecting relevant data of a target system, including the virtualized architecture, network topology, application deployment, vulnerability database and historical security event data, preprocessing the collected data and constructing an initial vulnerability and system isolation attribute data set; the attack and quantization module is used for establishing a virtualized isolation intensity quantization model based on vulnerability chain propagation, generating a multi-hop attack chain for attack, calculating a security isolation index of the target system by using the propagation probability among nodes, and at the same time defining an isolation failure boundary and a redundancy protection coefficient, wherein the multi-hop attack chain is generated by the virtualized isolation intensity quantization model of vulnerability chain propagation and multi-hop path splicing is carried out on the generated attack chain; and the evaluation module is used for constructing an isolation intensity quantitative evaluation model, performing self-adaptive evaluation by using a machine learning algorithm, and generating a comprehensive evaluation report according to the output result of the machine learning algorithm.
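As an added illustration of the quantization step in claims 1 and 2 (example code written here, not the patent's own implementation, which the page does not give): a small vulnerability association graph on the claimed container-host-control plane privilege model, enumeration of multi-hop chains, chain propagation probability, screening of key nodes, and a security isolation index compared against an isolation failure boundary and adjusted by a redundancy protection coefficient. The node names, hop probabilities and the formulas for the index, the boundary and the redundancy coefficient are assumptions, since the page defines none of them.

```python
from collections import Counter

# Added illustration, not the patent's own code: node names, hop probabilities
# and the formulas for index, failure boundary and redundancy are assumptions.
# Vulnerability association graph: node -> [(next_node, edge_kind, p)], p being
# the assumed probability that the hop is traversable. Nodes follow the claimed
# container -> host -> control-plane privilege model. Constructed sample data.
VULN_GRAPH = {
    "container_escape_A": [("host_user_shell", "privilege", 0.6)],
    "container_escape_B": [("host_user_shell", "privilege", 0.3)],
    "host_user_shell": [("host_kernel_lpe", "causal", 0.5),
                        ("control_plane_api", "propagation", 0.1)],
    "host_kernel_lpe": [("control_plane_api", "propagation", 0.7)],
    "control_plane_api": [],
}
ENTRY_NODES = [n for n in VULN_GRAPH if n.startswith("container_escape")]
TARGET = "control_plane_api"

def attack_chains(graph, start, target, path=()):
    """Enumerate acyclic multi-hop chains (spliced paths) from start to target."""
    path = path + (start,)
    if start == target:
        return [path]
    return [c for nxt, _k, _p in graph.get(start, []) if nxt not in path
            for c in attack_chains(graph, nxt, target, path)]

def chain_probability(graph, chain, redundancy=0.0):
    """Chain propagation probability = product of hop probabilities; `redundancy`
    (assumed meaning of the coefficient) is the fraction each extra layer removes."""
    p = 1.0
    for a, b in zip(chain, chain[1:]):
        hop_p = next(pe for n, _k, pe in graph[a] if n == b)
        p *= hop_p * (1.0 - redundancy)
    return p

def key_nodes(chains):
    """Intermediate nodes ranked by how many chains pass through them."""
    return Counter(n for c in chains for n in c[1:-1]).most_common()

def isolation_index(graph, entries, target, redundancy=0.0, boundary=0.5):
    """Index = 1 - P(some chain succeeds), chains assumed independent; an index
    below the isolation failure boundary means the isolation level fails."""
    chains = [c for e in entries for c in attack_chains(graph, e, target)]
    p_none = 1.0
    for c in chains:
        p_none *= 1.0 - chain_probability(graph, c, redundancy)
    return p_none, ("FAIL" if p_none < boundary else "PASS"), chains
```

Raising the redundancy coefficient lowers every hop probability and therefore raises the index, which is how an assessor would see the effect of an extra protective layer on the same graph.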

Description

Equal-protection evaluation method and system

Technical Field

The invention belongs to the technical field of network security evaluation, and in particular relates to an equal-protection evaluation method and system.

Background

Information security level protection refers to the hierarchical implementation of security protection for information systems (network devices) that store, transmit and process important national information, the private information of legal persons, other organizations and citizens, and public information, and for the information security events occurring in those systems, together with the hierarchical response to and handling of the information security products used in them. Information security level protection evaluation (abbreviated as equal-protection evaluation) is the activity in which a level evaluation institution checks and evaluates the security level protection status of non-state-secret information systems according to the national information security level protection regulations and the related management and technical standards.

The traditional equal-protection evaluation method relies on manpower, has low efficiency, is heavily influenced by subjective judgement, requires a great deal of time and labour, and is difficult to adapt dynamically to new vulnerabilities and attack techniques. AI technology provides new methods for equal-protection evaluation in pattern recognition, automatic reasoning and big data analysis, but the cloud-native environment carries the risk of multi-tenant isolation failure, and static configuration alone cannot cope with dynamic attack chains such as container escape, host privilege escalation and control plane penetration.

The Chinese patent with authorization notice number CN113657849B discloses an equal-protection evaluation information processing method, device and system, wherein the method comprises the steps of acquiring triggered equal-protection evaluation item information and its corresponding target contact information, establishing a group contact object corresponding to the evaluation item information in an instant messaging tool, acquiring the element components contained in the evaluation item information, adding the element components as contact objects to the group of the group contact object to form group members, setting an associated contact for each group member, transmitting the component content of the element component corresponding to each group member to the associated contact for compliance evaluation, analyzing the compliance evaluation results of all components of the evaluation item information, generating an equal-protection evaluation report and transmitting it to the target contact. That invention simplifies the interaction process of equal-protection evaluation and improves its efficiency. The problems of the prior art are that it is difficult to adapt to environment changes and novel threats, that dynamic attack chains are insufficiently handled, and that the accuracy of equal-protection evaluation is low.

Disclosure of Invention

Aiming at the defects of the prior art, the invention provides an equal-protection evaluation method and system, which realize dynamic, quantitative and intelligent evaluation of the security protection capability of each isolation level in a virtualized environment by constructing a vulnerability association graph.

In order to achieve the above purpose, the present invention provides the following technical solution. An equal-protection evaluation method comprising: collecting relevant data of a target system; establishing a vulnerability association graph according to the collected target system data, generating a multi-hop attack chain based on the vulnerability association graph, and attacking the target system, wherein the attack chain is generated from the vulnerability association graph and multi-hop path splicing is performed on the generated attack chain, the multi-hop path splicing splicing hops according to the edge relationships among the vulnerabilities; and performing adaptive equal-protection evaluation by using a machine learning algorithm, and generating an equal-protection evaluation report according to the output of the adaptive equal-protection evaluation. Specifically, the step of establishing a vulnerability association graph according to the collected target system data, generating a multi-hop attack chain based on the vulnerability association graph, and attacking the target system includes: based on the collected target system data, analyzing the relation between container escape vulnerabilities and host vulnerabilities, and constructing a vulnerability association graph; analyzing the vulnerability association graph,