CN113051571A - Method and device for detecting false alarm vulnerability and computer equipment - Google Patents


Info

Publication number
CN113051571A
Authority
CN
China
Prior art keywords
information
vulnerability
false positive
suspected
false
Prior art date
Legal status
Granted
Application number
CN201911374600.3A
Other languages
Chinese (zh)
Other versions
CN113051571B (en)
Inventor
陈珍文
贺嘉
陶亚勋
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Henan Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Henan Co Ltd
Priority date
Filing date
Publication date
Events
Application filed by China Mobile Communications Group Co Ltd and China Mobile Group Henan Co Ltd
Priority to CN201911374600.3A
Publication of CN113051571A
Application granted
Publication of CN113051571B
Legal status: Active
Anticipated expiration

Classifications

    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50  Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57  Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577  Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The embodiment of the invention provides a method and a device for detecting false-positive vulnerabilities, and computer equipment. The method comprises: acquiring first suspected false-positive vulnerability information; determining the security type corresponding to the first suspected false-positive vulnerability information; determining a situation coefficient of that security type; and, when the situation coefficient is smaller than a first preset threshold and the difference between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold, determining that the first suspected false-positive vulnerability information is false-positive vulnerability information. The embodiment thereby addresses the prior-art problem that a large amount of time, and hence manpower and material resources, is spent verifying the vulnerabilities in a vulnerability scanning report one by one in order to eliminate false positives, and improves the efficiency of false-positive vulnerability detection.

Description

Method and device for detecting false alarm vulnerability and computer equipment
Technical Field
The invention relates to the technical field of mobile communication, and in particular to a method and a device for detecting false-positive vulnerabilities, and to computer equipment.
Background
At present, security vulnerabilities may exist in the operating systems, middleware, databases and the like on which the stable operation of a service support network depends. Such vulnerabilities may leak background data and, in severe cases, paralyse an important service system, so vulnerability scanning of these operating systems, middleware and databases is very important.
Although a vulnerability scanning tool can discover potential security risks in the operating systems, middleware, databases and the like on which the service support network depends, the vulnerability scanning report produced by the tool may contain a considerable number of false-positive vulnerabilities.
Verifying whether a vulnerability in a scanning report is a false positive, however, generally requires a tester with some knowledge of the principles behind the various vulnerabilities and of the scanning process, which places high demands on the tester's skill; the tester must also spend a large amount of time verifying the vulnerabilities in the report one by one to eliminate the false positives, wasting a large amount of manpower and material resources.
Disclosure of Invention
The embodiment of the invention aims to provide a method, a device and computer equipment for detecting false-positive vulnerabilities, so as to solve the prior-art problem that vulnerability scanning reports contain a large number of false-positive vulnerabilities and that a large amount of time is needed to manually verify the vulnerabilities in the scanning report one by one in order to eliminate them, wasting a large amount of manpower and material resources.
In order to solve the above technical problem, the embodiment of the present invention is implemented as follows:
In a first aspect, an embodiment of the present invention provides a method for detecting a false-positive vulnerability, including:
acquiring first suspected false-positive vulnerability information;
determining a security type corresponding to the first suspected false-positive vulnerability information;
determining a situation coefficient of the security type; and
when the situation coefficient is smaller than a first preset threshold and the difference between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold, determining that the first suspected false-positive vulnerability information is false-positive vulnerability information.
In a second aspect, an embodiment of the present invention provides a device for detecting a false-positive vulnerability, including:
a first acquisition module, configured to acquire first suspected false-positive vulnerability information;
a first determining module, configured to determine a security type corresponding to the first suspected false-positive vulnerability information;
a second determining module, configured to determine a situation coefficient of the security type; and
a third determining module, configured to determine that the first suspected false-positive vulnerability information is false-positive vulnerability information when the situation coefficient is smaller than a first preset threshold and the difference between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold.
In a third aspect, an embodiment of the present invention provides computer equipment including a processor, a communication interface, a memory and a communication bus; the processor, the communication interface and the memory communicate with one another through the bus; the memory stores a computer program; and the processor is configured to execute the program stored in the memory so as to implement the steps of the method for detecting a false-positive vulnerability according to the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the method for detecting a false-positive vulnerability according to the first aspect are implemented.
In the method, device and computer equipment for detecting false-positive vulnerabilities disclosed by the embodiment of the invention, the first suspected false-positive vulnerability information is acquired, its security type is determined, and the situation coefficient of that security type is determined; when the situation coefficient is smaller than a first preset threshold and the difference between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold, the first suspected false-positive vulnerability information is determined to be false-positive vulnerability information. By determining false-positive vulnerability information in this way, conditioned on the situation coefficient of the security type being below the preset threshold, the embodiment solves the prior-art problem that a large amount of time is spent manually verifying the vulnerabilities in a vulnerability scanning report one by one to eliminate false positives, wasting a large amount of manpower and material resources, and improves the efficiency of false-positive vulnerability detection.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only some embodiments described in the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a first flowchart of a method for detecting a false-positive vulnerability according to an embodiment of the present invention;
fig. 2 is a second flowchart of a method for detecting a false-positive vulnerability according to an embodiment of the present invention;
fig. 3 is a third flowchart of a method for detecting a false-positive vulnerability according to an embodiment of the present invention;
fig. 4 is a fourth flowchart of a method for detecting a false-positive vulnerability according to an embodiment of the present invention;
fig. 5 is a fifth flowchart of a method for detecting a false-positive vulnerability according to an embodiment of the present invention;
fig. 6 is a schematic diagram of the module composition of a device for detecting a false-positive vulnerability according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of computer equipment according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a method and a device for detecting false-positive vulnerabilities, and computer equipment.
In order that those skilled in the art may better understand the technical solution of the present invention, the technical solution in the embodiment of the present invention is described clearly and completely below with reference to the drawings of the embodiment. Obviously, the described embodiment is only a part of the embodiments of the present invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
As shown in fig. 1, the execution subject of the method may be a server, which may be an independent server or a server cluster composed of multiple servers. The server is able to detect whether vulnerability information in an obtained vulnerability scanning report is false-positive vulnerability information, so the method automatically detects whether vulnerability information in a vulnerability scanning report is a false positive. The method may specifically comprise the following steps:
in S101, first suspected false positive vulnerability information is obtained.
The first suspected false-positive vulnerability information may be suspected false-positive vulnerability information in a plurality of vulnerability information included in the acquired vulnerability scanning report. The vulnerability scanning report may be vulnerability scanning result information obtained by a third-party vulnerability scanning tool. For example, the vulnerability scanning report may be network vulnerability scanning result information obtained by a network vulnerability scanner scanning a specified network interface of a scanned device. Or, the vulnerability scanning report may be database scanning result information obtained by the database vulnerability scanner scanning the database of the scanned device. Alternatively, the vulnerability scanning report may also be scanning result information obtained by scanning the operating system of the scanned device by the operating system vulnerability scanner. Alternatively, the vulnerability scanning report may also be scanning result information obtained by the host vulnerability scanner scanning the host of the scanned device. Or, the vulnerability scanning report may also be vulnerability scanning result information obtained by scanning the middleware of the scanned device by the middleware vulnerability scanner.
In implementation, because security holes may exist in an operating system, a middleware, a database, and the like, which are relied on by the stable operation of the service support network, and these holes may cause background data leakage and may cause a breakdown of an important service system in a severe case, it is very important to perform hole scanning on the operating system, the middleware, the database, and the like, which are relied on by the stable operation of the service support network. At present, potential safety hazards existing in an operating system, middleware, a database and the like which are relied on by the stable operation of a business support network can be found by utilizing a vulnerability scanning tool, but a considerable number of false alarm vulnerabilities may exist in vulnerability scanning reports obtained by the vulnerability scanning tool. However, to verify whether a bug in a bug scanning report is a false-positive bug, a tester is often required to have certain knowledge about various bug principles and scanning bugs, which puts higher requirements on the capability of the tester, and the tester is required to spend a large amount of time to verify the bugs in the bug scanning report one by one to eliminate the false-positive bugs, thereby wasting a large amount of manpower and material resources. Therefore, the embodiments of the present invention provide a technical solution to solve the above problems, and refer to the following contents.
Taking the example that the server acquires the first suspected false alarm vulnerability information through the third-party vulnerability scanning tool, the server may acquire address information of the third-party vulnerability scanning tool in advance, send instruction information for acquiring a scanning report to the third-party vulnerability scanning tool through the acquired address information, and after receiving the instruction information, the third-party vulnerability scanning tool returns a vulnerability scanning report generated after scanning the scanned device to the server. And then, the server analyzes and processes the acquired vulnerability scanning report and screens out first suspected false-positive vulnerability information.
In S102, the security type corresponding to the first suspected false-positive vulnerability information is determined.
The security types comprise one or more of the code class, the configuration class, the password class, the communication class and the attack class.
In implementation, the server may obtain, according to the address information of the scanned device in the acquired vulnerability scanning report, the data packets generated by each service of the scanned device within a preset time period, and group those data packets by the code, configuration, password, communication and attack classes. Then, according to the identification information of the first suspected false-positive vulnerability information, the server finds the corresponding vulnerability description information in the vulnerability scanning report and analyses it to obtain the security type corresponding to the first suspected false-positive vulnerability information.
In S103, the situation coefficient of the security type is determined.
The situation coefficient reflects how much the security type corresponding to the first suspected false-positive vulnerability information is currently affecting the network. A smaller situation coefficient indicates a lower probability that this security type presents a network security threat, that is, a lower probability that the scanned object is being attacked; a larger situation coefficient indicates a higher probability of a threat from this security type, that is, a higher probability that the scanned object is being attacked.
In implementation, after determining the security type corresponding to the first suspected false-positive vulnerability information, the server may determine the adhesion degree of the data packets corresponding to that security type from the similarity between every two of those data packets and from their number, and then determine the situation coefficient of the security type from the adhesion degree.
In S104, when the situation coefficient is smaller than a first preset threshold and the difference between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold, the first suspected false-positive vulnerability information is determined to be false-positive vulnerability information.
The first vulnerability characteristic value may be a value obtained by analysing and computing the vulnerability characteristics of the first suspected false-positive vulnerability information, where those characteristics are taken from the vulnerability scanning report. The second vulnerability characteristic value may be a value obtained by analysing and computing the vulnerability characteristics of the data packets corresponding to the security type.
In implementation, since the situation coefficient reflects the current influence of the security type in the network, the two cases are handled as follows. When the situation coefficient is larger than the first preset threshold, the probability that the security type presents a network security threat is high, that is, the scanned object is likely to be attacked; to avoid unnecessary loss, the first suspected false-positive vulnerability information is then treated as genuine vulnerability information. When the situation coefficient is smaller than the first preset threshold, the probability of a threat from this security type is low; to further reduce false positives, the first vulnerability characteristic of the first suspected false-positive vulnerability information and the second vulnerability characteristic of the data packets corresponding to the security type are analysed, and it is judged whether the deviation between them is too large. If the deviation is large, the first suspected false-positive vulnerability information is determined to be false-positive vulnerability information.
Specifically, the deviation between the first and second vulnerability characteristics may be determined as follows: the first vulnerability characteristic is processed by a first preset algorithm to obtain its characteristic value, the first vulnerability characteristic value, and the second vulnerability characteristic is processed by a second preset algorithm to obtain the second vulnerability characteristic value. The first and second preset algorithms may be the same or different.
In the method for detecting false-positive vulnerabilities described above, the first suspected false-positive vulnerability information is acquired, its security type is determined, and the situation coefficient of that security type is determined; when the situation coefficient is smaller than a first preset threshold and the difference between the first vulnerability characteristic value of the first suspected false-positive vulnerability information and the second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold, the first suspected false-positive vulnerability information is determined to be false-positive vulnerability information. By determining false-positive vulnerability information in this way, conditioned on the situation coefficient of the security type being below the preset threshold, the embodiment solves the prior-art problem that a large amount of time is spent manually verifying the vulnerabilities in a vulnerability scanning report one by one to eliminate false positives, wasting a large amount of manpower and material resources, and improves the efficiency of false-positive vulnerability detection.
As shown in fig. 2, S102 may be carried out in various ways; one alternative is given below, see S1021 to S1024.
In S1021, the vulnerability description information of the first suspected false-positive vulnerability information is obtained.
The vulnerability description information may be the description corresponding to the first suspected false-positive vulnerability information in the acquired vulnerability scanning report. It may include: version information of the scanned object, the vulnerability type, the cause of the vulnerability, the location where the vulnerability exists, the ways in which an attacker may exploit the vulnerability, and its impact on the system and on user software.
In implementation, the server may look up, by the identification information of the first suspected false-positive vulnerability information, the vulnerability description information corresponding to that identification information in the vulnerability scanning report.
In S1022, semantic analysis is performed on the vulnerability description information to obtain an analysis result.
In implementation, for example, after the server has acquired the vulnerability description information of first suspected false-positive vulnerability information i through S1021, it may perform semantic analysis on that description to obtain an analysis result.
in S1023, the analysis result is matched with the plurality of security types, and the matching degrees with the plurality of security types are obtained.
In practice, the following can be expressed by the formula:
Figure BDA0002340581880000071
calculating the matching degree between the analysis result and each safety type, wherein AijThe matching degree W between the analysis result of the first suspected false alarm vulnerability information i and the security type j can be representedijThe method can be represented as the degree of association between the device type and the security type j in the first suspected false positive vulnerability information i, and the degree of association can be obtained through big data cluster analysis. XiThe risk level in the first suspected false positive vulnerability information i may be weighted.
The vulnerability scanning report acquired by the server carries a risk level for the first suspected false-positive vulnerability information, namely the degree of risk that the scanned object is maliciously attacked because that vulnerability exists. The risk level may be high, medium or low: high means the scanned object is at high risk of malicious attack because of the vulnerability, medium means the risk is moderate, and low means the risk is low. The weights corresponding to these risk levels are shown in Table 1:
TABLE 1
Risk level    Weight
High          W_{ij}
Medium        0.6 * W_{ij}
Low           0.1 * W_{ij}
In S1024, the security type with the highest matching degree is determined to be the security type corresponding to the first suspected false-positive vulnerability information.
In implementation, the server matches the analysis result obtained in S1023 against the code class, the configuration class, the password class, the communication class, the design class and the attack class respectively. If, for example, the matching degrees are 40% with the code class, 90% with the configuration class, 50% with the password class, 60% with the communication class, 70% with the design class and 80% with the attack class, the security type with the highest matching degree (here the configuration class) is determined to be the security type corresponding to the first suspected false-positive vulnerability information.
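As an added illustration of S1022 to S1024 (example code written for this page, not the patent's own implementation): the block below scores a constructed vulnerability description against the six security types and selects the one with the highest matching degree. The patent's matching formula survives here only as the definitions of A_{ij}, W_{ij} and X_i and as Table 1, so the product form A_ij = X_i * W_ij * s_ij, the keyword-counting stand-in for the semantic analysis, the keyword sets, the association table and the finding text are all assumptions made for the example.

```python
import re

# Table 1 of the patent: the factor X_i applied to W_ij for each risk level.
RISK_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.1}

# Constructed keyword sets standing in for the semantic analysis of S1022
# (assumption: the patent does not say how the analysis is done). Set sizes
# are fixed so that the scores can be checked by hand.
TYPE_KEYWORDS = {
    "code": {"overflow", "injection", "deserialization", "input", "buffer"},
    "configuration": {"default", "misconfigured", "enabled", "listing",
                      "permission", "directory"},
    "password": {"password", "credential", "weak", "hash", "plaintext"},
    "communication": {"tls", "ssl", "protocol", "cipher", "certificate",
                      "telnet"},
    "design": {"logic", "workflow", "race", "bypass"},
    "attack": {"exploit", "dos", "denial", "brute-force", "remote", "flood"},
}

# Constructed association degrees W_ij for one device type. The patent says
# these come from big-data cluster analysis; the numbers here are made up.
DEVICE_ASSOCIATION = {
    "code": 0.5, "configuration": 0.8, "password": 0.7,
    "communication": 0.6, "design": 0.4, "attack": 0.9,
}

# Constructed vulnerability description as a scan report might phrase it.
FINDING_DESCRIPTION = ("Remote attacker can exploit weak default password "
                       "over telnet")


def semantic_scores(description):
    """Stand-in for S1022: fraction of each type's keywords present in the text."""
    tokens = set(re.findall(r"[a-z0-9-]+", description.lower()))
    return {t: len(kw & tokens) / len(kw) for t, kw in TYPE_KEYWORDS.items()}


def matching_degrees(description, risk_level, association):
    """S1023 under the assumed form A_ij = X_i * W_ij * s_ij."""
    x_i = RISK_WEIGHT[risk_level.lower()]
    s = semantic_scores(description)
    return {t: x_i * association.get(t, 0.0) * s[t] for t in TYPE_KEYWORDS}


def select_security_type(description, risk_level, association):
    """S1024: the type with the highest matching degree, plus all degrees."""
    degrees = matching_degrees(description, risk_level, association)
    return max(degrees, key=degrees.get), degrees


if __name__ == "__main__":
    best, degrees = select_security_type(FINDING_DESCRIPTION, "high",
                                         DEVICE_ASSOCIATION)
    for t, a in sorted(degrees.items(), key=lambda kv: -kv[1]):
        print(f"{t:14s} A_ij = {a:.3f}")
    print("selected security type:", best)
```

For the constructed finding the attack class wins (0.9 * 2/6 = 0.30) narrowly over the password class (0.7 * 2/5 = 0.28). Note that X_i multiplies every type by the same factor, so under this product form the risk level never changes which type wins for a single finding; it only matters when matching degrees of different findings are compared, for instance when ordering which suspected false positives to review first.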
As shown in fig. 3, the specific processing manner of S103 may be various, and an alternative processing manner is provided below, which may specifically refer to the processing of S1031 to S1035 described below.
And S1031, obtaining scanned equipment information corresponding to the first suspected false alarm vulnerability information.
The scanned device information may be address information (e.g., IP address information) of the scanned device.
In implementation, the server may obtain, according to the identification information of the first suspected false-positive vulnerability information, address information of the scanned device corresponding to the identification information of the first suspected false-positive vulnerability information in the obtained vulnerability scanning report.
S1032, a plurality of first data packets generated in the interaction process between the scanned device and the network within the preset time period are obtained.
The first data packet is a data packet related to each service generated in the interaction process of the scanned device and the network.
In implementation, after the server obtains the address information of the scanned device corresponding to the first suspected false alarm vulnerability information through the processing in S1031, the server may obtain, according to the obtained address information, a plurality of first data packets generated during the interaction process between the scanned device and the network in a preset time period from the scanned device.
It should be noted that, in order to ensure accurate determination of the subsequently obtained situation coefficient, a plurality of first data packets generated in the interaction process between the scanned device and the network need to be acquired within a preset time period before the current time.
S1033, a plurality of second packets corresponding to the security type are screened out from the plurality of acquired first packets.
In an implementation, the server may filter the plurality of first packets according to the security type from among the plurality of acquired first packets through the process of S1032, for example, filter the plurality of first packets according to a code class, a configuration class, a password class, a communication class, and an attack class, and acquire second packets corresponding to the code class, the configuration class, the password class, the communication class, and the attack class, respectively.
S1034, determining the adhesion degree between the plurality of second data packets.
Wherein, the adhesion degree is the similarity between every two data packets.
In implementation, after the server screens out the plurality of second packets corresponding to the security types through the processing in S1033, the adhesion degree between the second packets may be determined for the plurality of second packets corresponding to each security type.
Specifically, taking the configuration class as the security type, let the number of second packets corresponding to the configuration class be j, and let each second packet carry M feature values, where a feature may be the packet size of the second packet or the packet length of the second packet. The adhesion degree is the sum of the similarity between every two second data packets, divided by j. The similarity between any two second data packets u and v is [(first feature value of u / first feature value of v) + (second feature value of u / second feature value of v) + ... + (M-th feature value of u / M-th feature value of v)]. The configuration-class similarity mean value is calculated from the similarity between every two second data packets of the historical configuration class, or is a preset value defined in advance.
S1035, determining a situation coefficient of the security type based on the adhesion degree.
In an implementation, after the server determines the adhesion degree between the plurality of second packets corresponding to the security type through the processing of S1034, the server may determine the situation coefficient of the security type based on the adhesion degree.
Specifically, taking the security type as the configuration class as an example, the situation coefficient of the security type is
Figure BDA0002340581880000091
Wherein T1 is the adhesion degree between the packets in the configuration class, the other term is the packet loss rate of the second packets in the configuration class, and σ1 is a preset influence factor.
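Steps S1033 and S1034 as an added worked example (not code from the patent): second packets are screened by security type and the adhesion degree is computed as the sum of pairwise similarities divided by j, with similarity defined as the feature-wise ratio sum given above. The packet records, their two feature values and the security-type labels are constructed sample data; the situation coefficient of S1035 is not reproduced because its formula is not available in the text.

```python
"""Adhesion degree between the second packets of one security type (S1033-S1034).

Added example, not the patent's code. All packet data below is constructed.
"""
from itertools import combinations
from typing import Dict, List, Sequence

# Constructed sample of "first data packets": each carries the security type it
# was assigned in S1033 and M = 2 feature values (packet size and packet length
# in bytes, the two features the text names).
FIRST_PACKETS: List[Dict] = [
    {"id": 1, "security_type": "configuration", "features": (512, 480)},
    {"id": 2, "security_type": "configuration", "features": (520, 490)},
    {"id": 3, "security_type": "configuration", "features": (1024, 960)},
    {"id": 4, "security_type": "password", "features": (128, 96)},
    {"id": 5, "security_type": "attack", "features": (2048, 2000)},
]

SECURITY_TYPES = ("code", "configuration", "password", "communication", "attack")


def screen_second_packets(packets: Sequence[Dict], security_type: str) -> List[Dict]:
    """S1033: keep only the packets labelled with the requested security type."""
    return [p for p in packets if p["security_type"] == security_type]


def similarity(u: Sequence[float], v: Sequence[float]) -> float:
    """Pairwise similarity as defined in the text: the sum over the M features of
    (m-th feature value of u) / (m-th feature value of v).

    The ratio is not symmetric, so the caller fixes the (u, v) order. A zero
    feature value in v makes the term undefined, so it is rejected explicitly
    instead of silently producing inf.
    """
    if len(u) != len(v):
        raise ValueError("packets must carry the same number of features")
    total = 0.0
    for fu, fv in zip(u, v):
        if fv == 0:
            raise ZeroDivisionError("feature value of v is zero; similarity undefined")
        total += fu / fv
    return total


def adhesion_degree(second_packets: Sequence[Dict]) -> float:
    """S1034: (sum of the similarity between every two second packets) / j, where
    j is the number of second packets of this security type.

    Each unordered pair is visited once, in index order (u before v). With fewer
    than two packets no pair exists; 0.0 is returned and the caller should treat
    that as "no evidence" rather than as a low adhesion degree.
    """
    j = len(second_packets)
    if j < 2:
        return 0.0
    pair_sum = sum(
        similarity(u["features"], v["features"])
        for u, v in combinations(second_packets, 2)
    )
    return pair_sum / j


def adhesion_by_security_type(packets: Sequence[Dict],
                              types: Sequence[str] = SECURITY_TYPES) -> Dict[str, float]:
    """Run S1033 and S1034 once per security type named in the text."""
    return {t: adhesion_degree(screen_second_packets(packets, t)) for t in types}


if __name__ == "__main__":
    for name, degree in adhesion_by_security_type(FIRST_PACKETS).items():
        print(f"{name:14s} adhesion degree = {degree:.4f}")
```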
As shown in fig. 4, before the step S101 of acquiring the first suspected false positive vulnerability information, the following steps S001 to S005 are also included.
S001, acquiring a vulnerability scanning report, wherein the vulnerability scanning report comprises: at least one of address information of a scanned device, a device type of the scanned device, vulnerability description information, and scanned object related information, where the scanned object related information includes: at least one of operating system version information, middleware version information, database version information, and software version information.
It should be noted that the content of the vulnerability scanning report obtained by the server is related to a third-party vulnerability scanning tool, and the content in the vulnerability scanning report is not specifically limited in this specification, but at least includes at least one of address information (such as an IP address) of a scanned device, a device type, a risk level, a vulnerability identification, vulnerability discovery time, vulnerability description information, and scanned object related information, where the scanned object related information includes: at least one of operating system version information, middleware version information, database version information, and software version information.
And S002, acquiring characteristic information of the scanned device according to the address information of the scanned device, wherein the characteristic information of the scanned device at least comprises the related information of the scanned object.
In implementation, the server may obtain address information and an authorized account of the scanned device in the vulnerability scanning report according to the identification information of the first suspected false-positive vulnerability, and log in the scanned device corresponding to the first suspected false-positive vulnerability information to obtain the feature information of the scanned device. Alternatively, the scanned device feature information may be acquired by means of a preset script.
It should be noted that the obtained scanned device characteristic information may be the same as or different from the content of the scanned object related information corresponding to the first suspected false positive vulnerability information, but the scanned device characteristic information is not less than the content of the scanned object related information corresponding to the first suspected false positive vulnerability information.
And S003, under the condition that the characteristic information of the scanned equipment is not matched with the related information of the scanned object in the vulnerability scanning report, determining the vulnerability information corresponding to the related information of the scanned object in the vulnerability scanning report as first false alarm vulnerability information.
And S004, screening out a vulnerability misinformation rule matched with the first misinformation vulnerability information from a vulnerability misinformation rule base.
Before the step is executed, the method further includes: and establishing a vulnerability false alarm rule base, wherein the vulnerability false alarm rule base can be a basis for quickly positioning which vulnerability information is false alarm vulnerability information in the follow-up process.
Specifically, the vulnerabilities on the service support network device side mainly involve the following: hosts (Redhat, HP-UX, AIX, SUSE, CentOS, etc.), databases (Oracle, Mysql), middleware (Websphere, Tomcat), etc. Therefore, a vulnerability false-positive rule base keyed by CVE and using the operating system, software version, repair package and patch set version as rules can be established according to the repair mode of the security vulnerabilities of the operating system, database and middleware, and according to the information on security patches, patch sets and repair packages officially released for the operating system, database and middleware. The specific steps are as follows:
Vulnerability information, vulnerability features and repair versions are acquired from the official vulnerability disclosure page of the operating system. Vulnerability false-positive screening knowledge bases at different levels are built according to three criteria: false positives for different operating systems, false positives for different versions of the same operating system, and false positives for the same version of the same operating system; the vulnerability false-positive rules themselves are built from the vulnerability feature and the repair version.
Specifically, the operating system vulnerability false-positive rule may be as follows. For the Redhat operating system, three rules, "CVE number + operating system type", "CVE number + operating system version" and "CVE number + operating system version + software version", are established on the basis of the vulnerability influence range and the repair version officially released by Red Hat. Alternatively, the "CVE number + OS version + software version" rule may be determined for the HP-UX operating system. Alternatively, a "CVE number + operating system type" rule may also be determined for the AIX operating system. The database (Oracle) vulnerability false-positive rule may take a database patch set + CVE number set as the rule. The vulnerability false-positive rule of the middleware (Websphere) may take a middleware repair package, a middleware version number and a CVE number set as the rule. In addition, the vulnerability false-positive rules can be updated subsequently according to the vulnerability scanning results and the official release situation.
In implementation, after the server determines the vulnerability information corresponding to the scanned object related information as the first false-positive vulnerability information through the processing of the above S003, a vulnerability false-positive rule matching the first false-positive vulnerability information can be screened out from the vulnerability false-positive rule base.
Specifically, because the first false-positive vulnerability information carries CVE number information, the server may screen out a vulnerability false-positive rule matched with the first false-positive vulnerability information from a vulnerability false-positive rule base according to the CVE number information in the first false-positive vulnerability information, where the vulnerability false-positive rule may be a plurality of vulnerability false-positive rules identical to the CVE number information.
And S005, under the condition that the scanned equipment characteristic information is not matched with the bug false alarm rule, determining the first false alarm bug information as the first suspected false alarm bug information.
In implementation, after the server screens out a bug false-positive rule matching the first false-positive bug information in the bug false-positive rule base through the processing of the above S004, the server may match the feature information of the scanned device with the screened bug false-positive rule, and may determine the first false-positive bug information as the first suspected false-positive bug information when the feature information of the scanned device is not matched with the bug false-positive rule.
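Steps S002 to S005 as an added worked example (not the patent's code): the scan report's scanned-object information is compared with the feature information collected from the device, the rule base is screened by CVE number, and an entry becomes first suspected false-positive vulnerability information only when no matching rule explains the mismatch. The report rows, device features, rule contents, addresses and CVE numbers are constructed placeholders, not real advisories.

```python
"""S002-S005: report vs. device features, then CVE-keyed false-positive rules.

Added example, not the patent's code. All identifiers below are constructed;
the CVE numbers are placeholders and do not refer to real advisories.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class ReportEntry:
    """One vulnerability of the scanning report (S001) with scanned-object info."""
    address: str
    device_type: str
    cve: str
    os_version: str
    software_version: Optional[str] = None


@dataclass(frozen=True)
class DeviceFeatures:
    """Feature information read from the scanned device itself (S002)."""
    address: str
    os_type: str
    os_version: str
    software_version: Optional[str] = None


@dataclass(frozen=True)
class FalsePositiveRule:
    """Rule of the vulnerability false-positive rule base. A None field does not
    take part in matching, which gives the three shapes named in the text:
    CVE + OS type, CVE + OS version, CVE + OS version + software version."""
    cve: str
    os_type: Optional[str] = None
    os_version: Optional[str] = None
    software_version: Optional[str] = None

    def matches(self, dev: DeviceFeatures) -> bool:
        checks = (
            (self.os_type, dev.os_type),
            (self.os_version, dev.os_version),
            (self.software_version, dev.software_version),
        )
        return all(want is None or want == have for want, have in checks)


def is_first_false_positive(entry: ReportEntry, dev: DeviceFeatures) -> bool:
    """S003: the report's scanned-object info disagrees with what the device runs."""
    if entry.os_version != dev.os_version:
        return True
    return entry.software_version is not None and entry.software_version != dev.software_version


def screen_rules(rule_base: Sequence[FalsePositiveRule], cve: str) -> List[FalsePositiveRule]:
    """S004: keep every rule whose CVE number equals the entry's CVE number."""
    return [r for r in rule_base if r.cve == cve]


def is_suspected_false_positive(entry: ReportEntry, dev: DeviceFeatures,
                                rule_base: Sequence[FalsePositiveRule]) -> bool:
    """S003 -> S004 -> S005. True means the entry is first suspected false-positive
    vulnerability information: it disagrees with the device AND no screened rule
    matches the device, so it goes on to the situation-coefficient analysis.
    False means either the report was consistent with the device (not a false
    positive at this stage) or a rule explained the mismatch."""
    if not is_first_false_positive(entry, dev):
        return False
    return not any(r.matches(dev) for r in screen_rules(rule_base, entry.cve))


# Constructed sample data. The device runs a newer OS than the report recorded.
DEVICE = DeviceFeatures("10.0.0.5", "Redhat", "7.9", software_version="openssh-8.0")

RULE_BASE = [
    # "CVE number + operating system type" rule (placeholder CVE)
    FalsePositiveRule(cve="CVE-0000-0001", os_type="Redhat"),
    # "CVE number + operating system version + software version" rule
    FalsePositiveRule(cve="CVE-0000-0002", os_version="8.2", software_version="openssh-8.0"),
]

ENTRY_EXPLAINED = ReportEntry("10.0.0.5", "host", "CVE-0000-0001", os_version="7.4")
ENTRY_UNEXPLAINED = ReportEntry("10.0.0.5", "host", "CVE-0000-0002", os_version="7.4",
                                software_version="openssh-7.4")
ENTRY_CONSISTENT = ReportEntry("10.0.0.5", "host", "CVE-0000-0003", os_version="7.9",
                               software_version="openssh-8.0")

if __name__ == "__main__":
    for e in (ENTRY_EXPLAINED, ENTRY_UNEXPLAINED, ENTRY_CONSISTENT):
        print(e.cve, "suspected false positive:", is_suspected_false_positive(e, DEVICE, RULE_BASE))
```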
As shown in fig. 5, after determining the situation coefficient of the security type in S103, the following processing procedures from S105 to S108 are also included.
In S105, a first support degree of the first suspected false positive vulnerability information is determined according to the situation coefficient of the security type.
The first support degree refers to the probability that the first suspected false-positive vulnerability information is false-positive vulnerability information.
In consideration of the fact that different devices have different security risks for the same security type, the description fully considers the association among the device type, the security type and the security risk in the process of determining the security type, so that the method provided by the proposal is more consistent with the real situation of the vulnerability scanning object, and the vulnerability misinformation screening accuracy is improved.
In implementation, after determining the situation coefficient of the security type through the processing in S103, the server may determine first weight information of the first suspected false-positive vulnerability information according to the risk level of the first suspected false-positive vulnerability information; and then, determining a first support degree of the first suspected false-positive vulnerability information according to first weight information of the first suspected false-positive vulnerability information, a first association degree between the equipment type corresponding to the first suspected false-positive vulnerability information and the security type corresponding to the first suspected false-positive vulnerability information, and a situation coefficient of the security type corresponding to the first suspected false-positive vulnerability information. The risk level may be a risk degree of the scanned object being attacked due to the existence of the first suspected false positive vulnerability information.
Specifically, the vulnerability false-positive information further includes a risk level of the vulnerability information, and the server may determine the risk level of the first suspected false-positive vulnerability information according to the identification information of the first suspected false-positive vulnerability information, and determine the first weight information Xi of the first suspected false-positive vulnerability information according to the correspondence between the risk level and the weight in Table 1. Then, the server determines the first support degree R1 of the first suspected false-positive vulnerability information according to the first weight information Xi of the first suspected false-positive vulnerability information, the first association degree W1 between the device type corresponding to the first suspected false-positive vulnerability information and the security type corresponding to the first suspected false-positive vulnerability information, and the situation coefficient S of the security type corresponding to the first suspected false-positive vulnerability information, wherein,
Figure BDA0002340581880000121
The first weight information Xi of the first suspected false-positive vulnerability information is taken from Table 1: when the risk level is high, the corresponding first weight information Xi is Wij; when the risk level is medium, the corresponding first weight information Xi is 0.6Wij; when the risk level is low, the corresponding first weight information Xi is 0.1Wij.
In S106, second suspected false alarm vulnerability information of the scanned device is determined according to the obtained characteristic information of the scanned device and the vulnerability false alarm rule.
In consideration of the fact that the scanned device may have a vulnerability risk, which may affect the accuracy of determining whether the first suspected false-positive vulnerability information is false-positive vulnerability information, the server also needs to determine the second suspected false-positive vulnerability information existing in the scanned device.
In implementation, the server determines second suspected false-positive vulnerability information of the scanned device according to the acquired feature information of the scanned device and vulnerability description information of the vulnerability false-positive rule.
In S107, a second support degree of the second suspected false positive vulnerability information is determined.
The second support degree may be a probability that the scanned device has a vulnerability (a second suspected false positive vulnerability).
In implementation, the server may determine a risk level of the second suspected false-positive vulnerability information according to the obtained scanned device feature information and the vulnerability description information of the vulnerability false-positive rule, determine second weight information of the second suspected false-positive vulnerability information according to the risk level, and then determine a second support degree of the second suspected false-positive vulnerability information according to the second weight information and a second association degree between the device type of the scanned device and the security type corresponding to the second suspected false-positive vulnerability information.
Specifically, the server may determine a risk level of the second suspected false-positive vulnerability information according to the acquired feature information of the scanned device and the vulnerability description information of the vulnerability false-positive rule, and determine the second weight information Xi of the second suspected false-positive vulnerability information according to the correspondence between the risk level and the weight in Table 1. Then, the server determines the second support degree R2 of the second suspected false-positive vulnerability information according to the second weight information Xi and the second association degree W2 between the device type of the scanned device and the security type corresponding to the second suspected false-positive vulnerability information, wherein,
Figure BDA0002340581880000122
The second weight information Xi of the second suspected false-positive vulnerability information is taken from Table 1: when the risk level is high, the corresponding second weight information Xi is Wij; when the risk level is medium, the corresponding second weight information Xi is 0.6Wij; when the risk level is low, the corresponding second weight information Xi is 0.1Wij.
In S108, when it is detected that the first support degree and the second support degree satisfy the preset rule, it is determined that the first suspected false positive vulnerability information is false positive vulnerability information.
In an implementation, when the server detects that the first support degree R1 and the second support degree R2 satisfy R2 < α × R1, the first suspected false-positive vulnerability information may be determined as false-positive vulnerability information, where α is a preset false-positive rate coefficient.
As can be seen from the technical solutions provided in the embodiments of the present specification, a security type corresponding to first suspected false-positive vulnerability information is determined by obtaining the first suspected false-positive vulnerability information, and a situation coefficient of the security type is determined; and under the condition that the situation coefficient is smaller than a first preset threshold value and the difference value between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold value, determining the first suspected false-positive vulnerability information as false-positive vulnerability information. According to the embodiment of the invention, under the condition that the situation coefficient of the security type corresponding to the first suspected false-positive vulnerability information is larger than the preset threshold value, the method for determining the first suspected false-positive vulnerability information as the false-positive vulnerability information solves the problem that in the prior art, a large amount of time is spent on manually verifying the vulnerabilities in the vulnerability scanning report one by one to eliminate the false-positive vulnerabilities, so that a large amount of manpower and material resources are wasted, and the detection efficiency of the false-positive vulnerabilities is further improved.
Based on the same technical concept as the detection method for the false alarm bug provided by the above embodiment, an embodiment of the present invention further provides a detection device for the false alarm bug. Fig. 6 is a schematic diagram of the modules of the detection device for the false alarm bug provided by the embodiment of the present invention; the device is used for executing the detection method for the false alarm bug described in fig. 1 to 5. As shown in fig. 6, the detection device for the false alarm bug comprises:
a first obtaining module 601, configured to obtain first suspected false-positive vulnerability information;
a first determining module 602, configured to determine a security type corresponding to the first suspected false positive vulnerability information;
a second determining module 603, configured to determine a situation coefficient of the security type;
a third determining module 604, configured to determine that the first suspected false-positive vulnerability information is false-positive vulnerability information when the situation coefficient is smaller than a first preset threshold and a difference between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is greater than a second preset threshold.
Optionally, the first determining module 602 includes:
a first obtaining unit, configured to obtain vulnerability description information of the first suspected false-positive vulnerability information;
the analysis unit is used for carrying out semantic analysis on the vulnerability description information to obtain an analysis result;
the matching unit is used for matching the analysis result with a plurality of security types to obtain the matching degree with the plurality of security types;
and the first determining unit is used for determining the security type with the highest matching degree as the security type corresponding to the first suspected false positive vulnerability information.
Optionally, the second determining module 603 includes:
a second obtaining unit, configured to obtain scanned device information corresponding to the first suspected false positive vulnerability information;
the third acquisition unit is used for acquiring a plurality of first data packets generated in the interaction process of the scanned equipment and the network within a preset time period;
the screening unit is used for screening a plurality of second data packets corresponding to the security types from the plurality of acquired first data packets;
a second determining unit configured to determine a degree of adhesion between the plurality of second packets;
and the third determining unit is used for determining the situation coefficient of the safety type based on the adhesion degree.
Optionally, the apparatus further comprises:
a second obtaining module, configured to obtain a vulnerability scanning report, where the vulnerability scanning report includes: at least one of address information of a scanned device, a device type of the scanned device, vulnerability description information, and scanned object related information, where the scanned object related information includes: at least one of operating system version information, middleware version information, database version information and software version information;
a third obtaining module, configured to obtain feature information of the scanned device according to address information of the scanned device, where the feature information of the scanned device at least includes information related to the scanned object;
a fourth determining module, configured to determine vulnerability information corresponding to the scanned object related information in the vulnerability scanning report as first false-positive vulnerability information when the scanned device feature information does not match the scanned object related information in the vulnerability scanning report;
the screening module is used for screening a vulnerability false alarm rule matched with the first false alarm vulnerability information from a vulnerability false alarm rule base;
and the fifth determining module is used for determining the first false alarm vulnerability information as first suspected false alarm vulnerability information under the condition that the scanned equipment characteristic information is not matched with the vulnerability false alarm rule.
Optionally, the apparatus further comprises:
a sixth determining module, configured to determine, according to the situation coefficient of the security type, a first support degree of the first suspected false positive vulnerability information;
a seventh determining module, configured to determine second suspected false alarm vulnerability information of the scanned device according to the acquired feature information of the scanned device and the vulnerability false alarm rule;
an eighth determining module, configured to determine a second support degree of the second suspected false positive vulnerability information;
and the ninth determining module is used for determining the first suspected false alarm vulnerability information as false alarm vulnerability information under the condition that the first support degree and the second support degree are detected to meet a preset rule.
Optionally, the vulnerability false-positive rule includes a risk level of vulnerability information, and the sixth determining module includes:
a fourth determining unit, configured to determine, according to the risk level of the first suspected false positive vulnerability information, first weight information of the first suspected false positive vulnerability information;
a fifth determining unit, configured to determine a first support degree of the first suspected false-positive vulnerability information according to the first weight information of the first suspected false-positive vulnerability information, a first association degree between the device type corresponding to the first suspected false-positive vulnerability information and the security type corresponding to the first suspected false-positive vulnerability information, and the situation coefficient of the security type corresponding to the first suspected false-positive vulnerability information.
Optionally, the eighth determining module includes:
a sixth determining unit, configured to determine a risk level of the second suspected false-positive vulnerability information according to the acquired feature information of the scanned device and vulnerability description information of the vulnerability false-positive rule;
a seventh determining unit, configured to determine, according to the risk level, second weight information of the second suspected false positive vulnerability information;
an eighth determining unit, configured to determine a second support degree of the second suspected false positive vulnerability information according to the second weight information and a second association degree between the device type of the scanned device and the security type corresponding to the second suspected false positive vulnerability information.
The detection device for the false alarm bug provided by the embodiment of the invention can realize each process in the embodiment corresponding to the detection method for the false alarm bug, and is not repeated here for avoiding repetition.
It should be noted that the detection apparatus for a false alarm bug according to the embodiment of the present invention and the detection method for a false alarm bug according to the embodiment of the present invention are based on the same inventive concept, and therefore specific implementation of the embodiment may refer to implementation of the detection method for a false alarm bug, and repeated details are not described herein.
Based on the same technical concept, the embodiment of the present invention further provides a computer device for executing the method for detecting a false alarm bug, and fig. 7 is a schematic structural diagram of a computer device for implementing the embodiments of the present invention, as shown in fig. 7. Computer devices may vary widely in configuration or performance and may include one or more processors 701 and memory 702, with one or more stored applications or data stored in memory 702. Memory 702 may be, among other things, transient storage or persistent storage. The application program stored in memory 702 may include one or more modules (not shown), each of which may include a series of computer-executable instructions for a computing device. Still further, the processor 701 may be configured to communicate with the memory 702 to execute a series of computer-executable instructions in the memory 702 on a computer device. The computer apparatus may also include one or more power supplies 703, one or more wired or wireless network interfaces 704, one or more input-output interfaces 705, one or more keyboards 706.
In this embodiment, the computer device includes a processor, a communication interface, a memory, and a communication bus; the processor, the communication interface and the memory complete mutual communication through a bus; the memory is used for storing a computer program; the processor is used for executing the program stored in the memory and realizing the following method steps:
acquiring first suspected false alarm vulnerability information;
determining a security type corresponding to the first suspected false positive vulnerability information;
determining a situation coefficient of the security type;
and under the condition that the situation coefficient is smaller than a first preset threshold value and the difference value between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold value, determining that the first suspected false-positive vulnerability information is false-positive vulnerability information.
An embodiment of the present application further provides a computer-readable storage medium, in which a computer program is stored, and when executed by a processor, the computer program implements the following method steps:
acquiring first suspected false alarm vulnerability information;
determining a security type corresponding to the first suspected false positive vulnerability information;
determining a situation coefficient of the security type;
and under the condition that the situation coefficient is smaller than a first preset threshold value and the difference value between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold value, determining that the first suspected false-positive vulnerability information is false-positive vulnerability information.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A method for detecting false positive vulnerabilities, comprising:
acquiring first suspected false positive vulnerability information;
determining a security type corresponding to the first suspected false positive vulnerability information;
determining a situation coefficient of the security type;
when the situation coefficient is smaller than a first preset threshold and the difference between a first vulnerability characteristic value of the first suspected false positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is greater than a second preset threshold, determining that the first suspected false positive vulnerability information is false positive vulnerability information.

2. The method according to claim 1, wherein determining the security type corresponding to the first suspected false positive vulnerability information comprises:
acquiring vulnerability description information of the first suspected false positive vulnerability information;
performing semantic analysis on the vulnerability description information to obtain an analysis result;
matching the analysis result against a plurality of security types to obtain a matching degree with each of the plurality of security types;
determining the security type with the highest matching degree as the security type corresponding to the first suspected false positive vulnerability information.

3. The method according to claim 1, wherein determining the situation coefficient of the security type comprises:
acquiring scanned device information corresponding to the first suspected false positive vulnerability information;
acquiring a plurality of first data packets generated while the scanned device interacts with the network within a preset time period;
screening out, from the acquired plurality of first data packets, a plurality of second data packets corresponding to the security type;
determining a degree of cohesion among the plurality of second data packets;
determining the situation coefficient of the security type based on the degree of cohesion.

4. The method according to claim 1, further comprising, before acquiring the first suspected false positive vulnerability information:
acquiring a vulnerability scan report, wherein the vulnerability scan report comprises at least one of: address information of the scanned device, a device type of the scanned device, vulnerability description information, and scanned-object related information, the scanned-object related information comprising at least one of operating system version information, middleware version information, database version information and software version information;
acquiring scanned device characteristic information according to the address information of the scanned device, wherein the scanned device characteristic information comprises at least the scanned-object related information;
when the scanned device characteristic information does not match the scanned-object related information in the vulnerability scan report, determining the vulnerability information in the vulnerability scan report that corresponds to the scanned-object related information as first false positive vulnerability information;
screening out, from a vulnerability false positive rule base, a vulnerability false positive rule matching the first false positive vulnerability information;
when the scanned device characteristic information does not match the vulnerability false positive rule, determining the first false positive vulnerability information as the first suspected false positive vulnerability information.

5. The method according to claim 4, further comprising, after determining the situation coefficient of the security type:
determining a first support degree of the first suspected false positive vulnerability information according to the situation coefficient of the security type;
determining second suspected false positive vulnerability information of the scanned device according to the acquired scanned device characteristic information and the vulnerability false positive rule;
determining a second support degree of the second suspected false positive vulnerability information;
when it is detected that the first support degree and the second support degree satisfy a preset rule, determining that the first suspected false positive vulnerability information is false positive vulnerability information.

6. The method according to claim 5, wherein the vulnerability false positive rule comprises a risk level of the vulnerability information, and determining the first support degree of the first suspected false positive vulnerability information according to the situation coefficient of the security type comprises:
determining first weight information of the first suspected false positive vulnerability information according to the risk level of the first suspected false positive vulnerability information;
determining the first support degree of the first suspected false positive vulnerability information according to the first weight information, a first degree of association between the device type corresponding to the first suspected false positive vulnerability information and the security type corresponding to the first suspected false positive vulnerability information, and the situation coefficient of the security type corresponding to the first suspected false positive vulnerability information.

7. The method according to claim 5, wherein determining the second support degree of the second suspected false positive vulnerability information comprises:
determining a risk level of the second suspected false positive vulnerability information according to the acquired scanned device characteristic information and the vulnerability description information of the vulnerability false positive rule;
determining second weight information of the second suspected false positive vulnerability information according to the risk level;
determining the second support degree of the second suspected false positive vulnerability information according to the second weight information and a second degree of association between the device type of the scanned device and the security type corresponding to the second suspected false positive vulnerability information.

8. A device for detecting false positive vulnerabilities, comprising:
a first acquiring module, configured to acquire first suspected false positive vulnerability information;
a first determining module, configured to determine a security type corresponding to the first suspected false positive vulnerability information;
a second determining module, configured to determine a situation coefficient of the security type;
a third determining module, configured to determine that the first suspected false positive vulnerability information is false positive vulnerability information when the situation coefficient is smaller than a first preset threshold and the difference between a first vulnerability characteristic value of the first suspected false positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is greater than a second preset threshold.

9. An electronic device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the bus; the memory is configured to store a computer program; and the processor is configured to execute the program stored in the memory so as to implement the steps of the method for detecting false positive vulnerabilities according to any one of claims 1 to 7.

10. A computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method for detecting false positive vulnerabilities according to any one of claims 1 to 7 are implemented.
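The following worked example is added here to show the screening pipeline of the method steps in the description and of claims 1 to 4 as running code; it is not the patent's own code or any code of the applicant. Everything the page leaves unspecified is a labelled assumption: keyword overlap stands in for the semantic analysis of claim 2, the cohesion of claim 3 is taken as the share of same-type packets that arrive within one second of another, the first and second vulnerability characteristic values are a scanner risk score and a per-type baseline, the thresholds are arbitrary, the handling of a matched rule or of no matching rule is assumed, and the device record, rule, finding and packet timestamps are constructed.

```python
"""Added example of the false positive screening pipeline (claims 1-4).
Not the patent's code: every scoring rule and all sample data below are
constructed assumptions chosen so the decision rule can be exercised."""
from dataclasses import dataclass


@dataclass
class Finding:
    """One entry of a vulnerability scan report (claim 4)."""
    device_addr: str
    device_type: str
    description: str
    scanned_object: dict   # versions as reported by the scanner, e.g. {"middleware": "Apache 2.4.6"}
    feature_value: float   # first vulnerability characteristic value (assumed: scanner risk score)


@dataclass
class Rule:
    """Entry of the vulnerability false positive rule base (claims 4 and 6)."""
    keyword: str           # description fragment the rule applies to
    security_type: str
    risk_level: int
    device_conditions: dict  # device characteristics under which the rule applies


# Assumed second vulnerability characteristic value (baseline) per security type.
TYPE_BASELINE = {"web": 6.0, "ssh": 4.0, "database": 7.0}
# Assumed keyword sets standing in for the semantic analysis of claim 2.
TYPE_KEYWORDS = {"web": {"http", "apache", "xss"}, "ssh": {"ssh", "openssh"},
                 "database": {"mysql", "sql"}}


def security_type(description: str) -> str:
    """Claim 2 stand-in: pick the type with the largest keyword overlap."""
    words = set(description.lower().replace(",", " ").split())
    scores = {t: len(words & kw) for t, kw in TYPE_KEYWORDS.items()}
    return max(scores, key=scores.get)   # ties resolve to the first type listed


def situation_coefficient(packets: list, sec_type: str, window: tuple) -> float:
    """Claim 3: filter the device's packets to the window (first packets), keep
    those of the security type (second packets) and score their cohesion.
    Assumed cohesion: share of consecutive same-type packets less than 1 s apart."""
    t0, t1 = window
    first = [p for p in packets if t0 <= p["ts"] <= t1]
    second = sorted(p["ts"] for p in first if p["type"] == sec_type)
    if len(second) < 2:
        return 0.0
    close = sum(1 for a, b in zip(second, second[1:]) if b - a <= 1.0)
    return close / (len(second) - 1)


def prefilter(finding: Finding, device_info: dict, rules: list) -> str:
    """Claim 4: compare the report against the real device record, then against
    the rule base. Returns 'not_false_positive', 'false_positive_by_rule' or
    'suspected' (the last one needs the situation analysis of claims 1 and 3)."""
    if all(device_info.get(k) == v for k, v in finding.scanned_object.items()):
        return "not_false_positive"              # report agrees with the asset record
    for r in rules:                               # rule matching the first false positive info
        if r.keyword in finding.description.lower():
            if all(device_info.get(k) == v for k, v in r.device_conditions.items()):
                return "false_positive_by_rule"  # assumption: a matched rule explains it
            return "suspected"                    # device does not match the rule
    return "suspected"                            # assumption: no rule -> still suspected


def is_false_positive(finding: Finding, coef: float, t1: float = 0.5, t2: float = 2.0) -> bool:
    """Claim 1 decision: low situation coefficient AND large feature-value gap."""
    baseline = TYPE_BASELINE[security_type(finding.description)]
    return coef < t1 and abs(finding.feature_value - baseline) > t2


def classify(finding: Finding, device_info: dict, rules: list, packets: list,
             window: tuple, t1: float = 0.5, t2: float = 2.0) -> str:
    """Whole pipeline; 'unresolved' findings are left for analyst review."""
    stage = prefilter(finding, device_info, rules)
    if stage != "suspected":
        return stage
    coef = situation_coefficient(packets, security_type(finding.description), window)
    return "false_positive" if is_false_positive(finding, coef, t1, t2) else "unresolved"


# Constructed sample data (not from the patent).
SAMPLE_DEVICE = {"os": "CentOS 7.9", "middleware": "Apache 2.4.41"}   # asset inventory record
SAMPLE_RULES = [Rule("apache", "web", 3, {"os": "Windows Server 2016"})]
SAMPLE_FINDING = Finding("10.0.0.5", "web-server",
                         "Apache HTTP Server 2.4.6 mod_status information disclosure",
                         {"middleware": "Apache 2.4.6"}, 9.5)
SAMPLE_PACKETS = [  # (timestamp in seconds, traffic type already classified upstream)
    {"ts": 1.0, "type": "web"}, {"ts": 30.0, "type": "web"}, {"ts": 31.0, "type": "web"},
    {"ts": 90.0, "type": "web"}, {"ts": 91.0, "type": "ssh"}, {"ts": 92.0, "type": "ssh"},
]

if __name__ == "__main__":
    print(classify(SAMPLE_FINDING, SAMPLE_DEVICE, SAMPLE_RULES, SAMPLE_PACKETS, (0.0, 100.0)))
```

With the sample data the scanner reports Apache 2.4.6 while the inventory holds 2.4.41, no rule explains the discrepancy, only one pair of web packets is bursty (coefficient 1/3) and the reported risk score sits 3.5 above the web baseline, so the finding is classed as a false positive; had the web traffic been dense, the same finding would stay unresolved and go to an analyst instead of being discarded.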
CN201911374600.3A 2019-12-27 2019-12-27 Method and device for detecting false alarm vulnerability and computer equipment Active CN113051571B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911374600.3A CN113051571B (en) 2019-12-27 2019-12-27 Method and device for detecting false alarm vulnerability and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911374600.3A CN113051571B (en) 2019-12-27 2019-12-27 Method and device for detecting false alarm vulnerability and computer equipment

Publications (2)

Publication Number Publication Date
CN113051571A true CN113051571A (en) 2021-06-29
CN113051571B CN113051571B (en) 2022-11-29

Family

ID=76506584

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911374600.3A Active CN113051571B (en) 2019-12-27 2019-12-27 Method and device for detecting false alarm vulnerability and computer equipment

Country Status (1)

Country Link
CN (1) CN113051571B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114143075A (en) * 2021-11-29 2022-03-04 国网北京市电力公司 Security vulnerability early warning method and device and electronic equipment
CN115329347A (en) * 2022-10-17 2022-11-11 中国汽车技术研究中心有限公司 Prediction method, equipment and storage medium based on vulnerability data of Internet of Vehicles
CN115563617A (en) * 2022-08-25 2023-01-03 华北电力科学研究院有限责任公司 Source code vulnerability detection method and device

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110119742A1 (en) * 2009-11-16 2011-05-19 Noblis, Inc. Computer network security platform
CN103106368A (en) * 2013-02-26 2013-05-15 南京理工大学常熟研究院有限公司 Vulnerability scanning method for grade protection
CN104200167A (en) * 2014-08-05 2014-12-10 杭州安恒信息技术有限公司 Automatic penetration testing method and system
CN104486141A (en) * 2014-11-26 2015-04-01 国家电网公司 Misdeclaration self-adapting network safety situation predication method
CN104618178A (en) * 2014-12-29 2015-05-13 北京奇虎科技有限公司 Website bug online evaluation method and device
CN104618177A (en) * 2014-12-29 2015-05-13 北京奇虎科技有限公司 Website bug examination method and device
CN105592049A (en) * 2015-09-07 2016-05-18 杭州华三通信技术有限公司 Attack defense rule opening method and device
CN106295346A (en) * 2015-05-20 2017-01-04 深圳市腾讯计算机系统有限公司 A kind of application leak detection method, device and the equipment of calculating
CN107944278A (en) * 2017-12-11 2018-04-20 北京奇虎科技有限公司 A kind of kernel leak detection method and device
CN108520005A (en) * 2018-03-13 2018-09-11 北京理工大学 False alarm elimination method for network active monitoring system based on machine learning
CN109145609A (en) * 2018-09-06 2019-01-04 平安科技(深圳)有限公司 A kind of data processing method and device
CN109255241A (en) * 2018-08-31 2019-01-22 国鼎网络空间安全技术有限公司 Android privilege-escalation leak detection method and system based on machine learning
CN109992958A (en) * 2017-12-29 2019-07-09 国民技术股份有限公司 A security assessment method and security assessment device
CN110287705A (en) * 2019-06-25 2019-09-27 北京中科微澜科技有限公司 A kind of security breaches wrong data modification method based on loophole map

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114143075A (en) * 2021-11-29 2022-03-04 国网北京市电力公司 Security vulnerability early warning method and device and electronic equipment
CN114143075B (en) * 2021-11-29 2024-05-28 国网北京市电力公司 Security vulnerability early warning method, device and electronic equipment
CN115563617A (en) * 2022-08-25 2023-01-03 华北电力科学研究院有限责任公司 Source code vulnerability detection method and device
CN115329347A (en) * 2022-10-17 2022-11-11 中国汽车技术研究中心有限公司 Prediction method, equipment and storage medium based on vulnerability data of Internet of Vehicles

Also Published As

Publication number Publication date
CN113051571B (en) 2022-11-29

Similar Documents

Publication Publication Date Title
US11750659B2 (en) Cybersecurity profiling and rating using active and passive external reconnaissance
US12058177B2 (en) Cybersecurity risk analysis and anomaly detection using active and passive external reconnaissance
US12301628B2 (en) Correlating network event anomalies using active and passive external reconnaissance to identify attack information
US12041091B2 (en) System and methods for automated internet- scale web application vulnerability scanning and enhanced security profiling
US12184697B2 (en) AI-driven defensive cybersecurity strategy analysis and recommendation system
US20220201042A1 (en) Ai-driven defensive penetration test analysis and recommendation system
US10484400B2 (en) Dynamic sensors
CN110417778B (en) Access request processing method and device
US10430586B1 (en) Methods of identifying heap spray attacks using memory anomaly detection
US20180295154A1 (en) Application of advanced cybersecurity threat mitigation to rogue devices, privilege escalation, and risk-based vulnerability and patch management
CN113489713B (en) Network attack detection method, device, equipment and storage medium
US20180302430A1 (en) SYSTEM AND METHOD FOR DETECTING CREATION OF MALICIOUS new USER ACCOUNTS BY AN ATTACKER
CN113810408B (en) Network attack organization detection method, device, equipment and readable storage medium
CN113051571A (en) Method and device for detecting false alarm vulnerability and computer equipment
US20230283641A1 (en) Dynamic cybersecurity scoring using traffic fingerprinting and risk score improvement
Wu et al. Detect repackaged android application based on http traffic similarity
CN113497797A (en) Method and device for detecting abnormality of ICMP tunnel transmission data
US12124572B2 (en) Anomalous activity detection in container images
CN112583827A (en) Data leakage detection method and device
CN106897619A (en) Mobile terminal from malicious software cognitive method and device
CN105718767B (en) information processing method and device based on risk identification
CN110378120A (en) Application programming interfaces attack detection method, device and readable storage medium storing program for executing
US11140183B2 (en) Determining criticality of identified enterprise assets using network session information
CN112688944A (en) Local area network security state detection method, device, equipment and storage medium
CN115150034A (en) Method, device and electronic device for early warning of signaling storm

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant