CN111291384A - Vulnerability scanning method and device and electronic equipment - Google Patents

Vulnerability scanning method and device and electronic equipment Download PDF

Info

Publication number
CN111291384A
CN111291384A CN202010347141.6A CN202010347141A CN111291384A CN 111291384 A CN111291384 A CN 111291384A CN 202010347141 A CN202010347141 A CN 202010347141A CN 111291384 A CN111291384 A CN 111291384A
Authority
CN
China
Prior art keywords
plug
task
vulnerability scanning
scanning
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010347141.6A
Other languages
Chinese (zh)
Other versions
CN111291384B (en
Inventor
周少鹏
毕志城
王滨
万里
何承润
姚铮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Hikvision Digital Technology Co Ltd
Original Assignee
Hangzhou Hikvision Digital Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Hikvision Digital Technology Co Ltd filed Critical Hangzhou Hikvision Digital Technology Co Ltd
Priority to CN202010347141.6A priority Critical patent/CN111291384B/en
Publication of CN111291384A publication Critical patent/CN111291384A/en
Application granted granted Critical
Publication of CN111291384B publication Critical patent/CN111291384B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/362Software debugging
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application provides a vulnerability scanning method, a vulnerability scanning device and electronic equipment, wherein the method comprises the following steps: when a scanning plug-in creating instruction is received, generating a target vulnerability scanning plug-in for scanning a target vulnerability through an online editing mode based on plug-in information in the creating instruction; generating a debugging task based on the target vulnerability scanning plug-in and the debugging target information; executing the debugging task, and debugging the target vulnerability scanning plug-in based on the execution result so as to enable the debugged target vulnerability scanning plug-in to meet the preset condition; and executing a vulnerability scanning task based on the debugged target vulnerability scanning plug-in. The method can simplify the development process of the vulnerability scanning plug-in, shorten the development time and improve the development efficiency.

Description

Vulnerability scanning method and device and electronic equipment
Technical Field
The present application relates to the field of information security technologies, and in particular, to a vulnerability scanning method and apparatus, and an electronic device.
Background
With the continuous development of the internet and information technology, the information security problem and situation become more and more severe. The network attack technology is increasingly diversified and complicated, the attack tools are increasingly specialized, new vulnerability and threats continuously appear, and the difficulty of network security management is increased. It is important to timely and comprehensively discover system security vulnerabilities and effectively deal with them.
Vulnerability scanning refers to detecting the security vulnerability of a designated remote or local computer system by means of scanning and the like based on a vulnerability database, and finding out a security detection (penetration attack) behavior of available vulnerabilities. The vulnerability scanner comprises different types such as network missing scanning, host missing scanning, database missing scanning and the like.
The traditional vulnerability scanning scheme mainly comprises two scanning schemes: one is that through the plug-in numbering, call NASL (Nessus Attacking Scripting Language) script engine, load, explain, carry out NASL script, carry on the security test to the computer system or network, return the result through analyzing the measured object, judge whether there is corresponding security vulnerability; and the other method comprises the steps of acquiring basic parameter information of the vulnerability scanning plug-in through a specified interface, determining the vulnerability scanning plug-in corresponding to the basic parameter information according to the basic parameter information and the input mode corresponding to the specified interface, and scanning vulnerabilities based on the vulnerability scanning plug-in stored in a vulnerability scanning plug-in database.
However, practice shows that the traditional vulnerability scanning scheme needs to rely on a third-party security scanner, the plug-in script format is fixed, plug-in scripts of other formats or languages cannot be used, the adaptability is poor, the plug-in scripts cannot be developed rapidly, and the plug-in script development requirement of a short time and a large task amount is not met.
Disclosure of Invention
In view of the above, the present application provides a vulnerability scanning method, apparatus and electronic device.
Specifically, the method is realized through the following technical scheme:
according to a first aspect of an embodiment of the present application, there is provided a vulnerability scanning method, including:
when a scanning plug-in creating instruction is received, generating a target vulnerability scanning plug-in for scanning a target vulnerability through an online editing mode based on plug-in information in the creating instruction;
generating a debugging task based on the target vulnerability scanning plug-in and debugging target information;
executing the debugging task, and debugging the target vulnerability scanning plug-in based on an execution result so as to enable the debugged target vulnerability scanning plug-in to meet a preset condition;
and executing a vulnerability scanning task based on the debugged target vulnerability scanning plug-in.
According to a second aspect of the embodiments of the present application, there is provided a vulnerability scanning apparatus, including:
the system comprises an editing unit, a processing unit and a processing unit, wherein the editing unit is used for generating a target vulnerability scanning plug-in for scanning a target vulnerability in an online editing mode based on plug-in information in a creation instruction when the creation instruction of the scanning plug-in is received;
the generating unit is used for generating a debugging task based on the target vulnerability scanning plug-in and debugging target information;
the debugging unit is used for executing the debugging task and debugging the target vulnerability scanning plug-in based on an execution result so as to enable the debugged target vulnerability scanning plug-in to meet a preset condition;
and the scanning unit is used for executing the vulnerability scanning task based on the debugged target vulnerability scanning plug-in.
According to a third aspect of embodiments of the present application, there is provided an electronic apparatus including:
a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the processor is used for executing machine executable instructions to realize the vulnerability scanning method.
According to the vulnerability scanning method, when a scanning plug-in creating instruction is received, a target vulnerability scanning plug-in for scanning a target vulnerability is generated in an online editing mode based on plug-in information in the creating instruction; generating a debugging task based on the target vulnerability scanning plug-in and the debugging target information; the debugging task is executed, the target vulnerability scanning plug-in is debugged based on the execution result, so that the debugged target vulnerability scanning plug-in meets the preset condition, and then the vulnerability scanning task is executed based on the debugged target vulnerability scanning plug-in, thereby simplifying the development flow of the vulnerability scanning plug-in, shortening the development time, improving the development efficiency, completing the development of the large-scale vulnerability scanning plug-in a short time, and further realizing efficient and rapid vulnerability scanning.
Drawings
Fig. 1 is a schematic flowchart illustrating a vulnerability scanning method according to an exemplary embodiment of the present application;
FIG. 2 is a flowchart illustrating an exemplary implementation of a data collection task for executing target information of the task based on a debugged target data collection script according to an embodiment of the present disclosure;
fig. 3 is a schematic diagram illustrating a method for constructing a plug-in vulnerability scanning framework based on online plug-in editing according to an exemplary embodiment of the present application;
FIG. 4 is a schematic diagram illustrating a process of vulnerability scanning plug-in development and vulnerability scanning based on a plug-in vulnerability scanning framework edited by an online plug-in according to an exemplary embodiment of the present application;
fig. 5 is a schematic structural diagram of a vulnerability scanning apparatus according to an exemplary embodiment of the present application;
fig. 6 is a schematic diagram of a hardware structure of the apparatus shown in fig. 5 according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to make the technical solutions provided in the embodiments of the present application better understood and make the above objects, features and advantages of the embodiments of the present application more comprehensible, the technical solutions in the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
Referring to fig. 1, a schematic flow chart of a data acquisition method according to an embodiment of the present disclosure is shown in fig. 1, where the data acquisition method may include the following steps:
step S100, when a scanning plug-in creating instruction is received, a target vulnerability scanning plug-in for scanning a target vulnerability is generated in an online editing mode based on plug-in information in the creating instruction.
In the embodiment of the present application, a target vulnerability does not refer to a certain vulnerability, but refers to any vulnerability that can be scanned by using the technical scheme provided by the embodiment of the present application, and the embodiment of the present application is not repeated in the following.
In the embodiment of the application, in order to simplify the development process of the vulnerability scanning plug-in, online plug-in editing can be realized and the plug-in development process can be simplified based on an online editing technology.
When a scanning plug-in creating instruction is received, a process of editing vulnerability scanning plug-ins online can be triggered, and based on plug-in information included in the creating instruction, a scanning plug-in (referred to as a target vulnerability scanning plug-in herein) for scanning a target vulnerability is generated in an online editing mode.
Illustratively, the plug-in information includes plug-in identification information, such as a plug-in name. The plug-in name may be determined based on identification information of the corresponding vulnerability.
For example, assuming the vulnerability name is vulnerability a, the plug-in name may be vulnerability a scanning plug-in.
Illustratively, the plug-in information may also include, but is not limited to, one or more of vulnerability threat level, influencing components, influencing versions, vulnerability cause, solutions, and the like.
And S110, generating a debugging task based on the target vulnerability scanning plug-in and the debugging target information.
In this embodiment of the application, in order to implement online debugging of the vulnerability scanning plug-in, when the target vulnerability scanning plug-in is generated in the manner described in step S100, a debugging task may be generated based on the target vulnerability scanning plug-in and the debugging target information, and used for online debugging of the vulnerability scanning plug-in the subsequent flow.
Illustratively, the debugging target information includes scanning target information when debugging the target vulnerability scanning plug-in, for example, a device IP address and a port existing with the target vulnerability.
And step S120, executing the debugging task, and debugging the target vulnerability scanning plug-in based on the execution result so as to enable the debugged target vulnerability scanning plug-in to meet the preset condition.
In this embodiment of the application, when the debugging task is generated in the manner described in step S110, the debugging of the target vulnerability scanning plug-in may be implemented by executing the debugging task, so that the debugged target vulnerability scanning plug-in meets the preset condition, that is, the result of vulnerability scanning performed on the device corresponding to the debugging target information by using the debugged target vulnerability scanning plug-in meets the requirement.
For example, when the debugging task is generated in the manner described in step S110, the debugging task may be issued to the message queue, the debugging task may be acquired from the message queue by the plug-in execution engine, and the acquired debugging task may be executed.
For example, the debugging tasks in the message queue may be scheduled based on the priority of each debugging task in the message queue.
In one example, the debugging flow of the vulnerability scanning plug-in is as follows:
1. when a target vulnerability scanning plug-in is generated in an online editing mode and a debugging instruction is received, codes of the target vulnerability scanning plug-in can be transmitted into a background plug-in execution engine, the plug-in execution engine edits the codes and runs, and vulnerability scanning is carried out on debugging target information based on the target vulnerability scanning plug-in the motion process so as to generate an execution result;
2. the execution result is transmitted to the Web front end by the plug-in execution engine through an interface;
3. the Web front end receives the execution result and renders and displays the execution result to a code operation result area;
4. and determining whether the plug-in meets the requirements or not based on the code running result, and completing one debugging action.
And step S130, executing a vulnerability scanning task based on the debugged target vulnerability scanning plug-in.
In the embodiment of the application, when the debugging of the target vulnerability scanning plug-in is completed, the vulnerability scanning task can be executed based on the debugged target vulnerability scanning plug-in.
Therefore, in the method flow shown in fig. 1, by online editing and debugging of the vulnerability scanning plug-in, the vulnerability scanning plug-in development flow is simplified, the development time is shortened, the development efficiency is improved, and large-scale vulnerability scanning plug-in development can be completed in a short time, so that efficient and rapid vulnerability scanning is realized.
In one embodiment of the present application, in step S100, generating a target vulnerability scanning plug-in for scanning a target vulnerability by an online editing manner based on plug-in information in a creation instruction includes:
outputting a plug-in online editing interface based on the plug-in information in the creating instruction;
and generating a target vulnerability scanning plug-in based on a plug-in editing instruction input through the plug-in online editing interface.
Illustratively, when a plug-in creating instruction for the target vulnerability scanning is received, a plug-in online editing interface can be output, plug-in information can be displayed in the plug-in online editing interface, and a user can perform online editing of the vulnerability scanning plug-in a manner of inputting the plug-in editing instruction through the plug-in online editing interface.
For example, a user may edit the page online to write the specific content of the plug-in based on the name of the plug-in displayed in the online editing interface and other plug-in information, such as vulnerability threat level, affected component, affected version, vulnerability cause, solution, and the like.
In one example, a vulnerability scanning plug-in template can be further provided in the plug-in online editing interface, and a user can realize online editing of the vulnerability scanning plug-in by modifying the vulnerability scanning plug-in template in the plug-in online editing interface to obtain a target vulnerability scanning plug-in.
Accordingly, the target vulnerability scanning plug-in can be generated based on the plug-in editing instructions input through the plug-in online editing interface.
In one embodiment of the present application, as shown in fig. 2, the executing of the bug scanning task based on the debugged target bug scanning plug-in may be implemented by the following steps:
step S131, when a vulnerability scanning task creation instruction is received, task information is determined, and the task information comprises a task name, a task target and a task type.
Step S132, generating a task to be executed based on the task name, issuing the task to be executed to a message queue, and storing task information.
And step S133, scheduling the tasks to be executed in the message queue by adopting an asynchronous calling mode based on the priority of each task to be executed in the message queue.
And S134, calling vulnerability scanning plug-ins corresponding to task types included in the task information for any scheduled task to be executed based on the corresponding task information, and carrying out vulnerability scanning on task targets included in the task information.
For example, when the debugging of the target vulnerability scanning plug-in is completed in the manner described in step S120, the task information may be determined when the vulnerability scanning task creation instruction is received.
For example, when creating the vulnerability scanning task, the task information that can be submitted may include, but is not limited to, a task name, a task target (which may include a scanning target address (IP address or domain name) and a scanning target port), and a task type, for example, a full-volume plug-in scanning (i.e., performing vulnerability scanning using all plug-ins in the plug-in set), a web vulnerability class plug-in scanning (i.e., performing vulnerability scanning using plug-ins in the plug-in set of which the type is the web vulnerability class), a host vulnerability class plug-in scanning (i.e., performing vulnerability scanning using plug-ins in the plug-in set of which the type is the web vulnerability class), or a specified plug-in scanning (i.e., performing vulnerability scanning using plug-ins specified in the plug-ins.
And when the task information is determined, generating a task to be executed based on the task name, issuing the task to be executed to a message queue, and storing the corresponding task information.
When the tasks to be executed are scheduled, the tasks to be executed in the message queue can be scheduled by adopting an asynchronous calling mode based on the priority of each task to be executed in the message queue.
For any scheduled task to be executed, a corresponding vulnerability scanning plug-in can be determined based on the task type in the corresponding task information, and the vulnerability scanning plug-in is called to scan the task target included in the task information.
For example, the to-be-executed task and the corresponding task information may be associated based on a task name.
It should be noted that the task information may also include information of a submitter of the scanning task (such as a name, a department to which the scanning task belongs, and so on, which is convenient for managing the scanning task) and task parameters, such as a scanning speed. In one example, the debugging task and the task to be executed may be issued to different message queues respectively.
For example, the debugging task is issued to a debugging task message queue (which may be referred to as a first message queue), and the task to be executed is issued to a task to be executed message queue (which may be referred to as a second message queue).
In another example, the debugging task and the task to be executed (including the timing scanning task and the instant scanning task) can be issued to the same message queue.
Illustratively, the debugging task has a higher priority than the task to be executed in the same message queue.
For example, in order to improve vulnerability scanning efficiency, an asynchronous task scheduling mode may be adopted to schedule the to-be-executed tasks in the message queue.
Correspondingly, when the task needs to be executed, the task to be executed in the message queue can be scheduled by adopting an asynchronous task scheduling mode based on the priority of each task to be executed in the message queue.
It should be noted that, for the timing scanning task, the task information may further include timing information (i.e., time information for performing vulnerability scanning).
In one example, after executing the vulnerability scanning task based on the debugged target vulnerability scanning plug-in, the method may further include:
filtering the vulnerability scanning result to filter invalid data;
and analyzing the filtered vulnerability scanning result, and storing data based on the analysis result.
Illustratively, after calling the debugged target vulnerability scanning plug-in to perform vulnerability scanning, the vulnerability scanning result can be filtered to filter invalid data, and the filtered vulnerability scanning result is analyzed to extract required data, identify the false report data, and store the extracted required data.
Exemplary, invalid data may include, but is not limited to:
1. port information, component information, version information and the like of unspecified vulnerabilities obtained after vulnerability scanning;
2. after vulnerability scanning, responding invalid network data packets;
the required data includes, but is not limited to:
1. scanning port information, component information, version information and the like corresponding to the vulnerability;
2. scanning response network data packets of URL addresses corresponding to the loopholes, and the like;
false positive data includes, but is not limited to:
1. in the vulnerability scanning process, false alarm caused by network problems, for example, a port is actually in an open state, but due to network congestion, if a scanning result is that the port is in a closed state, repeated port scanning confirmation is required.
2. If it is determined that there may be a false positive according to the characteristic value of the response network data packet or the response status code, an auxiliary means is required to be adopted for further verification.
It should be noted that after the debugged bug scanning plug-in is called to capture data, the bug scanning result can be filtered, and the bug scanning result can be subjected to data format normalization, false alarm data analysis (so that the false alarm result can be automatically processed in the subsequent flow, and the labor cost and time cost of later scanning result analysis are reduced), and the like, so as to further simplify the difficulty of data analysis and improve the data analysis efficiency.
In order to enable those skilled in the art to better understand the technical solutions provided by the embodiments of the present application, the technical solutions provided by the embodiments of the present application are described below with reference to specific examples.
Taking a plug-in vulnerability scanning framework system based on online plug-in editing as an example, the framework system will be explained first.
In this embodiment, the plug-in vulnerability scanning framework system based on online plug-in editing may include:
the front-end web task console module comprises functions of task creation, task detail display, task state control (running, stopping, debugging, editing and timing), speed control, running data statistics and the like.
The online editing and debugging module comprises an online code editor (for compiling bug scanning plug-in) and a dynamic debugger (for dynamic debugging bug scanning plug-in);
the result display module is used for displaying the scanning result of the vulnerability scanning task;
and the message queue module is used for data transmission among the modules of the system, helping the modules to decouple from each other and realizing distribution.
Illustratively, the message queue supports message middleware such as redis, rabbitmq or kafka.
And the plug-in execution engine module is used for executing the plug-in script codes written by the online editor and returning an execution result.
The task scheduling module is used for determining task priority and performing asynchronous scheduling, timing scheduling, exception handling and the like of the tasks according to the priority, so that the concurrency characteristic of the system is improved;
the task execution module is used for calling the vulnerability scanning plug-in set to carry out vulnerability scanning test on the tested target;
and the data analysis module is used for filtering invalid information in original scanning data generated by vulnerability scanning and carrying out data formatting and false alarm data processing.
And the data storage module is used for storing task data, operation data, result data and user data.
Illustratively, the data storage module supports databases such as mysql, sqlite, mongodb, redis, elastic search, and the like;
and the system monitoring module is used for monitoring the real-time running condition of the task and performing abnormal alarm and processing.
The following describes a method for constructing a plug-in vulnerability scanning framework based on online plug-in editing.
In this embodiment, the method for constructing the plugin vulnerability scanning framework based on online plugin editing may include the following steps:
step 1, constructing a front-end web task management and control interface, comprising the following steps: the method comprises the following functions of task new construction, task detail display, task state control (operation, stop, debugging, editing and timing), speed control, data statistics and the like;
for example, the task management and control interface in step 1 may include functions of task group control, task deletion, task detail display, and the like, so as to optimize controllability of the vulnerability scanning task.
Step 2, constructing a front-end plug-in online editing and debugging page, wherein the front-end plug-in online editing and debugging page comprises an online editor (also called an online code editor and used for compiling vulnerability scanning plug-ins) and a dynamic debugger (dynamically debugging vulnerability scanning plug-ins);
for example, the online editing and debugging interface in step 2 may include an online editor and a dynamic debugger, and may further include a data stream displayer (for displaying a data stream of the written vulnerability scanning plug-in during running), so that the real-time vulnerability scanning process may be better known in the vulnerability scanning process, and further, the vulnerability scanning progress may be known in time and an abnormal situation occurring in the vulnerability scanning process may be discovered.
And 3, constructing a front-end result display page for displaying the vulnerability scanning result.
Illustratively, the result display page may be used for displaying the vulnerability scanning result data, and also displaying multidimensional task data, result data statistical analysis and the like to optimize a task result display effect.
And 4, constructing a message queue module for data transmission among all modules of the system, helping all modules to decouple mutually and realizing distribution.
And 5, constructing a plug-in execution engine for executing the vulnerability scanning plug-in written by the online editor and returning an execution result.
And 6, constructing a task scheduling module for determining task priority, performing asynchronous scheduling, timing scheduling, exception handling and the like of the tasks according to the priority, and improving the concurrency characteristic of the system.
For example, tasks in a message queue may be partitioned into multiple different sub-queues based on task attributes.
For example, the real-time scanning task, the timing scanning task, and the debugging task may be divided into different sub-queues, where the priority of the debugging task is the highest, the priority of the real-time scanning task is the next, and the priority of the timing scanning task is the lowest.
The priority of each debugging task can be determined according to the time sequence of tasks issued to the message queue, for example, the priority of the debugging task issued to the message queue first is higher than the priority of the debugging task issued to the message queue later, or determined according to other strategies.
The priority of each instant scanning task can be determined according to the time sequence of tasks issued to the message queue, for example, the priority of the instant scanning task issued to the message queue first is higher than the priority of the instant scanning task issued to the message queue later, or determined according to other strategies.
The priority of each timing scan task may be determined based on timing information, such as the higher the priority of a timing scan task that arrives earlier in timing time.
The task scheduling module can adopt a multi-process or/and multi-thread mode to realize asynchronous scheduling of each task in the message queue.
And the exception handling of the task scheduling module mainly comprises the step of scheduling the task which is unsuccessfully scheduled again based on the preset maximum scheduling times when the task scheduling fails until the task scheduling succeeds or the task scheduling times reach the preset maximum scheduling times.
Illustratively, the task scheduling module in step 6 may include functions such as task speed scheduling, in addition to task priority scheduling, timing scheduling, exception handling, and the like.
And 7, constructing a vulnerability scanning module for asynchronously calling the vulnerability scanning plug-in set and scanning a target system, wherein the response time is long because the webpage operation is I/O operation, and the vulnerability scanning time can be greatly saved by asynchronous scanning.
And 8, constructing a data processing module for filtering invalid data in the vulnerability scanning result, formatting the vulnerability scanning result and processing the false alarm data in the vulnerability scanning result.
Illustratively, the data parsing module in step 8 may include data format normalization, false alarm data parsing, and the like, in addition to the data filtering function.
And 9, constructing a data storage module for storing task data, operation data, result data and user data.
Exemplary, task data may include, but is not limited to:
1. debugging task data, such as information of a scanning target name, a scanning target address and port, a task state and the like;
2. scanning task data, such as information of a scanning target name, a scanning target address and port, a scanning type, a task state and the like;
the operational data may include, but is not limited to:
1. task operation process data, and scanning process data;
the resulting data may be, but is not limited to:
1. debugging task scanning result data;
2. scanning task result data;
user data may include, but is not limited to:
1. user authentication data;
2. the user scans the configuration data.
And step 10, constructing a system monitoring module for monitoring the real-time running condition of the task and performing abnormal alarm and processing.
In one example, as shown in fig. 3, the method for building a plug-in vulnerability scanning framework based on online plug-in editing may include the following steps:
step 1, constructing a front-end web task management and control interface based on a web front-end technology, wherein the method comprises the following steps: the method comprises the following functions of task new construction, task detail display, task state control (running, stopping, debugging, editing and timing), speed control, data statistics and the like.
And 2, constructing a front-end plug-in online editing and debugging page based on the rich text technology and the web front-end technology, wherein the front-end plug-in online editing and debugging page comprises an online code editor (for compiling bug scanning plug-ins) and a dynamic debugger (for dynamically debugging bug scanning plug-ins).
And 3, constructing a front-end result display page based on the web front-end technology, and displaying the vulnerability scanning result.
And 4, constructing a message queue module based on various message middleware, transmitting data among modules of the system, helping the modules to be decoupled with each other and realizing distribution.
And 5, constructing a plug-in execution engine based on the virtualization technology, wherein the plug-in execution engine is used for executing the vulnerability scanning plug-in script codes written by the online editor, and returning an execution result.
And 6, constructing a task scheduling module based on the asynchronous scheduling technology, and determining the task priority, performing asynchronous scheduling, timing scheduling, exception handling and the like of the tasks according to the priority, and improving the concurrency characteristic of the system.
And 7, constructing a vulnerability scanning module based on multi-process, multi-thread and coroutine technologies, wherein the vulnerability scanning module is used for asynchronously calling a vulnerability scanning plug-in set and scanning a target system.
And 8, constructing a data processing module based on a data cleaning technology, and filtering the vulnerability scanning result to filter invalid data, analyzing the filtered vulnerability scanning result, extracting required data, identifying false alarm data, performing data format standardization processing on the extracted required data, and analyzing the false alarm data.
And 9, constructing a data storage module based on the various databases, wherein the data storage module is used for storing task data, operation data, result data and user data.
And step 10, constructing a system monitoring module for monitoring the real-time running condition of the task and performing abnormal alarm and processing.
In the following, by taking the system device deployed with the plug-in vulnerability scanning framework based on online plug-in editing as an example, the process of vulnerability scanning plug-in development and vulnerability scanning by the plug-in vulnerability scanning framework based on online plug-in editing in this example is described in detail, and a specific implementation process of the process is shown in fig. 4, and may include the following steps:
step 1, setting detection loopholes: an Elasticsearch unauthorized access vulnerability;
for example, the problem of unauthorized access is common to the Elasticsearch service, and an attacker can usually request a 9200 or 9300 open server to carry out malicious attack.
Step 2, the system provides a web console, clicks the web console to establish a new plug-in, fills in a plug-in name 'Elasticissearch unauthorized access vulnerability scanning plug-in', fills in other plug-in information such as vulnerability threat level, influence component, influence version, vulnerability cause, solution and the like, and then enters an online editing page to write the specific content of the plug-in;
step 3, in the writing process, clicking 'operation', transmitting a debugging task into a message queue, executing the vulnerability scanning plug-in through a plug-in execution engine, dynamically debugging the vulnerability scanning plug-in based on a returned result, and observing the data flow scanned by the vulnerability scanning plug-in by clicking 'data flow';
step 4, the plug-in execution engine acquires a debugging task from the message queue, executes the vulnerability scanning plug-in and returns a vulnerability scanning result;
step 5, completing writing of the vulnerability scanning plug-in, clicking 'storage', and storing the written vulnerability scanning plug-in;
step 6, setting a measured target: www.test.com, respectively;
step 7, the system provides a web console, clicks the new task of the web console, fills in the task name of the Test platform, the target address of www.test.com, clicks the new task and creates the task;
step 8, clicking the task state of the Test plugin, selecting 'running' (5 optional states in total), clicking 'scanning rate control', and selecting a scanning speed;
step 9, after the task parameters are configured, clicking 'start', issuing the task to be executed to a message queue, and storing the task information to a data storage module;
illustratively, the task information may include, but is not limited to, a task name, a task target (including a scan target address and port), a scan task type, scan task submitter information, and scan parameters, among others.
Step 10, an asynchronous task scheduling module acquires an execution task, determines a priority and schedules the execution task;
step 11, the vulnerability scanning module determines a corresponding vulnerability scanning plug-in according to the task type in the task information and calls the vulnerability scanning plug-in to scan vulnerabilities;
step 12, the data processing module filters the vulnerability scanning result, filters invalid data, analyzes the data, extracts required data, identifies misreported data, standardizes the format of the required data and stores the standardized data in the data storage module;
step 13, the operation monitoring module acquires task operation state data from the data storage module and performs display and exception handling;
and step 14, the result display module acquires the vulnerability scanning result from the data storage module and performs display and statistical analysis.
In the embodiment of the application, when a scanning plug-in creating instruction is received, a target vulnerability scanning plug-in for scanning a target vulnerability is generated in an online editing mode based on plug-in information in the creating instruction; generating a debugging task based on the target vulnerability scanning plug-in and the debugging target information; the debugging task is executed, the target vulnerability scanning plug-in is debugged based on the execution result, so that the debugged target vulnerability scanning plug-in meets the preset condition, and then the vulnerability scanning task is executed based on the debugged target vulnerability scanning plug-in, thereby simplifying the development flow of the vulnerability scanning plug-in, shortening the development time, improving the development efficiency, completing the development of the large-scale vulnerability scanning plug-in a short time, and further realizing efficient and rapid vulnerability scanning.
The methods provided herein are described above. The following describes the apparatus provided in the present application:
referring to fig. 5, a schematic structural diagram of a vulnerability scanning apparatus according to an embodiment of the present disclosure is shown in fig. 5, where the vulnerability scanning apparatus may include:
the system comprises an editing unit, a processing unit and a processing unit, wherein the editing unit is used for generating a target vulnerability scanning plug-in for scanning a target vulnerability in an online editing mode based on plug-in information in a creation instruction when the creation instruction of the scanning plug-in is received;
the generating unit is used for generating a debugging task based on the target vulnerability scanning plug-in and debugging target information;
the debugging unit is used for executing the debugging task and debugging the target vulnerability scanning plug-in based on an execution result so as to enable the debugged target vulnerability scanning plug-in to meet a preset condition;
and the scanning unit is used for executing the vulnerability scanning task based on the debugged target vulnerability scanning plug-in.
In one embodiment, the editing unit generates a target vulnerability scanning plug-in for scanning a target vulnerability in an online editing manner based on the plug-in information in the creation instruction, and includes:
outputting a plug-in online editing interface based on the plug-in information in the creating instruction;
and generating the target vulnerability scanning plug-in based on a plug-in editing instruction input through the plug-in online editing interface.
In one embodiment, the online editing interface comprises a vulnerability scanning plug-in template;
the editing unit generates the target vulnerability scanning plug-in based on a plug-in editing instruction input through the plug-in online editing interface, and the method comprises the following steps:
and editing the vulnerability scanning plug-in template based on the received editing instruction aiming at the vulnerability scanning plug-in template so as to generate the target vulnerability scanning plug-in.
In one embodiment, the scanning unit executes the bug scanning task based on the debugged target bug scanning plug-in, including:
when a vulnerability scanning task creating instruction is received, task information is determined, wherein the task information comprises a task name, a task target and a task type;
generating a task to be executed based on the task name, issuing the task to be executed to a message queue, and storing the task information;
scheduling the tasks to be executed in the message queue in an asynchronous calling mode based on the priority of each task to be executed in the message queue;
and calling a vulnerability scanning plug-in corresponding to the task type included in the task information for any scheduled task to be executed based on the corresponding task information, and scanning the vulnerability.
In one embodiment, after the scanning unit executes the bug scanning task based on the debugged target bug scanning plug-in, the method further includes:
filtering the vulnerability scanning result to filter invalid data;
analyzing the filtered vulnerability scanning result, and storing data based on the analysis result
Correspondingly, the application also provides a hardware structure of the device shown in fig. 5. Referring to fig. 6, the hardware structure may include: a processor and a machine-readable storage medium having stored thereon machine-executable instructions executable by the processor; the processor is configured to execute machine-executable instructions to implement the methods disclosed in the above examples of the present application.
Based on the same application concept as the method, embodiments of the present application further provide a machine-readable storage medium, where several computer instructions are stored, and when the computer instructions are executed by a processor, the method disclosed in the above example of the present application can be implemented.
The machine-readable storage medium may be, for example, any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: a RAM (random Access Memory), a volatile Memory, a non-volatile Memory, a flash Memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a dvd, etc.), or similar storage medium, or a combination thereof.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (11)

1. A vulnerability scanning method is characterized by comprising the following steps:
when a scanning plug-in creating instruction is received, generating a target vulnerability scanning plug-in for scanning a target vulnerability through an online editing mode based on plug-in information in the creating instruction;
generating a debugging task based on the target vulnerability scanning plug-in and debugging target information;
executing the debugging task, and debugging the target vulnerability scanning plug-in based on an execution result so as to enable the debugged target vulnerability scanning plug-in to meet a preset condition;
and executing a vulnerability scanning task based on the debugged target vulnerability scanning plug-in.
2. The method of claim 1, wherein generating a target vulnerability scanning plug-in for scanning a target vulnerability by an online editing manner based on plug-in information in the creation instruction comprises:
outputting a plug-in online editing interface based on the plug-in information in the creating instruction;
and generating the target vulnerability scanning plug-in based on a plug-in editing instruction input through the plug-in online editing interface.
3. The method of claim 2, wherein the online editing interface comprises a vulnerability scanning plug-in template;
the generating of the target vulnerability scanning plug-in based on the plug-in editing instruction input through the plug-in online editing interface comprises:
and editing the vulnerability scanning plug-in template based on the received editing instruction aiming at the vulnerability scanning plug-in template so as to generate the target vulnerability scanning plug-in.
4. The method of claim 1, wherein executing the vulnerability scanning task based on the debugged target vulnerability scanning plugin comprises:
when a vulnerability scanning task creating instruction is received, task information is determined, wherein the task information comprises a task name, a task target and a task type;
generating a task to be executed based on the task name, issuing the task to be executed to a message queue, and storing the task information;
scheduling the tasks to be executed in the message queue in an asynchronous calling mode based on the priority of each task to be executed in the message queue;
and calling a vulnerability scanning plug-in corresponding to the task type included in the task information for any scheduled task to be executed based on the corresponding task information, and scanning the vulnerability.
5. The method of claim 1, wherein after executing the vulnerability scanning task based on the debugged target vulnerability scanning plugin, further comprising:
filtering the vulnerability scanning result to filter invalid data;
and analyzing the filtered vulnerability scanning result, and storing data based on the analysis result.
6. A vulnerability scanning apparatus, comprising:
the system comprises an editing unit, a processing unit and a processing unit, wherein the editing unit is used for generating a target vulnerability scanning plug-in for scanning a target vulnerability in an online editing mode based on plug-in information in a creation instruction when the creation instruction of the scanning plug-in is received;
the generating unit is used for generating a debugging task based on the target vulnerability scanning plug-in and debugging target information;
the debugging unit is used for executing the debugging task and debugging the target vulnerability scanning plug-in based on an execution result so as to enable the debugged target vulnerability scanning plug-in to meet a preset condition;
and the scanning unit is used for executing the vulnerability scanning task based on the debugged target vulnerability scanning plug-in.
7. The apparatus according to claim 6, wherein the editing unit generates a target vulnerability scanning plug-in for scanning a target vulnerability by an online editing manner based on the plug-in information in the creation instruction, and includes:
outputting a plug-in online editing interface based on the plug-in information in the creating instruction;
and generating the target vulnerability scanning plug-in based on a plug-in editing instruction input through the plug-in online editing interface.
8. The apparatus of claim 7, wherein the online editing interface comprises a vulnerability scanning plug-in template;
the editing unit generates the target vulnerability scanning plug-in based on a plug-in editing instruction input through the plug-in online editing interface, and the method comprises the following steps:
and editing the vulnerability scanning plug-in template based on the received editing instruction aiming at the vulnerability scanning plug-in template so as to generate the target vulnerability scanning plug-in.
9. The apparatus of claim 6, wherein the scanning unit executes vulnerability scanning tasks based on the debugged target vulnerability scanning plugin, and comprises:
when a vulnerability scanning task creating instruction is received, task information is determined, wherein the task information comprises a task name, a task target and a task type;
generating a task to be executed based on the task name, issuing the task to be executed to a message queue, and storing the task information;
scheduling the tasks to be executed in the message queue in an asynchronous calling mode based on the priority of each task to be executed in the message queue;
and calling a vulnerability scanning plug-in corresponding to the task type included in the task information for any scheduled task to be executed based on the corresponding task information, and scanning the vulnerability.
10. The apparatus of claim 6, wherein after the scanning unit executes the vulnerability scanning task based on the debugged target vulnerability scanning plugin, the scanning unit further comprises:
filtering the vulnerability scanning result to filter invalid data;
and analyzing the filtered vulnerability scanning result, and storing data based on the analysis result.
11. An electronic device, comprising:
a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor; the processor is configured to execute machine executable instructions to implement the method steps of any of claims 1-5.
CN202010347141.6A 2020-04-28 2020-04-28 Vulnerability scanning method and device and electronic equipment Active CN111291384B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010347141.6A CN111291384B (en) 2020-04-28 2020-04-28 Vulnerability scanning method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010347141.6A CN111291384B (en) 2020-04-28 2020-04-28 Vulnerability scanning method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN111291384A true CN111291384A (en) 2020-06-16
CN111291384B CN111291384B (en) 2020-09-08

Family

ID=71021085

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010347141.6A Active CN111291384B (en) 2020-04-28 2020-04-28 Vulnerability scanning method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN111291384B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112565244A (en) * 2020-12-03 2021-03-26 星优选有限公司 Active risk monitoring method, system and equipment for website projects
CN112632559A (en) * 2020-12-24 2021-04-09 北京天融信网络安全技术有限公司 Vulnerability automatic verification method, device, equipment and storage medium
CN112926061A (en) * 2021-05-11 2021-06-08 腾讯科技(深圳)有限公司 Plug-in processing method and device
CN113609491A (en) * 2021-08-02 2021-11-05 中通服咨询设计研究院有限公司 Plug-in vulnerability automatic scanning method based on message queue
CN113672300A (en) * 2021-08-17 2021-11-19 绿盟科技集团股份有限公司 Plug-in scheduling method and device and storage medium
CN114143075A (en) * 2021-11-29 2022-03-04 国网北京市电力公司 Security vulnerability early warning method and device and electronic equipment
CN114691502A (en) * 2022-03-21 2022-07-01 阿里巴巴(中国)有限公司 Code file scanning method and device based on integrated development environment platform
CN115134167A (en) * 2022-08-02 2022-09-30 杭州安恒信息技术股份有限公司 Vulnerability scanning method, device, equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101122866A (en) * 2007-09-12 2008-02-13 中兴通讯股份有限公司 Programme code translating and compiling method in integrated development environment
CN103942497A (en) * 2013-09-11 2014-07-23 杭州安恒信息技术有限公司 Forensics type website vulnerability scanning method and system
CN104636146A (en) * 2015-03-05 2015-05-20 北京掌中经纬技术有限公司 Online visual customizing method and system
CN108537042A (en) * 2018-04-04 2018-09-14 上海有云信息技术有限公司 Self-defined plug-in unit generation method, device, equipment and storage medium

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101122866A (en) * 2007-09-12 2008-02-13 中兴通讯股份有限公司 Programme code translating and compiling method in integrated development environment
CN103942497A (en) * 2013-09-11 2014-07-23 杭州安恒信息技术有限公司 Forensics type website vulnerability scanning method and system
CN104636146A (en) * 2015-03-05 2015-05-20 北京掌中经纬技术有限公司 Online visual customizing method and system
CN108537042A (en) * 2018-04-04 2018-09-14 上海有云信息技术有限公司 Self-defined plug-in unit generation method, device, equipment and storage medium

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112565244B (en) * 2020-12-03 2022-06-21 星优选有限公司 Active risk monitoring method, system and equipment for website projects
CN112565244A (en) * 2020-12-03 2021-03-26 星优选有限公司 Active risk monitoring method, system and equipment for website projects
CN112632559A (en) * 2020-12-24 2021-04-09 北京天融信网络安全技术有限公司 Vulnerability automatic verification method, device, equipment and storage medium
CN112926061A (en) * 2021-05-11 2021-06-08 腾讯科技(深圳)有限公司 Plug-in processing method and device
CN113609491A (en) * 2021-08-02 2021-11-05 中通服咨询设计研究院有限公司 Plug-in vulnerability automatic scanning method based on message queue
CN113609491B (en) * 2021-08-02 2024-01-26 中通服咨询设计研究院有限公司 Plug-in vulnerability automatic scanning method based on message queue
CN113672300A (en) * 2021-08-17 2021-11-19 绿盟科技集团股份有限公司 Plug-in scheduling method and device and storage medium
CN113672300B (en) * 2021-08-17 2023-12-26 绿盟科技集团股份有限公司 Plug-in scheduling method, device and storage medium
CN114143075A (en) * 2021-11-29 2022-03-04 国网北京市电力公司 Security vulnerability early warning method and device and electronic equipment
CN114143075B (en) * 2021-11-29 2024-05-28 国网北京市电力公司 Security vulnerability early warning method, device and electronic equipment
CN114691502A (en) * 2022-03-21 2022-07-01 阿里巴巴(中国)有限公司 Code file scanning method and device based on integrated development environment platform
CN115134167A (en) * 2022-08-02 2022-09-30 杭州安恒信息技术股份有限公司 Vulnerability scanning method, device, equipment and storage medium
CN115134167B (en) * 2022-08-02 2024-04-12 杭州安恒信息技术股份有限公司 Vulnerability scanning method, vulnerability scanning device, vulnerability scanning equipment and storage medium

Also Published As

Publication number Publication date
CN111291384B (en) 2020-09-08

Similar Documents

Publication Publication Date Title
CN111291384B (en) Vulnerability scanning method and device and electronic equipment
Rouillard Real-time Log File Analysis Using the Simple Event Correlator (SEC).
CN103927484B (en) Rogue program behavior catching method based on Qemu simulator
CN107038107A (en) A kind of method and device for obtaining application interim card information
CN110765464B (en) Vulnerability detection method, device, equipment and computer storage medium
CN108241580B (en) Client program testing method and terminal
CN112463581B (en) Method and system for carrying out fuzzy test on distributed system
US10528456B2 (en) Determining idle testing periods
US10509719B2 (en) Automatic regression identification
CN106529304B (en) A kind of Android applies concurrent leakage location
US10534700B2 (en) Separating test verifications from test executions
US11436133B2 (en) Comparable user interface object identifications
CN112565278A (en) Attack capturing method and honeypot system
CN116346456A (en) Business logic vulnerability attack detection model training method and device
CN113935041A (en) Vulnerability detection system and method for real-time operating system equipment
CN111221744B (en) Data acquisition method and device and electronic equipment
CN110069400A (en) Loophole test report generation method, device, computer equipment and storage medium
US7653742B1 (en) Defining and detecting network application business activities
WO2016190869A1 (en) Determining potential test actions
CN111723375A (en) Software security vulnerability detection method based on runtime non-execution mode
CN114629711B (en) Method and system for detecting special Trojan horse on Windows platform
CN111190813B (en) Android application network behavior information extraction system and method based on automatic testing
CN111414253A (en) Garbage collection GC information processing method, Java virtual machine and computer storage medium
Quante Online construction of dynamic object process graphs
JP7302223B2 (en) Script detection device, method and program

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant