CN114817929B - Method and device for dynamically tracking and processing vulnerability of Internet of things, electronic equipment and medium

Info

Publication number: CN114817929B
Authority: CN (China)
Prior art keywords: vulnerability, information, information table, data, historical
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202210409775.9A
Other languages: Chinese (zh)
Other versions: CN114817929A
Inventors: 雷志强, 张贺, 段伟恒, 方维
Current assignee: Sky Sky Safety Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Sky Sky Safety Technology Co ltd

Events:
Application filed by Sky Sky Safety Technology Co ltd
Priority to CN202210409775.9A
Publication of CN114817929A
Application granted
Publication of CN114817929B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
            • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
              • G06F16/35 Clustering; Classification
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
            • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
              • G06F16/36 Creation of semantic tools, e.g. ontology or thesauri
                • G06F16/367 Ontology
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1433 Vulnerability analysis

Abstract

The application relates to the technical field of the Internet of things (IoT), and in particular to a method, device, electronic equipment and medium for dynamically tracking and processing IoT vulnerabilities. The method comprises the following steps: collecting vulnerability data; updating a historical device information table and a historical vulnerability information table according to the vulnerability data, and generating a current device information table and a current vulnerability information table; and updating a multidimensional knowledge graph (knowledge map) according to the current device information table and the current vulnerability information table, where the multidimensional knowledge graph is constructed on the basis of the historical device information table and the historical vulnerability information table. The device information table stores device information related to IoT vulnerabilities, and the vulnerability information table stores basic information about the IoT vulnerabilities.

Description

Method and device for dynamically tracking and processing vulnerability of Internet of things, electronic equipment and medium
Technical Field
The application relates to the technical field of the internet of things, in particular to a dynamic tracking and processing method and device for vulnerabilities of the internet of things, electronic equipment and a medium.
Background
With the development of Internet of things technology, large numbers of IoT devices are continuously connected to networks, and because some of these devices lack ongoing official technical support and patch update programs, a large number of known vulnerabilities accumulate on them.
At present, the international mainstream vulnerability sharing platforms do not classify IoT vulnerabilities as a distinct category, and the domestic mainstream vulnerability disclosure platforms classify them manually or semi-automatically, which introduces a certain delay. These platforms therefore cannot meet security researchers' need for highly timely handling of IoT vulnerabilities. How to classify IoT vulnerabilities efficiently and at fine granularity, so that security researchers can analyze them accurately and in time and so that data support is available for subsequent security detection, threat early warning and similar work, has become an urgent problem to solve.
Disclosure of Invention
In order to provide data support for subsequent processing of IoT vulnerabilities and to classify and process them efficiently and at fine granularity, the application provides a method and device for dynamically tracking and processing IoT vulnerabilities, together with electronic equipment and a medium.
In a first aspect of the application, a method for dynamically tracking and processing IoT vulnerabilities is provided. The method includes the steps of: collecting vulnerability data; updating a historical device information table and a historical vulnerability information table according to the vulnerability data, and generating a current device information table and a current vulnerability information table; and updating a multidimensional knowledge graph according to the current device information table and the current vulnerability information table, where the multidimensional knowledge graph is constructed based on the historical device information table and the historical vulnerability information table. The device information table stores device information related to IoT vulnerabilities, and the vulnerability information table stores basic information about IoT vulnerabilities.
With this technical scheme, vulnerability data can be collected at regular times or at a preset frequency, the historical device information table and the historical vulnerability information table are updated and completed from the collected data, and the knowledge graph is updated from the current device information table and the current vulnerability information table. In this way the latest vulnerability data can be acquired in time, IoT vulnerabilities can be identified within it, and their latest information written into the device information table and the vulnerability information table, from which the knowledge graph is updated. Consequently, when a new threat report about an IoT vulnerability is received, the knowledge graph can provide security researchers with the latest and most complete vulnerability association relationships, so that they can process the IoT vulnerability quickly.
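To make the knowledge graph update step concrete, here is an added example (my code, not code from the patent or its assignee) that builds a small multidimensional knowledge graph from a device information table and a vulnerability information table joined on the CVE number, applies the update idempotently so that a periodic re-collection only adds what is new, and answers the association queries a researcher would put to it when a new threat report arrives. The table field names, the edge labels and the sample rows are my assumptions; the CVE numbers, vendors and models are constructed placeholders.

```python
"""Knowledge-graph update step: added example, not code from the patent.

Assumptions (mine, not the patent's): the two tables are lists of dicts
with the field names used below, the tables are joined on the CVE number,
and the edge labels ("affects", "made_by", ...) are my own choice."""
from collections import defaultdict

# Constructed sample rows. CVE ids, vendors and models are placeholders.
DEVICE_TABLE = [
    {"cve": "CVE-0000-0001", "manufacturer": "VendorA", "model": "RT-100",
     "type": "router", "identifier": "fw-1.2"},
    {"cve": "CVE-0000-0002", "manufacturer": "VendorA", "model": "CAM-7",
     "type": "ip_camera", "identifier": "fw-3.0"},
    {"cve": "CVE-0000-0003", "manufacturer": "VendorB", "model": "RT-200",
     "type": "router", "identifier": "fw-2.0"},
]
VULN_TABLE = [
    {"cve": "CVE-0000-0001", "cwe": "CWE-78", "vuln_type": "command injection"},
    {"cve": "CVE-0000-0002", "cwe": "CWE-287", "vuln_type": "authentication bypass"},
    {"cve": "CVE-0000-0003", "cwe": "CWE-78", "vuln_type": "command injection"},
]


class KnowledgeGraph:
    """Nodes are (kind, name) tuples; every edge is stored in both directions
    so the graph can be traversed from any dimension (manufacturer, type, CWE)."""

    def __init__(self):
        self.adj = defaultdict(set)  # node -> {(label, neighbour)}

    def add_edge(self, src, label, dst):
        # Sets make the update idempotent: re-applying a current table after a
        # periodic collection only adds edges that were not there before.
        self.adj[src].add((label, dst))
        self.adj[dst].add((label, src))

    def neighbours(self, node, label=None):
        return {n for lbl, n in self.adj.get(node, ()) if label is None or lbl == label}

    def edge_count(self):
        return sum(len(v) for v in self.adj.values()) // 2

    def update(self, device_rows, vuln_rows):
        """Merge the current device and vulnerability tables into the graph."""
        for row in device_rows:
            cve = ("cve", row["cve"])
            device = ("device", row["manufacturer"] + ":" + row["model"])
            self.add_edge(cve, "affects", device)
            self.add_edge(device, "made_by", ("manufacturer", row["manufacturer"]))
            self.add_edge(device, "is_type", ("type", row["type"]))
            self.add_edge(device, "identified_by", ("identifier", row["identifier"]))
        for row in vuln_rows:
            cve = ("cve", row["cve"])
            self.add_edge(cve, "weakness", ("cwe", row["cwe"]))
            self.add_edge(cve, "vuln_type", ("vuln_type", row["vuln_type"]))

    def cves_for_manufacturer(self, manufacturer):
        """CVE ids affecting any device made by the given manufacturer."""
        found = set()
        for device in self.neighbours(("manufacturer", manufacturer), "made_by"):
            found |= {cve[1] for cve in self.neighbours(device, "affects")}
        return found

    def related_cves(self, cve_id):
        """CVE ids affecting devices that share a manufacturer or a device type
        with the devices affected by cve_id."""
        found = set()
        for device in self.neighbours(("cve", cve_id), "affects"):
            hubs = self.neighbours(device, "made_by") | self.neighbours(device, "is_type")
            for hub in hubs:
                for other_device in self.neighbours(hub):
                    found |= {cve[1] for cve in self.neighbours(other_device, "affects")}
        found.discard(cve_id)
        return found


def build_graph(device_rows=DEVICE_TABLE, vuln_rows=VULN_TABLE):
    graph = KnowledgeGraph()
    graph.update(device_rows, vuln_rows)
    return graph


if __name__ == "__main__":
    kg = build_graph()
    print(sorted(kg.cves_for_manufacturer("VendorA")))
    print(sorted(kg.related_cves("CVE-0000-0001")))
```

Because the tables are joined on the CVE number, the same CVE appearing in both tables becomes one node, and a second `update` with the same rows leaves the edge count unchanged; that is what lets the "current" tables be re-applied after every collection run without cleaning the graph first.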
Preferably, the vulnerability data includes vulnerability information data, PoC data and threat intelligence data, and updating the historical device information table and the historical vulnerability information table according to the vulnerability data includes: identifying the IoT vulnerabilities in the vulnerability information data according to the historical device information table; updating the vulnerability information corresponding to the identified IoT vulnerabilities from the vulnerability information data into the historical device information table and the historical vulnerability information table; determining, according to the updated historical vulnerability information table, whether an IoT vulnerability exists in the PoC data and the threat intelligence data; and if so, updating the PoC data and threat intelligence data corresponding to the determined IoT vulnerability into the historical vulnerability information table.
With this scheme, the acquired vulnerability data comprises vulnerability information data, PoC data and threat intelligence data. The vulnerability information data is basic information about a vulnerability, including its CVE (Common Vulnerabilities and Exposures) number, description, vulnerability type, the CPE (Common Platform Enumeration) list corresponding to the vulnerability, and so on. The PoC data is proof-of-concept verification code for the vulnerability, and the threat intelligence data is the clue information needed to mitigate attacks that have occurred and to predict attacks that have not yet occurred. The historical device information table and the historical vulnerability information table are updated from the vulnerability information data, so that both tables become more complete and the knowledge graph is improved. By acquiring the PoC data and threat intelligence, threat intelligence related to an IoT vulnerability can be discovered in time; once intelligence related to a new IoT vulnerability is found it can be pushed to security researchers in real time, and researchers can also retrieve the newly added threat intelligence from the historical vulnerability information table at regular intervals, so that new threat intelligence can be responded to rapidly.
Preferably, identifying the IoT vulnerabilities in the vulnerability information data according to the historical device information table comprises: generating a device manufacturer dictionary, a device model dictionary, a device type dictionary and a device identifier dictionary from the historical device information table; and, if at least two of the four dictionaries match the vulnerability information corresponding to a vulnerability in the vulnerability information data, determining that the vulnerability is an IoT vulnerability.
With this scheme, the historical device information table comprises at least the four fields device manufacturer, device model, device type and device identifier, together with the values of these four fields for each IoT vulnerability. The historical table is pre-established by collecting the information of all IoT vulnerabilities disclosed on network platforms; because the data volume is huge, some vulnerability information may be incomplete, so a dictionary is generated from each of the four fields and used for matching, which allows IoT vulnerabilities to be identified more accurately.
Preferably, updating the vulnerability information corresponding to the identified IoT vulnerability from the vulnerability information data into the historical device information table and the historical vulnerability information table includes: if at least one of the four dictionaries does not match the vulnerability information of the identified IoT vulnerability, extracting from the vulnerability information data the actual information of the IoT vulnerability corresponding to the unmatched dictionaries; combining the information matched in the dictionaries with the extracted actual information and updating the combined information into the historical device information table; and extracting from the vulnerability information data the information corresponding to each field of the historical vulnerability information table and updating it into that table.
With this scheme, the information of an identified IoT vulnerability corresponding to every field in the device information table can be obtained, so that each update is complete and needs no later supplementation. At the same time, the information corresponding to each field of the historical vulnerability information table is extracted from the vulnerability information data, which completes the vulnerability information of IoT vulnerabilities already present in the table and stores the newly acquired information of new IoT vulnerabilities in full.
Preferably, extracting from the vulnerability information data the actual information of the IoT vulnerability corresponding to an unmatched dictionary includes: judging whether a CPE list for the IoT vulnerability exists in the vulnerability information data; if so, acquiring the device manufacturer information, device model information, device type information and/or device identifier information of the IoT vulnerability from the CPE list; if not, extracting the device manufacturer information, device model information, device type information and/or device identifier information of the IoT vulnerability from the vulnerability information data with a pre-trained named entity recognition model.
With this scheme, a CPE list (Common Platform Enumeration list) has a fixed format, and most CPE lists contain the four pieces of information corresponding to an IoT vulnerability, namely device manufacturer, device model, device type and device identifier. When supplementing information, it is therefore first checked whether the acquired vulnerability information data contains a CPE list for the IoT vulnerability; if it does, the information can be extracted completely from the list. Because the CPE list of some newly disclosed IoT vulnerabilities is updated with a certain delay, if no CPE list is present the corresponding information is extracted from the vulnerability description by the pre-trained named entity recognition model. In this way the data content can be completed and the latest IoT vulnerability information obtained in time.
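The CPE-first, description-second supplementation step above, as an added example (my code, not the patent's): it parses CPE 2.3 formatted strings while honouring backslash-escaped colons, maps the components onto the four device fields, and falls back to the vulnerability description when no CPE list is present. Two assumptions are mine and not the patent's: the coarse device type is derived from the CPE `part` letter, and the patent's pre-trained named entity model is replaced by a keyword-and-regex stand-in (`find_in_description`) so the block runs offline.

```python
"""Supplementing device fields from the CPE list, with a description fallback.
Added example, not the patent's code.

Assumptions (mine): CPE 2.3 formatted strings; the device type is derived from
the CPE "part" with a coarse mapping; the patent's pre-trained named entity
model is replaced by a keyword/regex stand-in (find_in_description)."""
import re

CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")
# Assumption: coarse device type derived from the CPE part letter.
PART_TO_TYPE = {"h": "hardware", "o": "firmware", "a": "application"}


def split_cpe23(cpe):
    """Split a CPE 2.3 string on unescaped ':' (values may contain '\\:')."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string: " + cpe)
    parts, buf, i = [], [], len(prefix)
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):  # escaped character: keep it literally
            buf.append(cpe[i + 1])
            i += 2
            continue
        if ch == ":":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    if len(parts) != len(CPE23_FIELDS):
        raise ValueError("expected %d components, got %d" % (len(CPE23_FIELDS), len(parts)))
    return dict(zip(CPE23_FIELDS, parts))


def _clean(value):
    # '*' (ANY) and '-' (NA) carry no device information
    return None if value in ("*", "-", "") else value


def device_info_from_cpe(cpe):
    """Map CPE components onto the four fields of the device information table."""
    f = split_cpe23(cpe)
    return {"manufacturer": _clean(f["vendor"]), "model": _clean(f["product"]),
            "type": PART_TO_TYPE.get(f["part"]), "identifier": _clean(f["version"])}


def find_in_description(description, known_manufacturers, known_types):
    """Stand-in for the patent's NER model (assumption): keyword and regex lookup."""
    text = description.lower()
    info = {"manufacturer": None, "model": None, "type": None, "identifier": None}
    for vendor in known_manufacturers:
        if vendor.lower() in text:
            info["manufacturer"] = vendor
            # model: the first token shaped like "RT-100" following the vendor name
            m = re.search(re.escape(vendor) + r"\s+([A-Za-z]+-?\d+[\w.-]*)",
                          description, re.IGNORECASE)
            if m:
                info["model"] = m.group(1)
            break
    for dtype in known_types:
        if dtype.lower() in text:
            info["type"] = dtype
            break
    m = re.search(r"\b(?:firmware\s+version|firmware|version|v)\s*(\d+(?:\.\d+)+)", text)
    if m:
        info["identifier"] = m.group(1)
    return info


def supplement_device_info(record, known_manufacturers, known_types):
    """Patent step: use the CPE list when present, else fall back to the description."""
    cpe_list = record.get("cpe_list") or []
    if cpe_list:
        return device_info_from_cpe(cpe_list[0])
    return find_in_description(record.get("description", ""), known_manufacturers, known_types)


if __name__ == "__main__":
    # Constructed record with no CPE list yet (placeholder vendor and model).
    rec = {"description": "Command injection in VendorA RT-100 routers running "
                          "firmware version 1.2 allows remote code execution."}
    print(supplement_device_info(rec, ["VendorA", "VendorB"], ["router", "ip camera"]))
```

The escape handling matters in practice: a naive `split(":")` silently shifts every later component when a vendor or product name contains an escaped colon, which would put the wrong value into the device identifier field.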
Preferably, the vulnerability information table, the PoC data and the threat intelligence data each comprise at least a CVE number. Determining, according to the updated historical vulnerability information table, whether an IoT vulnerability exists in the PoC data and the threat intelligence data comprises: extracting the CVE numbers that appear in both the PoC data and the threat intelligence data, and judging whether those CVE numbers exist in the historical vulnerability information table; if they do, determining that an IoT vulnerability exists in the PoC data and the threat intelligence data.
With this scheme, the CVE numbers common to the PoC data and the threat intelligence data are extracted and then compared with the CVE numbers in the historical vulnerability information table, so that the PoC data corroborates the vulnerability reported in the threat intelligence data and the accuracy of the threat intelligence data improves. Since the CVE number is the unique identifier of a vulnerability, this approach raises the identification accuracy of the threat intelligence.
Preferably, before updating the historical device information table and the historical vulnerability information table according to the vulnerability data, the method further comprises performing deduplication and fusion processing on the collected vulnerability data.
With this scheme, old data that has already been processed can be removed, the fusion processing reduces the data volume, and the quality of the acquired vulnerability data is improved.
In a second aspect of the application, a device for dynamically tracking and processing IoT vulnerabilities is provided, which includes: an acquisition module for acquiring vulnerability data; a first updating module for updating the historical device information table and the historical vulnerability information table according to the vulnerability data and generating a current device information table and a current vulnerability information table; and a second updating module for updating the multidimensional knowledge graph according to the current device information table and the current vulnerability information table, where the multidimensional knowledge graph is constructed on the basis of the historical device information table and the historical vulnerability information table. The device information table stores device information related to IoT vulnerabilities, and the vulnerability information table stores basic information about IoT vulnerabilities.
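The CVE cross-check described in the two paragraphs above, as an added example (my code, not the patent's): CVE numbers are extracted from the PoC records and the threat intelligence records, only the numbers present in both are kept, and those are confirmed as IoT vulnerabilities when they exist in the historical vulnerability information table, at which point the supporting records are attached to the table entry without duplicating them on a re-run. The record layout (an `id` and a free-text `text` field), the dict-keyed historical table and all sample data are my assumptions; the CVE numbers are constructed placeholders.

```python
"""Cross-checking PoC data and threat-intelligence data against the historical
vulnerability information table by CVE number. Added example, not the patent's code.

Assumptions (mine): PoC and intelligence records are dicts with an "id" and a
free-text "text" field in which CVE numbers appear; the historical table is a
dict keyed by CVE number."""
import re
from collections import defaultdict

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)


def cve_numbers(text):
    """All CVE numbers mentioned in a text, normalised to upper case."""
    return {m.upper() for m in CVE_RE.findall(text)}


def index_by_cve(records):
    index = defaultdict(list)
    for rec in records:
        for cve in cve_numbers(rec["text"]):
            index[cve].append(rec)
    return index


def confirm_iot_vulnerabilities(poc_records, intel_records, history):
    """Return the CVE numbers present in both the PoC data and the intelligence
    data that are also in the historical (IoT) vulnerability table, and attach
    the supporting records to the table entry (idempotently, keyed on record id)."""
    poc_index = index_by_cve(poc_records)
    intel_index = index_by_cve(intel_records)
    common = set(poc_index) & set(intel_index)   # a PoC must corroborate the intel
    confirmed = set()
    for cve in sorted(common):
        entry = history.get(cve)
        if entry is None:
            continue  # a known CVE, but not an IoT vulnerability in our table
        confirmed.add(cve)
        for key, source in (("poc", poc_index), ("threat_intel", intel_index)):
            have = {r["id"] for r in entry.setdefault(key, [])}
            entry[key].extend(r for r in source[cve] if r["id"] not in have)
    return confirmed


# Constructed sample data; ids and CVE numbers are placeholders.
HISTORY = {
    "CVE-0000-0001": {"title": "VendorA RT-100 command injection"},
    "CVE-0000-0002": {"title": "VendorA CAM-7 authentication bypass"},
}
POC_RECORDS = [
    {"id": "poc-1", "text": "PoC for cve-0000-0001 against the RT-100 web UI"},
    {"id": "poc-2", "text": "PoC for CVE-0000-0009 (desktop software)"},
]
INTEL_RECORDS = [
    {"id": "ti-1", "text": "Botnet exploiting CVE-0000-0001 and CVE-0000-0002 in the wild"},
    {"id": "ti-2", "text": "Scanner activity for CVE-0000-0009"},
]

if __name__ == "__main__":
    table = {k: dict(v) for k, v in HISTORY.items()}
    print(sorted(confirm_iot_vulnerabilities(POC_RECORDS, INTEL_RECORDS, table)))
```

In the sample data the intelligence record for CVE-0000-0002 is not attached because no PoC mentions it, and CVE-0000-0009 is dropped because it is absent from the IoT table; both outcomes follow the patent's rule that a CVE must appear in the PoC data, the intelligence data and the historical table.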
In a third aspect of the present application, an electronic device is presented, comprising a memory having stored thereon a computer program and a processor implementing the method according to any of the first aspect when executing the program.
In a fourth aspect of the present application, a computer-readable storage medium is presented, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of the first aspect.
In summary, the present application includes at least one of the following beneficial technical effects:
1. IoT vulnerabilities are classified efficiently and at fine granularity, and the relationships between an IoT vulnerability and its associated device manufacturer and device type are displayed through a knowledge graph, so that security researchers can analyze the relationships between vulnerabilities directly and rapidly, providing data support for subsequent processing.
2. Information related to IoT vulnerabilities is updated in time, so that security researchers obtain the latest information promptly.
3. Manual work is reduced: vulnerability information is processed automatically, with wide coverage.
Drawings
The above and other features, advantages and aspects of various embodiments of the present application will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. In the drawings, like or similar reference characters denote like or similar elements, and wherein:
fig. 1 shows a block diagram of an electronic device according to an embodiment of the present application.
Fig. 2 is a flowchart of a dynamic tracking and processing method for vulnerabilities of the internet of things according to the embodiment of the present application.
Fig. 3 is a schematic block diagram of a device for dynamically tracking and processing vulnerabilities of the internet of things in the embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
In addition, the term "and/or" herein is only one kind of association relationship describing an associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship, unless otherwise specified.
With the development of Internet of things technology, large numbers of IoT devices are continuously connected to networks, and because some of these devices lack ongoing official technical support and patch update programs, a large number of known vulnerabilities accumulate on them. However, the existing international mainstream vulnerability sharing platforms do not classify IoT vulnerabilities at fine granularity as a distinct category, the domestic mainstream vulnerability disclosure platforms classify them manually or semi-automatically, and a certain delay exists in acquiring IoT vulnerabilities, so these platforms cannot meet security researchers' need for highly timely handling of IoT vulnerabilities. Classifying IoT vulnerabilities efficiently and at fine granularity, so that they can be analyzed and data support can be provided for subsequent security detection, threat early warning and similar work, is therefore an urgent problem to solve.
Next, a system architecture according to an embodiment of the present application will be described. It should be noted that the system architecture and the service scenario described in the embodiment of the present application are for more clearly illustrating the technical solution of the embodiment of the present application, and do not constitute a limitation to the technical solution provided in the embodiment of the present application, and as a person having ordinary skill in the art knows that along with the evolution of the network architecture and the appearance of a new service scenario, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems.
Fig. 1 shows a block diagram of an electronic device according to an embodiment of the present application.
Referring to fig. 1, an electronic device 100 includes a processor 101 and a memory 103. Wherein the processor 101 is coupled to the memory 103, such as via a bus 102. Optionally, the electronic device 100 may also include a transceiver 104. It should be noted that the transceiver 104 is not limited to one in practical applications, and the structure of the electronic device 100 does not constitute a limitation to the embodiments of the present application.
The Processor 101 may be a CPU (Central Processing Unit), a general-purpose Processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or other Programmable logic device, transistor logic device, hardware component, or any combination thereof. Which may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor 101 may also be a combination of computing functions, e.g., comprising one or more microprocessors, DSPs, and microprocessors.
Bus 102 may include a path that conveys information between the aforementioned components. The bus 102 may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus 102 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 1, but that does not indicate only one bus or one type of bus.
The Memory 103 may be a ROM (Read Only Memory) or other type of static storage device that can store static information and instructions, a RAM (Random Access Memory) or other type of dynamic storage device that can store information and instructions, an EEPROM (Electrically Erasable Programmable Read Only Memory), a CD-ROM (Compact Disc Read Only Memory) or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these.
The memory 103 is used for storing application program codes for executing the scheme of the application, and is controlled by the processor 101 to execute. The processor 101 is configured to execute application program codes stored in the memory 103 to implement the method for dynamically tracking and processing the vulnerability of the internet of things.
Among them, electronic devices include but are not limited to: mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), and the like, and fixed terminals such as digital TVs, desktop computers, and the like. It should be noted that the electronic device shown in fig. 1 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
Fig. 2 is a flowchart illustrating a method for dynamically tracking and processing IoT vulnerabilities according to an embodiment of the present application. As shown in fig. 2, the method includes:
step S201, collecting vulnerability data.
In step S201, vulnerability data may be acquired at regular times or at a preset frequency, and the vulnerability information disclosed on platforms across the whole network is acquired incrementally. Specifically, the vulnerability data may be acquired with a crawler program or by calling an API. The vulnerability data acquired in the present application includes vulnerability information data, PoC data and threat intelligence data. The vulnerability information data includes the CVE number (Common Vulnerabilities and Exposures number), the vulnerability description, CVSS information (the Common Vulnerability Scoring System, an open industry standard designed to rate the severity of a vulnerability and help determine the urgency and importance of the required response), the vulnerability type, related links, and the CPE (Common Platform Enumeration) corresponding to the vulnerability. Because the sources differ, the data may arrive in different languages, so vulnerability information data acquired from different sources may be stored in different databases, data in the same language may be stored in the same database, and databases can be created according to the actual acquisition situation.
In the application, vulnerability data is preferentially acquired incrementally, so in some embodiments the acquired vulnerability data needs deduplication and fusion processing. In particular, since the vulnerability information data carries a CVE (Common Vulnerabilities and Exposures) number as a unique identifier, the data can be deduplicated and fused on the CVE number; in one implementation, deduplication can be done with the database or according to the HTTP (Hypertext Transfer Protocol) cache mechanism.
In one example, if two vulnerability information records A and B collected from different sites have the same CVE number, A has a vulnerability title and B does not, the title in A is taken as the title of the vulnerability; and if the CVSS risk scores of A and B are consistent, one of them is taken. After deduplication and fusion, the language of the vulnerability information data is unified and the data is stored in a non-relational database.
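The deduplication and fusion of step S201, as an added example (my code, not the patent's): records from different sites are first filtered against the fingerprints of records processed in earlier collection runs (the incremental acquisition the patent describes), then merged on the CVE number so that a missing title is filled from whichever source has one and identical CVSS scores collapse to a single value. One rule is my addition, since the patent only covers the consistent case: when two sources disagree on a non-empty field, the first value is kept and the other is recorded under `conflicts` for a researcher to review. The record layout and the sample records are constructed.

```python
"""Deduplication and fusion of vulnerability information records on the CVE
number. Added example, not the patent's code.

Assumptions (mine): records are dicts with "cve" and "source" plus free fields;
when two sources disagree on a non-empty field the first value is kept and the
other is recorded under "conflicts" (the patent only covers the consistent case)."""
import hashlib
import json


def fingerprint(record):
    """Stable hash of a record's content, used to drop already-processed data."""
    canonical = json.dumps(record, sort_keys=True, ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def drop_already_processed(records, seen_fingerprints):
    """Keep only records not seen in an earlier collection run (incremental acquisition).
    seen_fingerprints is updated in place so the next run starts where this one ended."""
    fresh = []
    for rec in records:
        fp = fingerprint(rec)
        if fp not in seen_fingerprints:
            seen_fingerprints.add(fp)
            fresh.append(rec)
    return fresh


def fuse_by_cve(records):
    """Merge records that share a CVE number: empty fields are filled from any
    source, equal values collapse to one, differing values are kept as conflicts."""
    merged = {}
    for rec in records:
        cve = rec["cve"].upper()
        if cve not in merged:
            merged[cve] = {k: v for k, v in rec.items() if k != "source"}
            merged[cve]["cve"] = cve
            merged[cve]["sources"] = [rec["source"]]
            continue
        target = merged[cve]
        target["sources"].append(rec["source"])
        for field, value in rec.items():
            if field in ("cve", "source") or value in (None, ""):
                continue
            if target.get(field) in (None, ""):
                target[field] = value            # fill a missing field (the title case in the patent)
            elif target[field] != value:         # disagreement: keep the first, record the other
                target.setdefault("conflicts", {}).setdefault(field, []).append(value)
    return list(merged.values())


# Constructed sample records from two hypothetical sites (placeholder CVE numbers).
RECORDS = [
    {"cve": "CVE-0000-0001", "source": "siteA", "title": "RT-100 command injection",
     "cvss": 9.8, "description": ""},
    {"cve": "cve-0000-0001", "source": "siteB", "title": "",
     "cvss": 9.8, "description": "Unauthenticated OS command injection in the web UI."},
    {"cve": "CVE-0000-0002", "source": "siteA", "title": "CAM-7 auth bypass",
     "cvss": 8.1, "description": ""},
    {"cve": "CVE-0000-0002", "source": "siteB", "title": "CAM-7 auth bypass",
     "cvss": 7.5, "description": ""},
]

if __name__ == "__main__":
    seen = set()
    for row in fuse_by_cve(drop_already_processed(RECORDS, seen)):
        print(row["cve"], row["title"], row["cvss"], row["sources"], row.get("conflicts"))
```

Normalising the CVE number to upper case before grouping is what makes the two records for the first CVE fuse at all; a source that lower-cases identifiers would otherwise produce a duplicate row.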
Step S202, updating the historical device information table and the historical vulnerability information table according to the vulnerability data, and generating a current device information table and a current vulnerability information table.
In one implementation, the preset historical device information table and historical vulnerability information table are formed by collecting the relevant information of all IoT vulnerabilities disclosed on the network and then processing and sorting it. The device information table and the vulnerability information table are associated through the CVE number of the IoT vulnerability.
Table 1 is an example of a device information table in the embodiment of the present application. Referring to table 1, the device information table includes the four fields device manufacturer, device model, device type and device identifier, and a device information base is created to store the device information table.
Table 1. Device information table (rendered as an image in the original document and not reproduced here; it has the four fields named above).
In the application, a vulnerability information base is also created for storing a vulnerability information table, where the vulnerability information table includes the CVE number, title, CWE (Common Weakness Enumeration), CPE (Common Platform Enumeration), related links, vulnerability type, corresponding device type, device manufacturer, PoC (proof-of-concept code), vulnerability title, solution measures and the like.
In some application embodiments, updating the historical device information table and the historical vulnerability information table according to vulnerability data is implemented by the following steps:
step A1, identifying the vulnerability of the Internet of things in vulnerability information data according to a historical device information table.
In step A1, the process of identifying the Internet of things vulnerability according to the historical device information table is as follows. First, a device manufacturer dictionary, a device model dictionary, a device type dictionary and a device identifier dictionary are generated from the historical device information table. In the embodiment of the present application, the historical device information table includes at least the four fields of device manufacturer, device model, device type and device identifier, and one dictionary is generated for each of the four fields, where each dictionary contains the values stored in the corresponding field of the historical device information table. For example, if the device manufacturer field of the historical device information table contains six manufacturers C1 to C6, the device manufacturer dictionary is { "C1", "C2", "C3", "C4", "C5", "C6" }, and the other three dictionaries are produced in the same way. The values in the four dictionaries are kept identical to those in the historical device information table, so whenever the historical device information table is updated or records are deleted, the dictionaries must be updated or have entries deleted correspondingly. The Internet of things vulnerability is then identified according to the four dictionaries: specifically, if at least two of the four dictionaries match the vulnerability information corresponding to a vulnerability in the vulnerability information data, the vulnerability is determined to be an Internet of things vulnerability.
The acquired vulnerability information data at least comprises vulnerability related information, such as a CVE number, vulnerability description information, CVSS information, vulnerability types, related links, CPE corresponding to the vulnerability and the like of the vulnerability, and the information may be collected incompletely. Taking the example that only one vulnerability is included in the collected vulnerability information data, the four dictionaries are respectively matched with the vulnerability information data, namely information corresponding to four fields of a device manufacturer, a device model, a device type and a device identifier of the vulnerability is extracted from the vulnerability information data, then value matching is carried out in the four dictionaries, and the vulnerability is judged to be the vulnerability of the internet of things as long as at least two dictionaries match the same value in the vulnerability information data. In some application embodiments, it may also be determined whether the information extracted from the vulnerability information data is associated with at least two dictionaries, and whether the information is associated with at least two dictionaries may be determined by keywords, and if the at least two dictionaries are associated with the vulnerability information data, the vulnerability is determined to be an internet of things vulnerability.
And step A2, updating the vulnerability information of the identified vulnerability of the Internet of things in the vulnerability information data into a historical device information table and a historical vulnerability information table.
In step A2, when updating the historical device information table, it is first determined whether all four dictionaries of step A1 match the vulnerability information corresponding to the vulnerability in the vulnerability information data. If so, the values matched by the four dictionaries, that is, the values of the Internet of things vulnerability for each field of the historical device information table, form the record; before this record is written to the device information table, the historical device information table is traversed to check whether the record already exists, and if it does, the table does not need to be updated, so that repeated storage is avoided.
In some application embodiments, if at least one of the four dictionaries does not match the corresponding vulnerability information of the identified Internet of things vulnerability in the vulnerability information data, the actual information of the Internet of things vulnerability for the field represented by the unmatched dictionary is extracted from the vulnerability information data. The extraction process comprises checking whether a CPE list of the Internet of things vulnerability exists in the vulnerability information data; if it does, the actual information for the fields represented by the unmatched dictionaries, namely the device manufacturer information, device model information, device type information and/or device identifier information, is obtained from the CPE list; if no CPE list of the Internet of things vulnerability exists in the vulnerability information data, the actual information for those fields, namely the device manufacturer information, device model information, device type information and/or device identifier information, is extracted from the vulnerability information data by the pre-trained named entity model.
Because most Internet of things vulnerabilities have a corresponding CPE list (that is, they are listed in the Common Platform Enumeration), and the CPE list has a fixed format comprising the four pieces of information corresponding to the vulnerability, namely device manufacturer, device model, device type and device identifier, extraction first checks whether a CPE list for the Internet of things vulnerability exists in the acquired vulnerability information data. If it does, the information can be extracted completely from the list; if it does not, the corresponding information is extracted from the vulnerability description by the pre-trained named entity model. In this way the method automatically completes the actual data of each field and improves the readability and integrity of the vulnerability information.
And combining the matched information in the dictionary with the extracted actual information to form a record of the vulnerability of the Internet of things corresponding to each field in the historical equipment information table, updating the combined complete record into the historical equipment information table, and generating the current equipment information table. After the historical device information table is updated, the four dictionaries are updated according to the current device information table. In an implementation mode, after the equipment manufacturer information, the equipment model information, the equipment type information and/or the equipment identification information are extracted from the vulnerability information data, the record of the vulnerability of the internet of things can be marked, and a security researcher rechecks the record and updates the record into a historical equipment information table after confirming the correctness.
In the embodiment of the application, the device manufacturer dictionary, device model dictionary, device type dictionary and device identifier dictionary are updated in real time according to the device information table; this self-expanding dictionary scheme keeps the dictionary information in its latest state and ensures the accuracy of Internet of things vulnerability identification.
When the historical vulnerability information table is updated, the pre-trained named entity model can be used to extract, from the vulnerability information data, the information corresponding to each field of the historical vulnerability information table and update it into the table. If the extracted information is the same as the information already in the historical vulnerability information table, it is left unchanged; only information that is absent from, or differs from, the existing entry of the corresponding Internet of things vulnerability in the historical vulnerability information table is updated.
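The following Python script, added here as an illustration and not part of the patent or of any product of the applicant, implements steps A1 and A2 as described above: four dictionaries derived from a device information table, the two-dictionary rule for recognising an Internet of things vulnerability, completion of unmatched fields from the CPE list (or from a caller-supplied `ner` callable standing in for the pre-trained named entity model), and the self-expanding dictionaries with duplicate-record suppression. The CPE 2.3 field mapping, the device table contents and the CVE numbers are assumptions or constructed sample data.

```python
import re
from dataclasses import dataclass, field

# The four fields of the historical device information table (Table 1).
FIELDS = ("manufacturer", "model", "type", "identifier")


@dataclass
class DeviceTable:
    """Historical device information table plus the four dictionaries derived from it."""
    records: list = field(default_factory=list)
    dicts: dict = field(default_factory=lambda: {f: set() for f in FIELDS})

    def rebuild_dicts(self) -> None:
        # Each dictionary holds exactly the values stored in its field, so the
        # dictionaries grow with the table (the page's self-expanding dictionaries).
        for f in FIELDS:
            self.dicts[f] = {r[f] for r in self.records}

    def add(self, record: dict) -> bool:
        """Insert a complete record unless an identical one is already stored."""
        if record in self.records:
            return False  # repeated storage avoided
        self.records.append(record)
        self.rebuild_dicts()
        return True


def parse_cpe(cpe: str):
    """Map one CPE 2.3 string onto the four device fields.
    Assumed mapping (the page only says the CPE list carries the four device
    fields in a fixed format): vendor -> manufacturer, product -> model,
    part -> type (h = hardware, o = os, a = application), version -> identifier."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    part_names = {"h": "hardware", "o": "os", "a": "application"}
    return {"manufacturer": parts[3], "model": parts[4],
            "type": part_names.get(parts[2], parts[2]), "identifier": parts[5]}


def match_dictionaries(vuln: dict, table: DeviceTable) -> dict:
    """Step A1: {field: value} for every dictionary that matches the vulnerability.
    A dictionary value matches when it equals the value taken from the CPE list
    or occurs as a keyword in the vulnerability description."""
    from_cpe = {f: set() for f in FIELDS}
    for parsed in filter(None, map(parse_cpe, vuln.get("cpe", []))):
        for f in FIELDS:
            from_cpe[f].add(parsed[f].lower())
    desc = vuln.get("description", "").lower()
    matched = {}
    for f in FIELDS:
        for value in sorted(table.dicts[f]):
            if value in from_cpe[f] or re.search(r"\b%s\b" % re.escape(value), desc):
                matched[f] = value
                break
    return matched


def is_iot_vulnerability(vuln: dict, table: DeviceTable) -> bool:
    # Page rule: at least two of the four dictionaries must match.
    return len(match_dictionaries(vuln, table)) >= 2


def complete_record(vuln: dict, table: DeviceTable, ner=None):
    """Step A2: build the full four-field record for an identified IoT vulnerability.
    Dictionary matches are kept; unmatched fields come from the CPE list, or from
    `ner` (assumed callable returning {field: value} from the description) when
    there is no CPE list. Returns (record, needs_review); needs_review is True
    when some field was extracted rather than matched, so a researcher confirms it."""
    record = match_dictionaries(vuln, table)
    missing = [f for f in FIELDS if f not in record]
    parsed = next(filter(None, map(parse_cpe, vuln.get("cpe", []))), None)
    if missing and parsed:
        for f in missing:
            record[f] = parsed[f].lower()
    elif missing and ner is not None:
        for f, value in ner(vuln.get("description", "")).items():
            if f in missing and value:
                record[f] = value.lower()
    return record, bool(missing)


# Constructed sample data (not from the page); the CVE numbers are placeholders.
SAMPLE_TABLE = DeviceTable()
SAMPLE_TABLE.add({"manufacturer": "acmenet", "model": "rx100",
                  "type": "router", "identifier": "1.0"})
SAMPLE_VULNS = [
    {"cve": "CVE-0000-0001",
     "description": "Improper authentication in the acmenet rx200 router web interface.",
     "cpe": ["cpe:2.3:h:acmenet:rx200:2.1:*:*:*:*:*:*:*"]},
    {"cve": "CVE-0000-0002",
     "description": "SQL injection in the fooinc shopcart web application.",
     "cpe": ["cpe:2.3:a:fooinc:shopcart:3.2:*:*:*:*:*:*:*"]},
    {"cve": "CVE-0000-0003",
     "description": "Command injection in acmenet rx100 router firmware 1.0.",
     "cpe": []},
]
```

Running the three samples through `is_iot_vulnerability` and `complete_record` marks the first as an IoT vulnerability needing review (model and identifier filled from the CPE), rejects the second, and recognises the third as an already stored device so `add` returns False.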
And A3, determining whether the vulnerability of the Internet of things exists in the Poc data and the threat information data according to the updated historical vulnerability information table.
After the historical device information table and the historical vulnerability information table have been updated according to the vulnerability information data, it is determined from the updated historical vulnerability information table whether Internet of things vulnerabilities exist in the PoC data and the threat intelligence data. The historical vulnerability information table stores at least the CVE number of each Internet of things vulnerability, and the PoC data and the threat intelligence data contain at least the CVE numbers of the collected vulnerabilities. The CVE numbers that appear in both the PoC data and the threat intelligence data are extracted by means of a regular expression. Only the CVE numbers common to both are taken because vulnerability information in threat intelligence may be false, duplicated or incomplete; PoC is proof-of-concept code that verifies a vulnerability, so if a CVE number in the threat intelligence data also appears in the PoC data, the vulnerability corresponding to that CVE number has been verified, or is highly correlated with a verified vulnerability, and really exists. This improves the accuracy of the vulnerability data. The extracted common CVE numbers are then compared with the CVE number of each vulnerability in the historical vulnerability information table to determine whether the same Internet of things vulnerability exists in the table; if it does, it is determined that the Internet of things vulnerability exists in the PoC data and the threat intelligence data.
And step A4, if such vulnerabilities exist, updating the PoC data and threat intelligence data determined to correspond to the Internet of things vulnerabilities into the historical vulnerability information table.
In step A4, the PoC data and threat intelligence data corresponding to the Internet of things vulnerability determined in step A3 are updated into the historical vulnerability information table, that is, the PoC data corresponding to the Internet of things vulnerability and/or the URL corresponding to the threat intelligence data are added to the historical vulnerability information table. This completes the update of the historical vulnerability information table and generates the current vulnerability information table.
In some application embodiments, the newly added threat information data in the current vulnerability information table is pushed to security researchers, so that the security researchers can check the data on one hand, and on the other hand, the security researchers can timely acquire the threat information and timely process related vulnerabilities.
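As an added illustration, not code from the patent, the following Python script carries out steps A3 and A4: CVE numbers are pulled from PoC data and threat intelligence data with a regular expression, only numbers present in both sources and in the historical vulnerability information table are accepted, and the PoC and intelligence URLs are appended to the table, returning the newly added intelligence that would be pushed to researchers. All records, URLs and CVE numbers are constructed placeholders, and the table layout (a dict keyed by CVE number) is an assumption.

```python
import re

# CVE identifier pattern; matched case-insensitively and normalised to upper case.
# A truncated number such as "CVE-0000-001" does not match (fewer than four digits).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)


def extract_cves(text: str) -> set:
    """Return the set of well-formed CVE numbers found in free text."""
    return {m.upper() for m in CVE_RE.findall(text)}


def confirmed_iot_cves(poc_items, intel_items, vuln_table) -> dict:
    """Step A3: CVE numbers present in both the PoC data and the threat
    intelligence data and already recorded in the historical vulnerability table.
    poc_items / intel_items: lists of {"text": ..., "url": ...} (assumed shape).
    vuln_table: {cve: row} keyed by CVE number (assumed shape).
    Returns {cve: {"poc": [urls], "intel": [urls]}}."""
    by_source = {"poc": {}, "intel": {}}
    for source, items in (("poc", poc_items), ("intel", intel_items)):
        for item in items:
            for cve in extract_cves(item["text"]):
                by_source[source].setdefault(cve, set()).add(item["url"])
    common = set(by_source["poc"]) & set(by_source["intel"]) & set(vuln_table)
    return {cve: {"poc": sorted(by_source["poc"][cve]),
                  "intel": sorted(by_source["intel"][cve])} for cve in common}


def update_vuln_table(vuln_table, confirmed) -> list:
    """Step A4: append new PoC and threat-intelligence URLs to the table rows.
    Returns (cve, url) pairs of newly added threat intelligence, i.e. the items
    the page says are pushed to security researchers; an unchanged row adds none."""
    new_intel = []
    for cve, links in confirmed.items():
        row = vuln_table[cve]
        for source in ("poc", "intel"):
            existing = row.setdefault(source, [])
            for url in links[source]:
                if url not in existing:
                    existing.append(url)
                    if source == "intel":
                        new_intel.append((cve, url))
    return new_intel


# Constructed sample data; CVE numbers and URLs are placeholders, not real ones.
SAMPLE_VULN_TABLE = {
    "CVE-0000-0001": {"title": "acmenet rx200 improper authentication"},
    "CVE-0000-0002": {"title": "acmenet rx100 command injection",
                      "poc": ["https://poc.example/2"]},
}
SAMPLE_POC = [
    {"text": "PoC script for cve-0000-0001 (acmenet rx200)", "url": "https://poc.example/1"},
    {"text": "PoC script, CVE-0000-0002", "url": "https://poc.example/2"},
    {"text": "Checker for CVE-0000-0009", "url": "https://poc.example/9"},  # not in table
]
SAMPLE_INTEL = [
    {"text": "Report: CVE-0000-0001 observed; see also CVE-0000-001 (truncated)",
     "url": "https://intel.example/a"},
    {"text": "CVE-0000-0001 mentioned again in a second report", "url": "https://intel.example/b"},
    {"text": "CVE-0000-0009 advisory", "url": "https://intel.example/c"},
    {"text": "CVE-0000-0003 is not in the table", "url": "https://intel.example/d"},
]
```

With the sample data only CVE-0000-0001 is confirmed: CVE-0000-0002 has PoC data but no intelligence, and CVE-0000-0009 is not in the historical table.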
And step S203, updating the multidimensional knowledge map according to the current equipment information table and the current vulnerability information table, wherein the multidimensional knowledge map is constructed based on the historical equipment information table and the historical vulnerability information table.
In the embodiment of the application, after the historical device information table and the historical vulnerability information table are preset, an initial knowledge graph can be constructed according to the association relation between the two tables. In the application, the knowledge graph is constructed from two dimensions: based on the existing values of the device manufacturer field in the historical device information table, Internet of things vulnerabilities with the same device manufacturer are grouped into one class to construct the knowledge graph; and based on the existing values of the device type field in the historical device information table, Internet of things vulnerabilities with the same device type are grouped into one class to construct the knowledge graph. In some application embodiments, a knowledge graph of further dimensions may also be constructed from other fields in the historical device information table.
The constructed knowledge graph also includes the association degree between vulnerabilities, whose value ranges from 0 to 5. The calculation table for the association degree between vulnerabilities is shown in Table 2: the association degree is calculated from five dimensions, a dimension takes the value 1 if the two vulnerabilities are the same in that dimension and 0 otherwise, and the association degree is the sum of the values of all dimensions.
Table 2. Association degree calculation table (rendered as an image in the original document and not reproduced here).
After the historical device information table and the historical vulnerability information table are updated by collecting vulnerability data each time, corresponding information updating needs to be carried out on the knowledge map, and therefore when a new threat report of the vulnerability of the Internet of things is obtained, the knowledge map can provide the latest vulnerability incidence relation for security researchers, the security researchers can rapidly process the vulnerability of the Internet of things, and powerful data support is provided for the security researchers.
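The following Python script is an added example (not the patent's own code) of the knowledge graph construction and update described in step S203: vulnerabilities are classified by device manufacturer and by device type, an association degree between 0 and 5 is computed with the 1-or-0 rule above, and an incremental update recomputes only the edges touching changed vulnerabilities, so a researcher receiving a new threat report can query the latest associations. Because Table 2 is not reproduced on the page, the five dimensions used (manufacturer, device type, model, vulnerability type, CWE) are an assumption, and all vulnerability records are constructed.

```python
from itertools import combinations

# Table 2 (the five association dimensions) is an image not reproduced on the
# page, so these five dimensions are an assumption made to run the calculation.
ASSUMED_DIMENSIONS = ("manufacturer", "type", "model", "vuln_type", "cwe")
GROUP_FIELDS = ("manufacturer", "type")  # the two classification dimensions on the page


def association_degree(a: dict, b: dict, dims=ASSUMED_DIMENSIONS) -> int:
    """Page rule: a dimension scores 1 if both vulnerabilities have the same
    value in it, otherwise 0; the degree is the sum, so it lies in 0..5."""
    return sum(1 for d in dims if a.get(d) is not None and a.get(d) == b.get(d))


def build_knowledge_graph(vulns: dict, min_degree: int = 1) -> dict:
    """Initial graph: vulnerabilities classified by manufacturer and by device
    type, plus edges weighted by association degree (only degrees >= min_degree)."""
    classes = {gf: {} for gf in GROUP_FIELDS}
    for cve, v in vulns.items():
        for gf in GROUP_FIELDS:
            classes[gf].setdefault(v.get(gf), []).append(cve)
    edges = {}
    for (c1, v1), (c2, v2) in combinations(sorted(vulns.items()), 2):
        deg = association_degree(v1, v2)
        if deg >= min_degree:
            edges[(c1, c2)] = deg  # key is the sorted CVE pair
    return {"classes": classes, "edges": edges}


def update_knowledge_graph(graph: dict, vulns: dict, changed: dict, min_degree: int = 1) -> dict:
    """Incremental update after a collection run: merge new or changed rows,
    refresh their class membership and recompute only the edges touching them."""
    vulns.update(changed)
    for cve in changed:
        for gf, cls in graph["classes"].items():
            for members in cls.values():
                if cve in members:
                    members.remove(cve)
            cls.setdefault(vulns[cve].get(gf), []).append(cve)
        for key in [k for k in graph["edges"] if cve in k]:
            del graph["edges"][key]
    for cve in changed:
        for other in vulns:
            if other != cve:
                deg = association_degree(vulns[cve], vulns[other])
                if deg >= min_degree:
                    graph["edges"][tuple(sorted((cve, other)))] = deg
    return graph


def related(graph: dict, cve: str) -> list:
    """Vulnerabilities associated with `cve`, strongest first: what the graph
    offers a researcher when a new threat report for that CVE arrives."""
    out = [(c2 if c1 == cve else c1, deg)
           for (c1, c2), deg in graph["edges"].items() if cve in (c1, c2)]
    return sorted(out, key=lambda x: (-x[1], x[0]))


# Constructed sample rows (CVE numbers are placeholders, device names invented).
SAMPLE_VULNS = {
    "CVE-0000-0001": {"manufacturer": "acmenet", "type": "router", "model": "rx200",
                      "vuln_type": "authentication bypass", "cwe": "CWE-287"},
    "CVE-0000-0002": {"manufacturer": "acmenet", "type": "router", "model": "rx100",
                      "vuln_type": "command injection", "cwe": "CWE-78"},
    "CVE-0000-0003": {"manufacturer": "betacam", "type": "camera", "model": "bc1",
                      "vuln_type": "authentication bypass", "cwe": "CWE-287"},
}
NEW_VULN = {
    "CVE-0000-0004": {"manufacturer": "acmenet", "type": "router", "model": "rx200",
                      "vuln_type": "command injection", "cwe": "CWE-78"},
}
```

On the sample data the first two rows share manufacturer and type (degree 2), the first and third share vulnerability type and CWE (degree 2), and after the update the new row is most strongly associated with CVE-0000-0002 (degree 4).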
It should be noted that for simplicity of description, the above-mentioned method embodiments are described as a series of acts, but those skilled in the art should understand that the present disclosure is not limited by the described order of acts, as some steps may be performed in other orders or simultaneously according to the present disclosure. Further, those skilled in the art will appreciate that the embodiments described in the specification are exemplary embodiments and that acts and modules are not necessarily required for the disclosure.
The above is a description of embodiments of the method, and the embodiments of the apparatus are described below to further illustrate the aspects of the disclosure.
Fig. 3 is a schematic block diagram of an apparatus for dynamically tracking and processing vulnerabilities of the internet of things in the embodiment of the present application, and with reference to fig. 3, the apparatus includes:
the acquisition module 301 is configured to acquire vulnerability data.
The first updating module 302 is configured to update the historical device information table and the historical vulnerability information table according to the vulnerability data, and generate a current device information table and a current vulnerability information table.
The second updating module 303 updates the multidimensional knowledge map based on the current device information table and the current vulnerability information table, where the multidimensional knowledge map is constructed based on the historical device information table and the historical vulnerability information table.
The device information table is used for storing device information related to the vulnerability of the Internet of things, and the vulnerability information table is used for storing basic information of the vulnerability of the Internet of things.
In some application embodiments, the vulnerability data includes vulnerability information data, poc data and threat information data, and the first updating module is specifically configured to identify an internet of things vulnerability in the vulnerability information data according to a historical device information table; updating vulnerability information corresponding to the identified vulnerability of the Internet of things in vulnerability information data into a historical device information table and a historical vulnerability information table; determining whether the Poc data and the threat information data have the vulnerability of the Internet of things according to the updated historical vulnerability information table; and if so, updating the determined Poc data and threat information data corresponding to the vulnerability of the Internet of things into a historical vulnerability information table.
In some application embodiments, the device further includes a processing module, configured to perform deduplication and fusion processing on the collected vulnerability data.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working process of the described module may refer to the corresponding process in the foregoing method embodiment, and details are not described herein again.
The present application provides a computer-readable storage medium, on which a computer program is stored, which, when running on a computer, enables the computer to execute the corresponding content in the foregoing method embodiments.
It should be understood that, although the steps in the flowcharts of the figures are shown in an order indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not restricted to the exact order shown and may be performed in other orders. Moreover, at least some of the steps in the flowcharts may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed in sequence but may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
The foregoing is only a partial embodiment of the present application, and it should be noted that, for those skilled in the art, several modifications and decorations can be made without departing from the principle of the present application, and these modifications and decorations should also be regarded as the protection scope of the present application.

Claims (8)

1. A dynamic tracking and processing method for vulnerabilities of the Internet of things is characterized by comprising the following steps:
collecting vulnerability data; updating a historical device information table and a historical vulnerability information table according to the vulnerability data, and generating a current device information table and a current vulnerability information table; updating a multidimensional knowledge map according to the current equipment information table and the current vulnerability information table, wherein the multidimensional knowledge map is constructed based on the historical equipment information table and the historical vulnerability information table; the device information table is used for storing device information related to the Internet of things vulnerability, and the vulnerability information table is used for storing basic information of the Internet of things vulnerability;
wherein the vulnerability data includes vulnerability information data, Poc data and threat intelligence data, and updating the historical device information table and the historical vulnerability information table according to the vulnerability data includes:
identifying the vulnerability of the Internet of things in the vulnerability information data according to a historical equipment information table; updating the vulnerability information corresponding to the identified IOT vulnerability in the vulnerability information data into the historical equipment information table and the historical vulnerability information table; determining whether an internet of things vulnerability exists in the Poc data and the threat information data according to the updated historical vulnerability information table; if yes, updating the determined Poc data and threat information data corresponding to the vulnerability of the Internet of things into the historical vulnerability information table;
identifying the IOT vulnerabilities in the vulnerability information data according to a historical device information table, including:
generating an equipment manufacturer dictionary, an equipment model dictionary, an equipment type dictionary and an equipment identification dictionary according to the historical equipment information table; and if at least two dictionaries in the four dictionaries are matched with vulnerability information corresponding to vulnerabilities in the vulnerability information data, determining that the vulnerabilities are vulnerabilities of the Internet of things.
2. The method for dynamically tracking and processing the vulnerabilities of the internet of things according to claim 1, wherein the updating vulnerability information corresponding to the identified vulnerabilities of the internet of things in the vulnerability information data to the historical device information table and the historical vulnerability information table includes:
if at least one dictionary in the four dictionaries is not matched with the corresponding vulnerability information of the identified IOT vulnerability in the vulnerability information data, extracting the actual information of the IOT vulnerability corresponding to the unmatched dictionary from the vulnerability information data; combining and updating the matched information in the dictionary and the extracted actual information into the historical equipment information table; and extracting information corresponding to each field in the historical vulnerability information table from the vulnerability information data and updating the information into the historical vulnerability information table.
3. The method for dynamically tracking and processing the vulnerability of the internet of things according to claim 2, wherein extracting the actual information of the vulnerability of the internet of things corresponding to the unmatched dictionary from the vulnerability information data comprises:
judging whether a CPE list of the vulnerability of the Internet of things exists in the vulnerability information data; if yes, acquiring equipment manufacturer information, equipment model information, equipment type information and/or equipment identification information of the vulnerability of the Internet of things in the CPE list; if not, extracting equipment manufacturer information, equipment model information, equipment type information and/or equipment identification information of the vulnerability of the Internet of things from the vulnerability information data based on the pre-trained named entity model.
4. The method for dynamically tracking and processing vulnerabilities of the Internet of things according to claim 1, wherein the historical vulnerability information table, the Poc data and the threat intelligence data at least include CVE numbers, and determining whether a vulnerability of the Internet of things exists in the Poc data and the threat intelligence data according to the updated historical vulnerability information table includes:
extracting the same CVE number in the Poc data and the threat information data, and judging whether the CVE number exists in the historical vulnerability information table:
and if the vulnerability exists, determining that the vulnerability of the Internet of things exists in the Poc data and the threat information data.
5. The method for dynamically tracking and processing the vulnerability of the Internet of things according to claim 1, wherein before the updating of the historical device information table and the historical vulnerability information table according to the vulnerability data, the method further comprises:
and carrying out duplicate removal and fusion processing on the acquired vulnerability data.
6. An apparatus for dynamically tracking and processing vulnerabilities of the Internet of things, characterized by comprising:
an acquisition module, a first updating module and a second updating module, wherein the acquisition module is used for acquiring vulnerability data, and the vulnerability data comprises vulnerability information data, Poc data and threat intelligence data; the first updating module is used for updating the historical device information table and the historical vulnerability information table according to the vulnerability data and generating a current device information table and a current vulnerability information table, and specifically includes:
identifying the vulnerability of the Internet of things in the vulnerability information data according to a historical equipment information table; updating the vulnerability information corresponding to the identified IOT vulnerability in the vulnerability information data into the historical equipment information table and the historical vulnerability information table; determining whether an internet of things vulnerability exists in the Poc data and the threat information data according to the updated historical vulnerability information table; if yes, updating the determined Poc data and threat information data corresponding to the vulnerability of the Internet of things into the historical vulnerability information table;
wherein identifying the Internet of things vulnerability in the vulnerability information data according to the historical device information table includes:
generating an equipment manufacturer dictionary, an equipment model dictionary, an equipment type dictionary and an equipment identification dictionary according to the historical equipment information table; if at least two dictionaries in the four dictionaries are matched with vulnerability information corresponding to vulnerabilities in the vulnerability information data, determining that the vulnerabilities are vulnerabilities of the Internet of things;
the second updating module is used for updating the multidimensional knowledge map according to the current equipment information table and the current vulnerability information table, wherein the multidimensional knowledge map is constructed on the basis of the historical equipment information table and the historical vulnerability information table; the device information table is used for storing device information related to the vulnerability of the Internet of things, and the vulnerability information table is used for storing basic information of the vulnerability of the Internet of things.
7. An electronic device comprising a memory and a processor, the memory having stored thereon a computer program, wherein the processor when executing the program implements the method of any one of claims 1 to 5.
8. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the method according to any one of claims 1 to 5.
CN202210409775.9A 2022-04-19 2022-04-19 Method and device for dynamically tracking and processing vulnerability of Internet of things, electronic equipment and medium Active CN114817929B (en)

Publications (2)

Publication Number Publication Date
CN114817929A CN114817929A (en) 2022-07-29
CN114817929B true CN114817929B (en) 2022-11-22

CN110765100B (en) Label generation method and device, computer readable storage medium and server
CN114547050A (en) Batch processing content duplication judging method, system, device, terminal equipment and storage medium
CN112187768B (en) Method, device and equipment for detecting bad information website and readable storage medium
US11347722B2 (en) Big data regression verification method and big data regression verification apparatus
WO2024021874A1 (en) Vulnerability analysis method and apparatus, and device and computer-readable storage medium
CN114254081B (en) Enterprise big data search system, method and electronic equipment
CN117539759A (en) Method, system, electronic equipment and storage medium for identifying similar defects
CN115794862A (en) Database data verification method, device, equipment and storage medium
CN115935039A (en) Webpage data classification method, device, equipment and storage medium
CN114237685A (en) Data processing method and device, electronic equipment and storage medium
CN118075233A (en) Legal domain name identification method and device and computer equipment
CN114722390A (en) Method, device, equipment and medium for safety data integration and feature extraction
CN117851608A (en) Case map generation method, device, equipment and medium
CN114416174A (en) Model reconstruction method and device based on metadata, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant