CN116541854A - Vulnerability testing method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN116541854A
Authority
CN
China
Prior art keywords
test
vector
tested
class
vulnerability
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310822483.2A
Other languages
Chinese (zh)
Inventor
肖达
李斌
刘思尧
吴宗后
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Huayuan Information Technology Co Ltd
Original Assignee
Beijing Huayuan Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Huayuan Information Technology Co Ltd filed Critical Beijing Huayuan Information Technology Co Ltd
Priority to CN202310822483.2A priority Critical patent/CN116541854A/en
Publication of CN116541854A publication Critical patent/CN116541854A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Artificial Intelligence (AREA)
  • Computing Systems (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The embodiments of the disclosure provide a vulnerability testing method, a vulnerability testing device, electronic equipment and a storage medium. The method is applied in the technical field of computers and comprises: performing equivalence class division on the test data of the test variables in an object to be tested for vulnerabilities; extracting one equivalence class from each test variable and combining them to obtain the equivalence class combination corresponding to each test class vector in a round of testing, and randomly extracting one test datum from each equivalence class in each combination and combining them to obtain each test vector; performing one round of testing on the object to be tested for vulnerabilities with the test vectors; and randomly extracting one test datum from each equivalence class in the equivalence class combination corresponding to each test class vector to obtain the test vectors of a new round, and performing a new round of testing on the object with those vectors. In this way, test data are drawn at random within each equivalence class while high coverage of the equivalence classes is maintained, which improves the probability of discovering vulnerabilities and therefore the efficiency of vulnerability testing.

Description

Vulnerability testing method and device, electronic equipment and storage medium
Technical Field
The disclosure relates to the technical field of computers, and in particular relates to a vulnerability testing method, a vulnerability testing device, electronic equipment and a storage medium.
Background
Vulnerability testing refers to the technique of discovering and repairing vulnerabilities before they are exploited, so as to guarantee the security of the systems of an organization or enterprise.
Traversal-based detection is widely used in the field of vulnerability testing; however, it is time-consuming and its probability of discovering a vulnerability is low, so vulnerability testing carried out this way has low efficiency.
Therefore, there is a need for a vulnerability testing method, device, electronic apparatus and storage medium with higher testing efficiency.
Disclosure of Invention
The disclosure provides a vulnerability testing method, a vulnerability testing device, electronic equipment and a storage medium.
According to a first aspect of the present disclosure, a vulnerability testing method is provided. The method comprises the following steps:
performing equivalence class division on the test data of test variables C1, C2 … Cn in an object to be tested for vulnerabilities, to obtain P1, P2 … Pn equivalence classes respectively, wherein n is a positive integer greater than 1 and Pn is a positive integer greater than or equal to 1;
respectively extracting and combining an equivalence class from the test variables C1 and C2 … Cn to obtain equivalence class combinations corresponding to each test class vector in one round of test; wherein the number of test class vectors isAnd the equivalent class combinations corresponding to the test class vectors are different from each other;
randomly extracting one test datum from each equivalence class in the equivalence class combination corresponding to each test class vector and combining them to obtain each test vector;
judging, according to the relation between each test vector and a tested vector set, whether to use that test vector in one round of testing on the object to be tested for vulnerabilities, wherein the tested vector set comprises the test vectors that have already been tested;
randomly extracting test data from each equivalence class in the equivalence class combination corresponding to each test class vector to obtain new test vectors;
judging, according to the relation between each new-round test vector and the tested vector set, whether to use that test vector in a new round of testing on the object to be tested for vulnerabilities.
Further, extracting one equivalence class from each of the test variables C1, C2 … Cn and combining them includes:
combining the equivalence classes extracted from the test variables C1, C2 … Cn in the order of the test variables C1, C2 … Cn.
Further, judging whether to use each test vector in a round of testing on the object to be tested for vulnerabilities according to the relation between each test vector and the tested vector set includes:
judging, for each test vector, whether it is in the tested vector set, and using the test vectors that are not in the tested vector set to perform the round of testing on the object to be tested for vulnerabilities.
Further, judging whether to use each test vector in a round of testing on the object to be tested for vulnerabilities according to the relation between each test vector and the tested vector set further includes:
adding each test vector that has completed testing of the object to be tested for vulnerabilities to the tested vector set.
Further, judging whether to use each test vector in a round of testing on the object to be tested for vulnerabilities according to the relation between each test vector and the tested vector set further includes:
judging whether every test vector in the round has completed the relation judgment with the tested vector set;
if so, randomly extracting one test datum from each equivalence class in the equivalence class combination corresponding to each test class vector to obtain the test vectors of a new round.
Further, judging whether to use each new-round test vector in a new round of testing on the object to be tested for vulnerabilities according to the relation between each new-round test vector and the tested vector set includes:
judging whether a user stop condition has been received;
if yes, ending the testing of the object to be tested for vulnerabilities;
if not, performing a new round of vulnerability testing on the object to be tested for vulnerabilities.
Further, judging whether to use each new-round test vector in a new round of testing on the object to be tested for vulnerabilities according to the relation between each new-round test vector and the tested vector set includes:
judging whether the tested vector set is equal to the full test vector set, wherein the full test vector set comprises all test vectors obtained by combining, by traversal, all test data of the test variables C1, C2 … Cn;
if yes, ending the testing of the object to be tested for vulnerabilities;
if not, continuing to test the object to be tested for vulnerabilities.
According to a second aspect of the present disclosure, a vulnerability testing apparatus is provided. The device comprises:
a division module, used for performing equivalence class division on the test data of test variables C1, C2 … Cn in the object to be tested for vulnerabilities, to obtain P1, P2 … Pn equivalence classes respectively, wherein n is a positive integer greater than 1 and Pn is a positive integer greater than or equal to 1;
the first acquisition module is used for respectively extracting and combining an equivalent class from the test variables C1 and C2 … Cn to obtain equivalent class combinations corresponding to each test class vector in one round of test; wherein the number of test class vectors isAnd the equivalent class combinations corresponding to the test class vectors are different from each other;
a second acquisition module, used for randomly extracting one test datum from each equivalence class in the equivalence class combination corresponding to each test class vector and combining them to obtain each test vector;
a third acquisition module, used for randomly extracting one test datum from each equivalence class in the equivalence class combination corresponding to each test class vector to obtain the test vectors of a new round;
a test module, used for judging, according to the relation between each test vector and the tested vector set, whether to use that test vector in a round of testing on the object to be tested for vulnerabilities, wherein the tested vector set comprises the test vectors that have already been tested; and further used for judging, according to the relation between each new-round test vector and the tested vector set, whether to use that test vector in a new round of testing on the object to be tested for vulnerabilities.
According to a third aspect of the present disclosure, an electronic device is provided. The electronic device includes a memory and a processor, wherein the memory stores a computer program and the processor implements the vulnerability testing method when executing the program.
According to a fourth aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the vulnerability testing method.
According to the embodiments of the disclosure, performing equivalence class division on the test data of the test variables in the object to be tested for vulnerabilities classifies the test data of the test variables C1, C2 … Cn and so prepares for randomly extracting test data within the equivalence classes. Extracting one equivalence class from each of the test variables C1, C2 … Cn and combining them yields the different combinations of the equivalence classes of the test variables C1, C2 … Cn, and each combination contains one equivalence class of every test variable, so that high coverage of the equivalence classes is achieved in the subsequent vulnerability testing and vulnerability testing efficiency is improved. Randomly extracting one test datum from each equivalence class in the equivalence class combination corresponding to each test class vector and combining them realizes random extraction of the test data within each equivalence class, which improves the probability of discovering vulnerabilities and further improves the efficiency of vulnerability testing.
It should be understood that what is described in this summary is not intended to identify key or essential features of the embodiments of the disclosure, nor to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of embodiments of the present disclosure will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. For a better understanding of the present disclosure, and without limiting the disclosure thereto, the same or similar reference numerals denote the same or similar elements, wherein:
FIG. 1 illustrates a schematic diagram of an exemplary operating environment in which embodiments of the present disclosure can be implemented;
FIG. 2 shows a schematic diagram of a method of interaction between the client and the computer device shown in FIG. 1;
FIG. 3 illustrates a flow chart of a vulnerability testing method according to an embodiment of the disclosure;
FIG. 4 illustrates a block diagram of a vulnerability testing apparatus according to an embodiment of the disclosure;
FIG. 5 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, but not all, of the embodiments of the present disclosure. All other embodiments that a person of ordinary skill in the art can obtain from the embodiments in this disclosure without inventive effort are intended to be within the scope of this disclosure.
In addition, the term "and/or" herein merely describes an association between associated objects and means that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist together, or B exists alone. In addition, the character "/" herein generally indicates that the associated objects before and after it are in an "or" relationship.
FIG. 1 illustrates a schematic diagram of an exemplary operating environment 100 in which embodiments of the present disclosure can be implemented, the operating environment 100 including a client 101 and a computer device 102.
In some embodiments, the client 101 may be a web browser, and may also be a mobile App or PC software for instant messaging.
In some embodiments, the computer device 102 may be a server, a switch, a personal computer, or a numerical control system.
Fig. 2 shows a schematic diagram of an interaction method 200 between the client and the computer device shown in fig. 1.
At block 201, the test variable C1 is divided into E1 and E2, the test variable C2 into E3 and E4, and the test variable C3 into E5 and E6. Specifically, the client 101 performs equivalence class division on the data of the test variables C1, C2 and C3 acquired from the computer device 102, where the test data of C1 comprise d1, d2 and d3, the test data of C2 comprise d4 and d5, and the test data of C3 comprise d6 and d7. The test data d1 and d2 of C1 are divided into equivalence class E1 and d3 of C1 into equivalence class E2; d4 of C2 is divided into equivalence class E3 and d5 of C2 into equivalence class E4; d6 of C3 is divided into equivalence class E5 and d7 of C3 into equivalence class E6.
At block 202, E1, E2, E3, E4, E5 and E6 are combined to obtain F1, F2, F3, F4, F5, F6, F7 and F8. Specifically, the client 101 combines the equivalence classes to obtain the equivalence class combinations corresponding to the test class vectors: F1 = {E1, E3, E5}; F2 = {E1, E3, E6}; F3 = {E1, E4, E5}; F4 = {E1, E4, E6}; F5 = {E2, E3, E5}; F6 = {E2, E3, E6}; F7 = {E2, E4, E5}; and F8 = {E2, E4, E6}.
At block 203, one test datum is extracted from each equivalence class of F1, F2, F3, F4, F5, F6, F7 and F8 and combined to obtain the test vectors f1, f2, f3, f4, f5, f6, f7 and f8 respectively. Specifically, the client 101 extracts one test datum from each equivalence class in each combination and combines them: from F1, the test vector f1 = {d1, d4, d6}; from F2, f2 = {d1, d4, d7}; from F3, f3 = {d1, d5, d6}; from F4, f4 = {d1, d5, d7}; from F5, f5 = {d3, d4, d6}; from F6, f6 = {d3, d4, d7}; from F7, f7 = {d3, d5, d6}; and from F8, f8 = {d3, d5, d7}.
At block 204, a round of vulnerability testing is performed according to the test vectors f1, f2, f3, f4, f5, f6, f7 and f8. Specifically, the computer device 102 receives the test vectors f1, f2, f3, f4, f5, f6, f7 and f8 and performs a round of vulnerability testing based on them.
Fig. 3 shows a flowchart of a vulnerability testing method 300 according to an embodiment of the disclosure, the method comprising:
S301, performing equivalence class division on the test data of test variables C1, C2 … Cn in the object to be tested for vulnerabilities, to obtain P1, P2 … Pn equivalence classes respectively, wherein n is a positive integer greater than 1 and Pn is a positive integer greater than or equal to 1.
In some embodiments, when the test data of the test variables C1, C2 … Cn in the object to be tested for vulnerabilities are classified, the classification may be performed according to the numerical type of the test data, for example according to whether a test datum of the test variable C1 is odd: if a test datum of C1 is odd, it is divided into the odd equivalence class; if it is even, it is divided into the even equivalence class.
In some embodiments, when the test data of the test variables C1, C2 … Cn in the object to be tested for vulnerabilities are classified, the classification may be performed according to the magnitude of the test data, for example according to whether the value of a test datum of the test variable C1 is greater than Q, where Q is a preset value: if the value of a test datum of C1 is greater than Q, it is divided into the large equivalence class; if its value is smaller than Q, it is divided into the small equivalence class.
In some embodiments, the test variables of the object to be tested for vulnerabilities include C1, C2 and C3; the test variable C1 includes test data D1, D2, D3 and D4; the test variable C2 includes test data D5, D6, D7 and D8; and the test variable C3 includes test data D9, D10, D11 and D12. When the test data of the test variables C1, C2 and C3 are divided, D1 and D2 in the test variable C1 are divided into equivalence class S1; D3 and D4 in C1 into equivalence class S2; D5 and D6 in the test variable C2 into equivalence class S3; D7 and D8 in C2 into equivalence class S4; D9 and D10 in the test variable C3 into equivalence class S5; and D11 and D12 in C3 into equivalence class S6.
According to the embodiments of the disclosure, performing equivalence class division on the test data of the test variables in the object to be tested for vulnerabilities classifies the test data of the test variables C1, C2 … Cn and so prepares for randomly extracting test data within the equivalence classes.
S302, respectively extracting and combining an equivalent class from the test variables C1 and C2 … Cn to obtain equivalent class combinations corresponding to each test class vector in one round of test;wherein the number of the test class vectors isAnd the equivalent class combinations corresponding to the test class vectors are different from each other.
In some embodiments, one equivalence class is extracted from the equivalence classes S1 and S2 of the test variable C1, one from the equivalence classes S3 and S4 of the test variable C2, and one from the equivalence classes S5 and S6 of the test variable C3, and the extracted classes are combined to obtain the equivalence class combination corresponding to a test class vector. Extracting S1, S3 and S5 gives the combination s1 = {S1, S3, S5}; extracting S1, S3 and S6 gives s2 = {S1, S3, S6}; extracting S1, S4 and S5 gives s3 = {S1, S4, S5}; extracting S1, S4 and S6 gives s4 = {S1, S4, S6}; extracting S2, S3 and S5 gives s5 = {S2, S3, S5}; extracting S2, S3 and S6 gives s6 = {S2, S3, S6}; extracting S2, S4 and S5 gives s7 = {S2, S4, S5}; and extracting S2, S4 and S6 gives s8 = {S2, S4, S6}.
According to the embodiments of the disclosure, extracting one equivalence class from each of the test variables C1, C2 … Cn and combining them yields the different combinations of the equivalence classes of the test variables C1, C2 … Cn, and each combination contains one equivalence class of every test variable, so that high coverage of the equivalence classes is achieved in the subsequent vulnerability testing and vulnerability testing efficiency is improved.
S303, randomly extracting one test datum from each equivalence class in the equivalence class combination corresponding to each test class vector and combining them to obtain each test vector.
In some embodiments, test data are extracted from each equivalence class combination corresponding to a test class vector and combined into a test vector: D1, D5 and D9 from s1 = {S1, S3, S5} give the test vector t1 = {D1, D5, D9}; D1, D5 and D11 from s2 = {S1, S3, S6} give t2 = {D1, D5, D11}; D1, D7 and D9 from s3 = {S1, S4, S5} give t3 = {D1, D7, D9}; D1, D7 and D11 from s4 = {S1, S4, S6} give t4 = {D1, D7, D11}; D3, D5 and D9 from s5 = {S2, S3, S5} give t5 = {D3, D5, D9}; D3, D5 and D11 from s6 = {S2, S3, S6} give t6 = {D3, D5, D11}; D3, D7 and D9 from s7 = {S2, S4, S5} give t7 = {D3, D7, D9}; and D3, D7 and D11 from s8 = {S2, S4, S6} give t8 = {D3, D7, D11}.
According to the embodiments of the disclosure, randomly extracting one test datum from each equivalence class in the equivalence class combination corresponding to each test class vector and combining them realizes random extraction of the test data within each equivalence class, which improves the probability of discovering vulnerabilities and further improves the efficiency of vulnerability testing.
S304, judging, according to the relation between each test vector and the tested vector set, whether to use that test vector in a round of testing on the object to be tested for vulnerabilities, wherein the tested vector set comprises the test vectors that have already been tested.
In some embodiments, the test vector t1= { D1, D5, D9}, t2= { D1, D5, D11}, t3= { D1, D7, D9}, t4= { D1, D7, D11}, t5= { D3, D5, D9}, t6= { D3, D5, D11}, t7= { D3, D7, D9} and t8= { D3, D7, D11} may be used to perform a round of testing on the object to be tested.
In other embodiments, the test vectors t9= { D2, D6, D10}, t10= { D2, D6, D12}, t11= { D2, D8, D10}, t12= { D2, D8, D12}, t13= { D4, D6, D10}, t14= { D4, D6, D12}, t15= { D4, D8, D10} and t16= { D4, D8, D12} may also be used to perform a round of testing on the object to be loophole.
In some embodiments, determining whether to use each test vector to perform a round of testing on the object to be tested according to the relationship between each test vector and the tested vector set includes: and respectively judging whether each test vector is in a tested vector set, and adopting the test vector existing in the tested vector set to perform one-round test on the object to be tested. For example, if there is a test vector { D1, D7, D11} in the tested vector set, when the test vector t4= { D1, D7, D11} is used for testing the object to be tested for the vulnerability in this round, the test vector t4= { D1, D7, D11} is discarded; if none of the test vectors used in the present round is in the tested vector set, it indicates that the test vector has not been used for testing the object to be loophole, so the test vector can be used for testing the object to be loophole.
In some embodiments, determining whether to use each test vector to perform a round of testing on the object to be tested according to the relationship between each test vector and the tested vector set includes: adding the test vector which has completed testing the object to be tested to the tested vector set, and realizing the real-time updating of the tested vector set in this way.
In some embodiments, determining whether to use each test vector to perform a round of testing on the object to be tested according to the relationship between each test vector and the tested vector set includes: judging whether each test vector in the test round completes the relation judgment with the tested vector set, if so, indicating that the test round is finished, and randomly extracting test data from each equivalent class in the equivalent class combination corresponding to the test class vector to obtain each new test vector round.
S305, randomly extracting one test data from each equivalent class in the equivalent class combination corresponding to the test class vector again to obtain each new round of test vectors.
S306, judging whether to use each new round of test vectors to perform a new round of test on the object to be tested according to the relation between each new round of test vectors and the tested vector set.
In some embodiments, determining whether to use each new round of test vectors to perform a new round of test on the object to be tested according to the relation between each new round of test vectors and the tested vector set includes: judging whether a user stopping condition is received, if so, ending the test of the object to be subjected to the vulnerability test; and if not, performing a new round of vulnerability test on the object to be subjected to the vulnerability test.
In some embodiments, the user stopping condition may be the number of found vulnerabilities, for example, the stopping condition set by the user is that 3 vulnerabilities are found, and when the vulnerability testing method is used to test the object to be tested for vulnerabilities and find 3 vulnerabilities, the test is ended.
In other embodiments, the user stopping condition may be a test time, for example, the stopping condition set by the user is that the object to be tested for a vulnerability is tested for 1 minute, and after the object to be tested for a vulnerability is tested for 1 minute by using the vulnerability testing method, the test is ended no matter whether a vulnerability is found.
In some embodiments, determining whether to use each new round of test vectors to perform a new round of test on the object to be tested according to the relationship between each new round of test vectors and the tested vector set includes: judging whether the tested vector set is equal to a full-test vector set or not, wherein the full-test vector set comprises all test vectors obtained by combining all test data in the test variables C1 and C2 … Cn in a traversal mode, and if so, ending the test of the object to be tested for the vulnerability; if not, continuing to test the object to be tested for the vulnerability.
In other embodiments, the user stopping condition may be the number of test vectors in the tested vector set. For example, the stopping condition set by the user is that the number of test vectors in the tested vector set is two-thirds of the number of test vectors in the full-test vector set; when the vulnerability testing method is used to test the object to be tested for vulnerabilities and the number of test vectors in the tested vector set reaches two-thirds of the number of test vectors in the full-test vector set, the test is ended whether or not a vulnerability has been found.
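The round loop and stop conditions described above (discarding vectors already in the tested set, updating that set, and stopping on vulnerability count, elapsed time or coverage of the full-test vector set) are shown here as an added Python example; it is not code from the patent. The sample data, `toy_target`, `run_campaign`, the extra round budget, and the choice of one test class vector per distinct class combination are assumptions of this example.

```python
import itertools
import random
import time
from fractions import Fraction

# Constructed sample data: three test variables, each already divided
# into equivalence classes (names and values are illustrative only).
PARTITIONS = [
    [[0, 1], [64, 512, 1500], [65535, 65536]],  # C1: length field
    [["none"], ["syn", "fin"]],                  # C2: flag
    [["ascii", "utf8"], ["binary"]],             # C3: payload kind
]


def toy_target(vector):
    """Hypothetical object under test; True means the vector exposed a flaw."""
    length, flag, kind = vector
    return length >= 65535 and flag == "fin" and kind == "binary"


def full_vector_count(partitions):
    """Size of the full-test vector set (all data of C1..Cn combined)."""
    total = 1
    for classes in partitions:
        total *= sum(len(cls) for cls in classes)
    return total


def run_campaign(partitions, target, max_vulns=None, coverage=Fraction(1),
                 max_seconds=None, max_rounds=100_000, seed=0):
    """Run rounds until a stop condition holds; returns a summary dict."""
    rng = random.Random(seed)  # seeded so a campaign can be replayed
    # Assumption: one test class vector per distinct class combination.
    combos = list(itertools.product(*partitions))
    total = full_vector_count(partitions)
    tested, findings = set(), []
    started = time.monotonic()
    reason, rounds = "round budget", 0
    while rounds < max_rounds:
        rounds += 1
        for combo in combos:
            # One random datum from each equivalence class of the combination.
            vector = tuple(rng.choice(cls) for cls in combo)
            if vector in tested:
                continue  # already run against the target: discard
            tested.add(vector)  # update the tested set as vectors are run
            if target(vector):
                findings.append(vector)
        # Stop conditions are evaluated between rounds.
        if max_vulns is not None and len(findings) >= max_vulns:
            reason = "vulnerabilities"
            break
        if max_seconds is not None and time.monotonic() - started >= max_seconds:
            reason = "time"
            break
        if len(tested) >= coverage * total:
            reason = "coverage"
            break
    return {"reason": reason, "rounds": rounds,
            "tested": tested, "findings": findings}


if __name__ == "__main__":
    result = run_campaign(PARTITIONS, toy_target, coverage=Fraction(2, 3))
    print(result["reason"], result["rounds"], len(result["tested"]),
          result["findings"])
```

Because the tested set is keyed on the full vector, the target is never invoked twice with the same input, which is what keeps later rounds from spending time on repeats as coverage grows.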
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present disclosure is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present disclosure. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all alternative embodiments, and that the acts and modules referred to are not necessarily required by the present disclosure.
The foregoing is a description of embodiments of the method, and the following further describes embodiments of the present disclosure through examples of apparatus.
Fig. 4 shows a block diagram of a vulnerability testing apparatus 400 according to an embodiment of the disclosure, the apparatus 400 comprising:
the dividing module 401 is configured to perform equivalence class division on test data of test variables C1 and C2 … Cn in a to-be-tested object to obtain P1 and P2 … Pn equivalence classes respectively, where n is a positive integer greater than 1, and Pn is a positive integer greater than or equal to 1;
a first obtaining module 402, configured to extract and combine an equivalence class from the test variables C1 and C2 … Cn, respectively, to obtain an equivalence class combination corresponding to each test class vector in a round of test; wherein the number of the test class vectors isAnd the equivalent class combinations corresponding to the test class vectors are different from each other;
a second obtaining module 403, configured to randomly extract and combine one test data from each equivalent class in the equivalent class combination corresponding to the test class vector, so as to obtain each test vector;
a third obtaining module 404, configured to randomly extract one test data from each equivalent class in the equivalent class combination corresponding to the test class vector, to obtain each new round of test vectors;
a test module 405, configured to perform a round of testing on the object to be tested by using each test vector, wherein whether each test vector is used in the round of testing is determined according to its relationship with the tested vector set, the tested vector set containing test vectors that have been tested; and further configured to perform a new round of testing on the object to be tested for vulnerabilities according to the relation between each new round of test vectors and the tested vector set.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the described modules may refer to corresponding procedures in the foregoing method embodiments, which are not described herein again.
In the technical solution of the present disclosure, the acquisition, storage, application and the like of the user personal information involved all comply with the provisions of relevant laws and regulations, and do not violate public order and good customs.
According to embodiments of the present disclosure, the present disclosure also provides an electronic device and a readable storage medium.
Fig. 5 shows a schematic block diagram of an electronic device 500 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
The electronic device 500 includes a computing unit 501 that can perform various appropriate actions and processes according to a computer program stored in a ROM502 or a computer program loaded from a storage unit 508 into a RAM 503. In the RAM503, various programs and data required for the operation of the electronic device 500 may also be stored. The computing unit 501, ROM502, and RAM503 are connected to each other by a bus 504. I/O interface 505 is also connected to bus 504.
A number of components in electronic device 500 are connected to I/O interface 505, including: an input unit 506 such as a keyboard, a mouse, etc.; an output unit 507 such as various types of displays, speakers, and the like; a storage unit 508 such as a magnetic disk, an optical disk, or the like; and a communication unit 509 such as a network card, modem, wireless communication transceiver, etc. The communication unit 509 allows the electronic device 500 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The computing unit 501 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 501 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 501 performs the various methods and processes described above, such as the vulnerability testing method. For example, in some embodiments, the vulnerability testing method may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as storage unit 508. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 500 via the ROM502 and/or the communication unit 509. When a computer program is loaded into RAM503 and executed by computing unit 501, one or more steps of the vulnerability testing method described above may be performed. Alternatively, in other embodiments, the computing unit 501 may be configured to perform the vulnerability testing method by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be realized in digital electronic circuitry, integrated circuitry, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems-on-chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be a special-purpose or general-purpose programmable processor that can receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: display means for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local area networks (LANs), wide area networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel, sequentially, or in a different order, provided that the desired results of the disclosed aspects are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (10)

1. A vulnerability testing method, comprising:
performing equivalence class division on test data of test variables C1 and C2 … Cn in a to-be-tested object to obtain P1 and P2 … Pn equivalence classes respectively, wherein n is a positive integer greater than 1, and Pn is a positive integer greater than or equal to 1;
extracting and combining an equivalent class from the test variables C1 and C2 … Cn respectively to obtain equivalent class combinations corresponding to each test class vector in one round of test; wherein the number of the test class vectors isAnd the equivalent class combinations corresponding to the test class vectors are different from each other;
randomly extracting and combining one test data from each equivalent class in the equivalent class combination corresponding to the test class vector to obtain each test vector;
judging whether to use each test vector to test the object to be tested for a round according to the relation between each test vector and a tested vector set, wherein the tested vector set comprises tested test vectors;
randomly extracting test data from each equivalent class in the equivalent class combination corresponding to the test class vector to obtain new test vectors;
judging whether to use each new round of test vectors to perform a new round of test on the object to be tested according to the relation between each new round of test vectors and the tested vector set.
2. The vulnerability testing method of claim 1, wherein extracting and combining an equivalence class from the test variables C1, C2 … Cn, respectively, comprises:
one equivalence class extracted from the test variables C1, C2 … Cn, respectively, is combined in the order of the test variables C1, C2 … Cn.
3. The vulnerability testing method of claim 1, wherein determining whether to use each test vector to perform a round of testing on the object to be vulnerability tested according to the relationship between each test vector and the tested vector set comprises:
judging, for each test vector, whether the test vector is in the tested vector set, and adopting the test vector existing in the tested vector set to perform a round of testing on the object to be tested.
4. The vulnerability testing method of claim 1, wherein determining whether to use each test vector to perform a round of testing on the object to be vulnerability tested according to the relationship between each test vector and the tested vector set, further comprises:
adding the test vector which has completed testing the object to be tested for vulnerabilities to the tested vector set.
5. The vulnerability testing method of claim 1, wherein determining whether to use each test vector to perform a round of testing on the object to be vulnerability tested according to the relationship between each test vector and the tested vector set, further comprises:
judging whether each test vector in the round of test completes the relation judgment with the tested vector set,
if so, randomly extracting one test data from each equivalent class in the equivalent class combination corresponding to the test class vector to obtain each new round of test vectors.
6. The vulnerability testing method of claim 1, wherein determining whether to use each new round of test vectors to perform a new round of test on the object to be vulnerability testing based on the relationship between each new round of test vectors and the tested vector set comprises:
it is determined whether a user stop condition is received,
if yes, ending the test of the object to be subjected to the vulnerability test;
and if not, performing a new round of vulnerability test on the object to be subjected to the vulnerability test.
7. The vulnerability testing method of claim 1, wherein determining whether to use each new round of test vectors to perform a new round of test on the object to be vulnerability tested according to the relationship between each new round of test vectors and the tested vector set comprises:
judging whether the tested vector set is equal to a full-test vector set, wherein the full-test vector set comprises all test vectors obtained by combining all test data in the test variables C1 and C2 … Cn in a traversal mode,
if yes, ending the test of the object to be subjected to the vulnerability test;
if not, continuing to test the object to be tested for the vulnerability.
8. A vulnerability testing apparatus, comprising:
the division module is used for carrying out equivalence class division on test data of test variables C1 and C2 … Cn in the object to be tested to obtain P1 and P2 … Pn equivalence classes respectively, n is a positive integer greater than 1, and Pn is a positive integer greater than or equal to 1;
the first acquisition module is used for respectively extracting and combining an equivalent class from the test variables C1 and C2 … Cn to obtain equivalent class combinations corresponding to each test class vector in one round of test; wherein the number of the test class vectors isAnd the equivalent class combinations corresponding to the test class vectors are different from each other;
the second acquisition module is used for randomly extracting and combining one test data from each equivalent class in the equivalent class combination corresponding to the test class vector to obtain each test vector;
the third acquisition module is used for randomly extracting one test data from each equivalent class in the equivalent class combination corresponding to the test class vector to obtain each new round of test vectors;
the test module is used for judging whether to use each test vector to perform a round of testing on the object to be tested for vulnerabilities according to the relation between each test vector and a tested vector set, wherein the tested vector set comprises tested test vectors; and is further used for judging whether to use each new round of test vectors to perform a new round of testing on the object to be tested according to the relation between each new round of test vectors and the tested vector set.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-7.
10. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of any one of claims 1 to 7.
CN202310822483.2A 2023-07-06 2023-07-06 Vulnerability testing method and device, electronic equipment and storage medium Pending CN116541854A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310822483.2A CN116541854A (en) 2023-07-06 2023-07-06 Vulnerability testing method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116541854A true CN116541854A (en) 2023-08-04

Family

ID=87458248

Country Status (1)

Country Link
CN (1) CN116541854A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001222429A (en) * 2000-02-09 2001-08-17 Fujitsu Ltd Test item generation supporting device
CN101901183A (en) * 2009-05-31 2010-12-01 西门子(中国)有限公司 Method and device of test case for filtering
CN102103539A (en) * 2011-03-11 2011-06-22 天津大学 Z-specification-based test case generating method
CN112559316A (en) * 2020-09-03 2021-03-26 中国银联股份有限公司 Software testing method and device, computer storage medium and server
CN114168469A (en) * 2021-12-07 2022-03-11 北京水木羽林科技有限公司 Coverage rate analysis method and system based on database management system fuzzy test
CN114546857A (en) * 2022-02-22 2022-05-27 中国平安人寿保险股份有限公司 Interface test case generation method and device, electronic equipment and storage medium
CN115408689A (en) * 2021-05-26 2022-11-29 北京大学 Method and system for detecting and repairing reentry vulnerability

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination