CN111859404A - Method, device, electronic equipment and medium for detecting system vulnerability of computer - Google Patents


Info

Publication number
CN111859404A
Authority
CN
China
Legal status
Granted
Application number
CN202010754892.XA
Other languages
Chinese (zh)
Other versions
CN111859404B (en)
Inventor
何惟
陈莉
王磊
吴代全
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system


Abstract

The disclosure provides a method, an apparatus, an electronic device and a medium for detecting system vulnerabilities of a computer. The method may include acquiring a detected target in the computer, the detected target being in the form of a file package. The method may further include making a target copy of the detected target based on a policy in a policy set, where the policy is such that the vulnerability detection result of a copy of a sample target in the computer is consistent with the vulnerability detection result of the sample target itself. The method may further include performing vulnerability detection on the target copy, thereby achieving vulnerability detection of the detected target.

Description

Method, device, electronic equipment and medium for detecting system vulnerability of computer
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, an electronic device, and a medium for detecting a system vulnerability of a computer.
Background
Computers share and exchange information over the internet, and threats from outside are endless. A system vulnerability (System Vulnerabilities) refers to a defect or error in the logic design of application software or an operating system. In some cases a system vulnerability is exploited by an attacker to attack or control the computer, for example by implanting a trojan or virus over the network, so that important data in the computer is damaged or the computer itself suffers irreversible damage. To avoid the security risks caused by system vulnerabilities, it is desirable to detect and fix system vulnerabilities in a computer before a threat arrives.
In the course of implementing the disclosed concept, the inventors found that the prior art has at least the following problem: conventional vulnerability detection methods mostly scan an application program in the computer or the computer's operating system directly, and the detection process affects the operation of the detected target to a greater or lesser extent; in serious cases the detected target operates abnormally, so that network services stop or the system goes down.
Disclosure of Invention
In view of the above, the present disclosure provides a method, an apparatus, an electronic device, and a medium for detecting a system vulnerability of a computer.
One aspect of the present disclosure provides a method of system vulnerability detection of a computer. The method may include acquiring a detected target in the computer, the detected target being in the form of a file package. The method may further include making a target copy of the detected target based on a policy in a policy set, where the policy is such that the vulnerability detection result of a copy of a sample target in the computer is consistent with the vulnerability detection result of the sample target itself. The method may further include performing vulnerability detection on the target copy, thereby achieving vulnerability detection of the detected target.
According to an embodiment of the present disclosure, the target copy is either a lightweight copy or a duplicate copy. The lightweight copy contains fewer files in total than the detected target; the duplicate copy is an identical copy of the detected target.
According to an embodiment of the present disclosure, when the target copy is a lightweight copy, the method may further include constructing a policy set, where the policy set includes M policies for M different types of operating systems, M ≥ 2. Constructing the policy set may include obtaining a sample target set in the computer, where the sample target set includes T sample targets of the M different types, T ≥ M ≥ 2, each type has at least one sample target, and the sample targets are in the form of file packages. Constructing the policy set may further include, for each sample target of each of the M types, making an initial model, the initial model being a duplicate of the sample target. Constructing the policy set may further include training the initial model of each sample target of each type to obtain a lightweight model of each sample target of each type; the vulnerability detection result of the lightweight model is consistent with that of the initial model, and the lightweight model is the lightweight version obtained after at least one non-core file has been extracted from the initial model. Constructing the policy set may further include, for the lightweight models of all sample targets of each type, selecting as core files those files whose share rate across those lightweight models (the proportion of the lightweight models that contain the file) is greater than a preset proportion; the core files form the policy for that type.
According to an embodiment of the present disclosure, the training includes a basic training process and a loop over the basic training process. The basic training process includes file extraction and verification of the extraction effect. File extraction means extracting a file from the input model to obtain a residual model. Verification of the extraction effect means checking whether the vulnerability detection result of the residual model is consistent with that of the initial model. The input model of the first basic training is the initial model. Looping over the basic training process means that, when the vulnerability detection results are consistent, the residual model obtained by the previous basic training is taken as the new input model and file extraction and verification are performed again. If the vulnerability detection results remain consistent over R consecutive file extractions, R ≥ 2, and at the (R+1)-th extraction extracting any file makes the results inconsistent, then the non-core files of the initial model have been extracted at that point, and the residual model remaining after the 1st to R-th extractions is taken as the lightweight model.
According to an embodiment of the present disclosure, looping over the basic training process further includes: when the vulnerability detection results are inconsistent, cancelling the file extraction just performed on the last input model, and selecting a file that is independent of, or only partially overlaps with, the previously extracted file to perform file extraction again on that input model.
According to an embodiment of the disclosure, the policy set includes M policies for M different types of operating systems, M ≥ 2; each of the M policies includes core files, and the core files are such that the vulnerability detection result of a copy of a sample target in the computer is consistent with that of the sample target. Making the target copy of the detected target based on a policy in the policy set may include: determining the policy to be applied to the detected target according to the type of the computer's operating system; extracting the non-core files from the detected target based on that policy, so that the core files are retained and a lightweight copy of the detected target is obtained; and packaging, transcoding and re-expressing the lightweight copy of the detected target to obtain a target copy that conforms to the computer's representation form.
According to an embodiment of the present disclosure, the method further includes acquiring a first attribute feature of the detected target, the first attribute feature representing the network security attribute of the detected target; acquiring a second attribute feature of the target copy, the second attribute feature representing the network security attribute of the target copy; and checking the reliability of the target copy according to whether the first and second attribute features are consistent.
According to an embodiment of the disclosure, when the first and second attribute features are consistent, the target copy is regarded as reliable and vulnerability detection is performed on it. When they are inconsistent, the target copy is regarded as unreliable, and the policies in the policy set are optimized so that the target copy becomes reliable.
According to an embodiment of the present disclosure, optimizing the policy may include increasing the number of sample targets for the type of operating system of the computer to obtain an expanded sample target set, making initial models of all sample targets for that operating system type, training the initial models to obtain lightweight models, and selecting core files from the lightweight models of all sample targets of that type to obtain the optimized policy. Alternatively, optimizing the policy may include, after an initial model has been trained to obtain a lightweight model, continuing to train the lightweight model so that more non-core files are extracted and an even more lightweight model is obtained, and then selecting core files from the more lightweight models of all sample targets of that type to obtain the optimized policy. Alternatively, optimizing the policy may include increasing the value of the preset proportion to obtain the optimized policy.
A second aspect of the present disclosure provides an apparatus for system vulnerability detection of a computer. The apparatus includes a detected target acquisition module, a target copy making module and a vulnerability detection module. The detected target acquisition module acquires a detected target in the computer, the detected target being in the form of a file package. The target copy making module makes a target copy of the detected target based on a policy in a policy set, where the policy is such that the vulnerability detection result of a copy of a sample target in the computer is consistent with that of the sample target. The vulnerability detection module performs vulnerability detection on the target copy, thereby achieving vulnerability detection of the detected target.
A third aspect of the present disclosure provides an electronic device. The electronic device includes: one or more processors; and storage means for storing one or more programs. Wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement any of the methods mentioned in the present disclosure.
A fourth aspect of the disclosure provides a computer-readable storage medium. The above-described computer-readable storage medium has stored thereon executable instructions that, when executed by a processor, cause the processor to implement any of the methods mentioned in the present disclosure.
According to the embodiment of the disclosure, by making a target copy of the detected target and performing vulnerability detection on that copy, the detected target is not affected during vulnerability detection. This addresses the problem in the prior art that computer system vulnerability detection affects the operation of the detected target to a greater or lesser extent and, in serious cases, causes the detected target to operate abnormally, so that network services stop or the system goes down.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario of a method, an apparatus, an electronic device, and a medium for system vulnerability detection of a computer according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a method of system vulnerability detection of a computer, according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart of a method of system vulnerability detection of a computer, according to another embodiment of the present disclosure;
FIG. 4 schematically illustrates a detailed flowchart of operation S10 according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a detailed operation procedure diagram of operation S10 according to an embodiment of the present disclosure;
FIG. 6 schematically illustrates a structural schematic of a sample target set according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates an implementation process diagram for building a policy set according to an embodiment of the disclosure;
FIG. 8 schematically illustrates a detailed flow chart for training an initial model for each sample target in each type, in accordance with an embodiment of the present disclosure;
FIG. 9 schematically illustrates a detailed flowchart of operation S12 according to an embodiment of the present disclosure;
FIG. 10 schematically illustrates a flow chart of a method of system vulnerability detection of a computer, according to yet another embodiment of the present disclosure;
FIG. 11 is a block diagram schematically illustrating an apparatus for system vulnerability detection of a computer, according to an embodiment of the present disclosure;
FIG. 12 is a block diagram schematically illustrating an apparatus for system vulnerability detection of a computer, according to another embodiment of the present disclosure;
FIG. 13 schematically illustrates a block diagram of a policy set building module according to an embodiment of the present disclosure; and
FIG. 14 schematically shows a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
The embodiment of the disclosure provides a method and an apparatus for detecting system vulnerabilities of a computer, an electronic device and a medium. The method may include acquiring a detected target in the computer, the detected target being in the form of a file package. The method may further include making a target copy of the detected target based on a policy in a policy set, where the policy is such that the vulnerability detection result of a copy of a sample target in the computer is consistent with the vulnerability detection result of the sample target itself. The method may further include performing vulnerability detection on the target copy, thereby achieving vulnerability detection of the detected target.
The following describes an application scenario of a method, an apparatus, an electronic device, and a medium for detecting a system vulnerability of a computer according to an embodiment of the present disclosure with reference to fig. 1.
Fig. 1 schematically illustrates an application scenario of a method, an apparatus, an electronic device, and a medium for system vulnerability detection of a computer according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an example of a scenario in which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, but does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
Referring to fig. 1, in the prior art, computers 1 share and interact information via the internet.
The computer 1 is a computer in a broad sense, and may be any one of a desktop computer 101, a notebook computer 102, a tablet computer 103, a mobile phone 104, and a server 105.
In the computer 1 of the present disclosure, the computer itself has a computer system, which may also be called an operating system, and various application software (programs) may be installed on it, for example shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients and social platform applications (examples only).
The system vulnerabilities of the present disclosure refer to vulnerabilities or errors in the operating system and in the application programs.
Since the application software or the operating system of the computer 1 inevitably has some defects or errors in its logic design, system vulnerabilities of the computer objectively exist. In some cases a system vulnerability is exploited by an attacker to attack or control the computer by implanting trojans or viruses over the network. In conventional vulnerability detection methods, vulnerability scanning is mostly performed directly on the application software of the computer 1 or on its operating system, as indicated by the arrow pointing left in fig. 1. The inventors found that scanning the computer directly for vulnerabilities affects the operation of the computer to a greater or lesser extent and, in serious cases, may cause the detected target to operate abnormally, so that the computer stops providing network services or its system goes down (hangs).
In view of this, embodiments of the present disclosure provide a method for detecting a system vulnerability of a computer in which a target copy of the detected target is made and vulnerability detection is performed on that copy, so that the detected target is not affected during vulnerability detection. This at least partially solves the problem in the prior art that computer system vulnerability detection affects the operation of the detected target to a greater or lesser extent and, in serious cases, causes the detected target to operate abnormally, so that network services stop or the system goes down.
In a first exemplary embodiment of the present disclosure, a method of system vulnerability detection of a computer is provided.
FIG. 2 schematically shows a flow chart of a method of system vulnerability detection of a computer according to an embodiment of the present disclosure.
According to an embodiment of the present disclosure, referring to fig. 2, the method for detecting a system vulnerability of a computer may include the following operations: S11, S12 and S13.
In operation S11, a detected target in the computer is acquired, the detected target being in the form of a file package.
In operation S12, a target copy of the detected target is made based on a policy in a policy set, where the policy is such that the vulnerability detection result of a copy of a sample target in the computer is consistent with the vulnerability detection result of the sample target.
In operation S13, vulnerability detection is performed on the target copy, thereby achieving vulnerability detection of the detected target.
In the embodiment of the disclosure, a user may select a detected target in the computer at random or according to actual test requirements; for example, the detected target may be an application program, the operating system, or both. The detected target in the computer is in the form of a file package.
In operation S11, the detected target in the computer may be acquired directly or indirectly. A detected target acquisition module is used to acquire the detected target in the computer; this module may be hardware and/or software located in the computer, or hardware and/or software located outside the computer. For example, in one case, when an instruction specifying the detected target is received from the user, the detected target acquisition module acquires the detected target directly. Alternatively, the computer includes a control module that interacts with the user side; after the control module receives the user's instruction specifying the detected target, it forwards the instruction to the detected target acquisition module, which thus acquires the detected target in the computer indirectly.
In operation S12, the target copy of the detected target is made based on a policy in the policy set, where the policy is such that the vulnerability detection result of a copy of a sample target in the computer is consistent with the vulnerability detection result of the sample target.
To avoid affecting the operation of the computer during vulnerability detection, the target copy of the detected target is made on another device or medium independent of the computer, so that the device/module that makes the target copy is independent of the computer on which the detected target is located. For example, the device/module that makes the copy of the detected target is a target copy making module, and the target copy making module and the detected target acquisition module communicate over a wired or wireless link.
According to an embodiment of the present disclosure, the policy set includes M policies for M different types of operating systems, M ≥ 2, M being a positive integer. The operating system type may be, for example, Windows, Linux, iOS or Android. Each of the M policies includes core files, and the core files are such that the vulnerability detection result of a copy of a sample target in the computer is consistent with the vulnerability detection result of the sample target.
According to an embodiment of the present disclosure, the target copy is a lightweight copy or a duplicate copy. The lightweight copy contains fewer files in total than the detected target; the duplicate copy is an identical copy of the detected target. Making the target copy of the detected target based on the policy may consist of either taking the duplicate of the detected target directly as the target copy, or taking as the target copy the lightweight copy obtained after the non-core files of the detected target have been extracted. A non-core file is a data payload that does not affect the vulnerability detection result; its counterpart, a core file, is a key file that does affect the vulnerability detection result.
The duplicate copy is exactly the same as the detected target, so the result of vulnerability detection on the duplicate copy is exactly consistent with the result of vulnerability detection performed directly on the detected target. The lightweight copy saves storage space and is detected more efficiently.
In operation S13, by performing vulnerability detection on the target copy, vulnerability detection on the detected target is achieved, and the detection process does not need to directly perform vulnerability scanning or detection on the computer and has no influence on the system operation of the computer.
Fig. 3 schematically shows a flowchart of a method of system vulnerability detection of a computer according to another embodiment of the present disclosure.
According to an embodiment of the present disclosure, referring to the dashed box in fig. 3, the method may further include an operation S10 of constructing a policy set, in addition to operations S11 to S13.
When the target copy is a lightweight copy, the structure of the policy set is more complex than when the target copy is a duplicate copy.
When the target copy is a duplicate copy, the policy in the policy set is simply to copy the detected target to make the target copy, as shown by model 0.0 in fig. 5; operation S10 of constructing the policy set may then be omitted, and only the detected target needs to be copied to make the target copy, as shown by operation S201 in fig. 5. In this case the similarity between the detected target and the target copy is 100%, and the data load (also called the non-core files) in the detected target is taken to be 0%. Vulnerability detection is performed on the detected target and on the target copy (duplicate copy) with the vulnerability detection model and, as shown by operation S202 in fig. 5, the vulnerability detection results obtained are exactly the same.
The process of how to construct the policy set when the target copy is a lightweight copy is described in detail below with reference to fig. 4-8.
FIG. 4 schematically illustrates a detailed flowchart of operation S10 according to an embodiment of the present disclosure; FIG. 5 schematically illustrates a detailed operation procedure diagram of operation S10 according to an embodiment of the present disclosure; FIG. 6 schematically illustrates a structural schematic of a sample target set according to an embodiment of the present disclosure; FIG. 7 schematically illustrates an implementation process diagram for building a policy set according to an embodiment of the disclosure; FIG. 8 schematically shows a detailed flow chart for training an initial model for each sample target in each type, according to an embodiment of the present disclosure.
According to an embodiment of the present disclosure, the policy set includes M policies for M different types of operating systems, M ≧ 2, M being a positive integer. Referring to FIG. 4, the above operation S10 of constructing a policy set includes the following sub-operations: s101, S102, S103 and S104.
In sub-operation S101, a sample target set in a computer is obtained. The sample target set includes T sample targets of M different types, with T ≥ M ≥ 2; each type has at least one sample target, and the sample targets are in the form of file packages.
In sub-operation S102, for each sample object in each of the M types, an initial model is made, the initial model being a duplicate version of the sample object.
In sub-operation S103, the initial model of each sample target in each type is trained to obtain a lightweight model of each sample target in each type.
In sub-operation S104, for the lightweight models of all sample targets in each type, the files whose common ownership rate (the proportion of those lightweight models in which the file is present) is at or above a preset ratio are selected as core files, and the core files constitute the policy for that type.
Referring to fig. 6, in sub-operation S101 the sample target set 100 includes T sample targets 11 for M different types of operating systems, each type having at least one sample target. In fig. 6, sample targets for the same operating system type are placed together, and different pattern fills are used to make the differences between sample targets visible. The sample targets are in the form of file packages. Two sample targets, say a first and a second, may share no file at all (their file packages are independent of each other), or they may have at least one file in common (the two file packages intersect, i.e. files partially repeat between the sample targets, as opposed to full repetition, where the two sample targets are identical).
In sub-operation S102, for each sample object in each of the M types, an initial model is made, the initial model being a duplicate version of the sample object.
The same operation is performed for all sample objects in each type, taking the partial sample objects for type 1 illustrated in fig. 7 as an example, here schematically illustrated by the three sample objects in the first column, and for each sample object 11 in type 1, an initial model 11 'is made, the initial model 11' being a replicated version of the sample object.
In sub-operation S103, the initial model of each sample target in each type is trained to obtain a lightweight model of each sample target in each type.
The vulnerability detection result of the lightweight model is consistent with that of the initial model, and the lightweight model is a lightweight version obtained after at least one non-core file has been extracted (removed) from the initial model.
The sub-operation S103 may be trained by machine learning, deep learning, and the like.
According to the embodiment of the disclosure, it is difficult to determine directly which files are core files that must be kept. The approach therefore works in reverse: files are extracted experimentally and detection is run on the residual model, and a lightweight version containing only the core files is obtained after the unnecessary non-core files have been extracted step by step.
Continuing with fig. 7, the initial model 11' of each sample target 11 in type 1 is trained to obtain the lightweight model 12 of each sample target 11 in type 1. To illustrate the relationship between the lightweight model 12 and the initial model 11', different pattern labels are used inside the models in fig. 7 to illustrate different files, some of which are core files and some of which are data payloads belonging to the non-core files.
There are M training sets for the M different operating system types, as shown in fig. 5. Referring to operation S203, in each training set files may be gradually extracted from the initial model according to actual needs. The training process is essentially a process of gradually extracting the non-core files from the initial model, and the degree of extraction is decided by actual needs: all non-core files may be extracted, so that the similarity between the lightweight model and the initial model is minimal and the optimal degree of training is reached, or the result may be an intermediate-state lightweight model from which only part of the non-core files have been extracted. Models 1.1, ..., 1.N illustrated in fig. 5, where N ≥ 2 and N is a positive integer, show the proportion of extracted files being varied step by step until the optimal degree of training is reached. In operation S204 the initial models are trained on the training sets of the different operating system types: the initial model of each sample target in type 1 is trained to obtain a lightweight model, the initial model of each sample target in type 2 is trained to obtain a lightweight model, and so on, up to the initial model of each sample target in type M.
Taking the training set of type 1 as an example, the initial model 11' of each sample target 11 is trained to obtain the lightweight model 12, as shown in fig. 5 and 7. For example, in model 1.1, assuming a data load of 1%, 1% of the files (data load) are extracted from the sample target to obtain a copy whose similarity to the sample target is 99%. Vulnerability detection is then performed on the sample target and on the copy with the vulnerability detection model. If the two results are consistent, the extracted files are more likely to be genuine data load (non-core files); if they are inconsistent, the extracted files are less likely to be genuine data load (non-core files). The operation is repeated until all or part of the data load (non-core files) has been extracted. In fig. 7 a circle denotes a non-core file; after 1% of the non-core files have been extracted from the initial model 11', non-core files may still remain in the resulting lightweight model 12, as illustrated by the dotted circle. Training all sample targets of type 1 in this way produces the corresponding lightweight models 12, one lightweight model 12 per sample target.
It should be noted that, for simplicity of representation, the target illustrated in fig. 5 may refer either to the detected target or to a sample target: the targets in the training sets are sample targets, and the target in model 0.0 is the detected target.
In sub-operation S104, for the lightweight models of all sample targets in each type, the files whose common ownership rate across those lightweight models is at or above a preset ratio are selected as core files, and the core files constitute the policy for that type.
Referring to operation S201 in fig. 5, different policies are generated for different operating system types. Referring to fig. 7 and taking type 1 of types 1 to M as an example, a file whose common ownership rate across the lightweight models of all sample targets of the same type is at or above a preset ratio is taken as a core file. The preset ratio may be 50%, 60%, 70%, 80%, 90%, 95% or another value, and may be adjusted according to actual needs. In the case illustrated in fig. 7 the preset ratio is 60%. Files indicated by dotted circles (remaining non-core files) are not selected. The file indicated by the five-pointed star is present in the lightweight models of all sample targets and is taken as a core file; the file indicated by the seven-pointed star is present in two of the three sample targets, so with only three sample targets its common ownership rate is 2/3 ≈ 66.7%, above the preset ratio, and it is also taken as a core file. The policy for type 1 therefore consists of the two core files indicated by the five-pointed star and the seven-pointed star.
As can be seen from the above process, the quality of a policy, and whether a policy obtained from sample targets suits the detected target, depend on at least one of the following factors: the capacity of the sample target set, i.e. the number of sample targets; the degree to which the non-core files are extracted; and the value of the preset ratio. The more sample targets there are, the more thoroughly the non-core files are extracted (the lower the similarity between the lightweight model and the initial model), and the higher the preset ratio, the better the policies in the constructed policy library reflect the real core files of the different operating system types.
According to an embodiment of the present disclosure, referring to fig. 8, the sub-operation S103 of training the initial model of each sample target in each type includes a basic training process S103a and a process S103b of looping the basic training.
The basic training process S103a includes an operation S1031a of file extraction and an operation S1032a of verifying the extraction effect. The file extraction operation S1031a includes: performing file extraction on the input model to obtain a residual model.
The operation S1032a of verifying the extraction effect includes: measuring whether the vulnerability detection result of the residual model is consistent with the vulnerability detection result of the initial model.
The process S103b of looping the basic training includes: when the vulnerability detection results are consistent, taking the residual model obtained by the last basic training as the input model and performing the file extraction and extraction verification operations again.
The process S103b of looping the basic training further includes: when the vulnerability detection results are inconsistent, cancelling the file extraction performed on the last input model and selecting files that are independent of, or only partially overlap with, the previously extracted files to perform file extraction on the last input model again.
The first input model is the initial model, and the file extraction operation S1031a may include extracting a first partial file from the initial model. The first partial file is a subset of the files in the initial model (which is in the form of a file package); the proportion of the number of extracted files to the total number of files in the initial model may be set according to actual needs, for example 1%, 2% or another value. After the first file extraction on the initial model (the first loop), it is measured whether the vulnerability detection result of the first residual model, i.e. the initial model with the first partial file extracted, is consistent with the vulnerability detection result of the initial model. If the results are consistent, the residual model is used as the input model in the loop and the basic training operation is repeated. Referring to operation S1030 in fig. 8, if the results are inconsistent, files that are independent of, or only partially overlap with, the previously extracted files are selected for extraction.
In particular, the process S103b of looping the basic training may include: when the vulnerability detection results are consistent, taking the first residual model as the input model and applying the basic training process to it. If R consecutive file extractions (R ≥ 2) give consistent vulnerability detection results, and in the (R+1)-th extraction extracting any file gives an inconsistent result, as shown at S103c, then all non-core files of the initial model have been extracted, and the residual model obtained after any of the 1st, 2nd, ..., R-th extractions may be used as the lightweight model. The residual model after the R-th extraction is preferably used as the lightweight model.
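As an added, runnable illustration of sub-operations S101 to S104 (example code, not code from the disclosure), the following Python sketch builds a policy set from a constructed sample target set. File packages are modelled as dicts of file name to content; the vulnerability detection model is replaced by a constructed oracle that fingerprints files under bin/ and lib/ and ignores everything else, which the training loop has to discover empirically; splitting a failed extraction batch into two halves, as the "partially overlapping" re-selection of S103b, is an assumed implementation choice. The sample targets mirror the three type-1 targets of fig. 7 (one file in all three, one in two of three, one in only one).

```python
"""Policy-set construction (S101-S104) as an added example; not the disclosure's code.

A sample target (file package) is a dict mapping file name -> bytes.  The
vulnerability detection model is stood in for by a constructed oracle.
"""
from __future__ import annotations

import hashlib
from collections import Counter
from typing import Callable, Dict, FrozenSet, List, Tuple

FilePackage = Dict[str, bytes]
Detector = Callable[[FilePackage], FrozenSet[Tuple[str, str]]]
PolicySet = Dict[str, FrozenSet[str]]


def toy_detector(pkg: FilePackage) -> FrozenSet[Tuple[str, str]]:
    """Constructed stand-in for the vulnerability detection model: one finding per
    executable or library, keyed by name and content digest; data files are ignored."""
    return frozenset(
        (name, hashlib.sha256(data).hexdigest()[:8])
        for name, data in pkg.items()
        if name.startswith(("bin/", "lib/"))
    )


def train_lightweight(initial: FilePackage, detect: Detector, step_ratio: float = 0.01) -> FilePackage:
    """S103: extract (remove) a batch of files from the input model (S1031a), re-run
    detection on the residual model and compare with the initial result (S1032a).
    A consistent result makes the residual model the next input model; an
    inconsistent one cancels the extraction and retries with smaller, partially
    overlapping batches (S103b).  The loop ends when no extraction is left that
    keeps the result unchanged (S103c)."""
    baseline = detect(initial)
    remaining = dict(initial)
    step = max(1, round(len(initial) * step_ratio))   # e.g. 1% of the files per batch
    names = sorted(initial)
    pending: List[List[str]] = [names[i:i + step] for i in range(0, len(names), step)]
    while pending:
        batch = pending.pop(0)
        residual = {n: d for n, d in remaining.items() if n not in batch}
        if detect(residual) == baseline:
            remaining = residual                    # extraction verified: keep it
        elif len(batch) > 1:
            half = len(batch) // 2                  # cancel, retry the two halves
            pending[:0] = [batch[:half], batch[half:]]
        # a single file whose removal changes the result is a core file: keep it
    return remaining


def select_core_files(lightweights: List[FilePackage], preset_ratio: float) -> FrozenSet[str]:
    """S104: a file present in at least `preset_ratio` of the lightweight models of
    one type (its common ownership rate) is a core file; the core files are the policy."""
    counts = Counter(name for model in lightweights for name in model)
    return frozenset(name for name, c in counts.items() if c / len(lightweights) >= preset_ratio)


def build_policy_set(samples: Dict[str, List[FilePackage]], detect: Detector,
                     preset_ratio: float = 0.6) -> PolicySet:
    """S101-S104 over a sample target set grouped by operating system type."""
    if len(samples) < 2 or any(len(t) == 0 for t in samples.values()):
        raise ValueError("need M >= 2 operating system types, each with a sample target")
    policy_set: PolicySet = {}
    for os_type, targets in samples.items():
        initials = [dict(t) for t in targets]                             # S102: duplicates
        lightweights = [train_lightweight(m, detect) for m in initials]   # S103
        policy_set[os_type] = select_core_files(lightweights, preset_ratio)  # S104
    return policy_set


# Constructed sample target set.  For "linux": bin/sshd is in all three targets,
# lib/libssl.so in two of three, lib/libz.so in one; data/ and logs/ are payload.
SAMPLE_TARGETS: Dict[str, List[FilePackage]] = {
    "linux": [
        {"bin/sshd": b"ELF sshd 7.4", "lib/libssl.so": b"ELF libssl 1.0.2k",
         "data/report.csv": b"id,amount\n1,10\n", "logs/app.log": b"boot ok\n"},
        {"bin/sshd": b"ELF sshd 7.4", "lib/libssl.so": b"ELF libssl 1.0.2k",
         "data/cache.bin": b"\x00" * 16},
        {"bin/sshd": b"ELF sshd 8.0", "lib/libz.so": b"ELF zlib 1.2.11",
         "data/export.json": b"{}"},
    ],
    "windows": [
        {"bin/svchost.exe": b"MZ svchost", "lib/ntdll.dll": b"MZ ntdll 10.0",
         "data/pagefile.sys": b"\x00" * 8},
        {"bin/svchost.exe": b"MZ svchost", "lib/ntdll.dll": b"MZ ntdll 10.0",
         "logs/setup.log": b"ok\n"},
    ],
}

if __name__ == "__main__":
    for os_type, policy in build_policy_set(SAMPLE_TARGETS, toy_detector).items():
        print(os_type, sorted(policy))
```

With the preset ratio at 60% the "linux" policy contains bin/sshd and lib/libssl.so (2/3 ≈ 66.7%), matching the worked case of fig. 7; raising the ratio to 80% drops lib/libssl.so, which is the third optimisation option described later for an unreliable target copy.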
Fig. 9 schematically shows a detailed flowchart of operation S12 according to an embodiment of the present disclosure.
Referring to fig. 9, operation S12 may include the following sub-operations: s121, S122 and S123.
In sub-operation S121, a policy to be employed by the detected object is determined according to the type of the operating system of the computer.
Because the policy library has corresponding policies for different types of operating systems, the policy to be adopted can be determined according to the type of the operating system of the computer where the detected target is located.
In sub-operation S122, the non-core files are extracted from the detected target based on the policy to be adopted, so that the core files are kept and a lightweight copy of the detected target is obtained.
In sub-operation S123, the lightweight copy of the detected target is subjected to packaging, transcoding, and re-expression processing to obtain a target copy conforming to a computer expression form.
The lightweight copy may be encapsulated by adding a file type, a packaging time, head and tail tags (TAG), and so on. Transcoding is an operation that makes the lightweight copy capable of re-expression, and re-expression fills the content of the transcoded lightweight copy into a computer expression template to obtain a target copy conforming to the computer expression form.
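Added example in Python of sub-operations S121 to S123 (not code from the disclosure). The policy set, the target, the tag values, and the use of base64 and JSON as the transcoding and as the "computer expression form" are assumptions, since the page does not fix these formats; the digest over the transcoded content is an added detail so that the detecting side can reject a target copy that was altered between packaging and detection.

```python
"""Making a target copy from a detected target (S121-S123); added example only.

A file package is a dict of file name -> bytes; a policy is the set of core file
names for one operating system type.  Tag values, base64 transcoding and the JSON
"expression form" are assumed, not taken from the disclosure.
"""
from __future__ import annotations

import base64
import hashlib
import json
from typing import Dict, FrozenSet

FilePackage = Dict[str, bytes]
PolicySet = Dict[str, FrozenSet[str]]

HEAD_TAG = "TARGET-COPY-BEGIN"   # assumed head/tail tag values
TAIL_TAG = "TARGET-COPY-END"


def select_policy(policy_set: PolicySet, os_type: str) -> FrozenSet[str]:
    """S121: choose the policy by the operating system type of the computer."""
    if os_type not in policy_set:
        raise KeyError(f"no policy in the policy set for operating system type {os_type!r}")
    return policy_set[os_type]


def make_lightweight_copy(target: FilePackage, policy: FrozenSet[str]) -> FilePackage:
    """S122: extract the non-core files, keeping only the core files named by the policy."""
    return {name: data for name, data in target.items() if name in policy}


def transcode(lightweight: FilePackage) -> str:
    """Transcoding step of S123: make binary file contents expressible as text
    (base64 inside JSON is an assumed, reversible choice)."""
    encoded = {name: base64.b64encode(data).decode("ascii")
               for name, data in sorted(lightweight.items())}
    return json.dumps(encoded, sort_keys=True)


def encapsulate(content: str, os_type: str, package_time: str) -> str:
    """Packaging and re-expression of S123: file type, package time, head/tail tags
    and a content digest are placed around the transcoded content."""
    copy_doc = {
        "head_tag": HEAD_TAG,
        "file_type": "lightweight-copy",
        "os_type": os_type,
        "package_time": package_time,
        "content": content,
        "sha256": hashlib.sha256(content.encode("utf-8")).hexdigest(),
        "tail_tag": TAIL_TAG,
    }
    return json.dumps(copy_doc, sort_keys=True)


def make_target_copy(target: FilePackage, os_type: str, policy_set: PolicySet,
                     package_time: str = "2020-07-31T00:00:00Z") -> str:
    """Operation S12 end to end: S121 -> S122 -> S123, returning the target copy."""
    policy = select_policy(policy_set, os_type)
    return encapsulate(transcode(make_lightweight_copy(target, policy)), os_type, package_time)


def open_target_copy(copy_doc: str) -> FilePackage:
    """Detection-side reverse of S123: verify the tags and the digest, then decode
    the files so the vulnerability detection model can be run on them."""
    doc = json.loads(copy_doc)
    if doc.get("head_tag") != HEAD_TAG or doc.get("tail_tag") != TAIL_TAG:
        raise ValueError("missing or wrong head/tail tag")
    if hashlib.sha256(doc["content"].encode("utf-8")).hexdigest() != doc["sha256"]:
        raise ValueError("digest mismatch: target copy was altered")
    return {name: base64.b64decode(b64) for name, b64 in json.loads(doc["content"]).items()}


# Constructed policy set and detected target (the policy here is the fig. 7 case).
SAMPLE_POLICY_SET: PolicySet = {
    "linux": frozenset({"bin/sshd", "lib/libssl.so"}),
    "windows": frozenset({"bin/svchost.exe", "lib/ntdll.dll"}),
}
SAMPLE_TARGET: FilePackage = {
    "bin/sshd": b"ELF sshd 7.4",
    "lib/libssl.so": b"ELF libssl 1.0.2k",
    "data/customers.csv": b"id,name\n1,alice\n",   # non-core: must not leave the host
    "logs/app.log": b"2020-07-31 boot ok\n",
}

if __name__ == "__main__":
    doc = make_target_copy(SAMPLE_TARGET, "linux", SAMPLE_POLICY_SET)
    print(sorted(open_target_copy(doc)))
```

The point of the packaging step from a security standpoint is that only the core files leave the detected computer: the data load (here the customer CSV and the log) is never part of the copy, and the digest lets the detector refuse a copy whose content no longer matches what was packaged.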
FIG. 10 schematically illustrates a flow chart of a method of system vulnerability detection of a computer, according to yet another embodiment of the present disclosure.
According to the embodiment of the disclosure, the lightweight model obtained by training on the sample targets ensures that the vulnerability detection result of the lightweight model is the same as that of the sample target, and with high probability this ensures that the vulnerability detection result of a target copy made from the detected target under the above policy is consistent with that of the detected target. There is, however, a very small probability that the vulnerability detection result of the target copy is not consistent with that of the detected target. To further improve the reliability of the target copy for vulnerability detection, the method may therefore include, in addition to operations S10 to S13, the operations S14, S15, S16 and S17 shown by the dashed boxes in fig. 10. This arrangement helps ensure the reliability of the target copy made from the detected target according to the policy, so that vulnerability detection of the detected target can be carried out directly and equivalently on the target copy.
In operation S14, a first attribute feature of the detected object is obtained, where the first attribute feature is used to characterize the network security attribute of the detected object.
In operation S15, a second attribute characteristic of the target copy is obtained, where the second attribute characteristic is used to characterize the network security attribute of the target copy.
The first attribute feature and the second attribute feature include static features and dynamic features. Static features include, but are not limited to, at least one of the following: network address, open network ports, MAC address, computer number (ID), system critical directories, and so on. Dynamic features include, but are not limited to, at least one of the following: features obtained by analysing the packets with which the detected target or target copy responds, and features obtained by analysing and disassembling the packets returned to the detected target or target copy.
In operation S16, the reliability of the target copy is checked according to whether the first attribute characteristic and the second attribute characteristic are consistent.
According to the embodiment of the present disclosure, when the first attribute feature and the second attribute feature are consistent, the target copy is regarded as reliable and operation S13 is performed: vulnerability detection is carried out on the reliable target copy.
When the first attribute feature and the second attribute feature are not consistent, the target copy is regarded as unreliable and operation S17 is performed: the policy in the policy set is optimized so that the target copy becomes reliable.
According to an embodiment of the present disclosure, optimizing the policy may include increasing the number of sample targets for the operating system type of the computer to obtain an expanded sample target set, and then performing operations S102, S103 and S104 on all sample targets of that operating system type: making initial models, training the initial models to obtain lightweight models, and selecting core files from the lightweight models of all sample targets of that type to obtain the optimized policy.
Alternatively, optimizing the policy may include, once the initial models have been trained into lightweight models, continuing to train the lightweight models so that more non-core files are extracted and more lightweight models are obtained, and then selecting core files from these more lightweight models of all sample targets of the operating system type of the computer to obtain the optimized policy.
Alternatively, optimizing the policy may include increasing the value of the preset ratio, for example from 60% to 80%, to obtain the optimized policy.
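Added example in Python of the reliability check of operations S14 to S17 (not code from the disclosure). The static feature names follow the list above; the HTTP-style reply used as the dynamic feature, the host values, and the order in which the optimisation options are tried (raise the preset ratio first, then expand the sample target set) are constructed assumptions.

```python
"""Reliability check of a target copy (S14-S17); added example, not the disclosure's code."""
from __future__ import annotations

from dataclasses import dataclass, field, fields
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class AttributeFeature:
    """Network security attributes of a detected target or of its target copy:
    the static features named on the page plus a dynamic feature parsed from a reply."""
    network_address: str
    open_ports: FrozenSet[int]
    mac_address: str
    computer_id: str
    system_dirs: FrozenSet[str]
    response: Dict[str, str] = field(default_factory=dict)


def parse_response_features(packet: bytes) -> Dict[str, str]:
    """Dynamic feature: parse the packet a target answers with.  An HTTP-style
    reply is assumed; only the status line and identifying headers are kept."""
    head, _, _ = packet.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    features = {"status_line": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("server", "x-powered-by"):
            features[name.strip().lower()] = value.strip()
    return features


def compare_features(first: AttributeFeature, second: AttributeFeature) -> List[str]:
    """S16: names of the attributes on which the detected target and its copy differ."""
    return [f.name for f in fields(AttributeFeature)
            if getattr(first, f.name) != getattr(second, f.name)]


def check_target_copy(first: AttributeFeature, second: AttributeFeature) -> str:
    """Branch after S16: 'S13' (detect on the reliable copy) when every attribute
    agrees, otherwise 'S17' (optimise the policy)."""
    return "S13" if not compare_features(first, second) else "S17"


def optimize_policy_params(params: Dict[str, float], ratio_step: float = 0.2) -> Dict[str, float]:
    """S17 with two of the options on the page: raise the preset ratio (e.g. 60% to
    80%) while it is below 100%, otherwise expand the sample target set.  Trying the
    ratio first is an assumed order."""
    out = dict(params)
    if out["preset_ratio"] + ratio_step <= 1.0 + 1e-9:
        out["preset_ratio"] = round(out["preset_ratio"] + ratio_step, 2)
    else:
        out["sample_count"] = 2 * out["sample_count"]
    return out


# Constructed reply packets: a reliable copy answers exactly as the detected target does.
TARGET_REPLY = b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.6\r\nContent-Length: 0\r\n\r\n"
DRIFTED_REPLY = b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.29\r\nContent-Length: 0\r\n\r\n"


def sample_features(reply: bytes, ports=(22, 80)) -> AttributeFeature:
    """Constructed static attributes of one host, combined with the parsed reply."""
    return AttributeFeature("10.0.0.5", frozenset(ports), "00:11:22:33:44:55", "host-0001",
                            frozenset({"/etc", "/usr/lib"}), parse_response_features(reply))


if __name__ == "__main__":
    target = sample_features(TARGET_REPLY)
    print(check_target_copy(target, sample_features(TARGET_REPLY)))
    print(compare_features(target, sample_features(DRIFTED_REPLY)))
    print(optimize_policy_params({"preset_ratio": 0.6, "sample_count": 3}))
```

A copy that answers with a different server banner, or exposes a different set of ports, is exactly the case where detection on the copy would no longer stand in for detection on the detected target, so the check routes it to S17 instead of S13.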
A second exemplary embodiment of the present disclosure provides an apparatus for system vulnerability detection of a computer.
Fig. 11 schematically shows a block diagram of an apparatus for system vulnerability detection of a computer according to an embodiment of the present disclosure.
Referring to fig. 11, the apparatus 2 for detecting a system vulnerability of a computer according to the present embodiment includes: a detected object acquisition module 21, an object copy making module 22 and a vulnerability detection module 23.
The detected object obtaining module 21 is configured to obtain a detected object in a computer, where the detected object is in a file package.
The target copy making module 22 is configured to make a target copy of the detected target based on the policies in the policy set. The policy makes the vulnerability detection result of a copy of a sample target in the computer consistent with the vulnerability detection result of the sample target.
The vulnerability detection module 23 is configured to perform vulnerability detection on the target copy, so as to implement vulnerability detection on the detected target.
Fig. 12 is a block diagram schematically illustrating an apparatus for system vulnerability detection of a computer according to another embodiment of the present disclosure.
According to an embodiment of the present disclosure, referring to fig. 12, which is indicated by a dashed box, the apparatus 2 may include the following modules in addition to the detected object obtaining module 21, the object copy making module 22, and the vulnerability detecting module 23: policy set building module 20.
The policy set building module 20 is configured to build a policy, where the policy makes the vulnerability detection result of the copy of the sample target in the computer system consistent with the vulnerability detection result of the sample target.
According to an embodiment of the present disclosure, the apparatus 2 may further include: an attribute feature acquisition module 24, a target copy checking module 25, and a policy set optimization module 27.
The attribute feature acquiring module 24 is configured to acquire a first attribute feature of the detected target, where the first attribute feature is used to characterize a network security attribute of the detected target; and the system is also used for obtaining a second attribute characteristic of the target copy, wherein the second attribute characteristic is used for characterizing the network security attribute of the target copy.
The target copy checking module 25 is configured to check the reliability of the target copy according to whether the first attribute characteristic and the second attribute characteristic are consistent.
The policy set optimization module 27 is configured to optimize the policy in the policy set to make the target copy reliable if the first attribute characteristic and the second attribute characteristic are inconsistent.
FIG. 13 schematically shows a block diagram of a policy set building module according to an embodiment of the present disclosure.
Referring to fig. 13, the policy set building module 20 includes the following sub-modules: a sample target set obtaining sub-module 201, an initial model making sub-module 202, a model training sub-module 203 and a core file selecting sub-module 204.
The sample target set obtaining sub-module 201 is configured to obtain a sample target set in a computer. The sample target set comprises T sample targets of M different types, with T ≥ M ≥ 2; each type has at least one sample target, and the sample targets are in the form of file packages.
The initial modeling sub-module 202 is configured to, for each sample object in each of the M types, model an initial model, which is a duplicate of the sample object.
The model training sub-module 203 is configured to train the initial model of each sample target in each type to obtain a lightweight model of each sample target in each type.
The core file selection sub-module 204 is configured to select, for the lightweight models of all sample targets in each type, the files whose common ownership rate across those lightweight models is at or above a preset ratio as core files, the core files constituting the policy for that type.
Any number of modules, sub-modules, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules and sub-modules according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any number of the policy set construction module 20, the detected object acquisition module 21, the object copy making module 22, the vulnerability detection module 23, the attribute feature acquisition module 24, the object copy verification module 25 and the policy set optimization module 27 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the policy set construction module 20, the detected object acquisition module 21, the object copy making module 22, the vulnerability detection module 23, the attribute feature acquisition module 24, the object copy verification module 25, and the policy set optimization module 27 may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementation manners of software, hardware, and firmware, or by a suitable combination of any of them. Alternatively, at least one of the policy set construction module 20, the detected object acquisition module 21, the object copy making module 22, the vulnerability detection module 23, the attribute feature acquisition module 24, the object copy verification module 25 and the policy set optimization module 27 may be at least partially implemented as a computer program module that, when executed, may perform corresponding functions.
A third exemplary embodiment of the present disclosure provides an electronic apparatus. The electronic device includes: one or more processors; and storage means for storing one or more programs. Wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement any of the methods mentioned in the present disclosure.
Fig. 14 schematically shows a block diagram of an electronic device according to an embodiment of the present disclosure. Fig. 14 is only one example of an electronic device and should not bring any limitations to the function and scope of use of the disclosed embodiments.
As shown in fig. 14, the electronic device 5 according to the embodiment of the present disclosure includes a processor 501 that can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 502 or a program loaded from a storage section 508 into a random access memory (RAM) 503. The processor 501 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an application specific integrated circuit (ASIC)), among others. The processor 501 may also include onboard memory for caching purposes. The processor 501 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the disclosure.
In the RAM 503, various programs and data necessary for the operation of the electronic device 5 are stored. The processor 501, the ROM 502 and the RAM 503 are connected to each other by a bus 504. The processor 501 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 502 and/or the RAM 503. Note that the programs may also be stored in one or more memories other than the ROM 502 and the RAM 503. The processor 501 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in those one or more memories.
According to an embodiment of the present disclosure, the electronic device 5 may also include an input/output (I/O) interface 505, which is also connected to the bus 504. The electronic device 5 may also include one or more of the following components connected to the I/O interface 505: an input section 506 including a keyboard, a mouse and the like; an output section 507 including a display such as a cathode ray tube (CRT) or liquid crystal display (LCD), and a speaker; a storage section 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a local area network (LAN) card, a modem or the like. The communication section 509 performs communication processing via a network such as the internet. A drive 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 510 as necessary, so that a computer program read from it can be installed into the storage section 508 as needed.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program, when executed by the processor 501, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
A fourth exemplary embodiment of the present disclosure provides a computer-readable storage medium. The above-described computer-readable storage medium has stored thereon executable instructions that, when executed by a processor, cause the processor to implement any of the methods mentioned in the present disclosure. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
The computer-readable storage medium may be included in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable storage medium and the computer on which the detected object is located are two devices independent of each other, and the two devices can be electrically and/or communicatively connected with each other.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but not limited to: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 502 and/or the RAM 503 and/or one or more memories other than the ROM 502 and the RAM 503 described above.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (12)

1. A method of system vulnerability detection of a computer, the method comprising:
acquiring a detected target in the computer, wherein the detected target is in the form of a file package;
making a target copy of the detected target based on a policy in a policy set, wherein the policy keeps the vulnerability detection result of a copy of a sample target in the computer consistent with the vulnerability detection result of the sample target; and
carrying out vulnerability detection on the target copy so as to realize vulnerability detection on the detected target.
2. The method of claim 1, wherein the target copy is a lightweight copy or a replicated copy, the lightweight copy having a total number of files smaller than the total number of files of the detected target, and the replicated copy being a replicated version of the detected target.
3. The method of claim 2, wherein, when the target copy is a lightweight copy, the method further comprises: constructing a policy set, wherein the policy set comprises M policies for M different types of operating systems, M ≥ 2;
wherein the constructing of the policy set comprises:
acquiring a sample target set in the computer, wherein the sample target set comprises T sample targets of M different types, T ≥ M ≥ 2, each type has at least one sample target, and the sample targets are in the form of file packages;
for each sample target of each of the M types, making an initial model, the initial model being a replicated version of the sample target;
training the initial model of each sample target of each type to obtain a lightweight model of each sample target of each type, wherein the vulnerability detection result of the lightweight model is consistent with the vulnerability detection result of the initial model, and the lightweight model is a lightweight version obtained after at least one non-core file has been extracted from the initial model; and
selecting, for the lightweight models of all the sample targets of each type, the files whose rate of common occurrence across those lightweight models exceeds a preset proportion as core files, the core files forming the policy for that type.
4. The method of claim 3, wherein the training comprises: a basic training process, and cycling the basic training process;
the basic training process comprises: file extraction and verification of the extraction effect; the file extraction comprises: extracting files from an input model to obtain a residual model; the verification of the extraction effect comprises: measuring whether the vulnerability detection result of the residual model is consistent with the vulnerability detection result of the initial model; the input model of the first basic training is the initial model;
the cycling of the basic training process comprises:
in the case that the vulnerability detection results are consistent, using the residual model obtained in the last basic training as the input model, and performing file extraction and verification of the extraction effect again;
if the vulnerability detection results of R consecutive file extractions are consistent, R ≥ 2, and in the (R+1)-th file extraction the vulnerability detection result obtained by extracting any file is inconsistent, then the non-core files in the initial model have been extracted, and the residual model obtained after the 1st to R-th file extractions is used as the lightweight model.
5. The method of claim 4, wherein the cycling of the basic training process further comprises:
in the case that the vulnerability detection results are inconsistent, cancelling the file extraction performed on the last input model, and selecting a file that is independent of, or only partially overlaps with, the files extracted previously, so as to perform file extraction on the last input model again.
6. The method of claim 1, wherein the policy set includes M policies for M different types of operating systems, M ≥ 2, each of the M policies including core files that keep the vulnerability detection result of a copy of a sample target in the computer consistent with the vulnerability detection result of the sample target;
the making of the target copy of the detected target based on a policy in the policy set includes:
determining the policy to be adopted for the detected target according to the type of the operating system of the computer;
extracting the non-core files from the detected target based on the policy to be adopted, so that the core files are retained, to obtain a lightweight copy of the detected target; and
packaging, transcoding and re-expressing the lightweight copy of the detected target to obtain a target copy conforming to the expression form of the computer.
7. The method of claim 3, wherein the method further comprises:
acquiring a first attribute feature of the detected target, wherein the first attribute feature represents the network security attribute of the detected target;
acquiring a second attribute feature of the target copy, wherein the second attribute feature represents the network security attribute of the target copy; and
verifying the reliability of the target copy according to whether the first attribute feature and the second attribute feature are consistent.
8. The method of claim 7, wherein:
in the case that the first attribute feature and the second attribute feature are consistent, the target copy is regarded as reliable, and vulnerability detection is carried out on the reliable target copy; and
in the case that the first attribute feature and the second attribute feature are inconsistent, the target copy is regarded as unreliable, and the policies in the policy set are optimized so that the target copy becomes reliable.
9. The method of claim 8, wherein optimizing the policies comprises:
increasing the number of sample targets for the type of the operating system of the computer to obtain an expanded sample target set; and performing, for all sample targets of that type, the operations of making an initial model, training the initial model to obtain a lightweight model, and selecting core files from the lightweight models, to obtain an optimized policy;
or,
when training an initial model to obtain a lightweight model, continuing to train the lightweight model so as to extract more non-core files and obtain a more lightweight model; and selecting core files from the more lightweight models of all sample targets of that type to obtain an optimized policy;
or,
increasing the value of the preset proportion to obtain an optimized policy.
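As an added illustration of the claimed procedure (claims 1 and 3 to 9), and not code from the patent or its assignee, the Python below simulates the whole loop on constructed data: the greedy file-extraction training pass of claims 4 and 5, core-file selection by occurrence rate (claim 3), making the lightweight copy (claim 6), the reliability check of claims 7 and 8, and policy optimization by expanding the sample set (claim 9, first option). The package layout, the `toy_scanner` and its `VULNERABLE_VERSIONS` table, the sample targets, the `run` helper, and the use of a security-relevant component inventory as the "attribute feature" are all assumptions made for the example; real scanners, packages and attribute features will differ.

```python
"""Added example, not the patent's or its assignee's code: a runnable simulation
of the claimed lightweight-copy workflow on constructed data."""
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Package = Dict[str, str]                       # file path -> file contents
Scanner = Callable[[Package], FrozenSet[str]]  # package -> set of finding IDs

# Assumed scanner knowledge base: component -> versions reported as vulnerable.
VULNERABLE_VERSIONS: Dict[str, Set[str]] = {"openssl": {"1.0.2"}, "curl": {"7.50"}}


def inventory(pkg: Package) -> FrozenSet[str]:
    """Assumed 'attribute feature' (claims 7-8): component@version for every
    component the scanner knows about, read from <component>/VERSION files."""
    found: Set[str] = set()
    for path, content in pkg.items():
        component, _, name = path.partition("/")
        if name == "VERSION" and component in VULNERABLE_VERSIONS:
            found.add(f"{component}@{content.strip()}")
    return frozenset(found)


def toy_scanner(pkg: Package) -> FrozenSet[str]:
    """Constructed scanner: one finding ID per vulnerable component version."""
    findings: Set[str] = set()
    for entry in inventory(pkg):
        component, version = entry.split("@", 1)
        if version in VULNERABLE_VERSIONS[component]:
            findings.add(f"VULN-{component}")
    return frozenset(findings)


def train_lightweight(sample: Package, scan: Scanner) -> Package:
    """Claims 4-5: pull one file out at a time; keep the extraction if the scan
    result still equals the baseline, otherwise undo it and try another file.
    Stops when no remaining file can be removed (the R+1 step of claim 4)."""
    baseline = scan(sample)
    remaining = dict(sample)
    progress = True
    while progress:
        progress = False
        for path in sorted(remaining):
            candidate = {p: c for p, c in remaining.items() if p != path}
            if scan(candidate) == baseline:
                remaining, progress = candidate, True
    return remaining


def build_policy(samples: List[Package], scan: Scanner, ratio: float) -> Set[str]:
    """Claim 3: core files are those kept by more than `ratio` of the
    lightweight models of the sample targets of one operating-system type."""
    models = [train_lightweight(s, scan) for s in samples]
    counts: Dict[str, int] = {}
    for model in models:
        for path in model:
            counts[path] = counts.get(path, 0) + 1
    return {p for p, n in counts.items() if n / len(models) > ratio}


def make_copy(target: Package, core: Set[str]) -> Package:
    """Claim 6: keep only the core files (repacking and transcoding omitted)."""
    return {p: c for p, c in target.items() if p in core}


def copy_is_reliable(target: Package, copy: Package) -> bool:
    """Claims 7-8: trust the copy only if its attribute feature matches."""
    return inventory(target) == inventory(copy)


ELF = "\x7fELF"  # stand-in binary contents
# Constructed sample targets, all of one operating-system type.
SAMPLES: List[Package] = [
    {"openssl/VERSION": "1.0.2", "openssl/README": "r", "openssl/lib.so": ELF,
     "zlib/VERSION": "1.2.11", "zlib/README": "r", "bin/ls": ELF},
    {"openssl/VERSION": "1.0.2", "openssl/CHANGES": "c", "zlib/VERSION": "1.2.8",
     "bin/ls": ELF, "bin/cat": ELF},
    {"openssl/VERSION": "1.0.2", "curl/VERSION": "7.50", "curl/README": "r",
     "bin/ls": ELF},
]
# Constructed detected target: openssl patched, curl vulnerable.
TARGET: Package = {"openssl/VERSION": "1.1.1", "curl/VERSION": "7.50",
                   "curl/README": "r", "bin/ls": ELF}
# Extra samples in which curl is vulnerable (claim 9, first option).
EXTRA_SAMPLES: List[Package] = [{"curl/VERSION": "7.50", "bin/ls": ELF}] * 2


def run(samples: List[Package], target: Package, ratio: float = 0.5
        ) -> Tuple[Set[str], FrozenSet[str], FrozenSet[str], bool]:
    """Build the policy, make the copy, and return
    (core files, scan of target, scan of copy, copy reliable?)."""
    core = build_policy(samples, toy_scanner, ratio)
    copy = make_copy(target, core)
    return core, toy_scanner(target), toy_scanner(copy), copy_is_reliable(target, copy)


if __name__ == "__main__":
    print(run(SAMPLES, TARGET))                  # copy drops curl: unreliable
    print(run(SAMPLES + EXTRA_SAMPLES, TARGET))  # curl now core: reliable
```

In the first run `curl/VERSION` is kept by only one of the three lightweight models, which is not more than the 0.5 proportion, so the copy drops it; the copy's scan then misses the vulnerable curl that the full target's scan reports, and the check of claims 7 and 8 correctly rejects the copy. After two more samples in which curl is vulnerable, the file becomes core and the copy is accepted. Two practical points follow: a policy can only retain files that mattered for some sample, so coverage of the sample set bounds what the lightweight copy can ever reveal; and the reliability check only saves work if extracting the attribute feature is cheaper than scanning the target outright, which the claims do not specify.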
10. An apparatus of system vulnerability detection of a computer, the apparatus comprising:
a detected target obtaining module, configured to obtain a detected target in the computer, wherein the detected target is in the form of a file package;
a target copy making module, configured to make a target copy of the detected target based on a policy in a policy set, wherein the policy keeps the vulnerability detection result of a copy of a sample target in the computer consistent with the vulnerability detection result of the sample target; and
a vulnerability detection module, configured to carry out vulnerability detection on the target copy so as to realize vulnerability detection on the detected target.
11. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-9.
12. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1-9.
CN202010754892.XA 2020-07-30 2020-07-30 Method, device, electronic equipment and medium for detecting system loopholes of computer Active CN111859404B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010754892.XA CN111859404B (en) 2020-07-30 2020-07-30 Method, device, electronic equipment and medium for detecting system loopholes of computer

Publications (2)

Publication Number Publication Date
CN111859404A true CN111859404A (en) 2020-10-30
CN111859404B CN111859404B (en) 2023-09-05

Family

ID=72946133

Country Status (1)

Country Link
CN (1) CN111859404B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170111384A1 (en) * 2015-10-16 2017-04-20 SecludIT Method for detecting vulnerabilities in a virtual production server of a virtual or cloud computer system
CN106953860A (en) * 2017-03-20 2017-07-14 Tencent Technology (Shenzhen) Co., Ltd. Data scanning method and scanning server
CN109165508A (en) * 2018-07-25 2019-01-08 Anhui Sanshi Information Technology Service Co., Ltd. External device access security control system and control method thereof
CN109684836A (en) * 2017-10-18 2019-04-26 Kaspersky Lab AO System and method for detecting malicious files using a trained machine learning model

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant