WO2019127890A1 - Vulnerability scanning method, device, computer apparatus, and storage medium - Google Patents


Info

Publication number: WO2019127890A1
Authority: WO (WIPO, PCT)
Prior art keywords: scanned, traffic data, scanning, data, server
Application number: PCT/CN2018/077372
Other languages: French (fr), Chinese (zh)
Inventor: 周圣龙
Original Assignee: 平安科技(深圳)有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications

Definitions

  • The present application relates to the field of computer technologies, and in particular to a vulnerability scanning method, apparatus, computer device, and storage medium.
  • Traditional vulnerability scanning technology detects the security vulnerabilities of a specified remote or local computer system by scanning and other means, based on a vulnerability database, and discovers exploitable vulnerabilities; it is a security detection (penetration attack) activity.
  • In traditional vulnerability scanning, the scanning server actively crawls the data to be scanned from the target server using crawling technology, and then judges whether the crawled data has a vulnerability by running every vulnerability matching rule in the vulnerability database, so the scanning efficiency is relatively low.
  • A vulnerability scanning method, apparatus, computer device, and storage medium are provided.
  • A vulnerability scanning method comprising:
  • performing vulnerability scanning on the traffic data to be scanned by using the vulnerability scanning rule.
  • A vulnerability scanning device comprising:
  • a traffic intercepting module configured to intercept traffic data to be scanned;
  • a data judging module configured to determine whether the intercepted traffic data to be scanned is dynamic data;
  • a querying module configured to query whether the traffic data to be scanned has a parameter when the intercepted traffic data to be scanned is dynamic data;
  • a traffic type obtaining module configured to acquire the type of the traffic data to be scanned when the traffic data to be scanned has a parameter;
  • a rule obtaining module configured to acquire a vulnerability scanning rule corresponding to the type of the traffic data to be scanned; and
  • a scanning module configured to perform vulnerability scanning on the traffic data to be scanned by using the vulnerability scanning rule.
  • A computer device comprising a memory, a processor, and computer readable instructions stored thereon, the processor executing the computer readable instructions to implement the following steps:
  • performing vulnerability scanning on the traffic data to be scanned by using the vulnerability scanning rule.
  • One or more computer readable non-volatile storage media storing computer readable instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of:
  • performing vulnerability scanning on the traffic data to be scanned by using the vulnerability scanning rule.
  • FIG. 1 is an application scenario diagram of a vulnerability scanning method in an embodiment;
  • FIG. 2 is a block diagram of a scan server in an embodiment;
  • FIG. 3 is a schematic flow chart of a vulnerability scanning method in an embodiment;
  • FIG. 4 is a structural block diagram of a vulnerability scanning apparatus in an embodiment;
  • FIG. 5 is a diagram showing the internal structure of a computer device in an embodiment.
  • The vulnerability scanning method provided by the present application can be applied to an application environment as shown in FIG. 1.
  • The terminal accesses resources on the network through a core switch or a router, and the scan server can intercept the terminal's traffic data through the core switch or the router, or by setting up a proxy server; the scan server can then passively scan the traffic data as it is intercepted, to determine whether the traffic data is vulnerability data, thereby implementing vulnerability detection.
  • The terminal can be, but is not limited to, a personal computer, notebook computer, smart phone, tablet, or portable wearable device.
  • The scanning server can be implemented by a separate server or by a server cluster composed of multiple servers.
  • FIG. 2 is an architectural diagram of a scan server in an embodiment, comprising a system foundation, a scheduling engine, and a web application service.
  • The scheduling engine mainly provides the passive scan service; the web application service mainly provides the record query service and the UI interface for display.
  • The scheduling engine may adopt a distributed multi-threaded deployment, in which a machine learning model, a scan engine, and a system upgrade program are set up.
  • The machine learning model may be a decision tree model; the scan engine mainly stores the vulnerability scanning rules; and the system upgrade program is mainly for upgrading the system.
  • The web application service mainly includes a report module, a log module, and a configuration module.
  • The web application service mainly provides the record query service, that is, after each vulnerability scan is completed a log can be generated and stored in the log module, and a corresponding report, for example a vulnerability report, is generated according to the scan result and displayed on the corresponding UI interface.
  • A vulnerability scanning method is provided; taking its application to the scanning server in FIG. 1 as an example, it includes the following steps:
  • S302: Intercept the traffic data to be scanned.
  • The traffic data refers to data generated when the terminal accesses resources on the network, and includes the access request message.
  • The terminal used by the user can access resources on the Internet; the traffic data can be intercepted at a backbone node or a link node, and the intercepted traffic is stored in the scan server, so that whether there is a vulnerability is determined according to the traffic data.
  • S304: Determine whether the intercepted traffic data to be scanned is dynamic data.
  • Dynamic data is data that can not only be seen but also interacted with, which gives a better experience: users are no longer passive browsers. For example, message boards, forums, and user registration are dynamic and let users interact with the website, while static data is for viewing only.
  • The traffic that does not need vulnerability detection may be removed from the intercepted traffic data by means of machine learning, for example by a decision tree algorithm: when the traffic data to be scanned is intercepted, it is input into the machine learning model, which first determines whether the traffic data to be scanned is dynamic data.
  • The machine learning model may be pre-configured, for example by generating a training set and a test set from historically scanned data, where the training set is used to train an initial model and the test set is used to correct the initial model, so as to ensure the correctness of the model.
  • In the second step, the machine learning determines whether the traffic data has parameters, and only the traffic to be scanned that carries a parameter goes on to vulnerability scanning.
  • Traffic to be scanned that has no parameters does not request resources from the server on the network, and therefore is not scanned for vulnerabilities.
  • The two machine learning steps can be integrated into a single machine learning model, that is, when the traffic data to be scanned is input into the integrated model, both static data and parameterless data to be scanned can be eliminated.
  • When the traffic data to be scanned is dynamic data and has a parameter, it needs to be scanned for vulnerabilities. Therefore the type of the traffic data to be scanned is obtained first, so that different vulnerability scanning rules can be obtained for different types, which in turn reduces the number of vulnerability scanning rules executed.
  • S310: Obtain a vulnerability scanning rule corresponding to the type of the traffic data to be scanned.
  • The type of the traffic data to be scanned may include web traffic or network traffic, etc.; according to the type, the corresponding vulnerability detection rule may be obtained, thereby reducing the number of vulnerability detection rules executed.
  • For example, when the traffic data to be scanned is web traffic, the vulnerability detection rule for web traffic is obtained directly and the entire rule set does not need to be run, which improves the execution efficiency of the vulnerability detection rules.
  • The vulnerability scanning rule refers to a rule pre-stored in the scanning server. By comparing the traffic data to be scanned with the vulnerability scanning rule, it can be determined whether the traffic data to be scanned is vulnerability data, thereby implementing the vulnerability scan. For example, when the traffic data to be scanned matches the vulnerability scanning rule, it is vulnerability data, so subsequent interception or the like is needed to prevent it from being accessed normally; when the traffic data to be scanned does not match the vulnerability scanning rule, it is not vulnerability data, and it can be accessed normally without subsequent interception.
  • The above vulnerability scanning method first intercepts the traffic data to be scanned, that is, whenever the client accesses data the traffic data is intercepted, so the coverage of the traffic data to be scanned becomes larger; secondly, before the vulnerability scan, the traffic data that does not need to be scanned is eliminated, which reduces the scanning volume and improves the efficiency of vulnerability scanning; finally, the corresponding vulnerability scanning rule is obtained according to the type of the traffic data to be scanned, without running every vulnerability scanning rule in the database once, which greatly reduces the number of executions of vulnerability scanning rules and thereby improves the efficiency of vulnerability scanning.
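The pipeline above (intercept, drop static traffic, drop parameterless traffic, pick the rule subset for the traffic type, match) as an added example in Python; this is not code from the patent or its assignee. The rule sets, the suffix heuristic standing in for the patent's trained model, the type classification by URL scheme and the sample requests are all constructed here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed rule sets keyed by traffic type. Only the set matching the
# intercepted request's type is executed, not the whole rule database.
RULES: Dict[str, List[Tuple[str, "re.Pattern[str]"]]] = {
    "web": [
        ("path-traversal", re.compile(r"\.\./")),
        ("script-injection", re.compile(r"<\s*script", re.IGNORECASE)),
    ],
    "network": [
        ("oversized-field", re.compile(r"A{64,}")),
    ],
}

# Suffixes treated as static, view-only content (no server-side logic).
STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff")


@dataclass
class Request:
    """One intercepted request, as delivered by a mirror port or proxy."""
    method: str
    url: str
    body: str = ""   # form-encoded body, if any


def is_dynamic(req: Request) -> bool:
    """S304: static resources are view-only and are dropped before scanning.
    The patent uses a trained model here; a suffix heuristic stands in."""
    path = urlsplit(req.url).path.lower()
    return not path.endswith(STATIC_SUFFIXES)


def parameters(req: Request) -> Dict[str, str]:
    """Parameter check: collect query-string and form-body parameters."""
    params = dict(parse_qsl(urlsplit(req.url).query, keep_blank_values=True))
    if req.body:
        params.update(parse_qsl(req.body, keep_blank_values=True))
    return params


def traffic_type(req: Request) -> str:
    """Type step: http/https is 'web', any other scheme is 'network'."""
    scheme = urlsplit(req.url).scheme.lower()
    return "web" if scheme in ("http", "https") else "network"


def scan(req: Request, rule_type: Optional[str] = None) -> Tuple[str, List[str]]:
    """Run one request through the pipeline.

    Returns (verdict, matched_rule_names), where verdict is one of
    'skipped-static', 'skipped-no-params', 'clean' or 'flagged'.
    rule_type overrides the detected type, which is how a tester could
    re-scan web traffic with the network rules (the supplementary-rule
    step the patent describes later)."""
    if not is_dynamic(req):
        return "skipped-static", []
    params = parameters(req)
    if not params:
        return "skipped-no-params", []
    rules = RULES[rule_type or traffic_type(req)]   # S310: this type's rules only
    hits = [name for name, pattern in rules          # match every rule in the subset
            if any(pattern.search(value) for value in params.values())]
    return ("flagged" if hits else "clean"), hits


# Constructed sample traffic, as a mirror port might deliver it.
SAMPLE: List[Request] = [
    Request("GET", "http://shop.example/static/app.js"),
    Request("GET", "http://shop.example/index.html"),
    Request("GET", "http://shop.example/item?id=42"),
    Request("GET", "http://shop.example/file?name=../../etc/passwd"),
    Request("POST", "http://shop.example/comment", "text=%3Cscript%3Ealert(1)"),
]


def scan_all(reqs: List[Request]) -> List[Tuple[str, List[str]]]:
    """Scan a batch; the result list is parallel to the input list."""
    return [scan(r) for r in reqs]


if __name__ == "__main__":
    for req, (verdict, hits) in zip(SAMPLE, scan_all(SAMPLE)):
        print(f"{req.method} {req.url:<50} {verdict} {hits}")
```

Only the two parameterised dynamic requests reach rule matching; the static file and the parameterless page are filtered out before any rule runs, which is the saving the patent claims.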
  • After the step of intercepting the traffic data to be scanned, the method may further include: acquiring the current resource occupancy rate; if the current resource occupancy rate exceeds the threshold, acquiring the resource occupancy rates of the standby scanning servers; and having the standby scanning server with the lowest resource occupancy rate continue to perform the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  • The scan server exists in the form of a cluster in which a main scan server is set.
  • When the main scan server intercepts the traffic data to be scanned, the resource occupancy rate of the main scan server is determined first. If the current resource occupancy rate of the main scan server exceeds the threshold, the current scan server is heavily loaded, so the resource occupancy rates of the standby scan servers are obtained next, and the standby scan server with the lowest resource occupancy rate is chosen to perform the vulnerability scan, that is, to judge whether the intercepted traffic data to be scanned is dynamic data and so on. When the resource occupancy rates of the standby scanning servers are obtained they may be sorted, which makes the selection more convenient.
  • The threshold of the current resource occupancy rate may be determined according to experience, or according to the peak value measured during a system stress test; for example, different thresholds may be set according to the amount of traffic data to be scanned that is intercepted.
  • The resource occupancy rate may refer to the CPU occupancy rate of the scan server.
  • The resource occupancy rate of the primary scanning server is determined first; the vulnerability scanning is performed by the primary scanning server, and when the resource occupancy rate of the primary scanning server exceeds the threshold, the standby scan server is started and performs the vulnerability scanning, ensuring consistent and normal operation of the system.
  • Before the step of obtaining the current resource occupancy rate, the method may further include: determining whether the current scan server is faulty; if the current scan server is not faulty, continuing to perform the step of acquiring the current resource occupancy rate; if the current scan server is faulty, obtaining the resource occupancy rates of the standby scan servers, and having the standby scan server with the lowest resource occupancy rate continue to perform the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  • Before the step of acquiring the current resource occupancy rate, whether the current scan server is faulty is determined first. If no fault has occurred, the current resource occupancy rate is then determined and used to decide whether the current scan server performs the vulnerability detection. If the current scan server is faulty, the standby scan server with the lowest resource occupancy rate continues to perform the step of determining whether the intercepted traffic data to be scanned is dynamic data, without first determining the current resource occupancy rate, which saves that step.
  • The standby scan server that continues to perform the step is one whose resource occupancy rate is below the preset value of the resource occupancy rate and is the lowest among those. For example, with three standby scan servers A, B, and C whose resource occupancy rates are a, b, and c respectively, where a is greater than the preset value m of the resource occupancy rate, b and c are less than m, and b is less than c, the standby scan server B, corresponding to resource occupancy rate b, continues to perform the step of determining whether the intercepted traffic data is dynamic data.
  • In this embodiment, the preset value of the resource occupancy rate is not specifically limited and may be set according to experience.
  • The scan server uses a distributed architecture and multi-threaded queues for plug-in scanning or rule matching. For example, one main scanning server and multiple standby scanning servers can be set up.
  • When the scan server receives the intercepted traffic, it first determines whether the primary scanning server is faulty. If the primary scanning server is faulty, the scan is done by a standby scanning server; for example, the standby scan servers can be checked one by one in order, and when the current standby scan server is faulty the next one in order is checked, until a standby scan server without a fault is found. If the primary scan server is not faulty, the current resource occupancy rate of the primary scan server is obtained; when the resource occupancy rate does not exceed the threshold, the current scan server scans, and when it exceeds the threshold, a standby scan server scans. For example, the current resource occupancy rates of the standby scan servers can be obtained first and sorted, and a standby scan server with low resource occupancy selected for scanning.
  • In this embodiment, whether the current scan server is faulty is determined first. If a fault has occurred, a standby scan server is selected directly for the vulnerability scan. If no fault has occurred, the resource occupancy rate of the current scan server is determined first: when it does not exceed the threshold, the current scan server scans for vulnerabilities; when it exceeds the threshold, other scan servers are started and scan for vulnerabilities. This ensures consistent and normal operation of the system.
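The fault check, occupancy threshold and standby selection described above as an added example in Python; this is not the patent's code. Server names, occupancy figures, the threshold and the preset value m are constructed, chosen so that the standby data reproduce the patent's own A/B/C case (a above m, b and c below m, b lowest).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ScanServer:
    name: str
    cpu_occupancy: float   # resource occupancy rate as a fraction (CPU, per the patent)
    faulty: bool = False


def pick_standby(standbys: List[ScanServer], preset: float) -> Optional[ScanServer]:
    """Standby selection: skip faulty servers, keep those whose occupancy is
    below the preset value m, and take the lowest of them. Returns None when
    no standby qualifies."""
    candidates = [s for s in standbys if not s.faulty and s.cpu_occupancy < preset]
    if not candidates:
        return None
    return min(candidates, key=lambda s: s.cpu_occupancy)


def select_scan_server(primary: ScanServer, standbys: List[ScanServer],
                       threshold: float, preset: float) -> Optional[ScanServer]:
    """Decision order from the patent:
      1. primary faulty          -> a standby, with no occupancy check on the primary
      2. primary over threshold  -> the standby with the lowest occupancy
      3. otherwise               -> the primary keeps scanning
    None means no server is available; the patent does not say what happens
    then, so the caller must queue or shed the batch."""
    if primary.faulty or primary.cpu_occupancy > threshold:
        return pick_standby(standbys, preset)
    return primary


# Constructed instance of the patent's own example: standbys A, B and C with
# occupancy a, b and c, where a > m while b < c < m, so B must be chosen.
M = 0.70            # preset value m for standby occupancy
THRESHOLD = 0.80    # threshold for the primary's occupancy
PRIMARY = ScanServer("primary", cpu_occupancy=0.92)
STANDBYS = [ScanServer("A", 0.85), ScanServer("B", 0.30), ScanServer("C", 0.55)]

if __name__ == "__main__":
    chosen = select_scan_server(PRIMARY, STANDBYS, THRESHOLD, M)
    print("scan on:", chosen.name if chosen else "none available")
```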
  • Before the step of intercepting the traffic data to be scanned, the method further includes: counting the number of interceptions of the traffic data to be scanned; starting a corresponding number of scan servers according to the number of interceptions; and distributing the traffic data to be scanned to the started scan servers, which continue to perform the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  • The number of interceptions of the traffic to be scanned refers to the number of vulnerability scan requests received by the scan server: after the core switch, router, or proxy server intercepts the traffic to be scanned, it sends the scan server a vulnerability scan request which carries the traffic data to be scanned.
  • The scan server control system starts a corresponding number of scan servers according to the number of interceptions, and distributes the traffic data to be scanned to the started scan servers, so that the plurality of scan servers scan the traffic data together.
  • The number of interceptions of the traffic data to be scanned is obtained, that is, the number of requests to scan the traffic data to be scanned is acquired; the corresponding number of scanning servers is started according to that number of requests, and the received requests are then assigned to the corresponding scan servers according to a load balancing policy. For example, when there are 3000 requests to be processed, three scanning servers are started; according to the load balancing policy, the 3000 requests are allocated in turn to the three scanning servers, and the three scanning servers process the requests simultaneously, which improves scanning efficiency.
  • Each scanning server can use multi-threaded scanning, that is, each scanning server receives 50 requests and starts 50 threads, and each thread scans the traffic data to be scanned in 20 requests, so that the efficiency can be further improved.
  • The processing peak of each scanning server may be preset, and a processing level is preset for each scanning server; the processing level is selected according to the number of received requests. For example, when the number of received requests is a first quantity, the processing level is level 1, and when it is a second quantity, the processing level is level 2; the amount of requests a scanning server processes at level 1 is A, and at level 2 is B; the processing level is selected according to the number of received requests.
  • The number of scanning servers that need to be started is determined from the number N of received requests and the request processing amount A of the primary scanning server, that is, N/A; then the number of threads each scanning server needs to start is determined from the quantity A, thereby implementing parallel processing of requests and improving processing efficiency.
  • The corresponding number of scanning servers is started according to the number of requests, and the received requests are then allocated to the scanning servers according to the load balancing policy, which improves processing efficiency.
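The pool sizing (N/A servers, A split over threads) and the round-robin allocation described above as an added example in Python; this is not the patent's code. The level table mapping request counts to per-server capacity is constructed, with level 2 set to 1000 requests so that the 3000-request case yields the three servers and 50 threads of 20 requests quoted in the text.

```python
import math
from typing import Dict, List, Sequence

# Constructed processing-level table: a request count up to the key is handled
# at that level, and the value is the per-server request capacity at the level
# (the patent's A for level 1 and B for level 2).
LEVELS: Dict[int, int] = {1000: 500, 10_000: 1000}


def capacity_for(n_requests: int) -> int:
    """Pick the processing level from the request count and return its capacity.
    Counts above the highest level fall back to the largest capacity."""
    for limit, capacity in sorted(LEVELS.items()):
        if n_requests <= limit:
            return capacity
    return max(LEVELS.values())


def plan(n_requests: int, threads_per_server: int = 50) -> Dict[str, int]:
    """Number of servers = ceil(N / A); each server splits its share across
    threads_per_server threads (50 in the patent's example)."""
    capacity = capacity_for(n_requests)
    servers = max(1, math.ceil(n_requests / capacity))
    return {
        "capacity": capacity,
        "servers": servers,
        "threads_per_server": threads_per_server,
        "requests_per_thread": math.ceil(capacity / threads_per_server),
    }


def distribute(request_ids: Sequence[int], servers: int) -> List[List[int]]:
    """Round-robin load balancing: request i goes to server i mod servers,
    so the shares differ by at most one request."""
    buckets: List[List[int]] = [[] for _ in range(servers)]
    for i, rid in enumerate(request_ids):
        buckets[i % servers].append(rid)
    return buckets


if __name__ == "__main__":
    p = plan(3000)
    shares = distribute(range(3000), p["servers"])
    print(p, [len(s) for s in shares])
```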
  • After the step of performing vulnerability scanning on the traffic data to be scanned by using the vulnerability scanning rule, the method further includes: receiving a vulnerability scanning rule adjustment instruction for the traffic data to be scanned; obtaining a vulnerability scanning supplementary rule according to the vulnerability scanning rule adjustment instruction; and performing vulnerability scanning on the traffic data to be scanned by using the vulnerability scanning supplementary rule.
  • The scanning result of the traffic data to be scanned may be problematic; to avoid this, the scan result can be displayed on the UI interface, and a vulnerability scan rule adjustment instruction for the traffic data to be scanned can be received through the UI interface.
  • For example, the scan server may first scan with the web traffic vulnerability scanning rule and output the scan result, but the tester may consider the scan not thorough enough, and then the network traffic scanning rule may be invoked to scan the web traffic again; that is, the vulnerability scanning supplementary rule is obtained according to the vulnerability scan rule adjustment instruction, and vulnerability scanning is performed on the traffic data to be scanned with the supplementary rule, improving the accuracy of the vulnerability scanning rules.
  • In this embodiment, a vulnerability scanning rule adjustment instruction may further be received, and it is used to obtain another type of vulnerability scanning rule to scan the traffic further; that is, the system is configured through the web application service. Thus not only dynamic scanning of the traffic is supported but also manual intervention, so that key traffic can be scanned comprehensively and the accuracy of the vulnerability scanning is improved.
  • The step of intercepting the traffic data to be scanned may include intercepting the traffic data to be scanned by an agent set up in advance at the client.
  • The step of intercepting the traffic data to be scanned may also include: receiving, as the traffic data to be scanned, the mirrored traffic data generated by the core switch from the intercepted traffic data to be scanned.
  • The traffic interception may be performed at the trunk or the primary link node. To this end, an agent may be set up in the client in advance, and when the client installed on the terminal sends traffic data, the preset agent in the client intercepts the traffic data to be scanned. Alternatively, when the core switch or router receives the traffic data sent by the client, it mirrors the traffic data and sends the mirror to the scan server, thereby implementing interception of the traffic data to be scanned.
  • By performing traffic interception at the trunk or the primary link node and sending the intercepted traffic data to be scanned to the scan server, the scan server passively scans the traffic data instead of crawling it as in the traditional approach, which ensures the integrity of the traffic data to be scanned.
  • Although the steps in the flowchart of FIG. 3 are displayed sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the execution order of these steps is not strictly limited, and the steps may be performed in other orders. Moreover, at least some of the steps in FIG. 3 may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and the execution order of these sub-steps or stages is also not necessarily sequential; they may be performed in turn or alternately with other steps or with at least a portion of the sub-steps or stages of other steps.
  • A vulnerability scanning apparatus is provided, including a traffic interception module, a data determination module, a query module, a traffic type acquisition module, a rule acquisition module, and a scanning module, where:
  • the traffic intercepting module 100 is configured to intercept the traffic data to be scanned;
  • the data judging module 200 is configured to determine whether the intercepted traffic data to be scanned is dynamic data;
  • the query module 300 is configured to query whether the traffic data to be scanned has a parameter when the intercepted traffic data to be scanned is dynamic data;
  • the traffic type obtaining module 400 is configured to acquire the type of the traffic data to be scanned when the traffic data to be scanned has a parameter;
  • the rule obtaining module 500 is configured to acquire the vulnerability scanning rule corresponding to the type of the traffic data to be scanned; and
  • the scanning module 600 is configured to perform vulnerability scanning on the traffic data to be scanned by using the vulnerability scanning rule.
  • the apparatus may further include:
  • the resource occupancy obtaining module is configured to obtain the current resource occupancy rate after the traffic data to be scanned is intercepted and, if the current resource occupancy rate exceeds the threshold, to obtain the resource occupancy rates of the standby scanning servers;
  • the scanning module is further configured to select the standby scanning server with the lowest resource occupancy rate to continue determining whether the intercepted traffic data to be scanned is dynamic data.
  • the apparatus may further include:
  • the fault judging module is configured to determine whether the current scan server is faulty before the current resource occupancy rate is acquired;
  • the resource occupancy acquisition module is further configured to obtain the current resource occupancy rate if the current scan server is not faulty, and to obtain the resource occupancy rates of the standby scan servers if the current scan server is faulty;
  • the scanning module is further configured to select the standby scanning server with the lowest resource occupancy rate to continue determining whether the intercepted traffic data to be scanned is dynamic data.
  • the apparatus may further include:
  • the statistics module is configured to count the number of interceptions of the traffic data to be scanned before the traffic data to be scanned is intercepted;
  • the startup module is configured to start a corresponding number of scan servers according to the number of interceptions;
  • the data judging module is further configured to allocate the traffic data to be scanned to the started scan servers, which continue to determine whether the intercepted traffic data to be scanned is dynamic data.
  • the apparatus may further include:
  • the receiving module is configured to receive a vulnerability scanning rule adjustment instruction for the traffic data to be scanned after the traffic data has been scanned with the vulnerability scanning rule;
  • the supplementary rule acquisition module is configured to obtain a vulnerability scanning supplementary rule according to the vulnerability scanning rule adjustment instruction; and
  • the supplementary scanning module is configured to perform vulnerability scanning on the traffic data to be scanned by using the vulnerability scanning supplementary rule.
  • The intercepting module may be further configured to intercept the traffic data to be scanned by an agent preset in the client.
  • The intercepting module may be further configured to receive, as the traffic data to be scanned, the mirrored traffic data generated by the core switch from the intercepted traffic data to be scanned.
  • Each module of the above vulnerability scanning apparatus may be implemented in whole or in part by software, hardware, or a combination thereof.
  • Each of the above modules may be embedded in or independent of the processor in the computer device, or may be stored in software form in the memory of the computer device, so that the processor can invoke the operations corresponding to the above modules.
  • A computer device is provided, which may be a server, and whose internal structure may be as shown in FIG. 5.
  • The computer device includes a processor, a memory, a network interface, and a database connected by a system bus.
  • The processor of the computer device provides computing and control capabilities.
  • The memory of the computer device includes a non-volatile storage medium and an internal memory.
  • The non-volatile storage medium stores an operating system, computer readable instructions, and a database.
  • The internal memory provides an environment for the operation of the operating system and computer readable instructions in the non-volatile storage medium.
  • The database of the computer device is used to store vulnerability scan rule data.
  • The network interface of the computer device is used to communicate with an external terminal via a network connection.
  • The computer readable instructions are executed by the processor to implement a vulnerability scanning method.
  • FIG. 5 is only a block diagram of the part of the structure related to the solution of the present application, and does not limit the computer device to which the solution of the present application is applied; the specific computer device may include more or fewer components than shown in the figure, may combine some components, or may have a different arrangement of components.
  • a computer device comprising a memory, a processor, and computer readable instructions stored on the memory, where the processor, when executing the computer readable instructions, performs the following steps: intercepting the traffic data to be scanned; judging whether the intercepted traffic data to be scanned is dynamic data; when the intercepted traffic data to be scanned is dynamic data, querying whether the traffic data to be scanned has parameters; when the traffic data to be scanned has parameters, obtaining the type of the traffic data to be scanned; obtaining the vulnerability scanning rules corresponding to that type; and performing vulnerability scanning on the traffic data to be scanned using the vulnerability scanning rules.
  • the processor, when executing the computer readable instructions, may further perform: obtaining the current resource occupancy rate; if the current resource occupancy rate exceeds a threshold, obtaining the resource occupancy rates of the standby scan servers; and selecting the standby scan server with the lowest resource occupancy rate to continue with the step of judging whether the intercepted traffic data to be scanned is dynamic data.
  • the processor may further perform, before obtaining the current resource occupancy rate: judging whether the current scan server is faulty; if the current scan server is not faulty, continuing with the step of obtaining the current resource occupancy rate; if the current scan server is faulty, obtaining the resource occupancy rates of the standby scan servers, and selecting the standby scan server with the lowest resource occupancy rate to continue with the step of judging whether the intercepted traffic data to be scanned is dynamic data.
  • the processor may further perform: counting the number of interceptions of traffic data to be scanned; starting a corresponding number of scan servers according to the number of interceptions; and distributing the traffic data to be scanned to the started scan servers to continue with the step of judging whether the intercepted traffic data to be scanned is dynamic data.
  • the processor may further perform: receiving a vulnerability scanning rule adjustment instruction for the traffic data to be scanned; obtaining vulnerability scanning supplemental rules according to the adjustment instruction; and performing vulnerability scanning on the traffic data to be scanned using the vulnerability scanning supplemental rules.
  • in one embodiment, the step of intercepting the traffic data to be scanned, performed by the processor when executing the computer readable instructions, may include: intercepting the traffic data to be scanned through a proxy preset on the client.
  • in one embodiment, the step of intercepting the traffic data to be scanned, performed by the processor when executing the computer readable instructions, may include: receiving, as the traffic data to be scanned, the mirrored traffic data that the core switch generates from the intercepted traffic data to be scanned.
  • a computer readable storage medium storing computer readable instructions which, when executed by a processor, perform the following steps: intercepting the traffic data to be scanned; judging whether the intercepted traffic data to be scanned is dynamic data; when the intercepted traffic data to be scanned is dynamic data, querying whether the traffic data to be scanned has parameters; when the traffic data to be scanned has parameters, obtaining the type of the traffic data to be scanned; obtaining the vulnerability scanning rules corresponding to that type; and performing vulnerability scanning on the traffic data to be scanned using the vulnerability scanning rules.
  • Non-volatile memory can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory.
  • Volatile memory can include random access memory (RAM) or external cache memory.
  • by way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), memory bus (Rambus) direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).

Abstract

A vulnerability scanning method, a system, a computer apparatus, and a storage medium. The method comprises: intercepting traffic data to be scanned; determining whether the intercepted traffic data to be scanned is dynamic data; if so, performing a search to determine whether there is a parameter for the traffic data to be scanned; if so, acquiring the type of the traffic data to be scanned; acquiring a vulnerability scanning rule corresponding to the type of the traffic data to be scanned; and performing a vulnerability scan on the traffic data to be scanned by means of the vulnerability scanning rule.

Description

Vulnerability scanning method, device, computer device and storage medium
This application claims priority to Chinese Patent Application No. 2017114922037, entitled "Vulnerability scanning method, device, computer device and storage medium", filed with the Chinese Patent Office on December 30, 2017, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of computer technology, and in particular to a vulnerability scanning method, device, computer device and storage medium.
Background
With the development of computer technology, vulnerability scanning technology has emerged. Traditional vulnerability scanning is a security testing (penetration testing) activity that, based on a vulnerability database, detects the security weaknesses of a specified remote or local computer system by scanning and other means in order to discover exploitable vulnerabilities.
However, in traditional vulnerability scanning the scan server actively crawls the data to be scanned on the target server and then applies every vulnerability matching rule in the vulnerability database to judge whether the crawled data contains a vulnerability, so scanning efficiency is low.
Summary
According to various embodiments disclosed in the present application, a vulnerability scanning method, device, computer device and storage medium are provided.
A vulnerability scanning method, the method comprising:
intercepting traffic data to be scanned;
judging whether the intercepted traffic data to be scanned is dynamic data;
when the intercepted traffic data to be scanned is dynamic data, querying whether the traffic data to be scanned has parameters;
when the traffic data to be scanned has parameters, obtaining the type of the traffic data to be scanned;
obtaining the vulnerability scanning rules corresponding to the type of the traffic data to be scanned; and
performing vulnerability scanning on the traffic data to be scanned using the vulnerability scanning rules.
A vulnerability scanning device, the device comprising:
a traffic intercepting module, configured to intercept traffic data to be scanned;
a data judging module, configured to judge whether the intercepted traffic data to be scanned is dynamic data;
a querying module, configured to query, when the intercepted traffic data to be scanned is dynamic data, whether the traffic data to be scanned has parameters;
a traffic type obtaining module, configured to obtain the type of the traffic data to be scanned when the traffic data to be scanned has parameters;
a rule obtaining module, configured to obtain the vulnerability scanning rules corresponding to the type of the traffic data to be scanned; and
a scanning module, configured to perform vulnerability scanning on the traffic data to be scanned using the vulnerability scanning rules.
A computer device comprising a memory and a processor, the memory storing computer readable instructions which, when executed by the processor, cause the processor to perform the following steps:
intercepting traffic data to be scanned;
judging whether the intercepted traffic data to be scanned is dynamic data;
when the intercepted traffic data to be scanned is dynamic data, querying whether the traffic data to be scanned has parameters;
when the traffic data to be scanned has parameters, obtaining the type of the traffic data to be scanned;
obtaining the vulnerability scanning rules corresponding to the type of the traffic data to be scanned; and
performing vulnerability scanning on the traffic data to be scanned using the vulnerability scanning rules.
One or more non-volatile computer readable storage media storing computer readable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps:
intercepting traffic data to be scanned;
judging whether the intercepted traffic data to be scanned is dynamic data;
when the intercepted traffic data to be scanned is dynamic data, querying whether the traffic data to be scanned has parameters;
when the traffic data to be scanned has parameters, obtaining the type of the traffic data to be scanned;
obtaining the vulnerability scanning rules corresponding to the type of the traffic data to be scanned; and
performing vulnerability scanning on the traffic data to be scanned using the vulnerability scanning rules.
Details of one or more embodiments of the present application are set forth in the drawings and description below. Other features and advantages of the present application will become apparent from the description, the drawings and the claims.
Brief description of the drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is an application scenario diagram of a vulnerability scanning method in an embodiment;
FIG. 2 is an architecture diagram of a scan server in an embodiment;
FIG. 3 is a schematic flow chart of a vulnerability scanning method in an embodiment;
FIG. 4 is a structural block diagram of a vulnerability scanning device in an embodiment;
FIG. 5 is a diagram of the internal structure of a computer device in an embodiment.
Detailed description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present application and are not intended to limit it.
The vulnerability scanning method provided by the present application can be applied to the environment shown in FIG. 1. A terminal accesses resources on the network through a core switch, a router or the like. The scan server intercepts the terminal's traffic data through the core switch or router, or intercepts it by configuring a proxy server; the scan server can then scan the traffic data passively as it is intercepted, to judge whether the traffic data is vulnerability data, thereby detecting vulnerabilities. The terminal may be, but is not limited to, a personal computer, notebook computer, smartphone, tablet or portable wearable device; the scan server may be implemented as an independent server or as a server cluster composed of multiple servers.
Referring to FIG. 2, which is an architecture diagram of the scan server in an embodiment, the scan server comprises a system base, a scheduling engine and a web application service. The scheduling engine mainly provides the passive scanning service, the web application service mainly provides record querying, and a UI presents the results. Specifically, the scheduling engine may be deployed as a distributed, multi-threaded system containing a machine learning model, a scan engine and a system upgrade program; the machine learning model may be a decision tree model, the scan engine mainly stores the vulnerability scanning rules, and the system upgrade program handles upgrades of the system. The web application service mainly comprises a report module, a log module and a configuration module, and mainly provides the record query service: after each vulnerability scan completes, a log is generated and stored in the log module, a corresponding report (for example, a report that a vulnerability exists or that none exists) is generated from the scan result, and the report is displayed in the corresponding UI.
In one embodiment, as shown in FIG. 3, a vulnerability scanning method is provided. Taking the method applied to the scan server of FIG. 1 as an example, it comprises the following steps:
S302: intercept the traffic data to be scanned.
Specifically, traffic data is the data generated when a terminal accesses resources on the network, including the packets of access requests. The terminal used by a user can access resources on the Internet; when it does so, the traffic data can be intercepted at a backbone node or a link node, and the intercepted traffic is stored on the scan server so that it can be judged from that traffic data whether a vulnerability exists.
S304: judge whether the intercepted traffic data to be scanned is dynamic data.
Specifically, dynamic data is data that can be both viewed and interacted with, giving the user a richer experience: the user is no longer a passive reader. Message boards, forums, user registration and the like are dynamic and let the user interact with the website, whereas static data is only for viewing. Traffic that does not need vulnerability detection can be removed from the intercepted traffic data by machine learning, for example with a decision tree algorithm: when traffic data to be scanned is intercepted it is fed into the machine learning model, which first judges whether it is dynamic data. If it is dynamic data, the intercepted traffic data needs to continue to be scanned; if it is static data it can be discarded, which reduces the amount of traffic data that must continue to be scanned and improves scanning efficiency. The machine learning model may be prepared in advance, for example by building a training set and a test set from historical data to be scanned; the training set is used to train an initial model and the test set is used to correct the initial model so as to ensure the correctness of the model.
S306: when the intercepted traffic data to be scanned is dynamic data, query whether the traffic data to be scanned has parameters.
Specifically, when the first machine learning step judges the traffic data to be scanned to be dynamic data, a second machine learning step may judge whether the traffic data has parameters. Only traffic to be scanned that has parameters is vulnerability-scanned; traffic without parameters generally does not need to fetch resources from servers on the network and is therefore not vulnerability-scanned. In other embodiments the two machine learning steps can be integrated into a single machine learning model, so that when the traffic data to be scanned is input into the integrated model, static data and parameterless traffic data are removed.
S308: when the traffic data to be scanned has parameters, obtain the type of the traffic data to be scanned.
Specifically, when the traffic data to be scanned is dynamic data and has parameters, this indicates that it needs vulnerability scanning. The type of the traffic data to be scanned is therefore obtained first, so that different vulnerability scanning rules can be obtained for different types, which reduces the number of vulnerability scanning rules that must be executed.
S310: obtain the vulnerability scanning rules corresponding to the type of the traffic data to be scanned.
Specifically, the type of the traffic data to be scanned may include web traffic, network traffic and so on. The corresponding vulnerability detection rules are obtained according to the type, which reduces the proportion of vulnerability detection rules that are executed. For example, when the traffic data to be scanned is web traffic, the vulnerability detection rules for web traffic are obtained directly, without executing all the vulnerability detection rules, improving the execution efficiency of vulnerability detection.
S312: perform vulnerability scanning on the traffic data to be scanned using the vulnerability scanning rules.
Specifically, vulnerability scanning rules are rules stored in advance on the scan server. Comparing the traffic data to be scanned against the vulnerability scanning rules yields a result indicating whether that traffic data is vulnerability data, thereby scanning for vulnerabilities. For example, when the traffic data to be scanned matches a vulnerability scanning rule, that traffic data is vulnerability data and subsequent interception or the like is needed to prevent it from being accessed normally; when the traffic data to be scanned does not match any vulnerability scanning rule, it is not vulnerability data, can be accessed normally, and needs no subsequent interception or other handling.
In the above vulnerability scanning method, the traffic data to be scanned is first intercepted: whenever a client accesses data, its traffic data is intercepted, which widens the coverage of the traffic data to be scanned. Second, before vulnerability scanning, traffic data that does not need to be scanned is removed, which reduces the volume of traffic data to be scanned and improves scanning efficiency. Finally, the corresponding vulnerability scanning rules are obtained according to the type of the traffic data to be scanned, without executing every vulnerability scanning rule in the database, which greatly reduces the number of vulnerability scanning rules executed and thus also improves scanning efficiency.
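The following is an added example of the S302 to S312 pipeline in Python; it is not code from the patent or its applicant. The decision-tree model the description uses for the dynamic and parameter checks is replaced by simple heuristics (a static file-extension list and a parameter parser), the web/network split of S308 is assumed to follow the URL scheme, and the type-specific rule sets are a handful of regular expressions. All identifiers (Request, Finding, RULES, scan, ...) and the sample traffic are constructed for this example.

```python
"""Passive scan pipeline over intercepted traffic (steps S302 to S312).

Added example; not code from the patent or its applicant.  The decision-tree
model described for S304/S306 is replaced here by simple heuristics (a static
file-extension list and a parameter parser), the web/network split in S308 is
assumed to follow the URL scheme, and the rule sets are a handful of regexes.
All identifiers and the sample traffic are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed: requests for these extensions are static assets (S304 filter).
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff", ".svg")


@dataclass
class Request:
    """One intercepted request, as a mirror port or proxy would hand it over."""
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Finding:
    rule: str    # name of the matching rule
    param: str   # parameter that matched
    value: str   # offending value


# S310: rule sets keyed by traffic type.  Only the set for the request's
# type is evaluated, rather than every rule in the database.
RULES = {
    "web": {
        "sqli": re.compile(r"('|\")\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I),
        "xss": re.compile(r"<\s*script|javascript:|onerror\s*=", re.I),
        "path_traversal": re.compile(r"(\.\./){2,}"),
    },
    "network": {
        "cmd_injection": re.compile(r"[;&|`]\s*(cat|ls|id|whoami|nc)\b", re.I),
    },
}


def is_dynamic(req: Request) -> bool:
    """S304: drop static assets; everything else is treated as dynamic."""
    return not urlsplit(req.url).path.lower().endswith(STATIC_EXT)


def extract_params(req: Request) -> Dict[str, str]:
    """S306: collect query-string and form-encoded body parameters."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(req.url).query).items()}
    if req.body and req.headers.get("Content-Type", "").startswith(
            "application/x-www-form-urlencoded"):
        params.update({k: v[0] for k, v in parse_qs(req.body).items()})
    return params


def traffic_type(req: Request) -> str:
    """S308 (assumed classifier): HTTP(S) is 'web', any other scheme 'network'."""
    return "web" if urlsplit(req.url).scheme in ("http", "https") else "network"


def scan(req: Request) -> Optional[List[Finding]]:
    """Run S304..S312 on one request.

    Returns None when the request is filtered out before scanning (static,
    or dynamic but without parameters); otherwise the list of rule matches,
    which is empty when the parameters match nothing.
    """
    if not is_dynamic(req):
        return None
    params = extract_params(req)
    if not params:
        return None
    rules = RULES[traffic_type(req)]           # S310: type-specific rules only
    findings: List[Finding] = []
    for name, value in params.items():         # S312: match the rules
        for rule_name, pattern in rules.items():
            if pattern.search(value):
                findings.append(Finding(rule_name, name, value))
    return findings


def scan_all(requests: List[Request]) -> Dict[str, Optional[List[Finding]]]:
    """Scan a batch; keyed by URL so results can be inspected per request."""
    return {r.url: scan(r) for r in requests}


# Constructed sample traffic (not captured from any real system).
SAMPLE = [
    Request("GET", "http://app.example/static/site.css"),
    Request("GET", "http://app.example/about"),
    Request("GET", "http://app.example/search?q=shoes"),
    Request("GET", "http://app.example/item?id=1' OR 1=1"),
    Request("POST", "http://app.example/login",
            {"Content-Type": "application/x-www-form-urlencoded"},
            "user=<script>alert(1)</script>&pw=x"),
    Request("RAW", "tcp://10.0.0.5:9000/ctl?cmd=ls|whoami"),
]

if __name__ == "__main__":
    for url, result in scan_all(SAMPLE).items():
        shown = "filtered out" if result is None else [(f.rule, f.param) for f in result]
        print(f"{url:<45} -> {shown}")
```

Of the six constructed requests, the stylesheet and the parameterless page never reach the rule stage, the plain search is scanned and matches nothing, and the remaining three each match exactly one rule of their type. One caveat a practitioner should keep in mind: a rule match on an intercepted parameter shows that the traffic carries an attack pattern; whether the target is actually vulnerable to it still has to be established from the response or by a separate active check.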
In one embodiment, after the step of intercepting the traffic data to be scanned (step S302), the method may further include: obtaining the current resource occupancy rate; if the current resource occupancy rate exceeds a threshold, obtaining the resource occupancy rates of the standby scan servers; and selecting the standby scan server with the lowest resource occupancy rate to continue with the step of judging whether the intercepted traffic data to be scanned is dynamic data.
Specifically, in this embodiment the scan servers form a cluster with one primary scan server. After the primary scan server intercepts traffic data to be scanned, its resource occupancy rate is judged first. When the current resource occupancy rate of the primary scan server exceeds the threshold, the primary scan server is heavily loaded, so the resource occupancy rates of the standby scan servers are obtained and the standby scan server with the lowest resource occupancy rate is chosen to carry out the vulnerability scanning method, that is, to judge whether the intercepted traffic data to be scanned is dynamic data and so on. When the resource occupancy rates of the standby scan servers are obtained they may also be sorted, which makes selection more convenient. The threshold for the current resource occupancy rate may be determined from experience or from the peak measured in a system stress test, for example with different thresholds according to the amount of traffic data intercepted. The resource occupancy rate may be, for example, the CPU occupancy rate of the scan server.
In the above embodiment, after the traffic data to be scanned is intercepted, the resource occupancy rate of the primary scan server is judged first; only when it does not exceed the threshold is vulnerability scanning performed by the primary scan server, and when it exceeds the threshold a standby scan server is started and performs the vulnerability scanning, which keeps the system coordinated and running normally.
In one embodiment, before the step of obtaining the current resource occupancy rate, the method may further include: judging whether the current scan server is faulty; if the current scan server is not faulty, continuing with the step of obtaining the current resource occupancy rate; if the current scan server is faulty, obtaining the resource occupancy rates of the standby scan servers, and selecting the standby scan server with the lowest resource occupancy rate to continue with the step of judging whether the intercepted traffic data to be scanned is dynamic data.
Specifically, before the step of obtaining the current resource occupancy rate, it is first judged whether the current scan server is faulty. If it is not faulty, the current resource occupancy rate can be judged further and used to decide whether the current scan server performs the vulnerability detection. If the current scan server is faulty, the standby scan server with the lowest resource occupancy rate is selected to continue with the step of judging whether the intercepted traffic data to be scanned is dynamic data, without first judging the current resource occupancy rate, which saves an execution step. Here "lowest resource occupancy rate" may mean the lowest rate among those that are below a preset resource occupancy value. For example, with three standby scan servers A, B and C having resource occupancy rates a, b and c respectively, where a is greater than the preset value m, b and c are less than m, and b is less than c, the standby scan server corresponding to b is selected to continue with the step of judging whether the intercepted traffic data to be scanned is dynamic data. The preset resource occupancy value is not specifically limited in this embodiment and may be set from experience.
In practice, the scan servers use a distributed architecture and perform plugin scanning or rule matching through multi-threaded queues. For example, one primary scan server and multiple standby scan servers may be set up. When intercepted traffic is received, it is first judged whether the primary scan server is faulty; if so, scanning is performed by a standby scan server, where it may also first be judged whether that standby scan server is faulty, for example one at a time in the order of the standby scan servers: when the current standby scan server is faulty, the next one in order is judged, until a standby scan server that is not faulty is found. If the primary scan server is not faulty, its current resource occupancy rate is obtained; when that rate exceeds the threshold, scanning is performed by a standby scan server, for example by first obtaining the current resource occupancy rates of the standby scan servers, sorting them, and selecting a standby scan server with low resource occupancy to perform the scan.
In the above embodiment, after the traffic data to be scanned is intercepted, it is first judged whether the current scan server is faulty. If it is faulty, a standby scan server is selected directly for vulnerability scanning. If it is not faulty, the resource occupancy rate of the current scan server is judged first; only when it does not exceed the threshold is vulnerability scanning performed by the current scan server, and when it exceeds the threshold another scan server is started and performs the vulnerability scanning, which keeps the system coordinated and running normally.
In one embodiment, after the step of intercepting the traffic data to be scanned (step S302), the method further includes: counting the number of interceptions of traffic data to be scanned; starting a corresponding number of scan servers according to the number of interceptions; and distributing the traffic data to be scanned to the started scan servers to continue with the step of judging whether the intercepted traffic data to be scanned is dynamic data.
Specifically, the number of interceptions of traffic to be scanned is the number of vulnerability scan requests received by the scan servers: after the core switch, router or proxy server intercepts traffic to be scanned, it sends a vulnerability scan request carrying that traffic data to the scan server. The scan server control system starts a corresponding number of scan servers according to the number of interceptions and distributes the traffic data to be scanned among the started scan servers, so that multiple scan servers scan the traffic data together.
The number of interceptions, that is, the number of requests to scan traffic data, is used to start the corresponding number of scan servers, and the received requests are then distributed to those scan servers according to a load balancing policy. For example, when 3000 requests need to be processed, three scan servers are started and the 3000 requests are assigned in order to those three servers under the load balancing policy; the three scan servers process the requests simultaneously, improving scanning efficiency. Each scan server may also scan with multiple threads: when a scan server receives 1000 requests it starts 50 threads, each of which scans the traffic data of 20 requests, further improving efficiency. A processing peak and processing levels may be preset for each scan server, and the processing level selected according to the number of received requests: for example, when a first number of requests is received the processing level is level one, and when a second number is received the processing level is level two, where at level one a scan server processes A requests and at level two it processes B requests. The processing level is selected according to the number of received requests; assuming level one is selected, the number of scan servers to start is obtained from the number of received requests N and the level-one capacity A as N/A, and the number of threads each scan server needs to start is then determined from A, so that the requests are processed in parallel and processing efficiency is improved.
上述实施例中,根据所截取到的流量的次数,即获取针对流量进行扫描的请求的数量,根据该请求的数量启动对应的扫描服务器,然后根据负载均衡策略将所接收到的请求分配给对应的扫描服务器,提高了处理效率。In the above embodiment, according to the number of intercepted traffic, that is, the number of requests for scanning for traffic, the corresponding scanning server is started according to the number of the requests, and then the received request is allocated according to the load balancing policy. The scanning server improves processing efficiency.
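The two dispatch decisions described above, the failover choice (fault check, usage threshold, lowest-usage standby) and the scale-out rule (servers = N/A for the selected level, requests spread by a load balancing policy, threads per server), as an added example that is not code from the patent. The class names, the per-level capacities standing in for A and B, the level boundary and the round-robin reading of "assigned in order" are assumptions.

```python
"""Dispatching intercepted traffic to scan servers.

Added example, not code from the patent. It illustrates two of the
embodiments above: the failover decision (fault check first, then the
resource-usage threshold, then the standby server with the lowest usage)
and the scale-out rule (servers to start = N / A for the selected
processing level, requests distributed by a load balancing policy, each
server split into threads). Class names, the per-level capacities and
the level boundary are assumptions; the page only names them A and B.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ScanServer:
    name: str
    usage: float          # resource occupancy rate, 0.0 .. 1.0
    faulty: bool = False  # whether the server currently reports a fault


def select_scan_server(current: ScanServer, standbys: List[ScanServer],
                       threshold: float) -> Optional[ScanServer]:
    """Choose which server scans the intercepted traffic.

    Order of checks as in the embodiment: a faulty current server is
    bypassed immediately; a healthy one is kept while its usage is within
    the threshold; otherwise the standby with the lowest usage takes over.
    Returns None when no healthy standby exists, a case the page does not
    spell out; the caller must queue or drop the traffic deliberately.
    """
    if not current.faulty and current.usage <= threshold:
        return current
    healthy = [s for s in standbys if not s.faulty]
    if not healthy:
        return None
    return min(healthy, key=lambda s: s.usage)


# Requests one scan server handles at each processing level.
# Constructed values standing in for the page's A (level 1) and B (level 2).
LEVEL_CAPACITY: Dict[int, int] = {1: 1000, 2: 2000}
LEVEL_BOUNDARY = 5000  # constructed: request counts above this select level 2


def choose_level(n_requests: int) -> int:
    """Level 1 for a 'first quantity' of requests, level 2 beyond it."""
    return 1 if n_requests <= LEVEL_BOUNDARY else 2


def plan_scan(n_requests: int, requests_per_thread: int = 20) -> Dict[str, int]:
    """Number of servers to start and threads per server.

    servers = ceil(N / A) as on the page; the thread count follows from the
    per-server request volume and the requests each thread handles.
    """
    level = choose_level(n_requests)
    capacity = LEVEL_CAPACITY[level]
    servers = math.ceil(n_requests / capacity)
    per_server = min(n_requests, capacity)
    threads = math.ceil(per_server / requests_per_thread)
    return {"level": level, "servers": servers, "threads_per_server": threads}


def distribute(request_ids: List[int], n_servers: int) -> List[List[int]]:
    """Assign requests to the started servers in order.

    Round-robin is one reading of the page's 'assigned in order'; a
    contiguous split is the other, and either keeps the load balanced.
    """
    buckets: List[List[int]] = [[] for _ in range(n_servers)]
    for i, rid in enumerate(request_ids):
        buckets[i % n_servers].append(rid)
    return buckets


if __name__ == "__main__":
    current = ScanServer("scan-1", usage=0.92)
    standbys = [ScanServer("scan-2", 0.40), ScanServer("scan-3", 0.15, faulty=True)]
    print(select_scan_server(current, standbys, threshold=0.80).name)  # scan-2
    print(plan_scan(3000))  # {'level': 1, 'servers': 3, 'threads_per_server': 50}
```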
In one embodiment, after the step of performing a vulnerability scan on the traffic data to be scanned using the vulnerability scanning rule, the method may further include: receiving a vulnerability scanning rule adjustment instruction for the traffic data to be scanned; obtaining a supplementary vulnerability scanning rule according to the vulnerability scanning rule adjustment instruction; and performing a vulnerability scan on the traffic data to be scanned using the supplementary vulnerability scanning rule.
Specifically, in general, traffic data of each type only needs to be scanned with the vulnerability scanning rule corresponding to that type, but in special cases the scan result for that traffic data may be problematic. To avoid this, the scan results for the traffic data to be scanned may all be displayed on a UI, through which a vulnerability scanning rule adjustment instruction for the traffic data can be received. For example, for web traffic, the scan server may first scan with the web traffic vulnerability scanning rule and output the scan result; if the tester considers this scan insufficient, the network traffic scanning rule may then be invoked to scan the same web traffic again. That is, a supplementary vulnerability scanning rule is obtained according to the vulnerability scanning rule adjustment instruction, and a vulnerability scan is performed on the traffic data using the supplementary rule, which improves the accuracy of the vulnerability scanning rules.
The above embodiment may further include receiving a vulnerability scanning rule adjustment instruction and, according to it, obtaining another type of vulnerability scanning rule to scan the traffic further. That is, the system is configured through a web application service. In this embodiment, not only dynamic scanning of traffic is supported but also manual intervention, so that key traffic can be scanned comprehensively and the accuracy of vulnerability scanning is improved.
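The rule-selection path of the method (dynamic data? carries parameters? which type?) followed by a supplementary rule of another type, as an added example that is not code from the patent. The static-extension list, the type labels "web" and "network" and the rule patterns are constructed placeholders; the patent does not define the rule contents.

```python
"""Rule selection for one intercepted request, plus a supplementary rule.

Added example, not code from the patent. It walks an intercepted URL
through the method's checks (dynamic data? carries parameters? which
traffic type?), picks the rule set for that type, and, when an adjustment
instruction names another type, scans again with that type's rules as
the supplementary rule set. The static-extension list, the type labels
and the rule patterns are constructed placeholders.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Resources treated as static (constructed list): no scan is needed for them.
STATIC_EXTENSIONS = {".png", ".jpg", ".gif", ".css", ".js", ".ico", ".woff"}

# Rule set per traffic type: (rule name, pattern matched against parameter values).
# Constructed detection patterns, chosen only to show the mechanism.
Rule = Tuple[str, re.Pattern]
RULES: Dict[str, List[Rule]] = {
    "web": [
        ("angle-bracket-in-parameter", re.compile(r"[<>]")),
        ("oversized-parameter", re.compile(r"^.{256,}$", re.S)),
    ],
    "network": [
        ("dot-dot-slash", re.compile(r"\.\./")),
        ("control-character", re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")),
    ],
}


@dataclass
class Traffic:
    url: str
    traffic_type: str  # label assigned at interception, e.g. "web" or "network"


def is_dynamic(traffic: Traffic) -> bool:
    """Assumption: a request for a static file extension is not dynamic data."""
    ext = os.path.splitext(urlsplit(traffic.url).path)[1].lower()
    return ext not in STATIC_EXTENSIONS


def parameters(traffic: Traffic) -> Dict[str, List[str]]:
    """Query parameters of the request, keeping empty values."""
    return parse_qs(urlsplit(traffic.url).query, keep_blank_values=True)


def select_rules(traffic: Traffic) -> Optional[List[Rule]]:
    """The method's gate: only dynamic data that carries parameters is scanned.

    Returns None when nothing is to be scanned, [] for an unknown type.
    """
    if not is_dynamic(traffic) or not parameters(traffic):
        return None
    return RULES.get(traffic.traffic_type, [])


def apply_rules(traffic: Traffic, rules: List[Rule]) -> List[str]:
    """Return 'rule:parameter' for every parameter value a rule matches."""
    findings: List[str] = []
    for name, values in parameters(traffic).items():
        for value in values:
            for rule_name, pattern in rules:
                if pattern.search(value):
                    findings.append(f"{rule_name}:{name}")
    return findings


def scan(traffic: Traffic, supplementary_type: Optional[str] = None) -> List[str]:
    """Scan with the rules for the traffic's own type; if an adjustment
    instruction names another type, rescan with that type's rules too."""
    rules = select_rules(traffic)
    if rules is None:
        return []
    findings = apply_rules(traffic, rules)
    if supplementary_type is not None:
        findings += apply_rules(traffic, RULES.get(supplementary_type, []))
    return findings


if __name__ == "__main__":
    # Constructed sample: web rules find nothing, the network rule set does.
    t = Traffic("http://example.test/download?file=../../config.ini", "web")
    print(scan(t))                             # []
    print(scan(t, supplementary_type="network"))  # ['dot-dot-slash:file']
```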
In one embodiment, the step of intercepting the traffic data to be scanned may include intercepting the traffic data to be scanned by an agent program preset on the client. Alternatively, the step of intercepting the traffic data to be scanned may include: receiving mirrored traffic data, generated by a core switch from the traffic data to be scanned that it intercepted, as the traffic data to be scanned.
Specifically, traffic may be intercepted at a trunk or main link node. For instance, an agent may be preset on the client, and when the client installed on the terminal sends traffic data, the agent program preset on the client intercepts it as traffic data to be scanned. Alternatively, when a core switch or router receives traffic data sent by the client, the core switch or router mirrors the traffic data and sends the mirrored traffic data to the scan server, thereby achieving interception of the traffic data to be scanned.
In the above embodiment, traffic is intercepted at a trunk or main link node and the intercepted traffic data to be scanned is sent to the scan server, so that the scan server scans the traffic data passively rather than crawling traffic data as in the traditional approach; this ensures the completeness of the traffic data to be scanned.
It should be understood that, although the steps in the flowchart of FIG. 3 are shown in sequence as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict ordering restriction on these steps, and they may be performed in other orders. Moreover, at least some of the steps in FIG. 3 may include multiple sub-steps or stages, which are not necessarily completed at the same moment but may be performed at different moments; the execution order of these sub-steps or stages is not necessarily sequential either, and they may be performed in turn or alternately with other steps or with at least part of the sub-steps or stages of other steps.
In one embodiment, as shown in FIG. 4, a vulnerability scanning apparatus is provided, including a traffic interception module, a data determination module, a query module, a traffic type acquisition module, a rule acquisition module and a scanning module, where:
The traffic interception module 100 is configured to intercept traffic data to be scanned.
The data determination module 200 is configured to determine whether the intercepted traffic data to be scanned is dynamic data.
The query module 300 is configured to query, when the intercepted traffic data to be scanned is dynamic data, whether the traffic data to be scanned contains a parameter.
The traffic type acquisition module 400 is configured to obtain the type of the traffic data to be scanned when the traffic data to be scanned contains a parameter.
The rule acquisition module 500 is configured to obtain the vulnerability scanning rule corresponding to the type of the traffic data to be scanned.
The scanning module 600 is configured to perform a vulnerability scan on the traffic data to be scanned using the vulnerability scanning rule.
In one embodiment, the apparatus may further include:
a resource occupancy acquisition module, configured to obtain the current resource occupancy rate after the traffic data to be scanned is intercepted and, if the current resource occupancy rate exceeds the threshold, to obtain the resource occupancy rates of the standby scan servers.
The scanning module is further configured to select the standby scan server with the lowest resource occupancy rate among the standby scan servers to continue determining whether the intercepted traffic data to be scanned is dynamic data.
In one embodiment, the apparatus may further include:
a fault determination module, configured to determine whether the current scan server is faulty before the current resource occupancy rate is obtained.
The resource occupancy acquisition module is further configured to continue obtaining the current resource occupancy rate if the current scan server is not faulty, and to obtain the resource occupancy rates of the standby scan servers if the current scan server is faulty.
The scanning module is further configured to select the standby scan server with the lowest resource occupancy rate among the standby scan servers to continue determining whether the intercepted traffic data to be scanned is dynamic data.
In one embodiment, the apparatus may further include:
a statistics module, configured to count the number of interceptions of traffic data to be scanned before the traffic data to be scanned is intercepted.
a startup module, configured to start a corresponding number of scan servers according to the interception count.
The data determination module is further configured to distribute the traffic data to be scanned among the started scan servers to continue determining whether the intercepted traffic data to be scanned is dynamic data.
In one embodiment, the apparatus may further include:
a receiving module, configured to receive a vulnerability scanning rule adjustment instruction for the traffic data to be scanned after the vulnerability scan using the vulnerability scanning rule has been performed on the traffic data to be scanned.
a supplementary rule acquisition module, configured to obtain a supplementary vulnerability scanning rule according to the vulnerability scanning rule adjustment instruction.
a supplementary scanning module, configured to perform a vulnerability scan on the traffic data to be scanned using the supplementary vulnerability scanning rule.
In one embodiment, the interception module may further be configured to intercept the traffic data to be scanned by an agent program preset on the client.
In one embodiment, the interception module may further be configured to receive mirrored traffic data, generated by the core switch from the traffic data to be scanned that it intercepted, as the traffic data to be scanned.
For the specific limitations of the vulnerability scanning apparatus, reference may be made to the limitations of the vulnerability scanning method above, which are not repeated here. Each module of the vulnerability scanning apparatus may be implemented in whole or in part by software, hardware or a combination thereof. The modules may be embedded in hardware form in, or independent of, the processor of the computer device, or stored in software form in the memory of the computer device, so that the processor can invoke and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a server, and whose internal structure may be as shown in FIG. 5. The computer device includes a processor, a memory, a network interface and a database connected via a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer-readable instructions and a database. The internal memory provides an environment for running the operating system and the computer-readable instructions held in the non-volatile storage medium. The database of the computer device stores vulnerability scanning rule data. The network interface of the computer device communicates with external terminals over a network connection. When executed by the processor, the computer-readable instructions implement a vulnerability scanning method.
Those skilled in the art will understand that the structure shown in FIG. 5 is only a block diagram of the part of the structure relevant to the solution of the present application and does not limit the computer device to which the solution is applied; a specific computer device may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, including a memory and a processor, with computer-readable instructions stored in the memory; when the processor executes the computer-readable instructions, the following steps are implemented: intercepting traffic data to be scanned; determining whether the intercepted traffic data to be scanned is dynamic data; when the intercepted traffic data to be scanned is dynamic data, querying whether the traffic data to be scanned contains a parameter; when the traffic data to be scanned contains a parameter, obtaining the type of the traffic data to be scanned; obtaining the vulnerability scanning rule corresponding to the type of the traffic data to be scanned; and performing a vulnerability scan on the traffic data to be scanned using the vulnerability scanning rule.
In one embodiment, after the step of intercepting traffic data to be scanned implemented when the processor executes the computer-readable instructions, the steps may further include: obtaining the current resource occupancy rate; if the current resource occupancy rate exceeds the threshold, obtaining the resource occupancy rates of the standby scan servers; and selecting the standby scan server with the lowest resource occupancy rate among the standby scan servers to continue with the step of determining whether the intercepted traffic data to be scanned is dynamic data.
In one embodiment, before the step of obtaining the current resource occupancy rate implemented when the processor executes the computer-readable instructions, the steps may further include: determining whether the current scan server is faulty; if the current scan server is not faulty, continuing with the step of obtaining the current resource occupancy rate; if the current scan server is faulty, obtaining the resource occupancy rates of the standby scan servers; and selecting the standby scan server with the lowest resource occupancy rate among the standby scan servers to continue with the step of determining whether the intercepted traffic data to be scanned is dynamic data.
In one embodiment, after the step of intercepting traffic data to be scanned implemented when the processor executes the computer-readable instructions, the steps may further include: counting the number of interceptions of traffic data to be scanned; starting a corresponding number of scan servers according to the interception count; and distributing the traffic data to be scanned among the started scan servers to continue with the step of determining whether the intercepted traffic data to be scanned is dynamic data.
In one embodiment, after the step of performing a vulnerability scan on the traffic data to be scanned using the vulnerability scanning rule implemented when the processor executes the computer-readable instructions, the steps may further include: receiving a vulnerability scanning rule adjustment instruction for the traffic data to be scanned; obtaining a supplementary vulnerability scanning rule according to the vulnerability scanning rule adjustment instruction; and performing a vulnerability scan on the traffic data to be scanned using the supplementary vulnerability scanning rule.
In one embodiment, the step of intercepting traffic data to be scanned implemented when the processor executes the computer-readable instructions may include: intercepting the traffic data to be scanned by an agent program preset on the client.
In one embodiment, the step of intercepting traffic data to be scanned implemented when the processor executes the computer-readable instructions may include: receiving mirrored traffic data, generated by the core switch from the traffic data to be scanned that it intercepted, as the traffic data to be scanned.
In one embodiment, a computer-readable storage medium is provided, storing computer-readable instructions which, when executed by a processor, implement the following steps: intercepting traffic data to be scanned; determining whether the intercepted traffic data to be scanned is dynamic data; when the intercepted traffic data to be scanned is dynamic data, querying whether the traffic data to be scanned contains a parameter; when the traffic data to be scanned contains a parameter, obtaining the type of the traffic data to be scanned; obtaining the vulnerability scanning rule corresponding to the type of the traffic data to be scanned; and performing a vulnerability scan on the traffic data to be scanned using the vulnerability scanning rule.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be completed by instructing the relevant hardware through computer-readable instructions, which may be stored in a non-volatile computer-readable storage medium and which, when executed, may include the processes of the embodiments of the above methods. Any reference to memory, storage, a database or other media used in the embodiments provided in the present application may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments are described; however, as long as there is no contradiction in a combination of these technical features, it should be considered within the scope of this specification.
The above embodiments express only several implementations of the present application, and their description is relatively specific and detailed, but this should not be understood as limiting the scope of the invention patent. It should be noted that those of ordinary skill in the art may make several variations and improvements without departing from the concept of the present application, and these all fall within the scope of protection of the present application. Therefore, the scope of protection of this patent application shall be determined by the appended claims.

Claims (20)

  1. A vulnerability scanning method, the method comprising:
    intercepting traffic data to be scanned;
    determining whether the intercepted traffic data to be scanned is dynamic data;
    when the intercepted traffic data to be scanned is dynamic data, querying whether said traffic data to be scanned contains a parameter;
    when said traffic data to be scanned contains a parameter, obtaining the type of said traffic data to be scanned;
    obtaining a vulnerability scanning rule corresponding to the type of said traffic data to be scanned; and
    performing a vulnerability scan on said traffic data to be scanned using said vulnerability scanning rule.
  2. The method according to claim 1, characterized in that after the step of intercepting traffic data to be scanned, the method further comprises:
    obtaining a current resource occupancy rate;
    if said current resource occupancy rate exceeds a threshold, obtaining the resource occupancy rates of standby scan servers; and
    selecting the standby scan server with the lowest resource occupancy rate among said standby scan servers to continue with the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  3. The method according to claim 2, characterized in that before the step of obtaining the current resource occupancy rate, the method further comprises:
    determining whether the current scan server is faulty;
    if the current scan server is not faulty, continuing with the step of obtaining the current resource occupancy rate;
    if the current scan server is faulty, obtaining the resource occupancy rates of standby scan servers; and
    selecting the standby scan server with the lowest resource occupancy rate among said standby scan servers to continue with the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  4. The method according to claim 1, characterized in that after the step of intercepting traffic data to be scanned, the method further comprises:
    counting the number of interceptions of said traffic data to be scanned;
    starting a corresponding number of scan servers according to said interception count; and
    distributing said traffic data to be scanned among the started scan servers to continue with the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  5. The method according to any one of claims 1 to 4, characterized in that after the step of performing a vulnerability scan on said traffic data to be scanned using said vulnerability scanning rule, the method further comprises:
    receiving a vulnerability scanning rule adjustment instruction for said traffic data to be scanned;
    obtaining a supplementary vulnerability scanning rule according to said vulnerability scanning rule adjustment instruction; and
    performing a vulnerability scan on said traffic data to be scanned using said supplementary vulnerability scanning rule.
  6. The method according to any one of claims 1 to 4, characterized in that the step of intercepting traffic data to be scanned comprises:
    intercepting the traffic data to be scanned by agent-readable instructions preset on the client.
  7. The method according to any one of claims 1 to 4, characterized in that the step of intercepting traffic data to be scanned comprises:
    receiving mirrored traffic data, generated by a core switch from the traffic data to be scanned that it intercepted, as the traffic data to be scanned.
  8. A vulnerability scanning apparatus, characterized in that the apparatus comprises:
    a traffic interception module, configured to intercept traffic data to be scanned;
    a data determination module, configured to determine whether the intercepted traffic data to be scanned is dynamic data;
    a query module, configured to query, when the intercepted traffic data to be scanned is dynamic data, whether said traffic data to be scanned contains a parameter;
    a traffic type acquisition module, configured to obtain the type of said traffic data to be scanned when said traffic data to be scanned contains a parameter;
    a rule acquisition module, configured to obtain a vulnerability scanning rule corresponding to the type of said traffic data to be scanned; and
    a scanning module, configured to perform a vulnerability scan on said traffic data to be scanned using said vulnerability scanning rule.
  9. The apparatus according to claim 8, characterized in that the apparatus further comprises:
    a resource occupancy acquisition module, configured to obtain a current resource occupancy rate and, if said current resource occupancy rate exceeds a threshold, to obtain the resource occupancy rates of standby scan servers; and
    said scanning module is further configured to select the standby scan server with the lowest resource occupancy rate among said standby scan servers to continue determining whether the intercepted traffic data to be scanned is dynamic data.
  10. A computer device, comprising a memory and a processor, the memory storing computer-readable instructions, characterized in that the processor, when executing said computer-readable instructions, implements the following steps:
    intercepting traffic data to be scanned;
    determining whether the intercepted traffic data to be scanned is dynamic data;
    when the intercepted traffic data to be scanned is dynamic data, querying whether said traffic data to be scanned contains a parameter;
    when said traffic data to be scanned contains a parameter, obtaining the type of said traffic data to be scanned;
    obtaining a vulnerability scanning rule corresponding to the type of said traffic data to be scanned; and
    performing a vulnerability scan on said traffic data to be scanned using said vulnerability scanning rule.
  11. The computer device according to claim 10, characterized in that after the step of intercepting traffic data to be scanned implemented when said processor executes said computer-readable instructions, the steps further comprise:
    obtaining a current resource occupancy rate;
    if said current resource occupancy rate exceeds a threshold, obtaining the resource occupancy rates of standby scan servers; and
    selecting the standby scan server with the lowest resource occupancy rate among said standby scan servers to continue with the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  12. The computer device according to claim 11, characterized in that before the step of obtaining the current resource occupancy rate implemented when said processor executes said computer-readable instructions, the steps further comprise:
    determining whether the current scan server is faulty;
    if the current scan server is not faulty, continuing with the step of obtaining the current resource occupancy rate;
    if the current scan server is faulty, obtaining the resource occupancy rates of standby scan servers; and
    selecting the standby scan server with the lowest resource occupancy rate among said standby scan servers to continue with the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  13. The computer device according to claim 10, characterized in that after the step of intercepting traffic data to be scanned implemented when said processor executes said computer-readable instructions, the steps further comprise:
    counting the number of interceptions of said traffic data to be scanned;
    starting a corresponding number of scan servers according to said interception count; and
    distributing said traffic data to be scanned among the started scan servers to continue with the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  14. The computer device according to any one of claims 10 to 13, characterized in that after the step of performing a vulnerability scan on said traffic data to be scanned using said vulnerability scanning rule implemented when said processor executes said computer-readable instructions, the steps further comprise:
    receiving a vulnerability scanning rule adjustment instruction for said traffic data to be scanned;
    obtaining a supplementary vulnerability scanning rule according to said vulnerability scanning rule adjustment instruction; and
    通过所述漏洞扫描补充规则对所述待扫描流量数据进行漏洞扫描。Vulnerability scanning is performed on the to-be-scanned traffic data by using the vulnerability scanning supplemental rule.
  15. 根据权利要求10至13任一项所述的计算机设备,其特征在于,所述处理器执行所述计算机可读指令时所实现的所述截取待扫描流量数据的步骤,包括:The computer device according to any one of claims 10 to 13, wherein the step of intercepting the to-be-scanned traffic data implemented by the processor when the processor is executed by the computer comprises:
    通过预先设置在客户端的代理可读指令截取待扫描流量数据。The traffic data to be scanned is intercepted by a proxy readable instruction set in advance on the client.
  16. 根据权利要求10至13任一项所述的计算机设备,其特征在于,所述处理器执行所述计算机可读指令时所实现的所述截取待扫描流量数据的步骤,包括:The computer device according to any one of claims 10 to 13, wherein the step of intercepting the to-be-scanned traffic data implemented by the processor when the processor is executed by the computer comprises:
    接收核心交换机根据所截取到的待扫描流量数据生成的镜像流量数据作为待扫描流量数据。The receiving core switch uses the mirrored traffic data generated according to the intercepted traffic data to be scanned as the traffic data to be scanned.
  17. 一个或多个存储有计算机可读指令的计算机可读非易失性存储介质,其特征在于,所述计算机可读指令被一个或多个处理器执行时,使得一个或多个处理器执行以下步骤:One or more computer readable non-volatile storage media storing computer readable instructions, wherein when the computer readable instructions are executed by one or more processors, cause one or more processors to perform the following step:
    截取待扫描流量数据;Intercepting traffic data to be scanned;
    判断所截取的待扫描流量数据是否为动态数据;Determining whether the intercepted traffic data to be scanned is dynamic data;
    当所截取的待扫描流量数据是动态数据时,则查询所述待扫描流量数据是否存在参数;When the intercepted traffic data to be scanned is dynamic data, query whether the traffic data to be scanned has parameters;
    当所述扫描流量数据存在参数时,则获取所述待扫描流量数据的类型;及Obtaining a type of the to-be-scanned traffic data when the scanning traffic data has a parameter; and
    获取与所述待扫描流量数据的类型对应的漏洞扫描规则;Obtaining a vulnerability scan rule corresponding to the type of the traffic data to be scanned;
    通过所述漏洞扫描规则对所述待扫描流量数据进行漏洞扫描。The vulnerability scanning data is subjected to vulnerability scanning by the vulnerability scanning rule.
  18. 根据权利要求17所述的存储介质,其特征在于,所述计算机可读指令被一个或多个处理器执行时,使得一个或多个处理器执行的所述截取待扫描流量数据的步骤之后,还包括:The storage medium of claim 17, wherein when the computer readable instructions are executed by one or more processors, causing the one or more processors to perform the step of intercepting the flow data to be scanned, Also includes:
    获取当前资源占用率;Obtain the current resource occupancy rate;
    若所述当前资源占用率超过阈值时,则获取备扫描服务器的资源占用率;及If the current resource occupancy rate exceeds the threshold, the resource occupancy rate of the standby scanning server is obtained; and
    选取所述备扫描服务器的资源占用率最低的备扫描服务器继续执行判断所截取的待扫描流量数据是否为动态数据的步骤。The standby scanning server with the lowest resource usage of the standby scanning server continues to perform the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  19. 根据权利要求18所述的存储介质,其特征在于,所述计算机可读指令被一个或多个处理器执行时,使得一个或多个处理器执行的所述获取当前资源占用率的步骤之前,还包括:The storage medium of claim 18, wherein when the computer readable instructions are executed by one or more processors, causing the one or more processors to perform the step of obtaining a current resource occupancy, Also includes:
    判断当前扫描服务器是否出现故障;Determine whether the current scan server is faulty;
    若当前扫描服务器未出现故障,则继续执行获取当前资源占用率的步骤;If the current scan server does not fail, continue to perform the step of obtaining the current resource occupancy rate;
    若当前扫描服务器出现故障,则获取备扫描服务器的资源占用率;及If the current scan server fails, the resource occupancy rate of the standby scan server is obtained;
    选取所述备扫描服务器的资源占用率最低的备扫描服务器继续执行判断所截取的待扫描流量数据是否为动态数据的步骤。The standby scanning server with the lowest resource usage of the standby scanning server continues to perform the step of determining whether the intercepted traffic data to be scanned is dynamic data.
  20. 根据权利要求17所述的存储介质,其特征在于,所述计算机可读指令被一个或多个处理器执行时,使得一个或多个处理器执行的所述截取待扫描流量数据的步骤之后,还包括:The storage medium of claim 17, wherein when the computer readable instructions are executed by one or more processors, causing the one or more processors to perform the step of intercepting the flow data to be scanned, Also includes:
    统计截取所述待扫描流量数据的截取次数;Counting the number of intercepts of the traffic data to be scanned;
    根据所述截取次数启动对应数量的扫描服务器;及Starting a corresponding number of scan servers according to the number of intercepts; and
    将所述待扫描流量数据分配至所启动的扫描服务器中以继续执行判断所截取的待扫描流量数据是否为动态数据的步骤。And distributing the to-be-scanned traffic data to the activated scan server to continue performing the step of determining whether the intercepted traffic data to be scanned is dynamic data.
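The six-step pipeline of claims 10 and 17 (intercept, dynamic check, parameter check, type, rule lookup, scan), the failover and load-threshold server selection of claims 11, 12, 18 and 19, and the scale-out by interception count of claims 13 and 20, as an added example that is not the patent's own code. The static-extension list, the rule table, the occupancy threshold and the per-server capacity are assumptions, since the claims leave all of them unspecified.

```python
# Added example (not the patent's code): the claimed pipeline plus the scheduling
# steps.  STATIC_EXTS, RULES, THRESHOLD and per_server are assumptions.
import json
from urllib.parse import parse_qs, urlsplit

STATIC_EXTS = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff")
RULES = {"query": ["sqli", "xss"], "form": ["sqli", "xss", "csrf"],
         "json": ["json-injection"]}   # assumed rule table keyed by data type
THRESHOLD = 0.8  # assumed resource-occupancy threshold (claims 11/18)

def is_dynamic(method, url):
    """Step 2: static assets are skipped; any other request counts as dynamic."""
    return method != "GET" or not urlsplit(url).path.lower().endswith(STATIC_EXTS)

def data_type(content_type):
    """Step 4: the type of the traffic data selects the rule set."""
    if "json" in content_type:
        return "json"
    return "form" if "form" in content_type else "query"

def extract_params(url, content_type, body):
    """Step 3: parameters from the query string and, if present, the body."""
    params = parse_qs(urlsplit(url).query)
    if body and data_type(content_type) == "json":
        params.update(json.loads(body))  # assumes a JSON object body
    elif body and data_type(content_type) == "form":
        params.update(parse_qs(body))
    return params

def scan(method, url, content_type="", body=""):
    """Steps 1-6: map each parameter to the rules to run, {} if nothing is scanned."""
    if not is_dynamic(method, url):
        return {}
    params = extract_params(url, content_type, body)
    if not params:
        return {}
    rules = RULES[data_type(content_type)]
    return {name: rules for name in params}

def select_server(current, standbys):
    """Claims 11/12: stay on the current server unless it failed or exceeds the
    threshold; otherwise the standby with the lowest load.  Servers are dicts
    {"name": str, "load": float, "faulty": bool}."""
    if current["faulty"] or current["load"] > THRESHOLD:
        return min(standbys, key=lambda s: s["load"])["name"]
    return current["name"]

def servers_to_start(intercept_count, per_server=100):
    """Claim 13: scale the number of scanning servers with the interception count."""
    return -(-intercept_count // per_server)  # ceiling division
```

Requests without parameters and static assets fall out of the pipeline before any rule is looked up, which is the filtering the claims rely on to keep the scanning load down.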
PCT/CN2018/077372 2017-12-30 2018-02-27 Vulnerability scanning method, device, computer apparatus, and storage medium WO2019127890A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201711492203.7A CN108206830B (en) 2017-12-30 2017-12-30 Vulnerability scanning method, apparatus, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2019127890A1 true WO2019127890A1 (en) 2019-07-04

Family

ID=62606158

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/077372 WO2019127890A1 (en) 2017-12-30 2018-02-27 Vulnerability scanning method, device, computer apparatus, and storage medium

Country Status (2)

Country Link
CN (1) CN108206830B (en)
WO (1) WO2019127890A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11930031B2 (en) 2020-06-23 2024-03-12 Tenable, Inc. Distributed network based vulnerability scanning via endpoint agent deployment

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110059007B (en) * 2019-04-03 2020-12-22 奇安信科技集团股份有限公司 System vulnerability scanning method and device, computer equipment and storage medium
CN110377518B (en) * 2019-07-17 2023-07-25 招商银行股份有限公司 Full-flow scanning method, device, equipment and readable storage medium
CN111078517B (en) * 2019-12-09 2023-09-01 广州品唯软件有限公司 Page monitoring method and device, computer equipment and storage medium
CN112464238B (en) * 2020-12-15 2023-10-31 中国联合网络通信集团有限公司 Vulnerability scanning method and electronic equipment
CN112468516A (en) * 2020-12-17 2021-03-09 全球能源互联网研究院有限公司 Security defense method and device, electronic equipment and storage medium
CN112738068B (en) * 2020-12-25 2023-03-07 北京天融信网络安全技术有限公司 Network vulnerability scanning method and device
CN115622744B (en) * 2022-09-21 2024-04-09 天津大学 Web vulnerability scanning attack detection system under encrypted traffic

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130055398A1 (en) * 2011-08-26 2013-02-28 Rapid7, LLC. Systems and methods for performing vulnerability scans on virtual machines
CN103685228A (en) * 2013-10-12 2014-03-26 北京奇虎科技有限公司 Website vulnerability rapid scanning method and device
CN104144148A (en) * 2013-05-10 2014-11-12 中国电信股份有限公司 Vulnerability scanning method and server and risk assessment system
CN106656657A (en) * 2016-11-11 2017-05-10 北京匡恩网络科技有限责任公司 Adaptive vulnerability mining framework based on industrial control protocol

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7278161B2 (en) * 2001-10-01 2007-10-02 International Business Machines Corporation Protecting a data processing system from attack by a vandal who uses a vulnerability scanner
CN103685258B (en) * 2013-12-06 2018-09-04 北京奇安信科技有限公司 A kind of method and apparatus of quick scans web sites loophole

Also Published As

Publication number Publication date
CN108206830A (en) 2018-06-26
CN108206830B (en) 2019-09-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18897707; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 06.10.2020))
122 Ep: pct application non-entry in european phase (Ref document number: 18897707; Country of ref document: EP; Kind code of ref document: A1)