CN113709174B - Network vulnerability heat reappearance and repair method for power monitoring system - Google Patents


Info

Publication number
CN113709174B
Authority
CN
China
Legal status
Active
Application number
CN202111029561.0A
Other languages
Chinese (zh)
Other versions
CN113709174A (en)
Inventor
王文婷
徐征
马强
黄华
刘鑫
聂其贵
林琳
刘宏伟
赵基盛
关昊
李明宇
张秋实
李建坡
Current Assignee
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
State Grid Shandong Electric Power Co Ltd
Northeast Electric Power University
Information and Telecommunication Branch of State Grid Shandong Electric Power Co Ltd
Original Assignee
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
State Grid Shandong Electric Power Co Ltd
Northeast Dianli University
Information and Telecommunication Branch of State Grid Shandong Electric Power Co Ltd
Priority date
2021-09-03
Filing date
2021-09-03
Publication date
2021-11-26 (CN113709174A), 2023-04-18 (CN113709174B)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses a hot-reproduction and repair method for network vulnerabilities of a power monitoring system. It comprises automatically configuring a vulnerability hot-reproduction environment, analysing the vulnerability exploitation mode, and searching for and applying a vulnerability hot patch, so that the vulnerability is reproduced automatically, its exploitation mode is analysed, and the vulnerability is finally repaired. Compared with conventional methods, automatic reproduction removes the laborious manual configuration of the reproduction environment, reduces the workload of manually analysing the exploitation mode, and enables autonomous hot-patch search and repair based on the analysed exploitation mode; the method is scientific and reasonable, widely applicable and effective.

Description

Network vulnerability heat reappearance and repair method for power monitoring system
Technical Field
The invention relates to power monitoring technology, and in particular to a method for hot reproduction and repair of network vulnerabilities in a power monitoring system.
Background
Hot reproduction and repair of network vulnerabilities in a power monitoring system mainly comprises three parts: vulnerability hot reproduction, vulnerability exploitation analysis and vulnerability hot-patch repair. Vulnerability hot reproduction refers to the exploitation process of a vulnerability present in the system: combining the acquired vulnerability information, a reproduction environment is configured automatically and the vulnerability is reproduced without affecting the normal service of the system. Vulnerability exploitation analysis identifies the vulnerability type and determines the cause of the vulnerability and other key information, based on the vulnerability information and the system defect, through techniques such as manual analysis and fuzzing. Vulnerability hot-patch repair refers to searching for the corresponding vulnerability patch according to the cause of the vulnerability, configuring the patch operating environment and then installing the patch, so that the system defect is repaired. In summary, once vulnerability information is obtained, and without affecting the normal service of the power monitoring system network, the exploitation process can be simulated by hot reproduction; the exploitation mode is analysed to extract the key field information of the reproduction process, namely the executed functions, memory context, registers and other data; and after the cause of the vulnerability is obtained, relevant patches are searched for, so that the vulnerability is repaired. Current vulnerability repair technology still has the following problems:
(1) Existing vulnerability repair technology cannot automatically build a vulnerability reproduction environment or search for and construct a vulnerability exploitation mode;
(2) Existing vulnerability repair technology cannot autonomously analyse the vulnerability exploitation mode from the vulnerability reproduction information;
(3) Existing vulnerability repair technology cannot independently search for hot-patch information based on the cause of the vulnerability, nor apply a hot patch without interrupting the current service of the equipment.
Disclosure of Invention
The invention mainly aims to improve on existing network vulnerability repair technology and provides a vulnerability hot-reproduction and repair method that is scientific, reasonable, widely applicable and effective. Building on existing vulnerability repair methods, and based on the vulnerability information, a vulnerability environment is set up automatically, a vulnerability exploitation mode is searched for or constructed, the vulnerability is reproduced without interrupting the current service of the power monitoring system network, the exploitation mode is analysed and processed by semantic analysis, and repair methods such as hot patches are searched for to complete the repair.
The technical scheme adopted by the invention is as follows. A hot-reproduction and repair method for network vulnerabilities of a power monitoring system comprises the following steps: a method for automatically configuring the vulnerability hot-reproduction environment; a vulnerability exploitation mode analysis method; and a vulnerability hot-patch search and repair method.
Further, the method for automatically configuring the vulnerability hot-reproduction environment comprises the following steps: during vulnerability hot reproduction, QEMU-KVM (Quick Emulator with Kernel-based Virtual Machine) technology is used to realise the virtualised configuration of the vulnerability reproduction environment vector, with the kernel virtual machine KVM providing hardware acceleration for the quick emulator QEMU while the power monitoring system network remains in its normal state. During configuration, the known vulnerability information is read first and the vulnerability reproduction environment data are obtained, namely the variables system kernel file kernel, system memory memory, the bios in use when the vulnerability ran, hard disk had, network card file net and mirrored hard disk drive; the reproduction environment vector TargetVuln_map corresponding to the vulnerability is established; the kernel, memory, bios, had, net and drive resources are read and allocated; vulnerability reproduction is carried out in dynamic code translation mode; and the actual trigger scene of each vulnerability is fully restored.
Furthermore, the vulnerability exploitation mode analysis method comprises the following steps: a three-dimensional coordinate system is established, and the vulnerability occurrence NewV is marked as a three-dimensional coordinate point using the related application state, intermediate component state and underlying register state of the site where the vulnerability was found; related vulnerability information is crawled automatically from the public network, the National Information Security Vulnerability Sharing Platform (CNVD) and the China National Vulnerability Database of Information Security (CNNVD); a number of vulnerabilities of the same type are screened; the correlation coefficient between vulnerabilities is calculated from each vulnerability's occurrence coordinate point; and vulnerability information similar to the new vulnerability is searched for, with the similarity calculation formula defined as follows:
[Formula (1): given only as an image in the original; its symbols are not recoverable from the page.]
where the first symbol is the dimension of the vulnerability coordinate point, the second is the newly discovered vulnerability and the third is the related vulnerability crawled from the network. By calculating the similarity of the two, the vulnerability with the highest similarity can be obtained; the published proof of concept and exploit for that vulnerability are then searched for and analysed for common words with the following formula:
[Formula (2): given only as an image in the original; its symbols are not recoverable from the page.]
Combining the vulnerability with the result of this analysis, the vulnerability trigger point is determined, and the vulnerability exploitation mode is determined from the trigger point.
Furthermore, the vulnerability hot-patch search and repair method comprises the following steps: according to the obtained vulnerability trigger point and vulnerability type, related vulnerability hot patches are searched for using a search-engine-based search, the corresponding patches of similar vulnerabilities are found, and information on the hot patches found is collected; factors such as the operating system patch_os, equipment type patch_dev, software version patch_svision and programming language type patch_language are extracted from the patches and a patch information text vector patch_mag is constructed; the operating system pathc_os, equipment type pathc_dev, software version pathc_svision and programming language type pathc_language of the vulnerability reproduction environment are extracted and a vulnerability information text vector vuln_mag is established; and the correlation between the patch information and the vulnerability information is analysed with formula (3):
[Formula (3): given only as an image in the original; its symbols are not recoverable from the page.]
where the symbol given is the vector dimension. After the correlation results are obtained, the related patches are selected in order of correlation from high to low and run in the generated virtualised environment, whether the hot-patch repair is effective is checked, and after verification the hot patch is applied to the actual environment of the power monitoring system network.
The invention has the following advantages. With the hot-reproduction and repair method for network vulnerabilities of a power monitoring system disclosed by the invention, vulnerability hot reproduction is carried out automatically and the exploitation mode is analysed, so that the vulnerability is finally repaired. Compared with conventional methods, automatic reproduction removes the laborious manual configuration of the reproduction environment, reduces the workload of manually analysing the exploitation mode, and enables automatic hot-patch search and repair based on the analysed exploitation mode; the method is scientific and reasonable, widely applicable and effective.
In addition to the objects, features and advantages described above, the present invention has other objects, features and advantages. The present invention will be described in further detail below with reference to the drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the invention and, together with the description, serve to explain the invention and not to limit the invention.
FIG. 1 is a flow chart of the hot-reproduction and repair method for network vulnerabilities of a power monitoring system according to the present invention;
FIG. 2 is a schematic diagram of the vulnerability similarity coordinate analysis in the hot-reproduction and repair method for network vulnerabilities of a power monitoring system.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to FIG. 1 and FIG. 2, a hot-reproduction and repair method for network vulnerabilities of a power monitoring system comprises: a method for automatically configuring the vulnerability hot-reproduction environment; a vulnerability exploitation mode analysis method; and a vulnerability hot-patch search and repair method.
The method for automatically configuring the vulnerability hot-reproduction environment comprises the following steps: during vulnerability hot reproduction, the Quick Emulator with Kernel-based Virtual Machine (QEMU-KVM) technology is used to realise the virtualised configuration of the vulnerability reproduction environment vector, with the Kernel-based Virtual Machine (KVM) providing hardware acceleration for the Quick Emulator (QEMU) while the power monitoring system network remains in its normal state. During configuration, the known vulnerability information is read first and the vulnerability reproduction environment data are obtained, namely the variables system kernel file kernel, system memory memory, the bios in use when the vulnerability ran, hard disk had, network card file net and mirrored hard disk drive; the reproduction environment vector TargetVuln_map corresponding to the vulnerability is established; the kernel, memory, bios, had, net and drive resources are read and allocated; vulnerability reproduction is carried out in dynamic code translation mode; and the actual trigger scene of each vulnerability is fully restored.
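As an added illustration of this step (example code, not code from the patent), the following Python builds the QEMU-KVM command line from a TargetVuln_map vector with the patent's six fields. The mapping of each field to a QEMU option, and the rule that the reproduction VM may only use isolated user-mode networking so that the production network is never touched, are assumptions of the example.

```python
"""Configure the QEMU-KVM hot-reproduction environment from a TargetVuln_map vector.

Added example, not code from the patent. Field names follow the patent's
TargetVuln_map [kernel, memory, bios, had, net, drive]; the QEMU options used
(-enable-kvm, -kernel, -m, -bios, -hda, -nic, -drive, -snapshot) are real,
but mapping each field to an option, and the network isolation rule, are
this example's assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TargetVulnMap:
    """Reproduction environment vector for one vulnerability."""
    kernel: str   # system kernel file captured from the affected host
    memory: int   # guest RAM in MiB, as it was when the vulnerability ran
    bios: str     # BIOS image in use when the vulnerability ran
    had: str      # primary hard-disk image (the patent's name for this field)
    net: str      # network card configuration, in QEMU -nic syntax
    drive: str    # mirrored hard-disk image of the affected host


def is_isolated_net(net: str) -> bool:
    """True if the NIC config keeps the guest off the production network.
    Assumption: only user-mode (slirp) networking or no NIC counts as isolated;
    tap and bridge backends would attach the reproduction VM to real segments."""
    backend = net.split(",", 1)[0].strip().lower()
    return backend in ("user", "none")


def build_qemu_argv(env: TargetVulnMap, hardware_accel: bool = True) -> List[str]:
    """Return the argv that submits the environment vector to a QEMU process.

    hardware_accel=True adds -enable-kvm (KVM accelerating QEMU, as in the
    patent); False leaves QEMU in TCG dynamic code translation mode.
    -snapshot sends all disk writes to temporary files, so the images copied
    from the power monitoring system are never modified by the reproduction."""
    missing = [f for f in ("kernel", "bios", "had", "net", "drive")
               if not getattr(env, f)]
    if missing:
        raise ValueError(f"environment vector incomplete: {missing}")
    if env.memory <= 0:
        raise ValueError("memory must be a positive size in MiB")
    if not is_isolated_net(env.net):
        raise ValueError("reproduction VM must not touch the production network")

    argv = ["qemu-system-x86_64"]
    if hardware_accel:
        argv.append("-enable-kvm")
    argv += [
        "-kernel", env.kernel,
        "-m", str(env.memory),
        "-bios", env.bios,
        "-hda", env.had,
        "-nic", env.net,
        "-drive", f"file={env.drive},format=qcow2,if=virtio",
        "-snapshot",
    ]
    return argv


if __name__ == "__main__":
    # Constructed sample vector; the paths are placeholders, not real captures.
    sample = TargetVulnMap("captures/vmlinuz", 2048, "captures/bios.bin",
                           "captures/sys.qcow2", "user,model=virtio-net-pci",
                           "captures/mirror.qcow2")
    print(" ".join(build_qemu_argv(sample)))
```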
The vulnerability exploitation mode analysis method comprises the following steps: a three-dimensional coordinate system is established, and the vulnerability occurrence NewV(AppState, intermediate component state, UnderlyingState) is marked as a three-dimensional coordinate point using the related application state (AppState), intermediate component state and underlying register state (UnderlyingState) of the vulnerability reproduction site; Common Vulnerabilities and Exposures (CVE) entries on the public network and the National Information Security Vulnerability Sharing Platform (China National Vulnerability Database, CNVD) are crawled automatically; a number of coordinate points of the same type are screened; the correlation coefficient between vulnerabilities is calculated from the vulnerability occurrence points; and vulnerability information similar to the new vulnerability is searched for, with the similarity calculation formula defined as follows:
[Formula (1): given only as an image in the original; its symbols are not recoverable from the page.]
where the first symbol is the dimension of the vulnerability coordinate point, the second is the newly discovered vulnerability and the third is the related vulnerability crawled from the network. By calculating the similarity of the two, the vulnerability with the highest similarity can be obtained; the published proof of concept (POC) and exploit (EXP) for that vulnerability are then searched for and analysed for common words with the following formula:
[Formula (2): given only as an image in the original; its symbols are not recoverable from the page.]
Combining the vulnerability with the result of this analysis, the vulnerability trigger point is determined, and the vulnerability exploitation mode is determined from the trigger point.
The vulnerability hot-patch search and repair method comprises the following steps: according to the obtained vulnerability trigger point and vulnerability type, related vulnerability hot patches are searched for using a search-engine-based search, the corresponding patches of similar vulnerabilities are found, and information on the hot patches found is collected; factors such as the operating system patch_os, equipment type patch_dev, software version patch_svision and programming language type patch_language are extracted from the patches and a patch information text vector patch_mag is constructed; the operating system pathc_os, equipment type pathc_dev, software version pathc_svision and programming language type pathc_language of the vulnerability reproduction environment are extracted and a vulnerability information text vector vuln_mag is established; and the correlation between the patch information and the vulnerability information is analysed with formula (3):
[Formula (3): given only as an image in the original; its symbols are not recoverable from the page.]
where the symbol given is the vector dimension. After the correlation results are obtained, the related patches are selected in order of correlation from high to low and run in the generated virtualised environment, whether the hot-patch repair is effective is checked, and after verification the hot patch is applied to the actual environment of the power monitoring system network.
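As an added illustration of the patch search and verification step (example code, not the patent's own, serving both this passage and the same step in the summary above), the following Python ranks candidate hot patches against vuln_mag and verifies them in the sandbox before any production change. Because formula (3) survives only as an image, cosine similarity over one-hot factor vectors is an assumed stand-in for the patent's correlation, and the sandbox_ok callback and sample records are constructed stand-ins for running a patch in the QEMU-KVM environment.

```python
"""Rank candidate hot patches against the vulnerability reproduction environment
and verify them in the virtualised environment before touching production.

Added example, not code from the patent. It keeps the patent's factor names
(patch_os, patch_dev, patch_svision, patch_language for a patch; the same four
factors of the reproduction environment form vuln_mag). Formula (3) appears in
the patent only as an image, so the correlation used here, cosine similarity
between one-hot text vectors of dimension n, is an assumption; so is the
sandbox_ok callback that stands in for running a patch in the QEMU-KVM
environment."""
from math import sqrt
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Record = Dict[str, str]
FACTORS = ("os", "dev", "svision", "language")   # the four factors in the patent


def build_vocab(records: Sequence[Record]) -> List[str]:
    """Collect every factor=value term; its length is the vector dimension n."""
    terms = set()
    for r in records:
        terms.update(f"{k}={r[k].strip().lower()}" for k in FACTORS)
    return sorted(terms)


def text_vector(record: Record, vocab: List[str]) -> List[float]:
    """One-hot encode a record (patch_mag or vuln_mag) over the shared vocabulary."""
    present = {f"{k}={record[k].strip().lower()}" for k in FACTORS}
    return [1.0 if term in present else 0.0 for term in vocab]


def correlation(a: Sequence[float], b: Sequence[float]) -> float:
    """Cosine similarity; with one-hot factors this equals (matching factors) / 4."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def rank_patches(vuln_mag: Record, patches: Sequence[Record]) -> List[Tuple[float, Record]]:
    """Score every patch against vuln_mag and order from high to low correlation."""
    vocab = build_vocab([vuln_mag, *patches])
    v = text_vector(vuln_mag, vocab)
    scored = [(correlation(v, text_vector(p, vocab)), p) for p in patches]
    scored.sort(key=lambda sp: sp[0], reverse=True)
    return scored


def select_verified_patch(vuln_mag: Record, patches: Sequence[Record],
                          sandbox_ok: Callable[[Record], bool]) -> Optional[Record]:
    """Run patches in the sandbox in order of correlation; return the first whose
    repair is verified effective, or None. Only a verified patch may be applied
    to the real power monitoring system network."""
    for _score, patch in rank_patches(vuln_mag, patches):
        if sandbox_ok(patch):
            return patch
    return None


# Constructed sample data (not from the patent): the reproduction environment and
# three hot patches returned by the search step.
VULN_MAG: Record = {"os": "CentOS 7", "dev": "SCADA front-end",
                    "svision": "3.2.1", "language": "C"}
PATCHES: List[Record] = [
    {"id": "hp-1", "os": "CentOS 7", "dev": "SCADA front-end", "svision": "3.2.1", "language": "C"},
    {"id": "hp-2", "os": "CentOS 7", "dev": "SCADA front-end", "svision": "3.2.0", "language": "C"},
    {"id": "hp-3", "os": "Windows 10", "dev": "HMI", "svision": "1.0", "language": "C"},
]


def demo_sandbox_ok(patch: Record) -> bool:
    """Stand-in for the QEMU-KVM verification: here hp-1 is assumed to fail
    (the vulnerability still triggers after it is applied), so the next
    candidate in correlation order is tried."""
    return patch["id"] != "hp-1"


if __name__ == "__main__":
    for score, p in rank_patches(VULN_MAG, PATCHES):
        print(f"{p['id']}: correlation {score:.2f}")
    chosen = select_verified_patch(VULN_MAG, PATCHES, demo_sandbox_ok)
    print("apply to production:", chosen["id"] if chosen else "none verified")
```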
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (1)

1. A hot-reproduction and repair method for network vulnerabilities of a power monitoring system, characterised by comprising the following steps:
a method for automatically configuring the vulnerability hot-reproduction environment;
a vulnerability exploitation mode analysis method;
a vulnerability hot-patch search and repair method;
the method for automatically configuring the vulnerability hot-reproduction environment comprises the following steps:
during vulnerability hot reproduction, QEMU-KVM technology is used to realise the virtualised configuration of the vulnerability reproduction environment vector, with the kernel virtual machine KVM providing hardware acceleration for the quick emulator QEMU while the power monitoring system network remains in its normal state; during configuration, the known vulnerability information is read first and the vulnerability reproduction environment data are obtained, namely the variables system kernel file kernel, system memory memory, the bios in use at run time, hard disk had, network card file net and mirrored hard disk drive; the reproduction environment vector TargetVuln_map [kernel, memory, bios, had, net, drive] corresponding to the vulnerability is established and then submitted to a QEMU process; the kernel and bios resources are read and allocated; vulnerability reproduction is carried out in dynamic code translation mode; and the actual trigger scene of each vulnerability is fully restored;
the vulnerability exploitation mode analysis method comprises the following steps:
a three-dimensional coordinate system is established, and the vulnerability occurrence NewV is marked as a three-dimensional coordinate point using the related application state, intermediate component state and underlying register state of the site where the vulnerability was found; related vulnerability information is crawled automatically from the public network, the National Information Security Vulnerability Sharing Platform (CNVD) and the China National Vulnerability Database of Information Security (CNNVD); a number of vulnerabilities of the same type are screened; the correlation coefficient between vulnerabilities is calculated from each vulnerability's occurrence coordinate point; and vulnerability information similar to the new vulnerability is searched for, with the similarity calculation formula defined as follows:
[Formula (1): given only as an image in the original; its symbols are not recoverable from the page.]
where the first symbol is the dimension of the vulnerability coordinate point, the second is the newly discovered vulnerability and the third is the related vulnerability crawled from the network; by calculating the similarity of the two, the vulnerability with the highest similarity can be obtained, and the published proof of concept and exploit for that vulnerability are then searched for and analysed for common words with the following formula:
[Formula (2): given only as an image in the original; its symbols are not recoverable from the page.]
combining the vulnerability with the result of this analysis, the vulnerability trigger point is determined, and the vulnerability exploitation mode is determined from the trigger point;
the vulnerability hot-patch search and repair method comprises the following steps:
according to the obtained vulnerability trigger point and vulnerability type, related vulnerability hot patches are searched for using a search-engine-based search, the corresponding patches of similar vulnerabilities are found, and information on the hot patches found is collected; the operating system patch_os, equipment type patch_dev, software version patch_svision and programming language type patch_language factors are extracted from the patches and a patch information text vector patch_mag is constructed; the operating system pathc_os, equipment type pathc_dev, software version pathc_svision and programming language type pathc_language information of the vulnerability reproduction environment is extracted and a vulnerability information text vector vuln_mag is established; and the correlation between the patch information and the vulnerability information is analysed with formula (3):
[Formula (3): given only as an image in the original; its symbols are not recoverable from the page.]
where the symbol given is the vector dimension; after the correlation results are obtained, the related patches are selected in order of correlation from high to low and run in the generated virtualised environment, whether the hot-patch repair is effective is checked, and after verification the hot patch is applied to the actual environment of the power monitoring system network.

Publications (2)

Publication Number Publication Date
CN113709174A (en) 2021-11-26
CN113709174B (en) 2023-04-18

Family Applications (1)

Application Number Status Publication Priority Date Filing Date Title
CN202111029561.0A Active CN113709174B (en) 2021-09-03 2021-09-03 Network vulnerability heat reappearance and repair method for power monitoring system

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114301638B (en) * 2021-12-13 2024-02-06 山石网科通信技术股份有限公司 Firewall rule reproduction method and device, storage medium and processor
CN114329486A (en) * 2021-12-24 2022-04-12 中电信数智科技有限公司 Asset vulnerability management method and device, electronic equipment and storage medium
CN115310099A (en) * 2022-10-12 2022-11-08 北京盛邦赛云科技有限公司 Vulnerability coordinate system establishing method, vulnerability analyzing device and related equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109714314A (en) * 2018-11-21 2019-05-03 中国电子科技网络信息安全有限公司 Construction method for a holographic vulnerability database that reproduces the full vulnerability life cycle
CN112286823A (en) * 2020-11-18 2021-01-29 山石网科通信技术股份有限公司 Method and device for testing kernel of operating system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103745158A (en) * 2014-01-26 2014-04-23 北京奇虎科技有限公司 Method and device for repairing system bugs
US10534915B2 (en) * 2017-06-29 2020-01-14 Aqua Security Software, Ltd. System for virtual patching security vulnerabilities in software containers

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant