CN116961945A - Vulnerability assessment method and device for virtual resources, storage medium and electronic device - Google Patents

Info

Publication number: CN116961945A
Application number: CN202210406282.XA
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 陈力, 田源, 牛治
Assignee (original and current): ZTE Corp
Classifications

    • H04L63/1433 Vulnerability analysis (under H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic; H04L63/00 Network architectures or network communication protocols for network security; H04L Transmission of digital information)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14; H04L63/00; H04L)


Abstract

Embodiments of the application provide a vulnerability assessment method and apparatus for virtual resources, a storage medium and an electronic device. The method comprises: obtaining vulnerability basic information of a virtual resource and performing basic grading of the virtual resource according to that information to obtain a base score; determining, according to the vulnerability basic information, a vulnerability time factor score, a vulnerability environment factor score and a virtual asset factor score of the virtual resource; performing secondary vulnerability grading of the virtual asset according to the base score, the vulnerability time factor score, the vulnerability environment factor score and the virtual asset factor score to obtain a secondary grading result; and generating a vulnerability assessment result of the virtual resource according to the secondary grading result. This addresses the problem that a CVSS vulnerability score in the related art cannot objectively reflect the effect of a vulnerability in a real environment: because the final assessment result is obtained by secondary grading of the base score, the risk of supply chain attacks through open source software is reduced and the efficiency of open source governance is improved.

Description

Vulnerability assessment method and device for virtual resources, storage medium and electronic device
Technical Field
The embodiment of the application relates to the field of communication, in particular to a vulnerability assessment method and device for virtual resources, a storage medium and an electronic device.
Background
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal and Environmental. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, the Temporal group reflects characteristics of a vulnerability that change over time, and the Environmental group represents characteristics of a vulnerability that are specific to a user's environment. The Base metrics produce a score from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. (This describes CVSS v3.x; CVSS v4.0, published after this application was filed, replaces the Temporal group with a Threat group and adds Supplemental metrics.)
The CVSS score published for a vulnerability typically contains only the Base score and lacks any analysis of the real effect given the actual state of the asset in which the vulnerability resides. For example, CVE-2015-5652 is an untrusted search path vulnerability affecting Python up to version 3.5.0 that can only be exploited on Windows; a Python build containing the vulnerability deployed on a Linux server carries virtually no risk. The Environmental metric options of CVSS also do not adequately cover threat facets such as the probability that an attack actually occurs in the environment or the way the vulnerable component is used. Finally, CVSS does not account for the importance of the asset and therefore cannot accurately assess risk.
No solution has yet been proposed for the problem that CVSS vulnerability scores in the related art cannot objectively reflect the effect of a vulnerability in the real environment.
Disclosure of Invention
Embodiments of the application provide a vulnerability assessment method and apparatus for virtual resources, a storage medium and an electronic device, which at least solve the problem that CVSS vulnerability scores in the related art cannot objectively reflect the effect of vulnerabilities in real environments.
According to one embodiment of the present application, a vulnerability assessment method for a virtual resource is provided, the method including:
obtaining vulnerability basic information of a virtual resource, and performing basic grading of the virtual resource according to the vulnerability basic information to obtain a base score;
determining, according to the vulnerability basic information, a vulnerability time factor score, a vulnerability environment factor score and a virtual asset factor score of the virtual resource respectively;
performing secondary vulnerability grading of the virtual asset according to the base score, the vulnerability time factor score, the vulnerability environment factor score and the virtual asset factor score to obtain a secondary grading result;
and generating a vulnerability assessment result of the virtual resource according to the secondary grading result.
In an embodiment, the method further comprises:
acquiring project version information and component version information of the open source component in which the virtual resource resides;
and determining, according to the project version information and the component version information, that no corresponding vulnerability information exists in a vulnerability information base, wherein the vulnerability information base stores vulnerability information of open source components indexed by component version and project version.
In an embodiment, the method further comprises:
determining, according to the project version and the component version, that corresponding vulnerability information exists in the vulnerability information base, and acquiring the vulnerability assessment result of that open source component vulnerability information from the vulnerability information base;
and taking the vulnerability assessment result of the open source component vulnerability information as the vulnerability assessment result of the virtual resource.
In an embodiment, obtaining the vulnerability basic information of the virtual resource includes:
acquiring asset basic information of the open source component in which the virtual resource resides;
and obtaining the vulnerability basic information of the virtual resource according to the project version information of that open source component and the asset basic information.
In an embodiment, determining the vulnerability time factor score, the vulnerability environment factor score and the virtual asset factor score of the virtual resource according to the vulnerability basic information includes:
acquiring a plurality of vulnerability time factors according to the vulnerability basic information, determining the score of each time factor from the time factor scores preset for those factors, and determining the vulnerability time factor score from the scores of the individual time factors;
acquiring a plurality of vulnerability environment factors according to the vulnerability basic information, determining the score of each environment factor from the environment factor scores preset for those factors, and determining the vulnerability environment factor score from the scores of the individual environment factors;
and acquiring a plurality of virtual resource factors according to the vulnerability basic information, determining the score of each virtual resource factor from the virtual resource factor scores preset for those factors, and determining the virtual resource factor score from the scores of the individual virtual resource factors.
In an embodiment, acquiring the plurality of vulnerability environment factors according to the vulnerability basic information includes:
judging, from the vulnerability basic information, whether the vulnerability environment factors have already been analysed;
if not, prompting the user to complete the environment factors on the basis of the asset basic information of the virtual resource, and obtaining the completed plurality of environment factors;
and if so, acquiring the plurality of environment factors directly.
In an embodiment, the method further comprises:
performing secondary vulnerability grading of the virtual asset according to the base score, the vulnerability time factor score, the vulnerability environment factor score and the virtual asset factor score in the following manner to obtain the secondary grading result:
ALL_SCORE = RoundUP(ES^p × AS^(1-p), m);
where ALL_SCORE is the secondary grading result, ES is the product of the base score, the vulnerability time factor score and the vulnerability environment factor score, AS is the virtual asset factor score, p is the threat coefficient, m is the specified number of decimal places, and RoundUP rounds its argument up to m decimal places.
According to another embodiment of the present application, there is also provided a vulnerability assessment apparatus of a virtual resource, the apparatus including:
a first acquisition module, configured to acquire vulnerability basic information of the virtual resource and perform basic grading of the virtual resource according to the vulnerability basic information to obtain a base score;
a first determining module, configured to determine, according to the vulnerability basic information, a vulnerability time factor score, a vulnerability environment factor score and a virtual asset factor score of the virtual resource respectively;
a secondary grading module, configured to perform secondary vulnerability grading of the virtual asset according to the base score, the vulnerability time factor score, the vulnerability environment factor score and the virtual asset factor score to obtain a secondary grading result;
and a generation module, configured to generate a vulnerability assessment result of the virtual resource according to the secondary grading result.
In an embodiment, the device further comprises:
a second acquisition module, configured to acquire project version information and component version information of the open source component in which the virtual resource resides;
and a second determining module, configured to determine, according to the project version information and the component version information, that no corresponding vulnerability information exists in a vulnerability information base, wherein the vulnerability information base stores vulnerability information of open source components indexed by component version and project version.
In an embodiment, the device further comprises:
a third acquisition module, configured to determine, according to the project version and the component version, that corresponding vulnerability information exists in the vulnerability information base, and to acquire the vulnerability assessment result of that open source component vulnerability information from the vulnerability information base;
and a third determining module, configured to take the vulnerability assessment result of the open source component vulnerability information as the vulnerability assessment result of the virtual resource.
In an embodiment, the first acquisition module is further configured to acquire asset basic information of the open source component in which the virtual resource resides, and to obtain the vulnerability basic information of the virtual resource according to the project version information of that open source component and the asset basic information.
In an embodiment, the first determining module includes:
a first determining submodule, configured to acquire a plurality of vulnerability time factors according to the vulnerability basic information, determine the score of each time factor from the time factor scores preset for those factors, and determine the vulnerability time factor score from the scores of the individual time factors;
a second determining submodule, configured to acquire a plurality of vulnerability environment factors according to the vulnerability basic information, determine the score of each environment factor from the environment factor scores preset for those factors, and determine the vulnerability environment factor score from the scores of the individual environment factors;
and a third determining submodule, configured to acquire a plurality of virtual resource factors according to the vulnerability basic information, determine the score of each virtual resource factor from the virtual resource factor scores preset for those factors, and determine the virtual resource factor score from the scores of the individual virtual resource factors.
In an embodiment, the second determining submodule is further configured to:
judge, from the vulnerability basic information, whether the vulnerability environment factors have already been analysed;
if not, prompt the user to complete the environment factors on the basis of the asset basic information of the virtual resource, and obtain the completed plurality of environment factors;
and if so, acquire the plurality of environment factors directly.
In an embodiment, the secondary grading module is further configured to perform secondary vulnerability grading of the virtual asset according to the base score, the vulnerability time factor score, the vulnerability environment factor score and the virtual asset factor score, obtaining the secondary grading result as:
ALL_SCORE = RoundUP(ES^p × AS^(1-p), m);
where ALL_SCORE is the secondary grading result, ES is the product of the base score, the vulnerability time factor score and the vulnerability environment factor score, AS is the virtual asset factor score, p is the threat coefficient, m is the specified number of decimal places, and RoundUP rounds its argument up to m decimal places.
According to a further embodiment of the application, there is also provided a computer-readable storage medium having stored therein a computer program, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
According to a further embodiment of the application, there is also provided an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
According to the embodiments of the application, vulnerability basic information of a virtual resource is obtained and the virtual resource is graded on that information to obtain a base score; a vulnerability time factor score, a vulnerability environment factor score and a virtual asset factor score of the virtual resource are determined from the vulnerability basic information; secondary vulnerability grading of the virtual asset is performed on the base score and the three factor scores to obtain a secondary grading result; and a vulnerability assessment result of the virtual resource is generated from the secondary grading result. This addresses the problem that a CVSS vulnerability score in the related art cannot objectively reflect the effect of a vulnerability in a real environment: because the final assessment result is obtained by secondary grading of the base score, the risk of supply chain attacks through open source software is reduced and the efficiency of open source governance is improved.
Drawings
FIG. 1 is a block diagram of a hardware structure of a mobile terminal of a vulnerability assessment method of virtual resources according to an embodiment of the present application;
FIG. 2 is a flow chart of a method of vulnerability assessment of virtual resources according to an embodiment of the application;
FIG. 3 is a logical architecture diagram of the vulnerability risk analysis system according to the present embodiment;
FIG. 4 is a schematic diagram of a vulnerability risk analysis scenario according to the present embodiment;
FIG. 5 is a schematic diagram of vulnerability risk secondary grading in accordance with the present embodiment;
FIG. 6 is a schematic diagram of basic grading according to the present embodiment;
FIG. 7 is a flow chart of vulnerability assessment according to the present embodiment;
FIG. 8 is a block diagram of a vulnerability assessment apparatus of a virtual resource according to the present embodiment.
Detailed Description
Embodiments of the present application will be described in detail below with reference to the accompanying drawings in conjunction with the embodiments.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order.
The method embodiments provided in the embodiments of the present application may be performed in a mobile terminal, a computer terminal or similar computing device. Taking a mobile terminal as an example, fig. 1 is a block diagram of a hardware structure of a mobile terminal according to a virtual resource vulnerability assessment method of an embodiment of the present application, as shown in fig. 1, the mobile terminal may include one or more (only one is shown in fig. 1) processors 102 (the processors 102 may include, but are not limited to, a microprocessor MCU or a programmable logic device FPGA, etc. processing means) and a memory 104 for storing data, where the mobile terminal may further include a transmission device 106 for a communication function and an input/output device 108. It will be appreciated by those skilled in the art that the structure shown in fig. 1 is merely illustrative and not limiting of the structure of the mobile terminal described above. For example, the mobile terminal may also include more or fewer components than shown in fig. 1, or have a different configuration than shown in fig. 1.
The memory 104 may be used to store a computer program, for example a software program and modules of application software, such as the computer program corresponding to the vulnerability assessment method of a virtual resource in an embodiment of the present application; the processor 102 executes the computer program stored in the memory 104 and thereby carries out the various functional applications and data processing, that is, implements the method described above. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the mobile terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission means 106 is arranged to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the mobile terminal. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, simply referred to as NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
In this embodiment, a method for evaluating vulnerabilities of virtual resources running on the mobile terminal or the network architecture is provided, and fig. 2 is a flowchart of a method for evaluating vulnerabilities of virtual resources according to an embodiment of the present application, as shown in fig. 2, where the flowchart includes the following steps:
step S202, obtaining vulnerability basic information of virtual resources, and performing basic grading on the virtual resources according to the vulnerability basic information to obtain basic scores;
in this embodiment, in the step S202, obtaining the vulnerability basic information of the virtual resource may specifically include: acquiring asset basic information of an open source component where the virtual resource is located; and obtaining vulnerability basic information of the virtual resource according to the project version information of the open source component where the virtual resource is and the asset basic information.
Step S204, determining vulnerability time factor scores, vulnerability environment factor scores and virtual asset factor scores of the virtual resources according to the vulnerability basic information;
step S206, performing secondary vulnerability grading on the virtual asset according to the basic score, the vulnerability time factor score, the vulnerability environment factor score and the virtual asset factor score to obtain a secondary grading result;
in this embodiment, the step S206 may specifically perform secondary vulnerability grading on the virtual asset according to the base score, the vulnerability time factor score, the vulnerability environment factor score, and the virtual asset factor score to obtain a secondary grading result:
ALL_SCORE=RoundUP(ES p ×AS (1-P) ,m);
wherein all_score is the secondary grading result, ES is the product of the base SCORE, the vulnerability time factor SCORE, and the vulnerability environment factor SCORE, AS is a virtual asset factor SCORE, p is a threat coefficient, m is a specified number of bits, and RoundUP is a function rounded up according to the specified number of bits m.
And step S208, generating a vulnerability assessment result of the virtual resource according to the secondary grading result.
Through the steps S202 to S208, the problem that the CVSS vulnerability score in the related art cannot objectively reflect the influence of the vulnerability on the real environment can be solved, and the vulnerability assessment result is finally obtained by performing secondary grading on the basic score, so that the risk of the open source software supply chain attack is relieved, and the efficiency of open source treatment is improved.
In an alternative embodiment, the method further comprises: acquiring project version information and component version information of the open source component in which the virtual resource resides; and determining, according to the project version information and the component version information, that no corresponding vulnerability information exists in a vulnerability information base, wherein the vulnerability information base stores vulnerability information of open source components indexed by component version and project version.
Further, when corresponding vulnerability information does exist in the vulnerability information base for the project version and component version, the vulnerability assessment result of that open source component vulnerability information is acquired from the base and taken directly as the vulnerability assessment result of the virtual resource, which improves assessment efficiency.
In this embodiment, step S204 may specifically include: acquiring a plurality of vulnerability time factors according to the vulnerability basic information, determining the score of each time factor from the time factor scores preset for those factors, and determining the vulnerability time factor score from the scores of the individual time factors; acquiring a plurality of vulnerability environment factors according to the vulnerability basic information, determining the score of each environment factor from the environment factor scores preset for those factors, and determining the vulnerability environment factor score from the scores of the individual environment factors; and acquiring a plurality of virtual resource factors according to the vulnerability basic information, determining the score of each virtual resource factor from the virtual resource factor scores preset for those factors, and determining the virtual resource factor score from the scores of the individual virtual resource factors.
Further, acquiring the plurality of vulnerability environment factors according to the vulnerability basic information may specifically include: judging, from the vulnerability basic information, whether the vulnerability environment factors have already been analysed; if not, prompting the user to complete the environment factors on the basis of the asset basic information of the virtual resource, and obtaining the completed plurality of environment factors; and if so, acquiring the plurality of environment factors directly.
In this embodiment, the vulnerability time factors may specifically include: vulnerability exploitability, remediation method, days since disclosure, and attack trend; the vulnerability environment factors may specifically include: application type of the open source component, modified privileges required, modified attack vector, probability of occurrence in the actual environment, cyber threat intelligence, and modified user interaction; and the virtual asset factors may specifically include: asset importance, degree of asset loss, and impact on the recovery process.
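The factor scoring of step S204 and the secondary grading formula of step S206 worked through end to end, as an added example in Python; it is not the patent's or ZTE's code. The factor names follow the page, but every preset weight, the multiplicative combination of factor scores, the arithmetic-mean asset score, the cap of ES at 10, the disclosure-age thresholds and the CVSS-style rating bands are assumptions, and the sample inputs are constructed. The `not_applicable` option models the Background section's case of a Windows-only bug on a Linux host.

```python
"""Secondary vulnerability grading: ALL_SCORE = RoundUP(ES^p * AS^(1-p), m).

Added example. Factor names follow the page; every preset weight below is an
ASSUMED illustrative value, not a table from the patent.
"""
import math
from decimal import Decimal, ROUND_CEILING

# Time factors (page: exploitability, remediation method, days since disclosure, attack trend).
TIME_SCORES = {
    "exploitability": {"unproven": 0.91, "proof_of_concept": 0.94, "functional": 0.97, "high": 1.00},
    "remediation": {"official_fix": 0.95, "temporary_fix": 0.96, "workaround": 0.97, "unavailable": 1.00},
    "attack_trend": {"none": 0.95, "observed": 1.00, "active": 1.05},
}
# Environment factors (page: application type, modified privileges, modified attack vector,
# occurrence probability in the actual environment, threat intelligence, modified user interaction).
ENV_SCORES = {
    "application_type": {"build_tool": 0.6, "library": 0.9, "service": 1.0},
    "modified_privileges": {"high": 0.8, "low": 0.9, "none": 1.0},
    "modified_attack_vector": {"physical": 0.5, "local": 0.7, "adjacent": 0.9, "network": 1.0},
    # 0.0: the trigger scenario cannot occur on this asset (Windows-only bug on a Linux host).
    "occurrence_probability": {"not_applicable": 0.0, "rare": 0.7, "possible": 0.9, "likely": 1.0},
    "threat_intel": {"none": 0.9, "reported": 1.0, "exploited_in_wild": 1.1},
    "modified_user_interaction": {"required": 0.9, "none": 1.0},
}
# Asset factors on a 0-10 scale (page: importance AIR, loss degree LAR, recovery impact).
ASSET_SCORES = {
    "importance": {"low": 3.0, "medium": 6.0, "high": 9.0, "critical": 10.0},
    "loss_degree": {"low": 3.0, "medium": 6.0, "high": 9.0, "critical": 10.0},
    "recovery_impact": {"low": 3.0, "medium": 6.0, "high": 9.0},
}


def disclosure_days_score(days: int) -> float:
    """Assumed step function: exploit tooling matures as a disclosure ages."""
    if days <= 30:
        return 0.97
    if days <= 365:
        return 1.00
    return 1.03


def _lookup_all(table: dict, chosen: dict, what: str) -> list:
    """Resolve every preset factor; a missing one is 'not yet analysed' and must be completed."""
    missing = [name for name in table if name not in chosen]
    if missing:
        raise ValueError(f"{what} factors not analysed, complete from asset basic information: {missing}")
    return [table[name][chosen[name]] for name in table]


def time_factor_score(time: dict) -> float:
    # Assumption: per-factor scores combine multiplicatively (ES is itself a product on the page).
    if "disclosure_days" not in time:
        raise ValueError("time factors not analysed: ['disclosure_days']")
    return math.prod(_lookup_all(TIME_SCORES, time, "time")) * disclosure_days_score(time["disclosure_days"])


def env_factor_score(env: dict) -> float:
    return math.prod(_lookup_all(ENV_SCORES, env, "environment"))


def asset_factor_score(asset: dict) -> float:
    # Assumption: AS is the arithmetic mean of the three asset factor scores.
    scores = _lookup_all(ASSET_SCORES, asset, "asset")
    return sum(scores) / len(scores)


def round_up(x: float, m: int) -> float:
    """RoundUP: round x up to m decimal places (Decimal avoids binary-float ceiling artefacts)."""
    return float(Decimal(repr(x)).quantize(Decimal(1).scaleb(-m), rounding=ROUND_CEILING))


def secondary_score(base: float, t: float, e: float, a: float, p: float, m: int = 1) -> float:
    """ALL_SCORE = RoundUP(ES^p * AS^(1-p), m) with ES = base * t * e (capped at 10, assumed)."""
    if not 0 < p <= 1:
        raise ValueError("threat coefficient p must be in (0, 1]")
    es = min(base * t * e, 10.0)
    return round_up(es ** p * a ** (1 - p), m)


def assess(base: float, time: dict, env: dict, asset: dict, p: float = 0.6, m: int = 1) -> dict:
    """Steps S204-S208: factor scores, secondary grading, qualitative assessment result."""
    t, e, a = time_factor_score(time), env_factor_score(env), asset_factor_score(asset)
    score = secondary_score(base, t, e, a, p, m)
    bands = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]  # assumed CVSS v3 bands
    rating = next((name for floor, name in bands if score >= floor), "None")
    return {"time": t, "env": e, "asset": a, "all_score": score, "rating": rating}


# Constructed sample: one vulnerability (base score 7.8 is illustrative) on a Windows host.
SAMPLE_TIME = {"exploitability": "functional", "remediation": "official_fix",
               "disclosure_days": 400, "attack_trend": "observed"}
SAMPLE_ENV = {"application_type": "service", "modified_privileges": "low",
              "modified_attack_vector": "local", "occurrence_probability": "likely",
              "threat_intel": "reported", "modified_user_interaction": "none"}
SAMPLE_ASSET = {"importance": "high", "loss_degree": "medium", "recovery_impact": "medium"}

if __name__ == "__main__":
    print("windows host:", assess(7.8, SAMPLE_TIME, SAMPLE_ENV, SAMPLE_ASSET))
    linux_env = {**SAMPLE_ENV, "occurrence_probability": "not_applicable"}
    print("linux host:  ", assess(7.8, SAMPLE_TIME, linux_env, SAMPLE_ASSET))
```

Because ES^p × AS^(1-p) is a weighted geometric mean, an ES of 0 (the trigger scenario cannot occur) yields ALL_SCORE 0 whatever the asset, and a critical asset can pull a low ES upward but never above AS itself; with p = 1 the asset is ignored and the result is just ES rounded up. Rounding up rather than to nearest matches the CVSS convention that a borderline score is never reported below its true value.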
The application scenarios of the present embodiment may include software product release, security assessment before supply chain delivery, compliance audit, vulnerability handling, security incident response and similar business scenarios. Fig. 3 is a logical architecture diagram of the vulnerability risk analysis system according to the present embodiment; as shown in Fig. 3, it includes: assets (here specifically the information systems and equipment on which open source components are deployed), a vulnerability information base, and a vulnerability scoring system.
The asset management platform manages project assets uniformly. During project initiation and requirements analysis the project accurately identifies the related assets and confirms the asset type and application scenario of each asset. Basic information of the asset is entered, and the system automatically converts it into the index options of the asset factors.
The system provides data asset management, makes assets visible, and imposes security capability requirements on project asset management. It manages all assets against a standard, recording basic information such as asset number, asset class, product version in which the asset is deployed, network environment and historical attack events, and automatically grades the degree of vulnerability impact according to the importance of the asset and the threat description.
The asset management platform supports building asset standard systems for other industries; asset information has layered data models and is extensible, and the asset standards and asset layering support a variety of scenarios, with synchronous adjustment and support of standard-related configuration, modelling, monitoring and so on.
TABLE 1
Asset number | Asset class        | Product name | Product version | Deployment environment | Site information | Historical attacks
00001        | PaaS platform      | Example      | V1.0            | Telecom cloud          | XX Mobile        | 1
00002        | 5G network manager | UME          | V1.2.1          | Intranet               | XX Unicom        | 0
As shown in Table 1, the vulnerability assessment system combines the product information of the open source component obtained from the asset management platform to automatically grade the asset importance (AIR), the degree of asset loss (LAR) and similar factors, and calculates the final asset factor score from them.
The vulnerability information base stores the vulnerability information of open source components under the two key values of component version and project version. Basic vulnerability information comes from open source communities, fuzz testing, industry-accepted open source component scanning tools, public vulnerability information networks and the like. The system can extract public network information periodically and update the parameters of the vulnerability time factors in real time. Public vulnerability information can be synchronized in real time as the manufacturer of the open source component adjusts it. Vulnerability experts make periodic adjustments according to the vulnerability information and optimize the raw data, forming a vulnerability information base adapted to the research and development industry.
According to the open source component information used by the project version, matching is performed to the specific research and development project that uses the component; the project group analyzes the vulnerabilities, identifies the impact of the open source vulnerabilities, and stores the project analysis conclusions in the vulnerability information base, from which all analysis conclusions of the project can be inherited and extracted. For the environmental factors of the vulnerabilities, a project can select a matching version baseline so that historical data is carried over and inherited.
Fig. 4 is a schematic diagram of a vulnerability risk analysis scenario according to the present embodiment. As shown in Fig. 4, first, the user identifies the asset affected by a vulnerability of an open source component and identifies the vulnerability according to the specific asset. The threat to the asset is judged according to the importance and loss degree of the asset, and the threat of the vulnerability to the asset is then determined. Secondary grading of the vulnerability risk is performed according to the risk impact of the threat and asset analysis, and comprises time factor analysis, environment factor analysis and asset factor analysis. A risk assessment report is generated according to the secondary grading result and prompts risk treatment, including: relieving risk, accepting risk and relieving risk. The influence of the time factor on the vulnerability risk is analyzed; for example, the degree to which the vulnerability can be exploited changes with the passage of time. Then, according to the actual project's use of the open source component, the influence of the environmental factors on the risk is modified: the vulnerability of an open source component has an actual trigger scenario, and some vulnerabilities produce a real impact only when a specific scenario is met.
Risk is the probability that a threat exploits a vulnerability to damage an asset. It is an assessment of probability, likelihood or opportunity: the greater the likelihood that a threat event occurs, the greater the risk. Expressed as a formula, risk may be defined as: Risk = Threat × Vulnerability.
Reducing the threat subject or the vulnerability directly reduces the risk. When a risk materializes, a threat subject, threat executor or threat event has exploited a vulnerability to damage or compromise one or more assets. Risk is avoided by eliminating vulnerabilities and preventing threat agents and threat events from harming the asset.
Fig. 5 is a schematic diagram of secondary grading of vulnerability risk according to the present embodiment, as shown in fig. 5, including secondary grading of vulnerability risk according to scores of base score, time factor, environment factor, and asset factor.
Fig. 6 is a schematic diagram of basic grading according to the present embodiment, and as shown in fig. 6, basic grading may be modified. By providing a correction vector, a new basis score is calculated using the CVSS.
1. The time factors are shown in Table 2.
TABLE 2
2. The environmental factors are shown in Table 3.
TABLE 3
3. The asset factors are shown in Table 4.
TABLE 4
The secondary grading result can be obtained by the following formula:
ALL_SCORE = RoundUP(ES^p × AS^(1-p), m)
wherein ALL_SCORE is the secondary grading result, ES is the product of the base score, the vulnerability time factor score and the vulnerability environment factor score, AS is the virtual asset factor score, p is a threat coefficient, m is a specified number of decimal places, and RoundUP is a function that rounds up to the specified number of places m; for example, with m = 3, RoundUP(3.14159, 3) rounds 3.14159 up to three decimal places (3.142), and with m = 1, RoundUP(3.14159, 1) rounds 3.14159 up to one decimal place (3.1).
Fig. 7 is a flowchart of vulnerability assessment according to the present embodiment; as shown in Fig. 7, it includes:
S701, discovering an open source component vulnerability in the project version;
S702, analyzing the vulnerability basic information and the project version information;
S703, querying whether the vulnerability exists in the vulnerability information base; executing step S704 if the query result is negative, and executing step S710 if it is positive;
S704, automatically crawling the indexes of the time factors according to the vulnerability basic information;
S705, acquiring asset information from the asset management platform according to the project version information;
S706, judging whether the vulnerability environmental factors have been analyzed; executing step S707 if the judgment result is negative, and executing step S708 if it is positive;
S707, prompting research and development personnel to complete the environmental factor information according to the asset information;
S708, matching the asset information of the asset management platform and completing the asset factors (namely the virtual resource factors);
S709, calculating the secondary grading result through the vulnerability secondary grading and giving a treatment suggestion;
S710, generating a vulnerability assessment result;
S711, pushing the report to interested parties.
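The following Python example is added here as an illustration and is not code from the patent or from the applicant. It implements the secondary grading formula of the embodiment (ALL_SCORE = RoundUP(ES^p × AS^(1-p), m), with the document's symbols ES, AS, p and m) and the S701-S711 flow, including the lookup of the vulnerability information base keyed on component version and project version, the S706/S707 branch when the environment factors have not yet been analyzed, and the S710 inheritance of a stored conclusion. It assumes round-half-up semantics for RoundUP (both worked values on the page, 3.142 and 3.1, agree with that, whereas a pure ceiling would give 3.2 for the one-decimal case), product aggregation of the time and environment factor scores, mean aggregation of the asset factors on a 0-10 scale, and constructed treatment thresholds, asset records, factor values and vulnerability identifiers; none of those specifics come from the patent.

```python
"""Added example (not the patent's own code): the secondary grading formula
ALL_SCORE = RoundUP(ES^p x AS^(1-p), m) and the S701-S711 assessment flow,
run over constructed sample data. Rules marked 'assumed' are not in the patent."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from math import prod
from statistics import mean
from typing import Callable, Dict, Optional


def round_up(value: float, m: int) -> float:
    """RoundUP(x, m) as the patent's worked values imply: RoundUP(3.14159, 3) = 3.142 and
    RoundUP(3.14159, 1) = 3.1, i.e. round-half-up to m decimal places (assumed)."""
    quantum = Decimal(1).scaleb(-m)  # 10**-m, e.g. Decimal('0.001') for m = 3
    return float(Decimal(repr(value)).quantize(quantum, rounding=ROUND_HALF_UP))


def secondary_score(base: float, time_score: float, env_score: float,
                    asset_score: float, p: float, m: int) -> float:
    """ALL_SCORE = RoundUP(ES^p x AS^(1-p), m), ES = base x time x env, AS = asset score.
    On a shared 0-10 scale this is a weighted geometric mean: p = 1 keeps only ES, p = 0 only AS."""
    es = base * time_score * env_score
    return round_up(es ** p * asset_score ** (1 - p), m)


@dataclass(frozen=True)
class VulnKey:
    """The vulnerability information base is keyed on component version and project version."""
    component_version: str
    project_version: str


@dataclass
class Assessment:
    vuln_id: str
    all_score: Optional[float]  # None while the environment factors are still pending
    advice: str
    source: str                 # "computed" (S709), "inherited" (S710) or "pending" (S707)


def handling_advice(score: float) -> str:
    """Treatment suggestion; the thresholds are assumed, the patent names none."""
    if score >= 7.0:
        return "mitigate"
    return "accept with monitoring" if score >= 4.0 else "accept"


def assess(key: VulnKey, vuln_id: str, base_score: float,
           vuln_base: Dict[VulnKey, Assessment], asset_platform: Dict[str, dict],
           crawl_time_factors: Callable[[str], Dict[str, float]],
           env_factors: Dict[VulnKey, Dict[str, float]],
           p: float = 0.5, m: int = 3) -> Assessment:
    """One pass of the S701-S711 flow for a vulnerability found in a project version."""
    # S703: an existing conclusion for this (component, project) pair is inherited (S710)
    if key in vuln_base:
        prior = vuln_base[key]
        return Assessment(prior.vuln_id, prior.all_score, prior.advice, "inherited")
    # S704: time factor indexes from public sources; a callable stands in for the crawler
    time_score = prod(crawl_time_factors(vuln_id).values())  # aggregation assumed: product
    # S705: asset record from the asset management platform (Table 1 style)
    asset = asset_platform[key.project_version]
    # S706/S707: grading waits until the project has analyzed the environment factors
    env = env_factors.get(key)
    if env is None:
        prompt = f"prompt R&D to complete environment factors for asset {asset['asset_no']}"
        return Assessment(vuln_id, None, prompt, "pending")
    env_score = prod(env.values())                          # aggregation assumed: product
    # S708: asset factors (AIR, LAR) on a 0-10 scale; aggregation assumed: mean
    asset_score = mean(list(asset["factors"].values()))
    # S709: secondary grading and treatment suggestion; the result is stored in the base
    score = secondary_score(base_score, time_score, env_score, asset_score, p, m)
    result = Assessment(vuln_id, score, handling_advice(score), "computed")
    vuln_base[key] = result  # a later query for the same pair takes S703 -> S710
    return result


# Constructed sample data (not from the patent); identifiers are placeholders.
ASSET_PLATFORM = {
    "UME V1.2.1": {"asset_no": "00002", "factors": {"AIR": 8.0, "LAR": 8.0}},
    "Example V1.0": {"asset_no": "00001", "factors": {"AIR": 6.0, "LAR": 5.0}},
}
ENV_FACTORS = {  # only the UME project has analyzed its trigger scenario so far
    VulnKey("libexample 1.2.3", "UME V1.2.1"): {"trigger_scene_present": 1.0, "exposure": 0.8},
}


def fake_crawler(vuln_id: str) -> Dict[str, float]:
    """Stand-in for S704; a real system would query public vulnerability feeds."""
    return {"exploit_maturity": 0.9, "remediation_level": 1.0, "report_confidence": 1.0}


def demo() -> list:
    """Three passes: fresh grading, inherited result, pending environment analysis."""
    base: Dict[VulnKey, Assessment] = {}
    ume = VulnKey("libexample 1.2.3", "UME V1.2.1")
    example = VulnKey("libexample 1.2.3", "Example V1.0")
    args = (9.0, base, ASSET_PLATFORM, fake_crawler, ENV_FACTORS)
    return [assess(ume, "VULN-PLACEHOLDER-1", *args),
            assess(ume, "VULN-PLACEHOLDER-1", *args),
            assess(example, "VULN-PLACEHOLDER-1", *args)]
```

With the constructed inputs the first pass gives ES = 9.0 × 0.9 × 0.8 = 6.48 and AS = 8.0, so ALL_SCORE = RoundUP(6.48^0.5 × 8.0^0.5, 3) = 7.200; the second pass for the same (component version, project version) pair returns that stored conclusion through S703/S710 without recomputation, and the third pass stops at S707 because the Example project has not analyzed its environment factors. Setting p = 1 reduces the formula to ES and p = 0 to AS, which is what makes p a weighting between the vulnerability side and the asset side.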
The embodiment is applicable to the field of network security and to life-cycle security management of the software supply chain, including, but not limited to, IT application scenarios that rely on third-party open source components, where the impact of vulnerabilities on real assets is identified and evaluated. The embodiment brings a marked gain to the risk assessment of open source component supply chain attacks: it can effectively identify the real impact of an open source component vulnerability on the asset where it is located, and helps developers repair the software defects that are genuinely high-risk.
According to another embodiment of the present application, there is further provided a vulnerability assessment apparatus of a virtual resource, and fig. 8 is a block diagram of the vulnerability assessment apparatus of a virtual resource according to the present embodiment, as shown in fig. 8, the apparatus includes:
the first obtaining module 82 is configured to obtain vulnerability basic information of a virtual resource, and perform basic grading on the virtual resource according to the vulnerability basic information to obtain a basic score;
a first determining module 84, configured to determine a vulnerability time factor score, a vulnerability environment factor score, and a virtual asset factor score of the virtual resource according to the vulnerability basic information, respectively;
the secondary grading module 86 is configured to perform secondary vulnerability grading on the virtual asset according to the base score, the vulnerability time factor score, the vulnerability environment factor score, and the virtual asset factor score, so as to obtain a secondary grading result;
and the generating module 88 is configured to generate a vulnerability assessment result of the virtual resource according to the secondary grading result.
In an embodiment, the device further comprises:
the second acquisition module is used for acquiring the project version information and the component version information of the open source component where the virtual resource is located;
and the second determining module is used for determining that no corresponding vulnerability information exists in a vulnerability information base according to the project version information and the component version information, wherein the vulnerability information base stores vulnerability information of an open source component corresponding to the component version and the project version.
In an embodiment, the device further comprises:
the third acquisition module is used for determining that corresponding vulnerability information exists in a vulnerability information base according to the project version and the component version, and acquiring a vulnerability assessment result of the vulnerability information of the open source component from the vulnerability information base;
and the third determining module is used for determining the vulnerability assessment result of the vulnerability information of the open source component as the vulnerability assessment result of the virtual resource.
In an embodiment, the first obtaining module is further configured to obtain asset basic information of an open source component where the virtual resource is located; and obtaining vulnerability basic information of the virtual resource according to the project version information of the open source component where the virtual resource is and the asset basic information.
In one embodiment, the first determining module 84 includes:
the first determining submodule is used for obtaining a plurality of vulnerability time factors according to the vulnerability basic information, determining scores corresponding to the plurality of vulnerability time factors according to time factor scores preset for the plurality of vulnerability time factors, and determining vulnerability time factor scores according to the scores of the plurality of vulnerability time factors;
the second determining submodule is used for acquiring a plurality of vulnerability environmental factors according to the vulnerability basic information, determining scores corresponding to the plurality of vulnerability environmental factors according to environmental factor scores preset for the plurality of vulnerability environmental factors, and determining scores of the vulnerability environmental factors according to the scores of the plurality of vulnerability environmental factors;
and the third determination submodule is used for acquiring a plurality of virtual resource factors according to the vulnerability basic information, determining the scores corresponding to the plurality of virtual resource factors according to the virtual resource factor scores preset for the virtual resource factors, and determining the virtual resource factor scores according to the scores of the plurality of virtual resource factors.
In an embodiment, the second determining module is further configured to
Judging whether the vulnerability environmental factors are analyzed according to the vulnerability basic information;
under the condition that the judgment result is negative, prompting to perfect the virtual environment factors according to the asset basic information of the virtual resource, and obtaining the plurality of perfect virtual environment factors;
and under the condition that the judgment result is yes, acquiring the plurality of virtual environment factors.
In an embodiment, the secondary grading module 86 is further configured to perform secondary vulnerability grading on the virtual asset according to the base score, the vulnerability time factor score, the vulnerability environment factor score, and the virtual asset factor score, to obtain a secondary grading result by:
ALL_SCORE = RoundUP(ES^p × AS^(1-p), m);
wherein ALL_SCORE is the secondary grading result, ES is the product of the base score, the vulnerability time factor score and the vulnerability environment factor score, AS is the virtual asset factor score, p is a threat coefficient, m is a specified number of decimal places, and RoundUP is a function that rounds up to the specified number of places m.
Embodiments of the present application also provide a computer readable storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
In one exemplary embodiment, the computer readable storage medium may include, but is not limited to: a usb disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing a computer program.
An embodiment of the application also provides an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
In an exemplary embodiment, the electronic apparatus may further include a transmission device connected to the processor, and an input/output device connected to the processor.
Specific examples in this embodiment may refer to the examples described in the foregoing embodiments and the exemplary implementation, and this embodiment is not described herein.
It will be appreciated by those skilled in the art that the modules or steps of the application described above may be implemented in a general purpose computing device, they may be concentrated on a single computing device, or distributed across a network of computing devices, they may be implemented in program code executable by computing devices, so that they may be stored in a storage device for execution by computing devices, and in some cases, the steps shown or described may be performed in a different order than that shown or described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps of them may be fabricated into a single integrated circuit module. Thus, the present application is not limited to any specific combination of hardware and software.
The above description is only of the preferred embodiments of the present application and is not intended to limit the present application, but various modifications and variations can be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the principle of the present application should be included in the protection scope of the present application.

Claims (10)

1. A method for vulnerability assessment of virtual resources, the method comprising:
obtaining vulnerability basic information of virtual resources, and performing basic grading on the virtual resources according to the vulnerability basic information to obtain basic scores;
respectively determining a vulnerability time factor score, a vulnerability environment factor score and a virtual asset factor score of the virtual resource according to the vulnerability basic information;
performing secondary vulnerability grading on the virtual asset according to the basic score, the vulnerability time factor score, the vulnerability environment factor score and the virtual asset factor score to obtain a secondary grading result;
and generating a vulnerability assessment result of the virtual resource according to the secondary grading result.
2. The method according to claim 1, wherein the method further comprises:
acquiring project version information and component version information of an open source component where the virtual resource is located;
and determining that no corresponding vulnerability information exists in a vulnerability information base according to the project version information and the component version information, wherein the vulnerability information base stores vulnerability information of an open source component corresponding to the component version and the project version.
3. The method according to claim 2, wherein the method further comprises:
determining that corresponding vulnerability information exists in a vulnerability information base according to the item version and the component version, and acquiring a vulnerability assessment result of the vulnerability information of the open source component from the vulnerability information base;
and determining a vulnerability assessment result of the vulnerability information of the open source component as a vulnerability assessment result of the virtual resource.
4. The method of claim 1, wherein obtaining vulnerability basic information for a virtual resource comprises:
acquiring asset basic information of an open source component where the virtual resource is located;
and obtaining vulnerability basic information of the virtual resource according to the project version information of the open source component where the virtual resource is and the asset basic information.
5. The method of claim 1, wherein determining the vulnerability time factor score, vulnerability environment factor score, and virtual asset factor score for the virtual resource based on the vulnerability base information, respectively, comprises:
acquiring a plurality of vulnerability time factors according to the vulnerability basic information, determining scores corresponding to the plurality of vulnerability time factors according to time factor scores preset for the plurality of vulnerability time factors, and determining the vulnerability time factor scores according to the scores of the plurality of vulnerability time factors;
acquiring a plurality of vulnerability environmental factors according to the vulnerability basic information, determining scores corresponding to the plurality of vulnerability environmental factors according to environmental factor scores preset for the plurality of vulnerability environmental factors, and determining scores of the plurality of vulnerability environmental factors according to the scores of the plurality of vulnerability environmental factors;
and acquiring a plurality of virtual resource factors according to the vulnerability basic information, determining the scores corresponding to the plurality of virtual resource factors according to the virtual resource factor scores preset for the plurality of virtual resource factors, and determining the virtual resource factor scores according to the scores of the plurality of virtual resource factors.
6. The method of claim 5, wherein obtaining a multi-item vulnerability environmental factor from the vulnerability basic information comprises:
judging whether the vulnerability environmental factors are analyzed according to the vulnerability basic information;
under the condition that the judgment result is negative, prompting to perfect the virtual environment factors according to the asset basic information of the virtual resource, and obtaining the plurality of perfect virtual environment factors;
and under the condition that the judgment result is yes, acquiring the plurality of virtual environment factors.
7. The method according to any one of claims 1 to 6, further comprising:
performing secondary vulnerability grading on the virtual asset according to the basic score, the vulnerability time factor score, the vulnerability environment factor score and the virtual asset factor score in the following manner to obtain a secondary grading result:
ALL_SCORE = RoundUP(ES^p × AS^(1-p), m);
wherein ALL_SCORE is the secondary grading result, ES is the product of the base score, the vulnerability time factor score and the vulnerability environment factor score, AS is the virtual asset factor score, p is a threat coefficient, m is a specified number of decimal places, and RoundUP is a function that rounds up to the specified number of places m.
8. A vulnerability assessment apparatus for a virtual resource, the apparatus comprising:
the first acquisition module is used for acquiring vulnerability basic information of the virtual resources, and performing basic grading on the virtual resources according to the vulnerability basic information to obtain basic scores;
the first determining module is used for respectively determining a vulnerability time factor score, a vulnerability environment factor score and a virtual asset factor score of the virtual resource according to the vulnerability basic information;
the secondary grading module is used for carrying out secondary vulnerability grading on the virtual asset according to the basic score, the vulnerability time factor score, the vulnerability environment factor score and the virtual asset factor score to obtain a secondary grading result;
and the generation module is used for generating a vulnerability assessment result of the virtual resource according to the secondary grading result.
9. A computer readable storage medium having a computer program stored therein, wherein the computer program is arranged to perform the method of any of claims 1 to 7 when run.
10. An electronic device comprising a memory in which a computer program is stored and a processor arranged to run the computer program to perform the method of any of claims 1 to 7.
CN202210406282.XA 2022-04-18 2022-04-18 Vulnerability assessment method and device for virtual resources, storage medium and electronic device Pending CN116961945A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210406282.XA CN116961945A (en) 2022-04-18 2022-04-18 Vulnerability assessment method and device for virtual resources, storage medium and electronic device

Publications (1)

Publication Number Publication Date
CN116961945A true CN116961945A (en) 2023-10-27

Family

ID=88444849

Country Status (1)

Country Link
CN (1) CN116961945A (en)

Legal Events

Date Code Title Description
PB01 Publication