CN110995717B - Message processing method and device, electronic equipment and vulnerability scanning system - Google Patents

Info

Publication number: CN110995717B
Authority: CN (China)
Prior art keywords: target, network message, tested, message, service
Legal status: Active
Application number: CN201911244534.8A
Other languages: Chinese (zh)
Other versions: CN110995717A (en)
Inventors: 周少鹏, 王滨, 万里, 毕志城, 田启航, 邱利军, 鲁天阳, 刘帅
Current assignee: Hangzhou Hikvision Digital Technology Co Ltd
Original assignee: Hangzhou Hikvision Digital Technology Co Ltd

Classifications

    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (under H04L63/14, detecting or protecting against malicious traffic)
    • H04L63/0281 Proxies (under H04L63/02, separating internal from external traffic, e.g. firewalls)
    • H04L63/10 Controlling access to devices or network resources
    • H04L63/1433 Vulnerability analysis (under H04L63/14, detecting or protecting against malicious traffic)

Abstract

The application provides a message processing method, a message processing device, electronic equipment and a vulnerability scanning system, wherein the method comprises the following steps: when a network message is received, detecting, based on identification information of the target tested system, whether the network message is from the target tested system; the target tested system is a tested system bound with a target proxy service in the proxy server; if so, parsing the network message through the target proxy service, and storing the parsed data so that the vulnerability scanning device can perform vulnerability scanning processing based on the stored data; otherwise, determining the network message to be an illegal network message, and intercepting it. The method can effectively prevent the potential security risk caused by a malicious attacker using the proxy service to carry out malicious access.

Description

Message processing method and device, electronic equipment and vulnerability scanning system
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method and an apparatus for processing a packet, an electronic device, and a vulnerability scanning system.
Background
With the continuous development of the internet and information technology, the information security problem and situation become more and more severe. The network attack technology is increasingly diversified and complicated, the attack tools are increasingly specialized, new types of vulnerabilities and threats continuously appear, and the difficulty of network security management is increased. It is important to timely and comprehensively discover system security vulnerabilities and effectively deal with them.
Vulnerability scanning is the mainstream way of discovering security vulnerabilities: based on a vulnerability database, it detects the security vulnerabilities of a designated remote or local computer system by means such as scanning, in order to discover exploitable vulnerabilities; it is a security detection (penetration testing) activity.
At present, the mainstream vulnerability scanning mode works as follows: a proxy service is statically deployed in the network, the HTTP (Hypertext Transfer Protocol) traffic of the system under test is collected through it, and vulnerability detection is performed on that traffic.
However, practice shows that in this vulnerability scanning scheme, once a malicious attacker learns the proxy address of the proxy service, malicious access and data theft can be carried out through the proxy service, so a high security risk exists.
Disclosure of Invention
In view of this, the present application provides a message processing method, a message processing apparatus, an electronic device, and a vulnerability scanning system.
Specifically, the method is realized through the following technical scheme:
according to a first aspect of an embodiment of the present application, a method for processing a packet is provided, which is applied to a proxy server, and the method includes:
when a network message is received, detecting, based on identification information of the target tested system, whether the network message comes from the target tested system; the target tested system is a tested system bound with a target proxy service in the proxy server;
if so, parsing the network message through the target proxy service, and storing the parsed data so that the vulnerability scanning device can perform vulnerability scanning processing based on the stored data;
otherwise, determining the network message to be an illegal network message, and intercepting it.
According to a second aspect of the embodiments of the present application, there is provided a packet processing method applied to a vulnerability scanning system, where the vulnerability scanning system includes a proxy server and a vulnerability scanning apparatus, and the method includes:
when the proxy server receives a network message, detecting, based on the identification information of the target tested system, whether the network message comes from the target tested system; the target tested system is a tested system bound with a target proxy service in the proxy server;
if so, the proxy server parses the network message through the target proxy service and stores the parsed data; otherwise, the target proxy server determines that the network message is an illegal network message and intercepts it;
and the vulnerability scanning device performs vulnerability scanning processing based on the stored data.
According to a third aspect of the embodiments of the present application, there is provided a packet processing apparatus, applied to a proxy server, the apparatus including:
a receiving unit, configured to receive a network packet;
a detection unit, configured to detect, based on the identification information of the target tested system, whether the network message is from the target tested system when the receiving unit receives the network message; the target tested system is a tested system bound with a target proxy service in the proxy server;
a parsing unit, configured to parse the network message through the target proxy service if the network message comes from the target tested system, and to store the parsed data so that the vulnerability scanning device can perform vulnerability scanning processing based on the stored data;
and a processing unit, configured to determine that the network message is an illegal network message and intercept it if the network message is not from the target tested system.
According to a fourth aspect of embodiments of the present application, there is provided an electronic apparatus, including:
a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the processor is configured to execute machine executable instructions to implement the method provided by the first aspect.
According to a fifth aspect of the embodiments of the present application, there is provided a vulnerability scanning system, including a proxy server and a vulnerability scanning apparatus; wherein:
the proxy server is used for detecting whether the network message is from the target tested system or not based on the identification information of the target tested system when the network message is received; the target tested system is a tested system bound with a target proxy service in the proxy server;
the proxy server is further configured to parse the network message through the target proxy service and store the parsed data if so; otherwise, to determine that the network message is an illegal network message, and to intercept it;
and the vulnerability scanning device is used for carrying out vulnerability scanning processing based on the stored data.
According to the vulnerability scanning method, a binding relationship is established between the proxy service and the system to be tested, so that when a network message is received, whether the network message is from the target system to be tested bound to the target proxy service is detected based on the identification information of the target system to be tested; if so, the network message is parsed through the target proxy service and the parsed data is stored so that the vulnerability scanning device can perform vulnerability scanning processing based on the stored data; otherwise, the received network message is determined to be an illegal network message and is intercepted, so that the potential security risk caused by a malicious attacker using the proxy service to carry out malicious access is effectively prevented.
Drawings
Fig. 1 is a schematic flowchart illustrating a message processing method according to an exemplary embodiment of the present application;
fig. 2 is a schematic flow chart illustrating another message processing method according to another exemplary embodiment of the present application;
fig. 3 is a schematic structural diagram of a message processing apparatus according to an exemplary embodiment of the present application;
fig. 4 is a schematic diagram illustrating a hardware structure of an electronic device according to an exemplary embodiment of the present application;
fig. 5 is a schematic structural diagram of a vulnerability scanning system according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to make the technical solutions provided in the embodiments of the present application better understood and make the above objects, features and advantages of the embodiments of the present application more comprehensible, the technical solutions in the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
Referring to fig. 1, a schematic flow chart of a vulnerability scanning method according to an embodiment of the present disclosure is shown in fig. 1, where the vulnerability scanning method may include the following steps:
it should be noted that the execution subject of steps S100 to S120 may be any proxy server, and the proxy server may be a single server or a server cluster running a proxy service.
Step S100, when a network message is received, detecting whether the network message is from a target tested system or not based on the identification information of the target tested system; if yes, go to step S110; otherwise, go to step S120; the target tested system is a tested system bound with the target proxy service in the proxy server.
In the embodiment of the application, in order to prevent a potential security risk caused by malicious access by a malicious attacker using the proxy service, a binding relationship between the tested system and the proxy service in the proxy server may be set, and the proxy server performs vulnerability scanning processing only on traffic from the bound tested system (the tested system bound with the proxy service running in the proxy server), and intercepts traffic not from the bound tested system.
For example, one or more proxy services may run in a proxy server, and a proxy service may be bound to a system under test or a plurality of systems under test.
For example, the proxy service may be one-to-one bound with the system under test.
When the proxy server receives the network packet, it may detect whether the network packet is from a system under test bound to the target proxy (referred to herein as a target system under test).
Illustratively, the target proxy service is any proxy service running in the proxy server.
For example, the proxy server may store the identification information of the target system under test, and detect whether the received network packet is from the target system under test based on the identification information of the target system under test.
In one example, the identification information of the system under test may include, but is not limited to, a root address (e.g., an IP address or a domain name) of the system under test or a fingerprint characteristic of the system under test, or other characteristics that may uniquely identify the system under test, such as a company name, a platform name, a specified protocol format, a specified message format, or the like.
In one embodiment, in step S100, detecting whether the network packet comes from the target system under test based on the identification information of the target system under test may include:
comparing the source IP address/domain name of the network message with the IP address/domain name of the target system to be tested;
if the two are matched, determining that the network message comes from the target tested system;
otherwise, determining that the network message is not from the target tested system.
Illustratively, take the identification information to be an IP address.
When the proxy server receives the network message, it can parse the network message, obtain its source IP address, and compare that source IP address with the pre-stored root address of the target system to be tested to determine whether the two match.
It should be noted that, if the pre-stored root address of the target system under test is the domain name of the target system under test, the proxy server may obtain the IP address matching that domain name, and then detect whether the network packet is from the target system under test based on that IP address.
When the proxy server determines that the source IP address of the received network message matches the pre-stored root address of the target tested system, that is, the source IP address is the same as the pre-stored IP address of the target tested system or is the pre-stored IP address corresponding to the domain name of the target tested system, it determines that the network message is from the target tested system; otherwise, it determines that the network message is not from the target tested system.
Step S110, parsing the network message, and storing the parsed data so that the vulnerability scanning device can perform vulnerability scanning processing based on the stored data.
In the embodiment of the application, when the proxy server determines that the received network message is from the target system to be tested, the proxy server can parse the network message and store the parsed data, and the vulnerability scanning device can then perform vulnerability scanning processing on the parsed data stored in the proxy server.
A specific implementation of the vulnerability scanning processing performed by the vulnerability scanning apparatus is described below and is not detailed here.
In an embodiment, in step S110, parsing the network packet may include:
determining the protocol adopted by the network message;
and, if the protocol is HTTPS, decrypting the network message based on a preset certificate and parsing the decrypted network message.
For example, in order to parse HTTPS protocol packets, the proxy server needs to be able to decrypt them, that is, the proxy server needs to obtain the certificate used by the system under test to encrypt HTTPS protocol packets.
Correspondingly, when the proxy server receives a network message and determines that the protocol adopted by the network message is HTTPS, the proxy server may decrypt the network message based on the preset certificate and parse the decrypted network message.
Illustratively, the preset certificate is the certificate used by the target system under test for encrypting HTTPS protocol packets.
In an embodiment, parsing the network packet may include:
parsing the message header of the network message to obtain the message header data, and parsing the message body of the network message to obtain the message body data; wherein the message header data comprises authentication information.
For example, when the proxy server determines that the received network packet is a packet from the target system under test, the proxy server may parse the network packet through the target proxy service (if the received network packet is an HTTPS protocol packet, it is decrypted first and then parsed).
The target proxy service can parse the message header and the message body of the network message separately, and store the resulting message header data and message body data.
For example, for the packet header, the target proxy service may parse the header, obtain the authentication information in it, such as Cookies, a token (Token), and the like, and store that authentication information, so that when login verification is required it can be performed based on the stored authentication information; this allows deeper vulnerability scanning and improves the accuracy of problem location.
It should be noted that the data obtained by the target proxy service from parsing the message is not limited to the authentication information, and may also include other characteristic information in the message header, such as User-Agent, Host, and the like.
And step S120, determining the network message as an illegal network message, and intercepting the network message.
In the embodiment of the application, when the proxy server determines that the received network message is not from the target system under test, the proxy server can determine that the network message is an illegal network message, intercept the network message, and disallow the network message to perform network access.
In an embodiment, if it is detected that the received packet is not from the target system under test, the vulnerability scanning method may further include:
discarding the network message; or, alternatively,
recording the network message and raising an alarm.
For example, when the proxy server detects that the received network packet is not from the target system under test, the proxy server may discard the network packet, or may record the network packet and perform an alarm.
It can be seen that, in the method flow shown in fig. 1, by configuring the binding relationship between the tested system and the proxy server, the proxy server performs vulnerability scanning processing on the network packet from the tested system bound to the proxy server, instead of performing vulnerability scanning on the network packet not from the tested system bound to the proxy server, thereby effectively preventing a potential security risk caused by malicious access by a malicious attacker using the proxy service.
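To make the proxy-side flow of steps S100 to S120 concrete, here is an added example in Python; it is not code from the patent or from the assignee. The ProxyService class, the parse_http_message and extract_auth_info helpers, the resolver hook for domain-name bindings, and the two sample messages are all assumptions constructed for illustration; HTTPS decryption with the preset certificate is out of scope and the sample traffic is plaintext HTTP.

```python
import ipaddress
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Callable, Dict, List, Tuple

# Constructed sample traffic (not captured from any real system): one message from the
# bound system under test and one from an unrelated source that has found the proxy address.
SAMPLE_FROM_SUT = (
    "192.168.12.1",
    b"POST /api/login HTTP/1.1\r\nHost: 192.168.12.1\r\nUser-Agent: sut-client/1.0\r\n"
    b"Cookie: JSESSIONID=abc123; theme=dark\r\nAuthorization: Bearer tok-42\r\n\r\n"
    b'{"user": "user"}',
)
SAMPLE_FROM_OTHER = ("10.0.0.99", b"GET /admin HTTP/1.1\r\nHost: 192.168.12.1\r\n\r\n")


def parse_http_message(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a plaintext HTTP message into lower-cased header fields and its body.
    HTTPS traffic would have to be decrypted with the preset certificate before this step."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {"request-line": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def extract_auth_info(headers: Dict[str, str]) -> Dict[str, object]:
    """Pull out the authentication material (cookies, token) the scanner reuses for login checks."""
    info: Dict[str, object] = {}
    if "cookie" in headers:
        jar = SimpleCookie()
        jar.load(headers["cookie"])
        info["cookies"] = {name: morsel.value for name, morsel in jar.items()}
    if "authorization" in headers:
        info["token"] = headers["authorization"]
    return info


@dataclass
class ProxyService:
    """One proxy service bound one-to-one to a system under test, identified by its root address."""
    name: str
    sut_root: str                                          # IP address or domain name of the bound system
    resolver: Callable[[str], List[str]] = lambda _: []    # hypothetical hook: domain name -> IP addresses
    stored: List[dict] = field(default_factory=list)       # parsed data kept for the vulnerability scanner
    alarms: List[str] = field(default_factory=list)        # intercepted messages recorded for alarming

    def bound_ips(self) -> List[str]:
        """IP addresses the bound system may send from; a domain name is resolved first."""
        try:
            ipaddress.ip_address(self.sut_root)
            return [self.sut_root]
        except ValueError:
            return self.resolver(self.sut_root)

    def is_from_sut(self, src_ip: str) -> bool:
        """Step S100: compare the message's source IP with the bound system's root address."""
        return src_ip in self.bound_ips()

    def handle(self, src_ip: str, raw: bytes) -> str:
        """Step S110 for bound traffic (parse and store); step S120 otherwise (intercept, record, alarm)."""
        if not self.is_from_sut(src_ip):
            self.alarms.append(f"intercepted message from {src_ip}: not the system bound to {self.name}")
            return "intercepted"
        headers, body = parse_http_message(raw)
        self.stored.append({
            "auth": extract_auth_info(headers),
            "user_agent": headers.get("user-agent"),
            "host": headers.get("host"),
            "body": body,
        })
        return "stored"
```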
Referring to fig. 2, a schematic flow chart of a vulnerability scanning method according to an embodiment of the present disclosure is shown in fig. 2, where the vulnerability scanning method may include the following steps:
it should be noted that the vulnerability scanning method shown in fig. 2 may be applied to a vulnerability scanning system, and the vulnerability scanning system may include a management apparatus, a proxy server, and a vulnerability scanning apparatus.
And S200, when the management device receives a vulnerability scanning task aiming at the target tested system, distributing target agent service for the target tested system.
In this embodiment of the application, a management device in the vulnerability scanning system may provide a vulnerability scanning task submitting interface, and a vulnerability scanning task for a system under test (taking the target system under test as an example) may be provided through the vulnerability scanning interface.
For example, when the vulnerability scanning task is submitted through the vulnerability scanning interface, in addition to the identification information of the system to be tested, one or more of the following may be submitted: the name of the system to be tested (convenient for testers to record and track), the scanning speed (i.e. the testing frequency when the vulnerability scanning device performs dynamic vulnerability scanning), the system authentication mode (such as HTTP Basic authentication, digest authentication, etc.), the login page (convenient for testers to test the interface that requires login), the user login information (convenient for testers to log in), and the excluded paths (i.e. paths that do not require vulnerability scanning).
When the management device receives the vulnerability scanning task for the target system under test, the target system under test can be allocated with a proxy service (referred to as a target proxy service herein).
Step S210, the management device sends the identification information of the target system to be tested to a target proxy server running the target proxy service, so that the target proxy server establishes a binding relationship between the target proxy service and the target system to be tested; and sending the proxy address of the target proxy service to the target system under test so that the target system under test is connected with the target proxy service based on the proxy address of the target proxy service.
In the embodiment of the application, when the management device receives a vulnerability scanning task for a target system under test and allocates a target proxy service to the target system under test, on one hand, the management device can send identification information of the target system under test to a proxy server (referred to as a target proxy server herein) running the target proxy service, so that the target proxy server establishes a binding relationship between the target proxy service and the target system under test; on the other hand, the proxy address of the target proxy service may be sent to the target system under test, so that the target system under test connects with the target proxy service based on the proxy address of the target proxy service.
For example, the identification information of the target system under test may include, but is not limited to, a root address (e.g., an IP address or a domain name) of the target system under test, or other features that may uniquely identify the target system under test, such as a fingerprint feature of the target system under test.
It should be appreciated that, in the embodiment of the present application, having the management device allocate the proxy service to the system under test is only one specific implementation of allocating a proxy service to the system under test, and does not limit the scope of the present application; that is, the proxy service may also be allocated to the system under test in other manners, such as by static configuration, to establish the binding relationship between the system under test and the proxy service.
Accordingly, steps S200 to S210 are optional steps, performed in the case where the tested system is assigned a proxy service by the management apparatus. When the tested system is assigned a proxy service by other means, steps S200 to S210 need not be executed, and the vulnerability scanning system need not include the management device.
Step S220, when the target proxy server receives the network packet, it detects whether the network packet is from the target system under test based on the identification information of the target system under test. If yes, go to step S230; otherwise, go to step S250.
Step S230, the target proxy server analyzes the received network packet through the target proxy service, and stores the data obtained through analysis.
Step S240, the vulnerability scanning device performs vulnerability scanning processing based on the stored data.
Step S250, the target proxy server determines that the received network packet is an illegal network packet, and intercepts the network packet.
In the embodiment of the present application, the specific implementation of detecting, by the target proxy server, whether the received network packet is from the target system under test, and performing processing based on the detection result may refer to related implementation in the method flow shown in fig. 1, which is not described herein again in this embodiment of the present application.
In an embodiment, in step S200, after the management device allocates the target proxy service to the target system under test, the method may further include:
sending a certificate to the target tested system so that the target tested system encrypts HTTPS protocol messages based on the certificate; and sending the certificate to the target proxy service so that the target proxy service decrypts the HTTPS protocol messages from the target system under test based on the certificate.
For example, in order for the target proxy service to be able to decrypt HTTPS protocol packets from the target system under test, it must be ensured that the target proxy service can obtain the certificate used by the target system under test to encrypt HTTPS protocol packets.
Correspondingly, after the management device allocates the target proxy service to the target system under test, on one hand the management device can send the certificate used for encrypting HTTPS protocol messages to the target system under test; on the other hand, the certificate may be sent to the target proxy service, so that when the target proxy service receives an HTTPS protocol packet from the target system under test, it can decrypt the packet based on the certificate.
In this embodiment of the application, the vulnerability scanning device may perform static vulnerability scanning and dynamic vulnerability scanning based on the stored data, respectively.
For example, the vulnerability scanning apparatus may perform static vulnerability scanning based on the stored data, that is, through static analysis, detect whether there is a security vulnerability matching a known feature in the traffic data.
On the other hand, dynamic vulnerability scanning can be performed based on the stored traffic data: a replay message header is constructed from the stored authentication information, detection data replaces specific data in the original message, the message is then replayed, the system response data is obtained, and it is detected whether the system response data matches known vulnerability characteristics.
In one embodiment, in step S200, the allocating, by the management device, of a target proxy service for the target system under test may include:
the management device creates a target proxy service in the target proxy server and allocates the target proxy service to the target system under test.
Correspondingly, the vulnerability scanning method may further include:
and when the vulnerability scanning task for the target system under test is completed, the management device destroys the target proxy service.
For example, in order to improve resource utilization, the proxy service bound to a system under test may be created only when there is a system under test that needs vulnerability scanning, and destroyed when the scanning task is completed.
When the management device receives a scan task for a target system under test, a target proxy service may be created in the target proxy server.
For example, the target proxy service is run in a specified server or server cluster, i.e., the target proxy server may be the specified server or server cluster.
After the management device creates the target proxy service, the target proxy service may be assigned to the target system under test.
When the vulnerability scanning task for the target system under test is completed, for example when all network messages of the target system under test have been detected, the management device may destroy the target proxy service, that is, release the target proxy service running in the designated server or server cluster.
For example, the management device may destroy the proxy service immediately, that is, as soon as the vulnerability scanning task for the target system under test is completed; or it may destroy proxy services that have no vulnerability scanning task on a timed basis, for example destroying any proxy service without a scanning task at a set time.
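The allocate-bind-destroy lifecycle described above, as an added example that is not the patent's or the applicant's code; the proxy host 192.168.12.8 is the page's example address, while the port range, the idle limit, and the random bytes standing in for the certificate are constructed assumptions:

```python
"""Added example (not the patent's code): a management device that creates one
proxy service per system under test, binds the system's identifying information
to it, hands the same certificate to the system and to the proxy service, and
destroys the service either immediately when the scan task finishes or by a
timed sweep once it has had no task for a set period."""
import itertools
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SystemUnderTest:
    name: str           # e.g. "comprehensive management platform"
    root_address: str   # IP address or domain name: the identification information
    username: str
    password: str


@dataclass
class ProxyService:
    proxy_address: str
    bound: SystemUnderTest
    certificate: bytes            # stand-in for the real certificate material
    task_active: bool = True
    idle_since: Optional[float] = None


class ManagementDevice:
    def __init__(self, proxy_host: str = "192.168.12.8", first_port: int = 9000,
                 idle_limit: float = 300.0):
        self._ports = itertools.count(first_port)   # constructed port range
        self._proxy_host = proxy_host
        self._idle_limit = idle_limit               # constructed timed-destroy limit
        self.services: Dict[str, ProxyService] = {}       # root address -> service
        self.proxy_bindings: Dict[str, str] = {}          # what the proxy server records
        self.sent_to_system: Dict[str, Tuple[str, bytes]] = {}  # what the SUT received

    def allocate(self, sut: SystemUnderTest) -> ProxyService:
        """Create and bind a proxy service; one service per system (uniqueness check)."""
        if sut.root_address in self.services:
            raise ValueError(f"{sut.root_address} already has a proxy service")
        address = f"{self._proxy_host}:{next(self._ports)}"
        cert = secrets.token_bytes(32)   # constructed placeholder, not a real certificate
        service = ProxyService(address, sut, cert)
        self.services[sut.root_address] = service
        # identification info goes to the proxy server; address and cert go to the SUT
        self.proxy_bindings[address] = sut.root_address
        self.sent_to_system[sut.root_address] = (address, cert)
        return service

    def destroy(self, root_address: str) -> None:
        """Release the proxy service and drop the binding the proxy server holds."""
        service = self.services.pop(root_address)
        self.proxy_bindings.pop(service.proxy_address, None)
        self.sent_to_system.pop(root_address, None)

    def task_completed(self, root_address: str, now: float, immediate: bool = True) -> None:
        """Immediate policy destroys right away; timed policy marks idle for sweep()."""
        if immediate:
            self.destroy(root_address)
            return
        service = self.services[root_address]
        service.task_active = False
        service.idle_since = now

    def sweep(self, now: float) -> List[str]:
        """Timed destruction: release services that have had no task for idle_limit."""
        expired = [addr for addr, s in self.services.items()
                   if not s.task_active and s.idle_since is not None
                   and now - s.idle_since >= self._idle_limit]
        for addr in expired:
            self.destroy(addr)
        return expired


if __name__ == "__main__":
    md = ManagementDevice()
    svc = md.allocate(SystemUnderTest("comprehensive management platform",
                                      "192.168.12.1", "user", "password"))
    print("proxy address issued:", svc.proxy_address)
    md.task_completed("192.168.12.1", now=0.0)
    print("services after completion:", md.services)
```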
In order to enable those skilled in the art to better understand the technical solutions provided by the embodiments of the present application, the technical solutions provided by the embodiments of the present application are described below with reference to specific examples.
1. The management device in the vulnerability scanning system provides an interactive interface through which a user submits information about the system under test and the scanning configuration, such as: a system name (example: "comprehensive management platform"), a system access root address (example: 192.168.12.1), user login information (example: user name "user", password "password"), a scanning speed (example: slow), and the like.
2. The management device dynamically starts a proxy service according to the information of the system under test, and binds the system name (example: comprehensive management platform), the system access root address (example: 192.168.12.1) and the user login information (example: user name "user", password "password") to the proxy service for the subsequent uniqueness check.
3. The management device issues the generated proxy service address (example: 192.168.12.8.
4. When the proxy service receives a network message, it determines whether the message comes from the system under test based on the source IP of the message and the pre-stored root address of the system under test, that is, whether the source IP address of the message is 192.168.12.1; if so, go to step 5; otherwise, the message (for example, a message from 192.168.12.29) is discarded and the response "request not from the system under test; message blocked" is returned.
5. The proxy service determines the protocol used by the system under test from the system information submitted by the user; if HTTPS is used, go to step 6; if an unencrypted protocol such as HTTP is used, go to step 7.
6. For HTTPS, the proxy service enables certificate-based verification to decrypt the encrypted network message, and then goes to step 7.
7. The message header from the system under test is parsed, and the authentication information used for login verification, such as Cookies and Tokens (example: Cookie: token='1288add6ff90ad639'), is obtained and stored; the message body is parsed, and the message header data and message body data are stored.
8. The vulnerability scanning device performs static vulnerability scanning based on the stored data, that is, it detects through static analysis whether the stored data contains a security vulnerability matching known characteristics.
9. The vulnerability scanning device performs dynamic vulnerability scanning based on the stored traffic data, that is, it constructs the message header of a replay network message from the stored authentication information, replaces specific data in the original network message with detection data, replays the network message, obtains the system response data, and detects whether the response data matches known vulnerability characteristics.
10. After all network messages of the system under test have been detected, the management device dynamically destroys the corresponding proxy service that was started (for example, 192.168.12.8.
11. A vulnerability detection report is produced from all the detection data.
12. Multi-dimensional statistical analysis is performed on the task data, traffic data and detection result data, including high-risk vulnerability statistics, statistics by vulnerability threat level, product-family vulnerability statistics, and the like.
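Steps 4 to 7 above (and the detection, parsing and processing units described later for the apparatus), as an added example that is not the patent's code; it assumes the message has already been decrypted where HTTPS is used, and the sample request, the bound address 192.168.12.1 and the foreign address 192.168.12.29 are taken from the page's example while the request contents are constructed.

```python
"""Added example (not the patent's code): the proxy-side check-and-parse step.
A proxy service is bound to exactly one system under test; a message is accepted
only if its source IP or domain name equals the bound identifier, after which the
header and body are parsed and the authentication information (Cookie / Token
headers) is kept for the scanner. Anything else is blocked, recorded and answered
with a refusal. Input is assumed to be plaintext HTTP (already decrypted)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Header names treated as login-verification information (assumed set).
AUTH_HEADERS = ("cookie", "authorization", "token", "x-auth-token")


@dataclass
class ParsedMessage:
    method: str
    path: str
    headers: Dict[str, str]      # message header data
    body: bytes                  # message body data
    auth_info: Dict[str, str]    # subset of headers used for authentication


@dataclass
class ProxyService:
    bound_ip: str                          # identification info of the bound system
    bound_domain: Optional[str] = None     # optional domain-name identifier
    stored: List[ParsedMessage] = field(default_factory=list)
    alarms: List[str] = field(default_factory=list)   # record + alarm for blocked traffic


def from_bound_system(service: ProxyService, source_ip: str,
                      source_domain: Optional[str] = None) -> bool:
    """Compare the source IP / domain name with the bound system's identifier."""
    if source_ip == service.bound_ip:
        return True
    return (source_domain is not None and service.bound_domain is not None
            and source_domain.lower() == service.bound_domain.lower())


def parse_http(raw: bytes) -> ParsedMessage:
    """Split the message into header data and body data; pull out auth headers."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    auth = {k: v for k, v in headers.items() if k in AUTH_HEADERS}
    return ParsedMessage(method, path, headers, body[:length], auth)


def block_response() -> bytes:
    """Refusal returned to a sender that is not the bound system under test."""
    text = b"Request not from the system under test; message blocked"
    return b"HTTP/1.1 403 Forbidden\r\nContent-Length: %d\r\n\r\n" % len(text) + text


def handle_message(service: ProxyService, source_ip: str, raw: bytes,
                   source_domain: Optional[str] = None) -> Tuple[str, bytes]:
    """Return ("stored", b"") for the bound system, ("blocked", refusal) otherwise."""
    if not from_bound_system(service, source_ip, source_domain):
        service.alarms.append(f"blocked message from {source_ip}")
        return "blocked", block_response()
    parsed = parse_http(raw)
    service.stored.append(parsed)        # kept for static and dynamic scanning
    return "stored", b""


# Constructed sample request carrying the page's example token in a Cookie header.
SAMPLE_BODY = b'{"username": "user", "password": "password"}'
SAMPLE_REQUEST = (b"POST /api/login HTTP/1.1\r\n"
                  b"Host: 192.168.12.8:9000\r\n"
                  b"Cookie: token=1288add6ff90ad639\r\n"
                  b"Content-Type: application/json\r\n"
                  b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n\r\n"
                  + SAMPLE_BODY)


if __name__ == "__main__":
    svc = ProxyService(bound_ip="192.168.12.1")
    print(handle_message(svc, "192.168.12.1", SAMPLE_REQUEST)[0], svc.stored[0].auth_info)
    print(handle_message(svc, "192.168.12.29", SAMPLE_REQUEST)[0], svc.alarms)
```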
In the embodiment of the application, by establishing a binding relationship between the proxy service and the system under test, when a network message is received it is detected, based on the identification information of the target system under test, whether the message comes from the target system under test bound to the target proxy service; if so, the message is parsed by the target proxy service and the parsed data is stored, so that the vulnerability scanning device can perform vulnerability scanning based on the stored data; otherwise, the received message is determined to be an illegal network message and is intercepted, which effectively prevents the potential security risk of a malicious attacker using the proxy service for malicious access.
The methods provided herein are described above. The following describes the apparatus provided in the present application:
Referring to fig. 3, a message processing apparatus provided in an embodiment of the present application is applied to a proxy server, and the message processing apparatus includes:
a receiving unit, configured to receive a network packet;
the detection unit is used for detecting whether the network message is from the target tested system or not based on the identification information of the target tested system when the receiving unit receives the network message; the target tested system is a tested system bound with a target proxy service in the proxy server;
the parsing unit is used for parsing the network message through the target proxy service if the network message comes from the target system under test, and storing the parsed data so that the vulnerability scanning device can perform vulnerability scanning processing based on the stored data;
and the processing unit is used for determining that the network message is an illegal network message and intercepting the network message if the network message is not from the target tested system.
In one embodiment, the detecting unit detects whether the network packet is from the target system under test based on identification information of the target system under test, including:
comparing the source IP address/domain name of the network message with the IP address/domain name of the target system to be tested;
if the network message and the target tested system are matched, determining that the network message comes from the target tested system;
otherwise, determining that the network message is not from the target tested system.
In one embodiment, the parsing unit parses the network packet, including:
determining a protocol adopted by the network message;
if the network message uses the HTTPS (hypertext transfer protocol secure) protocol, decrypting the network message based on a preset certificate, and parsing the decrypted network message; the preset certificate is the one used for decrypting the HTTPS protocol message of the target system under test.
In an embodiment, the parsing unit parses the network packet, including:
respectively analyzing the message header of the network message to obtain message header data of the network message, and analyzing the message body of the network message to obtain message body data of the network message; wherein the message header data includes authentication information.
In an embodiment, the processing unit is further configured to discard the network packet if the network packet is not from the target system under test; or, recording the network message and giving an alarm.
Correspondingly, the application also provides a hardware structure of the device shown in fig. 3. Referring to fig. 4, the hardware structure may include: a processor and a machine-readable storage medium having stored thereon machine-executable instructions executable by the processor; the processor is configured to execute machine-executable instructions to implement the methods disclosed in the above examples of the present application.
Based on the same application concept as the method, embodiments of the present application further provide a machine-readable storage medium, where several computer instructions are stored, and when the computer instructions are executed by a processor, the method disclosed in the above example of the present application can be implemented.
The machine-readable storage medium may be, for example, any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be: RAM (Random Access Memory), a volatile memory, a non-volatile memory, a flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a DVD, etc.), or a similar storage medium, or a combination thereof.
Please refer to fig. 5, which is a schematic diagram illustrating a vulnerability scanning system according to an embodiment of the present disclosure, including a proxy server and a vulnerability scanning apparatus; wherein:
the management device is used for distributing target agent service for the target tested system when receiving a vulnerability scanning task aiming at the target tested system;
the management device is further configured to send the identification information of the target system under test to a target proxy server running the target proxy service, so that the target proxy server establishes a binding relationship between the target proxy service and the target system under test; sending the proxy address of the target proxy service to the target system under test so that the target system under test is connected with the target proxy service based on the proxy address of the target proxy service;
the proxy server is used for detecting, when the target proxy service is running and a network message is received, whether the network message is from the target system under test based on the identification information of the target system under test;
the proxy server is also used for, if so, parsing the network message through the target proxy service and storing the parsed data; otherwise, determining the network message to be an illegal network message and intercepting it;
and the vulnerability scanning device is used for carrying out vulnerability scanning processing based on the stored data.
In one embodiment, the vulnerability scanning system shown in fig. 5 may further include: a management device; wherein:
the management device is used for distributing target agent service for the target tested system when receiving a vulnerability scanning task aiming at the target tested system;
the management device is further configured to send the identification information of the target system under test to a proxy server running the target proxy service, so that the proxy server establishes a binding relationship between the target proxy service and the target system under test; and sending the proxy address of the target proxy service to the target system under test so that the target system under test is connected with the target proxy service based on the proxy address of the target proxy service.
In one embodiment, after the management apparatus allocates the target proxy service to the target system under test, the method further includes:
sending a certificate to the target tested system so that the target tested system encrypts an HTTPs protocol message based on the certificate; and sending the certificate to the target proxy service so that the target proxy service decrypts the HTTPs protocol message from the target system under test based on the certificate.
In one embodiment, the allocating, by the management apparatus, a target proxy service to the target system under test includes:
the management device creates a target proxy service in the proxy server and distributes the target proxy service to the target system under test;
and when the vulnerability scanning task aiming at the target tested system is completed, the management device destroys the target agent service.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the various elements may be implemented in the same one or more pieces of software and/or hardware in the practice of the present application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (11)

1. A message processing method is applied to a proxy server, and is characterized by comprising the following steps:
when a network message is received, detecting whether the network message comes from a target tested system or not based on identification information of the target tested system; the target tested system is a tested system bound with a target proxy service in the proxy server, and the target proxy service and the target tested system are bound in a one-to-one mode; the target agent service is dynamically started, and after all network messages of a target system to be tested are detected, the target agent service is dynamically destroyed; the identification information of the target system under test comprises the characteristic of uniquely identifying the target system under test;
if so, analyzing the network message through the target agent service, and storing the analyzed data so as to enable the vulnerability scanning device to perform vulnerability scanning processing based on the stored data;
otherwise, determining the network message as an illegal network message, and intercepting the network message.
2. The method of claim 1, wherein the detecting whether the network packet is from the target system-under-test based on the identification information of the target system-under-test comprises:
comparing the source IP address/domain name of the network message with the IP address/domain name of the target system to be tested;
if the network message and the target system are matched, determining that the network message comes from the target system to be tested;
otherwise, determining the network message as the illegal network message.
3. The method of claim 1, wherein parsing the network packet comprises:
determining a protocol adopted by the network message;
if the network message is a hypertext transfer protocol (HTTPs) protocol, decrypting the network message based on a preset certificate, and analyzing the decrypted network message; and the preset certificate is used for decrypting the HTTPs protocol message by the target system to be tested.
4. The method of claim 1, wherein if it is detected that the network packet is not from the target system under test, the method further comprises:
discarding the network message; or, alternatively,
and recording the network message and giving an alarm.
5. A message processing method is applied to a vulnerability scanning system, and is characterized in that the vulnerability scanning system comprises a proxy server and a vulnerability scanning device, and the method comprises the following steps:
when the proxy server receives a network message, detecting whether the network message comes from a target tested system or not based on the identification information of the target test system; the target tested system is a tested system bound with a target proxy service in the proxy server, and the target proxy service and the target tested system are bound in a one-to-one mode; the target agent service is dynamically started, and after all network messages of a target system to be tested are detected, the target agent service is dynamically destroyed; the identification information of the target system under test comprises the characteristic of uniquely identifying the target system under test;
if so, the proxy server analyzes the network message through the target proxy service and stores the data obtained by analysis; otherwise, the target proxy server determines that the network message is an illegal network message and intercepts the network message;
and the vulnerability scanning device performs vulnerability scanning processing based on the stored data.
6. The method of claim 5, wherein the vulnerability scanning system further comprises: a management device;
the method further comprises the following steps:
when the management device receives a vulnerability scanning task aiming at a target tested system, distributing target agent service for the target tested system;
the management device sends the identification information of the target system to be tested to a proxy server running the target proxy service, so that the proxy server establishes a binding relationship between the target proxy service and the target system to be tested; and sending the proxy address of the target proxy service to the target system to be tested so that the target system to be tested is connected with the target proxy service based on the proxy address of the target proxy service.
7. The method of claim 6, wherein after the management device allocates the target agent service to the target system under test, the method further comprises:
sending a certificate to the target tested system so that the target tested system encrypts an HTTPs protocol message based on the certificate; and sending the certificate to the target proxy service so that the target proxy service decrypts the HTTPs protocol message from the target tested system based on the certificate.
8. The method of claim 6, wherein the managing device assigns a target agent service to the target system-under-test, comprising:
the management device creates a target proxy service in the proxy server and distributes the target proxy service to the target system under test;
the method further comprises the following steps:
and when the vulnerability scanning task aiming at the target tested system is completed, the management device destroys the target agent service.
9. A message processing device applied to a proxy server is characterized by comprising:
a receiving unit, configured to receive a network packet;
the detection unit is used for detecting whether the network message is from the target tested system or not based on the identification information of the target tested system when the receiving unit receives the network message; the target tested system is a tested system bound with a target proxy service in the proxy server, and the target proxy service and the target tested system are bound in a one-to-one mode; the target agent service is dynamically started, and after all network messages of a target system to be tested are detected, the target agent service is dynamically destroyed; the identification information of the target system under test comprises the characteristic of uniquely identifying the target system under test;
the analysis unit is used for analyzing the network message through the target agent service if the network message comes from the target tested system and storing the analyzed data so as to enable the vulnerability scanning device to perform vulnerability scanning processing based on the stored data;
and the processing unit is used for determining that the network message is an illegal network message and intercepting the network message if the network message is not from the target tested system.
10. An electronic device, comprising:
a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the processor is configured to execute machine executable instructions to implement the method steps of any of claims 1-4.
11. A vulnerability scanning system is characterized by comprising a proxy server and a vulnerability scanning device; wherein:
the proxy server is used for detecting whether the network message is from a target tested system or not based on the identification information of the target test system when the network message is received; the target tested system is a tested system bound with a target proxy service in the proxy server, and the target proxy service and the target tested system are bound in a one-to-one mode; the target agent service is dynamically started, and after all network messages of a target system to be tested are detected, the target agent service is dynamically destroyed; the identification information of the target tested system comprises a characteristic which uniquely identifies the target tested system;
the proxy server is also used for analyzing the network message through the target proxy service and storing the data obtained by analysis if the network message is true; otherwise, determining the network message as an illegal network message, and intercepting the network message;
and the vulnerability scanning device is used for carrying out vulnerability scanning processing based on the stored data.
CN201911244534.8A 2019-12-06 2019-12-06 Message processing method and device, electronic equipment and vulnerability scanning system Active CN110995717B (en)

Publications (2)

Publication Number Publication Date
CN110995717A CN110995717A (en) 2020-04-10
CN110995717B true CN110995717B (en) 2022-11-01

Family

ID=70091061

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant