CN-122027274-A - Network security threat assessment method and system
Abstract
The invention relates to the technical field of network security assessment, in particular to a network security threat assessment method and system. The method comprises: analyzing the occurrence frequency of each vulnerability that occurs in a plurality of consecutive historical vulnerability detection periods and identifying low-frequency fluctuation vulnerabilities; extracting the occurrence scenes of the low-frequency fluctuation vulnerabilities in the plurality of historical vulnerability detection periods; carrying out risk analysis on each occurrence scene corresponding to the low-frequency fluctuation vulnerabilities and screening out low-frequency high-risk scenes; and making a resource reserve and allocation plan in advance according to the development trend and potential influence of the low-frequency high-risk scenes. This ensures sufficient resources for response as the network security threat keeps changing, avoids excessive dispersion of resources on low-risk scenes, and improves resource utilization efficiency. By reinforcing protection against low-frequency vulnerabilities, the safety of high-risk scenes such as production line start-stop and switching is guaranteed, and problems such as production stagnation and product quality degradation can be avoided.
Inventors
- QIAN JIANBO
- ZHANG HUI
- WU WEIMING
- WANG XIN
- ZHAO JIANGTAO
- LI ZIYUAN
Assignees
- 江苏电子信息职业学院
- 江苏沙盒科技有限公司
Dates
- Publication Date: 20260512
- Application Date: 20260205
Claims (10)
- 1. A method for evaluating a cyber security threat, comprising: analyzing the occurrence frequency of each occurring vulnerability in a plurality of consecutive historical vulnerability detection periods to identify low-frequency fluctuation vulnerabilities; respectively extracting occurrence scenes of the low-frequency fluctuation vulnerabilities in the plurality of historical vulnerability detection periods, performing risk analysis on each occurrence scene corresponding to the low-frequency fluctuation vulnerabilities, and screening out low-frequency vulnerability high-risk scenes; comparing the low-frequency vulnerability high-risk scenes corresponding to each low-frequency vulnerability, screening out low-leakage high-risk critical scenes, and exploring the coexistence rule of the low-frequency vulnerabilities under the low-leakage high-risk critical scene to obtain a coexistence rule exploration result, the coexistence rule exploration result comprising a coexistence fluctuation signal or a coexistence stable signal; and evaluating the threat repair time of the coexistence of the low-frequency vulnerabilities in the low-leakage high-risk critical scene according to the rule exploration result, and determining the coexistence threat repair time.
- 2. The cyber security threat assessment method of claim 1, wherein the process of analyzing the occurrence frequency of each occurring vulnerability is: equally dividing a historical vulnerability detection period into a plurality of historical vulnerability detection periods, selecting one vulnerability as a target vulnerability, and acquiring the occurrence frequency of the target vulnerability in the historical vulnerability detection period as a period vulnerability frequency; in the historical vulnerability detection period, carrying out average value calculation on the period vulnerability frequency in each historical vulnerability detection period to obtain the period vulnerability frequency; and carrying out average value calculation on all periodic vulnerability frequencies to obtain a vulnerability detection frequency average value.
- 3. The network security threat assessment method of claim 2, wherein the identifying process of the low-frequency fluctuation vulnerability is: in two consecutive historical vulnerability detection periods, selecting the period vulnerability frequencies corresponding to the target vulnerability in the same historical vulnerability detection period, and combining them as a vulnerability frequency group; substituting all vulnerability frequency groups into the Euclidean distance formula to obtain a target vulnerability frequency difference; performing average value calculation on all target vulnerability frequency differences to obtain a vulnerability frequency stable value; and calculating the ratio of the vulnerability detection frequency average value to the vulnerability frequency stable value to obtain a vulnerability frequency identification value, and marking the vulnerability as a low-frequency fluctuation vulnerability if the vulnerability frequency identification value is smaller than a vulnerability frequency identification threshold.
- 4. The network security threat assessment method of claim 1, wherein the screening process of the low-frequency vulnerability high-risk scene is: randomly selecting one occurrence scene as a target scene, acquiring the number of objects subjected to low-frequency fluctuation vulnerabilities under the target scene, and calculating the ratio of that number to the total number of all objects to obtain a risk sweep range value; acquiring the duration of the low-frequency fluctuation vulnerabilities under the target scene, and taking its ratio to the duration of a historical vulnerability detection period as a risk duration ratio; summing the risk sweep range value and the risk duration ratio to obtain a scene risk analysis value; and if the scene risk analysis value is larger than the scene risk analysis threshold, marking the target scene as a low-frequency vulnerability high-risk scene.
- 5. The cyber security threat assessment method of claim 1, wherein the screening process of the low-leakage high-risk critical scene is: arranging the low-frequency vulnerability high-risk scenes corresponding to each low-frequency vulnerability in descending order of their scene risk analysis values and integrating them into a low-leakage high-risk scene sequence; and randomly selecting two low-frequency vulnerabilities, carrying out overlap comparison on the low-frequency vulnerability high-risk scenes in their respective low-leakage high-risk scene sequences, and if the same low-frequency vulnerability high-risk scene exists in the low-leakage high-risk scene sequences of both low-frequency vulnerabilities, taking that scene as a low-frequency vulnerability high-risk overlapping scene.
- 6. The network security threat assessment method according to claim 5, wherein the process of exploring the low-frequency vulnerability coexistence rule in the low-leakage high-risk critical scene from the interval duration dimension is as follows: in the historical vulnerability detection period, extracting a historical vulnerability detection period of a low-frequency vulnerability coexistence low-leakage high-risk critical scene as a low-leakage coexistence high-risk period; in the historical vulnerability detection period, acquiring the interval duration between adjacent low-leakage coexistence high-risk periods, and calculating its ratio to the historical vulnerability detection period duration to obtain an adjacent coexistence interval ratio; carrying out average value calculation on all adjacent coexistence time interval ratios in the historical vulnerability detection period to obtain a period adjacent coexistence time interval average value; and carrying out standard deviation calculation on the period adjacent coexistence interval mean value corresponding to each historical vulnerability detection period to obtain an adjacent coexistence interval exploration value.
- 7. The network security threat assessment method of claim 6, wherein the process of exploring the low-frequency vulnerability coexistence rule in the low-leakage high-risk critical scene from the interval period dimension is as follows: in the historical vulnerability detection period, acquiring the number of historical vulnerability detection periods between adjacent low-leakage coexistence high-risk periods, and calculating its ratio to the number of all historical vulnerability detection periods to obtain an adjacent coexistence time-number ratio; carrying out average value calculation on all adjacent coexistence time-number ratios in the historical vulnerability detection period to obtain a period adjacent coexistence time-number average value; and carrying out standard deviation calculation on the period adjacent coexistence time-number average value corresponding to each historical vulnerability detection period to obtain an adjacent coexistence time-number exploration value.
- 8. The cyber security threat assessment method of claim 7, wherein the acquiring process of the rule exploration result is: summing the adjacent coexistence time interval exploration value and the adjacent coexistence time count exploration value to obtain a coexistence rule exploration value, and displaying the coexistence rule exploration value as a coexistence fluctuation signal if the coexistence rule exploration value is larger than a coexistence rule exploration threshold; and if the coexistence rule exploration value is smaller than or equal to the coexistence rule exploration threshold value, displaying the coexistence rule exploration value as a coexistence stable signal.
- 9. The cyber security threat assessment method of claim 8, wherein the coexistence threat repair time is obtained by: when the coexistence fluctuation signal is displayed, extracting the period adjacent coexistence time interval average value corresponding to each historical vulnerability detection period, and, following the time sequence of the historical vulnerability detection periods, taking the period adjacent coexistence time interval average values that are adjacent in the time dimension as a coexistence time interval analysis group, to obtain a plurality of coexistence time interval analysis groups; calculating the period adjacent coexistence time interval mean values in the plurality of coexistence time interval analysis groups by using a moving average method to obtain the coexistence threat repair time; and when the coexistence stable signal is displayed, extracting the period adjacent coexistence time interval average value corresponding to each historical vulnerability detection period, and carrying out average value calculation to obtain the coexistence threat repair time.
- 10. A cyber security threat assessment system applying the cyber security threat assessment method according to any of claims 1-9, comprising: the low-wave vulnerability identification module, used for analyzing the occurrence frequency of each vulnerability in a plurality of consecutive historical vulnerability detection periods to identify low-frequency fluctuation vulnerabilities; the low-leakage high-risk analysis module, used for respectively extracting occurrence scenes of the low-frequency fluctuation vulnerabilities in the plurality of historical vulnerability detection periods, carrying out risk analysis on each occurrence scene corresponding to the low-frequency fluctuation vulnerabilities, and screening out low-frequency vulnerability high-risk scenes; the high-risk coexistence exploration module, used for comparing the low-frequency vulnerability high-risk scenes corresponding to each low-frequency vulnerability, screening out low-leakage high-risk critical scenes, and exploring the low-frequency vulnerability coexistence rule under the low-leakage high-risk critical scene to obtain a coexistence rule exploration result; and the coexistence threat assessment module, used for assessing the threat repair time of the coexistence of the low-frequency vulnerabilities in the low-leakage high-risk critical scene according to the rule exploration result and determining the coexistence threat repair time.
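The calculations in claims 2 to 4, carried through on sample data as an added example that is not part of the patent text. It assumes each row of `freqs` is one detection cycle split into equal segments (the translation calls both "periods"); the thresholds, scene names and counts are constructed, since the page gives no values.

```python
import math

def identification_value(freqs):
    """freqs[c][s] = occurrences of one vulnerability in segment s of cycle c.
    Layout is an assumption: the claims call both cycles and segments 'periods'."""
    if len(freqs) < 2 or len({len(c) for c in freqs}) != 1:
        raise ValueError("need >= 2 cycles with the same number of segments")
    # Claim 2: mean frequency per cycle, then the mean over all cycles.
    cycle_means = [sum(c) / len(c) for c in freqs]
    detection_mean = sum(cycle_means) / len(cycle_means)
    # Claim 3: Euclidean distance between same-index segments of consecutive
    # cycles, averaged into the "vulnerability frequency stable value".
    diffs = [math.dist(a, b) for a, b in zip(freqs, freqs[1:])]
    stable_value = sum(diffs) / len(diffs)
    if stable_value == 0:
        return math.inf  # no fluctuation at all: can never fall below a threshold
    return detection_mean / stable_value

def is_low_frequency_fluctuation(freqs, threshold):
    return identification_value(freqs) < threshold

def scene_risk(affected, total_objects, duration, cycle_duration):
    # Claim 4: risk sweep range value + risk duration ratio.
    return affected / total_objects + duration / cycle_duration

def high_risk_scenes(scenes, threshold):
    return [n for n, args in scenes.items() if scene_risk(*args) > threshold]

# Constructed sample data and thresholds (not from the patent).
FREQ_THRESHOLD = 1.0
SCENE_THRESHOLD = 0.5
STEADY_COMMON = [[10, 10, 10, 10], [10, 11, 10, 10], [10, 10, 10, 11]]
RARE_BURSTY = [[0, 0, 3, 0], [0, 0, 0, 0], [4, 0, 0, 0]]
SCENES = {  # name: (affected objects, total objects, minutes present, cycle minutes)
    "line_switchover": (6, 20, 30, 120),
    "routine_operation": (1, 20, 6, 120),
}

if __name__ == "__main__":
    for name, f in (("steady_common", STEADY_COMMON), ("rare_bursty", RARE_BURSTY)):
        flagged = is_low_frequency_fluctuation(f, FREQ_THRESHOLD)
        print(name, round(identification_value(f), 3), flagged)
    print(high_risk_scenes(SCENES, SCENE_THRESHOLD))
```

A history with no variation at all makes the stable value zero, a case the claims do not address; the example treats it as never flagged rather than dividing by zero.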
Description
Network security threat assessment method and system
Technical Field
The invention relates to the technical field of network security assessment, in particular to a network security threat assessment method and system.
Background
In the current digital age, network technology is developing rapidly and being applied ever more widely, and business systems of all kinds depend increasingly on networks. However, the complexity and openness of the network environment also give rise to an endless stream of network security threats, which presents a significant challenge to personal, enterprise, and even regional information security. Network security threat assessment is a key link in guaranteeing network security. At present, the traditional network security threat assessment method mainly focuses on the detection, monitoring and analysis of common vulnerabilities, and evaluates security threats by counting indexes such as the frequency and severity of vulnerability occurrence. However, conventional approaches tend to ignore the potential hazard of low-frequency vulnerabilities. Low-frequency vulnerabilities are easily overlooked in conventional security monitoring because they occur rarely. In practice, however, these low-frequency vulnerabilities, once exploited, may cause serious security incidents, especially in certain business scenarios. For example, in an industrial control system, some low-frequency vulnerabilities may exist in the control logic of critical equipment. They are not easily found in ordinary operation, but once exploited by malicious attackers they may cause serious consequences such as production line shutdown and equipment damage, which affect the normal production and economic benefits of enterprises.
Moreover, because low-frequency vulnerabilities occur without apparent regularity, the traditional frequency-based evaluation method has difficulty predicting when and in which scenes they will occur, so security personnel cannot make precautionary preparations in advance and are often forced to respond passively to sudden security events. On the other hand, the conventional method does not sufficiently consider the risk differences between vulnerability occurrence scenes. Different business scenes differ in their sensitivity to, and requirements for, network security; the same vulnerability can cause different degrees of damage in different scenes; and when a plurality of low-frequency vulnerabilities coexist in the same scene, they can influence and interact with each other to generate more complex security threats. For example, when a low-frequency privilege-escalation vulnerability and a low-frequency data leakage vulnerability coexist, an attacker may first acquire higher system privileges by using the privilege-escalation vulnerability and then steal sensitive information by using the data leakage vulnerability, thereby causing more serious consequences. The traditional method does not explore the low-frequency vulnerability coexistence phenomenon in depth, cannot accurately grasp the rule and trend of vulnerability coexistence, and has difficulty producing a targeted security policy to cope with this complex security threat. Therefore, the invention provides a network security threat assessment method and system.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a network security threat assessment method and system, which are used for solving the technical problems in the prior art.
The technical scheme adopted for solving the technical problems is as follows: a method of cyber security threat assessment, comprising: analyzing the occurrence frequency of each occurring vulnerability in a plurality of consecutive historical vulnerability detection periods to identify low-frequency fluctuation vulnerabilities; respectively extracting occurrence scenes of the low-frequency fluctuation vulnerabilities in the plurality of historical vulnerability detection periods, performing risk analysis on each occurrence scene corresponding to the low-frequency fluctuation vulnerabilities, and screening out low-frequency vulnerability high-risk scenes; comparing the low-frequency vulnerability high-risk scenes corresponding to each low-frequency vulnerability, screening out low-leakage high-risk critical scenes, and exploring the coexistence rule of the low-frequency vulnerabilities under the low-leakage high-risk critical scene to obtain a coexistence rule exploration result, the coexistence rule exploration result comprising a coexistence fluctuation signal or a coexistence stable signal; and evaluating the threat repair time of the coexistence of the low-frequency vulnerabilities in the low-leakage high-risk critical scene according to the rule exploration result, and determining the coexistence threat repair time. In a further technical scheme of the invention, the process of analyzi