CN116132132A - Network asset management method, device, electronic equipment and medium - Google Patents


Publication number: CN116132132A
Application number: CN202211716348.1A
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Prior art keywords: vulnerability, asset, target asset, verified, target
Other languages: Chinese (zh)
Inventors: 刘威, 傅诣, 陈坤伦, 谢丹妮, 刘鹏滨
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention discloses a network asset management method, a device, electronic equipment and a medium, and relates to the technical field of computers. The method comprises the following steps: detecting an asset in the network, taking the detected asset as a target asset, and determining portrait information of the target asset; scanning the target asset and determining whether a first vulnerability exists in the target asset; if the first vulnerability exists in the target asset, determining first related information of the first vulnerability; associating the first vulnerability with the target asset based on the portrait information and the first related information, and pushing the target asset associated with the first vulnerability to an asset manager; and verifying the target asset associated with the first vulnerability to determine whether the first vulnerability has been effectively repaired. The method deeply associates assets with vulnerabilities, has the vulnerabilities repaired, and then verifies the repair automatically, so that assets and vulnerabilities are tracked in an automated closed loop and vulnerability repair is verified, improving the security of the network.

Description

Network asset management method, device, electronic equipment and medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method and apparatus for managing network assets, an electronic device, and a medium.
Background
Network assets are mainly the various devices used in computer (or communication) networks, including hosts, virtual machines, containers, network devices (e.g., routers, switches), security devices (e.g., firewalls), storage devices, and application software (e.g., databases, middleware, application software).
Vulnerabilities are flaws in the concrete implementation of hardware, software, protocols, or system security policies that may enable an attacker to access or damage a system without authorization. They may stem from design defects or coding errors in application software or operating systems, or from design defects and unreasonable logic flows in business interactions. Because vulnerability discovery, tracking, disposal and verification combine management processes with technology, verifying that a vulnerability has been repaired has always been the hard part of closed-loop management once an asset vulnerability is discovered. Whether verification succeeds directly affects the security of the platform: a vulnerability that is reported as fixed but is not raises every kind of security risk, and can lead to enterprise information leakage, damage to or attacks on the system, or tampering with user data.
Disclosure of Invention
In order to solve the above technical problems or at least partially solve the above technical problems, embodiments of the present invention provide a method, an apparatus, an electronic device, and a medium for managing network assets.
According to a first aspect of an embodiment of the present invention, there is provided a network asset management method, including:
detecting an asset in a network, taking the detected asset as a target asset, and determining portrait information of the target asset;
scanning the target asset and determining whether a first vulnerability exists in the target asset;
determining first related information of a first vulnerability under the condition that the first vulnerability exists in the target asset;
based on the portrait information and the first related information, associating the first vulnerability with the target asset, and outputting the first vulnerability and the target asset associated with the first vulnerability;
and when the verification triggering condition is reached, the first vulnerability is used as a vulnerability to be verified, and the target asset associated with the vulnerability to be verified is verified to determine whether the vulnerability to be verified is repaired or not.
In an optional embodiment, the verifying, with the first vulnerability as the vulnerability to be verified, the target asset associated with the vulnerability to be verified includes: taking the first vulnerability as a vulnerability to be verified, and determining the priority of the vulnerability to be verified according to first related information of the vulnerability to be verified and portrait information of a target asset associated with the vulnerability to be verified; and verifying the target asset associated with the vulnerability to be verified according to the priority of the vulnerability to be verified.
In an alternative embodiment, the verifying the target asset associated with the vulnerability to be verified to determine whether the vulnerability to be verified is repaired includes: verifying the target asset associated with the vulnerability to be verified, and determining whether a second vulnerability exists in the target asset associated with the vulnerability to be verified; under the condition that the target asset associated with the vulnerability to be verified does not have the second vulnerability, determining that the vulnerability to be verified is effectively repaired; acquiring second related information of a second vulnerability under the condition that the target asset associated with the vulnerability to be verified has the second vulnerability; determining the similarity of the vulnerability to be verified and the second vulnerability according to the first related information and the second related information; and determining whether the vulnerability to be verified is repaired or not according to the similarity of the vulnerability to be verified and the second vulnerability.
In an optional embodiment, the determining whether the vulnerability to be verified is repaired according to the similarity between the vulnerability to be verified and the second vulnerability includes: determining that the vulnerability to be verified is not effectively repaired under the condition that the similarity between the vulnerability to be verified and the second vulnerability is greater than or equal to a preset threshold value; and under the condition that the similarity between the vulnerability to be verified and the second vulnerability is smaller than a preset threshold value, determining that the vulnerability to be verified is effectively repaired.
In an alternative embodiment, the detecting the asset in the network, taking the detected asset as a target asset, and determining portrait information of the target asset includes: detecting live hosts in the network with a preset IP scanning tool, determining the assets in the network, and taking those assets as target assets; comparing the target asset with an existing asset library to determine whether the target asset is a known asset; if the target asset is a known asset, determining portrait information of the target asset from the existing asset library; and if the target asset is not a known asset, performing a port and service scan on the target asset, displaying the scan result, receiving confirmation information for the target asset, and determining portrait information of the target asset from the confirmation information.
In an alternative embodiment, the portrait information of the target asset includes an identification of the target asset, the identification including an IP address, a port number and a zone marker.
In an alternative embodiment, the scanning the target asset to determine whether a first vulnerability exists in the target asset includes: determining the priority of the target asset according to the portrait information of the target asset; and scanning the target asset according to the priority of the target asset, and determining whether a first vulnerability exists in the target asset.
In an alternative embodiment, the portrait information of the target asset further includes one or more of the following items of information: asset security risk level, asset location, asset importance level;
the determining the priority of the target asset according to the portrait information of the target asset comprises the following steps: and determining the priority of the target asset according to one or more of the security risk level, the position and the importance degree of the target asset.
In an alternative embodiment, the first relevant information of the first vulnerability includes one or more of the following information items: IP address, port number, name of the component generating the vulnerability, version, vulnerability type, vulnerability risk level.
According to a second aspect of an embodiment of the present invention, there is provided a network asset management device, including:
the asset detection module is used for detecting the asset in the network, taking the detected asset as a target asset and determining portrait information of the target asset;
the vulnerability scanning module is used for scanning the target asset and determining whether a first vulnerability exists in the target asset; determining first related information of a first vulnerability under the condition that the first vulnerability exists in the target asset;
The association module is used for associating the first vulnerability with the target asset based on the portrait information and the first related information and outputting the first vulnerability and the target asset associated with the first vulnerability;
and the vulnerability verification module is used for verifying the target asset associated with the vulnerability to be verified by taking the first vulnerability as the vulnerability to be verified when a verification triggering condition is reached, so as to determine whether the vulnerability to be verified is repaired or not.
In an alternative embodiment, the vulnerability verification module is configured to: taking the first vulnerability as a vulnerability to be verified, and determining the priority of the vulnerability to be verified according to first related information of the vulnerability to be verified and portrait information of a target asset associated with the vulnerability to be verified; and verifying the target asset associated with the vulnerability to be verified according to the priority of the vulnerability to be verified.
In an alternative embodiment, the vulnerability verification module is configured to: verifying the target asset associated with the vulnerability to be verified, and determining whether a second vulnerability exists in the target asset associated with the vulnerability to be verified; under the condition that the target asset associated with the vulnerability to be verified does not have the second vulnerability, determining that the vulnerability to be verified is effectively repaired; acquiring second related information of a second vulnerability under the condition that the target asset associated with the vulnerability to be verified has the second vulnerability; determining the similarity of the vulnerability to be verified and the second vulnerability according to the first related information and the second related information; and determining whether the vulnerability to be verified is repaired or not according to the similarity of the vulnerability to be verified and the second vulnerability.
In an alternative embodiment, the vulnerability verification module is configured to: determining that the vulnerability to be verified is not effectively repaired under the condition that the similarity between the vulnerability to be verified and the second vulnerability is greater than or equal to a preset threshold value; and under the condition that the similarity between the vulnerability to be verified and the second vulnerability is smaller than a preset threshold value, determining that the vulnerability to be verified is effectively repaired.
In an alternative embodiment, the asset detection module is configured to: detect live hosts in the network with a preset IP scanning tool, determine the assets in the network, and take those assets as target assets; compare the target asset with an existing asset library to determine whether the target asset is a known asset; if the target asset is a known asset, determine portrait information of the target asset from the existing asset library; and if the target asset is not a known asset, perform a port and service scan on the target asset, display the scan result, receive confirmation information for the target asset, and determine portrait information of the target asset from the confirmation information.
In an alternative embodiment, the vulnerability scanning module is configured to: determining the priority of the target asset according to the portrait information of the target asset; and scanning the target asset according to the priority of the target asset, and determining whether a first vulnerability exists in the target asset.
In an alternative embodiment, the portrait information of the target asset further includes one or more of the following items of information: asset security risk level, asset location, asset importance level;
the vulnerability scanning module is used for: and determining the priority of the target asset according to one or more of the security risk level, the position and the importance degree of the target asset.
In a third aspect, an embodiment of the present invention provides an electronic device, including: one or more processors; and a storage means for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the network asset management method of any of the embodiments of the present invention.
In a fourth aspect, embodiments of the present invention provide a computer readable medium having stored thereon a computer program, which when executed by a processor, implements a network asset management method of any of the embodiments of the present invention.
One embodiment of the above invention has the following advantages or benefits:
according to the network asset management method, an asset in the network is detected, the detected asset is taken as a target asset, and portrait information of the target asset is determined; the target asset is scanned to determine whether a first vulnerability exists in it; if the first vulnerability exists, first related information of the first vulnerability is determined; the first vulnerability is associated with the target asset based on the portrait information and the first related information, and the target asset associated with the first vulnerability is pushed to an asset manager; and, taking the first vulnerability as the vulnerability to be verified, the target asset associated with it is verified to determine whether the vulnerability has been effectively repaired. Assets and vulnerabilities are thus deeply associated, the related information of a vulnerability is automatically sent to the person responsible for the asset, that person completes the repair and rectification and changes the vulnerability's state, and the repair is then verified automatically. This achieves automated closed-loop tracking management and verification of assets and vulnerabilities, helps prevent the network from being attacked or damaged, and improves network security.
Further effects of the above non-conventional alternatives are described below in connection with the specific embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 illustrates a flow chart of a network asset management method of an embodiment of the present invention;
FIG. 2 illustrates a sub-flowchart of a network asset management method according to an embodiment of the present invention;
FIG. 3 illustrates another sub-flowchart of a network asset management method according to an embodiment of the invention;
FIG. 4 illustrates yet another sub-flowchart of a network asset management method according to an embodiment of the present invention;
FIG. 5 illustrates yet another sub-flowchart of a network asset management method according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a network asset management device according to an embodiment of the present invention;
fig. 7 shows a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, in which various details of the embodiments of the present invention are included to facilitate understanding, and are to be considered merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Fig. 1 shows a flow chart of a network asset management method according to an embodiment of the invention. As shown in fig. 1, the method includes:
step S101: detecting the asset in the network, and determining portrait information of the target asset by taking the detected asset as the target asset.
In this embodiment, assets in the network mainly fall into three classes: IT assets, non-IT assets and application software. IT assets include hosts, virtual machines, containers and the like. Non-IT assets include network devices (e.g., routers, switches), security devices (e.g., firewalls), storage devices and other networking hardware. Application software assets include databases, middleware and application software.
This step may use an IP scanning tool (or IP identification tool) to scan the network and detect and identify the live assets in it. In alternative embodiments, the network may be scanned periodically with the IP scanning tool (or IP identification tool).
The portrait information of the target asset describes the target asset. It may include an identification of the target asset, which may be a unique identification. As a specific example, the identification of the target asset may include an IP address, a port number and a zone marker. The zone marker may be DMZ or PUBLIC. A DMZ (Demilitarized Zone) is a buffer zone set up between the non-secure (external) network and the secure (internal) network to solve the problem that, once a firewall is installed, users on the external network cannot reach servers on the internal network; it is a small network area between the enterprise's internal network and the external network. A DMZ can be understood as a special network area distinct from both the extranet and the intranet, which usually hosts public-facing servers that hold no confidential information, such as the enterprise's web servers, FTP servers and forums. PUBLIC denotes a non-DMZ zone. In this embodiment the identification of the target asset may be represented as a triplet, such as (DMZ:IP:PORT) or (PUBLIC:IP:PORT), where IP is the IP address of the target asset and PORT is its port. Including the zone marker in the identification distinguishes assets inside and outside the DMZ, allows assets inside the DMZ to be detected, and yields a unique identification for the target asset. Once the target asset is identified, the association between the asset identification and the asset management information can be established, giving the portrait information of the target asset.
The representation information of the target asset further includes one or more of the following items of information: asset security risk level, asset location, asset importance level. The security risk level of the asset and the importance level of the asset can be preset according to the type, the action and the like of the asset. The asset location may be a physical location of an asset, such as where the asset is located in an xx machine room. In an alternative embodiment, after determining the identification of the target asset, matching is performed according to the identification of the target asset and asset management information in a preset known asset library to obtain portrait information of the target asset.
Step S102: the target asset is scanned to determine whether a first vulnerability exists in the target asset.
In this step, the target asset may be scanned using a preset vulnerability database and vulnerability scanner to determine whether a first vulnerability exists in the target asset.
In an alternative embodiment, in scanning the target asset, determining whether the first vulnerability exists in the target asset may include:
determining the priority of the target asset according to the portrait information of the target asset;
and scanning the target asset according to the priority of the target asset, and determining whether the first vulnerability exists in the target asset.
Wherein the priority of the target asset may be determined based on one or more of an asset security risk level, an asset location, and an asset importance level. For example, scoring criteria for asset security risk level, asset location, and asset importance may be set separately, scoring different asset security risk levels, asset locations, and asset importance. Thus, the scoring criteria may be used to score the asset security risk level, asset location, and asset importance of the target asset, and then the scores corresponding to the asset security risk level, asset location, and asset importance may be summed by weighting the resulting sum as the asset score. And finally, determining the priority of the target asset according to the grading value of the target asset. The higher the scoring value of a target asset, the higher the priority of the target asset, and the more preferentially the target asset is scanned. After determining the scoring value of the target asset, the target asset may be added to a first-in first-out queue corresponding to the scoring value of the target asset according to the scoring value of the target asset, so that the vulnerability scanner performs vulnerability scanning according to the scoring value of the target asset.
When the target asset is scanned with the vulnerability scanner, a scanning strategy and scanning parameters configured by a user may be received through a user interface, and a corresponding vulnerability scanning task is then created from the scanning strategy and scanning parameters so that the target asset is scanned by that task. The scanning strategy is the general configuration applied when vulnerability scanning is executed, so that scanning is more targeted and takes less time; examples are automatic matching scans, Windows-family scans, Linux-family scans and high-risk vulnerability scans. The scanning parameters are per-task settings such as the task name, execution mode, scan engine to invoke, port range, and scan target.
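Steps S101 and S102 above (triplet identification, known-asset lookup, weighted scoring and per-score FIFO scheduling) as one runnable example. This is added illustration, not code from the patent: the zone names, the score tables, the weights and the sample asset library are assumptions chosen to show the mechanics.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass

# Added example, not code from the patent. The zone names, score tables,
# weights and the sample asset library are assumptions for illustration.


@dataclass(frozen=True)
class AssetId:
    """Unique asset identification in the patent's triplet form (ZONE:IP:PORT)."""
    zone: str  # "DMZ" or "PUBLIC"
    ip: str
    port: int

    def triplet(self) -> str:
        return f"({self.zone}:{self.ip}:{self.port})"


@dataclass(frozen=True)
class Portrait:
    """Portrait information: identification plus the management attributes."""
    asset_id: AssetId
    risk_level: str  # asset security risk level: "high" | "medium" | "low"
    location: str    # physical location, e.g. a machine room (assumed names)
    importance: str  # asset importance: "core" | "important" | "ordinary"


# Scoring criteria (assumed): a score table per attribute and a weight per table.
RISK_SCORE = {"high": 3, "medium": 2, "low": 1}
IMPORTANCE_SCORE = {"core": 3, "important": 2, "ordinary": 1}
LOCATION_SCORE = {"room-dmz": 2, "room-b": 1}
WEIGHTS = {"risk": 0.5, "location": 0.2, "importance": 0.3}


def asset_score(p: Portrait) -> float:
    """Weighted sum of the attribute scores; a higher score is scanned earlier."""
    total = (WEIGHTS["risk"] * RISK_SCORE[p.risk_level]
             + WEIGHTS["location"] * LOCATION_SCORE.get(p.location, 1)
             + WEIGHTS["importance"] * IMPORTANCE_SCORE[p.importance])
    return round(total, 2)


def resolve_portrait(asset_id: AssetId, library: dict[str, Portrait],
                     confirmation: dict | None) -> Portrait:
    """Known asset: the portrait comes from the asset library.
    Unknown asset: the port/service scan result is shown to an operator and the
    confirmed attributes (passed here as `confirmation`) become the portrait."""
    key = asset_id.triplet()
    if key in library:
        return library[key]
    if confirmation is None:
        raise LookupError(f"{key} is not a known asset and has not been confirmed")
    return Portrait(asset_id, confirmation["risk_level"],
                    confirmation["location"], confirmation["importance"])


def build_scan_queues(portraits: list[Portrait]) -> dict[float, deque]:
    """One first-in-first-out queue per score value, as in the scheduling step."""
    queues: dict[float, deque] = {}
    for p in portraits:
        queues.setdefault(asset_score(p), deque()).append(p)
    return queues


def next_to_scan(queues: dict[float, deque]) -> Portrait | None:
    """Pop the oldest entry of the highest-scoring non-empty queue."""
    for score in sorted(queues, reverse=True):
        if queues[score]:
            return queues[score].popleft()
    return None


def scan_order(portraits: list[Portrait]) -> list[str]:
    """Full scan order as asset triplets (drains the queues)."""
    queues = build_scan_queues(portraits)
    order: list[str] = []
    while (p := next_to_scan(queues)) is not None:
        order.append(p.asset_id.triplet())
    return order


# Constructed sample data: an asset library with one known asset, plus a
# second, unknown asset whose attributes an operator has confirmed.
WEB = AssetId("DMZ", "10.0.1.10", 443)
DB = AssetId("PUBLIC", "10.0.2.20", 3306)
LIBRARY = {WEB.triplet(): Portrait(WEB, "high", "room-dmz", "core")}
DB_CONFIRMATION = {"risk_level": "medium", "location": "room-b",
                   "importance": "important"}

if __name__ == "__main__":
    known = resolve_portrait(WEB, LIBRARY, None)
    unknown = resolve_portrait(DB, LIBRARY, DB_CONFIRMATION)
    print(scan_order([unknown, known]))  # the DMZ web server is scanned first
```

An unknown asset without operator confirmation is rejected rather than silently given a default portrait: a default low score would push exactly the assets nobody has inventoried to the back of the scan queue, which is the opposite of what a shadow-IT finding deserves.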
Step S103: in the event that it is determined that a first vulnerability exists in the target asset, first relevant information for the first vulnerability is determined.
As a specific example, the first related information of the first vulnerability includes one or more of the following items: IP address, port number, name of the component in which the vulnerability occurs, version, vulnerability type and vulnerability risk level. The vulnerability risk level may be determined from one or more of the IP address, port number, component name, version and vulnerability type; the invention does not limit how.
After the vulnerabilities in the network have been scanned out and their related information obtained, each scanned vulnerability can be associated with an asset in the network according to the related information of the vulnerability and the portrait information of the asset, establishing a one-to-one relationship between the vulnerability and the asset.
Step S104: and associating the first vulnerability with the target asset based on the portrait information and the first related information, and outputting the first vulnerability and the target asset associated with the first vulnerability.
In this step, the IP address and port number in the portrait information of the target asset are matched against the IP address and port number of the vulnerability, and the association between the target asset and the first vulnerability is determined accordingly.
After the first vulnerability and the target asset have been associated, the first vulnerability and its associated target asset are output and pushed to the asset manager, who repairs and rectifies the first vulnerability.
Step S105: and when the verification triggering condition is reached, verifying the target asset associated with the vulnerability to be verified by taking the first vulnerability as the vulnerability to be verified so as to determine whether the vulnerability to be verified is repaired.
The vulnerability verification in step S105 follows the three preceding processes, asset detection and identification in step S101, vulnerability scanning and scheduling in step S102, and vulnerability association analysis in step S104, and checks the effect of the vulnerability repair. Verifying the vulnerability ensures that it has actually been repaired and prevents the network from being attacked or damaged. The verification triggering condition may be a time condition: for example, a timer starts when the first vulnerability and its associated target asset are output, and verification is triggered when a preset duration elapses. It may also be a status condition: verification is triggered when the manager of the target asset updates the status of the first vulnerability to rectified. For example, when the first vulnerability and its associated target asset are pushed to the asset manager, the state of the first vulnerability is set to "to be rectified"; when the asset manager rectifies the first vulnerability, the state is updated to "rectified". Further, for a first vulnerability that passes verification (i.e., the verification finds that the first vulnerability no longer exists), the state may be updated to "verified".
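Steps S104 and S105 as a runnable example: association by (IP, port) match, the push to the asset manager, and the state machine with both verification triggers. This is added illustration, not the patent's code: the state names, the seven-day time trigger, the sample assets and findings, and the handling of a failed verification (re-pushed as "to be rectified", which the patent does not describe) are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

# Added example, not code from the patent. The state names, the seven-day
# time trigger and the sample assets/findings are assumptions.


class VulnState(Enum):
    TO_BE_RECTIFIED = "to_be_rectified"  # set when pushed to the asset manager
    RECTIFIED = "rectified"              # set by the manager after the fix
    VERIFIED = "verified"                # set when the re-scan no longer finds it


@dataclass(frozen=True)
class Asset:
    zone: str
    ip: str
    port: int
    manager: str  # person responsible for this asset


@dataclass
class Vulnerability:
    """A scanned vulnerability with its first related information."""
    ip: str
    port: int
    component: str
    version: str
    vuln_type: str
    risk_level: str
    state: VulnState | None = None
    pushed_at: datetime | None = None
    asset: Asset | None = None


def associate(vulns: list[Vulnerability], assets: list[Asset]) -> list[Vulnerability]:
    """Step S104: match each vulnerability to the asset whose portrait carries
    the same (IP, port). Unmatched findings have no owner and need triage."""
    index = {(a.ip, a.port): a for a in assets}
    matched = []
    for v in vulns:
        asset = index.get((v.ip, v.port))
        if asset is not None:
            v.asset = asset
            matched.append(v)
    return matched


def push_to_manager(v: Vulnerability, now: datetime) -> dict:
    """Output the vulnerability and its asset to the responsible manager and
    start the vulnerability's state tracking."""
    if v.asset is None:
        raise ValueError("vulnerability is not associated with an asset")
    v.state = VulnState.TO_BE_RECTIFIED
    v.pushed_at = now
    return {"to": v.asset.manager,
            "asset": f"({v.asset.zone}:{v.asset.ip}:{v.asset.port})",
            "component": f"{v.component} {v.version}",
            "type": v.vuln_type, "risk": v.risk_level}


def mark_rectified(v: Vulnerability) -> None:
    """The asset manager reports the fix; only valid from 'to be rectified'."""
    if v.state is not VulnState.TO_BE_RECTIFIED:
        raise ValueError(f"cannot mark rectified from state {v.state}")
    v.state = VulnState.RECTIFIED


VERIFY_AFTER = timedelta(days=7)  # assumed preset duration for the time trigger


def verification_due(v: Vulnerability, now: datetime) -> bool:
    """Verification triggering condition: either the manager marked the
    vulnerability rectified, or the preset duration since the push elapsed."""
    if v.state is VulnState.RECTIFIED:
        return True
    if v.state is VulnState.TO_BE_RECTIFIED and v.pushed_at is not None:
        return now - v.pushed_at >= VERIFY_AFTER
    return False


def record_verification(v: Vulnerability, still_present: bool, now: datetime) -> VulnState:
    """Passed: state becomes 'verified'. Failed: the patent only describes the
    passing case; here (assumption) it goes back to 'to be rectified' and the
    time trigger restarts from now."""
    if still_present:
        v.state = VulnState.TO_BE_RECTIFIED
        v.pushed_at = now
    else:
        v.state = VulnState.VERIFIED
    return v.state


# Constructed sample data.
T0 = datetime(2024, 1, 1)


def at_day(n: int) -> datetime:
    return T0 + timedelta(days=n)


SAMPLE_ASSETS = [Asset("DMZ", "10.0.1.10", 443, "alice"),
                 Asset("PUBLIC", "10.0.2.20", 3306, "bob")]
SAMPLE_VULNS = [
    Vulnerability("10.0.1.10", 443, "nginx", "1.18.0", "outdated-component", "high"),
    Vulnerability("10.0.9.9", 22, "openssh", "8.2", "weak-configuration", "medium"),
]

if __name__ == "__main__":
    matched = associate(SAMPLE_VULNS, SAMPLE_ASSETS)
    print(push_to_manager(matched[0], T0))
    print(verification_due(matched[0], at_day(3)), verification_due(matched[0], at_day(7)))
    mark_rectified(matched[0])
    print(record_verification(matched[0], still_present=False, now=at_day(2)))
```

The time trigger matters in practice: without it a finding whose owner never updates the status is never re-checked, so the loop only closes for cooperative managers. The unmatched finding (no asset with that IP and port in the portrait data) is deliberately not pushed anywhere; it is a sign that asset detection in step S101 missed something.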
In an alternative embodiment, the step S105 uses the first vulnerability as the vulnerability to be verified, and the process of verifying the target asset associated with the vulnerability to be verified may include:
taking the first vulnerability as a vulnerability to be verified, and determining the priority of the vulnerability to be verified according to first related information of the vulnerability to be verified and portrait information of a target asset associated with the vulnerability to be verified;
and verifying the target asset associated with the vulnerability to be verified according to the priority of the vulnerability to be verified.
As a specific example, the priority of the vulnerability to be verified may be determined from the vulnerability risk level of the vulnerability to be verified and the security risk level, location and importance level of the target asset. The higher the priority of a vulnerability to be verified, the earlier it is verified.
In an alternative embodiment, as shown in fig. 2, verifying the target asset associated with the vulnerability to be verified to determine whether the vulnerability to be verified is effectively repaired, including:
step S201: verifying the target asset associated with the vulnerability to be verified, and determining whether a second vulnerability exists in the target asset associated with the vulnerability to be verified;
step S202: under the condition that the target asset associated with the vulnerability to be verified does not have the second vulnerability, determining that the vulnerability to be verified is effectively repaired;
Step S203: acquiring second related information of a second vulnerability under the condition that a target asset associated with the vulnerability to be verified has the second vulnerability;
step S204: according to the first related information and the second related information, determining the similarity of the vulnerability to be verified and the second vulnerability;
step S205: and determining whether the vulnerability to be verified is effectively repaired or not according to the similarity between the vulnerability to be verified and the second vulnerability. If the similarity between the vulnerability to be verified and the second vulnerability is greater than or equal to a preset threshold, determining that the vulnerability to be verified is not effectively repaired; and under the condition that the similarity between the vulnerability to be verified and the second vulnerability is smaller than a preset threshold value, determining that the vulnerability to be verified is effectively repaired.
If the second vulnerability does not exist in the target asset, it is determined that the vulnerability to be verified is effectively repaired. If the second vulnerability exists in the target asset, the related information of the second vulnerability is acquired, compared with the related information of the vulnerability to be verified, and analysed to determine the similarity of the second vulnerability and the vulnerability to be verified. If the similarity between the vulnerability to be verified and the second vulnerability is greater than or equal to a preset threshold, it is determined that the vulnerability to be verified is not effectively repaired; if the similarity is smaller than the preset threshold, it is determined that the vulnerability to be verified is effectively repaired.
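Added example (not code from the patent or its applicant): one way to implement the priority ordering of step S105 and the similarity-based decision of steps S201-S205 in Python. The level values, field weights, location labels and the 0.75 threshold are assumptions; the related-information fields follow claim 9.

```python
from __future__ import annotations
from dataclasses import dataclass

# Ordinal values for the level names; the patent names the levels, not their values (assumed).
LEVEL = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Where the asset sits relative to the Internet (assumed labels and weights).
LOCATION_WEIGHT = {"internet": 2, "dmz": 1, "intranet": 0}
# Weight of each related-information field in the similarity score (assumed; fields from claim 9).
WEIGHTS = {"ip": 0.10, "port": 0.10, "component": 0.25,
           "version": 0.15, "vuln_type": 0.30, "risk_level": 0.10}
THRESHOLD = 0.75  # preset similarity threshold (assumed value)


@dataclass(frozen=True)
class VulnInfo:
    """Related information of a vulnerability (the claim 9 fields)."""
    ip: str
    port: int
    component: str
    version: str
    vuln_type: str
    risk_level: str


@dataclass(frozen=True)
class AssetPortrait:
    """Portrait information of the target asset used for prioritisation."""
    ip: str
    port: int
    area: str
    security_risk_level: str
    location: str
    importance: str


def priority(vuln: VulnInfo, asset: AssetPortrait) -> int:
    """Verification priority from vulnerability risk, asset risk, importance and location.
    The weighting is an assumption; only the resulting order matters."""
    return (4 * LEVEL[vuln.risk_level]
            + 2 * LEVEL[asset.security_risk_level]
            + 2 * LEVEL[asset.importance]
            + LOCATION_WEIGHT.get(asset.location, 0))


def similarity(first: VulnInfo, second: VulnInfo) -> float:
    """Weighted share of related-information fields on which the two findings agree."""
    score = sum(w for name, w in WEIGHTS.items()
                if getattr(first, name) == getattr(second, name))
    return round(score, 4)


def is_effectively_repaired(first: VulnInfo, rescan: list[VulnInfo],
                            threshold: float = THRESHOLD) -> bool:
    """Steps S201-S205: no second vulnerability on the asset means repaired;
    otherwise the closest second vulnerability must fall below the threshold."""
    if not rescan:
        return True
    return max(similarity(first, second) for second in rescan) < threshold


def verify_pending(pending, rescan_by_asset, threshold=THRESHOLD):
    """Verify (vulnerability, asset) pairs in descending priority order.
    Returns (vulnerability, state) tuples; 'verified' means the repair held."""
    ordered = sorted(pending, key=lambda pair: priority(*pair), reverse=True)
    results = []
    for vuln, asset in ordered:
        findings = rescan_by_asset.get((asset.ip, asset.port), [])
        repaired = is_effectively_repaired(vuln, findings, threshold)
        results.append((vuln, "verified" if repaired else "not repaired"))
    return results


# Constructed sample data (not from the patent).
VULN_A = VulnInfo("10.0.0.5", 443, "openssl", "1.0.1f", "information-disclosure", "high")
ASSET_A = AssetPortrait("10.0.0.5", 443, "area-1", "high", "internet", "critical")
VULN_B = VulnInfo("10.0.0.9", 8080, "tomcat", "8.5.0", "remote-code-execution", "critical")
ASSET_B = AssetPortrait("10.0.0.9", 8080, "area-2", "medium", "intranet", "medium")
PENDING = [(VULN_B, ASSET_B), (VULN_A, ASSET_A)]

# Constructed re-scan results: asset A still reports the same issue on a newer build
# (similarity 0.85, not repaired); asset B now reports an unrelated vulnerability
# (similarity 0.45, repaired).
RESCAN_A = VulnInfo("10.0.0.5", 443, "openssl", "1.0.1u", "information-disclosure", "high")
RESCAN_B = VulnInfo("10.0.0.9", 8080, "tomcat", "9.0.0", "cross-site-scripting", "medium")
RESCAN = {("10.0.0.5", 443): [RESCAN_A], ("10.0.0.9", 8080): [RESCAN_B]}

if __name__ == "__main__":
    for vuln, state in verify_pending(PENDING, RESCAN):
        print(f"{vuln.ip}:{vuln.port} {vuln.component} -> {state}")
```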
According to the network asset management method, the asset in the network is detected, the detected asset is used as a target asset, and portrait information of the target asset is determined; the target asset is scanned and it is determined whether a first vulnerability exists in the target asset; under the condition that the first vulnerability exists in the target asset, first relevant information of the first vulnerability is determined; the first vulnerability is correlated with the target asset based on the portrait information and the first related information, and the target asset correlated with the first vulnerability is pushed to an asset manager; and the target asset associated with the vulnerability to be verified is verified by taking the first vulnerability as the vulnerability to be verified, in order to determine whether the vulnerability to be verified is effectively repaired. The method thereby carries out deep association of the asset and the vulnerability, automatically sends the relevant information of the vulnerability to the asset management responsible person, has the asset management responsible person complete the repair of the vulnerability, and carries out automatic vulnerability verification, achieving automated closed-loop tracking management and vulnerability verification of the asset-vulnerability pair, avoiding the network being attacked or damaged, and improving the security of the network.
In an alternative embodiment, as shown in fig. 3, the process of detecting assets in a network and determining portrait information of the detected assets in step S101 may include:
Step S301: detecting the survival of a host computer of the network by using a preset IP scanning tool, determining the asset in the network, and taking the asset in the network as a target asset;
step S302: comparing the target asset with an existing asset library to determine whether the target asset is a known asset;
step S303: if the target asset is a known asset, determining portrait information of the target asset based on the existing asset library;
step S304: if the target asset is a non-known asset, carrying out port service scanning on the target asset, and displaying a scanning result;
step S305: receiving confirmation information of the target asset, and determining portrait information of the target asset based on the confirmation information.
In step S301, an existing IP scanning tool (or IP identification tool) may be used to perform a host survival probe on the network, determine the live assets in the network, and take the live assets as the target assets.
In step S302, the detected target asset may be compared with the known assets in the existing asset library based on the identification of the detected target asset, to determine whether the detected target asset is a known asset. The existing asset library is used to record the known assets and the related information (or portrait information) of the known assets.
In steps S303-S305, if the detected target asset exists in the existing asset library, the target asset is determined to be a known asset, and the portrait information of the target asset is determined based on the related information of the known asset recorded in the existing asset library. If the detected target asset is not in the existing asset library, the target asset is determined to be a non-known asset, that is, an unknown asset. The unknown asset is then scanned using a port service scan to determine its open port numbers. The IP address and port numbers of the unknown asset are output and displayed on a preset unknown asset identification interface so that an asset manager can confirm and claim the unknown asset; the unknown asset is thereby brought under management, and the corresponding asset manager tracks and manages it. Through the unknown asset management interface the asset manager can confirm and claim the unknown asset, and can also configure its related information, such as the location, the security risk level and the importance degree of the unknown asset, so as to obtain the portrait information of the unknown asset.
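Added example (not from the patent) of steps S301-S305 in Python, with the host survival probe and the port service scan injected as callables so that it runs offline against constructed data; the portrait fields and the claim interface are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass
class Portrait:
    """Portrait information kept in the existing asset library (fields assumed)."""
    ip: str
    ports: tuple[int, ...]
    area: str
    manager: str
    security_risk_level: str
    location: str
    importance: str


class AssetLibrary:
    """Existing asset library plus the queue shown on the unknown-asset interface."""

    def __init__(self, known: Iterable[Portrait] = ()):
        self._known = {p.ip: p for p in known}
        self.unclaimed: dict[str, tuple[int, ...]] = {}  # ip -> open ports awaiting a claim

    def lookup(self, ip: str) -> Portrait | None:
        return self._known.get(ip)

    def detect(self, candidates: Iterable[str], is_alive: Callable[[str], bool],
               port_scan: Callable[[str], tuple[int, ...]]) -> dict[str, Portrait | None]:
        """Steps S301-S304. `is_alive` stands in for the preset IP scanning tool and
        `port_scan` for the port service scan; both are injected so this runs offline.
        Known assets map to their library portrait; unknown ones map to None after
        their open ports were recorded for the unknown-asset interface."""
        result: dict[str, Portrait | None] = {}
        for ip in candidates:
            if not is_alive(ip):
                continue  # not a live host, so not a target asset
            portrait = self.lookup(ip)
            if portrait is None:
                self.unclaimed[ip] = port_scan(ip)
            result[ip] = portrait
        return result

    def confirm(self, ip: str, area: str, manager: str, security_risk_level: str,
                location: str, importance: str) -> Portrait:
        """Step S305: the asset manager claims the unknown asset and configures its
        location, security risk level and importance, completing its portrait."""
        if ip not in self.unclaimed:
            raise KeyError(f"{ip} is not waiting to be claimed")
        portrait = Portrait(ip, self.unclaimed.pop(ip), area, manager,
                            security_risk_level, location, importance)
        self._known[ip] = portrait
        return portrait


# Constructed sample environment (not from the patent).
KNOWN = [Portrait("10.0.0.5", (22, 443), "area-1", "alice", "high", "internet", "critical")]
ALIVE = {"10.0.0.5", "10.0.0.7"}            # hosts the survival probe reports as up
OPEN_PORTS = {"10.0.0.7": (22, 8080)}       # what the port service scan would return
CANDIDATES = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]


def run_detection() -> tuple[AssetLibrary, dict[str, Portrait | None]]:
    lib = AssetLibrary(KNOWN)
    found = lib.detect(CANDIDATES, ALIVE.__contains__, lambda ip: OPEN_PORTS.get(ip, ()))
    return lib, found


if __name__ == "__main__":
    lib, found = run_detection()
    for ip, portrait in found.items():
        print(ip, "known" if portrait else f"unknown, open ports {lib.unclaimed[ip]}")
    # An asset manager claims the unknown host through the interface.
    print(lib.confirm("10.0.0.7", "area-1", "bob", "medium", "intranet", "medium"))
```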
In an alternative embodiment, as shown in FIG. 4, the process of scanning for a target asset includes:
Step S401: establishing a vulnerability scanning task according to a scanning strategy and scanning parameters, and determining a scanning execution period of the vulnerability scanning task;
step S402: registering the vulnerability scanning task in a cron scheduling engine; at this time, the state of the scanning task is waiting for execution;
step S403: the cron scheduling engine polls the state of the vulnerability scanning task, when the state of the task is the scanning execution period of the vulnerability scanning task waiting to be executed, the vulnerability scanning task is executed, and the configured vulnerability scanner is called to scan the target asset, wherein the state of the vulnerability scanning task is in execution at the moment;
step S404: and after the execution of the vulnerability scanning task is completed, updating the state of the vulnerability scanning task to scanned.
In step S401, a scanning policy and scanning parameters configured by a user may be received through a user interface, and a corresponding vulnerability scanning task is then created according to the scanning policy and the scanning parameters, so that the target asset is scanned through the vulnerability scanning task. The scanning policy mainly holds the general configuration adopted when vulnerability scanning is executed, so that scanning is more targeted, scanning time is reduced, and so on; examples are automatic matching scan, Windows series, Linux series and high-risk vulnerability scan. The scanning parameters mainly include personalized parameter configurations such as the name of the scanning task, the execution mode, the invoked scanning engine, the port range of the scan and the target of the scan. An allowable scan period range set by the user for each target asset may also be received through the user interface, and the period in which the scan scheduler scans is set within that allowable scan period range.
In steps S402-S404, cron is a scheduling daemon that executes tasks at specified intervals; these tasks are called cron jobs and are mainly used to perform system maintenance or management tasks automatically. The vulnerability scanning task is registered in the cron scheduling engine so that it is executed automatically and periodically. The cron scheduling engine polls the state of the task; when the execution period of a vulnerability scanning task waiting for execution is reached, the vulnerability scanning task is executed, the configured vulnerability scanner is called to scan the target asset, and the state of the vulnerability scanning task is set to executing; after the scan is completed, the state of the vulnerability scanning task is updated to scanned.
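Added example (not from the patent): a minimal stand-in for the cron scheduling engine of steps S401-S404 in Python, driven by a simulated clock. The task parameters, the per-task allowed scan window and the re-queueing of a scanned task for its next period are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class TaskState(Enum):
    WAITING = "waiting for execution"
    EXECUTING = "executing"
    SCANNED = "scanned"


@dataclass
class ScanTask:
    """A vulnerability scanning task (step S401). Parameter names are assumptions."""
    name: str
    policy: str                 # e.g. "high-risk vulnerability scan", "linux series"
    targets: list[str]
    port_range: str
    engine: str
    period: int                 # scan execution period in seconds
    window: tuple[int, int] = (0, 86400)  # allowed scan period, in seconds of the day
    state: TaskState = TaskState.WAITING
    next_run: int = 0
    runs: int = 0
    findings: list = field(default_factory=list)


class CronEngine:
    """Minimal stand-in for the cron scheduling engine of steps S402-S404."""

    def __init__(self, scanner: Callable[[ScanTask], list]):
        self.scanner = scanner          # the configured vulnerability scanner (injected)
        self.tasks: list[ScanTask] = []

    def register(self, task: ScanTask, now: int) -> None:
        """Step S402: the task enters the engine in the waiting state."""
        task.state = TaskState.WAITING
        task.next_run = now + task.period
        self.tasks.append(task)

    @staticmethod
    def _in_window(task: ScanTask, now: int) -> bool:
        start, end = task.window
        return start <= now % 86400 < end

    def poll(self, now: int) -> list[str]:
        """Steps S403-S404 for one polling pass; returns the names of tasks executed."""
        executed = []
        for task in self.tasks:
            # A finished periodic task is re-queued when its next period arrives (assumption).
            if task.state is TaskState.SCANNED and now >= task.next_run:
                task.state = TaskState.WAITING
            if task.state is not TaskState.WAITING or now < task.next_run:
                continue
            if not self._in_window(task, now):
                continue                # due, but outside the allowed scan period
            task.state = TaskState.EXECUTING
            task.findings = self.scanner(task)
            task.runs += 1
            task.next_run = now + task.period
            task.state = TaskState.SCANNED
            executed.append(task.name)
        return executed


def fake_scanner(task: ScanTask) -> list:
    """Constructed scanner result: one finding per target, tagged with the policy."""
    return [(target, task.policy) for target in task.targets]


def simulate(until: int, step: int = 600) -> tuple[CronEngine, dict[int, list[str]]]:
    """Drive the engine with a simulated clock from 0 to `until` seconds."""
    engine = CronEngine(fake_scanner)
    hourly = ScanTask("dmz-hourly", "high-risk vulnerability scan", ["10.0.0.5"],
                      "1-1024", "scanner-1", period=3600)
    nightly = ScanTask("intranet-window", "linux series", ["10.0.0.9"],
                       "1-65535", "scanner-2", period=1800, window=(2 * 3600, 4 * 3600))
    engine.register(hourly, 0)
    engine.register(nightly, 0)
    log: dict[int, list[str]] = {}
    for now in range(0, until + 1, step):
        ran = engine.poll(now)
        if ran:
            log[now] = ran
    return engine, log


if __name__ == "__main__":
    engine, log = simulate(5 * 3600)
    for now, names in log.items():
        print(f"t={now:>5}s executed {names}")
```

The second task becomes due at 1800 s but is held until its window opens at 7200 s, which is the "allowable scan period range" behaviour described for step S401.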
In an alternative embodiment, as shown in FIG. 5, the process of associating the first vulnerability with the target asset and pushing the first vulnerability and its associated target asset to the asset manager may comprise:
step S501: determining the target asset associated with the first vulnerability according to the IP address and the port number of the first vulnerability;
step S502: determining an asset manager corresponding to the target asset;
step S503: if exactly one asset manager corresponds to the target asset, pushing the first vulnerability associated with the target asset to that asset manager;
Step S504: if a plurality of asset managers correspond to the target asset, outputting the target asset, the asset managers and the associated first vulnerability, and displaying them on a page to be allocated;
step S505: and responding to the operation on the page to be allocated, determining a target asset manager corresponding to the target asset, and pushing the first vulnerability associated with the target asset to the corresponding target asset manager.
After pushing the first vulnerability to an asset manager corresponding to the associated target asset, repairing and restoring the first vulnerability by the asset manager.
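Added example (not from the patent) of steps S501-S505 in Python: routing each first vulnerability to its asset manager, or to the page to be allocated when several managers are recorded. The data shapes are assumptions; it also handles a finding whose IP address and port match no detected asset, a case the steps do not mention.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    """A first vulnerability as reported by the scanner (subset of the claim 9 fields)."""
    ip: str
    port: int
    component: str
    vuln_type: str


@dataclass(frozen=True)
class Asset:
    ip: str
    port: int
    managers: tuple[str, ...]   # asset managers recorded for this asset (one or several)


@dataclass
class Dispatcher:
    """Associates findings with assets and pushes them to the responsible manager."""
    assets: dict[tuple[str, int], Asset]
    pushed: dict[str, list[Finding]] = field(default_factory=dict)   # manager -> findings
    to_allocate: dict[Finding, Asset] = field(default_factory=dict)  # the page to be allocated

    def associate(self, finding: Finding) -> Asset | None:
        """Step S501: match on the IP address and port number of the first vulnerability."""
        return self.assets.get((finding.ip, finding.port))

    def push(self, finding: Finding) -> str:
        """Steps S502-S504. Returns 'pushed', 'to-allocate' or 'unassociated'."""
        asset = self.associate(finding)
        if asset is None:
            return "unassociated"   # no detected asset owns this IP/port: nobody to push to
        if len(asset.managers) == 1:
            self.pushed.setdefault(asset.managers[0], []).append(finding)
            return "pushed"
        self.to_allocate[finding] = asset   # several managers: show on the allocation page
        return "to-allocate"

    def allocate(self, finding: Finding, chosen: str) -> None:
        """Step S505: the operation on the page to be allocated names the target manager."""
        asset = self.to_allocate[finding]
        if chosen not in asset.managers:
            raise ValueError(f"{chosen} is not a manager of {asset.ip}:{asset.port}")
        del self.to_allocate[finding]
        self.pushed.setdefault(chosen, []).append(finding)


# Constructed sample data (not from the patent).
ASSETS = {
    ("10.0.0.5", 443): Asset("10.0.0.5", 443, ("alice",)),
    ("10.0.0.9", 8080): Asset("10.0.0.9", 8080, ("bob", "carol")),
}
F_SINGLE = Finding("10.0.0.5", 443, "openssl", "information-disclosure")
F_MULTI = Finding("10.0.0.9", 8080, "tomcat", "remote-code-execution")
F_ORPHAN = Finding("10.0.0.12", 22, "openssh", "weak-configuration")


def run_dispatch() -> tuple[Dispatcher, dict[str, str]]:
    dispatcher = Dispatcher(ASSETS)
    outcomes = {f.ip: dispatcher.push(f) for f in (F_SINGLE, F_MULTI, F_ORPHAN)}
    return dispatcher, outcomes


if __name__ == "__main__":
    dispatcher, outcomes = run_dispatch()
    print(outcomes)
    dispatcher.allocate(F_MULTI, "carol")   # the operation on the page to be allocated
    print({m: [f.ip for f in fs] for m, fs in dispatcher.pushed.items()})
```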
Fig. 6 is a schematic diagram illustrating a configuration of a network asset management device according to an embodiment of the present invention. As shown in fig. 6, the network asset management device 600 includes:
an asset detection module 601, configured to detect an asset in a network, and determine portrait information of a target asset by using the detected asset as the target asset;
a vulnerability scanning module 602, configured to scan the target asset and determine whether a first vulnerability exists in the target asset; determining first related information of a first vulnerability under the condition that the first vulnerability exists in the target asset;
the association module 603 is configured to associate the first vulnerability with the target asset based on the portrait information and the first related information, and output the first vulnerability and the target asset associated with the first vulnerability;
And the vulnerability verification module 604 is configured to, when a verification trigger condition is reached, verify the target asset associated with the vulnerability to be verified by using the first vulnerability as the vulnerability to be verified, so as to determine whether the vulnerability to be verified is repaired.
The network asset management device of the embodiment of the invention detects the asset in the network, uses the detected asset as a target asset, and determines portrait information of the target asset; scans the target asset and determines whether a first vulnerability exists in the target asset; determines first relevant information of the first vulnerability under the condition that the first vulnerability exists in the target asset; correlates the first vulnerability with the target asset based on the portrait information and the first related information, and pushes the target asset correlated with the first vulnerability to an asset manager; and verifies the target asset associated with the vulnerability to be verified by taking the first vulnerability as the vulnerability to be verified, in order to determine whether the vulnerability to be verified is effectively repaired. It thereby carries out deep association of the asset and the vulnerability, automatically sends the relevant information of the vulnerability to the asset management responsible person, has the asset management responsible person complete the repair and state change of the vulnerability, and carries out automatic vulnerability verification, achieving automated closed-loop tracking management and vulnerability verification of the asset-vulnerability pair, avoiding attack or destruction of the network and improving the security of the network.
In an alternative embodiment, the vulnerability verification module is configured to:
taking the first vulnerability as a vulnerability to be verified, and determining the priority of the vulnerability to be verified according to first related information of the vulnerability to be verified and portrait information of a target asset associated with the vulnerability to be verified;
and verifying the target asset associated with the vulnerability to be verified according to the priority of the vulnerability to be verified.
In an alternative embodiment, the vulnerability verification module is configured to:
verifying the target asset associated with the vulnerability to be verified, and determining whether a second vulnerability exists in the target asset associated with the vulnerability to be verified;
under the condition that the target asset associated with the vulnerability to be verified does not have the second vulnerability, determining that the vulnerability to be verified is effectively repaired;
acquiring second related information of a second vulnerability under the condition that the target asset associated with the vulnerability to be verified has the second vulnerability;
determining the similarity of the vulnerability to be verified and the second vulnerability according to the first related information and the second related information;
and determining whether the vulnerability to be verified is repaired or not according to the similarity of the vulnerability to be verified and the second vulnerability.
In an alternative embodiment, the vulnerability verification module is configured to:
determining that the vulnerability to be verified is not effectively repaired under the condition that the similarity between the vulnerability to be verified and the second vulnerability is greater than or equal to a preset threshold value;
and under the condition that the similarity between the vulnerability to be verified and the second vulnerability is smaller than a preset threshold value, determining that the vulnerability to be verified is effectively repaired.
In an alternative embodiment, the asset detection module is configured to:
detecting the survival of a host computer of a network by using a preset IP scanning tool, determining the asset in the network, and taking the asset in the network as a target asset;
comparing the target asset with an existing asset library to determine whether the target asset is a known asset;
if the target asset is a known asset, determining portrait information of the target asset based on the existing asset library;
and if the target asset is a non-known asset, carrying out port service scanning on the target asset, displaying a scanning result, receiving confirmation information of the target asset, and determining portrait information of the target asset based on the confirmation information.
In an alternative embodiment, the vulnerability scanning module is configured to:
Determining the priority of the target asset according to the portrait information of the target asset;
and scanning the target asset according to the priority of the target asset, and determining whether a first vulnerability exists in the target asset.
In an alternative embodiment, the representation information of the target asset further includes one or more of the following items of information: asset security risk level, asset location, asset importance level;
the vulnerability scanning module is used for: and determining the priority of the target asset according to one or more of the security risk level, the position and the importance degree of the target asset.
The device can execute the method provided by the embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method. Technical details not described in detail in this embodiment may be found in the methods provided in the embodiments of the present invention.
The embodiment of the present invention further provides an electronic device, as shown in fig. 7, including a processor 701, a communication interface 702, a memory 703 and a communication bus 704, where the processor 701, the communication interface 702, and the memory 703 perform communication with each other through the communication bus 704,
a memory 703 for storing a computer program;
The processor 701 is configured to execute the program stored in the memory 703, and implement the following steps:
detecting an asset in the network, taking the detected asset as a target asset, and determining portrait information of the target asset;
scanning the target asset and determining whether a first vulnerability exists in the target asset;
under the condition that the first vulnerability exists in the target asset, determining first relevant information of the first vulnerability;
correlating the first vulnerability with the target asset based on the portrait information and the first related information, and pushing the target asset correlated with the first vulnerability to an asset manager;
and verifying the target asset associated with the vulnerability to be verified by taking the first vulnerability as the vulnerability to be verified so as to determine whether the vulnerability to be verified is effectively repaired.
The communication bus 704 mentioned for the above terminal may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus 704 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is drawn in the figure, which does not mean that there is only one bus or one type of bus.
The communication interface 702 is used for communication between the terminal and other devices.
The memory 703 may include random access memory (Random Access Memory, RAM) or may include non-volatile memory (non-volatile memory), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor 701.
The processor 701 may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU for short), a network processor (Network Processor, NP for short), and the like; but also digital signal processors (Digital Signal Processing, DSP for short), application specific integrated circuits (Application Specific Integrated Circuit, ASIC for short), field-programmable gate arrays (Field-Programmable Gate Array, FPGA for short) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components.
In yet another embodiment of the present invention, a computer readable medium is provided, in which instructions are stored, which when run on a computer, cause the computer to perform the network asset management method according to any of the above embodiments.
In yet another embodiment of the present invention, a computer program product containing instructions that, when run on a computer, cause the computer to perform the network asset management method of any of the above embodiments is also provided.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flows or functions according to the embodiments of the present invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), etc.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, the embodiments are described in a related manner; identical and similar parts of the embodiments may be referred to each other, and each embodiment mainly describes its differences from the other embodiments. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively simple, and reference may be made to the relevant parts of the description of the method embodiments.
The foregoing description is only of the preferred embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention are included in the protection scope of the present invention.

Claims (12)

1. A method of network asset management, comprising:
detecting an asset in a network, taking the detected asset as a target asset, and determining portrait information of the target asset;
scanning the target asset and determining whether a first vulnerability exists in the target asset;
determining first related information of a first vulnerability under the condition that the first vulnerability exists in the target asset;
based on the portrait information and the first related information, associating the first vulnerability with the target asset, and outputting the first vulnerability and the target asset associated with the first vulnerability;
and when the verification triggering condition is reached, the first vulnerability is used as a vulnerability to be verified, and the target asset associated with the vulnerability to be verified is verified to determine whether the vulnerability to be verified is repaired or not.
2. The method of claim 1, wherein the verifying the target asset associated with the vulnerability to be verified using the first vulnerability as the vulnerability to be verified comprises:
Taking the first vulnerability as a vulnerability to be verified, and determining the priority of the vulnerability to be verified according to first related information of the vulnerability to be verified and portrait information of a target asset associated with the vulnerability to be verified;
and verifying the target asset associated with the vulnerability to be verified according to the priority of the vulnerability to be verified.
3. The method of claim 1, wherein verifying the target asset associated with the vulnerability to be verified to determine whether the vulnerability to be verified is remediated comprises:
verifying the target asset associated with the vulnerability to be verified, and determining whether a second vulnerability exists in the target asset associated with the vulnerability to be verified;
under the condition that the target asset associated with the vulnerability to be verified does not have the second vulnerability, determining that the vulnerability to be verified is effectively repaired;
acquiring second related information of a second vulnerability under the condition that the target asset associated with the vulnerability to be verified has the second vulnerability;
determining the similarity of the vulnerability to be verified and the second vulnerability according to the first related information and the second related information;
and determining whether the vulnerability to be verified is repaired or not according to the similarity of the vulnerability to be verified and the second vulnerability.
4. The method of claim 3, wherein the determining whether the vulnerability to be verified is repaired based on the similarity of the vulnerability to be verified and the second vulnerability comprises:
determining that the vulnerability to be verified is not effectively repaired under the condition that the similarity between the vulnerability to be verified and the second vulnerability is greater than or equal to a preset threshold value;
and under the condition that the similarity between the vulnerability to be verified and the second vulnerability is smaller than a preset threshold value, determining that the vulnerability to be verified is effectively repaired.
5. The method of claim 1, wherein the detecting the asset in the network, using the detected asset as a target asset, and determining portrayal information of the target asset comprises:
detecting the survival of a host computer of a network by using a preset IP scanning tool, determining the asset in the network, and taking the asset in the network as a target asset;
comparing the target asset with an existing asset library to determine whether the target asset is a known asset;
if the target asset is a known asset, determining portrait information of the target asset based on the existing asset library;
and if the target asset is a non-known asset, carrying out port service scanning on the target asset, displaying a scanning result, receiving confirmation information of the target asset, and determining portrait information of the target asset based on the confirmation information.
6. The method of any of claims 1-6, wherein the representation information of the target asset comprises an identification of the target asset, the identification comprising an IP address, a port number, and an area flag.
7. The method of claim 6, wherein the scanning the target asset to determine whether a first vulnerability exists in the target asset comprises:
determining the priority of the target asset according to the portrait information of the target asset;
and scanning the target asset according to the priority of the target asset, and determining whether a first vulnerability exists in the target asset.
8. The method of claim 7, wherein the representation information of the target asset further comprises one or more of the following items of information: asset security risk level, asset location, asset importance level;
the determining the priority of the target asset according to the portrait information of the target asset comprises the following steps:
and determining the priority of the target asset according to one or more of the security risk level, the position and the importance degree of the target asset.
9. The method of claim 1, wherein the first relevant information for the first vulnerability includes one or more of the following items of information: IP address, port number, name of the component generating the vulnerability, version, vulnerability type, vulnerability risk level.
10. A network asset management device, comprising:
the asset detection module is used for detecting the asset in the network, taking the detected asset as a target asset and determining portrait information of the target asset;
the vulnerability scanning module is used for scanning the target asset and determining whether a first vulnerability exists in the target asset; determining first related information of a first vulnerability under the condition that the first vulnerability exists in the target asset;
the association module is used for associating the first vulnerability with the target asset based on the portrait information and the first related information and outputting the first vulnerability and the target asset associated with the first vulnerability;
and the vulnerability verification module is used for verifying the target asset associated with the vulnerability to be verified by taking the first vulnerability as the vulnerability to be verified when a verification triggering condition is reached, so as to determine whether the vulnerability to be verified is repaired or not.
11. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs,
when executed by the one or more processors, causes the one or more processors to implement the method of any of claims 1-9.
12. A computer readable medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method according to any of claims 1-9.
CN202211716348.1A 2022-12-29 2022-12-29 Network asset management method, device, electronic equipment and medium Pending CN116132132A (en)

Publications (1)

Publication Number Publication Date
CN116132132A true CN116132132A (en) 2023-05-16

Family

ID=86296720
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116915461A (en) * 2023-07-14 2023-10-20 北京立思辰安科技术有限公司 Data processing system for acquiring final vulnerability scanning equipment
CN116915461B (en) * 2023-07-14 2024-06-07 北京立思辰安科技术有限公司 Data processing system for acquiring final vulnerability scanning equipment
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination