Risk detection method and device, computer device and storage medium

By generating and filtering initial detection data, the risk detection results of the monitoring platform are evaluated, which solves the problem that existing technologies cannot assess the traffic and security policy deployment of mirrored devices, and improves the accuracy and efficiency of risk assessment and monitoring of the monitoring platform.

CN116366462B · Active · Publication Date: 2026-06-16 · INDUSTRIAL AND COMMERCIAL BANK OF CHINA

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
INDUSTRIAL AND COMMERCIAL BANK OF CHINA
Filing Date
2022-12-14
Publication Date
2026-06-16


Abstract

The application relates to a risk detection method and device, computer equipment, a storage medium and a computer program product, and relates to the technical field of information security. The method comprises the following steps: generating initial detection data containing test traffic data according to a preset detection data generation strategy, and sending a detection instruction containing the initial detection data to a server; the detection instruction is used to instruct the server to send traffic data containing the initial detection data to a mirror device; the traffic data is used for the monitoring platform to obtain mirror data by mirroring the traffic data through the mirror device, and to determine to-be-screened data corresponding to the mirror data based on a preset processing strategy; in the to-be-screened data, target detection data corresponding to the test traffic data is screened; a risk detection result is determined according to the initial detection data and the target detection data; and the risk detection result is used to represent the monitoring risk of the monitoring platform. The scheme can evaluate the monitoring risk of the monitoring platform.

Description

Technical Field

[0001] This application relates to the field of information security technology, and in particular to a risk detection method, apparatus, computer equipment, and storage medium.

Background Technology

[0002] Currently, to monitor network traffic and promptly detect attacks, monitoring platforms are used to monitor server network traffic. Specifically, mirroring devices can mirror server network traffic in real time and send the mirrored network traffic to the monitoring platform. The security policies within the monitoring platform can then be triggered by the mirrored network traffic, generating alarm information and thus enabling server monitoring.

[0003] However, the monitoring platform cannot determine whether the mirroring device has mirrored all network traffic, nor can it know whether the security policies that have not been triggered in the monitoring platform have been successfully deployed, or whether any security policies have been missed. Therefore, the existing technology cannot assess the monitoring risks of a monitoring platform that detects based on mirrored network traffic and security policies during the monitoring process.

Summary of the Invention

[0004] Therefore, it is necessary to provide a risk detection method, apparatus, computer equipment, computer-readable storage medium, and computer program product that can assess the monitoring risks of a monitoring platform in response to the above-mentioned technical problems.

[0005] In a first aspect, this application provides a risk detection method. The method includes:

[0006] According to a preset detection data generation strategy, initial detection data containing test traffic data is generated, and a detection instruction containing the initial detection data is sent to the server. The detection instruction is used to instruct the server to send traffic data including the initial detection data to the mirroring device. The traffic data is used by the monitoring platform to mirror the traffic data through the mirroring device to obtain mirror data, and to determine the data to be filtered corresponding to the mirror data based on a preset processing strategy.

[0007] Among the data to be filtered, the target detection data corresponding to the test traffic data is filtered;

[0008] Based on the initial detection data and the target detection data, a risk detection result is determined; the risk detection result is used to characterize the monitoring risk of the monitoring platform.

[0009] In one embodiment, the test traffic data includes marker characters; the step of generating initial detection data containing the test traffic data according to a preset detection data generation strategy, and sending a detection instruction containing the initial detection data to the server includes:

[0010] Based on the marked character, generate initial detection data containing the marked character, and send a detection instruction containing the initial detection data to each server corresponding to a first server address in a preset first server address set;

[0011] The process of filtering the target detection data corresponding to the test traffic data from the data to be filtered includes:

[0012] In the data to be filtered, the data containing the marked characters is filtered to obtain the target detection data.

[0013] In one embodiment, determining the risk detection result based on the initial detection data and the target detection data includes:

[0014] Based on the source server address corresponding to the target detection data, a search is performed in the first server address corresponding to the initial detection data to obtain the deployed server address;

[0015] The first server address other than the already deployed server address is identified as a missing server address, and a risk detection result is generated based on the missing server address.

[0016] In one embodiment, the test traffic data includes preset security policy trigger data; the step of generating initial detection data containing the test traffic data according to a preset detection data generation strategy, and sending a detection instruction containing the initial detection data to the server includes:

[0017] Based on the preset security policy trigger data, initial detection data containing the preset security policy trigger data is generated, and a detection instruction containing the preset security policy trigger data is sent to each server corresponding to a second server address in a preset second server address set; the preset security policy trigger data is used to trigger the security policy in the monitoring platform to generate data to be filtered, including security policy response data.

[0018] The process of filtering the target detection data corresponding to the test traffic data from the data to be filtered includes:

[0019] From the data to be filtered, security policy response data corresponding to the preset security policy trigger data are filtered to obtain target detection data.

[0020] In one embodiment, determining the risk detection result based on the initial detection data and the target detection data includes:

[0021] Based on the target security trigger identifier contained in the target detection data, a search is performed in the preset security policy trigger data contained in the initial detection data to obtain the triggered security policy trigger data;

[0022] Preset security policy trigger data other than the already triggered security policy trigger data are identified as untriggered security policy trigger data;

[0023] The security policy category corresponding to the untriggered security policy trigger data is identified as the trigger failure policy category, and a risk detection result is generated based on the trigger failure policy category.

[0024] In one embodiment, the traffic data further includes business data, and the risk detection method further includes:

[0025] Use the data to be screened, excluding the target detection data, as reference data;

[0026] Based on the reference data, the security policy trigger data corresponding to the reference data is determined to obtain the reference trigger data;

[0027] Based on the reference trigger data and the preset security policy trigger data, new preset security policy trigger data is determined;

[0028] If the triggering conditions for the next risk detection are met, based on the new preset security policy trigger data, the process returns to the step of generating initial detection data containing the preset security policy trigger data.

[0029] In one embodiment, the step of returning to the execution of generating initial detection data containing the preset security policy trigger data based on the new preset security policy trigger data, upon reaching the trigger condition for the next risk detection, includes:

[0030] Upon reaching the next risk detection initiation time, based on the new preset security policy trigger data, return to the step of generating initial detection data containing the preset security policy trigger data; or

[0031] Upon reaching the next risk detection cycle, based on the new preset security policy trigger data, return to the step of generating initial detection data containing the preset security policy trigger data.

In one embodiment, if the target detection data corresponding to the test traffic data is not found in the data to be filtered, the risk detection method further includes:

[0032] If the test traffic data includes a test identifier, then the first server address corresponding to the initial detection data is identified as a missing server address, and a risk detection result is generated based on the missing server address;

[0033] If the test traffic data includes preset security policy trigger data, then the security policy category set corresponding to the preset security policy trigger dataset is identified as the trigger failure policy category set, and the risk detection result is generated based on the trigger failure policy category set.
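The summary above describes the evaluation that the monitoring risk assessment terminal performs on the data to be filtered: mirrored records containing the marker characters are matched against the first server address set to find missing server addresses; security policy response data is matched against the preset trigger data to find trigger-failure policy categories; when nothing matching is found, every address (or every category) is reported; and reference trigger data derived from business traffic is merged into the preset trigger data for the next round. The following Python model, added here as an illustration and not code from the patent or its assignee, implements those steps over constructed records. The record and trigger-data structures, the string marker, the sample addresses and category names, and the way reference trigger data is derived (security policy responses among the reference data that carry an identifier not already in the preset set) are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TriggerData:
    # Preset security policy trigger data (assumed structure): the identifier
    # echoed back in the monitoring platform's response and the policy category
    # that the trigger data exercises.
    trigger_id: str
    category: str


@dataclass(frozen=True)
class InitialDetectionData:
    # What the assessment terminal sent: marker characters for the mirroring
    # check, the first server address set they were sent to, and the preset
    # trigger data for the policy check.
    marker: str = ""
    first_server_addresses: frozenset = frozenset()
    trigger_data: frozenset = frozenset()


@dataclass(frozen=True)
class ScreenedRecord:
    # One record of data to be filtered, as obtained from the monitoring platform.
    # Mirror data carries the traffic payload; security policy response data
    # carries the identifier (and category) of the policy that fired.
    source_address: str
    payload: str = ""
    trigger_id: str = ""
    category: str = ""


def filter_marker_records(records, marker):
    """Target detection data for the mirroring check: mirror data containing the marker."""
    return [r for r in records if marker and marker in r.payload]


def filter_response_records(records, trigger_data):
    """Target detection data for the policy check: responses matching preset trigger data."""
    ids = {t.trigger_id for t in trigger_data}
    return [r for r in records if r.trigger_id and r.trigger_id in ids]


def missing_server_addresses(initial, target):
    """First server addresses with no mirrored marker record.

    Deployed addresses are those seen as source addresses in the target data;
    with no target data at all, every first server address is missing.
    """
    deployed = {r.source_address for r in target}
    return initial.first_server_addresses - deployed


def trigger_failure_categories(initial, target):
    """Categories of preset trigger data whose identifier never came back in a response."""
    triggered = {r.trigger_id for r in target}
    return {t.category for t in initial.trigger_data if t.trigger_id not in triggered}


def update_trigger_data(initial, records, target):
    """Assumed derivation of reference trigger data: records outside the target
    data are reference data; responses among them reveal policies fired by
    business traffic, and those are merged into the preset trigger data."""
    target_set = set(target)
    reference = [r for r in records if r not in target_set]
    reference_triggers = {TriggerData(r.trigger_id, r.category) for r in reference if r.trigger_id}
    return frozenset(initial.trigger_data) | reference_triggers


def risk_detection_result(initial, records):
    """Run both checks and prepare the trigger data for the next detection cycle."""
    marker_target = filter_marker_records(records, initial.marker)
    policy_target = filter_response_records(records, initial.trigger_data)
    return {
        "missing_server_addresses": sorted(missing_server_addresses(initial, marker_target)),
        "trigger_failure_categories": sorted(trigger_failure_categories(initial, policy_target)),
        "next_trigger_data": update_trigger_data(initial, records, marker_target + policy_target),
    }


# Constructed sample input: three monitored servers, three preset policy triggers.
SAMPLE_INITIAL = InitialDetectionData(
    marker="MRA-PROBE-7f3a",
    first_server_addresses=frozenset({"10.0.1.11", "10.0.1.12", "10.0.1.13"}),
    trigger_data=frozenset({
        TriggerData("trig-sqli-01", "sql_injection"),
        TriggerData("trig-xss-01", "cross_site_scripting"),
        TriggerData("trig-scan-01", "port_scan"),
    }),
)

# Constructed data to be filtered: 10.0.1.12's probe was never mirrored, the
# port_scan policy never answered, and business traffic fired one extra policy.
SAMPLE_RECORDS = [
    ScreenedRecord("10.0.1.11", payload="ICMP echo data=MRA-PROBE-7f3a"),
    ScreenedRecord("10.0.1.13", payload="ICMP echo data=MRA-PROBE-7f3a"),
    ScreenedRecord("10.0.1.11", trigger_id="trig-sqli-01", category="sql_injection"),
    ScreenedRecord("10.0.1.12", trigger_id="trig-xss-01", category="cross_site_scripting"),
    ScreenedRecord("10.0.2.50", payload="GET /api/orders HTTP/1.1"),
    ScreenedRecord("10.0.2.51", trigger_id="biz-bf-09", category="brute_force"),
]

if __name__ == "__main__":
    print(risk_detection_result(SAMPLE_INITIAL, SAMPLE_RECORDS))
    print(risk_detection_result(SAMPLE_INITIAL, []))
```

On the sample input the result names 10.0.1.12 as a missing server address and port_scan as a trigger-failure policy category, and the next round's trigger data gains the brute_force trigger observed in business traffic. Passing an empty record list exercises the not-found case: all three addresses and all three categories are reported.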

[0034] In a second aspect, this application also provides a risk detection system. The risk detection system includes a server, a mirroring device, a monitoring platform, and a risk detection terminal (the monitoring risk assessment terminal), wherein:

[0035] The monitoring risk assessment terminal is used to generate initial detection data containing test traffic data according to a preset detection data generation strategy, and send a detection instruction containing the initial detection data to the server.

[0036] The server is used to send traffic data, including the initial detection data, to the mirror device;

[0037] The mirroring device is used to mirror the traffic data, obtain mirrored data, and send the mirrored data to the monitoring platform;

[0038] The monitoring platform is used to determine the data to be filtered corresponding to the mirrored data based on a preset processing strategy;

[0039] The monitoring risk assessment terminal is also used to filter target detection data corresponding to the test traffic data from the data to be screened; determine the risk detection result based on the initial detection data and the target detection data; and the risk detection result is used to characterize the monitoring risk of the monitoring platform.

[0040] In one embodiment, the test traffic data includes marker characters; the monitoring risk assessment terminal is specifically used for:

[0041] Based on the marked character, generate initial detection data containing the marked character, and send a detection instruction containing the initial detection data to each server corresponding to a first server address in a preset first server address set;

[0042] In the data to be filtered, the data containing the marked characters is filtered to obtain the target detection data.

[0043] In one embodiment, the monitoring risk assessment terminal is specifically used for:

[0044] Based on the source server address corresponding to the target detection data, a search is performed in the first server address corresponding to the initial detection data to obtain the deployed server address;

[0045] The first server address other than the already deployed server address is identified as a missing server address, and a risk detection result is generated based on the missing server address.

[0046] In one embodiment, the monitoring risk assessment terminal is specifically used for:

[0047] Based on the preset security policy trigger data, initial detection data containing the preset security policy trigger data is generated, and a detection instruction containing the preset security policy trigger data is sent to each server corresponding to a second server address in a preset second server address set; the preset security policy trigger data is used to trigger the security policy in the monitoring platform to generate data to be filtered, including security policy response data.

[0048] From the data to be filtered, security policy response data corresponding to the preset security policy trigger data are filtered to obtain target detection data.

[0049] In one embodiment, the monitoring risk assessment terminal is specifically used for:

[0050] Based on the target security trigger identifier contained in the target detection data, a search is performed in the preset security policy trigger data contained in the initial detection data to obtain the triggered security policy trigger data;

[0051] Preset security policy trigger data other than the already triggered security policy trigger data are identified as untriggered security policy trigger data;

[0052] The security policy category corresponding to the untriggered security policy trigger data is identified as the trigger failure policy category, and a risk detection result is generated based on the trigger failure policy category.

[0053] In one embodiment, the traffic data further includes business data, and the monitoring risk assessment terminal is also used for:

[0054] Use the data to be screened, excluding the target detection data, as reference data;

[0055] Based on the reference data, the security policy trigger data corresponding to the reference data is determined to obtain the reference trigger data;

[0056] Based on the reference trigger data and the preset security policy trigger data, new preset security policy trigger data is determined;

[0057] If the triggering conditions for the next risk detection are met, based on the new preset security policy trigger data, the process returns to the step of generating initial detection data containing the preset security policy trigger data.

[0058] In one embodiment, the monitoring risk assessment terminal is specifically used for:

[0059] Upon reaching the next risk detection initiation time, based on the new preset security policy trigger data, return to the step of generating initial detection data containing the preset security policy trigger data; or

[0060] Upon reaching the next risk detection cycle, based on the new preset security policy trigger data, return to the step of generating initial detection data containing the preset security policy trigger data.

In one embodiment, if the target detection data corresponding to the test traffic data is not found in the data to be filtered, the monitoring risk assessment terminal is further configured to:

[0061] If the test traffic data includes a test identifier, then the first server address corresponding to the initial detection data is identified as a missing server address, and a risk detection result is generated based on the missing server address;

[0062] If the test traffic data includes preset security policy trigger data, then the security policy category set corresponding to the preset security policy trigger dataset is identified as the trigger failure policy category set, and the risk detection result is generated based on the trigger failure policy category set.

[0063] In a third aspect, this application also provides a risk detection device. The device includes:

[0064] The generation module is used to generate initial detection data containing test traffic data according to a preset detection data generation strategy, and send a detection instruction containing the initial detection data to the server. The detection instruction is used to instruct the server to send traffic data including the initial detection data to the mirroring device. The traffic data is used by the monitoring platform to mirror the traffic data through the mirroring device to obtain mirror data, and to determine the data to be filtered corresponding to the mirror data based on a preset processing strategy.

[0065] The filtering module is used to filter the target detection data corresponding to the test traffic data from the data to be filtered;

[0066] The first determining module is used to determine the risk detection result based on the initial detection data and the target detection data; the risk detection result is used to characterize the monitoring risk of the monitoring platform.

[0067] In one embodiment, the test traffic data includes marker characters; the generation module is specifically used for:

[0068] Based on the marked character, generate initial detection data containing the marked character, and send a detection instruction containing the initial detection data to each server corresponding to a first server address in a preset first server address set;

[0069] The filtering module is specifically used for:

[0070] In the data to be filtered, the data containing the marked characters is filtered to obtain the target detection data.

[0071] In one embodiment, the first determining module is specifically used for:

[0072] Based on the source server address corresponding to the target detection data, a search is performed in the first server address corresponding to the initial detection data to obtain the deployed server address;

[0073] The first server address other than the already deployed server address is identified as a missing server address, and a risk detection result is generated based on the missing server address.

[0074] In one embodiment, the test traffic data includes preset security policy trigger data; the generation module is specifically used for:

[0075] Based on the preset security policy trigger data, initial detection data containing the preset security policy trigger data is generated, and a detection instruction containing the preset security policy trigger data is sent to each server corresponding to a second server address in a preset second server address set; the preset security policy trigger data is used to trigger the security policy in the monitoring platform to generate data to be filtered, including security policy response data.

[0076] The filtering module is specifically used for:

[0077] From the data to be filtered, security policy response data corresponding to the preset security policy trigger data are filtered to obtain target detection data.

[0078] In one embodiment, the first determining module is specifically used for:

[0079] Based on the target security trigger identifier contained in the target detection data, a search is performed in the preset security policy trigger data contained in the initial detection data to obtain the triggered security policy trigger data;

[0080] Preset security policy trigger data other than the already triggered security policy trigger data are identified as untriggered security policy trigger data;

[0081] The security policy category corresponding to the untriggered security policy trigger data is identified as the trigger failure policy category, and a risk detection result is generated based on the trigger failure policy category.

[0082] In one embodiment, the traffic data further includes service data, and the risk detection device further includes:

[0083] The second determining module is used to use the data to be screened, other than the target detection data, as reference data;

[0084] The third determining module is used to determine the security policy triggering data corresponding to the reference data based on the reference data, and obtain the reference triggering data;

[0085] The fourth determining module is used to determine new preset security policy trigger data based on the reference trigger data and the preset security policy trigger data;

[0086] The update module is used to, upon reaching the triggering condition for the next risk detection, return to the step of generating initial detection data containing the preset security policy triggering data based on the new preset security policy triggering data.

[0087] In one embodiment, the update module is specifically used for:

[0088] Upon reaching the next risk detection initiation time, based on the new preset security policy trigger data, return to the step of generating initial detection data containing the preset security policy trigger data; or

[0089] Upon reaching the next risk detection cycle, based on the new preset security policy trigger data, return to the step of generating initial detection data containing the preset security policy trigger data.

In one embodiment, if the target detection data corresponding to the test traffic data is not found in the data to be filtered, the risk detection device further includes:

[0090] The first identification module is used to identify the first server address corresponding to the initial detection data as a missing server address if the test traffic data includes a test identifier, and generate a risk detection result based on the missing server address.

[0091] The second identification module is used to identify the security policy category set corresponding to the preset security policy trigger dataset as the trigger failure policy category set if the test traffic data includes preset security policy trigger data, and generate the risk detection result based on the trigger failure policy category set.

[0092] In a fourth aspect, this application also provides a computer device. The computer device includes a memory and a processor, the memory storing a computer program, and the processor executing the computer program to implement the steps described in the first aspect.

[0093] In a fifth aspect, this application also provides a computer-readable storage medium. The computer-readable storage medium stores a computer program thereon, which, when executed by a processor, implements the steps described in the first aspect.

[0094] In a sixth aspect, this application also provides a computer program product. The computer program product includes a computer program that, when executed by a processor, implements the steps described in the first aspect.

[0095] The aforementioned risk detection method, apparatus, computer equipment, storage medium, and computer program product generate initial detection data containing test traffic data according to a preset detection data generation strategy, and send a detection instruction containing the initial detection data to a server. The detection instruction instructs the server to send traffic data including the initial detection data to a mirror device. The traffic data is used by the monitoring platform to obtain mirrored data by mirroring the traffic data through the mirror device, and to determine the data to be filtered corresponding to the mirrored data based on a preset processing strategy. From the data to be filtered, target detection data corresponding to the test traffic data is selected. Based on the initial detection data and the target detection data, a risk detection result is determined. The risk detection result is used to characterize the monitoring risk of the monitoring platform. In the above scheme, target detection data can be obtained by filtering based on test traffic data, and the risk detection result can be determined based on the target detection data obtained from the monitoring platform and the initially sent detection data (i.e., the initial detection data), thereby assessing the monitoring risk of the monitoring platform in practical applications.

Description of the Attached Figures

[0096] Figure 1 is a diagram illustrating the application environment of a risk detection method in one embodiment;

[0097] Figure 2 is a flowchart illustrating a risk detection method in one embodiment;

[0098] Figure 3 is a schematic diagram of the ICMP protocol message format in one embodiment;

[0099] Figure 4 is a flowchart illustrating a method for determining risk detection results in one embodiment;

[0100] Figure 5 is a flowchart illustrating a method for determining risk detection results in another embodiment;

[0101] Figure 6 is a block diagram of a risk detection system in one embodiment;

[0102] Figure 7 is an internal structural diagram of a computer device in one embodiment.

Detailed Implementation

[0103] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.

[0104] The risk detection method provided in this application can be applied to servers, or to systems including terminals and servers. This application example illustrates the application of the method to a system including terminals and servers (i.e., a risk detection system). The risk detection system shown in Figure 1 includes a server 102, a mirror device 104, a monitoring platform 106, and a monitoring risk assessment terminal 108. The server 102 and mirror device 104 are electrically connected, the mirror device 104 and monitoring platform 106 are communicatively connected, and the monitoring risk assessment terminal 108 is communicatively connected to both the monitoring platform 106 and the server 102. The number of servers 102 is greater than or equal to two. The correspondence between mirror devices 104 and servers 102 can be one mirror device 104 corresponding to multiple servers 102. Each mirror device 104 includes a switch 112 with traffic probes 110 deployed. There is at least one mirror device 104, and the number of mirror devices 104 is a positive integer. The monitoring platform 106 monitors all mirror devices 104. In one embodiment, the monitoring risk assessment terminal 108 includes a detection parameter configuration unit 114, a detection data sending unit 116, a monitoring risk assessment unit 118, and a risk detection result display unit 120. The detection parameter configuration unit 114 is used to configure the detection parameters of the monitoring risk assessment terminal 108. The detection parameters include the target server address, the initial risk detection initiation time, and the detection data generation strategy. The detection data sending unit 116 generates initial detection data according to the preset detection data generation strategy and sends a detection command containing the initial detection data to the corresponding target server address at the corresponding initial risk detection initiation time. The monitoring risk assessment unit 118 acquires mirror data from the monitoring platform 106 and filters the target detection data corresponding to the test traffic data in the mirror data based on a preset processing strategy; it also obtains the risk detection result based on the initial detection data and the target detection data. The risk detection result display unit 120 displays the risk detection result.

[0105] The monitoring risk assessment terminal 108 generates initial detection data containing test traffic data according to a preset detection data generation strategy, and sends a detection instruction containing the initial detection data to the server 102. Optionally, the test traffic data may contain marker characters or preset security policy trigger data. The detection instruction instructs the server 102 to send traffic data including the initial detection data to the mirror device 104. In one embodiment, the initial detection data is an ICMP (Internet Control Message Protocol) message containing marker characters. In another embodiment, the initial detection data is HTTP request data containing preset security policy trigger data. The server 102 sends the traffic data containing the initial detection data to the mirror device 104. The mirror device 104 performs mirroring processing on the traffic data to obtain mirror data, and sends the mirror data to the monitoring platform 106. The traffic data is the data sent by the server 102 to the mirror device 104. The initial detection data is traffic data containing test traffic data. The mirror data is the data obtained after mirroring the traffic data. In other words, the mirrored data includes mirrored data containing initial detection data, where the mirrored data containing initial detection data is data obtained after mirroring the initial detection data. It can be understood that since one mirroring device 104 corresponds to multiple servers 102, the mirroring device 104 may receive traffic data sent from multiple servers 102 and mirror each traffic data separately to obtain multiple mirrored data. The monitoring platform 106 receives at least one mirrored data and, based on a preset processing strategy and the mirrored data, determines the data to be filtered corresponding to the mirrored data. Optionally, the data to be filtered can be mirrored data, or security policy response data obtained based on the mirrored data. The security policy response data is response data triggered by security policy trigger data. The security policy trigger data included in the mirrored data is obtained by mirroring traffic data containing security policy trigger data. The security policy trigger data in the initial detection data is preset security policy trigger data. In one embodiment, the initial detection data is an ICMP message containing a marker character. The monitoring platform 106 receives the mirrored data corresponding to the traffic data containing the ICMP message with the marker character and uses this mirrored data as the data to be filtered. In another embodiment, the initial detection data is HTTP request data containing preset security policy trigger data. The monitoring platform 106 receives mirror data corresponding to the traffic data including the HTTP request data containing the preset security policy trigger data, and generates security policy response data based on the security policy trigger data contained in the mirror data. The security policy response data includes security policy response data corresponding to the preset security policy trigger data. The monitoring platform 106 uses the security policy response data as the data to be screened.

[0106] The monitoring risk assessment terminal 108 acquires the data to be filtered from the monitoring platform 106 and filters the target detection data corresponding to the test traffic data. In one embodiment, the test traffic data contains marker characters, and the target detection data corresponding to the test traffic data is mirrored data containing the marker characters. In another embodiment, the test traffic data contains preset security policy trigger data, and the target detection data corresponding to the test traffic data is security policy response data containing the preset security policy trigger data. The monitoring risk assessment terminal 108 obtains the risk detection result based on the initial detection data and the target detection data. For the specific method of determining the risk detection result, please refer to steps 206, steps 402 to 404, and steps 502 to 504.
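The embodiment above carries the marker characters in the data field of an ICMP echo request, and the target detection data is the mirrored data in which that marker is found. The following Python code, added here as an illustration and not code from the patent or its assignee, builds such an echo request with a standard RFC 1071 checksum, parses and verifies mirrored copies, and returns the source addresses whose mirrored ICMP data carries the marker. The marker value, the identifier and sequence numbers, the sample addresses and the constructed mirror records (including one truncated fragment that the parser must reject) are all assumptions for the example; the patent's own message layout in Figure 3 is not reproduced here.

```python
import struct

ICMP_ECHO_REQUEST = 8  # ICMP type for echo request (RFC 792)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, zero-padded to even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_probe(identifier: int, sequence: int, marker: bytes) -> bytes:
    """ICMP echo request whose data field is the marker characters.

    Header: type(8), code(0), checksum, identifier, sequence; checksum is
    computed with the checksum field zeroed, then written back.
    """
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, identifier, sequence)
    checksum = icmp_checksum(header + marker)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, checksum, identifier, sequence) + marker


def parse_echo(message: bytes):
    """Return (type, identifier, sequence, data) if the message is well-formed
    and its checksum verifies (sum over the whole message folds to zero); else None."""
    if len(message) < 8 or icmp_checksum(message) != 0:
        return None
    mtype, _code, _cksum, identifier, sequence = struct.unpack("!BBHHH", message[:8])
    return mtype, identifier, sequence, message[8:]


def filter_marked_mirror_data(mirror_records, marker: bytes):
    """Target detection data for the marker check.

    mirror_records is a list of (source_address, icmp_bytes) as the monitoring
    platform would hand them over; only verified echo requests whose data field
    contains the marker count, and the set of their source addresses is returned.
    """
    found = set()
    for source_address, message in mirror_records:
        parsed = parse_echo(message)
        if parsed and parsed[0] == ICMP_ECHO_REQUEST and marker in parsed[3]:
            found.add(source_address)
    return found


# Constructed sample: marker sent to three servers; 10.0.1.12's probe never
# appears in the mirror data, 10.0.1.14 sends an unrelated ping, and one
# record is a truncated fragment that fails parsing.
MARKER = b"MRA-PROBE-7f3a"
FIRST_SERVER_ADDRESSES = {"10.0.1.11", "10.0.1.12", "10.0.1.13"}
SAMPLE_MIRROR_RECORDS = [
    ("10.0.1.11", build_echo_probe(0x4D52, 1, MARKER)),
    ("10.0.1.13", build_echo_probe(0x4D52, 1, MARKER)),
    ("10.0.1.14", build_echo_probe(0x0042, 7, b"ordinary ping payload")),
    ("10.0.1.13", b"\x08\x00\x12"),
]

if __name__ == "__main__":
    deployed = filter_marked_mirror_data(SAMPLE_MIRROR_RECORDS, MARKER)
    print("deployed:", sorted(deployed))
    print("missing:", sorted(FIRST_SERVER_ADDRESSES - deployed))
```

Verifying the checksum before matching the marker keeps a damaged or truncated mirrored copy from counting as evidence that a server's traffic is being mirrored; on the sample records the deployed set is 10.0.1.11 and 10.0.1.13, leaving 10.0.1.12 as the missing server address.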

[0107] In one embodiment, as shown in Figure 2, a risk detection method is provided. Taking its application to the risk detection system of Figure 1 as an example, the method includes the following steps:

[0108] Step 202: Generate initial detection data containing test traffic data according to the preset detection data generation strategy, and send a detection command containing the initial detection data to the server.

[0109] The detection command is used to instruct the server to send traffic data, including initial detection data, to the mirror device; the traffic data is used by the monitoring platform to obtain mirror data by mirroring traffic data through the mirror device, and to determine the data to be filtered corresponding to the mirror data based on the preset processing strategy.

[0110] In this embodiment, the monitoring risk assessment terminal 108 generates initial detection data containing test traffic data according to a preset detection data generation strategy. The detection data generation strategy includes the initial risk detection initiation time, the test traffic data, a target server address set, and the acquisition time of the data to be filtered. Optionally, the initial risk detection initiation time can be at least one detection initiation time. Optionally, the test traffic data can contain marker characters or preset security policy trigger data. The target server address set includes at least one target server address, and each target server address is the server address of a server to be monitored by the monitoring platform 106, for example the address of server 102 in the system of Figure 1. The set of target server addresses corresponding to test traffic data containing marker characters is the first server address set; the set of target server addresses corresponding to test traffic data containing preset security policy trigger data is the second server address set. The first server address set may be equal to or different from the second server address set. At the preset initial risk detection initiation time, the monitoring risk assessment terminal 108 sends the initial detection data to the server of each target server address in the target server address set. Server 102 sends the initial detection data to mirror device 104, which mirrors the initial detection data to obtain mirror data and sends the mirror data to monitoring platform 106. Monitoring platform 106 obtains the data to be filtered from the mirror data. Specifically, when the initial detection data contains marker characters, the data to be filtered is the mirror data; when the initial detection data contains preset security policy trigger data, the data to be filtered is security policy response data. Here, the security policy response data includes the security policy trigger data and the type of security policy triggered by that security policy trigger data.

[0111] Step 204: In the data to be filtered, filter the target detection data corresponding to the test traffic data.

[0112] In this embodiment, the monitoring risk assessment terminal 108 retrieves the data to be filtered from the monitoring platform 106 at a preset data acquisition time. This data acquisition time is determined from the initial risk detection initiation time: specifically, it is the sum of the initial risk detection initiation time and a reserved data transmission time, which is a preset constant. Optionally, the data acquisition time can be at least one data acquisition time or a data acquisition cycle. The monitoring risk assessment terminal 108 filters the target detection data corresponding to the test traffic data out of the data to be filtered. Specifically, if the test traffic data contains marker characters, the target detection data is the data to be filtered that contains the marker characters (for ease of distinction, the marker characters in the target detection data are called target marker characters). The monitoring risk assessment terminal 108 filters the data to be filtered by the marker characters and keeps the data containing them as the target detection data. If the test traffic data contains preset security policy trigger data, the target detection data is the data to be filtered that contains the preset security policy trigger data, and the monitoring risk assessment terminal 108 filters the data to be filtered by the preset security policy trigger data to obtain the target detection data. There is at least one item of preset security policy trigger data, and each item triggers one security policy. If there are multiple items of preset security policy trigger data, the monitoring risk assessment terminal 108 filters the data to be filtered by each item in turn to obtain the target detection data.

[0113] Step 206: Determine the risk detection results based on the initial detection data and the target detection data.

[0114] Among them, the risk detection results are used to characterize the monitoring risks of the monitoring platform.

[0115] In this embodiment, for each item of target detection data, the monitoring risk assessment terminal 108 obtains a risk detection result based on the initial detection data, the target detection data, and the detection strategy corresponding to the target detection data. Specifically, when the target detection data contains target marker characters, the corresponding detection strategy searches the first server address set for the source server address of the target detection data. When the target detection data contains preset security policy trigger data (for ease of distinction, the preset security policy trigger data present in the target detection data is referred to as the target security trigger identifier), the corresponding detection strategy searches the preset security policy trigger data for the target security trigger identifier. The risk detection result is generated from the results of these searches.

[0116] In the aforementioned risk detection method, target detection data can be obtained by filtering test traffic data, and the risk detection result can be determined based on the target detection data and the initial detection data. It can be understood that the initial detection data is the data initially sent, while the target detection data is the data subsequently obtained from the monitoring platform. Therefore, the risk detection result determined based on the initially sent data and the data subsequently obtained from the monitoring platform can be used to assess the monitoring risks of the monitoring platform in practical applications.

[0117] In one embodiment, the test traffic data includes marker characters; generating initial detection data containing the test traffic data according to a preset detection data generation strategy, and sending the initial detection data to the server includes:

[0118] Based on the marker character, generate initial detection data containing the marker character, and send the initial detection data to the server corresponding to each first server address in the preset first server address set.

[0119] The target detection data corresponding to the test traffic data in the data to be filtered includes:

[0120] In the data to be filtered, the data containing the marked characters is filtered to obtain the target detection data.

[0121] In this embodiment, the monitoring risk assessment terminal 108 generates initial detection data containing the marker character. In one embodiment, the initial detection data is an ICMP (Internet Control Message Protocol) message. Specifically, as shown in Figure 3, the ICMP protocol message includes a Type, a Code, a Checksum, an Identifier, a Sequence Number, and a data field (labelled "Special Date" in Figure 3). The monitoring risk assessment terminal 108 encapsulates the preset marker character in the data field of the ICMP protocol message, generating an ICMP protocol message containing the marker character. For example, the marker character could be 616161. The monitoring risk assessment terminal 108 sends the initial detection data containing the marker character to the server corresponding to each first server address in a preset first server address set. A first server address is the server address of a server to be monitored by the monitoring platform 106. Optionally, the first server address set may include the server addresses of all servers to be monitored by the monitoring platform 106, or only those of a portion of them. The monitoring risk assessment terminal 108 filters the data to be filtered by the marker character to obtain the target detection data. In one embodiment, the data to be filtered is the mirrored data; specifically, the monitoring risk assessment terminal 108 keeps the mirrored data containing the marker character as the target detection data.

[0122] In this embodiment, initial detection data containing the marker character is generated based on the marker character, and the initial detection data is sent to the server corresponding to the first server address. Target detection data is then obtained by filtering based on the marker character. This allows for rapid filtering of the target detection data from the data to be filtered, improving monitoring efficiency. Simultaneously, it enables accurate assessment of the monitoring risk posed by the monitoring platform 106 to a particular server.
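The marker-carrying ICMP probe of [0121] and the marker filter over mirrored copies, as an added example in Python (this is not code from the patent; the ICMP echo layout is the standard one, the marker 616161 is taken from the text and carrying it as the ASCII bytes b"616161" in the data field is an assumption, and the mirrored packets are constructed here). The filter also verifies the ICMP checksum so that a copy damaged in transit is not counted as a received probe:

```python
import socket
import struct

# Marker value 616161 from the text; carrying it as the ASCII bytes b"616161"
# in the ICMP data field is an assumption of this example.
MARKER = b"616161"


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement Internet checksum over the ICMP header plus data.
    Over a message whose checksum field is already correct it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(identifier: int, seq: int, data: bytes = MARKER) -> bytes:
    """Echo request (Type 8, Code 0): Type, Code, Checksum, Identifier,
    Sequence Number, then the data field holding the marker."""
    header = struct.pack("!BBHHH", 8, 0, 0, identifier, seq)
    csum = rfc1071_checksum(header + data)
    return struct.pack("!BBHHH", 8, 0, csum, identifier, seq) + data


def build_ipv4_icmp(src: str, dst: str, icmp: bytes) -> bytes:
    """Minimal IPv4 header (no options, protocol 1) in front of the ICMP
    message. The IP header checksum is left zero: the filter below reads
    only the protocol and source address fields from it."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp


def marker_sources(mirrored: list, marker: bytes = MARKER) -> set:
    """Filter mirrored packets for the marker and return the source server
    addresses that carried it. Copies whose ICMP checksum does not verify
    are dropped so that a damaged copy does not count as a probe."""
    found = set()
    for pkt in mirrored:
        if len(pkt) < 28 or pkt[9] != 1:        # too short, or not ICMP
            continue
        icmp = pkt[(pkt[0] & 0x0F) * 4:]
        if rfc1071_checksum(icmp) != 0:
            continue
        if marker in icmp[8:]:                  # data field starts after 8 header bytes
            found.add(socket.inet_ntoa(pkt[12:16]))
    return found


# Constructed mirror feed: two servers forward the probe, one server sends an
# ordinary echo without the marker, and one copy reaches the platform with a
# corrupted sequence-number byte.
_probe = build_icmp_echo(0x1234, 1)
_plain = build_icmp_echo(0x1234, 1, data=b"hello")
_damaged = bytearray(build_ipv4_icmp("10.0.0.4", "10.0.0.9", _probe))
_damaged[27] ^= 0x01                            # byte 27 = low byte of Sequence Number
SAMPLE_MIRROR = [
    build_ipv4_icmp("10.0.0.1", "10.0.0.9", _probe),
    build_ipv4_icmp("10.0.0.2", "10.0.0.9", _probe),
    build_ipv4_icmp("10.0.0.3", "10.0.0.9", _plain),
    bytes(_damaged),
]

if __name__ == "__main__":
    print(sorted(marker_sources(SAMPLE_MIRROR)))   # ['10.0.0.1', '10.0.0.2']
```

The source addresses this returns are what step 402 compares against the first server address set; the damaged copy from 10.0.0.4 is rejected rather than silently counted, which is the check a practitioner wants before declaring a server "deployed".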

[0123] In one embodiment, as shown in Figure 4, determining the risk detection result based on the initial detection data and the target detection data includes:

[0124] Step 402: Based on the source server address corresponding to the target detection data, search within the first server address corresponding to the initial detection data to obtain the deployed server address.

[0125] In this embodiment, for each target detection data, the monitoring risk assessment terminal 108 searches within the first server address corresponding to the initial detection data based on the source server address corresponding to the target detection data to obtain the deployed server address. The deployed server address is the first server address obtained by searching based on the source server address.

[0126] Step 404: Identify the first server address other than the deployed server address as the missing server address, and generate a risk detection result based on the missing server address.

[0127] In this embodiment, the monitoring risk assessment terminal 108 counts the deployed server addresses and identifies every first server address other than the deployed server addresses as a missing server address. A first server address is therefore either a deployed server address or a missing server address. For example, if the source server addresses corresponding to the target detection data are address 1 and address 2, and the first server address set contains address 1, address 2, and address 3, then the deployed server addresses are address 1 and address 2, and the missing server address is address 3. The monitoring risk assessment terminal 108 generates a risk detection result based on the missing server addresses. The risk detection result includes the missing server addresses. Optionally, the risk detection result may also include the detection initiation time, the acquisition time of the data to be filtered, and the number of missing server addresses. The monitoring risk assessment terminal 108 displays the risk detection result. It can be understood that a missing server address is the address of a server that the monitoring platform 106 is meant to monitor but from which no probe was detected.

[0128] In this embodiment, by determining the deployed server addresses and missing server addresses from the first server addresses based on the source server addresses corresponding to the target detection data, a risk detection result is generated based on the missing server addresses. Thus, the monitoring risk assessment terminal 108 can assess the monitoring risk of the monitoring platform 106 based on the risk detection result, checking whether the monitoring platform 106 has missed monitoring any servers.
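Steps 204 and 402 to 404 carried through on constructed data, as an added example in Python (not the patent's code). The record layout the monitoring platform exposes is an assumption, as is the lower bound of the acquisition window: the text fixes only the acquisition time as initiation time plus reserved transmission time, but a copy stamped before the probe was sent cannot be this round's probe. The same function also covers the case of [0155] where no target detection data is found at all, which makes every first server address missing:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MARKER = "616161"


@dataclass
class MirrorRecord:
    """One entry of the data to be filtered as the monitoring platform
    exposes it: when it was recorded, the source server address, and the
    decoded data field of the mirrored packet (field layout is an assumption)."""
    ts: datetime
    src: str
    data: str


@dataclass
class AddressRiskResult:
    detection_time: datetime
    acquisition_time: datetime
    deployed: set = field(default_factory=set)
    missing: set = field(default_factory=set)
    unexpected: set = field(default_factory=set)   # marker from an address outside the set

    @property
    def missing_count(self) -> int:
        return len(self.missing)


def select_target_detection(records, detection_time, reserved, marker=MARKER):
    """Step 204: data acquisition time = initiation time + reserved
    transmission time. Keep records acquired up to that time whose data field
    carries the marker. Discarding records stamped before the initiation time
    is an added check: a copy recorded before this round's probe was sent
    cannot be that probe."""
    acquisition_time = detection_time + reserved
    return [r for r in records
            if detection_time <= r.ts <= acquisition_time and marker in r.data]


def classify_addresses(first_addresses, targets, detection_time, reserved):
    """Steps 402-404: a first server address seen as the source of target
    detection data is deployed; every other first server address is missing.
    With no target detection data at all, every address is missing."""
    first = set(first_addresses)
    seen = {r.src for r in targets}
    result = AddressRiskResult(detection_time, detection_time + reserved)
    result.deployed = first & seen
    result.missing = first - seen
    result.unexpected = seen - first
    return result


# Constructed input: probes launched at T0, a 30 s reserved transmission time,
# three servers the platform should monitor.
T0 = datetime(2024, 1, 1, 2, 0, 0)
RESERVED = timedelta(seconds=30)
FIRST_SERVER_ADDRESSES = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
SAMPLE_RECORDS = [
    MirrorRecord(T0 + timedelta(seconds=5), "10.0.0.1", MARKER),
    MirrorRecord(T0 + timedelta(seconds=8), "10.0.0.2", MARKER),
    MirrorRecord(T0 + timedelta(seconds=9), "10.0.0.3", "hello"),     # business echo, no marker
    MirrorRecord(T0 - timedelta(minutes=10), "10.0.0.3", MARKER),     # last round's probe
    MirrorRecord(T0 + timedelta(seconds=12), "10.0.0.5", MARKER),     # not in the first set
]


def run_round(records=SAMPLE_RECORDS, first=FIRST_SERVER_ADDRESSES,
              detection_time=T0, reserved=RESERVED):
    targets = select_target_detection(records, detection_time, reserved)
    return classify_addresses(first, targets, detection_time, reserved)


if __name__ == "__main__":
    r = run_round()
    print("deployed", sorted(r.deployed), "missing", sorted(r.missing),
          "unexpected", sorted(r.unexpected))
```

Reporting `unexpected` separately is an addition: a marker arriving from an address outside the first server address set means either the address set is stale or something other than the assessment terminal is emitting the probe, and either way it should not be folded into the deployed count.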

[0129] In one embodiment, the test traffic data includes preset security policy trigger data; generating initial detection data containing the test traffic data according to a preset detection data generation strategy, and sending a detection instruction containing the initial detection data to the server includes:

[0130] Based on the preset security policy trigger data, generate initial detection data containing the preset security policy trigger data, and send detection instructions containing the preset security policy trigger data to each server corresponding to each second server address in the preset second server address set.

[0131] The target detection data corresponding to the test traffic data in the data to be filtered includes:

[0132] From the data to be filtered, the security policy response data corresponding to the preset security policy trigger data is filtered to obtain the target detection data.

[0133] Among them, the preset security policy trigger data is used to trigger the security policies in the monitoring platform to generate data to be filtered, including security policy response data.

[0134] In this embodiment, the monitoring risk assessment terminal 108 generates initial detection data containing preset security policy trigger data based on the preset security policy trigger data. There is at least one item of preset security policy trigger data, and each item triggers one specific security policy. If a security policy deployed on the monitoring platform 106 is triggered, the monitoring platform 106 generates security policy response data, which is used to raise an alarm indicating that a security policy in the monitoring platform 106 has been triggered. The security policy response data includes the security policy trigger data and the type of security policy triggered by it; the security policy trigger data includes the preset security policy trigger data. It can be understood that the security policy types in the security policy type set corresponding to the preset security policy trigger data set are the security policy types to be deployed by the monitoring platform 106. In one embodiment, the initial detection data is HTTP request data: the monitoring risk assessment terminal 108 writes at least one item of preset security policy trigger data into the HTTP request data, generating HTTP request data containing the preset security policy trigger data. The monitoring risk assessment terminal 108 sends the initial detection data to the server corresponding to each second server address in the preset second server address set. A second server address is the server address of a server to be monitored by the monitoring platform 106. Optionally, the second server address set may include the server addresses of all servers to be monitored by the monitoring platform 106, or it may include at least one deployed server address, determined in the same way as in step 402 above. The monitoring risk assessment terminal 108 filters the data to be filtered by the preset security policy trigger data to obtain the target detection data. In one embodiment, the data to be filtered is security policy response data; specifically, the monitoring risk assessment terminal 108 keeps the security policy response data matching the preset security policy trigger data as the target detection data.

[0135] In this embodiment, initial detection data containing preset security policy trigger data is generated based on the preset security policy trigger data, and the initial detection data is sent to the server corresponding to the second server address. Then, target detection data is obtained by filtering based on the preset security policy trigger data. In this way, target detection data can be quickly filtered from the data to be filtered, improving monitoring efficiency. At the same time, the monitoring risks of the security policies deployed in the monitoring platform 106 can be accurately assessed.

[0136] In one embodiment, as shown in Figure 5, determining the risk detection result based on the initial detection data and the target detection data includes:

[0137] Step 502: Based on the target security trigger identifier contained in the target detection data, search in the preset security policy trigger data contained in the initial detection data to obtain the triggered security policy trigger data.

[0138] In this embodiment, for each target security trigger identifier contained in the target detection data, the monitoring risk assessment terminal 108 searches within the preset security policy trigger data contained in the initial detection data based on each target security trigger identifier to obtain the triggered security policy trigger data. Here, the target security trigger identifier represents the trigger data of the target detection data. In one embodiment, the data to be filtered is security policy response data, and the target detection data is the security policy response data corresponding to the preset security policy trigger data. The triggered security policy trigger data is the preset security policy trigger data obtained based on the search of the target security trigger identifier.

[0139] Step 504: Identify the preset security policy trigger data other than the already triggered security policy trigger data as untriggered security policy trigger data.

[0140] In this embodiment, the monitoring risk assessment terminal 108 counts the triggered security policy trigger data and identifies every item of preset security policy trigger data other than the triggered security policy trigger data as untriggered security policy trigger data. An item of preset security policy trigger data is therefore either triggered or untriggered.

[0141] Step 506: Identify the security policy category corresponding to the untriggered security policy trigger data as the trigger failure policy category, and generate risk detection results based on the trigger failure policy category.

[0142] In this embodiment, the monitoring risk assessment terminal 108 identifies the security policy category corresponding to the untriggered security policy trigger data as a trigger failure policy category. Each item of security policy trigger data corresponds to one security policy, and the number of untriggered items is a non-negative integer. For example, if the untriggered security policy trigger data includes security policy trigger data 3, and the security policy triggered by security policy trigger data 3 is security policy 3, the monitoring risk assessment terminal 108 identifies security policy 3 as a trigger failure policy category. It can be understood that a trigger failure policy category is either a security policy deployed on the monitoring platform 106 that did not fire, or a security policy not deployed on the monitoring platform 106 at all. The monitoring risk assessment terminal 108 generates a risk detection result based on the trigger failure policy categories. The risk detection result includes the trigger failure policy categories; optionally, it may also include the detection initiation time, the second detection data acquisition time, and the number of trigger failure policy categories. The monitoring risk assessment terminal 108 displays the risk detection result.

[0143] In this embodiment, by searching the preset security policy trigger data for the target security trigger identifier contained in the target detection data, the triggered and untriggered security policy trigger data are determined, and a risk detection result is generated from the security policy category corresponding to the untriggered security policy trigger data. Thus, the monitoring risk assessment terminal 108 can assess the monitoring risk of the monitoring platform 106 based on the risk detection result, checking whether any security policy deployment on the monitoring platform 106 has failed or been omitted.

[0144] In one embodiment, traffic data also includes business data, and the risk detection method further includes:

[0145] Use the data to be screened, excluding the target detection data, as reference data; based on the reference data, determine the security policy trigger data corresponding to the reference data to obtain the reference trigger data; based on the reference trigger data and the preset security policy trigger data, determine the new preset security policy trigger data; if the triggering conditions for the next risk detection are met, based on the new preset security policy trigger data, return to the step of generating initial detection data containing the preset security policy trigger data according to the preset security policy trigger data.

[0146] The traffic data includes initial detection data and business data. Initial detection data is the traffic data sent from the monitoring risk assessment terminal 108 to the server 102, used to detect the monitoring risks of the monitoring platform 106. Business data is traffic data other than the initial detection data.

[0147] In this embodiment, when the target detection data is the security policy response data corresponding to the preset security policy trigger data, the monitoring risk assessment terminal 108 uses the data to be screened other than the target detection data as reference data; the data to be screened thus consists of target detection data and reference data. When the test traffic data contains preset security policy trigger data, the data to be screened is security policy response data, which includes the security policy response data corresponding to the preset security policy trigger data (i.e., the target detection data) and the security policy response data corresponding to the business data (i.e., the reference data). From the reference data, the monitoring risk assessment terminal 108 obtains the security policy trigger data corresponding to it and uses this as the reference trigger data. The monitoring risk assessment terminal 108 then takes the reference trigger data together with the original preset security policy trigger data as the new preset security policy trigger data. When the triggering condition for the next risk detection is met, the monitoring risk assessment terminal 108 returns, with the new preset security policy trigger data, to the step of generating initial detection data containing the preset security policy trigger data, and obtains a new risk detection result.

[0148] In this embodiment, the preset security policy trigger data is redefined based on reference data. The new preset security policy trigger data includes both the reference trigger data and the original preset security policy trigger data. Therefore, the preset security policy trigger data can be updated and supplemented in a timely manner, making risk detection based on the new preset security policy trigger data more comprehensive and the resulting risk detection results more reliable.
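Steps 502 to 506 together with the preset refresh of [0145] to [0148], run over two detection rounds on constructed data, as an added example in Python (not the patent's code). The trigger values, the policy type names and the response record layout are all constructed; placing the trigger data in the query string of one GET request is an assumption, since the text only says the trigger data is written into the HTTP request. The same function handles the case of [0155] where no target detection data is found, in which every policy category is a trigger failure:

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PolicyResponse:
    """One item of security policy response data: the trigger data the
    platform matched (the target security trigger identifier) and the type
    of security policy it triggered, the two fields the text names."""
    trigger: str
    policy_type: str


@dataclass
class PolicyRiskResult:
    triggered: set = field(default_factory=set)
    untriggered: set = field(default_factory=set)
    failed_categories: set = field(default_factory=set)     # trigger failure policy categories
    reference_triggers: dict = field(default_factory=dict)  # trigger -> policy type, from business data
    new_preset: dict = field(default_factory=dict)          # preset for the next round


def build_http_request(host: str, preset: dict) -> str:
    """Write every preset trigger into one HTTP request. Placing them as
    query parameters of a GET is an assumption; the text only says the
    trigger data is written into the request."""
    query = "&".join(f"p{i}={t}" for i, t in enumerate(sorted(preset)))
    return f"GET /probe?{query} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def detect_policies(preset: dict, responses: list) -> PolicyRiskResult:
    """Steps 502-506 followed by the refresh of the preset trigger set.
    preset maps each preset trigger to the policy category it should fire;
    responses is the data to be filtered (security policy response data)."""
    result = PolicyRiskResult()
    # Step 502: target detection data = responses whose trigger is a preset trigger.
    targets = [r for r in responses if r.trigger in preset]
    result.triggered = {r.trigger for r in targets}
    # Step 504: every preset trigger not seen in a response is untriggered.
    result.untriggered = set(preset) - result.triggered
    # Step 506: the categories of the untriggered triggers failed to fire.
    # With no target detection data at all this is the whole category set.
    result.failed_categories = {preset[t] for t in result.untriggered}
    # Reference data: responses raised by business traffic, not by the probe.
    for r in responses:
        if r.trigger not in preset:
            result.reference_triggers[r.trigger] = r.policy_type
    # New preset = original preset plus the reference trigger data.
    result.new_preset = {**preset, **result.reference_triggers}
    return result


# Constructed preset: three trigger values, each meant to fire one policy.
PRESET = {"probe-T1": "policy 1", "probe-T2": "policy 2", "probe-T3": "policy 3"}

# Constructed response data for the first round: T1 and T2 fired, T3 did not,
# and business traffic tripped a policy the preset does not know about.
ROUND1_RESPONSES = [
    PolicyResponse("probe-T1", "policy 1"),
    PolicyResponse("probe-T2", "policy 2"),
    PolicyResponse("biz-X", "policy 7"),
]


def run_two_rounds():
    """First round with PRESET, second round with the refreshed preset; the
    second-round responses are constructed so that every probe trigger,
    including the one learned from business traffic, fires."""
    first = detect_policies(PRESET, ROUND1_RESPONSES)
    round2_responses = [PolicyResponse(t, p) for t, p in first.new_preset.items()]
    second = detect_policies(first.new_preset, round2_responses)
    return first, second


if __name__ == "__main__":
    r1, r2 = run_two_rounds()
    print("round 1 failed:", sorted(r1.failed_categories))   # ['policy 3']
    print("round 1 reference:", r1.reference_triggers)        # {'biz-X': 'policy 7'}
    print("round 2 failed:", sorted(r2.failed_categories))   # []
    print(build_http_request("10.0.0.1", r1.new_preset).splitlines()[0])
```

Note that "policy 3" failing in round one cannot, from the response data alone, be told apart as "deployed but not matching" versus "never deployed", exactly as [0142] says; the refreshed preset only widens what the next round probes for, it does not resolve that ambiguity.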

[0149] In one embodiment, upon meeting the triggering condition for the next risk detection, the step of returning to the execution of generating initial detection data containing the preset security policy triggering data based on the new preset security policy triggering data includes:

[0150] Upon reaching the next risk detection initiation time, based on the new preset security policy trigger data, the process returns to the step of generating initial detection data containing the preset security policy trigger data; or, upon reaching the next risk detection cycle, based on the new preset security policy trigger data, the process returns to the step of generating initial detection data containing the preset security policy trigger data. Here, the triggering condition for risk detection is either the risk detection initiation time or the risk detection cycle.

[0151] In this embodiment, upon reaching the next risk detection initiation time, the monitoring risk assessment terminal 108, based on new preset security policy trigger data, returns to the step of generating initial detection data containing the preset security policy trigger data, thereby obtaining a new risk detection result. Here, the risk detection initiation time is an element of a preset set of risk detection initiation times. The earliest risk detection initiation time in the set is the initial risk detection initiation time. The risk detection initiation time can be preset based on human experience.

[0152] Alternatively, upon reaching the next risk detection cycle, the monitoring risk assessment terminal 108, based on the new preset security policy trigger data, returns to the step of generating initial detection data containing the preset security policy trigger data, thus obtaining a new risk detection result. Here, the risk detection cycle is a preset duration. Reaching the next risk detection cycle means that the current time equals the initial risk detection initiation time plus N risk detection cycles, where N is a positive integer.

[0153] In this embodiment, the triggering condition for risk detection can be either a risk detection initiation time or a risk detection cycle. Therefore, instead of manually timed detection, risk detection is performed automatically whenever the triggering condition is met, improving detection efficiency.

[0154] In one embodiment, if no target detection data corresponding to the test traffic data is found in the data to be filtered, the risk detection method further includes:

[0155] If the test traffic data includes a test identifier (the marker character), every first server address corresponding to the initial detection data is identified as a missing server address, and a risk detection result is generated based on the missing server addresses. If the test traffic data includes preset security policy trigger data, the security policy category set corresponding to the preset security policy trigger data set is identified as the trigger failure policy category set, and a risk detection result is generated based on the trigger failure policy category set.

[0156] In this embodiment, if the monitoring risk assessment terminal 108 cannot find any target detection data corresponding to the test traffic data in the data to be screened, and the test traffic data includes a test identifier, the monitoring risk assessment terminal 108 identifies every first server address corresponding to the initial detection data as a missing server address and generates a risk detection result based on the missing server addresses. The first server addresses corresponding to the initial detection data form the first server address set, and the missing server addresses form the missing server address set; in this case the whole first server address set becomes the missing server address set, and the risk detection result is generated from it. If no target detection data can be found and the test traffic data includes preset security policy trigger data, the monitoring risk assessment terminal 108 identifies the security policy category set corresponding to the preset security policy trigger data set as the trigger failure policy category set and generates the risk detection result based on that set.

[0157] In this embodiment, when no target detection data corresponding to the test traffic data can be found in the data to be filtered, a risk detection result is generated based on the missing server address or the triggered failure policy category. In this way, the monitoring risk assessment terminal 108 can assess the monitoring risk of the monitoring platform 106 based on the risk detection result, to see if the monitoring platform 106 has missed monitoring servers, or if there are any security policies that have failed to be deployed, or if there are any security policies that have been omitted from deployment.

[0158] It should be understood that although the steps in the flowcharts of the above embodiments are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the above embodiments may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages of other steps.

[0159] Based on the same inventive concept, this application also provides a risk detection system for implementing the risk detection method described above. The solution provided by this system is similar to the implementation scheme described in the above method; therefore, the specific limitations in one or more risk detection system embodiments provided below can be found in the limitations of the risk detection method described above, and will not be repeated here.

[0160] In one embodiment, as shown in Figure 1, a risk detection system is provided, which includes a server, a mirroring device, a monitoring platform, and a monitoring risk assessment terminal, wherein:

[0161] The monitoring risk assessment terminal 108 is used to generate initial detection data containing test traffic data according to a preset detection data generation strategy, and send a detection command containing the initial detection data to the server.

[0162] Server 102 is used to send traffic data, including initial detection data, to the mirror device;

[0163] Mirroring device 104 is used to mirror traffic data, obtain mirrored data, and send the mirrored data to the monitoring platform;

[0164] Monitoring platform 106 is used to determine the data to be filtered corresponding to the mirrored data based on a preset processing strategy;

[0165] The monitoring risk assessment terminal 108 is also used to filter the target detection data corresponding to the test traffic data out of the data to be filtered, and to determine the risk detection result based on the initial detection data and the target detection data; the risk detection result is used to characterize the monitoring risk of the monitoring platform 106.

[0166] In one embodiment, the test traffic data includes marker characters; the monitoring risk assessment terminal 108 is specifically used for:

[0167] Based on the marker characters, generate initial detection data containing the marker characters, and send a detection instruction containing the initial detection data to the server 102 corresponding to each first server address in the preset first server address set;

[0168] In the data to be filtered, the data containing the marker characters is screened to obtain the target detection data.

[0169] In one embodiment, the monitoring risk assessment terminal 108 is specifically used for:

[0170] Based on the source server address corresponding to the target detection data, a search is performed among the first server addresses corresponding to the initial detection data to obtain the deployed server addresses;

[0171] The first server addresses other than the deployed server addresses are identified as missing server addresses, and a risk detection result is generated based on the missing server addresses.

[0172] In one embodiment, the monitoring risk assessment terminal 108 is specifically used for:

[0173] Based on the preset security policy trigger data, initial detection data containing the preset security policy trigger data is generated, and a detection instruction containing the preset security policy trigger data is sent to the server 102 corresponding to each second server address in the preset second server address set; the preset security policy trigger data is used to trigger the security policies in the monitoring platform 106, so that the data to be filtered that it generates includes security policy response data.

[0174] From the data to be filtered, the security policy response data corresponding to the preset security policy trigger data is filtered to obtain the target detection data.

[0175] In one embodiment, the monitoring risk assessment terminal 108 is specifically used for:

[0176] Based on the target security trigger identifier contained in the target detection data, search in the preset security policy trigger data contained in the initial detection data to obtain the triggered security policy trigger data;

[0177] Preset security policy trigger data other than the triggered security policy trigger data is identified as untriggered security policy trigger data.

[0178] The security policy category corresponding to the untriggered security policy trigger data is identified as the trigger failure policy category, and a risk detection result is generated based on the trigger failure policy category.

[0179] In one embodiment, the traffic data also includes business data, and the monitoring risk assessment terminal 108 is further used for:

[0180] Use the data to be screened, excluding the target detection data, as reference data;

[0181] Based on the reference data, determine the security policy trigger data corresponding to the reference data to obtain the reference trigger data;

[0182] Based on the reference trigger data and the preset security policy trigger data, determine the new preset security policy trigger data;

[0183] If the triggering conditions for the next risk detection are met, the process returns to the step of generating initial detection data containing the preset security policy triggering data, based on the new preset security policy triggering data.

[0184] In one embodiment, the monitoring risk assessment terminal 108 is specifically used for:

[0185] Upon reaching the next risk detection initiation time, based on the new preset security policy trigger data, return to the step of generating initial detection data containing the preset security policy trigger data; or

[0186] Upon reaching the next risk detection cycle, based on the new preset security policy trigger data, return to the step of generating initial detection data containing the preset security policy trigger data.

In one embodiment, if no target detection data corresponding to the test traffic data is found in the data to be filtered, the monitoring risk assessment terminal 108 is further configured to:

[0187] If the test traffic data includes a test identifier, the first server address corresponding to the initial detection data will be identified as a missing server address, and a risk detection result will be generated based on the missing server address.

[0188] If the test traffic data includes data triggered by a preset security policy, the security policy category set corresponding to the preset security policy trigger dataset will be identified as the trigger failure policy category set, and a risk detection result will be generated based on the trigger failure policy category set.

[0189] Based on the same inventive concept, this application also provides a risk detection device for implementing the risk detection method described above. The solution provided by this device is similar to the solution described in the above method; therefore, the specific limitations in one or more risk detection device embodiments provided below can be found in the limitations of the risk detection method described above, and will not be repeated here.

[0190] In one embodiment, as shown in Figure 6, a risk detection device is provided, the device comprising:

[0191] The generation module 602 is used to generate initial detection data containing test traffic data according to a preset detection data generation strategy, and send a detection instruction containing the initial detection data to the server 102. The detection instruction is used to instruct the server 102 to send traffic data containing the initial detection data to the mirror device 104. The traffic data is used by the monitoring platform 106 to obtain mirror data by mirroring the traffic data through the mirror device 104, and to determine the data to be filtered corresponding to the mirror data based on a preset processing strategy.

[0192] The filtering module 604 is used to filter the target detection data corresponding to the test traffic data from the data to be filtered;

[0193] The first determining module 606 is used to determine the risk detection result based on the initial detection data and the target detection data; the risk detection result is used to characterize the monitoring risk of the monitoring platform 106.

[0194] In one embodiment, the test traffic data includes marker characters; the generation module 602 is specifically used for:

[0195] Based on the marker characters, generate initial detection data containing the marker characters, and send a detection instruction containing the initial detection data to the server 102 corresponding to each first server address in the preset first server address set;

[0196] Filtering module 604 is specifically used for:

[0197] In the data to be filtered, the data containing the marker characters is screened to obtain the target detection data.

[0198] In one embodiment, the first determining module 606 is specifically used for:

[0199] Based on the source server address corresponding to the target detection data, a search is performed among the first server addresses corresponding to the initial detection data to obtain the deployed server addresses;

[0200] The first server addresses other than the deployed server addresses are identified as missing server addresses, and a risk detection result is generated based on the missing server addresses.

[0201] In one embodiment, the test traffic data includes preset security policy trigger data; the generation module 602 is specifically used for:

[0202] Based on the preset security policy trigger data, initial detection data containing the preset security policy trigger data is generated, and a detection instruction containing the preset security policy trigger data is sent to the server 102 corresponding to each second server address in the preset second server address set; the preset security policy trigger data is used to trigger the security policies in the monitoring platform 106, so that the data to be filtered that it generates includes security policy response data.

[0203] Filtering module 604 is specifically used for:

[0204] From the data to be filtered, the security policy response data corresponding to the preset security policy trigger data is filtered to obtain the target detection data.

[0205] In one embodiment, the first determining module 606 is specifically used for:

[0206] Based on the target security trigger identifier contained in the target detection data, search in the preset security policy trigger data contained in the initial detection data to obtain the triggered security policy trigger data;

[0207] Preset security policy trigger data other than the triggered security policy trigger data is identified as untriggered security policy trigger data.

[0208] The security policy category corresponding to the untriggered security policy trigger data is identified as the trigger failure policy category, and a risk detection result is generated based on the trigger failure policy category.

[0209] In one embodiment, the traffic data also includes business data, and the risk detection device further includes:

[0210] The second determining module is used to use the data to be screened, excluding the target detection data, as reference data;

[0211] The third determination module is used to determine the security policy trigger data corresponding to the reference data based on the reference data, and obtain the reference trigger data;

[0212] The fourth determination module is used to determine new preset security policy trigger data based on reference trigger data and preset security policy trigger data.

[0213] The update module is used to, upon meeting the triggering conditions for the next risk detection, return to the step of generating initial detection data containing the preset security policy triggering data based on the new preset security policy triggering data.

[0214] In one embodiment, the update module is specifically used for:

[0215] Upon reaching the next risk detection initiation time, based on the new preset security policy trigger data, return to the step of generating initial detection data containing the preset security policy trigger data; or

[0216] Upon reaching the next risk detection cycle, based on the new preset security policy trigger data, return to the step of generating initial detection data containing the preset security policy trigger data.

In one embodiment, if no target detection data corresponding to the test traffic data is found in the data to be filtered, the risk detection device further includes:

[0217] The first identification module is used to identify the first server address corresponding to the initial detection data as a missing server address if the test traffic data includes a test identifier, and generate a risk detection result based on the missing server address.

[0218] The second identification module is used to identify the security policy category set corresponding to the preset security policy trigger dataset as the trigger failure policy category set if the test traffic data includes preset security policy trigger data, and generate risk detection results based on the trigger failure policy category set.
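The system embodiment ([0160]-[0188]) and the device embodiment ([0190]-[0218]) describe the same procedure; the following added example, which is not the patent's or the assignee's code, carries it through in Python over constructed mirrored records. The record layout, the marker string, the addresses and the trigger identifiers are all assumptions, as is the set union used as the update rule in `update_trigger_data`.

```python
# Added worked example, not code from the patent or its assignee: the risk-detection
# logic of the system embodiment ([0160]-[0188]) and device embodiment ([0190]-[0218]),
# run over constructed mirrored records. Record layout is assumed (the patent fixes
# none): each record is a dict with "src" (source server address), "kind" and
# "payload"; a security policy response also carries "trigger_id" (the target
# security trigger identifier) and "category" (the policy category reported).
from dataclasses import dataclass

MARKER = "RISKPROBE-7f3a"  # constructed marker characters

@dataclass(frozen=True)
class InitialDetectionData:
    marker: str
    first_server_addresses: frozenset  # probed with the marker characters
    second_server_addresses: frozenset  # probed with the policy trigger data
    trigger_data: dict  # preset security policy trigger data: trigger id -> policy category

def generate_initial_detection_data(first_addrs, second_addrs, trigger_data, marker=MARKER):
    """Preset detection data generation strategy: bundle the marker with the trigger set."""
    return InitialDetectionData(marker, frozenset(first_addrs), frozenset(second_addrs), dict(trigger_data))

def detection_instructions(init):
    """One detection instruction per server and payload; the server forwards it to the mirror device."""
    msgs = [{"server": a, "payload": init.marker} for a in sorted(init.first_server_addresses)]
    for a in sorted(init.second_server_addresses):
        msgs += [{"server": a, "payload": tid} for tid in sorted(init.trigger_data)]
    return msgs

def screen_target_detection_data(to_be_screened, init):
    """Screen the mirrored data: records carrying the marker, and policy responses to preset triggers."""
    marker_hits = [r for r in to_be_screened if init.marker in r.get("payload", "")]
    policy_hits = [r for r in to_be_screened
                   if r.get("kind") == "policy_response" and r.get("trigger_id") in init.trigger_data]
    return marker_hits, policy_hits

def risk_detection_result(init, marker_hits, policy_hits):
    """Missing server addresses and trigger-failure policy categories.

    Both are set differences, so the no-target-found case of [0186]-[0188] needs no
    special branch: no marker hits -> every first server address is missing; no policy
    hits -> every preset policy category is a trigger failure."""
    deployed = {r["src"] for r in marker_hits} & init.first_server_addresses
    missing = init.first_server_addresses - deployed
    triggered = {r["trigger_id"] for r in policy_hits}
    untriggered = set(init.trigger_data) - triggered
    failed = {init.trigger_data[t] for t in untriggered}
    return {"missing_server_addresses": sorted(missing),
            "trigger_failure_policy_categories": sorted(failed)}

def update_trigger_data(to_be_screened, marker_hits, policy_hits, init):
    """Feedback step of [0179]-[0183]: mirrored data that is not target detection data is
    reference data; policy responses in it are triggers fired by real business traffic.
    Merging them into the preset set (the update rule assumed here) gives the new preset
    trigger data for the next detection round."""
    reference = [r for r in to_be_screened if r not in marker_hits and r not in policy_hits]
    new_trigger = dict(init.trigger_data)
    for r in reference:
        if r.get("kind") == "policy_response" and "trigger_id" in r:
            new_trigger.setdefault(r["trigger_id"], r.get("category", "uncategorised"))
    return new_trigger

# Constructed sample: three marker-probed servers and one trigger-probed server.
INIT = generate_initial_detection_data(
    ["10.0.0.11", "10.0.0.12", "10.0.0.13"], ["10.0.0.21"],
    {"T-SQLI": "sql-injection", "T-XSS": "cross-site-scripting", "T-SCAN": "port-scan"})

# Constructed mirrored records as handed over by the monitoring platform: 10.0.0.13 never
# shows up (its traffic is not mirrored) and the port-scan policy never fires.
TO_BE_SCREENED = [
    {"src": "10.0.0.11", "kind": "traffic", "payload": "GET /ping " + MARKER},
    {"src": "10.0.0.12", "kind": "traffic", "payload": "GET /ping " + MARKER},
    {"src": "10.0.0.21", "kind": "policy_response", "payload": "T-SQLI",
     "trigger_id": "T-SQLI", "category": "sql-injection"},
    {"src": "10.0.0.21", "kind": "policy_response", "payload": "T-XSS",
     "trigger_id": "T-XSS", "category": "cross-site-scripting"},
    {"src": "10.0.0.31", "kind": "traffic", "payload": "POST /transfer amount=100"},  # business data
    {"src": "10.0.0.31", "kind": "policy_response", "payload": "T-BRUTE",
     "trigger_id": "T-BRUTE", "category": "brute-force"},  # fired by business traffic
]

def run_example():
    """Screen, evaluate and update once; returns (risk detection result, new trigger data)."""
    marker_hits, policy_hits = screen_target_detection_data(TO_BE_SCREENED, INIT)
    result = risk_detection_result(INIT, marker_hits, policy_hits)
    return result, update_trigger_data(TO_BE_SCREENED, marker_hits, policy_hits, INIT)

if __name__ == "__main__":
    print(run_example())
```

The result names 10.0.0.13 as a missing server address (its marker never reached the monitoring platform) and "port-scan" as the trigger failure policy category, while the brute-force trigger observed in business traffic is added to the preset trigger data for the next round.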

[0219] Each module in the aforementioned risk detection system can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in the processor of a computer device in hardware form or independent of it, or stored in the memory of the computer device in software form, so that the processor can call and execute the corresponding operations of each module.

[0220] In one embodiment, a computer device is provided, which may be a terminal, and its internal structure may be as shown in Figure 7. The computer device includes a processor, memory, input / output interfaces, a communication interface, a display unit, and an input device. The processor, memory, and input / output interfaces are connected via a system bus, and the communication interface, display unit, and input device are also connected to the system bus via the input / output interfaces. The processor provides computing and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system and computer programs. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input / output interfaces are used for exchanging information between the processor and external devices. The communication interface is used for wired or wireless communication with external terminals; wireless communication can be achieved through Wi-Fi, mobile cellular networks, NFC (Near Field Communication), or other technologies. When executed by the processor, the computer program implements a risk detection method. The display unit is used to form a visually visible image and can be a display screen, a projection device, or a virtual reality imaging device. The display screen can be an LCD screen or an e-ink screen. The input device of the computer device can be a touch layer covering the display screen, or buttons, trackballs, or touchpads set on the casing of the computer device, or external keyboards, touchpads, or mice, etc.

[0221] Those skilled in the art will understand that the structure shown in Figure 7 is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.

[0222] In one embodiment, a computer device is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to implement the steps in the above-described method embodiments.

[0223] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon that, when executed by a processor, implements the steps in the above method embodiments.

[0224] In one embodiment, a computer program product is provided, including a computer program that, when executed by a processor, implements the steps in the above method embodiments.

[0225] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data shall comply with the relevant laws, regulations and standards of the relevant countries and regions.

[0226] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, etc., and are not limited to these.

[0227] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.

[0228] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of this patent application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this application should be determined by the appended claims.

Claims

1. A risk detection method, characterized in that the method includes: according to a preset detection data generation strategy, initial detection data containing test traffic data is generated, and a detection instruction containing the initial detection data is sent to the server. The detection instruction is used to instruct the server to send traffic data including the initial detection data to the mirroring device. The traffic data is used by the monitoring platform to mirror the traffic data through the mirroring device to obtain mirror data, and to determine the data to be filtered corresponding to the mirror data based on a preset processing strategy. The test traffic data contains marker characters or preset security policy trigger data. Among the data to be filtered, target detection data corresponding to the test traffic data is filtered. The target detection data is the data to be filtered that contains the marker characters, or the security policy response data corresponding to the preset security policy trigger data. Based on the initial detection data and the target detection data, a risk detection result is determined; the risk detection result is used to characterize the monitoring risk of the monitoring platform.
The step of determining the risk detection result based on the initial detection data and the target detection data includes: searching among the first server addresses corresponding to the initial detection data according to the source server address corresponding to the target detection data to obtain the deployed server addresses; identifying the first server addresses other than the deployed server addresses as missing server addresses, and generating the risk detection result based on the missing server addresses; alternatively, based on the target security trigger identifier contained in the target detection data, a search is performed in the preset security policy trigger data contained in the initial detection data to obtain the triggered security policy trigger data; the preset security policy trigger data other than the triggered security policy trigger data is identified as the untriggered security policy trigger data; the security policy category corresponding to the untriggered security policy trigger data is identified as the trigger failure policy category, and a risk detection result is generated based on the trigger failure policy category.

2. The method according to claim 1, characterized in that the step of generating initial detection data containing test traffic data according to a preset detection data generation strategy, and sending a detection instruction containing the initial detection data to the server, includes: based on the marker characters, initial detection data containing the marker characters is generated, and a detection instruction containing the initial detection data is sent to each server corresponding to a first server address in a preset first server address set.

3. The method according to claim 1, characterized in that the step of generating initial detection data containing test traffic data according to a preset detection data generation strategy, and sending a detection instruction containing the initial detection data to the server, includes: based on the preset security policy trigger data, initial detection data containing the preset security policy trigger data is generated, and a detection instruction containing the preset security policy trigger data is sent to each server corresponding to a second server address in a preset second server address set; the preset security policy trigger data is used to trigger the security policies in the monitoring platform, so that the data to be filtered that it generates includes security policy response data.

4. The method according to claim 1, characterized in that the traffic data also includes business data, and the method further includes: using the data to be screened, excluding the target detection data, as reference data; based on the reference data, determining the security policy trigger data corresponding to the reference data to obtain the reference trigger data; based on the reference trigger data and the preset security policy trigger data, determining new preset security policy trigger data; if the triggering conditions for the next risk detection are met, based on the new preset security policy trigger data, returning to the step of generating initial detection data containing the preset security policy trigger data.

5. The method according to claim 4, characterized in that the step of returning, when the trigger condition for the next risk detection is met, to the step of generating initial detection data containing the preset security policy trigger data based on the new preset security policy trigger data includes: upon reaching the next risk detection initiation time, based on the new preset security policy trigger data, returning to the step of generating initial detection data containing the preset security policy trigger data; or upon reaching the next risk detection cycle, based on the new preset security policy trigger data, returning to the step of generating initial detection data containing the preset security policy trigger data.

6. The method according to any one of claims 1 to 5, characterized in that, if no target detection data corresponding to the test traffic data is found in the data to be filtered, the method further includes: if the test traffic data includes a test identifier, the first server addresses corresponding to the initial detection data are identified as missing server addresses, and a risk detection result is generated based on the missing server addresses; if the test traffic data includes preset security policy trigger data, the security policy category set corresponding to the preset security policy trigger data set is identified as the trigger failure policy category set, and the risk detection result is generated based on the trigger failure policy category set.

7. A risk detection system, characterized in that the risk detection system is used to implement the risk detection method according to any one of claims 1-6, the system comprising a server, a mirroring device, a monitoring platform, and a risk detection monitoring terminal, wherein: the monitoring risk assessment terminal is used to generate initial detection data containing test traffic data according to a preset detection data generation strategy, and send a detection instruction containing the initial detection data to the server; the server is used to send traffic data, including the initial detection data, to the mirror device; the mirroring device is used to mirror the traffic data, obtain mirrored data, and send the mirrored data to the monitoring platform; the monitoring platform is used to determine the data to be filtered corresponding to the mirrored data based on a preset processing strategy; the monitoring risk assessment terminal is also used to filter target detection data corresponding to the test traffic data from the data to be screened, and to determine the risk detection result based on the initial detection data and the target detection data; the risk detection result is used to characterize the monitoring risk of the monitoring platform.

8. A risk detection device, characterized in that the risk detection device is used to implement the risk detection method according to any one of claims 1-6, and the device includes: a generation module, used to generate initial detection data containing test traffic data according to a preset detection data generation strategy, and send a detection instruction containing the initial detection data to the server, wherein the detection instruction is used to instruct the server to send traffic data including the initial detection data to the mirroring device, and the traffic data is used by the monitoring platform to mirror the traffic data through the mirroring device to obtain mirror data, and to determine the data to be filtered corresponding to the mirror data based on a preset processing strategy; a filtering module, used to filter the target detection data corresponding to the test traffic data from the data to be filtered; and a first determining module, used to determine the risk detection result based on the initial detection data and the target detection data, wherein the risk detection result is used to characterize the monitoring risk of the monitoring platform.

9. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, when the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 6.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, when the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.