CN108712396A - Network asset management and vulnerability governance system - Google Patents
- Publication number: CN108712396A
- Application number: CN201810395830.7A
- Authority: CN (China)
- Prior art keywords: loophole, fingerprint, networked, host, information
- Prior art date
- Legal status: Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
A network asset management and vulnerability governance system comprises a network asset information collection subsystem, which includes: a basic information collection module, which discovers networked hosts and fingerprints the host operating system to detect the operating system type of a remote target host; an application component fingerprint collection module, which discovers one or more items of application or component fingerprint information, including the version, service port and protocol interaction features of web applications or components; a vulnerability awareness module, which analyses the vulnerability of networked hosts and application systems and finds the vulnerabilities that may exist in networked hosts, their systems, services and application components; and a vulnerability handling and repair tool module which, operated by vulnerability governance personnel and/or running automatically, handles and/or repairs the vulnerabilities found in networked hosts and their systems, services and application components. The system can quickly and accurately discover the security vulnerabilities of an information system and repair them in a timely manner.
Description
Technical field
The present invention relates to information asset security, and in particular to a network asset management and vulnerability governance system.
Background technology
The cyberspace of an information system is made up of countless nodes, each of which is an IT asset (also called an information asset) connected to the network. Information assets include host operating systems, network devices, security devices, databases, middleware and application components. Information assets are the most basic and most important carriers in information security management. As enterprise business grows and business informatisation develops rapidly, the various business support platforms and management systems become increasingly complex; information assets such as servers, storage devices, network devices and security devices grow in number and in variety, and asset management becomes more and more difficult for administrators. Over time, large numbers of ownerless assets and zombie assets appear; these assets go unmaintained for long periods and therefore carry many known vulnerabilities and configuration violations. Worse, such assets are hard to bring within the scope of the administrators' daily maintenance; they pose a great hidden danger to enterprise security and become the weak point of enterprise information security.
Taking the power grid as an example, once a security problem occurs in common power information equipment such as servers, switches, routers, power communication terminals and intelligent transformer equipment, the normal acquisition of power information and the regular supply of electrical power services are affected; this not only inconveniences people's daily production and life but also causes great economic loss.
At present the state attaches ever greater importance to network security, and effective management of IT assets is correspondingly more important. IT assets are the most basic and most important carriers in information security management, so identifying IT assets and gaining a comprehensive, blind-spot-free grasp of asset information is of great significance. At the same time, once the asset information is known, it is necessary to know whether the protection against risks in cyberspace is effective: for example, whether the services run by network devices have known vulnerabilities, their physical addresses, the scope of influence of newly disclosed vulnerabilities on the network devices, and how known vulnerabilities are repaired. Such information helps to grasp the security state of the enterprise accurately and to resolve threats and risks effectively.
Meanwhile with the rapid development of internet, the security breaches of disparate networks assets and information system are information securities
Major hidden danger.Security breaches are that information system generates in each stage (processes such as design, realization, O&M) of life cycle
Certain class problem, these problems can have an impact the safety (confidentiality, integrality, availability) of system.Due to software defect,
Using the error configurations with information technoloy equipment, and conventional mistake and other reasons, can all there be new loophole to occur daily general at present
Vulnerability scanning is periodically carried out using vulnerability scanning system or periodically carries out safety inspection to find then security breaches are repaired
Reinforcement, there is following deficiencies:
Manual operation is relied on, automation, standardized instrument are lacked;
There are hysteresis qualitys with disposition for the discovery of loophole;
The information of information assets is not grasped completely, it is difficult to promptly and accurately find loophole and reparation.
How, then, to build a network asset management and vulnerability governance system that collects network asset information more promptly, effectively, reliably and accurately, and discovers and repairs security vulnerabilities in time, is an urgent problem for the prior art.
Invention content
The main object of the present invention is to provide a network asset management and vulnerability governance system that addresses the deficiencies of the prior art.
To achieve the above object, the present invention adopts the following technical scheme:
A network asset management and vulnerability governance system comprising a network asset information collection subsystem, wherein the network asset information collection subsystem comprises:
a basic information collection module, configured to discover networked hosts and fingerprint the host operating system so as to detect the operating system type of a remote target host;
an application component fingerprint collection module, configured to discover one or more items of application or component fingerprint information, including the version, service port and protocol interaction features of web applications or components;
a vulnerability awareness module, configured to analyse the vulnerability of networked hosts and their systems, so as to find the weak points of operating systems, services and application components and the vulnerabilities that may exist in networked hosts, their systems, services and application components;
a vulnerability handling and repair tool module which, operated by vulnerability governance personnel and/or running automatically, handles and/or repairs the vulnerabilities found in networked hosts and their systems, services and application components, thereby achieving vulnerability governance.
Further:
The basic information collection module sends a series of TCP and UDP packets to the target host, receives the reply packets, examines each data item in the reply packets, compares them with a fingerprint database, and detects the operating system type of the remote target host by analysing the comparison.
The basic information collection module comprises:
a host detection submodule, configured to convert the target area into an IP range by querying an IP address library according to a set strategy, to start multiple scanning processes and/or threads according to the scan settings, and to probe the corresponding ports of the target machines; a port that receives a legitimate response packet is judged open, a host with at least one open port is judged alive, and the IP, open ports and protocol information of each live host are stored in a live host library; preferably, the set strategy includes the scan target area, scan protocols, port range, scanning technique used and evasion technique;
a topology discovery submodule, configured to send specific probe packets to find each node in the network and the interconnections between them; preferably, the nodes include routers and hosts;
a system fingerprint information collection submodule, configured to use a fingerprint database built for different operating systems and different protocol stacks to examine the TCP and UDP reply packets of the target host and identify system and protocol fingerprint information;
a service fingerprint information collection submodule, configured to select the corresponding probe fingerprint from a service fingerprint library, send it to the corresponding port, and match the fingerprint in the returned packet to judge whether the corresponding component is present.
The system fingerprint information collection submodule identifies different operating systems and devices using TCP/IP protocol stack fingerprints; preferably, the system fingerprint information collection submodule is configured to perform system identification in the following way:
analyse the features of various systems, establish the fingerprint features of known systems, and store these fingerprint features in a system fingerprint library as the sample library for fingerprint comparison;
initialise a system probe task, select the target host to probe, then start the system probe task; the task selects one open port and one closed port, sends pre-set TCP/UDP/ICMP packets to them, examines the returned packets and generates a system fingerprint from them; preferably, the target host is selected from the live host library;
compare the fingerprint generated by probing with the system fingerprint library and look up the matching system;
preferably, if the system cannot be matched exactly, the possible systems are determined in a probabilistic manner.
The application component fingerprint collection module collects fingerprint information by performing one or more of web service, server-side instruction, web development framework, web application, front-end library and third-party component identification.
Web development frameworks are identified using a component service detection technique; the language used by the website back end is detected by an application component page detection technique and a component service detection technique; web applications are detected by a service component page detection technique, preferably by capturing one or several pages of the website and matching their fingerprints against the fingerprint library to identify the corresponding web application; and web spaces are detected by a page detection technique, which preferably includes identification by the CLASSID of the page.
The vulnerability awareness module performs one or more of system vulnerability scanning, database vulnerability scanning and web application vulnerability scanning; preferably, the vulnerability awareness module automatically matches the scanned vulnerabilities against a vulnerability database established in the back end and automatically confirms the CVE number of each vulnerability and whether an exploitation method exists.
Vulnerability scanning is based on port scanning technology: after the port scan, the ports opened by the target host and the network services on those ports are known, and this information is matched against a vulnerability database provided in advance, whereby the attack methods against the system are simulated to check whether a vulnerability satisfying the matching conditions is present; preferably, an aggressive security vulnerability scan is carried out against the target host system, preferably using weak password testing, and if the simulated attack succeeds, the target host system is shown to have a security vulnerability.
A rule-based matching technique is used: corresponding matching rules are built on the basis of the network system vulnerability database that has been formed, the vulnerability scanning work is carried out automatically by the scanner program, and if the matching conditions are satisfied a vulnerability is considered present; the result is returned to the client after detection is complete; preferably, if a rule is not matched, the network connection of the system is forbidden; preferably, the vulnerability data is separated from the scanning code so that the scanning engine can be updated.
The network asset information collection subsystem further comprises one or more of the following modules:
a task management module, configured to receive task instructions, schedule multiple collection modules to complete the corresponding tasks according to a strategy, dynamically monitor the running state information of each collection module in real time, and perform load balancing and task allocation in real time, so as to ensure that each collection module works reasonably;
a data filtering module, configured to match the raw data according to the acquisition strategy and filter out redundant data;
a data transmission module, configured to send the collected data over a hidden subnet to a management subsystem connected to the network asset information collection subsystem.
The network asset management and vulnerability governance system further comprises one or more of the following subsystems:
a management subsystem, configured to provide data display, query analysis and operation management functions, and to provide data operators with a human-computer interaction interface for carrying out the corresponding business operations;
a vulnerability mining subsystem, configured to provide vulnerability mining tools and build a general operating environment for vulnerability mining, so as to mine vulnerabilities in the target operating system and target application software;
a vulnerability exploitation verification subsystem, configured to provide a verification environment for constructing vulnerabilities and exploitation methods, verify vulnerabilities using samples, and assess the effect of exploitation;
a security tool subsystem, configured to provide security tools, including carrying out penetration attacks against the target operating system and target application and maintaining long-term control.
Beneficial effects of the present invention:
The present invention provides a network asset management and vulnerability governance system. Through its network asset information collection subsystem it can promptly and reliably detect and discover the live hosts in a particular network area and collect their operating system and application component information; through the vulnerability awareness module it collects targeted vulnerability information on the basis of what the probing has collected, analyses the vulnerability of networked hosts and application systems, finds the weak points of operating systems, services and application components, provides data support and resources for penetration attacks/tests, and finally locates the vulnerabilities that may exist in networked hosts, their systems, services and application components. Through the vulnerability handling and repair tool module (which can be implemented with well-known computer equipment such as hosts, human-interface devices such as displays, network devices, and the various information security processing software that runs on computers), the vulnerabilities found in networked hosts and their systems, services and application components can be handled and/or repaired, with vulnerability governance personnel operating and/or the module running automatically, so as to achieve vulnerability governance. Because the network asset information collection subsystem of the present invention can accurately and reliably discover the security vulnerabilities of a networked information system, it provides favourable conditions and a good guarantee for rapid vulnerability governance and timely repair of the security vulnerabilities of the information system. At the same time, the present invention also achieves asset identification and management, and provides the basis for asset detection and asset change awareness.
Description of the drawings
Fig. 1 is a structural diagram of the network asset management and vulnerability governance system of an embodiment of the present invention;
Fig. 2 is an architecture diagram of the vulnerability scanning system based on a network system vulnerability database in a preferred embodiment of the present invention.
Specific implementation mode
Embodiments of the present invention are described in detail below. It should be emphasised that the following description is exemplary only and is not intended to limit the scope of the invention or its application.
Referring to Fig. 1, in one embodiment a network asset management and vulnerability governance system comprises a network asset information collection subsystem, which comprises: a basic information collection module, configured to discover networked hosts and fingerprint the host operating system so as to detect the operating system type of a remote target host; an application component fingerprint collection module, configured to discover one or more items of application or component fingerprint information, including the version, service port and protocol interaction features of web applications or components; a vulnerability awareness module, configured to analyse the vulnerability of networked hosts and application systems so as to find the weak points of operating systems, services and application components and the vulnerabilities that may exist in networked hosts, their systems, services and application components; and a vulnerability handling and repair tool module which, operated by vulnerability governance personnel and/or running automatically, handles and/or repairs the vulnerabilities found in networked hosts and their systems, services and application components, thereby achieving vulnerability governance. As those skilled in the art will appreciate, the vulnerability handling and repair tool module of the present invention can be implemented with well-known computer equipment such as hosts, human-interface devices such as displays, network devices, and the various information security processing software that runs on computers, and can execute vulnerability handling and repair tasks by manual operation and/or automatic running.
On the basis of the present invention, a vulnerability governance control platform can be established that collects targeted vulnerability information according to the system type and application components of networked hosts and carries out manual or automatic vulnerability remediation.
In some embodiments, the network asset information collection subsystem uses network basic information collection (including host discovery, port scanning, operating system detection, application detection and an IP address library) together with vulnerability awareness technology to discover the live hosts in a particular network area, collect their operating system type and version and their application component type and version information, and collect targeted vulnerability information according to system type and application components.
In some embodiments, the network asset information collection subsystem can use techniques such as IP address positioning, host detection and port scanning, operating system and application type detection, network application scanning, vulnerability scanning, advanced evasion techniques (AET) and firewall/IDS evasion to collect network asset information.
In an exemplary embodiment, the network asset information collection subsystem comprises a basic information collection module, an application component fingerprint collection module and a vulnerability awareness module.
(1) Basic information collection module
This module is configured to discover networked hosts and fingerprint the host operating system. It sends a series of TCP and UDP packets to the target host, receives the reply packets, examines each data item in the reply packets and compares them with a fingerprint database; by analysing the comparison it finally detects the operating system type of the remote target host.
In a preferred embodiment, the basic information collection module specifically comprises:
Host detection submodule: according to the strategy set by the user, including the scan target area, scan protocols, port range, scanning technique used and evasion technique, the host detection module converts the target area into IP ranges by querying the IP address library, starts multiple scanning processes (threads) according to the scan settings, and probes the corresponding ports of the target machines. A port that receives a legitimate response packet is judged open; a host with at least one open port is judged alive; and the IP, open ports and protocol information of each live host are stored in the live host library.
Topology discovery submodule: a network topology is a representation of the interconnection relationships between the interconnected entities in a network. The topology is usually modelled as a graph, with nodes representing devices (routers, hosts and so on) and edges representing connection relationships (physical or logical). Topology discovery sends specific probe packets to find each node in the network and the interconnections between them.
System fingerprint information collection submodule: uses a fingerprint database built for different operating systems and different protocol stacks to examine the TCP and UDP reply packets of the target host and identify system and protocol fingerprint information.
This system preferably uses TCP/IP protocol stack fingerprints to identify different operating systems and devices. The RFC specifications leave some aspects of TCP/IP implementation without mandatory provisions, so different TCP/IP implementations may handle them in their own specific way. This system judges the type of operating system mainly from the differences in these details. In a preferred embodiment, the specific implementation is as follows:
First, the features of various systems are analysed, the fingerprint features of known systems are established, and these fingerprint features are stored in the system fingerprint library as the sample library for fingerprint comparison;
a system probe task is initialised, the target host to probe is selected (preferably from the live host library, to avoid wasted probes), and the system probe task is started; the task selects one open port and one closed port, sends pre-set TCP/UDP/ICMP packets to them, and generates a system fingerprint from the returned packets;
the fingerprint generated by probing is compared with the system fingerprint library to find the matching system;
if no exact match is found, the possible systems are enumerated in the form of probabilities.
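The following is an added worked example, not code from the patent, covering the host detection rule (a port with a legitimate reply is open; a host with at least one open port is alive; live hosts go into a live host library) and the system fingerprint procedure just described (pick one open and one closed port, build a fingerprint from the replies, match it against the sample library, fall back to probabilities when no entry matches exactly). Nothing is sent on the network: the scan results, the probe replies and the fingerprint library are constructed dicts, and the feature names (ttl, win, df, opts, rst_win, icmp_code) and their values are this example's own assumptions, not real operating-system signatures. It is written from the asset-inventory side: the output is what a collector would store about its own hosts.

```python
"""Host discovery bookkeeping and TCP/IP stack fingerprint matching.

Added example, not code from the patent. Probe replies are constructed
dicts standing in for the fields a collector parses out of TCP, UDP and
ICMP responses; nothing is sent on the network. Field names and fingerprint
values are this example's own assumptions, not real OS signatures.
"""

# Constructed sample scan results: (ip, port, protocol, got_legitimate_reply).
SCAN_RESULTS = [
    ("192.0.2.10", 22, "tcp", True),
    ("192.0.2.10", 80, "tcp", True),
    ("192.0.2.10", 443, "tcp", False),
    ("192.0.2.11", 53, "udp", False),
]

# Constructed system fingerprint library: the "sample library for comparison".
SYSTEM_FINGERPRINT_LIBRARY = {
    "system-A": {"ttl": 64, "win": 65535, "df": True,
                 "opts": "MSS,NOP,WS,NOP,NOP,TS", "rst_win": 0, "icmp_code": 0},
    "system-B": {"ttl": 128, "win": 8192, "df": True,
                 "opts": "MSS,NOP,WS,NOP,NOP,SACK", "rst_win": 0, "icmp_code": 0},
    "system-C": {"ttl": 255, "win": 4128, "df": False,
                 "opts": "MSS", "rst_win": 4128, "icmp_code": 0},
}


def record_scan_results(scan_results):
    """Host detection rule: a port that received a legitimate reply is open,
    and a host with at least one open port is alive.
    Returns the live host library as {ip: {port: protocol}}."""
    library = {}
    for ip, port, proto, replied in scan_results:
        if replied:
            library.setdefault(ip, {})[port] = proto
    return library


def select_probe_ports(library, ip):
    """Pick one open port (from the live host library) and one port the scan
    did not find open, as the fingerprint task requires."""
    open_ports = sorted(library[ip])
    closed = next(p for p in range(1, 65536) if p not in library[ip])
    return open_ports[0], closed


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value."""
    for base in (64, 128, 255):
        if observed <= base:
            return base
    return 255


def build_fingerprint(open_reply, closed_reply, icmp_reply):
    """Generate one system fingerprint from the three constructed probe replies."""
    return {
        "ttl": initial_ttl(open_reply["ttl"]),
        "win": open_reply["win"],
        "df": open_reply["df"],
        "opts": ",".join(open_reply["opts"]),
        "rst_win": closed_reply["win"],
        "icmp_code": icmp_reply["code"],
    }


def match_fingerprint(fp, library=SYSTEM_FINGERPRINT_LIBRARY):
    """An exact match gets probability 1.0; otherwise every candidate is ranked
    by the share of agreeing features, normalised so the shares sum to 1."""
    scores = {name: sum(fp[k] == sig[k] for k in sig) / len(sig)
              for name, sig in library.items()}
    exact = [name for name, s in scores.items() if s == 1.0]
    if exact:
        return {exact[0]: 1.0}
    total = sum(scores.values())
    if total == 0:
        return {}
    ranked = sorted(scores.items(), key=lambda kv: -kv[1])
    return {name: round(s / total, 3) for name, s in ranked if s > 0}


# Constructed replies for 192.0.2.10: open-port SYN/ACK, closed-port RST, ICMP echo.
REPLIES_EXACT = (
    {"ttl": 57, "win": 65535, "df": True, "opts": ["MSS", "NOP", "WS", "NOP", "NOP", "TS"]},
    {"win": 0},
    {"code": 0},
)
# Constructed replies that agree with no library entry on every feature.
REPLIES_PARTIAL = (
    {"ttl": 120, "win": 8192, "df": True, "opts": ["MSS", "NOP", "WS", "NOP", "NOP", "TS"]},
    {"win": 0},
    {"code": 0},
)

if __name__ == "__main__":
    live = record_scan_results(SCAN_RESULTS)
    print("live hosts:", live)
    print("probe ports:", select_probe_ports(live, "192.0.2.10"))
    print("exact:", match_fingerprint(build_fingerprint(*REPLIES_EXACT)))
    print("probabilistic:", match_fingerprint(build_fingerprint(*REPLIES_PARTIAL)))
```

The probabilistic fallback deliberately keeps every partially matching entry in the result instead of picking the best one, which is what the patent asks for and what an inventory consumer needs when deciding whether a host can be classified at all; a real collector would also record the raw fingerprint so that the library can be extended when a new system type shows up repeatedly as "unmatched".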
Service fingerprint information collection submodule: selects the corresponding probe fingerprint from the service fingerprint library, sends it to the corresponding port, and matches the fingerprint in the returned packet to judge whether the corresponding component is present.
(2) Application component fingerprint collection module
This module is configured to discover fingerprint information such as the version, service port and protocol interaction features of web applications or components.
This module can support identification based on web services, server-side instructions, web development frameworks, web applications, front-end libraries, third-party components and the like.
A web development framework is a service program: the server provides service externally through a port and handles the requests sent by clients, for example the Tomcat container in Java, or the IIS or PWS frameworks for ASP. By using a component service detection technique this module can identify web development frameworks; for example, the Tomcat framework can be detected by sending the fingerprint "URI/status".
This module can use an application component page detection technique and a service component detection technique to detect which language the website back end uses; the specific method judges from fingerprints such as meta information, script tags, header information, session, error pages and certain contents of the web page.
This module can use a service component page detection technique to detect web applications: by capturing one or several pages of the website and matching their fingerprints against the fingerprint library, the corresponding web application can be identified.
A page detection technique can be used to detect web spaces, for example identification by the CLASSID of the page.
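As an added illustration (not code from the patent) of the page-based part of this module, the block below extracts the fingerprint sources the text names, meta information, script tags, header information and session cookies, from one captured page and matches them against a fingerprint library to recover component names and versions for the asset inventory. The HTTP response and the library are constructed, and the component names (ExampleServer, ExampleCMS, examplejs, ExampleApp) are invented so that they match nothing real; the active "URI/status"-style probing the text also mentions is not performed here.

```python
"""Web application/component fingerprinting over a constructed HTTP response.

Added example, not code from the patent. Headers, page body and the
fingerprint library are constructed; component names are invented.
"""
import re
from html.parser import HTMLParser


class PageFeatures(HTMLParser):
    """Collect the page-side fingerprint sources: meta tags and script sources."""

    def __init__(self):
        super().__init__()
        self.meta = {}      # meta name -> content
        self.scripts = []   # script src values in document order

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name"):
            self.meta[a["name"].lower()] = a.get("content", "")
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


# Constructed fingerprint library: where to look, and a pattern whose first
# capture group (if any) yields the version; no group means "present".
WEB_FINGERPRINTS = [
    {"component": "ExampleServer", "where": "header", "key": "server",
     "pattern": r"ExampleServer/([\d.]+)"},
    {"component": "ExampleCMS", "where": "meta", "key": "generator",
     "pattern": r"ExampleCMS\s+([\d.]+)"},
    {"component": "examplejs", "where": "script",
     "pattern": r"examplejs-([\d.]+)\.min\.js"},
    {"component": "ExampleApp", "where": "cookie",
     "pattern": r"(?:^|;\s*)EXSESSID="},
]


def fingerprint_page(headers, body, library=WEB_FINGERPRINTS):
    """Match one captured page against the library.
    Returns {component: version or 'present'} for every rule that hits."""
    features = PageFeatures()
    features.feed(body)
    hdr = {k.lower(): v for k, v in headers.items()}
    found = {}
    for rule in library:
        where = rule["where"]
        if where == "header":
            candidates = [hdr.get(rule["key"], "")]
        elif where == "meta":
            candidates = [features.meta.get(rule["key"], "")]
        elif where == "script":
            candidates = features.scripts
        elif where == "cookie":
            candidates = [hdr.get("set-cookie", "")]
        else:
            continue  # unknown source type in the library: skip, do not crash
        for text in candidates:
            m = re.search(rule["pattern"], text)
            if m:
                found[rule["component"]] = m.group(1) if m.groups() else "present"
                break
    return found


# Constructed response, as captured from one page of a site under inventory.
SAMPLE_HEADERS = {
    "Server": "ExampleServer/2.4.1",
    "Set-Cookie": "EXSESSID=0123abcd; Path=/; HttpOnly",
    "Content-Type": "text/html",
}
SAMPLE_BODY = """<!doctype html><html><head>
<meta name="generator" content="ExampleCMS 5.2">
<script src="/static/examplejs-3.1.4.min.js"></script>
</head><body><h1>Welcome</h1></body></html>"""

if __name__ == "__main__":
    print(fingerprint_page(SAMPLE_HEADERS, SAMPLE_BODY))
```

Keeping the library as data rather than as code is what lets the same matcher run over pages captured from many sites, and it is also why the matcher tolerates library entries with an unknown source type: a bad entry should cost one missed component, not the whole inventory run.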
(3) Vulnerability awareness module
This module is configured to perceive and analyse the vulnerability of networked hosts and application systems and to find the weak points of operating systems, services and application components. It integrates several tools such as system vulnerability scanning, database vulnerability scanning and web application vulnerability scanning, can automatically match vulnerabilities against a vulnerability database established in the back end, and automatically confirms the CVE number of each vulnerability and whether an exploitation method exists.
In a preferred embodiment, the vulnerability awareness module has a vulnerability scanning architecture based on a network system vulnerability database, as shown in Fig. 2.
Vulnerability scanning technology is built on port scanning technology. Analysing and collecting the vulnerabilities that get attacked shows that the overwhelming majority are directed at some network service, that is, at some specific port. Therefore, in the preferred embodiment, the vulnerability scanning technology used scans along the same lines as port scanning technology. It preferably checks whether the target host has a vulnerability by the following method: after the port scan, the ports opened by the target host and the network services on those ports are known, and this information is matched against the vulnerability database provided by the network vulnerability scanning system. By simulating the attack methods against the system, it checks whether a vulnerability satisfying the matching conditions is present. Preferably, an aggressive security vulnerability scan, such as weak password testing, is carried out against the target host system; if the simulated attack succeeds, the target host system is shown to have a security vulnerability.
This system uses a rule-based matching technique: based on security experts' analysis of network system security vulnerabilities and hacker attack cases, and on the practical experience of system administrators in configuring network system security, a standard set of network system vulnerability databases is formed, corresponding matching rules are built on that basis, and the scanner program actively carries out the vulnerability scanning work. Preferably, if a rule is not matched, the network connection of the system is forbidden.
In a preferred embodiment, matching is performed against the system vulnerability library provided by the vulnerability scanning system, and a vulnerability is considered present if the conditions are met. After the server's detection is complete, the result is returned to the client and an intuitive report is generated. The rule matching library on the server side can be a collection of many shared routines storing various scanning attack methods. The vulnerability data is separated from the scanning code, enabling users to update the scanning engine themselves.
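As an added example (not code from the patent), the block below implements the non-intrusive half of the matching just described: the services learnt from the port scan are matched against a vulnerability database, each hit is confirmed with a CVE number and an "exploitation method known" flag, and the per-host report is generated. The rule set is kept as JSON separate from the matching engine, which is the separation of vulnerability data from scanning code that the text calls for. The service inventory and rule set are constructed; the CVE identifiers (CVE-0000-000N) are placeholders and the component names are invented, so no real product is described. The simulated-attack and weak-password steps of the text are not part of this block.

```python
"""Rule-based vulnerability matching with rule data kept apart from the engine.

Added example, not code from the patent. Inventory and rules are constructed;
CVE ids are placeholders (CVE-0000-000N) and component names are invented.
"""
import json
import re

# Constructed rule data, kept as JSON so it can be replaced without touching
# the matching code. A rule applies when min_version <= version < max_version.
VULNERABILITY_RULES_JSON = """
[
  {"id": "CVE-0000-0001", "component": "exampleweb", "min_version": "1.0.0",
   "max_version": "1.4.2", "severity": "high", "exploit_available": true,
   "fix": "upgrade exampleweb to 1.4.2 or later"},
  {"id": "CVE-0000-0002", "component": "exampledb", "min_version": "2.0.0",
   "max_version": "2.2.0", "severity": "medium", "exploit_available": false,
   "fix": "upgrade exampledb to 2.2.0 or later"},
  {"id": "CVE-0000-0003", "component": "examplessh", "min_version": "0",
   "max_version": "8.0", "severity": "critical", "exploit_available": true,
   "fix": "upgrade examplessh to 8.0 or later"}
]
"""

# Constructed service inventory as the collection modules would hand it over:
# (ip, port, component, version).
INVENTORY = [
    ("192.0.2.10", 80, "exampleweb", "1.3.9"),
    ("192.0.2.10", 5432, "exampledb", "2.1.0"),
    ("192.0.2.11", 80, "exampleweb", "1.4.2"),
    ("192.0.2.11", 22, "examplessh", "7.9"),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def load_rules(rules_json):
    """Parse the rule data; a malformed rule raises instead of silently matching nothing."""
    rules = json.loads(rules_json)
    for r in rules:
        for key in ("id", "component", "min_version", "max_version", "severity"):
            if key not in r:
                raise ValueError(f"rule missing {key}: {r}")
    return rules


def parse_version(text):
    """Compare versions numerically by their dotted integer parts ('1.10' > '1.9')."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def version_in_range(version, lo, hi):
    v = parse_version(version)
    return parse_version(lo) <= v < parse_version(hi)


def match_rules(inventory, rules):
    """Apply every rule to every service; each hit becomes a finding carrying the
    CVE number and whether an exploitation method is known."""
    findings = []
    for ip, port, component, version in inventory:
        for r in rules:
            if r["component"] == component and version_in_range(
                    version, r["min_version"], r["max_version"]):
                findings.append({
                    "ip": ip, "port": port, "component": component, "version": version,
                    "cve": r["id"], "severity": r["severity"],
                    "exploit_available": bool(r.get("exploit_available", False)),
                    "fix": r.get("fix", ""),
                })
    return findings


def build_report(findings):
    """Group findings per host, worst severity first, and count exploitable ones."""
    report = {}
    for f in sorted(findings, key=lambda f: SEVERITY_ORDER.get(f["severity"], 9)):
        host = report.setdefault(f["ip"], {"findings": [], "exploitable": 0})
        host["findings"].append(f)
        host["exploitable"] += int(f["exploit_available"])
    return report


if __name__ == "__main__":
    rep = build_report(match_rules(INVENTORY, load_rules(VULNERABILITY_RULES_JSON)))
    for ip, host in rep.items():
        print(ip, f"({host['exploitable']} finding(s) with a known exploitation method)")
        for f in host["findings"]:
            print(f"  {f['severity']:8} {f['cve']} {f['component']} {f['version']}"
                  f" port {f['port']}: {f['fix']}")
```

Two details matter for remediation rather than for detection: the version comparison is numeric, so a patched 1.10 is not mistaken for the vulnerable 1.1 range, and the upper bound is exclusive, so the release that carries the fix (1.4.2 on 192.0.2.11 above) produces no finding.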
In a more preferred embodiment, the network asset information collection subsystem can also comprise a task management module.
(4) Task management module
The task management module is configured to receive task instructions and to schedule multiple collection modules to complete the corresponding tasks according to a strategy. It needs to dynamically monitor the running state information of each collection module in real time and to perform load balancing and task allocation in real time, so as to ensure that each collection module works reasonably.
In a more preferred embodiment, the network asset information collection subsystem can also comprise a data filtering module.
(5) Data filtering module
The data filtering module is configured to match the raw data according to the acquisition strategy and to filter out redundant data.
In a more preferred embodiment, the network asset information collection subsystem can also comprise a data transmission module.
(6) Data transmission module
The data transmission module is configured to send the collected data to the management subsystem over a hidden subnet.
The network asset management and vulnerability governance system of the present invention uses the network asset information collection subsystem of the above embodiment. That subsystem can detect and discover the live hosts in a particular network area, collect their operating system and application component information, and collect targeted vulnerability information, providing data support and resources for subsequent penetration attacks/tests. The network asset management and vulnerability governance system of the present invention can therefore collect network asset information more promptly, effectively, reliably and accurately, and so better discover and repair the security vulnerabilities of the information system in time.
In a preferred embodiment, the networked asset management and vulnerability governance system may also include one or more of the following subsystems:
a management subsystem, configured to provide data display, query analysis and operation management functions, and to provide data operators with a human-computer interaction interface for carrying out the corresponding business operations;
a vulnerability mining subsystem, configured to provide vulnerability mining tools, build a general operating environment for vulnerability mining, and carry out vulnerability mining against the target operating system and target application software;
a vulnerability exploit verification subsystem, configured to provide a verification environment for constructing vulnerabilities and exploitation methods, verify exploit samples for the vulnerabilities, and assess the effect of the exploitation;
a security tool subsystem, configured to provide security tools, including carrying out penetration attacks against the target operating system and target application and keeping long-term control.
Preferably but not compulsorily, as shown in Figure 1, the networked asset management and vulnerability governance system of the present invention includes a networked asset information collection subsystem and a management subsystem. Specifically, the management subsystem can display the results of the information collection subsystem, the vulnerability mining subsystem, the vulnerability exploit verification subsystem and the security tool subsystem; it can also carry out operation management of those systems, while providing a query-analysis work system. This work system includes a rule-managed task processing environment and a series of interactive analysis tools, through which analysts can complete various data analysis tasks. In addition, the system has separate operation desktops (workbenches) and aggregated information display interfaces for users with different rights. Finally, the system completes the configuration management of the data area and the analysis, display and reporting of various types of data, and provides data operators with a human-computer interaction interface for carrying out the corresponding business operations.
Preferably but not compulsorily, the networked asset management and vulnerability governance system of the invention may further include a vulnerability mining subsystem. Based on typical vulnerability mining techniques, the vulnerability mining subsystem integrates vulnerability mining tools and develops customized ones, builds a general operating environment for vulnerability mining, carries out vulnerability mining against the target operating system and target application software, and develops exploit samples for newly found vulnerabilities.
Preferably but not compulsorily, the networked asset management and vulnerability governance system of the invention may further include a vulnerability exploit verification subsystem. It can build a verification environment for vulnerabilities and exploitation methods, verify exploit samples, and assess the effect of the exploitation.
Preferably but not compulsorily, the networked asset management and vulnerability governance system of the invention may further include a security tool subsystem. It can develop customized security tools, carry out penetration attacks against the target operating system and target application, and keep long-term control.
In further embodiments, a networked asset management and vulnerability governance method uses the asset identification system of any of the foregoing embodiments to search for vulnerabilities that may be present in networked hosts and their systems, services and application components, and carries out vulnerability disposal and vulnerability repair for the vulnerabilities found, so as to achieve rapid vulnerability governance.
The above content is a further description of the present invention in combination with specific/preferred embodiments, and the specific implementation of the present invention cannot be regarded as confined to these explanations. Those of ordinary skill in the art to which the present invention belongs may also make some replacements or modifications to the embodiments described without departing from the inventive concept, and all such replacements or variants shall be regarded as falling within the protection scope of the present invention.
Claims (10)
1. A networked asset management and vulnerability governance system, including a networked asset information collection subsystem, characterized in that the networked asset information collection subsystem includes:
a basic information collection module, configured to find networked hosts and carry out fingerprint recognition of the host operating system, so as to detect the operating system type of the remote target host;
an application component fingerprint collection module, configured to find the fingerprint information of one or more applications or components, including the version of the Web application or component, the service port and the protocol interaction features;
a vulnerability sensing module, configured to perform perception analysis on the vulnerability of networked hosts and their systems, so as to find the weak points of the operating system, services and application components and to find vulnerabilities that may be present in networked hosts and their systems, services and application components;
a vulnerability disposal and repair tool module, which, through operation by vulnerability governance personnel and/or automatic running, carries out vulnerability disposal and/or repair for the vulnerabilities found in networked hosts and their systems, services and application components, so as to achieve vulnerability governance.
2. The asset management system according to claim 1, characterized in that the basic information collection module sends a series of TCP and UDP packets to the target host, receives the reply packets, examines each data item in the reply packets, compares them with a fingerprint database, and detects the operating system type of the remote target host by analysing the comparison.
3. The networked asset management and vulnerability governance system according to claim 1 or 2, characterized in that the basic information collection module includes:
a host detection submodule, configured, according to a set strategy, to convert the target area into IP ranges by querying an IP address library, set up multiple scanning processes and/or threads according to the scan, and probe the corresponding ports of the target machines; whenever a port receives a response packet that matches a rule, the port is judged open; a host with at least one open port is judged alive, and the IP, open ports and protocol information of the live hosts are stored in the active-host database; preferably, the set strategy includes the target area to scan, the scan protocols, the port range, the scanning technique used and the evasion techniques;
a topology discovery submodule, configured to send specific probe packets to discover each node in the network and the interconnection relationships among them; preferably, the nodes include routers and hosts;
a system fingerprint information collection submodule, configured to use fingerprint databases established for different operating systems and different protocol stacks to probe the TCP and UDP reply packets of the target host and identify system and protocol fingerprint information;
a service fingerprint information collection submodule, configured to select the corresponding probe fingerprint from the service fingerprint base, send it to the corresponding port, match the fingerprint in the returned packet, and judge whether the corresponding component is present.
4. The networked asset management and vulnerability governance system according to claim 3, characterized in that the system fingerprint information collection submodule identifies different operating systems and devices using TCP/IP protocol stack fingerprints; preferably, the system fingerprint information collection submodule is configured to carry out system identification in the following manner:
analysing the features of various systems, establishing the fingerprint features of known systems, and storing these fingerprint features in a system fingerprint library as the sample database for fingerprint comparison;
initializing a system probe task, selecting the target host to probe, and then activating the system probe task; the task selects one open port and one closed port, sends pre-set TCP/UDP/ICMP packets to them, probes the returned packets, and generates a system fingerprint from the returned packets; preferably, the target host is selected from the active hosts;
comparing the fingerprint generated by probing with the system fingerprint library and searching for a matching system;
preferably, if the system cannot be matched accurately, determining the possible system in a probabilistic manner.
5. The networked asset management and vulnerability governance system according to any one of claims 1 to 4, characterized in that the application component fingerprint collection module collects fingerprint information by performing one or more of Web service identification, server-side instruction identification, Web development framework identification, Web application identification, front-end library identification and third-party component identification; wherein Web development frameworks are identified using component service detection techniques; wherein the language used by the back end of the Web site is detected using application component page detection techniques and component service detection techniques; wherein Web applications are detected using service component page detection techniques, preferably by capturing one or several pages of the website and distinguishing the corresponding Web application by matching fingerprints against the fingerprint base; and wherein Web space is detected using page detection techniques, the page detection techniques preferably including identification by the CLASSID of the page.
6. The networked asset management and vulnerability governance system according to any one of claims 1 to 5, characterized in that the vulnerability sensing module carries out one or more of system vulnerability scanning, database vulnerability scanning and Web application vulnerability scanning; preferably, the vulnerability sensing module automatically matches the scanned vulnerabilities against a vulnerability database established in the background, and automatically confirms the CVE number of each vulnerability and whether a means of exploitation exists.
7. The networked asset management and vulnerability governance system according to claim 6, characterized in that vulnerability scanning is based on port scanning technology: after the port scan, the ports opened on the target host and the network services on those ports are learned, and this related information is matched against the vulnerability database provided in advance, wherein it is checked, by simulating attack methods against the system, whether a vulnerability satisfying the matching conditions exists; preferably, an aggressive security scan is carried out against the target host system, preferably by testing for weak passwords; if the simulated attack succeeds, the target host system is shown to have a security vulnerability.
8. The networked asset management and vulnerability governance system according to claim 6 or 7, characterized in that, using rule-based matching technology, a network system vulnerability database is formed, corresponding matching rules are constructed on that basis, and the scanner program automatically carries out the vulnerability scanning; if the matching conditions are satisfied, a vulnerability is considered to exist, and after detection completes the result is returned to the client; preferably, if a rule is not matched, the network connection of the system is forbidden; preferably, the vulnerability data are separated from the scan code so that the scanning engine can be updated.
9. The networked asset management and vulnerability governance system according to any one of claims 1 to 8, characterized in that the networked asset information collection subsystem further includes one or more of the following modules:
a task management module, configured to receive task instructions, dispatch multiple collection modules according to a strategy to complete the corresponding tasks, dynamically monitor the running-state information of each collection module in real time, and carry out real-time load balancing and allocation of tasks, so as to ensure that each collection module can work reasonably;
a data filtering module, configured to match the raw data against the acquisition strategy and to filter out redundant data;
a data transmission module, configured to send the gathered data through a hidden subnet to a management subsystem connected to the networked asset information collection subsystem.
10. The networked asset management and vulnerability governance system according to any one of claims 1 to 9, characterized in that it further includes one or more of the following subsystems:
a management subsystem, configured to provide data display, query analysis and operation management functions, and to provide data operators with a human-computer interaction interface for carrying out the corresponding business operations;
a vulnerability mining subsystem, configured to provide vulnerability mining tools, build a general operating environment for vulnerability mining, and carry out vulnerability mining against the target operating system and target application software;
a vulnerability exploit verification subsystem, configured to provide a verification environment for constructing vulnerabilities and exploitation methods, verify exploit samples for the vulnerabilities, and assess the effect of the exploitation;
a security tool subsystem, configured to provide security tools, including carrying out penetration attacks against the target operating system and target application and keeping long-term control.
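The system identification steps of claim 4 (a fingerprint library built from known systems, comparison of the probed fingerprint against it, and a probabilistic answer when no exact match exists) as an added Python example that is not part of the patent. The feature set, the weights and every library entry are constructed, not real OS signatures; the probe sending itself is left out, and the input is the feature record a collector has already extracted from the replies.

```python
"""TCP/IP stack fingerprint comparison with a probabilistic fallback, in the
manner of claim 4. Added illustration, not the patent's code: the features,
weights and library entries are CONSTRUCTED and are not real OS signatures."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Fingerprint = Dict[str, object]

# How much each feature counts when there is no exact match; the TCP option
# order is the most discriminating, DF bit and ICMP behaviour the least.
WEIGHTS = {"opts": 3, "ttl": 2, "win": 2, "df": 1, "icmp_unreach": 1}

# Sample database of "known systems" (constructed values).
FINGERPRINT_LIBRARY: Dict[str, Fingerprint] = {
    "Linux 4.x (constructed)":       {"ttl": 64,  "win": 29200, "df": True,
                                      "opts": "MSS,SACK,TS,NOP,WS", "icmp_unreach": True},
    "Windows 10 (constructed)":      {"ttl": 128, "win": 65535, "df": True,
                                      "opts": "MSS,NOP,WS,NOP,NOP,SACK", "icmp_unreach": True},
    "FreeBSD 11 (constructed)":      {"ttl": 64,  "win": 65535, "df": True,
                                      "opts": "MSS,NOP,WS,SACK,TS", "icmp_unreach": True},
    "Network printer (constructed)": {"ttl": 255, "win": 8192,  "df": False,
                                      "opts": "MSS", "icmp_unreach": False},
}

# Two constructed observations. The first comes from a host six hops away that
# matches the Linux entry exactly once TTL is normalized; the second resembles
# the Windows entry but advertises another window size, so only a probabilistic
# answer is possible.
OBSERVED_EXACT = {"ttl": 58, "win": 29200, "df": True,
                  "opts": "MSS,SACK,TS,NOP,WS", "icmp_unreach": True}
OBSERVED_FUZZY = {"ttl": 120, "win": 64240, "df": True,
                  "opts": "MSS,NOP,WS,NOP,NOP,SACK", "icmp_unreach": True}


@dataclass
class Identification:
    exact: bool
    # (system name, probability) pairs, most likely first
    candidates: List[Tuple[str, float]] = field(default_factory=list)


def guess_initial_ttl(observed_ttl: int) -> int:
    """Each router on the path decrements TTL, so the library stores initial
    values and the observation is rounded up to the nearest common one."""
    for initial in (32, 64, 128, 255):
        if observed_ttl <= initial:
            return initial
    return 255


def normalize(observed: Fingerprint) -> Fingerprint:
    fp = dict(observed)
    fp["ttl"] = guess_initial_ttl(int(fp["ttl"]))
    return fp


def identify(observed: Fingerprint,
             library: Dict[str, Fingerprint] = FINGERPRINT_LIBRARY) -> Identification:
    """An entry matching every weighted feature wins outright. Otherwise each
    entry is scored by the total weight of the features it shares with the
    observation, and the scores are normalized into probabilities."""
    fp = normalize(observed)
    scores: Dict[str, int] = {}
    for name, known in library.items():
        matched = [k for k in WEIGHTS if known.get(k) == fp.get(k)]
        if len(matched) == len(WEIGHTS):
            return Identification(exact=True, candidates=[(name, 1.0)])
        scores[name] = sum(WEIGHTS[k] for k in matched)
    total = sum(scores.values())
    if total == 0:
        return Identification(exact=False, candidates=[])
    ranked = sorted(((n, s / total) for n, s in scores.items() if s > 0),
                    key=lambda pair: pair[1], reverse=True)
    return Identification(exact=False, candidates=ranked)


if __name__ == "__main__":
    for label, obs in (("exact", OBSERVED_EXACT), ("fuzzy", OBSERVED_FUZZY)):
        result = identify(obs)
        print(label, "exact match" if result.exact else "probabilistic",
              [(n, round(p, 3)) for n, p in result.candidates])
```

For the fuzzy observation the Windows entry shares 7 of 9 weight points while two other entries share 2 each, so it is reported with probability 7/11 rather than as a certain match.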
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810395830.7A CN108712396A (en) | 2018-04-27 | 2018-04-27 | Networked asset management and loophole governing system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108712396A true CN108712396A (en) | 2018-10-26 |
Family
ID=63868710
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108712396A (en) |
2018-04-27: application CN201810395830.7A filed in China (CN), published as CN108712396A, status active/pending.
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20181026 |