Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art by providing a vulnerability scanning system for network-oriented security evaluation, together with a processing method for it. Starting from the weaknesses that traditional vulnerability scanning systems exhibit in their architecture and in their assessment algorithms, a more rational scanning system model is proposed, and an assessment algorithm based on fuzzy mathematics is applied to the scan results, thereby improving the accuracy of the assessment.
The technical solution adopted by the present invention to solve these problems is a vulnerability scanning system for network-oriented security evaluation comprising a server end and a client in a C/S (client/server) architecture; the server end runs on a Unix or Linux platform and the client runs on a Windows platform.
The server end comprises:
A scanning engine service module, which accepts requests from the client and executes scan tasks;
A plugin library, which stores the plugins that check for vulnerabilities;
A vulnerability database, which stores vulnerability data;
A scan history store, which stores scan history records;
In the server end, the scanning engine service module is connected to the plugin library, the vulnerability database and the scan history store respectively. According to the request from the client, it calls plugins from the plugin library and reads the corresponding scan history from the scan history store to scan the target network, writes the new scan information into the scan history store, matches the scan results against the vulnerability database to determine whether vulnerabilities are found, and finally sends the scan results to the client;
The client comprises:
A scanning configuration module, which provides an interface that lets the user configure the information of a scan session, forms the configuration information into a scan parameter file, and sends it encrypted to the server end;
A scan report processing module, which generates a scan report from the vulnerability information in the Chinese vulnerability database and the scan result information;
An assessment algorithm module, which performs computational analysis on the scan results according to a preset algorithm and forms a security evaluation report;
A scan result store, which stores scan result data;
A Chinese vulnerability database, which stores Chinese-language vulnerability data;
In the client, the assessment algorithm module is connected to the scan result store: it retrieves the scan results from the scan result store and analyses them according to the preset algorithm, thereby forming the security evaluation report. The scan report processing module is connected to the Chinese vulnerability database and the scan result store respectively: it extracts vulnerability information from the Chinese vulnerability database, retrieves scan result information from the scan result store, and generates the scan report.
The server end further comprises:
A dispatching process module, which accepts requests from the client and sends scan-start instructions to the scanning engine service module;
An intrusion detection module, which monitors the network condition, judges whether the network is abnormal, and starts a scan when an abnormality is present;
A rule base, which stores rule data;
In the server end, the dispatching process module is connected to the scanning engine service module and drives it to execute scan tasks. The intrusion detection module is connected to the rule base; it monitors the network condition and compares the monitoring results with the rules in the rule base to judge whether an abnormality has occurred on the network.
The client further comprises:
A warning module, which produces an alarm according to the scan-start instruction sent by the intrusion detection module of the server end; the user may then scan the current network, or the dispatching process module of the server end may be started automatically to scan it;
When the intrusion detection module of the server end detects an abnormality, it sends a scan-start instruction to the warning module of the client; the warning module produces a warning message and, as required, automatically starts the dispatching process module of the server end to perform the scan.
The server end further comprises:
A client validation module, which accepts verification requests from the client, verifies the client certificate, and sends the server end certificate to the client;
A user certificate store, which stores user information and client certificates;
In the server end, the client validation module is connected to the user certificate store and verifies a client by comparing the certificate in the client's verification request against the client certificate held in the user certificate store;
The client further comprises:
A server end authentication module, which sends the client certificate to the server end and receives the server end certificate;
A server certificate store, which stores server information and server end certificates;
In the client, the server end authentication module is connected to the server certificate store and verifies the server by comparing the received server end certificate against the server end certificate held in the server certificate store.
The server end further comprises:
A vulnerability expansion and Chinese localisation module, which establishes the Chinese vulnerability database;
In the server end, the vulnerability expansion and Chinese localisation module is connected to the Chinese vulnerability database.
The processing method for vulnerability scanning with network-oriented security evaluation of the present invention comprises the following steps:
The client connects to the designated server end using certificate authentication, and the server end verifies the client certificate;
The client starts the scanning configuration module to configure the network to be scanned and sends the configuration information to the server end;
The server end starts the scanning engine service module, which, according to the configuration parameters, calls the plugins in the plugin library and reads the corresponding scan history from the scan history store to scan the designated network;
The scanning engine service module of the server end writes the new scan information into the scan history store; at the same time it matches the scan results against the vulnerability database to determine whether vulnerabilities are found, and finally sends the scan results to the client;
The scan result store of the client receives and stores the scan results from the server end;
The assessment algorithm module of the client obtains the scan result information from the scan result store, analyses it according to the preset algorithm, and then forms the security evaluation report;
The scan report processing module of the client generates the scan report from the vulnerability information in the Chinese vulnerability database and the scan result information obtained from the scan result store;
Once the server is running, the intrusion detection module of the server end continuously captures packets on the monitored network, matches them against the rules in the rule base, and judges whether abnormal conditions exist on the network;
When the network shows abnormal conditions, the warning module in the client is notified; the warning module raises an alarm, and either the user scans the current network or the dispatching process module of the server end is started automatically, which drives the scanning engine service module to scan the whole network.
The beneficial effects of the invention are as follows. Because the vulnerability scanning system is combined with an intrusion detection system, and a warning function and a scheduling function are introduced, the system can perform targeted vulnerability scanning and security evaluation of the network to be assessed according to the user's needs. Because a security evaluation method based on fuzzy mathematics is introduced, which assesses the scan results more objectively and accurately, the overall scan report is more accurate. The system can perform system vulnerability scanning automatically, produce intuitive scan report results, and at the same time effectively prevent intrusions; combined with relevant expert judgement, it makes the overall network security assessment more accurate and authoritative.
The present invention is described in further detail below with reference to the drawings and embodiments, but the vulnerability scanning system for network-oriented security evaluation and its processing method are not limited to these embodiments.
Embodiment
In the embodiment shown in Figure 2, the vulnerability scanning system for network-oriented security evaluation of the present invention comprises a server end 1 and a client 2 in a C/S architecture; the server end 1 runs on a Unix or Linux platform and the client 2 runs on a Windows platform.
The server end 1 comprises:
A scanning engine service module 16, which accepts requests from the client 2 and executes scan tasks. Its main function is to select specific plugins from the plugin library according to the user's customisation, coordinate the relationships between the individual scan plugins, carry out the scan, deposit the results in the scan history, and send them to the client;
A client validation module 19, which accepts verification requests from the client 2, verifies the client certificate, and sends the server end certificate to the client 2. When the server end 1 is run for the first time, user information and server rules must be set up, after which a server end certificate can be generated. This module stores user information and the certificates of clients 2, and supports users logging in to the server with either a password or a certificate;
A dispatching process module 17, which accepts requests from the client 2 and sends scan-start instructions to the scanning engine service module 16. According to the scan task schedule configured by the user at the client 2, this module executes the corresponding scan tasks periodically and saves the scan results automatically;
An intrusion detection module 18, which monitors the network condition, judges whether the network is abnormal, and starts a scan when an abnormality is present. This module continuously captures and analyses packets on the monitored network and matches them against the rules in the rule base, thereby judging whether abnormal conditions exist on the network and starting the dispatching process module in time;
A plugin library 11, which stores the plugins that check for vulnerabilities. Plugins and vulnerabilities are in a one-to-one relationship: each plugin is responsible for checking one vulnerability, all plugins are kept in the plugin library 11, and plugins are organised by their respective categories;
A vulnerability database 12, which stores vulnerability data. When the system performs an external scan, the information returned from the target host or network is matched against the information in this vulnerability database 12 to judge whether the target host or network has the corresponding vulnerability;
A rule base 13, which stores rule data;
A user certificate store 14, which stores user information and client certificates;
A scan history store 15, which stores scan history records;
In the server end 1: the scanning engine service module 16 is connected to the plugin library 11, the vulnerability database 12 and the scan history store 15 respectively; according to the request from the client 2 it calls plugins from the plugin library 11 and reads the corresponding scan history from the scan history store 15 to scan the target network 3, writes the new scan information into the scan history store 15, matches the scan results against the vulnerability database 12 to determine whether vulnerabilities are found, and finally sends the scan results to the client 2. The dispatching process module 17 is connected to the scanning engine service module 16 and drives it to execute scan tasks. The intrusion detection module 18 is connected to the rule base 13; it monitors the network condition and compares the monitoring results with the rules in the rule base 13 to judge whether an abnormality has occurred on the target network 3. The client validation module 19 is connected to the user certificate store 14 and verifies a client by comparing the certificate in the verification request from the client 2 against the client certificate held in the user certificate store 14;
The client 2 comprises:
A server end authentication module 205, which sends the client certificate to the server end 1 and receives the server end certificate. When the client 2 connects to the server for the first time, it downloads the certificate from the server and keeps it at the client; on every subsequent connection between the client 2 and the server end 1, the server end certificate stored at the client is checked against the certificate on the current server end, and the connection succeeds only when the two are consistent;
A warning module 203, which produces an alarm according to the scan-start instruction sent by the intrusion detection module 18 of the server end 1; the user may then scan the current network, or the dispatching process module 17 of the server end 1 may be started automatically to scan it;
A scanning configuration module 201, which provides an interface that lets the user configure the information of a scan session, forms the configuration information into a scan parameter file, and sends it encrypted to the server end 1;
A scan report processing module 208, which generates the scan report 209 from the vulnerability information in the Chinese vulnerability database and the scan result information. The scan report is available in formats such as txt and html; to make it more visual, vulnerability hazard ratings and vulnerability family information can also be shown as line charts, pie charts and bar charts;
A vulnerability expansion and Chinese localisation module 204, which establishes the Chinese vulnerability database;
An assessment algorithm module 206, which performs computational analysis on the scan results according to a preset algorithm and forms the security evaluation report 207;
A scan result store 202, which stores scan result data;
A Chinese vulnerability database 210, which stores Chinese-language vulnerability data;
A server certificate store 211, which stores server information and server end certificates;
In the client 2: the server end authentication module 205 is connected to the server certificate store 211 and verifies the server by comparing the received server end certificate against the server end certificate held in the server certificate store 211. The assessment algorithm module 206 is connected to the scan result store 202; it retrieves the scan results from the scan result store 202 and analyses them according to the preset algorithm, thereby forming the security evaluation report 207. The scan report processing module 208 is connected to the Chinese vulnerability database 210 and the scan result store 202 respectively; it extracts vulnerability information from the Chinese vulnerability database 210, retrieves scan result information from the scan result store 202, and generates the scan report 209.
In the vulnerability scanning system of the present invention, the warning module 203 depends mainly on whether the intrusion detection module 18, through the IDS process on the server, has found an intrusion: if one is found, an alarm is produced, and the user can scan the current network through the warning module 203 or the dispatching process module 17 is started automatically to scan it. Its workflow is shown in Figure 3:
Step S1: the warning module 203 produces an alarm according to the scan-start instruction sent by the intrusion detection module 18, then proceeds to step S2;
Step S2: the scan task is placed into the task store, then step S3;
Step S3: the subtask priority is set to the highest level, then step S4;
Step S4: it is judged whether a scan process is currently running; if one is running, proceed to step S5, otherwise to step S7;
Step S5: it is judged whether the scan process has finished running; if it has finished, proceed to step S7, otherwise to step S6;
Step S6: it is judged whether the scan process has been forcibly stopped; if it has, proceed to step S7, otherwise return to step S5;
Step S7: the dispatching process module 17 is started to perform the scan.
In the vulnerability scanning system of the present invention, the scanning configuration module 201 mainly provides an interface that lets the user configure the information of a given scan session, forms the configuration information into a scan parameter file, and sends it to the server end, as shown in Figure 4.
In the vulnerability scanning system of the present invention, the Chinese vulnerability database established by the vulnerability expansion and Chinese localisation module 204 has the following fields:
Plugin ID (PID): the ID of the plugin required to detect a given vulnerability;
Plugin name (PNAME): the name of the plugin, i.e. the name of the vulnerability the plugin finds;
Vulnerability description (DESCRIPTION): information about the vulnerability, so that the user understands it further;
Solution (SOLUTION): the solution for the vulnerability;
See also (SEEALSO): the link address from which the patch for the vulnerability can be downloaded;
Risk factor (RISKFACTOR): the risk level of the vulnerability, from which the user knows which vulnerabilities do great harm to the system and need patches downloaded immediately;
Reference (REFERENCE): reference information related to the vulnerability;
Plugin version (COPYRIGHT): the copyright information of the plugin;
Vulnerability family (FAMILY): the family to which the vulnerability belongs;
Vulnerability category (CATEGORY): the category of the vulnerability;
CVE number (CVE): the CVE number of the vulnerability;
Flag bit (FLAG): whether this plugin's information has been localised into Chinese.
The vulnerability categories of this Chinese vulnerability database are of five kinds: Attack, Denial, Info, Scanner and Others. Its vulnerability families are listed in Table 1; these families serve as a reference for the system security assessment described below:
Table 1 Vulnerability family classification table
1. AIX local security checks
2. Backdoors
3. Brute force attacks
4. CGI abuses
5. CGI abuses: XSS
6. CISCO
7. Debian local security checks
8. Default Unix accounts
9. Denial of service
10. Fedora local security checks
11. Finger abuses
12. Firewalls
13. FreeBSD local security checks
14. FTP
15. Gain a shell remotely
16. Gain root remotely
17. General
18. Gentoo local security checks
19. HP-UX local security checks
20. Mac OS local security checks
21. Mandrake local security checks
22. Misc
23. Netware
24. Network Information Service
25. Peer-to-peer file sharing
26. TCP device
27. Red Hat local security checks
28. Remote file access
29. Remote procedure call
30. Service detection
31. Settings
32. Slackware local security checks
33. SMTP problems
34. Simple Network Management Protocol
35. Solaris local security checks
36. SuSE local security checks
37. Ubuntu local security checks
38. Useless services
39. Web servers
40. Windows
41. Windows: Microsoft bulletins
42. Windows: user management
According to the structure of the above system security vulnerability database and the vulnerability families, an example record is shown in Table 2:
Table 2 System vulnerability example
In the vulnerability scanning system of the present invention, the assessment algorithm module 206 treats the term "security evaluation" as covering two aspects: one is the assessment of the randomness with which a security incident occurs; the other is the assessment of the loss caused by a security incident. On this basis, let P denote the randomness with which a security incident occurs, let C denote the loss or impact caused after the incident occurs, and let S denote the risk reflecting the security level of the system, where the domains of P and C are the interval [0,1]. The risk S is in fact the likelihood estimate that a security incident occurs and produces its consequence:
$S = f(\text{estimated probability that the security incident occurs},\ \text{estimated loss after the security incident occurs})$
$= 1 - (\text{probability that the security incident does not occur}) \times (\text{estimated loss when the security incident does not occur})$
$= 1 - (1 - P)(1 - C)$
$= P + C - PC$
The assessment set for the risk S is defined as {high security, general security, low security}, with corresponding values {0.3, 0.7, 1.0}: if S < 0.3 the system is a high-security system; if S > 0.7 it is a low-security system; in between it is a general-security system.
The invention also proposes a security evaluation method based on fuzzy mathematics and applies it to the vulnerability scanning system. The steps of the algorithm are as follows:
(1) Establish the factor set
The factor set is the ordinary set whose elements are the individual factors influencing the object being evaluated. It is usually denoted by the capital letter U, i.e. $U = \{u_1, u_2, \dots, u_m\}$, where $u_i$ denotes each influencing factor. These factors usually carry varying degrees of fuzziness.
When assessing the randomness with which a security incident occurs, the main factor affecting system security is assumed to be the fragility of the system, i.e. its vulnerabilities, so the factor set is $U_1 = \{\text{system vulnerabilities}\}$. The assessment of the degree of impact of a security incident's consequences is usually weighed from three aspects of the organisation, namely the degree of dependence on information assets, the significance of the existing preventive measures, and the significance of the existing control measures, so the factor set is $U_2 = \{\text{assets}, \text{safeguards}, \text{control measures}\}$.
(2) Establish the evaluation set
The evaluation set is the set of the various evaluation results that the judges may give for the object being evaluated. It is usually denoted by the capital letter V, i.e. $V = \{v_1, v_2, \dots, v_n\}$, where each element $v_i$ represents a possible overall evaluation result. The purpose of fuzzy evaluation is to select the best evaluation result from the evaluation set on the basis of all influencing factors.
When assessing the randomness with which a security incident occurs, the evaluation set delimited by the experts according to the fuzzy evaluation rules is $V_1 = \{\text{small}, \text{smaller}, \text{general}, \text{larger}, \text{large}\} = \{0.1, 0.3, 0.5, 0.7, 1.0\}$; when assessing the degree of impact of a security incident's consequences, the evaluation set is $V_2 = \{\text{low}, \text{lower}, \text{medium}, \text{higher}, \text{high}\} = \{0.1, 0.3, 0.5, 0.7, 1.0\}$.
(3) Establish the weight set and carry out fuzzy comprehensive evaluation
To reflect the degree of importance of each factor, each factor $u_i$ ($i = 1, 2, \dots, n$) is given a corresponding weight $a_i$ ($i = 1, 2, \dots, n$); the set formed by these weights, $A = \{a_1, a_2, \dots, a_n\}$, is called the factor weight set, or weight set for short, and must satisfy:
For the single factor affecting system security (the vulnerabilities), the judgement uses the weight $w_1 = 1$. If the degree of membership of this factor to the grade $v_i$ is $a_i$, one method of determining the degree of membership $a_i$ is as follows:
The vulnerability hazard severity grade reference table defined by the vulnerability scanning system (Table 3), the vulnerability hazard possibility grade reference table (Table 4), and the vulnerability information obtained from the scan (vulnerability name, hazard rating, family, description, solution, etc.) are provided to the experts; each expert, according to the vulnerability information and their own environment, assigns a hazard possibility grade weight to each vulnerability. The assessed value of the vulnerability risk factor is:
The probability of occurrence of a security incident caused by system vulnerabilities is then:
This method determines the degrees of membership more accurately but is more laborious, and as the number of vulnerabilities grows its workload becomes relatively large. Therefore, one may instead list the families to which the vulnerabilities in the scan report belong, let the experts select a hazard possibility grade per vulnerability family according to the proportion in which each family occurs, and compute the assessed value R' of the vulnerability risk factor from that.
The fuzzy assessment set for the vulnerability factor is $R = \{r_1, r_2, r_3, r_4, r_5\}$; $a_i$ can then be determined from $r_i$ by the following formula:
Table 3 Vulnerability hazard severity grade reference table
Table 4 Vulnerability hazard possibility grade reference table
Each factor in the factor set $U_2$ is given a corresponding weight, $W = \{w_1, w_2, w_3\}$, satisfying:
The experts evaluate each factor in the factor set $U_2$ with reference to the evaluation set $V_2$, obtaining the single-factor evaluation sets $R_i = \{r_{i1}, r_{i2}, r_{i3}, r_{i4}, r_{i5}\}$; the degrees of membership of each factor to the evaluation set form the rows of the single-factor evaluation matrix R:
A single-factor fuzzy evaluation reflects only the influence of one factor on the object being evaluated, which is obviously insufficient; only by combining all influencing factors can a scientific evaluation result be obtained. Composing the weight set with the single-factor fuzzy evaluation matrix gives the fuzzy comprehensive evaluation set B, $B = W * R$. Therefore the degree of damage caused after a security incident occurs is:
$C = B \cdot V_2^{T}$
An example of applying this assessment algorithm is given below:
Experimental environment: the developed vulnerability scanning system was used to scan more than ten hosts in a laboratory LAN with IP addresses in the range 210.34.55.~ to 210.34.55.~; 2205 plugins were selected in the scan configuration.
Using this system, a system security evaluation of the above scan results was carried out; the whole evaluation process is divided into the following steps:
(1) In the scan report produced by the vulnerability scanning system, the number of high-hazard vulnerabilities is 9, the number of medium-hazard vulnerabilities is 35, and the number of low-hazard vulnerabilities is 8.
(2) The experts assign the weights $W = \{0.3, 0.4, 0.3\}$ to the factor set $U_2 = \{\text{assets}, \text{safeguards}, \text{control measures}\}$ affecting the consequences of a security incident, and at the same time evaluate each factor in $U_2$ with reference to the evaluation set $V_2$, obtaining the judgement matrix:
From this, C = 0.486000 is calculated.
(3) The experts judge the hazard possibility grade of each vulnerability according to its description and severity grade; the probability of occurrence of a security incident is then calculated as P = 0.335192, and the fuzzy comprehensive evaluation gives the LAN a risk S of 0.658289, so the LAN is judged to be a general-security system.
If instead the experts select the hazard possibility grade by vulnerability family in order to determine the hazard possibility grade of each vulnerability, with the selection results shown in Table 5 below, the probability of occurrence is calculated as P = 0.334808, and the fuzzy comprehensive evaluation gives the LAN a risk S of 0.658091, so the LAN is again judged to be a general-security system.
Table 5 Vulnerability hazard possibility grade decision table
Comparing the two methods of selecting the vulnerability hazard possibility grade, it can be seen that the deviation between their evaluation results is small, but the second method greatly reduces the experts' workload, so when the number of system vulnerabilities to be judged reaches a certain quantity, the second method can be considered. In general, the first method gives a relatively accurate result but involves a large workload; the second method involves less workload but carries some error.
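The following Python module is an added illustration of the assessment algorithm above (the risk formula, the composition B = W*R, the damage degree C = B·V2^T, and the family-based shortcut for P); it is not code from the patent. Since the page does not reproduce its formulas for R and P or its judgement matrix, the example assumes a weighted-sum composition operator, assumes P = R·V1^T in the same way that C is obtained from B over V2, and uses a constructed judgement matrix and constructed family data.

```python
"""Fuzzy-mathematics security evaluation (added illustration, not the
patent's code).  Assumptions beyond the page: B = W*R uses the weighted-sum
operator, P = R . V1^T mirrors C = B . V2^T, and every weight vector and
membership row is normalised so that it sums to 1."""
from typing import Dict, List, Sequence

# Evaluation sets from the page: V1 grades the likelihood that a security
# incident occurs, V2 grades the degree of impact of its consequences.
V1_GRADES = ("small", "smaller", "general", "larger", "large")
V2_GRADES = ("low", "lower", "medium", "higher", "high")
V1 = [0.1, 0.3, 0.5, 0.7, 1.0]
V2 = [0.1, 0.3, 0.5, 0.7, 1.0]


def _check_distribution(vec: Sequence[float], name: str) -> None:
    """Weights and membership rows must lie in [0,1] and sum to 1 (assumed)."""
    if any(x < 0.0 or x > 1.0 for x in vec):
        raise ValueError(f"{name}: entries must lie in [0, 1]")
    if abs(sum(vec) - 1.0) > 1e-9:
        raise ValueError(f"{name}: entries must sum to 1")


def fuzzy_compose(weights: Sequence[float],
                  matrix: Sequence[Sequence[float]]) -> List[float]:
    """B = W*R with the weighted-sum operator: b_j = sum_i w_i * r_ij."""
    _check_distribution(weights, "W")
    if len(weights) != len(matrix):
        raise ValueError("one weight per factor row is required")
    for k, row in enumerate(matrix):
        _check_distribution(row, f"R[{k}]")
    n = len(matrix[0])
    return [sum(w * row[j] for w, row in zip(weights, matrix)) for j in range(n)]


def defuzzify(memberships: Sequence[float], grades: Sequence[float]) -> float:
    """Collapse a membership vector onto its evaluation set: sum_j b_j * v_j."""
    return sum(b * v for b, v in zip(memberships, grades))


def impact_degree(weights: Sequence[float],
                  matrix: Sequence[Sequence[float]]) -> float:
    """C = B . V2^T for the factor set U2 = {assets, safeguards, controls}."""
    return defuzzify(fuzzy_compose(weights, matrix), V2)


def memberships_from_family_grades(family_counts: Dict[str, int],
                                   family_grade: Dict[str, str]) -> List[float]:
    """Second method from the page: each vulnerability family receives one V1
    grade, and the family's share of all vulnerabilities becomes the
    membership of that grade (R' built from family occurrence ratios)."""
    total = sum(family_counts.values())
    r = [0.0] * len(V1)
    for family, count in family_counts.items():
        r[V1_GRADES.index(family_grade[family])] += count / total
    return r


def occurrence_probability(memberships: Sequence[float]) -> float:
    """P = R . V1^T for the single-factor set U1 = {system vulnerabilities};
    its weight is w1 = 1, so no composition step is needed."""
    _check_distribution(memberships, "R")
    return defuzzify(memberships, V1)


def risk(p: float, c: float) -> float:
    """S = 1 - (1 - P)(1 - C) = P + C - P*C, the page's risk formula."""
    return 1.0 - (1.0 - p) * (1.0 - c)


def classify(s: float) -> str:
    """Assessment set {high, general, low security}, thresholds 0.3 and 0.7."""
    if s < 0.3:
        return "high security"
    if s > 0.7:
        return "low security"
    return "general security"


# --- Constructed sample inputs (not the experts' data from the page) ---
W_U2 = [0.3, 0.4, 0.3]  # the page's own weights for U2
# Judgement matrix for U2, one membership row per factor over V2.  The page
# does not reproduce its matrix; this one is constructed so that C = 0.486,
# the value the page reports.
R_U2 = [
    [0.1, 0.2, 0.4, 0.2, 0.1],        # assets
    [0.2, 0.3, 0.275, 0.125, 0.1],    # safeguards
    [0.1, 0.2, 0.3, 0.3, 0.1],        # control measures
]
# Family breakdown of the 52 vulnerabilities (9 + 35 + 8 on the page);
# family names, counts and the grade per family are constructed.
FAMILY_COUNTS = {"Web servers": 20, "Windows": 15, "Service detection": 17}
FAMILY_GRADE = {"Web servers": "general", "Windows": "smaller",
                "Service detection": "small"}


def evaluate_example() -> dict:
    """Run the whole pipeline on the constructed inputs, returning each stage."""
    c = impact_degree(W_U2, R_U2)
    r_prime = memberships_from_family_grades(FAMILY_COUNTS, FAMILY_GRADE)
    p = occurrence_probability(r_prime)
    s = risk(p, c)
    return {"C": c, "R_prime": r_prime, "P": p, "S": s, "level": classify(s)}


if __name__ == "__main__":
    for key, value in evaluate_example().items():
        print(f"{key}: {value}")
```

With the page's own P and C (0.335192 and 0.486), `risk` reproduces the reported S = 0.658289, and the constructed family data lands in the same general-security band.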
The processing method for vulnerability scanning with network-oriented security evaluation of the present invention comprises the following steps:
The client 2 connects to the designated server end 1 using certificate authentication, and the server end 1 authenticates the client 2;
The client 2 starts the scanning configuration module 201 to configure the network to be scanned and sends the configuration information to the server end 1;
The server end 1 starts the scanning engine service module 16, which, according to the configuration parameters, calls the plugins in the plugin library 11 and reads the corresponding scan history from the scan history store 15 to scan the designated network;
The scanning engine service module 16 of the server end 1 writes the new scan information into the scan history store 15; at the same time it matches the scan results against the vulnerability database 12 to determine whether vulnerabilities are found, and finally sends the scan results to the client 2;
The scan result store 202 of the client 2 receives and stores the scan results from the server end 1;
The assessment algorithm module 206 of the client 2 obtains the scan result information from the scan result store 202, analyses it according to the preset algorithm, and then forms the security evaluation report 207;
The scan report processing module 208 of the client 2 generates the scan report 209 from the vulnerability information in the Chinese vulnerability database 210 and the scan result information obtained from the scan result store 202;
Once the server is running, the intrusion detection module 18 of the server end 1 continuously captures packets on the monitored network, matches them against the rules in the rule base 13, and judges whether abnormal conditions exist on the network;
When the network shows abnormal conditions, the warning module 203 in the client 2 is notified; the warning module 203 raises an alarm, and either the user scans the current network or the dispatching process module 17 of the server end 1 is started automatically, which drives the scanning engine service module 16 to scan the whole network.
The above embodiment is only used to further illustrate the vulnerability scanning system for network-oriented security evaluation of the present invention and its processing method; the present invention is not limited to this embodiment, and any simple modification, equivalent variation or alteration made to the above embodiment according to the technical essence of the present invention falls within the scope of protection of the technical solution of the present invention.