CN113987515A - Vulnerability threat discovery method and system based on intelligent matching - Google Patents


Info

Publication number: CN113987515A (granted as CN113987515B)
Authority: CN (China)
Application number: CN202111285719.0A
Original language: Chinese (zh)
Legal status: granted, active (the status shown by Google Patents is an assumption, not a legal conclusion)
Inventors: 李忆平, 庞景秋, 齐井春, 李绍俊, 崔放, 陈兴钰, 董铖, 白东鑫, 高起
Assignee (original and current): Changchun Jiacheng Information Technology Co ltd
Prior art keywords: threat, vulnerability, data, internet, server

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a vulnerability threat discovery method and system based on intelligent matching. At intervals of a first preset duration, a server obtains the vulnerability risk value of every Internet of Things (IoT) terminal in a local area network and uses those values to select a risk terminal. Vulnerability detection is then run only on the risk terminal; from its result the server infers whether the other, common terminals in the same local area network are likely to carry the same threat vulnerability, and takes targeted countermeasures accordingly. Because the IoT node devices do not have to be scanned one after another, detection efficiency is greatly improved.

Description

Vulnerability threat discovery method and system based on intelligent matching
Technical Field
The invention relates to the technical field of vulnerability threats, in particular to a vulnerability threat discovery method and system based on intelligent matching.
Background
The rapid development of Internet of Things (IoT) technology has made daily life, work and study more convenient, and IoT systems are widely used in production and everyday life across many industries. In the process, IoT devices have come to store a large amount of information.
Protecting the information stored on IoT devices has therefore become especially important. Because IoT vulnerabilities are present at all times, the security of IoT network information is under constant threat, so the vulnerabilities in an IoT deployment must be detected continuously and remediated accordingly.
However, existing detection methods for security vulnerability threats are based mainly on interface vulnerability scanning or port vulnerability scanning, in which each IoT node device is scanned in turn, so detection efficiency is low.
Disclosure of Invention
The main purpose of the invention is to provide a vulnerability threat discovery method and system based on intelligent matching, addressing the low detection efficiency of existing security vulnerability threat detection methods, which scan each IoT node device in turn.
The technical scheme provided by the invention is as follows:
A vulnerability threat discovery method based on intelligent matching, applied to a vulnerability threat discovery system based on intelligent matching. The system comprises a server and a plurality of IoT terminals; each IoT terminal is communicatively connected to the server; the server stores a public network security vulnerability library. The method comprises the following steps:
at intervals of a first preset duration, the server collects attribute information from each IoT terminal to determine a vulnerability risk value for each IoT terminal;
the server marks the IoT terminal with the largest vulnerability risk value as the risk terminal and marks the remaining IoT terminals as common terminals;
the server obtains the vulnerability detection data generated by the risk terminal and marks it as risk data, the vulnerability detection data being produced by running an OVAL vulnerability detector on the risk terminal;
the server matches the risk data against the public network security vulnerability library to judge whether the risk data is threat data;
if so, the server takes corresponding measures for each IoT terminal based on the threat data.
Preferably, collecting attribute information from each IoT terminal at intervals of the first preset duration to determine its vulnerability risk value comprises:
at intervals of the first preset duration, the server obtains the accumulated running time, the accumulated software update count, the network transmission type support number, the collectable data type number and the accumulated data transmission amount of each IoT terminal;
the server determines the vulnerability risk value of each IoT terminal from those five quantities.
Preferably, the vulnerability risk value of each IoT terminal is computed from the accumulated running time, the accumulated software update count, the network transmission type support number, the collectable data type number and the accumulated data transmission amount by the following formula:
[formula image Figure BDA0003332894840000021; the expression itself is not reproduced on this page]
where $Z_f$ is the vulnerability risk value; $T_1$ is the accumulated running time, in s; $T_{b,1}$ is the standard running time, in s; $C_1$ is the accumulated software update count; $t_b$ is the standard software update interval, in s; $S_l$ is the accumulated data transmission amount, i.e. the data throughput between the IoT terminal and the external network, in B; $S_b$ is the standard data transmission speed, in B/s; $a$ is the terminal type index of the IoT terminal, determined by the terminal's type; $C_2$ is the network transmission type support number, i.e. the number of network transmission types the IoT terminal can support; and $C_3$ is the collectable data type number.
Preferably, collecting attribute information from each IoT terminal at intervals of the first preset duration to determine its vulnerability risk value further comprises:
the server determines an initial period;
the server judges whether the risk data of the most recent first preset duration was threat data;
if so, the server shortens the initial period and uses the result as the first preset duration;
if not, the server lengthens the initial period and uses the result as the first preset duration.
Preferably, the IoT terminals together form a local area network, and determining the initial period comprises:
the server determines a period reference value for the local area network from the network transmission type support number, the collectable data type number and the terminal type index of each IoT terminal:
[formula image Figure BDA0003332894840000031; the expression itself is not reproduced on this page]
where $Z_c$ is the period reference value; $N$ is the number of IoT terminals in the local area network; $a_i$ is the terminal type index of the $i$-th IoT terminal, $0 < i \le N$; $C_{2,i}$ is the network transmission type support number of the $i$-th IoT terminal; and $C_{3,i}$ is the collectable data type number of the $i$-th IoT terminal;
the server determines the initial period from the period reference value:
[formula image Figure BDA0003332894840000032; the expression itself is not reproduced on this page]
where $T_c$ is the initial period, in s; $Z_b$ is a standard reference value, a constant; and $T_{b,2}$ is the standard period corresponding to the standard reference value, in s.
Preferably, matching the risk data against the public network security vulnerability library to judge whether it is threat data comprises:
the server matches the description information in the risk data against the vulnerability description information in the public network security vulnerability library and obtains a matching rate value;
when the matching rate value exceeds a preset matching rate value, the server determines the risk data to be threat data.
Preferably, the system further comprises a central router; each IoT terminal and the server are connected to the external network through the central router. Taking countermeasures for each IoT terminal based on the threat data comprises:
the server determines, from the public network security vulnerability library, the threat type and threat degree corresponding to the threat data, where the threat type is one of software threat, hardware threat and comprehensive threat (a comprehensive threat is both a software and a hardware threat) and the threat degree is one of high, medium, low and unknown;
when the threat degree corresponding to the threat data is not low, the server obtains the vulnerability detection data generated by the common terminals and marks it as common data;
the server matches the common data against the public network security vulnerability library to judge whether the common data is threat data;
when the common data is threat data, the server disconnects each IoT terminal from the external network through the central router.
Preferably, the system further comprises an alarm terminal communicatively connected to the server, and after the threat type and threat degree of the threat data have been determined from the public network security vulnerability library:
when the threat type is a software threat or a comprehensive threat, the server obtains the patch file corresponding to the threat data from the external network;
the server sends the patch file to each IoT terminal to patch the vulnerability corresponding to the threat data;
when the threat type is a hardware threat, the server sends alarm information to the alarm terminal.
Preferably, the method further comprises:
at intervals of a second preset duration, fetching the public network security vulnerability library from the external network and updating the local copy.
The invention also provides a vulnerability threat discovery system based on intelligent matching, to which the method of any of the above is applied. The system comprises a server and a plurality of IoT terminals; each IoT terminal is communicatively connected to the server; the server stores a public network security vulnerability library.
The above technical scheme achieves the following beneficial effects:
At intervals of the first preset duration, the server obtains the vulnerability risk value of every IoT terminal in the local area network and selects the risk terminal from those values; the risk terminal is the most important IoT terminal in the local network and the one most likely to carry a threat vulnerability during that interval. The risk terminal is checked with an OVAL vulnerability detector to obtain risk data, and the risk data is matched against the public network security vulnerability library to judge whether it is threat data, i.e. whether the risk terminal has a threat vulnerability. If it does, the other common terminals in the same local area network are likely to have the same threat vulnerability, so countermeasures are taken directly for every IoT terminal in the local area network based on the threat data, the vulnerability is repaired in time, and normal operation of all IoT terminals in the network is maintained. If it does not, the common terminals are unlikely to have the threat vulnerability, and there is no need to scan them one by one. In other words, vulnerability detection is run only on the risk terminal of a local area network, whether the other common terminals are affected is inferred from that result, and different countermeasures are then taken in a targeted manner; the IoT node devices do not have to be scanned in turn, so detection efficiency is greatly improved.
Drawings
To illustrate the embodiments of the invention or the prior-art technical solutions more clearly, the drawings used in their description are briefly introduced below. The drawings described below show only some embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a vulnerability threat discovery method based on intelligent matching according to a first embodiment of the present invention.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention provides a vulnerability threat discovery method and system based on intelligent matching.
As shown in Fig. 1, in a first embodiment the vulnerability threat discovery method based on intelligent matching is applied to a vulnerability threat discovery system based on intelligent matching. The system comprises a server and a plurality of IoT terminals; the IoT terminals form a local area network; each IoT terminal is communicatively connected to the server; the server stores a public network security vulnerability library. The embodiment comprises the following steps:
step S110: and the server acquires the attribute information of each Internet of things terminal every other first preset time so as to determine the vulnerability risk value of each Internet of things terminal.
Specifically, the first preset time duration is a monitoring period, and can be determined according to the actual situation of the terminal of the internet of things, and is generally set to 1 day; the vulnerability risk value corresponds to the internet of things terminal and is used for reflecting the importance degree of each internet of things terminal and the difficulty degree of vulnerability threat, and specifically, when the vulnerability risk value is larger, the corresponding internet of things terminal is more important and the vulnerability threat is more likely to occur.
The internet of things terminal can be any intelligent terminal, including a mobile phone, a tablet computer, a notebook computer, a palm computer, mobile internet equipment, wearable equipment, virtual reality equipment, augmented reality equipment, a wireless terminal in industrial control, a wireless terminal in unmanned driving, a wireless terminal in remote operation, a wireless terminal in an intelligent power grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, a monitoring terminal (such as a camera terminal) in a security system, various types of information acquisition terminals (such as a sound acquisition terminal) and the like.
Step S120: the server marks the IoT terminal with the largest vulnerability risk value as the risk terminal and the remaining IoT terminals as common terminals.
Specifically, among the plurality of IoT terminals the one with the largest vulnerability risk value is selected and marked as the risk terminal; the others are marked as common terminals.
Step S130: the server obtains the vulnerability detection data generated by the risk terminal and marks it as risk data; the vulnerability detection data is produced by running an OVAL vulnerability detector on the risk terminal.
In particular, OVAL (Open Vulnerability and Assessment Language) is a standard for computer vulnerability assessment published by the security organisation MITRE: a descriptive language for defining the technical details of checks, vulnerabilities and the like. OVAL describes security-relevant check points unambiguously and in machine-readable form; a typical XML document in the OVAL format is composed of elements such as definitions, tests, objects, states and variables.
The vulnerability detection data produced by the OVAL vulnerability detector includes description information describing the threat vulnerability.
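As an added example (not code from the patent, and not MITRE's tooling), the following Python reads an OVAL definitions document with the structure just described and extracts, for each definition, the description information that the matching step consumes, together with the test, object and state the definition references. It also flags references that do not resolve, since a definition whose test or object is missing can never evaluate and a detector would silently report nothing for it. The XML is constructed for illustration: the oval:example:* ids, the file path and the version values are placeholders, and the generator element is omitted.

```python
"""Read an OVAL definitions document and extract, per definition, the
description information plus the test -> object/state chain it relies on.
Added example, not the patent's or MITRE's code; the XML is constructed."""
import xml.etree.ElementTree as ET

# Constructed OVAL 5.x definitions document: one vulnerability definition,
# one "independent" textfilecontent54 test with its object and state.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="vulnerability">
      <metadata>
        <title>Firmware build below the fixed release</title>
        <description>Installed firmware version is below the release that fixes the issue.</description>
      </metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:example:tst:1" comment="firmware version check"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <ind-def:textfilecontent54_test id="oval:example:tst:1" version="1"
        check="all" comment="firmware version check">
      <ind-def:object object_ref="oval:example:obj:1"/>
      <ind-def:state state_ref="oval:example:ste:1"/>
    </ind-def:textfilecontent54_test>
  </tests>
  <objects>
    <ind-def:textfilecontent54_object id="oval:example:obj:1" version="1">
      <ind-def:filepath>/opt/iot/firmware.txt</ind-def:filepath>
      <ind-def:pattern operation="pattern match">^version=(\\S+)</ind-def:pattern>
      <ind-def:instance datatype="int">1</ind-def:instance>
    </ind-def:textfilecontent54_object>
  </objects>
  <states>
    <ind-def:textfilecontent54_state id="oval:example:ste:1" version="1">
      <ind-def:subexpression datatype="version" operation="less than">2.4.0</ind-def:subexpression>
    </ind-def:textfilecontent54_state>
  </states>
</oval_definitions>
"""


def local(tag):
    """Strip the namespace so family-specific tests/objects/states are handled alike."""
    return tag.rsplit("}", 1)[-1]


def parse_oval(xml_text):
    """Index definitions, tests, objects and states by id; list dangling references."""
    root = ET.fromstring(xml_text)
    sections = {local(child.tag): child for child in root}
    idx = {"definitions": {}, "tests": {}, "objects": {}, "states": {}, "dangling": []}
    for d in sections.get("definitions", []):
        meta = d.find("{*}metadata")
        fields = {local(m.tag): (m.text or "").strip() for m in (meta if meta is not None else [])}
        idx["definitions"][d.get("id")] = {
            "class": d.get("class"),
            "title": fields.get("title", ""),
            "description": fields.get("description", ""),
            # criteria may nest, so walk the whole definition subtree for criterion elements
            "test_refs": [c.get("test_ref") for c in d.iter() if local(c.tag) == "criterion"],
        }
    for t in sections.get("tests", []):
        kids = list(t)
        idx["tests"][t.get("id")] = {
            "kind": local(t.tag),
            "object_ref": next((k.get("object_ref") for k in kids if local(k.tag) == "object"), None),
            "state_refs": [k.get("state_ref") for k in kids if local(k.tag) == "state"],
        }
    for section in ("objects", "states"):
        for el in sections.get(section, []):
            idx[section][el.get("id")] = local(el.tag)
    # Every reference must resolve, otherwise the definition can never evaluate.
    for d in idx["definitions"].values():
        idx["dangling"] += [r for r in d["test_refs"] if r not in idx["tests"]]
    for t in idx["tests"].values():
        if t["object_ref"] not in idx["objects"]:
            idx["dangling"].append(t["object_ref"])
        idx["dangling"] += [r for r in t["state_refs"] if r not in idx["states"]]
    return idx


def detection_records(idx):
    """Per-definition records carrying the description information used for matching."""
    records = []
    for def_id, d in idx["definitions"].items():
        records.append({
            "id": def_id, "class": d["class"], "title": d["title"],
            "description": d["description"],
            "tests": [dict(id=r, **idx["tests"][r]) for r in d["test_refs"] if r in idx["tests"]],
        })
    return records


if __name__ == "__main__":
    index = parse_oval(SAMPLE_OVAL)
    for rec in detection_records(index):
        print(rec["id"], "->", rec["description"], rec["tests"])
    print("dangling references:", index["dangling"])
```

Namespaces are stripped deliberately: OVAL tests, objects and states live in per-platform namespaces (independent, unix, windows, linux and so on), and a detector that only knows one family would miss the others. A detector that returns an empty result for a definition should be treated as "could not evaluate", not "no vulnerability"; the dangling-reference list makes that distinction visible before any matching is attempted.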
Step S140: the server matches the risk data against the public network security vulnerability library to judge whether the risk data is threat data.
Specifically, Common Vulnerabilities and Exposures (CVE) is in effect a dictionary that assigns a common name to each widely recognised information security vulnerability or exposure. If a vulnerability report carries a CVE name, the corresponding fix information can be found quickly in any other CVE-compatible database, which helps resolve the security problem.
If so, go to step S150: the server takes corresponding measures for each IoT terminal based on the threat data.
Specifically, if the risk data is threat data, a threat vulnerability has been detected on the risk terminal, and the other common terminals in the same local area network have the same threat vulnerability with higher probability. Countermeasures are therefore taken directly for every IoT terminal in the local area network based on the threat data, repairing the vulnerability in time and keeping all IoT terminals in the network running normally.
If not, go to step S160: the server marks all IoT terminals in the local area network as safe terminals for the current first preset duration.
Specifically, if the risk data is not threat data, the server marks all IoT terminals in the local area network as safe terminals. No threat vulnerability on the risk terminal means the other common terminals in the same local area network carry one only with low probability, so they need not be scanned one by one within this first preset duration; that is, during this interval the OVAL vulnerability detectors on the common terminals are not instructed to scan them.
In summary, at intervals of the first preset duration the server obtains the vulnerability risk values of all IoT terminals in the local area network and selects the risk terminal, the terminal that is most important and most likely to carry a threat vulnerability during that interval. The risk terminal is checked with an OVAL vulnerability detector, and the resulting risk data is matched against the public network security vulnerability library to decide whether it is threat data. If it is, the other common terminals in the same local area network probably share the vulnerability, so countermeasures are taken for every IoT terminal in the network and the vulnerability is repaired in time; if it is not, the common terminals are unlikely to be affected and need not be scanned individually. Vulnerability detection is thus run on the risk terminal only, the state of the common terminals is inferred from that result, and different countermeasures are taken in a targeted manner; no strict one-by-one scan of each IoT node device is needed, so detection efficiency is greatly improved.
In a second embodiment, based on the first, step S110 comprises the following steps:
Step S210: at intervals of the first preset duration, the server obtains the accumulated running time, the accumulated software update count, the network transmission type support number, the collectable data type number and the accumulated data transmission amount of each IoT terminal.
Specifically: the accumulated software update count is the number of times the software running on the IoT terminal has been updated; the more updates, the fewer vulnerabilities the software is expected to contain, and the smaller the vulnerability risk value. The network transmission type support number is the number of network transmission types (for example Bluetooth, wired communication, Wi-Fi and ZigBee) the IoT terminal supports; the more types supported, the greater the risk of attack from the external network and the larger the vulnerability risk value. The collectable data type number is the number of data types (for example video, audio, temperature, speed and text data) the IoT terminal can collect; the more types, the more user-related information the terminal may hold, the greater the risk of network attack and the larger the vulnerability risk value. The accumulated data transmission amount is the accumulated amount of data exchanged with the external network while the IoT terminal operates; the larger it is, the larger the vulnerability risk value.
Step S220: the server determines the vulnerability risk value of each IoT terminal from the accumulated running time, the accumulated software update count, the network transmission type support number, the collectable data type number and the accumulated data transmission amount.
This embodiment provides the calculation scheme for the vulnerability risk value.
In a third embodiment, based on the second, the calculation formula of step S220 is:
[formula image Figure BDA0003332894840000081; the expression itself is not reproduced on this page]
where $Z_f$ is the vulnerability risk value; $T_1$ is the accumulated running time, in s; $T_{b,1}$ is the standard running time, in s, e.g. 864000 s (10 days); $C_1$ is the accumulated software update count; $t_b$ is the standard software update interval, in s, e.g. 2593000 s (about 30 days); $S_l$ is the accumulated data transmission amount, i.e. the data throughput between the IoT terminal and the external network, in B; $S_b$ is the standard data transmission speed, in B/s, e.g. 102400 B/s; $a$ is the terminal type index, determined by the type of IoT terminal: 3 for a data acquisition terminal (e.g. a camera), 5 for a mobile terminal (e.g. an unmanned aerial vehicle), 2 for a terminal with a data output function (e.g. a display terminal) and 1 for all other terminals; $C_2$ is the network transmission type support number, i.e. the number of network transmission types the IoT terminal can support; and $C_3$ is the collectable data type number.
In a fourth embodiment, based on the second, step S110 further comprises the following steps:
Step S410: the server determines an initial period.
Specifically, the initial period is for example 1 day, i.e. 86400 s.
Step S420: the server judges whether the risk data of the most recent first preset duration was threat data.
If so, go to step S430: the server shortens the initial period and uses the result as the first preset duration.
Specifically, when a threat vulnerability was detected in the most recent interval, the first preset duration is shortened, which raises the detection frequency and protects the IoT terminals.
If not, go to step S440: the server lengthens the initial period and uses the result as the first preset duration.
Specifically, when no threat vulnerability was detected in the most recent interval, the first preset duration is lengthened, which favours detection efficiency.
In a fifth embodiment, based on the fourth, the IoT terminals form a local area network and step S410 comprises the following steps:
Step S510: the server determines a period reference value for the local area network from the network transmission type support number, the collectable data type number and the terminal type index of each IoT terminal:
[formula image Figure BDA0003332894840000091; the expression itself is not reproduced on this page]
where $Z_c$ is the period reference value; $N$ is the number of IoT terminals in the local area network; $a_i$ is the terminal type index of the $i$-th IoT terminal, $0 < i \le N$; $C_{2,i}$ is the network transmission type support number of the $i$-th IoT terminal; and $C_{3,i}$ is the collectable data type number of the $i$-th IoT terminal. The larger any of $a_i$, $C_{2,i}$ or $C_{3,i}$, the greater the risk that the corresponding IoT terminal has a threat vulnerability, the shorter the resulting initial period, and hence the higher the detection frequency.
Step S520: the server determines the initial period from the period reference value:
[formula image Figure BDA0003332894840000092; the expression itself is not reproduced on this page]
where $T_c$ is the initial period, in s; $Z_b$ is a standard reference value, a constant, e.g. 10; and $T_{b,2}$ is the standard period corresponding to the standard reference value, in s, e.g. 86400 s.
In a sixth embodiment, based on the first, step S140 comprises the following steps:
Step S610: the server matches the description information in the risk data against the vulnerability description information in the public network security vulnerability library and obtains a matching rate value.
Step S620: when the matching rate value exceeds the preset matching rate value, the server determines the risk data to be threat data.
In a seventh embodiment of the intelligent matching-based vulnerability threat discovery method, based on the first embodiment, the system further comprises a central router; each Internet of things terminal is in communication connection with an external network through the central router; the server is in communication connection with the external network through the central router; step S150 includes the following steps:
Step S710: the server determines a threat type and a threat degree corresponding to the threat data based on the public network security vulnerability library, wherein the threat type comprises a software threat, a hardware threat and a comprehensive threat, the comprehensive threat belonging to the software threat and the hardware threat simultaneously, and the threat degree comprises high risk, medium risk, low risk and unknown degree.
Step S720: when the threat degree corresponding to the threat data is not low risk, the server acquires the vulnerability detection data generated by the common terminals and marks it as common data.
Specifically, when the threat data is not low risk, the severity of the vulnerability corresponding to the threat data is relatively high, so the server also needs to detect the common terminals to obtain the common data.
Step S730: the server matches the common data against the public network security vulnerability library to judge whether the common data is threat data.
Step S740: when the common data is threat data, the server disconnects each Internet of things terminal from the external network through the central router.
Specifically, when the common data of the other terminals in the same local area network is also threat data, the vulnerability has appeared across the whole local area network; to avoid a network attack that maliciously exploits it, the server disconnects the Internet of things terminals from the external network through the central router, thereby protecting them.
In an eighth embodiment of the intelligent matching-based vulnerability threat discovery method provided by the present invention, based on the seventh embodiment, the system further includes an alarm terminal (for example, a smartphone) in communication connection with the server; after step S710, the method further includes the following steps:
Step S810: when the threat category corresponding to the threat data is a software threat or a comprehensive threat, the server acquires a patch file corresponding to the threat data through the external network.
Step S820: the server sends the patch file to each Internet of things terminal so as to patch the vulnerability corresponding to the threat information.
Step S830: when the threat category corresponding to the threat data is a hardware threat, the server sends alarm information to the alarm terminal.
Specifically, the present embodiment provides measures for coping with different types of threat data.
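The server-side decision logic of steps S610 to S620 (matching risk data against the vulnerability library) and S710 to S830 (classifying threat data and choosing measures), written here as an added example; it is not the patent's code. The library entries, the token-Jaccard matching rate, the 0.5 threshold and the action names are constructed stand-ins, since the patent fixes none of them, and a comprehensive threat is read as both software and hardware, so it receives both the patch and the alarm.

```python
import re

# Constructed stand-in for the public network security vulnerability library.
# Each entry carries a description plus the threat type (software / hardware /
# comprehensive, i.e. both) and threat degree (high / medium / low / unknown)
# that step S710 reads off the library.
VULN_DB = [
    {"id": "LIB-0001", "desc": "remote code execution in telnet service",
     "type": "software", "degree": "high"},
    {"id": "LIB-0002", "desc": "weak default password on device web console",
     "type": "software", "degree": "medium"},
    {"id": "LIB-0003", "desc": "debug uart header exposed on board",
     "type": "hardware", "degree": "high"},
    {"id": "LIB-0004", "desc": "firmware update channel lacks signature verification",
     "type": "comprehensive", "degree": "high"},
    {"id": "LIB-0005", "desc": "verbose banner reveals software version",
     "type": "software", "degree": "low"},
]


def tokens(text):
    """Lower-cased word tokens of a description string."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def match_rate(a, b):
    """Matching rate between two descriptions. Jaccard similarity over tokens is
    an assumed metric; the patent only requires a rate compared to a threshold."""
    ta, tb = tokens(a), tokens(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0


def match_vuln(desc, db=VULN_DB, threshold=0.5):
    """Steps S610/S620: (best entry, rate) when the rate exceeds the preset
    matching rate value, otherwise (None, rate)."""
    best = max(db, key=lambda e: match_rate(desc, e["desc"]))
    rate = match_rate(desc, best["desc"])
    return (best, rate) if rate > threshold else (None, rate)


def respond(risk_desc, common_descs, db=VULN_DB, threshold=0.5):
    """Steps S710-S830 for one risk-terminal report plus the common terminals'
    reports. Returns the ordered list of measures (constructed action names)."""
    actions = []
    entry, _ = match_vuln(risk_desc, db, threshold)
    if entry is None:
        return actions  # risk data is not threat data: nothing to do
    # S720-S740: anything other than low risk widens detection to the common
    # terminals; a second hit isolates the whole LAN via the central router.
    if entry["degree"] != "low":
        actions.append("scan_common_terminals")
        if any(match_vuln(d, db, threshold)[0] is not None for d in common_descs):
            actions.append("router_disconnect_external_network")
    # S810-S830: software and comprehensive threats get a patch pushed to every
    # terminal; hardware and comprehensive threats raise the alarm terminal.
    if entry["type"] in ("software", "comprehensive"):
        actions += [f"fetch_patch:{entry['id']}", "push_patch_to_all_terminals"]
    if entry["type"] in ("hardware", "comprehensive"):
        actions.append("alarm_terminal")
    return actions
```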
In a ninth embodiment of the intelligent matching-based vulnerability threat discovery method provided by the present invention, based on the seventh embodiment, the present embodiment further includes the following steps:
Step S910: the server acquires the public network security vulnerability library from the external network every second preset time length and updates it.
Specifically, the second preset time length is preferably 10 days, that is, the public network security vulnerability library is updated periodically.
The invention also provides a vulnerability threat discovery system based on intelligent matching, which is applied to the vulnerability threat discovery method based on intelligent matching according to any one of the above items; the vulnerability threat discovery system based on intelligent matching comprises a server and a plurality of Internet of things terminals; each Internet of things terminal is in communication connection with the server; the server stores a public network security vulnerability library.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, wherein the software product is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk), and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A vulnerability threat discovery method based on intelligent matching is characterized by being applied to a vulnerability threat discovery system based on intelligent matching; the system comprises a server and a plurality of terminals of the Internet of things; each Internet of things terminal is in communication connection with the server; the server stores a public network security vulnerability library; the method comprises the following steps:
the server collects attribute information of each Internet of things terminal every other first preset time length to determine a vulnerability risk value of each Internet of things terminal;
the server marks the Internet of things terminal with the largest vulnerability risk value as a risk terminal, and marks the rest Internet of things terminals as common terminals;
the server acquires vulnerability detection data generated by the risk terminal and marks the vulnerability detection data as risk data, wherein the vulnerability detection data is obtained by an OVAL vulnerability detector running on the risk terminal;
the server matches the risk data with the public network security vulnerability database to judge whether the risk data are threat data;
if so, the server takes corresponding measures for each Internet of things terminal based on the threat data.
2. The intelligent matching-based vulnerability threat discovery method according to claim 1, wherein the server collects attribute information of each internet of things terminal every first preset time to determine vulnerability risk values of each internet of things terminal, and the method comprises the following steps:
every other first preset time, the server acquires the accumulated running time, the accumulated software updating times, the network transmission type support number, the collectable data type number and the accumulated data transmission amount of each Internet of things terminal;
the server determines the vulnerability risk value of each Internet of things terminal based on the accumulated running time, the accumulated software updating times, the network transmission type support number, the collectable data type number and the accumulated data transmission amount.
3. The intelligent matching-based vulnerability threat discovery method according to claim 2, wherein the calculation formula by which the server determines the vulnerability risk value of each Internet of things terminal based on the accumulated running time, the accumulated software updating times, the network transmission type support number, the collectable data type number and the accumulated data transmission amount is as follows:
Figure FDA0003332894830000011
where Z_f is the vulnerability risk value; T_1 is the accumulated running time, in s; T_{b,1} is the standard running time, in s; C_1 is the accumulated number of software updates; t_b is the standard software update interval, in s; S_l is the accumulated data transmission amount, that is, the data throughput between the Internet of things terminal and the external network, in B; S_b is the standard data transmission speed, in B/s; a is the terminal type index of the Internet of things terminal, determined according to the type of the Internet of things terminal; C_2 is the network transmission type support number, that is, the number of network transmission types the Internet of things terminal can support; C_3 is the number of collectable data types.
4. The intelligent matching-based vulnerability threat discovery method according to claim 2, wherein the server collects attribute information of each internet of things terminal every first preset time to determine vulnerability risk values of each internet of things terminal, and the method further comprises:
the server determines an initial period;
the server judges whether the risk data is threat data within the last first preset time;
if so, the server shortens the initial period and then determines the initial period as the first preset time length;
if not, the server determines the initial period as the first preset time after prolonging the initial period.
5. The intelligent matching-based vulnerability threat discovery method according to claim 4, wherein the Internet of things terminals form a local area network, and the server determining an initial period comprises:
the server determines a periodic reference value of the local area network based on the network transmission type support number, the collectable data type number and the terminal type index of each internet of things terminal:
Figure FDA0003332894830000021
where Z_c is the period reference value; N is the number of Internet of things terminals in the local area network; a_i is the terminal type index of the i-th Internet of things terminal, 0 < i ≤ N; C_{2,i} is the network transmission type support number of the i-th Internet of things terminal; C_{3,i} is the number of data types the i-th Internet of things terminal can collect;
the server determines the initial period based on the period reference value:
Figure FDA0003332894830000022
where T_c is the initial period, in s; Z_b is a standard reference value, a constant; T_{b,2} is the standard period corresponding to the standard reference value, in s.
6. The intelligent matching-based vulnerability threat discovery method according to claim 1, wherein the server matches the risk data with the public network security vulnerability library to determine whether the risk data is threat data, comprising:
the server matches the description information of the risk data with vulnerability description information in the public network security vulnerability database, and obtains a matching rate value;
when the matching rate value is greater than a preset matching rate value, the server determines the risk data to be threat data.
7. The intelligent matching-based vulnerability threat discovery method of claim 1, wherein the system further comprises a central router; each Internet of things terminal is in communication connection with an external network through the central router; the server is in communication connection with an external network through the central router; the server takes a countermeasure for each of the internet of things terminals based on the threat data, including:
the server determines a threat type and a threat degree corresponding to the threat data based on the public network security vulnerability library, wherein the threat type comprises a software threat, a hardware threat and a comprehensive threat, the comprehensive threat belonging to the software threat and the hardware threat simultaneously, and the threat degree comprises high risk, medium risk, low risk and unknown degree;
when the threat degree corresponding to the threat data is not low risk, the server acquires vulnerability detection data generated by the common terminals and marks the vulnerability detection data as common data;
the server matches the common data with the public network security vulnerability database to judge whether the common data are threat data;
when the common data is threat data, the server disconnects each Internet of things terminal from the external network through the central router.
8. The intelligent matching-based vulnerability threat discovery method according to claim 7, wherein the system further comprises an alarm terminal in communication connection with the server, and after the server determines the threat type and the threat degree corresponding to the threat data based on the public network security vulnerability library, the method further comprises:
when the threat category corresponding to the threat data is a software threat or a comprehensive threat, the server acquires a patch file corresponding to the threat data through the external network;
the server sends the patch file to each Internet of things terminal so as to patch the vulnerability corresponding to the threat information;
when the threat category corresponding to the threat data is a hardware threat, the server sends alarm information to the alarm terminal.
9. The intelligent matching-based vulnerability threat discovery method according to claim 7, further comprising:
acquiring the public network security vulnerability library from the external network every second preset time length and updating it.
10. An intelligent matching-based vulnerability threat discovery system is applied to the intelligent matching-based vulnerability threat discovery method according to any one of claims 1-9; the vulnerability threat discovery system based on intelligent matching comprises a server and a plurality of Internet of things terminals; each Internet of things terminal is in communication connection with the server; the server stores a public network security vulnerability library.
CN202111285719.0A 2021-11-02 2021-11-02 Vulnerability threat discovery method and system based on intelligent matching Active CN113987515B (en)

Publications (2)

Publication Number Publication Date
CN113987515A (en) 2022-01-28
CN113987515B (en) 2022-04-01

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant