CN116561773A - Intelligent vulnerability detection and verification method - Google Patents


Info

Publication number
CN116561773A
Authority
CN
China
Prior art keywords
vulnerability
data
detected
server
detection
Prior art date
Legal status
Granted
Application number
CN202310847722.XA
Other languages
Chinese (zh)
Other versions
CN116561773B (en)
Inventor
金飞
黄泽源
Current Assignee
Beijing Yunke Anxin Technology Co ltd
Original Assignee
Beijing Yunke Anxin Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Beijing Yunke Anxin Technology Co ltd
Priority to CN202310847722.XA
Publication of CN116561773A
Application granted
Publication of CN116561773B
Legal status: Active
Anticipated expiration


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/217 Validation; Performance evaluation; Active pattern learning techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/22 Matching criteria, e.g. proximity measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Computing Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an intelligent vulnerability detection and verification method in the technical field of information security. A vulnerability detection module determines a vulnerability detection mode from the historical operation data collected by a data acquisition module; a vulnerability verification module reproduces the vulnerability found by that detection mode in a virtual machine and feeds a plurality of intrusions into it to verify the vulnerability. A risk degree evaluation value of the server to be detected is determined from the abnormal flow and the sensitive data in the historical operation data; this value characterizes the risk degree of the server, the risk degree selects the detection mode used on the server, and when a vulnerability is found by the corresponding detection mode, the detection mode is optimized according to the real-time operating condition of the server, which improves the control accuracy of the vulnerability detection process.

Description

Intelligent vulnerability detection and verification method
Technical Field
The invention relates to the technical field of information security, in particular to an intelligent vulnerability detection and verification method.
Background
Network intrusion has always accompanied the development of the Internet, and an intrusion almost always takes a vulnerability of a server as its path, so vulnerability detection of servers is a particularly important link. The prior art offers many vulnerability detection and verification methods for different user demands, and most of them can satisfy those demands; but because network intrusion is a constant problem, controlling the detection accuracy and detection efficiency of the vulnerability detection process remains the sound decision for reducing network intrusion.
Chinese patent publication No. CN110995684A discloses a vulnerability detection method and device in the technical field of information security that can solve the false-alarm problem of existing vulnerability detection. The specific technical scheme is as follows: based on the difference between the responses to a vulnerability request packet and a vulnerability verification packet, judge whether the difference content contains a specific vulnerability verification character string, so as to detect the vulnerability.
Chinese patent publication No. CN108629182A discloses a vulnerability detection method, which comprises: setting a compressed-package file scanning plug-in on a service server according to the type of the compressed file; receiving the file path of a compressed file of the corresponding type obtained by the service server through the compressed-package file scanning plug-in; determining at least one file detection path corresponding to the compressed file according to its file path; and detecting compressed-file leakage vulnerabilities on the service server by using the file detection path. That publication also provides a vulnerability detection device. The method and device detect compressed-file leakage vulnerabilities of the service server through the compressed-package file scanning plug-in on the service server, so that the vulnerability detection scanning time is shortened and the scanning efficiency is improved.
Therefore, although the prior art uses different schemes in the vulnerability detection process, for cloud servers the vulnerability detection process still suffers from low detection efficiency because the control accuracy of the detection process is insufficient.
Disclosure of Invention
Therefore, the invention provides an intelligent vulnerability detection and verification method to solve the problem that, although the prior art uses different schemes in the vulnerability detection process, for cloud servers the control accuracy of the vulnerability detection process is insufficient and the vulnerability detection efficiency is therefore low.
In order to achieve the above object, the present invention provides an intelligent vulnerability detection and verification method, comprising:
step S1, a data acquisition module acquires historical operation data of a server to be detected;
step S2, a vulnerability detection module determines a vulnerability detection mode for the historical operation data;
step S3, a vulnerability verification module executes the vulnerability detected by the corresponding detection mode in a virtual machine and inputs a plurality of intrusions into the vulnerability to verify it;
step S4, a data analysis module analyzes the verification process of the vulnerability verification module to determine whether to optimize the detection mode;
step S5, a data processing module determines, according to the analysis result of the data analysis module, whether to optimize the detection mode and which optimization mode to use;
the historical operation data comprise abnormal flow and sensitive data quantity of the server to be detected in the historical operation process;
in step S4, when the data analysis module analyzes the verification process of the vulnerability verification module, the number of times the intrusion rules corresponding to the plurality of intrusions successfully intrude into the virtual machine is counted, so as to determine from that number whether to optimize the detection mode;
in step S5, when the data processing module determines whether to optimize the detection mode according to the analysis result of the data analysis module, it calculates the difference between the ratio of successful intrusions to total intrusions and a preset ratio, and determines from that difference the optimization mode for the corresponding detection mode; the optimization mode is either a first optimization mode, which adjusts the threshold of the detection mode in use with a first adjustment coefficient, or a second optimization mode, which adjusts it with a second adjustment coefficient.
Further, when the vulnerability detection module determines a detection mode of the vulnerability according to the historical operation data, the vulnerability detection module determines a risk degree evaluation value of the server to be detected according to abnormal flow and sensitive data in the historical operation data, and determines a detection mode of the server to be detected according to a comparison result of the risk degree evaluation value and a preset risk degree evaluation value, wherein the detection mode comprises a first detection mode of determining a data acquisition path of the server to be detected by the vulnerability detection module when the risk degree evaluation value is smaller than or equal to the preset risk degree evaluation value, and a second detection mode of sending instructions to a plurality of nodes of the server to be detected by the vulnerability detection module when the risk degree evaluation value is larger than the preset risk degree evaluation value so as to detect the server to be detected.
Further, when the vulnerability detection module determines the risk degree evaluation value of the server to be detected according to the abnormal flow and the sensitive data amount in the historical operation data, the risk degree evaluation value R is calculated by the following formula, and is set
where Qi represents the abnormal flow in the i-th historical operation data, Qz is the total flow in the historical operation data, Wj represents the sensitive data amount in the i-th historical operation data, and Wz represents the total data amount in the historical operation data.
Further, when the vulnerability detection module detects the server to be detected in a first detection mode, the vulnerability detection module detects a data packet in the data acquisition path, compares the data packet with vulnerability rules in a vulnerability detection plug-in, determines a matching degree of content in the data packet with the vulnerability rules, and when the matching degree is greater than a preset matching degree, the vulnerability detection module determines that the server to be detected has a vulnerability.
Further, when the vulnerability detection module determines the matching degree of the content in the data packet with the vulnerability rule, the matching degree is calculated by the formula P = Y/Yz × L, where P is the matching degree, Y is the data amount of the keywords in the data packet content that are the same as in the vulnerability rule, Yz is the total data amount of the data packet content, and L is the continuous length of the keywords that are the same as in the vulnerability rule.
Further, when the vulnerability detection module detects the server to be detected in a second detection mode, the vulnerability detection module sends a log data acquisition instruction to a data receiving node of the server to be detected, and the vulnerability detection module acquires log data fed back by the data receiving node and determines whether the fed back log data is consistent with log data required by the log data acquisition instruction;
and when the vulnerability detection module detects the server to be detected in a second detection mode, counting the node duty ratio of the log data fed back in the data receiving nodes, which is inconsistent with the log data required by the log data acquisition instruction, and when the node duty ratio is greater than or equal to a node duty ratio standard, determining that the server to be detected has the vulnerability by the vulnerability detection module.
Further, when the vulnerability verification module executes the vulnerability detected by the corresponding detection mode in a virtual machine, the vulnerability verification module copies the operation data and the operation mode of the server to be detected, where the vulnerability exists, in the virtual machine so that the virtual machine executes the same operation as the server to be detected;
when the data analysis module analyzes the verification process of the vulnerability verification module to determine whether to adjust the detection mode, the data analysis module counts the ratio of the number of times that the intrusion rules corresponding to a plurality of intrusions input into the virtual machine successfully intrude into the virtual machine to the total number of intrusions, and when the ratio is smaller than or equal to a preset ratio, the data analysis module determines that the detection mode needs to be adjusted.
Further, when the data analysis module determines to adjust the detection mode, the data processing module calculates a difference value between the ratio and a preset ratio, and determines an optimization mode for the corresponding detection mode according to a comparison result of the difference value and the preset difference value;
when the difference value is smaller than or equal to a preset difference value, the data processing module determines that the optimization mode is a first optimization mode;
and when the difference value is larger than a preset difference value, the data processing module determines that the optimization mode is a second optimization mode.
Further, when the data processing module determines that the optimization mode is a first optimization mode, the data processing module calculates a first adjustment coefficient K1 to adjust the preset matching degree or the node duty ratio standard, and sets
where Ws is the sensitive data amount in the server to be detected, Wr is the capacity of the server to be detected, B is the ratio of the number of times the intrusion rules successfully intrude into the virtual machine to the total number of intrusions, and B0 is the preset ratio;
when the data processing module determines that the optimization mode is a second optimization mode, the data processing module calculates a second adjustment coefficient K2 to adjust the preset matching degree or the node duty ratio standard, and sets
where Qs is the real-time abnormal flow of the server to be detected and Qr is the maximum running flow of the server to be detected.
Further, when the data processing module has calculated the first adjustment coefficient K1 or the second adjustment coefficient K2, it sets the adjusted preset matching degree Pk = P0 × Ki and the adjusted node duty ratio standard Gk = G0 × Ki, where P0 is the preset matching degree, G0 is the node duty ratio standard, Ki is the i-th adjustment coefficient, and i is 1 or 2.
Compared with the prior art, the method has the following beneficial effects. The historical operation data of the server to be detected are acquired and a risk degree evaluation value of the server is determined from the abnormal flow and the sensitive data amount in those data; the risk degree evaluation value characterizes the risk degree of the server, the risk degree determines the detection mode used for the server's vulnerabilities, and when a vulnerability is found by the corresponding detection mode, the detection mode is optimized according to the real-time operating condition of the server. This improves the control accuracy of the vulnerability detection process and hence the vulnerability detection efficiency for the server to be detected.
Further, the vulnerability detection module calculates the risk degree evaluation value of the server to be detected from the historical operation data; this value characterizes the server's capacity to bear risk and selects the detection mode for the server, which improves the control accuracy of the vulnerability detection process.
Further, different detection rules are set in the corresponding detection modes to determine whether the server has a vulnerability under that mode, and a detected vulnerability is reproduced in a virtual machine for verification, so the accuracy of detecting the server's vulnerabilities is improved without damaging the server; this further improves the control accuracy of the vulnerability detection process and the vulnerability detection efficiency for the server to be detected.
Further, in the corresponding detection mode the method either inspects the data packets in the data acquisition path and compares them with the vulnerability rules of the vulnerability detection plug-in, matching the packet content against those rules to decide whether the server to be detected has a vulnerability, or inspects the feedback of the server's data receiving nodes to the log data acquisition instruction to decide the same, which further improves the control accuracy of the vulnerability detection process and hence the detection efficiency.
Further, the method executes the detected vulnerability in the virtual machine and determines whether the input intrusion rules intrude into the virtual machine while the vulnerability is executed; whether to optimize the detection mode is decided from the number of successful intrusions, and the optimization mode from the difference between the ratio of successful intrusions to total intrusions and the preset ratio, which further improves the control accuracy of the vulnerability detection process and the detection efficiency for the server to be detected.
Drawings
FIG. 1 is a flow chart of an intelligent vulnerability detection and verification method according to an embodiment of the present invention;
FIG. 2 is a block diagram of a system for performing the intelligent vulnerability detection and verification method according to an embodiment of the present invention.
Detailed Description
In order that the objects and advantages of the invention will become more apparent, the invention will be further described with reference to the following examples; it should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are merely for explaining the technical principles of the present invention, and are not intended to limit the scope of the present invention.
It should be noted that, in the description of the present invention, terms such as "upper," "lower," "left," "right," "inner," "outer," and the like indicate directions or positional relationships based on the directions or positional relationships shown in the drawings, which are merely for convenience of description, and do not indicate or imply that the apparatus or elements must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention.
Furthermore, it should be noted that, in the description of the present invention, unless explicitly specified and limited otherwise, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be either fixedly connected, detachably connected, or integrally connected, for example; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention can be understood by those skilled in the art according to the specific circumstances.
Referring to fig. 1 and 2, fig. 1 is a flowchart of an intelligent vulnerability detection and verification method according to an embodiment of the invention; FIG. 2 is a block diagram of a system for performing the intelligent vulnerability detection and verification method according to an embodiment of the present invention.
The intelligent vulnerability detection and verification method provided by the embodiment of the invention comprises the following steps:
step S1, a data acquisition module acquires historical operation data of a server to be detected;
step S2, a vulnerability detection module determines a vulnerability detection mode for the historical operation data;
step S3, a vulnerability verification module executes the vulnerability detected by the corresponding detection mode in a virtual machine and inputs a plurality of intrusions into the vulnerability to verify it;
step S4, a data analysis module analyzes the verification process of the vulnerability verification module to determine whether to optimize the detection mode;
and step S5, a data processing module determines, according to the analysis result of the data analysis module, whether to optimize the detection mode and which optimization mode to use.
The historical operation data comprise abnormal flow and sensitive data quantity of the server to be detected in the historical operation process.
In the embodiment of the invention, the sensitive data amount is obtained through SQL queries: the data in the structured database of the server to be detected are combed, the corresponding sensitive data are retrieved from them, and the sensitive data amount is determined from the retrieved sensitive data.
Specifically, when the vulnerability detection module determines a detection mode of the vulnerability according to the historical operation data, the vulnerability detection module determines a risk degree evaluation value R of the server to be detected according to abnormal flow and sensitive data in the historical operation data, and determines the detection mode of the server to be detected according to a comparison result of the risk degree evaluation value R and a preset risk degree evaluation value R0;
when R is less than or equal to R0, the vulnerability detection module determines to detect the server to be detected in a first detection mode;
when R is more than R0, the vulnerability detection module detects the server to be detected in a second detection mode;
the first detection mode is to detect a data acquisition path of the server to be detected, and the second detection mode is to send instructions to a plurality of nodes of the server to be detected.
Specifically, when the vulnerability detection module determines the risk degree evaluation value of the server to be detected according to the abnormal flow and the sensitive data amount in the historical operation data, the risk degree evaluation value R is calculated by the following formula, and is set
where Qi represents the abnormal flow in the i-th historical operation data, Qz is the total flow in the historical operation data, Wj represents the sensitive data amount in the i-th historical operation data, and Wz represents the total data amount in the historical operation data.
In the embodiment of the present invention, the preset risk degree evaluation value R0 is calculated, set,
where Wj represents the sensitive data amount in the i-th historical operation data and Wz represents the total data amount in the historical operation data;
that is, the preset risk degree evaluation value R0 is the risk degree evaluation value obtained when every Qi is 0.
Specifically, when the vulnerability detection module detects the server to be detected in a first detection manner, the vulnerability detection module determines the matching degree P of the content in the data packet and the vulnerability rule by detecting the data packet in the data acquisition path and comparing the data packet with the vulnerability rule in the vulnerability detection plug-in, and determines whether the server to be detected has a vulnerability according to the comparison result of the matching degree P and a preset matching degree P0;
when P is less than or equal to P0, the vulnerability detection module determines that the server to be detected does not have vulnerabilities;
and when P is more than P0, the vulnerability detection module determines that the server to be detected has vulnerabilities.
Specifically, when the vulnerability detection module determines the matching degree P of the content in the data packet with the vulnerability rule, it sets P = Y/Yz × L, where Y is the data amount of the keywords in the data packet content that are the same as in the vulnerability rule, Yz is the total data amount of the data packet content, and L is the continuous length of the keywords in the data packet content that are the same as in the vulnerability rule.
In the embodiment of the invention, the preset matching degree is chosen so that the data amount of the matching keywords is less than fifty percent of the data amount of a single vulnerability rule and the continuous length of the matching keywords is less than 5 bytes.
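The first detection mode above reduces to computing P = Y/Yz × L for a packet against a rule and comparing it with P0. The following is an added example, not code from the patent or its assignee, that implements that formula under assumptions the page does not state: a vulnerability rule is a set of byte-string keywords, Y is the number of packet bytes covered by keyword matches (overlapping matches merged so a byte is not counted twice), Yz is the packet length, and L is the longest contiguous run of covered bytes. Two points a practitioner should notice: L is a byte count, so P is not bounded by 1 and P0 must be expressed in the same units; and under the embodiment's reading of P0 (half a rule's keyword bytes matched, 5-byte run), P0 depends on Yz and therefore on the size of the packet being inspected. The rule name, keywords and packets are constructed for illustration.

```python
# Added example (not from the patent): first detection mode, matching degree P = Y / Yz * L.
# Assumptions not stated on the page: a vulnerability rule is a tuple of byte-string
# keywords; Y counts packet bytes covered by keyword matches, Yz is the packet length,
# and L is the longest contiguous run of covered bytes.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRule:
    name: str
    keywords: tuple[bytes, ...]


def covered_spans(packet: bytes, rule: VulnRule) -> list[tuple[int, int]]:
    """Merged [start, end) spans of packet bytes matched by any keyword of the rule."""
    spans: list[tuple[int, int]] = []
    for kw in rule.keywords:
        pos = packet.find(kw)
        while pos != -1:
            spans.append((pos, pos + len(kw)))
            pos = packet.find(kw, pos + 1)
    spans.sort()
    merged: list[tuple[int, int]] = []
    for start, end in spans:
        if merged and start <= merged[-1][1]:  # overlapping or adjacent: extend the run
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def matching_degree(packet: bytes, rule: VulnRule) -> float:
    """P = Y / Yz * L as defined on the page (L is in bytes, so P is not bounded by 1)."""
    if not packet:
        return 0.0
    spans = covered_spans(packet, rule)
    y = sum(end - start for start, end in spans)  # Y: bytes matched by keywords
    l = max((end - start for start, end in spans), default=0)  # L: longest contiguous match
    return y / len(packet) * l


def preset_matching_degree(rule: VulnRule, packet_len: int) -> float:
    """One reading of the embodiment's P0: the P value reached when the matched bytes are
    half of the rule's keyword bytes and the longest run is 5 bytes. Because Yz is the
    packet length, this P0 changes with the packet being inspected (assumption)."""
    rule_bytes = sum(len(kw) for kw in rule.keywords)
    return (0.5 * rule_bytes / packet_len) * 5


def has_vulnerability(packet: bytes, rule: VulnRule, p0: float) -> bool:
    """The page's decision: the server has the vulnerability iff P > P0."""
    return matching_degree(packet, rule) > p0


# Constructed sample rule and traffic (hypothetical, not captured from any real system).
CMD_INJECTION_RULE = VulnRule("cgi-command-injection", (b"cmd=", b";", b"/bin/sh"))
PACKET_ATTACK = b"GET /cgi-bin/x.cgi?cmd=;/bin/sh HTTP/1.1"  # 40 bytes, keywords at 19..31
PACKET_BENIGN = b"GET /index.html HTTP/1.1"                  # 24 bytes, no keyword

if __name__ == "__main__":
    for pkt in (PACKET_ATTACK, PACKET_BENIGN):
        p0 = preset_matching_degree(CMD_INJECTION_RULE, len(pkt))
        print(pkt, matching_degree(pkt, CMD_INJECTION_RULE), p0,
              has_vulnerability(pkt, CMD_INJECTION_RULE, p0))
```

For the attack packet the three keywords merge into one 12-byte run, giving Y = 12, Yz = 40, L = 12 and P = 3.6 against a P0 of 0.75; the benign packet scores 0. A single-byte keyword such as `;` makes Y and L cheap to inflate on ordinary traffic, which is why the threshold has to be tuned per rule rather than globally.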
Specifically, when the vulnerability detection module detects the server to be detected in a second detection mode, the vulnerability detection module sends an instruction for acquiring log data to a data receiving node of the server to be detected, and the vulnerability detection module acquires the log data fed back by the data receiving node and determines whether the fed back log data is consistent with the log data required by the instruction for acquiring the log data.
Specifically, when the vulnerability detection module detects the server to be detected in a second detection mode, counting the node duty ratio of the log data fed back in a plurality of data receiving nodes, which is inconsistent with the log data required by the log data acquisition instruction, and determining whether the server to be detected has the vulnerability according to the comparison result of the node duty ratio G and the node duty ratio standard G0;
if G is more than or equal to G0, the vulnerability detection module determines that the server to be detected has a vulnerability;
if G is less than G0, the vulnerability detection module determines that the server to be detected does not have a vulnerability.
In the embodiment of the invention, the node duty ratio standard G0 has a value of 0.
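The second detection mode is a consistency check over the data receiving nodes: each is sent a log data acquisition instruction, and G is the share of nodes whose feedback does not match what the instruction asked for. The following is an added example, not code from the patent or its assignee, that implements that check under assumptions the page leaves open: the instruction names a log path and a time window, and a node's feedback is consistent when the node answers at all, every returned record comes from that path, and every record's timestamp falls inside the window. One caveat worth checking against the text: the decision rule is G ≥ G0 and the embodiment sets G0 = 0, so taken literally every server is flagged; the reading that discriminates is that any inconsistent node (G > 0) indicates the vulnerability. The node names, paths and log lines are constructed.

```python
# Added example (not from the patent): second detection mode, node duty ratio G.
# Assumptions not stated on the page: the log data acquisition instruction names a log
# path and a time window; feedback is consistent when the node answers, every record is
# from that path, and every timestamp lies inside the window.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class LogRequest:
    path: str
    start_ts: int  # inclusive, seconds since epoch
    end_ts: int    # inclusive


@dataclass(frozen=True)
class LogRecord:
    path: str
    ts: int
    line: str


def feedback_consistent(req: LogRequest, records: list[LogRecord] | None) -> bool:
    """None models a node that did not answer the instruction at all."""
    if not records:
        return False
    return all(r.path == req.path and req.start_ts <= r.ts <= req.end_ts for r in records)


def inconsistent_nodes(req: LogRequest, feedback: dict[str, list[LogRecord] | None]) -> list[str]:
    """Names of the data receiving nodes whose feedback does not match the instruction."""
    return sorted(node for node, recs in feedback.items() if not feedback_consistent(req, recs))


def node_duty_ratio(req: LogRequest, feedback: dict[str, list[LogRecord] | None]) -> float:
    """G = (nodes with inconsistent feedback) / (nodes that were instructed)."""
    if not feedback:
        raise ValueError("no data receiving nodes were instructed")
    return len(inconsistent_nodes(req, feedback)) / len(feedback)


def has_vulnerability(g: float, g0: float) -> bool:
    """The page's decision: vulnerability iff G >= G0. With the embodiment's G0 = 0 this
    is true for every server; only G > 0 actually separates servers."""
    return g >= g0


# Constructed feedback from four data receiving nodes (hypothetical, no real logs).
REQ = LogRequest("/var/log/auth.log", 1_700_000_000, 1_700_003_600)
FEEDBACK: dict[str, list[LogRecord] | None] = {
    "node-a": [LogRecord(REQ.path, 1_700_000_100, "sshd: Accepted publickey for ops")],
    "node-b": [LogRecord(REQ.path, 1_700_001_200, "sshd: Failed password for root")],
    "node-c": [LogRecord("/var/log/syslog", 1_700_001_300, "cron: job ran")],  # wrong log
    "node-d": None,  # never answered the instruction
}

if __name__ == "__main__":
    g = node_duty_ratio(REQ, FEEDBACK)
    print("G =", g, "inconsistent:", inconsistent_nodes(REQ, FEEDBACK),
          "flagged (G0=0):", has_vulnerability(g, 0.0))
```

Two of the four constructed nodes are inconsistent, so G = 0.5. A node that answers with the wrong log and a node that does not answer are counted the same way, which is the page's rule; an operator who wants to tell tampering from outage would keep the two lists separate.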
Specifically, when the vulnerability verification module executes the vulnerability detected by the corresponding detection mode in a virtual machine, the vulnerability verification module copies the operation data and the operation mode of the server to be detected, where the vulnerability exists, in the virtual machine so that the virtual machine executes the same operation as the server to be detected.
Specifically, when the data analysis module analyzes the verification process of the vulnerability verification module to determine whether to adjust the detection mode, the data analysis module counts the ratio B of the number of times that the intrusion rules corresponding to a plurality of intrusions input into the virtual machine successfully intrude into the virtual machine to the total number of intrusions, so as to determine whether to adjust the detection mode according to the comparison result of the ratio B and a preset ratio B0;
when B is less than or equal to B0, the data analysis module determines that the detection mode needs to be adjusted;
when B > B0, the data analysis module determines that the detection mode is not adjusted.
In the embodiment of the invention, the preset ratio B0 is 0.5; that is, when the successful intrusions are fewer than half of the total intrusions, the vulnerability verification module's analysis of the vulnerability cannot guarantee that the vulnerability can actually be used to intrude into the server to be detected.
Specifically, when the data analysis module determines to adjust the detection mode, the data processing module calculates a difference value C between the ratio B and the preset ratio B0, sets C = B0 - B, and determines an optimization mode for the corresponding detection mode according to a comparison result of the difference value C and the preset difference value C0;
when C is less than or equal to C0, the data processing module determines that the optimization mode is a first optimization mode;
when C > C0, the data processing module determines that the optimization mode is a second optimization mode.
In the embodiment of the present invention, the preset difference C0 is 0.15. This value was obtained by a verifier who performed vulnerability detection on a plurality of cloud servers and found that, with this value, the number of vulnerabilities missed after the detection mode adjustment was minimal, so it is adopted as the preset difference C0. It can be understood by those skilled in the art that the preset difference C0 is not limited to this value and is reasonably adjusted when other servers or systems are detected according to the vulnerability detection and verification method of the present invention; the present invention is not limited thereto.
Specifically, when the data processing module determines that the optimization mode is the first optimization mode, the data processing module calculates a first adjustment coefficient K1 to adjust the preset matching degree P0 or the node duty ratio standard G0, and sets
Ws is the sensitive data amount in the server to be detected, and Wr is the capacity of the server to be detected.
Specifically, when the data processing module determines that the optimization mode is the second optimization mode, the data processing module calculates a second adjustment coefficient K2 to adjust the preset matching degree P0 or the node duty ratio standard G0, and sets
And Qs is the real-time abnormal flow of the server to be detected, and Qr is the maximum running flow of the server to be detected.
Specifically, when the data processing module finishes calculating the first adjustment coefficient K1 or the second adjustment coefficient K2, the data processing module sets the adjusted preset matching degree to Pk, sets Pk = P0 × Ki, sets the adjusted node duty ratio standard to Gk, and sets Gk = G0 × Ki, where Ki is the i-th adjustment coefficient and the value of i is 1 or 2.
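As an added illustration (not code from the patent or its applicant), the following Python sketches the second-mode node duty ratio check and the feedback loop of steps S4 and S5 described above, using the embodiment's values B0 = 0.5 and C0 = 0.15; the adjustment coefficients K1 and K2, whose formulas are not reproduced on this page, are passed in by the caller, and the thresholds P0, G0 and the node data in the demo are constructed.

```python
from dataclasses import dataclass, replace

# Added illustration, not the patent's code. B0 and C0 are the embodiment's
# values; P0 and G0 are constructed, and K1/K2 are supplied by the caller
# because their formulas are not reproduced on the page.

@dataclass(frozen=True)
class Thresholds:
    p0: float          # preset matching degree P0 (first detection mode)
    g0: float          # node duty ratio standard G0 (second detection mode)
    b0: float = 0.5    # preset ratio B0 (embodiment value)
    c0: float = 0.15   # preset difference C0 (embodiment value)

def node_duty_ratio(requested: dict, fed_back: dict) -> float:
    """G: share of data receiving nodes whose fed-back log data is not the
    log data the acquisition instruction asked for (a missing reply counts)."""
    if not requested:
        raise ValueError("no data receiving nodes were instructed")
    inconsistent = sum(1 for node, want in requested.items()
                       if fed_back.get(node) != want)
    return inconsistent / len(requested)

def second_mode_has_vulnerability(g: float, t: Thresholds) -> bool:
    """Second detection mode decision: vulnerability if G >= G0.
    Caveat: with G0 = 0 as in the embodiment, every G satisfies this test."""
    return g >= t.g0

def intrusion_ratio(outcomes) -> float:
    """B: successful intrusions / total intrusions run against the VM copy."""
    outcomes = list(outcomes)
    if not outcomes:
        raise ValueError("no intrusion outcomes recorded")
    return sum(1 for ok in outcomes if ok) / len(outcomes)

def optimization_mode(b: float, t: Thresholds):
    """Steps S4/S5: None when B > B0 (mode kept); otherwise C = B0 - B
    selects the first (C <= C0) or second (C > C0) optimization mode."""
    if b > t.b0:
        return None
    c = t.b0 - b
    return 1 if c <= t.c0 else 2

def adjust_thresholds(t: Thresholds, outcomes, k1: float, k2: float):
    """Apply Pk = P0 * Ki and Gk = G0 * Ki for the chosen mode i (1 or 2).
    Returns (thresholds, mode); thresholds are unchanged when mode is None."""
    mode = optimization_mode(intrusion_ratio(outcomes), t)
    if mode is None:
        return t, None
    ki = k1 if mode == 1 else k2
    return replace(t, p0=t.p0 * ki, g0=t.g0 * ki), mode

if __name__ == "__main__":
    t = Thresholds(p0=0.6, g0=0.2)                     # constructed P0, G0
    requested = {"n1": "auth.log", "n2": "sys.log", "n3": "app.log"}
    fed_back = {"n1": "auth.log", "n2": "other.log"}   # n3 never replied
    g = node_duty_ratio(requested, fed_back)
    print("G =", round(g, 3), "vulnerable:", second_mode_has_vulnerability(g, t))
    # 2 of 5 intrusions succeeded: B = 0.4 <= B0, C = 0.1 <= C0 -> mode 1
    print(adjust_thresholds(t, [True, False, False, False, True], k1=0.9, k2=0.8))
```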
Thus far, the technical solution of the present invention has been described in connection with the preferred embodiments shown in the drawings, but it is easily understood by those skilled in the art that the scope of protection of the present invention is not limited to these specific embodiments. Equivalent modifications and substitutions for related technical features may be made by those skilled in the art without departing from the principles of the present invention, and such modifications and substitutions will be within the scope of the present invention.
The foregoing description is only of the preferred embodiments of the invention and is not intended to limit the invention; various modifications and variations of the present invention will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An intelligent vulnerability detection and verification method is characterized by comprising the following steps:
step S1, a data acquisition module acquires historical operation data of a server to be detected;
step S2, a vulnerability detection module determines a vulnerability detection mode aiming at the historical operation data;
step S3, a vulnerability verification module executes the vulnerabilities detected by the corresponding detection mode in a virtual machine, and inputs a plurality of intrusions into the vulnerabilities to verify the vulnerabilities;
step S4, a data analysis module analyzes the verification process of the vulnerability verification module to determine whether to optimize the detection mode;
step S5, a data processing module determines whether to optimize the detection mode and determines an optimization mode of the detection mode according to the analysis result of the data analysis module;
the historical operation data comprise abnormal flow and sensitive data quantity of the server to be detected in the historical operation process;
in the step S4, when the data analysis module analyzes the verification process of the vulnerability verification module, the number of successful intrusions into the virtual machine by the intrusion rules corresponding to the plurality of intrusions is counted, so as to determine whether to optimize the detection mode according to that number;
in the step S5, when the data processing module determines whether to optimize the detection mode according to the analysis result of the data analysis module, the data processing module calculates a difference value between a ratio of the number of intrusions to the total number of intrusions and a preset ratio, so as to determine an optimization mode for the corresponding detection mode according to the difference value, where the optimization mode includes optimizing the first detection mode or the second detection mode by using a first adjustment coefficient and a second adjustment coefficient, respectively.
2. The intelligent vulnerability detection and verification method according to claim 1, wherein when the vulnerability detection module determines a detection mode for a vulnerability with respect to the historical operation data, the vulnerability detection module determines a risk level evaluation value of the server to be detected according to abnormal traffic and sensitive data amount in the historical operation data, and determines a detection mode for the server to be detected according to a comparison result of the risk level evaluation value and a preset risk level evaluation value, wherein the detection mode includes a first detection mode for determining a data acquisition path of the server to be detected by the vulnerability detection module when the risk level evaluation value is less than or equal to the preset risk level evaluation value, and a second detection mode for transmitting an instruction to a plurality of nodes of the server to be detected to detect the server to be detected when the risk level evaluation value is greater than the preset risk level evaluation value.
3. The intelligent vulnerability detection and verification method according to claim 2, wherein when the vulnerability detection module determines the risk level evaluation value of the server to be detected according to the abnormal flow and the sensitive data amount in the historical operation data, the risk level evaluation value R is calculated by the following formula, and is set
Wherein Qi represents the abnormal flow in the i-th item of historical operation data, Qz is the total flow in the historical operation data, Wj represents the sensitive data amount in the j-th item of historical operation data, and Wz represents the total data amount in the historical operation data.
4. The intelligent vulnerability detection and verification method of claim 3, wherein when the vulnerability detection module detects the server to be detected in a first detection mode, the vulnerability detection module detects a data packet in the data acquisition path and compares the data packet with a vulnerability rule in a vulnerability detection plug-in, determines a matching degree of content in the data packet with the vulnerability rule, and when the matching degree is greater than a preset matching degree, the vulnerability detection module determines that the server to be detected has a vulnerability.
5. The intelligent vulnerability detection and verification method according to claim 4, wherein when the vulnerability detection module determines the matching degree of the content in the data packet with the vulnerability rule, the matching degree is calculated by the following formula: P = Y/Yz × L, where P is the matching degree, Y is the data amount in the data packet of keywords identical to those of the vulnerability rule, Yz is the total data amount of the content in the data packet, and L is the continuous length of the keywords in the data packet identical to those of the vulnerability rule.
6. The intelligent vulnerability detection and verification method of claim 5, wherein when the vulnerability detection module detects the server to be detected in a second detection mode, the vulnerability detection module sends a log data acquisition instruction to a data receiving node of the server to be detected, acquires the log data fed back by the data receiving node, and determines whether the fed-back log data is consistent with the log data required by the log data acquisition instruction;
and when the vulnerability detection module detects the server to be detected in the second detection mode, it counts the proportion of the data receiving nodes whose fed-back log data is inconsistent with the log data required by the log data acquisition instruction (the node duty ratio), and when the node duty ratio is greater than or equal to a node duty ratio standard, the vulnerability detection module determines that the server to be detected has the vulnerability.
7. The intelligent vulnerability detection and verification method according to claim 6, wherein when the vulnerability verification module executes the vulnerability detected by the corresponding detection mode in a virtual machine, the vulnerability verification module copies the operation data and operation mode of the server to be detected, in which the vulnerability exists, in the virtual machine so that the virtual machine executes the same operation as the server to be detected;
when the data analysis module analyzes the verification process of the vulnerability verification module to determine whether to adjust the detection mode, the data analysis module counts the ratio of the number of times that the intrusion rules corresponding to a plurality of intrusions input into the virtual machine successfully intrude into the virtual machine to the total number of intrusions, and when the ratio is smaller than or equal to a preset ratio, the data analysis module determines that the detection mode needs to be adjusted.
8. The intelligent vulnerability detection and verification method according to claim 7, wherein when the data analysis module determines to adjust the detection mode, the data processing module calculates a difference value between the ratio and a preset ratio, and determines an optimization mode for the corresponding detection mode according to a comparison result of the difference value and a preset difference value;
when the difference value is smaller than or equal to a preset difference value, the data processing module determines that the optimization mode is a first optimization mode;
and when the difference value is larger than a preset difference value, the data processing module determines that the optimization mode is a second optimization mode.
9. The intelligent vulnerability detection and verification method of claim 8, wherein when the data processing module determines that the optimization mode is a first optimization mode, the data processing module calculates a first adjustment coefficient K1 to adjust the preset matching degree or the node duty ratio standard, and sets
Ws is the sensitive data amount in the server to be detected, wr is the capacity of the server to be detected, B is the ratio of the number of times the intrusion rule successfully intrudes into the virtual machine to the total number of times of intrusion, and B0 is the preset ratio;
when the data processing module determines that the optimization mode is a second optimization mode, the data processing module calculates a second adjustment coefficient K2 to adjust the preset matching degree or the node duty ratio standard, and sets
And Qs is the real-time abnormal flow of the server to be detected, and Qr is the maximum running flow of the server to be detected.
10. The intelligent vulnerability detection and verification method according to claim 9, wherein when the data processing module finishes calculating the first adjustment coefficient K1 or the second adjustment coefficient K2, the data processing module sets the adjusted preset matching degree to Pk, sets Pk = P0 × Ki, sets the adjusted node duty ratio standard to Gk, and sets Gk = G0 × Ki, wherein P0 is the preset matching degree, G0 is the node duty ratio standard, Ki is the i-th adjustment coefficient, and i has a value of 1 or 2.
CN202310847722.XA 2023-07-12 2023-07-12 Intelligent vulnerability detection and verification method Active CN116561773B (en)

Publications (2)

Publication Number Publication Date
CN116561773A true CN116561773A (en) 2023-08-08
CN116561773B CN116561773B (en) 2023-09-19


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant