CN113395297A - Vulnerability processing method, device, equipment and computer readable storage medium - Google Patents


Info

Publication number
CN113395297A
Authority
CN
China
Prior art keywords
vulnerability
security
network system
determining
equipment
Prior art date
Legal status
Granted
Application number
CN202110949447.3A
Other languages
Chinese (zh)
Other versions
CN113395297B
Inventor
白兴伟
侯晓雄
沈传宝
马维士
Current Assignee
Beijing Huayuan Information Technology Co Ltd
Original Assignee
Beijing Huayuan Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Huayuan Information Technology Co Ltd
Priority to CN202110949447.3A
Publication of CN113395297A
Application granted
Publication of CN113395297B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

Embodiments of the present disclosure provide a vulnerability processing method, apparatus, device and computer-readable storage medium. The method comprises: acquiring a vulnerability in a network system; determining the business system, the security domain and the security device that are affected by the vulnerability in the network system; calculating a risk coefficient for the vulnerability as a weighted combination of the business system, the security domain and the security device; and selecting, from a preset risk-handling scheme library, the handling scheme corresponding to the vulnerability according to its risk coefficient. In this way a handling scheme suited to the vulnerability can be determined automatically and accurately without manual analysis, which improves vulnerability-handling efficiency.

Description

Vulnerability processing method, device, equipment and computer readable storage medium
Technical Field
The present disclosure relates to the field of network security, and more particularly to vulnerability handling techniques.
Background
With the spread of information-based construction most enterprises have completed it, and alongside the gain in working efficiency the resulting complex network architecture also brings considerable security risks. Traditional vulnerability handling relies on manual, experience-based decisions, but in a medium-to-large complex network manual analysis often cannot produce an appropriate handling scheme for a vulnerability, so handling efficiency is low.
Disclosure of Invention
The present disclosure provides a vulnerability processing method, apparatus, device and computer-readable storage medium that can automatically and accurately determine a handling scheme suited to a vulnerability and improve vulnerability-handling efficiency.
In a first aspect, an embodiment of the present disclosure provides a vulnerability handling method comprising:
acquiring a vulnerability in a network system;
determining the business system, the security domain and the security device that are affected by the vulnerability in the network system;
calculating a risk coefficient for the vulnerability by weighting the business system, the security domain and the security device; and
determining, from a preset risk-handling scheme library, the handling scheme corresponding to the vulnerability according to its risk coefficient.
In some implementations of the first aspect, acquiring the vulnerability in the network system comprises:
performing vulnerability scanning on the network system to obtain the vulnerability.
In some implementations of the first aspect, determining the business system, security domain and security device affected by the vulnerability in the network system comprises:
determining the target device in the network system on which the vulnerability is located;
taking the business system to which the target device belongs as the business system affected by the vulnerability;
taking the security domain to which the target device belongs as the security domain affected by the vulnerability; and
taking the security device whose network position is upstream of the target device and closest to it as the security device affected by the vulnerability.
In some implementations of the first aspect, before acquiring the vulnerability in the network system, the method further comprises:
performing device identification on the network system to determine the devices in it;
determining, from those devices and according to their types, the security devices in the network system;
determining the business systems in the network system according to the service information, hosting information and access relationships of the devices;
receiving a security-domain division instruction input by a user; and
in response to the instruction, dividing the devices in the network system into security domains.
In some implementations of the first aspect, the method further comprises:
determining the classified-protection level corresponding to the vulnerability in the network system (the level assigned under China's Multi-Level Protection Scheme, MLPS, rendered "equal security level" in the machine translation);
and calculating the risk coefficient of the vulnerability by weighting the business system, the security domain and the security device then comprises:
calculating the risk coefficient by weighting the business system, the security domain, the security device and the classified-protection level.
In some implementations of the first aspect, calculating the risk coefficient by weighting the business system, the security domain, the security device and the classified-protection level comprises:
forming the weighted sum of the risk values corresponding to the business system, the security domain, the security device and the classified-protection level, using the weight assigned to each, to obtain the risk coefficient of the vulnerability.
In some implementations of the first aspect, after determining the handling scheme corresponding to the vulnerability from the preset risk-handling scheme library according to its risk coefficient, the method further comprises:
executing the handling scheme to process the vulnerability.
In a second aspect, an embodiment of the present disclosure provides a vulnerability handling apparatus comprising:
an acquisition module, configured to acquire a vulnerability in a network system;
a determining module, configured to determine the business system, the security domain and the security device affected by the vulnerability in the network system;
a calculation module, configured to calculate a risk coefficient for the vulnerability by weighting the business system, the security domain and the security device; and
the determining module being further configured to determine, from a preset risk-handling scheme library, the handling scheme corresponding to the vulnerability according to its risk coefficient.
In a third aspect, an embodiment of the present disclosure provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method as described above.
In a fourth aspect, the disclosed embodiments provide a non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method as described above.
In a fifth aspect, the disclosed embodiments provide a computer program product comprising a computer program that, when executed by a processor, implements a method as described above.
With the vulnerability processing method and apparatus of the present disclosure, the business system, security domain and security device affected by a vulnerability in a network system are determined, the risk coefficient of the vulnerability is calculated by weighting these three factors, and the handling scheme corresponding to the vulnerability is then selected from a preset risk-handling scheme library according to that coefficient. A handling scheme suited to the vulnerability can therefore be determined automatically and accurately without manual analysis, improving vulnerability-handling efficiency.
It should be understood that the statements herein reciting aspects are not intended to limit the critical or essential features of the embodiments of the present disclosure, nor are they intended to limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. The accompanying drawings are included to provide a further understanding of the present disclosure, and are not intended to limit the disclosure thereto, and the same or similar reference numerals will be used to indicate the same or similar elements, where:
Fig. 1 is a schematic structural diagram of a network system provided by an embodiment of the present disclosure;
Fig. 2 is a flowchart of a vulnerability handling method provided by an embodiment of the present disclosure;
Fig. 3 is a flowchart of another vulnerability handling method provided by an embodiment of the present disclosure;
Fig. 4 is a schematic structural diagram of a vulnerability handling apparatus provided by an embodiment of the present disclosure;
Fig. 5 is a schematic diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
In addition, the term "and/or" herein merely describes an association between objects and covers three cases: for "A and/or B", A alone, A and B together, or B alone. The character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
In view of the problems described in the background, embodiments of the present disclosure provide a vulnerability processing method, apparatus, device and computer-readable storage medium. Specifically, the business system, security domain and security device affected by a vulnerability in a network system are determined, the risk coefficient of the vulnerability is calculated by weighting these factors, and the handling scheme corresponding to the vulnerability is then selected from a preset risk-handling scheme library according to that coefficient. A handling scheme suited to the vulnerability can therefore be determined automatically and accurately without manual analysis, improving vulnerability-handling efficiency.
The vulnerability processing method, apparatus, device and computer-readable storage medium provided by embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of a network system 100 provided by an embodiment of the present disclosure. As shown in Fig. 1, the network system 100 may include a terminal device 111, security devices 121, 122 and 123, a network device 131, and servers 141, 142, 143, 144, 145, 146 and 147.
The terminal device 111 may be a mobile or a non-mobile terminal device. For example, a mobile terminal device may be a mobile phone, a tablet computer, a notebook computer, a handheld computer or an ultra-mobile personal computer (UMPC), and a non-mobile terminal device may be a personal computer (PC), an automatic teller machine, a smart television, or the like.
The security devices 121, 122 and 123 form the network security architecture and may be a network isolation gap device (网闸, often rendered "gatekeeper"), an endpoint protection system, a firewall, an intrusion prevention system (IPS), a web application firewall (WAF), a patch management device, and so on.
The network device 131 is a device used for network communication within the network system, such as a router or a switch.
The servers 141 to 147 may each be a single server, a server cluster, a cloud server, or the like.
In some embodiments the network system 100 may further include Internet-of-Things devices, which are not limited here.
As shown in Fig. 1, servers 141 and 142 form business system 1 and also form security domain 1; servers 143, 144 and 145 form business system 2; servers 146 and 147 form business system 3; and security devices 122 and 123 together with servers 143, 144, 145, 146 and 147 form security domain 2. Business systems 1, 2 and 3 may be office automation (OA) systems, mail systems, document systems, domain name systems, and so on. Security domains 1 and 2 may be a core network, a production network, an office network, a demilitarized zone (DMZ), and so on.
Illustratively, a vulnerability in the network system 100 is acquired, and the business system, security domain and security device it affects are determined to be business system 3, security domain 2 and security device 123 respectively. The risk coefficient of the vulnerability is then calculated by weighting business system 3, security domain 2 and security device 123, and the handling scheme corresponding to the vulnerability is selected according to that coefficient from a preset risk-handling scheme library, which stores a plurality of handling schemes. A handling scheme suited to the vulnerability can therefore be determined automatically and accurately without manual analysis, improving vulnerability-handling efficiency.
As shown in Fig. 2, the vulnerability handling method 200 may include the following steps:
S210: acquire a vulnerability in the network system.
The network system may be the integrated network of an enterprise or a group and includes a plurality of devices, such as terminal devices, security devices, network devices, servers and Internet-of-Things devices. The devices in the network system may in turn constitute business systems and security domains.
In some embodiments, vulnerability scanning is performed on the network system to obtain its vulnerabilities. For example, a preset scanning algorithm may scan the whole network system so that its vulnerabilities are obtained quickly.
S220: determine the business system, security domain and security device affected by the vulnerability in the network system.
In some embodiments, the target device on which the vulnerability is located is determined first. Specifically, the device corresponding to the vulnerability address is taken as the target device; the vulnerability address may comprise, for example, the IP address of the device on which the vulnerability is located and a port number on that device.
The business system to which the target device belongs is then taken as the business system affected by the vulnerability, the security domain to which the target device belongs is taken as the affected security domain, and the security device that is upstream of the target device and closest to it, that is, the security device that directly controls the protection of the target device, is taken as the affected security device. The business system, security domain and security device affected by the vulnerability can thus be determined accurately from the target device on which it is located.
S230: calculate the risk coefficient of the vulnerability by weighting the business system, security domain and security device.
In some embodiments, the risk values corresponding to the business system, the security domain and the security device are summed with their respective weights to obtain the risk coefficient of the vulnerability. The risk of the vulnerability is thereby evaluated from the importance of the business system, security domain and security device it affects, combined with their weights, which improves the accuracy of the evaluation.
As an example, the weight and risk value corresponding to each of the business system, the security domain and the security device may be read from a preset data table that stores, for each business system, each security domain and each security device, its weight and risk value. These correspondences may be set flexibly according to the importance of the respective business system, security domain or security device and are not limited here.
S240: determine the handling scheme corresponding to the vulnerability from a preset risk-handling scheme library according to its risk coefficient.
The preset risk-handling scheme library stores a plurality of handling schemes, such as patch repair, configuration repair, release (version) upgrade, and no repair (risk acceptance). As an example, the handling scheme associated with the risk coefficient in the library is taken as the handling scheme for the vulnerability. The library may be populated from the experience of network security experts.
For example, the library may store a correspondence between risk levels and handling schemes; the risk level corresponding to the risk coefficient is then determined first, and the handling scheme associated with that risk level in the library is taken as the handling scheme for the vulnerability.
According to the embodiment of the present disclosure, the business system, security domain and security device affected by a vulnerability in a network system are determined, the risk coefficient of the vulnerability is calculated by weighting them, and the handling scheme corresponding to the vulnerability is selected from the preset risk-handling scheme library according to that coefficient. In other words, a handling scheme suited to the vulnerability is determined automatically and accurately from the business system, security domain and security device it affects, without manual analysis, which improves vulnerability-handling efficiency.
As shown in Fig. 3, in some embodiments the vulnerability handling method 200 may further include, before acquiring the vulnerability in the network system:
S201: identify the devices in the network system.
For example, the network topology may be mapped automatically by passive detection and active discovery, so that the devices in the network system and their types are identified.
S202: determine, according to device type, the security devices among the identified devices.
That is, a device whose type is "security device" is taken as a security device.
S203: determine the business systems in the network system according to the service information, hosting information and access relationships of the devices.
Specifically, the service ports of a device may be probed to obtain its service information, the applications on the device analysed to obtain its hosting information, and the device's traffic identified to obtain its access relationships.
S204: receive a security-domain division instruction input by a user.
S205: in response to the instruction, divide the devices in the network system into security domains.
In this way the devices, business systems and security domains in the network system can be determined quickly and comprehensively, the network can be managed from a single visual map (挂图作战), and recommending a vulnerability handling scheme becomes straightforward.
Illustratively, a calibration instruction input by a user may also be received, and in response the type, service information, hosting information and access relationships of a device are corrected so as to improve the accuracy of this information.
In some embodiments, the vulnerability handling method 200 may further include determining the classified-protection (MLPS) level corresponding to the vulnerability in the network system ("equal protection level" in the machine translation). Specifically, the classified-protection level of the target device on which the vulnerability is located is taken as the level corresponding to the vulnerability. Before the vulnerability is acquired, a grading instruction input by a user may be received and, in response, the classified-protection level of each device in the network system is determined.
The risk coefficient of the vulnerability can then be calculated by weighting the business system, the security domain, the security device and the classified-protection level. Introducing the classified-protection level as an additional factor gives a more comprehensive evaluation of the vulnerability's risk, so that the handling scheme can be determined more accurately.
Specifically, the risk values corresponding to the business system, the security domain, the security device and the classified-protection level are summed with their respective weights to obtain the risk coefficient, so that the risk of the vulnerability is evaluated accurately. The data table may further store, for each classified-protection level, its weight and risk value, from which the weight and risk value for the level are read.
Illustratively, the data table may be as shown in Table 1.
Table 1: weight and risk value for each business system, security domain, security device and classified-protection level (reproduced only as an image in the original publication; its contents are not available here).
Referring to Table 1, suppose for example that the business system affected by vulnerability A is the mail system, the affected security domain is the office network, the affected security device is a firewall, and the corresponding classified-protection level is 9. The risk coefficient S of vulnerability A is then the weighted sum S = 8 × 30% + 5 × 20% + 9 × 20% + 6 × 30% = 7, where each term is a risk value from Table 1 multiplied by its weight and the four weights sum to 100%. The handling scheme associated with a risk coefficient of 7 in the preset risk-handling scheme library is then taken as the handling scheme for vulnerability A.
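The following Python is an added example, not code from the patent or its assignee. It models the pipeline of steps S220 to S240 together with the classified-protection factor of this section: resolve the vulnerability address to a target device, take its business system and security domain, find the nearest upstream security device by walking the link graph, form the weighted sum from a data table, map the coefficient to a risk level and look up the handling scheme. The inventory (a subset of Fig. 1), the IP addresses, the link graph, the weight and risk-value table, the risk-level thresholds and the scheme library are all constructed here because Table 1 is not reproduced in the text; the values are chosen only so that the mail-system case totals 7 as in the worked example (the text quotes a level of "9", but the mapping from level to risk value is not available, so the example assigns level 3 a risk value of 6).

```python
# Added example, not code from the patent or its assignee: a model of steps
# S220-S240 plus the classified-protection (MLPS) factor. Inventory, links, IPs,
# the weight/risk table, the thresholds and the scheme library are constructed.
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Device:
    name: str
    kind: str                          # security | network | server
    ip: str
    role: Optional[str] = None         # security devices only: firewall, WAF, IPS
    business_system: Optional[str] = None
    security_domain: Optional[str] = None
    mlps_level: Optional[int] = None   # classified-protection level, assumed 1-5

# Inventory loosely following Fig. 1 (a subset of its servers; IPs assumed).
DEVICES: Dict[str, Device] = {d.name: d for d in [
    Device("sec121", "security", "10.0.0.21", role="firewall"),
    Device("net131", "network", "10.0.0.31"),
    Device("sec122", "security", "10.0.0.22", role="WAF"),
    Device("sec123", "security", "10.0.0.23", role="firewall"),
    Device("server141", "server", "10.0.1.41", None, "OA system", "core network", 3),
    Device("server143", "server", "10.0.2.43", None, "document system", "office network", 2),
    Device("server146", "server", "10.0.2.46", None, "mail system", "office network", 3),
]}
# Directed links in the direction traffic enters (constructed): 141 sits behind
# the network device only, 143 and 146 behind security devices 122 and 123.
LINKS: Dict[str, List[str]] = {
    "sec121": ["net131"], "net131": ["server141", "sec122", "sec123"],
    "sec122": ["server143"], "sec123": ["server146"],
}
# Stand-in for Table 1: (weight in percent, risk value per factor value).
# None = no security device in front of the target, scored worst case (assumption).
RISK_TABLE = {
    "business_system": (30, {"mail system": 8, "OA system": 6, "document system": 4}),
    "security_domain": (20, {"office network": 5, "core network": 9, "DMZ": 7}),
    "security_device": (20, {"firewall": 9, "WAF": 7, "IPS": 8, None: 10}),
    "mlps_level":      (30, {1: 2, 2: 4, 3: 6, 4: 8, 5: 10}),
}
# Risk-handling scheme library keyed by risk level (constructed).
SCHEME_LIBRARY = {"critical": "patch repair", "high": "patch repair",
                  "medium": "configuration repair", "low": "no repair (risk acceptance)"}

def device_at(address: str) -> Device:
    """S220: map a vulnerability address 'ip:port' to the device hosting it."""
    ip = address.rsplit(":", 1)[0]
    for dev in DEVICES.values():
        if dev.ip == ip:
            return dev
    raise KeyError(f"no device with IP {ip} in the inventory")

def nearest_upstream_security_device(target: str) -> Optional[Device]:
    """Breadth-first over reversed links: the first security device reached is
    the one closest in front of the target; None if nothing sits in front."""
    upstream: Dict[str, List[str]] = {}
    for src, dsts in LINKS.items():
        for dst in dsts:
            upstream.setdefault(dst, []).append(src)
    seen, queue = {target}, deque([target])
    while queue:
        for name in upstream.get(queue.popleft(), []):
            if name in seen:          # guards against cycles in the link graph
                continue
            seen.add(name)
            if DEVICES[name].kind == "security":
                return DEVICES[name]
            queue.append(name)
    return None

def affected_assets(address: str) -> dict:
    target = device_at(address)
    guard = nearest_upstream_security_device(target.name)
    return {"target": target.name, "business_system": target.business_system,
            "security_domain": target.security_domain,
            "security_device": guard.role if guard else None,
            "mlps_level": target.mlps_level}

def risk_coefficient(assets: dict) -> float:
    """S230: weighted sum of the per-factor risk values (weights in percent)."""
    if sum(w for w, _ in RISK_TABLE.values()) != 100:
        raise ValueError("factor weights must sum to 100%")
    total = sum(weight * values[assets[factor]]
                for factor, (weight, values) in RISK_TABLE.items())
    return total / 100

def risk_level(coefficient: float) -> str:   # thresholds constructed
    for floor, level in ((8, "critical"), (6, "high"), (4, "medium")):
        if coefficient >= floor:
            return level
    return "low"

def handle_vulnerability(address: str) -> dict:
    """S220-S240 end to end: affected assets -> coefficient -> level -> scheme."""
    assets = affected_assets(address)
    coeff = risk_coefficient(assets)
    level = risk_level(coeff)
    return {**assets, "risk_coefficient": coeff, "risk_level": level,
            "scheme": SCHEME_LIBRARY[level]}
```

Calling handle_vulnerability("10.0.2.46:25") reproduces the worked example: the mail server is guarded by security device 123, the coefficient is 7.0, and the library returns the scheme for the "high" level. Weights are kept as integer percentages so the sum is exact, and the weight check refuses a table whose weights do not total 100%. As in the text, the coefficient depends only on the importance of the assets the vulnerability touches; adding the vulnerability's own severity as a further weighted factor in the same table is the obvious practitioner extension and is not part of the patent.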
In some embodiments, after determining the handling scheme for the vulnerability from the preset risk-handling scheme library according to its risk coefficient, the vulnerability handling method 200 may further include:
executing the handling scheme to process the vulnerability. The scheme suited to the vulnerability's risk is thus carried out, which improves vulnerability-handling efficiency.
It is noted that while for simplicity of explanation, the foregoing method embodiments have been described as a series of acts or combination of acts, it will be appreciated by those skilled in the art that the present disclosure is not limited by the order of acts, as some steps may, in accordance with the present disclosure, occur in other orders and concurrently. Further, those skilled in the art should also appreciate that the embodiments described in the specification are exemplary embodiments and that acts and modules referred to are not necessarily required by the disclosure.
The above is a description of embodiments of the method, and the embodiments of the apparatus are further described below.
Fig. 4 shows a schematic structural diagram of an vulnerability processing apparatus 400 according to an embodiment of the present disclosure, and as shown in fig. 4, the vulnerability processing apparatus 400 may include:
an obtaining module 410, configured to obtain a vulnerability in the network system.
The determining module 420 is configured to determine a service system, a security domain, and a security device that are affected by the vulnerability in the network system.
And the calculating module 430 is configured to calculate the risk coefficient of the vulnerability in a weighted manner according to the service system, the security domain and the security device.
The determining module 420 is configured to determine a vulnerability handling scheme corresponding to the vulnerability from a preset risk handling scheme library according to the risk coefficient of the vulnerability.
In some embodiments, the obtaining module 410 is specifically configured to: and scanning the network system for vulnerabilities to obtain vulnerabilities.
In some embodiments, the determining module 420 is specifically configured to:
and determining the target equipment where the vulnerability is located in the network system.
And determining that the service system of the target equipment in the network system is the service system influenced by the vulnerability in the network system.
And determining that the security domain of the target equipment in the network system is the security domain influenced by the vulnerability in the network system.
And determining that the security device of which the network position is before the target device and is closest to the target device in the network system is the security device affected by the vulnerability in the network system.
In some embodiments, the vulnerability processing apparatus 400 further includes:
and the identification module is used for identifying equipment of the network system and determining the equipment in the network system before acquiring the vulnerability in the network system.
The determining module 420 is further configured to determine a security device in the network system from the devices according to the types of the devices.
The determining module 420 is further configured to determine a service system in the network system according to the service information, the bearer information, and the access relationship of the device.
The vulnerability processing apparatus 400 further includes:
a receiving module, configured to receive a security domain division instruction input by a user; and
a division module, configured to respond to the security domain division instruction by dividing the devices in the network system into security domains, thereby obtaining the security domains in the network system.
In some embodiments, the determining module 420 is further configured to determine the classified protection (MLPS, 等保) level corresponding to the vulnerability in the network system.
The calculating module 430 is then specifically configured to calculate the risk coefficient of the vulnerability in a weighted manner according to the service system, the security domain, the security device, and the classified protection level.
In some embodiments, the calculating module 430 is specifically configured to: according to the weights respectively corresponding to the service system, the security domain, the security device, and the classified protection level, perform a weighted summation of the risk values respectively corresponding to the service system, the security domain, the security device, and the classified protection level, thereby obtaining the risk coefficient of the vulnerability.
In some embodiments, the vulnerability processing apparatus 400 further includes:
an execution module, configured to execute the vulnerability handling scheme so as to handle the vulnerability, after the vulnerability handling scheme corresponding to the vulnerability has been determined from the preset risk handling scheme library according to the risk coefficient of the vulnerability.
It can be understood that each module/unit in the vulnerability processing apparatus 400 shown in Fig. 4 has the function of implementing the corresponding step of the vulnerability handling method provided by the embodiments of the present disclosure and can achieve the corresponding technical effect; for brevity, this is not described again here.
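The pipeline these modules implement (device inventory, affected service system / security domain / nearest upstream security device, weighted risk coefficient, lookup in a preset handling scheme library), as an added runnable example that is not the patent's own code. The device inventory, factor weights, risk values, MLPS level mapping and scheme library are constructed assumptions, and the `upstream` pointer stands in for the "network position before the target device" relation.

```python
"""Added example, not code from the patent: toy model of the weighted
risk-coefficient method. Every value below is a constructed assumption."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Device:
    name: str
    dev_type: str            # e.g. "server", "firewall", "waf"
    business_system: str     # service system the device carries
    security_domain: str     # security domain assigned by the operator
    upstream: Optional[str] = None   # next hop toward the network perimeter


# Constructed inventory: output of the "device identification" step.
DEVICES = {
    "fw-edge": Device("fw-edge", "firewall", "perimeter", "dmz"),
    "waf-1": Device("waf-1", "waf", "perimeter", "dmz", upstream="fw-edge"),
    "web-1": Device("web-1", "server", "online-banking", "app-zone", upstream="waf-1"),
    "db-1": Device("db-1", "server", "online-banking", "data-zone", upstream="web-1"),
    "kiosk-1": Device("kiosk-1", "server", "intranet-portal", "dmz", upstream="fw-edge"),
}
# "Determine the security devices from the device types".
SECURITY_DEVICE_TYPES = {"firewall", "waf", "ips"}

# Constructed risk values per factor (0..10) and weights summing to 1.
BUSINESS_RISK = {"online-banking": 9, "intranet-portal": 4, "perimeter": 5}
DOMAIN_RISK = {"data-zone": 9, "app-zone": 6, "dmz": 3}
SECDEV_RISK = {"firewall": 2, "ips": 3, "waf": 4, None: 10}  # None: no upstream protection
MLPS_RISK = {1: 2, 2: 4, 3: 7, 4: 9}                           # classified protection level
WEIGHTS = {"business": 0.3, "domain": 0.25, "security_device": 0.2, "mlps": 0.25}

# Constructed preset risk handling scheme library: (threshold, scheme), highest first.
SCHEME_LIBRARY = [
    (8.0, "emergency: patch within 24h and isolate the host"),
    (5.0, "patch in the next maintenance window; add a WAF/IPS rule meanwhile"),
    (0.0, "track in backlog and re-scan in the next cycle"),
]


def nearest_upstream_security_device(target: str) -> Optional[Device]:
    """Walk from the target toward the perimeter; return the first security device."""
    node = DEVICES[target].upstream
    while node is not None:
        dev = DEVICES[node]
        if dev.dev_type in SECURITY_DEVICE_TYPES:
            return dev
        node = dev.upstream
    return None   # no security device protects this path at all


def affected_scope(target: str) -> Tuple[str, str, Optional[str]]:
    """Service system, security domain and protecting security-device type for a target."""
    dev = DEVICES[target]
    sec = nearest_upstream_security_device(target)
    return dev.business_system, dev.security_domain, (sec.dev_type if sec else None)


def risk_coefficient(target: str, mlps_level: int) -> float:
    """Weighted sum of the four factor risk values (the patent's risk coefficient)."""
    business, domain, secdev_type = affected_scope(target)
    risk = {"business": BUSINESS_RISK[business], "domain": DOMAIN_RISK[domain],
            "security_device": SECDEV_RISK[secdev_type], "mlps": MLPS_RISK[mlps_level]}
    return round(sum(WEIGHTS[k] * risk[k] for k in WEIGHTS), 2)


def handling_scheme(coef: float) -> str:
    """Pick the first library entry whose threshold the coefficient reaches."""
    for threshold, scheme in SCHEME_LIBRARY:
        if coef >= threshold:
            return scheme
    return SCHEME_LIBRARY[-1][1]


def handle_vulnerability(target: str, mlps_level: int) -> Tuple[float, str]:
    coef = risk_coefficient(target, mlps_level)
    return coef, handling_scheme(coef)


if __name__ == "__main__":
    for tgt, lvl in (("db-1", 4), ("web-1", 3), ("kiosk-1", 1)):
        print(tgt, lvl, affected_scope(tgt), handle_vulnerability(tgt, lvl))
```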
In the technical solution of the present disclosure, the acquisition, storage, application and other handling of any personal information of the users involved comply with the provisions of the relevant laws and regulations and do not violate public order or good customs.
FIG. 5 illustrates a schematic diagram of an electronic device 500 that may be used to implement embodiments of the present disclosure. The electronic device 500 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device 500 may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in Fig. 5, the electronic device 500 may include a computing unit 501 that may perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM) 502 or a computer program loaded from a storage unit 508 into a Random Access Memory (RAM) 503. The RAM 503 may also store various programs and data required for the operation of the electronic device 500. The computing unit 501, the ROM 502, and the RAM 503 are connected to each other by a bus 504. An input/output (I/O) interface 505 is also connected to the bus 504.
A number of components in the electronic device 500 are connected to the I/O interface 505, including: an input unit 506 such as a keyboard, a mouse, or the like; an output unit 507 such as various types of displays, speakers, and the like; a storage unit 508, such as a magnetic disk, optical disk, or the like; and a communication unit 509 such as a network card, modem, wireless communication transceiver, etc. The communication unit 509 allows the electronic device 500 to exchange information/data with other devices through a computer network such as the internet and/or various telecommunication networks.
The computing unit 501 may be any of a variety of general-purpose and/or special-purpose processing components having processing and computing capabilities. Some examples of the computing unit 501 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The computing unit 501 performs the various methods and processes described above, such as the method 200. For example, in some embodiments, the method 200 may be implemented as a computer program product, including a computer program, tangibly embodied in a computer-readable medium, such as the storage unit 508. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 500 via the ROM 502 and/or the communication unit 509. When the computer program is loaded into the RAM 503 and executed by the computing unit 501, one or more steps of the method 200 described above may be performed. Alternatively, in other embodiments, the computing unit 501 may be configured to perform the method 200 by any other suitable means (e.g., by means of firmware).
The various embodiments described herein above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may be implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, and which receives data and instructions from, and transmits data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a computer-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a computer-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It should be noted that the present disclosure also provides a non-transitory computer readable storage medium storing computer instructions, where the computer instructions are used to enable a computer to execute the method 200 and achieve the corresponding technical effects achieved by the method according to the embodiments of the present disclosure, and for brevity, the detailed description is omitted here.
Additionally, the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the method 200.
To provide for interaction with a user, the above-described embodiments may be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The embodiments described above may be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user may interact with an implementation of the systems and techniques described herein), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server combined with a blockchain.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel, sequentially, or in different orders, as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved, and the present disclosure is not limited herein.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the scope of protection of the present disclosure.

Claims (10)

1. A vulnerability handling method, comprising:
acquiring a vulnerability in a network system;
determining a service system, a security domain and a security device that are affected by the vulnerability in the network system;
calculating the risk coefficient of the vulnerability in a weighted manner according to the service system, the security domain and the security device; and
determining a vulnerability handling scheme corresponding to the vulnerability from a preset risk handling scheme library according to the risk coefficient of the vulnerability.
2. The method of claim 1, wherein the obtaining vulnerabilities in a network system comprises:
scanning the network system for vulnerabilities to obtain the vulnerability.
3. The method of claim 1, wherein the determining of the service system, the security domain and the security device that are affected by the vulnerability in the network system comprises:
determining the target device on which the vulnerability is located in the network system;
determining that the service system in which the target device is located is the service system affected by the vulnerability in the network system;
determining that the security domain in which the target device is located is the security domain affected by the vulnerability in the network system; and
determining that the security device located before the target device and closest to it in the network system is the security device affected by the vulnerability in the network system.
4. The method of claim 3, further comprising, before the acquiring of the vulnerability in the network system:
performing device identification on the network system and determining the devices in the network system;
determining the security devices in the network system from the devices according to the types of the devices;
determining the service systems in the network system according to the service information, the bearer information and the access relationships of the devices;
receiving a security domain division instruction input by a user; and
in response to the security domain division instruction, dividing the devices in the network system into security domains to obtain the security domains in the network system.
5. The method of claim 1, further comprising:
determining the classified protection (MLPS) level corresponding to the vulnerability in the network system;
wherein the calculating of the risk coefficient of the vulnerability in a weighted manner according to the service system, the security domain and the security device comprises:
calculating the risk coefficient of the vulnerability in a weighted manner according to the service system, the security domain, the security device and the classified protection level.
6. The method of claim 5, wherein the calculating of the risk coefficient of the vulnerability in a weighted manner according to the service system, the security domain, the security device and the classified protection level comprises:
performing, according to the weights respectively corresponding to the service system, the security domain, the security device and the classified protection level, a weighted summation of the risk values respectively corresponding to the service system, the security domain, the security device and the classified protection level, to obtain the risk coefficient of the vulnerability.
7. The method according to any one of claims 1 to 5, wherein after determining the vulnerability handling scheme corresponding to the vulnerability from a preset risk handling scheme library according to the risk coefficient of the vulnerability, the method further comprises:
executing the vulnerability handling scheme to handle the vulnerability.
8. A vulnerability processing apparatus, comprising:
an acquisition module, configured to acquire a vulnerability in a network system;
a determining module, configured to determine a service system, a security domain and a security device that are affected by the vulnerability in the network system;
a calculating module, configured to calculate the risk coefficient of the vulnerability in a weighted manner according to the service system, the security domain and the security device; and
the determining module being further configured to determine a vulnerability handling scheme corresponding to the vulnerability from a preset risk handling scheme library according to the risk coefficient of the vulnerability.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-7.
10. A non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of any one of claims 1-7.
CN202110949447.3A 2021-08-18 2021-08-18 Vulnerability processing method, device, equipment and computer readable storage medium Active CN113395297B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110949447.3A CN113395297B (en) 2021-08-18 2021-08-18 Vulnerability processing method, device, equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN113395297A true CN113395297A (en) 2021-09-14
CN113395297B CN113395297B (en) 2021-12-10

Family

ID=77622889

Country Status (1)

Country Link
CN (1) CN113395297B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103258165A (en) * 2013-05-10 2013-08-21 华为技术有限公司 Processing method and device for leak evaluation
US20140237545A1 (en) * 2013-02-19 2014-08-21 Marble Security Hierarchical risk assessment and remediation of threats in mobile networking environment
CN109660561A (en) * 2019-01-24 2019-04-19 西安电子科技大学 A kind of network security system quantitative estimation method, network security assessment platform
CN110489970A (en) * 2018-05-14 2019-11-22 阿里巴巴集团控股有限公司 Leak detection method, apparatus and system
US20200042716A1 (en) * 2016-11-22 2020-02-06 Aon Global Operations Ltd (Singapore Branch) Systems and methods for cybersecurity risk assessment
CN110826837A (en) * 2018-12-29 2020-02-21 北京安天网络安全技术有限公司 Method and device for evaluating real-time risk of website assets and storage medium
CN111695770A (en) * 2020-05-07 2020-09-22 北京华云安信息技术有限公司 Asset vulnerability risk assessment method, equipment and storage medium
CN111753307A (en) * 2020-06-09 2020-10-09 李佳兴 Method for calculating vulnerability risk
CN112287352A (en) * 2020-09-25 2021-01-29 长沙市到家悠享网络科技有限公司 Software quality evaluation method, device and storage medium
CN112364351A (en) * 2020-12-30 2021-02-12 杭州海康威视数字技术股份有限公司 Device threat discovery method, device, computing device and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
毕东旭 et al. (Bi Dongxu et al.): "Risk assessment framework and process for complex information systems", 《计算机工程》 (Computer Engineering) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114338111A (en) * 2021-12-20 2022-04-12 北京华云安信息技术有限公司 Leak plugging method, device, equipment and storage medium
CN114338111B (en) * 2021-12-20 2023-11-28 北京华云安信息技术有限公司 Vulnerability plugging method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN113395297B (en) 2021-12-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant