CN114139161A - Method, device, electronic equipment and medium for batch vulnerability detection - Google Patents
- Publication number
- CN114139161A (application number CN202111274545.8A)
- Authority
- CN
- China
- Prior art keywords
- vulnerability
- preset rule
- specific information
- host
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Debugging And Monitoring (AREA)
Abstract
The application relates to a method, a device, electronic equipment and a medium for detecting vulnerabilities in batches, and relates to the technical field of system vulnerability scanning. The method and the device have the effect of improving the efficiency of the vulnerability scanning task.
Description
Technical Field
The present application relates to the field of system vulnerability scanning technologies, and in particular, to a method, an apparatus, an electronic device, and a medium for batch vulnerability detection.
Background
With the rapid development of computer network technology and the wide popularization of the internet, viruses and hackers attack and invade a large number of devices such as enterprises, institutions and personal computers through vulnerabilities, which leads people to seek better solutions for preventing the vulnerabilities while enjoying the convenience brought by the network.
Vulnerability scanning techniques have emerged in this context. Existing vulnerability scanning technology is basically divided into two stages: information collection and vulnerability detection. In the first stage, specific information about the host to be detected is collected; in the second stage, that specific information is input into the vulnerability detection plug-ins. In the existing vulnerability scanning process each plug-in detects one vulnerability, and because there are a large number of vulnerabilities, a large number of vulnerability detection plug-ins are needed, so the vulnerability scanning task is inefficient and time-consuming.
Disclosure of Invention
In order to improve the efficiency of vulnerability scanning tasks, the application provides a method, a device, electronic equipment and a medium for batch vulnerability detection.
In a first aspect, the present application provides a method for batch vulnerability detection, which adopts the following technical scheme:
a method of batch vulnerability detection, comprising:
sending a detection instruction corresponding to at least one vulnerability detection plug-in to a host to be detected so that the host to be detected sends specific information;
receiving specific information sent by the host to be detected;
inputting the specific information into the at least one vulnerability detection plug-in, wherein the specific information comprises at least one type of data information, each vulnerability detection plug-in corresponds to one type of data information, and each vulnerability detection plug-in comprises at least one preset rule;
judging whether a vulnerability exists in the host to be detected or not based on the specific information and the at least one vulnerability detection plug-in;
and if the host to be detected has the vulnerability, determining vulnerability information based on the specific information, wherein the vulnerability information comprises a vulnerability number.
By adopting the technical scheme, the electronic equipment sends the detection instruction corresponding to the vulnerability detection plug-in to the host to be detected; after receiving it, the host to be detected sends specific information to the electronic equipment, which inputs the specific information into the vulnerability detection plug-in. The specific information comprises at least one type of data information, each vulnerability detection plug-in corresponds to one type of data information, and each vulnerability detection plug-in can detect vulnerabilities of the same type; compared with having each vulnerability detection plug-in detect a single vulnerability of the host to be detected, the number of vulnerability detection plug-ins is greatly reduced. Each vulnerability detection plug-in comprises at least one preset rule, and the specific information is matched against the preset rules in the vulnerability detection plug-in to determine whether the host to be detected has a vulnerability. If the host to be detected has a vulnerability, the vulnerability number is determined. Detecting vulnerabilities in this way is more efficient, consumes less memory and CPU, and improves the performance of the scanner as much as possible.
In another possible implementation manner, the determining, based on the specific information and the at least one vulnerability detection plug-in, whether a vulnerability exists in the host to be detected includes:
judging whether the specific information meets a first preset rule in any vulnerability detection plug-in, wherein the first preset rule is a first preset rule in the at least one preset rule;
if so, determining that a vulnerability meeting a first preset rule exists in the host to be detected;
judging whether the specific information meets a second preset rule in any vulnerability detection plug-in, wherein the second preset rule is a next preset rule of preset rules in a last judging period;
if so, determining that a bug meeting a second preset rule exists in the host to be detected;
circularly executing the step of judging whether the specific information meets a second preset rule in any vulnerability detection plug-in, and if so, determining that the vulnerability meeting the second preset rule exists in the host to be detected until a preset condition is met;
the preset conditions include:
the second preset rule is a last preset rule in the at least one preset rule.
According to the technical scheme, after the specific information is input into the vulnerability detection plug-in, it is matched against the preset rules in the plug-in one at a time: first against the first preset rule, judging whether that rule is met; then against the second preset rule, judging whether that rule is met; and so on, until the specific information has been matched against the last preset rule and whether that rule is met has been judged. The electronic equipment matches the specific information against the preset rules inside the vulnerability detection plug-in in a serial mode, which lowers the performance requirement on the electronic equipment and ensures greater order in the vulnerability detection process.
In another possible implementation manner, the determining, based on the specific information and the at least one vulnerability detection plug-in, whether a vulnerability exists in the host to be detected includes:
matching the specific information with the at least one preset rule at the same time;
and if any preset rule is met, determining that the host to be detected has a vulnerability meeting any preset rule.
By adopting the technical scheme, while the specific information is being matched against one preset rule it can also be matched against the other preset rules, that is, the electronic equipment matches the specific information against the preset rules in the vulnerability detection plug-in in a parallel mode. Parallel execution greatly shortens the vulnerability detection time and reduces the waiting time for matching against any one preset rule, so the vulnerability detection efficiency is improved.
In another possible implementation manner, the determining vulnerability information based on the specific information includes:
and if the specific information meets any preset information in any preset rule, determining the vulnerability number as the vulnerability number corresponding to any preset information.
By adopting the technical scheme, the specific information is sent to the vulnerability detection plug-in and matched against the preset information of the preset rules in that plug-in; if the specific information matches an item of preset information, the host to be detected has a vulnerability, and the vulnerability number corresponding to that preset information is determined. The vulnerability number is determined directly by comparing the information, which is more convenient and faster than looking up the vulnerability number through the ID of the vulnerability detection plug-in.
In another possible implementation, the method further comprises at least one of:
if the vulnerability number is determined, storing the vulnerability number into a preset temporary variable;
and storing the vulnerability numbers into a preset temporary variable in a classified manner based on the corresponding relation of the vulnerability numbers, wherein the corresponding relation comprises the corresponding relation between each vulnerability number and preset information, the corresponding relation between each vulnerability number and a preset rule and the corresponding relation between each vulnerability number and a vulnerability detection plug-in.
By adopting the technical scheme, the vulnerability number is stored in the temporary variable, and after the detection task is completed, the temporary variable is deleted, so that the occupancy rate of the memory of the electronic equipment is reduced. The vulnerability numbers are classified when being stored, so that the vulnerability numbers are convenient to check which type of data information the vulnerability numbers belong to, and other related information of the vulnerability can be conveniently found in the follow-up process.
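The serial and parallel matching modes, the lookup of a vulnerability number through the preset information it corresponds to, and the classified temporary variable described above, as an added Python example that is not part of the patent. The plug-in, rule names, version thresholds, vulnerability numbers and the host's specific information are all constructed placeholders; only the MySQL version 5.7.17 mentioned later in the description is reused.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass


@dataclass(frozen=True)
class PresetInfo:
    """One item of preset information inside a preset rule (constructed)."""
    product: str           # which product's data information this item refers to
    max_version: tuple     # versions up to and including this are treated as vulnerable
    vuln_number: str       # vulnerability number returned when the item is satisfied


@dataclass(frozen=True)
class PresetRule:
    name: str
    items: tuple           # PresetInfo items, each mapped to one vulnerability number


@dataclass(frozen=True)
class DetectionPlugin:
    data_type: str         # the single type of data information this plug-in handles
    rules: tuple           # ordered preset rules; rules[0] is the "first preset rule"


def parse_version(text):
    """'5.7.17' -> (5, 7, 17) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def match_rule(rule, specific_info):
    """Return (rule name, product, vulnerability number) for every preset
    information item that the host's specific information satisfies."""
    hits = []
    for item in rule.items:
        version = specific_info.get(item.product)
        if version is not None and parse_version(version) <= item.max_version:
            hits.append((rule.name, item.product, item.vuln_number))
    return hits


def detect_serial(plugin, specific_info):
    """Serial mode: match the first rule, then the next, until the last rule."""
    found = []
    for rule in plugin.rules:           # the loop ends once the last preset rule is done
        found.extend(match_rule(rule, specific_info))
    return found


def detect_parallel(plugin, specific_info):
    """Parallel mode: every preset rule is matched at the same time."""
    with ThreadPoolExecutor(max_workers=max(1, len(plugin.rules))) as pool:
        per_rule = list(pool.map(lambda r: match_rule(r, specific_info), plugin.rules))
    return [hit for hits in per_rule for hit in hits]


def store_classified(plugin, hits):
    """Temporary variable holding the numbers classified by plug-in, preset rule
    and preset information, so each number's origin can be looked up later."""
    temp = {plugin.data_type: {}}
    for rule_name, product, number in hits:
        temp[plugin.data_type].setdefault(rule_name, {})[product] = number
    return temp


# Constructed database-class plug-in: preset rule 1 covers MySQL, preset rule 2
# covers SQL Server; thresholds and numbers are placeholders, not real advisories.
DB_PLUGIN = DetectionPlugin(
    data_type="database",
    rules=(
        PresetRule("rule1", (PresetInfo("mysql", (5, 7, 20), "EXAMPLE-DB-0001"),)),
        PresetRule("rule2", (PresetInfo("sqlserver", (13, 0, 0), "EXAMPLE-DB-0002"),)),
    ),
)

if __name__ == "__main__":
    # Constructed specific information collected from one host.
    info = {"mysql": "5.7.17", "sqlserver": "14.0.1"}
    hits = detect_serial(DB_PLUGIN, info)
    assert hits == detect_parallel(DB_PLUGIN, info)   # both modes find the same numbers
    print(store_classified(DB_PLUGIN, hits))
```

Both modes return the same hits because each rule is matched independently of the others; the serial loop only trades throughput for lower concurrency, as the text describes. Versions are compared as integer tuples so that, for instance, 5.7.17 does not sort after 5.10.0 the way a string comparison would.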
In another possible implementation manner, the method further includes:
and generating a result report based on the specific information and the vulnerability number, wherein the result report comprises the vulnerability number, the release time of the vulnerability corresponding to the vulnerability number, the source corresponding to the vulnerability number, the asset information of the host to be detected and the risk level information of the asset information.
By adopting the technical scheme, the report of the vulnerability is more detailed, and the source of the vulnerability and the risk condition of the host assets can be intuitively known through the result report.
In another possible implementation manner, the method further includes:
based on the vulnerability number, searching a patch file corresponding to the vulnerability number from a patch library;
and downloading the patch file to repair the vulnerability corresponding to the patch file.
By adopting the technical scheme, after the result report is generated, the electronic equipment searches the corresponding patch in the patch library according to the bug number of the generated result report, downloads the searched patch, and repairs the bug of the host, and the integration of bug fixing and bug detection is more convenient than that of manual downloading and repairing by searching for the patch according to information such as the bug number.
In a second aspect, the present application provides an apparatus for batch vulnerability detection, which adopts the following technical scheme:
an apparatus for batch detection of vulnerabilities, comprising:
the sending module is used for sending a detection instruction corresponding to at least one vulnerability detection plug-in to the host to be detected so that the host to be detected sends specific information;
the receiving module is used for receiving specific information sent by the host to be detected;
the transmission module is used for inputting specific information to at least one vulnerability detection plug-in, wherein the specific information comprises at least one type of data information, each vulnerability detection plug-in corresponds to one type of data information, and each vulnerability detection plug-in comprises at least one preset rule;
the judging module is used for judging whether the host to be detected has a bug or not based on the specific information and the at least one bug detection plug-in;
and the determining module is used for determining vulnerability information based on the specific information when the vulnerability exists in the host to be detected, wherein the vulnerability information comprises a vulnerability number.
By adopting the technical scheme, the sending module sends the detection instruction to the host to be detected, so that the host to be detected sends specific information to the electronic equipment; the specific information comprises at least one type of data information, and the receiving module receives it. After the receiving module finishes receiving, it passes the specific information to the vulnerability detection plug-in through the transmission module. Each vulnerability detection plug-in corresponds to one type of data information and can detect vulnerabilities of the same type; compared with having each vulnerability detection plug-in detect a single vulnerability of the host to be detected, the number of vulnerability detection plug-ins is greatly reduced. The judging module judges the specific information passed to the vulnerability detection plug-in and determines whether the host to be detected has a vulnerability. If it does, the determining module determines the vulnerability number. Detecting vulnerabilities with this apparatus is more efficient, reduces the number of concurrent processes or threads, consumes less memory and CPU, and improves the performance of the scanner as much as possible.
In another possible implementation manner, the determining module is configured to determine whether there is a bug in the host to be detected based on the specific information and the at least one bug detection plug-in, and specifically configured to:
judging whether the specific information meets a first preset rule in any vulnerability detection plug-in, wherein the first preset rule is a first preset rule in the at least one preset rule;
if so, determining that a vulnerability meeting a first preset rule exists in the host to be detected;
judging whether the specific information meets a second preset rule in any vulnerability detection plug-in, wherein the second preset rule is a next preset rule of preset rules in a last judging period;
if so, determining that a bug meeting a second preset rule exists in the host to be detected;
circularly executing the step of judging whether the specific information meets a second preset rule in any vulnerability detection plug-in, and if so, determining that the vulnerability meeting the second preset rule exists in the host to be detected until a preset condition is met;
the preset conditions include:
the second preset rule is a last preset rule in the at least one preset rule.
In another possible implementation manner, the determining module is configured to determine whether there is a bug in the host to be detected based on the specific information and the at least one bug detection plug-in, and specifically configured to:
matching the specific information with at least one preset rule at the same time;
and if the specific information meets any preset rule, determining that the host to be detected has a vulnerability meeting that preset rule.
In another possible implementation manner, any preset rule includes at least one item of preset information, each item of preset information corresponds to one vulnerability number, and the determining module, when determining the vulnerability information based on the specific information, is specifically configured to:
and if the specific information meets any preset information in any preset rule, determining the vulnerability number as the vulnerability number corresponding to any preset information.
In another possible implementation, the apparatus further includes at least one of a first storage module and a second storage module:
the first storage module is used for storing the bug number into a preset temporary variable;
and the second storage module is used for storing the vulnerability numbers into a preset temporary variable in a classified manner based on the corresponding relation of the vulnerability numbers, wherein the corresponding relation comprises the corresponding relation between each vulnerability number and preset information, the corresponding relation between each vulnerability number and a preset rule and the corresponding relation between each vulnerability number and the vulnerability detection plug-in.
In another possible implementation manner, the apparatus further includes:
and the report generation module is used for generating a result report based on the specific information and the vulnerability number.
In another possible implementation manner, the apparatus further includes:
the searching module is used for searching a patch file corresponding to the vulnerability number from a patch library based on the vulnerability number;
and the downloading module is used for downloading the patch file so as to repair the vulnerability corresponding to the patch file.
In a third aspect, the present application provides an electronic device, which adopts the following technical solutions:
an electronic device, comprising:
one or more processors;
a memory;
one or more application programs, wherein the one or more application programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs being configured to perform the method for batch vulnerability detection according to any of the possible implementations of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium, which adopts the following technical solutions:
a computer-readable storage medium, comprising: a stored computer program which can be loaded by a processor and which performs the method of batch vulnerability detection as illustrated in any one of the possible implementations of the first aspect.
In summary, the present application includes at least one of the following beneficial technical effects:
1. when the host to be detected is subjected to vulnerability detection, each vulnerability detection plug-in corresponds to one type of data information, each vulnerability detection plug-in can detect the same type of vulnerability, the number of vulnerability detection plug-ins is reduced, specific information is matched with a preset rule in the vulnerability detection plug-in to determine whether the host to be detected has a vulnerability, and by adopting the vulnerability detection method, vulnerability detection is more efficient, the number of concurrent processes or threads is reduced, less memory and CPU occupation are consumed, and the performance of a scanner is improved as much as possible;
2. through the matching of the preset rules inside the vulnerability detection plug-in and the specific information, the electronic equipment adopts a serial mode to match the specific information with the preset rules inside the vulnerability detection plug-in, the requirement on the performance of the electronic equipment is reduced, and the greater order in the vulnerability detection process can be ensured.
Drawings
Fig. 1 is a schematic flowchart of a method for batch vulnerability detection according to an embodiment of the present application.
Fig. 2 is a schematic structural diagram of an apparatus for batch vulnerability detection according to an embodiment of the present application.
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The present application is described in further detail below with reference to figures 1-3.
A person skilled in the art, after reading the present specification, may modify the present embodiments as necessary without inventive contribution, but such modifications are protected by patent law only within the scope of the claims of the present application.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In addition, the term "and/or" herein is only one kind of association relationship describing an associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship, unless otherwise specified.
The embodiments of the present application will be described in further detail with reference to the drawings attached hereto.
The embodiment of the application provides a method for detecting vulnerabilities in batch, which is executed by an electronic device. The electronic device can be a server or a terminal device: the server can be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing cloud computing services; the terminal device may be a smart phone, a tablet computer, a notebook computer, a desktop computer, etc., but is not limited thereto. The terminal device and the server may be directly or indirectly connected through wired or wireless communication, and the embodiment of the present application is not limited thereto. As shown in fig. 1, the method includes step S101, step S102, step S103, step S104, and step S105, wherein,
step S101, sending a detection instruction corresponding to at least one vulnerability detection plug-in to a host to be detected, so that the host to be detected sends specific information.
The vulnerability detection plug-ins are written according to the detection principle of the vulnerabilities. Vulnerabilities are classified along different dimensions, for example into a database class, a component class and an operating system class; once classified, vulnerabilities of the same type are compiled directly into one vulnerability detection plug-in. Through a merging and cutting technique, the plug-ins are thus written from the perspective of the vulnerability rather than from the perspective of asset classification.
For the embodiment of the application, the electronic device sends a detection instruction corresponding to at least one vulnerability detection plug-in to the host to be detected, where the detection instruction may be a section of detection signal sent by the electronic device; for example, an Apache vulnerability is detected by the component-type vulnerability detection plug-in, and the electronic device sends a specific detection URL. After the detection instruction is sent, the host configures the default parameters of the vulnerability scanning task, such as: the scanning target, the host survival detection mode, the port scanning strategy, the plug-in template, the plug-in concurrency number, the plug-in timeout, network delay and the like; once the parameters are configured the vulnerability scanning task is issued, and the host to be detected sends specific information to the electronic equipment. The specific information includes at least one type of data information, which can be divided into: database class, component class, operating system class, etc., for example the MySQL version information of the database class, the version information of the collected components, and the operating system type and version information.
Step S102, receiving the specific information sent by the host to be detected.
For the embodiment of the application, the electronic device schedules and executes plug-ins related to host survival scanning, port scanning, service identification, application component identification and operating system identification, and at this stage, the information collection plug-in detects specific information of the host to be detected and stores the data into a remote dictionary service (Redis), for example, the version number 5.7.17 of MySQL needs to be stored, and the data is stored through a built-in data structure of the Redis. And if the host is detected not to be alive, directly ending the vulnerability detection task.
Step S103, inputting the specific information into at least one vulnerability detection plug-in.
Each vulnerability detection plug-in corresponds to one type of data information, and each vulnerability detection plug-in comprises at least one preset rule.
For the embodiment of the application, the electronic device calls the vulnerability detection plug-ins according to the internal dependency relationship of each plug-in, where a dependency is a necessary condition for the plug-in to run. For example, the plug-in that detects the MySQL version depends on the plug-in that detects the MySQL service and works from the information that service plug-in sends; the MySQL service plug-in depends on the plug-in that detects the MySQL port; and the MySQL port plug-in depends on the plug-in that detects whether the remote host is alive, working from the information that plug-in sends. Every vulnerability detection plug-in has plug-ins it depends on.
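The dependency-ordered plug-in invocation just described, together with the early end of the task when the host is found not alive (step S102), as an added Python example that is not the patent's own code. The dependency table mirrors the MySQL chain in the text; the plug-in bodies, the dict standing in for Redis, and the canned port, service and version values are constructed for illustration.

```python
from collections import deque

# Constructed dependency table: each plug-in lists the plug-ins it depends on.
DEPENDENCIES = {
    "host_alive": [],
    "mysql_port": ["host_alive"],
    "mysql_service": ["mysql_port"],
    "mysql_version": ["mysql_service"],
}


def resolve_order(deps):
    """Kahn's topological sort: every plug-in is placed after the plug-ins it
    depends on.  Unknown dependencies and cycles are rejected rather than
    silently scheduled out of order."""
    indegree = {name: 0 for name in deps}
    dependents = {name: [] for name in deps}
    for name, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise KeyError(f"{name} depends on unknown plug-in {need}")
            indegree[name] += 1
            dependents[need].append(name)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        name = ready.popleft()
        order.append(name)
        for dep in sorted(dependents[name]):
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)
    if len(order) != len(deps):
        raise ValueError("dependency cycle among plug-ins")
    return order


def run_collection(deps, plugins, store):
    """Call each plug-in in dependency order; each reads what earlier plug-ins
    wrote into the shared store (a dict standing in for Redis).  The task ends
    as soon as the host-alive plug-in reports that the host is down."""
    for name in resolve_order(deps):
        plugins[name](store)
        if name == "host_alive" and not store["alive"]:
            store["status"] = "ended: host not alive"
            return store
    store["status"] = "collected"
    return store


def collect(host_alive):
    """Run the constructed plug-ins against a fake host; `host_alive` is the
    simulated liveness result and every other value is canned data."""
    plugins = {
        "host_alive": lambda s: s.__setitem__("alive", host_alive),
        "mysql_port": lambda s: s.__setitem__("mysql_port", 3306),
        "mysql_service": lambda s: s.__setitem__(
            "mysql_service", "mysql" if s["mysql_port"] == 3306 else None),
        "mysql_version": lambda s: s.__setitem__(
            "mysql_version", "5.7.17" if s["mysql_service"] else None),
    }
    return run_collection(DEPENDENCIES, plugins, {})


if __name__ == "__main__":
    print(resolve_order(DEPENDENCIES))
    print(collect(host_alive=True))
    print(collect(host_alive=False))
```

Rejecting cycles and unknown dependencies up front matters in a scanner: a plug-in scheduled before the plug-in it depends on would read an empty store and report "not vulnerable" for the wrong reason.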
And step S104, judging whether the host to be detected has a bug or not based on the specific information and at least one bug detection plug-in.
For the embodiment of the application, the specific information is matched against the preset rules in the vulnerability detection plug-in to determine whether the host to be detected has a vulnerability. Because the vulnerability detection plug-ins have been merged, one plug-in holds the preset detection rules of at least one vulnerability, so at least one vulnerability within the same type of data information is detected.
Step S105, if the host to be detected has a bug, determining bug information based on the specific information.
For the embodiment of the application, the vulnerability information comprises vulnerability numbers, which are stored in the vulnerability detection plug-in; if the vulnerability detection plug-in detects that a vulnerability exists in the host to be detected, the vulnerability number corresponding to that vulnerability can be determined.
When the host to be detected is subjected to vulnerability detection, each vulnerability detection plug-in corresponds to one type of data information and can detect vulnerabilities of the same type, so the number of vulnerability detection plug-ins is reduced; the specific information is matched against the preset rules in the vulnerability detection plug-ins to determine whether the host to be detected has a vulnerability. With this vulnerability detection method, detection is more efficient, the number of concurrent processes or threads is reduced, less memory and CPU are consumed, and scanner performance is improved as much as possible.
In a possible implementation manner of the embodiment of the present application, in step S104, whether a bug exists in the host to be detected is determined based on the specific information and the at least one bug detection plug-in, and the specific steps include step S1041 (not shown in the figure), step S1042 (not shown in the figure), step S1043 (not shown in the figure), step S1044 (not shown in the figure), and step S1045 (not shown in the figure), wherein,
step S1041, determining whether the specific information satisfies a first preset rule in any vulnerability detection plug-in, where the first preset rule is a first preset rule in at least one preset rule.
For the embodiment of the application, the preset rule corresponds to the data type in the specific information; for example, a user or a worker writes a database-type plug-in according to the detection principle of database-type vulnerabilities, and that plug-in corresponds to the preset rules of the database type. If the database-type vulnerability detection plug-in uses both preset rule 1, corresponding to MySQL, and preset rule 2, corresponding to SQL Server, then preset rule 1 is the first preset rule.
Step S1042, if yes, determining that the host to be detected has a bug meeting the first preset rule.
For the embodiment of the application, a certain type of data information in the specific information is matched with the vulnerability detection plug-in, for example, in the vulnerability of the database type, MySQL corresponds to the preset rule 1 of the database type vulnerability detection plug-in, and SQL Server corresponds to the preset rule 2 of the database type vulnerability detection plug-in, and if the specific information of MySQL is successfully matched with the preset rule 1, it indicates that the host to be detected has the vulnerability of the database type related to the specific information of MySQL.
Step S1043, determining whether the specific information satisfies a second preset rule in any vulnerability detection plug-in, where the second preset rule is a next preset rule of the preset rules in the last determination period.
For the embodiment of the present application, the second preset rule is a next preset rule of the preset rules in the previous judgment cycle, for example, MySQL corresponds to the preset rule 1 of the database type vulnerability detection plugin, SQL Server corresponds to the preset rule 2 of the database type vulnerability detection plugin, after the matching of the specific information with the preset rule 1 is completed, the next preset rule is the preset rule 2, the preset rule 2 is the second preset rule, after the matching of the specific information with the preset rule 2 is completed, the next preset rule is the preset rule 3, and the preset rule 3 is the second preset rule.
And step S1044, if yes, determining that the host to be detected has a bug meeting a second preset rule.
For the embodiment of the application, if the specific information is successfully matched with the preset rule 2, it is indicated that the host to be detected has a vulnerability of the database class about the specific information of the SQL Server.
Step S1045, circularly executing the step of determining whether the specific information satisfies a second preset rule in any vulnerability detection plug-in, and if so, determining that a vulnerability satisfying the second preset rule exists in the host to be detected until a preset condition is satisfied.
Wherein the preset conditions include: the second preset rule is the last preset rule in the at least one preset rule.
For the embodiment of the application, the second preset rule is executed in a circulating manner, so that the vulnerability detection plug-in can be continuously matched with the preset rule in the vulnerability detection plug-in until the end of matching with the last preset rule is reached, and the vulnerability detection plug-in detection task is ended.
The specific information is executed serially when being matched with the preset rule, for example, the vulnerability detection plug-in includes a preset rule 1, a preset rule 2 and a preset rule 3, and a certain type of specific information is input into the corresponding vulnerability detection plug-in, the specific information is firstly matched with the preset rule 1, is matched with the preset rule 2 after being matched with the preset rule 1, and is matched with the preset rule 3 after being matched with the preset rule 2, so that matching of all preset rules of the vulnerability detection plug-in is completed. However, the vulnerability detection plug-ins for different types of data information may be a concurrent operation, for example, the database vulnerability detection plug-in and the component vulnerability detection plug-in may be executed simultaneously or may not be executed simultaneously.
In a possible implementation manner of the embodiment of the present application, step S104 of determining whether a vulnerability exists in the host to be detected based on the specific information and the at least one vulnerability detection plug-in specifically includes step S1046 (not shown in the figure) and step S1047 (not shown in the figure), wherein:
Step S1046, matching the specific information against the at least one preset rule at the same time.
For the embodiment of the application, the specific information is matched against all preset rules in the vulnerability detection plug-in at once. For example, among database-type vulnerabilities, MySQL corresponds to preset rule 1 of the database-type vulnerability detection plug-in and SQL Server corresponds to preset rule 2, and the specific information is matched against preset rule 1 and preset rule 2 at the same time.
Step S1047, if any preset rule is satisfied, determining that a vulnerability satisfying that preset rule exists in the host to be detected; matching against the preset rules in this way improves vulnerability detection efficiency.
For the embodiment of the application, if the specific information is successfully matched with preset rule 2, the host to be detected has a database-type vulnerability related to the SQL Server specific information; if the specific information is successfully matched with both preset rule 1 and preset rule 2, the host to be detected has database-type vulnerabilities related to both the MySQL and the SQL Server specific information.
If a manufacturer, a national vulnerability database or the like publishes a new vulnerability, a user or operator can directly add a matching preset rule to the vulnerability detection plug-in. For example, when MySQL officially publishes a new vulnerability that affects certain versions of the MySQL database, the affected versions can be found from the published vulnerability information and a preset rule for version judgement is added directly to the MySQL vulnerability detection plug-in; if the new preset rule matches the specific information, the new vulnerability is reported. As new vulnerabilities are published, the vulnerability detection plug-in library is updated continuously.
In a possible implementation manner of the embodiment of the present application, any preset rule includes at least one item of preset information and each item of preset information corresponds to a vulnerability number; determining the vulnerability information based on the specific information in step S105 specifically includes step S1051 (not shown in the figure), wherein:
Step S1051, if the specific information satisfies any preset information in any preset rule, determining the vulnerability number to be the vulnerability number corresponding to that preset information.
The vulnerability number is a Common Vulnerabilities and Exposures (CVE) number, such as CVE-2019-.
For the embodiment of the application, in the process of determining the vulnerability number, the specific information is matched against the preset information in the preset rule. For example, the database vulnerability detection plug-in includes preset rule 1 corresponding to MySQL, and preset rule 1 includes preset information 1, preset information 2 and preset information 3, where preset information 1 corresponds to vulnerability number CVE-2012-2122, preset information 2 corresponds to vulnerability number CVE-2021-21206 and preset information 3 corresponds to vulnerability number CVE-2021-26857. The database specific information is input to the database vulnerability detection plug-in and matched against preset rule 1, that is, against preset information 1, preset information 2 and preset information 3 in turn. If the MySQL version in the database specific information is 5.6.6 and matches the MySQL version 5.6.6 in preset information 1, the host to be detected has the vulnerability related to MySQL version 5.6.6, and the vulnerability number can be determined to be CVE-2012-2122.
In a possible implementation manner of the embodiment of the present application, the method further includes at least one of step S106 (not shown in the figure) and step S107 (not shown in the figure), wherein,
Step S106, if the vulnerability number is determined, storing the vulnerability number in a preset temporary variable.
For the embodiment of the application, the preset rule hit by the specific information and the vulnerability number corresponding to the hit preset rule are stored in a temporary variable, and the data in the temporary variable are deleted after the task is finished, which reduces memory occupation.
Step S107, storing the vulnerability numbers in a preset temporary variable in a classified manner based on the correspondence of the vulnerability numbers.
The correspondence comprises the correspondence between each vulnerability number and preset information, the correspondence between each vulnerability number and a preset rule, and the correspondence between each vulnerability number and the vulnerability detection plug-in.
For the embodiment of the application, the vulnerabilities are classified during detection according to the classification of the specific information; for example, the database-type vulnerabilities are stored first and then the operating-system-type vulnerabilities, the finally counted vulnerability list is reported, and the operation of the vulnerability detection plug-in ends.
In this embodiment of the application, at least one of step S106 and step S107 may be executed after step S105, and if step S106 and step S107 are included, step S106 and step S107 may be executed simultaneously, or step S106 may be executed before step S107, or step S106 may be executed after step S107, which is not limited herein.
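As an added illustration (not code from the patent), a small Python rule engine in the shape steps S1041 to S1047, S1051 and S107 describe: one plug-in per data type holding an ordered list of preset rules, each rule a set of preset-information items that map directly to a vulnerability number; rules inside a plug-in are matched serially (or all at once), plug-ins for different data types run concurrently, and the hits are kept in a temporary variable classified by plug-in and rule. All class and function names, the affected-version strings and the sample host data are assumptions; the MySQL vulnerability numbers are the ones the specification quotes, and CVE-XXXX-XXXX is a placeholder.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

@dataclass(frozen=True)
class PresetInfo:
    """One item of preset information; it maps directly to a vulnerability number."""
    product: str   # product name as the host reports it, e.g. "MySQL"
    version: str   # affected version string (made up for this example)
    cve: str       # vulnerability number reported when the item is hit

@dataclass(frozen=True)
class PresetRule:
    name: str
    items: tuple   # PresetInfo items

@dataclass(frozen=True)
class Plugin:
    data_type: str  # the one data type this plug-in owns: "database", "component", ...
    rules: tuple    # PresetRule objects, in matching order

def match_rule(rule, facts):
    """Vulnerability numbers of the preset-information items the host's facts
    satisfy (same product at exactly the listed version, as in the MySQL 5.6.6
    example); an empty list means the rule is not hit."""
    return [it.cve for it in rule.items if facts.get(it.product) == it.version]

def run_plugin_serial(plugin, facts):
    """Steps S1041-S1045: rule 1 first, then the rule after the one used in the
    previous round, until the last rule has been matched."""
    hits = {}
    for rule in plugin.rules:          # serial inside one plug-in
        cves = match_rule(rule, facts)
        if cves:
            hits[rule.name] = cves     # hits kept classified by rule
    return hits

def run_plugin_simultaneous(plugin, facts):
    """Steps S1046-S1047: all rules of the plug-in are matched at the same time."""
    with ThreadPoolExecutor(max_workers=max(1, len(plugin.rules))) as pool:
        pairs = pool.map(lambda r: (r.name, match_rule(r, facts)), plugin.rules)
        return {name: cves for name, cves in pairs if cves}

def detect(plugins, specific_info, mode="serial"):
    """Feed each data type of the specific information to the plug-in that owns
    it.  Plug-ins run concurrently with one another (one worker each); rules
    inside a plug-in follow the chosen mode.  The temporary variable holding the
    hits is classified plug-in -> rule -> vulnerability numbers."""
    runner = run_plugin_serial if mode == "serial" else run_plugin_simultaneous

    def run_one(plugin):
        return plugin.data_type, runner(plugin, specific_info.get(plugin.data_type, {}))

    with ThreadPoolExecutor(max_workers=max(1, len(plugins))) as pool:
        temp = dict(pool.map(run_one, plugins))
    return {dtype: hits for dtype, hits in temp.items() if hits}

def vulnerability_numbers(classified_hits):
    """Flatten the classified hits into a sorted list of vulnerability numbers."""
    return sorted({cve for hits in classified_hits.values()
                   for cves in hits.values() for cve in cves})

# Constructed plug-in library.  The MySQL vulnerability numbers are the ones the
# specification quotes; the affected-version strings are made up, and
# "CVE-XXXX-XXXX" is a placeholder for the other products.
PLUGINS = (
    Plugin("database", (
        PresetRule("preset rule 1 (MySQL)", (
            PresetInfo("MySQL", "5.6.6", "CVE-2012-2122"),
            PresetInfo("MySQL", "5.7.30", "CVE-2021-21206"),
            PresetInfo("MySQL", "8.0.21", "CVE-2021-26857"),
        )),
        PresetRule("preset rule 2 (SQL Server)", (
            PresetInfo("SQL Server", "2016", "CVE-XXXX-XXXX"),
        )),
    )),
    Plugin("component", (
        PresetRule("preset rule 1 (example-lib)", (
            PresetInfo("example-lib", "1.0", "CVE-XXXX-XXXX"),
        )),
    )),
)

# Constructed specific information as one host reports it, keyed by data type.
SPECIFIC_INFO = {
    "database": {"MySQL": "5.6.6", "SQL Server": "2019"},
    "component": {"example-lib": "2.3"},
}

if __name__ == "__main__":
    for mode in ("serial", "simultaneous"):
        print(mode, detect(PLUGINS, SPECIFIC_INFO, mode))
    # both modes -> {'database': {'preset rule 1 (MySQL)': ['CVE-2012-2122']}}
```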
In one possible implementation manner of the embodiment of the present application, the method further includes a step S108 (not shown in the figure), wherein,
Step S108, generating a result report based on the specific information and the vulnerability number.
For the embodiment of the application, a result report is generated based on the specific information and the vulnerability number; the result report may be a text document in txt format or a file in another format. The result report summarizes the information in the temporary variables and includes the vulnerability numbers, the release time of the vulnerability corresponding to each vulnerability number, the source corresponding to each vulnerability number, the asset information of the host to be detected and the risk level information of that asset information, so that the user or operator can check it conveniently.
For example, the generated result report includes: CNNVD number: CNNVD-202110-1063; CVE number: CVE-2021-37129; release time: 2021-10-15; update time: 2021-10-15; vulnerability source: discovered by Huawei internal testing; hazard level: medium risk.
The asset information of the host to be detected comprises:
basic information of the host: the system comprises a host name, a host IP and the like, and also comprises host management information (service group, responsible person, machine room position and label) and fixed asset number;
all installed software: including applications, drivers, utilities and plug-ins, and respective versions.
Evaluating the risk of the asset information of the host to be detected, and calculating according to the detected vulnerability risk index;
the vulnerability risk index of the vulnerability hazard grade over-danger is 10;
the vulnerability risk index of the vulnerability hazard level high risk is 8;
the dangerous vulnerability risk index in the vulnerability hazard grade is 5;
and the vulnerability risk index of the vulnerability with low vulnerability hazard grade is 2.
The formula for risk assessment is:
n: the total number of vulnerabilities in the host to be detected;
a risk index value in [0, 3] is low risk;
a risk index value in (3, 7) is medium risk;
a risk index value in (7, 10) is high risk.
For example, there are 10 vulnerabilities in the host to be detected, whose hazard grades are respectively critical, high risk, medium risk, low risk, critical and high risk; the risk indices of these vulnerabilities are then 10, 8, 5, 2, 10 and 8, and substituting them into the risk assessment formula yields:
a risk index value for the asset information of the host to be detected that lies in (3, 7), which is medium risk.
In the embodiment of the present application, step S108 may be executed after step S106, or may be executed after step S107, which is not limited herein.
In a possible implementation manner of the embodiment of the present application, step S105 further includes step S109 (not shown in the figure) and step S110 (not shown in the figure), wherein,
Step S109, based on the vulnerability number, searching a patch library for the patch file corresponding to the vulnerability number.
For the embodiment of the application, the electronic device searches the patch library for the patch file of the vulnerability of the host to be detected using the determined vulnerability number; the patch file corresponding to the vulnerability number is stored in the patch library, which may be the national information security vulnerability database or a patch library preset in the electronic device.
For example, the electronic device searches for the corresponding patch file in the national information security vulnerability database using the vulnerability number CVE-2021-.
Step S110, downloading the patch file to repair the vulnerability corresponding to the patch file.
According to the embodiment of the application, after the corresponding patch file is found, the patch file corresponding to the vulnerability number is downloaded, and the vulnerability of the host to be detected is repaired with the patch file.
For example, after the electronic device finds the corresponding patch file in the national information security vulnerability database using the vulnerability number CVE-2021-.
The embodiments above introduce the method for batch vulnerability detection from the perspective of the method flow; the following embodiments describe the apparatus for batch vulnerability detection from the perspective of virtual modules or virtual units, as detailed below.
An embodiment of the present application provides an apparatus for batch vulnerability detection, as shown in fig. 2, the apparatus 20 for batch vulnerability detection may specifically include:
a sending module 201, configured to send a detection instruction corresponding to at least one vulnerability detection plug-in to a host to be detected, so that the host to be detected sends specific information;
the receiving module 202 is configured to receive specific information sent by a host to be detected;
the transmission module 203 is used for inputting specific information to at least one vulnerability detection plug-in, wherein the specific information comprises at least one type of data information, each vulnerability detection plug-in corresponds to one type of data information, and each vulnerability detection plug-in comprises at least one preset rule;
the judging module 204 is configured to judge whether a vulnerability exists in the host to be detected based on the specific information and the at least one vulnerability detection plug-in;
the determining module 205 is configured to determine vulnerability information based on the specific information when a vulnerability exists in the host to be detected, where the vulnerability information includes a vulnerability number.
For the embodiment of the application, the sending module 201 sends a detection instruction to the host to be detected, so that the host to be detected sends specific information to the electronic device, where the specific information includes at least one type of data information. The receiving module 202 receives the specific information sent by the host to be detected. After the receiving module 202 has received it, the specific information is passed to the vulnerability detection plug-in through the transmission module 203. The judging module 204 evaluates the specific information passed to the vulnerability detection plug-in and determines whether a vulnerability exists in the host to be detected. If the host to be detected has a vulnerability, the vulnerability number is determined by the determining module 205. With this apparatus, vulnerability detection is more efficient, the number of concurrent processes or threads is reduced, less memory and CPU are consumed, and the performance of the scanner is improved as far as possible.
In a possible implementation manner of the embodiment of the present application, the judging module 204, when determining whether a vulnerability exists in the host to be detected based on the specific information and the at least one vulnerability detection plug-in, is specifically configured to:
judging whether the specific information meets a first preset rule in any vulnerability detection plug-in, wherein the first preset rule is a first preset rule in at least one preset rule;
if so, determining that a vulnerability meeting a first preset rule exists in the host to be detected;
judging whether the specific information meets a second preset rule in any vulnerability detection plug-in, wherein the second preset rule is the preset rule following the one used in the previous judging cycle;
if so, determining that a vulnerability meeting the second preset rule exists in the host to be detected;
cyclically executing the step of judging whether the specific information meets a second preset rule in any vulnerability detection plug-in and, if so, determining that a vulnerability meeting the second preset rule exists in the host to be detected, until a preset condition is met;
the preset condition includes: the second preset rule is the last of the at least one preset rule.
In a possible implementation manner of the embodiment of the present application, the judging module 204, when determining whether a vulnerability exists in the host to be detected based on the specific information and the at least one vulnerability detection plug-in, is specifically configured to:
matching the specific information against the at least one preset rule at the same time;
and if any preset rule is met, determining that the host to be detected has a vulnerability meeting that preset rule.
In a possible implementation manner of the embodiment of the application, any preset rule includes at least one item of preset information, each item of preset information corresponds to one vulnerability number, and the determining module 205, when determining the vulnerability information based on the specific information, is specifically configured to:
if the specific information meets any preset information in any preset rule, determine the vulnerability number to be the vulnerability number corresponding to that preset information.
In a possible implementation manner of the embodiment of the present application, the apparatus 20 further includes:
a first storage module, configured to store the vulnerability number in a preset temporary variable;
a second storage module, configured to store the vulnerability numbers in a preset temporary variable in a classified manner based on the correspondence of the vulnerability numbers, wherein the correspondence comprises the correspondence between each vulnerability number and preset information, the correspondence between each vulnerability number and a preset rule, and the correspondence between each vulnerability number and the vulnerability detection plug-in.
In a possible implementation manner of the embodiment of the present application, the apparatus 20 further includes:
a report generation module, configured to generate a result report based on the specific information and the vulnerability number.
In a possible implementation manner of the embodiment of the present application, the apparatus 20 further includes:
a searching module, configured to search a patch library for the patch file corresponding to the vulnerability number based on the vulnerability number;
a downloading module, configured to download the patch file so as to repair the vulnerability corresponding to the patch file.
In an embodiment of the present application, an electronic device is provided, and as shown in fig. 3, an electronic device 30 shown in fig. 3 includes: a processor 301 and a memory 303. Wherein processor 301 is coupled to memory 303, such as via bus 302. Optionally, the electronic device 30 may also include a transceiver 304. It should be noted that the transceiver 304 is not limited to one in practical applications, and the structure of the electronic device 30 is not limited to the embodiment of the present application.
The Processor 301 may be a CPU (Central Processing Unit), a general-purpose Processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other Programmable logic device, a transistor logic device, a hardware component, or any combination thereof. Which may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor 301 may also be a combination of computing functions, e.g., comprising one or more microprocessors, a combination of a DSP and a microprocessor, or the like.
The memory 303 may be a ROM (Read Only Memory) or other type of static storage device that can store static information and instructions, a RAM (Random Access Memory) or other type of dynamic storage device that can store information and instructions, an EEPROM (Electrically Erasable Programmable Read Only Memory), a CD-ROM (Compact Disc Read Only Memory) or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these.
The memory 303 is used for storing application program codes for executing the scheme of the application, and the processor 301 controls the execution. The processor 301 is configured to execute application program code stored in the memory 303 to implement the aspects illustrated in the foregoing method embodiments.
Electronic devices include, but are not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players) and in-vehicle terminals (e.g., in-vehicle navigation terminals), fixed terminals such as digital TVs and desktop computers, and also servers and the like. The electronic device shown in fig. 3 is only an example and should not limit the functions or the scope of use of the embodiments of the present disclosure.
The present application provides a computer-readable storage medium on which a computer program is stored which, when run on a computer, enables the computer to execute the corresponding content of the foregoing method embodiments. Compared with the prior art, in the embodiment of the application the hundreds or thousands of original vulnerability detection plug-ins for one application, component or operating system are combined into several, or a little more than ten, vulnerability detection plug-ins; a preset rule in a vulnerability detection plug-in corresponds to one vulnerability, and once the preset rule is matched the vulnerability number is generated directly, so the corresponding vulnerability does not need to be looked up in a library by the ID of the vulnerability detection plug-in before reporting. The number of concurrent processes or threads is reduced, less memory and CPU are consumed, and the performance of the scanner is improved as far as possible.
It should be understood that, although the steps in the flowcharts of the figures are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not restricted to the exact order shown and may be performed in other orders. Moreover, at least some of the steps in the flowcharts may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed in sequence but may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
The foregoing describes only some embodiments of the present application. It should be noted that those skilled in the art can make several modifications and refinements without departing from the principle of the present application, and these modifications and refinements should also be regarded as within the protection scope of the present application.
Claims (10)
1. A method for batch vulnerability detection, comprising:
sending a detection instruction corresponding to at least one vulnerability detection plug-in to a host to be detected so that the host to be detected sends specific information;
receiving specific information sent by the host to be detected;
inputting the specific information into the at least one vulnerability detection plug-in, wherein the specific information comprises at least one type of data information, each vulnerability detection plug-in corresponds to one type of data information, and each vulnerability detection plug-in comprises at least one preset rule;
judging whether a vulnerability exists in the host to be detected or not based on the specific information and the at least one vulnerability detection plug-in;
and if the host to be detected has the vulnerability, determining vulnerability information based on the specific information, wherein the vulnerability information comprises a vulnerability number.
2. The method according to claim 1, wherein the determining whether the host to be detected has a vulnerability based on the specific information and the at least one vulnerability detection plug-in comprises:
judging whether the specific information meets a first preset rule in any vulnerability detection plug-in, wherein the first preset rule is a first preset rule in the at least one preset rule;
if so, determining that a vulnerability meeting a first preset rule exists in the host to be detected;
judging whether the specific information meets a second preset rule in any vulnerability detection plug-in, wherein the second preset rule is the preset rule following the one used in the previous judging cycle;
if so, determining that a vulnerability meeting the second preset rule exists in the host to be detected;
cyclically executing the step of judging whether the specific information meets a second preset rule in any vulnerability detection plug-in and, if so, determining that a vulnerability meeting the second preset rule exists in the host to be detected, until a preset condition is met;
the preset conditions include:
the second preset rule is a last preset rule in the at least one preset rule.
3. The method according to claim 2, wherein the determining whether the host to be detected has a vulnerability based on the specific information and the at least one vulnerability detection plug-in comprises:
matching the specific information with the at least one preset rule at the same time;
and if any preset rule is met, determining that the host to be detected has a vulnerability meeting any preset rule.
4. The method according to claim 1, wherein any preset rule includes at least one item of preset information, each item of preset information corresponds to a vulnerability number, and determining vulnerability information based on the specific information includes:
and if the specific information meets any preset information in any preset rule, determining the vulnerability number as the vulnerability number corresponding to any preset information.
5. The method of claim 1, further comprising at least one of:
if the vulnerability number is determined, storing the vulnerability number into a preset temporary variable;
and storing the vulnerability numbers into a preset temporary variable in a classified manner based on the corresponding relation of the vulnerability numbers, wherein the corresponding relation comprises the corresponding relation between each vulnerability number and preset information, the corresponding relation between each vulnerability number and a preset rule and the corresponding relation between each vulnerability number and a vulnerability detection plug-in.
6. The method of claim 1, further comprising:
and generating a result report based on the specific information and the vulnerability number, wherein the result report comprises the vulnerability number, the release time of the vulnerability corresponding to the vulnerability number, the source corresponding to the vulnerability number, the asset information of the host to be detected and the risk level information of the asset information.
7. The method of claim 1, further comprising:
based on the vulnerability number, searching a patch file corresponding to the vulnerability number from a patch library;
and downloading the patch file to repair the vulnerability corresponding to the patch file.
8. An apparatus for batch vulnerability detection, comprising:
a sending module, configured to send a detection instruction corresponding to at least one vulnerability detection plug-in to a host to be detected, so that the host to be detected sends specific information;
the receiving module is used for receiving the specific information sent by the host to be detected;
the transmission module is used for inputting the specific information to the at least one vulnerability detection plug-in, wherein the specific information comprises at least one type of data information, each vulnerability detection plug-in corresponds to one type of data information, and each vulnerability detection plug-in comprises at least one preset rule;
a judging module, configured to judge whether the host to be detected has a vulnerability based on the specific information and the at least one vulnerability detection plug-in;
and the determining module is used for determining vulnerability information based on the specific information when the vulnerability exists in the host to be detected, wherein the vulnerability information comprises a vulnerability number.
9. An electronic device, comprising:
one or more processors;
a memory;
one or more applications, wherein the one or more applications are stored in the memory and configured to be executed by the one or more processors, the one or more programs being configured to perform the method for batch vulnerability detection according to any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements a method for batch vulnerability detection according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111274545.8A CN114139161A (en) | 2021-10-29 | 2021-10-29 | Method, device, electronic equipment and medium for batch vulnerability detection |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111274545.8A CN114139161A (en) | 2021-10-29 | 2021-10-29 | Method, device, electronic equipment and medium for batch vulnerability detection |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114139161A true CN114139161A (en) | 2022-03-04 |
Family
ID=80395031
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111274545.8A Pending CN114139161A (en) | 2021-10-29 | 2021-10-29 | Method, device, electronic equipment and medium for batch vulnerability detection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114139161A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114928495A (en) * | 2022-05-31 | 2022-08-19 | 江苏保旺达软件技术有限公司 | Safety detection method, device, equipment and storage medium |
CN115174241A (en) * | 2022-07-14 | 2022-10-11 | 中汽创智科技有限公司 | Security vulnerability processing method, device, equipment and medium |
CN115174241B (en) * | 2022-07-14 | 2023-07-25 | 中汽创智科技有限公司 | Security vulnerability processing method, device, equipment and medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8875303B2 (en) | Detecting pirated applications | |
US9742640B2 (en) | Identifying compatible web service policies | |
CN109271359B (en) | Log information processing method and device, electronic equipment and readable storage medium | |
CN112559354A (en) | Front-end code specification detection method and device, computer equipment and storage medium | |
CN110213234B (en) | Application program file developer identification method, device, equipment and storage medium | |
CN111563257B (en) | Data detection method and device, computer readable medium and terminal equipment | |
CN112068874B (en) | Continuous integration method and device for software items, terminal equipment and storage medium | |
CN112307374A (en) | Jumping method, device and equipment based on backlog and storage medium | |
CN109446753A (en) | Detect method, apparatus, computer equipment and the storage medium of pirate application program | |
CN114139161A (en) | Method, device, electronic equipment and medium for batch vulnerability detection | |
CN110244963B (en) | Data updating method and device and terminal equipment | |
CN110851339A (en) | Method and device for reporting buried point data, storage medium and terminal equipment | |
CN109491733B (en) | Interface display method based on visualization and related equipment | |
CN110688096A (en) | Method, device, medium and electronic equipment for constructing application program containing plug-in | |
CN111367531B (en) | Code processing method and device | |
CN111966630B (en) | File type detection method, device, equipment and medium | |
CN110674491B (en) | Method and device for real-time evidence obtaining of android application and electronic equipment | |
CN116401113B (en) | Environment verification method, device and medium for heterogeneous many-core architecture acceleration card | |
CN113434582A (en) | Service data processing method and device, computer equipment and storage medium | |
CN111274204A (en) | Terminal identification method, method and device for generating mobile equipment identification combination code, terminal, network side equipment and storage medium | |
CN111045983A (en) | Nuclear power station electronic file management method and device, terminal equipment and medium | |
CN114969759B (en) | Asset security assessment method, device, terminal and medium of industrial robot system | |
CN116483888A (en) | Program evaluation method and device, electronic equipment and computer readable storage medium | |
CN113392010B (en) | Public assembly testing method and device, electronic equipment and storage medium | |
CN109241742B (en) | Malicious program identification method and electronic device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||