
CN113987519A - Vulnerability rule base generation method and device, electronic equipment, storage medium and system - Google Patents


Info

Publication number
CN113987519A
Authority
CN
China
Prior art keywords
vulnerability
information
asset
host
asset information
Prior art date
Legal status
Pending
Application number
CN202111307750.XA
Other languages
Chinese (zh)
Inventor
余进奎
刘德森
张涛
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Hubei Topsec Network Security Technology Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Hubei Topsec Network Security Technology Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd and Hubei Topsec Network Security Technology Co Ltd
Priority to CN202111307750.XA
Publication of CN113987519A

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application provides a vulnerability rule base generation method, a vulnerability rule base generation device, electronic equipment, a storage medium and a vulnerability rule base generation system. The method comprises the following steps: carrying out asset scanning on the host to obtain asset information corresponding to the host; acquiring corresponding vulnerability information from corresponding vulnerability publishing paths according to the asset information; generating a corresponding vulnerability detection rule according to the vulnerability information; and constructing a vulnerability rule base of the host, the assets and the vulnerability detection rules according to the asset information of each host and the vulnerability detection rules corresponding to each asset information, wherein the vulnerability rule base comprises a plurality of pieces of asset information, and each piece of asset information comprises an asset identifier, a host identifier of the host containing the corresponding asset, and the vulnerability detection rules corresponding to the asset identifiers. According to the method and the device, the vulnerability detection rules corresponding to the asset information are generated by taking the asset information as guidance, so that the vulnerability rule base only contains the vulnerability detection rules corresponding to the asset information in the host, and the occupation of the memory is reduced.

Description

Vulnerability rule base generation method and device, electronic equipment, storage medium and system
Technical Field
The present application relates to the field of network security technologies, and in particular, to a vulnerability rule base generation method, apparatus, electronic device, storage medium, and system.
Background
With the rapid development of internet technology, network security problems have become increasingly prominent, and an information leak caused by an attack such as an unauthorized intrusion into a computer network application can have severe consequences. To protect users' information and applications, a comprehensive vulnerability discovery and evaluation system is usually deployed. Such a system scans the online assets to detect the vulnerabilities and weaknesses present in the network hosts, provides remediation methods and suggestions, helps the administrator repair the vulnerabilities, and improves the overall security of the network hosts.
Because attack techniques are updated and iterated quickly, the system needs to be able to detect newly added vulnerabilities. Before a newly added vulnerability can be identified, an administrator usually cannot discover the risk to the host assets by scanning, and during that time the host assets are exposed to attack. The vulnerability discovery and evaluation system is therefore required to become aware of newly added vulnerabilities as early as possible and to be able to detect them, so as to help the administrator discover host asset risks and security vulnerabilities and repair them, eliminating potential hazards as far as possible and safeguarding network security.
In the prior art, new vulnerability information is acquired by periodically scanning the national information security vulnerability database (CNNVD), the vulnerability announcements of application vendors and the like, and the newly added vulnerability information is incorporated into a locally maintained vulnerability rule base. As a result, the local vulnerability rule base contains more and more vulnerability information and occupies more memory.
Disclosure of Invention
An object of the present application is to provide a method, an apparatus, an electronic device, a storage medium and a system for generating a vulnerability rule base, so as to reduce the system memory occupied.
In a first aspect, an embodiment of the present application provides a method for generating a vulnerability rule base, including: carrying out asset scanning on the host to obtain asset information corresponding to the host; acquiring corresponding vulnerability information from corresponding vulnerability publishing paths according to the asset information; generating a corresponding vulnerability detection rule according to the vulnerability information; and constructing a vulnerability rule base of the host, the assets and the vulnerability detection rules according to the asset information of each host and the vulnerability detection rules corresponding to each asset information, wherein the vulnerability rule base comprises a plurality of pieces of asset information, and each piece of asset information comprises an asset identifier, a host identifier of the host containing the corresponding asset, and the vulnerability detection rules corresponding to the asset identifier.
According to the method and the device, the vulnerability detection rules corresponding to the asset information are generated by taking the asset information as guidance, so that the vulnerability rule base only contains the vulnerability detection rules corresponding to the asset information in the host, and the occupation of the memory is reduced.
In any embodiment, the generating a corresponding vulnerability detection rule according to the vulnerability information includes: analyzing the vulnerability information to obtain asset information related to the corresponding vulnerability; and receiving risk early warning configuration information corresponding to the vulnerability information, and generating vulnerability detection rules according to the asset information, vulnerability publishing paths and risk early warning configuration information related to the vulnerability. According to the method and the device, vulnerability detection of the assets can be accurately and quickly achieved by generating the vulnerability detection rules.
In any embodiment, the method further comprises: acquiring a target vulnerability detection rule in target asset information from the vulnerability rule base according to a preset period; wherein the target asset information is any one of the plurality of pieces of asset information; and detecting the vulnerability of the target host in the target asset information by using the target vulnerability detection rule to obtain a detection result. According to the method and the device, vulnerability detection is carried out on the resources in the target host by using the target vulnerability detection rules in the vulnerability rule base, so that risk early warning of the target host is achieved.
In any embodiment, each piece of asset information further comprises a risk early warning configuration, wherein the risk early warning configuration comprises an early warning mode; after obtaining the detection result, the method further comprises: and if the detection result comprises the host with the target vulnerability, performing early warning according to an early warning mode corresponding to the target vulnerability. In the embodiment of the application, if the host with the target vulnerability is found, early warning is carried out so that a user can process the target vulnerability in time.
In any embodiment, the method further comprises: acquiring new vulnerability information from vulnerability publishing paths corresponding to the asset information periodically; and updating the vulnerability rule base according to the new vulnerability information. According to the embodiment of the application, the vulnerability rule base is updated regularly, so that vulnerability information of assets contained in the vulnerability rule base is more comprehensive, and early warning can be performed on the host more accurately.
In any embodiment, the asset information includes a live host, an open port, an operating system, a service, an application, and a version number of the application.
In a second aspect, an embodiment of the present application provides a vulnerability rule base generation apparatus, including: the scanning module is used for carrying out asset scanning on the host computer to obtain asset information corresponding to the host computer; the vulnerability acquisition module is used for acquiring corresponding vulnerability information from the corresponding vulnerability publishing path according to the asset information; the rule generating module is used for generating a corresponding vulnerability detection rule according to the vulnerability information; the rule base building module is used for building a vulnerability rule base of the host, the assets and the vulnerability detection rules according to the asset information of each host and the vulnerability detection rules corresponding to each asset information, the vulnerability rule base comprises a plurality of pieces of asset information, each piece of asset information comprises an asset identification, a host identification of the host containing the corresponding asset, and the vulnerability detection rules corresponding to the asset identification.
In a third aspect, an embodiment of the present application provides an electronic device, including: the system comprises a processor, a memory and a bus, wherein the processor and the memory are communicated with each other through the bus; the memory stores program instructions executable by the processor, the processor being capable of performing the method of the first aspect when invoked by the program instructions.
In a fourth aspect, an embodiment of the present application provides a non-transitory computer-readable storage medium, including: the non-transitory computer readable storage medium stores computer instructions that cause the computer to perform the method of the first aspect.
In a fifth aspect, an embodiment of the present application provides a vulnerability detection system including a server and a host, where the server is in communication connection with the host and is configured to perform the method of the first aspect.
Additional features and advantages of the present application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the present application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings required by the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should therefore not be considered as limiting its scope; those skilled in the art can obtain other related drawings from them without inventive effort.
Fig. 1 is a schematic flow chart of a vulnerability rule base generation method provided in an embodiment of the present application;
fig. 2 is a schematic structural diagram of a vulnerability rule base generation apparatus provided in the embodiment of the present application;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure;
fig. 4 is an architecture diagram of a vulnerability detection system according to an embodiment of the present application.
Detailed Description
In order to solve the problem that an existing vulnerability rule base occupies a large system memory, the embodiment of the application provides a vulnerability rule base generation method. The vulnerability rule base constructed in the embodiment of the application only contains the vulnerability information of the assets corresponding to the host, so that the vulnerability rule base occupies less memory.
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Fig. 1 is a schematic flow chart of a vulnerability rule base generation method provided in an embodiment of the present application. As shown in fig. 1, the method is executed by a server and includes the following steps.
Step 101: carrying out asset scanning on the host to obtain asset information corresponding to the host. There may be one or more hosts, and the hosts are in communication connection with the server. The server scans the assets loaded on each host to obtain their asset information. It will be appreciated that asset information may include live hosts, open ports, operating systems, services, applications, version numbers of the applications, and the like. Where multiple hosts are communicatively coupled to the server, the asset information of each host may differ. After the asset information corresponding to each host is obtained, a correspondence between asset information and hosts may be constructed, for example: the CentOS 7 operating system corresponds to host 1, host 2 and host 3; the hosts on which the tomcat 8.5.60 application is installed are host 2, host 3 and host 4. That is, the asset information is maintained per asset, each piece of asset information carrying a unique asset number from which all the network hosts carrying that asset can be looked up in reverse.
In this way, the server can classify and integrate the assets of all the hosts, and each piece of asset information can be used independently to judge whether a vulnerability exists and by which vulnerability identification strategy. At the same time, each independent piece of asset information is directly associated with a vulnerability monitoring rule, that is, the way in which the system monitors for newly added vulnerabilities and the method for processing the newly added vulnerability information.
Step 102: acquiring corresponding vulnerability information from the corresponding vulnerability publishing path according to the asset information.
For example, the vulnerability publishing path corresponding to the Apache Tomcat asset is http://tomcat.apache.org/security.html, and the vulnerability publishing path corresponding to Oracle assets is https://www.oracle.com/security-alerts. The NVD vulnerability database is also used as an authoritative vulnerability publishing platform, and its corresponding vulnerability publishing path is https://nv. When a vulnerability appears, the platform behind the vulnerability publishing path publishes the relevant information about it. The server can therefore periodically acquire the corresponding vulnerability information from the vulnerability publishing path corresponding to each piece of asset information.
Step 103: generating a corresponding vulnerability detection rule according to the vulnerability information.
After acquiring the vulnerability information, the server analyzes it to obtain the description information about the vulnerability, which states which asset has the vulnerability. The corresponding vulnerability detection rule can therefore be generated from the vulnerability information. For example, for the AikCms asset, vulnerability data in JSON format is downloaded from the NVD vulnerability publishing path, and the cpe_match field is parsed to obtain the asset description AikCms:AikCms:2.0, meaning that AikCms version 2.0 has the vulnerability. The generated vulnerability detection rule is to check whether the version of the AikCms asset is 2.0, and if so, the AikCms asset contains the vulnerability.
Step 104: constructing a vulnerability rule base of the host, the assets and the vulnerability detection rules according to the asset information of each host and the vulnerability detection rules corresponding to each asset information, wherein the vulnerability rule base comprises a plurality of pieces of asset information, and each piece of asset information comprises an asset identifier, a host identifier of the host containing the corresponding asset, and the vulnerability detection rules corresponding to the asset identifier.
The asset identifier indicates the uniqueness of an asset: each asset corresponds to a unique asset identifier, and assets with the same name but different versions have different asset identifiers. The asset identifier may be preset for each asset in advance. The host identifier indicates the uniqueness of a host, that is, different hosts have different host identifiers; the host identifier may be the MAC address of the host or a device serial number assigned to the host at manufacture. In practice, one asset may correspond to multiple vulnerabilities, so one piece of asset information may include at least one vulnerability detection rule.
According to the method and the device, the vulnerability detection rules corresponding to the asset information are generated by taking the asset information as guidance, so that the vulnerability rule base only contains the vulnerability detection rules corresponding to the asset information in the host, and the occupation of the memory is reduced.
On the basis of the foregoing embodiment, the generating a corresponding vulnerability detection rule according to the vulnerability information includes:
analyzing the vulnerability information to obtain asset information related to the corresponding vulnerability;
and receiving risk early warning configuration information corresponding to the vulnerability information, and generating vulnerability detection rules according to the asset information, vulnerability publishing paths and risk early warning configuration information related to the vulnerability.
In a specific implementation, after acquiring vulnerability information from a vulnerability publishing platform, the server analyzes it to obtain the information related to the vulnerability, including the asset information of the vulnerable asset, the vulnerability number, the vulnerability description and the like.
For example: for the AikCms asset, vulnerability information in JSON format is downloaded from the NVD vulnerability publishing path, and the 'cpe_match' field in the vulnerability information is parsed to obtain the asset description AikCms:AikCms:2.0, meaning that AikCms version 2.0 has the vulnerability. The 'CVE_data_meta' field is parsed to obtain the asset number, and the 'description' field is parsed to obtain the vulnerability description.
For another example, for the CentOS asset, vulnerability information is published on the vendor announcement path http://lists.centos.org/pipermail/CentOS-announce/; the latest announcement information is obtained, the 'Upstream details at' field is parsed to obtain the vulnerability number, vulnerability description and similar information, and a vulnerability detection rule is generated from the rpm package information obtained.
After the information related to the vulnerability is obtained, the vulnerability description is sent to the administrator terminal, and the administrator determines the risk early warning configuration information according to the vulnerability description. The risk early warning configuration information includes a vulnerability level, a monitoring interval and an early warning mode. The vulnerability level may be low, medium or high, a higher level indicating a more severe vulnerability. The monitoring interval is the interval at which the assets involved in the vulnerability are scanned. The early warning mode is the manner of raising an alert after the vulnerability is found, and may specifically be sending an email to a pre-specified terminal, sending an SMS message or placing a call to a pre-designated mobile terminal, displaying an alert prompt in a pop-up window, and the like.
A vulnerability detection rule is then generated according to the asset information, vulnerability publishing path and risk early warning configuration information related to the vulnerability. After the vulnerability information has been obtained from the vulnerability publishing path and the asset information related to the vulnerability has been parsed out, the generated vulnerability detection rule compares the asset information on the host with the asset information related to the vulnerability.
According to the method and the device, vulnerability detection is carried out on the resources in the target host by using the target vulnerability detection rules in the vulnerability rule base, so that risk early warning of the target host is achieved.
On the basis of the above embodiment, the method further includes:
acquiring a target vulnerability detection rule in target asset information from the vulnerability rule base according to a preset period; wherein the target asset information is any one of the plurality of pieces of asset information;
and detecting the vulnerability of the target host in the target asset information by using the target vulnerability detection rule to obtain a detection result.
In a specific implementation, the preset period is a preset time interval, for example daily, weekly or every two weeks, and the specific period may be set according to the actual situation. The target asset information is any one of the pieces of asset information included in the vulnerability rule base; the piece of asset information obtained is called the target asset information. Thus, in this embodiment, the server performs vulnerability detection on the corresponding assets according to the preset period using each piece of asset information in the vulnerability rule base, obtaining a detection result that indicates whether the host contains the target vulnerability.
In another embodiment, since each vulnerability detection rule in the vulnerability rule base includes a monitoring time interval, the server may perform scanning according to the monitoring time interval of each vulnerability detection rule.
According to the embodiment of the application, the vulnerability rule base is updated regularly, so that vulnerability information of assets contained in the vulnerability rule base is more comprehensive, and early warning can be performed on the host more accurately.
On the basis of the above embodiment, each piece of asset information further includes risk early warning configuration, and the risk early warning configuration includes an early warning mode; after obtaining the detection result, the method further comprises:
and if the detection result comprises the host with the target vulnerability, performing early warning according to an early warning mode corresponding to the target vulnerability.
In a specific implementation process, if a host containing a target vulnerability exists, early warning is carried out according to an early warning mode corresponding to the target vulnerability. As shown in the above embodiment, each vulnerability has a pre-configured early warning mode, and early warning is performed according to the early warning mode corresponding to the target vulnerability. It can be understood that the purpose of early warning is to inform relevant personnel in time and to deal with vulnerabilities in time.
On the basis of the above embodiment, the method further includes:
acquiring new vulnerability information from vulnerability publishing paths corresponding to the asset information periodically;
and updating the vulnerability rule base according to the new vulnerability information.
In a specific implementation process, because new vulnerabilities of each asset may appear at variable times, new vulnerability information may be periodically obtained from vulnerability publishing paths corresponding to each asset information, vulnerability detection rules are generated according to the new vulnerability information, and the new vulnerability detection rules are added to corresponding asset information in a vulnerability rule base.
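The flow of steps 101 to 104, the cpe_match parsing example, the periodic detection with early warning and the periodic update of the rule base, carried through as an added Python example (not the patent's or Topsec's code). The host inventory, the early warning configuration, the NVD-style records and the publishing path URL are constructed, the CVE identifiers are placeholders, and mapping a scanned product name to its CPE product name by lower-casing is an assumption.

```python
"""Asset-guided vulnerability rule base in the shape CN113987519A describes.
Added example, not the patent's or Topsec's code: the host inventory, early warning
configuration and NVD-style records are constructed; CVE ids are placeholders."""
from dataclasses import dataclass, field

# Step 101 input (constructed): host identifier (a MAC address, as the text
# suggests) -> assets the scan reported, as (name, version) pairs.
HOST_SCAN = {
    "00:11:22:33:44:01": [("CentOS", "7"), ("Apache Tomcat", "8.5.60")],
    "00:11:22:33:44:02": [("CentOS", "7"), ("AikCms", "2.0")],
    "00:11:22:33:44:03": [("AikCms", "2.1")],
}
NVD_PATH = "https://nvd.example/feed"  # placeholder vulnerability publishing path
# Risk early warning configuration returned by the administrator (constructed).
ALERT_CONFIG = {"level": "high", "interval_days": 1, "alert_mode": "email"}

def nvd_item(cve_id: str, cpe23: str, text: str) -> dict:
    """Constructed record with the NVD JSON 1.1 fields the method parses
    (CVE_data_meta, description, cpe_match); a real feed would be json.load'ed."""
    return {"cve": {"CVE_data_meta": {"ID": cve_id},
                    "description": {"description_data": [{"lang": "en", "value": text}]}},
            "configurations": {"nodes": [{"cpe_match": [
                {"vulnerable": True, "cpe23Uri": cpe23}]}]}}

# One record matching the AikCms 2.0 example, one for a product no host carries.
AIKCMS_ITEM = nvd_item("CVE-XXXX-0001", "cpe:2.3:a:aikcms:aikcms:2.0:*:*:*:*:*:*:*",
                       "Placeholder description of an AikCms 2.0 issue.")
UNRELATED_ITEM = nvd_item("CVE-XXXX-0002", "cpe:2.3:a:examplecms:examplecms:1.0:*:*:*:*:*:*:*",
                          "Placeholder description for a product absent from every host.")

@dataclass
class DetectionRule:
    vuln_id: str          # CVE_data_meta.ID, the CVE identifier
    description: str
    publishing_path: str
    level: str            # low / medium / high
    interval_days: int    # monitoring interval
    alert_mode: str       # email / sms / popup

@dataclass
class AssetEntry:
    """One piece of asset information: asset id, hosts carrying it, its rules."""
    asset_id: str
    hosts: set = field(default_factory=set)
    rules: list = field(default_factory=list)

def asset_id(product: str, version: str) -> str:
    """Product plus version, so AikCms 2.0 and 2.1 get different identifiers.
    Assumption: lower-casing a scanned name yields the CPE product name."""
    return f"{product.lower().replace(' ', '_')}:{version}"

def build_asset_index(scan: dict) -> dict:
    """Step 101: invert the scan so each asset id lists the hosts carrying it."""
    index: dict = {}
    for host, assets in scan.items():
        for name, version in assets:
            aid = asset_id(name, version)
            index.setdefault(aid, AssetEntry(aid)).hosts.add(host)
    return index

def rules_from_nvd(item: dict, publishing_path: str, config: dict) -> dict:
    """Step 103: parse cpe_match into asset ids and derive one rule per id."""
    cve = item["cve"]
    vuln_id = cve["CVE_data_meta"]["ID"]
    text = cve["description"]["description_data"][0]["value"]
    rules: dict = {}
    for node in item["configurations"]["nodes"]:
        for match in node.get("cpe_match", []):
            if not match.get("vulnerable"):
                continue
            parts = match["cpe23Uri"].split(":")  # cpe:2.3:part:vendor:product:version:...
            rules.setdefault(asset_id(parts[4], parts[5]), []).append(
                DetectionRule(vuln_id, text, publishing_path, **config))
    return rules

def update_rule_base(rule_base: dict, items: list, config: dict) -> dict:
    """Steps 102-104 and the periodic update: attach rules only to assets some
    host carries; rules for products no host has are dropped (the memory saving)."""
    for item, path in items:
        for aid, rules in rules_from_nvd(item, path, config).items():
            if aid in rule_base:
                rule_base[aid].rules.extend(rules)
    return rule_base

def build_rule_base(scan: dict, items: list, config: dict) -> dict:
    return update_rule_base(build_asset_index(scan), items, config)

def detect(rule_base: dict, target_asset_id: str) -> list:
    """Periodic detection: each host carrying exactly this asset id (product and
    version) is reported once per rule recorded against the asset."""
    entry = rule_base[target_asset_id]
    return [(host, rule.vuln_id) for host in sorted(entry.hosts) for rule in entry.rules]

def early_warnings(rule_base: dict, target_asset_id: str) -> list:
    """Alerts to dispatch, each in the early warning mode configured for its rule."""
    mode = {r.vuln_id: r.alert_mode for r in rule_base[target_asset_id].rules}
    return [(mode[v], host, v) for host, v in detect(rule_base, target_asset_id)]
```

Calling `update_rule_base` again with later records is the periodic update: new rules attach to existing asset entries, and records for products no scanned host carries never enter the base.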
Fig. 2 is a schematic structural diagram of a vulnerability rule base generation apparatus provided in the embodiment of the present application, where the apparatus may be a module, a program segment, or a code on an electronic device. It should be understood that the apparatus corresponds to the above-mentioned embodiment of the method of fig. 1, and can perform various steps related to the embodiment of the method of fig. 1, and the specific functions of the apparatus can be referred to the description above, and the detailed description is appropriately omitted here to avoid redundancy. The device comprises: the system comprises a scanning module 201, a vulnerability obtaining module 202, a rule generating module 203 and a rule base constructing module 204, wherein:
the scanning module 201 is configured to perform asset scanning on a host to obtain asset information corresponding to the host;
the vulnerability obtaining module 202 is configured to obtain corresponding vulnerability information from corresponding vulnerability publishing paths according to each asset information;
the rule generating module 203 is configured to generate a corresponding vulnerability detecting rule according to the vulnerability information;
the rule base building module 204 is configured to build a vulnerability rule base of the hosts, the assets, and the vulnerability detection rules according to the asset information of each host and the vulnerability detection rules corresponding to each asset information, where the vulnerability rule base includes a plurality of pieces of asset information, each piece of asset information includes an asset identifier, a host identifier of a host that includes a corresponding asset, and the vulnerability detection rules corresponding to the asset identifiers.
On the basis of the foregoing embodiment, the rule generating module 203 is specifically configured to:
analyzing the vulnerability information to obtain asset information related to the corresponding vulnerability;
and receiving risk early warning configuration information corresponding to the vulnerability information, and generating vulnerability detection rules according to the asset information, vulnerability publishing paths and risk early warning configuration information related to the vulnerability.
On the basis of the above embodiment, the apparatus further includes a vulnerability detection module, configured to:
acquiring a target vulnerability detection rule in target asset information from the vulnerability rule base according to a preset period; wherein the target asset information is any one of the plurality of pieces of asset information;
and detecting the vulnerability of the target host in the target asset information by using the target vulnerability detection rule to obtain a detection result.
On the basis of the above embodiment, each piece of asset information further includes risk early warning configuration, and the risk early warning configuration includes an early warning mode; the device also comprises an early warning module used for:
and if the detection result comprises the host with the target vulnerability, performing early warning according to an early warning mode corresponding to the target vulnerability.
On the basis of the above embodiment, the apparatus further includes an updating module configured to:
acquiring new vulnerability information from vulnerability publishing paths corresponding to the asset information periodically;
and updating the vulnerability rule base according to the new vulnerability information.
On the basis of the above embodiment, the asset information includes a live host, an open port, an operating system, a service, an application, and a version number of the application.
Fig. 3 is a schematic structural diagram of an entity of an electronic device provided in an embodiment of the present application. As shown in fig. 3, the electronic device includes a processor 301, a memory 302 and a bus 303, where
the processor 301 and the memory 302 communicate with each other through the bus 303;
the processor 301 is configured to call program instructions in the memory 302 to perform the methods provided by the above-mentioned method embodiments, including: carrying out asset scanning on the host to obtain asset information corresponding to the host; acquiring corresponding vulnerability information from corresponding vulnerability publishing paths according to the asset information; generating a corresponding vulnerability detection rule according to the vulnerability information; the method comprises the steps of establishing a vulnerability rule base of the host, the assets and the vulnerability detection rules according to asset information of each host and vulnerability detection rules corresponding to each asset information, wherein the vulnerability rule base comprises a plurality of pieces of asset information, each piece of asset information comprises an asset identification, a host identification of the host containing the corresponding asset, and the vulnerability detection rules corresponding to the asset identification.
The processor 301 may be an integrated circuit chip having signal processing capabilities. The processor 301 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like, but may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or discrete hardware components. It may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 302 may include, but is not limited to, Random Access Memory (RAM), Read Only Memory (ROM), Programmable Read Only Memory (PROM), Erasable Programmable Read Only Memory (EPROM), Electrically Erasable Programmable Read Only Memory (EEPROM) and the like.
The present embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the method provided by the above-mentioned method embodiments, for example comprising: carrying out asset scanning on the host to obtain asset information corresponding to the host; acquiring corresponding vulnerability information from corresponding vulnerability publishing paths according to the asset information; generating a corresponding vulnerability detection rule according to the vulnerability information; and establishing a vulnerability rule base relating the hosts, the assets and the vulnerability detection rules according to the asset information of each host and the vulnerability detection rules corresponding to each piece of asset information, wherein the vulnerability rule base comprises a plurality of pieces of asset information, each piece of asset information comprising an asset identification, a host identification of the host containing the corresponding asset, and the vulnerability detection rules corresponding to the asset identification.
The present embodiments provide a non-transitory computer-readable storage medium storing computer instructions that cause the computer to perform the methods provided by the above method embodiments, for example including: carrying out asset scanning on the host to obtain asset information corresponding to the host; acquiring corresponding vulnerability information from corresponding vulnerability publishing paths according to the asset information; generating a corresponding vulnerability detection rule according to the vulnerability information; and establishing a vulnerability rule base relating the hosts, the assets and the vulnerability detection rules according to the asset information of each host and the vulnerability detection rules corresponding to each piece of asset information, wherein the vulnerability rule base comprises a plurality of pieces of asset information, each piece of asset information comprising an asset identification, a host identification of the host containing the corresponding asset, and the vulnerability detection rules corresponding to the asset identification.
Fig. 4 is an architecture diagram of a vulnerability detection system according to an embodiment of the present disclosure. As shown in fig. 4, the system includes a server 401 and a plurality of hosts 402, each host 402 being communicatively connected to the server 401; for convenience of drawing, only two hosts 402 are shown in fig. 4, connected to the server 401 through a network. The server 401 is configured to execute the methods provided by the foregoing method embodiments, so as to generate a corresponding vulnerability rule base for the assets contained in the communicatively connected hosts 402 and to perform vulnerability detection on the hosts 402 using that vulnerability rule base.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A vulnerability rule base generation method is characterized by comprising the following steps:
carrying out asset scanning on the host to obtain asset information corresponding to the host;
acquiring corresponding vulnerability information from corresponding vulnerability publishing paths according to the asset information;
generating a corresponding vulnerability detection rule according to the vulnerability information;
and establishing a vulnerability rule base relating the hosts, the assets and the vulnerability detection rules according to the asset information of each host and the vulnerability detection rules corresponding to each piece of asset information, wherein the vulnerability rule base comprises a plurality of pieces of asset information, each piece of asset information comprising an asset identification, a host identification of the host containing the corresponding asset, and the vulnerability detection rules corresponding to the asset identification.
2. The method of claim 1, wherein generating corresponding vulnerability detection rules according to the vulnerability information comprises:
analyzing the vulnerability information to obtain asset information related to the corresponding vulnerability;
and receiving risk early warning configuration information corresponding to the vulnerability information, and generating vulnerability detection rules according to the asset information, vulnerability publishing paths and risk early warning configuration information related to the vulnerability.
3. The method of claim 1, further comprising:
acquiring a target vulnerability detection rule in target asset information from the vulnerability rule base according to a preset period; wherein the target asset information is any one of the plurality of pieces of asset information;
and detecting the vulnerability of the target host in the target asset information by using the target vulnerability detection rule to obtain a detection result.
4. The method of claim 3, wherein each piece of asset information further comprises a risk early warning configuration, the risk early warning configuration comprising an early warning mode; and after obtaining the detection result, the method further comprises:
and if the detection result comprises the host with the target vulnerability, performing early warning according to an early warning mode corresponding to the target vulnerability.
5. The method of claim 1, further comprising:
acquiring new vulnerability information from vulnerability publishing paths corresponding to the asset information periodically;
and updating the vulnerability rule base according to the new vulnerability information.
6. The method of claim 1, wherein the asset information comprises a live host, an open port, an operating system, a service, an application, and a version number of the application.
7. A vulnerability rule base generation device, comprising:
the scanning module is used for carrying out asset scanning on the host to obtain asset information corresponding to the host;
the vulnerability acquisition module is used for acquiring corresponding vulnerability information from the corresponding vulnerability publishing path according to the asset information;
the rule generating module is used for generating a corresponding vulnerability detection rule according to the vulnerability information;
the rule base building module is used for building a vulnerability rule base relating the hosts, the assets and the vulnerability detection rules according to the asset information of each host and the vulnerability detection rules corresponding to each piece of asset information, wherein the vulnerability rule base comprises a plurality of pieces of asset information, each piece of asset information comprising an asset identification, a host identification of the host containing the corresponding asset, and the vulnerability detection rules corresponding to the asset identification.
8. An electronic device, comprising a processor, a memory and a bus, wherein
the processor and the memory communicate with each other through the bus; and
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any of claims 1-6.
9. A non-transitory computer-readable storage medium storing computer instructions which, when executed by a computer, cause the computer to perform the method of any one of claims 1-6.
10. A vulnerability detection system, characterized by comprising a server and a host, wherein the server is in communication connection with the host, and the server is adapted to perform the method of any one of claims 1-6.
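A compact implementation of the procedure in claims 1 to 6, added here as an illustration and not the patent's own code: the scan results, the in-memory feed standing in for a vulnerability publishing path, the advisory ids, application versions, URLs and the "email"/"sms" warning modes are all constructed placeholders.

```python
"""Added example, not the patent's own code: a minimal vulnerability rule base
built as claims 1-6 describe, from constructed scan results and a constructed
vulnerability feed. Host names, versions, advisory ids and URLs are placeholders."""
from collections import namedtuple

# One piece of asset information from an asset scan (the claim 6 fields).
Asset = namedtuple("Asset", "host_id open_port os service application version")

def asset_id(a: Asset) -> str:
    """Asset identification: the application together with its version number."""
    return f"{a.application}:{a.version}"

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def generate_rule(vuln: dict, warning_mode: str) -> dict:
    """Claim 2: a rule carries the affected asset, the publishing path it came
    from and the risk early-warning configuration (here only the warning mode)."""
    return {"id": vuln["id"], "application": vuln["application"],
            "fixed_in": vuln["fixed_in"], "path": vuln["path"],
            "warning_mode": warning_mode}

def rule_matches(rule: dict, application: str, version: str) -> bool:
    # The asset is affected when it runs the application below the fixed version.
    return (application == rule["application"]
            and parse_version(version) < parse_version(rule["fixed_in"]))

def update_rule_base(base: dict, feed: list, warning_mode: str) -> dict:
    """Claim 5: add rules for vulnerability information not yet in the base."""
    for entry in base.values():
        known = {r["id"] for r in entry["rules"]}
        entry["rules"] += [generate_rule(v, warning_mode) for v in feed
                           if v["application"] == entry["application"]
                           and v["id"] not in known]
    return base

def build_rule_base(assets: list, feed: list, warning_mode: str = "email") -> dict:
    """Claim 1: rule base keyed by asset id; each entry lists the host ids that
    carry the asset and the detection rules generated for it."""
    base = {}
    for a in assets:
        entry = base.setdefault(asset_id(a), {"application": a.application,
                                "version": a.version, "host_ids": set(), "rules": []})
        entry["host_ids"].add(a.host_id)
    return update_rule_base(base, feed, warning_mode)

def detect(base: dict, target_asset_id: str) -> list:
    """Claims 3 and 4: run one asset's rules against every host carrying it and
    return (host id, advisory id, warning mode) for each hit to be warned on."""
    entry = base[target_asset_id]
    return [(h, r["id"], r["warning_mode"]) for r in entry["rules"]
            if rule_matches(r, entry["application"], entry["version"])
            for h in sorted(entry["host_ids"])]

# Constructed scan results and vulnerability feed (placeholder values).
SCAN = [Asset("host-a", 22, "linux", "ssh", "openssh", "8.2"),
        Asset("host-b", 22, "linux", "ssh", "openssh", "8.2"),
        Asset("host-b", 80, "linux", "http", "nginx", "1.21.0")]
FEED = [{"id": "ADV-0001", "application": "openssh", "fixed_in": "8.4",
         "path": "https://example.invalid/openssh-advisories"},
        {"id": "ADV-0002", "application": "nginx", "fixed_in": "1.20.1",
         "path": "https://example.invalid/nginx-advisories"}]
```

Running `detect` on each asset id of `build_rule_base(SCAN, FEED)` in a loop is the periodic check of claim 3; `update_rule_base` with a newer feed is the periodic refresh of claim 5.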
CN202111307750.XA 2021-11-05 2021-11-05 Vulnerability rule base generation method and device, electronic equipment, storage medium and system Pending CN113987519A (en)

Publications (1)

Publication Number Publication Date
CN113987519A true CN113987519A (en) 2022-01-28

Family

ID=79746834


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220128