Network security detection method, device, equipment, medium and program product
By performing vulnerability scanning and security baseline scanning on the target system, generating transaction datasets, filtering out frequent itemsets, determining association rules, and combining Bayesian networks for risk assessment, the problem of inaccurate security detection results in existing technologies is solved, and a comprehensive analysis and accurate assessment of system network security is achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CHINA MOBILE INFORMATION TECHNOLOGY CO LTD
- Filing Date
- 2026-04-30
- Publication Date
- 2026-07-14
Smart Images

Figure CN122394922A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of information security technology, and in particular to a network security detection method, apparatus, equipment, medium and program product. Background Technology
[0002] In today's digital age, cybersecurity has become a significant challenge for businesses and individuals. With increasingly frequent and complex cyberattacks, vulnerability detection and security baseline scanning have become crucial. Vulnerability detection involves regularly checking systems, applications, and network devices for potential vulnerabilities and security weaknesses, and promptly remediating these issues to prevent hackers from exploiting them. Security baseline scanning, on the other hand, assesses whether the security configuration of systems and networks conforms to best practices and standards, establishing a solid foundation for security.
[0003] In related technologies, vulnerability scanning and security baseline scanning can only provide information on specific aspects of a system and cannot comprehensively assess the overall security of the system. System security requires comprehensive consideration of multiple factors such as vulnerabilities, configuration, and access control; separate scanning cannot provide a comprehensive security assessment. Therefore, existing network security detection methods suffer from low accuracy in security detection results. Summary of the Invention
[0004] This application provides a network security detection method, apparatus, device, medium, and program product, which can solve the problem of low accuracy of security detection results in existing network security detection methods.
[0005] In a first aspect, embodiments of this application provide a network security detection method, the method comprising: The target system is subjected to vulnerability scanning and security baseline scanning to obtain vulnerability scanning result datasets and security baseline scanning result datasets. The vulnerability scanning result dataset includes multiple vulnerability scanning result datasets, each corresponding one-to-one with multiple objects in the target system. Each vulnerability scanning result dataset is the scanning result data obtained by performing vulnerability scanning on the corresponding object, and is used to indicate whether the target system has vulnerabilities of at least one vulnerability type. The security baseline scanning result dataset includes multiple security baseline scanning result datasets, each corresponding one-to-one with the multiple objects. Each security baseline scanning result dataset is the result data obtained by performing security baseline scanning on the corresponding object, and includes at least one configuration rule. Based on the vulnerability scan result dataset and the security baseline scan result dataset, a transaction dataset is constructed. The transaction dataset includes multiple transaction data, each of which corresponds one-to-one with the multiple objects. The transaction data is used to indicate the vulnerability scan result data and the security baseline scan result data of the corresponding object. A frequent itemset is selected from the transaction dataset. The frequent itemset includes N frequent items, each of which includes at least one type of vulnerability and at least one configuration rule. The support of the frequent itemset is greater than a preset support threshold. The support of the frequent itemset is the percentage of transaction data including the frequent itemset in the transaction dataset, where N is an integer greater than 1. Based on the preset confidence level and the frequent itemset, an association rule is determined. The association rule includes a first frequent item and a second frequent item. The first frequent item and the second frequent item are two different frequent items in the frequent itemset. The confidence level between the first frequent item and the second frequent item included in the association rule is greater than the preset confidence level. Based on the association rules, security risk detection results for the target system are generated.
[0006] Optionally, filtering frequent itemsets from the transaction dataset includes: Multiple first elements are selected from the transaction dataset. The multiple first elements include all elements in the transaction dataset whose support is greater than the preset support threshold. The support of the first element is the proportion of the number of transaction data including the first element in the transaction dataset. The first element is any kind of vulnerability or configuration rule in the transaction dataset. From the plurality of first elements, at least two first elements are randomly selected to form M candidate options, where M is an integer greater than N; Select N frequent items whose support is greater than the preset support threshold from the M candidate items.
[0007] Optionally, the confidence level between the first frequent item and the second frequent item included in the association rule is the ratio of the first support and the second support, wherein the first support is the proportion of transaction data including the first frequent item in the transaction dataset, and the second support is the proportion of transaction data including the second frequent item in the transaction dataset.
[0008] Optionally, generating the security risk detection result of the target system based on the association rule includes: Based on the association rules, L first nodes and H second nodes are created. The L first nodes correspond one-to-one with the L vulnerabilities in the association rules, and the H second nodes correspond one-to-one with the H configuration rules in the association rules. Based on the historical security risk data of the target system, L first conditional probability tables are created, each corresponding to one of the L first nodes. Each first conditional probability table includes H first conditional probabilities, which correspond one-to-one with the H second nodes. Each first conditional probability includes a first probability and a second probability. The first probability is used to characterize the probability that the vulnerability corresponding to the corresponding first node will be exploited when the configuration rules corresponding to the corresponding second node meet the security standards. The second probability is used to characterize the probability that the vulnerability corresponding to the corresponding first node will be exploited when the configuration rules corresponding to the corresponding second node do not meet the security standards. Based on the historical security risk data, create H second conditional probability tables that correspond one-to-one with the H second nodes. The second conditional probability table includes a third probability and a fourth probability. The third probability is used to characterize the probability that the configuration rule corresponding to the corresponding second node meets the security standard, and the fourth probability is used to characterize the probability that the configuration rule corresponding to the corresponding second node does not meet the security standard. Based on the vulnerability scan result dataset and the security baseline scan result dataset, the L first conditional probability tables and the H second conditional probability tables are updated to obtain the updated L first conditional probability tables and the updated H second conditional probability tables. Based on the updated L first conditional probability tables and the updated H second conditional probability tables, the security risk detection result of the target system is determined.
[0009] Optionally, after generating the security risk detection result of the target system based on the association rule, the method further includes: From the L first nodes and the H second nodes, at least one target node corresponding to a preset attack event is determined, wherein the preset attack event includes at least one vulnerability or at least one configuration rule in the transaction dataset; From the updated L first conditional probability tables and the updated H second conditional probability tables, determine at least one conditional probability table corresponding to the at least one target node; Based on the at least one conditional probability table, calculate the success probability of the preset attack event.
[0010] Optionally, after calculating the attack success probability of the preset attack event based on the at least one conditional probability table, the method further includes: If the success probability of the preset attack event is greater than the preset probability, and the solution library can find the attack time and the corresponding first security decision for the preset attack event, then the first security decision is obtained and executed. If the success probability of the preset attack event is greater than the preset probability, and no attack time or corresponding first security decision can be found in the solution library, a second security decision for the preset attack event is generated, and the preset attack event and the second security decision are stored in the solution library.
[0011] Secondly, embodiments of this application also provide a network security detection device, the device comprising: The scanning module is used to perform vulnerability scanning and security baseline scanning on the target system, obtaining vulnerability scanning result datasets and security baseline scanning result datasets. The vulnerability scanning result dataset includes multiple vulnerability scanning result datasets, each corresponding one-to-one with multiple objects in the target system. The vulnerability scanning result dataset is the scanning result data obtained by performing vulnerability scanning on the corresponding object, and is used to indicate whether the target system has vulnerabilities of at least one vulnerability type. The security baseline scanning result dataset includes multiple security baseline scanning result datasets, each corresponding one-to-one with the multiple objects. The security baseline scanning result data is the result data obtained by performing security baseline scanning on the corresponding object, and includes at least one configuration rule. A construction module is used to construct a transaction dataset based on the vulnerability scan result dataset and the security baseline scan result dataset. The transaction dataset includes multiple transaction data, which correspond one-to-one with the multiple objects. The transaction data is used to indicate the vulnerability scan result data and the security baseline scan result data of the corresponding object. A filtering module is used to filter out frequent itemsets from the transaction dataset. The frequent itemsets include N frequent items, each frequent item including at least one type of vulnerability and at least one configuration rule. The support of the frequent items is greater than a preset support threshold. The support of the frequent items is the percentage of transaction data including the frequent items in the transaction dataset, where N is an integer greater than 1. The determination module is used to determine association rules based on a preset confidence level and the frequent itemset. The association rules include a first frequent item and a second frequent item, wherein the first frequent item and the second frequent item are two different frequent items in the frequent itemset, and the confidence level between the first frequent item and the second frequent item included in the association rule is greater than the preset confidence level. The generation module is used to generate security risk detection results for the target system based on the association rules.
[0012] Thirdly, embodiments of this application also provide an electronic device, including a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the network security detection method as described in the first aspect.
[0013] Fourthly, embodiments of this application also provide a computer-readable storage medium storing a computer program, which, when executed by a processor, implements the steps of the network security detection method as described in the first aspect.
[0014] Fifthly, a computer program product is provided, including computer instructions that, when executed by a processor, implement the steps of the network security detection method as described in the first aspect.
[0015] In this embodiment, vulnerability scan results and security baseline scan results of the target system are mapped one-to-one to generate transaction data. Each object corresponds to one transaction data entry, containing both the object's vulnerability and baseline information. This solves the problem of data fragmentation, integrating two originally independent types of data into a single data structure, providing a unified foundation for subsequent correlation analysis. High-frequency combinations of vulnerabilities and configuration rules are identified from the transaction dataset—combinations where the support of both exceeds a threshold. These combinations indicate that the two events did not occur simultaneously by chance. Based on frequent itemsets, conditional association relationships, i.e., association rules, are filtered out using confidence levels. Analysis of these association rules moves beyond viewing vulnerabilities and configurations in isolation; instead, it reveals causal or co-occurring relationships between them, upgrading security assessment from a single point to a correlational approach. This method enables a more comprehensive analysis of the target system's network security, resulting in more accurate security detection results. Attached Figure Description
[0016] To more clearly illustrate the technical solutions of the embodiments of this application, the drawings used in the description of the embodiments of this application will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0017] Figure 1 This is one of the flowcharts of the network security detection method provided in the embodiments of this application; Figure 2 This is the second flowchart of the network security detection method provided in the embodiments of this application; Figure 3 This is a structural diagram of a network security detection device provided in an embodiment of this application; Figure 4 This is a structural diagram of an electronic device provided in an embodiment of this application. Detailed Implementation
[0018] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0019] This application provides a network security detection method.
[0020] See Figure 1 , Figure 1 This is a flowchart of the network security detection method provided in the embodiments of this application, such as... Figure 2 As shown, the system to which the network security detection method is applied includes: Management platform: Used for users to set up scanning tasks, view scanning results and risk assessment reports, etc.
[0021] Vulnerability scanning module: Responsible for scanning the target system for vulnerabilities, obtaining vulnerability information and storing it in the vulnerability database.
[0022] Baseline Scan Module: Responsible for performing baseline scans on the configuration of the target system, checking whether the configuration items meet the security baseline standards, and storing the results in the baseline database.
[0023] Data association module: Obtains data from vulnerability databases and baseline databases, uses the Apriori algorithm to perform data association analysis, and discovers the association rules between vulnerability scan results and baseline scan results.
[0024] Probabilistic graphical model module: Makes predictions based on the correlation rules between vulnerability scan results and baseline scan results to obtain complete correlation rules; Results Display Module: Presents the scan results and correlation analysis results to the user in an intuitive way.
[0025] Risk assessment module: Based on the scan results and correlation analysis, a comprehensive assessment of the security risks of the target system is conducted, and a risk assessment report is generated.
[0026] like Figure 1 As shown, the method includes the following steps: Step 101: Perform vulnerability scanning and security baseline scanning on the target system to obtain a vulnerability scanning result dataset and a security baseline scanning result dataset. The vulnerability scanning result dataset includes multiple vulnerability scanning result datasets, each corresponding one-to-one with multiple objects in the target system. The vulnerability scanning result dataset is the scanning result data obtained by performing vulnerability scanning on the corresponding object, and is used to indicate whether the target system has vulnerabilities of at least one vulnerability type. The security baseline scanning result dataset includes multiple security baseline scanning result datasets, each corresponding one-to-one with the multiple objects. The security baseline scanning result dataset is the result data obtained by performing security baseline scanning on the corresponding object, and includes at least one configuration rule.
[0027] During scan task initialization, the system generates a corresponding scan task configuration file based on the task information set by the user and stores it in the baseline scan module and the vulnerability scan module. Specifically, users set up scanning tasks through the management platform, which means defining crawler measurements, including selecting crawling targets (such as IP address ranges, specific servers, initial URLs to be crawled, etc.), determining the scan type (vulnerability scan, baseline scan, or a combination of both), configuring crawling parameters (such as scan depth, scan time, etc.), and defining crawling restrictions (such as domain name restrictions, URL format restrictions, etc.).
[0028] The main operation process of the vulnerability scanning module is as follows: Upon receiving a scanning task, the crawler sends HTTP requests to the initial URL set by the user, retrieves the response content, and parses the URL links within it. After obtaining the URLs and their corresponding HTTP requests and responses, the crawler encapsulates them into request-response objects. These encapsulated request-response objects are placed in a crawler queue for further processing; the queue can be managed using a first-in, first-out (FIFO) method. The crawler retrieves request-response objects from the queue, analyzes the URL links within them, and extracts new URLs. It performs deduplication, filtering (URLs that conform to the policy), and validation on the parsed new URLs to ensure that the URLs in the queue meet the pre-defined crawling conditions. It continuously retrieves URLs from the queue for parsing and adds new URLs to the queue until the preset crawling depth or other limits are reached.
[0029] Since the obtained URL data may contain duplicate data and other unrelated data, the acquired URL data can be cleaned, and then vulnerability detection can be performed on the cleaned data. During vulnerability detection, IAST can be used first to test and obtain the file and code location of the vulnerability, thus identifying the initial vulnerability. Then, DAST can be used to attack the initial vulnerability to identify the actual existing vulnerabilities. When attacking with DAST, the corresponding attack parameters can be continuously adjusted to improve the accuracy of the detection results. For example, adjusting the content, length, and type of payloads allows for the attempt of different attack methods, increasing the probability of vulnerability detection. Payload content: such as SQL injection, cross-site scripting (XSS), etc., including special characters, SQL statements, HTML tags, etc. Payload length: includes different length ranges such as short, medium, and long; Payload types include strings, numbers, and special characters. Request methods: such as GET, POST, PUT, DELETE, etc.; Cookie and Header parameters: Add different Cookie and Header parameters to the HTTP request. You can try modifying the value of the Cookie, adding new Header parameters, etc. Adjust parameters in the HTTP request headers, such as User-Agent, Referer, Cookie, etc. Adjust the depth of the attack, including recursion depth and parameter depth; Adjust the attack speed, including the number of concurrent attacks and latency; Adjusting the attack speed appropriately based on the target system's performance and response can reduce the impact on the target system and improve detection effectiveness.
[0030] After identifying the actual vulnerability, save the data to obtain the vulnerability scan results.
[0031] The main operation procedure of the baseline scanning module is as follows: The system receives security alarm events uploaded by the sensing system, analyzes each security alarm event, determines the event type of the security alarm event, removes security alarm events with the same content, and merges security alarm events of the same type. When merging, a preset classification table can be set to extract key information from each security alarm time and determine the corresponding main category from the classification table based on the key information. For example: Security alert event 1: IP address: 192.168.1.1; Timestamp: 2022-01-15 10:30:00; Description: Abnormal network traffic was detected from IP address 192.168.1.1; Security alert event 2: IP address: 192.168.1.1; Timestamp: 2022-01-15 10:35:00; Description: IP address 192.168.1.1 initiated a large number of TCP connection requests; After analysis, it was found that the two security alerts involved the same IP address and described abnormal network traffic and a large number of TCP connection requests. Based on this key information, the two events can be categorized into the "Network Scan" main category using a pre-defined classification table, and then merged into a single network scan event.
[0032] Step 102: Based on the vulnerability scan result dataset and the security baseline scan result dataset, construct a transaction dataset. The transaction dataset includes multiple transaction data, which correspond one-to-one with the multiple objects. The transaction data is used to indicate the vulnerability scan result data and the security baseline scan result data of the corresponding object.
[0033] In this step, from the vulnerability scan result dataset obtained by scanning the target system and the security baseline scan result dataset, targeting specific objects, the vulnerability scan result data and security baseline scan result data corresponding to each object are summarized to form a transaction dataset. The transaction data for each object in the target system is summarized to obtain a transaction dataset. The transaction dataset can take the following form: Transaction data 1: {A, B, C}, Transaction data 2: {A, B}, Transaction data 3: {A, C}, where A, B, and C represent a vulnerability or a configuration rule.
[0034] Step 103: Select a frequent itemset from the transaction dataset. The frequent itemset includes N frequent items. The frequent itemset includes at least one type of vulnerability and at least one configuration rule. The support of the frequent itemset is greater than a preset support threshold. The support of the frequent itemset is the proportion of transaction data including the frequent itemset in the transaction dataset. N is an integer greater than 1.
[0035] In this step, frequent items refer to "high-frequency combinations of elements" in the transaction dataset. For example, in the example above, A and B appear twice, A and C appear twice, and A, B, and C appear once, with support of 66%, 66%, and 33% respectively. If the support threshold is 50%, then A, B, and A, C are frequent items.
[0036] Frequent items can filter out "valuable element combinations", laying the foundation for generating association rules in the future.
[0037] Step 104: Based on the preset confidence level and the frequent itemset, determine the association rule. The association rule includes a first frequent item and a second frequent item. The first frequent item and the second frequent item are two different frequent items in the frequent itemset. The confidence level between the first frequent item and the second frequent item included in the association rule is greater than the preset confidence level.
[0038] After obtaining frequent itemsets, pairwise combinations of these frequent itemsets yield multiple combinations. Calculating the confidence level between the first and second most frequent itemsets in each combination determines the association rules. Association rules are the "implied relationships between elements" mined from frequent itemsets. In other words, they transform the situation where "vulnerability scanning and baseline scanning were originally two independent processes with unrelated data" into "mining out the causal / co-occurrence relationship between the two through association rules, such as non-compliance of configuration X and vulnerability A, proving that "baseline configuration defects will lead to the occurrence of vulnerabilities," thus achieving "integrated scanning data."
[0039] Step 105: Based on the association rules, generate the security risk detection results of the target system.
[0040] The association rules are analyzed to obtain the security risk detection results of the target system.
[0041] In the network security detection method provided in this application, vulnerability scan results and security baseline scan results of the target system are mapped one-to-one to generate transaction data. Each object corresponds to one transaction data entry, which includes both the object's vulnerability and baseline information. This solves the problem of data fragmentation, integrating two originally independent types of data into a single data structure, providing a unified foundation for subsequent correlation analysis. High-frequency combinations of vulnerabilities and configuration rules are identified from the transaction dataset; these combinations, where the support of both exceeds a threshold, indicate that their simultaneous occurrence is not accidental. Based on frequent itemsets, conditional correlation relationships, i.e., correlation rules, are filtered out using confidence levels. Analysis of these correlation rules moves beyond viewing vulnerabilities and configurations in isolation; instead, it reveals causal or accompanying relationships between them, upgrading security assessment from a single point to a correlational approach. This method enables a more comprehensive analysis of the target system's network security, resulting in more accurate security detection results.
[0042] Optionally, filtering frequent itemsets from the transaction dataset includes: Multiple first elements are selected from the transaction dataset. The multiple first elements include all elements in the transaction dataset whose support is greater than the preset support threshold. The support of the first element is the proportion of the number of transaction data including the first element in the transaction dataset. The first element is any kind of vulnerability or configuration rule in the transaction dataset. From the plurality of first elements, at least two first elements are randomly selected to form M candidate options, where M is an integer greater than N; Select N frequent items whose support is greater than the preset support threshold from the M candidate items.
[0043] In this embodiment, the entire transaction dataset is first scanned, and the support (i.e., the frequency of the item's occurrence in the dataset) of each item (each element) is calculated. For example, if the vulnerability CVE-2021-1234 is found to occur in 30 out of 100 transactions, its support is 30%. Based on a preset minimum support threshold (e.g., min_support = 5%), frequent 1-itemsets are generated. For example, all individual vulnerabilities or baseline configuration items with a support greater than or equal to 5% constitute a frequent 1-itemet (i.e., the first element).
[0044] Based on frequent (k-1)-itemsets, candidate k-itemsets are generated through join operations. During the generation of candidate k-itemsets, a pruning strategy is employed to remove candidate sets that are unlikely to become frequent itemsets. If a (k-1)-subset of a candidate k-itemset is not in a frequent (k-1)-itemset, the candidate k-itemset can be pruned, thereby reducing computational cost. Specifically, when generating candidate k-itemsets, firstly, all possible candidate k-itemsets are generated by pairwise concatenation of frequent (k-1)-itemsets. For example, given transaction data 1: {A, B, C}, transaction data 2: {A, B}, and transaction data 3: {A, C}, with a minimum support threshold set to 50%, the frequent 1-itemsets generated are {A}, {B}, and {C}. This is because A appears in all three transactions (100%), B appears in two transactions (66.7%), and C appears in two transactions (66.7%). By pairwise concatenation of these itemsets, candidate 2-itemsets {A, B}, {A, C}, and {B, C} are generated. Next, the generated candidate k-itemsets are pruned, which involves checking whether all (k-1) subsets of each candidate k-itemset are frequent. Specifically, this can be done by determining the support of each (k-1) subset of the generated candidate k-itemsets in each transaction. For example, {A, B} appears in two transactions (transaction data 1 and transaction data 2) with a support of 66.7%, {A, C} appears only in transaction data 3 with a support of 33.3%, and {B, C} appears only in transaction data 1 with a support of 33.3%. Obviously, {A, C} and {B, C} are less than 50% and are therefore considered infrequent, while {A, B} is considered frequent.
[0045] If a candidate k-itemset has an infrequent subset, it is removed from the candidate set. If a candidate k-itemset has a subset that is infrequent, the candidate set is pruned and no longer considered. In this way, the final remaining candidate k-itemsets are the candidate k-itemsets (i.e., {A, B} in the example above).
[0046] Calculate the support of each subset in the candidate K-itemset (as explained in the example above), filter out itemsets in the candidate itemset whose support is lower than min_support, and obtain frequent 2-itemsets; repeat the above steps to generate frequent 3-itemsets, frequent 4-itemsets, until no new frequent itemsets can be generated; For each frequent itemset, generate all possible subsets of it and calculate the confidence of these rules, confidence(X). >Y)=support(X∪Y) / support(X). Based on the minimum confidence threshold (min_confidence), filter out the association rules that meet the conditions, and output the frequent itemsets and association rules: Suppose there are three data transactions: Transaction data 1: {A, B, C, D}; Transaction data 2: {A, C}; Transaction data 3: {B, D, E}; First, calculate the support of each item. For example, if item A appears twice in transaction data 1 and transaction data 2, the support is approximately 2 / 3 ≈ 67%. Similarly, calculate the support of other items, and then filter out the frequent 1-itemsets based on the support threshold (e.g., 50%).
[0047] Next, candidate 2-itemsets are generated by pairwise combinations of frequent 1-itemsets, such as {A, B}, {A, C}, etc. The support of the candidate 2-itemsets is then calculated, and a support threshold is used for filtering to obtain frequent 2-itemsets.
[0048] In this embodiment, a single high-frequency element (the first element) is first selected, and then these elements are combined to form a candidate set, instead of directly combining all elements. This can eliminate low-frequency elements with insufficient support in advance, significantly reducing the number of subsequent candidate sets, reducing computational load, and improving algorithm efficiency.
[0049] Optionally, the confidence level between the first frequent item and the second frequent item included in the association rule is the ratio of the first support and the second support, wherein the first support is the proportion of transaction data including the first frequent item in the transaction dataset, and the second support is the proportion of transaction data including the second frequent item in the transaction dataset.
[0050] In this embodiment, after determining the frequent itemsets, the association rules are then determined. For example, for a frequent 2-itemset {A,C}, two rules can be generated: {A}→{C} and {C}→{A}. Then, the confidence level is calculated for each rule, using the formula confidence(X→Y)=support(X∪Y) / support(X). If the confidence level is greater than or equal to the minimum confidence threshold (e.g., 80%), the rule is retained.
[0051] Specifically, the process of generating association rules is as follows: For a frequent itemset, items in the frequent itemset can be paired to obtain multiple rules in the form of "X→Y", where X and Y are non-intersecting subsets of the itemset. Rules are generated by forming different antecedents and consequents. For example, for a frequent 2-itemset {A, C}, two rules can be generated: {A}→{C} and {C}→{A}. For larger frequent itemsets, such as {A, B, C}, more rules can be generated, such as {A}→{B, C}, {B}→{A, C}, etc. The confidence level is then obtained by calculating support(X∪Y) / support(X). Only rules with confidence levels meeting a certain threshold are retained as association rules.
[0052] In this embodiment, the confidence level is calculated using the formula "number of transactions containing two frequent items ÷ number of transactions containing only the first frequent item," directly quantifying the probability that "when the first frequent item appears, the second frequent item also appears." This calculation method transforms association rules from "qualitative associations" into "quantitative probabilities," more accurately reflecting the credibility of the rules and providing clear numerical basis for subsequent risk assessment.
[0053] Optionally, generating the security risk detection result of the target system based on the association rule includes: Based on the association rules, L first nodes and H second nodes are created. The L first nodes correspond one-to-one with the L vulnerabilities in the association rules, and the H second nodes correspond one-to-one with the H configuration rules in the association rules. Based on the historical security risk data of the target system, L first conditional probability tables are created, each corresponding to one of the L first nodes. Each first conditional probability table includes H first conditional probabilities, which correspond one-to-one with the H second nodes. Each first conditional probability includes a first probability and a second probability. The first probability is used to characterize the probability that the vulnerability corresponding to the corresponding first node will be exploited when the configuration rules corresponding to the corresponding second node meet the security standards. The second probability is used to characterize the probability that the vulnerability corresponding to the corresponding first node will be exploited when the configuration rules corresponding to the corresponding second node do not meet the security standards. Based on the historical security risk data, create H second conditional probability tables that correspond one-to-one with the H second nodes. The second conditional probability table includes a third probability and a fourth probability. The third probability is used to characterize the probability that the configuration rule corresponding to the corresponding second node meets the security standard, and the fourth probability is used to characterize the probability that the configuration rule corresponding to the corresponding second node does not meet the security standard. Based on the vulnerability scan result dataset and the security baseline scan result dataset, the L first conditional probability tables and the H second conditional probability tables are updated to obtain the updated L first conditional probability tables and the updated H second conditional probability tables. Based on the updated L first conditional probability tables and the updated H second conditional probability tables, the security risk detection result of the target system is determined.
[0054] In this embodiment, after discovering the association rules, a Bayesian network structure can be constructed first. The nodes and edges in the Bayesian network are defined as follows: L first nodes corresponding one-to-one with the L vulnerabilities in the association rules, and H second nodes corresponding one-to-one with the H configuration rules in the association rules. For example, if a strong association is found between vulnerability A and baseline configuration item X (i.e., they belong to two items in the association rules), a node representing vulnerability A and a node representing configuration item X are created in the Bayesian network, pointing from the configuration item X node to the vulnerability A node, indicating that the state of configuration item X may affect the probability of vulnerability A being exploited. Furthermore, the network structure can be improved by referring to the knowledge of security experts and historical security risk data.
[0055] Next, using historical configuration audit data or system configuration statistics, a conditional probability table is determined for each node. For example, for the vulnerability A node, one of the first conditional probabilities includes: if configuration item X meets security standards, the probability of vulnerability A being exploited is P(A=exploited|X=compliant) = 0.1; if configuration item X does not meet security standards, the probability of vulnerability A being exploited is P(A=exploited|X=non-compliant) = 0.7. For the baseline configuration item node, the second conditional probability table also needs to determine its probabilities under different states. For example, the probability that configuration item X meets security standards is P(X=compliant) = 0.8, and the probability that it does not meet security standards is P(X=non-compliant) = 0.2.
[0056] After determining the L first conditional probability tables and H second conditional probability tables, the actual detected vulnerabilities and configuration item states are input into the Bayesian network as evidence. For example, if vulnerability A is detected in a scan and configuration item X does not meet security standards, this information is input as evidence. The probability of each node in the network is updated using the Bayesian network's inference mechanism. For example, based on the above evidence, the overall risk probability of the system being attacked is recalculated. Assuming that the probability of the system being attacked is P(attack) = 0.3 in the absence of evidence, after inputting the above evidence, the probability is updated according to the Bayesian network's inference formula: P(Attack | A = Exists, X = Does Not Meet) = [P(A = Exists, X = Does Not Meet | Attack) × P(Attack)] / P(A = Exists, X = Does Not Meet); Wherein, P(A=existence, X=non-compliance|attack) is the probability that vulnerability A exists and configuration item X does not comply when an attack occurs, which can be calculated using the conditional probability table and network structure in a Bayesian network; P(A=existence, X=non-compliance) is the marginal probability that vulnerability A exists and configuration item X does not comply, which can also be calculated using the network structure and probability table.
[0057] By using the above method, the L first conditional probability tables and H second conditional probability tables are updated to obtain the updated L first conditional probability tables and the updated H second conditional probability tables.
[0058] By using the updated L first conditional probability tables and the updated H second conditional probability tables, system security risks under different combinations of vulnerabilities and configuration item states can be predicted. For example, the probability of the system being attacked in the future if vulnerability A and vulnerability B coexist and configuration item X does not meet the standard can be predicted.
[0059] In this embodiment, a Bayesian network of nodes is constructed based on association rules, and a conditional probability table is generated by combining historical security data. This transforms the "association between vulnerabilities and configurations" into calculable probability values (such as the probability of a vulnerability being exploited when the configuration is non-compliant), upgrading security risk from "qualitative description" to "quantitative calculation." This more accurately reflects the actual risk level of the system and avoids vague risk assessments. The conditional probability table is dynamically updated based on real-time vulnerability / baseline scan results. When the system's configuration status or vulnerability situation changes, the model's probability data is updated synchronously, ensuring that the risk assessment results are always consistent with the current system state.
[0060] Optionally, after generating the security risk detection result of the target system based on the association rule, the method further includes: From the L first nodes and the H second nodes, at least one target node corresponding to a preset attack event is determined, wherein the preset attack event includes at least one vulnerability or at least one configuration rule in the transaction dataset; From the updated L first conditional probability tables and the updated H second conditional probability tables, determine at least one conditional probability table corresponding to the at least one target node; Based on the at least one conditional probability table, calculate the success probability of the preset attack event.
[0061] In this embodiment, an attack tree is constructed based on high-risk vulnerabilities and baseline configuration issues obtained through Bayesian network inference. The main attack targets of the system (such as sensitive data leakage or complete system control) are designated as the root node, and various means to achieve these targets (such as exploiting specific vulnerabilities or disrupting baseline configuration items) are designated as child nodes. The branching structure in the attack tree is determined based on the relationship between vulnerabilities and baseline configuration items. For example, if vulnerabilities A and B coexist and baseline configuration item X does not meet the standard, an attack path may be formed, achieving the attack target of sensitive data leakage. The attack tree can be displayed graphically, with each node representing an attack step or condition, and leaf nodes representing the final attack method.
[0062] Based on the probability values of each node in the Bayesian network and the structure of the attack tree, the success probability of each attack path in the attack tree is calculated. For example, for attack path 1 (exploiting vulnerability A), its success probability is the probability that vulnerability A is exploited in the Bayesian network, P(A = exploited) = 0.6. For attack path 2 (exploiting vulnerability B and baseline configuration item X does not meet the standard), its success probability is P(B = exploited) × P(X = does not meet the standard) = 0.4 × 0.2 = 0.08. The dependencies between attack paths can also be considered; for example, the success of some attack paths requires prerequisites for other paths. For example, the success of attack path 3 (exploiting vulnerability C) requires that attack path 1 (exploiting vulnerability A) has already succeeded, so the success probability of attack path 3 is P(A = exploited) × P(C = exploited | A = exploited) = 0.6 × 0.3 = 0.18. In this way, the success probability of each attack path can be calculated more accurately, and the risk level of different attack paths can be assessed.
[0063] Regarding the method of combining probability values and dependencies, and using the structure of the attack tree to determine the success probability: First, determine the event represented by each node in the network and its probability of occurrence. For example, the probability of vulnerability A being exploited is 0.6, and the probability of baseline configuration item X not conforming to the standard is 0.2. Analyze the dependencies between different attack paths. For example, the success of path 3 (exploiting vulnerability C) depends on the success of path 1 (exploiting vulnerability A). For attack paths without dependencies, directly use the probability of the corresponding node as its success probability. For example, the success probability of path 1 is 0.6, and the success probability of path 2 (exploiting vulnerability B and baseline configuration item X not conforming to the standard) is 0.4 × 0.2 = 0.08. For attack paths with dependencies, use conditional probability to calculate. For example, the success probability of path 3 is the success probability of path 1 multiplied by the conditional probability of path 3 succeeding given the success of path 1, i.e., 0.6 × 0.3 = 0.18.
[0064] Preconditions refer to the conditions that an attack step must be completed before another attack step, or the success of one attack step depends on the result of another attack step. There are two types: explicit preconditions and implicit preconditions. Explicit preconditions are conditions that the attack must complete sequentially, while implicit preconditions are conditions that must be met ideally, but may be bypassed in practice. Preconditions can be obtained through attack tree extraction.
[0065] Analyze the success probability of each attack path in the attack tree to identify critical attack points. For example, vulnerabilities and configuration items involved in attack paths with a success probability above a certain threshold (e.g., 0.5) are considered critical attack points. These critical points are weak links in system security and require priority protection measures. A comprehensive assessment of critical attack points is conducted, considering both the impact of the attack path (e.g., the damage caused, the scope of impact) and the cost (e.g., the technical difficulty of the attack, the resource consumption). For example, some attack paths may have a high success probability but cause less damage or have a high cost, thus their actual threat may be relatively low. By comprehensively considering these factors, the most critical attack points requiring attention and intervention are determined.
[0066] Optionally, the success probability of a preset attack event (such as the success rate of an attack "Exploiting vulnerability A + non-compliant configuration X") can be directly calculated using the conditional probability table of a Bayesian network.
[0067] This upgrades security risks from "qualitative risk descriptions" to "quantitative probability values," allowing for a more precise assessment of the threat level of different attack paths. Based on the numerical value of the attack success probability, high-risk attack paths (such as paths with a success rate ≥ 50%) can be quickly identified and marked as critical attack points.
[0068] Security personnel can prioritize hardening these high-probability paths (such as fixing configuration X and blocking vulnerability A) to avoid generalized protection and improve the utilization efficiency of protection resources.
[0069] In an optional embodiment, an association table is formed based on the obtained predicted system security risk probabilities under different combinations of vulnerability and configuration item states and the corresponding key attack points. At the same time, a confidence level is generated for each security baseline corresponding to a vulnerability or for each vulnerability corresponding to a security baseline. During subsequent detection, if a security baseline violation is detected, the vulnerability with the highest confidence level is directly determined based on the association table. If a vulnerability is determined, the corresponding security baseline violation with the highest confidence level is directly determined, and the association table is updated in real time based on the confidence level.
[0070] Optionally, after calculating the attack success probability of the preset attack event based on the at least one conditional probability table, the method further includes: If the success probability of the preset attack event is greater than the preset probability, and the solution library can find the attack time and the corresponding first security decision for the preset attack event, then the first security decision is obtained and executed. If the success probability of the preset attack event is greater than the preset probability, and no attack time or corresponding first security decision can be found in the solution library, a second security decision for the preset attack event is generated, and the preset attack event and the second security decision are stored in the solution library.
[0071] This embodiment is executed by the risk assessment module, and the main operation process is as follows: Establish a vulnerability solution database containing solutions and remediation suggestions for known vulnerabilities. Based on the type and severity of the vulnerability, provide corresponding solutions for each vulnerability. By matching vulnerability analysis results with the vulnerability solution database, automatically generate vulnerability solutions. Finally, based on the generated vulnerability solutions, promptly fix the vulnerabilities existing in the system. Furthermore, the results of security baseline scans can be used as guidance to identify key configuration items and security baseline requirements in the system. Determining the system's security configuration scope based on these results helps clarify the goals and scope of vulnerability scanning. Based on the configuration issues and security risks discovered in the security baseline scans, vulnerability scanning strategies can be optimized. Scanning parameters, frequency, or depth can be adjusted to better uncover potential vulnerabilities in the system. Appropriate patching strategies can be developed based on the configuration issues and vulnerabilities identified in the security baseline scans.
[0072] It should also be noted that the main operation process of the results display module is as follows: The results display module presents vulnerability scan results, baseline scan results, and correlation analysis results to users in an intuitive way. This includes, but is not limited to, list displays, chart analysis, and correlation graphs, enabling users to clearly understand the system's security status and risk distribution.
[0073] In this application's method, a web crawler automatically acquires and parses URL links to perform vulnerability scanning on the system, automatically discovering vulnerabilities and improving the efficiency and accuracy of vulnerability detection. Receiving and parsing security alert events, and generating security baseline scan results based on rules and weights, enables real-time monitoring and assessment of the system's security status, allowing for timely detection and response to security threats. Through frequent itemset and association rule mining algorithms, the correlation between vulnerability scan results and security baseline scan results is discovered, enabling in-depth analysis of the relationship between system vulnerabilities and the security baseline, contributing to a comprehensive improvement in system security. A vulnerability solution database is established, providing corresponding solutions for each vulnerability and automatically generating vulnerability solutions, enabling rapid and effective responses to vulnerabilities in the system, improving system security and stability. Data association analysis is performed using algorithms, and based on this, probabilistic graphical models (Bayesian networks and attack trees) are introduced. This not only uncovers the association rules between vulnerability scan results and baseline scan results but also quantitatively analyzes and predicts system security risks, providing strong support for security decision-making.
[0074] See Figure 3 , Figure 3 This is a structural diagram of a network security detection device provided in an embodiment of this application. Figure 3 As shown, the device 300 includes: The scanning module 301 is used to perform vulnerability scanning and security baseline scanning on the target system to obtain a vulnerability scanning result dataset and a security baseline scanning result dataset. The vulnerability scanning result dataset includes multiple vulnerability scanning result datasets, which correspond one-to-one with multiple objects in the target system. The vulnerability scanning result datasets are the scanning result data obtained by performing vulnerability scanning on the corresponding objects. The vulnerability scanning result datasets are used to indicate whether the target system has vulnerabilities of at least one vulnerability type. The security baseline scanning result dataset includes multiple security baseline scanning result datasets, which correspond one-to-one with the multiple objects. The security baseline scanning result datasets are the result data obtained by performing security baseline scanning on the corresponding objects. The security baseline scanning result datasets include at least one configuration rule. The construction module 302 is used to construct a transaction dataset based on the vulnerability scan result dataset and the security baseline scan result dataset. The transaction dataset includes multiple transaction data, which correspond one-to-one with the multiple objects. The transaction data is used to indicate the vulnerability scan result data and the security baseline scan result data of the corresponding object. The filtering module 303 is used to filter out frequent itemsets in the transaction dataset. The frequent itemsets include N frequent items, and the frequent itemsets include at least one type of vulnerability and at least one configuration rule. The support of the frequent itemsets is greater than a preset support threshold. The support of the frequent itemsets is the proportion of transaction data including the frequent itemsets in the transaction dataset, where N is an integer greater than 1. The determination module 304 is used to determine an association rule based on a preset confidence level and the frequent itemset. The association rule includes a first frequent item and a second frequent item. The first frequent item and the second frequent item are two different frequent items in the frequent itemset. The confidence level between the first frequent item and the second frequent item included in the association rule is greater than the preset confidence level. The generation module 305 is used to generate the security risk detection results of the target system based on the association rules.
[0075] Optionally, the filtering module 303 is also used for: Multiple first elements are selected from the transaction dataset. The multiple first elements include all elements in the transaction dataset whose support is greater than the preset support threshold. The support of the first element is the proportion of the number of transaction data including the first element in the transaction dataset. The first element is any kind of vulnerability or configuration rule in the transaction dataset. From the plurality of first elements, at least two first elements are randomly selected to form M candidate options, where M is an integer greater than N; Select N frequent items whose support is greater than the preset support threshold from the M candidate items.
[0076] Optionally, the confidence level between the first frequent item and the second frequent item included in the association rule is the ratio of the first support and the second support, wherein the first support is the proportion of transaction data including the first frequent item in the transaction dataset, and the second support is the proportion of transaction data including the second frequent item in the transaction dataset.
[0077] Optionally, the generation module 305 is also used for: Based on the association rules, L first nodes and H second nodes are created. The L first nodes correspond one-to-one with the L vulnerabilities in the association rules, and the H second nodes correspond one-to-one with the H configuration rules in the association rules. Based on the historical security risk data of the target system, L first conditional probability tables are created, each corresponding to one of the L first nodes. Each first conditional probability table includes H first conditional probabilities, which correspond one-to-one with the H second nodes. Each first conditional probability includes a first probability and a second probability. The first probability is used to characterize the probability that the vulnerability corresponding to the corresponding first node will be exploited when the configuration rules corresponding to the corresponding second node meet the security standards. The second probability is used to characterize the probability that the vulnerability corresponding to the corresponding first node will be exploited when the configuration rules corresponding to the corresponding second node do not meet the security standards. Based on the historical security risk data, create H second conditional probability tables that correspond one-to-one with the H second nodes. The second conditional probability table includes a third probability and a fourth probability. The third probability is used to characterize the probability that the configuration rule corresponding to the corresponding second node meets the security standard, and the fourth probability is used to characterize the probability that the configuration rule corresponding to the corresponding second node does not meet the security standard. Based on the vulnerability scan result dataset and the security baseline scan result dataset, the L first conditional probability tables and the H second conditional probability tables are updated to obtain the updated L first conditional probability tables and the updated H second conditional probability tables. Based on the updated L first conditional probability tables and the updated H second conditional probability tables, the security risk detection result of the target system is determined.
[0078] Optionally, the device 300 is also used for: From the L first nodes and the H second nodes, at least one target node corresponding to a preset attack event is determined, wherein the preset attack event includes at least one vulnerability or at least one configuration rule in the transaction dataset; From the updated L first conditional probability tables and the updated H second conditional probability tables, determine at least one conditional probability table corresponding to the at least one target node; Based on the at least one conditional probability table, calculate the success probability of the preset attack event.
[0079] Optionally, the device 300 is also used for: If the success probability of the preset attack event is greater than the preset probability, and the solution library can find the attack time and the corresponding first security decision for the preset attack event, then the first security decision is obtained and executed. If the success probability of the preset attack event is greater than the preset probability, and no attack time or corresponding first security decision can be found in the solution library, a second security decision for the preset attack event is generated, and the preset attack event and the second security decision are stored in the solution library.
[0080] The network security detection device in this application embodiment can perform... Figure 1 The entire process of the network security detection method shown is identical to the one that achieves the same beneficial effects, and will not be repeated here to avoid duplication.
[0081] This application also provides an electronic device. Since the principle by which the electronic device solves the problem is similar to the network security detection method in this application, the implementation of this electronic device can refer to the implementation of the above-described network security detection method; repeated details will not be elaborated further. Figure 4 As shown, the electronic device according to an embodiment of this application includes: a processor 400, configured to read a program from a memory 420 and execute the following processes: The target system is subjected to vulnerability scanning and security baseline scanning to obtain vulnerability scanning result datasets and security baseline scanning result datasets. The vulnerability scanning result dataset includes multiple vulnerability scanning result datasets, each corresponding one-to-one with multiple objects in the target system. Each vulnerability scanning result dataset is the scanning result data obtained by performing vulnerability scanning on the corresponding object, and is used to indicate whether the target system has vulnerabilities of at least one vulnerability type. The security baseline scanning result dataset includes multiple security baseline scanning result datasets, each corresponding one-to-one with the multiple objects. Each security baseline scanning result dataset is the result data obtained by performing security baseline scanning on the corresponding object, and includes at least one configuration rule. Based on the vulnerability scan result dataset and the security baseline scan result dataset, a transaction dataset is constructed. The transaction dataset includes multiple transaction data, each of which corresponds one-to-one with the multiple objects. The transaction data is used to indicate the vulnerability scan result data and the security baseline scan result data of the corresponding object. A frequent itemset is selected from the transaction dataset. The frequent itemset includes N frequent items, each of which includes at least one type of vulnerability and at least one configuration rule. The support of the frequent itemset is greater than a preset support threshold. The support of the frequent itemset is the percentage of transaction data including the frequent itemset in the transaction dataset, where N is an integer greater than 1. Based on the preset confidence level and the frequent itemset, an association rule is determined. The association rule includes a first frequent item and a second frequent item. The first frequent item and the second frequent item are two different frequent items in the frequent itemset. The confidence level between the first frequent item and the second frequent item included in the association rule is greater than the preset confidence level. Based on the association rules, security risk detection results for the target system are generated.
[0082] Among them, Figure 4 In this context, the bus architecture can include any number of interconnected buses and bridges, specifically linking various circuits together, represented by one or more processors (processor 400) and memory (memory 420). The bus architecture can also link various other circuits such as peripheral devices, voltage regulators, and power management circuits, which are well known in the art and therefore will not be described further herein. A bus interface provides the interface. Processor 400 is responsible for managing the bus architecture and general processing, and memory 420 can store data used by processor 400 during operation.
[0083] Optionally, the processor 400 is configured to read the program from the memory 420 and execute the following processes: Multiple first elements are selected from the transaction dataset. The multiple first elements include all elements in the transaction dataset whose support is greater than the preset support threshold. The support of the first element is the proportion of the number of transaction data including the first element in the transaction dataset. The first element is any kind of vulnerability or configuration rule in the transaction dataset. From the plurality of first elements, at least two first elements are randomly selected to form M candidate options, where M is an integer greater than N; Select N frequent items whose support is greater than the preset support threshold from the M candidate items.
[0084] Optionally, the confidence level between the first frequent item and the second frequent item included in the association rule is the ratio of the first support and the second support, wherein the first support is the proportion of transaction data including the first frequent item in the transaction dataset, and the second support is the proportion of transaction data including the second frequent item in the transaction dataset.
[0085] Optionally, the processor 400 is configured to read the program from the memory 420 and execute the following processes: Based on the association rules, L first nodes and H second nodes are created. The L first nodes correspond one-to-one with the L vulnerabilities in the association rules, and the H second nodes correspond one-to-one with the H configuration rules in the association rules. Based on the historical security risk data of the target system, L first conditional probability tables are created, each corresponding to one of the L first nodes. Each first conditional probability table includes H first conditional probabilities, which correspond one-to-one with the H second nodes. Each first conditional probability includes a first probability and a second probability. The first probability is used to characterize the probability that the vulnerability corresponding to the corresponding first node will be exploited when the configuration rules corresponding to the corresponding second node meet the security standards. The second probability is used to characterize the probability that the vulnerability corresponding to the corresponding first node will be exploited when the configuration rules corresponding to the corresponding second node do not meet the security standards. Based on the historical security risk data, create H second conditional probability tables that correspond one-to-one with the H second nodes. The second conditional probability table includes a third probability and a fourth probability. The third probability is used to characterize the probability that the configuration rule corresponding to the corresponding second node meets the security standard, and the fourth probability is used to characterize the probability that the configuration rule corresponding to the corresponding second node does not meet the security standard. Based on the vulnerability scan result dataset and the security baseline scan result dataset, the L first conditional probability tables and the H second conditional probability tables are updated to obtain the updated L first conditional probability tables and the updated H second conditional probability tables. Based on the updated L first conditional probability tables and the updated H second conditional probability tables, the security risk detection result of the target system is determined.
[0086] Optionally, the processor 400 is configured to read the program from the memory 420 and execute the following processes: From the L first nodes and the H second nodes, at least one target node corresponding to a preset attack event is determined, wherein the preset attack event includes at least one vulnerability or at least one configuration rule in the transaction dataset; From the updated L first conditional probability tables and the updated H second conditional probability tables, determine at least one conditional probability table corresponding to the at least one target node; Based on the at least one conditional probability table, calculate the success probability of the preset attack event.
[0087] Optionally, the processor 400 is configured to read the program from the memory 420 and execute the following processes: If the success probability of the preset attack event is greater than the preset probability, and the solution library can find the attack time and the corresponding first security decision for the preset attack event, then the first security decision is obtained and executed. If the success probability of the preset attack event is greater than the preset probability, and no attack time or corresponding first security decision can be found in the solution library, a second security decision for the preset attack event is generated, and the preset attack event and the second security decision are stored in the solution library.
[0088] This application also provides a computer-readable storage medium storing a computer program. When executed by a processor, this computer program implements the various processes of the above-described network security detection method embodiments and achieves the same technical effects. To avoid repetition, it will not be described again here. The computer-readable storage medium may be a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, etc.
[0089] This application also provides a computer program product, including computer instructions, which, when executed by a processor, implement the above-described... Figure 1 The various processes of the network security detection method embodiment shown are all capable of achieving the same technical effect, and will not be described again here to avoid repetition.
[0090] It should be noted that, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element.
[0091] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium (such as ROM / RAM, magnetic disk, optical disk) and includes several instructions to cause a terminal (which may be a mobile phone, computer, server, air conditioner, or network device, etc.) to execute the methods described in the various embodiments of this application.
[0092] The embodiments of this application have been described above with reference to the accompanying drawings. However, this application is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative and not restrictive. Those skilled in the art can make many other forms under the guidance of this application without departing from the spirit and scope of the claims, and all of these forms are within the protection scope of this application.
Claims
1. A network security detection method, characterized in that, The method includes: The target system is subjected to vulnerability scanning and security baseline scanning to obtain vulnerability scanning result datasets and security baseline scanning result datasets. The vulnerability scanning result dataset includes multiple vulnerability scanning result datasets, each corresponding one-to-one with multiple objects in the target system. Each vulnerability scanning result dataset is the scanning result data obtained by performing vulnerability scanning on the corresponding object, and is used to indicate whether the target system has vulnerabilities of at least one vulnerability type. The security baseline scanning result dataset includes multiple security baseline scanning result datasets, each corresponding one-to-one with the multiple objects. Each security baseline scanning result dataset is the result data obtained by performing security baseline scanning on the corresponding object, and includes at least one configuration rule. Based on the vulnerability scan result dataset and the security baseline scan result dataset, a transaction dataset is constructed. The transaction dataset includes multiple transaction data, each of which corresponds one-to-one with the multiple objects. The transaction data is used to indicate the vulnerability scan result data and the security baseline scan result data of the corresponding object. A frequent itemset is selected from the transaction dataset. The frequent itemset includes N frequent items, each of which includes at least one type of vulnerability and at least one configuration rule. The support of the frequent itemset is greater than a preset support threshold. The support of the frequent itemset is the percentage of transaction data including the frequent itemset in the transaction dataset, where N is an integer greater than 1. Based on the preset confidence level and the frequent itemset, an association rule is determined. The association rule includes a first frequent item and a second frequent item. The first frequent item and the second frequent item are two different frequent items in the frequent itemset. The confidence level between the first frequent item and the second frequent item included in the association rule is greater than the preset confidence level. Based on the association rules, security risk detection results for the target system are generated.
2. The method according to claim 1, characterized in that, The step of filtering frequent itemsets from the transaction dataset includes: Multiple first elements are selected from the transaction dataset. The multiple first elements include all elements in the transaction dataset whose support is greater than the preset support threshold. The support of the first element is the proportion of the number of transaction data including the first element in the transaction dataset. The first element is any kind of vulnerability or configuration rule in the transaction dataset. From the plurality of first elements, at least two first elements are randomly selected to form M candidate options, where M is an integer greater than N; Select N frequent items whose support is greater than the preset support threshold from the M candidate items.
3. The method according to claim 2, characterized in that, The confidence level between the first frequent item and the second frequent item in the association rule is the ratio of the first support and the second support, wherein the first support is the proportion of transaction data including the first frequent item in the transaction dataset, and the second support is the proportion of transaction data including the second frequent item in the transaction dataset.
4. The method according to any one of claims 1 to 3, characterized in that, The step of generating security risk detection results for the target system based on the association rules includes: Based on the association rules, L first nodes and H second nodes are created. The L first nodes correspond one-to-one with the L vulnerabilities in the association rules, and the H second nodes correspond one-to-one with the H configuration rules in the association rules. Based on the historical security risk data of the target system, L first conditional probability tables are created, each corresponding to one of the L first nodes. Each first conditional probability table includes H first conditional probabilities, which correspond one-to-one with the H second nodes. Each first conditional probability includes a first probability and a second probability. The first probability is used to characterize the probability that the vulnerability corresponding to the corresponding first node will be exploited when the configuration rules corresponding to the corresponding second node meet the security standards. The second probability is used to characterize the probability that the vulnerability corresponding to the corresponding first node will be exploited when the configuration rules corresponding to the corresponding second node do not meet the security standards. Based on the historical security risk data, create H second conditional probability tables that correspond one-to-one with the H second nodes. The second conditional probability table includes a third probability and a fourth probability. The third probability is used to characterize the probability that the configuration rule corresponding to the corresponding second node meets the security standard, and the fourth probability is used to characterize the probability that the configuration rule corresponding to the corresponding second node does not meet the security standard. Based on the vulnerability scan result dataset and the security baseline scan result dataset, the L first conditional probability tables and the H second conditional probability tables are updated to obtain the updated L first conditional probability tables and the updated H second conditional probability tables. Based on the updated L first conditional probability tables and the updated H second conditional probability tables, the security risk detection result of the target system is determined.
5. The method according to claim 4, characterized in that, After generating the security risk detection results of the target system based on the association rules, the method further includes: From the L first nodes and the H second nodes, at least one target node corresponding to a preset attack event is determined, wherein the preset attack event includes at least one vulnerability or at least one configuration rule in the transaction dataset; From the updated L first conditional probability tables and the updated H second conditional probability tables, determine at least one conditional probability table corresponding to the at least one target node; Based on the at least one conditional probability table, calculate the success probability of the preset attack event.
6. The method according to claim 5, characterized in that, After calculating the attack success probability of the preset attack event based on the at least one conditional probability table, the method further includes: If the success probability of the preset attack event is greater than the preset probability, and the solution library can find the attack time and the corresponding first security decision for the preset attack event, then the first security decision is obtained and executed. If the success probability of the preset attack event is greater than the preset probability, and no attack time or corresponding first security decision can be found in the solution library, a second security decision for the preset attack event is generated, and the preset attack event and the second security decision are stored in the solution library.
7. A network security detection device, characterized in that, The device includes: The scanning module is used to perform vulnerability scanning and security baseline scanning on the target system, obtaining vulnerability scanning result datasets and security baseline scanning result datasets. The vulnerability scanning result dataset includes multiple vulnerability scanning result datasets, each corresponding one-to-one with multiple objects in the target system. The vulnerability scanning result dataset is the scanning result data obtained by performing vulnerability scanning on the corresponding object, and is used to indicate whether the target system has vulnerabilities of at least one vulnerability type. The security baseline scanning result dataset includes multiple security baseline scanning result datasets, each corresponding one-to-one with the multiple objects. The security baseline scanning result data is the result data obtained by performing security baseline scanning on the corresponding object, and includes at least one configuration rule. A construction module is used to construct a transaction dataset based on the vulnerability scan result dataset and the security baseline scan result dataset. The transaction dataset includes multiple transaction data, which correspond one-to-one with the multiple objects. The transaction data is used to indicate the vulnerability scan result data and the security baseline scan result data of the corresponding object. A filtering module is used to filter out frequent itemsets from the transaction dataset. The frequent itemsets include N frequent items, each frequent item including at least one type of vulnerability and at least one configuration rule. The support of the frequent items is greater than a preset support threshold. The support of the frequent items is the percentage of transaction data including the frequent items in the transaction dataset, where N is an integer greater than 1. The determination module is used to determine association rules based on a preset confidence level and the frequent itemset. The association rules include a first frequent item and a second frequent item, wherein the first frequent item and the second frequent item are two different frequent items in the frequent itemset, and the confidence level between the first frequent item and the second frequent item included in the association rule is greater than the preset confidence level. The generation module is used to generate security risk detection results for the target system based on the association rules.
8. An electronic device, characterized in that, It includes a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the network security detection method as described in any one of claims 1 to 6.
9. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program that, when executed by a processor, implements the steps of the network security detection method as described in any one of claims 1 to 6.
10. A computer program product, characterized in that, It includes computer instructions that, when executed by a processor, implement the steps of the network security detection method as described in any one of claims 1 to 6.