CN116776338B - Multilayer filtering high-precision vulnerability detection method, device, equipment and medium - Google Patents


Info

Publication number: CN116776338B
Authority: CN (China)
Prior art keywords: target, vulnerability, detection, determining, loopholes
Legal status: Active
Application number: CN202310941565.9A
Other languages: Chinese (zh)
Other versions: CN116776338A (en)
Inventor: 王昊天
Current assignee: Shanghai Dragon Technology Co ltd
Original assignee: Shanghai Dragon Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/70 Software maintenance or management
    • G06F8/71 Version control; Configuration management


Abstract

The application relates to a multilayer filtering high-precision vulnerability detection method, device, equipment and medium in the field of software security detection. The method comprises the following steps: acquiring detection requirement information about a target device triggered by a user; determining the potential vulnerabilities of each open port from a preset vulnerability library based on at least one of service, protocol and version; determining, from the potential vulnerabilities, the target vulnerabilities that meet the detection requirement information based on vulnerability category and risk level; and determining a verification strategy corresponding to each target vulnerability and verifying the target vulnerability with it.

Description

Multilayer filtering high-precision vulnerability detection method, device, equipment and medium
Technical Field
The application relates to the field of software security detection, in particular to a multilayer filtering high-precision vulnerability detection method, device, equipment and medium.
Background
With the rapid development of the internet industry, networks bring people benefits and convenience; at the same time, insufficient network security protection leaves systems easy to attack, which can even cause economic loss and adverse social effects. Network security is therefore particularly important.
In the prior art, network security is mainly maintained by vulnerability detection: data packets are sent to the ports of an electronic device, the open ports are determined from the feedback of each port, and the vulnerabilities that may exist on the open ports are screened and verified one by one, so as to judge whether each vulnerability exists and how severe its threat is. When there are many vulnerabilities, verifying them one after another takes a long time, which reduces the efficiency of vulnerability detection.
Disclosure of Invention
In order to improve the efficiency of vulnerability detection, the application provides a multilayer filtering high-precision vulnerability detection method, device, equipment and medium.
In a first aspect, the present application provides a multilayer filtering high-precision vulnerability detection method, which adopts the following technical scheme:
A multilayer filtering high-precision vulnerability detection method comprises the following steps:
acquiring detection requirement information triggered by a user and related to a target device, wherein the detection requirement information comprises the service, protocol and version of at least one open port of the target device;
determining the potential vulnerabilities of each open port from a preset vulnerability library based on at least one of the service, the protocol and the version, wherein the preset vulnerability library comprises a plurality of preset vulnerabilities, each corresponding to a vulnerability category and a risk level;
determining, from the potential vulnerabilities, the target vulnerabilities that meet the detection requirement information based on the vulnerability categories and risk levels of the potential vulnerabilities;
and determining a verification strategy corresponding to the target vulnerability and verifying the target vulnerability with it.
By adopting this scheme, the detection requirement information about the target device triggered by the user is acquired, together with the service, protocol and version of at least one open port of the target device, so that the vulnerabilities related to that service, protocol and version, that is, the potential vulnerabilities of the open port, can be conveniently determined from the preset vulnerability library. Because each preset vulnerability in the library corresponds to a vulnerability category and a risk level, the target vulnerabilities can be selected from the potential vulnerabilities according to the detection requirement information, which improves the accuracy of the target vulnerabilities. Once the target vulnerabilities are determined, the corresponding verification strategy is determined and the presence or absence of the target vulnerabilities that match the detection requirement information is verified according to that strategy.
In another possible implementation, the verification strategy includes a verification code or a verification script corresponding to the target vulnerability, and determining and verifying the verification strategy corresponding to the target vulnerability includes:
searching a preset code base for the verification code or verification script corresponding to the target vulnerability based on the service, protocol and version of the target vulnerability;
running the verification code or verification script to obtain a running result;
and determining whether the target vulnerability exists based on the running result.
By adopting this scheme: because the service, protocol and version differ between target vulnerabilities, the corresponding verification code or script differs too, as does the effect produced when it runs. A preset code base therefore makes it convenient to find the code or script matching the service, protocol and version of the target vulnerability, which improves the accuracy of vulnerability verification. The running result characterises the effect the target vulnerability produces at run time, so whether the target vulnerability exists can be judged conveniently and accurately from the result of running the verification code or script.
In another possible implementation, the method further includes:
acquiring the service, protocol and version of a historical open port, wherein the historical open port corresponds to historical potential vulnerabilities;
judging whether a target open port exists, wherein a target open port is an open port whose service, protocol and version are consistent with those of a corresponding target historical open port;
if so, determining the historical potential vulnerabilities of the target historical open port as the potential vulnerabilities corresponding to the target open port.
By adopting this scheme: because the vulnerabilities corresponding to an open port depend on its service, protocol and version, acquiring the service, protocol and version of a historical open port allows the historical potential vulnerabilities of that port to be determined. Whether a target open port exists whose service, protocol and version are consistent with those of the historical open port is then judged; if so, the open port and the historical open port share the same potential vulnerabilities, so the historical potential vulnerabilities are taken as the potential vulnerabilities of the target open port, which determines them conveniently and quickly.
In another possible implementation, the method further includes:
determining a first number, the number of target vulnerabilities;
acquiring a second number, the number of vulnerabilities detected in the previous detection period;
determining the absolute value of the difference between the first number and the second number;
and determining the time point of the next vulnerability detection based on the absolute value.
By adopting this scheme, the difference between the first number and the second number is taken and its absolute value represents how strongly the number of vulnerabilities of the target device has changed most recently, so the time point of the next vulnerability detection of the target device can be accurately determined from the absolute value, reducing the possibility of detecting too early or too late.
In another possible implementation, determining the time point of the next vulnerability detection based on the absolute value includes:
determining, from at least one preset number-difference interval, the target preset number-difference interval in which the absolute value lies, so as to determine the target detection period change corresponding to the absolute value, wherein each preset number-difference interval corresponds to a detection period change;
determining the change trend of the number of vulnerabilities from the first number and the second number;
if the change trend is rising, subtracting the target detection period change from a reference detection period to obtain the time point of the next vulnerability detection, wherein the reference detection period is the detection period corresponding to an absolute value of 0;
and if the change trend is falling, adding the target detection period change to the reference detection period to obtain the time point of the next vulnerability detection.
By adopting this scheme: the reference detection period is the detection period corresponding to an absolute value of 0, that is, the case in which the number of vulnerabilities has not changed. Comparing the absolute value against the preset number-difference intervals, each of which has its own detection period change, makes it convenient and accurate to determine a suitable detection period change for different absolute values. The change trend is determined quickly from the first and second numbers: if the trend is rising, the first number is larger than the second and the number of vulnerabilities is increasing, so the detection period must be shortened and the target detection period change is subtracted from the reference detection period; if the trend is falling, the first number is smaller than the second and the number of vulnerabilities is decreasing, so the detection period can be lengthened and the target detection period change is added to the reference detection period. The time point of the next vulnerability detection is thus accurately determined through the change trend.
In another possible implementation, the method further includes:
acquiring a third number corresponding to each port, the number of vulnerabilities found on the port at each historical detection;
generating a line graph of the number of vulnerabilities for each port based on the third number;
determining at least two target time periods for each port based on the line graph, wherein a target time period is a time period in which the number of vulnerabilities of the port is in a falling trend;
acquiring the target protection strategy corresponding to the target time period with the largest falling trend;
and protecting each port based on its corresponding target protection strategy.
By adopting this scheme, the third number characterises the number of vulnerabilities of each port at each historical detection, and the line graph for each port is drawn from the third number and the time of each detection, so the increase and decrease in the number of vulnerabilities is reflected intuitively. The target time periods, that is, the periods in which the number of vulnerabilities of a port is falling, can then be found conveniently and accurately; comparing the trends of at least two target time periods makes it convenient to determine the target time period with the largest fall, and thus to accurately determine the target protection strategy for each port and apply it.
In another possible implementation, the method further includes:
obtaining the number of vulnerabilities corresponding to each detection in a preset time period and the risk level of each vulnerability;
determining a score for each detection based on the number of vulnerabilities, the average risk level, which is the average of the risk levels of all vulnerabilities found in that detection, and the weight corresponding to each;
determining the average score over the preset time period based on the score of each detection;
and outputting the average score.
By adopting this scheme, from the number of vulnerabilities and the risk level of each vulnerability at each of the repeated detections in the preset time period, the average risk level of all vulnerabilities in each detection is calculated. The number of vulnerabilities and the average risk level are both factors that influence the health of the target device, and their influence differs, so different weights are set and the score of each detection is calculated from these two aspects and their weights; that is, the severity of the vulnerabilities at each detection in the preset time period is judged comprehensively from both aspects. The average score over the preset time period is then calculated from the scores of the individual detections; it represents the health of the target device in that period accurately and vividly, and outputting it lets the relevant personnel understand the health of the target device intuitively.
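The detection-period adjustment (absolute difference, number-difference intervals, rising or falling trend) and the weighted health score described in the two implementations above, as an added example that is not the patent's own code. The interval table, the 14-day reference period, the weights, the weighted-sum form of the score and the detection records are constructed assumptions; the page fixes only the procedure.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DetectionRecord:
    """One vulnerability-detection run on the target device: the day it ran and
    the risk level (1 to 4, as in the page's example) of each vulnerability found.
    All records used below are constructed sample data."""
    day: int
    risk_levels: List[int] = field(default_factory=list)

    @property
    def count(self) -> int:
        return len(self.risk_levels)

    @property
    def average_risk(self) -> float:
        # A detection that found nothing has no risk to average: treat it as 0.
        return sum(self.risk_levels) / self.count if self.count else 0.0


# Preset number-difference intervals (constructed): each maps the absolute
# difference between consecutive counts to a detection period change in days.
# An absolute value of 0 falls in no interval and keeps the reference period.
PERIOD_CHANGE_INTERVALS: List[Tuple[int, int, int]] = [
    (1, 2, 1),       # small change: shift the period by 1 day
    (3, 5, 3),       # moderate change: shift by 3 days
    (6, 10**9, 5),   # large change: shift by 5 days (open-ended upper bound)
]
REFERENCE_PERIOD_DAYS = 14   # period corresponding to an absolute value of 0 (constructed)


def period_change_for(abs_diff: int) -> int:
    """Target detection period change for the interval the absolute value lies in."""
    for low, high, change in PERIOD_CHANGE_INTERVALS:
        if low <= abs_diff <= high:
            return change
    return 0


def next_detection_day(first_number: int, second_number: int, last_day: int) -> int:
    """first_number: target vulnerabilities found in the current detection;
    second_number: vulnerabilities found in the previous detection period.
    A rising trend shortens the reference period by the target change, a falling
    trend lengthens it. Clamping the period to at least 1 day is an assumption."""
    change = period_change_for(abs(first_number - second_number))
    if first_number > second_number:          # rising: detect sooner
        period = REFERENCE_PERIOD_DAYS - change
    elif first_number < second_number:        # falling: detect later
        period = REFERENCE_PERIOD_DAYS + change
    else:                                     # unchanged: reference period
        period = REFERENCE_PERIOD_DAYS
    return last_day + max(1, period)


# Weights of the two health factors (constructed; the page only says they differ).
COUNT_WEIGHT = 0.6
RISK_WEIGHT = 0.4


def detection_score(record: DetectionRecord) -> float:
    """Score of one detection: weighted sum of vulnerability count and average
    risk level. The weighted-sum form is an assumption; the page fixes only the
    two factors and that each has its own weight."""
    return COUNT_WEIGHT * record.count + RISK_WEIGHT * record.average_risk


def average_score(records: List[DetectionRecord], start_day: int, end_day: int) -> float:
    """Average of the per-detection scores inside the preset time period
    [start_day, end_day]; 0.0 if no detection ran in that period."""
    in_window = [r for r in records if start_day <= r.day <= end_day]
    if not in_window:
        return 0.0
    return sum(detection_score(r) for r in in_window) / len(in_window)


if __name__ == "__main__":
    history = [DetectionRecord(1, [2, 3, 4]), DetectionRecord(8, [4]), DetectionRecord(30, [1, 1])]
    print("next detection on day", next_detection_day(first_number=5, second_number=2, last_day=100))
    print("health score, days 1-14:", round(average_score(history, 1, 14), 2))
```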
In a second aspect, the present application provides a multilayer filtering high-precision vulnerability detection device, which adopts the following technical scheme:
A multilayer filtering high-precision vulnerability detection device, comprising:
a first acquisition module for acquiring detection requirement information about a target device triggered by a user, wherein the detection requirement information comprises the service, protocol and version of at least one open port of the target device;
a first vulnerability determination module for determining the potential vulnerabilities of each open port from a preset vulnerability library based on at least one of the service, the protocol and the version, wherein the preset vulnerability library comprises a plurality of preset vulnerabilities, each corresponding to a vulnerability category and a risk level;
a second vulnerability determination module for determining, from the potential vulnerabilities, the target vulnerabilities that meet the detection requirement information based on the vulnerability categories and risk levels of the potential vulnerabilities;
and a verification module for determining a verification strategy corresponding to the target vulnerability and verifying the target vulnerability with it.
By adopting this scheme, the first acquisition module acquires the detection requirement information about the target device triggered by the user, including the service, protocol and version of at least one open port of the target device, so that the first vulnerability determination module can conveniently determine the vulnerabilities related to that service, protocol and version, that is, the potential vulnerabilities of the open port, from the preset vulnerability library. Because each preset vulnerability in the library corresponds to a vulnerability category and a risk level, the second vulnerability determination module can determine the target vulnerabilities from the potential vulnerabilities according to the detection requirement information, which improves the accuracy of the target vulnerabilities. After the target vulnerabilities are determined, the verification module determines the corresponding verification strategy and verifies the target vulnerabilities matching the detection requirement information according to it; compared with verifying all of the vulnerabilities, this reduces the time required for verification and improves its efficiency.
In another possible implementation, the verification strategy includes a verification code or a verification script corresponding to the target vulnerability, and the device further comprises:
a searching module for searching a preset code base for the verification code or verification script corresponding to the target vulnerability based on the service, protocol and version of the target vulnerability;
a running module for running the verification code or verification script to obtain a running result;
and a third vulnerability determination module for determining whether the target vulnerability exists based on the running result.
In another possible implementation, the device further comprises:
a second acquisition module for acquiring the service, protocol and version of a historical open port, wherein the historical open port corresponds to historical potential vulnerabilities;
a judging module for judging whether a target open port exists, wherein a target open port is an open port whose service, protocol and version are consistent with those of a corresponding target historical open port;
and a fourth vulnerability determination module for determining, if a target open port exists, the historical potential vulnerabilities of the target historical open port as the potential vulnerabilities of the corresponding target open port.
In another possible implementation, the device further comprises:
a first number determination module configured to determine a first number, the number of target vulnerabilities;
a second number acquisition module configured to acquire a second number, the number of vulnerabilities detected in the previous detection period;
an absolute value determination module for determining the absolute value of the difference between the first number and the second number;
and a time point determination module for determining the time point of the next vulnerability detection based on the absolute value.
In another possible implementation, determining the time point of the next vulnerability detection based on the absolute value is performed by:
a detection period determination module for determining, from at least one preset number-difference interval, the target preset number-difference interval in which the absolute value lies, so as to determine the target detection period change corresponding to the absolute value, wherein each preset number-difference interval corresponds to a detection period change;
a trend determination module for determining the change trend of the number of vulnerabilities from the first number and the second number;
a first calculation module for subtracting, if the change trend is rising, the target detection period change from the reference detection period to obtain the time point of the next vulnerability detection, wherein the reference detection period is the detection period corresponding to an absolute value of 0;
and a second calculation module for adding, if the change trend is falling, the target detection period change to the reference detection period to obtain the time point of the next vulnerability detection.
In another possible implementation, the device further comprises:
a third number acquisition module for acquiring a third number corresponding to each port, the number of vulnerabilities found on the port at each historical detection;
a line graph determination module for generating a line graph of the number of vulnerabilities for each port based on the third number;
a time period determination module for determining at least two target time periods for each port based on the line graph, wherein a target time period is a time period in which the number of vulnerabilities of the port is in a falling trend;
a protection strategy acquisition module for acquiring the target protection strategy corresponding to the target time period with the largest falling trend;
and a protection module for protecting each port based on its corresponding target protection strategy.
In another possible implementation, the device further comprises:
a second acquisition module for acquiring the number of vulnerabilities and the risk level of each vulnerability at each of multiple detections in a preset time period;
a first score determination module for determining a score for each detection based on the number of vulnerabilities, the average risk level and their respective weights, wherein the average risk level is the average of the risk levels of all vulnerabilities found in that detection;
a second score determination module configured to determine the average score over the preset time period based on the score of each detection;
and an output module for outputting the average score.
In a third aspect, the present application provides an electronic device, which adopts the following technical scheme:
An electronic device, comprising:
at least one processor;
a memory;
at least one application, wherein the at least one application is stored in the memory and configured to be executed by the at least one processor, and the at least one processor is configured to perform the multilayer filtering high-precision vulnerability detection method according to any one of the possible implementations of the first aspect.
In a fourth aspect, the present application provides a computer readable storage medium, which adopts the following technical scheme:
A computer readable storage medium which, when its contents are executed on a computer, causes the computer to perform the multilayer filtering high-precision vulnerability detection method of any one of the first aspect.
In summary, the present application includes at least one of the following beneficial technical effects:
1. Acquiring the detection requirement information about the target device triggered by the user, including the service, protocol and version of at least one open port of the target device, makes it convenient to determine the vulnerabilities related to that service, protocol and version, that is, the potential vulnerabilities of the open port, from the preset vulnerability library. Because each preset vulnerability in the library corresponds to a vulnerability category and a risk level, the target vulnerabilities can be determined from the potential vulnerabilities according to the detection requirement information, which improves the accuracy of the target vulnerabilities; after the target vulnerabilities are determined, the corresponding verification strategy is determined and the target vulnerabilities matching the detection requirement information are verified according to it.
2. Taking the difference between the first number and the second number and then its absolute value represents how strongly the number of vulnerabilities of the target device has changed most recently, so the time point of the next vulnerability detection of the target device can be accurately determined from the absolute value, reducing the possibility of detecting too early or too late.
Drawings
Fig. 1 is a schematic flow chart of the multilayer filtering high-precision vulnerability detection method in an embodiment of the application.
Fig. 2 is a schematic flow chart of the multilayer filtering high-precision vulnerability detection device in an embodiment of the application.
Fig. 3 is a schematic structural diagram of an electronic device in an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the accompanying drawings.
Modifications of the embodiments which do not creatively contribute to the application may be made by those skilled in the art after reading this specification, but they are protected by patent law within the scope of the claims of the present application.
To make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, but not all, of the embodiments of the present application; all other embodiments obtained by those skilled in the art from these embodiments without inventive effort fall within the scope of the application.
In addition, the term "and/or" herein merely describes an association between objects and means that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone. Unless otherwise specified, the character "/" herein generally indicates that the associated objects are in an "or" relationship.
Embodiments of the application are described in further detail below with reference to the drawings.
The embodiment of the application provides a multilayer filtering high-precision vulnerability detection method executed by an electronic device. The electronic device may be a server or a terminal device; the server may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing cloud computing services. The terminal device may be, but is not limited to, a smart phone, tablet computer, notebook computer or desktop computer, and the terminal device and the server may be connected directly or indirectly through wired or wireless communication, which is not limited here. As shown in Fig. 1, the method comprises steps S101, S102, S103 and S104, wherein:
Step S101, obtaining detection requirement information about a target device triggered by a user.
The detection requirement information comprises the service, protocol and version of at least one open port.
In the embodiment of the application, the relevant personnel send a data packet to all ports of the target device and determine the open ports from the feedback, which is a simple and convenient way to determine the open ports of the electronic device; the service, protocol and version of the open ports are then acquired according to the detection requirement information, which may be requirement information selected by the relevant personnel on a visual operation interface. It should be noted that port services and protocols are well-known content in the network technology field, such as the HTTP protocol and the TCP protocol, so they are not described further. Assume that open port No. 1 corresponds to service a, protocol b and version 1.2.
Step S102, determining the potential vulnerabilities of each open port from a preset vulnerability library based on at least one of the service, the protocol and the version.
The preset vulnerability library comprises a plurality of preset vulnerabilities, each corresponding to a vulnerability category and a risk level.
In the embodiment of the application, because the vulnerabilities corresponding to different services, protocols and versions differ, the relevant vulnerabilities, that is, the potential vulnerabilities, must be found in the preset vulnerability library according to the service, protocol and version. Continuing the example of step S101, open port No. 1 corresponds to service a, protocol b and version 1.2. Assume that in the preset vulnerability library, vulnerability A corresponds to service a, protocol c and version 1.0, vulnerability B to service a, protocol b and version 1.3, and vulnerability C to service a, protocol b and version 1.2; then vulnerabilities A, B and C are all potential vulnerabilities.
Step S103, determining target vulnerabilities meeting detection requirement information from the potential vulnerabilities based on the vulnerability categories and the risk grades of the potential vulnerabilities.
In the embodiment of the application, the vulnerability category and risk level may be determined according to the Common Vulnerability Scoring System (CVSS) or set by the related personnel according to the actual situation, and are not particularly limited; the vulnerability category may be determined according to the attack vector, the authentication requirement, the scope of influence or the severity of harm, also without particular limitation. A user can select a vulnerability category or a risk level according to the detection requirement in order to determine the target vulnerability. Assume that the risk levels are 1, 2, 3 and 4, a higher level meaning a greater risk, and that the risk level in the detection requirement information triggered by the user is 4. If the risk level of vulnerability A is 2, that of vulnerability B is 3 and that of vulnerability C is 4, vulnerability C is determined to be the target vulnerability.
Step S104, determining a verification strategy corresponding to the target vulnerability and verifying the verification strategy.
In the embodiment of the application, the electronic device acquires the verification policy and runs it in order to determine whether the target vulnerability really exists on the open port. It should be noted that verification policies cover, for example, GET-based cross-site scripting, frame injection, link injection and SQL injection, all of which are well known in the network field. The verification method adopted is proof-of-concept (POC) verification: whether the vulnerability exists is judged from the result of running the POC.
In order to determine whether a target vulnerability exists, in one possible implementation manner of the embodiment of the present application, the verification policy includes a verification code or a verification script corresponding to the target vulnerability, and in step S104, verification is performed based on determining the verification policy corresponding to the target vulnerability, which specifically includes: step S1041 (not shown), step S1042 (not shown), and step S1043 (not shown), wherein,
Step S1041, searching a preset code library for the verification code or verification script corresponding to the target vulnerability based on the service, protocol and version of the target vulnerability.
In the embodiment of the application, since each vulnerability is tied to a specific service, protocol and version, verification code or a verification script that checks whether the vulnerability exists can be written for each vulnerability according to its service, protocol and version. The preset code library comprises a plurality of such verification codes or verification scripts; they may be written by the related personnel and stored in the preset code library, and a correspondence between each verification code or verification script and its vulnerability is established.
Step S1042, running the verification code or the verification script to obtain the running result.
In the embodiment of the application, after the verification code or verification script of the target vulnerability has been determined, it is run against the target device; the input and output data of the verification code or script during the run are recorded, together with the result of the attack vector, to obtain the final running result. Specifically, the running result comprises the effect produced when the verification code or script runs.
Step S1043, determining whether the target vulnerability exists based on the operation result.
In the embodiment of the application, the result that each vulnerability produces is recorded in the preset code library, so to determine whether a vulnerability exists it is only necessary to judge whether the running result of the vulnerability is consistent with the result recorded in the preset code library: if they are consistent the vulnerability exists, otherwise it does not. Taking step S103 as an example, assume that the result recorded for vulnerability C in the preset code library is a cross-site scripting attack, and that after running the verification script or verification code the script is found to have been injected into the accessed web page and to obtain the user's sensitive information, that is, a cross-site scripting attack. Since the running result of vulnerability C is consistent with the recorded result, vulnerability C is determined to exist on the target device.
In order to enable a user to conveniently and quickly determine potential vulnerabilities corresponding to a target open port, a possible implementation manner of the embodiment of the present application further includes: step S105 (not shown), step S106 (not shown), and step S107 (not shown), wherein step S107 may be performed after step S1043,
Step S105, obtaining service, protocol and version of a history open port, wherein the history open port corresponds to a history potential vulnerability.
In the embodiment of the application, after each vulnerability detection the electronic device stores the service, protocol and version of each detected open port, together with the historical potential vulnerabilities corresponding to that port, in a local storage medium or on a cloud server. Once its access request has been approved, the electronic device acquires the service, protocol and version of the historical open ports from the storage database; it should be noted that the historical potential vulnerabilities corresponding to each historical open port are acquired at the same time. Taking step S102 as an example, the acquired historical open port is open port No. 1, and its historical potential vulnerabilities are vulnerability A, vulnerability B and vulnerability C.
Step S106, judging whether a target open port exists, wherein the target open port corresponds to a target historical open port, and the service, protocol and version of the target open port are consistent with those of the corresponding target historical open port.
In the embodiment of the application, the electronic device compares the service, protocol and version of each open port obtained in the current detection with the service, protocol and version of the historical open ports in order to determine whether a target open port exists. Taking step S105 and step S102 as an example, assume that open port No. 2 corresponds to service a, protocol b and version 1.0 and open port No. 3 to service a, protocol b and version 1.3; the service, protocol and version of open port No. 2 and open port No. 3 are each compared with those of historical port No. 1 to determine whether an open port whose service, protocol and version all agree with those of the target historical open port, that is, a target open port, exists.
Step S107, if a target open port exists, determining the historical potential vulnerabilities of the target historical open port as the potential vulnerabilities of the corresponding target open port.
In the embodiment of the present application, if a target open port exists, the potential vulnerabilities of the corresponding target historical open port are determined as the potential vulnerabilities of the target open port; if no target open port exists, no open port agrees with a target historical open port in all of service, protocol and version. Taking step S106 and step S102 as an example, the service, protocol and version of open port No. 3 all agree with those of open port No. 1, namely service a, protocol b and version 1.3, so open port No. 3 is a target open port, and since vulnerability A, vulnerability B and vulnerability C are the potential vulnerabilities of open port No. 1, the potential vulnerabilities of open port No. 3 are vulnerability A, vulnerability B and vulnerability C.
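Steps S102 to S107 together describe one pipeline: look up candidates in the vulnerability library, keep those meeting the user's category and risk requirement, run the stored POC and compare its result with the recorded one, and reuse the earlier result for any port whose service, protocol and version triple has already been seen. The following Python block is an added example and not part of the patent: the library rows, the POC registry, the simulated target and all function names are constructed here. Treating a library entry as a candidate when it agrees with the port on the service (tightened to all three fields by passing match_keys) is one reading of "at least one of service, protocol and version" that reproduces the example above.

```python
"""Steps S102-S107 as code: library lookup, requirement filter, POC
verification and reuse of historical results.  Added example; the library
rows, the POC registry and the simulated target below are constructed here
and are not the patent's own code or data."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Vuln:
    vid: str
    service: str
    protocol: str
    version: str
    category: str
    risk: int  # 1 (lowest) .. 4 (highest), as in the description


@dataclass(frozen=True)
class Port:
    number: int
    service: str
    protocol: str
    version: str


# Constructed preset vulnerability library; A, B, C mirror the step S102 example.
LIBRARY = [
    Vuln("A", "a", "c", "1.0", "injection", 2),
    Vuln("B", "a", "b", "1.3", "xss", 3),
    Vuln("C", "a", "b", "1.2", "xss", 4),
    Vuln("D", "d", "b", "1.2", "info-leak", 4),  # other service: must not match
]


def potential_vulns(port, library, history, match_keys=("service",)):
    """Step S102, with the S105-S107 shortcut: if a port with the same
    (service, protocol, version) triple was seen before, reuse its list
    instead of searching the library again.  match_keys sets how strict the
    library match is; the description's example matches on service alone,
    pass all three keys for an exact match."""
    fingerprint = (port.service, port.protocol, port.version)
    if fingerprint in history:
        return list(history[fingerprint])
    found = [v for v in library
             if all(getattr(v, k) == getattr(port, k) for k in match_keys)]
    history[fingerprint] = found
    return found


def target_vulns(potential, min_risk, categories=None):
    """Step S103: keep vulnerabilities that meet the user's requirement."""
    return [v for v in potential
            if v.risk >= min_risk
            and (categories is None or v.category in categories)]


# Constructed stand-in for the target device (step S1042 runs the POC
# against the real one): it reflects the "q" parameter unescaped and
# reports a banner for service a version 1.2.
def simulated_target(request: dict) -> str:
    if request.get("banner"):
        return "service a/1.2"
    return f"<html><body>Results for {request.get('q', '')}</body></html>"


def poc_reflected_xss(target: Callable[[dict], str]) -> str:
    marker = "<script>poc()</script>"
    return "script reflected" if marker in target({"q": marker}) else "no reflection"


def poc_banner(target: Callable[[dict], str]) -> str:
    return target({"banner": True})


# Constructed preset code library: vulnerability id -> (POC, expected result).
# The expected result is what step S1043 compares the run against.
POC_LIBRARY = {
    "B": (poc_banner, "service a/1.3"),
    "C": (poc_reflected_xss, "script reflected"),
}


def verify(vuln: Vuln, target) -> Optional[bool]:
    """Steps S1041-S1043.  None means 'no POC on file', which is not the
    same as 'vulnerability absent'."""
    entry = POC_LIBRARY.get(vuln.vid)
    if entry is None:
        return None
    poc, expected = entry
    return poc(target) == expected


def scan_port(port, min_risk, history, target=simulated_target):
    """Whole pipeline for one port: {vulnerability id: verification result}."""
    potential = potential_vulns(port, LIBRARY, history)
    return {v.vid: verify(v, target) for v in target_vulns(potential, min_risk)}


if __name__ == "__main__":
    hist = {}
    print(scan_port(Port(1, "a", "b", "1.2"), min_risk=3, history=hist))
```

verify() returns None when no POC is on file so that "not verified" is never reported as "absent"; a real POC must be non-destructive and, as step S1043 requires, compare against the recorded effect rather than against a generic error string. The history shortcut is only sound while the library is unchanged: a new library entry for an already-seen triple is invisible until the cached entry is discarded.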
In order to accurately determine the time point of the next vulnerability detection, a possible implementation manner of the embodiment of the present application, the method further includes: step S108 (not shown in the figure), step S109 (not shown in the figure), step S110 (not shown in the figure), and step S111 (not shown in the figure), wherein step S108 may be performed after step S107,
Step S108, determining a first number of target vulnerabilities.
In the embodiment of the present application, the electronic device scans the open ports to obtain the target vulnerabilities of each port, and then sums them to obtain the total number of target vulnerabilities over all open ports in the current detection, that is, the first number. Taking step S107 as an example, assume that port No. 1 has 15 target vulnerabilities, port No. 2 has 14 and port No. 3 has 20; the first number is then 15+14+20=49.
Step S109, obtaining a second number, namely the number of vulnerabilities detected in the previous detection period.
In the embodiment of the application, the electronic device accesses the storage database to obtain the number of vulnerabilities detected on each port in the previous detection period and sums them to obtain the second number. Assume that in the previous detection period open port No. 1 had 10 vulnerabilities, open port No. 2 had 27 and open port No. 3 had 23; the second number is then 10+27+23=60.
Step S110, determining an absolute value of the difference between the first number and the second number.
In the embodiment of the application, the second number is subtracted from the first number to obtain a difference, and the absolute value of the difference is taken. Taking step S109 and step S108 as an example, the absolute value of the difference between the first number and the second number is |49-60|=11. The absolute value accurately represents the size of the change between the number of vulnerabilities in the previous detection and the number in the current detection, independently of its sign.
Step S111, determining a time point of the next vulnerability detection based on the absolute value.
In the embodiment of the application, the absolute value characterizes the change intensity of the number of the loopholes in the last detection and the number of the loopholes in the current detection, so that after the absolute value is determined, the time point when the loopholes need to be detected next time can be determined according to the absolute value.
In order to accurately determine the time point of the next vulnerability detection according to the variation trend, in a possible implementation manner of the embodiment of the present application, the determining the time point of the next vulnerability detection based on the absolute value in step S111 specifically includes: step S1111 (not shown in the figure), step S1112 (not shown in the figure), step S1113 (not shown in the figure), and step S1114 (not shown in the figure), wherein,
Step S1111, determining a target preset number difference interval in which the absolute value is located from at least one preset number difference interval, so as to determine a target detection period variation corresponding to the absolute value.
Wherein, each preset quantity difference interval corresponds to a detection period variation.
In the embodiment of the application, since the absolute value alone only represents the size of the change between the first number of the current vulnerability detection and the second number of the previous vulnerability detection, a plurality of preset number difference intervals are configured in the electronic device, for example [1, 10] and [10, 15], each corresponding to a detection period variation: when the absolute value falls in the interval [1, 10] the corresponding detection period variation is 2, and when it falls in the interval [10, 15] the corresponding detection period variation is 3 (an absolute value exactly on a shared boundary such as 10 must be assigned to one interval only, for example by treating the intervals as [1, 10) and [10, 15]). After the electronic device has determined the absolute value, it determines the target preset number difference interval in which the absolute value lies and thereby the target detection period variation. Taking step S110 as an example, when the absolute value is 11 the preset number difference interval is [10, 15] and its detection period variation is 3, that is, the target detection period variation is 3.
In step S1112, the change trend of the vulnerability number is determined according to the first number and the second number.
In the embodiment of the application, the change trend of the vulnerability number represents whether the number of vulnerabilities detected this time has increased or decreased compared with the previous detection, that is, whether the first number is larger or smaller than the second number. The change trend is therefore determined by subtracting the second number from the first number: when the difference is positive, the second number is smaller than the first, that is, more vulnerabilities were detected now than last time, and the change trend is rising; when the difference is negative, the second number is larger than the first, that is, fewer vulnerabilities were detected now than last time, and the change trend is falling. The change trend can thus be determined accurately from the first number and the second number. Taking steps S108 and S109 as an example, the first number is 49 and the second number is 60, so the difference is 49-60=-11 and the change trend is falling.
In step S1113, if the change trend is rising, the target detection period variation is subtracted from the reference detection period to obtain the time point of the next vulnerability detection.
The reference detection period is a detection period corresponding to an absolute value of 0.
In the embodiment of the application, the target detection period variation only represents by how much the detection period interval is lengthened or shortened, so a reference detection period is set: when the absolute value is 0 the first number and the second number are equal, the number of vulnerabilities is unchanged and the change trend is flat, and the corresponding detection period is the reference detection period. With the reference detection period as the standard, the time point of the next vulnerability detection can be determined accurately from the current detection period. When the change trend is rising, more vulnerabilities were detected this time than last time, the number of vulnerabilities on the electronic device is increasing, and the detection period must be shortened so that changes in the number of vulnerabilities are noticed in time.
Taking step S1111 as an example, assume that the reference detection period is once every 5 days, and that in one period of vulnerability detection the first number is 38 and the second number is 30. The difference is 38-30=8 and its absolute value is 8, so the target detection period variation corresponding to the absolute value is 2; since the difference is positive, more vulnerabilities were detected now than last time, that is, the change trend is rising, and the next detection period is calculated from the target detection period variation as 5-2=3. The next vulnerability detection period is therefore 3 days, that is, the next vulnerability detection time point is 3 days later.
In step S1114, if the change trend is falling, the target detection period variation is added to the reference detection period to obtain the time point of the next vulnerability detection.
In the embodiment of the present application, taking step S110 and step S1111 as examples, the target detection period variation is 3 and the difference between the first number and the second number is 49-60=-11, so fewer vulnerabilities were detected now than last time, that is, the change trend of the vulnerability number is falling. Assuming the reference detection period is once every 5 days, the next detection period is calculated from the target detection period variation as 5+3=8, that is, the time point of the next vulnerability detection is 8 days later.
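Steps S108 to S1114 form one scheduling rule: total the target vulnerabilities, compare with the previous total, map the absolute difference to a period variation through the interval table, and shorten or lengthen the reference period according to the sign of the difference. The following Python block is an added example, not the patent's code. The interval table mirrors the two intervals and the reference period of 5 days given above; what happens when the absolute value lies above the last interval, and the floor of one day so that a rising count can never schedule a detection in the past, are my assumptions, since the description does not cover those cases.

```python
"""Steps S108-S1114 as code: derive the next detection period from the
change in vulnerability count.  Added example, not the patent's code.  The
interval table mirrors the description; the handling of an absolute value
above the last interval and the one-day floor are assumptions."""
from datetime import date, timedelta

# (lower, upper, variation) for the intervals [1,10] and [10,15] of the text.
# Lower bound inclusive, upper bound exclusive, so 10 falls in the second row
# only (the text's closed intervals would assign it to both).
INTERVALS = [(1, 10, 2), (10, 15, 3)]


def first_number(per_port_targets: dict) -> int:
    """Step S108: total target vulnerabilities over all open ports."""
    return sum(per_port_targets.values())


def period_variation(abs_diff: int, intervals=INTERVALS) -> int:
    """Step S1111: map |first - second| to a detection period variation."""
    if abs_diff == 0:
        return 0  # absolute value 0 keeps the reference period (S1113)
    for lower, upper, variation in intervals:
        if lower <= abs_diff < upper:
            return variation
    # Assumption: beyond the largest interval use the largest variation.
    return intervals[-1][2]


def trend(first: int, second: int) -> str:
    """Step S1112: sign of first - second."""
    diff = first - second
    return "rising" if diff > 0 else "falling" if diff < 0 else "flat"


def next_period(first: int, second: int, base_period: int = 5,
                intervals=INTERVALS, min_period: int = 1) -> int:
    """Steps S1113/S1114: shorten the reference period when the count is
    rising, lengthen it when falling.  Never schedule less than min_period
    days ahead (assumption; the description does not say)."""
    variation = period_variation(abs(first - second), intervals)
    t = trend(first, second)
    if t == "rising":
        period = base_period - variation
    elif t == "falling":
        period = base_period + variation
    else:
        period = base_period
    return max(period, min_period)


def next_detection_date(today: date, first: int, second: int, **kw) -> date:
    """Time point of the next detection as a calendar date."""
    return today + timedelta(days=next_period(first, second, **kw))


if __name__ == "__main__":
    now = first_number({1: 15, 2: 14, 3: 20})   # 49, as in step S108
    last = first_number({1: 10, 2: 27, 3: 23})  # 60, as in step S109
    print(trend(now, last), next_period(now, last))
```

The rule reacts only to the count, so a scan that covered fewer hosts or ports than the previous one reads as "falling" and lengthens the period; comparing totals over the same scope is a precondition the caller has to guarantee.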
In order to accurately determine a target protection policy corresponding to each port and protect the target protection policy, a possible implementation manner of the embodiment of the present application further includes: step S112 (not shown in the figure), step S113 (not shown in the figure), step S114 (not shown in the figure), step S115 (not shown in the figure), and step S116 (not shown in the figure), wherein step S112 may be performed after step S104,
Step S112, obtaining a third number, namely the number of vulnerabilities detected on each port in each historical vulnerability detection.
In the embodiment of the application, the electronic device accesses the storage database to obtain the number of vulnerabilities detected on each port in each historical detection, that is, the third number. Assume that on open port No. 1 the number of vulnerabilities detected on 15 March 2022 was 10, on 15 April 2022 was 23, on 15 May 2022 was 15, on 15 June 2022 was 20, on 15 July 2022 was 8, on 15 August 2022 was 24 and on 15 September 2022 was 14.
Step S113, generating a vulnerability quantity line graph corresponding to each port based on the third quantity.
In the embodiment of the application, a vulnerability-number coordinate system is established for each port with detection time on the X axis and the number of vulnerabilities at each detection time on the Y axis; the number of vulnerabilities at each detection time is marked against the Y axis, giving a line graph of the vulnerability number. Taking step S112 as an example, the detection times 15 March 2022, 15 April 2022, 15 May 2022, 15 June 2022, 15 July 2022, 15 August 2022 and 15 September 2022 are marked on the X axis, the corresponding vulnerability numbers 10, 23, 15, 20, 8, 24 and 14 are marked against the Y axis, and the marked points are joined to obtain the vulnerability-number line graph.
Step S114, determining at least two target time periods in each port based on the vulnerability number line graph.
The target time period is a time period in which the vulnerability quantity of each port is in a descending trend.
In the embodiment of the application, the electronic device selects the time periods in which the line graph of the vulnerability number is falling. Taking step S112 and step S113 as examples, on open port No. 1 the number of vulnerabilities detected on 15 April 2022 was 23 and on 15 May 2022 was 15, so the number falls over that period, which is the first target time period; the number detected on 15 June 2022 was 20 and on 15 July 2022 was 8, so that period is the second target time period; and the number detected on 15 August 2022 was 24 and on 15 September 2022 was 14, so that period is the third target time period.
Step S115, obtaining a target protection policy corresponding to the target time period with the largest decrease.
In the embodiment of the application, a decrease in the number of vulnerabilities characterizes the effect on vulnerability protection of the protection policies used by the electronic device during that period: the greater the decrease, the more effective the protection policies. The electronic device compares the decreases in the three target time periods to find the target time period with the largest decrease. Protection policies specifically include installing a dedicated anti-DDoS firewall, disabling the web server directory listing, ensuring that file metadata (such as .git) and backup files are not under the web root, intercepting HTTP requests, and the like. Taking step S114 as an example, the decrease in the first target time period is 8, in the second 12 and in the third 10, so the second target time period is the one with the largest decrease, and the protection policies in effect on the electronic device between 15 June 2022 and 15 July 2022, namely protection policy 1, protection policy 2 and protection policy 3, are acquired as the target protection policy.
In another possible implementation, the electronic device may instead acquire all vulnerability protection policies from the three target time periods and aggregate them in order to improve the protection effect. Taking step S114 as an example, assume that the protection policies in the first target time period are protection policy 1 and protection policy 2, those in the second target time period are protection policy 1, protection policy 2 and protection policy 3, and those in the third target time period are protection policy 4 and protection policy 5; aggregating the policies of the three target time periods gives protection policy 1, protection policy 2, protection policy 3, protection policy 4 and protection policy 5 as the target protection policy.
Step S116, protecting based on the target protection strategy corresponding to each port.
In the embodiment of the application, the target protection policy obtained for each port is applied to the electronic device so that the number of vulnerabilities on that port is reduced and the protection effect of the electronic device is further improved. Taking step S114 and step S115 as examples, the target protection policy of open port No. 1 is protection policy 1, protection policy 2 and protection policy 3, so these are run on the electronic device and the number of vulnerabilities on open port No. 1 is reduced.
In order to facilitate the user in accurately determining the severity of the vulnerabilities, a possible implementation manner of the embodiment of the present application further includes: step S117 (not shown), step S118 (not shown), step S119 (not shown), and step S120 (not shown), wherein step S117 may be performed after step S104,
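Steps S112 to S116 describe one procedure: take the per-detection counts of a port, find the stretches between consecutive detections where the count fell, pick the steepest one, and collect the protection policies that were in effect then (or the union over all falling stretches). The following Python block is an added example and not the patent's code: the count series mirrors the port No. 1 figures above, while the policy change log with its active date ranges, and the rule that a policy "belongs" to a period when its active range overlaps it, are constructed assumptions chosen so that the three periods yield the policy sets given above.

```python
"""Steps S112-S116 as code: falling periods, the steepest one, and the
protection policies in effect during it.  Added example, not the patent's
code; the count series mirrors the description, the policy log is constructed."""
from datetime import date

# Step S112: (detection date, number of vulnerabilities) for open port No. 1.
PORT1_COUNTS = [
    (date(2022, 3, 15), 10), (date(2022, 4, 15), 23), (date(2022, 5, 15), 15),
    (date(2022, 6, 15), 20), (date(2022, 7, 15), 8), (date(2022, 8, 15), 24),
    (date(2022, 9, 15), 14),
]

# Constructed change log: (policy, active from, active until or None = still on).
POLICY_LOG = [
    ("protection policy 1", date(2022, 4, 1), date(2022, 7, 31)),
    ("protection policy 2", date(2022, 4, 10), date(2022, 7, 31)),
    ("protection policy 3", date(2022, 6, 20), date(2022, 7, 20)),
    ("protection policy 4", date(2022, 8, 16), None),
    ("protection policy 5", date(2022, 9, 1), None),
]


def falling_periods(series):
    """Step S114: every pair of consecutive detections where the count fell,
    as (start, end, drop).  The series must be sorted by date."""
    return [(t0, t1, n0 - n1)
            for (t0, n0), (t1, n1) in zip(series, series[1:]) if n1 < n0]


def steepest(periods):
    """Step S115: the period with the largest drop (first one on a tie)."""
    return max(periods, key=lambda p: p[2])


def policies_active(log, start, end):
    """Policies whose active range overlaps the closed period [start, end]."""
    return {name for name, since, until in log
            if since <= end and (until is None or until >= start)}


def target_policy(series, log, mode="best"):
    """mode='best': policies of the steepest falling period (step S115);
    mode='union': policies of every falling period (the alternative)."""
    periods = falling_periods(series)
    if not periods:
        return set()  # no falling period: nothing to learn from yet
    if mode == "best":
        start, end, _ = steepest(periods)
        return policies_active(log, start, end)
    out = set()
    for start, end, _ in periods:
        out |= policies_active(log, start, end)
    return out


if __name__ == "__main__":
    for start, end, drop in falling_periods(PORT1_COUNTS):
        print(start, end, drop)
    print(sorted(target_policy(PORT1_COUNTS, POLICY_LOG)))
```

A drop in the count is attributed to whatever policies overlapped the period, so a policy enabled on the last day of a period gets as much credit as one active throughout; with monthly samples, and no control for scan scope or newly published library entries, the steepest-drop choice is a heuristic rather than evidence of causation.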
Step S117, obtaining the corresponding vulnerability number and the risk level of each vulnerability during multiple detection in a preset time period.
In the embodiment of the present application, the number of vulnerabilities found in each of the multiple detections within the preset time period may be obtained by the electronic device accessing the storage database or by reading the record information in a data table, which is not specifically limited in this embodiment; the risk level of each vulnerability is recorded in the preset vulnerability library, so once a specific vulnerability has been determined its risk level can be looked up there. Taking step S114 as an example, there are 2 detections between 1 July 2022 and 30 August 2022: the first detection, on 15 July 2022, found 8 vulnerabilities and the second, on 15 August 2022, found 24; assume that the risk levels of the 8 vulnerabilities are 3, 4, 3, 1, 4, 2, 4 and 3 in turn.
Step S118, determining a score for each vulnerability detection based on the number of vulnerabilities, the average risk level and the weight corresponding to each.
The average risk level is the average of the risk levels of all vulnerabilities found in each detection.
In the embodiment of the present application, the number of vulnerabilities represents how many vulnerabilities exist on the electronic device in the preset time period, the average risk level represents the risk level of the electronic device in that period (in the example of step S117, (3+4+3+1+4+2+4+3)/8=3 for the first detection), and the weights are set according to the relative importance of the number of vulnerabilities and the average risk level.
Step S119, determining an average score in a preset period of time based on the score of each vulnerability detection.
In the embodiment of the application, the score only represents the health of the electronic device at a single detection: the higher the score, the more severe the vulnerabilities on the electronic device and the lower its health. Therefore, to accurately determine the health of the electronic device over the preset time period, the average of the detection scores in the preset time period is calculated. Taking step S118 as an example, the score of the first detection between 1 July 2022 and 30 August 2022 is 4.925 and, assuming the score of the second detection is 7.7, the average score between 1 July 2022 and 30 August 2022 is (4.925+7.7)/2=6.3125.
Step S120, outputting the average score.
In the embodiment of the application, the electronic device may control a display device to show the average score or send the average score by SMS to the terminal device of the related personnel; the way the average score is output is not specifically limited. The user can thereby accurately determine the health of the electronic device; in the example of step S119 the average score is 6.3125 and the health of the electronic device is low.
The above embodiments introduce a method for detecting a high-precision vulnerability by using multi-layer filtering from the perspective of a method flow, and the following embodiments introduce a device for detecting a high-precision vulnerability by using multi-layer filtering from the perspective of a virtual module or a virtual unit, specifically the following embodiments are described below.
The embodiment of the application provides a multilayer filtering high-precision vulnerability detection device 20, as shown in fig. 2, which may specifically comprise:
A first obtaining module 201, configured to obtain detection requirement information about a target device triggered by a user, a service, a protocol, and a version of at least one open port of the target device;
The first vulnerability determination module 202 is configured to determine, based on at least one of a service, a protocol, and a version, a potential vulnerability of each open port from a preset vulnerability library, where the preset vulnerability library includes a plurality of preset vulnerabilities, and each preset vulnerability corresponds to a vulnerability class and a risk level;
The second vulnerability determining module 203 is configured to determine, from the potential vulnerabilities, a target vulnerability that meets the detection requirement information based on the vulnerability class and the risk level of the potential vulnerability;
and the verification module 204 is configured to determine a verification policy corresponding to the target vulnerability and perform verification.
The embodiment of the application discloses a multilayer filtering high-precision vulnerability detection device 20, wherein a first acquisition module 201 acquires detection requirement information about target equipment triggered by a user, and services, protocols and versions of at least one open port of the target equipment, so that a first vulnerability determination module 202 can conveniently determine vulnerabilities related to the services, the protocols and the versions of the open port from a preset vulnerability library, namely potential vulnerabilities of the open port, wherein the preset vulnerability library comprises a plurality of preset vulnerabilities, each preset vulnerability corresponds to a vulnerability category and a risk level respectively, and the existence of the vulnerability category and the risk level enables a second vulnerability determination module 203 to determine a target vulnerability from the potential vulnerabilities according to detection requirement information, so that the accuracy of the target vulnerability is improved.
In one possible implementation manner of the embodiment of the present application, the verification policy includes a verification code or a verification script corresponding to the target vulnerability, and when determining and verifying the verification policy corresponding to the target vulnerability, the verification module 204 is specifically configured to:
the searching module, configured to search the preset code library for the verification code or verification script corresponding to the target vulnerability based on the service, protocol and version of the target vulnerability;
The operation module is used for operating the verification code or the verification script to obtain an operation result;
and the third vulnerability determination module is used for determining whether the target vulnerability exists or not based on the operation result.
In one possible implementation manner of the embodiment of the present application, the apparatus 20 further includes:
The second acquisition module, configured to acquire the service, protocol and version of the historical open ports, each historical open port corresponding to historical potential vulnerabilities;
the judging module, configured to judge whether a target open port exists, the target open port corresponding to a target historical open port whose service, protocol and version are consistent with those of the target open port;
and the fourth vulnerability determination module, configured to determine, if a target open port exists, the historical potential vulnerabilities of the target historical open port as the potential vulnerabilities of the corresponding target open port.
In one possible implementation manner of the embodiment of the present application, the apparatus 20 further includes:
A first number determining module, configured to determine a first number of target vulnerabilities;
A second number obtaining module, configured to obtain a second number of vulnerabilities detected in the previous detection period;
An absolute value determining module, configured to determine the absolute value of the difference between the first number and the second number;
And a time point determining module, configured to determine the time point of the next vulnerability detection based on the absolute value.
In one possible implementation manner of the embodiment of the present application, when determining the time point of the next vulnerability detection based on the absolute value, the time point determining module specifically includes:
A detection period determining module, configured to determine, from at least one preset number difference interval, the target preset number difference interval in which the absolute value lies, so as to determine the target detection period change amount corresponding to the absolute value, each preset number difference interval corresponding to a detection period change amount;
A trend determining module, configured to determine the change trend of the vulnerability number from the first number and the second number;
A first calculation module, configured to subtract the target detection period change amount from a reference detection period if the change trend is rising, so as to obtain the time point of the next vulnerability detection, wherein the reference detection period is the detection period corresponding to an absolute value of 0;
And a second calculation module, configured to add the target detection period change amount to the reference detection period if the change trend is declining, so as to obtain the time point of the next vulnerability detection.
In one possible implementation manner of the embodiment of the present application, the apparatus 20 further includes:
A third quantity acquisition module, configured to acquire a third quantity corresponding to each port at each historical vulnerability detection;
A line graph determining module, configured to generate a vulnerability number line graph for each port based on the third quantity;
A time period determining module, configured to determine at least two target time periods for each port based on the vulnerability number line graph, wherein the target time periods are time periods in which the vulnerability number of the port shows a descending trend;
A protection strategy acquisition module, configured to acquire the target protection strategy corresponding to the target time period with the largest descending trend;
And a protection module, configured to perform protection based on the target protection strategy corresponding to each port.
In one possible implementation manner of the embodiment of the present application, the apparatus 20 further includes:
A second acquisition module, configured to acquire, for each of multiple detections within a preset time period, the corresponding number of vulnerabilities and the risk level of each vulnerability;
A first score determining module, configured to determine a score for each vulnerability detection based on the number of vulnerabilities, the average risk level and their respective corresponding weights, wherein the average risk level is the average risk level of all vulnerabilities detected in that detection;
A second score determining module, configured to determine the average score within the preset time period based on the score of each vulnerability detection;
And an output module, configured to output the average score.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In an embodiment of the present application, as shown in fig. 3, an electronic device 30 includes a processor 301 and a memory 303, wherein the processor 301 is coupled to the memory 303, for example via a bus 302. Optionally, the electronic device 30 may also include a transceiver 304. It should be noted that, in practical applications, the transceiver 304 is not limited to one, and the structure of the electronic device 30 does not limit the embodiment of the present application.
The processor 301 may be a CPU (Central Processing Unit), a general purpose processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or perform the various exemplary logic blocks, modules and circuits described in connection with this disclosure. The processor 301 may also be a combination that implements computing functionality, e.g., a combination of one or more microprocessors, a combination of a DSP and a microprocessor, etc.
The bus 302 may include a path for transferring information between the components. The bus 302 may be a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, or the like. The bus 302 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in fig. 3, which does not mean that there is only one bus or only one type of bus.
The memory 303 may be, but is not limited to, a ROM (Read Only Memory) or other type of static storage device that can store static information and instructions, a RAM (Random Access Memory) or other type of dynamic storage device that can store information and instructions, an EEPROM (Electrically Erasable Programmable Read Only Memory), a CD-ROM (Compact Disc Read Only Memory) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
The memory 303 is used for storing application program code for executing the solution of the present application, and its execution is controlled by the processor 301. The processor 301 is configured to execute the application program code stored in the memory 303 to implement what is shown in the foregoing method embodiments.
The electronic device includes, but is not limited to: mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players) and in-vehicle terminals (e.g., in-vehicle navigation terminals), and stationary terminals such as digital TVs and desktop computers. It may also be a server or the like. The electronic device shown in fig. 3 is only an example and should not be construed as limiting the functionality and scope of use of the embodiments of the application.
Embodiments of the present application provide a computer-readable storage medium having a computer program stored thereon which, when run on a computer, causes the computer to perform the corresponding method embodiments described above. Compared with the related art, the present application acquires the detection requirement information of the target device triggered by the user together with the service, protocol and version of at least one open port of the target device, so that the vulnerabilities related to the service, protocol and version of the open port, namely the potential vulnerabilities of the open port, can be determined from the preset vulnerability library. The preset vulnerability library comprises a plurality of preset vulnerabilities, each of which corresponds to a vulnerability category and a risk level; with these categories and risk levels, the target vulnerabilities are determined from the potential vulnerabilities according to the detection requirement information, which improves the accuracy of the target vulnerabilities. After the target vulnerabilities are determined, the verification strategy corresponding to each target vulnerability is determined, and the target vulnerabilities meeting the detection requirement information are verified according to the verification strategy.
It should be understood that, although the steps in the flowcharts of the figures are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited in order and may be performed in other orders, unless explicitly stated herein. Moreover, at least some of the steps in the flowcharts of the figures may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order of their execution not necessarily being sequential, but may be performed in turn or alternately with other steps or at least a portion of the other steps or stages.
The foregoing is only a partial embodiment of the present application, and it should be noted that it will be apparent to those skilled in the art that modifications and adaptations can be made without departing from the principles of the present application, and such modifications and adaptations should and are intended to be comprehended within the scope of the present application.

Claims (9)

1. A multilayer filtering high-precision vulnerability detection method, characterized by comprising the following steps:
Acquiring detection requirement information triggered by a user and related to a target device, wherein the detection requirement information comprises the service, protocol and version of at least one open port of the target device;
Determining potential vulnerabilities of each open port from a preset vulnerability library based on at least one of the service, the protocol and the version, wherein the preset vulnerability library comprises a plurality of preset vulnerabilities, and each preset vulnerability corresponds to a vulnerability category and a risk level;
Determining target vulnerabilities meeting the detection requirement information from the potential vulnerabilities based on the vulnerability categories and the risk grades of the potential vulnerabilities;
determining a verification strategy corresponding to the target vulnerability and verifying the verification strategy;
the verification policy includes a verification code or a verification script corresponding to the target vulnerability, and the determining and verifying the verification policy corresponding to the target vulnerability includes:
Searching a preset code base for the verification code or verification script corresponding to the target vulnerability based on the service, protocol and version of the target vulnerability;
Running the verification code or verification script to obtain an execution result;
and determining whether the target vulnerability exists based on the execution result.
2. The multilayer filtering high-precision vulnerability detection method according to claim 1, further comprising:
Acquiring the service, protocol and version of a historical open port, wherein the historical open port corresponds to historical potential vulnerabilities;
Judging whether a target open port exists, wherein the target open port corresponds to a target historical open port, and the service, protocol and version of the target open port are consistent with those of the corresponding target historical open port;
And if so, determining the historical potential vulnerabilities of the target historical open port as the potential vulnerabilities of the corresponding target open port.
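As an added illustration of the three filtering layers of claim 1 and the historical-port reuse of claim 2 (the same steps the device modules 201 to 204 and the second acquisition, judging and fourth vulnerability determination modules describe above), the following Python is example code written for this page, not an implementation from the patent; the library entries, port banners, vulnerability identifiers and verification routines are all constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    """One entry of the preset vulnerability library (ids are placeholders, not real CVEs)."""
    vid: str
    service: str
    protocol: str
    version: str
    category: str
    risk: int  # ordinal risk level, 1 (low) .. 4 (critical)

@dataclass(frozen=True)
class OpenPort:
    port: int
    service: str
    protocol: str
    version: str
    banner: str = ""  # assumed field that the verification routines inspect

@dataclass(frozen=True)
class Requirement:
    """Detection requirement information: categories of interest and a risk floor."""
    categories: frozenset
    min_risk: int

# Constructed sample library; versions and identifiers are made up.
LIBRARY = [
    Vuln("VULN-A", "ssh", "tcp", "7.4", "auth-bypass", 4),
    Vuln("VULN-B", "ssh", "tcp", "7.4", "info-leak", 2),
    Vuln("VULN-C", "http", "tcp", "2.4.49", "path-traversal", 4),
    Vuln("VULN-D", "http", "tcp", "2.4.49", "dos", 3),
    Vuln("VULN-E", "ftp", "tcp", "3.0.3", "dos", 2),
]

# Constructed "preset code base": one verification routine per vulnerability id,
# returning True when its check of the port confirms the vulnerability.
CHECKS = {
    "VULN-A": lambda p: "OpenSSH_7.4" in p.banner,
    "VULN-C": lambda p: "2.4.49" in p.banner,
    "VULN-D": lambda p: False,  # routine ran but did not confirm the vulnerability
}

def potential_vulns(port, library, history):
    """Layer 1: library lookup keyed by (service, protocol, version); `history`
    caches each lookup so an identical historical open port is reused (claim 2)."""
    key = (port.service, port.protocol, port.version)
    if key not in history:
        history[key] = [v for v in library if (v.service, v.protocol, v.version) == key]
    return history[key]

def target_vulns(potential, req):
    """Layer 2: keep only vulnerabilities whose category and risk level meet the requirement."""
    return [v for v in potential if v.category in req.categories and v.risk >= req.min_risk]

def verify(targets, checks, port):
    """Layer 3: run each target's verification routine; keep only confirmed vulnerabilities."""
    return [v for v in targets if v.vid in checks and checks[v.vid](port)]

def scan(ports, req, library=LIBRARY, checks=CHECKS, history=None):
    """Run all three layers for every open port; returns {port: [confirmed vulnerability ids]}."""
    history = {} if history is None else history
    report = {}
    for p in ports:
        targets = target_vulns(potential_vulns(p, library, history), req)
        report[p.port] = [v.vid for v in verify(targets, checks, p)]
    return report

def run_sample():
    """Constructed scan of four open ports; returns the report and the history cache."""
    ports = [
        OpenPort(22, "ssh", "tcp", "7.4", "SSH-2.0-OpenSSH_7.4"),
        OpenPort(80, "http", "tcp", "2.4.49", "Apache/2.4.49"),
        OpenPort(2222, "ssh", "tcp", "7.4", "SSH-2.0-OpenSSH_7.4"),  # same triple as 22: cache hit
        OpenPort(21, "ftp", "tcp", "3.0.3", "vsFTPd 3.0.3"),
    ]
    req = Requirement(frozenset({"auth-bypass", "path-traversal", "dos"}), min_risk=3)
    history = {}
    return scan(ports, req, history=history), history
```

Port 21's only library entry is dropped at layer 2 (risk 2 below the floor of 3), and VULN-D reaches layer 3 but is not reported because its verification routine does not confirm it.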
3. The multilayer filtering high-precision vulnerability detection method according to claim 1 or 2, further comprising:
determining a first number of the target vulnerabilities;
Acquiring a second number of vulnerabilities detected in the previous detection period;
Determining an absolute value of the difference between the first number and the second number;
And determining the time point of next vulnerability detection based on the absolute value.
4. A method of multi-layer filtering high-accuracy vulnerability detection as claimed in claim 3, wherein said determining the time point of the next vulnerability detection based on said absolute value comprises:
determining a target preset number difference interval in which the absolute value is located from at least one preset number difference interval to determine a target detection period variation corresponding to the absolute value, wherein each preset number difference interval corresponds to a detection period variation;
Determining the change trend of the vulnerability quantity according to the first quantity and the second quantity;
If the change trend is rising, subtracting the target detection period change quantity from a reference detection period to obtain a time point of next vulnerability detection, wherein the reference detection period is a detection period corresponding to the absolute value of 0;
And if the change trend is declined, adding the reference detection period and the target detection period change amount to obtain the time point of the next vulnerability detection.
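The detection period adaptation of claims 3 and 4 (the time point determining, detection period determining, trend determining and calculation modules above), worked through as an added Python example that is not from the patent; the interval table, the 24-hour reference period and the one-hour floor on the resulting period are assumed values chosen for this illustration.

```python
from datetime import datetime, timedelta

# Constructed lookup table: (lower, upper) bounds on |first - second| -> detection period change.
# An upper bound of None means "and above".
INTERVALS = [
    ((1, 5), timedelta(hours=1)),
    ((6, 20), timedelta(hours=4)),
    ((21, None), timedelta(hours=8)),
]
REFERENCE_PERIOD = timedelta(hours=24)  # detection period for an absolute difference of 0
MIN_PERIOD = timedelta(hours=1)         # floor added here as a safeguard; not specified by the patent


def period_change(abs_diff, intervals=INTERVALS):
    """Map the absolute count difference to the change amount of the interval it falls in."""
    for (lo, hi), change in intervals:
        if abs_diff >= lo and (hi is None or abs_diff <= hi):
            return change
    return timedelta(0)  # abs_diff == 0 (or no matching interval): period stays at the reference


def next_detection_period(first, second, reference=REFERENCE_PERIOD, intervals=INTERVALS):
    """Claim 4: shorten the period when the count rose, lengthen it when it fell."""
    diff = first - second
    change = period_change(abs(diff), intervals)
    if diff > 0:            # rising trend: scan sooner
        period = reference - change
    elif diff < 0:          # declining trend: scan later
        period = reference + change
    else:                   # unchanged: keep the reference period
        period = reference
    return max(period, MIN_PERIOD)  # never schedule a zero or negative period


def next_detection_time(last_detection, first, second, **kw):
    """Claim 3: time point of the next detection = last detection + adapted period."""
    return last_detection + next_detection_period(first, second, **kw)
```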
5. The multilayer filtering high-precision vulnerability detection method according to claim 1, further comprising:
Acquiring a third quantity corresponding to each port at each historical vulnerability detection;
Generating a vulnerability quantity line graph corresponding to each port based on the third quantity;
Determining at least two target time periods in each port based on the vulnerability quantity line graph, wherein the target time periods are time periods in which the vulnerability quantity of each port is in a descending trend;
acquiring a target protection strategy corresponding to a target time period with the largest descending trend;
and protecting based on the target protection strategy corresponding to each port.
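Claim 5 (and the line graph, time period, protection strategy acquisition and protection modules above), as an added Python example not taken from the patent; it assumes the line graph is a list of per-detection vulnerability counts, measures a descending period by its total drop, and takes the protection strategy history as a constructed list of (detection index, policy) pairs.

```python
# Constructed per-port history: vulnerability count at each past detection (the
# "line graph" of claim 5), and a constructed log of which protection policy was
# in force from a given detection index onward.
SAMPLE_HISTORY = {
    22: [9, 7, 8, 6, 3, 2, 4],
    80: [3, 3, 2, 1],
    443: [5, 4, 4, 2, 2, 6, 1],
}
SAMPLE_POLICIES = {
    22: [(0, "baseline"), (2, "strict-acl"), (6, "baseline")],
    80: [(0, "baseline")],
    443: [(0, "baseline"), (3, "rate-limit"), (5, "waf-block")],
}

def descending_periods(counts):
    """Return (start, end, drop) for every maximal run in which counts strictly
    decrease; indices are positions in the detection series, drop is the total fall."""
    periods, start = [], None
    for i in range(1, len(counts)):
        if counts[i] < counts[i - 1]:
            if start is None:
                start = i - 1
        elif start is not None:
            periods.append((start, i - 1, counts[start] - counts[i - 1]))
            start = None
    if start is not None:
        periods.append((start, len(counts) - 1, counts[start] - counts[-1]))
    return periods

def policy_at(index, policy_log):
    """Policy in force at a detection index; policy_log is sorted by its from-index."""
    active = None
    for from_index, policy in policy_log:
        if from_index > index:
            break
        active = policy
    return active

def best_policy(counts, policy_log):
    """Claim 5: the policy in force during the descending period with the largest drop.
    Returns None with fewer than two descending periods, since the claim compares
    at least two target time periods."""
    periods = descending_periods(counts)
    if len(periods) < 2:
        return None
    start, _end, _drop = max(periods, key=lambda p: p[2])
    return policy_at(start, policy_log)

def protect(port_histories, policy_logs):
    """Protection policy to (re)apply per port; None where no comparison was possible."""
    return {port: best_policy(counts, policy_logs[port])
            for port, counts in port_histories.items()}
```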
6. The multilayer filtering high-precision vulnerability detection method according to claim 1, further comprising:
Acquiring the number of vulnerabilities corresponding to the target device and the risk level of each vulnerability for each of multiple detections within a preset time period;
Determining a score for each vulnerability detection based on the number of vulnerabilities, an average risk level, which is the average risk level of all vulnerabilities detected in that detection, and their respective corresponding weights;
Determining an average score within the preset time period based on the score of each vulnerability detection;
Outputting the average score.
7. A multilayer filtering high-precision vulnerability detection device, characterized by comprising:
A first acquisition module, configured to acquire detection requirement information about a target device triggered by a user, wherein the detection requirement information comprises the service, protocol and version of at least one open port of the target device;
A first determining module, configured to determine potential vulnerabilities of each open port from a preset vulnerability library based on at least one of the service, the protocol and the version, wherein the preset vulnerability library comprises a plurality of preset vulnerabilities, and each preset vulnerability corresponds to a vulnerability category and a risk level;
A second determining module, configured to determine target vulnerabilities meeting the detection requirement information from the potential vulnerabilities based on the vulnerability categories and risk levels of the potential vulnerabilities;
The verification module is used for determining a verification strategy corresponding to the target vulnerability and verifying the verification strategy;
the verification policy includes a verification code or a verification script corresponding to the target vulnerability, and the determining and verifying the verification policy corresponding to the target vulnerability includes:
Searching a preset code base for the verification code or verification script corresponding to the target vulnerability based on the service, protocol and version of the target vulnerability;
Running the verification code or verification script to obtain an execution result;
and determining whether the target vulnerability exists based on the execution result.
8. An electronic device, comprising:
At least one processor;
A memory;
at least one application stored in the memory and configured to be executed by the at least one processor, the at least one application for performing a multi-layer filtered high-precision vulnerability detection method according to any one of claims 1-6.
9. A computer readable storage medium having stored thereon a computer program, characterized in that the computer program, when executed in a computer, causes the computer to perform a multi-layer filtering high-precision vulnerability detection method according to any one of claims 1-6.
CN202310941565.9A 2023-07-28 2023-07-28 Multilayer filtering high-precision vulnerability detection method, device, equipment and medium Active CN116776338B (en)

Publications (2)

Publication Number Publication Date
CN116776338A CN116776338A (en) 2023-09-19
CN116776338B true CN116776338B (en) 2024-05-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant