CN116208386A - Vulnerability management method, system, electronic equipment and medium for automobile network security - Google Patents
- Publication number
- CN116208386A (application CN202310076251.7A)
- Authority
- CN
- China
- Prior art keywords
- vulnerability
- repair
- information
- scheme
- historical database
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02T—CLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
- Y02T10/00—Road transport of goods or passengers
- Y02T10/10—Internal combustion engine [ICE] based vehicles
- Y02T10/40—Engine management systems
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention provides a vulnerability management method for automotive network security, comprising the following steps: acquiring, in real time, the vulnerabilities of the current vehicle and the vulnerability information corresponding to them; matching the vulnerability information against a historical database and, if it matches, referencing the historical repair scheme to repair the vulnerability; if it does not match, analyzing the vulnerability to obtain vulnerability parameters and formulating a designated repair scheme based on those parameters, the designated repair scheme being used to repair the vulnerability; and uploading the vulnerability information to the historical database for the historical database to manage. The technical scheme provided by the invention has the beneficial effect that it can not only effectively repair disclosed network security vulnerabilities but also formulate a designated repair scheme for unpublished and undiscovered ones, raising the network security protection level of the vehicle and helping enterprises build the vulnerability management link of an automotive network security system more effectively.
Description
Technical Field
The application relates to the technical field of automotive network security, and in particular to a vulnerability management method, system, electronic device and medium for automotive network security.
Background
Systematic overall management is being applied to the network security of automobiles. As leading OEM (Original Equipment Manufacturer, i.e. whole-vehicle factory) enterprises progressively standardize and build a CSMS (Cyber Security Management System), network security vulnerabilities are expected to be managed systematically as one link of that system. With the rapid development of intelligent and connected vehicles, the attack surface of the automobile keeps growing and the threats it faces increase; once a hacker attacks through a vulnerability, users can suffer enormous personal and property losses. Meanwhile, the Internet of Vehicles has become part of cyberspace, and its security bears on the security of cyberspace as a whole.
Because the automotive vulnerability sharing platforms developed in the industry so far are limited to the single function of vulnerability collection and sharing, automotive security events cannot be verified in real time and cannot be researched and judged; and the overall network security management systems designed in the related art give no clear system design for vulnerability management.
Disclosure of Invention
In view of the above drawbacks of the prior art, an object of the present invention is to provide a vulnerability management method, system, electronic device and medium for automotive network security, used to solve the problem that the prior art gives no explicit system design for vulnerability management.
To achieve the above and other related objects, the present invention provides a vulnerability management method for automobile network security, comprising:
acquiring, in real time, the vulnerabilities of the current vehicle and the vulnerability information corresponding to them;
matching the vulnerability information with a historical database, and if the vulnerability information is matched with the historical database, referencing a historical repair scheme to repair the vulnerability;
if the vulnerability information is not matched with the historical database, analyzing the vulnerability to obtain vulnerability parameters, and formulating a specified repair scheme based on the vulnerability parameters, wherein the specified repair scheme is used for vulnerability repair;
and uploading the vulnerability information to a historical database for the historical database to manage.
In one embodiment of the present invention, after obtaining the vulnerability of the current automobile and the vulnerability information corresponding to the vulnerability, the method further includes:
judging the threat level of the vulnerabilities;
analyzing the root cause of the vulnerability, the systems involved and the attack paths, obtaining the threat level of the vulnerability, comparing it with a preset threat level and, if the threat level of the vulnerability is lower than the preset threat level, recording the vulnerability information in the historical database;
and if the threat level is higher than or equal to the preset threat level, recording the vulnerability information in the historical database and uploading it to a network supervision center.
In one embodiment of the present invention, repairing based on the formulated repair scheme comprises:
creating a simulated repair scene and generating the vulnerability in the simulated repair scene;
importing the formulated designated repair scheme into the simulated repair scene, repairing the new vulnerability based on the scheme and generating repair information; if the repair information shows that the repair succeeded, importing the formulated designated repair scheme into the system for repair; and if the repair information shows that the repair failed, optimizing and perfecting the formulated designated repair scheme until the repair information shows that the repair succeeded.
In one embodiment of the invention, the method further comprises:
and after the vulnerability repair is completed, uploading the repair result, the repair information and the designated repair scheme to the historical database, and synchronously uploading them to the network supervision center.
The invention also provides a vulnerability management system for automotive network security, comprising:
the information acquisition module is used for acquiring vulnerability information of the current automobile;
the matching module is used for matching the vulnerability information with the historical database;
the vulnerability repair module is used for referencing the historical repair scheme to repair the vulnerability, or for formulating a designated repair scheme to repair it;
and the historical database module is used for collecting, storing and managing the vulnerability information.
In one embodiment of the invention, the system further comprises:
the analysis module is used for identifying the root cause of the vulnerability, the systems it involves, its attack paths and attack feasibility;
the risk assessment module is used for assessing the risk level of the vulnerability;
and the uploading module is used for recording the vulnerability in the historical database or synchronously uploading it to the network supervision center.
In one embodiment of the present invention, the vulnerability repair module includes:
the scheme-making unit, used for preliminarily making a repair scheme capable of repairing the vulnerability;
the test unit, used for creating a simulated repair scene and generating the vulnerability information in the simulated repair scene;
the optimizing unit, used for perfecting and optimizing a scheme that cannot repair the vulnerability;
and the repair unit is used for importing the completed repair scheme into the current vehicle-mounted system to repair the vulnerability.
In one embodiment of the present invention, the uploading module includes:
the vulnerability information reporting unit is used for reporting vulnerability risk and risk assessment information to the historical database and the network supervision center for management;
and the processing result reporting unit is used for reporting the vulnerability repair result and the verification record to the historical database, and for reporting high-risk vulnerabilities to the network supervision center for management.
The invention also provides an electronic device comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the electronic device to implement a vulnerability management method of automotive network security as claimed in any one of the preceding claims.
The present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor of a computer, causes the computer to perform any of the above vulnerability management methods for automotive network security.
As described above, the technical solution of the present invention at least includes:
according to the method, vulnerability information is obtained in real time, and by obtaining, analyzing and repairing vulnerabilities the vulnerabilities in the vehicle-mounted system can be repaired effectively: disclosed network security vulnerabilities are repaired effectively, and a designated repair scheme can be formulated for unpublished and undiscovered network security vulnerabilities, so the network security protection level of the vehicle is enhanced, the network security of the vehicle is effectively improved, and the enterprise is helped to build the vulnerability management link of its automotive network security system more effectively;
and unpublished and undiscovered network security vulnerabilities can be reported to a network supervision center, which discloses the technical characteristics, hazard level, scope of influence, disposal measures and other information of the vulnerabilities, comprehensively raising the network security vulnerability protection level across the enterprise's vehicle models.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application. It is apparent that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art. In the drawings:
FIG. 1 is a flow chart of a vulnerability management method for automotive network security according to an exemplary embodiment of the invention;
FIG. 2 is a flow chart of threat level determination for vulnerabilities according to an exemplary embodiment of the present invention;
FIG. 3 is a flowchart illustrating specific steps for repairing vulnerabilities according to an exemplary embodiment of the present invention;
FIG. 4 is a block diagram of a vulnerability management system for automotive network security according to an exemplary embodiment of the present invention;
FIG. 5 is a block diagram of a vulnerability risk analysis assessment system according to an exemplary embodiment of the present invention;
FIG. 6 is a schematic diagram of a computer system according to an exemplary embodiment of the present application.
Detailed Description
Further advantages and effects of the present invention will become readily apparent to those skilled in the art from the disclosure herein, by referring to the accompanying drawings and the preferred embodiments. The invention may be practiced or carried out in other embodiments that depart from the specific details, and the details of the present description may be modified or varied in various respects without departing from the spirit and scope of the present invention. It should be understood that the preferred embodiments are presented by way of illustration only and not by way of limitation.
It should be noted that the illustrations provided in the following embodiments merely illustrate the basic concept of the present invention by way of illustration, and only the components related to the present invention are shown in the drawings and are not drawn according to the number, shape and size of the components in actual implementation, and the form, number and proportion of the components in actual implementation may be arbitrarily changed, and the layout of the components may be more complicated.
In the following description, numerous details are set forth in order to provide a more thorough explanation of embodiments of the present invention, it will be apparent, however, to one skilled in the art that embodiments of the present invention may be practiced without these specific details, in other embodiments, well-known structures and devices are shown in block diagram form, rather than in detail, in order to avoid obscuring the embodiments of the present invention.
FIG. 1 is a flowchart of a vulnerability management method for automotive network security according to an exemplary embodiment of the present application; referring to FIG. 1, the present invention provides an automotive network security vulnerability management method, which includes:
140, if the vulnerability information is not matched with the historical database, analyzing the vulnerability to obtain vulnerability parameters, and formulating a designated repair scheme based on the vulnerability parameters, wherein the designated repair scheme is used for vulnerability repair;
In one embodiment of the application, specifically, the vehicle-mounted system detects and acquires vulnerabilities and their corresponding vulnerability information in real time, where the vulnerabilities include public vulnerabilities, public threat intelligence, and unpublished vulnerabilities discovered in the security testing phase of a vehicle model project;
matching the vulnerability information against a historical database, where the historical database holds vulnerability information and the repair scheme corresponding to it; if the vulnerability information collected by the current vehicle matches an entry of vulnerability information in the historical database,
judging whether that vulnerability information has a corresponding repair scheme; if it does, referencing the repair scheme directly to repair the vulnerability, and if it does not, formulating a designated repair scheme to repair the vulnerability, where the designated repair scheme may be generated autonomously by the system from the vulnerability parameters or produced by an engineer operator;
if the vulnerability information matches no entry of vulnerability information in the historical database, formulating a designated repair scheme for the repair;
and uploading the vulnerability information to the historical database for the historical database to manage.
FIG. 2 is a flowchart illustrating threat level determination for vulnerabilities according to an exemplary embodiment of the present application; referring to FIG. 2,
after obtaining the vulnerability of the current vehicle and the vulnerability information corresponding to it, the method further comprises the following steps:
220, analyzing the root cause of the vulnerabilities, the systems involved and the attack paths, and obtaining the threat level of the vulnerabilities;
and 250, if the threat level is higher than or equal to the preset threat level, recording the vulnerability information into a historical database and uploading the vulnerability information to a network supervision center.
In one embodiment of the application, specifically, after obtaining the vulnerability information, an analysis module analyzes and evaluates the root cause of the vulnerability, the systems and parts involved, the attack paths of the vulnerability and the attack feasibility, and generates an evaluation result; a threat level of the vulnerability is generated from the evaluation result and compared with a preset threat level. If the threat level of the vulnerability is lower than the preset threat level, the vulnerability information is only uploaded to the historical database for storage; if it is higher than or equal to the preset threat level, the vulnerability information is uploaded to the historical database for storage and also uploaded to the network supervision center for unified storage and management.
FIG. 3 is a flowchart illustrating the specific steps of repairing a vulnerability according to an exemplary embodiment of the present application; referring to FIG. 3,
repairing based on the formulated repair scheme comprises the following steps:
and 340, if the repair information shows that the repair fails, optimizing and perfecting the formulated specified repair scheme until the repair information shows that the repair is successful.
In one embodiment of the application, specifically, a simulated repair scene for the vulnerability is created and the vulnerability is generated in it; the designated repair scheme formulated above is imported into the simulated repair scene to repair the vulnerability, and repair information is generated. If the repair information shows that the repair succeeded, the designated repair scheme is imported into the vehicle-mounted system to repair the vulnerability. If it shows that the repair failed, the vehicle-mounted system or an engineer operator improves and optimizes the designated repair scheme, and the improved scheme is imported into the simulated repair scene again to repair the vulnerability, until the repair information shows that the repair succeeded.
The method further comprises the steps of:
after the vulnerability repair is completed, the repair result, the repair information and the designated repair scheme are uploaded to the historical database and synchronously uploaded to the network supervision center.
In one embodiment of the present application, specifically, after the vulnerability is repaired successfully, the repair information and the designated repair scheme corresponding to it are uploaded to the historical database, and a judgment is made based on the threat level of the vulnerability: if the threat level is higher than or equal to the set threat level, the repair information and the designated repair scheme are uploaded to the historical database and synchronously uploaded to the network supervision center.
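As an added illustration (not code from the patent), the following Python sketch models the flow of FIG. 1 to FIG. 3 as described above: a historical database keyed on the vulnerability's technical fingerprint, threat-level triage against a preset reporting threshold, reuse of a historical repair scheme when one exists, and otherwise a designated scheme that is refined and retested in a simulated repair scene until it succeeds. The data model, the scoring rule, the report threshold, the attempt bound and the sample vulnerabilities are all assumptions made for this example; the patent specifies none of them.

```python
from dataclasses import dataclass

REPORT_THRESHOLD = 5   # assumed: threat levels at or above this go to the supervision center
MAX_ATTEMPTS = 4       # assumed bound on the optimize-and-retest loop


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str              # public identifier or internal tracking id
    component: str            # affected ECU or subsystem
    version: str              # affected software version
    root_cause: str
    attack_path: str          # "remote", "adjacent" or "physical"
    feasibility: int          # 1 (hard) .. 4 (trivial); assumed scale
    preconditions: frozenset  # conditions the exploit needs; it works only if all of them hold


@dataclass(frozen=True)
class RepairScheme:
    description: str
    removes: frozenset        # preconditions this scheme eliminates


class HistoricalDatabase:
    """Keyed on a technical fingerprint, not the id, so an unpublished finding can still match."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def fingerprint(v):
        return (v.component, v.version, v.root_cause)

    def lookup(self, v):
        """Returns (matched, scheme); matched with scheme None means known but not yet repaired."""
        fp = self.fingerprint(v)
        return fp in self._records, self._records.get(fp)

    def store(self, v, scheme):
        self._records[self.fingerprint(v)] = scheme


def threat_level(v):
    """Assumed scoring: attack-path reachability plus feasibility, giving 2..7."""
    return {"remote": 3, "adjacent": 2, "physical": 1}[v.attack_path] + v.feasibility


def repaired_in_simulation(v, scheme):
    """Simulated repair scene: the repair succeeds once it breaks at least one precondition."""
    return not v.preconditions.isdisjoint(scheme.removes)


def optimize_until_fixed(v, scheme, improve, max_attempts=MAX_ATTEMPTS):
    """Test in simulation; on failure ask `improve` for a refined scheme and retest.
    The bound stops a scheme that can never work from looping forever."""
    for attempt in range(1, max_attempts + 1):
        if repaired_in_simulation(v, scheme):
            return scheme, attempt
        scheme = improve(scheme, attempt)
    raise RuntimeError(f"{v.vuln_id}: no working repair after {max_attempts} attempts")


def manage_vulnerability(v, db, formulate, improve, supervision_center):
    """One pass of the flow: triage, match, repair (reuse or formulate-and-prove), record."""
    level = threat_level(v)
    reported = level >= REPORT_THRESHOLD
    if reported:  # high-threat findings reach the center at triage, before any fix exists
        supervision_center.append({"vuln_id": v.vuln_id, "level": level, "stage": "triage"})
    matched, scheme = db.lookup(v)
    if matched and scheme is not None:
        source, attempts = "historical", 0
    else:  # unknown, or known without a recorded scheme: formulate and prove in simulation
        scheme, attempts = optimize_until_fixed(v, formulate(v), improve)
        source = "designated"
    # importing the proven scheme into the vehicle-mounted system is not modelled here
    db.store(v, scheme)
    if reported:
        supervision_center.append({"vuln_id": v.vuln_id, "level": level,
                                   "stage": "repaired", "scheme": scheme.description})
    return {"source": source, "level": level, "reported": reported, "attempts": attempts}


# Constructed sample data, not taken from the patent.
HIGH = Vulnerability("INT-0001", "telematics-unit", "2.3.1",
                     "diagnostic session accepted without authentication", "remote", 3,
                     frozenset({"unauthenticated_diag_session", "debug_port_reachable"}))
LOW = Vulnerability("INT-0002", "seat-module", "1.0.0",
                    "debug port left enabled on wired diagnostics", "physical", 1,
                    frozenset({"debug_port_reachable"}))
CANDIDATES = ["legacy_tls_cipher", "debug_port_reachable", "unauthenticated_diag_session"]


def formulate(v):
    # first draft of a designated scheme; deliberately targets a condition the exploit does not need
    return RepairScheme("disable legacy TLS ciphers", frozenset({CANDIDATES[0]}))


def improve(scheme, attempt):
    # each optimization round closes one more candidate condition
    extra = CANDIDATES[min(attempt, len(CANDIDATES) - 1)]
    return RepairScheme(f"{scheme.description}; close {extra}", scheme.removes | {extra})


def run_demo():
    db, center = HistoricalDatabase(), []
    first = manage_vulnerability(HIGH, db, formulate, improve, center)  # new high-threat finding
    again = manage_vulnerability(HIGH, db, formulate, improve, center)  # same finding, now in the database
    low = manage_vulnerability(LOW, db, formulate, improve, center)     # below the report threshold
    return first, again, low, center
```

Two points of the model are worth keeping: matching on (component, version, root cause) rather than on an identifier is what lets an unpublished finding hit an earlier repair, and the optimize-and-retest loop needs an upper bound, since a scheme that cannot remove any precondition would otherwise never leave the simulated scene.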
FIG. 4 is a block diagram of a vulnerability management system for automotive network security according to an exemplary embodiment of the present application, please refer to FIG. 4;
the application also provides a vulnerability management system of automobile network security, comprising:
an information obtaining module 410, configured to obtain vulnerability information of a current automobile;
the matching module 420 is configured to match the vulnerability information with the history database;
the vulnerability repair module 430 is configured to reference a historical repair scheme to repair the vulnerability, or to formulate a designated repair scheme to repair it;
the history database module 440 is configured to collect, store, and manage vulnerability information.
In one embodiment of the present application, specifically, the information obtaining module includes a public vulnerability collecting unit, an unpublished vulnerability discovery unit and a vulnerability confirming unit, where:
the public vulnerability collecting unit is used for collecting public threat intelligence and vulnerabilities (collection channels include third-party security vendors, suppliers, vehicle users, the various business departments, or supervisory institutions);
the unpublished vulnerability discovery unit is used for collecting unpublished vulnerabilities discovered in the security testing phase of vehicle model projects;
the vulnerability confirming unit is used for analyzing and confirming the collected vulnerabilities (the analysis and confirmation covers the authenticity, completeness and relevance of the vulnerabilities, identifying the registered vehicles related to a vulnerability, and identifying the vehicles that have the network security vulnerability).
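The confirmation step, as an added example that is not part of the patent: completeness is checked against an assumed set of required fields, and relevance is resolved by locating the registered vehicles whose installed component version lies in the affected range. Authenticity of the report is not modelled, since it depends on verifying the source out of band. The field names, the version format and the fleet records are constructed for this example.

```python
REQUIRED_FIELDS = ("vuln_id", "component", "affected_from", "fixed_in", "source")  # assumed schema


def parse_version(text):
    """Assumed dotted numeric versions: "2.10.0" -> (2, 10, 0), so 2.10 sorts after 2.4."""
    return tuple(int(part) for part in text.split("."))


def check_completeness(report):
    """Completeness: returns the required fields that are missing or empty."""
    return [name for name in REQUIRED_FIELDS if not report.get(name)]


def version_affected(version, affected_from, fixed_in):
    """Half-open range [affected_from, fixed_in): the fixed version itself is clean."""
    return parse_version(affected_from) <= parse_version(version) < parse_version(fixed_in)


def affected_vehicles(report, fleet):
    """Relevance: which registered vehicles carry the component in an affected version."""
    hits = []
    for vehicle in fleet:
        installed = vehicle["components"].get(report["component"])
        if installed and version_affected(installed, report["affected_from"], report["fixed_in"]):
            hits.append(vehicle["vin"])
    return hits


def confirm(report, fleet):
    """Confirmation result; an incomplete report is rejected before any fleet lookup."""
    missing = check_completeness(report)
    if missing:
        return {"status": "incomplete", "missing": missing, "vehicles": []}
    vins = affected_vehicles(report, fleet)
    return {"status": "confirmed" if vins else "not_relevant", "missing": [], "vehicles": vins}


# Constructed sample data, not taken from the patent.
SAMPLE_FLEET = [
    {"vin": "VIN-A", "components": {"telematics-unit": "2.3.1"}},
    {"vin": "VIN-B", "components": {"telematics-unit": "2.4.0"}},   # already on the fixed version
    {"vin": "VIN-C", "components": {"gateway": "1.0.0"}},           # does not carry the component
    {"vin": "VIN-D", "components": {"telematics-unit": "2.10.0"}},  # a string compare would wrongly flag this
]
SAMPLE_REPORT = {"vuln_id": "INT-0001", "component": "telematics-unit",
                 "affected_from": "2.0.0", "fixed_in": "2.4.0", "source": "supplier"}
INCOMPLETE_REPORT = {"vuln_id": "INT-0003", "component": "gateway", "source": "vehicle user"}
```

Versions are compared as integer tuples; comparing them as strings would place 2.10.0 before 2.4.0 and flag a vehicle that already carries the fix.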
FIG. 5 is a block diagram of a vulnerability risk analysis assessment system according to an exemplary embodiment of the present application, see FIG. 5;
the system further comprises:
an analysis module 510, configured to identify a root cause of the vulnerability, a relevant system related to the vulnerability, and an attack path and attack feasibility thereof;
a risk assessment module 520 for assessing a risk level of the vulnerability;
and the uploading module 530 is configured to record the vulnerability to a history database or upload the vulnerability to a network supervision center synchronously.
The vulnerability repair module comprises:
the scheme-making unit, used for preliminarily making a repair scheme capable of repairing the vulnerability;
the test unit, used for creating a simulated repair scene and generating the vulnerability information in the simulated repair scene;
the optimizing unit, used for perfecting and optimizing a scheme that cannot repair the vulnerability;
and the repair unit, used for importing the completed repair scheme into the current vehicle-mounted system to repair the vulnerability.
The uploading module comprises:
the vulnerability information reporting unit is used for reporting vulnerability risk and risk assessment information to the historical database and the network supervision center for management;
and the processing result reporting unit is used for reporting the vulnerability repair result and the verification record to the historical database, and for reporting high-risk vulnerabilities to the network supervision center for management.
Referring to fig. 6, fig. 6 is a schematic diagram illustrating a computer system of an electronic device according to an exemplary embodiment of the present application.
In one embodiment of the present invention, an electronic device for a vulnerability management method of automobile network security is provided, which includes a memory, at least one processor, and a computer program stored on the memory and executable on the processor, so that the computer device implements a vulnerability management method of automobile network security in the above embodiments.
The computer system 600 includes a central processing unit (Central Processing Unit, CPU) 601 which can perform various appropriate actions and processes, such as performing the methods in the above-described embodiments, according to a program stored in a Read-Only Memory (ROM) 602 or a program loaded from a storage section 608 into a random access Memory (Random Access Memory, RAM) 603. In the RAM 603, various programs and data required for system operation are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other through a bus 604. An Input/Output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, mouse, etc.; an output portion 607 including a Cathode Ray Tube (CRT), a liquid crystal display (Liquid Crystal Display, LCD), and a speaker, etc.; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN (Local Area Network ) card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The drive 610 is also connected to the I/O interface 605 as needed. Removable media 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on drive 610 so that a computer program read therefrom is installed as needed into storage section 608.
In particular, according to embodiments of the present application, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising a computer program for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611. When executed by a Central Processing Unit (CPU) 601, performs the various functions defined in the system of the present application.
Another aspect of the present application also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor of a computer, causes the computer to perform the aforementioned vulnerability management method of automotive network security. The computer-readable storage medium may be included in the electronic device described in the above embodiment or may exist alone without being incorporated in the electronic device.
Another aspect of the present application also provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs a vulnerability management method of automobile network security provided in the above embodiments.
The electronic device disclosed in this embodiment includes a processor, a memory, a transceiver, and a communication interface, where the memory and the communication interface are connected to the processor and the transceiver and perform communication therebetween, the memory is used to store a computer program, the communication interface is used to perform communication, and the processor and the transceiver are used to run the computer program, so that the electronic device performs each step of the above method.
In this embodiment, the memory may include a random access memory (Random Access Memory, abbreviated as RAM), and may further include a non-volatile memory (non-volatile memory), such as at least one magnetic disk memory.
The processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU for short), a graphics processor (Graphics Processing Unit, GPU for short), a network processor (Network Processor, NP for short), etc.; but also digital signal processors (Digital Signal Processing, DSP for short), application specific integrated circuits (Application Specific Integrated Circuit, ASIC for short), field-programmable gate arrays (Field-Programmable Gate Array, FPGA for short) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components.
The above description and the drawings illustrate embodiments of the disclosure sufficiently to enable those skilled in the art to practice them. Other embodiments may involve structural, logical, electrical, process and other changes. The embodiments represent only possible variations. Individual components and functions are optional unless explicitly required, and the sequence of operations may vary. Portions and features of some embodiments may be included in or substituted for those of other embodiments. Moreover, the terminology used in the present application is for the purpose of describing embodiments only and is not intended to limit the claims. As used in the description of the embodiments and the claims, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. Similarly, the term "and/or" as used in this application encompasses any and all possible combinations of one or more of the associated listed items. In addition, when used in this application, the terms "comprises", "comprising" and/or "includes", and variations thereof, mean the presence of the stated features, integers, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method or apparatus comprising that element. In this context, each embodiment is described with emphasis on its differences from the other embodiments, and the same or similar parts of the various embodiments may be referred to one another. For the methods, products, etc. disclosed in the embodiments, where they correspond to the method sections disclosed in the embodiments, the description of the method sections may be referred to for the relevant content.
It should be noted that the computer-readable medium shown in the embodiments of the present application may be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. The computer-readable storage medium may be, for example, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination thereof. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), flash memory, an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with a computer-readable program embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination of the foregoing. A computer-readable signal medium may also be any computer-readable medium that is not a computer-readable storage medium and that can communicate, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device. A computer program embodied on a computer-readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wired, or any suitable combination of the foregoing.
Those of skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. The skilled person may use different methods for each particular application to achieve the described functionality, but such implementation should not be considered to be beyond the scope of the embodiments of the present disclosure. It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not described herein again.
In the embodiments disclosed herein, the disclosed methods and articles of manufacture (including but not limited to devices, apparatuses, etc.) may be practiced in other ways. For example, the apparatus embodiments described above are merely illustrative; e.g., the division of elements may be merely a logical functional division, and there may be additional divisions in actual implementation, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling or communication connection shown or discussed between components may be an indirect coupling or communication connection through some interface, device or unit, which may be in electrical, mechanical or other form. The units described as separate units may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to implement the present embodiment. In addition, each functional unit in the embodiments of the present disclosure may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. In the description corresponding to the flowcharts and block diagrams in the figures, operations or steps corresponding to different blocks may also occur in different orders than that disclosed in the description, and sometimes no specific order exists between different operations or steps. For example, two consecutive operations or steps may actually be performed substantially in parallel, they may sometimes be performed in reverse order, which may be dependent on the functions involved. Each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Claims (10)
1. A vulnerability management method for automobile network security, characterized in that it comprises the following steps:
acquiring the vulnerabilities of the current automobile and the vulnerability information corresponding to the vulnerabilities in real time;
matching the vulnerability information with a historical database, and if the vulnerability information is matched with the historical database, referencing a historical repair scheme to repair the vulnerability;
if the vulnerability information is not matched with the historical database, analyzing the vulnerability to obtain vulnerability parameters, and formulating a specified repair scheme based on the vulnerability parameters, wherein the specified repair scheme is used for vulnerability repair;
and uploading the vulnerability information to the historical database so that the historical database manages it.
2. The method for managing vulnerabilities of network security of an automobile according to claim 1, wherein after obtaining vulnerabilities of a current automobile and corresponding vulnerability information, the method further comprises:
carrying out threat degree judgment on the vulnerabilities;
analyzing the root cause of the vulnerability, the related systems and the attack paths, acquiring the threat degree grade of the vulnerability, comparing the threat degree grade of the vulnerability with a preset threat degree grade, and if the threat degree grade of the vulnerability is lower than the preset threat degree grade, recording the vulnerability information into a historical database;
and if the threat level is higher than or equal to the preset threat level, recording the vulnerability information into a historical database and uploading the vulnerability information to a network supervision center.
3. The method for managing security vulnerabilities of an automobile network according to claim 1, wherein repairing based on the formulated repairing scheme comprises:
creating a simulated repair scene, and generating the vulnerability in the simulated repair scene;
importing the formulated specified repair scheme into the simulated repair scene, repairing the vulnerability based on the repair scheme and generating repair information, and importing the formulated specified repair scheme into the system for repair if the repair information shows that the repair is successful; and if the repair information shows that the repair fails, optimizing and perfecting the formulated specified repair scheme until the repair information shows that the repair is successful.
4. The method for vulnerability management of automotive network security of claim 2, further comprising:
and after the vulnerability repair is completed, uploading the repair result, the repair information and the designated repair scheme to the historical database, and synchronously uploading the repair result, the repair information and the designated repair scheme to the network supervision center.
5. A vulnerability management system for automotive network security, comprising:
the information acquisition module is used for acquiring vulnerability information of the current automobile;
the matching module is used for matching the vulnerability information with the historical database;
the vulnerability restoration module is used for referring to the historical restoration scheme to carry out vulnerability restoration or making a designated restoration scheme to carry out vulnerability restoration;
and the historical database module is used for collecting, storing and managing the vulnerability information.
6. The vulnerability management system of claim 5, further comprising:
the analysis module is used for identifying the root causes of the vulnerabilities, the related systems involved in the vulnerabilities, the attack paths and the attack feasibility;
the risk assessment module is used for assessing the risk level of the vulnerabilities;
and the uploading module is used for recording the vulnerabilities to the historical database or synchronously uploading the vulnerabilities to the network supervision center.
7. The vulnerability management system of claim 5, wherein the vulnerability restoration module comprises:
the scheme making unit is used for preliminarily making a repair scheme capable of repairing the vulnerabilities;
the test unit is used for creating a simulated repair scene and generating the vulnerability information in the simulated repair scene;
the optimizing unit is used for perfecting and optimizing a scheme that is incapable of repairing the vulnerabilities;
and the repair unit is used for importing the completed repair scheme into the current vehicle-mounted system to repair the vulnerability.
8. The vulnerability management system of claim 6, wherein the uploading module comprises:
the vulnerability information reporting unit is used for reporting vulnerability risk and risk assessment information to the historical database and the network supervision center for management;
and the processing result reporting unit is used for reporting the vulnerability repair result and the verification record to the historical database, and reporting high-risk vulnerabilities to the network supervision center for management.
9. An electronic device, the electronic device comprising:
one or more processors;
storage means for storing one or more programs which when executed by the one or more processors cause the electronic device to implement a vulnerability management method of automotive network security as claimed in any one of claims 1 to 4.
10. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor of a computer, causes the computer to perform a vulnerability management method of one of claims 1 to 4.
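The workflow claimed in claims 1 to 4 (real-time intake, matching against a historical database, a specified repair scheme when there is no match, threat-level triage against a preset grade, simulated repair with iterative optimization, and reporting to the database and the supervision center), written out as an added Python example. This is not code from the patent or from its applicant; the data classes, the fingerprint used for matching, the mitigation table, the vulnerability identifiers and the success criterion of the simulated repair are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# All identifiers and mitigations below are constructed placeholders for illustration.

@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str          # placeholder id such as "VULN-0001", not a real advisory
    ecu: str              # related in-vehicle system (claim 2: "related systems")
    component: str        # affected software component
    version: str
    root_cause: str       # weakness class (claim 2: "root cause")
    attack_path: str      # claim 2: "attack path"
    threat_level: int     # 1 (low) .. 5 (critical)

    def fingerprint(self) -> Tuple[str, str, str]:
        # Claim 1 matching key (assumption): the same component, version and root
        # cause seen on another vehicle should hit the same historical scheme.
        return (self.component, self.version, self.root_cause)


@dataclass
class RepairScheme:
    mitigations: List[str]   # e.g. ["patch-firmware", "enforce-auth"]
    origin: str              # "historical" (reused) or "specified" (newly formulated)


@dataclass
class HistoricalDatabase:
    schemes: Dict[Tuple[str, str, str], RepairScheme] = field(default_factory=dict)
    records: List[dict] = field(default_factory=list)

    def match(self, v: Vulnerability) -> Optional[RepairScheme]:
        return self.schemes.get(v.fingerprint())


@dataclass
class SupervisionCenter:
    reports: List[dict] = field(default_factory=list)


# Constructed table: the mitigation that closes each root cause in the simulation.
REQUIRED_MITIGATION = {"missing-auth": "enforce-auth",
                       "buffer-overflow": "patch-firmware",
                       "weak-key": "rotate-keys"}

PRESET_THREAT_LEVEL = 4   # claim 2: at or above this grade the vulnerability is escalated


def triage(v: Vulnerability, db: HistoricalDatabase, center: SupervisionCenter,
           preset: int = PRESET_THREAT_LEVEL) -> str:
    """Claim 2: record every vulnerability; escalate those at/above the preset grade."""
    entry = {"id": v.vuln_id, "system": v.ecu, "root_cause": v.root_cause,
             "attack_path": v.attack_path, "threat_level": v.threat_level}
    db.records.append(entry)
    if v.threat_level >= preset:
        center.reports.append(entry)
        return "escalated"
    return "recorded"


def formulate_scheme(v: Vulnerability) -> RepairScheme:
    """Claim 1: build a specified scheme from the vulnerability parameters.
    The first draft is deliberately generic so the simulation loop has work to do."""
    return RepairScheme(mitigations=["patch-firmware"], origin="specified")


def simulate_repair(scheme: RepairScheme, v: Vulnerability) -> bool:
    """Claim 3: reproduce the vulnerability in a simulated scene and test the scheme.
    Constructed criterion: the scheme must contain the mitigation for the root cause."""
    return REQUIRED_MITIGATION[v.root_cause] in scheme.mitigations


def optimize_scheme(scheme: RepairScheme, v: Vulnerability) -> RepairScheme:
    """Claim 3: on a failed simulation, extend the scheme with the missing mitigation."""
    return RepairScheme(scheme.mitigations + [REQUIRED_MITIGATION[v.root_cause]], scheme.origin)


def manage_vulnerability(v: Vulnerability, db: HistoricalDatabase,
                         center: SupervisionCenter, max_rounds: int = 5) -> dict:
    status = triage(v, db, center)
    scheme, rounds = db.match(v), 0
    if scheme is None:
        scheme = formulate_scheme(v)
        while not simulate_repair(scheme, v):      # never deploy an untested scheme
            rounds += 1
            if rounds > max_rounds:                 # bound the optimization loop
                raise RuntimeError(f"{v.vuln_id}: no working scheme after {max_rounds} rounds")
            scheme = optimize_scheme(scheme, v)
        # Store the validated scheme so later matches reuse it as a historical scheme.
        db.schemes[v.fingerprint()] = RepairScheme(list(scheme.mitigations), "historical")
    result = {"id": v.vuln_id, "triage": status, "scheme_origin": scheme.origin,
              "mitigations": scheme.mitigations, "simulation_rounds": rounds}
    db.records.append({"repair_result": result})    # claim 4: upload result to the database
    if status == "escalated":
        center.reports.append({"repair_result": result})   # claim 4: sync to the center
    return result


def demo() -> dict:
    """Run three constructed vulnerabilities through the pipeline."""
    db, center = HistoricalDatabase(), SupervisionCenter()
    samples = [
        Vulnerability("VULN-0001", "telematics", "tcu-fw", "2.1", "missing-auth", "cellular->telematics", 5),
        Vulnerability("VULN-0002", "telematics", "tcu-fw", "2.1", "missing-auth", "cellular->telematics", 5),
        Vulnerability("VULN-0003", "infotainment", "media-parser", "1.0", "buffer-overflow", "usb->infotainment", 2),
    ]
    results = [manage_vulnerability(v, db, center) for v in samples]
    return {"results": results, "db_records": len(db.records), "center_reports": len(center.reports)}


if __name__ == "__main__":
    for r in demo()["results"]:
        print(r)
```

The second sample has the same fingerprint as the first, so it is repaired from the historical scheme without a simulation round; the third is below the preset grade and is recorded but not escalated. The `max_rounds` guard is the caveat the claim leaves implicit: "optimizing until the repair succeeds" needs a termination bound in practice.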
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310076251.7A CN116208386A (en) | 2023-01-18 | 2023-01-18 | Vulnerability management method, system, electronic equipment and medium for automobile network security |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310076251.7A CN116208386A (en) | 2023-01-18 | 2023-01-18 | Vulnerability management method, system, electronic equipment and medium for automobile network security |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116208386A true CN116208386A (en) | 2023-06-02 |
Family
ID=86518506
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310076251.7A Pending CN116208386A (en) | 2023-01-18 | 2023-01-18 | Vulnerability management method, system, electronic equipment and medium for automobile network security |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116208386A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116401679A (en) * | 2023-06-08 | 2023-07-07 | 张家港金典软件有限公司 | Security management method and system based on enterprise software vulnerability recognition |
CN116502238A (en) * | 2023-06-26 | 2023-07-28 | 中汽智联技术有限公司 | Protection method based on car networking product security vulnerability professional library CAVD |
CN116992438A (en) * | 2023-09-25 | 2023-11-03 | 北京安普诺信息技术有限公司 | Method, device, equipment and medium for repairing real-time loopholes based on code vaccine |
Timeline: 2023-01-18 CN CN202310076251.7A patent/CN116208386A/en active Pending
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116401679A (en) * | 2023-06-08 | 2023-07-07 | 张家港金典软件有限公司 | Security management method and system based on enterprise software vulnerability recognition |
CN116401679B (en) * | 2023-06-08 | 2023-09-05 | 张家港金典软件有限公司 | Security management method and system based on enterprise software vulnerability recognition |
CN116502238A (en) * | 2023-06-26 | 2023-07-28 | 中汽智联技术有限公司 | Protection method based on car networking product security vulnerability professional library CAVD |
CN116502238B (en) * | 2023-06-26 | 2023-10-10 | 中汽智联技术有限公司 | Protection method based on car networking product security vulnerability professional library CAVD |
CN116992438A (en) * | 2023-09-25 | 2023-11-03 | 北京安普诺信息技术有限公司 | Method, device, equipment and medium for repairing real-time loopholes based on code vaccine |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN116208386A (en) | Vulnerability management method, system, electronic equipment and medium for automobile network security | |
CN103339635B (en) | Determine the vulnerability that computer software application is attacked for privilege upgrading | |
Huang et al. | Distilling critical attack graph surface iteratively through minimum-cost sat solving | |
US20190361992A1 (en) | Terms of service platform using blockchain | |
US10171487B2 (en) | Generating a virtual database to test data security of a real database | |
CN111914408B (en) | Threat modeling-oriented information processing method and system and electronic equipment | |
CN114780965A (en) | Vulnerability repair priority evaluation method and system | |
CN111404692B (en) | Block chain identity information confirmation system and confirmation method based on big data | |
EP4182823A1 (en) | Threat analysis and risk assessment for cyber-physical systems based on physical architecture and asset-centric threat modeling | |
CN113032792A (en) | System service vulnerability detection method, system, equipment and storage medium | |
Sun et al. | Defining security requirements with the common criteria: Applications, adoptions, and challenges | |
CN112016138A (en) | Method and device for automatic safe modeling of Internet of vehicles and electronic equipment | |
CN115776668A (en) | Vehicle network security monitoring system and monitoring method thereof | |
Daubner et al. | Towards verifiable evidence generation in forensic-ready systems | |
CN112528295B (en) | Vulnerability restoration method and device for industrial control system | |
CN109522723A (en) | POC scenario generation method, device, electronic equipment and storage medium | |
CN117573768A (en) | Block chain-based service handling data processing method, device, system and equipment | |
WO2017167015A1 (en) | Method and device for server device security management and computer storage medium | |
CN101833505B (en) | Method for detecting security bugs of software system | |
CN111050326A (en) | Short message verification method, device, equipment and medium based on block chain | |
EP4334834B1 (en) | Computer-implemented method and system for checking data anonymization | |
WO2019142469A1 (en) | Security design apparatus, security design method, and security design program | |
CN112015715A (en) | Industrial Internet data management service testing method and system | |
JP2021060872A (en) | Generation method, generation program, and information processing apparatus | |
CN115271714A (en) | Automatic safety evaluation method of block chain consensus mechanism |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||