CN114218579A - Vulnerability advanced early warning method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114218579A
Authority: CN (China)
Prior art keywords: vulnerability, vulnerability information, information, target, monitoring
Prior art date
Application number: CN202111409975.6A
Other languages: Chinese (zh)
Inventors: 马德斌, 陈长胜, 石云, 林檩
Current Assignee: China Post Information Technology Beijing Co ltd
Original Assignee: China Post Information Technology Beijing Co ltd
Priority date
Filing date
Publication date
Application filed by China Post Information Technology Beijing Co ltd
Priority to CN202111409975.6A
Publication of CN114218579A
Legal status: Pending (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/034 Test or assess a computer or a system


Abstract

The embodiment of the invention discloses a vulnerability advanced early warning method and device, electronic equipment and a storage medium. The method comprises the following steps: acquiring vulnerability information from a Common Vulnerabilities and Exposures (CVE) database and filtering it to obtain target vulnerability information; monitoring the target vulnerability information and detecting changes in its vulnerability type; and issuing advanced early warning on the target vulnerability information according to the detected change in vulnerability type. With the technical scheme of the embodiment, the existence of a vulnerability can be sensed before the vulnerability is officially and publicly released, and advanced early warning can be issued on the vulnerability information.

Description

Vulnerability advanced early warning method and device, electronic equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of enterprise network security vulnerability early warning, in particular to a vulnerability advanced early warning method and device, electronic equipment and a storage medium.
Background
In recent years network security incidents have become frequent and the number of vulnerabilities in network products keeps growing. Current vulnerability early warning technology is based on the large public vulnerability databases such as NVD, CNVD and CNNVD. The vulnerabilities it warns about are all publicly released ones, yet by that time the vulnerability may already have been exploited in the wild for days or even longer. A newly submitted vulnerability must first be approved by the official body, and its details are only revealed once it enters the formal publication process; by the time the warning is sent, the peak period of exploitation may already have passed, so the vulnerability early warning is released with a delay. Moreover, the official review time is highly variable, and each step of the review process can further prolong the time to warning. How to overcome this lag in vulnerability early warning information is therefore a technical problem that urgently needs to be solved by those skilled in the art.
Disclosure of Invention
The embodiment of the invention provides a vulnerability early warning method and device, electronic equipment and a storage medium, so that the existence of a vulnerability can be sensed before the vulnerability is officially and publicly released.
In a first aspect, an embodiment of the present invention provides a vulnerability early warning method, including:
acquiring vulnerability information from a Common Vulnerabilities and Exposures (CVE) database, and filtering the vulnerability information to obtain target vulnerability information;
monitoring the target vulnerability information, and detecting changes in the vulnerability type of the target vulnerability information;
and carrying out advanced early warning on the target vulnerability information according to the change in its vulnerability type.
In a second aspect, an embodiment of the present invention further provides a vulnerability early warning apparatus, including:
a target vulnerability information acquisition module, used for acquiring vulnerability information from a Common Vulnerabilities and Exposures (CVE) database and filtering the vulnerability information to obtain target vulnerability information;
a vulnerability type change determining module, used for monitoring the target vulnerability information and detecting changes in the vulnerability type of the target vulnerability information;
and a target vulnerability information advanced early warning module, used for carrying out advanced early warning on the target vulnerability information according to the change in its vulnerability type.
In a third aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes:
one or more processors;
storage means for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors implement the vulnerability early warning method according to any embodiment of the invention.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the vulnerability early warning method according to any embodiment of the present invention.
The embodiment of the invention provides a vulnerability advanced early warning method, a vulnerability early warning device, electronic equipment and a storage medium, wherein target vulnerability information is obtained by collecting vulnerability information from a Common Vulnerabilities and Exposures (CVE) database and filtering it; the target vulnerability information is monitored and changes in its vulnerability type are detected; and advanced early warning is carried out on the target vulnerability information according to the change in its vulnerability type. The technical scheme of the embodiment solves the problem that vulnerability early warning information is released with a lag in existing vulnerability early warning technology: by making use of the mechanism by which CVE vulnerability numbers are assigned, the existence of a vulnerability can be sensed before the vulnerability is officially and publicly released, and effective early warning can be issued on the vulnerability information.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Moreover, like reference numerals refer to like parts throughout the several views of the drawings. In the drawings:
fig. 1A is a flowchart of a vulnerability early warning method according to an embodiment of the present invention;
fig. 1B is a flowchart of another vulnerability early warning method according to an embodiment of the present invention;
fig. 2A is a flowchart of a vulnerability early warning method according to a second embodiment of the present invention;
fig. 2B is a flowchart of performing early warning on reserved vulnerability information according to a second embodiment of the present invention;
fig. 3 is a schematic structural diagram of a vulnerability advance warning apparatus according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It is to be further noted that, for the convenience of description, only a part of the structure relating to the present invention is shown in the drawings, not the whole structure.
Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe various operations (or steps) as a sequential process, many of the operations (or steps) can be performed in parallel, concurrently or simultaneously. In addition, the order of the operations may be re-arranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
Example one
Fig. 1A is a flowchart of a vulnerability early warning method according to an embodiment of the present invention, where the embodiment is applicable to early warning of a vulnerability. The method can be executed by a vulnerability early warning device, which can be configured in a server. The method specifically comprises the following steps:
GitHub, currently the most popular open source code hosting platform, provides, besides basic code repository hosting and a basic web management interface, project management functions such as subscriptions, discussion groups and online text editing. It currently has more than 350 thousand registered users and hosts a very large number of repositories. For well-known open source components such as Tomcat and FASTXML, all bug fixes, code changes and so on of the hosted projects are open for anyone to read, and this information can be used to bring forward the time at which a vulnerability is warned about.
Most of the data in existing vulnerability early warning systems come from the public vulnerability databases mentioned above. A vulnerability monitoring engine periodically fetches vulnerability data through the public API (application programming interface) provided by the official body, and a vulnerability early warning is triggered when a newly disclosed vulnerability is detected. When an enterprise receives the warning, it analyses the public vulnerability information, assesses the vulnerability's impact on the enterprise's network security and carries out network security emergency response.
The above is the emergency response flow of the existing technology. It can be seen that the existing technology issues warnings only for disclosed vulnerabilities, while the actual vulnerability may already have been exploited in the wild for several days or even longer. The present application therefore provides a vulnerability advanced early warning method.
S110, collecting vulnerability information from the Common Vulnerabilities and Exposures (CVE) database, and filtering the vulnerability information to obtain target vulnerability information.
Here, Common Vulnerabilities and Exposures (CVE) refers to the common names given to widely recognised information security vulnerabilities or exposures that have been disclosed. Using a common name helps users share data between vulnerability assessment tools and vulnerability databases that are otherwise independent of each other, which makes the CVE name a "key" for sharing security information. For example, a vulnerability mentioned in a vulnerability report can be looked up quickly in any other CVE-compatible database by its CVE name in order to resolve the security problem.
Vulnerability information refers to flaws in the specific implementation of hardware, software and protocols, or in system security policies, that may allow an attacker to access or damage a system without authorisation. For example, application software or operating system software may contain a logic design defect or a programming error, which an unauthorised person or hacker could use to attack or take control of the whole computer by implanting trojans, viruses and the like, so that important data and information on the computer are stolen or even the whole system is damaged. The vulnerability information includes, but is not limited to, published vulnerability information, rejected vulnerability information, reserved vulnerability information and disputed vulnerability information. The vulnerability information is filtered to obtain the reserved vulnerability information and the disputed vulnerability information.
And S120, monitoring the target vulnerability information, and detecting vulnerability type change conditions of the target vulnerability information.
Monitoring refers to supervising and checking the target vulnerability information, for example setting a monitoring frequency according to the creation time of the reserved vulnerability information recorded by the CVE authority, monitoring the reserved vulnerability information, and checking whether its vulnerability type changes.
The vulnerability type includes, but is not limited to, published, rejected, disputed and reserved vulnerability information. When the type of the vulnerability information becomes published or rejected, the vulnerability information is recorded, a warning is raised that the vulnerability state has changed, and the target vulnerability information is no longer monitored; if the type becomes disputed, the vulnerability information is extracted from the target vulnerability information and it is judged again whether it concerns an associated asset; and if the type is still reserved, advanced early warning is performed on the target vulnerability information. Dynamic adjustment of the monitoring frequency means adjusting the frequency according to the creation time of the reserved vulnerability information. For example, when the reserved vulnerability information is monitored for the first time, the monitoring frequency is set to once a day according to its creation time, and when it is monitored for the second time, the frequency is dynamically adjusted to once a week, so that resources are not wasted.
S130, early warning is carried out on the target vulnerability information according to the vulnerability type change condition of the target vulnerability information.
Advanced early warning means monitoring the target vulnerability information at the set monitoring frequency, raising an alert that suspicious information has been found when keywords relating to the vulnerability information appear in a monitoring channel, and then assessing the target vulnerability information. For example, if the vulnerability information is of the reserved type, the monitoring frequency is dynamically adjusted according to the creation time of the reserved vulnerability information; the monitoring channel is checked for the keywords of the reserved vulnerability information; if the keywords are found, an alert about suspicious information is raised and the reserved vulnerability information is assessed, which realises advanced early warning of the vulnerability information; if the keywords are not found, the monitoring frequency is dynamically adjusted again according to the creation time and the reserved vulnerability information is monitored once more. The alert includes, but is not limited to, an alert by e-mail; assessment means that an expert fills in their judgement of the reserved vulnerability information in a displayed pop-up window.
In an alternative scheme of the embodiment of the present invention, fig. 1B is a flowchart of another vulnerability advanced early warning method provided in the first embodiment. As shown in fig. 1B, vulnerability information is collected and filtered, and it is determined whether the vulnerability information is in the reserved state. If it is in the reserved state, a monitoring task is created, a monitoring frequency is set, and monitoring starts according to the creation time of the vulnerability information. If it is not in the reserved state, it is determined whether it is in the disputed state; if so, the vulnerability information is extracted and it is judged whether it concerns an associated asset. If the vulnerability information is neither reserved nor disputed, it is not monitored, which reduces wasted resources.
Vulnerability information in the disputed state and in the reserved state is monitored, and it is checked whether the vulnerability state changes. If the vulnerability information is adjusted to published or rejected, a warning is raised that the vulnerability state has changed and the vulnerability information is no longer monitored. If it is adjusted to the disputed state, the vulnerability information is extracted and it is judged again whether it concerns an associated asset. If its type is still reserved, the vulnerability information is monitored at the set frequency and the monitoring channel is checked for the keywords; if the keywords are found, an e-mail alert reports that suspicious information has been found and the information is assessed; if the keywords are not found, the monitoring frequency of the vulnerability information is dynamically adjusted according to its creation time. In this way advanced early warning of the vulnerability information is realised.
The embodiment of the invention provides a vulnerability advanced early warning method, which comprises collecting vulnerability information from the Common Vulnerabilities and Exposures (CVE) database and filtering it to obtain target vulnerability information; monitoring the target vulnerability information and detecting changes in its vulnerability type; and carrying out advanced early warning on the target vulnerability information according to the change in its vulnerability type. The technical scheme of the embodiment solves the problem that vulnerability early warning information is issued with a lag by existing vulnerability early warning technology: by making use of the mechanism by which CVE vulnerability numbers are assigned, the existence of a vulnerability can be sensed before it is officially and publicly issued, and the vulnerability information can be effectively warned about in advance.
Example two
Fig. 2A is a flowchart of a vulnerability early warning method according to a second embodiment of the present invention. Embodiments of the present invention are further optimized on the basis of the embodiments described above, and the embodiments of the present invention may be combined with various alternatives in one or more of the embodiments described above. As shown in fig. 2A, the advanced vulnerability early warning method provided in the embodiment of the present invention may include the following steps:
S210, collecting keywords of the associated asset information, and limiting the monitoring range of vulnerability early warning.
The monitoring range of the vulnerability early warning is limited according to the collected keywords of the associated asset information, for example, if the collected keywords of the associated asset information include enterprise names, vulnerability information of related enterprises is monitored, and the monitoring range of the vulnerability early warning is limited.
Optionally, the vulnerability type, impact range and threat level of the advanced early warning are determined according to the repair scheme and the code changes mentioned in the audited vulnerability repair log.
The monitoring range of vulnerability early warning is limited according to the collected keywords of the associated asset information; according to the repair scheme and the code changes mentioned in the vulnerability repair log, the submission and repair of a vulnerability can be discovered in advance and its type, impact range and threat level determined.
S220, collecting vulnerability information from the Common Vulnerabilities and Exposures (CVE) database, and filtering the vulnerability information to obtain target vulnerability information.
The vulnerability information is collected from the CVE database, then filtered and classified by vulnerability type.
Optionally, filtering is performed according to the vulnerability type of the vulnerability information to obtain reserved vulnerability information and disputed vulnerability information;
if the disputed vulnerability information concerns an associated asset, both the disputed vulnerability information and the reserved vulnerability information are taken as target vulnerability information;
if the disputed vulnerability information does not concern an associated asset, only the reserved vulnerability information is taken as target vulnerability information;
where "associated asset" denotes whether the vulnerability information concerns assets belonging to the enterprise.
Filtering is done by the vulnerability type of the vulnerability information. If the type is REJECT, the vulnerability is an invalid one rejected by the CVE; the reason for rejection is usually described in the annotation of the CVE entry, and the original description of the vulnerability is retained. Such vulnerabilities need no attention; a small number of them may be resubmitted, and they will be collected again after resubmission. Publicly disclosed vulnerabilities need no special attention either, since an ordinary vulnerability early warning system can already monitor them; for those, this early warning module serves only as an auxiliary module that cross-checks the ordinary early warning results.
The embodiment of the invention collects public vulnerability information through the public API of the CVE, and mainly makes use of the CVE IDs of vulnerabilities whose details have not yet been disclosed, combined with the search API provided by the public code repository GitHub. Using the CVE ID as the keyword, it monitors the commit messages, issues, branch merge requests and so on of the open source component's code repository, discovers the submission and repair of the vulnerability in advance, and thereby achieves advanced vulnerability early warning.
S230, monitoring the target vulnerability information, and detecting changes in the vulnerability type of the target vulnerability information.
Monitoring is only performed when the vulnerability type is RESERVED or DISPUTED; in that case the monitoring tasks are added to a queue, and the monitoring engine executes the tasks in the queue in turn. If the vulnerability type changes to anything else, the monitoring engine reports to the management platform, and whether to continue monitoring is checked manually.
Optionally, the creating time of the reserved vulnerability information is obtained, the monitoring frequency is set to monitor the reserved vulnerability information, and a distribution channel of the reserved vulnerability information is monitored;
acquiring a distribution channel of dispute vulnerability information, and monitoring the distribution channel of dispute vulnerability information;
and determining the vulnerability type change condition of the target vulnerability information according to the set frequency monitoring result and the release channel monitoring result.
The inputs of a monitoring task come from two directions: the monitored CVE ID information and the asset information. Because some vulnerabilities are still under review and disclose no information at all, a CVE in the RESERVED state carries no information about the affected product; such vulnerabilities are therefore monitored across all product release channels while the state of the ID in the CVE database is monitored at the same time. This avoids a task that can never complete because monitoring fails for reasons such as the affected product not being among the associated assets, the monitoring channels being insufficient, or the CVE not being mentioned in the repair log. For a vulnerability in the DISPUTED state, the assets are determined by the asset keywords, and the monitoring range does not cover all assets. A monitoring task includes, but is not limited to, the CVE ID, the CVE status, the monitoring keyword, the monitoring frequency mode, the monitoring frequency, the first start time of the task, the asset name, the monitored URL address, the authorisation mode, the authorisation address, the authorisation key and the asset keywords.
When the vulnerability state is RESERVED, it only indicates that MITRE or a CNA member has received the vulnerability; its quality and authenticity have not been verified, and it is the main focus of attention. Different monitoring frequencies are set according to different creation-time periods. A few vulnerabilities may stay RESERVED for a long time because they are hard to verify, and in that case the monitoring frequency must be dynamically adjusted to prevent excessive waste of resources.
When the vulnerability state is DISPUTED, the CVE entry has for some reason failed to behave as expected or is disputed. Part of the CVE's description is already disclosed, and this vulnerability state is only temporary: the entry may later be rejected or marked as a valid vulnerability. Because the vulnerability has already revealed part of its information, only the product's release channel needs to be monitored for such vulnerabilities, which saves resources.
S240, early warning is carried out on the target vulnerability information according to the vulnerability type change condition of the target vulnerability information.
Optionally, if the state of the target vulnerability information is adjusted to be public or rejected, recording identification information of the target vulnerability information, and warning that the state of the target vulnerability information is changed;
if the target vulnerability information state is adjusted to disputed vulnerability information, extracting the vulnerability information of the disputed vulnerability information and judging whether the vulnerability information is associated assets;
and if the target vulnerability information state is still reserved vulnerability information, performing advanced early warning on the target vulnerability information.
Before monitoring, each task may also query the latest status of the CVE to see whether it has been modified. Monitoring is only performed when the latest state is RESERVED or DISPUTED; the monitoring tasks are then added to the queue and executed in sequence. If the state has changed to anything else, it is reported to the management platform and whether to continue monitoring is checked manually. If the state of the target vulnerability information is still reserved, advanced early warning is carried out on the target vulnerability information.
Optionally, frequency monitoring is performed on the target vulnerability information according to a set frequency, and whether keywords are found in the monitoring channel is judged;
if no keyword is found in the monitoring channel, dynamically adjusting the monitoring frequency according to the target vulnerability information creation time;
if the keywords are found in the monitoring channel, warning to find suspicious vulnerability information, studying and judging the target vulnerability information, and performing advanced early warning on the target vulnerability information.
Once the monitoring engine finds that a repair log refers to a security fix or to the CVE ID, it immediately reports the repair log to the management platform, which notifies the relevant security experts; the experts audit the type of the vulnerability and its hazard and, if it appears possible, may write a POC for verification. For a security fix that does not explicitly reference a CVE, a security expert can manually audit the upgrade to determine whether it covers the CVE.
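The monitoring task and repository-keyword part of S230/S240 as an added example (written for this page, not the patent's code): a task record with the fields listed above, the GitHub search URLs the engine would poll for the CVE ID, and classification of repository messages into an immediate report, a manual audit item, or nothing. The repository name, the messages, the security-fix phrase list and the field values are constructed assumptions; no network call is made.

```python
# Added example (not the patent's code): monitoring task record, GitHub search
# queries for a CVE ID, and classification of constructed repository messages.
import re
from urllib.parse import urlencode

GITHUB_API = "https://api.github.com"
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# Wording that suggests a security fix even without a CVE reference (assumed list)
SECURITY_FIX_RE = re.compile(
    r"security fix|security issue|vulnerab|request smuggling|deserializ|injection|overflow",
    re.IGNORECASE)


def github_search_urls(cve_id, repo=None):
    """GitHub REST search endpoints for commits and for issues/PRs, querying
    the CVE ID and optionally restricting the search to one repository."""
    q = cve_id if repo is None else f"{cve_id} repo:{repo}"
    return {
        "commits": f"{GITHUB_API}/search/commits?{urlencode({'q': q})}",
        "issues": f"{GITHUB_API}/search/issues?{urlencode({'q': q})}",
    }


def make_task(cve_id, state, created, asset_name, repo, asset_keywords):
    """Monitoring task with the fields the page lists (values are constructed)."""
    return {
        "cve_id": cve_id,
        "cve_status": state,
        "monitor_keyword": cve_id,
        "frequency_mode": "dynamic",
        "frequency_days": 1,
        "first_start": created,
        "asset_name": asset_name,
        "monitor_urls": github_search_urls(cve_id, repo),
        "auth_mode": "token",
        "auth_address": GITHUB_API,
        "auth_key": "<GITHUB_TOKEN placeholder>",
        "asset_keywords": list(asset_keywords),
    }


def classify_message(task, text):
    """'report': the message names the monitored CVE ID -> report immediately
    'audit' : security-fix wording with no CVE ID at all -> manual expert audit
    'ignore': neither, or the message names only some other CVE"""
    ids = {m.upper() for m in CVE_RE.findall(text)}
    if task["cve_id"].upper() in ids:
        return "report"
    if SECURITY_FIX_RE.search(text) and not ids:
        return "audit"
    return "ignore"


def scan_channel(task, messages):
    """One monitoring round over (kind, text) pairs from commits, issues and
    PRs; returns what the engine would send to the management platform."""
    out = {"report": [], "audit": [], "ignore": []}
    for kind, text in messages:
        out[classify_message(task, text)].append((kind, text))
    return out


# Constructed sample data
TASK = make_task("CVE-2021-00001", "RESERVED", "2021-11-18", "tomcat",
                 "apache/tomcat", ["tomcat"])
MESSAGES = [
    ("commit", "Fix CVE-2021-00001: reject invalid chunk-size in request parser"),
    ("issue", "Security issue: request smuggling via malformed Transfer-Encoding"),
    ("pull", "Bump dependency versions"),
    ("commit", "Fix cve-2021-00001 regression test"),
    ("commit", "Fix CVE-2020-99999 deserialization issue"),
]

if __name__ == "__main__":
    print(TASK["monitor_urls"]["issues"])
    for bucket, items in scan_channel(TASK, MESSAGES).items():
        print(bucket, items)
```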
The embodiment of the invention provides a vulnerability early warning method that limits the monitoring range of vulnerability early warning according to the collected keywords of associated asset information, and that can discover the submission and repair of a vulnerability in advance from the repair scheme and code changes in the vulnerability repair log, determining the vulnerability type, influence range and threat level. The method acquires vulnerability information from the Common Vulnerabilities and Exposures (CVE) database and filters it to obtain target vulnerability information; monitors the target vulnerability information and detects changes in its vulnerability type; and performs advanced early warning on the target vulnerability information according to those changes. In the technical scheme of this embodiment, the CVE IDs of vulnerabilities whose details have not yet been disclosed are combined with the search API provided by the open code repository GitHub: the CVE ID is used as a keyword to monitor commit messages, issues, branch merge requests and the like of the open source component repository, so that the submission and repair of the vulnerability are found in advance and its existence can be sensed before the vulnerability is officially published, achieving the effect of vulnerability early warning.
In an alternative solution of the embodiment of the present invention, fig. 2B is a flowchart of performing early warning on reserved vulnerability information according to the second embodiment. As shown in fig. 2B, the management platform is the centralized scheduling center of the entire system and is responsible for coordinating the work of the system's modules. Its users fall into two categories. The first is developers, or an automated asset inventory system, who collect the keywords of asset information; these keywords are the basic information for subsequently deciding whether vulnerability acquisition is carried out and mainly limit the monitoring range of vulnerability early warning. The second is security experts, who manually audit the repair scheme and code changes in the vulnerability repair log in order to determine the vulnerability type for advanced early warning and to judge the influence range and threat level of the issued vulnerability.
In addition, the management platform is connected to three engine systems: a collection engine, an analysis engine and a monitoring engine.
The collection engine is mainly used for acquiring vulnerability information from the CVE database. Unlike common vulnerability early warning systems on the market, which focus on formally published vulnerabilities whose entries already describe which product and which type of vulnerability a CVE belongs to, this engine is primarily concerned with vulnerabilities in the RESERVED state. Because such vulnerabilities are still under review, their authenticity and impact have not yet been evaluated, and their entries say nothing about the product, vulnerability type or degree of harm involved. The collection engine crawls according to the asset keywords stored in the management platform and passes the data to the analysis engine. The management platform is also responsible for controlling the collection frequency and task triggering of the collection engine.
The analysis engine filters the vulnerabilities and keeps those in the RESERVED state, and obtains the official release channel of the product and the URL of that channel according to the asset keywords. The analysis engine also filters on the creation date of the vulnerability: a CVE ID that was created long ago but whose status has never been refreshed may have remained unverified for a long time, most likely because the vulnerability is hard to reproduce or the vendor never followed up, and excessive resources should not be spent monitoring it.
The monitoring engine executes the monitoring tasks submitted by the analysis engine. Because tasks are usually not executed immediately, the monitoring engine also needs a task queue, which can be managed by the management platform, for example to check how many times a task has been executed, to modify the frequency of task execution, or to execute a task immediately. The results of task execution are also reported to the management platform.
The management center maintains an asset list recording the products and components of interest to the system; the list is typically created by project personnel or security experts, and the monitoring addresses, authorization information and so on recorded later require long-term maintenance by security personnel. Whether the monitoring address is recorded correctly determines how well the vulnerabilities of the relevant product can be monitored, and the address must be maintained as the target website is updated or moved. The monitoring engine therefore needs its own health monitoring mechanism and must notify an administrator for maintenance when a crawling exception is found.
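The analysis-engine filter and the monitoring-engine task queue described above, as an added Python example that is not code from the patent; the asset-to-channel map, the 180-day staleness cutoff and the CVE records are constructed assumptions, and the `asset_keyword` field stands for the keyword under which the collection engine crawled the entry.

```python
"""Analysis-engine filtering plus the monitoring-engine task queue.

Added example. The asset list, channel URLs and CVE records are constructed;
the staleness cutoff is an assumption (the page only says long-unrefreshed
RESERVED entries should not consume excessive monitoring resources).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple
import heapq

MAX_RESERVED_AGE = timedelta(days=180)      # assumption: older unrefreshed entries are dropped

# Constructed asset list maintained on the management platform:
# asset keyword -> official release channel URL (placeholder URLs).
ASSET_CHANNELS: Dict[str, str] = {
    "examplelib": "https://git.example.invalid/examplelib/commits",
    "acme-gateway": "https://git.example.invalid/acme/gateway/pulls",
}


@dataclass
class CveRecord:
    cve_id: str
    state: str
    created: datetime
    asset_keyword: str      # keyword the collection engine crawled under (assumption)


@dataclass(order=True)
class MonitorTask:
    due: datetime                                   # only field used for ordering
    cve_id: str = field(compare=False)
    channel_url: str = field(compare=False)
    interval: timedelta = field(compare=False)
    runs: int = field(compare=False, default=0)


def analyse(records: List[CveRecord], now: datetime) -> Tuple[List[MonitorTask], List[str]]:
    """Keep fresh RESERVED entries that map to a known release channel and turn
    them into monitoring tasks; return a reason for every record filtered out."""
    tasks, dropped = [], []
    for r in records:
        if r.state != "RESERVED":
            dropped.append(f"{r.cve_id}: state {r.state}")
        elif now - r.created > MAX_RESERVED_AGE:
            dropped.append(f"{r.cve_id}: stale, created {r.created.date()}")
        elif r.asset_keyword not in ASSET_CHANNELS:
            dropped.append(f"{r.cve_id}: no release channel for asset {r.asset_keyword!r}")
        else:
            tasks.append(MonitorTask(now, r.cve_id, ASSET_CHANNELS[r.asset_keyword],
                                     timedelta(hours=6)))
    return tasks, dropped


class MonitorQueue:
    """Task queue inside the monitoring engine. The management platform can read
    run counts, change a task's interval, or force an immediate run."""

    def __init__(self, tasks: List[MonitorTask]):
        self._heap = list(tasks)
        heapq.heapify(self._heap)
        self._by_id = {t.cve_id: t for t in tasks}
        self.reports: List[str] = []           # what gets reported to the platform

    def runs(self, cve_id: str) -> int:
        return self._by_id[cve_id].runs

    def set_interval(self, cve_id: str, interval: timedelta) -> None:
        self._by_id[cve_id].interval = interval

    def run_now(self, cve_id: str, now: datetime) -> None:
        task = self._by_id[cve_id]
        task.due = now
        if not any(t is task for t in self._heap):      # re-queue a task that already fired
            self._heap.append(task)
        heapq.heapify(self._heap)

    def run_due(self, now: datetime, check: Callable[[MonitorTask], bool]) -> List[str]:
        """Execute every task whose due time has passed. `check` stands for the
        channel crawl (True = keyword hit). Hits are reported and the task leaves
        the queue; everything else is re-queued at its interval."""
        fired = []
        while self._heap and self._heap[0].due <= now:
            task = heapq.heappop(self._heap)
            task.runs += 1
            if check(task):
                msg = f"{task.cve_id}: keyword hit on {task.channel_url} after {task.runs} run(s)"
                self.reports.append(msg)
                fired.append(msg)
            else:
                task.due = now + task.interval
                heapq.heappush(self._heap, task)
        return fired
```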
With the method and device of this application, a mechanism for sensing a security vulnerability in advance can be achieved by monitoring the product before MITRE officially discloses the vulnerability. Through observation and trials, the early warning of some vulnerabilities can be brought forward by 1-3 days or even longer. Those days are precisely the peak period of vulnerability exploitation, so early warning can help enterprises sense and protect against the vulnerability in advance.
Example three
Fig. 3 is a schematic structural diagram of a vulnerability advance warning apparatus provided in a third embodiment of the present invention. The apparatus includes a target vulnerability information acquisition module 310, a vulnerability type change condition determination module 320 and a target vulnerability information advanced early warning module 330, wherein:
the target vulnerability information acquisition module 310 is configured to acquire vulnerability information from the Common Vulnerabilities and Exposures (CVE) database and filter it to obtain target vulnerability information;
a vulnerability type change condition determining module 320, configured to monitor the target vulnerability information and detect a vulnerability type change condition of the target vulnerability information;
and the target vulnerability information advanced early warning module 330 is configured to perform advanced early warning on the target vulnerability information according to vulnerability type change conditions of the target vulnerability information.
On the basis of the foregoing embodiment, optionally, the target vulnerability information obtaining module 310 includes:
filtering according to the vulnerability type of the vulnerability information to obtain reserved vulnerability information and disputed vulnerability information;
if the disputed vulnerability information is the associated asset, taking the disputed vulnerability information and the reserved vulnerability information as target vulnerability information;
if the disputed vulnerability information is not the associated asset, using the reserved vulnerability information as target vulnerability information;
and the associated asset indicates whether the vulnerability information is vulnerability information of a product issued by the enterprise to which it belongs.
On the basis of the foregoing embodiment, optionally, the vulnerability type change condition determining module 320 includes:
acquiring the creation time of reserved vulnerability information, setting monitoring frequency to monitor the reserved vulnerability information, and monitoring a distribution channel of the reserved vulnerability information;
acquiring a distribution channel of the disputed vulnerability information, and monitoring that distribution channel;
and determining the vulnerability type change condition of the target vulnerability information according to the set frequency monitoring result and the release channel monitoring result.
On the basis of the foregoing embodiment, optionally, the target vulnerability information early warning module 330 includes:
if the target vulnerability information state is adjusted to be public or rejected, recording the identification information of the target vulnerability information, and warning that the target vulnerability information state is changed;
if the target vulnerability information state is adjusted to disputed vulnerability information, extracting the vulnerability information of the disputed vulnerability information and judging whether the vulnerability information is associated assets;
and if the target vulnerability information state is still reserved vulnerability information, performing advanced early warning on the target vulnerability information.
On the basis of the foregoing embodiment, optionally, if the target vulnerability information state is still reserved vulnerability information, performing early warning on the target vulnerability information includes:
carrying out frequency monitoring on the target vulnerability information according to a set frequency, and judging whether keywords are found in a monitoring channel;
if no keyword is found in the monitoring channel, dynamically adjusting the monitoring frequency according to the target vulnerability information creation time;
if keywords are found in the monitoring channel, raising a warning that suspicious vulnerability information has been found, studying and judging the target vulnerability information, and performing advanced early warning on the target vulnerability information.
On the basis of the foregoing embodiment, optionally, before acquiring vulnerability information from the Common Vulnerabilities and Exposures (CVE) database and filtering the vulnerability information to obtain target vulnerability information, the method further includes:
collecting keywords of associated asset information to limit the monitoring range of vulnerability early warning;
and determining the vulnerability type, the influence range and the threat level of the advanced early warning by auditing the repair scheme and the code changes in the vulnerability repair log.
The device can execute the vulnerability early warning method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects for executing the vulnerability early warning method.
Example four
Fig. 4 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present application. The embodiment of the application provides an electronic device, which can be integrated with the vulnerability advanced early warning apparatus provided by the embodiment of the application. As shown in fig. 4, the present embodiment provides an electronic device 400 including one or more processors 420 and a storage device 410 configured to store one or more programs; when the one or more programs are executed by the one or more processors 420, the one or more processors 420 implement the vulnerability advanced early warning method provided in this embodiment of the present application, the method including:
acquiring vulnerability information from the Common Vulnerabilities and Exposures (CVE) database, and filtering the vulnerability information to obtain target vulnerability information;
monitoring the target vulnerability information, and detecting vulnerability type change conditions of the target vulnerability information;
and carrying out advanced early warning on the target vulnerability information according to the vulnerability type change condition of the target vulnerability information. Of course, those skilled in the art can understand that the processor 420 also implements the technical solution of the vulnerability advance warning method provided in any embodiment of the present application.
The electronic device 400 shown in fig. 4 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 4, the electronic device 400 includes a processor 420, a storage device 410, an input device 430, and an output device 440; the number of the processors 420 in the electronic device may be one or more, and one processor 420 is taken as an example in fig. 4; the processor 420, the storage device 410, the input device 430, and the output device 440 in the electronic apparatus may be connected by a bus or other means, and are exemplified by a bus 450 in fig. 4.
The storage device 410 is a computer-readable storage medium, and can be used to store software programs, computer-executable programs, and module units, such as program instructions corresponding to the vulnerability early warning method in the embodiment of the present application.
The storage device 410 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the storage 410 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, storage 410 may further include memory located remotely from processor 420, which may be connected via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input means 430 may be used to receive input numbers, character information, or voice information, and to generate key signal inputs related to user settings and function control of the electronic device. Output device 440 may include a display screen, speakers, or other electronic equipment.
The electronic equipment provided by the embodiment of the application can achieve the technical effects that the existence of the vulnerability can be sensed in advance before the vulnerability is officially and publicly released, and advanced early warning is carried out on vulnerability information.
Example five
An embodiment of the present invention further provides a storage medium containing computer-executable instructions, where the computer-executable instructions are executed by a computer processor to perform a vulnerability advanced warning method, and the method includes:
acquiring vulnerability information from the Common Vulnerabilities and Exposures (CVE) database, and filtering the vulnerability information to obtain target vulnerability information;
monitoring the target vulnerability information, and detecting vulnerability type change conditions of the target vulnerability information;
and carrying out advanced early warning on the target vulnerability information according to the vulnerability type change condition of the target vulnerability information.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read Only Memory (ROM), an Erasable Programmable Read Only Memory (EPROM), a flash Memory, an optical fiber, a portable CD-ROM, an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. A computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take a variety of forms, including, but not limited to: an electromagnetic signal, an optical signal, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, Radio Frequency (RF), etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions without departing from the scope of the invention. Therefore, although the present invention has been described in more detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A vulnerability advance early warning method is characterized by comprising the following steps:
acquiring vulnerability information from the Common Vulnerabilities and Exposures (CVE) database, and filtering the vulnerability information to obtain target vulnerability information;
monitoring the target vulnerability information, and detecting vulnerability type change conditions of the target vulnerability information;
and carrying out advanced early warning on the target vulnerability information according to the vulnerability type change condition of the target vulnerability information.
2. The method according to claim 1, wherein the acquiring vulnerability information from the Common Vulnerabilities and Exposures (CVE) database and filtering the vulnerability information to obtain target vulnerability information comprises:
filtering according to the vulnerability type of the vulnerability information to obtain reserved vulnerability information and disputed vulnerability information;
if the disputed vulnerability information is the associated asset, taking the disputed vulnerability information and the reserved vulnerability information as target vulnerability information;
if the disputed vulnerability information is not the associated asset, taking the reserved vulnerability information as target vulnerability information;
and the associated asset indicates whether the vulnerability information is vulnerability information of a product issued by the enterprise to which it belongs.
3. The method according to claim 1, wherein the monitoring the target vulnerability information, and the detecting vulnerability type change condition of the target vulnerability information comprises:
acquiring the creation time of reserved vulnerability information, setting monitoring frequency to monitor the reserved vulnerability information, and monitoring a distribution channel of the reserved vulnerability information;
acquiring a distribution channel of the disputed vulnerability information, and monitoring that distribution channel;
and determining the vulnerability type change condition of the target vulnerability information according to the set frequency monitoring result and the release channel monitoring result.
4. The method of claim 1, wherein the early warning of the target vulnerability information according to vulnerability type change conditions of the target vulnerability information comprises:
if the target vulnerability information state is adjusted to be public or rejected, recording the identification information of the target vulnerability information, and warning that the target vulnerability information state is changed;
if the target vulnerability information state is adjusted to disputed vulnerability information, extracting the vulnerability information of the disputed vulnerability information and judging whether the vulnerability information is associated assets;
and if the target vulnerability information state is still reserved vulnerability information, performing advanced early warning on the target vulnerability information.
5. The method of claim 1, wherein if the target vulnerability information state is still reserved vulnerability information, the early warning of the target vulnerability information comprises:
carrying out frequency monitoring on the target vulnerability information according to a set frequency, and judging whether keywords are found in a monitoring channel;
if no keyword is found in the monitoring channel, dynamically adjusting the monitoring frequency according to the target vulnerability information creation time;
if keywords are found in the monitoring channel, raising a warning that suspicious vulnerability information has been found, studying and judging the target vulnerability information, and performing advanced early warning on the target vulnerability information.
6. The method according to claim 1, wherein before acquiring vulnerability information from the Common Vulnerabilities and Exposures (CVE) database and filtering the vulnerability information to obtain target vulnerability information, the method further comprises:
collecting keywords of associated asset information to limit the monitoring range of vulnerability early warning;
and determining the vulnerability type, the influence range and the threat level of the advanced early warning by auditing the repair scheme and the code changes in the vulnerability repair log.
7. A vulnerability advance early warning apparatus, characterized in that the apparatus comprises:
a target vulnerability information acquisition module, configured to acquire vulnerability information from the Common Vulnerabilities and Exposures (CVE) database and filter the vulnerability information to obtain target vulnerability information;
the vulnerability type change condition determining module is used for monitoring the target vulnerability information and detecting the vulnerability type change condition of the target vulnerability information;
and the target vulnerability information advanced early warning module is used for carrying out advanced early warning on the target vulnerability information according to the vulnerability type change condition of the target vulnerability information.
8. The apparatus of claim 7, wherein the target vulnerability information obtaining module comprises:
filtering according to the vulnerability type of the vulnerability information to obtain reserved vulnerability information and disputed vulnerability information;
if the disputed vulnerability information is the associated asset, taking the disputed vulnerability information and the reserved vulnerability information as target vulnerability information;
if the disputed vulnerability information is not the associated asset, taking the reserved vulnerability information as target vulnerability information;
and the associated asset indicates whether the vulnerability information is vulnerability information of a product issued by the enterprise to which it belongs.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the vulnerability advance early warning method of any of claims 1-6 when executing the program.
10. A storage medium containing computer-executable instructions for performing the vulnerability advance early warning method of any of claims 1-6 when executed by a computer processor.
CN202111409975.6A 2021-11-25 2021-11-25 Vulnerability advanced early warning method and device, electronic equipment and storage medium Pending CN114218579A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111409975.6A CN114218579A (en) 2021-11-25 2021-11-25 Vulnerability advanced early warning method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114218579A true CN114218579A (en) 2022-03-22

Family

ID=80698230

Country Status (1)

Country Link
CN (1) CN114218579A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115329347A (en) * 2022-10-17 2022-11-11 中国汽车技术研究中心有限公司 Prediction method, device and storage medium based on car networking vulnerability data


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination