CN106997437B - System vulnerability protection method and device - Google Patents


Info

Publication number
CN106997437B
Authority
CN
China
Prior art keywords
vulnerability
vertex
authority
incidence relation
relation graph
Legal status
Active
Application number
CN201710121236.4A
Other languages
Chinese (zh)
Other versions
CN106997437A (en)
Inventor
马锐
胡昌振
王龙
严祎明
陈思谕
Current Assignee
Beijing Institute of Technology BIT
Original Assignee
Beijing Institute of Technology BIT
Events
Application filed by Beijing Institute of Technology BIT
Priority to CN201710121236.4A
Publication of CN106997437A
Application granted
Publication of CN106997437B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security


Abstract

The invention discloses a system vulnerability protection method and a system vulnerability protection device. The method comprises the following steps: detecting vulnerabilities in a target system; acquiring the privilege classification of the target system and constructing an association graph between the vulnerabilities of the target system based on that privilege classification; calculating the core degree of the constructed association graph and determining the core vulnerabilities of the target system from it; and repairing the core vulnerabilities to protect the target system. The scheme of the embodiment builds the association graph among vulnerabilities hierarchically from the privilege levels of the target system, reveals the association relations among vulnerabilities by applying core degree theory, finds the vulnerabilities with the greatest influence on the whole association graph, determines the key vulnerabilities of the system, achieves efficient protection against the vulnerabilities, and improves the security of the system.

Description

System vulnerability protection method and device
Technical Field
The invention relates to the technical field of software security, in particular to a system vulnerability protection method and device.
Background
Because of defects and shortcomings of information systems in hardware, software, protocols, security policies and the like, security vulnerabilities inevitably exist in information products and information systems, and these vulnerabilities are a major cause of the security threats such systems face. To reduce the loss caused by their exploitation, security work must be done before the system or software is attacked. However, because vulnerabilities are numerous, patching them one at a time wastes resources or incurs high cost, and it is hard to determine whether the desired protection is achieved once they are repaired. If some vulnerabilities are caused by an undetected vulnerability, new vulnerabilities will arise again as soon as conditions permit even after the known ones are repaired, so that a large number of vulnerabilities appear to have been eliminated while the desired protection is not achieved.
In the prior art, therefore, vulnerability protection repairs a single vulnerability at a time, so the actual processing complexity is high, the response time is long, and neither the processing efficiency nor the targeting of the repair can be guaranteed.
Disclosure of Invention
The invention provides a system vulnerability protection method and device, aiming to solve the problems of the prior art that vulnerability protection is complex, response time is long, and processing efficiency and repair targeting cannot be guaranteed.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
according to one aspect of the present invention, a system vulnerability protection method is provided, which includes:
detecting vulnerabilities in a target system;
acquiring the privilege classification of the target system, and constructing an association graph between the vulnerabilities of the target system based on that privilege classification;
calculating the core degree of the constructed association graph among the vulnerabilities, and determining the core vulnerabilities of the target system from it;
and repairing the core vulnerabilities to protect the target system.
According to another aspect of the present invention, a system vulnerability protection device is provided, including:
a vulnerability detection unit for detecting vulnerabilities in the target system;
an association graph construction unit for acquiring the privilege classification of the target system and constructing an association graph between the vulnerabilities of the target system based on that privilege classification;
a core vulnerability determination unit for calculating the core degree of the constructed association graph among the vulnerabilities and determining the core vulnerabilities of the target system from it;
and a protection unit for repairing the core vulnerabilities so as to protect the target system.
The beneficial effects of the invention are as follows. After the system vulnerabilities are detected, the scheme of the embodiment builds the association graph among the vulnerabilities from the privilege classification and privilege elevation of the system, and analyzes the association among the vulnerabilities by calculating the core degree of the graph, so as to find the core vulnerabilities with the greatest influence on the graph and repair them to protect the system. Compared with the prior art, the association among vulnerabilities, in particular the privilege exploitation relation, is taken into account, so that the associated vulnerabilities are dealt with together when the core vulnerabilities are repaired, and the number of vulnerabilities to process is reduced. The complexity of system protection is reduced, efficient protection against vulnerabilities is achieved, and the security of the system is improved.
Drawings
Fig. 1 is a flowchart of a system vulnerability protection method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a vulnerability association graph according to an embodiment of the present invention;
Fig. 3 is a diagram of a specific example of the association graph shown in Fig. 2;
Fig. 4 is a block diagram of a system vulnerability protection apparatus according to an embodiment of the present invention.
Detailed Description
The design concept of the invention is as follows. Complex interrelations exist between the vulnerabilities of a system, including the exploitation relations that arise when vulnerabilities are exploited. At present, system protection still analyzes each vulnerability in isolation, as early vulnerability research did, whereas the association between vulnerabilities has to be analyzed by taking the complex interactions between them into account. On this basis, the embodiment of the invention constructs an association graph representing the association between vulnerabilities from the privilege classification and privilege elevation of the system, reveals that association by applying core degree theory, analyzes the connectivity of the association graph in terms of failure points, finds the vulnerability or set of vulnerabilities with the greatest influence on the overall connectivity of the graph, determines the key vulnerabilities of the system, and repairs them. This repairs the other associated vulnerabilities along with them, reduces the number of vulnerabilities to process and the processing complexity, and achieves efficient protection against system vulnerabilities.
Several terms related to the embodiments of the present invention will be described first.
Vulnerability association: the complex interrelations that exist among vulnerabilities; the vulnerability association referred to in the invention mainly consists of the exploitation relations that arise when vulnerabilities are exploited.
Multi-node and link attacks: an attack mode in which several vulnerabilities are exploited in succession to build an attack path, so that when no directly usable vulnerability exists the attacker obtains higher system privilege, bypasses the security protection of the system, and achieves further attack goals. For example, an attacker first uses an input validation vulnerability to obtain local user privilege, and then uses a code injection vulnerability that requires local user privilege to obtain data. In such an attack, the association between the vulnerabilities is closely tied to system privileges and to privilege elevation and transfer.
Privilege elevation: the action by which an attacker with low privilege successfully exploits a vulnerability that has a privilege elevation property and thereby gains privilege, obtaining higher system privilege without authorization.
Core degree theory: a theory that studies the basic structure and properties of a system through its core and core degree, which characterize the stability and connectivity of the system. The core is the most critical and central element of a system, its main body and its key; every system has a core; different systems have different kinds of core; the core degree is the tool for measuring the core of a system, and the main task when applying core degree theory to a technical problem is to use the core degree to find the core of the system.
Example one
Fig. 1 is a flowchart of a system vulnerability protection method according to an embodiment of the present invention; as shown in Fig. 1, the method of this embodiment includes the following steps:
step S101, detecting vulnerabilities in a target system;
step S102, acquiring the privilege classification of the target system, and constructing an association graph between the vulnerabilities of the target system based on that privilege classification;
step S103, calculating the core degree of the constructed association graph among the vulnerabilities, and determining the core vulnerabilities of the target system from it;
and step S104, repairing the core vulnerabilities to protect the target system.
As can be seen from Fig. 1, the method builds the association graph between vulnerabilities hierarchically from the privilege levels of a given target system, finds the vulnerabilities with the greatest influence on the whole association graph, determines the core vulnerabilities of the system, and repairs them, thereby protecting against the vulnerabilities efficiently and improving the security of the system.
To solve the technical problem of low protection efficiency caused by analyzing vulnerabilities in isolation in the prior art, the scheme of the embodiment mainly comprises the following steps:
first, for vulnerabilities exploited in multi-node and link attacks, a vulnerability association graph is established by combining the privilege classification of the system with the privilege elevation of the vulnerabilities. When the graph is built, vulnerabilities with the same or similar actual attack effect are clustered, so that the size of the graph stays small and depends only on the number of privilege levels, which improves processing efficiency;
then, to reveal the structural characteristics of the graph, the core and the core degree are introduced, the connectivity and stability of the graph are considered together, the key vulnerability vertices of the association graph are evaluated, and the association between vulnerabilities is analyzed;
finally, the system vulnerabilities are protected according to the determined core of the system, improving its security.
The following description is given in conjunction with examples of the present invention.
The following description will be given in conjunction with examples of the present invention.
Example two
For a vulnerability, the basis of its privilege elevation is the privilege hierarchy. In this embodiment the privileges of a system are divided into several levels, named from high to low {O, l_1, l_2, …, l_n}, where l_1 denotes root-level privilege, i.e. system administrator privilege, and O denotes that an attack goal other than privilege elevation is achieved, such as obtaining confidential data, crashing the target system or monitoring it. O is a special level: vulnerabilities of this level are not counted separately in the subsequent vulnerability processing. The privilege hierarchy may differ slightly between systems, since it depends on the specific security configuration; in practice the processing should follow the privilege classification of the system to be protected and is not limited to this example.
As stated above, privilege elevation is the action by which an attacker at a low privilege level successfully exploits a vulnerability with a privilege elevation property to raise his or her privilege level. That is, when a vulnerability lets the attacker elevate directly from the lower level l_i to the higher level l_j, it also lets the attacker reach the intermediate levels l_{i-1}, l_{i-2}, …, l_{j+1} and hence exploit the vulnerabilities of those levels; and when a vulnerability gives the attacker the highest level of privilege, no other vulnerability needs to be chained, because the intention of the attack (obtaining the highest privilege) is already achieved.
The privilege elevation relation enumerates the elevations from a lower privilege level to a higher one and can be represented as Table 1:
Start privilege   End privilege   Elevation action
l_n               l_{n-1}         l_n → l_{n-1}
l_n               l_{n-2}         l_n → l_{n-2}
l_n               …               …
l_n               l_1             l_n → l_1
l_n               O               l_n → O
l_{n-1}           l_{n-2}         l_{n-1} → l_{n-2}
l_{n-1}           …               …
l_{n-1}           l_1             l_{n-1} → l_1
l_{n-1}           O               l_{n-1} → O
…                 …               …
l_2               l_1             l_2 → l_1
l_2               O               l_2 → O
TABLE 1
In Table 1, each row represents one privilege elevation path of a vulnerability; for example, the first row represents a vulnerability elevating from the start privilege l_n to the end privilege l_{n-1}.
It should be noted that the vulnerabilities of a system fall into two types, those with privilege elevation and those without. The privilege O in Table 1 is the level assigned to vulnerabilities without privilege elevation: for vulnerabilities that achieve the attack goal without elevating privilege, the end level of the elevation is uniformly set to O.
In practice, whether a vulnerability has a privilege elevation action can be obtained from its description, and the way of obtaining it differs somewhat between vulnerability information sources. In this embodiment the privilege elevation action of a vulnerability is obtained from its description, for example the vulnerability description of CVE (Common Vulnerabilities and Exposures). CVE is an internationally recognized vulnerability database, a list of standardized names for known vulnerabilities and security flaws, whose purpose is to identify, discover and fix security vulnerabilities of software products more quickly and efficiently.
For each detected vulnerability, its description is looked up in the CVE database by vulnerability number, and the start privilege level and end privilege level of its elevation are parsed from the description.
Specifically, the CVE description follows a formalized pattern of the form "… allows [attacker] to gain [privilege change or attack goal]". Analyzing the corresponding part of the sentence shows whether a vulnerability elevates privilege and whether it achieves an attack goal.
In the embodiment, the relation between vulnerabilities is determined by their privilege elevation actions, so once the privilege classification and the elevation actions of the vulnerabilities are determined, an association model between the vulnerabilities (in this embodiment, the association graph) can be established.
Establishing the association graph between the vulnerabilities of the target system based on the privilege classification involves three aspects: first, determining the number of layers of the graph; second, determining its vertices; third, determining its edges.
In this embodiment, the number of layers is determined by the number of privilege levels, the vertices are determined by the privilege elevation paths of the vulnerabilities of the target system, and the edges are determined by the vertices and the elevation paths of the vulnerabilities they correspond to. The details are as follows.
First, determining the number of layers
The number of layers of the association graph of a system is determined by the number of privilege levels of that system, i.e. it equals the number of privilege levels, and each layer is built for the corresponding privilege level. For example, if the privileges of a target system are divided into four levels, the constructed graph has four layers.
Second, determining the vertices
The vertices are determined from the privilege elevation paths of the vulnerabilities of the target system as follows: obtain the start privilege level and end privilege level of the elevation of each detected vulnerability, cluster the vulnerabilities that share the same start and end levels into one vertex of the graph, and take the number of vulnerabilities with that start and end level as the weight of the vertex.
That is, the vertices of the graph are still vulnerabilities, but if one vertex were assigned per vulnerability the graph would be far too large, because every system has several privilege levels and directed connections exist between vulnerabilities of different levels; processing complexity would be high and efficiency would suffer. Instead, vulnerabilities of different types that share the same privilege elevation action are aggregated into a single vertex, giving a graph with a bounded number of vertices. "Different types" here refers to different threat types of vulnerability, such as buffer overflow and numeric error vulnerabilities. The procedure is as follows:
according to the privilege elevation of the system, if a system has the privilege classification {O, l_1, l_2, …, l_n}, its association graph has n layers and the vertices (n, n−1), (n, n−2), …, (n, 1), (n, O), (n−1, n−2), (n−1, n−3), …, (n−1, 1), (n−1, O), …, (3, 2), (3, 1), (3, O), (2, 1), (2, O), (1, −), (O, −). In the pair representing a vertex, the first element is the start level of a vulnerability with a privilege elevation action, i.e. the layer of the vertex in the graph, and the second element is the end level of that vulnerability.
For example, with three vulnerabilities A, B and C, where A is at privilege l_4, B at l_3 and C at l_2, the vertices are (4, 3), (4, 2), (4, 1), (4, O), (3, 2), (3, 1), (3, O), (2, 1), (2, O), (1, −), (O, −).
In the vertex (1, −), the first element indicates that the start level is administrator level and the second element "−" indicates that the vertex has no successors. In (O, −), the first element indicates that the vulnerability directly achieves an attack goal other than privilege elevation, and "−" again indicates that the vertex has no successors.
Thus in this embodiment the vertices of the association graph are neither single vulnerabilities of different categories nor all vulnerabilities of a level, but clusters of vulnerabilities grouped by privilege elevation action. That is, vulnerabilities are grouped by their start privilege level and, within it, split by the end privilege level they elevate to, and these groups form the vertices of the graph.
In addition, because of this clustering, each vertex represents some number of vulnerabilities: a vertex (i−1, i−2) stands for the elevation from an l_{i−1}-level vulnerability to the l_{i−2} level, and if C_{i−1,i−2} vulnerabilities have this elevation action, the weight of vertex (i−1, i−2) is C_{i−1,i−2}.
Third, determining the edges
After the vertices are determined, the edges of the association graph must also be determined. This embodiment decides whether an edge exists between a first vertex (i, j) and a second vertex (k, m) as follows:
when i > k, j ≤ k and m < j, there is a directed edge from the first vertex (i, j) to the second vertex (k, m);
where i and j are the start and end privilege levels of the elevation of the vulnerabilities of the first vertex, and k and m are the start and end privilege levels of the elevation of the vulnerabilities of the second vertex.
Note: "first" and "second" only distinguish the two vertices and may be understood as their names.
That is, in this embodiment the edges of the graph are determined by the privilege elevation actions of the vulnerabilities and the vertex names.
The above edge condition is derived from the following rules:
(one) if the vertex (i−m, i−m−n) exists in the graph, it stands for the elevation from an l_{i−m}-level vulnerability to the l_{i−m−n} level, so edges from this vertex to all vertices of layer i−m−n necessarily exist in the graph;
(two) since a user with higher privilege can exploit the vulnerabilities of lower privilege levels, privilege elevation is transitive. If there are four vulnerabilities A, B, C, D at privileges l_i, l_{i−1}, l_{i−2} and l_{i−3} respectively, then the elevation from the l_{i−1}-level vulnerability B to the l_{i−3}-level vulnerability D implies elevating from B to the l_{i−2}-level vulnerability C and then from C to D. The corresponding edges are therefore also included, i.e. the vertex (i−m, i−m−n) is also connected to some vertices of the intermediate layers strictly between layers i−m and i−m−n;
(three) the vertex (i−m, i−m−n) is not connected to every vertex of those intermediate layers: an edge is set only when the intermediate vertex elevates to a level higher than l_{i−m−n} (a smaller index).
Rule (three) serves to exclude invalid edges from the edges allowed by rule (two), controlling the size of the graph and reducing processing complexity. An invalid edge is one on an attack path where the subsequent vulnerability fails to raise privilege beyond the level the preceding vulnerability already reached.
For example, given vertices (4, 2) and (3, 2), the edge from (4, 2) to (3, 2) is meaningless by rule (three), because both end at level 2: once (4, 2) has elevated the attacker to l_2, elevating to l_2 again through (3, 2) achieves nothing, so this edge is invalid and should not appear in the graph.
Once the vertices and edges are determined, the association graph can be established; since privilege elevation is directional, the graph of this embodiment is a directed vertex-weighted graph.
It should be noted that the purpose of constructing the association graph is to determine its core, and thereby the core vulnerabilities.
Specifically, how to define and calculate the kernel and the kernel of the vulnerability association relationship diagram to describe the connectivity, stability and reliability of the vulnerability association relationship diagram, further analyze the key vulnerability in the vulnerability association relationship (namely, the kernel of the system), further perform vulnerability analysis and protection on the basis, and also be a key point for utilizing the kernel theory to perform vulnerability analysis.
In order to obtain the core degree of the vulnerability association relationship graph, the undirected weightless graph is firstly analyzed. In conventional graph analysis, the connectivity and stability of a graph are generally described in terms of cut sets, point connectivity, edge connectivity, and the like. The point connectivity is that the graph is disconnected after the least number of vertexes in the graph are removed, and the number of removed vertexes is the connectivity; the edge connectivity refers to how many edges in the graph are removed at least and the graph is not connected. However, with this analysis method, two graphs having significantly different structures may appear, and the connectivity is the same, so this analysis method cannot accurately determine the connectivity of the graphs, and thus cannot accurately determine the core of the graphs.
In contrast, the present embodiment proposes a method for calculating the degree of coring of the directed point weighted graph suitable for the vulnerability association relationship graph. The embodiment of the invention mainly considers the property of the vulnerability exploitation relation in the process of researching the directed graph, namely the privilege escalation action of the vulnerability. When there is a right-hand action from low level A to high level B, there is a line A → B. Such a graph has the property that the starting level has no predecessor nodes and the ending level has no successor nodes. Thus, for such a graph, the system's kernel is calculated by the fail point in this embodiment.
A failure point is a point (vulnerability) in the vulnerability association relationship graph that satisfies any one of the following conditions:
(i) a point that loses all of its predecessors or all of its successors;
(ii) a starting point that loses all of its successors;
(iii) an end point that loses all of its predecessors.
The core degree of a directed point-weighted graph is calculated as follows:
Let G be a directed graph in which each vertex represents a privilege escalation action and the weight of a vertex is the total number of vulnerabilities having that escalation action, and let C(G) be the set of all point cut sets of G. Then
h(G)=max{|w(G-S)|-|S|,S∈C(G)}
is called the core degree of the graph, where |w(G-S)| is the weight or sum of weights of the vertices that become failure points after S is removed (i.e. the total number of vulnerabilities having the corresponding escalation actions), |S| is the weight or sum of weights of the removed vertices (i.e. their total number of vulnerabilities), and S is a set of vertices whose removal produces failure points.
After the core and the core degree of the vulnerability association relationship graph are calculated, the core points of the graph can be analysed, and vulnerability protection can be carried out according to the core points found. The process of analysing the core points is: determine the corresponding core vertices according to the calculated core degree of the association relationship graph G, and take the vulnerabilities corresponding to the core vertices as the core vulnerabilities. When protection is actually performed, the vulnerability patches corresponding to the core vulnerabilities can be looked up from the determined core vulnerabilities and the correspondence between vulnerabilities and vulnerability patches, and those patches applied, so that protection of the target system is achieved, vulnerability protection efficiency is improved, and the security of the system is improved.
EXAMPLE III
The present embodiment describes an application of the system vulnerability protection method with a specific example.
In this embodiment, a four-layer privilege hierarchy model is used as the basic model for vulnerability association, and 360 Security Guard is used as the vulnerability scanning tool to carry out an experiment on a Windows platform (namely the target system).
Step 301: determining a vulnerability incidence relation graph based on a four-layer authority model;
The four-layer privilege hierarchy model of this embodiment includes four categories, namely system administrator (Root), local common user (Local user), remote authenticated user and remote unauthenticated user. The four types of privilege are numbered respectively as the first (①), the second (②), the third (③) and the fourth (④).
The privilege escalation actions are determined on the basis of the privilege hierarchy model, namely by determining which elements the privilege escalation vector set contains; for example, for the four-level privilege hierarchy the privilege escalation vector set comprises (l4,l1), (l4,l2), (l4,l3), (l3,l2), (l3,l1) and (l2,l1). It should be noted that the privilege escalation actions determined here on the basis of the privilege hierarchy model are not the privilege escalation action of one particular vulnerability, but are determined according to the possible privilege escalation actions of all the vulnerabilities detected in the system.
In this embodiment, by analysing the CVE vulnerability description information, a formalized vulnerability description pattern such as "… allows DEMAND to GAIN (privilege change and attack goal achieved)" can be summarized. Based on this description information, it can be judged whether the privilege of a specific object is raised and whether the attack purpose is achieved. Specifically, the current privilege level of the vulnerability is given by the exploitation condition in the textual description, from which the starting point of the privilege escalation action is obtained, and the "privilege change and attack goal achieved" part of the description gives the end point of the privilege escalation of each vulnerability. Combining the starting point and the end point yields the privilege escalation action, expressed as a vector, namely starting level → ending level. In addition, for different vulnerabilities the starting point of the privilege escalation action may correspond to different privilege levels (mapped onto the vulnerability association relationship graph, that is, to different levels in the graph), and is not always the starting level of the vulnerability association graph.
By statistical analysis of the vulnerability information, three starting levels of privilege escalation are obtained, namely remote unauthenticated visitor, remote authenticated visitor and local common user, and three termination levels, namely remote authenticated visitor, local common user and system administrator; from starting level to termination level there are six privilege escalation vectors in total, as shown in Table 2.
Initial level                   Termination level             Simplified representation
Remote unauthenticated visitor  Remote authenticated visitor  ④→③
Remote unauthenticated visitor  Local general user            ④→②
Remote unauthenticated visitor  System administrator          ④→①
Remote authenticated visitor    Local general user            ③→②
Remote authenticated visitor    System administrator          ③→①
Local general user              System administrator          ②→①
TABLE 2
Table 2 represents a rights elevation model of the vulnerability, and the starting level and the ending level of the rights elevation of the vulnerability are shown in table 2.
In addition, since the purpose of privilege escalation may be merely to obtain higher privilege, when the association relationship between vulnerabilities is analysed using the privilege escalation model it is necessary to distinguish clearly between privilege escalation as the attack purpose and attack purposes that are achieved without privilege escalation. In this embodiment, the termination level of privilege escalation for vulnerabilities that achieve an attack purpose without escalating privilege is uniformly set to O. That is, in this embodiment the privilege level to which a privilege escalation vulnerability can escalate can be analysed, while a non-escalation vulnerability does not escalate privilege but achieves some other attack purpose. Achieving the attack purpose is therefore treated as a high-level privilege, and in this sense the scheme of the embodiment comprehensively considers both privilege escalation and non-privilege-escalation vulnerabilities.
Fig. 2 is a schematic diagram of an association relationship graph of vulnerabilities according to an embodiment of the present invention. Referring to Fig. 2, in this embodiment the association relationship graph is established on the basis of Table 2. In Fig. 2, each vertex represents the set of vulnerabilities having one privilege escalation action, and x_i represents the weight of the vertex, i.e. the number of vulnerabilities having the same privilege escalation action. For example, the vertex (l4,l2) represents the escalation of fourth-level privilege (remote unauthenticated visitor) to second-level privilege (local ordinary user), and x_2 indicates that the number of vulnerabilities with this escalation action is x_2. In Fig. 2 the vertex O is drawn as concentric circles, unlike the other vertices, because the privilege O indicates that an attack goal other than obtaining administrator privilege is achieved, whereas attacks from the other vertices aim to obtain system administrator privilege, namely privilege ①, and to make use of that privilege.
Step 302: and after the vulnerability association diagram of the four-layer authority model is determined, analyzing the actual environment.
First, 360 Security Guard is used to scan for vulnerabilities, and 29 vulnerabilities are detected in total. The description of each patch can be found by its security bulletin number in the Microsoft Security Technology Center; it describes the vulnerabilities repaired by the patch and gives the corresponding CVE numbers, and one patch may repair several vulnerabilities, namely several CVE vulnerabilities. The resulting vulnerability correspondence is shown in Table 3.
TABLE 3
Table 3 is a comparison table of vulnerability patches and privilege escalation actions; the CVE vulnerability numbers and the corresponding privilege escalation action for each patch can be seen from Table 3.
Note: some of the patches in Table 3 that have no corresponding security bulletin number are feature enhancement patches, and only their patch numbers are listed.
In addition, in Table 3, although some patches have different numbers, the CVE vulnerabilities they correspond to have the same number, that is, the vulnerabilities they repair are the same. This is because in a real environment several vulnerabilities may present the same state, so the statistics are unified by distinct vulnerability; when the core degree is finally calculated from the association relationship graph, such a vulnerability is not counted repeatedly but is instead given somewhat more weight, which stays within a reasonable range.
Next, the number of vulnerabilities of each node is obtained through statistics, as shown in table 4.
TABLE 4
Table 4 is a statistical table of vulnerability privilege escalation actions; the number of vulnerabilities corresponding to each vertex can be seen from Table 4.
And finally, establishing a complete vulnerability incidence relation graph, namely a directed point weighted graph, wherein fig. 3 is a schematic diagram of a specific example of the incidence relation graph shown in fig. 2, and as shown in fig. 3, the complete vulnerability incidence relation graph of fig. 3 can be obtained by correspondingly filling the specific data obtained through statistics into the incidence relation graph shown in fig. 2.
Step 303: substituting the directed point-weighted graph into the formula for calculating the core degree of a directed point-weighted graph gives a core degree h(G) = 25, and the core point set is (l4,l2), (l4,l3) and (l3,l2).
The core point set is the set of core vertices obtained from the core degree calculation formula, and it is a set of vertices in the vulnerability association relationship graph. The privilege escalation action of the vulnerability corresponding to each core vertex can be obtained from the patch description, so the vertex corresponding to a vulnerability can be found; the core point set thus also describes the vertices corresponding to the vulnerabilities.
In the actual calculation, vertices or sets of vertices are removed exhaustively, the corresponding core degree is computed for each case in turn, the maximum core degree value is taken as the core of the system, and the vertices or vertex set removed at that point are taken as the core set. It should be noted that, on the basis of the existing concept of core degree, the embodiment of the present invention provides a calculation formula for the core degree of a directed point-weighted graph suited to the embodiment, and finds the core points of the system on the basis of this new core degree formula so as to determine the core vulnerabilities, thereby achieving efficient protection against vulnerabilities. The process of calculating the core degree with the core degree formula is briefly described below:
Assume that the core point set is (l4,l2), (l4,l3) and (l3,l2). When these three vertices in Fig. 3 are removed, the vertices connected to them may become failure points. (l2,l1): since its predecessor nodes (l4,l2) and (l3,l2) have all been removed, it becomes a failure point; the weight of this vertex, namely its number of vulnerabilities, is 33. (l2,O): similarly becomes a failure point, with a weight, namely a number of vulnerabilities, of 3. (l3,l1): its weight is 0, so it is not counted. (l3,O): since its predecessor node (l4,l3) is gone, it becomes a failure point; its weight, namely its number of vulnerabilities, is 1. After all related nodes are processed, no other vertex can become a failure point. By the core degree formula of this embodiment, the sum of the weights of the vertices that became failure points is 33+3+1 = 37, and the weight of the removed vertices |S| is the sum of the weights of the vertices in the core set, 1+1+10 = 12, so h(G) = 37-12 = 25. Here, since three vertices are removed in this embodiment, |S| is the sum of the weights of the three vertices when the core degree is computed; in practice, if only one vertex is removed, |S| is simply the weight of that vertex. In addition, since the number of vertices is small, the calculation is carried out by enumeration, and the h(G) obtained with the core set (l4,l2), (l4,l3) and (l3,l2) is the maximum.
After the core set is obtained, the corresponding patch numbers can be obtained by looking up Table 3, as follows: KB3124275 (MS16-001); KB3124001 (MS16-005); KB3081320 (MS15-121); KB3097991 (MS15-118); KB3097995 (MS15-118); KB3098780 (MS15-118); KB3076895 (MS15-084), a total of 7 core point patches. The number of core point patches calculated here is 7, while the number of core point vulnerabilities may exceed 7, the number being determined by the correspondence in Table 3.
Step 304: after the corresponding bug is obtained, searching the patch number and repairing the patch;
For the core point patches, the vulnerability patches are repaired using 360 Security Guard. After the repair, the system is found to have only 18 patches left, that is, the total number of patches in the system has decreased by 11. However, only 7 core point patches were actually detected, from which the following conclusion is drawn: a certain association relationship exists between the vulnerabilities corresponding to the 7 core point patches and those corresponding to the remaining 4 patches, and once the 7 patches are repaired the other vulnerabilities are repaired accordingly, that is, the other 4 patches are indirectly repaired. The calculated vulnerability detection protection efficiency for this system is 11/7 ≈ 157%.
It should be noted that the protection efficiency of this embodiment refers to: (number of vulnerabilities effectively reduced) / (number of vulnerabilities repaired), where the number of vulnerabilities effectively reduced is the number of failure-point vulnerabilities plus the number of repaired vulnerabilities, so the protection efficiency is at least one hundred percent. For example, if 1 vulnerability is repaired and the number of vulnerabilities reduced is 1, the protection efficiency is 100%; if 1 vulnerability is repaired and 2 vulnerabilities are reduced, the protection efficiency is 200%. From the above calculation it can be seen that the vulnerability protection efficiency in this embodiment is 157%, which is greater than 100%; efficiency exceeding 100% is achieved by the repair method of this embodiment based on the association relationship between vulnerabilities.
It can be seen that the method of the embodiment has a significant effect on improving the protection efficiency of the vulnerability.
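To make the procedure of Steps 301 to 303 concrete, the following Python script is an added illustration and not the patent's own code. It takes a constructed list of scan results in which each vulnerability is already labelled with its starting and terminating privilege level (the four-level numbering of Table 2: 1 = system administrator, 4 = remote unauthenticated visitor), clusters them into weighted vertices as the vertex construction subunit does, derives the edges with the rule given for the edge construction subunit (an edge (i,j)→(k,m) exists when i > k, j <= k and m < j), and computes h(G) by exhaustive enumeration of removed vertex sets, as the enumeration in Step 303 describes. Assumptions not stated on the page: the non-escalation endpoint O is left out because the page does not give the edge rule for it; the three failure-point conditions are implemented as one test (a vertex that had predecessors, or successors, all of which have been removed); and the vulnerability ids and counts are constructed, chosen so that the core set comes out as (l4,l2), (l4,l3) and (l3,l2), the same pattern as Fig. 3, while the numeric core degree differs from the page's 25.

```python
"""Core-degree analysis of a privilege-escalation vulnerability graph.

Added illustration (not the patent's own code). Privilege levels follow the
four-layer model of Table 2: 1 = system administrator, 2 = local user,
3 = remote authenticated user, 4 = remote unauthenticated user.
A vertex (i, j) is the escalation action "level i -> level j"; its weight is
the number of detected vulnerabilities having that action. The "O" endpoint
(attack goal without escalation) is omitted here because the page does not
state how edges to it are decided (assumption).
"""
from collections import Counter
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Tuple

Vertex = Tuple[int, int]

# Constructed sample scan result: (placeholder vulnerability id, start level, end level).
# The counts are invented; the ids are not real CVE numbers.
SAMPLE_VULNS: List[Tuple[str, int, int]] = (
    [("VULN-A%02d" % n, 2, 1) for n in range(33)]    # 33 x local user -> admin
    + [("VULN-B%02d" % n, 3, 2) for n in range(10)]  # 10 x remote auth -> local user
    + [("VULN-C00", 4, 3), ("VULN-D00", 4, 2)]       # 1 x (4,3), 1 x (4,2)
    + [("VULN-E00", 3, 1), ("VULN-E01", 3, 1)]       # 2 x remote auth -> admin
    + [("VULN-F00", 4, 1), ("VULN-F01", 4, 1)]       # 2 x remote unauth -> admin
)


def build_vertices(vulns: List[Tuple[str, int, int]]) -> Dict[Vertex, int]:
    """Vertex construction: cluster vulnerabilities by (start, end) level;
    the cluster size is the vertex weight."""
    return dict(Counter((s, e) for _, s, e in vulns))


def has_edge(src: Vertex, dst: Vertex) -> bool:
    """Edge rule from the page: (i,j) -> (k,m) iff i > k, j <= k and m < j, i.e.
    the privilege gained by the first action is enough to start the second one,
    and the second one reaches a strictly higher level (smaller number)."""
    i, j = src
    k, m = dst
    return i > k and j <= k and m < j


def build_edges(vertices: Dict[Vertex, int]):
    """Successor and predecessor sets for every vertex."""
    succ = {v: set() for v in vertices}
    pred = {v: set() for v in vertices}
    for a in vertices:
        for b in vertices:
            if a != b and has_edge(a, b):
                succ[a].add(b)
                pred[b].add(a)
    return succ, pred


def failure_points(vertices, succ, pred, removed: FrozenSet[Vertex]) -> set:
    """A remaining vertex is a failure point when removing `removed` took away all
    of its predecessors or all of its successors. Assumed interpretation of the
    page's three conditions: a vertex that never had predecessors (successors)
    does not fail on that account; no cascading through failed vertices."""
    failed = set()
    for v in vertices:
        if v in removed:
            continue
        lost_pred = bool(pred[v]) and pred[v] <= removed
        lost_succ = bool(succ[v]) and succ[v] <= removed
        if lost_pred or lost_succ:
            failed.add(v)
    return failed


def core_degree(vertices: Dict[Vertex, int]) -> Optional[Tuple[int, FrozenSet[Vertex], FrozenSet[Vertex]]]:
    """h(G) = max over S of |w(G-S)| - |S|, by exhaustive enumeration of the vertex
    subsets S whose removal produces at least one failure point.
    Returns (h(G), core set S, failure points) or None if no S qualifies."""
    succ, pred = build_edges(vertices)
    order = sorted(vertices)
    best = None
    for r in range(1, len(order)):           # never remove every vertex
        for subset in combinations(order, r):
            s = frozenset(subset)
            failed = failure_points(vertices, succ, pred, s)
            if not failed:
                continue
            score = sum(vertices[v] for v in failed) - sum(vertices[v] for v in s)
            if best is None or score > best[0]:
                best = (score, s, frozenset(failed))
    return best


def core_vulnerabilities(vulns, core_set: FrozenSet[Vertex]) -> List[str]:
    """Map the core vertices back to the vulnerability ids to patch first."""
    return sorted(vid for vid, s, e in vulns if (s, e) in core_set)


if __name__ == "__main__":
    verts = build_vertices(SAMPLE_VULNS)
    h, core, failed = core_degree(verts)
    print("vertex weights:", verts)
    print("core degree h(G) =", h)
    print("core set:", sorted(core), "failure points:", sorted(failed))
    print("core vulnerabilities:", core_vulnerabilities(SAMPLE_VULNS, core))
```

With the constructed counts, removing (4,2), (4,3) and (3,2) (total weight 12) leaves (2,1) with no predecessors and (3,1) with no predecessors, so |w(G-S)| = 33 + 2 = 35 and h(G) = 23; the twelve vulnerabilities clustered on those three vertices are the ones the method would patch first. The enumeration is exponential in the number of vertices, which is harmless for the handful of vertices a four-level hierarchy yields but would need a proper cut-set search for a finer-grained privilege model.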
Example four
Fig. 4 is a block diagram of a system vulnerability protection apparatus according to an embodiment of the present invention, and referring to fig. 4, the system vulnerability protection apparatus 400 includes:
a vulnerability detection unit 401, configured to detect a vulnerability in a target system;
an association relationship establishing unit 402, configured to obtain an authority hierarchy of the target system, and establish an association relationship graph between vulnerabilities of the target system based on the authority hierarchy;
a core vulnerability determining unit 403, configured to calculate a core degree of the association graph according to the constructed association graph between vulnerabilities, and determine a core vulnerability of the target system;
and the protection unit 404 is configured to repair the core vulnerability to implement protection on the target system.
In an embodiment of the present invention, the association graph constructing unit 402 is specifically configured to determine the number of layers of the association graph according to the number of levels of the permission hierarchy, determine a vertex of the association graph according to a permission lifting path of a vulnerability of a target system, and determine an edge of the association graph according to the vertex and the permission lifting path of the vulnerability corresponding to the vertex.
In one embodiment of the present invention, the incidence relation graph building unit 402, including a vertex building subunit and an edge building subunit,
the vertex construction subunit is used for acquiring the initial authority level and the termination authority level of the detected authority promotion of each vulnerability, clustering the vulnerabilities with the same initial authority level and termination authority level, correspondingly taking the clustered vulnerabilities as a vertex of the association relation graph, and counting the number of the vulnerabilities with the same initial authority level and termination authority level as the weight value of the vertex;
an edge construction subunit for determining whether an edge exists between the first vertex (i, j) and the second vertex (k, m) by:
when the values of i, j, k and m satisfy i > k and j <= k and m < j, then there is one directed edge pointing from the first vertex (i, j) to the second vertex (k, m);
wherein i represents the initial authority level of authority promotion of the vulnerability corresponding to the first vertex, j represents the termination authority level of authority promotion of the vulnerability corresponding to the first vertex, k represents the initial authority level of authority promotion of the vulnerability corresponding to the second vertex, and m represents the termination authority level of authority promotion of the vulnerability corresponding to the second vertex.
In an embodiment of the present invention, the core vulnerability determining unit 403 is specifically configured to calculate the core degree of the association graph G according to the following formula:
h(G)=max{|w(G-S)|-|S|,S∈C(G)}
wherein, c (G) represents a set formed by all point cut sets in the association graph G, | w (G-S) | represents a weight value or a sum of weight values of the vertices of the failure points formed by subtracting S from G, | S | represents a weight value or a sum of weight values of the subtracted vertices, S represents a set of vertices capable of generating the failure points, and a failure point is a vertex in the association graph G which satisfies one of the following conditions:
the point of all predecessors or all successors is lost; the starting point of all successors is lost; the end point of all the precursors is lost.
And determining a corresponding core vertex according to the calculated core degree of the incidence relation graph G, and taking the vulnerability corresponding to the core vertex as a core vulnerability.
It should be noted that the system bug protection device of this embodiment corresponds to the system bug protection method, so that the working process of the system bug protection device of this embodiment may refer to the description of the foregoing method embodiment, and is not described herein again.
In summary, the method and the device for protecting the system vulnerability establish the association relationship between vulnerabilities, particularly the permission utilization characteristic relationship, so that other vulnerabilities associated with the core vulnerability can be repaired together only by repairing the core vulnerability when the vulnerability is repaired, the vulnerability processing quantity is reduced, the complexity of system protection is reduced, the pertinence of repair is ensured, the efficient protection of the vulnerability is realized, and the safety of the system is improved.
While the foregoing is directed to embodiments of the present invention, other modifications and variations of the present invention may be devised by those skilled in the art in light of the above teachings. It should be understood by those skilled in the art that the foregoing detailed description is for the purpose of illustrating the invention, and that the scope of the invention is defined by the claims.

Claims (8)

1. A system vulnerability protection method is characterized by comprising the following steps:
detecting a vulnerability in a target system;
acquiring authority classification of a target system, and constructing an incidence relation graph between vulnerabilities of the target system based on the authority classification;
calculating the core degree of the incidence relation graph according to the constructed incidence relation graph among the vulnerabilities, and determining the core vulnerability of a target system;
repairing the core vulnerability to realize protection of a target system;
the method for building the incidence relation graph among the vulnerabilities of the target system based on the permission hierarchy comprises the following steps:
determining the number of layers of the incidence relation graph according to the number of grades of the permission hierarchy, determining a vertex of the incidence relation graph according to a permission lifting path of the vulnerability of the target system, and determining an edge of the incidence relation graph according to the vertex and the permission lifting path of the vulnerability corresponding to the vertex;
determining a vertex of the incidence relation graph according to the authority promotion path of the vulnerability of the target system comprises:
acquiring the initial authority level and the termination authority level of the detected authority promotion of each vulnerability, clustering the vulnerabilities with the same initial authority level and termination authority level, correspondingly taking the vulnerabilities as a vertex of an association relation graph, and counting the number of the vulnerabilities with the same initial authority level and termination authority level as the weight value of the vertex;
the incidence relation graph is a weighted graph with directed points.
2. The method of claim 1,
determining the edge of the association graph according to the vertex and the authority promotion path of the vulnerability corresponding to the vertex comprises:
determining whether an edge exists between the first vertex (i, j) and the second vertex (k, m) by:
when the values of i, j, k and m satisfy i > k and j <= k and m < j, then there is one directed edge pointing from the first vertex (i, j) to the second vertex (k, m);
wherein i represents the initial authority level of authority promotion of the vulnerability corresponding to the first vertex, j represents the termination authority level of authority promotion of the vulnerability corresponding to the first vertex, k represents the initial authority level of authority promotion of the vulnerability corresponding to the second vertex, and m represents the termination authority level of authority promotion of the vulnerability corresponding to the second vertex.
3. The method according to claim 2, wherein the calculating the core degree of the incidence relation graph according to the constructed incidence relation graph among the vulnerabilities and the determining the core vulnerability of the target system comprises: calculating the core degree of the incidence relation graph G by the following formula:
h(G)=max{|w(G-S)|-|S|,S∈C(G)}
wherein, C (G) represents a set formed by all point cut sets in the incidence relation graph G, | w (G-S) | represents the weight value or the sum of the weight values of the top points of the failure points formed by subtracting S from G, | S | represents the weight value or the sum of the weight values of the subtracted top points, and S represents a set capable of generating the top points of the failure points;
the failure point refers to a vertex in the incidence relation graph G which meets one of the following conditions:
the point of all predecessors or all successors is lost;
the starting point of all successors is lost;
the end point of all the precursors is lost.
4. The method according to claim 3, wherein the calculating the core degree of the incidence relation graph according to the constructed incidence relation graph among the vulnerabilities and determining the core vulnerability of the target system further comprises:
determining a corresponding core vertex according to the calculated core degree of the incidence relation graph G, and taking a vulnerability corresponding to the core vertex as a core vulnerability;
and repairing the core vulnerability to realize the protection of the target system.
5. The method of claim 2, wherein obtaining a starting permission level and a terminating permission level for permission elevation for each detected vulnerability comprises:
and searching the description information of the vulnerability in a vulnerability database according to the detected vulnerability number of each vulnerability, and analyzing the initial permission level and the termination permission level of permission promotion of each vulnerability.
6. A system vulnerability protection device, comprising:
the vulnerability detection unit is used for detecting vulnerabilities in the target system;
the incidence relation graph building unit is used for obtaining the authority classification of the target system and building an incidence relation graph between the vulnerabilities of the target system based on the authority classification;
the core vulnerability determining unit is used for calculating the core degree of the incidence relation graph according to the constructed incidence relation graph among the vulnerabilities and determining the core vulnerability of the target system;
the protection unit is used for repairing the core vulnerability so as to realize protection of a target system;
the incidence relation graph building unit is specifically used for determining the number of layers of the incidence relation graph according to the number of levels of authority classification, determining a vertex of the incidence relation graph according to an authority promotion path of the vulnerability of the target system, and determining an edge of the incidence relation graph according to the vertex and the authority promotion path of the vulnerability corresponding to the vertex;
the incidence relation graph building unit comprises a vertex building subunit,
the vertex construction subunit is used for acquiring the initial authority level and the termination authority level of the detected authority promotion of each vulnerability, clustering the vulnerabilities with the same initial authority level and termination authority level, correspondingly taking the clustered vulnerabilities as a vertex of an association relation graph, and counting the number of the vulnerabilities with the same initial authority level and termination authority level as the weight value of the vertex;
the incidence relation graph is a weighted graph with directed points.
7. The apparatus of claim 6, wherein the incidence relation graph constructing unit further comprises an edge constructing subunit,
the edge construction subunit is configured to determine whether an edge exists between the first vertex (i, j) and the second vertex (k, m) by:
when the values of i, j, k and m satisfy i > k and j <= k and m < j, then there is one directed edge pointing from the first vertex (i, j) to the second vertex (k, m);
wherein i represents the initial authority level of authority promotion of the vulnerability corresponding to the first vertex, j represents the termination authority level of authority promotion of the vulnerability corresponding to the first vertex, k represents the initial authority level of authority promotion of the vulnerability corresponding to the second vertex, and m represents the termination authority level of authority promotion of the vulnerability corresponding to the second vertex.
8. The apparatus according to claim 7, wherein the core vulnerability determining unit is specifically configured to calculate the core degree of the incidence relation graph G by using the following formula:
h(G)=max{|w(G-S)|-|S|,S∈C(G)}
wherein, C (G) represents the set formed by all the point cut sets in the incidence relation graph G, | w (G-S) | represents the weight value or the sum of the weight values of the top points of the failure points formed by subtracting S from G, | S | represents the weight value or the sum of the weight values of the subtracted top points, S represents the set of the top points which can generate the failure points,
the failure point refers to a vertex in the incidence relation graph G which meets one of the following conditions:
the point of all predecessors or all successors is lost;
the starting point of all successors is lost;
the end point of all predecessors is lost;
and determining a corresponding core vertex according to the calculated core degree of the incidence relation graph G, and taking the vulnerability corresponding to the core vertex as a core vulnerability.
CN201710121236.4A 2017-03-02 2017-03-02 System vulnerability protection method and device Active CN106997437B (en)


Publications (2)

Publication Number Publication Date
CN106997437A CN106997437A (en) 2017-08-01
CN106997437B true CN106997437B (en) 2020-09-11

Family

ID=59431063

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710121236.4A Active CN106997437B (en) 2017-03-02 2017-03-02 System vulnerability protection method and device

Country Status (1)

Country Link
CN (1) CN106997437B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110881050A (en) * 2019-12-20 2020-03-13 万翼科技有限公司 Security threat detection method and related product
CN111918027B (en) * 2020-07-02 2021-07-06 杭州齐圣科技有限公司 Intelligent community security method based on Internet of things
CN111881456A (en) * 2020-07-29 2020-11-03 江苏云从曦和人工智能有限公司 Security risk management and control method, device, equipment and medium
US11930046B2 (en) 2021-06-17 2024-03-12 Xerox Corporation System and method for determining vulnerability metrics for graph-based configuration security

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101695033A (en) * 2009-09-25 2010-04-14 上海交通大学 Network fragility analyzing system based on privilege lift
US20100242114A1 (en) * 2009-03-20 2010-09-23 Achilles Guard, Inc. D/B/A Critical Watch System and method for selecting and applying filters for intrusion protection system within a vulnerability management system
CN105991521A (en) * 2015-01-30 2016-10-05 阿里巴巴集团控股有限公司 Network risk assessment method and network risk assessment device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Application of system core degree strength in identifying core competitiveness; 黄璐艳; China Master's Theses Full-text Database, Economics and Management Sciences; 2007-03-31; pp. 1-53 *

Also Published As

Publication number Publication date
CN106997437A (en) 2017-08-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant