CN111310195A - Security vulnerability management method, device, system, equipment and storage medium - Google Patents


Info

Publication number
CN111310195A
Authority
CN
China
Prior art keywords
vulnerability
security
security vulnerability
information
industrial
Prior art date
Legal status
Pending
Application number
CN202010226681.9A
Other languages
Chinese (zh)
Inventor
陶耀东
贾新桐
Current Assignee
Beijing Shuangpai Zhian Technology Co ltd
Original Assignee
Beijing Shuangpai Zhian Technology Co ltd
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/034 Test or assess a computer or a system

Abstract

The invention belongs to the technical field of industrial information security, and particularly relates to a security vulnerability management method, device, system, equipment and storage medium. The security vulnerability management method comprises the following steps: acquiring a security vulnerability data set and screening out industrial information security vulnerabilities from it; analyzing the data structure information of the industrial information security vulnerabilities and fusing the vulnerability description information of the same industrial information security vulnerability from at least two different sources; and integrating the industrial information security vulnerabilities whose vulnerability description information has been fused into a security vulnerability library. According to the security vulnerability management method provided by the embodiment of the invention, security vulnerabilities from different sources are screened and the vulnerability description information of the industrial information security vulnerabilities is fused, so that the description of the same industrial information security vulnerability is more complete and the security vulnerability library has high availability and information completeness.

Description

Security vulnerability management method, device, system, equipment and storage medium
Technical Field
The invention belongs to the technical field of industrial information security, and particularly relates to a security vulnerability management method, device, system, equipment and storage medium.
Background
A security vulnerability is a defect in hardware, software, a specific protocol implementation, or a system security policy that allows an attacker to access or damage the system without authorization. To reduce or avoid such damage, security vulnerabilities are usually collected and studied.
Currently, the management of industrial information security vulnerabilities focuses mainly on sub-fields such as vulnerability discovery and vulnerability scanning, while the value of an industrial information security vulnerability library for collection, management, operation and service is generally overlooked. Existing techniques from the traditional IT field only collect and process security vulnerabilities from a single aspect and cannot meet the requirement of integrating vulnerability information for industrial information security vulnerabilities from multiple sources.
The prior art therefore lacks a technique that can effectively integrate security vulnerabilities of industrial information systems from their complex sources.
Disclosure of Invention
The embodiment of the invention aims to provide a security vulnerability management method, and aims to solve the problem that the prior art cannot effectively integrate and process complex sources of security vulnerabilities of an industrial information system.
The embodiment of the invention is realized in such a way that a security vulnerability management method comprises the following steps:
acquiring security vulnerability data sets of at least two different sources, and screening out industrial information security vulnerabilities from the security vulnerability data sets;
analyzing the data structure information of the industrial information security vulnerability, and fusing vulnerability description information of the same industrial information security vulnerability from at least two different sources;
and integrating the industrial information security vulnerabilities fused with vulnerability description information into a security vulnerability library.
Another objective of an embodiment of the present invention is to provide a security vulnerability management apparatus, including:
an industrial information security vulnerability acquisition module, used for acquiring security vulnerability data sets from at least two different sources and screening out industrial information security vulnerabilities from the security vulnerability data sets;
the vulnerability description information fusion module is used for analyzing the data structure information of the industrial information security vulnerability and fusing vulnerability description information of the same industrial information security vulnerability from at least two different sources;
and the vulnerability set management module is used for collecting the industrial information security vulnerabilities fused with vulnerability description information into a security vulnerability library.
Another objective of an embodiment of the present invention is to provide a security vulnerability management system, including:
a vulnerability source platform storing a security vulnerability data set;
and the security vulnerability management device is used for acquiring the security vulnerability data set, screening out industrial information security vulnerabilities according to the security vulnerability data set, and integrating the industrial information security vulnerabilities into a security vulnerability library.
It is another object of the embodiments of the present invention to provide a computer device, which includes a memory and a processor, wherein the memory stores a computer program, and the computer program, when executed by the processor, causes the processor to execute the steps of the security vulnerability management method.
It is another object of the embodiments of the present invention to provide a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the processor is enabled to execute the steps of the security vulnerability management method.
According to the security vulnerability management method provided by the embodiment of the invention, security vulnerabilities from different sources are screened and the vulnerability description information of the industrial information security vulnerabilities is fused, so that the description of the same industrial information security vulnerability is more complete and the security vulnerability library has high availability and information completeness.
Drawings
Fig. 1 is an application environment diagram of a security vulnerability management method according to an embodiment of the present invention;
Fig. 2 is a flowchart of a security vulnerability management method according to an embodiment of the present invention;
Fig. 3 is a flowchart of fusing vulnerability description information according to an embodiment of the present invention;
Fig. 4 is a flowchart of determining whether industrial information security vulnerabilities from different sources are the same industrial information security vulnerability according to an embodiment of the present invention;
Fig. 5 is a flowchart of security vulnerability data set acquisition and processing according to an embodiment of the present invention;
Fig. 6 is a block diagram of a security vulnerability management apparatus according to an embodiment of the present invention;
Fig. 7 is a block diagram of the vulnerability description information fusion module in the security vulnerability management apparatus according to an embodiment of the present invention;
Fig. 8 is a block diagram of a security vulnerability management system according to an embodiment of the present invention;
Fig. 9 is a block diagram showing the internal configuration of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
It will be understood that, as used herein, the terms "first," "second," and the like may be used herein to describe various elements, but these elements are not limited by these terms unless otherwise specified. These terms are only used to distinguish one element from another. For example, a first xx script may be referred to as a second xx script, and similarly, a second xx script may be referred to as a first xx script, without departing from the scope of the present application.
Fig. 1 is a diagram of an application environment of a security vulnerability management method according to an embodiment of the present invention, as shown in fig. 1, the application environment includes a terminal 110, a computer device 120, and a vulnerability source platform 130.
The terminal 110 may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, and the like.
The computer device 120 may be an independent physical server or terminal, a server cluster formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud hosting, cloud databases, cloud storage and a CDN.
The vulnerability source platform 130 is specifically a platform for generating or collecting vulnerabilities including industrial information security vulnerabilities and other types of vulnerabilities in various industrial application environments, and may specifically be, for example, an open information security vulnerability library, a vulnerability database mined by internal research of an enterprise, a vulnerability database collected by a vulnerability response platform, and the like.
In the embodiment of the present invention, the terminal 110, the computer device 120 and the vulnerability source platform 130 may communicate with one another. The security vulnerability management method may run on the terminal 110 or on the computer device 120: the computer device 120 obtains the security vulnerability data of the vulnerability source platform 130, screens out the industrial information security vulnerabilities, and fuses the vulnerability description information of the same industrial information security vulnerability from at least two different sources, so that industrial information security vulnerabilities from multiple sources are integrated, the description information of each industrial information security vulnerability is more comprehensive, and a complete security vulnerability library can be conveniently established.
Example one
As shown in fig. 2, in an embodiment, a security vulnerability management method is provided, and this embodiment is mainly exemplified by applying the method to the computer device 120 in fig. 1. A security vulnerability management method specifically comprises the following steps:
step S202, acquiring security vulnerability data sets of at least two different sources, and screening out industrial information security vulnerabilities from the security vulnerability data sets;
step S204, analyzing the data structure information of the industrial information security vulnerability, and fusing vulnerability description information of the same industrial information security vulnerability from at least two different sources;
and step S206, collecting the industrial information security vulnerabilities fused with the vulnerability description information into a security vulnerability library.
In the embodiment of the present invention, the source of a security vulnerability data set may be a security vulnerability data set for a particular industrial control system, a security vulnerability database covering the several industrial control systems of a whole enterprise, or another security vulnerability database published on the network. Because the industrial control systems and network sources that the data sets cover differ, the data structures of what is substantially the same security vulnerability differ between data sets. Specifically, the embodiment of the present invention takes a public information security vulnerability database, a security vulnerability database discovered by the enterprise's internal research, and a security vulnerability database collected by a vulnerability response platform as example sources of the security vulnerability data sets; those skilled in the art will understand that these sources are only examples and that the sources of the security vulnerability data sets are not strictly limited to them.
Specifically, the public information security vulnerability databases commonly used in the field include platforms such as CVE, CNVD, CNNVD, CICSVD and NVD, all of which are public vulnerability information publishing platforms whose data can be obtained from their official websites. The security vulnerability data sets of the CVE platform and the CNNVD platform can be acquired by a program written in the Python programming language that automatically downloads the XML format files, and the XML files are parsed according to the respective data rules of each vulnerability library.
In addition, for a security vulnerability database discovered by the enterprise's internal research, a security vulnerability data upload platform, such as an industrial information security vulnerability entry platform, can be used by security vulnerability management personnel to enter information manually and form security vulnerability data files with a uniform format and standard content. The recorded contents may, for example, include: a unique vulnerability identifier, vulnerability name, vulnerability entry time, vulnerability release time, latest modification description, CVE-ID, CVE-LINK, CNVD-ID, CNVD-LINK, CNNVD-ID, CNNVD-LINK, CICSVD-ID, CICSVD-LINK, NVD-ID, NVD-LINK, hazard level, vulnerability type, vulnerability description, reference link, affected equipment, CPE, related industry, patch/independent, patch description, vulnerability link, vulnerability score, remarks and the like. Of course, the above is only an example; those skilled in the art may design the security vulnerability data discovered by the enterprise's internal research according to the actual situation, and the above is explained only as a source of security vulnerability data.
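As an added illustration that is not code from the patent, the following Python sketch parses two constructed XML feeds with different layouts into one common record layout built from the fields listed above, and groups the records by CVE-ID for later correlation. The XML layouts, element names, source names and identifiers are assumptions constructed for the example, not the real CVE or CNNVD schemas.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a public-feed style XML file (hypothetical layout;
# real CVE/CNNVD files have their own schemas and need their own rules).
# The CVE identifiers are placeholders, not real CVE numbers.
PUBLIC_FEED_XML = """<entries>
  <entry cve="CVE-0000-0001">
    <summary>Buffer overflow in the ACME PLC-100 web server</summary>
    <severity>HIGH</severity>
    <product vendor="ACME" name="PLC-100"/>
    <reference>https://example.invalid/advisory/1</reference>
  </entry>
  <entry cve="CVE-0000-0002">
    <summary>SQL injection in ExampleShop Storefront</summary>
    <severity>MEDIUM</severity>
    <product vendor="ExampleShop" name="Storefront"/>
  </entry>
</entries>"""

# Constructed sample of an internal entry platform file (hypothetical layout).
INTERNAL_XML = """<vulns>
  <vuln>
    <id>ICS-0000-0007</id>
    <cve_id>CVE-0000-0001</cve_id>
    <name>ACME PLC-100 HTTP stack overflow</name>
    <level>critical</level>
    <device>ACME PLC-100 firmware before 2.2</device>
    <industry>power</industry>
  </vuln>
</vulns>"""


def _text(elem, path):
    """Return the stripped text of the first matching child, or None."""
    child = elem.find(path)
    if child is None or child.text is None:
        return None
    return child.text.strip() or None


def parse_public_feed(xml_text):
    """Apply the public feed's data rules and emit records in the common layout."""
    records = []
    for entry in ET.fromstring(xml_text).iter("entry"):
        product = entry.find("product")
        vendor = product.get("vendor") if product is not None else None
        name = product.get("name") if product is not None else None
        severity = _text(entry, "severity")
        records.append({
            "source": "public_feed",
            "vuln_id": None,                 # assigned when stored in the library
            "cve_id": entry.get("cve"),
            "name": _text(entry, "summary"),
            "description": _text(entry, "summary"),
            "hazard_level": severity.lower() if severity else None,
            "affected_device": " ".join(p for p in (vendor, name) if p) or None,
            "industry": None,                # this feed carries no industry field
            "reference_link": _text(entry, "reference"),
        })
    return records


def parse_internal_feed(xml_text):
    """Apply the internal entry platform's data rules and emit common records."""
    records = []
    for vuln in ET.fromstring(xml_text).iter("vuln"):
        records.append({
            "source": "internal",
            "vuln_id": _text(vuln, "id"),
            "cve_id": _text(vuln, "cve_id"),
            "name": _text(vuln, "name"),
            "description": None,             # the entry platform stores no free text
            "hazard_level": _text(vuln, "level"),
            "affected_device": _text(vuln, "device"),
            "industry": _text(vuln, "industry"),
            "reference_link": None,
        })
    return records


def index_by_cve(records):
    """Group records by CVE-ID, the correlation key the method uses in step S402.
    Records without a CVE-ID are kept under a source-local key so nothing is lost."""
    index = {}
    for rec in records:
        key = rec["cve_id"] or f"{rec['source']}:{rec.get('vuln_id') or rec.get('name')}"
        index.setdefault(key, []).append(rec)
    return index
```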
In the embodiment of the invention, the fusion of vulnerability description information is a process in which vulnerability description information is merged, correlated and combined to obtain a more accurate and complete security vulnerability description.
Specifically, in an embodiment, as shown in fig. 3, the step S204 may specifically include the following steps:
step S302, judging whether the industrial information security vulnerabilities of at least two different sources belong to the same industrial information security vulnerability of different data structures according to the data structure information, if so, then:
step S304, judging whether the contents of the same description fields in the vulnerability description information of the same industrial information security vulnerability of at least two different sources are consistent, if not, then:
step S306, selecting the content of the same description field according to a preset data structure priority rule to complete the fusion of vulnerability description information.
In the embodiment of the invention, if the same description field has a meaningful value in the respective database files of the industrial information security vulnerabilities from at least two different sources, then, in order to determine the actual meaning of the field more accurately, a more representative value must be selected, and the description field is filled according to the priority rule of the data structures to which the different description fields belong. For example, for the vulnerability description, the vulnerability description field of the aforementioned vulnerability disclosure platform CNVD is more detailed, more accurate and easier to read than that of other sources, so CNVD is given the highest position in the priority rule for the vulnerability description field; in this case the content of the CNVD vulnerability description field is selected and added to the vulnerability description information of the industrial information security vulnerability, so that the description field is unambiguous, the description and definition of the industrial information security vulnerability are more representative, and the security vulnerability library is more complete.
In addition, in the embodiment of the present invention, when the data structure information of the industrial information security vulnerabilities is analyzed, there may be industrial information security vulnerabilities that do not come from different data structures, that is, vulnerabilities obtained from only one platform. Therefore, besides fusing the vulnerability description information of the same industrial information security vulnerability from at least two different sources, the method further includes:
aggregating the industrial information security vulnerabilities that have no counterpart in a different data structure into the security vulnerability library.
In the embodiment of the invention, the industrial information security vulnerabilities with a plurality of sources and a single source are correspondingly processed, so that the industrial information security vulnerabilities can be more comprehensively collected, and the security vulnerability library is richer.
In addition, after the vulnerability information is fused, gaps remaining in the description information of an industrial information security vulnerability can be filled by single-field information extraction and multi-field joint enrichment, which also makes it possible to add new vulnerability fields and their contents. For example, a security vulnerability database discovered by the enterprise's internal research may hold no record of the industry to which an industrial information security vulnerability from multiple sources belongs; the industry field to which the enterprise or product mainly belongs can then be enriched from an industry enterprise/product field table prepared in advance.
In an embodiment, as shown in fig. 4, step S302 may specifically include the following steps:
step S402, determining vulnerability numbers of industrial information security vulnerabilities of at least two different sources according to data structure information, wherein if the vulnerability numbers are the same, the at least two industrial information security vulnerabilities are the same industrial information security vulnerability;
step S404, judging whether the data structures of the same industrial information security vulnerabilities of at least two different sources are the same according to the data structure information.
Specifically, the same industrial information security vulnerability carries various numbers because the vulnerability data sets come from different sources, for example a CVE number, a CNVD number, a CNNVD number, and so on. The CVE number is the most widely used and authoritative vulnerability number in the industry, and the database files of the non-CVE data sources all contain a CVE number field. Therefore, the CVE number can be used as the correlation point for determining whether records describe the same industrial information security vulnerability.
In an embodiment, the step S302 determines, according to the data structure information, whether the industrial information security vulnerabilities of at least two different sources belong to the same industrial information security vulnerability of different data structures, and if yes, the method specifically includes the following steps:
and extracting the description field which only appears in the vulnerability description information of one industrial information security vulnerability, and using the description field as the vulnerability description information of the same industrial information security vulnerability to complete the fusion of vulnerability description information.
In the embodiment of the invention, the description fields appearing in the same industrial information security vulnerability of at least two different sources and appearing in only one industrial information security vulnerability of the two different sources are merged and integrated, so that the same industrial information security vulnerability can be more comprehensively described, and the attribute information of the industrial information security vulnerability can be completely completed.
In an embodiment, as shown in fig. 5, step S202 may specifically include the following steps:
step S502, acquiring security vulnerability data sets of at least two different sources;
step S504, a security vulnerability data set is screened according to a preset industrial information security vulnerability dictionary table, and if vulnerability description information contained in the security vulnerability data set is matched with the content of the industrial information security vulnerability dictionary table, the corresponding security vulnerability is an industrial information security vulnerability.
Specifically, the public information security vulnerability databases and the security vulnerability databases collected by vulnerability response platforms include not only industrial information security vulnerabilities but also a large number of information security vulnerabilities from the IT field, so the two need to be distinguished and the industrial information security vulnerabilities accurately extracted. In the embodiment of the invention, the acquired security vulnerability data set is screened and filtered according to the preset industrial information security vulnerability dictionary table: if the fields of a vulnerability that relate to product, manufacturer and vulnerability name match the dictionary table, the vulnerability is considered an industrial information security vulnerability.
In addition, the industrial information security vulnerability dictionary table is used to judge whether a given vulnerability to be classified is an industrial information security vulnerability. The dictionary table must be adjusted as industrial enterprises and their products increase and as existing industrial enterprises launch new products; this can be done by surveying the official product release channels of industrial manufacturers and industrial product aggregation platforms.
In the embodiment of the invention, stages such as acquiring the security vulnerability data set and fusing the vulnerability description information can be run continuously by setting scheduled tasks and triggering tasks. On the one hand, with an automatic task in place, the collection of security vulnerability data sets, the screening of industrial information security vulnerabilities, the fusion of vulnerability description information from several data sources, and the enrichment of vulnerability description information can be carried out without manual intervention. On the other hand, the requirement of updating the security vulnerability library in real time is met. Since different security vulnerability data set sources update at different frequencies, the period of the corresponding automatic task is also set to a suitable value, which is not described further here.
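The screening step S504 and the fusion steps S302 to S306 described above, as an added Python example that is not part of the patent: it screens records against a dictionary table, correlates them by CVE number, resolves conflicting fields with a per-field source priority rule (CNVD highest for the description), carries over fields that only one source has, passes single-source vulnerabilities straight through, and enriches a missing industry field from an enterprise/product table. The dictionary table, priority rule, industry table, source names and record fields are constructed assumptions, and the CVE identifiers are placeholders.

```python
# Added example, not the patent's own code; every table and record below is
# constructed for illustration, and CVE-0000-* are placeholder identifiers.

# Constructed industrial information security vulnerability dictionary table
# (step S504): vendors and products that mark a vulnerability as industrial.
INDUSTRIAL_DICTIONARY = {
    "vendors": {"acme", "pumpco"},
    "products": {"plc-100", "rtu-7"},
}

# Constructed industry enterprise/product field table used for enrichment.
INDUSTRY_TABLE = {"acme": "power", "pumpco": "water"}

# Per-field priority rule (step S306): the first listed source that has a
# value wins when sources disagree. As in the text, CNVD ranks highest for
# the vulnerability description field.
FIELD_PRIORITY = {
    "description": ["CNVD", "CNNVD", "CVE", "internal"],
    "hazard_level": ["internal", "CNVD", "CNNVD", "CVE"],
}
DEFAULT_PRIORITY = ["internal", "CNVD", "CNNVD", "CVE"]

# Constructed records already normalised to common field names by the collector.
RECORDS = [
    {"source": "CVE", "cve_id": "CVE-0000-0001", "vendor": "ACME",
     "product": "PLC-100", "name": "ACME PLC-100 overflow",
     "description": "Buffer overflow in web server.", "hazard_level": "high",
     "reference_link": "https://example.invalid/cve/1"},
    {"source": "CNVD", "cve_id": "CVE-0000-0001", "vendor": "ACME",
     "product": "PLC-100", "name": "ACME PLC-100 HTTP stack overflow",
     "description": "Stack-based buffer overflow in the embedded HTTP server "
                    "of PLC-100 firmware before 2.2 allows remote code execution.",
     "hazard_level": "critical", "industry": None},
    {"source": "CVE", "cve_id": "CVE-0000-0002", "vendor": "ExampleShop",
     "product": "Storefront", "name": "SQL injection in Storefront",
     "description": "SQL injection.", "hazard_level": "medium"},
    {"source": "CNNVD", "cve_id": "CVE-0000-0003", "vendor": "PumpCo",
     "product": "RTU-7", "name": "RTU-7 hard-coded credential",
     "description": "Hard-coded credential.", "hazard_level": "high"},
]


def is_industrial(rec):
    """Step S504: match the product, manufacturer and name fields against the
    dictionary table; any hit classifies the vulnerability as industrial."""
    vendor = (rec.get("vendor") or "").lower()
    product = (rec.get("product") or "").lower()
    name = (rec.get("name") or "").lower()
    return (vendor in INDUSTRIAL_DICTIONARY["vendors"]
            or product in INDUSTRIAL_DICTIONARY["products"]
            or any(p in name for p in INDUSTRIAL_DICTIONARY["products"]))


def pick_value(field, candidates):
    """Steps S304/S306: given {source: value} for one description field,
    return the consistent value, or resolve a conflict by the priority rule."""
    values = {src: val for src, val in candidates.items() if val not in (None, "")}
    if not values:
        return None
    if len(set(values.values())) == 1:       # sources agree: nothing to resolve
        return next(iter(values.values()))
    for src in FIELD_PRIORITY.get(field, DEFAULT_PRIORITY):
        if src in values:
            return values[src]
    return next(iter(values.values()))       # no source in the rule: keep first


def fuse(group):
    """Fuse records that share a CVE number into one library entry. Fields that
    only one source has are carried over; conflicting ones go through the rule."""
    fields = set().union(*(r.keys() for r in group)) - {"source"}
    entry = {"sources": sorted(r["source"] for r in group)}
    for field in sorted(fields):
        entry[field] = pick_value(field, {r["source"]: r.get(field) for r in group})
    return entry


def enrich_industry(entry):
    """Fill an empty industry field from the enterprise/product table."""
    if not entry.get("industry"):
        entry["industry"] = INDUSTRY_TABLE.get((entry.get("vendor") or "").lower())
    return entry


def build_library(records):
    """Steps S202 to S206 end to end: screen, correlate by CVE number (S402),
    fuse multi-source groups, pass single-source records through, enrich."""
    groups = {}
    for rec in filter(is_industrial, records):
        key = rec.get("cve_id") or f"{rec['source']}:{rec.get('name')}"
        groups.setdefault(key, []).append(rec)
    library = {}
    for key, group in groups.items():
        if len(group) == 1:                  # single source: aggregate directly
            entry = {k: v for k, v in group[0].items() if k != "source"}
            entry["sources"] = [group[0]["source"]]
        else:
            entry = fuse(group)
        library[key] = enrich_industry(entry)
    return library
```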
According to the security vulnerability management method provided by the embodiment of the invention, security vulnerabilities from different sources are screened and the vulnerability description information of the industrial information security vulnerabilities is fused, so that the description of the same industrial information security vulnerability is more complete and the security vulnerability library has high availability and information completeness.
Example two
As shown in fig. 6, in an embodiment, a security vulnerability management apparatus is provided, which may be integrated in the computer device 120, and specifically includes:
the industrial information security vulnerability obtaining module 610 is used for obtaining security vulnerability data sets of at least two different sources and screening out industrial information security vulnerabilities from the security vulnerability data sets;
the vulnerability description information fusion module 620 is used for analyzing the data structure information of the industrial information security vulnerability and fusing vulnerability description information of the same industrial information security vulnerability from at least two different sources;
and the vulnerability set management module 630, used for collecting the industrial information security vulnerabilities whose vulnerability description information has been fused into a security vulnerability library.
In the embodiment of the present invention, the source of a security vulnerability data set may be a security vulnerability data set for a particular industrial control system, a security vulnerability database covering the several industrial control systems of a whole enterprise, or another security vulnerability database published on the network. Because the industrial control systems and network sources that the data sets cover differ, the data structures of what is substantially the same security vulnerability differ between data sets. Specifically, the embodiment of the present invention takes a public information security vulnerability database, a security vulnerability database discovered by the enterprise's internal research, and a security vulnerability database collected by a vulnerability response platform as example sources of the security vulnerability data sets; those skilled in the art will understand that these sources are only examples and that the sources of the security vulnerability data sets are not strictly limited to them.
Specifically, the foregoing embodiments of the public information security vulnerability database, the security vulnerability database mined by the enterprise internal research, and the security vulnerability database collected by the vulnerability response platform have been described in detail by way of example, and will not be described again.
In the embodiment of the invention, the fusion of vulnerability description information is a process in which vulnerability description information is merged, correlated and combined to obtain a more accurate and complete security vulnerability description.
Specifically, in an embodiment, as shown in fig. 7, the vulnerability description information fusion module 620 may specifically include:
the vulnerability identity determination unit 621 is configured to determine, according to the data structure information, whether the industrial information security vulnerabilities of at least two different sources belong to the same industrial information security vulnerability of different data structures, if yes:
the description information determining unit 622 is configured to determine whether contents of the same description field in vulnerability description information of the same industrial information security vulnerability of at least two different sources are consistent, and if not, then:
and the description information fusion unit 623 is configured to select the content of the same description field according to a preset data structure priority rule, so as to complete fusion of vulnerability description information.
In the embodiment of the invention, if the same description field has a meaningful value in the respective database files of the industrial information security vulnerabilities from at least two different sources, then, in order to determine the actual meaning of the field more accurately, a more representative value must be selected, and the description field is filled according to the priority rule of the data structures to which the different description fields belong. For example, for the vulnerability description, the vulnerability description field of the aforementioned vulnerability disclosure platform CNVD is more detailed, more accurate and easier to read than that of other sources, so CNVD is given the highest position in the priority rule for the vulnerability description field; in this case the content of the CNVD vulnerability description field is selected and added to the vulnerability description information of the industrial information security vulnerability, so that the description field is unambiguous, the description and definition of the industrial information security vulnerability are more representative, and the security vulnerability library is more complete.
In addition, in the embodiment of the present invention, when the data structure information of the industrial information security vulnerabilities is analyzed, there may be industrial information security vulnerabilities that do not come from different data structures, that is, vulnerabilities obtained from only one platform. The vulnerability description information fusion module 620 therefore not only fuses the vulnerability description information of the same industrial information security vulnerability from at least two different sources, but is also used to aggregate the industrial information security vulnerabilities that do not come from different data structures into the security vulnerability library.
In the embodiment of the invention, the industrial information security vulnerabilities with a plurality of sources and a single source are correspondingly processed, so that the industrial information security vulnerabilities can be more comprehensively collected, and the security vulnerability library is richer.
In addition, after the vulnerability information is fused, the vacant part existing after the descriptive information of the industrial information security vulnerability is fused can be filled up by means of single-field information extraction and multi-field joint enrichment, and the purpose of newly adding vulnerability fields and contents thereof can be achieved. For example, in a security vulnerability database mined by enterprise internal research, no record is recorded for the industry fields to which the industrial information security vulnerabilities from multiple sources, and the enrichment of the industry fields to which the enterprise or product is mainly applied can be realized by adding the industry fields in the industry enterprise/product field table in advance.
In an embodiment, when the vulnerability identity determination unit 621 determines whether the industrial information security vulnerabilities belong to the same industrial information security vulnerability, the vulnerability identity determination unit may specifically include the following steps:
determining vulnerability numbers of industrial information security vulnerabilities of at least two different sources according to the data structure information, wherein if the vulnerability numbers are the same, the at least two industrial information security vulnerabilities are the same industrial information security vulnerability;
and judging whether the data structures of the same industrial information security vulnerabilities of at least two different sources are the same or not according to the data structure information.
Specifically, the same industrial information security vulnerability carries various numbers because the vulnerability data sets come from different sources, for example a CVE number, a CNVD number, a CNNVD number, and so on. The CVE number is the most widely used and most authoritative vulnerability number in the industry, and the database files of the non-CVE data sources all have a CVE number field. Therefore, whether two records describe the same industrial information security vulnerability can be determined by using the CVE number as the correlation point.
In an embodiment, when the vulnerability identity determination unit 621 determines, according to the data structure information, that the industrial information security vulnerabilities from at least two different sources belong to the same industrial information security vulnerability of different data structures, the following step is further included:
and extracting the description field which appears in the vulnerability description information of only one of the industrial information security vulnerabilities, and using the description field as the vulnerability description information of the same industrial information security vulnerability to complete the fusion of vulnerability description information.
In the embodiment of the invention, the description fields that appear in only one of the at least two differently sourced records of the same industrial information security vulnerability are merged in, so that the same industrial information security vulnerability is described more comprehensively and its attribute information can be fully completed.
In an embodiment, the acquiring of the security vulnerability data set and the screening of the industrial information security vulnerability by the industrial information security vulnerability acquiring module 610 may specifically include the following steps:
acquiring security vulnerability data sets of at least two different sources;
and screening the security vulnerability data set according to a preset industrial information security vulnerability dictionary table, and if vulnerability description information contained in the security vulnerability data set is matched with the content of the industrial information security vulnerability dictionary table, determining that the corresponding security vulnerability is an industrial information security vulnerability.
Specifically, the public information security vulnerability database and the security vulnerability database collected by the vulnerability response platform include not only industrial information security vulnerabilities but also a large number of information security vulnerabilities from the IT field, so the two need to be distinguished and the industrial information security vulnerabilities extracted accurately. In the embodiment of the invention, the acquired security vulnerability data set is screened and filtered according to the preset industrial information security vulnerability dictionary table; if the fields of a vulnerability that relate to the product, the manufacturer and the vulnerability name match the dictionary table, the vulnerability is considered an industrial information security vulnerability.
In addition, the industrial information security vulnerability dictionary table is used to judge whether a given vulnerability to be classified is an industrial information security vulnerability, and it is adjusted as necessary as industrial enterprises and their products increase, as existing industrial enterprises launch new products, and in other such situations; this can be done by surveying the official product release channels of industrial manufacturers and industrial product summary platforms.
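As an added example that is not code from the patent, the following Python sketch runs the screening, CVE-number correlation and priority-rule fusion described in the paragraphs above over constructed records from three sources; the per-source schemas, the dictionary table, the priority orders and the sample records are all assumptions made for illustration.

```python
"""Added example, not the patent's own code: a small multi-source fusion pipeline
following the steps described above (screen by dictionary table, correlate on the
CVE number, fuse fields by a per-field source priority rule, keep fields that only
one source carries). All schemas, dictionary entries and records are constructed."""
import re

# Each source's own data structure: common field name -> that source's field name.
# The real CVE/CNVD/CNNVD schemas differ; these maps are constructed.
SOURCE_SCHEMAS = {
    "CVE": {"cve": "cve_id", "description": "summary", "cvss": "cvss_v3"},
    "CNVD": {"cve": "cve_ref", "description": "desc", "vendor": "vendor",
             "product": "product", "patch": "fix_url"},
    "CNNVD": {"cve": "cve_number", "description": "vuln_desc", "vendor": "manufacturer",
              "product": "affected_product", "severity": "level"},
}

# Preset data structure priority rule per description field. CNVD ranks highest for
# the free-text description, as the text above proposes; the other orders are
# constructed. DEFAULT_PRIORITY breaks any remaining tie.
FIELD_PRIORITY = {
    "description": ["CNVD", "CNNVD", "CVE"],
    "vendor": ["CNNVD", "CNVD"],
    "product": ["CNNVD", "CNVD"],
}
DEFAULT_PRIORITY = ["CVE", "CNVD", "CNNVD"]

# Industrial information security vulnerability dictionary table (constructed):
# vendor names are matched as phrases, product keywords as whole tokens.
INDUSTRIAL_DICT = {"vendors": {"exampleco"}, "products": {"plc", "scada", "hmi", "rtu", "dcs"}}


def normalize(source, raw):
    """Map a raw record of `source` onto the common field names, dropping empty values."""
    out = {}
    for common, own in SOURCE_SCHEMAS[source].items():
        value = raw.get(own)
        if value not in (None, ""):  # a blank field is not a meaningful value
            out[common] = value
    return out


def is_industrial(rec):
    """Screening step: industrial if vendor, product or description matches the dictionary."""
    text = " ".join(str(rec.get(k, "")) for k in ("vendor", "product", "description")).lower()
    tokens = set(re.findall(r"[a-z0-9]+", text))
    return any(v in text for v in INDUSTRIAL_DICT["vendors"]) or bool(tokens & INDUSTRIAL_DICT["products"])


def fuse(group):
    """Fuse one vulnerability's records, group = {source: normalized record} sharing
    a CVE number. Returns (fused record, per-field decision log for auditing)."""
    fused, decisions = {}, {}
    for name in sorted(set().union(*(r.keys() for r in group.values()))):
        holders = {s: r[name] for s, r in group.items() if name in r}
        if len(holders) == 1:
            # Field present in only one source: extract it as-is.
            src, value = next(iter(holders.items()))
            fused[name], decisions[name] = value, f"only in {src}"
        elif len(set(holders.values())) == 1:
            # All sources agree: nothing to resolve.
            fused[name], decisions[name] = next(iter(holders.values())), "consistent"
        else:
            # Sources disagree: choose by the preset priority rule for this field.
            order = FIELD_PRIORITY.get(name, []) + DEFAULT_PRIORITY
            winner = next(s for s in order if s in holders)
            fused[name], decisions[name] = holders[winner], f"conflict, priority -> {winner}"
    fused["sources"] = sorted(group)
    return fused, decisions


def build_library(raw_by_source):
    """Full pipeline over {source: [raw record, ...]}: normalize, screen, correlate on
    the CVE number, fuse. A screened record with no CVE number is a single-source entry."""
    groups = {}
    for source, raws in raw_by_source.items():
        for i, raw in enumerate(raws):
            rec = normalize(source, raw)
            if not is_industrial(rec):
                continue  # IT-field vulnerability, left out of the industrial library
            key = rec.get("cve") or f"{source}#{i}"  # source-local key for single-source entries
            groups.setdefault(key, {})[source] = rec
    return {key: fuse(g)[0] for key, g in groups.items()}


# Constructed sample data sets; the CVE ids are placeholders, not real CVEs.
SAMPLE = {
    "CVE": [
        {"cve_id": "CVE-0000-0001", "summary": "Buffer overflow in Example PLC firmware", "cvss_v3": 9.8},
        {"cve_id": "CVE-0000-0002", "summary": "Cross-site scripting in a web forum", "cvss_v3": 6.1},
    ],
    "CNVD": [
        {"cve_ref": "CVE-0000-0001", "desc": "Example PLC firmware has a stack overflow in its Modbus handler",
         "vendor": "ExampleCo", "product": "Example PLC", "fix_url": "https://vendor.example/patch"},
        {"cve_ref": "", "desc": "SCADA HMI ships with weak default credentials", "vendor": "OtherCo", "product": "Other HMI"},
    ],
    "CNNVD": [
        {"cve_number": "CVE-0000-0001", "vuln_desc": "Stack overflow", "manufacturer": "ExampleCo Ltd",
         "affected_product": "Example PLC 1.0", "level": "critical"},
    ],
}
```

Running `build_library(SAMPLE)` yields two library entries: the three-source record keyed by its CVE number, whose description comes from CNVD while the CVSS score and patch link survive from the sources that alone carry them, and the single-source CNVD record without a CVE number; the IT-field forum record is screened out.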
In the embodiment of the invention, the stages of acquiring the security vulnerability data set, fusing vulnerability description information and so on can be run continuously by means of scheduled tasks and task triggering. On the one hand, an automated task is set up so that collecting the security vulnerability data set, screening industrial information security vulnerabilities, fusing vulnerability description information from multiple data sources, enriching vulnerability description information and the like can proceed without manual intervention. On the other hand, the requirement of updating the security vulnerability library in real time is met. Since different security vulnerability data set sources are updated at different frequencies, the period of the corresponding automated task is also set to a suitable value, which is not elaborated further here.
According to the security vulnerability management device provided by the embodiment of the invention, security vulnerabilities from various different sources are screened, vulnerability description information is fused aiming at industrial information security vulnerabilities, and the description of the same industrial information security vulnerability is more complete, so that the security vulnerability library has high availability and information completeness.
Example three
As shown in fig. 8, in an embodiment, a security vulnerability management system is provided, which specifically includes:
in the embodiment of the invention, the vulnerability source platform may be a public information security vulnerability library 100, a vulnerability database 200 mined by enterprise internal research, or a vulnerability database 300 collected by a vulnerability response platform; these were described in detail in the previous embodiments and are not described again here;
the security vulnerability management apparatus 400 in the foregoing embodiment is configured to obtain a security vulnerability data set, screen out an industrial information security vulnerability according to the security vulnerability data set, and aggregate the industrial information security vulnerability into a security vulnerability library.
According to the security vulnerability management system provided by the embodiment of the invention, security vulnerabilities of various vulnerability source platforms are screened, vulnerability description information is fused aiming at industrial information security vulnerabilities, and description of the same industrial information security vulnerability is more complete, so that a security vulnerability library has high availability and information completeness.
Example four
In one embodiment, a computer device is proposed, the computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
acquiring security vulnerability data sets of at least two different sources, and screening out industrial information security vulnerabilities from the security vulnerability data sets;
analyzing the data structure information of the industrial information security vulnerability, and fusing vulnerability description information of the same industrial information security vulnerability from at least two different sources;
and integrating the industrial information security vulnerabilities fused with vulnerability description information into a security vulnerability library.
FIG. 9 is a diagram illustrating the internal structure of a computer device in one embodiment. The computer device may specifically be an independent physical server or a terminal, a server cluster formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud servers, cloud databases, cloud storage and a CDN, but is not limited thereto; a smart phone, tablet computer, notebook computer, desktop computer, smart speaker, smart watch and the like may also be used. As shown in fig. 9, the computer device includes a processor, a memory, a network interface, an input device and a display screen connected by a system bus. The memory includes a non-volatile storage medium and an internal memory. The non-volatile storage medium of the computer device stores an operating system and also stores a computer program which, when executed by the processor, enables the processor to implement the security vulnerability management method. The internal memory may also store a computer program which, when executed by the processor, causes the processor to perform the security vulnerability management method. The display screen of the computer device may be a liquid crystal display or an electronic ink display, and the input device of the computer device may be a touch layer covering the display screen, a key, trackball or touch pad arranged on the housing of the computer device, or an external keyboard, touch pad or mouse.
Those skilled in the art will appreciate that the architecture shown in fig. 9 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
Example five
In one embodiment, a computer readable storage medium is provided, having a computer program stored thereon, which, when executed by a processor, causes the processor to perform the steps of:
acquiring security vulnerability data sets of at least two different sources, and screening out industrial information security vulnerabilities from the security vulnerability data sets;
analyzing the data structure information of the industrial information security vulnerability, and fusing vulnerability description information of the same industrial information security vulnerability from at least two different sources;
and integrating the industrial information security vulnerabilities fused with vulnerability description information into a security vulnerability library.
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in the sequence indicated by the arrows, the steps are not necessarily performed in that sequence. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and described and may be performed in other orders. Moreover, at least a portion of the steps in the various embodiments may include multiple sub-steps or multiple stages that are not necessarily performed at the same time but may be performed at different times, and the order of performance of the sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with other steps or with at least a portion of the sub-steps or stages of other steps.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above examples show only some embodiments of the present invention, and although their description is specific and detailed, it is not to be construed as limiting the scope of the present invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the inventive concept, and these fall within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A security vulnerability management method is characterized by comprising the following steps:
acquiring security vulnerability data sets of at least two different sources, and screening out industrial information security vulnerabilities from the security vulnerability data sets;
analyzing the data structure information of the industrial information security vulnerability, and fusing vulnerability description information of the same industrial information security vulnerability from at least two different sources;
and integrating the industrial information security vulnerabilities fused with vulnerability description information into a security vulnerability library.
2. The method according to claim 1, wherein the analyzing the data structure information of the industrial information security vulnerability and fusing vulnerability description information of the same industrial information security vulnerability from at least two different sources specifically comprises:
judging whether the industrial information security vulnerabilities of at least two different sources belong to the same industrial information security vulnerability of different data structures according to the data structure information, if so, then:
judging whether the contents of the same description fields in the vulnerability description information of the industrial information security vulnerabilities of at least two different sources are consistent, if not, then:
and selecting the content of the same description field according to a preset data structure priority rule to complete the fusion of vulnerability description information.
3. The method according to claim 2, wherein the determining, according to the data structure information, whether the industrial information security vulnerabilities from at least two different sources belong to a same industrial information security vulnerability of different data structures specifically includes:
determining vulnerability numbers of the industrial information security vulnerabilities of at least two different sources according to the data structure information, wherein if the vulnerability numbers are the same, the at least two industrial information security vulnerabilities are the same industrial information security vulnerability;
and judging whether the data structures of the same industrial information security vulnerabilities of at least two different sources are the same or not according to the data structure information.
4. The method according to claim 2, wherein the determining, according to the data structure information, whether the industrial information security vulnerabilities from at least two different sources belong to a same industrial information security vulnerability of different data structures, if yes, further includes:
and extracting the description field which only appears in the vulnerability description information of one industrial information security vulnerability, and using the description field as the vulnerability description information of the same industrial information security vulnerability to complete the fusion of vulnerability description information.
5. The method according to claim 1, wherein the acquiring of the security vulnerability data sets from at least two different sources and the screening of the industrial information security vulnerability from the security vulnerability data sets specifically comprises:
acquiring security vulnerability data sets of at least two different sources;
and screening the security vulnerability data set according to a preset industrial information security vulnerability dictionary table, and if vulnerability description information contained in the security vulnerability data set is matched with the content of the industrial information security vulnerability dictionary table, determining that the security vulnerability is an industrial information security vulnerability.
6. The method for security vulnerability management according to claim 1, wherein the analyzing the data structure information of the industrial information security vulnerability and fusing vulnerability description information of the same industrial information security vulnerability from at least two different sources further comprises:
and aggregating the industrial information security vulnerabilities that do not have different data structures into the security vulnerability library.
7. A security vulnerability management device, comprising:
an industrial information security vulnerability acquisition module, configured to acquire security vulnerability data sets of at least two different sources and screen out industrial information security vulnerabilities from the security vulnerability data sets;
the vulnerability description information fusion module is used for analyzing the data structure information of the industrial information security vulnerability and fusing vulnerability description information of the same industrial information security vulnerability from at least two different sources;
and the vulnerability set management module is used for collecting the industrial information security vulnerabilities fused with vulnerability description information into a security vulnerability library.
8. A security vulnerability management system, comprising:
a vulnerability source platform storing a security vulnerability data set;
the security vulnerability management apparatus of claim 7, configured to obtain the security vulnerability data sets from at least two different sources, screen out an industrial information security vulnerability according to the security vulnerability data sets, and aggregate the industrial information security vulnerability into a security vulnerability library.
9. A computer device comprising a memory and a processor, the memory having stored therein a computer program that, when executed by the processor, causes the processor to carry out the steps of the security vulnerability management method of any of claims 1 to 6.
10. A computer-readable storage medium, having a computer program stored thereon, which, when executed by a processor, causes the processor to perform the steps of the security vulnerability management method of any of claims 1 to 6.
CN202010226681.9A 2020-03-27 2020-03-27 Security vulnerability management method, device, system, equipment and storage medium Pending CN111310195A (en)

Publications (1)

Publication Number Publication Date
CN111310195A true CN111310195A (en) 2020-06-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200619