CN113051571A - Method and device for detecting false alarm vulnerability and computer equipment - Google Patents
Publication number: CN113051571A (application CN201911374600.3A)
Authority: CN (China)
Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Abstract
Embodiments of the invention provide a method and a device for detecting false-positive vulnerabilities, and computer equipment. The method comprises: acquiring first suspected false-positive vulnerability information; determining the security type corresponding to that information; determining the situation coefficient of the security type; and, where the situation coefficient is smaller than a first preset threshold and the difference between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold, determining that the first suspected false-positive vulnerability information is false-positive vulnerability information. The embodiments address the prior-art problem that a large amount of manpower and material resources is wasted because testers spend a large amount of time verifying the vulnerabilities in a vulnerability scanning report one by one in order to eliminate false positives, and thereby improve the efficiency of false-positive detection.
Description
Technical Field
The invention relates to the technical field of mobile communication, and in particular to a method and a device for detecting false-positive vulnerabilities, and to computer equipment.
Background
At present, the operating systems, middleware, databases and other components on which the stable operation of a service support network depends may contain security vulnerabilities. Such vulnerabilities may leak background data and, in severe cases, paralyse an important service system, so vulnerability scanning of these components is very important.
Although a vulnerability scanning tool can discover potential security hazards in the operating systems, middleware, databases and other components on which the stable operation of the service support network depends, the vulnerability scanning reports it produces may contain a considerable number of false-positive vulnerabilities.
However, verifying whether a vulnerability in a scanning report is a false positive generally requires a tester with some knowledge of vulnerability principles and of the scanner itself, which raises the demands on the tester's capability, and the tester must spend a large amount of time verifying the vulnerabilities in the report one by one to eliminate the false positives, wasting a large amount of manpower and material resources.
Disclosure of Invention
The embodiments of the invention aim to provide a method, a device and computer equipment for detecting false-positive vulnerabilities, in order to solve the prior-art problem that vulnerability scanning reports contain a large number of false-positive vulnerabilities and that a large amount of time is needed to manually verify the vulnerabilities in these reports one by one to eliminate the false positives, wasting a large amount of manpower and material resources.
In order to solve the above technical problem, the embodiment of the present invention is implemented as follows:
In a first aspect, an embodiment of the present invention provides a method for detecting a false-positive vulnerability, including:
acquiring first suspected false-positive vulnerability information;
determining a security type corresponding to the first suspected false-positive vulnerability information;
determining a situation coefficient of the security type; and
where the situation coefficient is smaller than a first preset threshold and the difference between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold, determining that the first suspected false-positive vulnerability information is false-positive vulnerability information.
In a second aspect, an embodiment of the present invention provides a device for detecting a false-positive vulnerability, including:
a first acquisition module, configured to acquire first suspected false-positive vulnerability information;
a first determining module, configured to determine a security type corresponding to the first suspected false-positive vulnerability information;
a second determining module, configured to determine a situation coefficient of the security type; and
a third determining module, configured to determine that the first suspected false-positive vulnerability information is false-positive vulnerability information where the situation coefficient is smaller than a first preset threshold and the difference between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold.
In a third aspect, an embodiment of the present invention provides a computer device including a processor, a communication interface, a memory and a communication bus; the processor, the communication interface and the memory communicate with one another through the bus; the memory stores a computer program; and the processor executes the program stored in the memory to implement the steps of the method for detecting a false-positive vulnerability according to the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method for detecting a false-positive vulnerability according to the first aspect.
In the method, device and computer equipment for detecting false positives disclosed by the embodiments of the invention, first suspected false-positive vulnerability information is acquired, the security type corresponding to it is determined, and the situation coefficient of that security type is determined; where the situation coefficient is smaller than a first preset threshold and the difference between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold, the first suspected false-positive vulnerability information is determined to be false-positive vulnerability information. By deciding, from the situation coefficient of the corresponding security type relative to the preset threshold, whether the first suspected false-positive vulnerability information is false-positive vulnerability information, the embodiments solve the prior-art problem that a large amount of time is spent manually verifying the vulnerabilities in a vulnerability scanning report one by one to eliminate false positives, wasting a large amount of manpower and material resources, and thereby improve the efficiency of false-positive detection.
Drawings
In order to illustrate the embodiments of the present invention or the prior-art technical solutions more clearly, the drawings used in describing them are briefly introduced below. The drawings show only some embodiments of the invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a first flowchart of a method for detecting a false-positive vulnerability according to an embodiment of the present invention;
Fig. 2 is a second flowchart of a method for detecting a false-positive vulnerability according to an embodiment of the present invention;
Fig. 3 is a third flowchart of a method for detecting a false-positive vulnerability according to an embodiment of the present invention;
Fig. 4 is a fourth flowchart of a method for detecting a false-positive vulnerability according to an embodiment of the present invention;
Fig. 5 is a fifth flowchart of a method for detecting a false-positive vulnerability according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of the module composition of a device for detecting a false-positive vulnerability according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a method and a device for detecting a false alarm vulnerability and computer equipment.
To help those skilled in the art better understand the technical solution of the present invention, the technical solution of the embodiments is described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the invention.
As shown in Fig. 1, the executing entity of the method may be a server, which may be an independent server or a cluster of multiple servers, and which is capable of detecting whether vulnerability information in an acquired vulnerability scanning report is false-positive vulnerability information; the method therefore automates the detection of false positives in vulnerability scanning reports. The method may specifically comprise the following steps:
In S101, first suspected false-positive vulnerability information is acquired.
The first suspected false-positive vulnerability information may be one suspected false positive among the multiple vulnerability entries contained in the acquired vulnerability scanning report. The vulnerability scanning report may be the scanning result produced by a third-party vulnerability scanning tool. For example, it may be the network vulnerability scanning result obtained by a network vulnerability scanner scanning a specified network interface of the scanned device; the database scanning result obtained by a database vulnerability scanner scanning the scanned device's database; the result obtained by an operating system vulnerability scanner scanning the scanned device's operating system; the result obtained by a host vulnerability scanner scanning the scanned device's host; or the result obtained by a middleware vulnerability scanner scanning the scanned device's middleware.
In implementation, the operating systems, middleware, databases and other components on which the stable operation of the service support network depends may contain security vulnerabilities, which may leak background data and, in severe cases, bring down an important service system, so vulnerability scanning of these components is very important. At present, a vulnerability scanning tool can find the potential security hazards in these components, but the vulnerability scanning reports it produces may contain a considerable number of false-positive vulnerabilities. Verifying whether a vulnerability in a scanning report is a false positive generally requires a tester with some knowledge of vulnerability principles and of the scanner itself, which raises the demands on the tester's capability, and the tester must spend a large amount of time verifying the vulnerabilities in the report one by one, wasting a large amount of manpower and material resources. The embodiments of the present invention therefore provide a technical solution to these problems, described below.
Taking as an example the case in which the server acquires the first suspected false-positive vulnerability information through a third-party vulnerability scanning tool: the server may obtain the address information of the tool in advance and use it to send the tool an instruction to provide a scanning report; on receiving the instruction, the tool returns to the server the vulnerability scanning report generated by scanning the scanned device. The server then analyses and processes the acquired report and screens out the first suspected false-positive vulnerability information.
In S102, a security type corresponding to the first suspected false positive vulnerability information is determined.
The security types comprise one or more of code types, configuration types, password types, communication types and attack types.
In implementation, the server may obtain, according to the address information of the scanned device in the acquired vulnerability scanning report, the data packets related to each service process occurring on the server within a preset time period, and from these service-related packets obtain the packets corresponding to the code class, configuration class, password class, communication class and attack class. Then, according to the identification information of the first suspected false-positive vulnerability information, the server finds the corresponding vulnerability description information in the acquired vulnerability scanning report and analyses it to obtain the security type corresponding to the first suspected false-positive vulnerability information.
In S103, the situation coefficient of the security type is determined.
The situation coefficient reflects the influence, in the current network, of the security type corresponding to the first suspected false-positive vulnerability information. A smaller situation coefficient indicates a lower probability that this security type presents a network security threat, that is, a lower probability that the scanned object will be attacked; a larger situation coefficient indicates a higher probability of such a threat, that is, a higher probability that the scanned object will be attacked.
In implementation, after determining the security type corresponding to the first suspected false-positive vulnerability information, the server may determine the adhesion degree of the data packets corresponding to that security type from the similarity between every two of the acquired packets of that type and from their number, and then determine the situation coefficient of the security type from the adhesion degree.
In S104, when the situation coefficient is smaller than a first preset threshold and a difference between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold, the first suspected false-positive vulnerability information is determined as false-positive vulnerability information.
The first vulnerability characteristic value may be a characteristic value obtained by analyzing and calculating vulnerability characteristics of the first suspected false-positive vulnerability information. The vulnerability characteristics of the first suspected false positive vulnerability information may be vulnerability characteristics obtained through vulnerability scanning reports. The second vulnerability characteristic value may be a characteristic value obtained by analyzing and calculating vulnerability characteristics in the data packet corresponding to the security type.
In implementation, since the situation coefficient reflects the influence of the security type in the current network, a situation coefficient greater than the first preset threshold indicates a higher probability that the security type presents a network security threat, that is, a higher probability that the scanned object will be attacked; in that case, to avoid unnecessary loss, the first suspected false-positive vulnerability is treated as genuine vulnerability information. A situation coefficient smaller than the first preset threshold indicates a low probability of a network security threat from that security type; in that case, to further reduce false positives, the first vulnerability characteristic of the first suspected false-positive vulnerability information and the second vulnerability characteristic of the data packets corresponding to the security type are analysed to judge whether they deviate too much from one another, and if the deviation is judged to be large, the first suspected false-positive vulnerability information can be determined to be false-positive vulnerability information.
Specifically, the deviation between the first and second vulnerability characteristics may be determined as follows: the first vulnerability characteristic is processed by a first preset algorithm to obtain its characteristic value, the first vulnerability characteristic value; the second vulnerability characteristic is processed by a second preset algorithm to obtain its characteristic value, the second vulnerability characteristic value. The first and second preset algorithms may be the same or different.
In this method for detecting false-positive vulnerabilities, first suspected false-positive vulnerability information is acquired, the security type corresponding to it is determined, and the situation coefficient of that security type is determined; where the situation coefficient is smaller than a first preset threshold and the difference between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold, the first suspected false-positive vulnerability information is determined to be false-positive vulnerability information. By deciding, from the situation coefficient of the corresponding security type relative to the preset threshold, whether the first suspected false-positive vulnerability information is false-positive vulnerability information, the embodiment solves the prior-art problem that a large amount of time is spent manually verifying the vulnerabilities in a vulnerability scanning report one by one to eliminate false positives, wasting a large amount of manpower and material resources, and thereby improves the efficiency of false-positive detection.
As shown in Fig. 2, S102 may be processed in various ways; one alternative is given below, in S1021 to S1024.
In S1021, vulnerability description information of the first suspected false positive vulnerability information is obtained.
The vulnerability description information may be description information corresponding to first suspected false-positive vulnerability information in the obtained vulnerability scanning report. The vulnerability description information may include: version information of the scanned object, vulnerability type information, vulnerability generation reason information, vulnerability existence position information, which ways an attacker may utilize the vulnerability, and information of influences on a system and user software.
In implementation, the server may search, according to the obtained identification information of the first suspected false-positive vulnerability information, vulnerability description information corresponding to the identification information of the first suspected false-positive vulnerability information in a vulnerability scanning report.
In S1022, semantic analysis is performed on the vulnerability description information to obtain an analysis result.
In implementation, for example, after acquiring the vulnerability description information of first suspected false-positive vulnerability information i through S1021, the server may perform semantic analysis on the vulnerability description information to obtain an analysis result.
in S1023, the analysis result is matched with the plurality of security types, and the matching degrees with the plurality of security types are obtained.
In practice, the matching degree between the analysis result and each security type can be calculated by a formula in which A_ij represents the matching degree between the analysis result of the first suspected false-positive vulnerability information i and security type j, W_ij represents the degree of association between the device type in the first suspected false-positive vulnerability information i and security type j (which can be obtained through big-data cluster analysis), and X_i is the weight of the risk level in the first suspected false-positive vulnerability information i.
It should be noted that the vulnerability scanning report acquired by the server carries a risk level corresponding to the first suspected false positive vulnerability information, where the risk level may be a risk degree of the scanned object being maliciously attacked due to the existence of the first suspected false positive vulnerability information. The risk level may be represented by high, medium, low. The risk level is high, which indicates that the scanned object has a higher risk degree of being maliciously attacked due to the existence of the first suspected false positive vulnerability information. The risk level is medium, which indicates that the risk degree of the scanned object being maliciously attacked due to the existence of the first suspected false alarm vulnerability information is general. The risk level is low, which indicates that the scanned object has a low risk degree of being maliciously attacked due to the existence of the first suspected false positive vulnerability information. The weights corresponding to the above risk levels can be shown in table 1:
TABLE 1
Risk level | Weight
High | W_ij
Medium | 0.6 * W_ij
Low | 0.1 * W_ij
In S1024, the security type with the highest matching degree is determined as the security type corresponding to the first suspected false positive vulnerability information.
In implementation, through the processing of S1023 the server matches the obtained analysis result against the code class, configuration class, password class, communication class, design class and attack class respectively; if, for example, the matching degree is 40% with the code class, 90% with the configuration class, 50% with the password class, 60% with the communication class, 70% with the design class and 80% with the attack class, the security type with the highest matching degree (here, the configuration class) is determined to be the security type corresponding to the first suspected false-positive vulnerability information.
As shown in Fig. 3, S103 may be processed in various ways; one alternative is given below, in S1031 to S1035.
S1031, obtaining the scanned device information corresponding to the first suspected false-positive vulnerability information.
The scanned device information may be address information (e.g., IP address information) of the scanned device.
In implementation, the server may obtain, according to the identification information of the first suspected false-positive vulnerability information, address information of the scanned device corresponding to the identification information of the first suspected false-positive vulnerability information in the obtained vulnerability scanning report.
S1032, a plurality of first data packets generated in the interaction process between the scanned device and the network within the preset time period are obtained.
The first data packet is a data packet related to each service generated in the interaction process of the scanned device and the network.
In implementation, after the server obtains the address information of the scanned device corresponding to the first suspected false alarm vulnerability information through the processing in S1031, the server may obtain, according to the obtained address information, a plurality of first data packets generated during the interaction process between the scanned device and the network in a preset time period from the scanned device.
It should be noted that, in order to ensure accurate determination of the subsequently obtained situation coefficient, a plurality of first data packets generated in the interaction process between the scanned device and the network need to be acquired within a preset time period before the current time.
S1033, a plurality of second packets corresponding to the security type are screened out from the plurality of acquired first packets.
In implementation, the server may screen the plurality of first packets acquired through S1032 according to security type, for example according to the code class, configuration class, password class, communication class and attack class, and so obtain the second packets corresponding to each of these classes.
S1034, determining the adhesion degree between the plurality of second data packets.
Wherein, the adhesion degree is the similarity between every two data packets.
In implementation, after the server screens out the plurality of second packets corresponding to the security types through the processing in S1033, the adhesion degree between the second packets may be determined for the plurality of second packets corresponding to each security type.
Specifically, taking the configuration class as the security type: let the number of second packets corresponding to the configuration class be j, and let each second packet have M features, where a feature may be, for example, the packet size or the packet length of the second packet. The adhesion degree is the sum of the similarities between every two second packets divided by j. The similarity between any two second packets u and v is the sum of the ratios of their corresponding features:
similarity(u, v) = (feature 1 of u / feature 1 of v) + (feature 2 of u / feature 2 of v) + ... + (feature M of u / feature M of v).
The configuration class similarity mean is calculated from the similarities between every two second packets of the configuration class observed historically, or is a preset value defined in advance.
S1035, determining a situation coefficient of the security type based on the adhesion degree.
In an implementation, after the server determines the adhesion degree between the plurality of second packets corresponding to the security type through the processing of S1034, the server may determine the situation coefficient of the security type based on the adhesion degree.
Specifically, taking the configuration class as the security type, the situation coefficient of the security type is given by a formula (not reproduced in this text) in which T1 is the adhesion degree between packets in the configuration class, a second term is the loss rate of the second data packets in the configuration class, and σ1 is a preset influence factor.
As shown in fig. 4, before the step S101 of acquiring the first suspected false positive vulnerability information, the following steps S001 to S005 are also included.
S001, acquiring a vulnerability scanning report, wherein the vulnerability scanning report comprises: at least one of address information of a scanned device, a device type of the scanned device, vulnerability description information, and scanned object related information, where the scanned object related information includes: at least one of operating system version information, middleware version information, database version information, and software version information.
It should be noted that the content of the vulnerability scanning report obtained by the server is related to a third-party vulnerability scanning tool, and the content in the vulnerability scanning report is not specifically limited in this specification, but at least includes at least one of address information (such as an IP address) of a scanned device, a device type, a risk level, a vulnerability identification, vulnerability discovery time, vulnerability description information, and scanned object related information, where the scanned object related information includes: at least one of operating system version information, middleware version information, database version information, and software version information.
And S002, acquiring characteristic information of the scanned device according to the address information of the scanned device, wherein the characteristic information of the scanned device at least comprises the related information of the scanned object.
In implementation, the server may obtain address information and an authorized account of the scanned device in the vulnerability scanning report according to the identification information of the first suspected false-positive vulnerability, and log in the scanned device corresponding to the first suspected false-positive vulnerability information to obtain the feature information of the scanned device. Alternatively, the scanned device feature information may be acquired by means of a preset script.
It should be noted that the obtained scanned device characteristic information may be the same as or different from the content of the scanned object related information corresponding to the first suspected false positive vulnerability information, but the scanned device characteristic information is not less than the content of the scanned object related information corresponding to the first suspected false positive vulnerability information.
And S003, under the condition that the characteristic information of the scanned equipment is not matched with the related information of the scanned object in the vulnerability scanning report, determining the vulnerability information corresponding to the related information of the scanned object in the vulnerability scanning report as first false alarm vulnerability information.
And S004, screening out a vulnerability misinformation rule matched with the first misinformation vulnerability information from a vulnerability misinformation rule base.
Before this step is executed, the method further includes establishing a vulnerability false-positive rule base, which can serve as the basis for quickly locating which vulnerability information is false-positive vulnerability information in the subsequent process.
Specifically, the vulnerabilities on the service support network side mainly concern the following: hosts (Redhat, HP-UX, AIX, SUSE, CentOS, etc.), databases (Oracle, Mysql), middleware (Websphere, Tomcat), etc. Therefore, a vulnerability false-positive rule base that depends on the CVE and takes the operating system, software version, repair package and patch set version as rules can be established according to the way security vulnerabilities in the operating system, database and middleware are repaired and according to the security patch, patch set and repair package information officially released for the operating system, database and middleware. The specific steps are as follows:
Vulnerability information, vulnerability characteristics and the repaired version are acquired from the official vulnerability disclosure page of the operating system vendor. Vulnerability false-positive screening knowledge bases at different levels are built according to three criteria: false positives across different operating systems, false positives across different versions of the same operating system, and false positives within the same version of the same operating system; vulnerability false-positive rules are then built from the vulnerability characteristics and the repaired version.
Specifically, the operating system vulnerability false-positive rules may be: for the Redhat operating system, three rules, "CVE number + operating system type", "CVE number + operating system version" and "CVE number + operating system version + software version", are established on the basis of the vulnerability impact range and repaired version officially released by Red Hat. Alternatively, the "CVE number + operating system version + software version" rule may be determined for the HP-UX operating system. Alternatively, a "CVE number + operating system type" rule may be determined for the AIX operating system. The database (Oracle) vulnerability false-positive rule may take a database patch set + CVE number set as the rule. The middleware (Websphere) vulnerability false-positive rule may take a middleware repair package + middleware version number + CVE number set as the rule. In addition, the vulnerability false-positive rules can be updated subsequently according to vulnerability scanning results and official releases.
In implementation, after the server determines the vulnerability information corresponding to the scanned object related information as the first false-positive vulnerability information through the processing of the above S003, a vulnerability false-positive rule matching the first false-positive vulnerability information can be screened out from the vulnerability false-positive rule base.
Specifically, because the first false-positive vulnerability information carries CVE number information, the server may screen out a vulnerability false-positive rule matched with the first false-positive vulnerability information from a vulnerability false-positive rule base according to the CVE number information in the first false-positive vulnerability information, where the vulnerability false-positive rule may be a plurality of vulnerability false-positive rules identical to the CVE number information.
And S005, under the condition that the scanned equipment characteristic information is not matched with the bug false alarm rule, determining the first false alarm bug information as the first suspected false alarm bug information.
In implementation, after the server screens out a bug false-positive rule matching the first false-positive bug information in the bug false-positive rule base through the processing of the above S004, the server may match the feature information of the scanned device with the screened bug false-positive rule, and may determine the first false-positive bug information as the first suspected false-positive bug information when the feature information of the scanned device is not matched with the bug false-positive rule.
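As an added example (not code from the patent), the rule base shapes described above and the S003 to S005 triage of a scan report against them, written in Python. All CVE numbers, addresses, versions, patch sets and repair packages are constructed placeholders, and the rule base is a small hand-built list rather than one derived from vendor advisories. One reading that the page supports (the rule base is "a basis for quickly locating" false positives) is that a finding matched by a rule is a false positive located by the rule base; that branch is labelled as such:

```python
"""Added example, not part of the patent: a minimal vulnerability false-positive
rule base and the S003-S005 triage of a scan report against it.
CVE numbers, hosts, versions and patch identifiers are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# "Scanned object related information" fields a scan report may carry; they must
# agree with what is actually found on the scanned device (S003).
SCANNED_OBJECT_FIELDS = ("os_type", "os_version", "middleware_version",
                         "database_version", "software_version")


@dataclass(frozen=True)
class FalsePositiveRule:
    """One rule of the false-positive rule base, keyed by CVE number.
    A field left as None is not checked, so the 'CVE + OS type',
    'CVE + OS version', 'CVE + OS version + software version', Oracle
    'patch set + CVE' and Websphere 'repair package + version + CVE'
    rule shapes all share this one structure."""
    cve: str
    os_type: Optional[str] = None
    os_version: Optional[str] = None
    software_version: Optional[str] = None
    patch_set: Optional[str] = None        # database (Oracle) style rule
    repair_package: Optional[str] = None   # middleware (Websphere) style rule

    def matches(self, device: Dict[str, str]) -> bool:
        """True when every constrained field equals the scanned device's feature info."""
        for name in ("os_type", "os_version", "software_version",
                     "patch_set", "repair_package"):
            want = getattr(self, name)
            if want is not None and device.get(name) != want:
                return False
        return True


# Constructed rule base (placeholder CVE ids, not real advisories).
RULE_BASE: List[FalsePositiveRule] = [
    FalsePositiveRule("CVE-0000-0001", os_type="Redhat"),                    # CVE + OS type
    FalsePositiveRule("CVE-0000-0001", os_type="Redhat", os_version="7.9"),  # CVE + OS version
    FalsePositiveRule("CVE-0000-0002", os_type="HP-UX", os_version="11.31",
                      software_version="2.4.1"),                             # CVE + OS ver + sw ver
    FalsePositiveRule("CVE-0000-0003", patch_set="PSU-2019-10"),             # Oracle patch set + CVE
    FalsePositiveRule("CVE-0000-0004", repair_package="FP-12",
                      software_version="8.5.5"),                             # Websphere repair pkg
]


def scanned_object_mismatch(report_entry: Dict[str, str], device: Dict[str, str]) -> bool:
    """S003: does the report's scanned-object info disagree with the device's real
    features? Only fields the report actually carries are compared."""
    return any(name in report_entry and report_entry[name] != device.get(name)
               for name in SCANNED_OBJECT_FIELDS)


def rules_for(cve: str, rule_base: List[FalsePositiveRule]) -> List[FalsePositiveRule]:
    """S004: screen the rule base by the CVE number carried in the finding."""
    return [r for r in rule_base if r.cve == cve]


def triage(report_entry: Dict[str, str], device: Dict[str, str],
           rule_base: List[FalsePositiveRule] = RULE_BASE) -> str:
    """Returns one of:
      'consistent'               - S003 found no mismatch; not a first false positive
      'rule_matched'             - a rule matches the device (located by the rule base)
      'suspected_false_positive' - S005: no rule matched; hand over to S101 onward"""
    if not scanned_object_mismatch(report_entry, device):
        return "consistent"
    if any(rule.matches(device) for rule in rules_for(report_entry["cve"], rule_base)):
        return "rule_matched"
    return "suspected_false_positive"


# Constructed scan report and device feature info (as obtained by logging in or by script).
SCAN_REPORT = [
    {"ip": "10.0.0.5", "device_type": "host", "cve": "CVE-0000-0001",
     "risk_level": "high", "os_type": "Redhat", "os_version": "7.6"},
    {"ip": "10.0.0.6", "device_type": "host", "cve": "CVE-0000-0002",
     "risk_level": "middle", "os_type": "HP-UX", "os_version": "11.23"},
    {"ip": "10.0.0.7", "device_type": "database", "cve": "CVE-0000-0003",
     "risk_level": "high", "database_version": "12.1"},
]
DEVICE_FEATURES = {
    "10.0.0.5": {"os_type": "Redhat", "os_version": "7.9"},
    "10.0.0.6": {"os_type": "HP-UX", "os_version": "11.31", "software_version": "2.4.0"},
    "10.0.0.7": {"database_version": "12.1", "patch_set": "PSU-2019-07"},
}


def triage_report(report=SCAN_REPORT, devices=DEVICE_FEATURES) -> Dict[str, str]:
    """Run S003-S005 over every finding; key is '<ip>/<cve>'."""
    return {f"{e['ip']}/{e['cve']}": triage(e, devices[e["ip"]]) for e in report}


if __name__ == "__main__":
    for key, outcome in triage_report().items():
        print(key, "->", outcome)
```

The wildcard representation matters in practice: a "CVE + operating system type" rule with only `os_type` set will match every device of that type, so rules of that shape should only be created when the vendor's published impact range really excludes the whole platform, as the text requires.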
As shown in fig. 5, after determining the situation coefficient of the security type in S103, the following processing procedures from S105 to S108 are also included.
In S105, a first support degree of the first suspected false positive vulnerability information is determined according to the situation coefficient of the security type.
The first support degree refers to the probability that the first suspected false-positive vulnerability information is false-positive vulnerability information.
Considering that different devices carry different security risks for the same security type, this specification takes the association among device type, security type and security risk fully into account when determining the security type, so that the method provided herein is more consistent with the real situation of the vulnerability scanning object and the accuracy of vulnerability false-positive screening is improved.
In implementation, after determining the situation coefficient of the security type through the processing in S103, the server may determine first weight information of the first suspected false-positive vulnerability information according to the risk level of the first suspected false-positive vulnerability information; and then, determining a first support degree of the first suspected false-positive vulnerability information according to first weight information of the first suspected false-positive vulnerability information, a first association degree between the equipment type corresponding to the first suspected false-positive vulnerability information and the security type corresponding to the first suspected false-positive vulnerability information, and a situation coefficient of the security type corresponding to the first suspected false-positive vulnerability information. The risk level may be a risk degree of the scanned object being attacked due to the existence of the first suspected false positive vulnerability information.
Specifically, the vulnerability false-positive information further includes a risk level of the vulnerability information, and the server may determine the risk level of the first suspected false-positive vulnerability information according to its identification information, and determine the first weight information $X_i$ of the first suspected false-positive vulnerability information according to the correspondence between risk level and weight in Table 1. Then, according to the first weight information $X_i$, a first association degree W1 between the device type corresponding to the first suspected false-positive vulnerability information and the security type corresponding to it, and the situation coefficient S of that security type, the server determines a first support degree R1 of the first suspected false-positive vulnerability information (the formula relating R1 to $X_i$, W1 and S is not reproduced in this text). The first weight information $X_i$ follows Table 1: when the risk level is high, $X_i$ is $W_{ij}$; when the risk level is middle, $X_i$ is $0.6\,W_{ij}$; when the risk level is low, $X_i$ is $0.1\,W_{ij}$.
In S106, second suspected false alarm vulnerability information of the scanned device is determined according to the obtained characteristic information of the scanned device and the vulnerability false alarm rule.
In consideration of the fact that the scanned device may have a vulnerability risk, which may affect the accuracy of determining whether the first suspected false-positive vulnerability information is false-positive vulnerability information, the server also needs to determine the second suspected false-positive vulnerability information existing in the scanned device.
In implementation, the server determines second suspected false-positive vulnerability information of the scanned device according to the acquired feature information of the scanned device and vulnerability description information of the vulnerability false-positive rule.
In S107, a second support degree of the second suspected false positive vulnerability information is determined.
The second support degree may be a probability that the scanned device has a vulnerability (a second suspected false positive vulnerability).
In implementation, the server may determine a risk level of the second suspected false-positive vulnerability information according to the obtained scanned device feature information and the vulnerability description information of the vulnerability false-positive rule, determine second weight information of the second suspected false-positive vulnerability information according to the risk level, and then determine a second support degree of the second suspected false-positive vulnerability information according to the second weight information and a second association degree between the device type of the scanned device and the security type corresponding to the second suspected false-positive vulnerability information.
Specifically, the server may determine the risk level of the second suspected false-positive vulnerability information according to the acquired feature information of the scanned device and the vulnerability description information of the vulnerability false-positive rule, and determine the second weight information $X_i$ of the second suspected false-positive vulnerability information according to the correspondence between risk level and weight in Table 1. Then, according to the second weight information $X_i$ and a second association degree W2 between the device type of the scanned device and the security type corresponding to the second suspected false-positive vulnerability information, the server determines a second support degree R2 of the second suspected false-positive vulnerability information (the formula relating R2 to $X_i$ and W2 is not reproduced in this text). The second weight information $X_i$ follows Table 1: when the risk level is high, $X_i$ is $W_{ij}$; when the risk level is middle, $X_i$ is $0.6\,W_{ij}$; when the risk level is low, $X_i$ is $0.1\,W_{ij}$.
In S108, when it is detected that the first support degree and the second support degree satisfy the preset rule, it is determined that the first suspected false positive vulnerability information is false positive vulnerability information.
In an implementation, when the server detects that the second support degree R2 and the first support degree R1 satisfy R2 < α × R1, the first suspected false-positive vulnerability information may be determined to be false-positive vulnerability information, where α is a preset false-positive rate coefficient.
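As an added example (not code from the patent), the S105 to S108 decision in Python. The page states the risk-level weighting of Table 1 ($W_{ij}$, $0.6\,W_{ij}$, $0.1\,W_{ij}$) and the preset rule R2 < α × R1, but the formulas combining $X_i$, W1, W2 and S into R1 and R2 are not reproduced in this text, so the products used below are an assumption, as are the base weights, the device-type to security-type association matrix and α:

```python
"""Added example, not part of the patent: support degrees R1 and R2 and the
preset rule R2 < alpha * R1 (S105-S108). The combination formulas for R1 and
R2 are ASSUMED (simple products); the weight tables are constructed."""
from typing import Dict

# From the page: X_i relative to the Table 1 base weight W_ij, by risk level.
RISK_FACTOR = {"high": 1.0, "middle": 0.6, "low": 0.1}

# Constructed stand-in for Table 1's base weights W_ij, indexed by security type.
BASE_WEIGHT = {"code": 0.7, "configuration": 0.8, "password": 0.9,
               "communication": 0.5, "attack": 1.0}

# Constructed association degree between device type and security type (W1 / W2).
ASSOCIATION: Dict[str, Dict[str, float]] = {
    "host": {"code": 0.5, "configuration": 0.8, "password": 0.6,
             "communication": 0.4, "attack": 0.7},
    "database": {"code": 0.3, "configuration": 0.7, "password": 0.9,
                 "communication": 0.5, "attack": 0.6},
}


def weight_info(risk_level: str, security_type: str) -> float:
    """X_i = factor(risk level) * W_ij, as Table 1 is described on the page."""
    return RISK_FACTOR[risk_level] * BASE_WEIGHT[security_type]


def first_support(x_i: float, w1: float, situation: float) -> float:
    """R1 from X_i, W1 and the situation coefficient S. ASSUMED combination: product."""
    return x_i * w1 * situation


def second_support(x_i: float, w2: float) -> float:
    """R2 from X_i and W2. ASSUMED combination: product."""
    return x_i * w2


def is_false_positive(r1: float, r2: float, alpha: float) -> bool:
    """S108 preset rule as stated on the page: R2 < alpha * R1."""
    return r2 < alpha * r1


def decide(first: Dict[str, str], second: Dict[str, str],
           situation: float, alpha: float) -> Dict[str, object]:
    """first: the first suspected false-positive finding (risk_level, security_type,
    device_type); second: the second suspected finding present on the same device."""
    dev = first["device_type"]
    x1 = weight_info(first["risk_level"], first["security_type"])
    r1 = first_support(x1, ASSOCIATION[dev][first["security_type"]], situation)
    x2 = weight_info(second["risk_level"], second["security_type"])
    r2 = second_support(x2, ASSOCIATION[dev][second["security_type"]])
    return {"R1": r1, "R2": r2, "false_positive": is_false_positive(r1, r2, alpha)}


# Constructed findings on one host.
FIRST = {"device_type": "host", "risk_level": "high", "security_type": "configuration"}
SECOND_LOW = {"device_type": "host", "risk_level": "low", "security_type": "communication"}
SECOND_HIGH = {"device_type": "host", "risk_level": "high", "security_type": "attack"}

if __name__ == "__main__":
    print(decide(FIRST, SECOND_LOW, situation=0.5, alpha=0.5))
    print(decide(FIRST, SECOND_HIGH, situation=0.5, alpha=0.5))
```

With these constructed numbers the first case (a low-risk second finding) yields R1 = 0.32 and R2 = 0.02, so the rule holds and the first finding is judged a false positive; a high-risk attack-class second finding on the same host raises R2 to 0.7 and the judgement flips, which is the effect S106 and S107 are there to capture.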
As can be seen from the technical solutions provided in the embodiments of the present specification, a security type corresponding to first suspected false-positive vulnerability information is determined by obtaining the first suspected false-positive vulnerability information, and a situation coefficient of the security type is determined; and under the condition that the situation coefficient is smaller than a first preset threshold value and the difference value between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold value, determining the first suspected false-positive vulnerability information as false-positive vulnerability information. According to the embodiment of the invention, under the condition that the situation coefficient of the security type corresponding to the first suspected false-positive vulnerability information is larger than the preset threshold value, the method for determining the first suspected false-positive vulnerability information as the false-positive vulnerability information solves the problem that in the prior art, a large amount of time is spent on manually verifying the vulnerabilities in the vulnerability scanning report one by one to eliminate the false-positive vulnerabilities, so that a large amount of manpower and material resources are wasted, and the detection efficiency of the false-positive vulnerabilities is further improved.
Based on the same technical concept as the detection method for the false alarm bug provided by the above embodiment, an embodiment of the present invention further provides a detection device for the false alarm bug. Fig. 6 is a schematic diagram of the modules of the detection device for the false alarm bug provided by the embodiment of the present invention; the device is used for executing the detection method for the false alarm bug described in fig. 1 to 5. As shown in fig. 6, the detection device for the false alarm bug comprises:
a first obtaining module 601, configured to obtain first suspected false-positive vulnerability information;
a first determining module 602, configured to determine a security type corresponding to the first suspected false positive vulnerability information;
a second determining module 603, configured to determine a situation coefficient of the security type;
a third determining module 604, configured to determine that the first suspected false-positive vulnerability information is false-positive vulnerability information when the situation coefficient is smaller than a first preset threshold and a difference between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is greater than a second preset threshold.
Optionally, the first determining module 602 includes:
a first obtaining unit, configured to obtain vulnerability description information of the first suspected false-positive vulnerability information;
the analysis unit is used for carrying out semantic analysis on the vulnerability description information to obtain an analysis result;
the matching unit is used for matching the analysis result with a plurality of security types to obtain the matching degree with the plurality of security types;
and the first determining unit is used for determining the security type with the highest matching degree as the security type corresponding to the first suspected false positive vulnerability information.
Optionally, the second determining module 603 includes:
a second obtaining unit, configured to obtain scanned device information corresponding to the first suspected false positive vulnerability information;
the third acquisition unit is used for acquiring a plurality of first data packets generated in the interaction process of the scanned equipment and the network within a preset time period;
the screening unit is used for screening a plurality of second data packets corresponding to the security types from the plurality of acquired first data packets;
a second determining unit configured to determine a degree of adhesion between the plurality of second packets;
and the third determining unit is used for determining the situation coefficient of the safety type based on the adhesion degree.
Optionally, the apparatus further comprises:
a second obtaining module, configured to obtain a vulnerability scanning report, where the vulnerability scanning report includes: at least one of address information of a scanned device, a device type of the scanned device, vulnerability description information, and scanned object related information, where the scanned object related information includes: at least one of operating system version information, middleware version information, database version information and software version information;
a third obtaining module, configured to obtain feature information of the scanned device according to address information of the scanned device, where the feature information of the scanned device at least includes information related to the scanned object;
a fourth determining module, configured to determine vulnerability information corresponding to the scanned object related information in the vulnerability scanning report as first false-positive vulnerability information when the scanned device feature information does not match the scanned object related information in the vulnerability scanning report;
the screening module is used for screening a vulnerability false alarm rule matched with the first false alarm vulnerability information from a vulnerability false alarm rule base;
and the fifth determining module is used for determining the first false alarm vulnerability information as first suspected false alarm vulnerability information under the condition that the scanned equipment characteristic information is not matched with the vulnerability false alarm rule.
Optionally, the apparatus further comprises:
a sixth determining module, configured to determine, according to the situation coefficient of the security type, a first support degree of the first suspected false positive vulnerability information;
a seventh determining module, configured to determine second suspected false alarm vulnerability information of the scanned device according to the acquired feature information of the scanned device and the vulnerability false alarm rule;
an eighth determining module, configured to determine a second support degree of the second suspected false positive vulnerability information;
and the ninth determining module is used for determining the first suspected false alarm vulnerability information as false alarm vulnerability information under the condition that the first support degree and the second support degree are detected to meet a preset rule.
Optionally, the vulnerability false-positive rule includes a risk level of vulnerability information, and the sixth determining module includes:
a fourth determining unit, configured to determine, according to the risk level of the first suspected false positive vulnerability information, first weight information of the first suspected false positive vulnerability information;
a fifth determining unit, configured to determine a first support degree of the first suspected false positive vulnerability information according to first weight information of the first suspected false positive vulnerability information, a first association degree between a device type corresponding to the first suspected false positive vulnerability information and a security type corresponding to the first suspected false positive vulnerability information, and a situation coefficient of the security type corresponding to the first suspected false positive vulnerability information.
Optionally, the eighth determining module includes:
a sixth determining unit, configured to determine a risk level of the second suspected false-positive vulnerability information according to the acquired feature information of the scanned device and vulnerability description information of the vulnerability false-positive rule;
a seventh determining unit, configured to determine, according to the risk level, second weight information of the second suspected false positive vulnerability information;
an eighth determining unit, configured to determine a second support degree of the second suspected false positive vulnerability information according to the second weight information, a second association degree between the device type of the scanned device and the security type corresponding to the second suspected false positive vulnerability information.
The detection device for the false alarm bug provided by the embodiment of the invention can realize each process in the embodiment corresponding to the detection method for the false alarm bug, and is not repeated here for avoiding repetition.
It should be noted that the detection apparatus for a false alarm bug according to the embodiment of the present invention and the detection method for a false alarm bug according to the embodiment of the present invention are based on the same inventive concept, and therefore specific implementation of the embodiment may refer to implementation of the detection method for a false alarm bug, and repeated details are not described herein.
Based on the same technical concept, an embodiment of the present invention further provides a computer device for executing the method for detecting a false alarm bug; fig. 7 is a schematic structural diagram of a computer device implementing the embodiments of the present invention. As shown in fig. 7, computer devices may vary widely in configuration or performance and may include one or more processors 701 and a memory 702, in which one or more application programs or data are stored. Memory 702 may be transient storage or persistent storage. The application program stored in memory 702 may include one or more modules (not shown), each of which may include a series of computer-executable instructions for the computer device. Further, the processor 701 may be configured to communicate with the memory 702 and execute the series of computer-executable instructions in memory 702 on the computer device. The computer device may also include one or more power supplies 703, one or more wired or wireless network interfaces 704, one or more input/output interfaces 705, and one or more keyboards 706.
In this embodiment, the computer device includes a processor, a communication interface, a memory, and a communication bus; the processor, the communication interface and the memory complete mutual communication through a bus; the memory is used for storing a computer program; the processor is used for executing the program stored in the memory and realizing the following method steps:
acquiring first suspected false alarm vulnerability information;
determining a security type corresponding to the first suspected false positive vulnerability information;
determining a situation coefficient of the security type;
and under the condition that the situation coefficient is smaller than a first preset threshold value and the difference value between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold value, determining that the first suspected false-positive vulnerability information is false-positive vulnerability information.
An embodiment of the present application further provides a computer-readable storage medium, in which a computer program is stored, and when executed by a processor, the computer program implements the following method steps:
acquiring first suspected false alarm vulnerability information;
determining a security type corresponding to the first suspected false positive vulnerability information;
determining a situation coefficient of the security type;
and under the condition that the situation coefficient is smaller than a first preset threshold value and the difference value between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold value, determining that the first suspected false-positive vulnerability information is false-positive vulnerability information.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
Claims (10)
1. A method for detecting a false-positive vulnerability, characterized by comprising the following steps:
acquiring first suspected false-positive vulnerability information;
determining a security type corresponding to the first suspected false positive vulnerability information;
determining a situation coefficient of the security type;
and under the condition that the situation coefficient is smaller than a first preset threshold value and the difference value between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold value, determining that the first suspected false-positive vulnerability information is false-positive vulnerability information.
2. The method of claim 1, wherein the determining a security type corresponding to the first suspected false positive vulnerability information comprises:
acquiring vulnerability description information of the first suspected false-positive vulnerability information;
performing semantic analysis on the vulnerability description information to obtain an analysis result;
matching the analysis result with a plurality of security types to obtain the matching degree of the plurality of security types;
and determining the security type with the highest matching degree as the security type corresponding to the first suspected false positive vulnerability information.
3. The method of claim 1, wherein the determining the situation coefficient of the security type comprises:
acquiring scanned device information corresponding to the first suspected false-positive vulnerability information;
acquiring a plurality of first data packets generated during interaction between the scanned device and the network within a preset time period;
screening, from the acquired plurality of first data packets, a plurality of second data packets corresponding to the security type;
determining a degree of adhesion between the plurality of second data packets;
and determining the situation coefficient of the security type according to the degree of adhesion.
4. The method of claim 1, further comprising, before the obtaining the first suspected false positive vulnerability information:
obtaining a vulnerability scanning report, wherein the vulnerability scanning report comprises at least one of: address information of a scanned device, a device type of the scanned device, vulnerability description information, and scanned object related information, where the scanned object related information includes at least one of: operating system version information, middleware version information, database version information and software version information;
acquiring scanned device feature information according to the address information of the scanned device, wherein the scanned device feature information at least comprises the scanned object related information;
under the condition that the scanned device feature information does not match the scanned object related information in the vulnerability scanning report, determining the vulnerability information corresponding to that scanned object related information in the vulnerability scanning report as first false-positive vulnerability information;
screening, from a vulnerability false-positive rule base, a vulnerability false-positive rule matching the first false-positive vulnerability information;
and under the condition that the scanned device feature information does not match the vulnerability false-positive rule, determining the first false-positive vulnerability information as first suspected false-positive vulnerability information.
5. The method of claim 4, further comprising, after said determining the situation coefficient of the security type:
determining a first support degree of the first suspected false-positive vulnerability information according to the situation coefficient of the security type;
determining second suspected false-positive vulnerability information of the scanned device according to the acquired scanned device feature information and the vulnerability false-positive rule;
determining a second support degree of the second suspected false positive vulnerability information;
and under the condition that the first support degree and the second support degree are detected to meet a preset rule, determining that the first suspected false-positive vulnerability information is false-positive vulnerability information.
6. The method according to claim 5, wherein the vulnerability false-positive rule includes risk levels of vulnerability information, and the determining the first support degree of the first suspected false-positive vulnerability information according to the situation coefficient of the security type includes:
determining first weight information of the first suspected false positive vulnerability information according to the risk level of the first suspected false positive vulnerability information;
and determining a first support degree of the first suspected false-positive vulnerability information according to first weight information of the first suspected false-positive vulnerability information, a first association degree between a device type corresponding to the first suspected false-positive vulnerability information and a security type corresponding to the first suspected false-positive vulnerability information, and a situation coefficient of the security type corresponding to the first suspected false-positive vulnerability information.
7. The method of claim 5, wherein the determining the second degree of support for the second suspected false positive vulnerability information comprises:
determining the risk level of the second suspected false-positive vulnerability information according to the acquired scanned device feature information and the vulnerability description information of the vulnerability false-positive rule;
determining second weight information of the second suspected false-positive vulnerability information according to the risk level;
and determining a second support degree of the second suspected false-positive vulnerability information according to the second weight information and a second association degree between the device type of the scanned device and the security type corresponding to the second suspected false-positive vulnerability information.
8. A device for detecting a false-positive vulnerability, characterized by comprising:
a first acquisition module, configured to acquire first suspected false-positive vulnerability information;
a first determining module, configured to determine a security type corresponding to the first suspected false-positive vulnerability information;
a second determining module, configured to determine a situation coefficient of the security type;
and a third determining module, configured to determine that the first suspected false-positive vulnerability information is false-positive vulnerability information under the condition that the situation coefficient is smaller than a first preset threshold value and the difference value between a first vulnerability characteristic value of the first suspected false-positive vulnerability information and a second vulnerability characteristic value corresponding to the security type is larger than a second preset threshold value.
9. An electronic device comprising a processor, a communication interface, a memory, and a communication bus; the processor, the communication interface and the memory communicate with one another through the bus; the memory is configured to store a computer program; the processor is configured to execute the program stored in the memory so as to implement the steps of the method for detecting a false-positive vulnerability according to any one of claims 1-7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program which, when executed by a processor, carries out the steps of the method for detecting a false-positive vulnerability according to any one of claims 1-7.
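The decision procedure of claims 1 and 4, together with the support degree of claim 6, as an added worked example that is not part of the patent. The thresholds, the risk-level weights, the product form of the support degree, the shape of the rule base and all sample findings, versions and identifiers are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed thresholds; the claims only call them "first/second preset threshold".
SITUATION_THRESHOLD = 0.3     # first preset threshold, applied to the situation coefficient
FEATURE_DIFF_THRESHOLD = 2.0  # second preset threshold, applied to the characteristic difference
# Constructed mapping from risk level to weight (claim 6 derives the weight from the risk level).
RISK_WEIGHT = {"low": 0.2, "medium": 0.5, "high": 0.8, "critical": 1.0}


@dataclass
class Finding:
    """One entry of a vulnerability scanning report (claim 4)."""
    vuln_id: str
    device_type: str
    security_type: str    # claim 2 derives this from the vulnerability description
    risk_level: str
    feature_value: float  # "first vulnerability characteristic value" (claim 1)
    reported: dict = field(default_factory=dict)  # scanned object related info, e.g. {"os": ...}

def version_mismatch(device_features, reported):
    """Claim 4 pre-filter: the report names an OS/middleware/database/software version
    the device does not actually run, so the finding becomes first false-positive info."""
    return any(device_features.get(k) != v for k, v in reported.items())

def rule_matches(device_features, rule):
    """Constructed rule-base shape: a rule lists device attributes under which
    the finding is a known false positive; it matches when all of them hold."""
    return all(device_features.get(k) == v for k, v in rule.items())

def is_false_positive(situation_coef, first_feature, type_feature):
    """Claim 1 decision: situation coefficient below the first threshold AND the
    characteristic values differ by more than the second threshold."""
    return (situation_coef < SITUATION_THRESHOLD
            and abs(first_feature - type_feature) > FEATURE_DIFF_THRESHOLD)

def support_degree(finding, association, situation_coef):
    """Claim 6 first support degree from risk weight, device-type/security-type
    association and situation coefficient; the product form is an assumption."""
    return RISK_WEIGHT[finding.risk_level] * association * situation_coef

def triage(findings, device_features, rule_base, situation, type_feature):
    """Claim 4 pre-filter, then rule-base match, then the claim 1 decision."""
    verdicts = {}
    for f in findings:
        if not version_mismatch(device_features, f.reported):
            verdicts[f.vuln_id] = "keep"  # report agrees with the device
        elif f.vuln_id in rule_base and rule_matches(device_features, rule_base[f.vuln_id]):
            verdicts[f.vuln_id] = "false_positive_by_rule"  # known pattern applies
        elif is_false_positive(situation.get(f.security_type, 1.0),
                               f.feature_value, type_feature[f.security_type]):
            verdicts[f.vuln_id] = "false_positive"  # suspected FP confirmed by claim 1
        else:
            verdicts[f.vuln_id] = "needs_manual_verification"
    return verdicts


# Constructed sample input: fingerprinted device, per-type coefficients and a scan report.
DEVICE = {"os": "Ubuntu 20.04", "middleware": "nginx 1.18", "database": "MySQL 8.0"}
SITUATION = {"web": 0.1, "database": 0.9}     # situation coefficient per security type
TYPE_FEATURE = {"web": 5.0, "database": 7.0}  # "second vulnerability characteristic value"
RULES = {"VULN-B": {"os": "Ubuntu 20.04"}}   # VULN-B is a known false positive on this OS
REPORT = [
    Finding("VULN-A", "server", "web", "high", 9.0, {"middleware": "Apache 2.4"}),
    Finding("VULN-B", "server", "web", "low", 5.5, {"os": "CentOS 7"}),
    Finding("VULN-C", "server", "database", "critical", 7.5, {"database": "MySQL 8.0"}),
    Finding("VULN-D", "server", "web", "medium", 6.0, {"os": "Windows Server 2016"}),
]
```

Running `triage(REPORT, DEVICE, RULES, SITUATION, TYPE_FEATURE)` sends VULN-A to the claim 1 decision (coefficient 0.1 and difference 4.0 both beyond threshold), VULN-B to the rule base, keeps VULN-C because its reported version matches the device, and leaves VULN-D for manual verification because its difference of 1.0 is below the second threshold.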
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911374600.3A CN113051571B (en) | 2019-12-27 | 2019-12-27 | Method and device for detecting false alarm vulnerability and computer equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113051571A true CN113051571A (en) | 2021-06-29 |
CN113051571B CN113051571B (en) | 2022-11-29 |
Family
ID=76506584
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911374600.3A Active CN113051571B (en) | 2019-12-27 | 2019-12-27 | Method and device for detecting false alarm vulnerability and computer equipment |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114143075A (en) * | 2021-11-29 | 2022-03-04 | 国网北京市电力公司 | Security vulnerability early warning method and device and electronic equipment |
CN115329347A (en) * | 2022-10-17 | 2022-11-11 | 中国汽车技术研究中心有限公司 | Prediction method, device and storage medium based on car networking vulnerability data |
Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110119742A1 (en) * | 2009-11-16 | 2011-05-19 | Noblis, Inc. | Computer network security platform |
CN103106368A (en) * | 2013-02-26 | 2013-05-15 | 南京理工大学常熟研究院有限公司 | Vulnerability scanning method for grade protection |
CN104200167A (en) * | 2014-08-05 | 2014-12-10 | 杭州安恒信息技术有限公司 | Automatic penetration testing method and system |
CN104486141A (en) * | 2014-11-26 | 2015-04-01 | 国家电网公司 | Misdeclaration self-adapting network safety situation predication method |
CN104618177A (en) * | 2014-12-29 | 2015-05-13 | 北京奇虎科技有限公司 | Website bug examination method and device |
CN104618178A (en) * | 2014-12-29 | 2015-05-13 | 北京奇虎科技有限公司 | Website bug online evaluation method and device |
CN105592049A (en) * | 2015-09-07 | 2016-05-18 | 杭州华三通信技术有限公司 | Attack defense rule opening method and device |
CN106295346A (en) * | 2015-05-20 | 2017-01-04 | 深圳市腾讯计算机系统有限公司 | A kind of application leak detection method, device and the equipment of calculating |
CN107944278A (en) * | 2017-12-11 | 2018-04-20 | 北京奇虎科技有限公司 | A kind of kernel leak detection method and device |
CN108520005A (en) * | 2018-03-13 | 2018-09-11 | 北京理工大学 | The wrong report removing method for network active monitoring system based on machine learning |
CN109145609A (en) * | 2018-09-06 | 2019-01-04 | 平安科技(深圳)有限公司 | A kind of data processing method and device |
CN109255241A (en) * | 2018-08-31 | 2019-01-22 | 国鼎网络空间安全技术有限公司 | Android privilege-escalation leak detection method and system based on machine learning |
CN109992958A (en) * | 2017-12-29 | 2019-07-09 | 国民技术股份有限公司 | A kind of security assessment method and safety evaluation equipment |
CN110287705A (en) * | 2019-06-25 | 2019-09-27 | 北京中科微澜科技有限公司 | A kind of security breaches wrong data modification method based on loophole map |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |