CN112765613A - Vulnerability detection method and system for vehicle-mounted terminal system - Google Patents
- Publication number: CN112765613A (application number CN202110118777.8A)
- Authority: CN (China)
- Prior art keywords: vulnerability, information, attack, vehicle, attack mode
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention relates to a vulnerability detection method and system for a vehicle-mounted terminal system. The method comprises the following steps: collecting basic information of the vehicle-mounted terminal system; performing predicate analysis modeling, abstracting the basic information into predicate expression form, and generating log information in predicate form; analyzing the public vulnerability descriptions in the vulnerability information base to form vulnerability information in attack mode form; and running an attack mode instantiation algorithm over the log information in predicate form and the vulnerability information in attack mode form to generate a combined vulnerability report in attack graph form. The invention can detect not only a number of isolated vulnerabilities but also the combined vulnerabilities formed between them, thereby better ensuring the safety and reliability of the vehicle-mounted terminal system.
Description
Technical Field
The invention belongs to the field of software testing, and particularly relates to a vulnerability detection method and system for a vehicle-mounted terminal system.
Background
In recent years, internet of vehicles technology has developed rapidly, and more and more vehicles use vehicle-mounted terminal systems such as navigation, intelligent driving and Bluetooth music, making travel more convenient and faster. However, these emerging vehicle-mounted terminal systems have weak security protection, are directly connected to external systems and carry a variety of vulnerability risks; these vulnerabilities become the main targets of attackers and can cause not only loss of vehicle property but also threats to the life safety of vehicle users. Vulnerability detection technology for vehicle-mounted terminal systems, however, is still in its infancy.
Existing vulnerability detection technology is aimed mostly at PC (personal computer) targets and rarely at vehicle-mounted terminals, and it can only detect a number of isolated vulnerabilities. Vulnerabilities, however, are often connected, and once those connections are exploited by an unauthorized party to attack a host they cause great harm: the damage is not only concealed but also raises the probability that the attack succeeds. For example, suppose a vehicle-mounted terminal system has a vulnerability A that lets a remote visitor raise their authority to that of an ordinary user of the system; the visitor can only look up some ordinary data and cannot access further system resources, so the threat of vulnerability A alone is negligible. If, however, the system also has a vulnerability B that can promote an ordinary user to root, the remote visitor may obtain root authority over the system and thus reach its more important data. The consequence of vulnerability A (promoting the visitor to user rights) is amplified by vulnerability B; this is a combined vulnerability, written A -> B, which can have far more serious consequences.
Disclosure of Invention
In view of the above technical problems, the present invention provides a method and a system for detecting a vulnerability of a vehicle-mounted terminal system, which can better detect a combined vulnerability.
The technical scheme for solving the technical problems is as follows:
in a first aspect, the present invention provides a vulnerability detection method for a vehicle-mounted terminal system, including:
collecting basic information of a vehicle-mounted terminal system;
performing predicate analysis modeling, abstracting the basic information into a predicate expression form, and generating the log information in the predicate form;
analyzing the public vulnerability descriptions in the vulnerability information base to form vulnerability information in an attack mode form;
and realizing an attack mode instantiation algorithm according to the log information in the predicate form and the vulnerability information in the attack mode form, and generating a combined vulnerability report in the attack graph form.
Further, the collecting of the basic information of the vehicle-mounted terminal system specifically includes:
injecting a vulnerability into the vehicle-mounted terminal system over TCP (Transmission Control Protocol), and acquiring the existing vulnerabilities and open ports returned by the vehicle-mounted terminal system;
using the Nmap scanning tool to designate a target node, sending a UDP (User Datagram Protocol) based request to the vehicle-mounted terminal system, and acquiring the information on the services running on the node host returned by the vehicle-mounted terminal system;
and sending a request to the vehicle-mounted terminal system using SNMP (Simple Network Management Protocol), and acquiring the network topology information related to the designated node returned by the vehicle-mounted terminal system.
Further, the performing predicate analysis modeling specifically includes: performing predicate modeling in the form of a structured data structure.
Further, the analyzing the public vulnerability descriptions in the vulnerability information base to form vulnerability information in an attack mode form specifically includes:
extracting the preconditions and the consequences of each vulnerability in the vulnerability information base, and extracting the common points of the preconditions and consequences of the vulnerabilities to form vulnerability information in attack mode form.
Further, the description form of the vulnerability information is <Name, Class, Vuls, Var, Pre, Eff>, where Name is the name of the attack mode; the Vuls set comprises all the vulnerabilities that the attack mode can exploit; Var is a variable set, each variable of which is represented by a vector <v, t>, where v is an argument and t is the type to which the argument belongs, one of: host IP, service name, vulnerability name, protocol, port number and file access authority; Pre and Eff represent, respectively, the preconditions under which the attack mode can be exploited and the consequences for the host.
Further, the implementing an attack mode instantiation algorithm according to the log information and the vulnerability information to generate a combined vulnerability report in the form of an attack graph specifically includes:
matching the premises of the vulnerability information in attack mode form against the log information in predicate form, and instantiating the vulnerability information in attack mode form if the match succeeds; if the consequence of that attack mode is a premise of another attack mode, associating the two; repeating in this way until an atomic attack set with a directed graph structure is finally formed, generating the attack graph, outputting the combined vulnerability result, and completing the vulnerability detection.
Further, the implementing an attack mode instantiation algorithm according to the log information and the vulnerability information to generate a combined vulnerability report in the form of an attack graph further includes:
if the matching fails, terminating the instantiation of that attack mode without instantiating its remaining premises.
In a second aspect, the present invention provides a vulnerability detection system for a vehicle-mounted terminal system, including:
the log collection module is used for collecting basic information of the vehicle-mounted terminal system;
the structured modeling module is used for executing predicate analysis modeling, abstracting the basic information into a predicate expression form and generating the log information in the predicate form;
the vulnerability database module is used for analyzing the public vulnerability descriptions in the vulnerability information base to form vulnerability information in an attack mode form;
and the attack graph construction module is used for realizing an attack mode instantiation algorithm according to the log information in the predicate form and the vulnerability information in the attack mode form and generating a combined vulnerability report in the attack graph form.
Further, the log collection module is specifically configured to:
injecting a vulnerability into the vehicle-mounted terminal system over TCP (Transmission Control Protocol), and acquiring the existing vulnerabilities and open ports returned by the vehicle-mounted terminal system;
using the Nmap scanning tool to designate a target node, sending a UDP (User Datagram Protocol) based request to the vehicle-mounted terminal system, and acquiring the information on the services running on the node host returned by the vehicle-mounted terminal system;
and sending a request to the vehicle-mounted terminal system using SNMP (Simple Network Management Protocol), and acquiring the network topology information related to the designated node returned by the vehicle-mounted terminal system.
Further, the structured modeling module is specifically configured to: perform predicate modeling in the form of a structured data structure.
Further, the vulnerability database module is specifically configured to:
extract the preconditions and the consequences of each vulnerability in the vulnerability information base, and extract the common points of the preconditions and consequences of the vulnerabilities to form vulnerability information in attack mode form.
Further, the description form of the vulnerability information is <Name, Class, Vuls, Var, Pre, Eff>, where Name is the name of the attack mode; the Vuls set comprises all the vulnerabilities that the attack mode can exploit; Var is a variable set, each variable of which is represented by a vector <v, t>, where v is an argument and t is the type to which the argument belongs, one of: host IP, service name, vulnerability name, protocol, port number and file access authority; Pre and Eff represent, respectively, the preconditions under which the attack mode can be exploited and the consequences for the host.
Further, the attack graph construction module is specifically configured to:
match the premises of the vulnerability information in attack mode form against the log information in predicate form, and instantiate the vulnerability information in attack mode form if the match succeeds; if the consequence of that attack mode is a premise of another attack mode, associate the two; repeat in this way until an atomic attack set with a directed graph structure is finally formed, generate the attack graph, output the combined vulnerability result, and complete the vulnerability detection.
Further, the attack graph construction module is specifically further configured to:
if the matching fails, terminate the instantiation of that attack mode without instantiating its remaining premises.
In a third aspect, the present invention provides a terminal device, including:
a processor; and
a memory having executable code stored thereon, which when executed by the processor, causes the processor to perform the above method.
In a fourth aspect, the present invention provides a non-transitory machine-readable storage medium having stored thereon executable code which, when executed by a processor of an electronic device, causes the processor to perform the above-described method.
The invention has the beneficial effects that: on the basis of a dynamic analysis technology, a vulnerability information base in an attack mode form is designed, predicate analysis modeling is carried out on basic information in the system, vulnerability information of the vulnerability information base is matched, an attack graph is constructed, and a relation between vulnerabilities, namely combination vulnerabilities, is obtained, so that the safety and the reliability of the vehicle-mounted terminal system are better guaranteed.
Drawings
FIG. 1 is a diagram of the Nessus architecture;
fig. 2 is an operation schematic diagram of a vulnerability detection system for a vehicle-mounted terminal system according to an embodiment of the present invention;
fig. 3 is a flowchart of an implementation of an instantiated attack pattern algorithm according to an embodiment of the present invention.
Detailed Description
The principles and features of this invention are described below in conjunction with the following drawings, which are set forth by way of illustration only and are not intended to limit the scope of the invention.
Existing vulnerability detection technology is aimed mostly at PC (personal computer) targets and rarely at vehicle-mounted terminals, and can only detect a number of isolated vulnerabilities. It consists mainly of static analysis technology and dynamic debugging technology. Static analysis analyzes the system's program source code, finds incorrectly designed function calls and returns, and typically addresses hazards such as buffer overflows and privilege escalation caused by program design problems; dynamic debugging injects a vulnerability directly into the running system service for testing, so that the system exposes its existing problems, and matches vulnerability library information to determine whether a vulnerability exists. The vulnerability detection tool Nessus is an example.
Nessus is a network vulnerability scanning system. It consists of five parts:
(1) Scanning engine: the scanning engine selects the corresponding data packets or scanning plug-ins according to the scanning strategy set by the user, comprehensively scans the target system and discovers the security vulnerabilities in it. It is the main component of the scanner.
(2) User configuration console: through the console the user sets the target system to be scanned and the scanning strategy to be employed. Typically the console is a client program or a web browser.
(3) Scanning knowledge base: the scanning knowledge base monitors the currently active scan, provides the scanning engine with information on the vulnerabilities to be scanned for, and receives the scan results returned by the scanning engine.
(4) Vulnerability database (or scanning method library): the vulnerability database comprises vulnerability information for various operating systems together with instructions for detecting the vulnerabilities, and is built from security experts' analysis of security vulnerabilities and hacker attack cases on network systems and from system administrators' practical experience with network security configuration. The scanning method library (plug-in library) contains simulated attack methods for the various vulnerabilities. Which database is used depends on the vulnerability detection technique adopted: rule-based matching uses the vulnerability database, while the simulated attack method (i.e. the plug-in technique) uses the scanning method library.
(5) Results storage and report generation tool: generates the scan report from the scan results in the scanning knowledge base and stores it. The architecture of the Nessus vulnerability scanning tool is shown in FIG. 1.
Static analysis technology has large limitations: it can only detect bugs related to program design, cannot detect the threat posed by vulnerabilities while services are running in the system, and can only analyze source programs, so it cannot examine closed-source programs. Compared with static analysis, dynamic debugging can detect more vulnerabilities, but it can only detect isolated vulnerabilities in the system and cannot properly detect the combined vulnerabilities that cause greater harm.
The invention provides a vulnerability detection method and system. Aimed at vehicle-mounted terminal systems, the system designs a vulnerability information base in attack mode form on the basis of dynamic analysis technology, performs Predicate analysis modeling of the basic information in the system, matches it against the vulnerability information of the vulnerability information base, and constructs an attack graph to obtain the relations between vulnerabilities, namely the combined vulnerabilities.
Fig. 2 is an operation schematic diagram of a vulnerability detection system for a vehicle-mounted terminal system according to an embodiment of the present invention, and as shown in fig. 2, the system includes:
the log collection module is used for collecting basic information of the vehicle-mounted terminal system;
Specifically, the invention aims at detecting vulnerabilities of the vehicle-mounted terminal system within the vehicle-mounted terminal environment, which contains several vehicle-mounted terminal systems to be tested. In the narrow sense, the vehicle-mounted terminal system is the in-vehicle infotainment system (IVI) that provides interactive functions such as navigation and music playback; in the broad sense, from a technical perspective, it is the complex system formed by the electronic units on the automobile with computing, transmission, storage and similar functions. Besides the IVI, the system also comprises important parts such as Bluetooth, Wi-Fi, the cellular network, the Electronic Control Units (ECUs) and the CAN bus. The CAN bus is the internal communication bus that connects components such as the ECUs and the IVI and is responsible for transmitting instructions to each component, which completes the final task; an ECU computes on the information transmitted over CAN according to its internal program and sends the result to an actuator. The IVI interacts directly with external networks through Wi-Fi and the mobile cellular network, so it is the most likely to have vulnerabilities, and the method mainly detects vulnerabilities of the IVI.
As shown in fig. 2, the log collection module collects basic information on the vehicle-mounted terminal system, including the system's services, open ports, IP addresses, user permissions and existing isolated vulnerabilities. This information provides the input for the subsequent structured modeling and for the detection of combined vulnerabilities. The method uses the vulnerability scanning tool Nessus to inject vulnerabilities into the vehicle-mounted terminal system over TCP (Transmission Control Protocol), acquiring and returning the existing vulnerabilities and open ports in the system; uses the Nmap scanning tool to specify a target node and send a UDP-based request, returning information on the services running on the node host; and sends a request to the vehicle-mounted terminal system using SNMP (Simple Network Management Protocol), returning network topology information related to the specified node, such as host addresses.
And the structured modeling module is used for executing predicate analysis modeling, abstracting the basic information into a predicate expression form and generating the log information in the predicate form.
Specifically, the structured modeling module abstracts and describes the collected basic information of the vehicle-mounted terminal system so that it can be matched against attack modes, the vulnerabilities that can form a combined vulnerability are detected, and the construction complexity is greatly reduced. To describe the basic information of the vehicle-mounted terminal system formally, the invention models it with predicates, abstracting the basic information into predicate form; for example, vulExists(h: HostID, sn: ServiceName, cveId: VulID) states that service sn on host h has vulnerability cveId.
The vulnerability database module is used for analyzing the public vulnerability descriptions in the vulnerability information base to form vulnerability information in an attack mode form.
Specifically, the vulnerability database module comprises a vulnerability information base and a vulnerability knowledge base. The vulnerability information base is an open vulnerability database that stores all currently known CVE vulnerability information. The vulnerability knowledge base stores vulnerability information in attack pattern form obtained by analyzing and modeling the vulnerability information in the vulnerability information base. An attack pattern is formed, on the basis of analyzing a large amount of vulnerability information, by extracting the 'precondition' and 'consequence' of each vulnerability's occurrence and then extracting what they have in common, giving an abstract form for describing vulnerabilities. An attack pattern is not the description of one vulnerability but of a class of vulnerabilities. Each attack pattern is described by <Name, Class, Vuls, Var, Pre, Eff>. Name is the name of the attack pattern; the Vuls set comprises all the vulnerabilities the attack pattern can exploit, and if the Class value is β then Vuls is Φ (empty); Var is the set of variables, each represented by a vector <v, t>, where v is an argument and t is the type to which the argument belongs: Host (host IP), ServiceName, CveID (vulnerability name), Protocol, Port or Access. For example, <8080, Port> denotes port number 8080 and <mysql, ServiceName> denotes that the system runs the mysql service; Pre and Eff represent, respectively, the preconditions under which the attack pattern can be exploited and the consequences for the host.
For example, Table 1 is the attack pattern description of "memory overflow leads to obtaining system ROOT rights". Root_buff is the name of the attack pattern; Vuls records that the pattern is abstracted from vulnerabilities such as CVE-2003-0245 and CVE-2006-2372; Var lists all the variables of the attack pattern, where s and d denote the source and destination host respectively, sn the service running on the host, cveId the vulnerability ID, pro the protocol used (for example TCP) and port the open port number; Pre states the premises under which this attack pattern can arise: ① the destination host d runs service sn using protocol pro on open port port; ② the service sn running on destination host d has vulnerability cveId; ③ the source host s and the destination host d can communicate over protocol pro on the open port port; ④ the attacker can execute on the source host s with ROOT authority; Eff states the consequences the attack pattern can produce: ① the attacker obtains ROOT authority on destination host d; ② service sn on destination host d is denied service.
TABLE 1 memory overflow results in obtaining system ROOT authority
And the attack graph construction module is used for realizing an attack mode instantiation algorithm according to the log information in the predicate form and the vulnerability information in the attack mode form and generating a combined vulnerability report in the attack graph form.
Specifically, the attack graph construction module matches the precondition (Pre) of each attack mode against the predicate-form information in the target environment obj; if the precondition matches, the attack mode is instantiated. The consequence (Eff) of that attack mode may be the precondition of other attack modes, i.e. the result caused by one vulnerability is the premise of another, so the vulnerabilities become associated. This loop is repeated until an atomic attack set with a directed graph structure is finally formed, the attack graph is generated, the combined vulnerability result is output and the vulnerability detection is complete.
The invention provides a vulnerability detection method for a vehicle-mounted terminal system, which comprises the following steps:
Step 1, collecting basic information of the vehicle-mounted terminal system.
Specifically, all the work of the invention is completed on one working machine, and the basic information of the vehicle-mounted terminal system, including the services used on the current system, the open ports, the system IP address, the existing isolated vulnerabilities of the system and so on, is collected through the log collection module. The vulnerability scanning tool Nessus sends TCP (Transmission Control Protocol) ACK requests to detect the open ports in the system and return the port information, then injects a vulnerability into the open ports over TCP to expose and return the system's vulnerability information; the Nmap scanning tool specifies a target node and sends a UDP-based request, returning information on the services running on the node host; and an SNMP (Simple Network Management Protocol) request is sent to the vehicle-mounted terminal system, returning network topology information related to the specified node, such as host addresses. These pieces of information are collected together in the basic_logs directory of the working machine as the input to step 2.
Step 2, performing predicate analysis modeling, abstracting the basic information into predicate expression form, and generating the log information in predicate form.
Specifically, in the structured modeling module, the basic information obtained in step 1 is taken as input, predicate analysis modeling is performed, and basic information such as the vulnerabilities existing in the system, the open ports and the running services is abstracted into predicate expression form, which is used as the input to step 4.
The predicate modeling adopts a structured data structure: the basic information is abstracted into 7 predicates, and each predicate is designed as a struct in the data structure so that it can be displayed and used more clearly; for example the struct vulExists comprises the member variables h, sn and cveId, the last of type VulID. The specific structs designed are shown in Table 2.
TABLE 2 predicate description
Step 3, analyzing the public vulnerability descriptions in the vulnerability information base to form vulnerability information in an attack mode form.
Specifically, in the vulnerability database module, the public vulnerability descriptions in the vulnerability information base are analyzed to form vulnerability descriptions in attack mode form. An attack mode is formed, on the basis of analyzing a large amount of vulnerability information, by extracting the 'precondition' and 'consequence' of each vulnerability's occurrence and then extracting what they have in common, giving an abstract form for describing vulnerabilities. Each attack mode is described by <Name, Class, Vuls, Var, Pre, Eff>, is stored in the vulnerability knowledge base, and serves as input to step 4.
Step 4, implementing the attack mode instantiation algorithm on the log information in predicate form and the vulnerability information in attack mode form, and generating a combined vulnerability report in attack graph form.
Fig. 3 shows a flowchart of the attack pattern instantiation algorithm, which proceeds as follows:
In S201, traverse each predicate f in the target environment obj;
In S202, initialize the atomic attack set Ack_f on f to ∅; AP.Pre denotes the preconditions of the attack mode to be instantiated, and the predicate f must be contained in AP.Pre;
In S203, for the predicate f, traverse each attack mode AP in the vulnerability information base; when the traversal is finished, return to S201;
In S204, judge whether AP.Pre matches f; if so, execute S205, otherwise return to S203 and continue traversing the attack modes;
In S205, initialize an atomic attack Ack = ∅;
In S206, obtain the value range Φ_f = Domain(AP, f) of the attack mode AP with respect to f. The value range Φ_f is the set of preconditions of the attack mode AP other than the precondition that matches f;
In S207, traverse Φ_f and judge whether every value λ in it is present in the target environment obj; if so, execute S208, otherwise return to S203;
In S208, instantiate the attack mode, setting Ack.Pre = Φ_f ∪ {f} and Ack.Eff = AP.Eff;
In S209, let Ack_f = Ack_f ∪ {Ack} and add Ack.Eff to the target environment obj, since this consequence may be the premise of other vulnerabilities and thereby form a combined vulnerability; then return to S203;
Steps S201 to S209 are repeated until the algorithm terminates, and the atomic attack set is output.
The invention provides a vulnerability detection method and system for a vehicle-mounted terminal system that, on the basis of dynamic analysis, detects not only multiple isolated vulnerabilities but also the combined vulnerabilities formed among them, so that the safety and reliability of the vehicle-mounted terminal system are better ensured.
It should be noted that combined vulnerabilities are detected by constructing an attack graph, for which the key techniques are target environment modeling and vulnerability knowledge base construction. Existing approaches to these include AGML modeling, the LAMBDA modeling language and the Horn modeling language; the invention instead adopts predicate analysis modeling and attack mode construction. Compared with those methods, the modeling technique proposed by the invention reduces the complexity of modeling.
The reader should understand that in the description of this specification, reference to the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the various embodiments or examples and the features of different embodiments or examples described in this specification can be combined by one skilled in the art without contradiction.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the modules and units in the above described system embodiment may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other media capable of storing program code.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. A vulnerability detection method for a vehicle-mounted terminal system is characterized by comprising the following steps:
collecting basic information of a vehicle-mounted terminal system;
performing predicate analysis modeling, abstracting the basic information into a predicate expression form, and generating the log information in the predicate form;
analyzing the vulnerability description opened in the vulnerability information base to form vulnerability information in an attack mode form;
and realizing an attack mode instantiation algorithm according to the log information in the predicate form and the vulnerability information in the attack mode form, and generating a combined vulnerability report in the attack graph form.
2. The method according to claim 1, wherein the collecting of the basic information of the vehicle-mounted terminal system specifically comprises:
injecting a vulnerability into the vehicle-mounted terminal system using TCP (Transmission Control Protocol), and acquiring the existing vulnerabilities and open ports returned by the vehicle-mounted terminal system;
using the Nmap scanning tool to designate a target node, sending UDP (User Datagram Protocol) requests to the vehicle-mounted terminal system, and acquiring the service information of the running node host returned by the vehicle-mounted terminal system;
and sending requests to the vehicle-mounted terminal system using SNMP (Simple Network Management Protocol), and acquiring the network topology information related to the designated node returned by the vehicle-mounted terminal system.
3. The method of claim 1, wherein performing predicate analysis modeling specifically comprises: performing predicate modeling using a structured data type.
4. The method according to claim 1, wherein the analyzing the vulnerability description opened in the vulnerability information base to form vulnerability information in an attack mode form specifically comprises:
extracting the preconditions and the consequences of each vulnerability in the vulnerability information base, and extracting the common points of the preconditions and consequences of each vulnerability to form vulnerability information in attack mode form.
5. The method of claim 4, wherein the vulnerability information is described in the form < Name, Class, Vuls, Var, Pre, Eff >, wherein Name is the name of the attack mode; the Vuls set comprises all the vulnerabilities which can be exploited by the attack mode; Var is a variable set, each variable of which is represented by a vector < v, t >, where v is an argument and t is the type to which the argument belongs, the types including: host IP, service name, vulnerability name, protocol, port number and file access authority; Pre and Eff represent, respectively, the preconditions under which the attack mode can be exploited and its consequences, i.e. the preconditions that must hold and the consequences for the host.
6. The method according to claim 5, wherein the implementing an attack pattern instantiation algorithm according to the log information and the vulnerability information to generate a combined vulnerability report in the form of an attack graph specifically comprises:
matching the premises in the vulnerability information in attack mode form against the log information in predicate form, and instantiating the vulnerability information in attack mode form if the matching succeeds; if the consequence of that vulnerability information is the premise of vulnerability information in another attack mode form, associating the two; repeating this cycle until an atomic attack set with a directed graph structure is formed; and generating the attack graph, outputting the combined vulnerability result, and completing the vulnerability detection.
7. The method according to claim 6, wherein the implementing an attack pattern instantiation algorithm according to the log information and the vulnerability information to generate a combined vulnerability report in the form of an attack graph further comprises:
if the matching fails, terminating the instantiation process of the attack mode, and not instantiating the rest of premises in the vulnerability information in the attack mode.
8. A vulnerability detection system for a vehicle-mounted terminal system, characterized by comprising:
the log collection module is used for collecting basic information of the vehicle-mounted terminal system;
the structured modeling module is used for executing predicate analysis modeling, abstracting the basic information into a predicate expression form and generating the log information in the predicate form;
the vulnerability database module is used for analyzing the vulnerability description opened in the vulnerability information base to form vulnerability information in an attack mode form;
and the attack graph construction module is used for realizing an attack mode instantiation algorithm according to the log information in the predicate form and the vulnerability information in the attack mode form and generating a combined vulnerability report in the attack graph form.
9. A terminal device, comprising:
a processor; and
a memory having executable code stored thereon, which when executed by the processor, causes the processor to perform the method of any one of claims 1-7.
10. A non-transitory machine-readable storage medium having executable code stored thereon, wherein the executable code, when executed by a processor of an electronic device, causes the processor to perform the method of any of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110118777.8A CN112765613A (en) | 2021-01-28 | 2021-01-28 | Vulnerability detection method and system for vehicle-mounted terminal system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112765613A true CN112765613A (en) | 2021-05-07 |
Family
ID=75706433
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110118777.8A Pending CN112765613A (en) | 2021-01-28 | 2021-01-28 | Vulnerability detection method and system for vehicle-mounted terminal system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112765613A (en) |
- 2021-01-28 CN CN202110118777.8A patent/CN112765613A/en active Pending
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1694454A (en) * | 2005-05-10 | 2005-11-09 | 西安交通大学 | Active network safety loophole detector |
CN108933793A (en) * | 2018-07-24 | 2018-12-04 | 中国人民解放军战略支援部队信息工程大学 | The attack drawing generating method and its device of knowledge based map |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113438225A (en) * | 2021-06-23 | 2021-09-24 | 江苏智能网联汽车创新中心有限公司 | Vehicle-mounted terminal vulnerability detection method, system, equipment and storage medium |
CN113792296A (en) * | 2021-08-24 | 2021-12-14 | 中国电子科技集团公司第三十研究所 | Vulnerability combination method and system based on clustering |
CN113792296B (en) * | 2021-08-24 | 2023-05-30 | 中国电子科技集团公司第三十研究所 | Cluster-based vulnerability combining method and system |
CN114003301A (en) * | 2021-09-15 | 2022-02-01 | 惠州市德赛西威智能交通技术研究院有限公司 | Vehicle-mounted terminal information safety protection software configuration method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||