CN106570403A - Loophole harm degree identification method based on risk model - Google Patents


Info

Publication number: CN106570403A
Authority: CN (China)
Prior art keywords: value, vulnerability, exploitability, determining
Legal status: Pending at publication; the application was later rejected after publication (see Legal Events below)
Application number: CN201610952631.2A
Other languages: Chinese (zh)
Inventors: 张祖优, 马健
Current assignee: Beijing Future Information Technology Co Ltd
Original assignee: Beijing Future Information Technology Co Ltd
Priority date: 2016-11-02
Filing date: 2016-11-02
Publication date: 2017-04-19

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system


Abstract

The invention discloses a vulnerability hazard-degree identification method based on a risk model. The method comprises the steps: 1) for a given vulnerability, determining its potential loss value D according to the information that can be leaked by means of the vulnerability; 2) testing the target program in which the vulnerability is located and determining its reproducibility value R according to the factors or conditions that affect successful reproduction of the vulnerability; 3) querying the vulnerability's proof-of-concept (PoC) programs or published information and determining its exploitability value E; 4) determining its affected-user value A according to the number of users of the application or component in which the vulnerability lies; 5) determining its discoverability value D according to the vulnerability's attack information; and 6) determining the hazard degree of the vulnerability from the potential loss value D, reproducibility value R, exploitability value E, affected-user value A and discoverability value D so obtained. The method matches real vulnerability-exploitation scenarios and simplifies calculation of the vulnerability grade.

Description

A vulnerability hazard-degree identification method based on a risk model
Technical field
The present invention relates to a vulnerability hazard-degree identification method based on a risk model, and belongs to the field of network technology.
Background
Vulnerability grade: a way of expressing the severity of a vulnerability as a numeric level.
General vulnerability: a vulnerability originating in a general-purpose component (such as WordPress or Nginx). The appearance of such a vulnerability may affect the many websites and applications that use that component.
The present invention concerns vulnerability hazard assessment. No system is perfectly secure. As the Internet becomes ever more widespread and all kinds of Internet applications and devices connect to it, they bring convenience to people's lives but also risks, such as disclosure of personal privacy. Most of these risks are caused by vulnerabilities, so vulnerability research is an important subject in the field of network security. With vulnerabilities of every description, differing in hazard degree and in exploitation scenario, assessing the hazard degree and importance of a vulnerability requires vulnerability hazard assessment, which is normally expressed as a vulnerability grade: the higher the grade, the higher the hazard degree and the higher the corresponding importance.
Most vulnerability grade calculation methods estimate and calculate according to the conditions of the vulnerability itself, grading the vulnerability by fine-grained dimensions such as its disclosure time, the privileges it requires, and its attack vector.
Exploitation of a vulnerability usually takes place in combination with the scenario in which the vulnerability sits, and the power a vulnerability has in different scenarios in most cases depends not on the vulnerability itself but on the scenario and the business that uses it.
Traditional vulnerability grade assessment evaluates a vulnerability through the dimensions of the vulnerability itself. To some extent this reflects the hazard degree and importance of the vulnerability, but once the business scenario is taken into account, the scenario itself may have a large influence, so that the assessed grade may not match the actual harm the vulnerability causes.
At the same time, because of the complexity of vulnerabilities, many of a vulnerability's own dimensions are variable: in different situations the same indicator may take different values, which also makes traditional grade assessment complex.
Furthermore, the calculation methods used by traditional vulnerability grading cover the values of many dimensions of the vulnerability itself; the computational complexity is quite high, the demands on the assessor are high, and not everyone can readily understand and compute a vulnerability grade.
Summary of the invention
In view of the technical problems in the prior art, the object of the present invention is to provide a vulnerability hazard-degree identification method based on a risk model.
Based on a risk model, the present invention assesses the vulnerability grade from a relatively macroscopic angle, covering five dimensions: potential loss, reproducibility, exploitability, affected users and discoverability. For each of the five dimensions a three-level model (high, medium, low) is established, and the vulnerability grade is calculated from these.
The technical scheme of the present invention is:
A vulnerability hazard-degree identification method based on a risk model, comprising the steps:
1) for a given vulnerability, determining the potential loss value D of the vulnerability according to the leaked information that can be obtained by means of the vulnerability;
2) testing the target program in which the vulnerability exists to obtain the factors or test conditions under which the vulnerability reproduces successfully in the target program, and then determining the reproducibility value R of the vulnerability according to the factors or test conditions that affect successful reproduction;
3) querying the proof-of-concept program (PoC) of the vulnerability or the published information about the vulnerability to determine the exploitability value E of the vulnerability;
4) determining the affected-user value A of the vulnerability according to the number of users of the application or component to which the vulnerability belongs;
5) determining the discoverability value D of the vulnerability according to the attack information of the vulnerability;
6) determining the hazard degree of the vulnerability according to the potential loss value D, reproducibility value R, exploitability value E, affected-user value A and discoverability value D obtained above.
Further, the discoverability value D of the vulnerability is determined by: determining the vulnerability location and the required conditions according to the attack information of the vulnerability, and then determining the discoverability value D according to the determined location and required conditions.
Further, the potential loss value D, reproducibility value R, exploitability value E, affected-user value A and discoverability value D each take their value from the same set of set points, and the hazard degree of the vulnerability is obtained by adding the potential loss value D, reproducibility value R, exploitability value E, affected-user value A and discoverability value D.
Further, the hazard degree is the hazard rating corresponding to the cumulative value obtained by adding the potential loss value D, reproducibility value R, exploitability value E, affected-user value A and discoverability value D.
Further, the leaked information includes system authorization information and private data.
Further, the private data includes user passwords and private keys.
Further, the exploitability value E of the vulnerability is determined either from the time interval between the earliest publication time of the vulnerability's PoC program and the publication time of the vulnerability, or from the complexity of the vulnerability.
Compared with the prior art, the advantages of the present invention are:
1. The invention defines five vulnerability assessment dimensions that combine with the actual scenario of the vulnerability, making the harm of a vulnerability easier to understand.
2. By establishing a simple risk model for vulnerability grade assessment, the calculation of the vulnerability grade is simplified while still fitting real exploitation scenarios.
3. By specifying the high, medium and low cases for each risk dimension, vulnerability assessment becomes easier to quantify.
Assessing 100 vulnerabilities drawn at random from the more than 50,000 vulnerabilities in Seebug by this method and by manual judgement showed that the method's assessment results had an accuracy of 99%.
Description of the drawings
Fig. 1 is a flow chart of the method of the invention.
Specific embodiment
The preferred embodiment is described in detail below with reference to the drawing. It should be emphasized that the following description is merely exemplary and is not intended to limit the scope of the invention or its application.
1. Calculation formula
Degree of danger = probability of occurrence × potential loss
The formula states that the danger posed by a specific threat equals the probability that the threat occurs multiplied by the potential loss. The potential loss expresses the consequence if an attack takes place; the vulnerability's reproducibility, discoverability, exploitability and affected-user values together determine the probability that it occurs.
2. Risk definitions
D, potential loss: if the defect is exploited, how large is the loss?
R, reproducibility: how hard is it to reproduce the attack?
E, exploitability: how hard is it to launch the attack?
A, affected users: expressed as a rough percentage, how many users are affected?
D, discoverability: how easily is the defect found? (Potential loss and discoverability are distinct quantities even though the letter D is used for both.)
3. Risk model
4. Calculation method
When grading a vulnerability, for each of the five dimensions (potential loss, reproducibility, exploitability, affected users, discoverability) match the vulnerability against the risk model to decide whether it is high, medium or low in that dimension, and take the corresponding number: high = 2, medium = 1, low = 0. Adding the five numbers gives the vulnerability grade, which lies in the range 0-10 and is the final vulnerability grade.
Vulnerability grade = potential loss level + reproducibility level + exploitability level + affected-user level + discoverability level.
5. Sample calculation
Vulnerability name: OpenSSL Heartbleed vulnerability
According to the published vulnerability information (see https://www.seebug.org/vuldb/ssvid-89231):
Potential loss D: an attacker can read up to 64 KB of data from memory, which may contain sensitive information such as user passwords and private keys. This matches the potential-loss criterion【leaks sensitive information】and is graded medium.
Reproducibility R: testing a target that has the vulnerability shows that it reproduces every time; there is no factor or test condition that affects successful reproduction. This matches the reproducibility criterion【the attack reproduces every time and needs no time interval】and is graded high.
Exploitability E: a PoC was available at the moment of first disclosure; simply specifying an IP address and running the script exploits the vulnerability. This matches the exploitability criterion【a programming novice can carry out this kind of attack in a short time】and is graded high.
Affected users A: OpenSSL is an SSL cryptographic library widely used on Windows, Linux and other servers, a world-class component. This matches the affected-user criterion【all users, default configuration, key customers】and is graded high.
Discoverability D: the SSL functionality provided by OpenSSL is a common function; the vulnerability's attack information was published at the moment of first disclosure; the vulnerability location is clear and no related conditions need debugging. This matches the discoverability criterion【public information explains the attack; the defect is in the most commonly used function and is obvious】and is graded high.
Final assessment result: medium (1) + high (2) + high (2) + high (2) + high (2) = 9 on the 0-10 scale of section 4.
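The calculation method of section 4 and the Heartbleed sample above, carried through as an added example; this is not code from the patent or its applicant. The five dimensions are the same five as the DREAD model (damage, reproducibility, exploitability, affected users, discoverability). The numeric cut-offs inside exploitability_from_poc_interval() and affected_users_from_percent() are assumptions: the patent names those inputs (claim 7 and risk definition A) but publishes no thresholds, and the risk-model table itself is not reproduced on this page.

```python
"""Five-dimension risk-model grading of a vulnerability (CN106570403A style):
potential loss D, reproducibility R, exploitability E, affected users A,
discoverability D; high = 2, medium = 1, low = 0; grade = sum, range 0-10.

Added example, not the patent's own code. Threshold values below are
assumptions, not figures from the patent.
"""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Grade of one dimension; the value is the number added to the total."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class RiskAssessment:
    """One vulnerability graded on the five dimensions.

    The patent writes both potential loss and discoverability as 'D'; they are
    distinct quantities and get distinct field names here.
    """
    potential_loss: Level     # D: how large the loss is if the defect is exploited
    reproducibility: Level    # R: how hard it is to reproduce the attack
    exploitability: Level     # E: how hard it is to launch the attack
    affected_users: Level     # A: roughly what share of users is affected
    discoverability: Level    # D: how easily the defect is found

    def grade(self) -> int:
        """Vulnerability grade = sum of the five dimension levels, range 0-10."""
        total = (self.potential_loss + self.reproducibility + self.exploitability
                 + self.affected_users + self.discoverability)
        assert 0 <= total <= 10
        return int(total)


def exploitability_from_poc_interval(disclosed: date,
                                     first_poc: Optional[date]) -> Level:
    """Claim 7, first branch: grade E by the interval between the vulnerability's
    publication and the earliest public PoC. A PoC within a week of disclosure
    is graded high, within a month medium, otherwise (or with no PoC) low.
    These cut-offs are an assumption, not the patent's.
    """
    if first_poc is None:
        return Level.LOW
    days = max(0, (first_poc - disclosed).days)  # a PoC predating disclosure counts as day 0
    if days <= 7:
        return Level.HIGH
    if days <= 30:
        return Level.MEDIUM
    return Level.LOW


def affected_users_from_percent(percent: float) -> Level:
    """Risk definition A: a rough percentage of users affected.
    Cut-offs (>= 50 % high, >= 10 % medium, else low) are an assumption.
    """
    if not 0.0 <= percent <= 100.0:
        raise ValueError(f"percent out of range: {percent}")
    if percent >= 50.0:
        return Level.HIGH
    if percent >= 10.0:
        return Level.MEDIUM
    return Level.LOW


# Heartbleed was publicly disclosed on 2014-04-07; the patent's sample says a
# PoC existed at the moment of first disclosure, so the same date is used for both.
HEARTBLEED_DISCLOSED = date(2014, 4, 7)


def heartbleed_assessment() -> RiskAssessment:
    """The patent's sample calculation for OpenSSL Heartbleed: potential loss
    medium (up to 64 KB of memory, possibly holding passwords and private
    keys), the other four dimensions high.
    """
    return RiskAssessment(
        potential_loss=Level.MEDIUM,
        reproducibility=Level.HIGH,
        exploitability=exploitability_from_poc_interval(HEARTBLEED_DISCLOSED,
                                                        HEARTBLEED_DISCLOSED),
        affected_users=Level.HIGH,
        discoverability=Level.HIGH,
    )


if __name__ == "__main__":
    print("Heartbleed grade:", heartbleed_assessment().grade())  # 9 of 10
```

Because the grade is a plain sum of equally weighted levels, a vulnerability that leaks nothing sensitive but is trivially reproducible, exploitable, widespread and obvious still scores 8 of 10; anyone applying the model should keep in mind that the page's own formula (danger = probability × potential loss) is multiplicative, while the scoring rule in section 4 is additive.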
The above is only a preferred specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the invention should fall within the scope of protection of the present invention. The scope of protection of the present invention is therefore defined by the claims.

Claims (7)

1. A vulnerability hazard-degree identification method based on a risk model, comprising the steps:
1) for a given vulnerability, determining the potential loss value D of the vulnerability according to the leaked information that can be obtained by means of the vulnerability;
2) testing the target program in which the vulnerability exists to obtain the factors or test conditions under which the vulnerability reproduces successfully in the target program, and then determining the reproducibility value R of the vulnerability according to the factors or test conditions that affect successful reproduction;
3) querying the proof-of-concept program (PoC) of the vulnerability or the published information about the vulnerability to determine the exploitability value E of the vulnerability;
4) determining the affected-user value A of the vulnerability according to the number of users of the application or component to which the vulnerability belongs;
5) determining the discoverability value D of the vulnerability according to the attack information of the vulnerability;
6) determining the hazard degree of the vulnerability according to the potential loss value D, reproducibility value R, exploitability value E, affected-user value A and discoverability value D obtained above.
2. The method of claim 1, wherein the discoverability value D of the vulnerability is determined by: determining the vulnerability location and the required conditions according to the attack information of the vulnerability, and then determining the discoverability value D according to the determined location and required conditions.
3. The method of claim 1 or 2, wherein the potential loss value D, reproducibility value R, exploitability value E, affected-user value A and discoverability value D each take their value from the same set of set points, and the hazard degree of the vulnerability is obtained by adding the potential loss value D, reproducibility value R, exploitability value E, affected-user value A and discoverability value D.
4. The method of claim 3, wherein the hazard degree is the hazard rating corresponding to the cumulative value obtained by adding the potential loss value D, reproducibility value R, exploitability value E, affected-user value A and discoverability value D.
5. The method of claim 1, wherein the leaked information includes system authorization information and private data.
6. The method of claim 5, wherein the private data includes user passwords and private keys.
7. The method of claim 1, wherein the exploitability value E of the vulnerability is determined either from the time interval between the earliest publication time of the vulnerability's PoC program and the publication time of the vulnerability, or from the complexity of the vulnerability.

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108154034A (en) * 2017-12-21 2018-06-12 北京知道创宇信息技术有限公司 Vulnerability analysis method and device based on WordPress
CN111290963A (en) * 2020-03-03 2020-06-16 思客云(北京)软件技术有限公司 Method, apparatus and computer-readable storage medium for classifying source code defects
CN112131574A (en) * 2020-09-16 2020-12-25 上海中通吉网络技术有限公司 Method, system and equipment for determining information security vulnerability level
CN112287352A (en) * 2020-09-25 2021-01-29 长沙市到家悠享网络科技有限公司 Software quality evaluation method, device and storage medium

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101674302A (en) * 2009-09-25 2010-03-17 联想网御科技(北京)有限公司 Method and device for conducting security identification on information system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
师惠忠, 《中国优秀硕士学位论文全文数据库 信息科技辑》 (China Master's Theses Full-text Database, Information Science and Technology series), 15 April 2012 *


Legal Events

Code Title
PB01 Publication (application publication date: 2017-04-19)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication