CN117556432A - Homologous vulnerability safety response method and system based on propagation influence analysis - Google Patents


Info

Publication number
CN117556432A
Authority
CN
China
Prior art keywords
vulnerability
information
component
propagation
components
Legal status
Pending
Application number
CN202410047059.XA
Other languages
Chinese (zh)
Inventor
岳贯集
肖华
张世琨
Current Assignee
Beijing Peking University Software Engineering Co ltd
Original Assignee
Beijing Peking University Software Engineering Co ltd
Application filed by Beijing Peking University Software Engineering Co ltd
Priority to CN202410047059.XA
Publication of CN117556432A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Stored Programmes (AREA)

Abstract

The invention relates to the field of software code analysis and discloses a homologous vulnerability security response method and system based on propagation influence analysis. The method comprises the following steps: determining the correspondence between components and vulnerabilities according to the alignment result of the component information and the vulnerability information; determining a vulnerability propagation influence graph according to the dependency relationships between the components; and responding to the vulnerabilities based on their propagation paths and influence ranges. By analysing the propagation influence of homologous vulnerabilities, the method determines the propagation path and influence range of a vulnerability more accurately, improves the efficiency and accuracy of the vulnerability security response, effectively prevents attacks through homologous vulnerabilities, and provides various ways of responding to and repairing discovered vulnerabilities in a timely manner.

Description

Homologous vulnerability safety response method and system based on propagation influence analysis
Technical Field
The invention relates to the field of software code analysis, in particular to a homologous vulnerability security response method and system based on propagation influence analysis.
Background
As the number of open source components used in software development continues to increase, security vulnerabilities in software components are also becoming more prevalent. These security vulnerabilities may be exploited by hackers, posing a serious threat to the security of the software. Currently, vulnerability security response techniques are commonly employed to discover and repair these vulnerabilities.
General vulnerability security response technology mainly comprises the following aspects:
Vulnerability scanning and analysis: scanning and analysing the software components to find existing security vulnerabilities in time, and classifying and evaluating them so that targeted security response measures can be taken.
Secure access control: adopting a secure access control policy to limit the interaction between software components and prevent malicious attackers from exploiting the vulnerabilities.
Vulnerability sharing management: applying strict permission control and audit mechanisms to the code and resources shared among software components, so that vulnerabilities are repaired in time.
Log monitoring and analysis: monitoring and analysing the operation logs of a software component in real time, so that abnormal conditions, including attacks on security vulnerabilities, are found and responded to promptly.
Emergency response: starting an emergency response plan promptly when a security vulnerability is attacked, and isolating and repairing the affected software components to prevent the attack from spreading further.
Vulnerability repair: taking appropriate measures to fix the vulnerability, such as installing security patches, modifying code or configuration files, or updating software.
Vulnerability verification: verifying whether the vulnerability has been successfully repaired and ensuring the security of the system.
Vulnerability reporting: recording the vulnerability and its repair status and reporting them to the relevant parties.
The conventional method of checking open source components for vulnerabilities only responds to vulnerabilities in the components themselves. If a vulnerability exists in an associated dependency, it may not be found, so that some vulnerabilities capable of causing great harm to the system are missed. This is mainly because the dependency relationships among components are not considered. In particular, the complex internal relationships between software dependencies greatly weaken the analysis of their impact and limit the effectiveness of the security response.
Disclosure of Invention
The invention aims to overcome one or more of the above problems of the prior art and provides a homologous vulnerability security response method and system based on propagation influence analysis.
In order to achieve the above object, the present invention provides a homologous vulnerability security response method based on propagation influence analysis, comprising:
determining the corresponding relation between the component and the vulnerability according to the alignment result of the component information and the vulnerability information;
determining a vulnerability propagation influence graph according to the dependency relationship between the components;
responding to the vulnerability based on the propagation path and the influence range of the vulnerability.
According to one aspect of the invention, the component information includes source code, bytecode, binary file, or configuration file of the dependent package; the vulnerability information includes vulnerability information in NVD, CNVD, and CNNVD.
According to one aspect of the present invention, the process of obtaining the alignment result includes:
performing a primary alignment of the component information and the vulnerability information using CPE-format information;
and performing a secondary alignment on the primary alignment result using natural language processing, to obtain the alignment result of the component information and the vulnerability information.
According to one aspect of the invention, a visual interface is constructed based on the alignment result of the component information and the vulnerability information after the secondary alignment, and the component information and the vulnerability information are configured as associated in response to an operation of associating them through the visual interface.
According to one aspect of the invention, the dependency relationships between components are determined by means of component analysis.
According to one aspect of the invention, a dependency propagation influence graph is constructed as follows:
representing components by using nodes, representing the dependency relationship among the components by using edges, and constructing a dependency relationship graph;
and determining the propagation path and the influence range of the vulnerability according to the dependency graph and the components corresponding to the vulnerability.
According to one aspect of the invention, responding to a vulnerability includes:
identifying a component with a vulnerability based on the vulnerability propagation influence graph, determining the association between the current component and the component containing the vulnerability in the dependency graph through a depth-first search algorithm, and determining the influence of the component containing the vulnerability on the system based on the vulnerability information and security patch information of that component.
According to one aspect of the invention, responding to the vulnerability further comprises:
identifying components with vulnerabilities based on the vulnerability propagation influence graph, determining, based on a graph algorithm, a substitute version of the corresponding component that has no vulnerability or in which the vulnerability is controllable, and substituting it for the vulnerable component;
or determining a repair method for the vulnerable component based on the component vulnerability information, and repairing the vulnerability.
In order to achieve the above object, the present invention also provides a homologous vulnerability security response system based on propagation influence analysis, comprising:
a component vulnerability alignment unit, used for aligning the component information with the vulnerability data and determining the correspondence between components and vulnerabilities;
a vulnerability propagation influence graph acquisition unit, used for determining the vulnerability propagation influence graph according to the dependency relationships among the components;
and a response unit, used for responding to the vulnerabilities based on their propagation paths and influence ranges.
Based on the above, the invention has the following beneficial effects:
The method provided by the invention tracks and analyses the security vulnerabilities present in software components in order to understand how the vulnerabilities propagate and what influences them, so that effective security response measures can be taken. The security analysis method of the homologous vulnerability security response is adopted with the aim of discovering and repairing deeper security vulnerabilities in software components. The homologous vulnerability security response technology based on propagation influence analysis can effectively improve the security and stability of software, reduce the influence of security vulnerabilities on the software development and usage processes, and address the vulnerability influence introduced by transitive component dependencies.
By analysing the propagation influence of homologous vulnerabilities, the propagation path and influence range of a vulnerability can be determined more accurately, the efficiency and accuracy of the vulnerability security response are further improved, attacks through homologous vulnerabilities can be effectively prevented, and various ways of responding to and repairing discovered vulnerabilities in a timely manner are provided.
Drawings
FIG. 1 is a flow chart of a method of homologous vulnerability security response based on propagation impact analysis of the present invention;
FIG. 2 is a flow chart of a homologous vulnerability security response system based on propagation impact analysis of the present invention.
Detailed Description
The present disclosure will now be discussed with reference to exemplary embodiments, it being understood that the embodiments discussed are merely for the purpose of enabling those of ordinary skill in the art to better understand and thus practice the present disclosure and do not imply any limitation to the scope of the present disclosure.
As used herein, the term "comprising" and its variants are to be read as the open-ended term "including but not limited to". The term "based on" is to be read as "based at least in part on"; the terms "one embodiment" and "an embodiment" are to be read as "at least one embodiment".
According to an embodiment of the present invention, fig. 1 is a flowchart of the homologous vulnerability security response method based on propagation influence analysis. As shown in fig. 1, in order to achieve the above object, the method provided by the present invention includes:
determining the corresponding relation between the component and the vulnerability according to the alignment result of the component information and the vulnerability information;
determining a vulnerability propagation influence graph according to the dependency relationship between the components;
responding to the vulnerability based on the propagation path and the influence range of the vulnerability.
According to one embodiment of the invention, the component information is bytecode, which is compiled from source code; at runtime the bytecode is interpreted to obtain machine code or binary code recognisable by the machine, so that the component can designate one or more processors of the computer and cause the corresponding computing resources to be invoked.
According to another embodiment of the invention, the component information is source code, such as a .py file or a .js file, which is interpreted at runtime to obtain machine code or binary code recognisable by the machine, so that the component can designate one or more processors of the computer and cause the corresponding computing resources to be invoked.
According to another embodiment of the invention, the component information is a binary file, such as a py file or a js file, which is interpreted at runtime to obtain machine code or binary code recognisable by the machine, so that the component can designate one or more processors of the computer and cause the corresponding computing resources to be invoked.
The method first determines the alignment result of the component information and the vulnerability information from the disclosed information, natural language processing and manual auditing, to obtain the correspondence between components and vulnerabilities;
then determines the vulnerability propagation influence graph according to the dependency relationships among the components; the graph reflects the associations among vulnerabilities, and from it the propagation path of a vulnerability among the components and the influence range of the vulnerability can be determined;
and then carries out vulnerability assessment and repair based on the vulnerability propagation influence graph. Compared with conventional vulnerability analysis, this process avoids false alarms and identifies vulnerability information on deep dependency chains, thereby reducing the harm of system vulnerabilities.
According to one embodiment of the invention, the component information includes source code, bytecode, binary file, or configuration file of the dependent package; the vulnerability information includes vulnerability information in NVD, CNVD, and CNNVD.
NVD (National Vulnerability Database), used in some embodiments of the invention, is a comprehensive vulnerability database maintained by the National Institute of Standards and Technology (NIST); CNVD (China National Vulnerability Database) is the national information security vulnerability sharing platform, an information security vulnerability knowledge base jointly established under the National Computer Network Emergency Response Technical Team/Coordination Center of China; CNNVD (China National Vulnerability Database of Information Security) is the national information security vulnerability database, built and maintained by the China Information Technology Security Evaluation Center.
By using these security vulnerability databases, disclosed vulnerabilities can be identified in time, and component vulnerabilities that have not yet been publicly reported can also be identified where they can be confirmed through propagation in the influence graph.
According to one embodiment of the present invention, the process of obtaining the alignment result includes:
performing a primary alignment of the component information and the vulnerability information using CPE-format information;
and performing a secondary alignment on the primary alignment result using natural language processing, to obtain the alignment result of the component information and the vulnerability information.
The invention aligns the component information and the vulnerability information in three passes. The first alignment associates them on the basis of the common naming convention for IT products; in this process some information cannot be associated for lack of auxiliary information, and that information is supplemented by natural language processing. The data source relied on by the natural language processing is a web search engine: for example, a keyword containing the vulnerability name or the component name is supplied, related information is obtained from the pages of the search results, and that information is matched against the component information and the vulnerability information to determine the association.
This method solves the alignment problem for most component information and vulnerability information.
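As an added illustration of the primary (CPE-based) alignment pass described above, which the detailed embodiment restates as step 2, the following Python is example code written for this page, not code from the patent or its assignee. It assumes that software composition analysis has already produced a (vendor, product) guess for some components, that each vulnerability record carries a CPE 2.3 applicability string plus NVD-style versionStartIncluding/versionEndExcluding bounds, and that every component name, advisory id and version range below is constructed sample data. Components that lack a vendor/product mapping are returned separately: those are exactly the cases the secondary (natural language processing) and manual passes have to resolve.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Field order of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE_KEYS = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string into named fields.

    Assumption: no escaped ':' occurs inside a field value."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_KEYS, fields[2:]))


def version_key(version: str) -> Tuple[int, ...]:
    """Normalise '2.14.1' or '2.14.1-rc1' to a comparable tuple of ints.

    Pre-release suffixes after '-' are dropped: a simplification of the
    version normalisation the page mentions."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


@dataclass
class Component:
    coordinate: str                # package coordinate reported by SCA
    version: str
    vendor: Optional[str] = None   # CPE vendor, if the coordinate could be mapped
    product: Optional[str] = None  # CPE product, if the coordinate could be mapped


@dataclass
class Vuln:
    vuln_id: str                      # placeholder ids, not real advisories
    cpe: str                          # CPE 2.3 applicability string
    start_incl: Optional[str] = None  # NVD-style versionStartIncluding
    end_excl: Optional[str] = None    # NVD-style versionEndExcluding


def cpe_matches(comp: Component, vuln: Vuln) -> bool:
    """True if the component falls under the vulnerability's CPE applicability."""
    c = parse_cpe23(vuln.cpe)
    if c["vendor"] not in ("*", comp.vendor) or c["product"] not in ("*", comp.product):
        return False
    ver = version_key(comp.version)
    if c["version"] != "*":                      # exact version pinned in the CPE
        return ver == version_key(c["version"])
    if vuln.start_incl and ver < version_key(vuln.start_incl):
        return False
    if vuln.end_excl and ver >= version_key(vuln.end_excl):
        return False
    return True


def primary_alignment(components: List[Component],
                      vulns: List[Vuln]) -> Tuple[Dict[str, List[str]], List[str]]:
    """First-pass alignment by CPE naming.

    Returns (aligned, unaligned): aligned maps 'coordinate@version' to the
    matching vulnerability ids; unaligned lists the components that have no
    vendor/product mapping and so must go to the NLP and manual passes."""
    aligned: Dict[str, List[str]] = {}
    unaligned: List[str] = []
    for comp in components:
        if comp.vendor is None or comp.product is None:
            unaligned.append(comp.coordinate)
            continue
        hits = [v.vuln_id for v in vulns if cpe_matches(comp, v)]
        if hits:
            aligned[f"{comp.coordinate}@{comp.version}"] = hits
    return aligned, unaligned


# Constructed sample data: fictitious vendors, products and advisory ids.
SAMPLE_COMPONENTS = [
    Component("com.example:logtool", "2.14.1", "examplecorp", "logtool"),
    Component("com.example:logtool", "2.17.0", "examplecorp", "logtool"),
    Component("org.example:parser", "1.0.3", "exampleorg", "parser"),
    Component("internal:helper", "0.9", None, None),   # no CPE mapping yet
]
SAMPLE_VULNS = [
    Vuln("EXAMPLE-0001", "cpe:2.3:a:examplecorp:logtool:*:*:*:*:*:*:*:*",
         start_incl="2.0.0", end_excl="2.15.0"),
    Vuln("EXAMPLE-0002", "cpe:2.3:a:exampleorg:parser:1.0.3:*:*:*:*:*:*:*"),
]

if __name__ == "__main__":
    aligned, unaligned = primary_alignment(SAMPLE_COMPONENTS, SAMPLE_VULNS)
    print("aligned:", aligned)
    print("needs secondary alignment:", unaligned)
```

Note that the second logtool entry (2.17.0) is correctly left out of the result because it sits outside the range, while the same coordinate at 2.14.1 is aligned; keying the result by coordinate and version keeps the two apart.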
According to one embodiment of the invention, a visual interface is constructed based on the alignment result of the component information and the vulnerability information after the secondary alignment, and the component information and the vulnerability information are configured as associated in response to an operation of associating them through the visual interface.
Because some vulnerability information disclosed by web sources or public security information websites is inaccurate or updated with a delay, and some information obtained through a search engine is content generated by content farms or by AIGC, the actual component information and vulnerability information may fail to match; in that case a further alignment of component information and vulnerability information can be performed with manual assistance.
For example, the user can associate the component information with the vulnerability information through a user interface operated on a client, a web page interface provided in a browser, or the user interface of a mobile terminal in the form of an app; the interface presents at least the component information together with the vulnerability information recommended by the system, and the user can reject the association of the component information with the vulnerability information by means of a denial operation.
Or, in the constructed user interface, for the provided component information the user can directly reject the vulnerability information and confirm that the component is safe;
or, in the constructed user interface, for the provided component information, the user selects one or more vulnerabilities from the collected vulnerability options to match with the component information;
or, in the constructed user interface, for the provided component information, the user selects one or more vulnerabilities from the collected vulnerability options and selects one or more items of component information from the provided component information to match with the selected vulnerability information.
In the above user interface, the vulnerability information presented for a given item of component information (or the component information presented for a given vulnerability) is generated by recommendation; the recommendation can be based on the similarity between the vulnerability information and the component information, or on the source, for example vulnerability information from CNVD or CNNVD is regarded as reliable and is provided as the recommended information.
In this way, the accuracy of the association is further improved on the basis of the public information.
According to one embodiment of the invention, the dependency relationships between components are determined by means of component analysis.
Component analysis, i.e. SCA (Software Composition Analysis), is in plain terms a technology that recognises, manages and tracks software by analysing certain information and features contained in the software. Security detection of applications using SCA is a common method of software analysis.
In theory SCA is a general analysis method that can analyse objects in any development language, such as Java, C/C++, Golang, Python and JavaScript; it works at the file level on the file contents, the associations between files, and the process by which the files are combined into a target. The target program analysed by SCA may be source code or a compiled binary file, and the analysed data object is insensitive to program structure and compilation mode.
The SCA analysis process comprises decompressing the target source code or binary file, extracting features from the file, and identifying and analysing the features to obtain the relationship of each part, thereby obtaining a profile of the application program, namely the component names and version numbers, which are then correlated with the list of known vulnerabilities.
The invention obtains the dependency relationships between components through this component analysis method and from them derives the associations between vulnerabilities.
According to one embodiment of the invention, a dependency propagation influence graph is constructed as follows:
representing components by using nodes, representing the dependency relationship among the components by using edges, and constructing a dependency relationship graph;
and determining the propagation path and the influence range of the vulnerability according to the dependency graph and the components corresponding to the vulnerability.
The invention realises the association between vulnerabilities and components using a graph network, and on that basis the propagation path and influence range of a vulnerability can be confirmed intuitively.
According to one embodiment of the invention, responding to the vulnerability includes:
identifying a component with a vulnerability based on the vulnerability propagation influence graph, determining the association between the current component and the component containing the vulnerability in the dependency graph through a depth-first search algorithm, and determining the influence of the component containing the vulnerability on the system based on the vulnerability information and security patch information of that component.
When vulnerabilities exist in the system, a depth-first search algorithm can be used to determine how a component and a vulnerability are associated.
Specifically, the depth-first traversal of the graph starts from the node corresponding to a component: the component is visited; then, starting in turn from each unvisited neighbour of the component, the graph is traversed depth-first until every component connected to it by a path has been visited; if some components in the graph remain unvisited at that point, a depth-first traversal is started again from an unvisited node, until all components in the graph have been visited.
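Added example, not code from the patent: a Python implementation of the dependency graph and the depth-first traversal described above, which is also the graph construction and propagation-path analysis of step 4 in the detailed embodiment. Edges point from a dependent to its dependency, the direction an SCA tool reports them in, so propagation runs along the reverse edges, from a vulnerable component to everything that depends on it. The component names and edges are constructed sample data and the function names are my own.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# An edge (a, b) means "a depends on b". Vulnerabilities propagate from b to a.


def build_dependency_graph(edges: Iterable[Tuple[str, str]]):
    """Return (nodes, deps, dependents): forward and reverse adjacency lists."""
    deps: Dict[str, List[str]] = defaultdict(list)
    dependents: Dict[str, List[str]] = defaultdict(list)
    nodes: Set[str] = set()
    for dependent, dependency in edges:
        deps[dependent].append(dependency)
        dependents[dependency].append(dependent)
        nodes.update((dependent, dependency))
    return nodes, deps, dependents


def propagation_paths(dependents: Dict[str, List[str]], vulnerable: Set[str]):
    """Depth-first search from each vulnerable component along reverse edges.

    Returns {vulnerable_component: {affected_component: path}}, where path runs
    from the affected component down to the vulnerable one, i.e. one concrete
    propagation path. The keys of the inner dict are the influence range."""
    result: Dict[str, Dict[str, List[str]]] = {}
    for vuln_comp in vulnerable:
        reach: Dict[str, List[str]] = {}
        visited = {vuln_comp}
        stack = [(vuln_comp, [vuln_comp])]
        while stack:
            node, path = stack.pop()
            for parent in dependents.get(node, []):
                if parent in visited:
                    continue
                visited.add(parent)
                reach[parent] = [parent] + path
                stack.append((parent, reach[parent]))
        result[vuln_comp] = reach
    return result


def classify_influence(paths: Dict[str, List[str]]):
    """Split an influence range into direct dependents (path of length 2) and
    indirect ones, the distinction step 4 of the page draws."""
    direct = sorted(c for c, p in paths.items() if len(p) == 2)
    indirect = sorted(c for c, p in paths.items() if len(p) > 2)
    return direct, indirect


def traverse_all(nodes: Set[str], deps, dependents) -> List[List[str]]:
    """The full traversal the page describes: DFS from one node (ignoring edge
    direction), then restart from any unvisited node until every component has
    been visited. Returns the connected groups; a group containing no
    vulnerable component lies outside every influence range."""
    visited: Set[str] = set()
    groups: List[List[str]] = []
    for start in sorted(nodes):
        if start in visited:
            continue
        group, stack = [], [start]
        visited.add(start)
        while stack:
            n = stack.pop()
            group.append(n)
            for m in deps.get(n, []) + dependents.get(n, []):
                if m not in visited:
                    visited.add(m)
                    stack.append(m)
        groups.append(sorted(group))
    return groups


# Constructed sample dependency edges (fictitious component names).
SAMPLE_EDGES = [
    ("app", "web-framework"), ("app", "json-lib"),
    ("web-framework", "json-lib"), ("web-framework", "logtool"),
    ("json-lib", "codec"), ("cli-tool", "codec"),
    ("standalone", "misc"),
]

if __name__ == "__main__":
    nodes, deps, dependents = build_dependency_graph(SAMPLE_EDGES)
    paths = propagation_paths(dependents, {"codec"})["codec"]
    for comp, path in sorted(paths.items()):
        print(f"{comp}: {' -> '.join(path)}")
    print("direct/indirect:", classify_influence(paths))
    print("connected groups:", traverse_all(nodes, deps, dependents))
```

With "codec" marked vulnerable, the search reports json-lib and cli-tool as direct dependents and app and web-framework as indirect ones, while logtool, standalone and misc fall outside the influence range; the full traversal additionally shows that standalone and misc form a group unconnected to any vulnerable component.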
According to one embodiment of the invention, responding to the vulnerability includes:
identifying components with vulnerabilities based on the vulnerability propagation influence graph, determining, based on a graph algorithm, a substitute version of the corresponding component that has no vulnerability or in which the vulnerability is controllable, and substituting it for the vulnerable component;
or determining a repair method for the vulnerable component based on the component vulnerability information, and repairing the vulnerability.
In this way, once a homologous security vulnerability has been determined, a corresponding security response measure can be determined.
According to one embodiment of the invention, the method for constructing the dependency propagation influence graph comprises the following steps:
based on the alignment result of the component information and the vulnerability information, determining the corresponding relation between the component and the vulnerability;
determining dependencies between components using component analysis;
determining the components in which a vulnerability exists;
and constructing a dependency propagation influence graph based on the propagation path and the dependency relationship of the vulnerability.
In one embodiment of the invention, the analysis and response of homologous security vulnerabilities is performed as follows:
the first step: and the data acquisition is realized, and the automatic acquisition of component information such as source codes, binary files, byte codes, third-party package dependencies and the like and domestic and foreign vulnerability data are realized through a crawler program.
The acquisition data source comprises: the source CODE items are collected, and the source CODE items of domestic and foreign open source websites and communities are collected, including GITHUB, GITEE, GOOGLE CODE, APACHE and other open source websites and communities, and because the quantity of the source CODE items is too large, and a plurality of open source items are some example items or items such as students' subjects are found, the items are not depended on by other items basically, and for time efficiency and space saving, the collection can be carried out preferentially according to the popularity and the awareness, such as star and fork indexes in GITHUB. The byte code items in the maven central warehouse are collected in full quantity. Binary projects, collection windows, a common dynamic link library, a static dependency library and a common binary software package project of a Linux system. The third party package relies on to collect configuration file information of multiple programming languages, including more than twenty of the dozens of programming languages such as JS, python, PHP and the like. Vulnerability information, collecting vulnerability data in official vulnerability libraries and private known vulnerability libraries at home and abroad, including NVD, CNVD, CNNVD and other private vulnerability libraries.
And a second step of: vulnerability alignment is a process of analyzing and aligning association relations between collected vulnerability information and source codes, byte codes, binary items and third-party package dependencies: and processing the vulnerability primary data, and performing some version normalization processing by using CPE format information to perform preliminary alignment, wherein CPE is named Common Platform Enumeration, which means that the common platform enumerates items. IT is a unified naming convention for IT products, including systems, platforms, software packages, and the like. And performing further alignment operation by using search information searched by a search engine in a natural language processing mode. And constructing a vulnerability recommendation alignment system by using the alignment information obtained in the two steps, and performing final association relationship alignment in a manual auditing mode.
And a third step of: in the process of dependency analysis, software development and deployment, the dependency relationship among components is very complex, and the invention adopts the technology of component analysis to analyze and process the dependency relationship of the software components. The dependency resolution process includes the following steps: a component is determined. Before analyzing the dependency relationship, all the collected components need to be determined, and the content of the components may be a source code file, a library file, a configuration file and the like, and different types of components are processed by different preprocessing modes. A dependency relationship is determined. By analyzing the reference relationships between the components, the dependency relationships between the components are determined. Dependencies may include compilation dependencies, runtime dependencies, configuration dependencies, and the like. Dependency conflicts are resolved, and in some cases, there may be dependency conflicts between different components, such as conflicts between different versions of the same component. Dependency conflict resolution is required, and an appropriate version is selected and configured accordingly. Managing dependencies. In the software development and deployment process, the dependency relationship is managed, and the version of the dependency is managed, the dependency is updated, and the like.
Fourth step; and constructing a dependency propagation influence graph, and constructing the dependency propagation influence graph by using a graph algorithm after determining the dependency relationship of all the components according to the third step. All components collected are determined, including source code items, binary items, byte code items, third party package dependent item information, and the like, and classified and grouped. And establishing a component dependency graph. The components and the dependency relationships among the components are represented by nodes and edges, and a component dependency graph is constructed. Nodes represent components and edges represent dependencies. Wherein vulnerability components can be marked with points of different sizes depending on what is referenced and how much the reference depends on. In the component dependency graph, components containing vulnerabilities are marked by combining vulnerability alignment information, and color marking can be performed on the vulnerability components according to severity, so that propagation paths and influence ranges of the vulnerabilities can be further analyzed. And analyzing the vulnerability propagation path. Paths of vulnerabilities propagating from the vulnerability component to other components are analyzed according to the dependency graph. Vulnerability propagation can be simulated by a graph algorithm, or manually analyzed. And analyzing the vulnerability influence range. Depending on the vulnerability propagation path, the scope of influence of the vulnerability is analyzed, including affected component child dependencies, parent dependencies, direct dependencies, indirect dependencies, and the like.
Fifth step: performing the security response for the component according to the propagation path and influence range. The security response includes analyzing the homologous vulnerabilities, examining the influence range of the vulnerabilities, and determining the corresponding security measures, such as repairing the vulnerability, upgrading the component, restricting access and the like. Vulnerability identification: components with vulnerabilities are identified using the propagation influence dependency graph, including components that carry a vulnerability directly and components into which a vulnerability is introduced through propagated dependencies. The dependency relationships are extracted from the propagation influence graph by a depth-first search algorithm, so as to thoroughly find the association between the current component and the vulnerability-containing components in the dependency tree; public vulnerability information and security patch information are monitored, and their influence on the system is further evaluated. Vulnerability assessment: the risk and potential influence of the vulnerability are evaluated, and its priority and urgency are determined according to its exploitation difficulty, influence range, severity level and the like. Vulnerability repair: appropriate measures are taken to repair the vulnerability. The component information is located using the propagation influence graph, a graph algorithm is used to search for a similar non-vulnerable version, or the corresponding repair method is located according to the repair suggestions in the component vulnerability information, such as upgrading the component version, installing security patches, modifying code or configuration files, restricting use of the component and the like.
Vulnerability verification: whether the vulnerability has been successfully repaired is verified according to the vulnerability description information, POC information and the like, to ensure the security of the component. Vulnerability reporting: the vulnerability and its repair status are recorded, reported and notified to the relevant parties.
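The fourth and fifth steps, as an added example written for this page (not the patent's own implementation): a constructed dependency graph is built, one component is marked vulnerable from a placeholder alignment result, the propagation paths are enumerated by depth-first search, the influence range is split into direct and indirect dependents, and a repair suggestion is produced. All component names, versions and the vulnerability id are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed sample dependency graph (not from the patent): an edge A -> B means
# component A depends on component B. Names and versions are placeholders.
DEPENDS_ON = {
    "app": ["web-fw@1.2", "json-lib@2.0"],
    "web-fw@1.2": ["http-core@3.1"],
    "json-lib@2.0": ["http-core@3.1", "log-util@0.9"],
    "http-core@3.1": ["log-util@0.9"],
    "log-util@0.9": [],
}
# Constructed alignment result: vulnerable component -> (placeholder vuln id, severity)
VULNERABLE = {"log-util@0.9": ("VULN-ID-PLACEHOLDER", "high")}
# Constructed: a known non-vulnerable version of the same component, if any
FIXED_VERSION = {"log-util@0.9": "log-util@1.0"}

def propagation_paths(deps, root, vuln_comp):
    """DFS from root along dependency edges; returns every path ending at
    vuln_comp. Path length is the number of edges, i.e. len(path) - 1."""
    found = []
    def dfs(node, path, on_path):
        if node == vuln_comp:
            found.append(list(path))
            return
        for nxt in deps.get(node, []):
            if nxt not in on_path:  # cycle guard for circular dependencies
                path.append(nxt)
                on_path.add(nxt)
                dfs(nxt, path, on_path)
                path.pop()
                on_path.discard(nxt)
    dfs(root, [root], {root})
    return found

def influence_range(deps, vuln_comp):
    """Direct dependents (one hop above the vulnerable component) and indirect
    dependents (two or more hops), via BFS on the reversed dependency edges."""
    rev = defaultdict(list)  # component -> components that depend on it
    for comp, targets in deps.items():
        for target in targets:
            rev[target].append(comp)
    direct = set(rev[vuln_comp])
    indirect, seen, queue = set(), set(direct) | {vuln_comp}, deque(direct)
    while queue:
        for parent in rev[queue.popleft()]:
            if parent not in seen:
                seen.add(parent)
                indirect.add(parent)
                queue.append(parent)
    return {"direct": direct, "indirect": indirect}

def respond(deps, root, vulnerable, fixed):
    """For each aligned vulnerability: propagation paths from root, affected range,
    and a repair suggestion (upgrade to a known clean version, else restrict use)."""
    report = []
    for comp, (vuln_id, severity) in vulnerable.items():
        paths = propagation_paths(deps, root, comp)
        rng = influence_range(deps, comp)
        report.append({
            "component": comp, "vuln": vuln_id, "severity": severity,
            "paths": paths,
            "shortest_path_len": min(len(p) - 1 for p in paths) if paths else None,
            "direct_affected": sorted(rng["direct"]),
            "indirect_affected": sorted(rng["indirect"]),
            "suggestion": ("upgrade to " + fixed[comp]) if comp in fixed
                          else "restrict use of the component",
        })
    return report
```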
To test the effect of this embodiment, 1000 relatively commonly used component versions were randomly selected from the package dependency repositories of each of 5 popular programming languages; these component versions themselves contain no vulnerabilities. The components were then analyzed through the propagation influence graph, and the direct dependency information, indirect dependency information and vulnerability information on the dependency propagation paths were located. The results are shown in Table 1.
TABLE 1. Results of propagation influence analysis (1000 component versions tested per ecosystem)

Component type   Avg. dependency   Avg. path length to       Components affected   Vulnerabilities   Avg. repair suggestions
                 path length       introduced vulnerability  by vulnerabilities    introduced        per vulnerability
JAVA (MAVEN)     5.6               3.3                       217                   1347              2.7
JS (NPM)         3.9               2.1                       173                   763               2.5
Python (PIP)     4.2               2.7                       198                   862               2.4
PHP (composer)   3.6               2.2                       146                   347               2.6
C++ (CMAKE)      5.1               3.0                       202                   933               2.5
Table 1 summarizes the statistics obtained from the propagation influence analysis of all components: the average dependency path length (for example, A -> B -> C has length 2), the average length of the path by which a vulnerability is introduced, the number of components affected by vulnerabilities, the number of vulnerabilities introduced, and the average number of repair method suggestions per vulnerability.
The results show that the homologous vulnerability security response based on propagation influence analysis can effectively identify vulnerability information on deep dependency links and reduce missed vulnerability reports. They also show that vulnerable paths exhibit centrality, that is, most vulnerable paths pass through a limited set of dependency relationships, so the method can be used to cut off vulnerable paths. The method can provide program developers with a variety of effective repair suggestions and emergency plans, and reduce the damage of vulnerabilities to the system in a timely and effective manner.
Furthermore, in order to achieve the above object, the present invention further provides a homologous vulnerability security response system based on propagation influence analysis. Fig. 2 is a flowchart of the homologous vulnerability security response system based on propagation influence analysis according to the present invention; as shown in Fig. 2, the system includes:
the component vulnerability alignment unit, used for aligning the component information with the vulnerability data and determining the corresponding relationship between components and vulnerabilities;
the vulnerability propagation influence graph acquisition unit, used for determining a vulnerability propagation influence graph according to the dependency relationships among the components;
and the response unit, used for responding to the vulnerabilities based on their propagation paths and influence ranges.
Based on the method, the method and the system have the advantage that the detection configuration of the code analysis system can be adaptively adjusted for code under test that uses different program frameworks, which saves the step of manually customizing the analysis configuration for a specific framework, simplifies the construction of the relevant models of the system analysis layer, reduces the false alarm rate of security vulnerability detection, and solves the problem of adaptive detection of code under test that uses different program frameworks.
Those of ordinary skill in the art will appreciate that the modules and algorithm steps described in connection with the embodiments disclosed herein can be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the apparatus and device described above may refer to corresponding procedures in the foregoing method embodiments, which are not described herein again.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of modules is merely a logical function division, and there may be additional divisions of actual implementation, e.g., multiple modules or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or modules, which may be in electrical, mechanical, or other forms.
The modules illustrated as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the embodiment of the invention.
In addition, each functional module in the embodiment of the present invention may be integrated in one processing module, or each module may exist alone physically, or two or more modules may be integrated in one module.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored on a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method for energy saving signal transmission/reception of the various embodiments of the present invention. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk, etc.
The foregoing description is only of the preferred embodiments of the present application and is presented as a description of the principles of the technology being utilized. It will be appreciated by persons skilled in the art that the scope of the invention referred to in this application is not limited to the specific combinations of features described above, but also covers other technical solutions which may be formed by any combination of the features described above or their equivalents without departing from the inventive concept. Such as the above-described features and technical features having similar functions (but not limited to) disclosed in the present application are replaced with each other.
It should be understood that, the sequence numbers of the steps in the summary and the embodiments of the present invention do not necessarily mean the order of execution, and the execution order of the processes should be determined by the functions and the internal logic, and should not be construed as limiting the implementation process of the embodiments of the present invention.

Claims (9)

1. A homologous vulnerability security response method based on propagation influence analysis, characterized by comprising the following steps:
determining the corresponding relation between the component and the vulnerability according to the alignment result of the component information and the vulnerability information;
determining a vulnerability propagation influence graph according to the dependency relationship between the components;
responding to the vulnerability based on the propagation path and the influence range of the vulnerability.
2. The homologous vulnerability security response method based on propagation influence analysis according to claim 1, wherein the component information comprises source code, bytecode, binary files or package dependency configuration files, and the vulnerability information comprises vulnerability information from the NVD, CNVD and CNNVD.
3. The homologous vulnerability security response method based on propagation influence analysis according to claim 2, wherein obtaining the alignment result comprises:
performing a primary alignment of the component information and the vulnerability information using CPE-format information;
and performing a secondary alignment on the primary alignment result using natural language processing, to obtain the alignment result of the component information and the vulnerability information.
4. The homologous vulnerability security response method based on propagation influence analysis according to claim 3, wherein a visual interface is constructed based on the alignment result of the component information and the vulnerability information after the secondary alignment, and, in response to an operation associating the component information and the vulnerability information through the visual interface, the component information and the vulnerability information are configured as related.
5. The homologous vulnerability security response method based on propagation influence analysis according to claim 4, wherein the dependency relationships between components are determined by means of composition analysis.
6. The homologous vulnerability security response method based on propagation influence analysis according to claim 5, wherein the dependency propagation influence graph is constructed as follows:
representing components by nodes and the dependency relationships among the components by edges, to construct a dependency relationship graph;
and determining the propagation path and influence range of the vulnerability according to the dependency graph and the components corresponding to the vulnerability.
7. The homologous vulnerability security response method based on propagation influence analysis according to claim 6, wherein responding to the vulnerability comprises:
identifying a component with a vulnerability based on the vulnerability propagation influence graph, determining the association between the current component and the vulnerability-containing component in the dependency graph through a depth-first search algorithm, and determining the influence of the vulnerability-containing component on the system based on the vulnerability information and security patch information of that component.
8. The homologous vulnerability security response method based on propagation influence analysis according to claim 7, wherein responding to the vulnerability further comprises:
identifying components with vulnerabilities based on the vulnerability propagation influence graph, determining a replacement version or a vulnerability-controlled version of the corresponding component that is free of the vulnerability based on a graph algorithm, and replacing the vulnerable component;
or determining a repair method for the vulnerable component based on the component vulnerability information, and repairing the vulnerability.
9. A homologous vulnerability security response system based on propagation influence analysis, comprising:
the component vulnerability alignment unit, used for aligning the component information with the vulnerability data and determining the corresponding relationship between components and vulnerabilities;
the vulnerability propagation influence graph acquisition unit, used for determining a vulnerability propagation influence graph according to the dependency relationships among the components;
and the response unit, used for responding to the vulnerabilities based on their propagation paths and influence ranges.
Application CN202410047059.XA, priority date 2024-01-12, filing date 2024-01-12: Homologous vulnerability safety response method and system based on propagation influence analysis. Status: Pending. Publication: CN117556432A (en).

Publications (1)

CN117556432A (en), publication date 2024-02-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination