CN114124417A - Vulnerability assessment method for enhancing expandability in large-scale network - Google Patents
Vulnerability assessment method for enhancing expandability in large-scale network Download PDFInfo
- Publication number
- CN114124417A CN114124417A CN202010875523.6A CN202010875523A CN114124417A CN 114124417 A CN114124417 A CN 114124417A CN 202010875523 A CN202010875523 A CN 202010875523A CN 114124417 A CN114124417 A CN 114124417A
- Authority
- CN
- China
- Prior art keywords
- cpe
- vulnerability
- nvd
- matching
- fingerprint information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 19
- 230000002708 enhancing effect Effects 0.000 title abstract description 5
- 229920006235 chlorinated polyethylene elastomer Polymers 0.000 claims abstract description 44
- 238000000136 cloud-point extraction Methods 0.000 claims abstract description 4
- 238000012216 screening Methods 0.000 abstract description 8
- 238000004364 calculation method Methods 0.000 abstract 1
- 238000005516 engineering process Methods 0.000 description 5
- 238000001514 detection method Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000000052 comparative effect Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/903—Querying
- G06F16/90335—Query processing
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Databases & Information Systems (AREA)
- General Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computational Linguistics (AREA)
- Computing Systems (AREA)
- Data Mining & Analysis (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention provides a vulnerability assessment method for enhancing expandability in a large-scale network, and belongs to the technical field of information security. The passive vulnerability matching system of the vulnerability assessment method calculates the similarity by combining the equipment fingerprint information input by a user, the equipment fingerprint information in the CPE format extracted from the NVD vulnerability library and a high-precision vulnerability matching algorithm, and stores the similarity into a temporary similarity array; sequentially traversing the CPEs in all the NVDs, and repeating the matching calculation for each CPE; taking out the maximum value in the temporary similarity array to obtain a corresponding CPE, and searching whether a CVE (constant video edge) containing the CPE exists in NVD (noise video noise correction) through the CPE; on the basis of not improving the resource occupancy rate, the method uses the longest common subsequence algorithm to combine the coverage range, thereby greatly improving the precision of vulnerability matching; through the loophole matching algorithm, the step of manual screening is removed, but the matching accuracy can reach the accuracy of manual screening.
Description
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a vulnerability assessment method for enhancing expandability in a large-scale network.
Background
The core of the passive Vulnerability matching technology is that a user searches for the same CPE (Common Platform implementation, standardized by a method of naming software applications, operating systems, and hardware) in a National Vulnerability Database (NVD) through vendor information, product information, and version information of a device, and further finds a CVE (Common Vulnerability and exposure), i.e., a Vulnerability number, corresponding to the CPE. At present, for Passive vulnerability matching technologies, the following main documents are provided, m.latovika proposes network monitoring and vulnerability enumeration in a large heterogeneous network, s.na proposes internet service equipment identification based on CPE, l.a.b.sanguino proposes matching software vulnerability using CPE and CVE, m.gawron proposes PVD (Passive vulnerability detection), and the like. The passive vulnerability matching technology proposed by the researchers can already solve the problem of vulnerability matching, but a problem is generally existed, and the result precision of vulnerability matching is not very high. By analyzing the documents, the reason that the matching precision of the passive holes is low is summarized to that when a user searches for the same CPE in an NVD hole library through manufacturer information, product information and version information of equipment to match the holes, the product information acquired by the user may have abbreviations or alternative names, so that the matching precision of the holes is reduced. In order to solve the problem, the above researchers have proposed various schemes including Levenshtein distance (edit distance) or multiple screening and finally adding manual identification, but according to the experimental results, there are two phenomena, one is low in precision but consumes less manpower and material resources, and the other is high in precision but pays a large amount of manpower and material resources. In order to solve the existing problems, improve the precision of vulnerability matching and reduce the occupation of resources, a high-precision matching algorithm suitable for a passive vulnerability detection technology is provided.
Therefore, the core of the passive vulnerability matching technology is whether the device fingerprint information provided by the user can be accurately matched with the CPE in the NVD. Na et al propose passive vulnerability matching methods that, although all can solve the vulnerability matching problem, have the following problems: (1) the precision is low, but the resource occupation is small. (2) The precision is high, but the resource occupation is large.
Disclosure of Invention
Based on the problems, the invention provides a vulnerability assessment method with enhanced expandability in a large-scale network, which uses the longest common subsequence algorithm to combine with the coverage range on the basis of not improving the resource occupancy rate, thereby greatly improving the precision of vulnerability matching. Through the vulnerability matching algorithm, the step of manual screening is removed, but the matching accuracy can reach the accuracy of manual screening. The method comprises the following steps:
s1, inputting device fingerprint information (manufacturer information, product information and version number) by a user;
s2, the passive vulnerability matching system calculates the similarity by combining the equipment fingerprint information input by the user, the equipment fingerprint information in the CPE format extracted from the NVD vulnerability library and the high-precision vulnerability matching algorithm, and stores the similarity into a temporary similarity array;
s3, sequentially traversing all the CPEs in the NVD, and repeating the step two for each CPE;
s4, taking out the maximum value in the temporary similarity array, obtaining the corresponding CPE, and searching whether the CVE containing the CPE exists in the NVD through the CPE.
Further, the high-precision matching algorithm in step S2 is divided into two steps, which specifically include:
s2.1, using a longest common subsequence algorithm (LCS) to calculate the length of the longest common subsequence of the equipment fingerprint information input by a user and the equipment fingerprint information in the NVD under the CPE format;
s2.2, according to the longest public subsequence (CS) obtained in the S2.1, the coverage rate of the subsequence in the matched sequence is obtained;
and S2.3, multiplying the length of the Longest Common Subsequence (LCS) obtained in the S2.1 by the coverage rate of the subsequence in the step two, storing the length into a temporary array, and removing the length after traversing the whole NVD, wherein the CPE corresponding to the maximum value in the temporary array.
Further, the longest common subsequence algorithm (LCS) formula in S2.1 is:
requirement X (X)1,x2....xi) And Y (Y)1,y2...yj) Where c [ i, j ] is the longest common substring of]Represents XiAnd YjThe LCS length of (C) is given by the following formula:
the invention has the beneficial effects that:
on the basis of not improving the resource occupancy rate, the method uses the longest common subsequence algorithm in combination with the idea of coverage range, and greatly improves the precision of vulnerability matching. Through the vulnerability matching algorithm, the step of manual screening is removed, but the matching accuracy can reach the accuracy of manual screening.
Drawings
FIG. 1 is a diagram of vulnerability matching architecture of a vulnerability assessment method for scalability enhancement in large-scale networks according to the present invention;
fig. 2 is an experimental result diagram of the vulnerability assessment method for enhancing scalability in a large-scale network according to the present invention:
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described herein, and therefore the scope of the present invention is not limited by the specific embodiments disclosed below.
Example (b):
the problem of low precision in the prior art mainly occurs that product information provided by a user is not matched with product information in a CPE format in NVD. The information provided by the user is often a short name or an alternative name of the product information, while the product information in the CPE is often a full name, and in order to be as unsuitable as possible for manual screening, the following problems need to be solved:
(1) the product information in the user-entered device fingerprint information is used in acronyms (acronyms, partial word acronyms, etc.) by how to match the correct CPE.
(2) The product information in the device fingerprint information input by the user is named as http _ server of Apache, and the product is named as httpd, and how to match the contended CPE is named as http _ server
In order to better describe the technical solution of the present invention, the existing problems are first exemplified. The product information of the product 1 is vxworks, and meanwhile, the product information of the product in a CPE format in NVD is also vxworks; the product information of the product 2 is IIS, but the product information of the product in the NVD under the CPE format is internet _ information _ server; product information for product 3 is router, but the product is 1701hg _ router in CPE format in NVD.
For different cases of product information in the above three types of device fingerprint information, it is found that the matching precision is highest for the product 1 when vulnerability matching is performed, but the matching precision is lower for product information with abbreviations and partial omission. The solution to this problem is by the present invention combining the longest common subsequence problem, and the coverage of the subsequences in the matched sequence (i.e., CPE in NVD).
The solution of the invention can improve the precision, mainly for the following reasons:
(1) in computer science, the similarity of two character strings is measured by comparing the length of the Longest Common Subsequence (LCS), and the larger the length of the LCS is, the higher the similarity of the two is.
(2) When coverage needs to be considered on the basis of the longest common subsequence, for product 2, another product, anti _ bforiision _ receiver, may exist in NVD, if only the Longest Common Subsequence (LCS) is used for solving, it is found that LCS is all is, but the user certainly prefers to the first product information being internet _ information _ server, because is an acronym of internet _ information _ server, and prefers to the ordinary abbreviation of people.
Therefore, as shown in fig. 1, based on the above problem, the vulnerability assessment method for scalability enhancement in a large-scale network provided by the present invention includes the steps of:
s1, inputting device fingerprint information (manufacturer information, product information and version number) by a user;
s2, the passive vulnerability matching system calculates the similarity by combining the equipment fingerprint information input by the user, the equipment fingerprint information in the CPE format extracted from the NVD vulnerability library and the high-precision vulnerability matching algorithm, and stores the similarity into a temporary similarity array;
s3, sequentially traversing all the CPEs in the NVD, and repeating the step two for each CPE;
s4, taking out the maximum value in the temporary similarity array, obtaining the corresponding CPE, and searching whether the CVE containing the CPE exists in the NVD through the CPE.
As shown in fig. 1, the high-precision matching algorithm in step S2 is divided into two steps, which specifically include:
s2.1, using a longest public subsequence algorithm (LCS) to calculate the length of the longest public subsequence of CPE product information in NVD of the product information input by a user;
s2.2, according to the longest public subsequence (CS) obtained in the S2.1, the coverage rate of the subsequence in the matched sequence is obtained;
and S2.3, multiplying the length of the Longest Common Subsequence (LCS) calculated in the S2.1 by the coverage rate of the subsequence in the step two. And storing the data into a temporary array, and removing the data after traversing the whole NVD, wherein the CPE corresponding to the maximum value in the temporary array.
As shown in fig. 1, the longest common subsequence algorithm (LCS) formula in step S2.1:
requirement X (X)1,x2....xi) And Y (Y)1,y2...yj) The longest common substring ofIn c [ i, j ]]Represents XiAnd YjThe LCS length of (C) is given by the following formula:
as shown in fig. 2, to evaluate the accuracy of the matching result, we scanned the following 10 cities in north heydyork province in china: qinhuang island, Tangshan, Shijiazhuang, Handan, Hengshui, Chenchentai, Zhangkou, Gallery, Baoding and Cangzhou. Then, we randomly select 100 network devices from each city and evaluate their vulnerabilities based on the obtained device fingerprint information. Finally, we purchase a Shodan (the most authoritative Web search engine) dataset for comparison. The comparative results are as follows: (1) as is obvious from the figure, the identification accuracy of the vulnerability matching scheme is between 85% and 90% no matter which city is evaluated. (2) Both false negatives and false positives are present in the collected device fingerprint information imperfection, making it impossible to complete a correct NVD match. (3) Meanwhile, false negatives in the experimental result are higher than false positives, and the experimental result can have small influence on the false report of the equipment vulnerability information.
It should be understood that the above-described embodiments of the present invention are merely examples for clearly illustrating the present invention, and are not intended to limit the embodiments of the present invention. Other variations and modifications will be apparent to persons skilled in the art upon reference to the above description. And are neither required nor exhaustive of all embodiments. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the claims of the present invention.
Claims (3)
1. A vulnerability assessment method for expandability enhancement in a large-scale network is characterized by comprising the following steps: the method comprises the following steps:
s1, inputting device fingerprint information by a user, wherein the device fingerprint information mainly comprises the following contents: manufacturer information, product information, version number;
s2, the passive vulnerability matching system calculates the similarity by combining the equipment fingerprint information input by the user, the equipment fingerprint information in the CPE format extracted from the NVD vulnerability library and the high-precision vulnerability matching algorithm, and stores the similarity into a temporary similarity array;
s3, sequentially traversing all the CPEs in the NVD, and repeating the step two for each CPE;
s4, taking out the maximum value in the temporary similarity array, obtaining the corresponding CPE, and searching whether the CVE containing the CPE exists in the NVD through the CPE.
2. The vulnerability assessment method of claim 1, wherein the vulnerability assessment method comprises: the high-precision matching algorithm in the step S2 is divided into two steps, which specifically include:
s2.1, using a longest common subsequence algorithm (LCS) to calculate the length of the longest common subsequence of the equipment fingerprint information input by a user and the equipment fingerprint information in the NVD under the CPE format;
s2.2, according to the longest public subsequence (CS) obtained in the S2.1, the coverage rate of the subsequence in the matched sequence is obtained;
s2.3, multiplying the length of the Longest Common Subsequence (LCS) obtained in the S2.1 by the coverage rate of the subsequence in the step two, and storing the length into a temporary array; and after traversing the whole NVD library, taking out the CPE corresponding to the maximum value in the temporary array.
3. The vulnerability assessment method of scalability enhancement under large-scale networks according to claim 2, characterized in that: the longest common subsequence algorithm (LCS) formula in S2.1:
requirement X (X)1,x2....xi) And Y (Y)1,y2...yj) Where c [ i, j ] is the longest common substring of]Represents XiAnd YjThe LCS length of (C) is given by the following formula:
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010875523.6A CN114124417B (en) | 2020-08-27 | 2020-08-27 | Vulnerability assessment method with enhanced expandability under large-scale network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010875523.6A CN114124417B (en) | 2020-08-27 | 2020-08-27 | Vulnerability assessment method with enhanced expandability under large-scale network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114124417A true CN114124417A (en) | 2022-03-01 |
CN114124417B CN114124417B (en) | 2024-02-13 |
Family
ID=80374478
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010875523.6A Active CN114124417B (en) | 2020-08-27 | 2020-08-27 | Vulnerability assessment method with enhanced expandability under large-scale network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114124417B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115529160A (en) * | 2022-08-22 | 2022-12-27 | 东北大学秦皇岛分校 | Efficient and safe large-scale ISP network vulnerability assessment method |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101778112A (en) * | 2010-01-29 | 2010-07-14 | 中国科学院软件研究所 | Network attack detection method |
CN102495884A (en) * | 2011-12-08 | 2012-06-13 | 中国信息安全测评中心 | Vulnerability information cloud service method based on Internet |
CN107871078A (en) * | 2016-09-27 | 2018-04-03 | 北京计算机技术及应用研究所 | The method that vulnerability information is extracted in non-structured text |
KR101859562B1 (en) * | 2016-11-11 | 2018-05-21 | 한국인터넷진흥원 | Method and Apparatus for Analyzing Vulnerability Information |
CN108182365A (en) * | 2017-12-18 | 2018-06-19 | 北京天融信网络安全技术有限公司 | Leak detection method, equipment and computer readable storage medium based on CPE |
-
2020
- 2020-08-27 CN CN202010875523.6A patent/CN114124417B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101778112A (en) * | 2010-01-29 | 2010-07-14 | 中国科学院软件研究所 | Network attack detection method |
CN102495884A (en) * | 2011-12-08 | 2012-06-13 | 中国信息安全测评中心 | Vulnerability information cloud service method based on Internet |
CN107871078A (en) * | 2016-09-27 | 2018-04-03 | 北京计算机技术及应用研究所 | The method that vulnerability information is extracted in non-structured text |
KR101859562B1 (en) * | 2016-11-11 | 2018-05-21 | 한국인터넷진흥원 | Method and Apparatus for Analyzing Vulnerability Information |
CN108182365A (en) * | 2017-12-18 | 2018-06-19 | 北京天融信网络安全技术有限公司 | Leak detection method, equipment and computer readable storage medium based on CPE |
Non-Patent Citations (1)
Title |
---|
温涛;张玉清;刘奇旭;杨刚;: "UVDA:自动化融合异构安全漏洞库框架的设计与实现", 通信学报, no. 10 * |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115529160A (en) * | 2022-08-22 | 2022-12-27 | 东北大学秦皇岛分校 | Efficient and safe large-scale ISP network vulnerability assessment method |
Also Published As
Publication number | Publication date |
---|---|
CN114124417B (en) | 2024-02-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11799823B2 (en) | Domain name classification systems and methods | |
US20220078207A1 (en) | Domain name processing systems and methods | |
CN112104677B (en) | Controlled host detection method and device based on knowledge graph | |
CN108965245B (en) | Phishing website detection method and system based on self-adaptive heterogeneous multi-classification model | |
CN111212053B (en) | Industrial control honeypot-oriented homologous attack analysis method | |
CN103297435B (en) | A kind of abnormal access behavioral value method and system based on WEB daily record | |
US20200110885A1 (en) | Vulnerability assessment based on machine inference | |
US10404731B2 (en) | Method and device for detecting website attack | |
CN111291070B (en) | Abnormal SQL detection method, equipment and medium | |
US20110307436A1 (en) | Pattern tree-based rule learning | |
US20120330959A1 (en) | Method and Apparatus for Assessing a Person's Security Risk | |
CN113656807B (en) | Vulnerability management method, device, equipment and storage medium | |
Herrera-Semenets et al. | A data reduction strategy and its application on scan and backscatter detection using rule-based classifiers | |
CN114124417A (en) | Vulnerability assessment method for enhancing expandability in large-scale network | |
US20240095289A1 (en) | Data enrichment systems and methods for abbreviated domain name classification | |
CN117240632B (en) | Attack detection method and system based on knowledge graph | |
WO2016173327A1 (en) | Method and device for detecting website attack | |
WO2023063971A1 (en) | Fragmented record detection based on records matching techniques | |
WO2023063970A1 (en) | Records matching techniques for facilitating database search and fragmented record detection | |
WO2023063972A1 (en) | Records matching techniques for facilitating database search and fragmented record detection | |
CN110633430B (en) | Event discovery method, apparatus, device, and computer-readable storage medium | |
EP3786825B1 (en) | Natural language processing systems and methods for automatic reduction of false positives in domain discovery | |
Rani et al. | Optimize space search using FCC_STF algorithm in fuzzy co-clustering through search engine | |
US20240121267A1 (en) | Inline malicious url detection with hierarchical structure patterns | |
Obert et al. | Named Entity Comparison Algorithms in Enterprise Decision Systems. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |