CN112035843A - Vulnerability processing method and device, electronic equipment and storage medium - Google Patents


Publication number
CN112035843A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010842837.6A
Other languages
Chinese (zh)
Inventor
辛佳橼
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN202010842837.6A
Publication of CN112035843A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Embodiments of the invention apply to the field of data security and provide a vulnerability processing method and apparatus, an electronic device, and a storage medium. The vulnerability processing method comprises: performing vulnerability detection on a system to obtain a detection result; determining, in the case that the detection result indicates that the system has a vulnerability, whether the set characteristics of the vulnerability meet set conditions; and performing vulnerability repair on the vulnerability in the case that the set characteristics meet the set conditions.

Description

Vulnerability processing method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a vulnerability processing method and apparatus, an electronic device, and a storage medium.
Background
Vulnerabilities are defects of electronic equipment in hardware, software, specific implementation of protocols or system security policies, so that an attacker can access or damage the system without authorization, and harm is caused to the system of the electronic equipment. At present, in the related art, a vulnerability is directly repaired under the condition that the vulnerability is detected. However, the repair of some vulnerabilities may change the source code of the electronic device, possibly causing a system crash or performance degradation of the electronic device.
Disclosure of Invention
In order to solve the above problem, embodiments of the present invention provide a vulnerability processing method, apparatus, electronic device, and storage medium, so as to at least solve the problem that repairing all vulnerabilities in the related art may cause system crash or performance degradation of the electronic device.
The technical scheme of the invention is realized as follows:
In a first aspect, an embodiment of the present invention provides a vulnerability processing method, where the method includes:
performing vulnerability detection on the system to obtain a detection result;
determining, in the case that the detection result indicates that the system has a vulnerability, whether the set characteristics of the vulnerability meet set conditions;
and performing vulnerability repair on the vulnerability in the case that the set characteristics meet the set conditions.
In the foregoing solution, determining whether the set characteristics of the vulnerability meet set conditions includes:
extracting a characteristic value from the code corresponding to the vulnerability; the characteristic value characterizes the code string of the code corresponding to the vulnerability;
determining that the set characteristics of the vulnerability meet the set conditions in the case that the characteristic value is stored in a set database; the set database stores characteristic values corresponding to vulnerabilities.
In the foregoing solution, determining whether the set characteristics of the vulnerability meet set conditions includes:
running the system on a virtual machine;
determining a first parameter; the first parameter characterizes the performance of the system running on the virtual machine after vulnerability repair;
and determining that the set characteristics of the vulnerability meet the set conditions in the case that the first parameter is greater than a set value.
In the above scheme, the method further comprises:
acquiring vulnerability attack events collected by a server; the vulnerability corresponding to a vulnerability attack event causes a system abnormality;
determining hotspot events among the vulnerability attack events; a hotspot event indicates that the corresponding vulnerability has caused system abnormalities on more than a set quantity of electronic devices, and/or that the risk value of the corresponding vulnerability is greater than a set value; the risk value characterizes the degree of damage the vulnerability does to the system;
determining the characteristic value of the vulnerability corresponding to the hotspot event;
and writing the characteristic value of the vulnerability corresponding to the hotspot event into the set database.
In the above scheme, performing vulnerability detection on the system to obtain a detection result includes:
performing vulnerability detection on the system using the vulnerability detection plug-ins in a vulnerability detection plug-in library to obtain the detection result; the vulnerability detection plug-ins in the vulnerability detection plug-in library correspond one-to-one to the characteristic values in the set database;
determining, in the case that the detection result indicates that the system has a vulnerability, whether the set characteristics of the vulnerability meet set conditions includes:
determining the vulnerability detection plug-in that detected the vulnerability;
exploiting the vulnerability using the vulnerability exploitation plug-in, in a vulnerability exploitation plug-in library, that corresponds to the vulnerability detection plug-in; the vulnerability exploitation plug-ins in the vulnerability exploitation plug-in library correspond one-to-one to the vulnerability detection plug-ins in the vulnerability detection plug-in library;
and determining that the set characteristics of the vulnerability meet the set conditions in the case that the vulnerability is successfully exploited.
In the above scheme, the method further comprises:
determining a vulnerability grade corresponding to the vulnerability;
and sending alarm information based on the vulnerability grade.
In the foregoing scheme, the performing vulnerability repair on the vulnerability includes:
acquiring identification information of the vulnerability;
determining a repair strategy corresponding to the identification information;
and performing vulnerability repair on the vulnerability based on the repair strategy.
In a second aspect, an embodiment of the present invention provides a vulnerability processing apparatus, where the apparatus includes:
a detection module, configured to perform vulnerability detection on the system to obtain a detection result;
a determining module, configured to determine, in the case that the detection result indicates that the system has a vulnerability, whether the set characteristics of the vulnerability meet set conditions;
and a repair module, configured to repair the vulnerability in the case that the set characteristics meet the set conditions.
In a third aspect, an embodiment of the present invention provides an electronic device, which includes a processor and a memory, where the processor and the memory are connected to each other, where the memory is used to store a computer program, and the computer program includes program instructions, and the processor is configured to call the program instructions to execute the steps of the vulnerability handling method provided in the first aspect of the embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium that stores a computer program. The computer program, when executed by a processor, implements the steps of the vulnerability handling method as provided by the first aspect of the embodiments of the present invention.
In the embodiments of the present invention, vulnerability detection is performed on the system to obtain a detection result. In the case that the detection result indicates that the system has a vulnerability, it is determined whether the set characteristics of the vulnerability meet the set conditions. In the case that the set characteristics of the vulnerability meet the set conditions, the vulnerability is repaired. Compared with the related art, which repairs all vulnerabilities, the embodiments of the present invention repair a vulnerability only when its set characteristics meet the set conditions, thereby avoiding the system crash or performance degradation of the electronic device that follows the repair of some vulnerabilities.
Drawings
Fig. 1 is a schematic diagram illustrating an implementation flow of a vulnerability handling method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of an implementation flow of another vulnerability handling method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram illustrating an implementation flow of another vulnerability handling method according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an implementation flow of another vulnerability handling method according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of an implementation flow of another vulnerability handling method according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of an implementation flow of another vulnerability handling method according to an embodiment of the present invention;
Fig. 7 is a schematic diagram illustrating an implementation flow of another vulnerability handling method according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of a vulnerability handling process according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of a vulnerability handling apparatus according to an embodiment of the present invention;
Fig. 10 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In a computer system, some vulnerabilities may jeopardize the data security of the computer system, and such vulnerabilities must be repaired in time to prevent them from being exploited. Exploiting vulnerabilities is an important way for hackers to obtain control of a system: a hacker finds a vulnerability in the computer system that is easy to attack and then uses it to obtain privileges on the computer, thereby gaining control of the computer system. There are also vulnerabilities that pose no hazard to the computer system, but repairing them can cause a system crash or performance degradation of the computer. For such vulnerabilities, it is better not to repair them. At present, the related art handles a vulnerability by repairing it as soon as it is detected, and cannot repair vulnerabilities selectively according to their specific circumstances.
In view of the above disadvantages of the related art, embodiments of the present invention provide a vulnerability processing method that can selectively repair vulnerabilities according to their specific circumstances. In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
Referring to fig. 1, fig. 1 is a schematic diagram illustrating an implementation flow of a vulnerability processing method according to an embodiment of the present invention, where an execution subject of the vulnerability processing method may be an electronic device such as a mobile phone, a tablet computer, a desktop computer, and a server, and the vulnerability processing method includes:
S101, performing vulnerability detection on the system to obtain a detection result.
Here, the vulnerability detection of the system includes vulnerability detection of defects existing in the system itself, and also includes vulnerability detection of user data stored in a system disk. Vulnerabilities include errors in software code writing, improper system configuration, password theft, and the like.
Vulnerability detection can be divided into detection of known vulnerabilities and detection of unknown vulnerabilities. The detection of the known vulnerability can detect whether the published vulnerability exists in the system through a security scanning technology; and the purpose of unknown vulnerability detection is to discover vulnerabilities that may exist in the system but have not yet been discovered.
Here, unknown vulnerability detection may use techniques such as source code scanning, disassembly scanning, and environmental fault injection. Source code scanning and disassembly scanning are static vulnerability detection techniques, which analyze possible vulnerabilities in a system without running the software program. Environmental fault injection is a dynamic vulnerability detection technique that requires the use of an executable program to test for vulnerabilities present in a system.
Vulnerability detection is performed on the system using the above methods to obtain the detection result.
S102, determining whether the set characteristics of the vulnerability meet set conditions or not under the condition that the detection result represents that the system has the vulnerability.
In a case that a vulnerability is detected in the system, referring to fig. 2, in an embodiment, the determining whether the set characteristic of the vulnerability meets a set condition includes:
S201, extracting a characteristic value from the code corresponding to the vulnerability; the characteristic value characterizes the code string of the code corresponding to the vulnerability.
A characteristic value is extracted from the code corresponding to the vulnerability. The characteristic value may be a Message-Digest Algorithm 5 (MD5) value, a Secure Hash Algorithm 1 (SHA1) value, or the like, which can be used to characterize the code string corresponding to the vulnerability.
The MD5 value and the SHA1 value are constant: as long as the code corresponding to the vulnerability does not change, the MD5 value and the SHA1 value extracted from it are the same every time.
S202, determining that the set characteristics of the vulnerability meet the set conditions in the case that the characteristic value is stored in a set database; the set database stores characteristic values corresponding to vulnerabilities.
The set database stores characteristic values corresponding to vulnerabilities; that is, as long as the electronic device detects a vulnerability whose characteristic value is in the set database, the vulnerability needs to be repaired.
In practical application, the set database may store characteristic values corresponding to vulnerabilities for which an exploitation event has occurred historically or which may be exploited. If the characteristic value is in the set database, the vulnerability is a dangerous vulnerability. In this case, the vulnerability needs to be repaired urgently, so that it is prevented from being exploited by hackers and the data security of the system is protected.
Referring to fig. 3, in the foregoing embodiment, the vulnerability processing method further includes:
S301, acquiring vulnerability attack events collected by a server; the vulnerability corresponding to a vulnerability attack event causes a system abnormality.
Here, the server may be an intelligence platform in the network, and the intelligence platform is used for collecting intelligence such as threat events and attack events occurring in the network. An attack event refers to a vulnerability attack event in a network that causes damage to a user's computer system and property.
S302, determining hotspot events among the vulnerability attack events; a hotspot event indicates that the corresponding vulnerability has caused system abnormalities on more than a set quantity of electronic devices, and/or that the risk value of the corresponding vulnerability is greater than a set value; the risk value characterizes the degree of damage the vulnerability does to the system.
Here, a hotspot event refers to an attack event, among the attack events, with a large impact range and/or a large hazard.
A vulnerability that causes system abnormalities on more than the set quantity of electronic devices has a large impact range; a vulnerability whose risk value is greater than the set value has a large hazard.
The correspondence between the vulnerability and the risk value may be predetermined. For example, if the vulnerability is a high-risk vulnerability, it may cause a system crash or allow the system to be controlled by a hacker, so the risk value is higher. If the vulnerability is a low-risk vulnerability, it only causes the system to be unable to connect to the network or to freeze, so the risk value is low.
S303, determining the characteristic value of the vulnerability corresponding to the hotspot event.
The hotspot event is analyzed, the vulnerability corresponding to the hotspot event is determined, and the characteristic value of that vulnerability is extracted.
S304, writing the characteristic value of the vulnerability corresponding to the hotspot event into the set database.
The characteristic value corresponding to the hotspot event is written into the set database so as to enlarge the vulnerability detection range of the electronic device.
In an embodiment, a plurality of electronic devices are in communication connection with a server. Each electronic device connected to the server sends the characteristic values corresponding to its detected vulnerabilities to the server, and the server combines the characteristic values sent by all electronic devices into a data table and eliminates duplicates, so that each characteristic value is kept only once. The server then sends the data table to each electronic device, and each electronic device writes all the characteristic values in the data table into the set database. In this way, the set database includes not only the characteristic values corresponding to vulnerabilities detected by the device itself, but also the characteristic values corresponding to vulnerabilities detected by other electronic devices connected to the server, so that the vulnerability detection range of the electronic device can be expanded.
In an embodiment, the detecting vulnerability of the system to obtain a detection result includes:
performing vulnerability detection on the system using the vulnerability detection plug-ins in a vulnerability detection plug-in library to obtain the detection result; the vulnerability detection plug-ins in the vulnerability detection plug-in library correspond one-to-one to the characteristic values in the set database.
The electronic device stores a vulnerability detection plug-in library, and the vulnerability detection plug-ins in the library correspond one-to-one to the characteristic values in the set database. That is, one vulnerability detection plug-in can detect one type of vulnerability. Vulnerability detection is performed on the system using the plug-ins in the vulnerability detection plug-in library, and a vulnerability can be detected by a plug-in as long as the system has a vulnerability corresponding to a characteristic value in the set database.
Referring to fig. 4, in the above embodiment, determining whether the set characteristic of the vulnerability meets the set condition when the detection result indicates that the system has the vulnerability includes:
S401, determining the vulnerability detection plug-in that detected the vulnerability.
If a vulnerability is detected in the system, the vulnerability detection plug-in that detected it is determined. Each vulnerability detection plug-in corresponds to the characteristic value of a vulnerability, so the corresponding vulnerability detection plug-in can be determined from the characteristic value of the vulnerability.
S402, exploiting the vulnerability using the vulnerability exploitation plug-in, in a vulnerability exploitation plug-in library, that corresponds to the vulnerability detection plug-in; the vulnerability exploitation plug-ins in the vulnerability exploitation plug-in library correspond one-to-one to the vulnerability detection plug-ins in the vulnerability detection plug-in library.
The vulnerability exploitation plug-ins in the vulnerability exploitation plug-in library correspond one-to-one to the vulnerability detection plug-ins in the vulnerability detection plug-in library. The corresponding vulnerability exploitation plug-in is determined from the determined vulnerability detection plug-in, and the vulnerability is exploited using that vulnerability exploitation plug-in.
Vulnerability exploitation refers to exploiting vulnerabilities in a system using a vulnerability exploitation plug-in to gain control of the system.
S403, determining that the set characteristics of the vulnerability meet the set conditions in the case that the vulnerability is successfully exploited.
If the vulnerability can be successfully exploited by the vulnerability exploitation plug-in, it is determined that the set characteristics of the vulnerability meet the set conditions, and the electronic device repairs the vulnerabilities that meet the set conditions.
Referring to fig. 5, in an embodiment, the determining whether the set characteristic of the vulnerability meets the set condition includes:
S501, running the system on a virtual machine.
A virtual machine is created on the electronic device, the system is run on the virtual machine, and a system environment consistent with that of the electronic device is configured. For example, if version 1909 of the Windows 10 system is running on the electronic device, then the system running on the virtual machine is also version 1909 of the Windows 10 system, and the rest of the system environment, such as disks and memory, needs to be configured consistently.
In practical applications, a virtual machine can be created by VMware, which is a piece of virtual machine creation software.
S502, determining a first parameter; the first parameter characterizes the performance of the system running on the virtual machine after vulnerability repair.
The first parameter characterizes the performance of the system running on the virtual machine after vulnerability repair; that is, the vulnerability of the system running on the virtual machine is repaired, and the first parameter of the repaired system is determined.
Here, the first parameter may be the operation speed of the electronic device, which is an important index for measuring the performance of a computer. The operation speed of an electronic device refers to the number of instructions per second that the electronic device can execute, and is generally expressed in MIPS (Million Instructions Per Second). The faster the operation speed, the stronger the system performance of the electronic device.
S503, determining that the set characteristics of the vulnerability meet the set conditions in the case that the first parameter is greater than the set value.
If the first parameter is greater than the set value, it is determined that the set characteristics of the vulnerability meet the set conditions; meeting the set conditions means that the electronic device is to repair the vulnerability. The first parameter being greater than the set value indicates that the performance of the system of the electronic device is not affected by the vulnerability repair, and in this case the vulnerability of the system of the electronic device is repaired.
In practical applications, a second parameter may be determined together with the first parameter, where the second parameter characterizes the performance of the system running on the virtual machine before the vulnerability repair. The second parameter is compared with the first parameter, and the vulnerability is repaired if the first parameter is not smaller than the second parameter. The first parameter being not smaller than the second parameter indicates that the system performance will not deteriorate after the vulnerability repair, so the vulnerability can be repaired.
S103, performing vulnerability repair on the vulnerability in the case that the set characteristics meet the set conditions.
In the case that the set characteristics of the vulnerability meet the set conditions, the electronic device repairs the vulnerability.
In the embodiments of the present invention, vulnerability detection is performed on the system to obtain a detection result. In the case that the detection result indicates that the system has a vulnerability, it is determined whether the set characteristics of the vulnerability meet the set conditions. In the case that the set characteristics of the vulnerability meet the set conditions, the vulnerability is repaired. Compared with the related art, which repairs all vulnerabilities, the embodiments of the present invention repair a vulnerability only when its set characteristics meet the set conditions, thereby avoiding the system crash or performance degradation of the electronic device that follows the repair of some vulnerabilities.
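The selection logic of steps S201-S202, S301-S304 (including the server-side merge of device reports) and S501-S503 can be sketched as follows. This is an added example, not code from the patent or from its applicant; all function names, thresholds and sample events are constructed, and chaining the database check and the performance check into one decision is an assumption, since the description presents them as separate embodiments.

```python
"""Selective-repair gate: characteristic-value lookup plus performance check."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional, Set


def feature_value(code: str) -> str:
    # S201: the description names MD5 or SHA1 "or the like"; SHA1 is used here.
    # A collision-resistant digest such as SHA-256 is the safer choice when
    # characteristic values are accepted from other parties.
    return hashlib.sha1(code.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class AttackEvent:          # hypothetical record of one collected attack event
    vuln_code: str          # code string of the vulnerability involved
    affected_devices: int   # devices whose system became abnormal
    risk_value: float       # predetermined damage score


def is_hotspot(ev: AttackEvent, set_quantity: int, set_risk: float) -> bool:
    # S302: large impact range and/or large hazard.
    return ev.affected_devices > set_quantity or ev.risk_value > set_risk


def build_set_database(events: Iterable[AttackEvent],
                       set_quantity: int, set_risk: float) -> Set[str]:
    # S303-S304: keep only the characteristic values of hotspot vulnerabilities.
    return {feature_value(e.vuln_code)
            for e in events if is_hotspot(e, set_quantity, set_risk)}


def merge_device_reports(reports: Iterable[Iterable[str]]) -> Set[str]:
    # Server-side merge: values reported by several devices are kept once.
    merged: Set[str] = set()
    for report in reports:
        merged.update(report)
    return merged


def performance_ok(first: float, second: Optional[float] = None,
                   set_value: Optional[float] = None) -> bool:
    # Variant with a pre-repair baseline: first must not be smaller than second.
    if second is not None:
        return first >= second
    # S503: first parameter (post-repair performance) must exceed the set value.
    if set_value is None:
        raise ValueError("a baseline or a set value is required")
    return first > set_value


@dataclass(frozen=True)
class Decision:
    repair: bool
    reason: str


def decide(code: str, set_db: Set[str], first: Optional[float] = None,
           second: Optional[float] = None,
           set_value: Optional[float] = None) -> Decision:
    # Assumed ordering: a dangerous vulnerability is repaired regardless of cost;
    # anything else is repaired only if the VM measurement shows no degradation.
    if feature_value(code) in set_db:
        return Decision(True, "characteristic value in set database")
    if first is None:
        return Decision(False, "no performance measurement; deferred")
    if performance_ok(first, second, set_value):
        return Decision(True, "repair does not degrade performance")
    return Decision(False, "repair degrades performance")


# Constructed sample events: wide and severe, narrow but severe, neither.
EVENTS = [
    AttackEvent("strcpy(buf, request_body);", 1200, 9.1),
    AttackEvent("eval(params['expr'])", 3, 8.5),
    AttackEvent("debug_banner = True", 5, 2.0),
]
SET_DB = build_set_database(EVENTS, set_quantity=100, set_risk=7.0)

if __name__ == "__main__":
    print(decide("strcpy(buf, request_body);", SET_DB))
    # Constructed MIPS readings from the virtual machine, after and before repair.
    print(decide("debug_banner = True", SET_DB, first=950.0, second=1000.0))
```
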
Referring to fig. 6, in an embodiment, the vulnerability processing method further includes:
S601, determining the vulnerability grade corresponding to the vulnerability.
Here, the vulnerability may be graded according to its risk level. For example, if the vulnerability jeopardizes the system security of the electronic device, it is classified as a first-level vulnerability; if it does not jeopardize the system security, it is classified as a second-level vulnerability.
In practical application, a data table can be created, and the characteristic value and the vulnerability grade of each vulnerability are written into the data table in correspondence. After the characteristic value is determined, the data table is queried to obtain the vulnerability grade of the vulnerability.
S602, sending alarm information based on the vulnerability grade.
Different vulnerability grades correspond to different alarm information. If the vulnerability is a first-level vulnerability, which harms the system security, alarm information can be sent to the user by telephone and by short message at the same time, and the alarm information includes information such as the vulnerability grade. If the vulnerability is a second-level vulnerability, which does not harm the system security, the alarm information can be sent to the user by short message only.
Referring to fig. 7, in an embodiment, the performing vulnerability fixing on the vulnerability includes:
S701, acquiring the identification information of the vulnerability.
The identification information of the vulnerability is the unique identity of the vulnerability, and here, the identification information of the vulnerability may be a characteristic value of the vulnerability.
S702, determining a repair strategy corresponding to the identification information.
Here, the identification information of the vulnerability and the corresponding repair policy may be stored in the database, and the corresponding repair policy may be read according to the identification information.
For example, if a vulnerability is harmful to the system, the corresponding repair policy may be patching, updating code, etc. If the vulnerability does not harm the system and the performance of the system is deteriorated due to the vulnerability repair, the corresponding repair strategy is to not repair the vulnerability.
S703, performing vulnerability repair on the vulnerability based on the repair strategy.
A corresponding repair strategy is selected according to the specific circumstances of the vulnerability to repair it, so that system security can be maintained and system performance can be ensured.
Referring to fig. 8, fig. 8 is a schematic diagram of a vulnerability processing flow provided in an application embodiment of the present invention, where the vulnerability processing flow includes:
s801, collecting intelligence.
By calling Application Programming Interface (API) of each information platform, real-time information updated every day in the information platform is obtained and stored in an information library.
S802, acquiring the hotspot event.
Attack event information is acquired from the intelligence library, and hotspot events are screened out of the attack events according to their scope of influence and harmfulness. A hotspot event is a recent vulnerability attack event, carried out by an attacker or an attack organization through some attack means, that is highly harmful and has a large influence.
S803, extracting the vulnerabilities in the hotspot events.
The vulnerabilities in the hotspot events are extracted and written into the vulnerability library.
S804, detecting vulnerabilities.
Vulnerability detection is performed on the system to determine whether a vulnerability exists in it. Vulnerability detection can be divided into detection of known vulnerabilities and detection of unknown vulnerabilities. Detection of known vulnerabilities uses security scanning technology to check whether a published vulnerability exists in the system; the purpose of unknown vulnerability detection is to discover vulnerabilities that may exist in the system but have not yet been discovered. Here, unknown vulnerability detection may use source code scanning, disassembly scanning, environmental fault injection, and the like. Source code scanning and disassembly scanning are static vulnerability detection technologies, which analyze possible vulnerabilities in a system without running the software program. Environmental fault injection is a dynamic vulnerability detection technology, which requires running an executable program to test for vulnerabilities present in a system.
Here, the detection may check whether the system has the same vulnerability as one in the vulnerability library.
In practical application, the vulnerability detection plug-in library stores the vulnerability detection plug-ins corresponding to the vulnerabilities in the vulnerability library, and the vulnerability detection plug-ins in the vulnerability detection plug-in library correspond one-to-one to the vulnerabilities in the vulnerability library. Vulnerability detection is performed on the system using the vulnerability detection plug-ins in the vulnerability detection plug-in library.
S805, judging whether the system has a vulnerability.
If the system has a vulnerability, S806 is performed. If the system does not have a vulnerability, S807 is performed.
S806, sending a common alarm to inform the user.
S807, triggering a security event to inform the user that the system is secure.
If no vulnerability is detected, a security event is triggered to inform the user that no vulnerability exists in the system and that the system is in a secure state.
S808, determining whether the vulnerability can be exploited.
The vulnerability is exploited using the vulnerability exploitation plug-in, in the vulnerability exploitation plug-in library, that corresponds to the vulnerability detection plug-in; the vulnerability exploitation plug-ins in the vulnerability exploitation plug-in library correspond one-to-one to the vulnerability detection plug-ins in the vulnerability detection plug-in library.
If the vulnerability can be exploited, it is a high-risk vulnerability that requires emergency repair and an alarm.
If the vulnerability can be exploited, S809 is executed: the alarm level is raised and the user is notified.
S809, sending a serious alarm to inform the user.
S810, vulnerability defense.
Defense strategies also correspond to the vulnerabilities in the vulnerability library. If an alarm event is triggered (regardless of the alarm level), the system starts the defense strategy corresponding to the vulnerability to defend against it, and informs the user that the defense strategy has been started.
S811, vulnerability repair.
The repair strategy corresponding to the vulnerability can be stored in the database; the vulnerability is repaired using a repair strategy such as patching or updating code, and the user is informed after the repair is finished.
Compared with related technology that repairs all vulnerabilities, the application embodiment of the invention repairs a vulnerability only when it can be exploited, thereby avoiding the system performance degradation that repairing some vulnerabilities may cause.
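The decision logic of steps S802 to S811, as a Python example added here for illustration (it is not code from the patent). The thresholds, component names, sample events and the exposure-based verification callable are constructed assumptions standing in for the "set" values and plug-ins, which the patent leaves unspecified.

```python
import hashlib
from dataclasses import dataclass, field

SET_DEVICE_COUNT = 1000   # assumed "set number" of affected devices
SET_RISK_VALUE = 7.0      # assumed "set value" for the risk value


def feature_value(code: str) -> str:
    """Characteristic value: MD5 of the vulnerability's code string, as on the page.
    It is an exact-match key, so any change to the code string changes the value."""
    return hashlib.md5(code.encode("utf-8")).hexdigest()


@dataclass
class AttackEvent:
    name: str
    vulnerable_code: str      # code string of the vulnerability behind the event
    affected_devices: int
    risk_value: float


def is_hotspot(ev: AttackEvent) -> bool:
    # S802: the page says "and/or", so either criterion is sufficient.
    return ev.affected_devices > SET_DEVICE_COUNT or ev.risk_value > SET_RISK_VALUE


def build_vuln_db(events) -> dict:
    # S803: write the characteristic values of hotspot vulnerabilities to the set database.
    return {feature_value(e.vulnerable_code): e.name for e in events if is_hotspot(e)}


@dataclass
class Outcome:
    safe_event: bool = False
    alerts: list = field(default_factory=list)     # (level, vulnerability name)
    defended: list = field(default_factory=list)   # defense strategy started
    repaired: list = field(default_factory=list)   # (vulnerability name, repair strategy)


def process(system, vuln_db, verifiers, repair_policies) -> Outcome:
    out = Outcome()
    # S804: detection by characteristic-value lookup in the set database.
    found = [(comp, feature_value(code))
             for comp, code in system["components"].items()
             if feature_value(code) in vuln_db]
    if not found:                                  # S805 -> S807
        out.safe_event = True
        return out
    for comp, fv in found:
        name = vuln_db[fv]
        verifier = verifiers.get(fv)               # one verifier per detection entry
        exploitable = bool(verifier and verifier(system, comp))   # S808
        # S806 sends a common alarm; S809 raises it to severe when exploitable.
        out.alerts.append(("severe" if exploitable else "common", name))
        out.defended.append(name)                  # S810: any alarm level starts defense
        policy = repair_policies.get(fv, "none")
        if exploitable and policy != "none":       # S811: repair only if exploitable
            out.repaired.append((name, policy))
    return out


def exposed(system, component) -> bool:
    # Hypothetical stand-in for an exploitability check: is the component reachable?
    return component in system["exposed"]


# Constructed sample data.
EVENTS = [
    AttackEvent("unsafe deserialization (constructed)", "readObject(request.body)", 25000, 9.1),
    AttackEvent("verbose error page (constructed)", "print(stack_trace)", 12, 2.0),
    AttackEvent("default credential (constructed)", 'password = "admin"', 300, 8.0),
]
SYSTEM = {
    "components": {
        "report-service": "readObject(request.body)",
        "admin-console": 'password = "admin"',
        "web-ui": "print(stack_trace)",
    },
    "exposed": {"report-service"},
}
VERIFIERS = {feature_value(e.vulnerable_code): exposed for e in EVENTS}
REPAIR_POLICIES = {
    feature_value("readObject(request.body)"): "patch",
    feature_value('password = "admin"'): "update code",
}

if __name__ == "__main__":
    result = process(SYSTEM, build_vuln_db(EVENTS), VERIFIERS, REPAIR_POLICIES)
    print(result)
```
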
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The technical means described in the embodiments of the present invention may be arbitrarily combined without conflict.
In addition, in the embodiments of the present invention, "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a specific order or a sequential order.
Referring to Fig. 9, which is a schematic diagram of a vulnerability processing apparatus according to an embodiment of the present invention, the apparatus includes a detection module, a determination module and a repair module.
The detection module is used for performing vulnerability detection on the system to obtain a detection result;
the determining module is used for determining whether the set characteristic of the vulnerability meets the set condition in the case where the detection result indicates that the system has a vulnerability;
and the repair module is used for repairing the vulnerability in the case where the set characteristic meets the set condition.
The determining module is specifically configured to:
extract a characteristic value from the code corresponding to the vulnerability; the characteristic value represents a code character string of the code corresponding to the vulnerability;
determine that the set characteristic of the vulnerability meets the set condition in the case where the characteristic value is stored in a set database; the set database stores the characteristic values corresponding to vulnerabilities.
The determining module is specifically configured to:
run the system on a virtual machine;
determine a first parameter; the first parameter represents the performance of the system running on the virtual machine after vulnerability repair;
and determine that the set characteristic of the vulnerability meets the set condition in the case where the first parameter is larger than the set value.
The device further comprises:
the acquisition module, used for acquiring vulnerability attack events collected by the server; the vulnerability corresponding to a vulnerability attack event causes system abnormality;
the hotspot event determining module, used for determining a hotspot event among the vulnerability attack events; a hotspot event indicates that the corresponding vulnerability has caused system abnormality on more than a set number of electronic devices, and/or that the risk value of the corresponding vulnerability is larger than a set value; the risk value characterizes the degree of damage the vulnerability does to the system;
the characteristic value determining module, used for determining the characteristic value of the vulnerability corresponding to the hotspot event;
and the writing module, used for writing the characteristic value of the vulnerability corresponding to the hotspot event into the set database.
The detection module is specifically configured to:
perform vulnerability detection on the system using a vulnerability detection plug-in from a vulnerability detection plug-in library to obtain a detection result; the vulnerability detection plug-ins in the vulnerability detection plug-in library correspond one-to-one to the characteristic values in the set database;
the determining module is specifically configured to:
determine the vulnerability detection plug-in used to detect the vulnerability;
exploit the vulnerability using the vulnerability exploitation plug-in, in a vulnerability exploitation plug-in library, that corresponds to the vulnerability detection plug-in; the vulnerability exploitation plug-ins in the vulnerability exploitation plug-in library correspond one-to-one to the vulnerability detection plug-ins in the vulnerability detection plug-in library;
and determine, in the case where the vulnerability is successfully exploited, that the set characteristic of the vulnerability meets the set condition.
The device further comprises:
the alarm module, used for determining the vulnerability grade corresponding to the vulnerability, and for sending alarm information based on the vulnerability grade.
The repair module is specifically configured to:
acquire the identification information of the vulnerability;
determine a repair strategy corresponding to the identification information;
and perform vulnerability repair on the vulnerability based on the repair strategy.
The code character string includes:
a message digest algorithm MD5 value.
It should be noted that: in the vulnerability processing apparatus provided in the foregoing embodiment, when performing data processing, only the division of the modules is exemplified, and in practical applications, the processing distribution may be completed by different modules as needed, that is, the internal structure of the apparatus may be divided into different modules to complete all or part of the processing described above. In addition, the vulnerability processing apparatus and the vulnerability processing method provided by the embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments in detail and are not described herein again.
Fig. 10 is a schematic diagram of an electronic device according to an embodiment of the present invention. The electronic device includes: cell phones, tablets, servers, etc. As shown in fig. 10, the electronic apparatus of this embodiment includes: a processor, a memory, and a computer program stored in the memory and executable on the processor. The processor, when executing the computer program, implements the steps in the various method embodiments described above, such as steps 101 to 103 shown in fig. 1. Alternatively, the processor, when executing the computer program, implements the functions of the modules in the above device embodiments, such as the functions of the detection module, the determination module, and the repair module shown in fig. 9.
Illustratively, the computer program may be partitioned into one or more modules that are stored in the memory and executed by the processor to implement the invention. The one or more modules may be a series of computer program instruction segments capable of performing certain functions, which are used to describe the execution of the computer program in the electronic device.
The electronic device may include, but is not limited to, a processor, a memory. Those skilled in the art will appreciate that fig. 10 is merely an example of an electronic device and is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or different components, e.g., the electronic device may also include input-output devices, network access devices, buses, etc.
The processor may be a Central Processing Unit (CPU), another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, etc. A general-purpose processor may be a microprocessor or any conventional processor.
The memory may be an internal storage module of the electronic device, such as a hard disk or a memory of the electronic device. The memory may also be an external storage device of the electronic device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like provided on the electronic device. Further, the memory may also include both an internal storage module and an external storage device of the electronic device. The memory is used for storing the computer program and other programs and data required by the electronic device. The memory may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned functional modules and modules are illustrated as examples, and in practical applications, the above-mentioned functional allocation may be performed by different functional modules and modules according to requirements, that is, the internal structure of the apparatus is divided into different functional modules or modules to perform all or part of the above-mentioned functions. In the embodiments, each functional module and each module may be integrated into one processing module, or each module may exist alone physically, or two or more modules are integrated into one module, and the integrated modules may be implemented in a form of hardware or a form of software functional modules. In addition, specific names of the functional modules and modules are only used for distinguishing the functional modules and the modules from each other, and are not used for limiting the protection scope of the present application. The modules and the specific working processes of the modules in the system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus/electronic device and method may be implemented in other ways. For example, the above-described apparatus/electronic device embodiments are merely illustrative, and for example, the modules or the division of modules are merely one logical division, and there may be other divisions when actually implemented, for example, a plurality of modules or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing module, or each of the modules may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
The integrated modules, if implemented in the form of software functional modules and sold or used as separate products, may be stored in a computer-readable storage medium. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium; when the computer program is executed by a processor, the steps of the method embodiments may be implemented. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and the like. It should be noted that the content of the computer-readable medium may be increased or decreased as appropriate according to the requirements of legislation and patent practice in a jurisdiction; for example, in some jurisdictions, in accordance with legislation and patent practice, computer-readable media do not include electrical carrier signals and telecommunications signals.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.

Claims (10)

1. A vulnerability processing method, the method comprising:
performing vulnerability detection on the system to obtain a detection result;
determining, in the case where the detection result indicates that the system has a vulnerability, whether the set characteristic of the vulnerability meets the set condition;
and performing vulnerability repair on the vulnerability in the case where the set characteristic meets the set condition.
2. The method of claim 1, wherein determining whether the set characteristic of the vulnerability meets a set condition comprises:
extracting a characteristic value from the code corresponding to the vulnerability; the characteristic value represents a code character string of the code corresponding to the vulnerability;
determining that the set characteristic of the vulnerability meets the set condition in the case where the characteristic value is stored in a set database; the set database stores the characteristic values corresponding to vulnerabilities.
3. The method of claim 1, wherein determining whether the set characteristic of the vulnerability meets a set condition comprises:
running the system on a virtual machine;
determining a first parameter; the first parameter represents the performance of the system running on the virtual machine after vulnerability repair;
and determining that the set characteristic of the vulnerability meets the set condition in the case where the first parameter is larger than the set value.
4. The method of claim 2, further comprising:
acquiring vulnerability attack events collected by a server; the vulnerability corresponding to a vulnerability attack event causes system abnormality;
determining a hotspot event among the vulnerability attack events; a hotspot event indicates that the corresponding vulnerability has caused system abnormality on more than a set number of electronic devices, and/or that the risk value of the corresponding vulnerability is larger than a set value; the risk value characterizes the degree of damage the vulnerability does to the system;
determining the characteristic value of the vulnerability corresponding to the hotspot event;
and writing the characteristic value of the vulnerability corresponding to the hotspot event into the set database.
5. The method of claim 2, wherein performing vulnerability detection on the system to obtain the detection result comprises:
performing vulnerability detection on the system using a vulnerability detection plug-in from a vulnerability detection plug-in library to obtain the detection result; the vulnerability detection plug-ins in the vulnerability detection plug-in library correspond one-to-one to the characteristic values in the set database;
and determining, in the case where the detection result indicates that the system has a vulnerability, whether the set characteristic of the vulnerability meets the set condition comprises:
determining the vulnerability detection plug-in used to detect the vulnerability;
exploiting the vulnerability using the vulnerability exploitation plug-in, in a vulnerability exploitation plug-in library, that corresponds to the vulnerability detection plug-in; the vulnerability exploitation plug-ins in the vulnerability exploitation plug-in library correspond one-to-one to the vulnerability detection plug-ins in the vulnerability detection plug-in library;
and determining, in the case where the vulnerability is successfully exploited, that the set characteristic of the vulnerability meets the set condition.
6. The method of claim 1, further comprising:
determining a vulnerability grade corresponding to the vulnerability;
and sending alarm information based on the vulnerability grade.
7. The method of claim 1, wherein performing vulnerability repair on the vulnerability comprises:
acquiring identification information of the vulnerability;
determining a repair strategy corresponding to the identification information;
and performing vulnerability repair on the vulnerability based on the repair strategy.
8. A vulnerability processing apparatus, comprising:
the detection module, used for performing vulnerability detection on the system to obtain a detection result;
the determining module, used for determining whether the set characteristic of the vulnerability meets the set condition in the case where the detection result indicates that the system has a vulnerability;
and the repair module, used for repairing the vulnerability in the case where the set characteristic meets the set condition.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the vulnerability processing method according to any of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to perform the vulnerability processing method of any of claims 1 to 7.
CN202010842837.6A 2020-08-20 2020-08-20 Vulnerability processing method and device, electronic equipment and storage medium Pending CN112035843A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010842837.6A CN112035843A (en) 2020-08-20 2020-08-20 Vulnerability processing method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN112035843A true CN112035843A (en) 2020-12-04

Family

ID=73579919

Country Status (1)

Country Link
CN (1) CN112035843A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112615848A (en) * 2020-12-14 2021-04-06 北京达佳互联信息技术有限公司 Vulnerability repair state detection method and system
CN112615848B (en) * 2020-12-14 2023-03-14 北京达佳互联信息技术有限公司 Vulnerability repair state detection method and system
CN113779561A (en) * 2021-09-09 2021-12-10 安天科技集团股份有限公司 Kernel vulnerability processing method and device, storage medium and electronic equipment
CN113779561B (en) * 2021-09-09 2024-03-01 安天科技集团股份有限公司 Kernel vulnerability processing method and device, storage medium and electronic equipment
CN114329486A (en) * 2021-12-24 2022-04-12 中电信数智科技有限公司 Asset vulnerability management method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination