CN117828605A - System vulnerability detection method and device, electronic equipment and storage medium - Google Patents
System vulnerability detection method and device, electronic equipment and storage medium
- Publication number: CN117828605A
- Application number: CN202311660557.3A
- Authority: CN (China)
- Prior art keywords: vulnerability, data, module, vulnerability data, tested system
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Abstract
The application provides a method, a device, electronic equipment and a storage medium for detecting system vulnerabilities, which belong to the technical field of network security, and the method comprises the following steps: an IAST module is adopted to monitor and collect an application program executing process in a tested system, first vulnerability data of the tested system is obtained through analyzing the application program executing process, a DAST module is adopted to instruct the tested system to operate a vulnerability detection task, and second vulnerability data of the tested system is obtained through analyzing a task executing process; fusing the first vulnerability data and the second vulnerability data to obtain target vulnerability data; obtaining vulnerability correction suggestions matched with the target vulnerability data; and outputting a vulnerability detection report based on the vulnerability detection result and the vulnerability correction suggestion.
Description
Technical Field
The application belongs to the technical field of network security, and particularly relates to a system vulnerability detection method, a system vulnerability detection device, electronic equipment and a storage medium.
Background
With the development and popularization of cloud computing technology, more and more enterprises choose to migrate business to the cloud, however, this also brings new security challenges.
Because of the characteristics of the cloud environment, traditional security detection means cannot meet the requirements of the current cloud environment and of rapid service iteration: the threshold for manual security penetration testing is high, it is time-consuming, internal security staff are scarce, and the efficiency required to bring rapidly iterating services online cannot be met; vulnerabilities discovered in the production stage take a long time to correct and are costly to repair;
and traditional security detection means cannot effectively detect deep security vulnerabilities in code and components.
Disclosure of Invention
The application provides a system vulnerability detection method, a system vulnerability detection device, electronic equipment and a storage medium.
Some embodiments of the present application provide a method for detecting a system vulnerability, where the method includes:
an IAST module is adopted to monitor and collect an application program executing process in a tested system, first vulnerability data of the tested system is obtained through analyzing the application program executing process, a DAST module is adopted to instruct the tested system to operate a vulnerability detection task, and second vulnerability data of the tested system is obtained through analyzing a task executing process;
fusing the first vulnerability data and the second vulnerability data to obtain target vulnerability data;
obtaining vulnerability correction suggestions matched with the target vulnerability data;
and outputting a vulnerability detection report based on the vulnerability detection result and the vulnerability correction suggestion.
Optionally, the step of monitoring and collecting an application program execution process in the tested system by using the IAST module and obtaining the first vulnerability data of the tested system by analyzing the application program execution process includes:
generating a basic mirror image of the tested system, and deploying a software item into the basic mirror image;
and scanning an application program execution process of the basic mirror image, and analyzing the application program execution process to obtain first vulnerability data of the tested system.
Optionally, the step of using the DAST module to instruct the tested system to run the vulnerability detection task and obtain the second vulnerability data of the tested system by analyzing the task execution process includes:
creating a vulnerability detection task for the tested system;
instructing the tested system to execute the vulnerability detection task, and collecting a traffic log of the tested system;
and performing scanning analysis on the traffic log to obtain second vulnerability data of the tested system.
Optionally, the step of fusing the first vulnerability data and the second vulnerability data to obtain target vulnerability data includes:
and performing deduplication processing on the first vulnerability data and the second vulnerability data to obtain target vulnerability data.
Optionally, the step of performing deduplication processing on the first vulnerability data and the second vulnerability data to obtain target vulnerability data includes:
extracting characteristic data in the first vulnerability data and the second vulnerability data;
splicing the characteristic data to obtain a characteristic character string;
calculating a target hash value of the characteristic character string;
when the target hash value does not exist in a preset hash value list, adding the target hash value into the preset hash value list;
and taking vulnerability data corresponding to the hash value contained in the preset hash value list as target vulnerability data.
Optionally, the step of obtaining the vulnerability correction proposal matched with the target vulnerability data includes:
determining a vulnerability name corresponding to the target vulnerability data;
and querying the vulnerability correction suggestion matched with the vulnerability name in a preset vulnerability correction suggestion mapping relation.
Optionally, the step of outputting a vulnerability detection report based on the vulnerability detection result and the vulnerability correction suggestion includes:
and converting the vulnerability detection result and the vulnerability correction proposal into a vulnerability detection report in a target format, and outputting the vulnerability detection report.
Some embodiments of the present application provide a system vulnerability detection apparatus, where the apparatus includes:
the acquisition module is used for monitoring and collecting an application program execution process in a tested system by using an IAST module, obtaining first vulnerability data of the tested system by analyzing the application program execution process, instructing the tested system to run a vulnerability detection task by using a DAST module, and obtaining second vulnerability data of the tested system by analyzing the task execution process;
the fusion module is used for fusing the first vulnerability data and the second vulnerability data to obtain target vulnerability data;
the output module is used for acquiring vulnerability correction suggestions matched with the target vulnerability data;
and outputting a vulnerability detection report based on the vulnerability detection result and the vulnerability correction suggestion.
Optionally, the acquisition module is further configured to:
generating a basic mirror image of the tested system, and deploying a software item into the basic mirror image;
and scanning an application program execution process of the basic mirror image, and analyzing the application program execution process to obtain first vulnerability data of the tested system.
Optionally, the acquisition module is further configured to:
creating a vulnerability detection task for the tested system;
instructing the tested system to execute the vulnerability detection task, and collecting a traffic log of the tested system;
and performing scanning analysis on the traffic log to obtain second vulnerability data of the tested system.
Optionally, the fusion module is further configured to:
and performing deduplication processing on the first vulnerability data and the second vulnerability data to obtain target vulnerability data.
Optionally, the fusion module is further configured to:
extracting characteristic data in the first vulnerability data and the second vulnerability data;
splicing the characteristic data to obtain a characteristic character string;
calculating a target hash value of the characteristic character string;
when the target hash value does not exist in a preset hash value list, adding the target hash value into the preset hash value list;
and taking vulnerability data corresponding to the hash value contained in the preset hash value list as target vulnerability data.
Optionally, the output module is further configured to:
determining a vulnerability name corresponding to the target vulnerability data;
and querying the vulnerability correction suggestion matched with the vulnerability name in a preset vulnerability correction suggestion mapping relation.
Optionally, the output module is further configured to:
and converting the vulnerability detection result and the vulnerability correction proposal into a vulnerability detection report in a target format, and outputting the vulnerability detection report.
Some embodiments of the present application provide a computing processing device comprising:
a memory having computer readable code stored therein;
one or more processors, the computing processing device performing the method of detecting a system vulnerability as described above when the computer readable code is executed by the one or more processors.
Some embodiments of the present application provide a computer program comprising computer readable code which, when run on a computing processing device, causes the computing processing device to perform a method of detecting a system vulnerability as described above.
Some embodiments of the present application provide a non-transitory computer readable medium in which a method for detecting a system vulnerability as described above is stored.
According to the method, device, electronic equipment and storage medium for detecting system vulnerabilities provided by some embodiments of the application, the two vulnerability detection modes, DAST and IAST, are continuously integrated with the software project in the tested system, and the vulnerability detection results obtained by the two detection modes are fused to generate a vulnerability detection report; vulnerabilities at the code and component layers can thus be detected using the IAST module, and vulnerabilities can be found from the black-box angle using the DAST module, so that automated security detection can be conveniently built and integrated into the early stage of the software life cycle, serious vulnerabilities in the later stage of development are avoided, and the efficiency of software development is improved.
The foregoing description is only an overview of the technical solutions of the present application, and may be implemented according to the content of the specification in order to make the technical means of the present application more clearly understood, and in order to make the above-mentioned and other objects, features and advantages of the present application more clearly understood, the following detailed description of the present application will be given.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, a brief description will be given below of the drawings that are needed in the embodiments or the prior art descriptions, and it is obvious that the drawings in the following description are some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 schematically illustrates a flowchart of a system vulnerability detection method according to some embodiments of the present application;
FIG. 2 schematically illustrates a software architecture diagram of a system vulnerability detection method according to some embodiments of the present application;
FIG. 3 schematically illustrates one of the flow diagrams of another system vulnerability detection method provided in some embodiments of the present application;
FIG. 4 schematically illustrates a schematic structure of vulnerability data provided in some embodiments of the present application;
FIG. 5 schematically illustrates a second flowchart of another system vulnerability detection method according to some embodiments of the present application;
FIG. 6 schematically illustrates a third flowchart of another system vulnerability detection method according to some embodiments of the present application;
fig. 7 schematically illustrates a structural schematic diagram of a system bug detection device according to some embodiments of the present application;
FIG. 8 schematically illustrates a block diagram of a computing processing device for performing methods according to some embodiments of the present application;
fig. 9 schematically illustrates a storage unit for holding or carrying program code for implementing methods according to some embodiments of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
Fig. 1 schematically illustrates a flowchart of a method for detecting a system vulnerability provided in the present application, where the method includes:
step 101, an IAST module is adopted to monitor and collect an application program executing process in a tested system, first vulnerability data of the tested system is obtained through analyzing the application program executing process, a DAST module is adopted to instruct the tested system to operate a vulnerability detection task, and second vulnerability data of the tested system is obtained through analyzing a task executing process.
Step 102, fusing the first vulnerability data and the second vulnerability data to obtain target vulnerability data.
It should be noted that the IAST module is a functional module built on IAST (Interactive Application Security Testing) technology; IAST automatically identifies and diagnoses software vulnerabilities in applications and APIs by means of instrumentation. The DAST module is a functional module built on DAST (Dynamic Application Security Testing) technology, a black-box testing technique that tests the application automatically by simulating the behaviour of a malicious attacker.
In the embodiment of the present application, referring to fig. 2, the execution process of the system vulnerability detection method provided in the embodiment of the present application involves an IAST module, a DAST module and a fusion module;
the IAST module comprises three service modules, namely an agent (agent node), a vulnerability analysis engine and an image template configuration;
the agent is deployed in the tested system and is used for monitoring the data flow of the web application server of the tested system, monitoring the application program execution process by means of code instrumentation, temporarily storing the collected application program execution process in a system queue, and pushing the stored application program execution process to the vulnerability analysis engine.
The vulnerability analysis engine is used for providing the vulnerability analysis function: it analyzes the application program execution process acquired by the agent using the DongTai open-source engine and pushes the first vulnerability detection result obtained by the analysis to the report generation module in the fusion module.
The image template configuration is used for providing a dockerfile template configuration function for the base image: it classifies templates according to the development language used by the web server, generates the base image dockerfile with the agent embedded, and builds the dockerfile together with the tested system into the base image.
DAST modules include, but are not limited to: the system comprises a flow acquisition module, a vulnerability scanning engine and a task management module.
The traffic collection module is deployed at the service test exit point, which can be set using a switching tool such as whistle; all data such as requests and responses generated at the service test exit point are collected and stored in a local traffic log file. The vulnerability scanning engine may be implemented using the x-ray open-source tool.
The task management module is used for providing functions such as task creation, task scanning and task ending states of the DAST scanning. The task creation is automatically triggered when the software project version is deployed, the traffic collection module is used for storing traffic of the service test in a local traffic log of the service test contact, the traffic log is automatically pushed to the vulnerability scanning engine to trigger the task scanning process when the test is completed, and the obtained second vulnerability detection result is pushed to the report generation module in the fusion module after the vulnerability scanning process is finished.
Step 103, obtaining vulnerability correction suggestions matched with the target vulnerability data.
In the embodiment of the application, the fusion module includes, but is not limited to, report rule configuration, vulnerability deduplication module, vulnerability mapping management module, and report generation module.
The rule configuration provides detection rule management, PoC configuration management and sensitive information detection rule configuration management for the two detection modes of the IAST module and the DAST module. Detection rules are configured to control the vulnerability detection logic of the vulnerability detection engine through a vulnerability name and a vulnerability judgment rule. PoC configuration management is used for writing custom PoCs, expanding the vulnerability database and detecting more 0-day and 1-day vulnerabilities. Sensitive information detection rule configuration management is used for judging, through configured regular expressions, whether the requests or response packets of the tested system contain custom sensitive information; identity information, mobile phone numbers and the like can be configured as sensitive information by default.
And the vulnerability deduplication module is used for removing repeated detection results in the first vulnerability detection result and the second vulnerability detection result.
The vulnerability mapping management module is used for providing mapping configurations, such as the security risks and security suggestions corresponding to each vulnerability name, for generating the automated penetration test report; it matches the corresponding vulnerability correction suggestion using the vulnerability name in the deduplicated vulnerability results and generates the data required in the vulnerability detection report.
Step 104, outputting a vulnerability detection report based on the vulnerability detection result and the vulnerability correction suggestion.
In the embodiment of the application, the report generation module is used for generating the vulnerability detection report in the specified format from the output target vulnerability detection result.
According to the embodiment of the application, the DAST and IAST vulnerability detection modes are continuously integrated with the software project in the tested system, and the vulnerability detection results obtained by the two detection modes are fused to generate a vulnerability detection report; the IAST module can thus be used to detect vulnerabilities at the code and component layers, and the DAST module can be used to find vulnerabilities from the black-box angle, so that automated security detection can be conveniently built and integrated into the early stage of the software life cycle, serious vulnerabilities in the later stage of development are avoided, and the efficiency of software development is improved.
Optionally, the step 101 includes:
and step 1011, generating a basic image of the tested system, and deploying the software project into the basic image.
Step 1012, scanning an application program execution process of the base image, and analyzing the application program execution process to obtain first vulnerability data of the tested system.
In the embodiment of the present application, referring to fig. 3, the operation procedure of the iast module is as follows:
Step S1, the dockerfile image generated through the image template configuration is taken as the base image of the tested system and the agent is embedded into it; the conventional continuous-integration deployment flow of the software project is then carried out, and after the test environment of the tested system is fully deployed, conventional service function tests are run on the tested system, during which the IAST module automatically performs passive scanning.
Step S2, during the passive scanning performed by the IAST module, each time a vulnerability is found it is stored in the vulnerability object data structure shown, for example, in fig. 4.
According to the embodiment of the application, the IAST module is used to scan the base image of the tested system and the vulnerability detection result is obtained by analysis, which facilitates extracting software vulnerabilities at the image level.
Optionally, the step 101 includes:
step 1013, creating a vulnerability detection task for the tested system.
Step 1014, instructing the tested system to execute the vulnerability detection task, and collecting the flow log of the tested system.
And step 1015, performing scanning analysis on the traffic log to obtain second vulnerability data of the tested system.
In the embodiment of the present application, referring to fig. 5, the dast module operates as follows:
Step P1, after the deployment of the test environment of the tested system is completed, the creation of the DAST scanning task is triggered by calling the task creation interface of the task management module, and the traffic collection module deployed at the service test exit point stores the service test traffic locally.
Step P2, after the service test ends, the service test exit point actively triggers the link and calls the end-task interface of the task management module.
Step P3, after the task ending state is triggered, the traffic collection module pushes the traffic log to the vulnerability scanning engine module for DAST scanning.
Step P4, during the active scanning performed by the DAST module, each time a vulnerability is found it is stored in the database according to the vulnerability object data structure.
Optionally, the step 102 includes: and performing deduplication processing on the first vulnerability data and the second vulnerability data to obtain target vulnerability data.
Optionally, the step 102 includes:
and step 1021, extracting characteristic data in the first vulnerability data and the second vulnerability data.
And step 1022, splicing the characteristic data to obtain a characteristic character string.
Step 1023, calculating the target hash value of the characteristic string.
Step 1024, adding the target hash value to the preset hash value list when the target hash value does not exist in the preset hash value list.
Step 1025, using the vulnerability data corresponding to the hash value contained in the preset hash value list as the target vulnerability data.
In the embodiment of the present application, referring to fig. 6, the vulnerability deduplication module performs feature extraction on each vulnerability data item, the features including but not limited to name, describe, url and request. The extracted feature values are then spliced and converted into a characteristic character string, and a target hash value is calculated for each characteristic character string with a hash function; the hash value may be calculated with the md5 algorithm. The target hash values of the different vulnerability data are then stored in a hash set (the preset hash value list), and at the same time a map is created in which the target hash value is the key and the vulnerability data is stored as the value. If new vulnerability data is received in subsequent steps, the above steps are repeated to calculate its hash value.
Further, the target hash value of newly input vulnerability data is compared with the hash values already in the preset hash value list: if the calculated hash value already exists in the list, the vulnerability data is a repeat and the hash value need not be added; if the target hash value does not exist in the list, the vulnerability data is new, the target hash value is added to the preset hash value list, and the corresponding vulnerability data is stored in the mapping table at the same time. Finally, each value in the mapping table represents a non-repeated vulnerability data item.
According to the embodiment of the application, the vulnerability detection results generated by the two different vulnerability detection modes are subjected to duplicate removal processing in a hash value comparison mode, so that repeated error reporting in the vulnerability detection process is avoided, and the accuracy of vulnerability detection is improved.
Optionally, the step 103 includes:
step 1031, determining the vulnerability name corresponding to the target vulnerability data.
Step 1032, querying a vulnerability correction suggestion matched with the vulnerability name in a preset vulnerability correction suggestion mapping relation.
In the embodiment of the present application, the vulnerability name of the target vulnerability data may be obtained as follows: when the IAST module or the DAST module detects that a certain vulnerability exists according to the CVE and OWASP vulnerability detection principles and component versions, the vulnerability name is the name of that vulnerability; for example, if the IAST module or the DAST module discovers that the system has an SQL injection vulnerability, the vulnerability name of the vulnerability data is SQL injection. Furthermore, security risk descriptions and security modification suggestions can be set in advance for the vulnerabilities corresponding to different vulnerability names, so that the obtained vulnerability name can be used to query the matching security risk description and security modification suggestion, and the user does not need to provide modification suggestions repeatedly for the same vulnerability.
According to the embodiment of the invention, the preset vulnerability correction suggestion mapping relation is used to set vulnerability correction suggestions for the vulnerability data corresponding to different vulnerability names, so that the user is not required to provide correction suggestions repeatedly for the same vulnerability data, and the output efficiency of the vulnerability detection report is improved.
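The deduplication of steps 1021 to 1025 and the suggestion lookup of steps 1031 to 1032, worked through as an added Python example that is not part of the patent: the sample findings, the CORRECTION_MAP entries, the length-prefixed splicing and all function names are constructed here for illustration.

```python
"""Hash-based fusion of IAST and DAST findings (steps 1021-1025) and lookup of
preset correction suggestions by vulnerability name (steps 1031-1032).
Added example: findings, mapping entries and function names are constructed."""
import hashlib
from typing import Dict, Iterable, List, Sequence, Tuple

# Features spliced into the characteristic string: the four the text names,
# in a fixed order so the same finding hashes identically from either module.
FEATURE_FIELDS: Sequence[str] = ("name", "describe", "url", "request")


def characteristic_string(vuln: Dict[str, str], fields: Sequence[str] = FEATURE_FIELDS) -> str:
    """Splice the selected features into one string. Each value is
    length-prefixed so that "ab"+"c" and "a"+"bc" do not collide; naive
    concatenation would hash them identically and merge two distinct findings."""
    values = [str(vuln.get(f, "")) for f in fields]
    return "|".join(f"{len(v)}:{v}" for v in values)


def target_hash(vuln: Dict[str, str], fields: Sequence[str] = FEATURE_FIELDS) -> str:
    """MD5 of the characteristic string, as in the text; a dedup key, not a security control."""
    return hashlib.md5(characteristic_string(vuln, fields).encode("utf-8")).hexdigest()


class VulnerabilityDeduplicator:
    """The preset hash value list plus the hash -> vulnerability data map."""

    def __init__(self, fields: Sequence[str] = FEATURE_FIELDS) -> None:
        self.fields = fields
        self.hash_list: set = set()
        self.by_hash: Dict[str, Dict[str, str]] = {}  # insertion order is kept

    def add(self, vuln: Dict[str, str]) -> bool:
        """Return True if the finding is new, False if its hash was already listed."""
        digest = target_hash(vuln, self.fields)
        if digest in self.hash_list:
            return False
        self.hash_list.add(digest)
        self.by_hash[digest] = vuln
        return True

    def target_vulnerability_data(self) -> List[Dict[str, str]]:
        return list(self.by_hash.values())


def fuse(first: Iterable[Dict[str, str]], second: Iterable[Dict[str, str]],
         fields: Sequence[str] = FEATURE_FIELDS) -> List[Dict[str, str]]:
    """Step 102: deduplicate IAST (first) and DAST (second) findings."""
    dedup = VulnerabilityDeduplicator(fields)
    for vuln in list(first) + list(second):
        dedup.add(vuln)
    return dedup.target_vulnerability_data()


# Preset mapping (constructed): vulnerability name -> (security risk, correction suggestion).
CORRECTION_MAP: Dict[str, Tuple[str, str]] = {
    "SQL injection": ("Attacker-controlled input alters database queries.",
                      "Use parameterised queries and allow-list input validation."),
    "Cross-site scripting": ("Untrusted data is rendered as script in the browser.",
                             "Apply context-aware output encoding and a Content-Security-Policy."),
}
DEFAULT_SUGGESTION = ("Unclassified risk", "No preset suggestion; review manually.")


def attach_suggestions(vulns: Iterable[Dict[str, str]],
                       mapping: Dict[str, Tuple[str, str]] = CORRECTION_MAP) -> List[Dict[str, str]]:
    """Step 103: enrich each deduplicated finding with its mapped risk and suggestion."""
    report = []
    for vuln in vulns:
        risk, fix = mapping.get(vuln["name"], DEFAULT_SUGGESTION)
        report.append({**vuln, "security_risk": risk, "correction_suggestion": fix})
    return report


def finding(name: str, describe: str, url: str, request: str) -> Dict[str, str]:
    return {"name": name, "describe": describe, "url": url, "request": request}


# Constructed sample findings. /api/user is reported identically by both modules;
# /api/order is the same issue but each module describes it in its own words,
# so deduplicating on all four features keeps both, deduplicating on name+url merges them.
IAST_FINDINGS = [
    finding("SQL injection", "Tainted parameter id reaches Statement.execute",
            "http://app.test/api/user", "GET /api/user?id=1"),
    finding("Outdated component", "demo-lib 1.0 is below the fixed release", "http://app.test", ""),
    finding("SQL injection", "Tainted parameter id reaches Statement.execute",
            "http://app.test/api/order", "GET /api/order?id=7"),
]
DAST_FINDINGS = [
    finding("SQL injection", "Tainted parameter id reaches Statement.execute",
            "http://app.test/api/user", "GET /api/user?id=1"),
    finding("Cross-site scripting", "Parameter q reflected unencoded in the response",
            "http://app.test/search", "GET /search?q=test"),
    finding("SQL injection", "Response differs between two crafted id values",
            "http://app.test/api/order", "GET /api/order?id=7"),
]


def build_report(fields: Sequence[str] = FEATURE_FIELDS) -> List[Dict[str, str]]:
    """Full fusion step: dedupe on the chosen features, then attach suggestions."""
    return attach_suggestions(fuse(IAST_FINDINGS, DAST_FINDINGS, fields))
```

Which features go into the characteristic string decides how aggressive the merge is: the `describe` field differs between IAST and DAST wording for the same issue, so hashing all four features keeps both reports while hashing only `name` and `url` collapses them.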
Optionally, the step 1034 includes: converting the vulnerability detection result and the vulnerability correction suggestion into a vulnerability detection report in a target format, and outputting the vulnerability detection report.
In the embodiment of the application, after the target vulnerability detection result and the vulnerability modification suggestions are combined, they are output in a format such as Word, PDF or TXT, so that the user can intuitively see each vulnerability modification suggestion while having the complete vulnerability detection result, and the flexibility of the vulnerability detection report is improved.
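The three steps the description covers here, that is, fusing the IAST and DAST findings by hashing a spliced feature string against a hash list, looking up a preset correction suggestion by vulnerability name, and converting the result into a report in a target format, as one added, runnable Python example. This is illustrative code written for this page, not the patent's own implementation: the `Finding` fields, the choice of name, endpoint and parameter as the characteristic data, SHA-256 as the hash, the sample findings and the sample entries in the suggestion mapping are all assumptions.

```python
"""Added example (not the patent's code): IAST/DAST finding fusion by
feature-string hash, preset name -> suggestion lookup, and report rendering."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Preset "vulnerability correction suggestion mapping relation":
# vulnerability name -> security risk description and correction suggestion.
# Constructed sample entries; a real table would be maintained separately.
SUGGESTION_MAP: Dict[str, Dict[str, str]] = {
    "SQL injection": {
        "risk": "Untrusted input reaches a database query and can change its meaning.",
        "fix": "Use parameterised queries or prepared statements; never concatenate input into SQL.",
    },
    "Cross-site scripting": {
        "risk": "Untrusted input is echoed into HTML without encoding.",
        "fix": "Output-encode for the HTML context and set a restrictive Content-Security-Policy.",
    },
}
NAME_INDEX = {k.lower(): v for k, v in SUGGESTION_MAP.items()}  # case-insensitive lookup
UNKNOWN = {"risk": "No preset description for this vulnerability name.",
           "fix": "No preset suggestion; triage manually and extend the mapping."}


@dataclass(frozen=True)
class Finding:
    """One item of vulnerability data. Field names are assumptions for this example."""
    source: str      # "IAST" or "DAST": which module produced it
    name: str        # vulnerability name, e.g. "SQL injection"
    url: str         # affected endpoint
    parameter: str   # affected parameter
    component: str   # component/version the detector attributed it to ("" if unknown)


def feature_string(f: Finding) -> str:
    """Extract the characteristic data and splice it into one string.

    Assumption: name, endpoint and parameter identify an issue. The source module
    and the component string are deliberately left out so that an IAST and a DAST
    report of the same issue hash identically; case and whitespace are normalised.
    """
    return "|".join(p.strip().lower() for p in (f.name, f.url, f.parameter))


def target_hash(f: Finding) -> str:
    """Hash of the feature string; this is the value compared against the hash list."""
    return hashlib.sha256(feature_string(f).encode("utf-8")).hexdigest()


def fuse(first: List[Finding], second: List[Finding],
         hash_list: Optional[Set[str]] = None) -> List[Finding]:
    """Fuse first (IAST) and second (DAST) vulnerability data by deduplication.

    A finding is kept only when its hash is absent from the hash list, and the hash
    is then added, so any later duplicate from either module is dropped. Passing a
    persisted hash_list lets a later run suppress findings already reported.
    """
    seen = set() if hash_list is None else hash_list
    target: List[Finding] = []
    for f in first + second:
        h = target_hash(f)
        if h not in seen:
            seen.add(h)
            target.append(f)
    return target


def attach_suggestions(target: List[Finding]) -> List[Dict[str, str]]:
    """Query the preset mapping for the suggestion matching each finding's name."""
    rows = []
    for f in target:
        entry = NAME_INDEX.get(f.name.strip().lower(), UNKNOWN)
        rows.append({"source": f.source, "name": f.name, "url": f.url,
                     "parameter": f.parameter, "component": f.component,
                     "risk": entry["risk"], "fix": entry["fix"]})
    return rows


def render_report(rows: List[Dict[str, str]], fmt: str = "txt") -> str:
    """Convert detection result plus suggestions into a report in the target format."""
    if fmt == "json":
        return json.dumps(rows, indent=2)
    if fmt == "txt":
        return "\n".join(
            f"[{i}] {r['name']} at {r['url']} (param: {r['parameter']}, found by {r['source']})\n"
            f"    risk: {r['risk']}\n    fix:  {r['fix']}" for i, r in enumerate(rows, 1))
    if fmt == "md":
        head = "| # | Vulnerability | Endpoint | Parameter | Source | Suggested fix |\n|---|---|---|---|---|---|"
        body = [f"| {i} | {r['name']} | {r['url']} | {r['parameter']} | {r['source']} | {r['fix']} |"
                for i, r in enumerate(rows, 1)]
        return "\n".join([head] + body)
    raise ValueError(f"unsupported report format: {fmt}")


# Constructed sample findings: the first two are the same issue seen by both
# modules with cosmetic differences; the third is seen only by DAST.
IAST_FINDINGS = [Finding("IAST", "SQL injection", "/api/login", "username", "mysql-connector-java 8.0.11")]
DAST_FINDINGS = [Finding("DAST", "SQL Injection", "/api/login ", "Username", ""),
                 Finding("DAST", "Cross-site scripting", "/search", "q", "")]

if __name__ == "__main__":
    print(render_report(attach_suggestions(fuse(IAST_FINDINGS, DAST_FINDINGS)), "txt"))
```

Which fields go into the feature string decides what "duplicate" means: hashing the reporting module or a component string that only one detector fills in would make the two reports of one issue never collide, while hashing only the name would merge distinct issues. Keeping the hash list across runs, as `fuse` allows, also suppresses findings that were already reported, which is the repeated-error-reporting case the description targets.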
Fig. 7 is a schematic structural diagram of a system vulnerability detection device 20 provided in the present application, where the device includes:
an acquisition module 201, configured to monitor and collect an application program execution process in a tested system by using an IAST module, obtain first vulnerability data of the tested system by analyzing the application program execution process, instruct the tested system to run a vulnerability detection task by using a DAST module, and obtain second vulnerability data of the tested system by analyzing the task execution process;
a fusion module 202, configured to fuse the first vulnerability data and the second vulnerability data to obtain target vulnerability data;
an output module 203, configured to obtain vulnerability modification suggestions that match the target vulnerability data,
and to output a vulnerability detection report based on the vulnerability detection result and the vulnerability correction suggestions.
Optionally, the acquisition module 201 is further configured to:
generating a basic mirror image of the tested system, and deploying a software item into the basic mirror image;
and scanning an application program execution process of the basic mirror image, and analyzing the application program execution process to obtain first vulnerability data of the tested system.
Optionally, the acquisition module 201 is further configured to:
creating a vulnerability detection task for the tested system;
the tested system is instructed to execute the vulnerability detection task, and a flow log of the tested system is collected;
and scanning and analyzing the flow log to obtain second vulnerability data of the tested system.
Optionally, the fusion module 202 is further configured to:
and performing deduplication processing on the first vulnerability data and the second vulnerability data to obtain target vulnerability data.
Optionally, the fusion module 202 is further configured to:
extracting characteristic data in the first vulnerability data and the second vulnerability data;
splicing the characteristic data to obtain a characteristic character string;
calculating a target hash value of the characteristic character string;
when the target hash value does not exist in a preset hash value list, adding the target hash value into the preset hash value list;
and taking vulnerability data corresponding to the hash value contained in the preset hash value list as target vulnerability data.
Optionally, the output module 203 is further configured to:
determining a vulnerability name corresponding to the target vulnerability data;
and inquiring the bug correction proposal matched with the bug name in a preset bug correction proposal mapping relation.
Optionally, the output module 203 is further configured to:
and converting the vulnerability detection result and the vulnerability correction proposal into a vulnerability detection report in a target format, and outputting the vulnerability detection report.
According to the embodiment of the application, the DAST and IAST vulnerability detection modes are continuously integrated with the software projects in the tested system, and the vulnerability detection results obtained by the two detection modes are fused to generate a vulnerability detection report, so that the IAST module can be used to detect vulnerabilities at the code and component layers while the DAST module finds vulnerabilities from the black-box testing angle. Automated security testing can thus be built conveniently and integrated into the early stage of the software life cycle, serious vulnerabilities in the later stage of development are avoided, and the efficiency of software development is improved.
Various component embodiments of the present application may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functions of some or all of the components in a computing processing device according to embodiments of the present application may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). The present application may also be embodied as an apparatus or device program (e.g., computer program and computer program product) for performing a portion or all of the methods described herein. Such a program embodying the present application may be stored on a non-transitory computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
For example, FIG. 8 illustrates a computing processing device in which methods according to the present application may be implemented. The computing processing device conventionally includes a processor 310 and a computer program product in the form of a memory 320 or a non-transitory computer readable medium. The memory 320 may be an electronic memory such as a flash memory, an EEPROM (electrically erasable programmable read only memory), an EPROM, a hard disk, or a ROM. The memory 320 has a memory space 330 for program code 331 for performing any of the method steps in the method described above. For example, the memory space 330 for the program code may include individual program code 331 for implementing the various steps in the above method, respectively. The program code can be read from or written to one or more computer program products. These computer program products comprise a program code carrier such as a hard disk, a Compact Disc (CD), a memory card or a floppy disk. Such a computer program product is typically a portable or fixed storage unit as described with reference to fig. 9. The storage unit may have memory segments, memory spaces, etc. arranged similarly to the memory 320 in the computing processing device of fig. 8. The program code may be compressed, for example, in a suitable form. Typically, the storage unit comprises computer readable code 331', i.e. code that can be read by a processor, such as 310, for example, which when run by a computing processing device causes the computing processing device to perform the steps in the method described above.
It should be understood that, although the steps in the flowcharts of the figures are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited in order and may be performed in other orders, unless explicitly stated herein. Moreover, at least some of the steps in the flowcharts of the figures may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order of their execution not necessarily being sequential, but may be performed in turn or alternately with other steps or at least a portion of the other steps or stages.
Reference herein to "one embodiment," "an embodiment," or "one or more embodiments" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Furthermore, it is noted that the phrase "in one embodiment" as used herein does not necessarily refer to the same embodiment each time.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the present application may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The application may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not denote any order; these words may be interpreted as names.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.
Claims (10)
1. A method for detecting a system vulnerability, the method comprising:
an IAST module is adopted to monitor and collect an application program executing process in a tested system, first vulnerability data of the tested system is obtained through analyzing the application program executing process, a DAST module is adopted to instruct the tested system to operate a vulnerability detection task, and second vulnerability data of the tested system is obtained through analyzing a task executing process;
fusing the first vulnerability data and the second vulnerability data to obtain target vulnerability data;
obtaining vulnerability correction suggestions matched with the target vulnerability data;
and outputting a vulnerability detection report based on the vulnerability detection result and the vulnerability correction suggestion.
2. The method of claim 1, wherein the step of using the IAST module to monitor and collect application execution in the system under test and obtain the first vulnerability data of the system under test by analyzing the application execution includes:
generating a basic mirror image of the tested system, and deploying a software item into the basic mirror image;
and scanning an application program execution process of the basic mirror image, and analyzing the application program execution process to obtain first vulnerability data of the tested system.
3. The method of claim 1, wherein the step of using the DAST module to instruct the tested system to run the vulnerability detection task and obtain the second vulnerability data of the tested system by analyzing the task execution process comprises:
creating a vulnerability detection task for the tested system;
the tested system is instructed to execute the vulnerability detection task, and a flow log of the tested system is collected;
and scanning and analyzing the flow log to obtain second vulnerability data of the tested system.
4. The method of claim 1, wherein the step of fusing the first vulnerability data and the second vulnerability data to obtain target vulnerability data comprises:
and performing deduplication processing on the first vulnerability data and the second vulnerability data to obtain target vulnerability data.
5. The method of claim 4, wherein the step of performing deduplication processing on the first vulnerability data and the second vulnerability data to obtain target vulnerability data comprises:
extracting characteristic data in the first vulnerability data and the second vulnerability data;
splicing the characteristic data to obtain a characteristic character string;
calculating a target hash value of the characteristic character string;
when the target hash value does not exist in a preset hash value list, adding the target hash value into the preset hash value list;
and taking vulnerability data corresponding to the hash value contained in the preset hash value list as target vulnerability data.
6. The method of claim 1, wherein the step of obtaining the vulnerability modification suggestion that the target vulnerability data matches comprises:
determining a vulnerability name corresponding to the target vulnerability data;
and inquiring the bug correction proposal matched with the bug name in a preset bug correction proposal mapping relation.
7. The method of claim 1, wherein the outputting the vulnerability detection report based on the vulnerability detection result and the vulnerability correction advice comprises:
and converting the vulnerability detection result and the vulnerability correction proposal into a vulnerability detection report in a target format, and outputting the vulnerability detection report.
8. A system vulnerability detection apparatus, the apparatus comprising:
an acquisition module, configured to monitor and collect an application program execution process in a tested system by using an IAST module, obtain first vulnerability data of the tested system by analyzing the application program execution process, instruct the tested system to run a vulnerability detection task by using a DAST module, and obtain second vulnerability data of the tested system by analyzing the task execution process;
the fusion module is used for fusing the first vulnerability data and the second vulnerability data to obtain target vulnerability data;
the output module is used for acquiring vulnerability correction suggestions matched with the target vulnerability data;
and outputting a vulnerability detection report based on the vulnerability detection result and the vulnerability correction suggestion.
9. A computing processing device, comprising:
a memory having computer readable code stored therein;
one or more processors, wherein, when the computer readable code is executed by the one or more processors, the computing processing device performs the method of detecting a system vulnerability as recited in any one of claims 1-7.
10. A non-transitory computer readable medium, wherein a computer program of the system vulnerability detection method according to any one of claims 1-7 is stored.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311660557.3A CN117828605A (en) | 2023-12-05 | 2023-12-05 | System vulnerability detection method and device, electronic equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311660557.3A CN117828605A (en) | 2023-12-05 | 2023-12-05 | System vulnerability detection method and device, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117828605A true CN117828605A (en) | 2024-04-05 |
Family
ID=90514302
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311660557.3A Pending CN117828605A (en) | 2023-12-05 | 2023-12-05 | System vulnerability detection method and device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117828605A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118503992A (en) * | 2024-07-17 | 2024-08-16 | 杭州孝道科技有限公司 | IAST application vulnerability aggregation method based on multiple feature factor signatures |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10657264B2 (en) | Techniques for correlating vulnerabilities across an evolving codebase | |
CN108334781B (en) | Virus detection method, device, computer readable storage medium and computer equipment | |
CN111523117A (en) | Android malicious software detection and malicious code positioning system and method | |
US10679135B2 (en) | Periodicity analysis on heterogeneous logs | |
JPWO2018235252A1 (en) | Analyzing device, log analyzing method, and analyzing program | |
CN109375945A (en) | Firmware version detection method and vulnerability repair rate evaluation method for Internet of things equipment | |
Jie et al. | Survey on software vulnerability analysis method based on machine learning | |
CN107392028A (en) | The detection method and its detection means of sensitive information, storage medium, electronic equipment | |
WO2018127794A1 (en) | Management of security vulnerabilities | |
Nguyen et al. | Detecting repackaged android applications using perceptual hashing | |
CN109766697A (en) | Vulnerability scanning method, storage medium, equipment and system applied to linux system | |
US20230252136A1 (en) | Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information | |
CN113468524B (en) | RASP-based machine learning model security detection method | |
CN112131571B (en) | Threat tracing method and related equipment | |
CN114036059A (en) | Automatic penetration testing system and method for power grid system and computer equipment | |
Pirch et al. | Tagvet: Vetting malware tags using explainable machine learning | |
CN117828605A (en) | System vulnerability detection method and device, electronic equipment and storage medium | |
US20240054210A1 (en) | Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program | |
KR101228902B1 (en) | Cloud Computing-Based System for Supporting Analysis of Malicious Code | |
CN116932381A (en) | Automatic evaluation method for security risk of applet and related equipment | |
CN116756021A (en) | Fault positioning method and device based on event analysis, electronic equipment and medium | |
CN114036526A (en) | Vulnerability testing method and device, computer equipment and storage medium | |
Michalas et al. | MemTri: A memory forensics triage tool using bayesian network and volatility | |
CN115834188A (en) | Vulnerability scanning monitoring method and system, electronic equipment and storage medium | |
CN115270136A (en) | Binary group-based vulnerability clone detection system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||