KR102130944B1 - Method for identifying device information based on named-entity recognition and apparatus thereof - Google Patents

Abstract

Provided is an object name recognition based device information identification method that analyzes scan data of a target device connected to the Internet to identify Common Platform Enumeration (CPE) information associated with the target device. A method for identifying device information based on object name recognition performed by a computing device includes analyzing received scan data as a response to a request sent to an Internet-connected device to obtain a plurality of search keywords, Obtaining a plurality of candidate CPEs associated with the device using the plurality of search keywords, and comparing the entity name obtained as a result of Named-Entity Recognition to the scan data with the keyword associated with the candidate CPE And determining a final CPE of the device by removing at least some of the plurality of candidate CPEs based on the step and the comparison result.

Description

METHOD FOR IDENTIFYING DEVICE INFORMATION BASED ON NAMED-ENTITY RECOGNITION AND APPARATUS THEREOF}

The present disclosure relates to a method and apparatus for identifying device information based on object name recognition. More specifically, the present invention relates to a method for identifying common platform enumeration (CPE) information associated with the device by analyzing scan data of an internet-connected device, and an apparatus for performing the method.

The security vulnerabilities inherent in software can easily be exploited to attack computer systems. Attackers can use Internet scanning tools to identify vulnerable Web services and perform malicious actions. Therefore, security managers need to identify open vulnerabilities and respond quickly. In particular, as the Internet of Things (IoT) devices are widely spread in recent years, the number of devices connected to the Internet is rapidly increasing. Therefore, it is necessary to quickly identify security vulnerabilities of numerous computer systems connected to the Internet and perform vulnerability analysis.

In order to easily share a known security vulnerability, vulnerability information is provided from various vulnerability information sources. For example, the National Vulnerability Database (NVD) provides Common Vulnerabilities and Exposures (CVE) information. CVE information provides a reference method for security vulnerability information in software packages. CVE information includes Common Vulnerabilities and Exposures IDentifier (CVE-ID), Vulnerability Overview, Vulnerability Scoring System (CVSS), Common Platform Enumeration (CPE), and Common Weakness Enumeration (CWE). ). Accordingly, if only CPE information for a device is identified, the security vulnerability of the corresponding device may be obtained by querying the CVE information matched with this.

In order to obtain the correct vulnerability information, the CPE information of the device needs to be accurately identified. In the related art, keywords were extracted from the scan data of the device, and the operating system and application product name associated with the device were extracted from the CPE dictionary using the extracted keywords.

However, since the application CPE includes a number of product names composed of common words such as'login' and'server', if the CPE is identified in a conventional manner, the product name not related to the device is frequently extracted into the CPE. Occurred. In particular, the number of wrong CPEs was frequently extracted because the number of application CPEs is so large that it occupies about 86% (about 130,000) of the total CPEs. That is, the conventional method has a problem in that the accuracy of CPE identification is poor, and accordingly, the security vulnerability of the device cannot be correctly identified.

In addition, since the CPE dictionary contains only the list of famous hardware and software manufacturers whose vulnerabilities have been found, it does not contain information about unknown manufacturers' products (e.g. domestic products, etc.) or products whose vulnerabilities were not found. In addition, few product names for new products are included in the CPE dictionary. Therefore, in order to identify various devices, the CPE dictionary needs to be constantly updated.

Korean Patent Publication No. 10-2018-0094633 (published August 24, 2018)

The technical problem to be solved by the present disclosure is to provide a method for accurately identifying CPE information of the device by analyzing scan data of an internet-connected device, and an apparatus for performing the method.

Another technical problem to be solved by the present disclosure relates to a method for identifying CPE information of an Internet-connected device using a CPE dictionary, and a method for removing a misidentified CPE and an apparatus to perform the method.

Another technical problem to be solved by the present disclosure relates to a method capable of generating a new CPE from scan data of an internet-connected device and an apparatus to perform the method.

The technical problems of the present disclosure are not limited to the technical problems mentioned above, and other technical problems not mentioned will be clearly understood by those skilled in the art from the following description.

In order to solve the above technical problem, a method for identifying device information based on object name recognition according to some embodiments of the present disclosure is a method performed by a computing device, in response to a request sent to an Internet-connected device ( analyzing received scan data as a response), obtaining a plurality of search keywords, using the plurality of search keywords, obtaining a plurality of candidate Common Platform Enumerations (CPEs) associated with the device, for the scan data Comparing an entity name obtained as a result of Named-Entity Recognition with keywords associated with the candidate CPE, and removing at least some of the plurality of candidate CPEs based on the comparison result to determine the final CPE of the device It may include the steps.

In some embodiments, the scan data may be HTTP-body.

In some embodiments, the plurality of candidate CPEs may be CPEs matching the plurality of search keywords in a predefined CPE dictionary.

In some embodiments, the step of determining the final CPE may include removing the first candidate CPE when the keyword associated with the first candidate CPE among the plurality of candidate CPEs does not include any one of the entity names. .

In some embodiments, the entity name recognition may be performed based on a Bidirectional Long Short-Term Memory with a Conditional Random Field Layer (BI-LSTM-CRF) model.

In some embodiments, obtaining the plurality of candidate CPEs includes querying a CPE dictionary with the plurality of search keywords, and obtaining the plurality of candidate CPEs with the search result, and determining the final CPE The method includes generating a first object name as a new CPE among the object names obtained as a result of the object name recognition, and including the new CPE in the final CPE of the device, wherein the first object name is the plurality of object names. It may not have appeared in the keywords associated with the candidate CPE.

A method for identifying device information based on object name recognition according to some embodiments of the present disclosure for solving the above-described technical problem is a method performed by a computing device, in response to a request (request) sent to an Internet-connected device ( analyzing received scan data as a response), obtaining a plurality of search keywords, using the plurality of search keywords, obtaining a plurality of Common Platform Enumerations (CPEs) associated with the device, and objects for the scan data Generating a first entity name as a new CPE among entity names obtained as a result of Named-Entity Recognition, and further including the new CPE in the plurality of CPEs associated with the device. 1 The entity name may not appear in keywords associated with the plurality of CPEs.

In some embodiments, the step of obtaining the plurality of search keywords includes: scanning an open port among ports of the device, obtaining a banner string as a result of the scan, and extracting the plurality of search keywords from the banner string It may include the steps.

In some embodiments, the step of obtaining a plurality of CPEs associated with the device may include comparing an object name obtained as a result of the object name recognition with keywords associated with the plurality of CPEs, and based on the comparison result, among the plurality of CPEs. And removing at least a portion.

A device for identifying device information according to some embodiments of the present disclosure for solving the above-described technical problem includes: a memory storing one or more instructions and one or more instructions by executing the one or more instructions, thereby transmitting a request ( A plurality of search keywords are obtained by analyzing the received scan data as a response to a request, and a plurality of candidate Common Platform Enumerations (CPEs) associated with the device are obtained by using the plurality of search keywords, and the The object name obtained as a result of Name-Entity Recognition for the scan data is compared with the keyword associated with the candidate CPE, and at least a part of the plurality of candidate CPEs are removed based on the comparison result to finalize the device. It may include a processor for determining the CPE.

A computer program according to another embodiment of the present disclosure for solving the above-described technical problem is combined with a computing device and analyzes received scan data as a response to a request sent to an Internet-connected device By doing so, obtaining a plurality of search keywords, using the plurality of search keywords, obtaining a plurality of candidate Common Platform Enumerations (CPEs) associated with the device, Named-Entity Recognition for the scan data Computing the step of determining the final CPE of the device by comparing at least some of the plurality of candidate CPEs based on the result of comparing the subject name and the keyword associated with the candidate CPE, and based on the result of the comparison. It can be stored in a readable recording medium.

1 is an exemplary configuration diagram illustrating a device information identification system according to some embodiments of the present disclosure.
2 to 4 are exemplary block diagrams illustrating an apparatus for identifying device information according to some embodiments of the present disclosure.
5 is an exemplary flowchart illustrating a method for identifying device information based on object name recognition according to some embodiments of the present disclosure.
6 and 7 are exemplary views of scan data of a device that may be referenced in some embodiments of the present disclosure.
8 is an exemplary flow diagram illustrating a CPE dictionary-based candidate CPE acquisition method according to some embodiments of the present disclosure.
9 to 11 are exemplary views for explaining a method of obtaining a CPE dictionary-based candidate CPE according to some embodiments of the present disclosure.
12 is an exemplary diagram illustrating a structure of an entity name recognition model that may be referred to in some embodiments of the present disclosure.
13 is an exemplary view illustrating a process in which object name recognition is performed according to some embodiments of the present disclosure.
14 and 15 are exemplary views illustrating a method for removing misidentified CPE according to some embodiments of the present disclosure.
16 is an exemplary flowchart illustrating a method for identifying device information based on object name recognition according to some other embodiments of the present disclosure.
17 is an exemplary diagram for describing a new CPE generating method according to some embodiments of the present disclosure.
18 is an exemplary view for explaining a method of learning an entity name recognition model according to some embodiments of the present disclosure.
19 is an exemplary hardware configuration diagram illustrating an example computing device capable of implementing an apparatus in accordance with various embodiments of the present disclosure.

Hereinafter, preferred embodiments of the present disclosure will be described in detail with reference to the accompanying drawings. Advantages and features of the present disclosure, and a method of achieving them will be apparent with reference to embodiments described below in detail together with the accompanying drawings. However, the technical spirit of the present disclosure is not limited to the following embodiments, but may be implemented in various different forms, and only the present embodiments allow the present disclosure to be complete, and common knowledge in the technical field to which the present disclosure pertains. It is provided to fully inform the holder of the scope of the present disclosure, and the technical spirit of the present disclosure is only defined by the scope of the claims.

It should be noted that in adding reference numerals to the components of each drawing, the same components have the same reference numerals as possible, even if they are displayed on different drawings. In addition, in describing the present disclosure, when it is determined that a detailed description of related known configurations or functions may obscure the subject matter of the present disclosure, the detailed description will be omitted.

Unless otherwise defined, all terms (including technical and scientific terms) used in this specification may be used in a sense that can be commonly understood by those skilled in the art to which this disclosure belongs. In addition, terms defined in the commonly used dictionary are not ideally or excessively interpreted unless specifically defined. The terminology used herein is for describing the embodiments and is not intended to limit the present disclosure. In the present specification, the singular form also includes the plural form unless otherwise specified in the phrase.

Further, in describing the components of the present disclosure, terms such as first, second, A, B, (a), and (b) may be used. These terms are only for distinguishing the component from other components, and the nature, order, or order of the component is not limited by the term. When a component is described as being "connected", "coupled" or "connected" to another component, that component may be directly connected to or connected to the other component, but another component between each component It should be understood that elements may be "connected", "coupled" or "connected".

As used herein, "comprises" and/or "comprising" refers to the elements, steps, operations and/or elements mentioned above, the presence of one or more other components, steps, operations and/or elements. Or do not exclude additions.

Prior to the description of the present specification, some terms used in the specification will be clarified.

In this specification, CPE (Common Platform Enumeration) is information configured in a predetermined format to share hardware, operating system, and application product names. CPE is composed of 7 fields by URL method and includes information such as manufacturer, product name, and version. CPE has the format "cpe: /part: vendor: product: version: update: ~edition~sw_edition~target_sw~target_hw~other: language". For example, "Microsoft Internet Explorer 8.0.6001 Beta" is configured as "cpe:/a:microsoft:internet_explorer:8.0.6001:beta". In CPE format, parts are divided into'a' for application,'o' for OS, and'h' for hardware. In the CPE format,'sw_edition' refers to distributions such as online and special,'target_sw' refers to the operating system to be installed, and'target_hw' refers to the hardware to be installed.

In this specification, an instruction is a series of instructions grouped based on a function and refers to a component of a computer program and executed by a processor.

Hereinafter, some embodiments of the present disclosure will be described in detail according to the accompanying drawings.

1 is an exemplary configuration diagram illustrating a device information identification system according to some embodiments of the present disclosure.

As illustrated in FIG. 1, the device information identification system may include at least one IoT device 300-1 to 300-n, a scan device 200, and a device information identification device 100. However, this is only a preferred embodiment for achieving the object of the present disclosure, and of course, some components may be added or deleted as necessary. In addition, it is noted that each component of the device information identification system illustrated in FIG. 1 is functionally divided functional elements, and a plurality of components may be implemented in an integrated form in an actual physical environment. For example, the scan device 200 and the device information identification device 100 may be implemented in the form of different logic in the same physical computing device.

Further, in the actual physical environment, each of the components may be implemented in a form of being divided into a plurality of detailed functional elements. For example, the first function of the device information identification apparatus 100 may be implemented in the first computing device, and the second function may be implemented in the second computing device. Hereinafter, each of the components will be described.

In the device information identification system, the IoT devices 300-1 to 300-n are target devices to be identified. 1 illustrates the target device as an IoT device (300-1 to 300-n) by way of example, but the technical scope of the present disclosure is not limited thereto. That is, the target device can be any device connected to the Internet.

In the device information identification system, the scan device 200 is a computing device that scans a target device to generate scan data 1.

In some embodiments, the scan device 200 may scan the open port (e.g. HTTP, FTP) of the target device to generate scan data 1. At this time, the scan data 1 is response data of the target device acquired through the open port, and may be a banner, HTTP response, or the like. The banner means a welcome message provided by the target device in response when accessing the corresponding port. For an example of the banner and HTTP response, refer to FIGS. 6 and 7.

In some embodiments, the scan apparatus 200 may obtain device firmware version information, security patch information, and the like through the manufacturers' web pages of the target device.

In the device information identification system, the device information identification device 100 is a computing device that identifies CPE information 3 of the target device by analyzing scan data 1 of the target device. Here, the computing device may be a laptop, a desktop, a laptop, or a smart phone, but is not limited thereto and includes all types of devices equipped with computing and communication functions. can do. Hereinafter, for convenience of description, the device information identification device 100 will be abbreviated as the identification device 100.

In some embodiments, the identification apparatus 100 may identify candidate CPE information by analyzing the scan data 1 of the target device based on the CPE dictionary. Also, the identification device 100 may extract a named entity from the scan data and remove the misidentified CPE from the candidate CPEs using the entity name. By doing so, the accuracy of CPE identification can be greatly improved.

In some embodiments, the identification device 100 may generate an entity name that is not associated with the candidate CPE among the extracted entity names as a new CPE. By doing so, new CPEs that are not in the CPE dictionary can be continuously added to the CPE dictionary.

A more detailed description of the identification device 100 will be described later with reference to the drawings of FIG. 2 and below.

At least some of the components of the system shown in FIG. 1 can communicate over a network. Here, the network is a wired/wireless network of any kind, such as a local area network (LAN), a wide area network (WAN), a mobile radio communication network, a Wibro (Wireless Broadband Internet), and the like. Can be implemented.

So far, a device information identification system according to some embodiments of the present disclosure has been described with reference to FIG. 1. Hereinafter, the configuration and operation of the identification device 100 will be described with reference to FIGS. 2 to 4.

2 is an exemplary block diagram illustrating the identification device 100 in accordance with some embodiments of the present disclosure, and FIG. 3 further illustrates the operation flow of the identification device 100.

2 and 3, the identification device 100 includes an input unit 110, a pre-processing unit 130, a CPE identification unit 150, a new CPE generation unit 170 and a storage unit 190 can do. However, only components related to the exemplary embodiment of the present disclosure are illustrated in FIG. 2. Accordingly, a person skilled in the art to which the present disclosure belongs may recognize that other general-purpose components may be further included in addition to the components illustrated in FIG. 2. In addition, it is noted that each of the components of the identification device 100 illustrated in FIG. 2 is functionally divided functional elements, and a plurality of components may be implemented in an integrated form in an actual physical environment. Hereinafter, each component will be described.

The input unit 110 receives scan data 1.

Next, the pre-processing unit 130 performs pre-processing on the scan data 1. In order to exclude the duplicate description, detailed description of the operation of the pre-processing unit 130 will be described later with reference to FIGS. 5 to 7 and 9.

Next, the CPE identification unit 150 identifies CPE information of the target device from the pre-processed scan data 9. As shown in FIG. 4, the CPE identification unit 150 may include a dictionary-based CPE identification unit 151, an entity name recognition unit 153, and a CPE determination unit 155.

The dictionary-based CPE identification unit 151 identifies candidate CPEs of the target device from the scan data 9 preprocessed using the CPE dictionary. A detailed description of the operation of the dictionary-based CPE identification unit 151 will be described later with reference to FIGS. 8 to 11.

Next, the object name recognition unit 153 extracts the object name associated with the target device from the pre-processed scan data 9 through object name recognition. A detailed description of the operation of the entity name recognition unit 153 will be described later with reference to FIGS. 12 and 13.

Next, the CPE determination unit 155 determines the final CPE of the target device by removing the misidentified CPE among the plurality of candidate CPEs using the extracted object name. In order to exclude duplicate descriptions, a detailed description of the operation of the CPE determination unit 155 will be described later with reference to FIGS. 5, 14, and 15.

Next, the new CPE generating unit 170 generates a new CPE associated with the target device using the object name recognition result. In order to exclude the duplicate description, a detailed description of the new CPE generation unit 170 will be described later with reference to FIGS. 16 to 18.

The storage unit 190 stores and manages various information such as a CPE dictionary, a CVE dictionary, and an object name recognition model. When the CPE information of the target device is identified, vulnerability information of the target device may be provided through a CVE dictionary.

For reference, it should be noted that not all components of the identification device 100 illustrated in FIGS. 2 to 4 may be required components. That is, the identification device 100 according to some other embodiments of the present disclosure may be implemented by some of the components illustrated in FIGS. 2 to 4.

Each component of FIGS. 2 to 4 may mean software or hardware such as a field programmable gate array (FPGA) or an application-specific integrated circuit (ASIC). However, the above components are not limited to software or hardware, and may be configured to be in an addressable storage medium, or may be configured to execute one or more processors. The functions provided in the above components may be implemented by more detailed components, or may be implemented as a single component that performs a specific function by combining a plurality of components.

So far, the configuration and operation of the identification device 100 according to some embodiments of the present disclosure have been described with reference to FIGS. 2 to 4. Hereinafter, a method for identifying device information based on object name recognition according to various embodiments of the present disclosure will be described with reference to FIGS. 5 to 18.

Each step of the device information identification method may be performed by a computing device. In other words, each step of the device information identification method may be implemented with one or more instructions executed by a processor of a computing device. All the steps included in the device information identification method may be executed by one physical computing device, but the first steps of the method are performed by the first computing device, and the second steps of the method are second computing It can also be performed by the device. Hereinafter, it is assumed that each step of the device information identification method is performed by the identification device 100 to continue the description. However, for convenience of description, description of the operation subject of each step included in the device information identification method may be omitted.

5 is an exemplary flowchart illustrating a method for identifying device information based on object name recognition according to some embodiments of the present disclosure. However, this is only a preferred embodiment for achieving the object of the present disclosure, and of course, some steps may be added or deleted as necessary.

As shown in FIG. 5, the method starts at step S10 of obtaining scan data of a target device connected to the Internet.

In some embodiments, the scan data may be obtained by scanning the open port of the target device. That is, the scan data may be received by transmitting a predetermined request to the target device's open port and responding to the request.

For a more specific example, the scan data may be configured as a string of banners obtained through the open port scan. An example of the banner is shown in FIG. 6. In particular, FIG. 6 shows as an example the banner 11 obtained through the HTTP port scan.

For another example, the scan data may be an HTTP response obtained through an HTTP port scan. An example of the HTTP response is illustrated in FIG. 7. As shown in FIG. 7, the HTTP response 13 contains more information than the banner string (e.g. 11). Therefore, when analyzing the HTTP response (13), more identification information (e.g. CPE) can be obtained compared to the banner.

The port scan is a technology that is already well known in the art, and a detailed description thereof will be omitted.

In step S20, the identification device 100 performs pre-processing for the scan data. The pre-processing may include all types of pre-processing processes for processing the scan data into a form suitable for analysis. For example, the pre-processing may include a pre-processing process such as HTTP header removal, tag removal, blank removal, and text conversion. Alternatively, the pre-processing may include a pre-processing process such as keyword extraction, word separation using a predetermined delimeter, and small/capital conversion.

In this step S20, the identification device 100 removes the header from the HTTP response to obtain the HTTP-body, removes one or more predefined tags from the HTTP-body, and textualizes the remaining data to scan the textualized scan data. Can be obtained. However, the technical scope of the present disclosure is not limited thereto.

In step S30, the identification device 100 obtains a candidate CPE from the CPE dictionary. Specifically, the identification device 100 may extract a search keyword from the pre-processed scan data, and obtain a CPE matching the search keyword from the CPE dictionary as a candidate CPE. In order to provide a more convenient understanding, this step S30 will be described in detail with reference to FIGS. 8 to 11.

8 is an exemplary flow diagram illustrating a method for obtaining a candidate CPE according to some embodiments of the present disclosure.

As illustrated in FIG. 8, the candidate CPE acquisition method starts in step S31 of extracting a plurality of keywords by analyzing pre-processed scan data (e.g. text data). The specific method of extracting a plurality of keywords may vary according to embodiments.

In some embodiments, the identification device 100 may extract keywords using a specific data pattern (e.g. integer.integer.integer.integer for IP, IP:integer for port, etc.).

In some embodiments, the identification device 100 may extract the plurality of keywords by dividing the pre-processed scan data into a plurality of words using pre-designated special characters as separators. Here, the identification device 100 may apply a lowercase conversion to the preprocessed scan data, and may separate the lowercase converted data into the plurality of words.

An example of extracting keywords in this step S31 is illustrated in FIG. 9. As illustrated in FIG. 9, when pre-processing is performed in the HTTP response 21, text data 22 is obtained, and a plurality of keywords 23 to 29 can be extracted from the text data 22.

In step S33, the identification device 100 determines a search keyword by removing stop words from the extracted plurality of keywords. For example, the identification device 100 may remove the stopword using a predefined stopword dictionary. The terminology may include words that can generate misidentified CPE, such as'login','administrator' and'server', but the technical scope of the present disclosure is not limited thereto.

In step S35, the identification device 100 obtains a candidate CPE by querying the CPE dictionary with a search keyword. That is, the CPE searched by each search keyword is obtained as a candidate CPE. In this case, the candidate CPE may include at least one of an operating system CPE, an application CPE, and a hardware CPE.

Meanwhile, according to some other embodiments of the present disclosure, a candidate CPE may be generated using a CPE tree constructed based on a CPE dictionary. Hereinafter, this embodiment will be described in detail with reference to FIGS. 10 and 11.

As illustrated in FIG. 10, the identification device 100 may construct a CPE tree 35 of a plurality of levels and a plurality of nodes from the CPE dictionary 33. The constructed CPE tree 35 may have a total of six levels. The six levels of the CPE tree 35 correspond to the product language from the vendor, excluding the part in the CPE format 31. More specifically, in the CPE tree 35, (i) the node corresponding to the first level is the vendor information, (ii) the node corresponding to the second level is the product name, and the third level The node corresponding to the product version information, the node corresponding to the fourth level is the update information, the node corresponding to the fifth level is the distribution information, and the node corresponding to the sixth level is Corresponds to product language information.

The CPE tree 35 may include at least three levels from the first level to the sixth level. At this time, the information of the node corresponding to the first level and the information of the node corresponding to the second level may be the same (ie, the manufacturer and the product name may be the same).

The CPE tree 35 includes at least one of a parent node, a child node, and a sibling node. A node corresponding to a higher level among a plurality of levels corresponds to a parent node, a node corresponding to a lower level among a plurality of levels corresponds to a child node, and nodes corresponding to the same level among the plurality of levels correspond to a sibling node. . If the intermediate level is omitted among the plurality of levels, a node corresponding to a higher level node of the omitted intermediate level and a node corresponding to a lower level of the omitted intermediate level may be connected to each other.

The identification device 100 generates a plurality of levels by separating the character string of the CPE dictionary 33 based on the separator (':'), and the character string based on the characters'~' at the fifth level of the CPE dictionary 33 Can be separated. Also, the identification device 100 may construct the CPE tree 35 by separating the character string based on the letter'_' at each level of the CPE dictionary 33. For example, in the case of "cpe:/a:microsoft:ftp_service:7.0", the first level is'microsoft', the second level is'ftp','service', and the third level consists of '7.0', There is no fourth to sixth level for the CPE.

11 illustrates a process of obtaining a candidate CPE from a CPE tree.

As shown in FIG. 11, by matching the search keyword 43 and the CPE tree 41 extracted from the scan data, keywords matching the CPE tree 41 among the search keywords 43 may be determined for each level. . The matching result is shown in the right figure 45 of FIG. 11. Then, the identification device 100 may generate a candidate CPE by combining keywords matched for each level. In addition, if the generated candidate CPE does not exist in the CPE dictionary, the identification device 100 may add the candidate CPE to the CPE dictionary.

It will be described again with reference to FIG. 5.

In step S40, the identification device 100 extracts the entity name associated with the target device by performing Named Entity Recognition (NER) from the pre-processed scan data.

In some embodiments, the object name recognition may be performed by a deep learning based object name recognition model. For example, the entity name recognition model may be a model based on BI-LSTM-CRF (Bidirectional Long Short-Term Memory with a Conditional Random Field Layer) as illustrated in FIG. 12. However, the technical scope of the present disclosure is not limited thereto. The BI-LSTM-CRF model can more accurately identify an entity name in consideration of sequential relationships between words.

An example in which the object name is identified in the pre-processed scan data is shown in FIG. 13. In particular, FIG. 13 illustrates a case in which the object name category is divided into a person, an organization, a location, and others, but the object name category may be defined in other ways.

As illustrated in FIG. 13, when object name recognition is performed, keywords 52 to 57 corresponding to the object name in the scan data 50 may be extracted for each category. Those skilled in the art will be able to clearly understand the object name recognition, and further detailed description will be omitted.

It will be described again with reference to FIG. 5.

In step S50, the identification device 100 determines the final CPE of the target device by removing the misidentified CPE using the comparison result of the candidate CPE and the individual name, that is, filtering for the candidate CPE based on the individual name in the step S50 This is done. The reason for using the object name is that general keywords such as "login" and "server" are not extracted as the object name, and through this filtering process, product names not related to the target device can be prevented from being extracted as CPE.

The specific way to remove misidentified CPE may vary depending on the embodiment.

In some embodiments, the identification device 100 may determine and remove candidate CPEs in which the individual name does not appear at all among a plurality of candidate CPEs as a misidentified CPE. By doing so, CPE information associated with the target device can be more accurately identified. A specific example of this embodiment is illustrated in FIG. 14.

As shown in FIG. 14, comparison of the object name recognition result 65 and candidate CPEs 61 to 63 is performed. More specifically, a comparison is performed between keywords extracted by the object name and keywords associated with candidate CPEs 61 to 63. At this time, the keyword extracted by the object name may be composed of one or more words (e.g. a compound noun, etc.). In addition, keywords associated with the candidate CPEs 61 to 63 include product names included in the candidate CPEs, keywords indicating manufacturers, etc., keywords used for searching the candidate CPEs, and the like.

In addition, through the above comparison results, candidate CPEs 63 whose individual names do not appear at all among the candidate CPEs 61 to 63 are determined, and the candidate CPEs 63 are regarded as misidentified CPEs and removed. That is, in FIG. 14, the entity name 3 is composed of a combination of the word 4 and the word 5, but the candidate CPE 7 does not include all the entity names 3, and thus is regarded as a misidentified CPE.

In some other embodiments, the identification device 100 separates the entity name into a plurality of words using a predetermined special character as a delimiter, and among the plurality of candidate CPEs, none of the plurality of words appears CPE can be removed by judging by misidentifying CPE. That is, in this embodiment, filtering is performed under the relaxed condition than the above-described embodiment. By doing so, CPE information associated with the target device can be identified without omission. A specific example of this embodiment is illustrated in FIG. 15.

As illustrated in FIG. 15, the word separation is performed in the first entity name recognition result 78 to calculate the second entity name recognition result 79, and the keyword 75 for entity name 1 (or entity name 3) ) Can be separated into two words (76, 77). Similar to the above-described embodiment, the identification device 100 compares the keyword associated with the second entity name recognition result 79 and the candidate CPEs 71 to 73, and removes the misidentified CPE based on the comparison result. In the example shown in FIG. 15, since there are no misidentified CPEs (i.e., all of the candidate CPEs contain at least one word representing an entity name), all candidate CPEs 71 to 73 are determined as final CPEs. Can.

For reference, among the above-described steps S10 to S50, step S10 is performed by the input unit 110, step S20 is performed by the pre-processing unit 130, and step S30 is performed by the dictionary-based CPE identification unit 151 Can be. In addition, step S40 may be performed by the entity name recognition unit 153, and step S50 may be performed by the CPE determination unit 155.

So far, a method of identifying device information based on object name recognition according to some embodiments of the present disclosure has been described with reference to FIGS. 5 to 15. According to the above-described method, filtering for the candidate CPE is performed using the object name extracted through object name recognition. Common words such as "login", "server", and the like are not extracted as the object name, and thus the CPE for misidentification is filtered, and CPE information associated with the target device can be accurately identified.

Furthermore, as the CPE information for the target device is accurately identified, the vulnerability of the target device can also be accurately identified through the CVE dictionary.

Hereinafter, a method for identifying device information based on object name recognition according to some other embodiments of the present disclosure will be described with reference to FIGS. 16 to 18. Hereinafter, for clarity of the present specification, descriptions of contents overlapping with the above-described embodiments will be omitted.

16 is an exemplary flowchart illustrating a method for identifying device information based on object name recognition according to some other embodiments of the present disclosure.

As shown in FIG. 16, steps S10 to S50 are the same as the above-described embodiment, but differ from the above-described embodiment in that step S60 is further performed.

In step S60, the identification device 100 generates an entity name that is not associated with the candidate CPE as a new CPE. Here, the object name not associated with the candidate CPE means the object name not used to remove the misidentified CPE in step S50. The new CPE generated in step S60 may be added to the CPE dictionary, and included in the final CPE information of the target device. By doing so, CPE information associated with the target device can be identified without omission. In addition, the sophistication range of the identification device 100 is reduced through a gradual CPE dictionary update, and accurate identification can be made for various devices.

For reference, in the step S60, the identification device 100 performs a duplicate check on the generated new CPE using the CPE dictionary, and adds the generated new CPE to the CPE dictionary in response to the determination that it is not a duplicate. Can. In addition, this step S60 may be performed by the new CPE generating unit 170.

In order to provide more convenience, the step S60 will be described in detail with reference to the example shown in FIG. 17.

As shown in FIG. 17, using the entity name recognition result 86, filtering for candidate CPEs 81 to 83 is performed, and the entity names (or words separated from the entity names) that are not used for the filtering, 84, hereinafter referred to as "unused entity name") may be generated with a new CPE 85.

In some embodiments, among the unused individual names, individual names whose categories correspond to institution names or other categories are selected, and new CPEs may be generated using only the selected individual names. This is because it is highly likely that an individual name belonging to a person or location name category is not associated with a product name. According to this embodiment, a new CPE can be generated more accurately.

Meanwhile, in some embodiments, in order to generate a new CPE with an unused entity name, matching of the unused entity name with the above-described CPE tree may be performed. More specifically, unused entity names and keyword matching are performed for each level of the CPE tree, and keywords matching for each level may be determined. In addition, new CPEs may be generated by combining keywords matched for each level (that is, connected according to the CPE format).

On the other hand, in some embodiments, in order to create a new CPE, an entity name recognition model may be used. More specifically, a new object name recognition model capable of recognizing a product name as an object name is constructed, and an object name belonging to a product name category can be extracted from the scan data of target data using the constructed object name recognition model. . Then, the extracted individual name may be generated as a new CPE.

An example of a process of constructing the new entity name recognition model is illustrated in FIG. 18.

As shown in FIG. 18, the identification device 100, exactly, the new CPE generation unit 170, the existing CPE information 91 or the new CPE information 93 generated according to the method shown in FIG. A training dataset can be created by assigning a product category to an associated keyword. In addition, the identification device 100 may build a model capable of recognizing the individual name of the product name category by learning the learning data set. When the scan data of another target device is obtained, the identification device 100 may extract the object name of the product name category from the scan data using the constructed object name recognition model. In addition, the identification device 100 may generate a new CPE using the extracted object name. As described above, the identification device 100 may perform a duplication check through the CPE dictionary, and only new CPEs that do not overlap may be added to the CPE dictionary.

So far, a method for identifying device information based on object name recognition according to some other embodiments of the present disclosure has been described with reference to FIGS. 16 to 18. According to the above-described method, a new CPE can be created and added to the CPE dictionary using the object name of a specific category deeply related to the product name. Accordingly, the device identification function of the identification device 100 may be gradually enhanced. That is, the identification range of the identification device 100 is gradually expanded, and the accuracy of CPE identification can also be improved.

Hereinafter, an example of a computing device 400 capable of implementing a device according to various embodiments of the present disclosure will be described with reference to FIG. 19.

19 is an exemplary hardware configuration diagram illustrating an example computing device 400 capable of implementing an apparatus in accordance with various embodiments of the present disclosure.

Referring to FIG. 19, the computing device 400 includes a memory 430 for loading one or more processors 410, a bus 450, a communication interface 470, and computer programs performed by the processor 410. And, it may include a storage 490 for storing the computer program 491. However, only components related to the exemplary embodiment of the present disclosure are illustrated in FIG. 19. Therefore, a person skilled in the art to which the present disclosure belongs may recognize that other general-purpose components may be further included in addition to the components illustrated in FIG. 19.

The processor 410 controls the overall operation of each component of the computing device 400. The processor 410 includes a CPU (Central Processing Unit), a Micro Processor Unit (MPU), a Micro Controller Unit (MCU), a Graphic Processing Unit (GPU), or any type of processor well known in the art of the present disclosure. Can be. Also, the processor 410 may perform operations on at least one application or program for executing the method according to embodiments of the present disclosure. Computing device 400 may include one or more processors.

The memory 430 stores various data, commands and/or information. The memory 430 may load one or more programs 491 from the storage 490 to execute a method/operation according to various embodiments of the present disclosure. For example, when the computer program 491 is loaded in the memory 430, a module may be implemented on the memory 430 as illustrated in FIG. 2. The memory 430 may be implemented as a volatile memory such as RAM, but the technical scope of the present disclosure is not limited thereto.

The bus 450 provides communication functions between components of the computing device 400. The bus 450 may be implemented as various types of buses, such as an address bus, a data bus, and a control bus.

The communication interface 470 supports wired and wireless Internet communication of the computing device 400. Also, the communication interface 470 may support various communication methods other than Internet communication. To this end, the communication interface 470 may include a communication module well known in the art of the present disclosure.

The storage 490 may store the one or more programs 491 non-temporarily. The storage 490 is well-known in the field of non-volatile memory such as read only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, hard disk, removable disk, or the technical field to which the present disclosure pertains. And any known form of computer-readable recording media.

Computer program 491 may include one or more instructions that, when loaded into memory 430, cause processor 410 to perform a method in accordance with various embodiments of the present disclosure. That is, the processor 410 may execute the methods according to various embodiments of the present disclosure by executing the one or more instructions.

For example, the computer program 491 analyzes received scan data as a response to a request sent to an Internet-connected device to obtain a plurality of search keywords, and uses the plurality of search keywords To obtain a plurality of candidate Common Platform Enumerations (CPEs) associated with the device, comparing the entity names obtained as a result of Named-Entity Recognition to the scan data with keywords associated with the candidate CPEs, and It may include one or more instructions to remove at least a portion of the plurality of candidate CPE based on the comparison result to perform a device identification operation to determine the final CPE of the device. In this case, the identification device 100 may be implemented through the computing device 400.

For another example, the computer program 491 analyzes received scan data as a response to a request sent to an Internet-connected device to obtain a plurality of search keywords, and the plurality of search keywords. By using the operation, obtaining a plurality of Common Platform Enumerations (CPEs) associated with the device and generating a first entity name as a new CPE among entity names obtained as a result of Named-Entity Recognition for the scan data One or more instructions may be included to perform an operation and an operation of further including the new CPE in the plurality of CPEs associated with the device. Even in such a case, the identification device 100 may be implemented through the computing device 400.

So far, various embodiments of the present disclosure and effects according to the embodiments have been described with reference to FIGS. 1 to 19. Effects according to the technical spirit of the present disclosure are not limited to the above-mentioned effects, and other effects not mentioned will be clearly understood by those skilled in the art from the following description.

The technical idea of the present disclosure described so far with reference to FIGS. 1 to 19 may be embodied as computer readable codes on a computer readable medium. The computer-readable recording medium may be, for example, a removable recording medium (CD, DVD, Blu-ray Disc, USB storage device, removable hard disk), or a fixed recording medium (ROM, RAM, hard disk equipped with a computer). Can. The computer program recorded on the computer-readable recording medium may be transmitted to another computing device through a network such as the Internet and installed on the other computing device, and thus used on the other computing device.

In the above, even if all components constituting the embodiments of the present disclosure are described as being combined or operated as one, the technical spirit of the present disclosure is not necessarily limited to these embodiments. That is, within the scope of the present disclosure, all of the components may be selectively combined and operated.

Although the operations are shown in a specific order in the drawings, it should not be understood that the operations must be performed in a specific order or in a sequential order, or all illustrated operations must be executed to obtain a desired result. In certain situations, multitasking and parallel processing may be advantageous. Moreover, the separation of various configurations in the above-described embodiments should not be understood as such a separation is not necessarily necessary, and the described program components and systems may generally be integrated together into a single software product or packaged into multiple software products. It should be understood that there is.

Although the embodiments of the present disclosure have been described with reference to the accompanying drawings, those of ordinary skill in the art to which the present disclosure pertains may implement the present disclosure in other specific forms without changing its technical spirit or essential features. You can understand that there is. Therefore, it should be understood that the embodiments described above are illustrative in all respects and not restrictive. The scope of protection of the present disclosure should be interpreted by the claims below, and all technical spirits within the scope equivalent thereto should be interpreted as being included in the scope of the technical spirits defined by the present disclosure.

Claims (21)

A method performed by a computing device,
Analyzing received scan data as a response to a request sent to an internet-connected device to obtain a plurality of search keywords;
Obtaining a plurality of candidate Common Platform Enumerations (CPEs) associated with the device using the plurality of search keywords;
Comparing an entity name obtained as a result of Named-Entity Recognition with respect to the scan data and a keyword associated with the candidate CPE; And
And determining a final CPE of the device by removing at least some of the plurality of candidate CPEs based on the comparison result.
Determining the final CPE,
And removing the first candidate CPE when the object name is not included in a keyword associated with the first candidate CPE among the plurality of candidate CPEs.
Method for identifying device information based on object name recognition. According to claim 1,
The scan data,
HTTP-body,
Method for identifying device information based on object name recognition. According to claim 2,
The step of analyzing the scan data and obtaining the plurality of search keywords may include:
Comprising the step of acquiring text data by removing one or more predefined tags from the HTTP-body,
Method for identifying device information based on object name recognition. According to claim 3,
The step of analyzing the scan data to obtain a plurality of search keywords,
Separating the obtained text data into a plurality of words using a predetermined special character as a delimiter; And
And determining at least some of the plurality of words as the plurality of search keywords.
Method for identifying device information based on object name recognition. According to claim 4,
The step of separating the acquired text data into a plurality of words,
Applying a lowercase conversion to the obtained text data; And
The step of separating the text data converted to lowercase into the plurality of words,
Method for identifying device information based on object name recognition. According to claim 4,
Determining at least a portion of the plurality of words as the plurality of search keywords,
Determining a word other than the pre-registered keyword among the plurality of words as the plurality of search keywords,
Method for identifying device information based on object name recognition. According to claim 1,
The plurality of candidate CPE,
CPE that matches the plurality of search keywords in the predefined CPE dictionary,
Method for identifying device information based on object name recognition. The method of claim 7,
The plurality of candidate CPE,
Comprising at least one of an operating system CPE and an application CPE and a hardware CPE,
Method for identifying device information based on object name recognition. delete According to claim 1,
If the entity name is not included in a keyword associated with a first candidate CPE among the plurality of candidate CPEs, removing the first candidate CPE may include:
Separating the object name into a plurality of words by using a predetermined special character as a delimiter;
Removing the first candidate CPE when the keyword associated with the first candidate CPE among the plurality of candidate CPEs does not include any one of the plurality of words;
Method for identifying device information based on object name recognition. According to claim 1,
The object name recognition,
BI-LSTM-CRF (Bidirectional Long Short-Term Memory with a Conditional Random Field Layer) model,
Method for identifying device information based on object name recognition. According to claim 1,
Obtaining the plurality of candidate CPE,
Querying a CPE dictionary with the plurality of search keywords, and obtaining the plurality of candidate CPEs as the search result,
Determining the final CPE,
Generating a first entity name as a new CPE among the entity names obtained as a result of the entity name recognition; And
Including the new CPE in the final CPE of the device,
The first entity name does not appear in keywords associated with the plurality of candidate CPEs,
Method for identifying device information based on object name recognition. The method of claim 12,
The first entity name is an organization category (organization) category or other (miscellaneous) entity name,
Method for identifying device information based on object name recognition. According to claim 1,
Obtaining the plurality of candidate CPE,
Querying a CPE dictionary with the plurality of search keywords, and obtaining the plurality of candidate CPEs as the search result,
Determining the final CPE,
Generating and registering a first object name as a new CPE among the object names obtained as a result of the object name recognition; And
Including the new CPE in the final CPE of the device,
None of the words included in the first entity name appear in keywords associated with the plurality of candidate CPEs.
Method for identifying device information based on object name recognition. A method performed by a computing device,
Analyzing received scan data as a response to a request sent to an internet-connected device to obtain a plurality of search keywords;
Obtaining a plurality of Common Platform Enumerations (CPEs) associated with the device using the plurality of search keywords;
Generating a first entity name as a new CPE among entity names obtained as a result of Named-Entity Recognition for the scan data; And
Including the step of further comprising the new CPE in the plurality of CPE associated with the device,
The first entity name does not appear in the keywords associated with the plurality of CPE,
Method for identifying device information based on object name recognition. The method of claim 15,
The step of obtaining the plurality of search keywords,
Scanning an open port among the ports of the device;
Obtaining a banner string as a result of the scan; And
And extracting the plurality of search keywords from the banner string,
Method for identifying device information based on object name recognition. The method of claim 15,
Obtaining a plurality of CPE associated with the device,
Comparing an entity name obtained as a result of the entity name recognition with a keyword associated with the plurality of CPEs; And
And removing at least some of the plurality of CPEs based on the comparison result.
Method for identifying device information based on object name recognition. The method of claim 15,
The first entity name is an organization category (organization) category or other (miscellaneous) entity name,
Method for identifying device information based on object name recognition. The method of claim 15,
None of the words included in the first entity name appear in keywords associated with the plurality of candidate CPEs.
Method for identifying device information based on object name recognition. The method of claim 15,
Generating a learning dataset by assigning a product category to keywords included in the first entity name; And
Further comprising the step of learning the object name recognition model using the learning data set,
Method for identifying device information based on object name recognition. A memory that stores one or more instructions; And
By executing the one or more instructions,
A plurality of search keywords are obtained by analyzing scan data received as a response to a request sent to an Internet-connected device, and a plurality of candidate CPEs (Commons) associated with the device are obtained by using the plurality of search keywords Platform Enumeration), compares the entity name obtained as a result of Named-Entity Recognition to the scan data with keywords associated with the candidate CPE, and based on the comparison result, at least one of the plurality of candidate CPEs. Including a processor to determine the final CPE of the device by removing a portion,
The determination of the final CPE includes removing the first candidate CPE when the object name is not included in a keyword associated with the first candidate CPE among the plurality of candidate CPEs.
Device information identification device.

Images