CN108712396A - Networked asset management and loophole governing system - Google Patents


Info

Publication number: CN108712396A
Authority: CN (China)
Prior art keywords: loophole, fingerprint, networked, host, information
Legal status: Pending
Application number: CN201810395830.7A
Other languages: Chinese (zh)
Inventors: 陈志华, 王文佳, 麦浩镔, 吉威炎, 罗成威, 刘洋
Current assignee: Information Security Test And Appraisal Center Guangdong Province
Original assignee: Information Security Test And Appraisal Center Guangdong Province
Application filed by Information Security Test And Appraisal Center Guangdong Province; priority to CN201810395830.7A; publication of CN108712396A.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

A networked asset management and vulnerability governance system comprising a networked asset information collection subsystem, which in turn comprises: a basic information collection module, which discovers networked hosts and performs fingerprint recognition of the host operating system so as to detect the operating system type of a remote target host; an application component fingerprint collection module, which discovers fingerprint information of one or more application programs or components, including the version, service port and protocol interaction features of a web application or component; a vulnerability sensing module, which performs perception analysis of the vulnerability of networked hosts and application systems and finds vulnerabilities that may exist in networked hosts and their systems, services and application components; and a vulnerability disposal and repair tool module, which, operated by vulnerability governance personnel and/or running automatically, performs vulnerability disposal and/or repair for the vulnerabilities found in the networked hosts and their systems, services and application components. The system can quickly and accurately discover, and promptly repair, the security vulnerabilities of an information system.

Description

Networked asset management and loophole governing system
Technical field
The present invention relates to information asset security, and in particular to a networked asset management and vulnerability governance system.
Background technology
The cyberspace of an information system consists of countless nodes, each of which is an IT asset (or information asset) connected to the network. Information assets include host operating systems, network devices, security devices, databases, middleware and application components. Information assets are the most basic and most important carriers in information security management. As business within an enterprise grows and its informatization develops at high speed, the various business support platforms and management systems become ever more complex; information assets such as servers, storage devices, network devices and security devices keep growing in number and variety, which makes asset management harder for administrators. Over time, a large number of ownerless and zombie assets accumulate; left unmaintained for long periods, they carry many known vulnerabilities and configuration violations. Worse, these assets are hard to bring within the scope of administrators' daily maintenance, creating serious hidden dangers for enterprise security and becoming weak points of enterprise information security.
Taking the power grid as an example, once a security problem occurs in common power information equipment such as servers, switches, routers, power communication terminals and intelligent substation equipment, it affects the normal acquisition of power information and the regular supply of electric power services, which not only inconveniences people's daily production and life but can also cause great economic loss.
At present the country attaches ever greater importance to network security, and effective management of IT assets becomes correspondingly more important. IT assets are the most basic and most important carriers in information security management, so identifying IT assets and obtaining a comprehensive grasp of asset information with no blind spots is of great significance. At the same time, on the basis of a clear picture of the assets, it is necessary to perceive whether the protection against risks in cyberspace is effective: for example, whether the services run by a network device have known vulnerabilities, their physical addresses, the scope of influence of newly exposed vulnerabilities on network devices, and how to repair known vulnerabilities. This helps to accurately grasp the security state of the enterprise and to effectively resolve threat risks.
Meanwhile, with the rapid development of the internet, security vulnerabilities in various network assets and information systems are a major hidden danger to information security. Security vulnerabilities are a class of problems generated at each stage of an information system's life cycle (design, implementation, operation and maintenance, and so on) that can affect the security (confidentiality, integrity, availability) of the system. Because of software defects, misconfiguration of applications and IT equipment, conventional mistakes and other causes, new vulnerabilities appear every day. The current common practice of periodically running vulnerability scans with a vulnerability scanning system, or periodically performing security inspections, in order to discover and then repair and harden security vulnerabilities has the following deficiencies:
it relies on manual operation and lacks automated, standardized tools;
there is a lag between the discovery of a vulnerability and its disposal;
information about the information assets is not fully grasped, so it is difficult to discover and repair vulnerabilities promptly and accurately.
Therefore, how to establish a networked asset management and vulnerability governance system that collects networked asset information more promptly, effectively, reliably and accurately, and discovers and repairs security vulnerabilities in time, is an urgent problem to be solved in the prior art.
Invention content
The main object of the present invention is to provide, in view of the deficiencies of the prior art, a networked asset management and vulnerability governance system.
To achieve the above object, the present invention adopts the following technical solution:
A networked asset management and vulnerability governance system, comprising a networked asset information collection subsystem, the networked asset information collection subsystem comprising:
a basic information collection module, configured to discover networked hosts and perform fingerprint recognition of the host operating system, so as to detect the operating system type of a remote target host;
an application component fingerprint collection module, configured to discover fingerprint information of one or more application programs or components, including the version, service port and protocol interaction features of a web application or component;
a vulnerability sensing module, configured to perform perception analysis of the vulnerability of networked hosts and their systems, so as to discover the weak points of operating systems, services and application components and find vulnerabilities that may exist in networked hosts and their systems, services and application components;
a vulnerability disposal and repair tool module, which, operated by vulnerability governance personnel and/or running automatically, performs vulnerability disposal and/or repair for the vulnerabilities found in the networked hosts and their systems, services and application components, thereby realizing vulnerability governance.
Further:
The basic information collection module sends a series of TCP and UDP packets to the target host, receives the reply packets, inspects each data item in the reply packets, compares them against a fingerprint database, and detects the operating system type of the remote target host by analyzing the comparison.
The basic information collection module comprises:
a host detection submodule, configured to, according to a set strategy, convert the target area into an IP range by querying an IP address library, set up multiple scan processes and/or threads according to the scan settings, and probe the corresponding ports of the target machines; a port that receives a legal response packet is judged open, a host with at least one open port is judged alive, and the IP of each alive host, its open ports and protocol information are stored in a live host library; preferably, the set strategy includes the scan target area, scan protocols, port range, the scanning techniques used and evasion techniques;
a topology discovery submodule, configured to discover the nodes in the network and their interconnection relationships by sending specific probe packets; preferably, the nodes include routers and hosts;
a system fingerprint information collection submodule, configured to use a fingerprint database built for different operating systems and different protocol stacks to inspect the TCP and UDP reply packets of the target host and identify system and protocol fingerprint information;
a service fingerprint information collection submodule, configured to select the corresponding probe fingerprint from a service fingerprint library, send it to the corresponding port, and judge from the fingerprint in the returned packet whether the corresponding component is present.
The system fingerprint information collection submodule identifies different operating systems and devices using TCP/IP protocol stack fingerprints; preferably, the system fingerprint information collection submodule is configured to perform system identification in the following way:
analyze the features of various systems, establish the fingerprint features of known systems, and store these fingerprint features in a system fingerprint library as the sample database for fingerprint comparison;
initialize a system probe task, select the target host to probe, and then start the system probe task; the task selects one open port and one closed port, sends pre-set TCP/UDP/ICMP packets to them, inspects the returned packets and generates a system fingerprint from them; preferably, the target host is selected from the live hosts;
compare the fingerprint generated by probing with the system fingerprint library and search for a matching system;
preferably, if the system cannot be matched exactly, determine the possible system in a probabilistic manner.
The application component fingerprint collection module collects fingerprint information by performing one or more of recognition based on web services, server-side instructions, web development frameworks, web applications, front-end libraries and third-party components.
Web development frameworks are identified using component service detection techniques; application component page detection techniques and component service detection techniques detect which language technology the website back end uses; service component page detection techniques detect the web application, preferably by capturing one or several pages of the website and matching their fingerprints against the fingerprint library to identify the corresponding web application; and page detection techniques detect the web space, preferably including identification by the CLASSID of the page.
The vulnerability sensing module performs one or more of system vulnerability scanning, database vulnerability scanning and web application vulnerability scanning; preferably, the vulnerability sensing module automatically matches the scanned vulnerabilities against a vulnerability database built in the back end, and automatically confirms the CVE number of each vulnerability and whether an exploitation method exists.
Vulnerability scanning is based on port scanning technology: after the port scan, the open ports of the target host and the network services on those ports are known, and this information is matched against a pre-provided vulnerability database, checking whether a vulnerability satisfying the matching condition is present by simulating attack methods against the system; preferably, aggressive security vulnerability scanning is performed on the target host system, preferably using weak-password testing; if the simulated attack succeeds, the target host system has a security vulnerability.
Using rule-based matching technology, the network system vulnerability database that has been formed serves as the basis for building the corresponding matching rules, and the scanner program performs the vulnerability scanning work automatically; if a matching condition is satisfied, a vulnerability is considered present, and the result is returned to the client after detection completes; preferably, if no rule is matched, the network connection of the system is forbidden; preferably, the vulnerability data are separated from the scanning code so that the scanning engine can be updated.
The networked asset information collection subsystem further comprises one or more of the following modules:
a task management module, configured to receive task instructions, schedule the multiple collection modules to complete the corresponding tasks according to a strategy, dynamically monitor the running state information of each collection module in real time and perform load balancing and task allocation in real time, so as to ensure that each collection module works reasonably;
a data filtering module, configured to match the raw data according to the collection strategy and filter out redundant data;
a data transmission module, configured to send the collected data over a hidden subnet to a management subsystem connected to the networked asset information collection subsystem.
The networked asset management and vulnerability governance system further comprises one or more of the following subsystems:
a management subsystem, configured to provide data display, query analysis and operation management functions, and to provide data operators with a human-computer interaction interface for carrying out the corresponding business operations;
a vulnerability mining subsystem, configured to provide vulnerability mining tools and build a general operating environment for vulnerability mining, realizing vulnerability mining for target operating systems and target application software;
a vulnerability exploitation verification subsystem, configured to provide a verification environment for building vulnerabilities and vulnerability exploitation methods, verify vulnerabilities using samples, and assess the effect of the exploitation;
a security tool subsystem, configured to provide security tools, including performing penetration attacks against target operating systems and target applications and maintaining long-term control.
Beneficial effects of the present invention:
The present invention provides a networked asset management and vulnerability governance system. Through its networked asset information collection subsystem, it can promptly and reliably detect and discover the live hosts of a particular network area and collect information about their operating systems and application components. Through the vulnerability sensing module it performs targeted vulnerability information collection based on what the detection found, performs perception analysis of the vulnerability of networked hosts and application systems, discovers the weak points of operating systems, services and application components, provides data support and exploitable resources for penetration attack/testing, and finally locates the vulnerabilities that may exist in networked hosts and their systems, services and application components. Through the vulnerability disposal and repair tool module (which can be realized with well-known computer equipment such as a host and a display or other human-interface device, network devices, and the various information security processing software running on the computer), it performs vulnerability disposal and/or repair for the vulnerabilities found in networked hosts and their systems, services and application components, operated by vulnerability governance personnel and/or running automatically, thereby realizing vulnerability governance. Because the networked asset information collection subsystem of the present invention can accurately and reliably discover the security vulnerabilities of a networked information system, it provides favorable conditions and a good guarantee for rapid vulnerability governance and timely repair of the security vulnerabilities of the information system. At the same time, the present invention also realizes asset identification and management and provides a basis for detecting assets and perceiving asset changes.
Description of the drawings
Fig. 1 is a structural block diagram of the networked asset management and vulnerability governance system of an embodiment of the present invention;
Fig. 2 is an architecture diagram of the vulnerability scanning system based on a network system vulnerability database in a preferred embodiment of the present invention.
Detailed description of the embodiments
Embodiments of the present invention are described in detail below. It should be emphasized that the following description is merely exemplary and is not intended to limit the scope of the invention or its application.
Referring to Fig. 1, in one embodiment a networked asset management and vulnerability governance system comprises a networked asset information collection subsystem, which comprises: a basic information collection module, configured to discover networked hosts and perform fingerprint recognition of the host operating system so as to detect the operating system type of a remote target host; an application component fingerprint collection module, configured to discover fingerprint information of one or more application programs or components, including the version, service port and protocol interaction features of a web application or component; a vulnerability sensing module, configured to perform perception analysis of the vulnerability of networked hosts and application systems, so as to discover the weak points of operating systems, services and application components and find vulnerabilities that may exist in networked hosts and their systems, services and application components; and a vulnerability disposal and repair tool module, which, operated by vulnerability governance personnel and/or running automatically, performs vulnerability disposal and/or repair for the vulnerabilities found in networked hosts and their systems, services and application components, thereby realizing vulnerability governance. As those skilled in the art will appreciate, the vulnerability disposal and repair tool module of the present invention can be realized with well-known computer equipment such as a host with a display or other human-interface devices, network devices, and the various information security processing software running on the computer, and can execute vulnerability disposal and repair tasks by manual operation and/or automatic running.
Based on the present invention, a vulnerability governance control platform can be established that performs targeted vulnerability information collection according to the system type and application components of the networked hosts and carries out manual or automatic vulnerability remediation.
In some embodiments, the networked asset information collection subsystem uses basic network information collection (including host discovery, port scanning, operating system detection, application detection and an IP address library) together with vulnerability perception technology to discover the live hosts in a particular network area, collect their operating system type and version and their application component types and versions, and perform targeted vulnerability information collection according to system type and application components.
In some embodiments, the networked asset information collection subsystem can use techniques such as IP address positioning, host detection and port scanning, operating system and application type detection, network application scanning, vulnerability scanning, advanced evasion techniques (AET) and firewall/IDS evasion to realize networked asset information collection.
In an exemplary embodiment, the networked asset information collection subsystem comprises a basic information collection module, an application component fingerprint collection module and a vulnerability sensing module.
(1) Basic information collection module
This module is configured to discover networked hosts and perform fingerprint recognition of the host operating system. It sends a series of TCP and UDP packets to the target host, receives the reply packets, inspects each data item in the replies, compares them against a fingerprint database, and finally detects the operating system type of the remote target host by analyzing the comparison.
In a preferred embodiment, the basic information collection module specifically comprises:
Host detection submodule: according to the strategy set by the user, which includes the scan target area, scan protocols, port range, the scanning techniques used and evasion techniques, the host detection module converts the target area into an IP range by querying the IP address library, starts multiple scan processes (threads) according to the scan settings, and probes the corresponding ports of the target machines. A port that receives a legal response packet is judged open; a host with at least one open port is judged alive; and the IP of each alive host, its open ports and protocol information are stored in the live host library.
Topology discovery submodule: a network topology is a representation of the interconnection relationships between the interconnected entities in a network. The topology is usually modeled as a graph in which nodes represent devices (routers, hosts, etc.) and edges represent connection relationships (physical or logical). Topology discovery sends specific probe packets to discover the nodes in the network and their interconnection relationships.
System fingerprint information collection submodule: using a fingerprint database built for different operating systems and different protocol stacks, it inspects the TCP and UDP reply packets of the target host and identifies system and protocol fingerprint information.
This system preferably uses TCP/IP protocol stack fingerprints to identify different operating systems and devices. The RFC specifications leave some aspects of TCP/IP implementation unmandated, so different TCP/IP implementations may handle them in their own specific ways. This system judges the operating system type mainly from differences in these details. In a preferred embodiment, the specific implementation is as follows:
First, the features of various systems are analyzed, the fingerprint features of known systems are established, and these fingerprint features are stored in a system fingerprint library as the sample database for fingerprint comparison;
A system probe task is initialized and the target host to probe is selected (preferably from the live hosts, to avoid useless probing), then the system probe task is started; the task selects one open port and one closed port, sends the pre-set TCP/UDP/ICMP packets to them, and generates a system fingerprint from the returned packets;
The fingerprint generated by probing is compared with the system fingerprint library to find the matching system;
If no match is found, the possible systems are listed with probabilities.
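The comparison step of the system fingerprint submodule (here and in the summary above), as an added example that is not the patent's code: the two probe replies are assumed to have already been parsed into attribute dictionaries, no packets are sent, and the fingerprint library, attribute names and weights are constructed sample data, not real operating-system signatures.

```python
"""Fingerprint comparison for the system fingerprint submodule.

Added example, not the patent's code. The open-port and closed-port probe
replies are assumed to be already-parsed attribute dictionaries; nothing is
sent on the network. FINGERPRINT_LIBRARY and WEIGHTS are constructed sample
data, not real operating-system signatures.
"""
from dataclasses import dataclass

# Attributes recorded from the open-port and closed-port probes, and the weight
# each carries when no exact match is possible (constructed weighting).
WEIGHTS = {
    "open.ttl": 2.0,         # initial TTL inferred from the SYN/ACK
    "open.window": 2.0,      # advertised TCP window size
    "open.df": 1.0,          # don't-fragment flag set on the reply
    "open.options": 3.0,     # order of TCP options in the SYN/ACK
    "closed.tcp_rst": 1.0,   # closed TCP port answers with RST
    "closed.udp_icmp": 1.0,  # closed UDP port answers ICMP port unreachable
}


@dataclass
class Fingerprint:
    name: str    # system label in the fingerprint library
    attrs: dict  # attribute name -> expected value


# Constructed system fingerprint library (the sample database for comparison).
FINGERPRINT_LIBRARY = [
    Fingerprint("sample-os-A", {"open.ttl": 64, "open.window": 29200, "open.df": True,
                                "open.options": "MSS,SACK,TS,NOP,WS",
                                "closed.tcp_rst": True, "closed.udp_icmp": True}),
    Fingerprint("sample-os-B", {"open.ttl": 128, "open.window": 8192, "open.df": True,
                                "open.options": "MSS,NOP,WS,NOP,NOP,SACK",
                                "closed.tcp_rst": True, "closed.udp_icmp": True}),
    Fingerprint("sample-os-C", {"open.ttl": 255, "open.window": 65535, "open.df": False,
                                "open.options": "MSS,NOP,WS,SACK,TS",
                                "closed.tcp_rst": True, "closed.udp_icmp": False}),
]


def build_fingerprint(open_reply: dict, closed_reply: dict) -> dict:
    """Flatten the two probe replies into the attribute form used by the library."""
    fp = {f"open.{k}": v for k, v in open_reply.items()}
    fp.update({f"closed.{k}": v for k, v in closed_reply.items()})
    return fp


def score(probe: dict, known: Fingerprint) -> float:
    """Weighted fraction of the library entry's attributes that the probe reproduces."""
    total = sum(WEIGHTS[a] for a in known.attrs)
    hit = sum(WEIGHTS[a] for a, v in known.attrs.items() if probe.get(a) == v)
    return hit / total


def identify(probe: dict, library=FINGERPRINT_LIBRARY, min_score=0.3) -> list:
    """Return [(system name, probability)] sorted by descending probability.

    An exact match yields a single entry with probability 1.0. Otherwise every
    candidate scoring at least min_score is kept and the scores are normalized
    into probabilities, which is the "determine the possible system in a
    probabilistic manner" step; an empty list means nothing plausible matched.
    """
    exact = [k for k in library if all(probe.get(a) == v for a, v in k.attrs.items())]
    if exact:
        return [(exact[0].name, 1.0)]
    scored = [(k.name, score(probe, k)) for k in library]
    scored = [(n, s) for n, s in scored if s >= min_score]
    norm = sum(s for _, s in scored)
    if norm == 0:
        return []
    return sorted(((n, s / norm) for n, s in scored), key=lambda t: -t[1])
```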
Service fingerprint information collection submodule: it selects the corresponding probe fingerprint from the service fingerprint library, sends it to the corresponding port, and judges from the fingerprint match in the returned packet whether the corresponding component is present.
(2) Application component fingerprint collection module
This module is configured to discover fingerprint information such as the version, service port and protocol interaction features of web applications or components.
This module supports recognition based on web services, server-side instructions, web development frameworks, web applications, front-end libraries, third-party components and the like.
A web development framework is a kind of service program: the server provides services externally through a port and handles the requests sent by clients, for example the Tomcat container in Java, or the IIS or PWS framework for ASP. By using component service detection technology this module can identify web development frameworks; for example, a Tomcat framework can be detected by sending the fingerprint "URI/status".
This module can use application component page detection technology and service component detection technology to detect which language the website back end uses; the specific methods include judging from fingerprints such as meta information, script tags, header information, session information and certain page contents, including error pages.
This module can use service component page detection technology to realize detection of web applications: by capturing one or several pages of the website and matching their fingerprints against the fingerprint library, the corresponding web application can be identified.
Page detection technology can be used to detect the web space, for example by identifying the CLASSID of the page.
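The page-fingerprint matching described above (header information, meta information and script tags), as an added example that is not the patent's code: it runs over a captured HTTP response rather than fetching anything, and the rule library, component names and the sample response are constructed, not a real fingerprint database.

```python
"""Web component fingerprinting from a captured page.

Added example, not the patent's code. It works on a raw HTTP response that was
captured earlier (constructed below as a string) and matches the fingerprint
kinds the module lists: header information, meta information and script tags.
RULES is a constructed library with hypothetical product names.
"""
import re
from typing import NamedTuple


class Rule(NamedTuple):
    component: str  # component name recorded in the asset inventory
    kind: str       # "framework", "application" or "frontend-library"
    where: str      # "header:<name>", "meta:<name>" or "script"
    pattern: str    # regex; optional group 1 captures the version


# Constructed fingerprint library (hypothetical products, not real signatures).
RULES = [
    Rule("ExampleContainer", "framework", "header:server", r"ExampleContainer/?([\d.]+)?"),
    Rule("ExampleCMS", "application", "meta:generator", r"ExampleCMS ([\d.]+)"),
    Rule("example-ui", "frontend-library", "script", r"example-ui[-.]([\d.]+)\.min\.js"),
    Rule("ExampleFramework", "framework", "header:x-powered-by", r"ExampleFramework/([\d.]+)"),
]


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return lines[0], headers, body


def extract_meta(body: str) -> dict:
    """Collect <meta name=... content=...> pairs, keys lower-cased."""
    meta = {}
    for m in re.finditer(r'<meta\s+name="([^"]+)"\s+content="([^"]*)"', body, re.I):
        meta[m.group(1).lower()] = m.group(2)
    return meta


def extract_scripts(body: str) -> list:
    """Collect the src attribute of every <script> tag."""
    return re.findall(r'<script[^>]+src="([^"]+)"', body, re.I)


def fingerprint_page(raw: str) -> list:
    """Return [(component, kind, version or None)] for every rule that matches.

    A rule whose version group did not capture anything still reports the
    component, with version None, so an unversioned banner is not lost.
    """
    _, headers, body = parse_response(raw)
    meta = extract_meta(body)
    scripts = extract_scripts(body)
    found = []
    for rule in RULES:
        source, _, key = rule.where.partition(":")
        if source == "header":
            candidates = [headers.get(key, "")]
        elif source == "meta":
            candidates = [meta.get(key, "")]
        else:
            candidates = scripts
        for text in candidates:
            m = re.search(rule.pattern, text)
            if m:
                version = m.group(1) if m.groups() else None
                found.append((rule.component, rule.kind, version))
                break
    return found


# Constructed sample response; not captured from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleContainer/9.0.1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="ExampleCMS 4.2">'
    '<script src="/static/example-ui-3.1.0.min.js"></script></head>'
    "<body>constructed page</body></html>"
)
```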
(3) Vulnerability sensing module
This module is configured to perceive and analyze the vulnerability of networked hosts and application systems and to discover the weak points of operating systems, services and application components. It integrates multiple tools such as system vulnerability scanning, database vulnerability scanning and web application vulnerability scanning, can automatically match vulnerabilities against the vulnerability database built in the back end, and automatically confirms the CVE number of each vulnerability and whether an exploitation method exists.
In a preferred embodiment, the vulnerability sensing module has a vulnerability scanning architecture based on a network system vulnerability database, as shown in Fig. 2.
Vulnerability scanning technology is built on the basis of port scanning technology. Analysis and collection of attack vulnerabilities shows that the overwhelming majority target a particular network service, that is, a particular port. Therefore, in the preferred embodiment, the vulnerability scanning technology used carries out its scan with the same approach as port scanning. The vulnerability scanning technology preferably checks whether the target host has vulnerabilities by the following method: after the port scan, the open ports of the target host and the network services on those ports are known, and this information is matched against the vulnerability database provided by the network vulnerability scanning system; by simulating attack methods against the system, it checks whether a vulnerability satisfying the matching condition is present. Preferably, aggressive security vulnerability scanning such as weak-password testing is performed on the target host system; if the simulated attack succeeds, the target host system has a security vulnerability.
This system uses rule-based matching technology: based on security experts' analysis of network system security vulnerabilities and hacker attack cases, and on their practical experience in configuring network system security for system administrators, a standard network system vulnerability library is formed; on this basis the corresponding matching rules are built, and the scanner program actively performs the vulnerability scanning work. Preferably, if no rule is matched, the network connection of the system is forbidden.
In a preferred embodiment, matching is performed against the system vulnerability library provided by the vulnerability scanning system, and if the conditions are met a vulnerability is considered present. After the server completes detection, the result is returned to the client and an intuitive report is generated. The rule matching library on the server side can be a collection of many shared routines storing the various scanning attack methods. The vulnerability data are separated from the scanning code so that users can update the scanning engine themselves.
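The rule-based matching step of the vulnerability sensing module (here and in the summary above), as an added example that is not the patent's code: it matches inventory records of the form stored by the basic information module against a vulnerability library that is kept as data separate from the matching code, and reports the CVE number and exploit-availability flag per finding. The products, version ranges, hosts and CVE identifiers are constructed placeholders, not real advisories.

```python
"""Rule-based vulnerability matching for the vulnerability sensing module.

Added example, not the patent's code. The matching logic is generic and the
vulnerability data is loaded from a JSON document, which is the "vulnerability
data separated from scanning code" design the text describes. Products, hosts
and CVE identifiers (CVE-0000-000x) are constructed placeholders.
"""
import json
import re
from typing import NamedTuple, Optional


def parse_version(text: str) -> tuple:
    """'2.4.49' -> (2, 4, 49); a trailing suffix such as 'rc1' is ignored."""
    parts = []
    for p in text.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def _pad(a: tuple, b: tuple):
    """Right-pad the shorter tuple with zeros so (2, 4) and (2, 4, 0) compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_range(version: str, introduced: Optional[str], fixed: Optional[str]) -> bool:
    """introduced <= version < fixed; a bound given as None is open."""
    v = parse_version(version)
    if introduced is not None:
        lo, vv = _pad(parse_version(introduced), v)
        if vv < lo:
            return False
    if fixed is not None:
        hi, vv = _pad(parse_version(fixed), v)
        if vv >= hi:
            return False
    return True


class Finding(NamedTuple):
    host: str
    port: int
    product: str
    version: str
    cve: str
    has_exploit: bool
    fixed_in: Optional[str]


# Constructed vulnerability library, kept as data rather than code.
VULN_LIBRARY_JSON = """
[
 {"product": "exampled", "introduced": "2.0", "fixed": "2.4.50",
  "cve": "CVE-0000-0001", "has_exploit": true},
 {"product": "exampled", "introduced": null, "fixed": "2.4.52",
  "cve": "CVE-0000-0002", "has_exploit": false},
 {"product": "sampledb", "introduced": "5.0", "fixed": "5.7.30",
  "cve": "CVE-0000-0003", "has_exploit": true}
]
"""


def load_rules(document: str) -> list:
    """Parse the vulnerability library; swapping the document updates the rules."""
    return json.loads(document)


def match_services(services: list, rules: list) -> list:
    """services: [(host, port, product, version)] from the live host library."""
    findings = []
    for host, port, product, version in services:
        for r in rules:
            if r["product"] != product:
                continue
            if version_in_range(version, r["introduced"], r["fixed"]):
                findings.append(Finding(host, port, product, version,
                                        r["cve"], r["has_exploit"], r["fixed"]))
    return findings


def summarize(findings: list) -> dict:
    """Per host: (number of findings, number with a known exploitation method)."""
    out = {}
    for f in findings:
        total, exploitable = out.get(f.host, (0, 0))
        out[f.host] = (total + 1, exploitable + int(f.has_exploit))
    return out


# Constructed inventory records in the form the basic information module stores.
SAMPLE_SERVICES = [
    ("10.0.0.5", 80, "exampled", "2.4.49"),
    ("10.0.0.5", 3306, "sampledb", "5.7.31"),
    ("10.0.0.9", 80, "exampled", "2.4.51"),
    ("10.0.0.9", 443, "exampled", "2.4.52"),
]
```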
In a more preferred embodiment, present networks assets information collection subsystem can also include task management module.
(4) task management module
Task management module is configured to receive assignment instructions, and dispatches multiple collection modules and complete corresponding appoint by strategy Business, task management module need dynamically to monitor the running state information of each collection module in real time and carry out task in real time Load balancing and allotment, to ensure that each collection module can reasonably work.
In a more preferred embodiment, the networked asset information collection subsystem may also include a data filtering module.
(5) data filtering module
The data filtering module is configured to match the raw data against the acquisition strategy and to filter out redundant data.
In a more preferred embodiment, the networked asset information collection subsystem may also include a data transmission module.
(6) data transmission module
The data transmission module is configured to send the collected data to the management subsystem over a hidden subnet.
The networked asset management and loophole governing system of the present invention uses the networked asset information collection subsystem of the above embodiments. That subsystem can detect and discover the live hosts in a particular network area, collect information about their operating systems and application components, and carry out targeted collection of vulnerability information, providing data support and usable resources for subsequent penetration attack/testing. The system of the present invention can therefore acquire networked asset information more promptly, effectively, reliably and accurately, and so discover and repair security vulnerabilities in information systems in a more timely manner.
In a preferred embodiment, the networked asset management and loophole governing system may also include one or more of the following subsystems:
a management subsystem, configured to provide data display, query analysis and operation management functions, and to provide data operators with a human-computer interaction interface for carrying out the corresponding business operations;
a vulnerability mining subsystem, configured to provide vulnerability mining tools, build a general operating environment for vulnerability mining, and carry out vulnerability mining on target operating systems and target application software;
a vulnerability exploitation verification subsystem, configured to provide a verification environment for constructing vulnerabilities and exploitation methods, to verify exploitation samples, and to assess the effect of exploitation;
a security tool subsystem, configured to provide security tools, including carrying out penetration attacks against target operating systems and target applications and maintaining long-term control.
Preferably but not necessarily, as shown in Figure 1, the networked asset management and loophole governing system of the present invention includes a networked asset information collection subsystem and a management subsystem. Specifically, the management subsystem can provide data display for the results of the information collection subsystem, the vulnerability mining subsystem, the vulnerability exploitation verification subsystem and the security tool subsystem, can carry out operation management of those systems, and also provides a query-analysis work system. This work system comprises a rule-managed task-processing environment and a series of interactive analysis tools through which analysts can complete various data-analysis tasks. In addition, the system has separate operation desktops (workbenches) and aggregated information display interfaces for users with different permissions. Finally, the system completes the configuration management of the whole data area and the analytical display and reporting of all kinds of data, and gives data operators a human-computer interaction interface for carrying out the corresponding business operations.
Preferably but not necessarily, the networked asset management and loophole governing system of the invention may further include a vulnerability mining subsystem. Based on typical vulnerability mining techniques, it integrates existing vulnerability mining tools and develops customized ones, builds a general operating environment for vulnerability mining, carries out vulnerability mining on target operating systems and target application software, and develops exploitation samples for newly discovered vulnerabilities.
Preferably but not necessarily, the networked asset management and loophole governing system of the invention may further include a vulnerability exploitation verification subsystem. It can build a verification environment for vulnerabilities and exploitation methods, verify exploitation samples, and assess the effect of exploitation.
Preferably but not necessarily, the networked asset management and loophole governing system of the invention may further include a security tool subsystem. It can develop customized security tools to carry out penetration attacks against target operating systems and target applications and to maintain long-term control.
In further embodiments, a networked asset management and vulnerability governance method uses the asset identification system of any of the foregoing embodiments to search out the vulnerabilities that may exist in networked hosts and their systems, services and application components, and carries out vulnerability disposal and repair for the vulnerabilities found, so as to achieve rapid vulnerability governance.
The above content further describes the present invention in combination with specific/preferred embodiments, and it cannot be taken to confine the specific implementation of the present invention to these descriptions. Those of ordinary skill in the art to which the present invention belongs may make some replacements or modifications to the embodiments described without departing from the inventive concept, and all such replacements or variants shall be regarded as falling within the scope of protection of the present invention.

Claims (10)

1. A networked asset management and loophole governing system, comprising a networked asset information collection subsystem, characterized in that the networked asset information collection subsystem comprises:
a basic information collection module, configured to discover networked hosts and perform fingerprint recognition of host operating systems, so as to detect the operating system type of a remote target host;
an application component fingerprint collection module, configured to discover fingerprint information of one or more applications or components, including the version, service port and protocol interaction features of web applications or components;
a vulnerability sensing module, configured to perform perception analysis of the vulnerability of networked hosts and their systems, so as to find the weak points of operating systems, services and application components and discover the vulnerabilities that may exist in networked hosts and their systems, services and application components;
a vulnerability disposal and repair tool module which, by operation of vulnerability governance personnel and/or by automatic running, carries out vulnerability disposal and/or repair for the vulnerabilities found in networked hosts and their systems, services and application components, so as to achieve vulnerability governance.
2. The asset management system as claimed in claim 1, characterized in that the basic information collection module sends a series of TCP and UDP packets to the target host, receives the reply packets, detects each data item in the reply packets, compares them with a fingerprint database, and detects the operating system type of the remote target host by analysing the comparison.
3. The networked asset management and loophole governing system as claimed in claim 1 or 2, characterized in that the basic information collection module comprises:
a host detection submodule, configured to convert the target area into IP ranges by querying an IP address library according to a set strategy, set up multiple scanning processes and/or threads according to the scan, and probe the corresponding ports of the target machines; a port that receives a response packet satisfying a rule is judged open, and a host with at least one open port is judged alive; the IP, open ports and protocol information of live hosts are stored in a live-host library; preferably, the set strategy includes the target area to scan, the scanning protocol, the port range, the scanning technique used and the evasion technique;
a topology discovery submodule, configured to send specific probe packets to discover each node in the network and their interconnection relationships; preferably, the nodes include routers and hosts;
a system fingerprint information collection submodule, configured to use a fingerprint database built for different operating systems and different protocol stacks to probe the TCP and UDP reply packets of the target host and identify system and protocol fingerprint information;
a service fingerprint information collection submodule, configured to select the corresponding probe fingerprint from a service fingerprint library, send it to the corresponding port, and match the fingerprint in the returned packet to judge whether the corresponding component is present.
4. The networked asset management and loophole governing system as claimed in claim 3, characterized in that the system fingerprint information collection submodule identifies different operating systems and devices using TCP/IP protocol stack fingerprints; preferably, the system fingerprint information collection submodule is configured to perform system identification in the following way:
analysing the features of various systems, establishing the fingerprint features of known systems, and storing these fingerprint features in a system fingerprint library as the sample database for fingerprint comparison;
initializing a system probe task, selecting the target host to probe, and then activating the system probe task; the task selects one open port and one closed port, sends pre-set TCP/UDP/ICMP packets to them, detects the returned packets and generates a system fingerprint from the returned packets; preferably, the target host is selected from the live hosts;
comparing the generated fingerprint with the system fingerprint library to find the matching system;
preferably, if the system cannot be matched exactly, the possible system is determined in a probabilistic manner.
5. The networked asset management and loophole governing system as claimed in any one of claims 1 to 4, characterized in that the application component fingerprint collection module collects fingerprint information by performing one or more of web service, server-side, web development framework, web application, front-end library and third-party component identification, wherein web development frameworks are identified using component service detection techniques, wherein the language used by the website back end is detected using application component page detection techniques and component service detection techniques, wherein web applications are detected using service component page detection techniques, preferably by capturing one or several pages of the website and identifying the corresponding web application by matching against the fingerprints in a fingerprint library, and wherein web space is detected using page detection techniques, which preferably include identification by the CLASSID of the page.
6. The networked asset management and loophole governing system as claimed in any one of claims 1 to 5, characterized in that the vulnerability sensing module performs one or more of system vulnerability scanning, database vulnerability scanning and web application vulnerability scanning; preferably, the vulnerability sensing module automatically matches the scanned vulnerabilities against a vulnerability database established in the back end, and automatically confirms the CVE number of each vulnerability and whether an exploitation method exists.
7. The networked asset management and loophole governing system as claimed in claim 6, characterized in that vulnerability scanning is based on port-scanning technology: after the port scan, the open ports of the target host and the network services on those ports are known, and this information is matched against a vulnerability database provided in advance, wherein it is checked, by simulating attack methods against the system, whether a vulnerability satisfying the matching condition exists; preferably, an aggressive security scan is performed on the target host system, preferably by testing for weak passwords, and if the simulated attack succeeds, the target host system has a security vulnerability.
8. The networked asset management and loophole governing system as claimed in claim 6 or 7, characterized in that rule-based matching is used: corresponding matching rules are built on the basis of the network-system vulnerability database that has been formed, the scanner program automatically carries out the vulnerability-scanning work, a vulnerability is deemed present if the matching condition is satisfied, and the result is returned to the client after detection is complete; preferably, if no rule is matched, the system's network connection is forbidden; preferably, the vulnerability data are separated from the scanning code so that the scanning engine can be updated.
9. The networked asset management and loophole governing system as claimed in any one of claims 1 to 8, characterized in that the networked asset information collection subsystem further comprises one or more of the following modules:
a task management module, configured to receive task instructions, schedule the collection modules to complete the corresponding tasks according to a strategy, dynamically monitor the running-state information of each collection module in real time, and perform real-time load balancing and allocation of tasks, so that every collection module can work reasonably;
a data filtering module, configured to match the raw data against the acquisition strategy and filter out redundant data;
a data transmission module, configured to send the collected data over a hidden subnet to a management subsystem connected to the networked asset information collection subsystem.
10. The networked asset management and loophole governing system as claimed in any one of claims 1 to 9, characterized in that it further comprises one or more of the following subsystems:
a management subsystem, configured to provide data display, query analysis and operation management functions, and to provide data operators with a human-computer interaction interface for carrying out the corresponding business operations;
a vulnerability mining subsystem, configured to provide vulnerability mining tools, build a general operating environment for vulnerability mining, and carry out vulnerability mining on target operating systems and target application software;
a vulnerability exploitation verification subsystem, configured to provide a verification environment for constructing vulnerabilities and exploitation methods, to verify exploitation samples, and to assess the effect of exploitation;
a security tool subsystem, configured to provide security tools, including carrying out penetration attacks against target operating systems and target applications and maintaining long-term control.
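The system-identification procedure of claim 4 (and the fingerprint comparison of claim 2), as an added example that is not the patent's own code: a fingerprint derived from the replies to an open-port probe, a closed-port probe and an ICMP probe is looked up exactly in a system fingerprint library, with a weighted probabilistic fallback when no entry matches exactly. The feature set, the weights and the library entries are constructed, and the probe replies are embedded constants rather than live traffic.

```python
"""TCP/IP stack fingerprint matching (claim 4): build a fingerprint from the
replies to an open-port, a closed-port and an ICMP probe, look it up exactly
in the system fingerprint library, and fall back to a weighted probabilistic
match. Added example, not the patent's code; features, weights, library
entries and the sample replies are all constructed, and nothing is sent."""
from typing import Dict, List, Optional, Tuple

# Per-feature weights for the probabilistic fallback (constructed): TCP
# option order and window size discriminate stacks best, so they weigh more.
WEIGHTS = {"init_ttl": 1.0, "df": 1.0, "win": 2.0, "opts": 3.0,
           "rst_on_closed": 1.0, "icmp_tos_zeroed": 1.0}

# Constructed system fingerprint library: system name -> expected features.
FINGERPRINT_LIBRARY: Dict[str, Dict] = {
    "ConstructedOS-A": {"init_ttl": 64, "df": True, "win": 29200,
                        "opts": "M,S,T,N,W", "rst_on_closed": True,
                        "icmp_tos_zeroed": True},
    "ConstructedOS-B": {"init_ttl": 128, "df": True, "win": 8192,
                        "opts": "M,N,W,N,N,S", "rst_on_closed": True,
                        "icmp_tos_zeroed": False},
    "ConstructedDevice-C": {"init_ttl": 255, "df": False, "win": 4096,
                            "opts": "M", "rst_on_closed": False,
                            "icmp_tos_zeroed": True},
}


def initial_ttl(observed_ttl: int) -> int:
    """Each router hop decrements TTL by one, so a reply's TTL is mapped to
    the nearest common initial value (64, 128, 255) at or above it."""
    for candidate in (64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def build_fingerprint(open_reply: Dict, closed_reply: Optional[Dict],
                      icmp_reply: Optional[Dict]) -> Dict:
    """Derive the feature set from the three replies. closed_reply or
    icmp_reply is None when the target (or a filter in front of it) did not
    answer; a feature that cannot be observed is left out of the fingerprint."""
    fp = {"init_ttl": initial_ttl(open_reply["ttl"]),
          "df": open_reply["df"], "win": open_reply["win"],
          "opts": open_reply["opts"],
          "rst_on_closed": closed_reply is not None
          and closed_reply.get("flags") == "R"}
    if icmp_reply is not None:
        fp["icmp_tos_zeroed"] = icmp_reply["tos"] == 0
    return fp


def exact_match(fp: Dict, library: Dict[str, Dict]) -> Optional[str]:
    """Third step of claim 4: an entry whose every feature the probe reproduced."""
    for name, ref in library.items():
        if all(fp.get(k) == v for k, v in ref.items()):
            return name
    return None


def agreement(fp: Dict, ref: Dict) -> float:
    """Weighted share of the observed features that agree with ref; features
    missing from fp count neither for nor against the entry."""
    total = sum(WEIGHTS[k] for k in ref if k in fp)
    agreed = sum(WEIGHTS[k] for k in ref if k in fp and fp[k] == ref[k])
    return agreed / total if total else 0.0


def probabilistic_match(fp: Dict, library: Dict[str, Dict], threshold: float = 0.5
                        ) -> Tuple[Optional[str], List[Tuple[str, float]]]:
    """Fallback of claim 4: rank the systems by agreement and accept the best
    one only above the threshold, otherwise report no match."""
    ranked = sorted(((n, agreement(fp, r)) for n, r in library.items()),
                    key=lambda kv: kv[1], reverse=True)
    best, score = ranked[0]
    return (best if score >= threshold else None), ranked


def identify(fp: Dict, library: Dict[str, Dict] = FINGERPRINT_LIBRARY
             ) -> Tuple[str, float, str]:
    """Returns (system, confidence, how): exact hits carry confidence 1.0,
    probabilistic hits their agreement score, and unknown systems 0.0."""
    name = exact_match(fp, library)
    if name is not None:
        return name, 1.0, "exact"
    best, ranked = probabilistic_match(fp, library)
    if best is None:
        return "unknown", 0.0, "no match"
    return best, dict(ranked)[best], "probabilistic"


# Constructed probe replies: (open-port SYN/ACK, closed-port reply, ICMP echo).
SAMPLE_EXACT = ({"ttl": 61, "df": True, "win": 29200, "opts": "M,S,T,N,W"},
                {"flags": "R"}, {"tos": 0})
SAMPLE_PARTIAL = ({"ttl": 120, "df": True, "win": 65535, "opts": "M,N,W,N,N,S"},
                  None, None)  # closed-port and ICMP probes went unanswered
SAMPLE_UNKNOWN = ({"ttl": 50, "df": False, "win": 1024, "opts": "M,W"},
                  None, None)

if __name__ == "__main__":
    for sample in (SAMPLE_EXACT, SAMPLE_PARTIAL, SAMPLE_UNKNOWN):
        print(identify(build_fingerprint(*sample)))
```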
CN201810395830.7A 2018-04-27 2018-04-27 Networked asset management and loophole governing system Pending CN108712396A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810395830.7A CN108712396A (en) 2018-04-27 2018-04-27 Networked asset management and loophole governing system

Publications (1)

Publication Number Publication Date
CN108712396A true CN108712396A (en) 2018-10-26

Family

ID=63868710

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181026