CN115859300A - Vulnerability detection method and device, electronic equipment and storage medium - Google Patents

Vulnerability detection method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN115859300A
CN115859300A CN202211518436.0A CN202211518436A CN115859300A CN 115859300 A CN115859300 A CN 115859300A CN 202211518436 A CN202211518436 A CN 202211518436A CN 115859300 A CN115859300 A CN 115859300A
Authority
CN
China
Prior art keywords
simulation
simulation attack
attack
plug
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211518436.0A
Other languages
Chinese (zh)
Inventor
李蒙
王宝华
沈东明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ccb Trust Co ltd
Original Assignee
Ccb Trust Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ccb Trust Co ltd filed Critical Ccb Trust Co ltd
Priority to CN202211518436.0A priority Critical patent/CN115859300A/en
Publication of CN115859300A publication Critical patent/CN115859300A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a vulnerability detection method and device, electronic equipment and a storage medium. Acquiring real-time access parameters of a target system to be subjected to vulnerability detection as comparison information, and acquiring a target simulation attack plug-in matched with the comparison information from a pre-constructed simulation attack plug-in library; acquiring simulation output information matched with the target simulation attack plug-in and taking the simulation output information as new comparison information; returning to execute the operation of obtaining the target simulation attack plug-in matched with the comparison information from the pre-constructed simulation attack plug-in library until the comparison finishing condition is met; and assembling the sequentially obtained target simulation attack plug-ins to obtain a simulation attack template, and executing the simulation attack template to perform vulnerability detection on the target system. The problem that penetration testing can only select a certain number of attack templates to simulate attack is solved, the simulation attack plug-in can be dynamically scheduled and decided, and the reuse rate, attack path coverage rate and penetration testing effect of the simulation attack plug-in are improved.

Description

Vulnerability detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a vulnerability detection method and apparatus, an electronic device, and a storage medium.
Background
The penetration test usually comprises a plurality of stages of information collection, boundary breakthrough, horizontal penetration, authority promotion and the like, each stage has various attack modes (attack plug-ins), and the traditional automatic penetration mode usually assembles a plurality of attack plug-ins according to a specific attack path and an execution sequence to form a set of attack templates.
In the process of implementing the invention, the inventor finds that the prior art has the following defects: at present, because a user can only select a certain number of attack templates to try in the penetration test, however, with the development of the attack and defense technology, the attack means are more and more diversified, the attack paths formed by different attack means are almost endless, the automatic penetration test performed by fixing the attack templates is difficult to cover all the attack paths to the maximum extent, and the penetration effect is poor.
Disclosure of Invention
The invention provides a vulnerability detection method, a vulnerability detection device, electronic equipment and a storage medium, which are used for improving the reuse rate, attack path coverage rate and penetration test effect of a simulation attack plug-in.
According to an aspect of the present invention, a vulnerability detection method is provided, which includes:
acquiring real-time access parameters of a target system to be subjected to vulnerability detection as comparison information, and acquiring a target simulation attack plug-in matched with the comparison information from a pre-constructed simulation attack plug-in library;
acquiring standard simulation output information matched with the target simulation attack plug-in, and taking the standard simulation output information as new comparison information;
returning to execute the operation of obtaining the target simulation attack plug-in matched with the comparison information from the pre-constructed simulation attack plug-in library until the comparison finishing condition is met;
and assembling the sequentially acquired target simulation attack plug-ins to obtain a simulation attack template, and performing vulnerability detection on the target system by executing the simulation attack template.
According to another aspect of the present invention, there is provided a vulnerability detection apparatus, including:
the target simulation attack plug-in acquisition module is used for acquiring real-time access parameters of a target system to be subjected to vulnerability detection as comparison information and acquiring a target simulation attack plug-in matched with the comparison information from a pre-constructed simulation attack plug-in library;
the new comparison information determining module is used for acquiring standard simulation output information matched with the target simulation attack plug-in and taking the standard simulation output information as new comparison information;
the comparison ending condition satisfying module is used for returning and executing the operation of acquiring the target simulation attack plug-in matched with the comparison information from the pre-constructed simulation attack plug-in library until the comparison ending condition is satisfied;
and the vulnerability detection module is used for assembling each target simulation attack plug-in acquired sequentially to obtain a simulation attack template, and performing vulnerability detection on the target system by executing the simulation attack template.
According to another aspect of the present invention, there is provided an electronic device including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the vulnerability detection method according to any embodiment of the present invention when executing the computer program.
According to another aspect of the present invention, a computer-readable storage medium is provided, in which computer instructions are stored, and the computer instructions are used for causing a processor to implement the vulnerability detection method of any embodiment of the present invention when the processor executes the computer instructions.
According to the technical scheme of the embodiment of the invention, the real-time access parameters of the target system to be subjected to vulnerability detection are obtained and used as comparison information, and the target simulation attack plug-in matched with the comparison information is obtained from a pre-constructed simulation attack plug-in library; acquiring standard simulation output information matched with the target simulation attack plug-in, and taking the standard simulation output information as new comparison information; returning to execute the operation of obtaining the target simulation attack plug-in matched with the comparison information from the pre-constructed simulation attack plug-in library until the comparison finishing condition is met; and assembling the sequentially obtained target simulation attack plug-ins to obtain a simulation attack template, and executing the simulation attack template to perform vulnerability detection on the target system. The problem that penetration testing can only select a certain number of attack templates to simulate attack is solved, the simulation attack plug-in can be dynamically scheduled and decided, and the reuse rate, attack path coverage rate and penetration testing effect of the simulation attack plug-in are improved.
It should be understood that the statements in this section are not intended to identify key or critical features of the embodiments of the present invention, nor are they intended to limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a vulnerability detection method according to an embodiment of the present invention;
fig. 2 is a flowchart of another vulnerability detection method according to a second embodiment of the present invention;
fig. 3 is a schematic structural diagram of a vulnerability detection apparatus according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It is to be understood that the terms "target," "current," and the like in the description and claims of the present invention and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
Fig. 1 is a flowchart of a vulnerability detection method according to an embodiment of the present invention, where the embodiment is applicable to a situation where a simulation attack plugin is dynamically scheduled in a simulation penetration test, and the method may be executed by a vulnerability detection apparatus, and the vulnerability detection apparatus may be implemented in a form of hardware and/or software.
Accordingly, as shown in fig. 1, the method comprises:
s110, acquiring real-time access parameters of a target system to be subjected to vulnerability detection as comparison information, and acquiring a target simulation attack plug-in matched with the comparison information from a pre-constructed simulation attack plug-in library.
The real-time access parameter may be a parameter input by a user in the target system, and the acquired parameter is used as the real-time access parameter. The comparison information can be the comparison information which can be identified by the simulation attack plugin library and is obtained by performing parameter conversion processing on the real-time access parameters.
The simulation attack plugin library can be a plugin library composed of standard simulation attack plugins, standard comparison information and standard simulation output information, the simulation attack plugin library comprises a plurality of standard simulation attack plugins, and each standard simulation attack plugin comprises corresponding standard comparison information and standard simulation output information. The target simulation attack plugin can be compared with standard comparison information in a simulation attack plugin library according to the comparison information, so that the corresponding simulation attack plugin is determined.
In this embodiment, first, a real-time access parameter of a target system to be detected for a vulnerability is obtained, and then the real-time access parameter is converted to obtain corresponding comparison information. And matching with a pre-constructed simulation attack plugin library according to the comparison information, so as to obtain the target simulation attack plugin through matching.
Optionally, the obtaining of the target simulation attack plugin matched with the comparison information from the pre-constructed simulation attack plugin library includes: judging whether a standard simulation attack plugin matched with the comparison information is obtained or not from a pre-constructed simulation attack plugin library, and if so, determining the standard simulation attack plugin as the target simulation attack plugin; if not, returning to execute the operation of acquiring the real-time access parameters of the target system to be subjected to vulnerability detection as comparison information until the comparison condition is met.
The comparison ending condition can be the ending condition for comparing the comparison information with the standard comparison information in the pre-constructed simulated attack plug-in library.
In this embodiment, after the comparison information is acquired, it is necessary to determine in a pre-constructed simulation attack plugin library to determine whether a standard simulation attack plugin matching the comparison information is acquired, and if so, the standard simulation attack plugin is used as a target simulation attack plugin. Otherwise, the comparison information does not hit the standard simulation attack plug-in the simulation attack plug-in library, so that the operation of the comparison information is directly skipped, and the operation of obtaining the real-time access parameters of the target system to be subjected to vulnerability detection as the comparison information is returned until the comparison condition is met.
Optionally, the alignment-ending condition includes any one of: in a pre-constructed simulation attack plug-in library, a target simulation attack plug-in matched with the comparison information cannot be obtained; the current time reaches a comparison information matching time threshold; and receiving an instruction for stopping the acquisition of the comparison information.
The comparison information matching time threshold may be a preset time threshold, and if the current time reaches the time threshold, it indicates that the comparison operation of the comparison information is not required, and directly ends the operation of returning to execute and acquiring the real-time access parameter of the target system to be subjected to vulnerability detection as the comparison information.
In this embodiment, by setting a specific comparison ending condition, the operation of obtaining the real-time access parameter and further the operation of comparing the information can be stopped after the comparison ending condition is satisfied. Therefore, the condition that the real-time access parameters are consistently in the acquired state can be avoided, the comparison condition is set to be over, the waste of resources can be reduced, and the penetration test can be executed more efficiently.
Optionally, the determining, from a pre-constructed simulation attack plugin library, whether the obtained simulation attack plugin matched with the comparison information includes: acquiring the comparison information, and analyzing to obtain at least one data item in the comparison information; sequentially acquiring a target data item in each data item; judging whether the target data item hits at least one standard comparison information in a pre-constructed simulation attack plugin library, if so, determining the target simulation attack plugin according to the standard comparison information; if not, returning to execute in each data item, and sequentially acquiring a target data item until the traversal of all the data items is completed.
The data items may be data items obtained by parsing from the comparison information, and one or more data items may be parsed from the comparison information. The target data item may be a data item of a target identified in one or more data items. The standard comparison information may be comparison information obtained by analyzing the standard simulation attack plug-in.
Illustratively, assume that the data item parsed from the alignment information is k 1 And k 2 Suppose thatThe pre-constructed simulation attack plugin library comprises 5 standard simulation attack plugins which are respectively as follows: standard simulation attack plug-in 1 and standard comparison information k 1 And standard analog output information k 3 (ii) a Standard simulation attack plug-in 2 and standard comparison information k 2 And standard analog output information k 4 (ii) a Standard simulation attack plug-in 3 and standard comparison information k 3 And standard analog output information k 5 (ii) a Standard simulation attack plug-in 4 and standard comparison information k 5 And standard analog output information k 6 (ii) a Standard simulation attack plug-in 5 and standard comparison information k 4 And standard analog output information k 7
First a data item k 1 As the target data item, after the target data item k is analyzed 1 After that, the next data item k is acquired 2 And combining the data item k 2 And analyzing the target data item to obtain a corresponding analysis result.
The advantages of such an arrangement are: the method can dynamically transfer the simulation attack plugins, and utilize all simulation attack plugins to the maximum extent, thereby improving the reuse rate of the plugins and the coverage rate of paths.
And S120, acquiring standard simulation output information matched with the target simulation attack plug-in, and taking the standard simulation output information as new comparison information.
The standard simulation output information may be simulation output information obtained by inputting standard comparison information into a standard simulation attack plugin for analysis. For example, the standard simulation attack plug-in is regarded as a section of code, a fixed return value is set in the code, and after the code is analyzed, the return value is obtained, and the return value is the standard simulation output information.
In the previous example, k is first 1 As a target data item, the target data item k is then judged 1 Whether at least one standard comparison information in a pre-constructed simulation attack plug-in library is hit or not is determined due to the target data item k 1 Hit the standard comparison information k corresponding to the standard simulation attack plug-in 1 1 Meanwhile, the target simulation attack plug-in can be determined as the standardSimulating the attack plug-in 1 and outputting standard simulation output information k corresponding to the standard simulation attack plug-in 1 3 Determining the plug-in sequence to be new comparison information, carrying out the following comparison operation, and determining the specific plug-in sequence to be a standard simulation attack plug-in 1, a standard simulation attack plug-in 3 and a standard simulation attack plug-in 4 through comparison.
And S130, returning to execute the operation of obtaining the target simulation attack plug-in matched with the comparison information from the pre-constructed simulation attack plug-in library until the comparison finishing condition is met.
For the previous example, assume that the target data item k is determined 1 And then, comparing with at least one piece of standard comparison information in a pre-constructed simulated attack plug-in library, and finding no matched standard comparison information, so that the target data item cannot find a corresponding target simulated attack plug-in the simulated attack plug-in library, and the operation is directly finished. The next target data item k is then obtained 2 And carrying out corresponding information comparison operation to obtain specific plug-in sequences from the standard simulation attack plug-in 2 to the standard simulation attack plug-in 5. Determining a target data item k 2 After the plug-in paths are compared, judging whether the comparison finishing condition is met, if so, finishing the operation; if not, continuing to wait for obtaining the real-time access parameters of the target system to be subjected to vulnerability detection.
S140, assembling the sequentially obtained target simulation attack plug-ins to obtain a simulation attack template, and performing vulnerability detection on the target system by executing the simulation attack template.
The simulation attack template may be an attack template obtained by combining a plurality of target simulation attack plug-ins. The vulnerability detection operation of the target system can be carried out through the simulation attack template, specifically, the simulation attack template is permeated into the target system, the simulation attack operation of the target system is carried out through each target simulation attack plug-in the simulation attack template, a corresponding system feedback result is obtained, and the vulnerability detection operation is carried out.
Continuing the example, since the target data item k 1 The corresponding target simulation attack plug-ins are respectively as follows: standard of referenceThe system comprises a simulation attack plug-in 1, a standard simulation attack plug-in 3 and a standard simulation attack plug-in 4; target data item k 2 The corresponding target simulation attack plug-ins are respectively as follows: standard simulated attack plug-in 2 to standard simulated attack plug-in 5.
Further, assembling the sequentially obtained standard simulation attack plug-in 1, standard simulation attack plug-in 3 and standard simulation attack plug-in 4 to obtain a simulation attack template 1; and similarly, assembling the sequentially acquired standard simulation attack plug-in 2 to the standard simulation attack plug-in 5 to obtain the simulation attack template 2.
And correspondingly, detecting the vulnerability of the target system by executing the simulation attack template 1 and the simulation attack template 2.
Optionally, after the target simulation attack plugin is determined according to the standard comparison information, the method further includes: adding the matched target simulation attack plug-in into a scheduling queue; the assembling of the sequentially acquired target simulation attack plug-in units to obtain the simulation attack template comprises the following steps: and sequentially popping up each target simulation attack plug-in from the scheduling queue to form the simulation attack template.
Wherein, the scheduling queue can be a queue added by the target simulation attack plug-in. After the target simulation attack plug-in is obtained, the target simulation attack plug-in needs to be added into a scheduling queue.
For example, the target data item k 1 The corresponding target simulation attack plug-ins are respectively as follows: a standard simulation attack plug-in 1, a standard simulation attack plug-in 3 and a standard simulation attack plug-in 4. After the standard simulation attack plug-in 1 is obtained, the standard simulation attack plug-in 1 needs to be added into a scheduling queue, and after the standard simulation attack plug-in 3 and the standard simulation attack plug-in 4 are respectively obtained, the standard simulation attack plug-in 1 also needs to be added into the scheduling queue.
And in the scheduling queue, popping up each target simulation attack plug-in according to the first-in first-out characteristic of the queue, and assembling the popped-up target simulation attack plug-ins to form a simulation attack template.
Optionally, after the vulnerability detection is performed on the target system by executing the simulated attack template, the method further includes: carrying out vulnerability detection on the target system through each target simulation attack plug-in corresponding to the simulation attack template to obtain a vulnerability detection result of the target system; and feeding back the vulnerability detection result to a user.
The vulnerability detection result may be a feedback result output by the target system after the simulated attack template is infiltrated into the target system.
In this embodiment, after the simulated attack template is determined, the simulated attack template is acted on the target system to obtain a feedback result of the target system, so that the penetration test of the target system can be performed more diversely, and the penetration test effect of the target system is improved.
According to the technical scheme of the embodiment of the invention, the real-time access parameters of the target system to be subjected to vulnerability detection are obtained and used as comparison information, and the target simulation attack plug-in matched with the comparison information is obtained from a pre-constructed simulation attack plug-in library; acquiring standard simulation output information matched with the target simulation attack plug-in, and taking the standard simulation output information as new comparison information; returning to execute the operation of obtaining the target simulation attack plug-in matched with the comparison information from the pre-constructed simulation attack plug-in library until the comparison finishing condition is met; and assembling the sequentially obtained target simulation attack plug-ins to obtain a simulation attack template, and executing the simulation attack template to perform vulnerability detection on the target system. The problem that penetration testing can only select a certain number of attack templates to simulate attack is solved, the simulation attack plug-in can be dynamically scheduled and decided, and the reuse rate, attack path coverage rate and penetration testing effect of the simulation attack plug-in are improved.
Example two
Fig. 2 is a flowchart of another vulnerability detection method provided in the second embodiment of the present invention, and this embodiment is optimized based on the above embodiments, and in this embodiment, before the real-time access parameter of the target system to be vulnerability detected is obtained as comparison information, a specific operation process for constructing a simulated attack plug-in library is further included.
Accordingly, as shown in fig. 2, the method comprises:
and S210, acquiring an initial simulation attack plugin library.
Wherein, a plurality of initial simulation attack plug-ins are included in the initial simulation attack plug-in library.
The initial simulation attack plug-in library may be a database storing a plurality of initial simulation attack plug-ins. The initial simulation attack plugin can be a simulation attack plugin which is not subjected to normalization, dimensions of the initial simulation attack plugin are possibly inconsistent, and a standard simulation attack plugin is obtained through normalization processing.
S220, respectively carrying out normalization processing on each initial simulation attack plugin to determine a standard simulation attack plugin.
The standard simulation attack plugin can be an initial simulation attack plugin subjected to normalization processing, has the same dimensionality after being subjected to normalization processing, and can perform scheduling operation of the simulation attack plugin more conveniently.
And S230, analyzing and processing each standard simulation attack plugin to obtain standard comparison information and standard simulation output information respectively corresponding to each standard simulation attack plugin.
The standard comparison information may be comparison information describing a pre-dependency condition of the standard simulation attack plugin. After each standard simulation attack plug-in is determined, corresponding standard comparison information and standard simulation output information can be obtained.
In the previous example, when the standard simulation attack plug-in 1 is determined, the standard simulation attack plug-in 1 is analyzed to obtain the standard comparison information k 1 And standard analog output information k 3 (ii) a Similarly, the standard simulation attack plug-in 2 is analyzed and processed to obtain standard comparison information k 2 And standard analog output information k 4 . Analyzing and processing the standard simulation attack plug-in 3 to obtain standard comparison information k 3 And standard analog output information k 5 . Analyzing the standard simulation attack plug-in 4 to obtain standard comparison information k 5 And standard analog output information k 6 . Analyzing the standard simulation attack plug-in 5 to obtain standard comparison information k 4 And standard analog output information k 7
And S240, jointly storing each standard simulation attack plugin, the standard comparison information and the standard simulation output information to form a simulation attack plugin library.
In the previous example, the obtained standard simulation attack plug-ins, the standard comparison information and the standard simulation output information are jointly stored to obtain a simulation attack plug-in library, that is, the simulation attack plug-in library includes: standard simulation attack plug-in 1 and standard comparison information k 1 And standard analog output information k 3 (ii) a Standard simulation attack plug-in 2 and standard comparison information k 2 And standard analog output information k 4 (ii) a Standard simulation attack plug-in 3 and standard comparison information k 3 And standard analog output information k 5 (ii) a Standard simulation attack plug-in 4 and standard comparison information k 5 And standard analog output information k 6 (ii) a Standard simulation attack plug-in 5 and standard comparison information k 4 And standard analog output information k 7
And S250, acquiring real-time access parameters of a target system to be subjected to vulnerability detection as comparison information, and acquiring a target simulation attack plug-in matched with the comparison information from a pre-constructed simulation attack plug-in library.
S260, standard simulation output information matched with the target simulation attack plug-in is obtained and serves as new comparison information.
And S270, returning to execute the operation of obtaining the target simulation attack plug-in matched with the comparison information from the pre-constructed simulation attack plug-in library until the comparison finishing condition is met.
S280, assembling the sequentially obtained target simulation attack plug-ins to obtain a simulation attack template, and performing vulnerability detection on the target system by executing the simulation attack template.
According to the technical scheme of the embodiment of the invention, an initial simulation attack plug-in library is obtained; respectively carrying out normalization processing on each initial simulation attack plugin to determine a standard simulation attack plugin; analyzing and processing each standard simulation attack plug-in to obtain standard comparison information and standard simulation output information respectively corresponding to each standard simulation attack plug-in; performing combined storage on each standard simulation attack plugin, the standard comparison information and the standard simulation output information to form a simulation attack plugin library; acquiring real-time access parameters of a target system to be subjected to vulnerability detection as comparison information, and acquiring a target simulation attack plug-in matched with the comparison information from a pre-constructed simulation attack plug-in library; acquiring standard simulation output information matched with the target simulation attack plug-in, and taking the standard simulation output information as new comparison information; returning to execute the operation of obtaining the target simulation attack plug-in matched with the comparison information from the pre-constructed simulation attack plug-in library until the comparison finishing condition is met; and assembling the sequentially obtained target simulation attack plug-ins to obtain a simulation attack template, and executing the simulation attack template to perform vulnerability detection on the target system. A more standardized simulation attack plugin library can be constructed, so that the simulation attack plugin can be dynamically scheduled and decided, and the multiplexing rate, attack path coverage rate and penetration test effect of the simulation attack plugin are improved.
EXAMPLE III
Fig. 3 is a schematic structural diagram of a vulnerability detection apparatus according to a third embodiment of the present invention. The vulnerability detection apparatus provided in this embodiment may be implemented by software and/or hardware, and may be configured in a terminal device or a server to implement the vulnerability detection method in the embodiments of the present invention. As shown in fig. 3, the apparatus includes: the target simulation attack plugin acquisition module 310, the new comparison information determination module 320, the end comparison condition satisfaction module 330, and the vulnerability detection module 340.
The target simulation attack plugin acquisition module 310 is configured to acquire a real-time access parameter of a target system to be subjected to vulnerability detection as comparison information, and acquire a target simulation attack plugin matched with the comparison information from a pre-constructed simulation attack plugin library;
a new comparison information determining module 320, configured to obtain standard simulation output information matched with the target simulation attack plugin, and use the standard simulation output information as new comparison information;
a comparison ending condition satisfying module 330, configured to return to execute an operation of obtaining a target simulation attack plugin matched with the comparison information from a pre-constructed simulation attack plugin library until a comparison ending condition is satisfied;
and the vulnerability detection module 340 is used for assembling each target simulation attack plugin obtained in sequence to obtain a simulation attack template, and performing vulnerability detection on the target system by executing the simulation attack template.
According to the technical scheme of the embodiment of the invention, the real-time access parameters of the target system to be subjected to vulnerability detection are obtained and used as comparison information, and the target simulation attack plug-in matched with the comparison information is obtained from a pre-constructed simulation attack plug-in library; acquiring standard simulation output information matched with the target simulation attack plug-in, and taking the standard simulation output information as new comparison information; returning to execute the operation of obtaining the target simulation attack plug-in matched with the comparison information from the pre-constructed simulation attack plug-in library until the comparison finishing condition is met; and assembling the sequentially obtained target simulation attack plug-ins to obtain a simulation attack template, and executing the simulation attack template to perform vulnerability detection on the target system. The problem that penetration testing can only select a certain number of attack templates to simulate attack is solved, the simulation attack plug-in can be dynamically scheduled and decided, and the reuse rate, attack path coverage rate and penetration testing effect of the simulation attack plug-in are improved.
Optionally, the system further comprises a module for constructing a simulation attack plug-in library, which may be specifically configured to: before the real-time access parameters of the target system to be subjected to vulnerability detection are obtained and used as comparison information, obtaining an initial simulation attack plug-in library, wherein the initial simulation attack plug-in library comprises a plurality of initial simulation attack plug-ins; respectively carrying out normalization processing on each initial simulation attack plugin to determine a standard simulation attack plugin; analyzing and processing each standard simulation attack plug-in to obtain standard comparison information and standard simulation output information respectively corresponding to each standard simulation attack plug-in; and jointly storing each standard simulation attack plug-in, the standard comparison information and the standard simulation output information to form a simulation attack plug-in library.
Optionally, the target simulation attack plug-in obtaining module 310 may specifically include: the simulation attack plugin judging unit is used for judging whether a standard simulation attack plugin matched with the comparison information is obtained from a pre-constructed simulation attack plugin library, and if so, determining the standard simulation attack plugin as the target simulation attack plugin; and the comparison condition finishing satisfying unit is used for returning to execute the operation of acquiring the real-time access parameters of the target system to be subjected to vulnerability detection as the comparison information if the simulation attack plug-in matched with the comparison information is not acquired until the comparison condition finishing is satisfied.
Optionally, the alignment-ending condition includes any one of: in a pre-constructed simulation attack plug-in library, a target simulation attack plug-in matched with the comparison information cannot be obtained; the current time reaches a comparison information matching time threshold; and receiving an instruction for stopping the acquisition of the comparison information.
Optionally, the simulation attack plugin determination unit may be specifically configured to: acquiring the comparison information, and analyzing to obtain at least one data item in the comparison information; sequentially acquiring a target data item in each data item; judging whether the target data item hits at least one standard comparison information in a pre-constructed simulation attack plugin library, if so, determining the target simulation attack plugin according to the standard comparison information; if not, returning to execute in each data item, and sequentially acquiring a target data item until the traversal of all the data items is completed.
Optionally, the method further includes a scheduling queue composing module, which may be specifically configured to: and after the target simulation attack plug-in is determined according to the standard comparison information, adding the matched target simulation attack plug-in into a scheduling queue.
Optionally, the vulnerability detection module 340 may be specifically configured to: and sequentially popping up each target simulation attack plug-in from the scheduling queue to form the simulation attack template.
Optionally, the vulnerability detection result feedback module may be specifically configured to: after the target system is subjected to vulnerability detection by executing the simulated attack template, carrying out vulnerability detection on the target system through each target simulated attack plug-in corresponding to the simulated attack template to obtain a vulnerability detection result of the target system; and feeding back the vulnerability detection result to a user.
The vulnerability detection device provided by the embodiment of the invention can execute the vulnerability detection method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example four
FIG. 4 shows a schematic block diagram of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 4, the electronic device 10 includes at least one processor 11, and a memory communicatively connected to the at least one processor 11, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 11 can perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from a storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data necessary for the operation of the electronic apparatus 10 can also be stored. The processor 11, the ROM 12, and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
A number of components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, or the like; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. The processor 11 performs the various methods and processes described above, such as the vulnerability detection methods.
In some embodiments, the vulnerability detection methods may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the vulnerability detection methods described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the vulnerability detection method by any other suitable means (e.g., by means of firmware).
The method comprises the following steps: acquiring real-time access parameters of a target system to be subjected to vulnerability detection as comparison information, and acquiring a target simulation attack plugin matched with the comparison information from a pre-constructed simulation attack plugin library; acquiring standard simulation output information matched with the target simulation attack plug-in, and taking the standard simulation output information as new comparison information; returning to execute the operation of obtaining the target simulation attack plug-in matched with the comparison information from the pre-constructed simulation attack plug-in library until the comparison finishing condition is met; and assembling the sequentially obtained target simulation attack plug-ins to obtain a simulation attack template, and performing vulnerability detection on the target system by executing the simulation attack template.
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuitry, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), system on a chip (SOCs), load programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for implementing the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on a machine, as a stand-alone software package partly on a machine and partly on a remote machine or entirely on a remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical host and VPS service are overcome.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
EXAMPLE five
An embodiment of the present invention further provides a computer-readable storage medium, where the computer-readable instructions, when executed by a computer processor, are configured to perform a vulnerability detection method, where the method includes: acquiring real-time access parameters of a target system to be subjected to vulnerability detection as comparison information, and acquiring a target simulation attack plug-in matched with the comparison information from a pre-constructed simulation attack plug-in library; acquiring standard simulation output information matched with the target simulation attack plug-in, and taking the standard simulation output information as new comparison information; returning to execute the operation of obtaining the target simulation attack plug-in matched with the comparison information from the pre-constructed simulation attack plug-in library until the comparison finishing condition is met; and assembling the sequentially acquired target simulation attack plug-ins to obtain a simulation attack template, and performing vulnerability detection on the target system by executing the simulation attack template.
Of course, the computer-readable storage medium provided in the embodiments of the present invention has computer-executable instructions that are not limited to the above method operations, and may also perform related operations in the vulnerability detection method provided in any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods of the embodiments of the present invention.
It should be noted that, in the embodiment of the vulnerability detection apparatus, each included unit and each included module are only divided according to functional logic, but are not limited to the above division, as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A vulnerability detection method is characterized by comprising the following steps:
acquiring real-time access parameters of a target system to be subjected to vulnerability detection as comparison information, and acquiring a target simulation attack plug-in matched with the comparison information from a pre-constructed simulation attack plug-in library;
acquiring standard simulation output information matched with the target simulation attack plug-in, and taking the standard simulation output information as new comparison information;
returning to execute the operation of obtaining the target simulation attack plug-in matched with the comparison information from the pre-constructed simulation attack plug-in library until the comparison finishing condition is met;
and assembling the sequentially acquired target simulation attack plug-ins to obtain a simulation attack template, and performing vulnerability detection on the target system by executing the simulation attack template.
2. The method according to claim 1, wherein before the obtaining the real-time access parameter of the target system to be detected as the comparison information, the method further comprises:
acquiring an initial simulation attack plugin library, wherein the initial simulation attack plugin library comprises a plurality of initial simulation attack plugins;
respectively carrying out normalization processing on each initial simulation attack plugin to determine a standard simulation attack plugin;
analyzing and processing each standard simulation attack plug-in to obtain standard comparison information and standard simulation output information respectively corresponding to each standard simulation attack plug-in;
and jointly storing each standard simulation attack plug-in, the standard comparison information and the standard simulation output information to form a simulation attack plug-in library.
3. The method of claim 1, wherein obtaining the target simulation attack plugin matching the alignment information from a pre-constructed simulation attack plugin library comprises:
judging whether an acquired standard simulation attack plugin matched with the comparison information is obtained from a pre-constructed simulation attack plugin library, and if so, determining the standard simulation attack plugin as the target simulation attack plugin;
if not, returning to execute the operation of obtaining the real-time access parameters of the target system to be subjected to the vulnerability detection as comparison information until the comparison condition is met.
4. The method of claim 3, wherein the end alignment condition comprises any one of: in a pre-constructed simulation attack plug-in library, a target simulation attack plug-in matched with the comparison information cannot be obtained;
the current time reaches a comparison information matching time threshold; and
and receiving an instruction for stopping acquiring the comparison information.
5. The method of claim 4, wherein the determining whether the standard simulated attack plugin matched with the comparison information is obtained from a pre-constructed simulated attack plugin library comprises:
acquiring the comparison information, and analyzing to obtain at least one data item in the comparison information;
sequentially acquiring a target data item in each data item;
judging whether the target data item hits at least one standard comparison information in a pre-constructed simulation attack plugin library, if so, determining the target simulation attack plugin according to the standard comparison information;
if not, returning to execute in each data item, and sequentially acquiring a target data item until the traversal of all the data items is completed.
6. The method of claim 5, wherein after determining the target mock attack plug-in according to the standard alignment information, further comprising:
adding the matched target simulation attack plug-in into a scheduling queue;
the assembling of the sequentially acquired target simulation attack plug-in units to obtain the simulation attack template comprises the following steps:
and sequentially popping up each target simulation attack plug-in from the scheduling queue to form the simulation attack template.
7. The method according to any one of claims 1-6, wherein after the detecting the vulnerability of the target system by executing the simulated attack template, further comprising:
carrying out vulnerability detection on the target system through each target simulation attack plug-in corresponding to the simulation attack template to obtain a vulnerability detection result of the target system;
and feeding back the vulnerability detection result to a user.
8. A vulnerability detection apparatus, comprising:
the target simulation attack plug-in acquisition module is used for acquiring real-time access parameters of a target system to be subjected to vulnerability detection as comparison information and acquiring a target simulation attack plug-in matched with the comparison information from a pre-constructed simulation attack plug-in library;
the new comparison information determining module is used for acquiring standard simulation output information matched with the target simulation attack plug-in and taking the standard simulation output information as new comparison information;
the comparison ending condition satisfying module is used for returning and executing the operation of acquiring the target simulation attack plug-in matched with the comparison information from the pre-constructed simulation attack plug-in library until the comparison ending condition is satisfied;
and the vulnerability detection module is used for assembling each target simulation attack plug-in acquired sequentially to obtain a simulation attack template, and performing vulnerability detection on the target system by executing the simulation attack template.
9. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the vulnerability detection method of any of claims 1-7 when executing the computer program.
10. A computer-readable storage medium storing computer instructions for causing a processor to implement the vulnerability detection method of any of claims 1-7 when executed.
CN202211518436.0A 2022-11-29 2022-11-29 Vulnerability detection method and device, electronic equipment and storage medium Pending CN115859300A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211518436.0A CN115859300A (en) 2022-11-29 2022-11-29 Vulnerability detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211518436.0A CN115859300A (en) 2022-11-29 2022-11-29 Vulnerability detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115859300A true CN115859300A (en) 2023-03-28

Family

ID=85668179

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211518436.0A Pending CN115859300A (en) 2022-11-29 2022-11-29 Vulnerability detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115859300A (en)

Similar Documents

Publication Publication Date Title
CN116126346B (en) Code compiling method and device of AI model, computer equipment and storage medium
CN115576828A (en) Test case generation method, device, equipment and storage medium
CN116303013A (en) Source code analysis method, device, electronic equipment and storage medium
CN115599687A (en) Method, device, equipment and medium for determining software test scene
CN115859300A (en) Vulnerability detection method and device, electronic equipment and storage medium
CN114722401A (en) Equipment safety testing method, device, equipment and storage medium
CN115098405B (en) Software product evaluation method and device, electronic equipment and storage medium
CN116244324B (en) Task data relation mining method and device, electronic equipment and storage medium
CN115905021B (en) Fuzzy test method and device, electronic equipment and storage medium
CN117271373B (en) Automatic construction method and device for test cases, electronic equipment and storage medium
CN115860055B (en) Performance determination method, performance optimization method, device, electronic equipment and medium
CN117150215B (en) Assessment result determining method and device, electronic equipment and storage medium
CN117453747A (en) Data quality detection method and device, electronic equipment and storage medium
CN115567624A (en) Message processing method and device, electronic equipment and medium
CN117609064A (en) Unit test method and device, electronic equipment and storage medium
CN115292606A (en) Information pushing method, device, equipment and medium
CN116702667A (en) Regression testing method, device, equipment and medium for chip
CN117056222A (en) Interface test file generation method and device, electronic equipment and storage medium
CN115983222A (en) EasyExcel-based file data reading method, device, equipment and medium
CN116521977A (en) Product recommendation method, device, equipment and medium
CN115061925A (en) Performance test method and device of heterogeneous acceleration program and storage medium
CN116303071A (en) Interface testing method and device, electronic equipment and storage medium
CN115630053A (en) Data complementing method, device, equipment, storage medium and product
CN114443492A (en) Software testing method and device, electronic equipment and storage medium
CN118012936A (en) Data extraction method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination