Network security situation awareness system-based operation risk assessment method
By dynamically comparing the enterprise certificate trust list with the CA authority list, and combining the risk assessment results of blind zone data packets, certificates are supplemented and eliminated, which solves the problem of risk misjudgment of blind zone data packets in encrypted traffic and improves the detection accuracy and real-time performance of the network security situation awareness system.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications (China)
- Current Assignee / Owner: ZHANGJIAKOU POWER SUPPLY COMPANY OF STATE GRID JINBEI ELECTRIC POWER COMPANY
- Filing Date: 2026-04-21
- Publication Date: 2026-06-19
Figure CN122247736A_ABST (abstract drawing)
Description
Technical Field
[0001] This invention belongs to the field of system risk management technology, and specifically relates to a method for assessing operational risks based on a network security situation awareness system.
Background Technology
[0002] In the current network security protection system, enterprise data transmission faces a contradiction between the continuously rising proportion of encrypted traffic and insufficient detection capabilities. With the widespread adoption of the HTTPS protocol, traditional security detection technologies based on plaintext parsing struggle to identify threats hidden in encrypted channels, creating "blind spot packets." When assessing the risks of blind spot packets, enterprises rely on their own maintained certificate trust lists. However, these lists often suffer from outdated update mechanisms and insufficient compatibility with public trust systems, leading to frequent misjudgments. Specifically, when Certificate Authorities (CAs) update their certificate trust lists (e.g., revoke vulnerable certificates or add trusted certificates), if enterprises fail to synchronize in a timely manner, they may misjudge legitimate traffic as risky or let real attacks slip by. Simultaneously, private certificates or self-signed certificates issued by enterprise-owned CAs are easily misjudged as malicious certificates because they are not on public trust lists, or similar certificates forged by attackers may be overlooked due to enterprises' over-reliance on their own certificates. Furthermore, existing technologies lack dynamic verification mechanisms for enterprise certificate trust lists. When the trust lists are inaccurate, the initial risk assessment results of blind spot packets may be significantly different from reality and cannot be automatically corrected. Traditional certificate transparency analysis relies on public CT logs, which are insufficient to cover enterprise private certificate scenarios. This leads to legitimate private certificates being misjudged or malicious certificates evading detection. These issues collectively result in enterprises facing challenges such as high false positive rates and lagging defenses in encrypted traffic risk assessments.
[0003] To this end, the present invention provides a method for assessing operational risks based on a network security situation awareness system.
Summary of the Invention
[0004] To address the shortcomings of existing technologies, this application discloses an operational risk assessment method based on a network security situation awareness system to solve at least one technical problem mentioned in the background. This invention dynamically compares and updates the enterprise certificate trust list with the authoritative CA institution list, and combines the risk assessment results of blind zone data packets with certificate transparency analysis to achieve accurate supplementation and elimination of certificates, thereby automatically correcting risk assessment biases, reducing false positive rates, and improving the accuracy and real-time performance of enterprise encrypted traffic threat detection.
[0005] The technical solution adopted by this invention to solve its technical problem is: a method for assessing operational risks based on a network security situation awareness system, comprising:
[0006] Decrypt the data packets, identify blind spot data packets when the enterprise transmits data over the network based on the data packet decryption results, and obtain the enterprise certificate trust list for the initial risk assessment of the blind spot data packets;
[0007] Perform certificate comparison and analysis on the enterprise certificate trust list and the certificate trust list issued by the CA authority to determine whether there is a suspected blind spot data packet risk misjudgment;
[0008] If it exists, update the enterprise's certificate trust list according to the certificate trust list published by the CA authority, and reassess the risk of blind spot data packets;
[0009] Compare the initial risk assessment results and the risk reassessment results of the blind zone data packets. If the results are consistent, it means that there is no misjudgment of the risk of blind zone data packets. If they are inconsistent, the certificate supplement set and certificate elimination set are determined based on the results of updating the enterprise's certificate trust list based on the certificate trust list issued by the CA institution.
[0010] The certificate of the blind zone data packet is checked against the certificate supplement set and the certificate elimination set. If the certificate of the blind zone data packet is in the certificate supplement set, there is a risk misjudgment of the blind zone data packet. If the certificate of the blind zone data packet is in the certificate elimination set, certificate transparency analysis of the blind zone data packet is performed to determine whether there is a risk misjudgment of the blind zone data packet.
[0011] Furthermore, the data packet decryption results include fully parsed, not fully parsed, and completely unparsable;
[0012] If the packet cannot be parsed at all, mark it as a blind zone packet;
[0013] If the packet cannot be fully parsed, mark it as a packet to be analyzed;
[0014] If the packet is fully parsed, no operation is performed;
[0015] Based on the data packets to be analyzed, a baseline range of meta-feature data for the data packets is constructed. If the capacity and the transmission time interval of a data packet to be analyzed are not both within the baseline range of meta-feature data (that is, at least one of them falls outside it), the capacity deviation value and the transmission time interval deviation value of the data packet to be analyzed are calculated separately and summed to obtain its meta-feature deviation value.
[0016] If the deviation value of the meta-feature is greater than or equal to the deviation threshold of the meta-feature, the data packet to be analyzed will be marked as a blind zone data packet.
[0017] Furthermore, the capacity deviation value of the data packet to be analyzed is obtained as follows:
[0018] The absolute difference between the capacity of the data packet to be analyzed and the nearest endpoint of the data packet capacity baseline range is calculated, and the ratio of this difference to the data packet capacity baseline range value gives the capacity deviation value of the data packet to be analyzed. The data packet capacity baseline range value is the difference between the maximum and minimum values of the data packet capacity baseline range.
[0019] The method for obtaining the transmission interval deviation value of the data packet to be analyzed is as follows:
[0020] The absolute difference between the transmission time interval of the data packet to be analyzed and the nearest endpoint of the data packet transmission baseline range is calculated, and the ratio of this difference to the data packet transmission baseline range value gives the transmission interval deviation value of the data packet to be analyzed. The data packet transmission baseline range value is the difference between the maximum and minimum values of the data packet transmission baseline range.
[0021] Furthermore, the baseline range of the meta-feature data includes the baseline range of data packet capacity and the baseline range of data packet transmission;
[0022] The process of constructing the baseline range of the meta-feature data is as follows:
[0023] A1, based on the enterprise's historical transmission data, obtain the data packet capacity and transmission time interval during multiple transmissions, and summarize and integrate them to obtain the capacity sequence and transmission time interval sequence.
[0024] A2, cluster the capacity sequence and the transmission time interval sequence using the K-means algorithm, specifically:
[0025] A21, determine the number of clusters K using the elbow rule;
[0026] A22, randomly select K data packet capacities (or transmission time intervals) as the initial cluster centers;
[0027] A23, assign the capacity or transmission time interval of each data packet to the cluster whose center is nearest;
[0028] A24, recalculate the mean of all data packet capacities or transmission time intervals in each cluster and use it as the new cluster center;
[0029] A25, repeat steps A23-A24 until the cluster centers no longer change or the preset maximum number of iterations is reached;
[0030] A3, output the clustering results, select the largest cluster, and construct the baseline range of the meta-feature data as: the mean of the largest cluster ± 2 times the standard deviation of the largest cluster.
[0031] Furthermore, the method for determining whether there is a potential risk of misjudgment of blind zone data packets is as follows:
[0032] If the certificates in the enterprise's certificate trust list are all the same as the certificates in the certificate trust list issued by the CA authority, there is no suspected risk misjudgment of blind zone data packets.
[0033] If at least one certificate in the enterprise certificate trust list does not match any certificate in the certificate trust list issued by the CA authority, there may be a risk misjudgment of blind zone data packets.
[0034] Furthermore, the process of updating the enterprise certificate trust list based on the certificate trust list published by the CA authority and reassessing the risk of blind spot data packets is as follows:
[0035] Delete certificates that are not listed in the certificate trust list published by the CA authority from the enterprise certificate trust list, and add certificates that are not listed in the enterprise certificate trust list from the CA authority's certificate trust list to the enterprise certificate trust list to complete the update of the enterprise certificate trust list;
[0036] If the certificate of the blind zone data packet is in the updated enterprise certificate trust list, the risk is reassessed as low risk;
[0037] If the certificate for the blind zone data packet is not in the updated enterprise certificate trust list, the risk is reassessed as high risk.
[0038] Furthermore, the certificate supplement set and the certificate elimination set are determined as follows:
[0039] When the enterprise's certificate trust list is updated according to the certificate trust list published by the CA authority, the deleted certificates are aggregated to form the certificate elimination set, and the added certificates are aggregated to form the certificate supplement set.
[0040] Furthermore, the process of performing certificate transparency analysis on blind zone data packets is as follows:
[0041] Based on the enterprise CT log system, obtain the certificate issuance frequency and the certificate submission intervals of the blind zone data packet's certificate over the historical transmission period, process them to obtain the certificate issuance value and the certificate submission value, and sum these to output the certificate authentication value.
[0042] If the certificate authentication value is less than or equal to the certificate authentication threshold, it means that there is no risk misjudgment of the data packets in the blind zone;
[0043] If the certificate authentication value is greater than the certificate authentication threshold, it indicates that there is a risk of misjudgment in the blind zone data packets.
[0044] Furthermore, the certificate issuance value is obtained in the following way:
[0045] The certificate issuance frequency of the data packets in the blind zone is obtained within the historical transmission period, and the absolute difference between the certificate issuance frequency and the preset issuance frequency is calculated to obtain the issuance frequency difference. The ratio of the issuance frequency difference to the preset issuance frequency is then calculated to obtain the certificate issuance value.
[0046] Furthermore, the method for obtaining the certificate submission value is as follows:
[0047] Obtain the issuance time and submission time of the certificates of the blind zone data packets within the historical transmission cycle, and take their difference to obtain the issuance-to-submission interval.
[0048] If the issuance-to-submission interval is greater than the MMD, the certificate submission is abnormal.
[0049] The frequency of certificate submission anomalies within the historical transmission cycle is statistically analyzed, and the ratio is calculated with the certificate issuance frequency within the historical transmission cycle to obtain the certificate submission anomaly value.
[0050] Based on certificate submission anomalies, the deviation between the submission interval time of certificate submission anomalies and MMD is calculated to obtain the submission over-limit interval. All submission over-limit intervals are averaged to obtain the average submission over-limit interval. The ratio of the average submission over-limit interval to MMD is calculated to obtain the certificate submission over-limit value.
[0051] Sum the certificate submission anomaly value and the certificate submission over-limit value to output the certificate submission value.
[0052] The beneficial effects of this invention are as follows: based on the data packet decryption results, blind zone data packets transmitted by the enterprise over the network are identified, and the enterprise's certificate trust list is obtained for the initial risk assessment of these blind zone data packets. The enterprise's certificate trust list is compared with the certificate trust list issued by the CA (Certificate Authority) to determine whether a risk misjudgment of blind zone data packets is suspected. If so, the enterprise's certificate trust list is updated according to the CA's list and the risk of the blind zone data packets is reassessed. The initial risk assessment result and the reassessment result are compared: if they are consistent, there is no risk misjudgment of the blind zone data packets; if they are inconsistent, the certificate supplement set and the certificate elimination set are determined from the update of the enterprise certificate trust list against the CA's list. The certificate of the blind zone data packet is then checked against these two sets. If it is in the certificate supplement set, there is a risk misjudgment of the blind zone data packet. If it is in the certificate elimination set, certificate transparency analysis of the blind zone data packet is performed to determine whether there is a risk misjudgment.
This invention verifies the risk assessment of data packets by comparing data packet certificates during enterprise data transmission, solving both the risk misjudgment caused by lag in updating the enterprise certificate trust list and the risk misjudgment caused by the enterprise's own certificates.
Attached Figure Description
[0053] The invention will now be further described with reference to the accompanying drawings.
[0054] Figure 1 is a flowchart of the steps of the operational risk assessment method based on a network security situation awareness system according to an embodiment of the invention.
[0055] Figure 2 is a schematic block diagram of the logical judgment of the operational risk assessment method based on a network security situation awareness system according to an embodiment of the present invention.
Detailed Implementation
[0056] To make the technical means, creative features, objectives and effects of this invention easier to understand, the invention will be further described below in conjunction with specific embodiments.
[0057] Example 1: Referring to Figures 1-2, in an embodiment of the present invention the operational risk assessment method based on a network security situation awareness system includes the following steps:
[0058] Step 1: Identify blind spot data packets when the enterprise transmits data over the network based on the data packet decryption results, and obtain the enterprise certificate trust list for the initial risk assessment of the blind spot data packets;
[0059] In step one, the process of identifying blind spot data packets during network data transmission by the enterprise based on the data packet decryption results is as follows:
[0060] When enterprises transmit network data, the decryption results of data packets (network data packets encrypted and transmitted via SSL / TLS protocol during network data transmission) are obtained. The data packet decryption results include fully parsed, not fully parsed, and completely unparsable.
[0061] Full parsing means that when the system has a legitimate decryption key (such as obtained through an enterprise's internal key management system), or uses technologies such as SSL offloading devices and man-in-the-middle proxies to parse data packets, it can obtain the complete plaintext content of the data packets;
[0062] "Cannot be fully parsed" means that the system cannot obtain the complete plaintext content, but can extract some metadata information, such as packet size, transmission time interval, source IP and destination IP, port number, and TLS handshake information.
[0063] Completely unparsable means that the system neither has the decryption key nor can obtain valid information about the data packet by other means;
[0064] If the data packet decryption result shows that it cannot be parsed at all, then the data packet is marked as a blind zone data packet;
[0065] If the data packet decryption result shows that it cannot be completely parsed, then the data packet is marked as a data packet to be analyzed;
[0066] If the data packet decryption result shows that it is fully parsed, the network security situation awareness system can determine the security risk of the data packet since it can parse the data packet content, and therefore does not perform the data packet marking process.
[0067] Based on the data packets to be analyzed, a baseline range of meta-feature data about the data packets is constructed according to the enterprise's historical transmission data. The baseline range of meta-feature data includes the baseline range of data packet capacity and the baseline range of data packet transmission. The capacity and transmission time interval of the data packets to be analyzed are compared with the baseline range of data packet capacity and the baseline range of data packet transmission, respectively.
[0068] If the capacity and transmission time interval of the data packet to be analyzed are both within the baseline range of the meta-feature data, then the data packet to be analyzed is marked as a normal data packet.
[0069] If the capacity and the transmission time interval of the data packet to be analyzed are not both within the baseline range of the meta-feature data (that is, at least one of them falls outside it), calculate the capacity deviation value and the transmission time interval deviation value of the data packet to be analyzed separately, and sum them to obtain the meta-feature deviation value of the data packet to be analyzed.
[0070] If the deviation value of the meta-feature is greater than or equal to the deviation threshold of the meta-feature, the data packet to be analyzed will be marked as a blind zone data packet;
[0071] If the deviation value of the meta-feature is less than the deviation threshold of the meta-feature, the data packet to be analyzed will be marked as a normal data packet.
[0072] Understandably, the meta-feature deviation value reflects the degree of deviation between the capacity of the data packet to be analyzed and the capacity baseline range, and the degree of deviation between the transmission time interval and the transmission time baseline. The greater the deviation, the higher the possibility that the data packet has a security risk.
[0073] The capacity deviation value of the data packet to be analyzed is obtained as follows:
[0074] The absolute difference between the capacity of the data packet to be analyzed and the nearest endpoint of the data packet capacity baseline range is calculated to obtain the capacity difference of the data packet to be analyzed. The ratio of this capacity difference to the data packet capacity baseline range value is the capacity deviation value of the data packet to be analyzed.
[0075] Here, the data packet capacity baseline range value is the difference between the maximum and minimum values of the data packet capacity baseline range;
[0076] The transmission interval deviation value of the data packet to be analyzed is obtained as follows:
[0077] The absolute difference between the transmission time interval of the data packet to be analyzed and the nearest endpoint of the data packet transmission baseline range is calculated to obtain the transmission time interval difference of the data packet to be analyzed. The ratio of this transmission time interval difference to the data packet transmission baseline range value is the transmission interval deviation value of the data packet to be analyzed.
[0078] Here, the data packet transmission baseline range value is the difference between the maximum and minimum values of the data packet transmission baseline range;
[0079] The process of constructing the baseline range of meta-feature data for data packets based on the enterprise's historical transmission data is as follows:
[0080] A1, based on the enterprise's historical transmission data, obtain the data packet capacity and transmission time interval during multiple transmissions, and summarize and integrate them to obtain the capacity sequence and transmission time interval sequence.
[0081] A2, cluster the capacity sequence and the transmission time interval sequence using the K-means algorithm, specifically:
[0082] A21, determine the number of clusters K using the elbow rule;
[0083] A22, randomly select K data packet capacities (or transmission time intervals) as the initial cluster centers;
[0084] A23, assign the capacity or transmission time interval of each data packet to the cluster whose center is nearest;
[0085] A24, recalculate the mean of all data packet capacities or transmission time intervals in each cluster and use it as the new cluster center;
[0086] A25, repeat steps A23-A24 until the cluster centers no longer change or the preset maximum number of iterations is reached;
[0087] A3, output the clustering results, select the largest cluster, and construct the baseline range of the meta-feature data, that is: the mean of the largest cluster ± 2 times the standard deviation of the largest cluster;
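The baseline construction of steps A1-A3 and the deviation scoring of paragraphs [0068]-[0078], as an added Python example that is not code from the patent: the elbow rule is replaced by a caller-supplied K, and the historical traffic samples and the meta-feature deviation threshold are constructed values.

```python
"""Blind-zone marking of partially parsed packets from meta-feature baselines.

Added example, not the patent's own code. Implements steps A1-A3 (K-means on
historical capacity and transmission-interval sequences, largest cluster,
mean +/- 2 standard deviations) and the deviation scoring of [0074]-[0078].
Assumptions: K is supplied by the caller instead of the elbow rule, and the
sample traffic and the deviation threshold are constructed values.
"""
import random
import statistics
from typing import List, Tuple

Range = Tuple[float, float]

# Constructed historical data: bulk TLS records near 1400 bytes plus a few
# small control packets; intervals in milliseconds with two long idle gaps.
HIST_SIZES = [1400, 1420, 1380, 1410, 1390, 1400, 1420, 1380, 60, 60, 64]
HIST_INTERVALS_MS = [40, 60, 40, 60, 40, 60, 40, 60, 2000, 2100]
META_DEVIATION_THRESHOLD = 1.0  # assumed value, not given on the page


def kmeans_1d(values: List[float], k: int, max_iter: int = 100,
              seed: int = 0) -> List[List[float]]:
    """Steps A22-A25: random initial centres drawn from the data, nearest-centre
    assignment, centre = cluster mean, stop when centres stop moving."""
    rng = random.Random(seed)
    centres = [float(v) for v in rng.sample(values, k)]
    clusters: List[List[float]] = [[] for _ in range(k)]
    for _ in range(max_iter):
        clusters = [[] for _ in range(k)]
        for v in values:
            nearest = min(range(k), key=lambda i: abs(v - centres[i]))
            clusters[nearest].append(v)
        new_centres = [statistics.fmean(c) if c else centres[i]
                       for i, c in enumerate(clusters)]
        if new_centres == centres:
            break
        centres = new_centres
    return clusters


def baseline_range(values: List[float], k: int) -> Range:
    """Step A3: take the largest cluster, return mean +/- 2 * population std."""
    largest = max(kmeans_1d(values, k), key=len)
    mean = statistics.fmean(largest)
    sd = statistics.pstdev(largest)
    return (mean - 2 * sd, mean + 2 * sd)


def deviation_value(value: float, rng: Range) -> float:
    """[0074]/[0077]: |value - nearest endpoint| / (max - min); 0 inside the range."""
    lo, hi = rng
    if lo <= value <= hi:
        return 0.0
    nearest = lo if value < lo else hi
    if hi == lo:  # degenerate baseline with no spread: any excursion is extreme
        return float("inf")
    return abs(value - nearest) / (hi - lo)


def classify_packet(size: float, interval_ms: float, size_rng: Range,
                    interval_rng: Range,
                    threshold: float = META_DEVIATION_THRESHOLD) -> Tuple[str, float]:
    """[0068]-[0071]: both inside the baseline -> normal; otherwise sum the two
    deviation values and mark blind_zone when the sum reaches the threshold."""
    meta_dev = deviation_value(size, size_rng) + deviation_value(interval_ms, interval_rng)
    if meta_dev == 0.0:
        return "normal", 0.0
    return ("blind_zone" if meta_dev >= threshold else "normal"), meta_dev


def build_baselines(k: int = 2) -> Tuple[Range, Range]:
    """Steps A1-A3 over the constructed history; K=2 is an assumption standing
    in for the elbow rule on this two-mode sample."""
    return baseline_range(HIST_SIZES, k), baseline_range(HIST_INTERVALS_MS, k)


if __name__ == "__main__":
    size_rng, interval_rng = build_baselines()
    print("capacity baseline:", size_rng, "interval baseline (ms):", interval_rng)
    for size, gap in [(1400, 50), (1460, 50), (1490, 100)]:
        print(size, gap, classify_packet(size, gap, size_rng, interval_rng))
```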
[0088] Understandably, when conducting risk assessments of blind zone data packets that cannot be parsed, enterprises will compare and verify the certificates (SSL / TLS certificates) of the blind zone data packets with the enterprise's certificate trust list to determine whether the blind zone data packets pose a security risk.
[0089] The initial risk assessment of the blind zone data packets includes high risk and low risk.
[0090] High risk means that the certificate of the blind spot data packet is not in the enterprise's certificate trust list; low risk means that it is.
[0091] Step 2: Compare and analyze the enterprise's certificate trust list and the certificate trust list published by the CA authority to determine whether a blind spot data packet risk misjudgment is suspected.
[0092] In step two, the process of comparing and analyzing the enterprise's certificate trust list and the certificate trust list published by the CA authority is as follows:
[0093] If the certificates in the enterprise's certificate trust list are all the same as the certificates in the certificate trust list issued by the CA authority, there is no suspected risk misjudgment of blind zone data packets.
[0094] If at least one certificate in the enterprise certificate trust list does not match any certificate in the certificate trust list issued by the CA authority, there may be a blind spot data packet risk misjudgment.
[0095] It is understandable that, due to the possibility of manual or other update delays in an enterprise's certificate trust list, there may be discrepancies between the enterprise's certificate trust list and the certificate trust list published by the CA authority. In this case, the network security situation awareness system may make incorrect comparisons when performing certificate comparisons, leading to misjudgments of the risk of data packets.
[0096] Step 3: If it exists, update the enterprise's certificate trust list according to the certificate trust list published by the CA authority, and reassess the risk of blind spot data packets;
[0097] In step three, the process of updating the enterprise's certificate trust list based on the certificate trust list published by the CA authority is as follows:
[0098] Delete certificates that are not listed in the certificate trust list published by the CA authority from the enterprise certificate trust list, and add certificates that are not listed in the enterprise certificate trust list from the CA authority's certificate trust list to the enterprise certificate trust list to complete the update of the enterprise certificate trust list;
[0099] In step three, the process of reassessing the risk of blind zone data packets is as follows:
[0100] If the certificate of the blind zone data packet is in the updated enterprise certificate trust list, the risk is reassessed as low risk;
[0101] If the certificate of the blind zone data packet is not in the updated enterprise certificate trust list, the risk is reassessed as high risk;
[0102] Step 4: Compare the initial risk assessment results and the risk reassessment results of the blind zone data packets. If the results are consistent, there is no risk misjudgment of the blind zone data packets. If they are inconsistent, determine the certificate supplement set and the certificate elimination set from the update of the enterprise's certificate trust list against the certificate trust list issued by the CA institution.
[0103] In step four, the initial risk assessment results and the risk reassessment results of the blind zone data packets will be compared. If both the initial risk assessment results and the risk reassessment results show high risk or low risk, the results are consistent. Otherwise, they are inconsistent. If they are consistent, it means that there is no misjudgment of the risk of the blind zone data packets.
[0104] Understandably, if the assessment results are consistent after the enterprise certificate trust list is updated, it means that the initial risk assessment results of the blind zone data packets are accurate and the network security situation awareness system has not made a misjudgment.
[0105] In step four, the certificate supplement set and the certificate elimination set are determined as follows:
[0106] When the enterprise's certificate trust list is updated according to the certificate trust list published by the CA authority, the deleted certificates are aggregated to form the certificate elimination set, and the added certificates are aggregated to form the certificate supplement set.
[0107] Understandably, when there is a discrepancy, the certificate supplement set and the certificate elimination set serve the following purposes:
[0108] Function 1: The certificate supplement set is obtained by aggregating certificates that exist in the certificate trust list issued by the CA authority but not in the enterprise certificate trust list. The certificate supplement set is used to determine whether the certificate of the blind zone data packet belongs to the certificate supplement set. If it does, it means that the network security situation awareness system made an error when comparing blind zone data packets due to the lag in the enterprise certificate trust list, resulting in a misjudgment of the risk of the blind zone data packets.
[0109] Function 2: The certificate elimination set is obtained by aggregating certificates that exist in the enterprise's certificate trust list but not in the CA's certificate trust list. It is used to determine whether the certificate of a blind zone data packet belongs to the certificate elimination set; if it does, certificate transparency analysis is performed to finally identify the potential risk of the blind zone data packet. This analysis is needed because the certificates in the elimination set are unique to the enterprise's certificate trust list: the enterprise may be using its own certificates, which do not fall within the scope of CA-issued certificates. Therefore, to prevent this situation from causing potential risks in blind zone data packets, certificate transparency analysis is performed.
[0110] Step 5: Check the certificate of the blind zone data packet against the certificate supplement set and the certificate elimination set. If the certificate of the blind zone data packet is in the certificate supplement set, there is a risk misjudgment of the blind zone data packet. If the certificate of the blind zone data packet is in the certificate elimination set, perform certificate transparency analysis of the blind zone data packet to determine whether there is a risk misjudgment of the blind zone data packet.
[0111] In step five, the certificate of each blind zone data packet is identified by its membership in the certificate supplement set and the certificate elimination set, respectively.
[0112] If the certificate of the blind zone data packet is in the certificate supplement set, there is a risk misjudgment of the blind zone data packet.
[0113] It is understandable that the lag in the enterprise certificate trust list causes errors in the network security situation awareness system when comparing blind zone data packets, leading to misjudgment of the risks of blind zone data packets.
[0114] If the certificate of the blind zone data packet is in the certificate elimination set, certificate transparency analysis of the blind zone data packet is performed as follows (based on the certificate issuance frequency and compliance with the MMD):
[0115] From the enterprise CT log system, obtain the number of times the certificate of the blind zone data packet was issued during the historical transmission cycle (the certificate issuance frequency). Take the absolute difference between this frequency and the preset issuance frequency to obtain the issuance frequency difference, then divide the issuance frequency difference by the preset issuance frequency to obtain the certificate issuance value.
[0116] From the enterprise CT log system, obtain the issuance time and the submission time of each such certificate within the historical transmission cycle. Their difference is the signing and submission interval time (the issuance-to-submission interval), which is compared with the preset MMD (maximum merge delay).
[0117] If the issuance-to-submission interval is greater than the MMD, the certificate submission is abnormal.
[0118] If the issuance-to-submission interval is less than or equal to the MMD, the certificate submission is normal.
[0119] Count the abnormal certificate submissions within the historical transmission cycle and divide the count by the certificate issuance frequency in the same cycle to obtain the certificate submission anomaly value.
[0120] For each abnormal certificate submission, subtract the MMD from its issuance-to-submission interval to obtain the submission over-limit interval. Average all submission over-limit intervals to obtain the average submission over-limit interval, and divide it by the MMD to obtain the certificate submission over-limit value.
[0121] Sum the certificate submission anomaly value and the certificate submission over-limit value to output the certificate submission value.
[0122] Sum the certificate issuance value and the certificate submission value to output the certificate authentication value.
[0123] In some embodiments, the certificate authentication value is compared with a certificate authentication threshold.
[0124] If the certificate authentication value is less than or equal to the certificate authentication threshold, there is no risk misjudgment of the blind zone data packet.
[0125] If the certificate authentication value is greater than the certificate authentication threshold, a risk misjudgment of the blind zone data packet is indicated.
[0126] The certificate authentication value reflects the deviation of the issuance frequency and the abnormality of the issuance-to-submission intervals of the certificate carried by the blind zone data packet. Small deviation and few abnormalities mean the certificate is highly trustworthy; large ones mean it is of low trustworthiness. Because the enterprise may use its own certificates, a certificate in the certificate expiration set was present in the enterprise certificate trust list and therefore received a low-risk initial assessment. If the certificate proves highly trustworthy, the blind zone data packet is indeed low risk and the network security situation awareness system has not misjudged it. If the certificate proves to be of low trustworthiness, the blind zone data packet is high risk, which contradicts the low-risk initial assessment; this inconsistency indicates that the risk of the blind zone data packet was misjudged.
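The Step 5 procedure of paragraphs [0110] to [0125] (restated in claims 5 to 10), carried out end to end in Python as an added worked example. This is the editor's code, not code from the patent or from its assignee. It assumes, beyond what the text states, that certificates are identified by their SHA-256 fingerprint (so both trust lists and the CT log are keyed by fingerprint strings), that the enterprise CT log is a list of records carrying issuance and submission times, that with no log records the submission value is 0 (the issuance value already flags the missing issuances), and that a certificate in neither set is reported as "consistent" because both lists agree on it; the fingerprints, timestamps, preset issuance frequency, MMD and threshold are constructed values.

```python
"""Added worked example (editor's code, not the patent's): Step 5 of the method.

Assumptions beyond the text: certificates are keyed by SHA-256 fingerprint strings;
the enterprise CT log is a list of CtRecord entries; no records => submission value 0;
a certificate in neither set => "consistent"; all sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CtRecord:
    """One enterprise CT log entry for a certificate (constructed record format)."""
    fingerprint: str
    issued_at: datetime
    submitted_at: datetime


def compare_trust_lists(enterprise: set[str], ca: set[str]) -> tuple[set[str], set[str]]:
    """Functions One and Two: supplement set = in CA list but not in enterprise list;
    expiration set = in enterprise list but not in CA list."""
    return ca - enterprise, enterprise - ca


def certificate_issuance_value(records: list[CtRecord], preset_frequency: int) -> float:
    """[0115]: |issuance frequency - preset frequency| / preset frequency."""
    return abs(len(records) - preset_frequency) / preset_frequency


def certificate_submission_value(records: list[CtRecord], mmd: timedelta) -> float:
    """[0116]-[0121]: submission anomaly value + submission over-limit value."""
    if not records:
        return 0.0  # assumption: nothing was submitted, so nothing to score here
    intervals = [r.submitted_at - r.issued_at for r in records]      # [0116]
    over_limit = [iv - mmd for iv in intervals if iv > mmd]          # [0117], [0120]
    anomaly_value = len(over_limit) / len(records)                   # [0119]
    if not over_limit:
        return anomaly_value                                         # over-limit value is 0
    average_over_limit = sum(over_limit, timedelta()) / len(over_limit)
    over_limit_value = average_over_limit / mmd                      # [0120]
    return anomaly_value + over_limit_value                          # [0121]


def certificate_authentication_value(records: list[CtRecord], preset_frequency: int,
                                     mmd: timedelta) -> float:
    """[0122]: certificate issuance value + certificate submission value."""
    return (certificate_issuance_value(records, preset_frequency)
            + certificate_submission_value(records, mmd))


def assess_blind_zone_certificate(fingerprint: str, enterprise: set[str], ca: set[str],
                                  ct_log: list[CtRecord], preset_frequency: int,
                                  mmd: timedelta, threshold: float) -> str:
    """Step 5 verdict: "misjudged", "not_misjudged" or "consistent" (neither set)."""
    supplement, expiration = compare_trust_lists(enterprise, ca)
    if fingerprint in supplement:
        return "misjudged"  # [0112]: the CA trusts it, the stale enterprise list did not
    if fingerprint in expiration:
        records = [r for r in ct_log if r.fingerprint == fingerprint]
        value = certificate_authentication_value(records, preset_frequency, mmd)
        return "misjudged" if value > threshold else "not_misjudged"  # [0124]-[0125]
    return "consistent"


# Constructed sample data (not taken from the patent).
ENTERPRISE_LIST = {"sha256:A", "sha256:B", "sha256:C"}
CA_LIST = {"sha256:B", "sha256:C", "sha256:D"}
T0 = datetime(2026, 1, 1)
CT_LOG = [  # four issuances of enterprise-only certificate A; two exceed a 24 h MMD
    CtRecord("sha256:A", T0, T0 + timedelta(hours=2)),
    CtRecord("sha256:A", T0 + timedelta(days=7), T0 + timedelta(days=7, hours=30)),
    CtRecord("sha256:A", T0 + timedelta(days=14), T0 + timedelta(days=14, hours=12)),
    CtRecord("sha256:A", T0 + timedelta(days=21), T0 + timedelta(days=21, hours=48)),
]
PRESET_FREQUENCY = 5
MMD = timedelta(hours=24)
THRESHOLD = 1.0


def demo() -> dict[str, str]:
    """Verdicts for a certificate in the expiration set (A), in both lists (B)
    and in the supplement set (D)."""
    return {fp: assess_blind_zone_certificate(fp, ENTERPRISE_LIST, CA_LIST, CT_LOG,
                                              PRESET_FREQUENCY, MMD, THRESHOLD)
            for fp in ("sha256:A", "sha256:B", "sha256:D")}


if __name__ == "__main__":
    for fp, verdict in demo().items():
        print(fp, verdict)
```

For certificate A the issuance value is |4 - 5| / 5 = 0.2; two of four intervals (30 h and 48 h) exceed the 24 h MMD, giving an anomaly value of 0.5 and an average over-limit interval of 15 h, i.e. an over-limit value of 0.625; the authentication value 1.325 exceeds the threshold, so the low-risk initial assessment is flagged as a misjudgment. One caveat for practitioners: in RFC 6962 the maximum merge delay bounds how long a log may take to incorporate a certificate after returning an SCT, whereas the method above uses the term for a preset upper bound on the issuance-to-submission interval; the example follows the method's usage.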
[0127] The technical solution of this invention is as follows: identify blind zone data packets during network data transmission on the basis of the data packet decryption results, and obtain the enterprise certificate trust list used for the initial risk assessment of the blind zone data packets; perform certificate comparison analysis between the enterprise certificate trust list and the certificate trust list issued by the CA authority to determine whether a suspected risk misjudgment of blind zone data packets exists; if so, update the enterprise certificate trust list according to the certificate trust list issued by the CA authority and reassess the risk of the blind zone data packets; compare the initial risk assessment result with the reassessment result, where consistent results mean that there is no misjudgment of blind zone data packet risk and inconsistent results mean that the risk is determined according to the certificate trust list issued by the CA authority. The invention uses the CA's certificate trust list to update the enterprise certificate trust list, thereby determining the certificate supplement set and the certificate expiration set, and checks the certificate of each blind zone data packet against these sets: membership in the certificate supplement set indicates a potential misjudgment of the risk, and membership in the certificate expiration set triggers certificate transparency analysis to determine whether a misjudgment exists. By verifying the risk assessment of data packets through comparison of their certificates during transmission, the invention addresses both the misjudgments of data packet risk caused by delayed updates of the enterprise certificate trust list and those caused by the enterprise's own certificates.
[0128] The foregoing has shown and described the basic principles, main features, and advantages of the present invention. Those skilled in the art should understand that the present invention is not limited to the above embodiments. The embodiments and descriptions in the specification are merely illustrative of the principles of the invention. Various changes and modifications can be made to the invention without departing from its spirit and scope, and all such changes and modifications fall within the scope of the present invention as claimed. The scope of protection of the present invention is defined by the appended claims and their equivalents.
Claims
1. An operational risk assessment method based on a network security situation awareness system, characterized in that it comprises: identifying blind zone data packets in the enterprise's network data transmission on the basis of the data packet decryption results, and obtaining the enterprise certificate trust list used for the initial risk assessment of the blind zone data packets; performing certificate comparison analysis between the enterprise certificate trust list and the certificate trust list issued by the CA authority to determine whether a suspected risk misjudgment of blind zone data packets exists; if it exists, updating the enterprise certificate trust list according to the certificate trust list issued by the CA authority and reassessing the risk of the blind zone data packets; comparing the initial risk assessment results and the risk reassessment results of the blind zone data packets, where consistent results mean that there is no risk misjudgment of the blind zone data packets, and where, if the results are inconsistent, the certificate supplement set and the certificate expiration set are determined from the result of updating the enterprise certificate trust list according to the certificate trust list issued by the CA authority, and the certificate of each blind zone data packet is checked against the certificate supplement set and the certificate expiration set: if the certificate of the blind zone data packet is in the certificate supplement set, a risk misjudgment of the blind zone data packet is indicated; if the certificate of the blind zone data packet is in the certificate expiration set, certificate transparency analysis of the blind zone data packet is performed to determine whether a risk misjudgment of the blind zone data packet exists.
2. The operational risk assessment method based on a network security situation awareness system according to claim 1, characterized in that: the data packet decryption results comprise fully parsed, not fully parsed, and completely unparsable; a packet that cannot be parsed at all is marked as a blind zone data packet; a packet that cannot be fully parsed is marked as a data packet to be analyzed; a fully parsed packet requires no action; a baseline range of meta-feature data is constructed for the data packets to be analyzed, and if the capacity and the transmission time interval of a data packet to be analyzed are not both within their respective baseline ranges of meta-feature data, the capacity deviation value and the transmission time interval deviation value of the data packet to be analyzed are calculated respectively and summed to obtain its meta-feature deviation value; if the meta-feature deviation value is greater than or equal to the meta-feature deviation threshold, the data packet to be analyzed is marked as a blind zone data packet.
3. The method according to claim 2, characterized in that: the capacity deviation value of the data packet to be analyzed is obtained as follows: the absolute difference between the capacity of the data packet to be analyzed and the nearest endpoint of the data packet capacity baseline range is calculated, and its ratio to the data packet capacity baseline range value is taken as the capacity deviation value, where the data packet capacity baseline range value is the difference between the maximum and the minimum of the data packet capacity baseline range; the transmission interval deviation value of the data packet to be analyzed is obtained as follows: the absolute difference between the transmission time interval of the data packet to be analyzed and the nearest endpoint of the data packet transmission baseline range is calculated, and its ratio to the data packet transmission baseline range value is taken as the transmission interval deviation value, where the data packet transmission baseline range value is the difference between the maximum and the minimum of the data packet transmission baseline range.
4. The operational risk assessment method based on a network security situation awareness system according to claim 2, characterized in that: the baseline range of meta-feature data comprises the data packet capacity baseline range and the data packet transmission baseline range, and is constructed as follows: A1, from the enterprise's historical transmission data, obtain the data packet capacity and the transmission time interval of multiple transmissions and aggregate them into a capacity sequence and a transmission time interval sequence; A2, cluster the capacity sequence and the transmission time interval sequence with the K-means algorithm, specifically: A21, determine the number of clusters K by the elbow rule; A22, randomly select K values of the sequence as the initial cluster centers; A23, assign each data packet capacity or transmission time interval to the cluster whose center is nearest; A24, recompute the mean of all data packet capacities or transmission time intervals in each cluster and use it as the new cluster center; A25, repeat A23 and A24 until the cluster centers no longer change or the preset maximum number of iterations is reached; A3, output the clustering result, select the largest cluster, and construct the baseline range of meta-feature data as the mean of the largest cluster ± 2 times the standard deviation of the largest cluster.
5. The operational risk assessment method based on a network security situation awareness system according to claim 1, characterized in that: whether a suspected risk misjudgment of blind zone data packets exists is determined as follows: if every certificate in the enterprise certificate trust list is identical to a certificate in the certificate trust list issued by the CA authority, there is no risk misjudgment of blind zone data packets; if at least one certificate in the enterprise certificate trust list differs from all certificates in the certificate trust list issued by the CA authority, a risk misjudgment of blind zone data packets may exist.
6. The operational risk assessment method based on a network security situation awareness system according to claim 1, characterized in that: the enterprise certificate trust list is updated according to the certificate trust list issued by the CA authority and the risk of blind zone data packets is reassessed as follows: certificates absent from the certificate trust list issued by the CA authority are deleted from the enterprise certificate trust list, and certificates of the CA authority's certificate trust list that are absent from the enterprise certificate trust list are added to it, completing the update of the enterprise certificate trust list; if the certificate of a blind zone data packet is in the updated enterprise certificate trust list, its risk is reassessed as low risk; if the certificate of a blind zone data packet is not in the updated enterprise certificate trust list, its risk is reassessed as high risk.
7. The operational risk assessment method based on a network security situation awareness system according to claim 6, characterized in that: the certificate supplement set and the certificate expiration set are determined as follows: when the enterprise certificate trust list is updated according to the certificate trust list issued by the CA authority, the deleted certificates are aggregated into the certificate expiration set and the added certificates are aggregated into the certificate supplement set.
8. The operational risk assessment method based on a network security situation awareness system according to claim 7, characterized in that: certificate transparency analysis of a blind zone data packet is performed as follows: from the enterprise CT log system, obtain the certificate issuance frequency and the certificate submission intervals of the blind zone data packet within the historical transmission cycle, process them to obtain the certificate issuance value and the certificate submission value, and sum these to output the certificate authentication value; if the certificate authentication value is less than or equal to the certificate authentication threshold, there is no risk misjudgment of the blind zone data packet; if the certificate authentication value is greater than the certificate authentication threshold, a risk misjudgment of the blind zone data packet is indicated.
9. The operational risk assessment method based on a network security situation awareness system according to claim 8, characterized in that: the certificate issuance value is obtained as follows: the certificate issuance frequency of the blind zone data packet within the historical transmission cycle is obtained, the absolute difference between the certificate issuance frequency and the preset issuance frequency is calculated to obtain the issuance frequency difference, and the ratio of the issuance frequency difference to the preset issuance frequency is calculated to obtain the certificate issuance value.
10. The operational risk assessment method based on a network security situation awareness system according to claim 8, characterized in that: the certificate submission value is obtained as follows: the issuance time and the submission time of the certificate of the blind zone data packet within the historical transmission cycle are obtained and their difference is calculated to obtain the signing and submission interval time; if the signing and submission interval time is greater than the MMD, the certificate submission is abnormal; the number of abnormal certificate submissions within the historical transmission cycle is counted and its ratio to the certificate issuance frequency within the historical transmission cycle is calculated to obtain the certificate submission anomaly value; for each abnormal certificate submission, the deviation between its signing and submission interval time and the MMD is calculated to obtain the submission over-limit interval, all submission over-limit intervals are averaged to obtain the average submission over-limit interval, and the ratio of the average submission over-limit interval to the MMD is calculated to obtain the certificate submission over-limit value; the certificate submission anomaly value and the certificate submission over-limit value are summed to output the certificate submission value.
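The blind zone packet identification of claims 2 to 4, carried out in Python as an added worked example. This is the editor's code, not code from the patent or from its assignee. Beyond what the claims state it assumes that the elbow rule (A21) is realised as the knee of the normalised SSE-versus-K curve (the K whose point lies farthest below the chord from K=1 to the largest K tried), that the initial centers (A22) are drawn from distinct values so two centers never coincide and an empty cluster keeps its previous center, and that a feature lying inside its baseline range contributes zero deviation; the historical sequences, the packets, the deviation threshold and the random seed are constructed values.

```python
"""Added worked example (editor's code, not the patent's): claims 2 to 4.

Assumptions beyond the claims: elbow rule = knee of the normalised SSE curve; initial
centers drawn from distinct values, empty clusters keep their center; a feature inside its
baseline range has deviation 0; all sample data and the threshold are constructed.
"""
from __future__ import annotations

import random
import statistics


def kmeans_1d(values: list[float], k: int, rng: random.Random,
              max_iter: int = 100) -> list[list[float]]:
    """Steps A22-A25: Lloyd's iteration on a one-dimensional sequence."""
    centers = rng.sample(sorted(set(values)), k)                 # A22 (distinct values)
    for _ in range(max_iter):
        clusters: list[list[float]] = [[] for _ in range(k)]
        for v in values:                                         # A23: nearest center
            clusters[min(range(k), key=lambda i: abs(v - centers[i]))].append(v)
        new_centers = [statistics.fmean(c) if c else centers[i]  # A24: mean is new center
                       for i, c in enumerate(clusters)]
        if new_centers == centers:                               # A25: centers stable
            break
        centers = new_centers
    return clusters


def sum_squared_error(clusters: list[list[float]]) -> float:
    """Within-cluster sum of squared distances to the cluster mean."""
    total = 0.0
    for c in clusters:
        if c:
            mean = statistics.fmean(c)
            total += sum((v - mean) ** 2 for v in c)
    return total


def elbow_k(values: list[float], k_max: int = 4, seed: int = 7) -> int:
    """A21: elbow rule as the knee of the normalised SSE-versus-K curve (assumption)."""
    rng = random.Random(seed)
    ks = list(range(1, min(k_max, len(set(values))) + 1))
    errors = [sum_squared_error(kmeans_1d(values, k, rng)) for k in ks]
    lo, hi = min(errors), max(errors)
    if hi == lo:
        return ks[0]
    best_k, best_gap = ks[0], float("-inf")
    for i, err in enumerate(errors):
        x = i / (len(ks) - 1)                 # K rescaled to [0, 1]
        y = (err - lo) / (hi - lo)            # SSE rescaled to [0, 1]
        gap = (1.0 - x) - y                   # distance below the chord (0,1)-(1,0)
        if gap > best_gap:
            best_k, best_gap = ks[i], gap
    return best_k


def build_baseline(values: list[float], k_max: int = 4, seed: int = 7) -> tuple[float, float]:
    """A1-A3: (mean - 2*std, mean + 2*std) of the largest cluster."""
    k = elbow_k(values, k_max, seed)
    largest = max(kmeans_1d(values, k, random.Random(seed)), key=len)   # A3
    mean, std = statistics.fmean(largest), statistics.pstdev(largest)
    return mean - 2 * std, mean + 2 * std


def feature_deviation(value: float, baseline: tuple[float, float]) -> float:
    """Claim 3: |value - nearest endpoint| / (max - min of the range); 0 inside the range."""
    lo, hi = baseline
    if lo <= value <= hi:
        return 0.0
    nearest = lo if value < lo else hi
    return abs(value - nearest) / (hi - lo)


def classify_packet(parse_result: str, capacity: float, interval: float,
                    cap_baseline: tuple[float, float], iv_baseline: tuple[float, float],
                    threshold: float) -> str:
    """Claim 2: decryption result first, then the meta-feature deviation for partial parses."""
    if parse_result == "fully_parsed":
        return "normal"                       # no operation
    if parse_result == "unparsable":
        return "blind_zone"
    if parse_result != "partially_parsed":
        raise ValueError(f"unknown decryption result: {parse_result}")
    deviation = feature_deviation(capacity, cap_baseline) + feature_deviation(interval, iv_baseline)
    return "blind_zone" if deviation >= threshold else "to_be_analyzed"


# Constructed historical data: 18 ordinary packets and 3 outliers per feature.
HISTORY_CAPACITY = [1470] * 4 + [1530] * 4 + [1500] * 10 + [60000] * 3   # bytes
HISTORY_INTERVAL = [70] * 4 + [130] * 4 + [100] * 10 + [5000] * 3        # milliseconds
DEVIATION_THRESHOLD = 1.0


def demo() -> list[str]:
    """Classify four constructed packets against the learned baselines."""
    cap_baseline = build_baseline(HISTORY_CAPACITY)   # (1460.0, 1540.0)
    iv_baseline = build_baseline(HISTORY_INTERVAL)    # (60.0, 140.0)
    packets = [("fully_parsed", 1500, 100), ("unparsable", 1500, 100),
               ("partially_parsed", 1700, 100), ("partially_parsed", 1550, 150)]
    return [classify_packet(p, c, i, cap_baseline, iv_baseline, DEVIATION_THRESHOLD)
            for p, c, i in packets]


if __name__ == "__main__":
    print(demo())
```

On the constructed history the elbow lands on K = 2 because the three outliers dominate the K = 1 error; the 18-packet cluster then yields a capacity baseline of 1460 to 1540 bytes and an interval baseline of 60 to 140 ms. The 1700-byte packet deviates by (1700 - 1540) / 80 = 2.0 and is marked blind zone; the 1550-byte, 150 ms packet deviates by 0.125 + 0.125 = 0.25 and stays a packet to be analyzed.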