CN111901327B - Cloud network vulnerability mining method and device, electronic equipment and medium

Info

Publication number: CN111901327B
Authority: CN (China)
Prior art keywords: vulnerability, data, target, determining, test
Legal status: Active
Application number: CN202010706037.1A
Other languages: Chinese (zh)
Other versions: CN111901327A
Inventor: 熊昊
Current assignee: Ping An Technology Shenzhen Co Ltd
Original assignee: Ping An Technology Shenzhen Co Ltd

Events
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN202010706037.1A
Priority to PCT/CN2020/122283 (WO2021135532A1)
Publication of CN111901327A
Application granted
Publication of CN111901327B
Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1433 Vulnerability analysis
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L69/22 Parsing or analysis of headers

Abstract

The invention relates to testing technology and provides a cloud network vulnerability mining method, a cloud network vulnerability mining device, electronic equipment and a cloud network vulnerability mining medium. The method includes: determining a tested object according to a vulnerability mining request; determining the application field to which the tested object belongs and obtaining a flow packet from the application field; analyzing the flow packet to obtain a target field and a target protocol; generating test data according to the target field and the target protocol; testing the tested object by using the test data to obtain a test result; determining the test data whose test result is an abnormal result as target data; determining the vulnerability type and the vulnerability grade to which the target data belongs; and storing the mapping relation among the target data, the vulnerability type and the vulnerability grade to obtain a vulnerability data table. The method and the device can improve the generation efficiency of the test data and the mining efficiency of vulnerability mining. In addition, the invention also relates to blockchain technology, and the vulnerability data table can be stored in the blockchain.

Description

Cloud network vulnerability mining method and device, electronic equipment and medium
Technical Field
The invention relates to the technical field of testing, in particular to a cloud network vulnerability mining method and device, electronic equipment and a medium.
Background
In the development of cloud underlying network products, security testing of the products is an essential step. At present, fuzz testing is usually adopted to test newly developed cloud underlying network products. In the existing fuzz testing method, when the source code of the tested network product is unknown, test data is constructed by a brute-force method, and the constructed test data is used to test the tested network product. However, test data constructed by the brute-force method is random, so the test result is also random to some degree, which is unfavorable for evaluating the test result. In addition, constructing test data by the brute-force method is inefficient, so the efficiency of vulnerability mining is low.
Disclosure of Invention
In view of the above, it is necessary to provide a cloud network vulnerability mining method, apparatus, electronic device and medium, which can improve not only the generation efficiency of test data but also the mining efficiency of vulnerability mining.
A cloud network vulnerability mining method comprises the following steps:
when a vulnerability mining request is received, determining a tested object according to the vulnerability mining request;
determining the application field of the tested object and obtaining a flow packet from the application field;
analyzing the flow packet to obtain a target field and a target protocol;
generating test data according to the target field and the target protocol;
testing the tested object by using the test data to obtain a test result, wherein the test result comprises an abnormal result;
determining the test data with the test result being the abnormal result as target data;
and determining the vulnerability type to which the target data belongs, and determining the vulnerability grade to which the target data belongs according to the vulnerability type and the abnormal result.
According to a preferred embodiment of the present invention, the determining the tested object according to the vulnerability mining request includes:
acquiring all idle threads from a preset thread connection pool, and acquiring the processing rate of each idle thread;
determining the highest processing rate among the processing rates, and determining the idle thread corresponding to the highest processing rate as a target thread;
analyzing the method body of the vulnerability mining request by using the target thread to obtain the data information carried by the vulnerability mining request;
acquiring a preset tag;
acquiring the information corresponding to the preset tag from the data information as an object identifier;
and determining the tested object according to the object identifier.
According to a preferred embodiment of the present invention, the acquiring the flow packet from the application field includes:
detecting whether any data packet in the application field carries a processing request;
when it is detected that the data packet carries a processing request, determining the data packet as an effective data packet, and acquiring the effective data packet;
counting the acquired quantity of effective data packets;
and when the acquired quantity is larger than a preset quantity, stopping acquiring effective data packets, and determining the acquired effective data packets as the flow packets.
According to a preferred embodiment of the present invention, the analyzing the flow packet to obtain the target field and the target protocol includes:
splitting the flow packet to obtain a message header and flow data;
acquiring all first tags in the message header;
analyzing the protocol to which the first tags belong, and determining the analyzed protocol as the target protocol;
and acquiring all second tags in the flow data, and determining the second tags as the target fields.
According to a preferred embodiment of the present invention, the generating test data according to the target field and the target protocol comprises:
generating a data template corresponding to the target protocol;
selecting a field matched with the target protocol from the target field as a data field;
randomly splicing the data fields to obtain a field pair, wherein the field pair comprises a plurality of data fields;
and filling the field pairs into the data template to obtain the test data.
According to a preferred embodiment of the present invention, the determining the vulnerability type to which the target data belongs and determining the vulnerability grade to which the target data belongs according to the vulnerability type and the abnormal result includes:
acquiring the test time of the target data, and acquiring a test log from the tested object;
acquiring the abnormal description corresponding to the test time from the test log;
determining the vulnerability type according to the abnormal description;
determining the vulnerability description corresponding to the vulnerability type from a configuration table;
and when it is detected that the vulnerability description is the same as the abnormal description, determining the grade corresponding to the vulnerability description as the vulnerability grade.
According to a preferred embodiment of the present invention, after the vulnerability grade to which the target data belongs has been determined according to the vulnerability type and the abnormal result, the method further includes:
storing the mapping relation among the target data, the vulnerability type and the vulnerability grade to obtain a vulnerability data table;
acquiring a request number of the vulnerability mining request;
generating prompt information according to the request number and the vulnerability data table;
encrypting the prompt information by adopting a symmetric encryption algorithm to obtain a ciphertext;
determining a request grade according to the request number, and determining a sending mode according to the request grade;
and sending the ciphertext to the terminal equipment of the appointed contact person in the sending mode.
A cloud network vulnerability mining device, the cloud network vulnerability mining device comprising:
a determining unit, which is used for determining a tested object according to a vulnerability mining request when the vulnerability mining request is received;
an acquisition unit, which is used for determining the application field of the tested object and acquiring a flow packet from the application field;
the analysis unit is used for analyzing the flow packet to obtain a target field and a target protocol;
the generating unit is used for generating test data according to the target field and the target protocol;
the test unit is used for testing the tested object by utilizing the test data to obtain a test result, and the test result comprises an abnormal result;
the determining unit is further configured to determine test data of which the test result is the abnormal result as target data;
the determining unit is further configured to determine a vulnerability type to which the target data belongs, and determine a vulnerability grade to which the target data belongs according to the vulnerability type and the abnormal result.
According to a preferred embodiment of the present invention, the determining unit determining the tested object according to the vulnerability mining request includes:
acquiring all idle threads from a preset thread connection pool, and acquiring the processing rate of each idle thread;
determining the highest processing rate among the processing rates, and determining the idle thread corresponding to the highest processing rate as a target thread;
analyzing the method body of the vulnerability mining request by using the target thread to obtain the data information carried by the vulnerability mining request;
acquiring a preset tag;
acquiring the information corresponding to the preset tag from the data information as an object identifier;
and determining the tested object according to the object identifier.
According to a preferred embodiment of the present invention, the acquisition unit acquiring the flow packet from the application field includes:
detecting whether any data packet in the application field carries a processing request;
when it is detected that the data packet carries a processing request, determining the data packet as an effective data packet, and acquiring the effective data packet;
calculating the acquisition quantity of the effective data packets;
and when the acquired number is larger than the preset number, stopping acquiring the effective data packets, and determining the acquired effective data packets as the flow packets.
According to a preferred embodiment of the present invention, the parsing unit is specifically configured to:
splitting the flow packet to obtain a message header and flow data;
acquiring all first tags in the message header;
analyzing the protocol to which the first tags belong, and determining the analyzed protocol as the target protocol;
and acquiring all second tags in the traffic data, and determining all second tags as the target fields.
According to a preferred embodiment of the present invention, the generating unit generating the test data according to the target field and the target protocol includes:
generating a data template corresponding to the target protocol;
selecting a field matched with the target protocol from the target field as a data field;
randomly splicing the data fields to obtain a field pair, wherein the field pair comprises a plurality of data fields;
and filling the field pairs into the data template to obtain the test data.
According to a preferred embodiment of the present invention, the determining unit determining the vulnerability type to which the target data belongs, and determining the vulnerability grade to which the target data belongs according to the vulnerability type and the abnormal result includes:
acquiring the test time of the target data, and acquiring a test log from the tested object;
acquiring the abnormal description corresponding to the test time from the test log;
determining the vulnerability type according to the abnormal description;
determining the vulnerability description corresponding to the vulnerability type from a configuration table;
and when it is detected that the vulnerability description is the same as the abnormal description, determining the grade corresponding to the vulnerability description as the vulnerability grade.
According to a preferred embodiment of the invention, the device further comprises:
the storage unit is used for storing the mapping relation among the target data, the vulnerability type and the vulnerability grade to obtain a vulnerability data table after the vulnerability grade to which the target data belongs has been determined according to the vulnerability type and the abnormal result;
the acquisition unit is further used for acquiring a request number of the vulnerability mining request;
the generating unit is further used for generating prompt information according to the request number and the vulnerability data table;
the encryption unit is used for encrypting the prompt information by adopting a symmetric encryption algorithm to obtain a ciphertext;
the determining unit is further used for determining a request grade according to the request number and determining a sending mode according to the request grade;
and the sending unit is used for sending the ciphertext to the terminal equipment of the appointed contact person in the sending mode.
An electronic device, the electronic device comprising:
a memory storing at least one instruction; and
a processor that executes the instruction stored in the memory to implement the cloud network vulnerability mining method.
A computer-readable storage medium having at least one instruction stored therein, the at least one instruction being executable by a processor in an electronic device to implement the cloud network vulnerability mining method.
According to the technical solution, the tested object is determined according to the vulnerability mining request, so the tested object can be determined accurately. The flow packet is obtained from the application field, so the obtained flow packet is suitable for testing the tested object. The test data is generated from the target field and the target protocol obtained by analyzing the flow packet, so the generated test data carries the fields and the protocol of a real scene and can reflect the vulnerabilities the tested object encounters in the real scene; at the same time, the target field and the target protocol improve the generation efficiency of the test data and hence the mining efficiency of vulnerability mining. Finally, the vulnerability type of the target data is determined, and the vulnerability grade of the target data is determined according to the vulnerability type and the abnormal result, so the abnormal results produced by the target data are classified, which facilitates vulnerability analysis.
Drawings
Fig. 1 is a flowchart of a cloud network vulnerability mining method according to a preferred embodiment of the present invention.
Fig. 2 is a functional block diagram of a cloud network vulnerability mining apparatus according to a preferred embodiment of the present invention.
Fig. 3 is a schematic structural diagram of an electronic device for implementing the cloud network vulnerability mining method according to a preferred embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in detail with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a flowchart of a cloud network vulnerability mining method according to a preferred embodiment of the present invention. The order of the steps in the flowchart may be changed and some steps may be omitted according to different needs.
The cloud network vulnerability mining method is applied to one or more electronic devices. An electronic device is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions; its hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device and the like.
The electronic device may be any electronic product capable of human-computer interaction with a user, for example a personal computer, a tablet computer, a smart phone, a Personal Digital Assistant (PDA), a game console, an Internet Protocol Television (IPTV), an intelligent wearable device, and the like.
The electronic device may also include a network device and/or a user device. The network device includes, but is not limited to, a single network server, a server group consisting of a plurality of network servers, or a cloud consisting of a large number of hosts or network servers based on cloud computing.
The network where the electronic device is located includes, but is not limited to, the internet, a wide area network, a metropolitan area network, a local area network, a Virtual Private Network (VPN), and the like.
And S10, when receiving the vulnerability mining request, determining the tested object according to the vulnerability mining request.
In at least one embodiment of the present invention, the vulnerability mining request may be triggered by the developer in charge of the tested object, or may be triggered automatically after the tested object has been developed; the present invention does not limit this.
In at least one embodiment of the present invention, the information carried by the vulnerability mining request includes, but is not limited to: a preset tag, an object identifier, a request number, and the like.
In at least one embodiment of the present invention, the determining, by the electronic device, the tested object according to the vulnerability mining request includes:
acquiring all idle threads from a preset thread connection pool, and acquiring the processing rate of each idle thread;
determining the highest processing rate among the processing rates, and determining the idle thread corresponding to the highest processing rate as a target thread;
analyzing the method body of the vulnerability mining request by using the target thread to obtain the data information carried by the vulnerability mining request;
acquiring a preset tag;
acquiring the information corresponding to the preset tag from the data information as an object identifier;
and determining the tested object according to the object identifier.
The method body of the vulnerability mining request is analyzed by the determined target thread; since the target thread has the highest processing rate, the analysis efficiency is improved. In addition, the message header of the vulnerability mining request does not need to be analyzed, which saves the time that would be spent analyzing it, and the tested object can then be determined accurately through the mapping relation between the preset tag and the object identifier.
And S11, determining the application field of the tested object, and acquiring the flow packet from the application field.
In at least one embodiment of the present invention, the application field refers to the scene in which the tested object is applied; for example, the application field may be a cloud underlying network.
In at least one embodiment of the present invention, the traffic packet refers to a data packet carrying a processing request, for example, the traffic packet may be a forwarding request, an exchange request, a reassembly request, or the like.
In at least one embodiment of the present invention, the electronic device determines the application field according to the application scene of the tested object.
By determining the application field, the acquired flow packet can be suitable for the test of the tested object.
In at least one embodiment of the present invention, the acquiring, by the electronic device, the traffic packet from the application field includes:
detecting whether any data packet in the application field carries a processing request;
when it is detected that the data packet carries a processing request, determining the data packet as an effective data packet, and acquiring the effective data packet;
counting the acquired quantity of effective data packets;
and when the acquired quantity is larger than a preset quantity, stopping acquiring effective data packets, and determining the acquired effective data packets as the traffic packets.
The preset quantity may be set in a user-defined manner, which is not limited in the present invention.
With the above embodiment, it can be ensured not only that all acquired traffic packets are valid, but also that the required number of traffic packets is acquired.
And S12, analyzing the flow packet to obtain a target field and a target protocol.
In at least one embodiment of the present invention, the target field refers to a field present in the traffic packet, and the target protocol refers to the protocol to which the traffic packet belongs; for example, the target protocol may be the TCP protocol or the like.
In at least one embodiment of the present invention, the analyzing, by the electronic device, the traffic packet to obtain the target field and the target protocol includes:
splitting the traffic packet to obtain a message header and flow data;
acquiring all first tags in the message header;
analyzing the protocol to which the first tags belong, and determining the analyzed protocol as the target protocol;
and acquiring all second tags in the flow data, and determining the second tags as the target fields.
With this embodiment, the target field and the target protocol can be acquired quickly.
And S13, generating test data according to the target field and the target protocol.
In at least one embodiment of the present invention, the generating, by the electronic device, the test data according to the target field and the target protocol includes:
generating a data template corresponding to the target protocol;
selecting a field matched with the target protocol from the target field as a data field;
randomly splicing the data fields to obtain a field pair, wherein the field pair comprises a plurality of data fields;
and filling the field pairs into the data template to obtain the test data.
In the above embodiment, the test data not only carries the target field and the target protocol but also keeps the data format of the traffic packet, so the test efficiency of the tested object can be improved.
And S14, testing the tested object by using the test data to obtain a test result, wherein the test result comprises an abnormal result.
In at least one embodiment of the invention, the test results further include normal results.
In at least one embodiment of the present invention, the testing, by the electronic device, the tested object by using the test data to obtain the test result includes:
when the feedback result of any test data is not received within a preset time, determining, by the electronic device, the test result of that test data as the abnormal result.
And S15, determining the test data with the test result being the abnormal result as the target data.
In at least one embodiment of the present invention, the target data refers to test data of which the test result is the abnormal result.
S16, determining the vulnerability type of the target data, and determining the vulnerability grade of the target data according to the vulnerability type and the abnormal result.
In at least one embodiment of the present invention, the vulnerability type includes: a denial-of-service type, an abnormal packet loss type, an underlying network product performance degradation type, an underlying product mechanism damage type, and the like.
In at least one embodiment of the present invention, the vulnerability grade includes: L1, L2, L3, L4 and the like.
In at least one embodiment of the present invention, the determining, by the electronic device, the vulnerability type to which the target data belongs, and determining, according to the vulnerability type and the abnormal result, the vulnerability grade to which the target data belongs includes:
acquiring the test time of the target data, and acquiring a test log from the tested object;
acquiring the abnormal description corresponding to the test time from the test log;
determining the vulnerability type according to the abnormal description;
determining the vulnerability description corresponding to the vulnerability type from a configuration table;
and when it is detected that the vulnerability description is the same as the abnormal description, determining the grade corresponding to the vulnerability description as the vulnerability grade.
The vulnerability type of the target data is determined from the abnormal description, and the vulnerability grade is determined accurately by checking whether the abnormal description is the same as the vulnerability description.
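As an added example (not the patent's own code, which the page does not publish), the following Python models steps S11 to S16 above and the corresponding claims in one in-process harness: effective packets are collected up to a preset quantity, header tags give the target protocol and data tags the target fields, fields are randomly spliced into a protocol template, each test datum is run against a stand-in product, and every abnormal result is typed and graded from the test log and a configuration table. The packet samples, the stand-in product with its two failure conditions, the abnormal descriptions, the grades and the configuration table are all constructed assumptions for this example.

```python
import random

# Constructed sample (not from the patent): captured data packets from the
# application field, written as "header|data" strings of tag=value pairs.
CAPTURED_PACKETS = [
    "proto=TCP;ttl=64|request=forward;vlan=100;port=8",
    "proto=TCP;ttl=64|keepalive=1",                       # carries no processing request
    "proto=UDP;ttl=128|request=reassemble;frag=2;size=1500",
    "proto=TCP;ttl=32|request=exchange;vlan=200;port=9",
    "proto=UDP;ttl=128|request=forward;frag=0;size=512",
    "proto=TCP;ttl=64|request=forward;vlan=300;port=8",
]

# Constructed mapping from abnormal description to vulnerability type, and the
# configuration table of (vulnerability description, grade) pairs per type.
TYPE_BY_DESCRIPTION = {
    "no feedback before timeout": "denial of service",
    "packet dropped unexpectedly": "abnormal packet loss",
}
CONFIG_TABLE = {
    "denial of service": [("no feedback before timeout", "L1")],
    "abnormal packet loss": [("packet dropped unexpectedly", "L3")],
}


def _tags(segment):
    """Split 'k=v;k=v' into an ordered list of (tag, value) pairs."""
    return [tuple(p.split("=", 1)) for p in segment.split(";") if "=" in p]


def acquire_traffic(packets, preset_quantity):
    """S11: keep only packets whose data carries a processing request and stop
    once the preset number of effective packets has been collected."""
    effective = []
    for pkt in packets:
        _header, data = pkt.split("|", 1)
        if any(tag == "request" for tag, _ in _tags(data)):
            effective.append(pkt)
            if len(effective) >= preset_quantity:
                break
    return effective


def parse_traffic(traffic):
    """S12: the first tags (message header) give each packet's target protocol;
    the second tags (flow data) give the target fields, grouped by protocol."""
    fields_by_proto = {}
    for pkt in traffic:
        header, data = pkt.split("|", 1)
        proto = dict(_tags(header)).get("proto", "unknown")
        fields = fields_by_proto.setdefault(proto, [])
        for pair in _tags(data):
            if pair not in fields:
                fields.append(pair)
    return fields_by_proto


def generate_test_data(fields_by_proto, count, rng):
    """S13: per protocol, build a data template, randomly splice the matching data
    fields into a field pair (at least two, repeats allowed) and fill the template."""
    test_data = []
    for proto, data_fields in fields_by_proto.items():
        template = "proto=%s|{fields}" % proto           # data template for this protocol
        for _ in range(count):
            k = rng.randint(2, max(2, len(data_fields)))
            pair = rng.choices(data_fields, k=k)
            spliced = ";".join("%s=%s" % f for f in pair)
            test_data.append(template.format(fields=spliced))
    return test_data


def object_under_test(data, log, test_time):
    """Constructed stand-in for the product under test: returns feedback text, or
    None to model 'no feedback within the preset time' (S14); both failure
    conditions below are assumptions made for this example."""
    tags = [t for t, _ in _tags(data.split("|", 1)[1])]
    if len(tags) != len(set(tags)):                       # a repeated tag hangs the product
        log.append((test_time, "no feedback before timeout"))
        return None
    if "size" in tags and "frag" not in tags:             # length without fragment info
        log.append((test_time, "packet dropped unexpectedly"))
        return None
    return "ok"


def mine(packets, preset_quantity=4, count=3, seed=7):
    """S14-S16: run the test data, take the abnormal results as target data, then
    type and grade each one from the test log and the configuration table."""
    rng = random.Random(seed)                             # fixed seed: reproducible splicing
    fields_by_proto = parse_traffic(acquire_traffic(packets, preset_quantity))
    log, table = [], []
    for test_time, data in enumerate(generate_test_data(fields_by_proto, count, rng), 1):
        if object_under_test(data, log, test_time) is not None:
            continue                                      # normal result, not target data
        description = dict(log).get(test_time, "")        # abnormal description at this test time
        vuln_type = TYPE_BY_DESCRIPTION.get(description, "unknown")
        grade = next((g for d, g in CONFIG_TABLE.get(vuln_type, [])
                      if d == description), "ungraded")   # grade only on an exact match
        table.append({"target_data": data, "vulnerability_type": vuln_type, "vulnerability_grade": grade})
    return table
```

`mine(CAPTURED_PACKETS)` returns the vulnerability data table as a list of rows, each holding the target data, its vulnerability type and its grade.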
In at least one embodiment of the present invention, after the vulnerability grade to which the target data belongs has been determined according to the vulnerability type and the abnormal result, the method further includes:
storing the mapping relation among the target data, the vulnerability type and the vulnerability grade to obtain a vulnerability data table;
acquiring a request number of the vulnerability mining request;
generating prompt information according to the request number and the vulnerability data table;
encrypting the prompt information by adopting a symmetric encryption algorithm to obtain a ciphertext;
determining a request grade according to the request number, and determining a sending mode according to the request grade;
and sending the ciphertext to the terminal equipment of the appointed contact person in the sending mode.
Wherein the request level includes, but is not limited to: level one, level two, etc.
Further, the sending method includes, but is not limited to: mail mode, telephone mode, etc.
With this embodiment, the appointed contact person can be notified in time to receive the vulnerability data table once it has been generated; at the same time, the prompt information is encrypted, which improves its security, and the ciphertext is sent in a sending mode appropriate to the request grade.
It is emphasized that, to further ensure the privacy and security of the vulnerability data table, the vulnerability data table may also be stored in a node of a blockchain.
According to the technical solution, the invention determines the tested object according to the vulnerability mining request, so the tested object can be determined accurately. The flow packet is obtained from the application field, so the obtained flow packet is suitable for testing the tested object. The test data is generated from the target field and the target protocol obtained by analyzing the flow packet, so the generated test data carries the fields and the protocol of the real scene, which helps reflect the vulnerabilities the tested object encounters in the real scene; at the same time, the target field and the target protocol improve the generation efficiency of the test data and hence the mining efficiency of vulnerability mining. Finally, the vulnerability type of the target data is determined, and the vulnerability grade of the target data is determined according to the vulnerability type and the abnormal result, so the abnormal results produced by the target data are classified, which facilitates vulnerability analysis.
Fig. 2 is a functional block diagram of a cloud network vulnerability mining apparatus according to a preferred embodiment of the present invention. The cloud network vulnerability mining device 11 includes a determining unit 110, an acquisition unit 111, a parsing unit 112, a generating unit 113, a testing unit 114, a storage unit 115, an encryption unit 116 and a sending unit 117. A module/unit referred to in the present invention means a series of computer program segments that can be executed by the processor 13 to perform a fixed function, and that are stored in the memory 12. In the present embodiment, the functions of the modules/units are described in detail in the following embodiments.
When receiving a vulnerability discovery request, the determining unit 110 determines a tested object according to the vulnerability discovery request.
In at least one embodiment of the present invention, the vulnerability discovery request may be triggered by a developer in charge of the object to be tested, or may be triggered automatically after the object to be tested is developed, which is not limited in the present invention.
In at least one embodiment of the present invention, the information carried by the vulnerability discovery request includes, but is not limited to: a preset tag, an object identifier, a request number, and the like.
In at least one embodiment of the present invention, the determining unit 110 determines the object under test according to the vulnerability mining request, which includes:
acquiring all idle threads from a preset thread pool, and acquiring the processing rate of each idle thread;
determining the highest processing rate among them, and determining the idle thread with the highest processing rate as the target thread;
parsing the message body of the vulnerability mining request with the target thread to obtain the data information carried by the request;
acquiring a preset label;
acquiring the information corresponding to the preset label from the data information as the object identifier;
and determining the tested object according to the object identifier.
Because the message body of the request is parsed by the target thread, that is, the idle thread with the highest processing rate, parsing is faster; because the message header of the request does not need to be parsed, the time that would be spent on it is saved; and the tested object is then determined accurately through the mapping relation between the preset label and the object identifier. In practice the object identifier taken from the request body should also be checked against the set of objects the requester is permitted to test, since it selects the target that the subsequent test data will be sent to.
The obtaining unit 111 determines an application field to which the object to be measured belongs, and obtains a traffic packet from the application field.
In at least one embodiment of the present invention, the application field refers to the scene in which the tested object is applied; for example, the application field may be a cloud underlying network.
In at least one embodiment of the present invention, a traffic packet refers to a data packet carrying a processing request; for example, the traffic packet may carry a forwarding request, a switching request, a reassembly request, or the like.
In at least one embodiment of the present invention, the obtaining unit 111 determines the application field according to an application scene of the measured object.
By determining the application field, the acquired traffic packet can be suitable for testing the tested object.
In at least one embodiment of the present invention, the obtaining unit 111 obtaining the traffic packets from the application field includes:
detecting whether any data packet in the application field carries a processing request;
when a data packet is detected to carry a processing request, determining that data packet as an effective data packet and acquiring it;
counting the number of effective data packets acquired;
and when the acquired number exceeds the preset number, stopping the acquisition of effective data packets and determining the acquired effective data packets as the traffic packets.
The preset number may be set in a user-defined manner, which is not limited in the present invention.
With the above embodiment, the acquired traffic packets are guaranteed to be valid, and a sufficient number of them is collected.
The parsing unit 112 parses the traffic packet to obtain a target field and a target protocol.
In at least one embodiment of the present invention, the target field refers to a field present in the traffic packet, and the target protocol refers to the protocol the traffic packet uses; for example, the target protocol may be TCP.
In at least one embodiment of the present invention, the parsing unit 112 parsing the traffic packet to obtain the target field and the target protocol includes:
splitting the traffic packet into a message header and traffic data;
acquiring all first tags in the message header;
parsing the protocol to which the first tags belong, and determining the parsed protocol as the target protocol;
and acquiring all second tags in the traffic data, and determining the second tags as the target fields.
By the implementation mode, the target field and the target protocol can be quickly acquired.
The generating unit 113 generates test data according to the target field and the target protocol.
In at least one embodiment of the present invention, the generating unit 113 generating the test data according to the target field and the target protocol includes:
generating a data template corresponding to the target protocol;
selecting, from the target fields, the fields matching the target protocol as data fields;
randomly splicing the data fields to obtain field pairs, each field pair comprising a plurality of data fields;
and filling the field pairs into the data template to obtain the test data.
In this embodiment the test data not only carries the target fields and the target protocol but also has the same data format as the real traffic from which it was derived, which improves the test efficiency for the tested object.
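The capture, parsing and generation steps above amount to a recombination fuzzer: field values observed in live traffic are recombined into protocol-shaped test cases. The following is an added example, not the patent's own code. The plain-text packet format (a header line and a payload line of tag=value pairs, with a req tag marking a processing request), the constructed capture, and the per-protocol data templates are all assumptions, and collection stops once the preset number has been reached.

```python
"""Recombination-style test-data generation from captured traffic (added example)."""
import random

# Constructed sample capture: each packet is b"header\npayload". The header
# carries a "req" tag when the packet carries a processing request
# (forward / switch / reassemble); packets without it are noise.
CAPTURE = [
    b"proto=TCP;src=10.0.0.1;dst=10.0.0.2;req=forward\nvlan=100;mtu=1500;next_hop=10.0.1.1",
    b"proto=TCP;src=10.0.0.3;dst=10.0.0.2\nvlan=100;mtu=1500;next_hop=10.0.1.1",
    b"proto=UDP;src=10.0.0.5;dst=10.0.0.9;req=reassemble\nfrag_id=7;offset=1480;more=1",
    b"proto=TCP;src=10.0.0.4;dst=10.0.0.2;req=switch\nvlan=200;mtu=9000;next_hop=10.0.2.1",
    b"proto=TCP;src=10.0.0.6;dst=10.0.0.2;req=forward\nvlan=300;mtu=1400;next_hop=10.0.3.1",
]

# Assumed data templates, one per target protocol: the payload fields that
# protocol's processing request carries, in layout order.
TEMPLATES = {
    "TCP": ("vlan", "mtu", "next_hop"),
    "UDP": ("frag_id", "offset", "more"),
}


def parse_tags(segment: bytes) -> dict:
    """Turn b'k=v;k=v' into a dict; malformed items are skipped."""
    tags = {}
    for item in segment.split(b";"):
        key, sep, value = item.partition(b"=")
        if sep:
            tags[key.decode()] = value.decode()
    return tags


def carries_request(packet: bytes) -> bool:
    """A packet is an effective data packet when its header has a req tag."""
    header = packet.split(b"\n", 1)[0]
    return "req" in parse_tags(header)


def collect_traffic(packets, preset_count: int) -> list:
    """Keep only effective data packets, stopping at preset_count of them."""
    traffic = []
    for pkt in packets:
        if carries_request(pkt):
            traffic.append(pkt)
            if len(traffic) >= preset_count:
                break
    return traffic


def parse_traffic(packet: bytes):
    """Split into message header and traffic data: the header's proto tag is
    the target protocol, the payload tags are the target fields."""
    header, _, data = packet.partition(b"\n")
    return parse_tags(header).get("proto"), parse_tags(data)


def build_field_pool(traffic) -> dict:
    """Per protocol, every value seen for each template field in the capture."""
    pool = {}
    for pkt in traffic:
        proto, fields = parse_traffic(pkt)
        if proto not in TEMPLATES:
            continue
        per_field = pool.setdefault(proto, {})
        for name in TEMPLATES[proto]:            # fields matching the protocol
            if name in fields:
                per_field.setdefault(name, set()).add(fields[name])
    return pool


def generate_test_data(pool: dict, count: int, seed: int = 0) -> list:
    """Randomly splice observed values into each protocol's template."""
    rng = random.Random(seed)                    # seeded so a run can be replayed
    cases = []
    for proto, per_field in sorted(pool.items()):
        names = TEMPLATES[proto]
        if any(name not in per_field for name in names):
            continue                             # template cannot be filled
        for _ in range(count):
            pair = {n: rng.choice(sorted(per_field[n])) for n in names}
            cases.append((proto, pair))
    return cases


if __name__ == "__main__":
    pool = build_field_pool(collect_traffic(CAPTURE, 10))
    for proto, pair in generate_test_data(pool, 3, seed=1):
        print(proto, pair)
```

Because every generated value was seen in real traffic, the cases pass the tested object's format checks while exercising combinations that no real client sent; the seeded random.Random makes a run reproducible, which matters when a failing case has to be replayed against the tested object.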
The test unit 114 tests the object to be tested by using the test data to obtain a test result, where the test result includes an abnormal result.
In at least one embodiment of the invention, the test results further include normal results.
In at least one embodiment of the present invention, the testing unit 114 tests the tested object by using the test data, and obtaining the test result includes:
when no feedback result is received for a given item of test data within a preset time, the test unit 114 determines the test result of that test data as an abnormal result.
The determination unit 110 determines test data of which test result is the abnormal result as target data.
In at least one embodiment of the present invention, the target data refers to test data whose test result is the abnormal result.
The determining unit 110 determines a vulnerability type to which the target data belongs, and determines a vulnerability class to which the target data belongs according to the vulnerability type and the abnormal result.
In at least one embodiment of the present invention, the vulnerability types include: a denial-of-service type, an abnormal packet-loss type, a performance-degradation type of the underlying network product, a mechanism-destruction type of the underlying product, and the like.
In at least one embodiment of the present invention, the vulnerability class includes: l1, L2, L3, L4 and the like.
In at least one embodiment of the present invention, the determining unit 110 determining the vulnerability type to which the target data belongs, and determining the vulnerability grade to which the target data belongs according to the vulnerability type and the abnormal result, includes:
acquiring the test time of the target data, and acquiring a test log from the tested object;
obtaining the exception description corresponding to the test time from the test log;
determining the vulnerability type according to the exception description;
determining the vulnerability description corresponding to the vulnerability type from a configuration table;
and when the vulnerability description is detected to be the same as the exception description, determining the grade corresponding to that vulnerability description as the vulnerability grade.
The vulnerability type of the target data is thus determined from the exception description, and the vulnerability grade is determined accurately by checking whether the exception description matches the vulnerability description. An exception description that matches no entry of the configuration table yields no grade and should be queued for manual triage rather than silently dropped.
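The test-and-classify steps (a missing reply within the preset time as the abnormal signal, the exception description looked up in the test log by test time, the vulnerability type derived from that description, and the grade taken from the configuration table on an exact match) in working form, as an added example rather than the patent's own code. The tested object is a constructed in-process simulator; the log format, the keyword rules that map an exception description to a vulnerability type, the configuration table, and the treatment of a crash (an exception raised by the tested object) as abnormal alongside a timeout are assumptions.

```python
"""Timeout-based abnormal-result detection and vulnerability classification (added example)."""
import concurrent.futures
import re
import threading
import time
from datetime import datetime, timedelta

LOG_LOCK = threading.Lock()
TEST_LOG = []   # (timestamp, message): the tested object's test log, written during the run


def _log(message: str) -> None:
    with LOG_LOCK:
        TEST_LOG.append((datetime.now(), message))


def simulated_target(case: dict) -> str:
    """Constructed tested object. A jumbo MTU stalls its forwarding plane (no
    answer within the timeout); an unroutable next hop makes it drop the packet."""
    if int(case.get("mtu", 0)) > 9000:
        _log("EXC forwarding plane stalled")
        time.sleep(1.0)                      # simulated hang, longer than the timeout
        return "late"
    if case.get("next_hop") == "0.0.0.0":
        _log("EXC packet dropped: no route")
        raise RuntimeError("drop")           # assumption: a crash is also abnormal
    return "ok"


def run_tests(target, cases, timeout_s: float) -> list:
    """One result per test case: no feedback within timeout_s -> abnormal."""
    results = []
    with concurrent.futures.ThreadPoolExecutor(max_workers=4) as pool:
        for case in cases:
            sent_at = datetime.now()         # the test time used for log correlation
            future = pool.submit(target, case)
            try:
                future.result(timeout=timeout_s)
                outcome = "normal"
            except concurrent.futures.TimeoutError:
                outcome = "abnormal"
            except Exception:
                outcome = "abnormal"
            results.append({"case": case, "result": outcome, "time": sent_at})
    return results


# Assumed keyword rules: exception description -> vulnerability type.
TYPE_RULES = [
    (re.compile(r"stalled|no response|hung", re.I), "denial of service"),
    (re.compile(r"dropped|lost", re.I), "abnormal packet loss"),
]
# Assumed configuration table: vulnerability type -> (vulnerability description, grade).
CONFIG_TABLE = {
    "denial of service": [("forwarding plane stalled", "L1"), ("control session reset", "L2")],
    "abnormal packet loss": [("packet dropped: no route", "L3"), ("packet dropped: queue full", "L4")],
}


def exception_description(test_time: datetime, window=timedelta(seconds=1)):
    """Exception description logged closest to the test time, or None."""
    with LOG_LOCK:
        hits = [(abs(ts - test_time), msg[4:]) for ts, msg in TEST_LOG
                if msg.startswith("EXC ") and abs(ts - test_time) <= window]
    return min(hits)[1] if hits else None


def classify(test_time: datetime):
    """Vulnerability type from the description; grade only on an exact table match."""
    desc = exception_description(test_time)
    if desc is None:
        return None, None                    # abnormal but unexplained: manual triage
    vuln_type = next((t for rx, t in TYPE_RULES if rx.search(desc)), "unclassified")
    grade = next((g for d, g in CONFIG_TABLE.get(vuln_type, []) if d == desc), None)
    return vuln_type, grade


def mine(target, cases, timeout_s: float = 0.2) -> list:
    """Target data (test data with an abnormal result) with its type and grade."""
    rows = []
    for r in run_tests(target, cases, timeout_s):
        if r["result"] == "abnormal":
            vuln_type, grade = classify(r["time"])
            rows.append({"target_data": r["case"], "type": vuln_type, "grade": grade})
    return rows


CASES = [   # constructed test data in the form the generation step produces
    {"vlan": "100", "mtu": "1500", "next_hop": "10.0.1.1"},
    {"vlan": "100", "mtu": "9216", "next_hop": "10.0.1.1"},
    {"vlan": "200", "mtu": "1500", "next_hop": "0.0.0.0"},
]

if __name__ == "__main__":
    for row in mine(simulated_target, CASES):
        print(row)
```

Correlating by nearest log entry within a window, rather than by equality of timestamps, is what makes the lookup survive clock skew between the test harness and the tested object; the window must stay shorter than the gap between consecutive test cases, or an abnormal result can be blamed on a neighbouring case's exception.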
In at least one embodiment of the present invention, after the vulnerability grade of the target data has been determined according to the vulnerability type and the abnormal result, the storage unit 115 stores the target data together with the mapping relation between the vulnerability type and the vulnerability grade, obtaining a vulnerability data table;
the obtaining unit 111 obtains the request number of the vulnerability mining request;
the generating unit 113 generates prompt information according to the request number and the vulnerability data table;
the encryption unit 116 encrypts the prompt information with a symmetric encryption algorithm to obtain a ciphertext;
the determining unit 110 determines a request level according to the request number, and determines a sending mode according to the request level;
the sending unit 117 sends the ciphertext to the terminal device of the designated contact in the sending manner.
Wherein the request level includes, but is not limited to: level one, level two, etc.
Further, the sending method includes, but is not limited to: mail mode, telephone mode, etc.
With this embodiment, the designated contact is notified promptly once the vulnerability data table has been generated; the prompt information is encrypted, which protects it in transit; and the ciphertext is delivered by a sending mode matched to the request level. Note that a symmetric cipher by itself provides confidentiality only: an authenticated encryption mode (for example AES-GCM) should be used so that a modified ciphertext is rejected, and the key must reach the contact's terminal device over a separate secure channel.
It is emphasized that, to further ensure the privacy and security of the vulnerability data table, the vulnerability data table may also be stored in a node of a blockchain.
According to the technical scheme, the device embodiment achieves the effects described for the method: the tested object is identified accurately from the vulnerability mining request; traffic packets taken from the application field suit the tested object; test data generated from the parsed target field and target protocol carries the fields and protocol of a real scene, so it reflects the vulnerabilities the tested object would meet in practice and is generated faster, raising mining efficiency; and determining the vulnerability type and, from it together with the abnormal result, the vulnerability grade classifies the abnormal results and facilitates vulnerability analysis.
Fig. 3 is a schematic structural diagram of an electronic device according to a preferred embodiment of the method for implementing cloud network vulnerability discovery according to the present invention.
In one embodiment of the present invention, the electronic device 1 includes, but is not limited to, a memory 12, a processor 13, and a computer program, such as a cloud vulnerability discovery program, stored in the memory 12 and executable on the processor 13.
It will be appreciated by those skilled in the art that the schematic diagram is merely an example of the electronic device 1, and does not constitute a limitation of the electronic device 1, and may include more or less components than those shown, or combine some components, or different components, for example, the electronic device 1 may further include an input-output device, a network access device, a bus, etc.
The processor 13 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The processor 13 is the operation core and control center of the electronic device 1; it is connected with the various parts of the whole electronic device 1 by various interfaces and lines, and executes the operating system of the electronic device 1 and the various installed application programs, program codes and the like.
The processor 13 executes the operating system of the electronic device 1 and various installed application programs. The processor 13 executes the application program to implement the steps in the above-described embodiments of the cloud network vulnerability mining method, such as the steps shown in fig. 1.
Alternatively, the processor 13, when executing the computer program, implements the functions of the modules/units in the above device embodiments, for example:
when a vulnerability mining request is received, determining a tested object according to the vulnerability mining request;
determining the application field of the object to be tested, and acquiring a flow packet from the application field;
analyzing the flow packet to obtain a target field and a target protocol;
generating test data according to the target field and the target protocol;
testing the tested object by using the test data to obtain a test result, wherein the test result comprises an abnormal result;
determining the test data with the test result being the abnormal result as target data;
and determining the vulnerability type to which the target data belongs, and determining the vulnerability grade to which the target data belongs according to the vulnerability type and the abnormal result.
Illustratively, the computer program may be partitioned into one or more modules/units, which are stored in the memory 12 and executed by the processor 13 to implement the present invention. The one or more modules/units may be a series of computer program instruction segments capable of performing certain functions, which are used for describing the execution process of the computer program in the electronic device 1. For example, the computer program may be divided into the determination unit 110, the acquisition unit 111, the analysis unit 112, the generation unit 113, the test unit 114, the storage unit 115, the encryption unit 116, and the transmission unit 117.
The memory 12 can be used for storing the computer programs and/or modules, and the processor 13 implements various functions of the electronic device 1 by running or executing the computer programs and/or modules stored in the memory 12 and calling data stored in the memory 12. The memory 12 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created according to use of the electronic device, and the like. Further, the memory 12 may include a non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other non-volatile solid state storage device.
The memory 12 may be an external memory and/or an internal memory of the electronic device 1. Further, the memory 12 may be a memory in a physical form, such as a memory stick, a TF Card (Trans-flash Card), and the like.
The integrated modules/units of the electronic device 1 may be stored in a computer-readable storage medium if they are implemented in the form of software functional units and sold or used as separate products. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments described above may be implemented.
Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying said computer program code, a recording medium, a usb-disk, a removable hard disk, a magnetic diskette, an optical disk, a computer Memory, a Read-Only Memory (ROM).
A blockchain is a novel application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and cryptographic algorithms. A blockchain is essentially a decentralized database: a chain of data blocks linked by cryptographic methods, where each block contains the information of a batch of network transactions and is used to verify the validity (tamper resistance) of that information and to generate the next block. A blockchain may comprise a blockchain underlying platform, a platform product service layer, an application service layer and the like.
Referring to fig. 1, the memory 12 in the electronic device 1 stores a plurality of instructions to implement a cloud network vulnerability mining method, and the processor 13 can execute the plurality of instructions to implement:
when a vulnerability mining request is received, determining a tested object according to the vulnerability mining request;
determining the application field of the object to be tested, and acquiring a flow packet from the application field;
analyzing the flow packet to obtain a target field and a target protocol;
generating test data according to the target field and the target protocol;
testing the tested object by using the test data to obtain a test result, wherein the test result comprises an abnormal result;
determining the test data with the test result being the abnormal result as target data;
and determining the type of the vulnerability to which the target data belongs, and determining the vulnerability grade to which the target data belongs according to the vulnerability type and the abnormal result.
Specifically, the processor 13 may refer to the description of the relevant steps in the embodiment corresponding to fig. 1 for a specific implementation method of the instruction, which is not described herein again.
In the embodiments provided in the present invention, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
Furthermore, it will be obvious that the term "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the system claims may also be implemented by one unit or means in software or hardware. The terms second, etc. are used to denote names, but not any particular order.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.

Claims (10)

1. A cloud network vulnerability mining method is characterized by comprising the following steps:
when a vulnerability mining request is received, determining a tested object according to the vulnerability mining request;
determining the application field of the object to be tested, and acquiring a flow packet from the application field, wherein the application field is a cloud underlying network;
analyzing the flow packet to obtain a target field and a target protocol;
generating test data according to the target field and the target protocol;
testing the tested object by using the test data to obtain a test result, wherein the test result comprises an abnormal result;
determining the test data with the test result being the abnormal result as target data;
and determining the type of the vulnerability to which the target data belongs, and determining the vulnerability grade to which the target data belongs according to the vulnerability type and the abnormal result.
2. The cloud network vulnerability mining method of claim 1, wherein the determining a measurand according to the vulnerability mining request comprises:
acquiring all idle threads from a preset thread connection pool, and acquiring the processing rate of each idle thread;
determining the highest processing rate according to the processing rate, and determining an idle thread corresponding to the highest processing rate as a target thread;
analyzing the message of the vulnerability discovery request by using the target thread to obtain data information carried by the vulnerability discovery request;
acquiring a preset label;
acquiring information corresponding to the preset label from the data information as an object identifier;
and determining the measured object according to the object identification.
3. The cloud network vulnerability mining method of claim 1, wherein the obtaining of the traffic packets from the application domain comprises:
detecting whether any data packet in the application field carries a processing request or not;
when detecting that the arbitrary data packet carries a processing request, determining the arbitrary data packet as an effective data packet, and acquiring the effective data packet;
calculating the acquisition quantity of the effective data packets;
and when the acquisition quantity is larger than the preset quantity, stopping acquiring the effective data packets, and determining the acquired effective data packets as the flow packets.
4. The cloud network vulnerability mining method of claim 1, wherein the parsing the traffic packet to obtain a target field and a target protocol comprises:
splitting the flow packet to obtain a message header and flow data;
acquiring all first labels in the message header;
analyzing the protocols to which all the first tags belong, and determining the analyzed protocols as the target protocols;
and acquiring all second tags in the traffic data, and determining all second tags as the target fields.
5. The cloud network vulnerability mining method of claim 1, wherein the generating test data according to the target field and the target protocol comprises:
generating a data template corresponding to the target protocol;
selecting a field matched with the target protocol from the target field as a data field;
randomly splicing the data fields to obtain a field pair, wherein the field pair comprises a plurality of data fields;
and filling the field pairs into the data template to obtain the test data.
6. The cloud network vulnerability mining method of claim 1, wherein the determining a vulnerability type to which the target data belongs and determining a vulnerability class to which the target data belongs according to the vulnerability type and the abnormal result comprises:
acquiring the test time of the target data, and acquiring a test log from the tested object;
obtaining an exception explanation corresponding to the test time from the test log;
determining the vulnerability type according to the abnormal description;
determining a vulnerability description corresponding to the vulnerability type from a configuration table;
and when the vulnerability description is detected to be the same as the abnormal description, determining the grade corresponding to the vulnerability description as the vulnerability grade.
7. The cloud network vulnerability mining method of claim 1, wherein after determining a vulnerability class to which the target data belongs according to the vulnerability type and the abnormal result, the method further comprises:
storing the target data, the mapping relation between the vulnerability type and the vulnerability grade to obtain a vulnerability data table;
acquiring a request number of the vulnerability mining request;
generating prompt information according to the request number and the vulnerability data table;
encrypting the prompt message by adopting a symmetric encryption algorithm to obtain a ciphertext;
determining a request grade according to the request number, and determining a sending mode according to the request grade;
and sending the ciphertext to the terminal equipment of the appointed contact person in the sending mode.
8. A cloud network vulnerability mining device, characterized in that the cloud network vulnerability mining device comprises:
a determining unit, configured to determine a tested object according to a vulnerability mining request when the vulnerability mining request is received;
the acquisition unit is used for determining the application field of the object to be tested and acquiring a flow packet from the application field, wherein the application field is a cloud underlying network;
the analysis unit is used for analyzing the flow packet to obtain a target field and a target protocol;
the generating unit is used for generating test data according to the target field and the target protocol;
the test unit is used for testing the tested object by using the test data to obtain a test result, and the test result comprises an abnormal result;
the determining unit is further configured to determine test data of which a test result is the abnormal result as target data;
the determining unit is further configured to determine a vulnerability type to which the target data belongs, and determine a vulnerability grade to which the target data belongs according to the vulnerability type and the abnormal result.
9. An electronic device, characterized in that the electronic device comprises:
a memory storing at least one instruction; and
a processor executing instructions stored in the memory to implement the cloud network vulnerability mining method of any of claims 1 to 7.
10. A computer-readable storage medium characterized by: the computer-readable storage medium has stored therein at least one instruction that is executed by a processor in an electronic device to implement the cloud network vulnerability mining method of any of claims 1-7.
CN202010706037.1A 2020-07-21 2020-07-21 Cloud network vulnerability mining method and device, electronic equipment and medium Active CN111901327B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010706037.1A CN111901327B (en) 2020-07-21 2020-07-21 Cloud network vulnerability mining method and device, electronic equipment and medium
PCT/CN2020/122283 WO2021135532A1 (en) 2020-07-21 2020-10-20 Cloud network vulnerability discovery method, apparatus, electronic device, and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010706037.1A CN111901327B (en) 2020-07-21 2020-07-21 Cloud network vulnerability mining method and device, electronic equipment and medium

Publications (2)

Publication Number Publication Date
CN111901327A CN111901327A (en) 2020-11-06
CN111901327B true CN111901327B (en) 2022-07-26

Family

ID=73190724

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010706037.1A Active CN111901327B (en) 2020-07-21 2020-07-21 Cloud network vulnerability mining method and device, electronic equipment and medium

Country Status (2)

Country Link
CN (1) CN111901327B (en)
WO (1) WO2021135532A1 (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112989355B (en) * 2021-02-08 2024-04-12 中国农业银行股份有限公司 Vulnerability threat perception method, device, storage medium and equipment
CN113098847B (en) * 2021-03-16 2023-03-24 四块科技(天津)有限公司 Supply chain management method, system, storage medium and electronic device
CN113098902A (en) * 2021-04-29 2021-07-09 深圳融安网络科技有限公司 Method and device for managing vulnerability of network equipment, management terminal equipment and storage medium
CN113836008B (en) * 2021-09-13 2023-10-27 支付宝(杭州)信息技术有限公司 Method and system for performing fuzzy test on virtual machine monitor
CN114157461B (en) * 2021-11-22 2023-08-01 绿盟科技集团股份有限公司 Industrial control protocol data stream processing method, device, equipment and storage medium
CN114338436A (en) * 2021-12-28 2022-04-12 深信服科技股份有限公司 Network traffic file identification method and device, electronic equipment and medium
CN114553563B (en) * 2022-02-25 2023-11-24 北京华云安信息技术有限公司 Verification method and device without back display loopholes, electronic equipment and readable storage medium
CN115174194A (en) * 2022-06-30 2022-10-11 浙江极氪智能科技有限公司 System vulnerability mining method, device, equipment and storage medium
CN116070111B (en) * 2022-11-17 2023-08-04 北京东方通科技股份有限公司 Auxiliary decision method and system for big data mining based on AI
CN115549862B (en) * 2022-12-05 2023-03-31 大方智造(天津)科技有限公司 MES system concurrency performance test data receiving method based on dynamic analysis
CN117574393B (en) * 2024-01-16 2024-03-29 国网浙江省电力有限公司 Method, device, equipment and storage medium for mining loopholes of information terminal

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8281401B2 (en) * 2005-01-25 2012-10-02 Whitehat Security, Inc. System for detecting vulnerabilities in web applications using client-side application interfaces
CN101431809B (en) * 2008-10-28 2010-09-01 中国科学院研究生院 OBEX protocol bug excavation method and system
CN105827613B (en) * 2016-04-14 2019-02-12 广东电网有限责任公司电力科学研究院 A kind of test method and system for substation's industrial control equipment information security
CN107046526A (en) * 2016-12-28 2017-08-15 北京邮电大学 Distributed heterogeneous network hole method for digging based on Fuzzing algorithms
CN110209583B (en) * 2019-06-03 2024-01-16 中国银联股份有限公司 Security test method, security test device, security test system, security test equipment and security test storage medium
CN110348220A (en) * 2019-06-28 2019-10-18 北京威努特技术有限公司 Vulnerability mining method, vulnerability repair verification method, device and electronic equipment
CN110390202B (en) * 2019-07-30 2021-06-18 中国工商银行股份有限公司 Method, device, system, equipment and medium for detecting business logic vulnerabilities
CN110598419A (en) * 2019-08-08 2019-12-20 腾讯云计算(北京)有限责任公司 Block chain client vulnerability mining method, device, equipment and storage medium
CN111177729B (en) * 2019-12-17 2023-03-10 腾讯云计算(北京)有限责任公司 Program bug test method and related device
CN111294345B (en) * 2020-01-20 2022-03-25 支付宝(杭州)信息技术有限公司 Vulnerability detection method, device and equipment

Also Published As

Publication number Publication date
CN111901327A (en) 2020-11-06
WO2021135532A1 (en) 2021-07-08

Similar Documents

Publication Publication Date Title
CN111901327B (en) Cloud network vulnerability mining method and device, electronic equipment and medium
CN112669138B (en) Data processing method and related equipment
CN112035258A (en) Data processing method, device, electronic equipment and medium
CN112751852A (en) Data transmission method and related equipment
CN110912927B (en) Method and device for detecting control message in industrial control system
CN106687981A (en) System and methods for automated detection of input and output validation and resource management vulnerability
JP2012094161A (en) Merging multi-line log entries
CN112559831A (en) Link monitoring method and device, computer equipment and medium
CN112287329A (en) Service instance checking method and device, electronic equipment and storage medium
CN112511340A (en) Data transmission method and device, electronic equipment and storage medium
CN111814441A (en) Report generation method and device, electronic equipment and storage medium
CN112015663A (en) Test data recording method, device, equipment and medium
CN112329043A (en) Information encryption processing method, device, computer equipment and medium
CN111814045A (en) Data query method and device, electronic equipment and storage medium
CN114301670B (en) Terminal authentication method, device, equipment and medium based on IPV6 address
CN113918467A (en) Financial system testing method, device, equipment and storage medium
CN113098852A (en) Log processing method and device
CN112711696A (en) Request access method, device, electronic equipment and storage medium
CN112738175B (en) Request processing method and related equipment
CN115119197B (en) Wireless network risk analysis method, device, equipment and medium based on big data
CN116663026A (en) Block chain-based data processing method and device, electronic equipment and medium
CN111277626A (en) Server upgrading method and device, electronic equipment and medium
CN112395319B (en) Cache sharing method and device, server and storage medium
CN114268559B (en) Directional network detection method, device, equipment and medium based on TF-IDF algorithm
CN114925033A (en) Information uplink method, device, system and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant