CN114448721B - Vulnerability imperceptible mitigation device and method - Google Patents


Publication number: CN114448721B
Authority: CN (China)
Prior art keywords: module, access, vulnerability, application app, application
Legal status: Active
Application number: CN202210239340.4A
Other languages: Chinese (zh)
Other versions: CN114448721A (en)
Inventors
姚启桂
张小建
费稼轩
王向群
王齐
郭志民
吕卓
李暖暖
陈岑
陈涛
李峰
袁涛
Current Assignee
Global Energy Internet Research Institute Co ltd Nanjing Branch
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
State Grid Xinjiang Electric Power Co Ltd
Original Assignee
Global Energy Internet Research Institute Co ltd Nanjing Branch
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
State Grid Xinjiang Electric Power Co Ltd
Application filed by Global Energy Internet Research Institute Co ltd Nanjing Branch, State Grid Corp of China SGCC, Electric Power Research Institute of State Grid Henan Electric Power Co Ltd and State Grid Xinjiang Electric Power Co Ltd
Priority to CN202210239340.4A
Publication of CN114448721A
Application granted
Publication of CN114448721B
Legal status: Active

Classifications

    • H04L63/1433 Vulnerability analysis (under H04L63/14, network security architectures or protocols for detecting or protecting against malicious traffic)
    • H04L63/10 Network security architectures or protocols for controlling access to devices or network resources
    • H04L63/1441 Countermeasures against malicious traffic (under H04L63/14)
    • H04L63/20 Managing network security; network security policies in general
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (Y02D, climate change mitigation technologies in ICT)

Abstract

The invention discloses a vulnerability imperceptible mitigation device and method. The device comprises a vulnerability monitoring program module, an access policy module, an imperceptible mitigation module and an evaluation module: the vulnerability monitoring program module monitors the vulnerability risk of the application APP; the access policy module, based on the access request packet, intercepts the access request or releases it to the application APP or to the APP corresponding to the application APP in the imperceptible mitigation module; the imperceptible mitigation module constructs a vulnerability reinforcement function according to the monitoring result of the vulnerability monitoring program module, generating a reinforcement function and a reinforcement log; the evaluation module continuously evaluates the application APP according to the reinforcement log and the access log, and the access policy module generates a new access rule for the interface function based on the evaluation result. In this way the key indicators exposed by a vulnerability in an application APP function can be reinforced in time without restarting the application program, the virtual patch is updated and loaded in real time as interception configuration, and the related vulnerabilities are efficiently repaired before the vulnerable target is endangered by malicious software, so that the corresponding attack behaviour is avoided.

Description

Vulnerability imperceptible mitigation device and method
Technical Field
The invention relates to the technical field of information security, and in particular to a vulnerability imperceptible mitigation device and method.
Background
With the development of the power system towards intelligence and interactivity and the evolution of network attack techniques, intelligent Internet of Things terminals characterised by hardware platformisation, business APPs and modular structure face the risk of network attacks from public or private networks, and the problem of latent vulnerabilities in such terminals becomes more prominent. The related vulnerabilities are generally repaired offline or online by replacing or patching the problematic software package in order to harden the application, but on the one hand the repair cycle and replacement cost are high, and on the other hand the repair process requires the application or the system to be restarted after upgrading, which affects the normal use of other business and is highly invasive to the original application and system.
Disclosure of Invention
Therefore, the technical problem to be solved by the invention is to overcome the defect of the prior art that, in the process of vulnerability repair, the application or the system must be restarted after the update is completed, and to provide a vulnerability imperceptible mitigation device and method.
In order to achieve the above purpose, the present invention provides the following technical solutions:
In a first aspect, an embodiment of the present invention provides a vulnerability imperceptible mitigation device, comprising an application vulnerability monitoring program module, an access policy module, an imperceptible mitigation module and an evaluation module. The vulnerability monitoring program module performs real-time perception monitoring on an application APP and monitors the vulnerability risks present in the application APP; the access policy module, based on the access request packet, intercepts the access request or releases it to the application APP or to the APP corresponding to the application APP in the imperceptible mitigation module; the imperceptible mitigation module constructs a corresponding vulnerability reinforcement function according to the monitoring result of the vulnerability monitoring program module, generates the reinforcement function and the related reinforcement log and sends them to the evaluation module; the evaluation module continuously evaluates the application APP according to the reinforcement log and the access log, and the access policy module generates a new access rule for the interface function of the application APP based on the evaluation result of the evaluation module.
In a second aspect, an embodiment of the present invention provides a vulnerability imperceptible mitigation method based on the device of the first aspect. The method includes: when an application APP receives an access request packet sent by a visitor, the application APP sends the access request packet to the access policy module, and the access policy module judges whether the visitor has access rights according to the stored access rules of each application APP and the received request packet; when the visitor has access rights, the access policy module judges whether the accessed function has a vulnerability, and when it does, judges whether the imperceptible mitigation module has a reinforcement function corresponding to the application APP; when the imperceptible mitigation module has a reinforcement function corresponding to the application APP, the access policy module sends the access request packet to the APP corresponding to the application APP in the imperceptible mitigation module, where normal service access is performed.
In one embodiment, the access policy module intercepts the access request when the visitor has no access rights.
In one embodiment, when the accessed function has no vulnerability, the access policy module releases the access request and the visitor accesses the application APP normally.
In one embodiment, the access policy module intercepts the access request when the imperceptible mitigation module does not have a reinforcement function corresponding to the application APP.
In one embodiment, the imperceptible mitigation module records the relevant access log and synchronises the access process to the evaluation module; the evaluation module continuously evaluates the access to the application, and the access policy module generates a new access rule for the interface function of the application APP based on the evaluation result of the evaluation module.
In one embodiment, the process by which the imperceptible mitigation module establishes the reinforcement function includes: an application vulnerability monitoring program module is deployed in each application container and scans the application APP; a relationship label between the application APP and the vulnerability is established based on the scan result and sent to the imperceptible mitigation module; the imperceptible mitigation module reinforces the interface function of the application APP based on the relationship label, generates the reinforcement function and the related reinforcement log and sends them to the evaluation module; the evaluation module evaluates the access rule of the interface function of the application APP based on the reinforcement log, obtains an evaluation result and sends it to the access policy module; the access policy module generates a new access rule for the interface function of the application APP based on the evaluation result.
In one embodiment, the scan result includes the risk status of the function libraries on which the application APP depends, of its exposed interface functions and of its ports.
In one embodiment, the process of establishing the relationship label between the application APP and the vulnerability based on the scan result includes: the application vulnerability monitoring program module analyses the vulnerabilities of the exposed interface functions of the application APP and, based on the analysis result, establishes the relationship label between the application APP, its exposed interface functions and their vulnerabilities.
In a third aspect, an embodiment of the present invention provides a computer readable storage medium storing computer instructions configured to cause a computer to perform the vulnerability imperceptible mitigation method of the second aspect.
The technical scheme of the invention has the following advantages:
According to the vulnerability imperceptible mitigation device and method provided by the invention, the vulnerability monitoring program module performs real-time perception monitoring on the application APP to monitor the vulnerability risk present in it; the access policy module, based on the access request packet, intercepts the access request or releases it to the application APP or to the APP corresponding to the application APP in the imperceptible mitigation module; the imperceptible mitigation module constructs a corresponding vulnerability reinforcement function according to the monitoring result of the vulnerability monitoring program module and generates the reinforcement function and the related reinforcement log; the evaluation module continuously evaluates the application APP according to the reinforcement log and the access log, and the access policy module generates a new access rule for the interface function of the application APP based on the evaluation result of the evaluation module. In this way key indicators exposed by a vulnerability of an application APP function, such as a port or a leaked address, can be reinforced in time without restarting the application program; the virtual patch is updated and loaded in real time as interception configuration, and the related vulnerabilities are efficiently repaired before the vulnerable targets are endangered by malicious software, so that the corresponding attack behaviour is avoided.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly described below. It is obvious that the drawings described below show some embodiments of the present invention, and other drawings can be obtained from them by a person skilled in the art without inventive effort.
Fig. 1 is a composition diagram of a specific example of the vulnerability imperceptible mitigation device provided by an embodiment of the present invention;
Fig. 2 is a flowchart of a specific example of the vulnerability imperceptible mitigation method provided by an embodiment of the present invention;
Fig. 3 is a flowchart of another specific example of the vulnerability imperceptible mitigation method provided by an embodiment of the present invention;
Fig. 4 is a composition diagram of a specific example of a computer device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made apparent and fully in view of the accompanying drawings, in which some, but not all embodiments of the invention are shown. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In the description of the present invention, it should be noted that the directions or positional relationships indicated by the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, are merely for convenience of describing the present invention and simplifying the description, and do not indicate or imply that the devices or elements referred to must have a specific orientation, be configured and operated in a specific orientation, and thus should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and "third" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance.
In the description of the present invention, it should be noted that, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be either fixedly connected, detachably connected, or integrally connected, for example; can be mechanically or electrically connected; the two components can be directly connected or indirectly connected through an intermediate medium, or can be communicated inside the two components, or can be connected wirelessly or in a wired way. The specific meaning of the above terms in the present invention will be understood in specific cases by those of ordinary skill in the art.
In addition, the technical features of the different embodiments of the present invention described below may be combined with each other as long as they do not collide with each other.
Example 1
The embodiment of the invention provides a vulnerability imperceptible mitigation device, which may be a vulnerability imperceptible mitigation device based on an application of an electric power intelligent Internet of Things terminal. It can intercept the data flow when an application program is accessed illegally, selectively filter attack data packets harmful to the original application program, such as malicious software, attack script execution, SQL injection, CC attack commands, shellcode and abnormal data packets, and improve the security of the application program while it has not yet been patched or upgraded.
As shown in Fig. 1, the vulnerability imperceptible mitigation device of the embodiment of the present invention includes an application vulnerability monitoring program module 1, an access policy module 2, an imperceptible mitigation module 3 and an evaluation module 4.
The vulnerability monitoring program module of the embodiment of the invention monitors the vulnerability risk present in the application APP by real-time perception monitoring. Specifically, in the embodiment of the invention a vulnerability monitoring program module is deployed in each application APP, and the application APP may be a marketing service APP, a distribution service APP, an environment monitoring APP or the like.
The access policy module of the embodiment of the invention is used for intercepting the access request, or releasing it to the corresponding application APP or to the APP corresponding to the application APP in the imperceptible mitigation module, based on the access request packet.
The imperceptible mitigation module is used for constructing a corresponding vulnerability reinforcement function according to the monitoring result of the vulnerability monitoring program module, generating reinforcement functions and related reinforcement logs and sending them to the evaluation module. The evaluation module performs real-time trust evaluation on the APP access requests of the terminal, realising risk judgement of the application and of the context in which the vulnerability is accessed; it embeds a continuous evaluation model based on deep learning algorithms such as a Convolutional Neural Network (CNN) combined with a Recurrent Neural Network (RNN) or a Siamese network, and can evaluate the trust of the current application access on the basis of the existing access policy.
The evaluation module of the embodiment of the invention is used for continuously evaluating the application APP according to the reinforcement log and the access log, and the access policy module generates a new access rule for the interface function of the application APP based on the evaluation result of the evaluation module. The access policy is short-lived: the continuous trust evaluation model dynamically adjusts the current context of the access policy according to the authentication strength, the risk state and environmental factors, forming a dynamic trust relationship that protects the application program continuously and dynamically.
Specifically, the embodiment of the invention establishes a security access centre (comprising the access policy module, the imperceptible mitigation module and the evaluation module) on the intelligent terminal. Using dynamic access control technology, it continuously records, analyses and identifies the behaviour and habits of the application accessing the service APP, dynamically evaluates the trust degree of the application, opens access only to the minimum extent permitted by the authorisation result, establishes a whitelist mechanism in the security access centre, supervises the whole access process of the application, and effectively and dynamically intercepts illegal access.
The vulnerability imperceptible mitigation module of the embodiment of the invention can complete two operations, vulnerability imperceptible mitigation and application scan reinforcement, whose specific processes are as follows:
(1) Vulnerability imperceptible mitigation operation: when an application APP receives an access request packet sent by a visitor, the application APP sends the access request packet to the access policy module, and the access policy module judges whether the visitor has access rights according to the stored access rules of each application APP and the received request packet; when the visitor has access rights, the access policy module judges whether the accessed function has a vulnerability, and when it does, judges whether the imperceptible mitigation module has a reinforcement function corresponding to the application APP; when the imperceptible mitigation module has a reinforcement function corresponding to the application APP, the access policy module sends the access request packet to the APP corresponding to the application APP in the imperceptible mitigation module, where normal service access is performed.
(2) Application scan reinforcement operation: an application vulnerability monitoring program module is deployed in each application container and scans the application APP; a relationship label between the application APP and the vulnerability is established based on the scan result and sent to the imperceptible mitigation module; the imperceptible mitigation module reinforces the interface function of the application APP based on the relationship label, generates the reinforcement function and the related reinforcement log and sends them to the evaluation module; the evaluation module evaluates the access rule of the interface function of the application APP based on the reinforcement log, obtains an evaluation result and sends it to the access policy module; the access policy module generates a new access rule for the interface function of the application APP based on the evaluation result.
Example 2
The embodiment of the invention provides a vulnerability imperceptible mitigation method based on the vulnerability imperceptible mitigation device of Embodiment 1. As shown in Fig. 2, it comprises the following steps:
Step S11: when the application APP receives an access request packet sent by a visitor, the application APP sends the access request packet to the access policy module, and the access policy module judges whether the visitor has access rights according to the stored access rules of each application APP and the received request packet.
Specifically, when a visitor accesses the application APP, the application APP uses a kernel hook function to send the received access request packet, through the application access forwarding module, to the access policy module in the security access centre. The access rules of the application APPs are stored in the access policy module; the access request packet is matched against these rules, and whether the visitor has access rights is judged.
Step S12: when the visitor has access rights, the access policy module judges whether the accessed function has a vulnerability, and when it does, the access policy module judges whether the imperceptible mitigation module has a reinforcement function corresponding to the application APP.
Specifically, the access request packet includes the visitor information and the accessed function. When a visitor has access rights, the access policy module must also judge whether the accessed function has a vulnerability, and when it does, the access policy module judges whether the imperceptible mitigation module has a reinforcement function corresponding to the application APP; reinforcement functions are prepared for the vulnerabilities that may occur in the various interface functions of the application APP. When the visitor does not have access rights, the access policy module directly intercepts the access request. When the visitor has access rights and the accessed function has no vulnerability, the access policy module releases the access request and the visitor accesses the application APP normally.
Step S13: when the imperceptible mitigation module has a reinforcement function corresponding to the application APP, the access policy module sends the access request packet to the APP corresponding to the application APP in the imperceptible mitigation module, where normal service access is performed.
Specifically, an APP in which the interface functions of the application APP have been reinforced is arranged in the access policy module. When the imperceptible mitigation module has a reinforcement function corresponding to the application APP, the access policy module sends the access request packet to the APP corresponding to the application APP in the imperceptible mitigation module, and the visitor performs normal service access; when the imperceptible mitigation module does not have a reinforcement function corresponding to the application APP, the access policy module intercepts the access request.
In a specific embodiment, the vulnerability imperceptible mitigation method further includes: the imperceptible mitigation module records the related access logs and synchronises the access process to the evaluation module; the evaluation module continuously evaluates the access to the application, and the access policy module generates a new access rule for the interface function of the application APP based on the evaluation result of the evaluation module.
Specifically, the evaluation module performs real-time trust evaluation on the application access according to the access log or the reinforcement log sent by the imperceptible mitigation module, so as to realise risk judgement of the context in which the application and the vulnerability are accessed, and evaluates the trust of the current application access on the basis of the existing access policy using a continuous evaluation model based on deep learning algorithms such as a Convolutional Neural Network (CNN) combined with a Recurrent Neural Network (RNN) or a Siamese network. The access policy is short-lived: the continuous trust evaluation model dynamically adjusts the current context of the access policy according to the authentication strength, the risk state and environmental factors, forming a dynamic trust relationship that protects the application program continuously and dynamically.
Specifically, the updating of the access rules includes, without being limited to, the establishment of whitelist and blacklist mechanisms, so that the whole access process of the application is supervised and illegal access is effectively and dynamically intercepted.
In one embodiment, as shown in Fig. 3, the procedure by which the imperceptible mitigation module establishes the reinforcement function includes:
Step S21: an application vulnerability monitoring program module is deployed in each application container and scans the application APP; a relationship label between the application APP and the vulnerability is established based on the scan result and sent to the imperceptible mitigation module.
Specifically, the vulnerability monitoring program module scans and analyses the application APP to obtain the risk status of the function libraries on which the application APP depends, of its exposed interface functions and of its ports; it further analyses the vulnerabilities present in the exposed interface functions according to what is exposed, and establishes a relationship label (the relationship label between the application APP and the vulnerability) on the application APP and the exposed interface function.
Step S22: the imperceptible mitigation module reinforces the interface function of the application APP based on the relationship label between the application APP and the vulnerability, generates the reinforcement function and the related reinforcement log, and sends them to the evaluation module.
Specifically, the imperceptible mitigation module analyses, according to the relationship label between the application APP and the vulnerability, how the vulnerable interface function could be exploited, and reinforces the interface function in time to obtain the reinforcement function and the reinforcement log, where the reinforcement log includes, without being limited to, the time, the reinforced items and other information. For interface functions that have not yet received the latest reinforcement, the access policy centre promptly blocks and intercepts any illegal access process.
Step S23: the evaluation module evaluates the access rule of the interface function of the application APP based on the reinforcement log, obtains an evaluation result and sends it to the access policy module.
Step S24: the access policy module generates a new access rule for the interface function of the application APP based on the evaluation result.
Specifically, the evaluation module performs real-time trust evaluation on the application access for the reinforcement log sent by the imperceptible mitigation module, so that risk judgement of the context in which the application and the vulnerability are accessed is realised, and at the same time evaluates the trust of the current application access on the basis of the existing access policy using the continuous evaluation model. The access policy module then generates a new access rule for the interface function of the application APP based on the evaluation result.
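The access-policy decision of steps S11-S13 and the scan reinforcement flow of steps S21-S24 (the same two operations as (1) and (2) of Embodiment 1), as an added Python model written for this page rather than code from the patent: the vulnerability knowledge base VULN_DB, the ScanResult, the apps, visitors and handlers are all constructed, and the trust evaluation is a simple intercept counter standing in for the CNN+RNN model the patent names.

```python
"""Added example (not the patent's code): a minimal model of the access-policy
decision of steps S11-S13 and the scan/reinforcement flow of steps S21-S24.
The vulnerability knowledge base, scan result, visitors and handlers are
constructed; the trust evaluation is a counter standing in for the CNN+RNN model."""
from dataclasses import dataclass, field
from typing import Callable

# Constructed knowledge base: (library, version) -> exposed interface functions it makes vulnerable.
VULN_DB = {("libparse", "1.0"): ["parse_report"], ("libauth", "2.3"): ["reset_password"]}


@dataclass
class ScanResult:  # output of the vulnerability monitoring program module for one app
    app: str
    libraries: dict          # library -> version the app depends on
    exposed_functions: list  # exposed interface functions
    ports: list              # exposed ports


def build_labels(scan: ScanResult) -> dict:
    """S21: label each exposed interface function with the vulnerable dependency
    behind it, e.g. {"parse_report": {"libparse-1.0"}}."""
    labels = {}
    for (lib, ver), funcs in VULN_DB.items():
        if scan.libraries.get(lib) == ver:
            for func in funcs:
                if func in scan.exposed_functions:
                    labels.setdefault(func, set()).add(f"{lib}-{ver}")
    return labels


def reinforce(app: str, func: str, original: Callable, max_len: int = 64) -> Callable:
    """S22: wrap the original interface function in a reinforcement (virtual patch)
    loaded without a restart.  The length/control-character guard is a placeholder."""
    def hardened(payload: str):
        if len(payload) > max_len or any(ord(c) < 32 for c in payload):
            raise ValueError(f"{app}.{func}: payload rejected by reinforcement")
        return original(payload)
    return hardened


@dataclass
class AccessPolicyModule:
    rules: dict = field(default_factory=dict)       # app -> visitors with access rights
    vulnerable: dict = field(default_factory=dict)  # app -> interface functions with a vulnerability
    reinforced: dict = field(default_factory=dict)  # (app, function) -> reinforcement function
    access_log: list = field(default_factory=list)
    reinforcement_log: list = field(default_factory=list)

    def load_scan(self, scan: ScanResult, handlers: dict) -> None:
        """S21-S22: turn scan labels into reinforcement functions and a reinforcement log."""
        for func, deps in build_labels(scan).items():
            self.vulnerable.setdefault(scan.app, set()).add(func)
            self.reinforced[(scan.app, func)] = reinforce(scan.app, func, handlers[func])
            self.reinforcement_log.append((scan.app, func, sorted(deps)))

    def decide(self, visitor: str, app: str, func: str) -> str:
        """S11-S13: intercept, release to the original app, or forward to the reinforced APP."""
        if visitor not in self.rules.get(app, set()):
            verdict = "intercept:no-right"          # S11: no access right
        elif func not in self.vulnerable.get(app, set()):
            verdict = "release:original"            # S12: function has no vulnerability
        elif (app, func) in self.reinforced:
            verdict = "forward:reinforced"          # S13: reinforcement function exists
        else:
            verdict = "intercept:no-reinforcement"  # vulnerable but not yet reinforced
        self.access_log.append((visitor, app, func, verdict))
        return verdict

    def evaluate_and_update(self, max_intercepts: int = 3) -> dict:
        """S23-S24 stand-in: a visitor intercepted max_intercepts times on an
        unreinforced vulnerable function loses its access right on that app."""
        counts = {}
        for visitor, app, _, verdict in self.access_log:
            if verdict == "intercept:no-reinforcement":
                counts[(visitor, app)] = counts.get((visitor, app), 0) + 1
        for (visitor, app), n in counts.items():
            if n >= max_intercepts:
                self.rules.get(app, set()).discard(visitor)
        return self.rules


def demo() -> dict:
    """Run the whole flow on constructed data and return the verdicts."""
    policy = AccessPolicyModule(rules={"marketing_app": {"meter-17", "gateway-2"}})
    scan = ScanResult("marketing_app", {"libparse": "1.0", "libauth": "2.4"},
                      ["parse_report", "reset_password", "list_tariffs"], [8080])
    policy.load_scan(scan, {"parse_report": lambda p: f"parsed:{p}"})
    policy.vulnerable["marketing_app"].add("reset_password")  # reported, not yet reinforced
    out = {
        "unknown": policy.decide("rogue", "marketing_app", "list_tariffs"),
        "clean": policy.decide("meter-17", "marketing_app", "list_tariffs"),
        "patched": policy.decide("meter-17", "marketing_app", "parse_report"),
        "hardened_call": policy.reinforced[("marketing_app", "parse_report")]("daily"),
    }
    for _ in range(3):
        out["unpatched"] = policy.decide("meter-17", "marketing_app", "reset_password")
    policy.evaluate_and_update()
    out["after_update"] = policy.decide("meter-17", "marketing_app", "reset_password")
    return out
```

Running demo() walks one visitor through all four verdicts of the decision tree and shows the access rule being regenerated from the access log, which is the part the patent leaves to its evaluation model.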
Example 3
An embodiment of the present invention provides a computer device, as shown in Fig. 4, including at least one processor 401, such as a CPU (Central Processing Unit), at least one communication interface 403, a memory 404 and at least one communication bus 402. The communication bus 402 is used to enable communication between these connected components. The communication interface 403 may include a display screen and a keyboard, and the optional communication interface 403 may further include a standard wired interface and a wireless interface. The memory 404 may be a high-speed RAM (Random Access Memory, volatile random access memory) or a non-volatile memory, such as at least one disk memory. The memory 404 may optionally also be at least one storage device located remotely from the processor 401. The processor 401 may perform the vulnerability imperceptible mitigation method of Embodiment 2: a set of program code is stored in the memory 404, and the processor 401 calls the program code stored in the memory 404 to execute the vulnerability imperceptible mitigation method of Embodiment 2.
The communication bus 402 may be a peripheral component interconnect standard (peripheral component interconnect, PCI) bus or an extended industry standard architecture (extended industry standard architecture, EISA) bus, among others. Communication bus 402 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one line is shown in fig. 4, but not only one bus or one type of bus.
Wherein the memory 404 may include volatile memory (English) such as random-access memory (RAM); the memory may also include a nonvolatile memory (english: non-volatile memory), such as a flash memory (english: flash memory), a hard disk (english: hard disk drive, abbreviated as HDD) or a solid-state drive (english: SSD); memory 404 may also include a combination of the above types of memory.
The processor 401 may be a central processor (English: central processing unit, abbreviated: CPU), a network processor (English: network processor, abbreviated: NP) or a combination of CPU and NP.
Wherein the processor 401 may further comprise a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof (English: programmable logic device). The PLD may be a complex programmable logic device (English: complex programmable logic device, abbreviated: CPLD), a field programmable gate array (English: field-programmable gate array, abbreviated: FPGA), a general-purpose array logic (English: generic array logic, abbreviated: GAL), or any combination thereof.
Optionally, the memory 404 is also used for storing program instructions. The processor 401 may invoke program instructions to implement the vulnerability mitigation method as in execution embodiment 2 of the present application.
The embodiment of the invention also provides a computer readable storage medium, and the computer readable storage medium stores computer executable instructions thereon, wherein the computer executable instructions can execute the vulnerability imperceptible mitigation method of the embodiment 2. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a Flash Memory (Flash Memory), a Hard Disk (HDD), or a Solid-State Drive (SSD); the storage medium may also comprise a combination of memories of the kind described above.
The above embodiments are given by way of illustration only and do not limit the invention. Other variations or modifications of the above teachings will be apparent to those of ordinary skill in the art; it is neither necessary nor possible to list all embodiments here, and such obvious variations or modifications fall within the scope of the present invention.

Claims (10)

1. A vulnerability imperceptible mitigation device, comprising: an application vulnerability monitoring program module, an access policy module, an imperceptible mitigation module and an evaluation module, wherein
the application vulnerability monitoring program module is used to perform real-time sensing and monitoring of the application APP and to monitor the vulnerability risks present in the application APP;
the access policy module is used to intercept an access request to the application APP, or to release it to the application APP or to the copy of the application APP in the imperceptible mitigation module, based on the access request packet;
the imperceptible mitigation module is used to construct a corresponding vulnerability reinforcement function according to the monitoring result of the vulnerability monitoring program module, generating a reinforcement function and a related reinforcement log and sending them to the evaluation module; the evaluation module is used to continuously evaluate the application APP according to the reinforcement log and the access log, and the access policy module generates a new access rule for the interface function of the application APP based on the evaluation result of the evaluation module;
an application vulnerability monitoring program module is deployed in each application container; the application vulnerability monitoring program module scans the application APP, establishes a relation label between the application APP and its vulnerabilities based on the scan result, and sends the label to the imperceptible mitigation module; the imperceptible mitigation module reinforces an interface function of the application APP based on the application APP and the vulnerability relation label, generates a reinforcement function and a related reinforcement log, and sends them to the evaluation module.
2. A vulnerability imperceptible mitigation method, characterized in that, based on the vulnerability imperceptible mitigation device of claim 1, the method comprises:
when an application APP receives an access request packet sent by a visitor, the application APP forwards the access request packet to the access policy module, and the access policy module judges whether the visitor has access rights according to the access rule stored for each application APP and the received request packet;
when the visitor has access rights, the access policy module judges whether the accessed function has a vulnerability, and when the accessed function has a vulnerability, the access policy module judges whether the imperceptible mitigation module has a reinforcement function corresponding to the application APP;
when the imperceptible mitigation module has a reinforcement function corresponding to the application APP, the access policy module sends the access request packet to the copy of the application APP in the imperceptible mitigation module for normal service access.
3. The vulnerability imperceptible mitigation method of claim 2, further comprising:
when the visitor does not have access rights, the access policy module intercepts the access request.
4. The vulnerability imperceptible mitigation method of claim 2, further comprising:
when the accessed function has no vulnerability, the access policy module releases the access request and the visitor accesses the application APP normally.
5. The vulnerability imperceptible mitigation method of claim 2, further comprising:
when the imperceptible mitigation module does not have a reinforcement function corresponding to the application APP, the access policy module intercepts the access request.
6. The vulnerability imperceptible mitigation method of claim 2, further comprising:
the imperceptible mitigation module records the related access log and synchronizes the access process to the evaluation module;
the evaluation module continuously evaluates the application access, and the access policy module generates a new access rule for the interface function of the application APP based on the evaluation result of the evaluation module.
7. The vulnerability imperceptible mitigation method of claim 2, wherein the process by which the imperceptible mitigation module establishes the reinforcement function comprises:
an application vulnerability monitoring program module is deployed in each application container; the application vulnerability monitoring program module scans the application APP, establishes a relation label between the application APP and its vulnerabilities based on the scan result, and sends the label to the imperceptible mitigation module;
the imperceptible mitigation module reinforces an interface function of the application APP based on the application APP and the vulnerability relation label, generates a reinforcement function and a related reinforcement log, and sends them to the evaluation module;
the evaluation module evaluates the access rule of the interface function of the application APP based on the reinforcement log, obtains an evaluation result and sends it to the access policy module;
the access policy module generates a new access rule for the interface function of the application APP based on the evaluation result.
8. The vulnerability imperceptible mitigation method of claim 7, wherein the scan result comprises: the function libraries on which the application APP depends, its exposed interface functions, and the risk state of its ports.
9. The vulnerability imperceptible mitigation method of claim 7, wherein the process of establishing the relation label between the application APP and its vulnerabilities based on the scan result comprises:
the application vulnerability monitoring program module analyzes the vulnerabilities of the exposed interface functions of the application APP;
based on the analysis result, the relation label between the exposed interface functions of the application APP and the vulnerabilities is established.
10. A computer device, comprising: at least one processor, and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the vulnerability imperceptible mitigation method of any one of claims 2 to 9.
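The decision path of claims 2 to 5 (rights check, then vulnerability check, then reinforcement check, then route or intercept) and the rule regeneration of steps S23/S24 and claim 7 are modelled below as an added Python example; it is not the patent's own code. The module and class names, the `billing` application with its `export` and `status` interface functions, the visitors `alice` and `mallory`, and the vulnerability label `label-001` are all constructed for the example. What the example makes visible that the claims only state is the order of the checks (a visitor without rights never reaches the vulnerability check) and the fact that the same request flips from "intercept" to "route to hardened copy" once the reinforcement log gains an entry and the rules are regenerated.

```python
"""Added example: access-policy decision path (claims 2-5) and rule regeneration
(steps S23/S24, claim 7). All names and data below are constructed; nothing here
is taken from the patent's implementation."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "release to application"           # visitor has rights, function not vulnerable
    ROUTE_HARDENED = "route to hardened copy"  # vulnerable, reinforcement function exists
    INTERCEPT = "intercept"                    # no rights, or vulnerable with no reinforcement


@dataclass(frozen=True)
class AccessRequest:
    visitor: str
    app: str
    function: str


@dataclass
class MitigationModule:
    """Hardened copies of interface functions plus the reinforcement and access logs."""
    hardened: dict = field(default_factory=dict)          # (app, function) -> callable
    reinforcement_log: list = field(default_factory=list)
    access_log: list = field(default_factory=list)

    def harden(self, app, function, label, shim):
        # Constructed stand-in for building a reinforcement function for one interface.
        self.hardened[(app, function)] = shim
        self.reinforcement_log.append({"app": app, "function": function, "label": label})

    def has_reinforcement(self, app, function):
        return (app, function) in self.hardened

    def serve(self, req):
        # Normal service access through the hardened copy; the access is logged (claim 6).
        self.access_log.append(req)
        return self.hardened[(req.app, req.function)](req)


@dataclass
class PolicyModule:
    rights: dict            # visitor -> set of (app, function) the visitor may call
    vuln_labels: set        # (app, function, label) triples produced by the monitor's scan
    mitigation: MitigationModule
    rules: dict = field(default_factory=dict)   # (app, function) -> Decision, from S24

    def _is_vulnerable(self, app, function):
        return any(a == app and f == function for a, f, _ in self.vuln_labels)

    def interface_rule(self, app, function):
        """Rule for one interface function, derived on demand when no S24 rule exists."""
        if not self._is_vulnerable(app, function):
            return Decision.ALLOW
        if self.mitigation.has_reinforcement(app, function):
            return Decision.ROUTE_HARDENED
        return Decision.INTERCEPT

    def regenerate_rules(self):
        """S23/S24: evaluate every labelled interface against the reinforcement log."""
        hardened = {(e["app"], e["function"]) for e in self.mitigation.reinforcement_log}
        self.rules = {
            (app, fn): Decision.ROUTE_HARDENED if (app, fn) in hardened else Decision.INTERCEPT
            for app, fn, _ in self.vuln_labels
        }
        return dict(self.rules)

    def decide(self, req):
        """Claims 2-5: the rights check comes first and short-circuits everything else."""
        if (req.app, req.function) not in self.rights.get(req.visitor, set()):
            return Decision.INTERCEPT
        return self.rules.get((req.app, req.function)) or self.interface_rule(req.app, req.function)


def run_demo():
    """Constructed scenario: one vulnerable and one clean interface, two visitors."""
    mitigation = MitigationModule()
    policy = PolicyModule(
        rights={"alice": {("billing", "export"), ("billing", "status")}},
        vuln_labels={("billing", "export", "label-001")},
        mitigation=mitigation,
    )
    export = AccessRequest("alice", "billing", "export")
    status = AccessRequest("alice", "billing", "status")
    stranger = AccessRequest("mallory", "billing", "status")

    before = policy.decide(export)                 # vulnerable, nothing hardened yet
    mitigation.harden("billing", "export", "label-001",
                      lambda req: f"hardened export for {req.visitor}")
    policy.regenerate_rules()                      # S23/S24 after the reinforcement log grew
    after = policy.decide(export)
    served = mitigation.serve(export) if after is Decision.ROUTE_HARDENED else None
    return {
        "before_hardening": before,
        "after_hardening": after,
        "served": served,
        "clean_function": policy.decide(status),
        "no_rights": policy.decide(stranger),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The regenerated rules only cover interfaces that carry a vulnerability label; a clean interface falls through to `interface_rule` and is released, which matches claim 4, while a labelled interface with no entry in the reinforcement log is intercepted, which matches claim 5.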
CN202210239340.4A 2022-03-11 2022-03-11 Loophole noninductive relieving device and method Active CN114448721B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210239340.4A CN114448721B (en) 2022-03-11 2022-03-11 Loophole noninductive relieving device and method

Publications (2)

Publication Number Publication Date
CN114448721A CN114448721A (en) 2022-05-06
CN114448721B true CN114448721B (en) 2023-06-13

Family

ID=81360246

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210239340.4A Active CN114448721B (en) 2022-03-11 2022-03-11 Loophole noninductive relieving device and method

Country Status (1)

Country Link
CN (1) CN114448721B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101789942A (en) * 2010-01-29 2010-07-28 蓝盾信息安全技术股份有限公司 Method for preventing sensitive data from betraying confidential matters and device thereof
CN109861951A (en) * 2017-11-30 2019-06-07 北京安云世纪科技有限公司 A kind of Website access method, device, system
CN110290114A (en) * 2019-06-04 2019-09-27 武汉大学 A kind of loophole automation means of defence and system based on warning information
CN110311926A (en) * 2019-02-02 2019-10-08 奇安信科技集团股份有限公司 A kind of application access control method, system and medium
CN111132138A (en) * 2019-12-06 2020-05-08 中国电子科技集团公司电子科学研究院 Transparent communication protection method and device for mobile application program
CN111556037A (en) * 2020-04-21 2020-08-18 杭州安恒信息技术股份有限公司 Method and device for evaluating security index of website system
CN112257070A (en) * 2020-10-22 2021-01-22 全球能源互联网研究院有限公司 Vulnerability troubleshooting method and system based on asset scene attributes
CN113032793A (en) * 2021-04-13 2021-06-25 北京国联易安信息技术有限公司 Intelligent reinforcement system and method for data security
CN113591096A (en) * 2021-08-10 2021-11-02 北京凌云信安科技有限公司 Vulnerability scanning system for comprehensively detecting big data bugs and unsafe configurations
CN113660224A (en) * 2021-07-28 2021-11-16 上海纽盾科技股份有限公司 Situation awareness defense method, device and system based on network vulnerability scanning
CN113704767A (en) * 2021-08-10 2021-11-26 北京凌云信安科技有限公司 Vulnerability scanning engine and vulnerability worksheet management fused vulnerability management system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7669051B2 (en) * 2000-11-13 2010-02-23 DigitalDoors, Inc. Data security system and method with multiple independent levels of security

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Vulnerability of Deep Reinforcement Learning to Policy Induction Attacks; Vahid Behzadan, Arslan Munir; Computer Science; full text *
Analysis and research of security mechanisms based on Android access-permission vulnerabilities; 徐成, 袁家政, 鲍泓, 张璐璐; Computer Science; full text *

Also Published As

Publication number Publication date
CN114448721A (en) 2022-05-06

Similar Documents

Publication Publication Date Title
JP6019484B2 (en) Systems and methods for server-bound malware prevention
US7870242B2 (en) Flexible compliance agent with integrated remediation
US9344431B2 (en) System and method for assessing an application based on data from multiple devices
US9268945B2 (en) Detection of vulnerabilities in computer systems
US20170230397A1 (en) System and method for assessing data objects on mobile communications devices
US8019857B2 (en) Flexible system health and remediation agent
US20110047620A1 (en) System and method for server-coupled malware prevention
CN104468632A (en) Loophole attack prevention method, device and system
US8943599B2 (en) Certifying server side web applications against security vulnerabilities
CN114143034A (en) Network access security detection method and device
CN101901323B (en) System filtration method for monitoring loading activity of program module
CN111177708A (en) PLC credibility measuring method, system and measuring device based on TCM chip
KR20090121466A (en) Apparatus and method for checking personal computer's security
Mahmood et al. Systematic threat assessment and security testing of automotive over-the-air (OTA) updates
CN110968872A (en) File vulnerability detection processing method and device, electronic equipment and storage medium
CN115701019A (en) Access request processing method and device of zero trust network and electronic equipment
CN114448721B (en) Loophole noninductive relieving device and method
US20230319112A1 (en) Admission control in a containerized computing environment
CN116415300A (en) File protection method, device, equipment and medium based on eBPF
CN114329444A (en) System safety improving method and device
CN111309978A (en) Transformer substation system safety protection method and device, computer equipment and storage medium
CN117648100B (en) Application deployment method, device, equipment and storage medium
CN114124558B (en) Operation response method, device, electronic equipment and computer readable storage medium
CN116961977A (en) Security detection method, apparatus, device and computer program product
KR20240041662A (en) Method and apparatus for providing digital financial security service

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant