US20210226979A1 - Vulnerability scanning method, server and system - Google Patents

Publication number
US20210226979A1
Authority
US
United States
Prior art keywords
scan
task
proxy node
host
scheduling center
Prior art date
Legal status
Granted
Application number
US16/099,815
Other versions
US11070580B1 (en)
Inventor
Haihan Wang
Younan Xu
Qifu Zhong
Chunyi Shi
Current Assignee
Wangsu Science and Technology Co Ltd
Original Assignee
Wangsu Science and Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Wangsu Science and Technology Co Ltd
Assigned to WANGSU SCIENCE & TECHNOLOGY CO., LTD. (assignment of assignors' interest). Assignors: SHI, Chunyi; XU, Younan; WANG, Haihan; ZHONG, Qifu
Application granted
Publication of US11070580B1
Publication of US20210226979A1
Legal status: Active

Classifications

    • H04L 63/1433 Vulnerability analysis (under H04L 63/14, network security architectures or protocols for detecting or protecting against malicious traffic)
    • G06F 21/54 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, by adding security routines or objects to programs
    • H04L 63/0281 Proxies (under H04L 63/02, separating internal from external traffic, e.g. firewalls)
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/56 Provisioning of proxy services
    • H04L 67/563 Data redirection of data network streams
    • H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L 67/63 Routing a service request depending on the request content or context

Abstract

A vulnerability scanning method includes: identifying a host service running on a target host and creating a scan task that matches the identified host service; issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, where the proxy node executes the at least one scan task for the target host and obtains a scan result; and receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center.

Description

  • FIELD OF THE DISCLOSURE
  • The present disclosure generally relates to the field of Internet technology and, more particularly, relates to a vulnerability scanning method, a server, and a system thereof.
  • BACKGROUND
  • With the continuous development of Internet technology, the problem of information security on the Internet has become increasingly prominent. At present, cyber-attacks exploiting computer vulnerability and network system flaws have become an important way for criminals to seek private interests and commit crimes. In order to fix computer vulnerabilities in time, it is usually necessary to employ a vulnerability scanning tool to scan a computer so as to detect existing or potential vulnerabilities in the computer.
  • When a traditional vulnerability scanning tool scans a computer, the scanning content is pre-customized. The vulnerability scanning tool executes a one-time scan of the pre-customized scanning content, thereby detecting the potential vulnerabilities defined in that content. However, this vulnerability scanning method has a major limitation: the content scanned on a computer is limited to the pre-customized content. For different computers, the customized scanning content may not be applicable, or a full vulnerability scan cannot be conducted on these computers. Therefore, the accuracy of vulnerability scanning in the existing technologies is not high enough.
  • BRIEF SUMMARY OF THE DISCLOSURE
  • The purpose of the present disclosure is to provide a vulnerability scanning method, a server, and a system thereof, which may improve the accuracy of vulnerability scanning.
  • To achieve the above purpose, in one aspect, the present disclosure provides a vulnerability scanning method. The method includes: identifying a host service running on a target host and creating a scan task that matches the identified host service; issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, where the proxy node executes the at least one scan task for the target host, and obtains a scan result; and receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, where the scan subtask is acquired by the proxy node from the task scheduling center and is executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
  • To achieve the above purpose, in another aspect, the present disclosure further provides a server. The server comprises a memory and a processor, where the memory stores computer programs that, when executed by the processor, implement the following steps: identifying a host service running on a target host and creating a scan task that matches the identified host service; issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, where the proxy node executes the at least one scan task for the target host, and obtains a scan result; and receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, where the scan subtask is acquired by the proxy node from the task scheduling center and executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
  • To achieve the above purpose, in another aspect, the present disclosure further provides a vulnerability scanning system. The system comprises a server, a task scheduling center, and a proxy node, where: the server is configured to identify a host service running on a target host, create a scan task that matches the identified host service, issue the created scan task to a task scheduling center, determine whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, if there exists the specified host service in the identified host service, issue again a scan subtask corresponding to the specified host service to the task scheduling center, and receive a scan result fed back by the proxy node; the task scheduling center is configured to receive the scan task or scan subtask issued by the server, and place the received scan task or scan subtask in a task queue; and the proxy node is configured to acquire at least one scan task or scan subtask from the task scheduling center, execute the at least one scan task or scan subtask for the target host to obtain a scan result, and feed back the obtained scan result to the server.
  • As can be seen from the above, the technical solutions provided by the present disclosure may issue scan tasks multiple times when executing vulnerability scanning on a target host, and each issued scan task is determined based on the identification of a service, a website, or a component on the host. Specifically, when a host service is identified on the target host, the server may issue a scan task corresponding to the host service to the task scheduling center. If the identified host service contains a specified host service that signifies a website resource, the server may issue again a scan subtask for the specified host service. Compared to the previously issued scan task, the scan subtask may scan possible vulnerabilities in the specified host service more comprehensively. After issuing the scan subtask for the specified host service that signifies the website resource, a page address associated with the website resource may also continue to be collected. For the collected page address, the server may further issue a page application scan task, so that possible vulnerabilities on a page of the website may be scanned as well. Further, a web fingerprint corresponding to the collected page address may be identified. By matching the web fingerprint against the preset fingerprint database, it may be determined whether a specified page component exists in the page of the website. If the specified page component exists, the server may further issue a page component scan task, so that the specified page component with possible vulnerabilities can be scanned. In short, the technical solutions provided by the present disclosure generate the corresponding scan tasks each time based on the results identified from the host, and issue the scan tasks multiple times, so that the target host is deliberately scanned deeper and deeper. In addition, the technical solutions provided by the present disclosure may not only scan the host, but also scan the websites that are operated and maintained on the host, so that a more comprehensive scanning process can be achieved. In terms of system architecture, by adopting a distributed scanning mode of the server and proxy nodes, multiple proxy nodes may scan in parallel to improve the efficiency of vulnerability scanning. Therefore, the technical solutions provided by the present disclosure may improve not only the accuracy of vulnerability scanning but also its efficiency.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • To make the technical solutions in the embodiments of the present disclosure clearer, a brief introduction of the accompanying drawings consistent with descriptions of the embodiments will be provided hereinafter. It is to be understood that the following described drawings are merely some embodiments of the present disclosure. Based on the accompanying drawings and without creative efforts, persons of ordinary skill in the art may derive other drawings.
  • FIG. 1 is a schematic diagram of a system architecture according to some embodiments of the present disclosure;
  • FIG. 2 is a flowchart of a vulnerability scanning method according to some embodiments of the present disclosure;
  • FIG. 3 is a flowchart of vulnerability scanning according to some embodiments of the present disclosure;
  • FIG. 4 is a schematic structural diagram of a server according to some embodiments of the present disclosure;
  • FIG. 5 is an interactive diagram of different entities according to some embodiments of the present disclosure; and
  • FIG. 6 is a schematic structural diagram of a computer terminal according to some embodiments of the present disclosure.
  • DETAILED DESCRIPTION
  • To make the objectives, technical solutions, and advantages of the present disclosure clearer, specific embodiments of the present disclosure will be made in detail with reference to the accompanying drawings.
  • Embodiment 1
  • The technical solutions provided by the present disclosure may be applied to a system architecture shown in FIG. 1. Referring to FIG. 1, the system architecture may include a server, a task scheduling center, and a proxy node. The server may be configured to create a scan task for vulnerability scanning, the task scheduling center may receive a scan task issued by the server, and the proxy node may acquire a scan task from the task scheduling center, execute the acquired scan task for the corresponding host to obtain a scan result related to the host. The scan result may be reported by the proxy node to the server.
  • In the present disclosure, the system architecture may be deployed in a manner of a distributed system. There may be a plurality of proxy nodes. Each proxy node may be connected to the task scheduling center. Some proxy nodes may obtain different scan tasks for the same host, and these proxy nodes may execute the acquired scan tasks in parallel, thereby improving the efficiency of vulnerability scanning.
  • The present disclosure provides a vulnerability scanning method, which may be applied to the above system architecture. Referring to FIG. 2 and FIG. 3, the method may include the following steps. The server may be the execution entity of the following steps S11 to S15.
  • S11: identifying a host service running on a target host and creating a scan task that matches the identified host service.
  • In the disclosed embodiment, the target host may be a host to be scanned for vulnerability. When issuing a scan task for the target host, the server may first identify the host services running on the target host. Specifically, external service detection may be performed on the target host so as to detect the Internet-facing assets of the target host. Subsequently, vulnerability scanning may be executed on these Internet-facing assets. In addition, not all attacks come from external networks. Some attacks may also come from applications inside the target host. In this situation, the server may also perform internal application detection on the target host so as to detect the assets inside the target host.
  • In the disclosed embodiment, all of the above-detected assets may serve as host services running on the target host. After detecting the existence of a host service running on the target host, the server may query the preset vulnerability database to identify the type of vulnerability that matches the host service. The significance of this process is that the server does not blindly issue scan tasks for all host services, but only issues corresponding scan tasks for the host services that may have a vulnerability. Thus, after identifying the type of vulnerability that matches the host service, the server may create a scan task corresponding to that type of vulnerability; this scan task may serve as the scan task that matches the host service.
  • S13: issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, where the proxy node executes the at least one scan task for the target host, and obtains a scan result.
  • In the disclosed embodiment, after creating a scan task for the target host, the server may issue the scan task to the task scheduling center. After receiving the scan task, the task scheduling center may place the scan task in a task queue to wait for the proxy node to acquire the scan task.
  • In the disclosed embodiment, a proxy node may selectively acquire scan tasks from the task scheduling center based on its own instant load status. Specifically, a proxy node may include a load balancing module. When the proxy node is about to acquire a scan task from the task scheduling center, the load balancing module obtains the current load parameters of the proxy node, which may include, for example, the instant CPU usage of the proxy node, its memory usage, the number of scan tasks currently being processed, and the like. The load balancing module may calculate the current load value of the proxy node from these load parameters; the higher the load value, the lower the proxy node's ability to handle scan tasks. In this way, the load balancing module may determine the number of scan tasks expected to be acquired from the task scheduling center based on the instant load value of the proxy node. Specifically, the load balancing module may store in advance a mapping table between load values and numbers of tasks, in which the load values are divided into ranges and each range is associated with a number of tasks. After the instant load value of the proxy node is determined, the number of scan tasks expected to be acquired may be read from the mapping table.
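The following is added here as an illustration of such a load balancing module and is not code from the patent: the weights, the capacity constant and the range table are constructed assumptions, since the text only states that a table maps load-value ranges to task counts.

```python
"""Proxy-node load balancing as the text describes it: combine the instant load
parameters into a load value, map that value through a range table to a number
of tasks, and take that many tasks from the scheduling center's queue.
Added illustration, not the patent's code; WEIGHTS, MAX_RUNNING_TASKS and
LOAD_TABLE are constructed assumptions."""
from collections import deque
from dataclasses import dataclass

# Assumed weights for the three load parameters the text names.
WEIGHTS = {"cpu": 0.5, "mem": 0.3, "tasks": 0.2}
MAX_RUNNING_TASKS = 10  # assumed per-node capacity used to normalise the task count

# Assumed mapping table: half-open [low, high) load-value range -> tasks to acquire.
# A higher load value means a lower ability to handle tasks, so fewer are taken.
LOAD_TABLE = [
    ((0.0, 0.3), 5),
    ((0.3, 0.6), 3),
    ((0.6, 0.8), 1),
    ((0.8, 1.01), 0),  # upper bound just above 1.0 so a saturated node maps to 0
]


@dataclass(frozen=True)
class LoadParams:
    cpu_usage: float    # fraction 0.0 .. 1.0
    mem_usage: float    # fraction 0.0 .. 1.0
    running_tasks: int  # scan tasks currently being processed


def load_value(p: LoadParams) -> float:
    """Weighted combination of the instant load parameters, clamped to [0, 1]."""
    task_ratio = min(p.running_tasks / MAX_RUNNING_TASKS, 1.0)
    value = (WEIGHTS["cpu"] * p.cpu_usage + WEIGHTS["mem"] * p.mem_usage
             + WEIGHTS["tasks"] * task_ratio)
    return max(0.0, min(value, 1.0))


def tasks_to_acquire(value: float) -> int:
    """Look the load value up in the range table."""
    for (low, high), count in LOAD_TABLE:
        if low <= value < high:
            return count
    return 0


def acquire_tasks(task_queue: deque, params: LoadParams) -> list:
    """Take at most the table's task count from the scheduling center queue.

    Fewer tasks come back when the queue runs dry; a saturated node takes none.
    """
    wanted = tasks_to_acquire(load_value(params))
    taken = []
    while task_queue and len(taken) < wanted:
        taken.append(task_queue.popleft())
    return taken


def simulate():
    """Two proxy nodes with different loads drawing from one queue of eight tasks."""
    task_queue = deque(f"scan-task-{i}" for i in range(8))  # constructed tasks
    idle = LoadParams(cpu_usage=0.1, mem_usage=0.2, running_tasks=0)
    busy = LoadParams(cpu_usage=0.9, mem_usage=0.7, running_tasks=8)
    return acquire_tasks(task_queue, idle), acquire_tasks(task_queue, busy), len(task_queue)
```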
  • In the disclosed embodiment, after obtaining the scan task for the target host, the proxy node may execute the acquired scan task through a scan interface provided in advance by the target host. During the execution of the scan task, possible vulnerabilities with respect to the host service may be detected on the target host. When the execution of the scan task is completed, a scan result may be summarized based on the vulnerability information obtained through the scanning. The scan result may be fed back to the server by the proxy node.
  • S15: receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, where the scan subtask is acquired by the proxy node from the task scheduling center and executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
  • In the disclosed embodiment, the server may receive the scan result fed back by the proxy node. This scan result is the result of a preliminary scan of the host service: the above-noted scan task may be only a shallow scan of a host service that may have a vulnerability, and for some important host services it performs no further detailed scanning. Accordingly, in the disclosed embodiment, scan tasks may be issued multiple times, each deeper than the last. Specifically, the server may determine whether a specified host service exists among the identified host services, where the specified host service signifies an existence of a website resource running on the target host. Since websites are usually accessed by a large number of users, a specified host service serving the website resource may be a relatively important service on the target host and one that is easily attacked. For example, the specified host service is an HTTP service. In real applications, when it is detected that the HTTP service is enabled on the target host, the server may again create a scan subtask for the HTTP service, which executes additional scanning of the website resource.
  • In some embodiments, the server may collect the page address associated with the website resource when an HTTP service is detected to exist on the target host. The page address may be a page Uniform Resource Locator (URL) existing on the website. After the page address associated with the website resource is collected, a page application scan task corresponding to the page address may be created. The page application scan task may scan for possible vulnerabilities on a page of the website. Compared to the above-noted scan tasks for general host services on the target host, a page application scan task may execute vulnerability scanning more finely for a page of the website associated with the HTTP service. In this way, in the disclosed embodiment, the scan subtask created by the server may be a page application scan task.
  • In the disclosed embodiment, after creating a page application scan task, the server may again issue the page application scan task to the task scheduling center. In this way, the proxy node may continue to acquire at least one page application scan task from the task scheduling center. A corresponding scan result for the page may be obtained after the proxy node executes the at least one page application scan task for the target host, and this scan result may also be fed back to the server.
  • In some embodiments, a plurality of page components may be included in a webpage. The page components may be identified by a web fingerprint. Specifically, after collecting the page address, a web fingerprint of the page address may be further identified. In real applications, the web fingerprint corresponding to the page address may be identified by the keywords in the webpage, MD5 code of a specified file, keywords in the page address, or the TAG mode of the page address. After identifying the web fingerprint, the server may match the identified web fingerprint with the preset fingerprint database, so as to determine whether the identified web fingerprint is the specified web fingerprint existing in the preset fingerprint database. It is very likely that a page component signified by a specified web fingerprint has a vulnerability. Therefore, in the disclosed embodiment, when it is determined that the identified web fingerprint is a specified web fingerprint existing in the preset fingerprint database, vulnerability scanning may be further executed for the page component corresponding to the web fingerprint.
  • Specifically, in the disclosed embodiment, the server may create a page component scan task, and the page component scan task may be configured to scan a page component included in the webpage corresponding to the page address. After creating the page component scan task, the server may again issue the created page component scan task to the task scheduling center, so that the proxy node obtains at least one page component scan task from the task scheduling center. In this way, after the proxy node executes the at least one page component scan task for the target host, a page component scan result corresponding to the target host may be obtained.
  • As can be seen from the above, when executing vulnerability scanning on the target host, the scan tasks may be issued multiple times. Each time, the issued scan task is determined based on the identification of a service, a website, or a component on the host. Not only may the host be scanned for vulnerabilities; a website on the host and its webpage components may be scanned as well. As the scan tasks are issued multiple times, the scanning process for the target host becomes finer and finer. Unlike the scanning methods using customized content in the existing technologies, the technical solutions of the present disclosure may issue different scan tasks for different hosts, and the scanning depth deepens as the number of scans increases, thereby achieving comprehensive and accurate vulnerability scanning.
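The staged issuance of S11 to S15, including the page application and page component stages, as an added example that is not the patent's own code: the vulnerability database, fingerprint database, target host and proxy findings are constructed sample data, and the task scheduling center is reduced to a task queue.

```python
"""Staged scan-task issuance following the S11/S13/S15 flow in the text, with the
page application and page component stages. Added illustration only: the databases,
target host and proxy findings are constructed sample data; nothing is scanned."""
from collections import deque
import hashlib

# Constructed preset vulnerability database: host service -> vulnerability types.
# Services absent from it get no scan task (the server does not scan blindly).
VULN_DB = {"ssh": ["weak-credentials"], "http": ["server-misconfiguration"]}
# Host services that signify a website resource (the text's example is HTTP).
WEBSITE_SERVICES = {"http"}
# Constructed preset fingerprint database, one table per feature the text names:
# keywords in the page, MD5 of a specified file, keywords in the page address.
FINGERPRINT_DB = {
    "page_keyword": {"powered by examplecms": "examplecms"},
    "file_md5": {hashlib.md5(b"ExampleCMS readme v1").hexdigest(): "examplecms"},
    "url_keyword": {"/wp-admin": "wordpress"},
}
# Constructed target host as the proxy node would observe it (documentation IP).
TARGET = {
    "host": "203.0.113.10",
    "services": ["ssh", "http", "ntp"],
    "pages": {
        "http://203.0.113.10/": {"body": "Welcome - Powered by ExampleCMS",
                                 "probe_file": b"ExampleCMS readme v1"},
        "http://203.0.113.10/wp-admin/": {"body": "Log in", "probe_file": b""},
    },
}


def web_fingerprint(url, page):
    """Identify page components via the three fingerprint features."""
    found = set()
    body = page["body"].lower()
    for kw, comp in FINGERPRINT_DB["page_keyword"].items():
        if kw in body:
            found.add(comp)
    comp = FINGERPRINT_DB["file_md5"].get(hashlib.md5(page["probe_file"]).hexdigest())
    if comp:
        found.add(comp)
    for kw, comp in FINGERPRINT_DB["url_keyword"].items():
        if kw in url:
            found.add(comp)
    return found


class ProxyNode:
    """Acquires every queued task, runs it against the simulated target, reports."""
    def __init__(self, task_queue, target):
        self.task_queue, self.target = task_queue, target

    def execute_all(self):
        results = []
        while self.task_queue:
            task = self.task_queue.popleft()
            result = dict(task)
            if task["kind"] == "host" and task["service"] in WEBSITE_SERVICES:
                result["pages"] = list(self.target["pages"])  # page addresses found
            elif task["kind"] == "page_application":
                page = self.target["pages"][task["url"]]
                result["fingerprint"] = web_fingerprint(task["url"], page)
            results.append(result)
        return results


class Server:
    def __init__(self, task_queue):
        self.task_queue = task_queue  # stands in for the task scheduling center
        self.rounds = []  # tasks issued in each round, kept for inspection

    def _issue(self, tasks):
        self.task_queue.extend(tasks)
        self.rounds.append(tasks)

    def identify_and_issue(self, services):  # S11 + S13
        self._issue([{"kind": "host", "service": s, "vuln": v}
                     for s in services for v in VULN_DB.get(s, [])])

    def on_results(self, results):  # S15: issue deeper subtasks from results
        subtasks = []
        for r in results:
            if r["kind"] == "host" and r["service"] in WEBSITE_SERVICES:
                subtasks += [{"kind": "page_application", "url": u} for u in r["pages"]]
            elif r["kind"] == "page_application":
                subtasks += [{"kind": "page_component", "url": r["url"], "component": c}
                             for c in sorted(r["fingerprint"])]
        if subtasks:
            self._issue(subtasks)
        return subtasks


def run_pipeline(target):
    """Issue rounds of tasks until a round produces no further subtasks."""
    task_queue = deque()
    server, proxy = Server(task_queue), ProxyNode(task_queue, target)
    server.identify_and_issue(target["services"])
    while server.on_results(proxy.execute_all()):
        pass
    return server.rounds
```

Running `run_pipeline(TARGET)` yields three rounds: host tasks for ssh and http only, then one page application task per collected page, then one page component task per fingerprint match.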
  • In real applications, due to different operators, the network environments where hosts are located may vary greatly. In the existing technologies, when a host is scanned, it is very likely that the communication with the to-be-scanned host may not be established due to network reasons, or the communication is slow. In view of this, in the disclosed embodiment of the present disclosure, a matching proxy node may be selectively employed to execute a scan task based on the network environment where the target host is located. Specifically, when a target host needs to be scanned, the network environment where the target host is located may be identified. For example, the operator corresponding to the network currently utilized by the target host may be identified, and the current geographical location of the target host may also be determined. Subsequently, a target proxy node that matches the identified network environment may be determined. For example, the determined target proxy node may be on the same network as the operator of the target host, and the target proxy node is relatively close to the target host. In an actual application scenario, the target proxy node that matches the target host may be selected by means of a content delivery network. In this way, a scan task may be subsequently acquired from the task scheduling center by the target proxy node, and the acquired scan task is executed by the target proxy node for the target host. Due to the same network environment, it is possible to maintain a good communication connection, so that the problem of low scanning efficiency due to the difference in the network environment may be avoided.
  • In some embodiments, after selecting a proxy node that matches the network environment where the target host is located to execute the scan task and obtain the scan result, in order to improve the upload efficiency of the scan result, a transmission path for feeding back the scan result may be purposely selected in the content delivery network. The network environment where each proxy node is located in the transmission path may match the network environment where the target host is located. In this way, the server may identify the network environment where the target host is located, and receive and identify the scan result reported by the proxy node that matches the identified network environment.
  • In some embodiments, some ports on the target host may present serious vulnerabilities. If no access control measures are set on these ports and they are opened directly, data leakage from the target host may occur. Therefore, in the disclosed embodiment, a specified port of the target host may be scanned periodically at a specified interval, where the specified port is a port, as noted above, that requires access control measures. When the scan result indicates that the specified port has no access control measures, the specified port may lead to data leakage. In this situation, a warning message may be generated for the specified port to remind the administrator of the target host to take corresponding action in time, or new matching access control measures may be added based on the scan result.
  • In some embodiments, a scan task may also be configured flexibly on the server side. Specifically, various scan parameters for executing a scan task may be customized on the server side; the scan parameters may be, for example, a defined scan depth, the number of times of scanning, and the like. In this way, the scan parameters define a scan mode corresponding to the scan task, and when a proxy node subsequently executes the scan task, it does so according to the scan mode defined by the scan parameters. The purpose of this process is to configure the vulnerability scanning process flexibly based on the requirements of users.
  • Embodiment 2
  • Referring to FIG. 4, the present disclosure further provides a server. The server comprises a memory and a processor, where the memory stores computer programs that, when executed by the processor, implement the following steps:
  • S11: identifying a host service running on a target host and creating a scan task that matches the identified host service;
  • S13: issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, where the proxy node executes the at least one scan task for the target host, and obtains a scan result; and
  • S15: receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, where the scan subtask is acquired by the proxy node from the task scheduling center and executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
  • In some embodiments, the computer programs, when executed by the processor, further implement the following steps:
  • collecting a page address associated with the website resource, and creating a page application scan task corresponding to the page address; and
  • issuing again the created page application scan task to the task scheduling center, to allow the proxy node to acquire at least one page application scan task from the task scheduling center, where the proxy node executes the at least one page application scan task for the target host, and obtains a scan result corresponding to the page address.
  • In some embodiments, the computer programs, when executed by the processor, further implement the following steps:
  • identifying a web fingerprint of the page address, matching the web fingerprint with a preset fingerprint database, and if the web fingerprint is a specified web fingerprint existing in the preset fingerprint database, creating a page component scan task; and
  • issuing again the created page component scan task to the task scheduling center, to allow the proxy node to acquire at least one page component scan task from the task scheduling center, where the proxy node executes the at least one page component scan task for the target host, and obtains a page component scan result corresponding to the target host.
  • Embodiment 3
  • Referring to FIG. 1 and FIG. 5, the present disclosure further provides a vulnerability scanning system. The system comprises a server, a task scheduling center, and a proxy node, where:
  • the server is configured to identify a host service running on a target host, create a scan task that matches the identified host service, issue the created scan task to a task scheduling center, determine whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, if there exists the specified host service in the identified host service, issue again a scan subtask corresponding to the specified host service to the task scheduling center, and receive a scan result fed back by the proxy node;
  • the task scheduling center is configured to receive the scan task or scan subtask issued by the server, and place the received scan task or scan subtask in a task queue; and
  • the proxy node is configured to acquire at least one scan task or scan subtask from the task scheduling center, execute the at least one scan task or scan subtask for the target host to obtain a scan result, and feed back the obtained scan result to the server.
  • In the disclosed embodiment, there may be multiple proxy nodes, each of which may be connected to the task scheduling center. Some of the proxy nodes may acquire different scan tasks for the same host, and these proxy nodes may execute the acquired scan tasks in parallel, thereby improving the efficiency of vulnerability scanning.
  • In some embodiments, the server is further configured to collect a page address associated with the website resource, create a page application scan task corresponding to the page address, and issue again the created page application scan task to the task scheduling center.
  • In some embodiments, after collecting the page address associated with the website resource, the server is further configured to identify a web fingerprint of the page address, and match the web fingerprint with a preset fingerprint database. If the web fingerprint is a specified web fingerprint existing in the preset fingerprint database, the server creates a page component scan task, and issues again the created page component scan task to the task scheduling center.
  • In some embodiments, the server is further configured to identify a network environment where the target host is located, and determine a target proxy node that matches the identified network environment, so as to acquire a scan task or scan subtask from the task scheduling center through the target proxy node. Further, the target proxy node executes the acquired scan task or scan subtask for the target host.
  • In some embodiments, the proxy node further includes an address lookup module, and the address lookup module is configured to determine a target proxy node that matches a network environment where the target host is located and report the scan result through the determined target proxy node to the server.
  • In some embodiments, the proxy node further includes a load balancing module, and the load balancing module is configured to obtain current load parameters of the proxy node, and determine the number of scan tasks or scan subtasks that are expected to be acquired from the task scheduling center based on the load parameters. Specifically, the proxy node may selectively acquire a scan task from the task scheduling center based on its instant load status. The load balancing module may acquire the instant load parameters of the proxy node when the proxy node is about to acquire a scan task from the task scheduling center. The load parameters may include, for example, the instant CPU usage of the proxy node, the memory usage, the number of processing scan tasks, and the like. The load balancing module may comprehensively calculate the current load value of the proxy node based on the load parameters. The higher the load value, the lower the proxy node's ability to handle scan tasks. In this way, the load balancing module may determine the number of scan tasks expected to be acquired from the task scheduling center based on the instant load value of the proxy node. Specifically, the load balancing module may store in advance a mapping relationship table between load values and the number of tasks. In the mapping relationship table, the load values may be divided into ranges, and the number of tasks corresponding to each range may be obtained. In this way, after the instant load value of the proxy node is determined, the number of scan tasks expected to be acquired may be determined through the mapping relationship table.
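As an added example that is not part of the patent, the following Python sketch models the load balancing module described above: a proxy node folds its instant CPU usage, memory usage and number of in-progress tasks into a load value, looks that value up in a pre-stored range table to decide how many tasks to pull, and then acquires from the task scheduling center only tasks whose target host sits in its own network environment (the target-proxy-node matching of the earlier paragraphs). The weights, the range table, the environment labels and the sample tasks are constructed assumptions.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass

# Assumed weights for folding the instant load parameters into one load value (0..100).
LOAD_WEIGHTS = {"cpu": 0.5, "memory": 0.3, "tasks": 0.2}
MAX_TASKS_IN_PROGRESS = 20   # assumed capacity used to express the task count as a percentage

# Mapping relationship table (constructed): a load value below the bound maps to the
# number of tasks the node should acquire; the last row covers everything else.
LOAD_TABLE = [
    (30.0, 8),   # lightly loaded: pull up to 8 tasks
    (60.0, 4),
    (85.0, 1),
    (100.1, 0),  # saturated: pull nothing this round
]


@dataclass
class ScanTask:
    task_id: str
    target_host: str
    network_env: str   # environment label of the target host (assumed, e.g. "dc-east")


def load_value(cpu_pct: float, mem_pct: float, tasks_in_progress: int) -> float:
    """Comprehensively calculate the current load value from the instant parameters."""
    task_pct = min(100.0, 100.0 * tasks_in_progress / MAX_TASKS_IN_PROGRESS)
    value = (LOAD_WEIGHTS["cpu"] * cpu_pct
             + LOAD_WEIGHTS["memory"] * mem_pct
             + LOAD_WEIGHTS["tasks"] * task_pct)
    return round(value, 2)


def tasks_to_acquire(load: float) -> int:
    """Look the load value up in the range table: the higher the load, the fewer tasks."""
    for upper_bound, count in LOAD_TABLE:
        if load < upper_bound:
            return count
    return 0


class TaskSchedulingCenter:
    """Task queue fed by the server; tasks are handed out to matching proxy nodes."""

    def __init__(self, tasks: list[ScanTask]) -> None:
        self.queue: deque = deque(tasks)

    def acquire(self, max_tasks: int, network_env: str) -> list[ScanTask]:
        """Hand out up to max_tasks tasks whose target host sits in network_env,
        leaving tasks for other environments queued in their original order."""
        picked, skipped = [], []
        while self.queue and len(picked) < max_tasks:
            task = self.queue.popleft()
            (picked if task.network_env == network_env else skipped).append(task)
        self.queue.extendleft(reversed(skipped))   # restore skipped tasks at the front
        return picked


class ProxyNode:
    """Proxy node whose load balancing module sizes each pull from the center."""

    def __init__(self, node_id: str, network_env: str, center: TaskSchedulingCenter) -> None:
        self.node_id = node_id
        self.network_env = network_env
        self.center = center
        self.in_progress: list[ScanTask] = []

    def acquire_tasks(self, cpu_pct: float, mem_pct: float) -> list[ScanTask]:
        """Called when the node is about to pull work. On a real node cpu_pct and
        mem_pct would be read from the OS; here the caller passes sample readings."""
        load = load_value(cpu_pct, mem_pct, len(self.in_progress))
        wanted = tasks_to_acquire(load)
        tasks = self.center.acquire(wanted, self.network_env)
        self.in_progress.extend(tasks)
        return tasks
```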
  • Referring to FIG. 6, the technical solutions of the disclosed embodiments may be applied to a computer terminal 10 shown in FIG. 6. The computer terminal 10 may include one or more (only one is shown in the figure) processors 102 (a processor 102 may include, but is not limited to, a processing device such as a micro-controller (MCU) or a programmable logic device (FPGA)), a memory 104 for storing data, and a transmission device 106 for communication purposes. Persons of ordinary skill in the art will understand that the structure shown in FIG. 6 is provided by way of illustration, not as a limitation on the structures of the above-described electronic devices. For example, the computer terminal 10 may also include more or fewer components than those shown in FIG. 6, or have a different configuration from that shown in FIG. 6.
  • The memory 104 may be used to store software programs and modules of application software. The processor 102 implements various functional applications and data processing by executing the software programs and modules stored in the memory 104. The memory 104 may include a high-speed random access memory and a non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some applications, the memory 104 may further include a memory located remotely from the processor 102, which may be connected to the computer terminal 10 through a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
  • The transmission device 106 is configured to receive or transmit data via the network. The aforementioned specific examples of the network may include a wireless network provided by the communication provider of the computer terminal 10. In one application, the transmission device 106 includes a network interface controller (NIC). The transmission device 106 may be connected to other network devices through base stations, so as to communicate with the Internet. In another application, the transmission device 106 may be a Radio Frequency (RF) module that is configured to communicate with the Internet wirelessly.
  • As can be seen from the above, the technical solutions provided by the present disclosure may issue scan tasks multiple times when executing vulnerability scanning on a target host, and each issued scan task is determined based on an identification of a host service, a website, or a component on the host. Specifically, when a host service is identified on the target host, the server may issue a scan task corresponding to the host service to the task scheduling center. If the identified host service contains a specified host service that signifies a website resource, the server may issue again a scan subtask for the specified host service. Compared to the previously issued scan task, the scan subtask may scan possible vulnerabilities in the specified host service more comprehensively. After issuing the scan subtask for the specified host service that signifies the website resource, a page address associated with the website resource may also be collected. For the collected page address, the server may further issue a page application scan task, so that possible vulnerabilities in a page of the website may be further scanned. Further, a web fingerprint corresponding to the collected page address may be identified. By matching the web fingerprint with the preset fingerprint database, it may be determined whether a specified page component exists in the page of the website. If the specified page component exists, the server may further issue a page component scan task, so that the specified page component with possible vulnerabilities can be scanned. In summary, the technical solutions provided by the present disclosure generate the corresponding scan tasks each time based on the results identified from the host, and issue the scan tasks multiple times, so that the target host is scanned progressively deeper. In addition, the technical solutions provided by the present disclosure may not only scan the host, but also scan the websites that are operated and maintained on the host, so that a more comprehensive scanning process can be achieved. In terms of system architecture, by adopting a distributed scanning mode of the server and proxy nodes, multiple proxy nodes may scan in parallel to improve the efficiency of vulnerability scanning. Therefore, the technical solutions provided by the present disclosure may improve not only the accuracy of vulnerability scanning, but also its efficiency.
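The multi-round issuance described in the steps of Embodiment 2 and summarised in the paragraph above, as an added Python example that is not the applicant's code: the server creates host service tasks from a preset vulnerability database, issues a scan subtask when a result concerns a service that signifies a website resource, turns the page addresses collected by that subtask into page application scan tasks, and issues a page component scan task for each page whose web fingerprint matches the preset fingerprint database. The vulnerability database, fingerprint database, service names, page addresses, the per-page fingerprints and the results the simulated proxy node returns are all constructed, and the increasing `depth` scan parameter is an assumed way of expressing the progressively deeper rounds.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field

# Preset vulnerability database (constructed): host service -> vulnerability types to scan for.
VULN_DB = {
    "ssh": ["weak-authentication"],
    "http": ["web-server-misconfiguration"],
    "https": ["tls-configuration"],
    "mysql": ["default-credentials"],
}
# Host services that signify a website resource running on the target host.
WEB_SERVICES = {"http", "https"}
# Preset fingerprint database (constructed): specified web fingerprint -> page component to scan.
FINGERPRINT_DB = {"wordpress": "wordpress-core", "struts2": "struts2-core"}

# Constructed picture of one target host, used only by the simulated proxy node:
# service -> {collected page address: web fingerprint identified for that page}.
CONSTRUCTED_PAGES = {"http": {"/blog/": "wordpress", "/about": "custom"}}


@dataclass
class ScanTask:
    kind: str      # host_service | web_subtask | page_application | page_component
    target: str
    detail: str    # service name, page address, or "page address#component"
    params: dict = field(default_factory=dict)   # scan parameters defining the scan mode


class TaskSchedulingCenter:
    """Receives the tasks the server issues and hands them out in FIFO order."""

    def __init__(self) -> None:
        self.queue: deque = deque()

    def issue(self, task: ScanTask) -> None:
        self.queue.append(task)

    def acquire(self) -> ScanTask | None:
        return self.queue.popleft() if self.queue else None


class Server:
    """Issues scan tasks in several rounds, each round driven by the previous results."""

    def __init__(self, center: TaskSchedulingCenter) -> None:
        self.center = center
        self.issued: list[ScanTask] = []   # every task issued, in issue order

    def _issue(self, task: ScanTask) -> None:
        self.issued.append(task)
        self.center.issue(task)

    # S11/S13: one task per identified host service, scoped to the vulnerability
    # types the preset database associates with that service (claim 2).
    def issue_host_service_tasks(self, target: str, services: list[str]) -> None:
        for svc in services:
            vuln_types = VULN_DB.get(svc)
            if vuln_types:   # a service with no matching vulnerability type gets no task
                self._issue(ScanTask("host_service", target, svc,
                                     {"depth": 1, "vuln_types": vuln_types}))

    # S15 and the follow-on steps: react to a result fed back by a proxy node.
    def on_result(self, task: ScanTask, result: dict) -> None:
        if task.kind == "host_service" and task.detail in WEB_SERVICES:
            # the service signifies a website resource: issue a deeper scan subtask
            self._issue(ScanTask("web_subtask", task.target, task.detail, {"depth": 2}))
        elif task.kind == "web_subtask":
            pages = result.get("pages", {})   # collected page address -> web fingerprint
            for addr in pages:
                self._issue(ScanTask("page_application", task.target, addr, {"depth": 3}))
            # match each page's web fingerprint against the preset fingerprint database
            for addr, fingerprint in pages.items():
                component = FINGERPRINT_DB.get(fingerprint)
                if component:
                    self._issue(ScanTask("page_component", task.target,
                                         f"{addr}#{component}", {"depth": 4}))
        # page application and page component results end the chain: nothing more is issued


def simulated_proxy(task: ScanTask) -> dict:
    """Stand-in for a proxy node: returns the constructed picture above instead of scanning."""
    if task.kind == "web_subtask":
        return {"pages": CONSTRUCTED_PAGES.get(task.detail, {})}
    return {"findings": []}


def run_pipeline(target: str, services: list[str], proxy=simulated_proxy) -> list[ScanTask]:
    """Drive one target host through every round; return all tasks issued, in order."""
    center = TaskSchedulingCenter()
    server = Server(center)
    server.issue_host_service_tasks(target, services)
    while (task := center.acquire()) is not None:
        server.on_result(task, proxy(task))   # proxy executes the task, server reacts
    return server.issued
```

Calling `run_pipeline("host-a", ["ssh", "http", "mysql", "ftp"])` issues seven tasks in four rounds; the unknown `ftp` service gets no task because the constructed database has no vulnerability type for it.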
  • Through the foregoing description of the disclosed embodiments, it is clear to those skilled in the art that the various embodiments may be implemented in the form of software on a necessary general hardware platform, or implemented in the form of hardware. In light of this understanding, the above technical solutions, or essentially the parts that contribute to the existing technologies, may take the form of software products. The computer software products may be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk, or an optical disc, that includes a set of instructions to direct a computing device (which may be a personal computer, a server, a network device, etc.) to implement each disclosed embodiment or part of the described methods of the disclosed embodiments.
  • Although the present disclosure has been described above with reference to some preferred embodiments, these embodiments should not be construed as limiting the present disclosure. Any modifications, equivalent replacements, and improvements made without departing from the spirit and principle of the present disclosure shall fall within the scope of protection of the present disclosure.

Claims (17)

What is claimed is:
1. A vulnerability scanning method, comprising:
identifying a host service running on a target host and creating a scan task that matches the identified host service;
issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, wherein the proxy node executes the at least one scan task for the target host, and obtains a scan result; and
receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, wherein the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, wherein the scan subtask is acquired by the proxy node from the task scheduling center and executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
2. The method according to claim 1, wherein creating the scan task that matches the identified host service includes:
searching a preset vulnerability database for a type of vulnerability that matches the identified host service; and
creating a scan task for the type of vulnerability, and setting the created scan task as the scan task that matches the identified host service.
3. The method according to claim 1, wherein the scan subtask includes a page application scan task, and issuing again the scan subtask corresponding to the specified host service to the task scheduling center includes:
collecting a page address associated with the website resource, and creating the page application scan task corresponding to the page address; and
issuing again the created page application scan task to the task scheduling center, to allow the proxy node to acquire at least one page application scan task from the task scheduling center, wherein the proxy node executes the at least one page application scan task for the target host, and obtains a scan result corresponding to the page address.
4. The method according to claim 3, after collecting the page address associated with the website resource, the method further includes:
identifying a web fingerprint of the page address, matching the web fingerprint with a preset fingerprint database, and if the web fingerprint is a specified web fingerprint existing in the preset fingerprint database, creating a page component scan task; and
issuing again the created page component scan task to the task scheduling center, to allow the proxy node to acquire at least one page component scan task from the task scheduling center, wherein the proxy node executes the at least one page component scan task for the target host, and obtains a page component scan result corresponding to the target host.
5. The method according to claim 1, further comprising:
identifying a network environment where the target host is located, and determining a target proxy node that matches the identified network environment; and
acquiring the scan task from the task scheduling center through the target proxy node, and executing the acquired scan task for the target host by the target proxy node.
6. The method according to claim 1, wherein receiving the scan result fed back by the proxy node includes:
identifying a network environment where the target host is located, and receiving the scan result reported by a proxy node that matches the identified network environment.
7. The method according to claim 1, further comprising:
periodically scanning a specified port of the target host according to a specified time interval, and when the scan result indicates that the specified port does not have access control measures, generating a warning message for the specified port.
8. The method according to claim 1, wherein the scan task includes scan parameters, and the scan parameters are used to define a scan mode corresponding to the scan task, and the proxy node executes the scan task according to the scan mode defined by the scan parameters.
9. A server, comprising a memory and a processor, wherein the memory stores computer programs that, when executed by the processor, implement the following steps:
identifying a host service running on a target host and creating a scan task that matches the identified host service;
issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, wherein the proxy node executes the at least one scan task for the target host, and obtains a scan result; and
receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, wherein the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, wherein the scan subtask is acquired by the proxy node from the task scheduling center and executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
10. The server according to claim 9, wherein the computer programs, when executed by the processor, further implement the following steps:
collecting a page address associated with the website resource, and creating a page application scan task corresponding to the page address; and
issuing again the created page application scan task to the task scheduling center, to allow the proxy node to acquire at least one page application scan task from the task scheduling center, wherein the proxy node executes the at least one page application scan task for the target host, and obtains a scan result corresponding to the page address.
11. The server according to claim 10, wherein the computer programs, when executed by the processor, further implement the following steps:
identifying a web fingerprint of the page address, matching the web fingerprint with a preset fingerprint database, and if the web fingerprint is a specified web fingerprint existing in the preset fingerprint database, creating a page component scan task; and
issuing again the created page component scan task to the task scheduling center, to allow the proxy node to acquire at least one page component scan task from the task scheduling center, wherein the proxy node executes the at least one page component scan task for the target host, and obtains a page component scan result corresponding to the target host.
12. A vulnerability scanning system, comprising a server, a task scheduling center, and a proxy node, wherein:
the server is configured to identify a host service running on a target host, create a scan task that matches the identified host service, issue the created scan task to a task scheduling center, determine whether there exists a specified host service in the identified host service, wherein the specified host service signifies an existence of a website resource running on the target host, if there exists the specified host service in the identified host service, issue again a scan subtask corresponding to the specified host service to the task scheduling center, and receive a scan result fed back by the proxy node;
the task scheduling center is configured to receive the scan task or scan subtask issued by the server, and place the received scan task or scan subtask in a task queue; and
the proxy node is configured to acquire at least one scan task or scan subtask from the task scheduling center, execute the at least one scan task or scan subtask for the target host to obtain a scan result, and feed back the obtained scan result to the server.
13. The system according to claim 12, wherein the server is further configured to collect a page address associated with the website resource, create a page application scan task corresponding to the page address, and issue again the created page application scan task to the task scheduling center.
14. The system according to claim 13, after collecting the page address associated with the website resource, the server is further configured to identify a web fingerprint of the page address, match the web fingerprint with a preset fingerprint database, if the web fingerprint is a specified web fingerprint existing in the preset fingerprint database, create a page component scan task, and issue again the created page component scan task to the task scheduling center.
15. The system according to claim 12, wherein the server is further configured to identify a network environment where the target host is located, and determine a target proxy node that matches the identified network environment, so as to acquire a scan task or scan subtask from the task scheduling center through the target proxy node, wherein the acquired scan task or scan subtask is executed by the target proxy node for the target host.
16. The system according to claim 12, wherein the proxy node further includes an address lookup module, and the address lookup module is configured to determine a target proxy node that matches a network environment where the target host is located and report the scan result through the determined target proxy node to the server.
17. The system according to claim 12, wherein the proxy node further includes a load balancing module, and the load balancing module is configured to acquire current load parameters of the proxy node, and determine the number of scan tasks or scan subtasks that are expected to be acquired from the task scheduling center based on the load parameters.

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201810124877.XA CN108282489B (en) 2018-02-07 2018-02-07 vulnerability scanning method, server and system
CN201810124877.X 2018-02-07
CN201810124877X 2018-02-07
PCT/CN2018/077557 WO2019153384A1 (en) 2018-02-07 2018-02-28 Vulnerability scanning method and system, and server

Publications (2)

Publication Number Publication Date
US11070580B1 US11070580B1 (en) 2021-07-20
US20210226979A1 true US20210226979A1 (en) 2021-07-22

Family

ID=62807910

Family Applications (1)

Application Number Title Priority Date Filing Date
US16/099,815 Active 2039-07-16 US11070580B1 (en) 2018-02-07 2018-02-28 Vulnerability scanning method, server and system

Country Status (4)

Country Link
US (1) US11070580B1 (en)
EP (1) EP3751811A4 (en)
CN (1) CN108282489B (en)
WO (1) WO2019153384A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
NL2026468A (en) * 2019-12-19 2021-08-11 Group Ib Tds Ltd Method and system for determining network vulnerabilities


Also Published As

Publication number Publication date
CN108282489B (en) 2020-01-31
EP3751811A4 (en) 2021-03-31
WO2019153384A1 (en) 2019-08-15
CN108282489A (en) 2018-07-13
US11070580B1 (en) 2021-07-20
EP3751811A1 (en) 2020-12-16


Legal Events

Date Code Title Description
AS Assignment

Owner name: WANGSU SCIENCE & TECHNOLOGY CO.,LTD., CHINA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:WANG, HAIHAN;XU, YOUNAN;ZHONG, QIFU;AND OTHERS;SIGNING DATES FROM 20180316 TO 20181015;REEL/FRAME:047451/0691

FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCF Information on status: patent grant

Free format text: PATENTED CASE