KR20200056627A - Method for identifying device information based on named-entity recognition and apparatus thereof - Google Patents

Abstract

Provided is a method for identifying device information based on named-entity recognition that analyzes scan data of a target device connected to the Internet to identify common platform enumeration (CPE) information associated with the target device. The method for identifying device information based on named-entity recognition is performed by a computing device. The method includes the steps of: analyzing received scan data as a response to a request transmitted to an internet-connected device to obtain a plurality of search keywords; obtaining a plurality of candidate CPEs associated with the device by using the plurality of search keywords; comparing an entity name obtained as a result of named-entity recognition with respect to the scan data and a keyword associated with the candidate CPE; and removing at least some of the plurality of candidate CPEs based on the comparison result to determine a final CPE of the device.

Description

METHOD FOR IDENTIFYING DEVICE INFORMATION BASED ON NAMED-ENTITY RECOGNITION AND APPARATUS THEREOF}

The present disclosure relates to a method and apparatus for identifying device information based on object name recognition. More specifically, the present invention relates to a method for identifying common platform enumeration (CPE) information associated with the device by analyzing scan data of the Internet-connected device, and an apparatus for performing the method.

The security vulnerabilities inherent in software can easily be exploited to attack computer systems. Attackers can use Internet scanning tools to identify vulnerable Web services and perform malicious actions. Therefore, security managers need to identify open vulnerabilities and respond quickly. In particular, as the Internet of Things (IoT) devices have become widespread in recent years, the number of devices connected to the Internet has rapidly increased. Therefore, it is necessary to quickly identify security vulnerabilities of numerous computer systems connected to the Internet and perform vulnerability analysis.

In order to easily share a known security vulnerability, vulnerability information is provided from various vulnerability information sources. For example, the National Vulnerability Database (NVD) provides Common Vulnerabilities and Exposures (CVE) information. CVE information provides a reference method for security vulnerability information in software packages. CVE information includes Common Vulnerabilities and Exposures IDentifier (CVE-ID), Vulnerability Overview, Vulnerability Scoring System (CVSS), Common Platform Enumeration (CPE), and Common Weakness Enumeration (CWE). ). Therefore, if only CPE information for a device is identified, the security vulnerability of the corresponding device can be obtained by querying the CVE information matched with this.

In order to obtain the correct vulnerability information, the CPE information of the device needs to be accurately identified. In the related art, keywords were extracted from the scan data of the device, and the operating system and application product name associated with the device were extracted from the CPE dictionary using the extracted keywords.

However, since the application CPE includes a number of product names composed of common words such as 'login' and 'server', if the CPE is identified in a conventional manner, the product name not related to the device is frequently extracted as the CPE. Occurred. In particular, the number of false CPEs was frequently extracted because the number of application CPEs is so large that it occupies about 86% (about 130,000) of the total CPEs. That is, the conventional method has a problem in that the accuracy of CPE identification is deteriorated, and accordingly, the security vulnerability of the device cannot be correctly identified.

In addition, the CPE dictionary contains only the list of famous hardware and software manufacturers whose vulnerabilities have been found, so it does not contain information about unknown manufacturers' products (e.g. domestic products, etc.) or products whose vulnerabilities were not found. In addition, few product names for new products are included in the CPE dictionary. Therefore, in order to identify various devices, the CPE dictionary needs to be constantly updated.

Korean Patent Publication No. 10-2018-0094633 (published August 24, 2018)

The technical problem to be solved by the present disclosure is to provide a method for accurately identifying CPE information of the device by analyzing scan data of an internet-connected device, and an apparatus for performing the method.

Another technical problem to be solved by the present disclosure relates to a method for identifying CPE information of an Internet-connected device using a CPE dictionary, and a method for removing a misidentified CPE and an apparatus to perform the method.

Another technical problem to be solved by the present disclosure relates to a method capable of generating a new CPE from scan data of an internet-connected device, and an apparatus for performing the method.

The technical problems of the present disclosure are not limited to the technical problems mentioned above, and other technical problems not mentioned will be clearly understood by those skilled in the art from the following description.

In order to solve the above technical problem, a method for identifying device information based on object name recognition according to some embodiments of the present disclosure is a method performed by a computing device, and is a response to a request (request) sent to an Internet-connected device ( analyzing the received scan data as a response), obtaining a plurality of search keywords, using the plurality of search keywords, obtaining a plurality of candidate Common Platform Enumerations (CPEs) associated with the device, and for the scan data. Comparing an entity name obtained as a result of Named-Entity Recognition with a keyword associated with the candidate CPE, and removing at least some of the plurality of candidate CPEs based on the comparison result to determine a final CPE of the device It may include the steps.

In some embodiments, the scan data may be HTTP-body.

In some embodiments, the plurality of candidate CPEs may be CPEs matching the plurality of search keywords in a predefined CPE dictionary.

In some embodiments, the step of determining the final CPE may include removing the first candidate CPE when the keyword associated with the first candidate CPE among the plurality of candidate CPEs does not include any one of the entity names. .

In some embodiments, the entity name recognition may be performed based on a Bidirectional Long Short-Term Memory with a Conditional Random Field Layer (BI-LSTM-CRF) model.

In some embodiments, obtaining the plurality of candidate CPEs includes querying a CPE dictionary with the plurality of search keywords, and obtaining the plurality of candidate CPEs with the search result, and determining the final CPE The method includes generating a first individual name as a new CPE among the individual names obtained as a result of the object name recognition, and including the new CPE in the final CPE of the device, wherein the first individual name is the plurality of individual names. It may not have appeared in the keywords associated with the candidate CPE.

A method for identifying device information based on object name recognition according to some embodiments of the present disclosure for solving the above-described technical problem is a method performed by a computing device, in response to a request sent to an internet-connected device ( analyzing received scan data as a response), obtaining a plurality of search keywords, using the plurality of search keywords, obtaining a plurality of Common Platform Enumerations (CPEs) associated with the device, and objects for the scan data Generating a first entity name as a new CPE among entity names obtained as a result of Named-Entity Recognition, and further including the new CPE in the plurality of CPEs associated with the device. 1 The entity name may not appear in keywords associated with the plurality of CPEs.

In some embodiments, the step of obtaining the plurality of search keywords includes: scanning an open port among ports of the device, obtaining a banner string as a result of the scan, and extracting the plurality of search keywords from the banner string It may include the steps.

In some embodiments, the step of obtaining a plurality of CPEs associated with the device may include comparing an object name obtained as a result of the object name recognition with keywords associated with the plurality of CPEs, and based on the comparison result, among the plurality of CPEs. And removing at least a portion.

A device for identifying device information according to some embodiments of the present disclosure for solving the above-described technical problem includes: a memory for storing one or more instructions and one or more instructions by executing the one or more instructions ( As a response to a request, the received scan data is analyzed to obtain a plurality of search keywords, and a plurality of candidate Common Platform Enumerations (CPEs) associated with the device are obtained using the plurality of search keywords, and the The object name obtained as a result of Named-Entity Recognition for the scanned data is compared with the keyword associated with the candidate CPE, and at least a part of the plurality of candidate CPEs are removed based on the result of the comparison to finalize the device. And a processor to determine the CPE.

A computer program according to another embodiment of the present disclosure for solving the above-described technical problem is combined with a computing device and analyzes received scan data as a response to a request sent to an Internet-connected device By doing so, obtaining a plurality of search keywords, using the plurality of search keywords, obtaining a plurality of candidate Common Platform Enumerations (CPEs) associated with the device, and Named-Entity Recognition for the scan data Computing the step of determining the final CPE of the device by comparing at least some of the plurality of candidate CPEs based on the result of comparing the subject name and the keyword associated with the candidate CPE, and based on the result of the comparison. It can be stored in a readable recording medium.

1 is an exemplary configuration diagram illustrating a device information identification system according to some embodiments of the present disclosure.
2 to 4 are exemplary block diagrams illustrating an apparatus for identifying device information according to some embodiments of the present disclosure.
5 is an exemplary flowchart illustrating a method for identifying device information based on object name recognition according to some embodiments of the present disclosure.
6 and 7 are exemplary views of scan data of a device that may be referenced in some embodiments of the present disclosure.
8 is an exemplary flow diagram illustrating a CPE dictionary-based candidate CPE acquisition method according to some embodiments of the present disclosure.
9 to 11 are exemplary views for explaining a method of obtaining a CPE dictionary-based candidate CPE according to some embodiments of the present disclosure.
12 is an exemplary diagram illustrating a structure of an entity name recognition model that may be referred to in some embodiments of the present disclosure.
13 is an exemplary view illustrating a process in which object name recognition is performed according to some embodiments of the present disclosure.
14 and 15 are exemplary views for explaining a method for removing misidentified CPE according to some embodiments of the present disclosure.
16 is an exemplary flowchart illustrating a method for identifying device information based on object name recognition according to some other embodiments of the present disclosure.
17 is an exemplary diagram for describing a new CPE generating method according to some embodiments of the present disclosure.
18 is an exemplary diagram for explaining a method of learning an entity name recognition model according to some embodiments of the present disclosure.
19 is an exemplary hardware configuration diagram illustrating an example computing device capable of implementing an apparatus according to various embodiments of the present disclosure.

Hereinafter, preferred embodiments of the present disclosure will be described in detail with reference to the accompanying drawings. Advantages and features of the present disclosure, and methods for achieving them will be apparent with reference to embodiments described below in detail in conjunction with the accompanying drawings. However, the technical spirit of the present disclosure is not limited to the following embodiments, and may be implemented in various different forms, and only the present embodiments allow the present disclosure to be complete, and common knowledge in the technical field to which the present disclosure pertains. It is provided to fully inform the holder of the scope of the present disclosure, and the technical spirit of the present disclosure is only defined by the scope of the claims.

It should be noted that in adding reference numerals to the components of each drawing, the same components have the same reference numerals as possible even though they are displayed on different drawings. In addition, in describing the present disclosure, when it is determined that a detailed description of related known configurations or functions may obscure the subject matter of the present disclosure, the detailed description will be omitted.

Unless otherwise defined, all terms (including technical and scientific terms) used in this specification may be used in a sense that can be commonly understood by those skilled in the art to which this disclosure belongs. In addition, terms defined in the commonly used dictionary are not ideally or excessively interpreted unless specifically defined. The terminology used herein is for describing the embodiments and is not intended to limit the present disclosure. In the present specification, the singular form also includes the plural form unless otherwise specified in the phrase.

In addition, in describing the components of the present disclosure, terms such as first, second, A, B, (a), and (b) may be used. These terms are only for distinguishing the component from other components, and the nature, order, or order of the component is not limited by the term. When a component is described as being "connected", "coupled" or "connected" to another component, the component may be directly connected to or connected to the other component, but another component between each component It will be understood that elements may be "connected", "coupled" or "connected".

As used herein, "comprises" and / or "comprising" refers to the components, steps, operations and / or elements mentioned above, the presence of one or more other components, steps, operations and / or elements Or do not exclude additions.

Prior to the description of the present specification, some terms used in the specification will be clarified.

In this specification, CPE (Common Platform Enumeration) is information configured in a predetermined format to share hardware, operating system, and application product names. CPE is composed of 7 fields by URL method and includes information such as manufacturer, product name, and version. CPE has the format "cpe: / part: vendor: product: version: update: ~ edition ~ sw_edition ~ target_sw ~ target_hw ~ other: language". For example, "Microsoft Internet Explorer 8.0.6001 Beta" is configured as "cpe: / a: microsoft: internet_explorer: 8.0.6001: beta". In CPE format, parts are divided into 'a' for application, 'o' for OS, and 'h' for hardware. In the CPE format, 'sw_edition' refers to distributions such as online and special, 'target_sw' refers to the operating system to be installed, and 'target_hw' refers to the hardware to be installed.

In this specification, an instruction is a series of instructions grouped based on a function and refers to a component of a computer program and executed by a processor.

Hereinafter, some embodiments of the present disclosure will be described in detail according to the accompanying drawings.

1 is an exemplary configuration diagram illustrating a device information identification system according to some embodiments of the present disclosure.

As illustrated in FIG. 1, the device information identification system may include at least one IoT device 300-1 to 300-n, a scan device 200, and a device information identification device 100. However, this is only a preferred embodiment for achieving the object of the present disclosure, and of course, some components may be added or deleted as necessary. In addition, it is noted that each component of the device information identification system illustrated in FIG. 1 represents functionally divided functional elements, and a plurality of components may be implemented in an integrated form in an actual physical environment. For example, the scan device 200 and the device information identification device 100 may be implemented in the form of different logics in the same physical computing device.

Further, in the actual physical environment, each of the components may be implemented in a form of being divided into a plurality of detailed functional elements. For example, the first function of the device information identification apparatus 100 may be implemented in the first computing device, and the second function may be implemented in the second computing device. Hereinafter, each of the components will be described.

In the device information identification system, IoT devices 300-1 to 300-n are target devices to be identified. 1 illustrates an example that the target device is an IoT device 300-1 to 300-n, but the technical scope of the present disclosure is not limited thereto. That is, the target device can be any device connected to the Internet.

In the device information identification system, the scan device 200 is a computing device that scans a target device to generate scan data 1.

In some embodiments, the scan apparatus 200 may scan the open port (e.g. HTTP, FTP) of the target device to generate scan data 1. At this time, the scan data 1 is response data of the target device acquired through the open port, and may be a banner, HTTP response, or the like. The banner means a welcome message provided by the target device in response when accessing the corresponding port. For an example of the banner and HTTP response, refer to FIGS. 6 and 7.

In some embodiments, the scan apparatus 200 may obtain device firmware version information, security patch information, and the like through the manufacturer's web pages of the target device.

In the device information identification system, the device information identification device 100 is a computing device that identifies CPE information 3 of the target device by analyzing scan data 1 of the target device. Here, the computing device may be a laptop, a desktop, a laptop, a smart phone, but is not limited thereto, and includes all types of devices equipped with computing and communication functions. can do. Hereinafter, for convenience of description, the device information identification device 100 will be abbreviated as the identification device 100.

In some embodiments, the identification device 100 may identify candidate CPE information by analyzing the scan data 1 of the target device based on the CPE dictionary. Also, the identification device 100 may extract a named entity from the scan data and remove the misidentified CPE from the candidate CPEs using the entity name. By doing so, the accuracy of CPE identification can be greatly improved.

In some embodiments, the identification device 100 may generate an entity name that is not associated with the candidate CPE among the extracted entity names as a new CPE. By doing so, new CPEs that are not in the CPE dictionary can be continuously added to the CPE dictionary.

A more detailed description of the identification device 100 will be described later with reference to the drawings of FIG. 2 and below.

At least some of the components of the system shown in FIG. 1 can communicate over a network. Here, the network is a wired / wireless network of any kind, such as a local area network (LAN), a wide area network (WAN), a mobile radio communication network, a Wibro (Wireless Broadband Internet), and the like. Can be implemented.

So far, a device information identification system according to some embodiments of the present disclosure has been described with reference to FIG. 1. Hereinafter, the configuration and operation of the identification device 100 will be described with reference to FIGS. 2 to 4.

2 is an exemplary block diagram illustrating the identification device 100 in accordance with some embodiments of the present disclosure, and FIG. 3 further illustrates the operation flow of the identification device 100.

2 and 3, the identification device 100 includes an input unit 110, a pre-processing unit 130, a CPE identification unit 150, a new CPE generation unit 170 and a storage unit 190 can do. However, only components related to the exemplary embodiment of the present disclosure are illustrated in FIG. 2. Therefore, a person skilled in the art to which the present disclosure belongs may recognize that other general-purpose components may be further included in addition to the components illustrated in FIG. 2. In addition, it is noted that each of the components of the identification device 100 illustrated in FIG. 2 is functionally divided functional elements, and a plurality of components may be implemented in an integrated form in an actual physical environment. Hereinafter, each component will be described.

The input unit 110 receives scan data 1.

Next, the pre-processing unit 130 performs pre-processing on the scan data 1. In order to exclude the duplicate description, detailed description of the operation of the pre-processing unit 130 will be described later with reference to FIGS. 5 to 7 and 9.

Next, the CPE identification unit 150 identifies CPE information of the target device from the pre-processed scan data 9. As illustrated in FIG. 4, the CPE identification unit 150 may include a dictionary-based CPE identification unit 151, an entity name recognition unit 153, and a CPE determination unit 155.

The dictionary-based CPE identification unit 151 identifies candidate CPEs of the target device from the pre-processed scan data 9 using the CPE dictionary. A detailed description of the operation of the dictionary-based CPE identification unit 151 will be described later with reference to FIGS. 8 to 11.

Next, the object name recognition unit 153 extracts the object name associated with the target device from the pre-processed scan data 9 through object name recognition. A detailed description of the operation of the entity name recognition unit 153 will be described later with reference to FIGS. 12 and 13.

Next, the CPE determination unit 155 determines the final CPE of the target device by removing the misidentified CPE among the plurality of candidate CPEs using the extracted object name. In order to exclude the duplicated description, a detailed description of the operation of the CPE determination unit 155 will be described later with reference to FIGS. 5, 14, and 15.

Next, the new CPE generating unit 170 generates a new CPE associated with the target device using the object name recognition result. In order to exclude the duplicate description, a detailed description of the new CPE generation unit 170 will be described later with reference to FIGS. 16 to 18.

The storage unit 190 stores and manages various information such as a CPE dictionary, a CVE dictionary, and an object name recognition model. When CPE information of the target device is identified, vulnerability information of the target device may be provided through a CVE dictionary.

For reference, it should be noted that not all components of the identification device 100 illustrated in FIGS. 2 to 4 may be required components. That is, the identification device 100 according to some other embodiments of the present disclosure may be implemented by some of the components illustrated in FIGS. 2 to 4.

Each component of FIGS. 2 to 4 may mean software or hardware such as a field programmable gate array (FPGA) or an application-specific integrated circuit (ASIC). However, the above components are not limited to software or hardware, and may be configured to be in an addressable storage medium, or may be configured to execute one or more processors. The functions provided in the above components may be implemented by more detailed components, or may be implemented as a single component that performs a specific function by combining a plurality of components.

So far, the configuration and operation of the identification device 100 according to some embodiments of the present disclosure have been described with reference to FIGS. 2 to 4. Hereinafter, a method for identifying device information based on object name recognition according to various embodiments of the present disclosure will be described with reference to FIGS. 5 to 18.

Each step of the device information identification method may be performed by a computing device. In other words, each step of the device information identification method may be implemented with one or more instructions executed by a processor of a computing device. All steps included in the device information identification method may be performed by one physical computing device, but the first steps of the method are performed by the first computing device, and the second steps of the method are second computing It can also be performed by the device. Hereinafter, it is assumed that each step of the device information identification method is performed by the identification device 100 to continue the description. However, for convenience of description, description of the operation subject of each step included in the device information identification method may be omitted.

5 is an exemplary flowchart illustrating a method for identifying device information based on object name recognition according to some embodiments of the present disclosure. However, this is only a preferred embodiment for achieving the object of the present disclosure, and of course, some steps may be added or deleted as necessary.

As shown in FIG. 5, the method starts at step S10 of obtaining scan data of a target device connected to the Internet.

In some embodiments, the scan data may be obtained by scanning the open port of the target device. That is, the scan data may be received by transmitting a predetermined request to the target device's open port and responding to the request.

For a more specific example, the scan data may be configured as a string of banners obtained through the open port scan. An example of the banner is shown in FIG. 6. In particular, FIG. 6 shows as an example the banner 11 obtained through the HTTP port scan.

For another example, the scan data may be an HTTP response obtained through an HTTP port scan. An example of the HTTP response is illustrated in FIG. 7. As shown in FIG. 7, the HTTP response 13 contains more information than the banner string (e.g. 11). Therefore, when analyzing the HTTP response (13), more identification information (e.g. CPE) can be obtained compared to the banner.

The port scan is a technology that is already well known in the art, and a detailed description thereof will be omitted.

In step S20, the identification device 100 performs pre-processing for the scan data. The pre-processing may include all types of pre-processing processes for processing the scan data into a form suitable for analysis. For example, the pre-processing may include a pre-processing process such as HTTP header removal, tag removal, blank removal, and text conversion. Alternatively, the pre-processing may include a pre-processing process such as keyword extraction, word separation using a predetermined delimeter, and small / capital conversion.

In step S20, the identification device 100 removes the header from the HTTP response to obtain an HTTP-body, removes one or more predefined tags from the HTTP-body, and textualizes the remaining data to obtain the scanned text. Can be obtained. However, the technical scope of the present disclosure is not limited thereto.

In step S30, the identification device 100 obtains a candidate CPE from the CPE dictionary. Specifically, the identification device 100 may extract a search keyword from the pre-processed scan data, and obtain a CPE matching the search keyword from the CPE dictionary as a candidate CPE. In order to provide a more convenient understanding, this step S30 will be described in detail with reference to FIGS. 8 to 11.

8 is an exemplary flow diagram illustrating a method for obtaining a candidate CPE according to some embodiments of the present disclosure.

As illustrated in FIG. 8, the method for obtaining the candidate CPE starts in step S31 by analyzing the preprocessed scan data (e.g. text data) and extracting a plurality of keywords. The specific method of extracting a plurality of keywords may vary according to embodiments.

In some embodiments, the identification device 100 may extract keywords using a specific data pattern (e.g. integer.integer.integer.integer for IP, IP: integer for port, etc.).

In some embodiments, the identification device 100 may extract the plurality of keywords by dividing the pre-processed scan data into a plurality of words by using predetermined special characters as separators. Here, the identification device 100 may apply lowercase conversion to the pre-processed scan data, and separate the lowercase converted data into the plurality of words.

An example of extracting keywords in this step S31 is illustrated in FIG. 9. As illustrated in FIG. 9, when pre-processing is performed in the HTTP response 21, text data 22 is obtained, and a plurality of keywords 23 to 29 can be extracted from the text data 22.

In step S33, the identification device 100 determines a search keyword by removing stop words from the extracted plurality of keywords. For example, the identification device 100 may remove the stopword using a predefined stopword dictionary. The terminology may include words that can generate misidentified CPE, such as 'login', 'administrator' and 'server', but the technical scope of the present disclosure is not limited thereto.

In step S35, the identification device 100 obtains a candidate CPE by querying the CPE dictionary with a search keyword. That is, the CPE searched by each search keyword is obtained as a candidate CPE. In this case, the candidate CPE may include at least one of an operating system CPE, an application CPE, and a hardware CPE.

Meanwhile, according to some other embodiments of the present disclosure, a candidate CPE may be generated using a CPE tree configured based on a CPE dictionary. Hereinafter, this embodiment will be described in detail with reference to FIGS. 10 and 11.

As illustrated in FIG. 10, the identification device 100 may construct a CPE tree 35 of a plurality of levels and a plurality of nodes from the CPE dictionary 33. The constructed CPE tree 35 may have a total of six levels. The six levels of the CPE tree 35 correspond to the product language from the vendor, excluding the part in the CPE format 31. More specifically, in the CPE tree 35, (i) the node corresponding to the first level is the vendor information, (ii) the node corresponding to the second level is the product name, and the third level The node corresponding to the product version information, the node corresponding to the fourth level is the update information, the node corresponding to the fifth level is the distribution information, and the node corresponding to the sixth level is Corresponds to product language information.

The CPE tree 35 may include at least three levels from the first level to the sixth level. At this time, the information of the node corresponding to the first level and the information of the node corresponding to the second level may be the same (ie, the manufacturer and the product name may be the same).

The CPE tree 35 includes at least one of a parent node, a child node, and a sibling node. The node corresponding to the higher level among the plurality of levels corresponds to the parent node, the node corresponding to the lower level among the plurality of levels corresponds to the child node, and the nodes corresponding to the same level among the plurality of levels correspond to the sibling node. . If an intermediate level is omitted among the plurality of levels, a node corresponding to a higher level node of the omitted intermediate level and a node corresponding to a lower level of the omitted intermediate level may be connected to each other.

The identification device 100 separates the character string of the CPE dictionary 33 based on the separator (':') to generate a plurality of levels, and the character string based on the characters '~' at the fifth level of the CPE dictionary 33 Can be separated. Also, the identification device 100 may construct the CPE tree 35 by separating the character string based on the letter '_' at each level of the CPE dictionary 33. For example, in the case of "cpe: / a: microsoft: ftp_service: 7.0", the first level is 'microsoft', the second level is 'ftp', 'service', and the third level consists of '7.0', There is no fourth to sixth level for the CPE.

11 illustrates a process of obtaining a candidate CPE from a CPE tree.

As shown in FIG. 11, by matching the search keyword 43 and the CPE tree 41 extracted from the scan data, keywords matching the CPE tree 41 among the search keywords 43 may be determined for each level. . The matching result is shown in the right figure 45 of FIG. 11. Then, the identification device 100 may generate a candidate CPE by combining keywords matched for each level. In addition, if the generated candidate CPE does not exist in the CPE dictionary, the identification device 100 may add the candidate CPE to the CPE dictionary.

It will be described again with reference to FIG. 5.

In step S40, the identification apparatus 100 extracts the entity name associated with the target device by performing Named Entity Recognition (NER) from the pre-processed scan data.

In some embodiments, the object name recognition may be performed by a deep learning based object name recognition model. For example, the entity name recognition model may be a model based on BI-LSTM-CRF (Bidirectional Long Short-Term Memory with a Conditional Random Field Layer) as shown in FIG. 12. However, the technical scope of the present disclosure is not limited thereto. The BI-LSTM-CRF model can more accurately identify an entity name in consideration of sequential relationships between words.

An example in which the object name is identified in the preprocessed scan data is shown in FIG. 13. In particular, FIG. 13 illustrates a case where the entity name category is divided into a person, an organization, a location, and others, but the entity name category may be defined in other ways.

As illustrated in FIG. 13, when object name recognition is performed, keywords 52 to 57 corresponding to the object name in the scan data 50 may be extracted for each category. Those skilled in the art will be able to clearly understand the object name recognition, and further detailed description will be omitted.

It will be described again with reference to FIG. 5.

In step S50, the identification device 100 determines the final CPE of the target device by removing the misidentified CPE using the comparison result of the candidate CPE and the individual name, that is, filtering for the candidate CPE based on the individual name in the step S50 This is done. The reason for using the object name is that general keywords such as "login" and "server" are not extracted as the object name, and through this filtering process, product names not related to the target device can be prevented from being extracted as CPE.

The specific way to remove misidentified CPE may vary depending on the embodiment.

In some embodiments, the identification device 100 may determine and remove candidate CPEs in which the object name does not appear at all among a plurality of candidate CPEs as a misidentified CPE. By doing so, CPE information associated with the target device can be more accurately identified. A specific example of this embodiment is illustrated in FIG. 14.

As shown in FIG. 14, comparison of the object name recognition result 65 and candidate CPEs 61 to 63 is performed. More specifically, a comparison is performed between keywords extracted by the object name and keywords associated with candidate CPEs 61 to 63. In this case, the keyword extracted by the object name may be composed of one or more words (e.g. a compound noun). In addition, keywords associated with the candidate CPEs 61 to 63 include product names included in the candidate CPE, keywords indicating manufacturers, etc., keywords used to search for the candidate CPE, and the like.

In addition, through the comparison result, a candidate CPE 63 in which no individual name appears at all among the candidate CPEs 61 to 63 is determined, and the candidate CPE 63 is regarded as a misidentified CPE and is removed. That is, in FIG. 14, the entity name 3 is composed of a combination of the word 4 and the word 5, but the candidate CPE 7 does not include all the entity names 3, and thus is regarded as a misidentified CPE.

In some other embodiments, the identification device 100 separates the entity name into a plurality of words using a predetermined special character as a delimiter, and among the plurality of candidate CPEs, none of the plurality of words appears CPE can be removed by judging by misidentifying CPE. That is, in this embodiment, filtering is performed under the relaxed condition than the above-described embodiment. By doing so, CPE information associated with the target device can be identified without omission. A specific example of this embodiment is illustrated in FIG. 15.

As illustrated in FIG. 15, a word separation is performed in the first entity name recognition result 78 to produce a second entity name recognition result 79, and a keyword 75 for entity name 1 (or entity name 3) ) Can be separated into two words (76, 77). Similar to the above-described embodiment, the identification device 100 compares the keyword associated with the second entity name recognition result 79 and the candidate CPEs 71 to 73, and removes the misidentified CPE based on the comparison result. In the example shown in FIG. 15, since there are no misidentified CPEs (i.e., all of the candidate CPEs contain at least one word representing an entity name), all candidate CPEs 71 to 73 are determined as the final CPE. Can be.

For reference, among the above-described steps S10 to S50, step S10 is performed by the input unit 110, step S20 is performed by the pre-processing unit 130, step S30 is performed by the dictionary-based CPE identification unit 151 Can be. In addition, step S40 may be performed by the entity name recognition unit 153, and step S50 may be performed by the CPE determination unit 155.

So far, a method for identifying device information based on object name recognition according to some embodiments of the present disclosure has been described with reference to FIGS. 5 to 15. According to the above-described method, filtering for the candidate CPE is performed using the object name extracted through object name recognition. Common words such as "login", "server", and the like are not extracted as an object name, and according to the above conditions, the misidentified CPE is filtered, and CPE information associated with the target device can be accurately identified.

Furthermore, as the CPE information for the target device is accurately identified, the vulnerability of the target device can also be accurately identified through the CVE dictionary.

Hereinafter, a method for identifying device information based on object name recognition according to some other embodiments of the present disclosure will be described with reference to FIGS. 16 to 18. Hereinafter, for clarity of the present specification, descriptions of contents overlapping with the above-described embodiments will be omitted.

16 is an exemplary flowchart illustrating a method for identifying device information based on object name recognition according to some other embodiments of the present disclosure.

As shown in FIG. 16, steps S10 to S50 are the same as the above-described embodiment, but differ from the above-described embodiment in that step S60 is further performed.

In step S60, the identification device 100 generates an entity name that is not associated with the candidate CPE as a new CPE. Here, the individual name not associated with the candidate CPE means the individual name not used to remove the misidentified CPE in step S50. The new CPE generated in step S60 may be added to the CPE dictionary and included in the final CPE information of the target device. By doing so, CPE information associated with the target device can be identified without omission. In addition, the sophistication range of the identification device 100 is reduced through a gradual CPE dictionary update, and accurate identification can be made for various devices.

For reference, in this step S60, the identification device 100 performs a duplicate check on the generated new CPE using the CPE dictionary, and adds the generated new CPE to the CPE dictionary in response to the determination that it is not a duplicate. Can be. In addition, this step S60 may be performed by the new CPE generating unit 170.

In order to provide more convenience, the step S60 will be described in detail with reference to the example shown in FIG. 17.

As shown in FIG. 17, using the entity name recognition result 86, filtering for candidate CPEs 81 to 83 is performed, and an entity name (or a word separated from the entity name) that is not used for the filtering, 84, hereinafter referred to as "unused entity name") may be created with a new CPE 85.

In some embodiments, among the unused individual names, individual names whose categories correspond to institution names or other categories are selected, and new CPEs may be generated using only the selected individual names. This is because it is highly likely that an individual name belonging to a person or location name category is not associated with a product name. According to this embodiment, a new CPE can be generated more accurately.

Meanwhile, in some embodiments, in order to generate a new CPE with an unused entity name, matching of the unused entity name with the above-described CPE tree may be performed. More specifically, unused entity names and keyword matching are performed for each level of the CPE tree, and keywords matching for each level may be determined. In addition, new CPEs may be generated by combining keywords matched for each level (that is, connected according to the CPE format).

On the other hand, in some embodiments, an object name recognition model may be used to generate a new CPE. More specifically, a new entity name recognition model capable of recognizing a product name as an entity name is constructed, and an entity name belonging to the product name category can be extracted from the scan data of the target data using the constructed entity name recognition model. . Then, the extracted individual name may be generated as a new CPE.

An example of the process of constructing the new entity name recognition model is illustrated in FIG. 18.

As shown in FIG. 18, the identification device 100, exactly, the new CPE generation unit 170, the existing CPE information 91 or the new CPE information 93 generated according to the method shown in FIG. A training dataset can be created by assigning a product category to an associated keyword. In addition, the identification device 100 may build a model capable of recognizing the individual name of the product name category by learning the learning data set. When the scan data of another target device is obtained, the identification device 100 may extract the object name of the product name category from the scan data using the constructed object name recognition model. In addition, the identification device 100 may generate a new CPE using the extracted object name. As described above, the identification device 100 may perform a duplication check through the CPE dictionary, and only new CPEs that do not overlap may be added to the CPE dictionary.

So far, a method for identifying device information based on object name recognition according to some other embodiments of the present disclosure has been described with reference to FIGS. 16 to 18. According to the above-described method, a new CPE can be created and added to the CPE dictionary using the individual name of a specific category that is closely related to the product name. Accordingly, the device identification function of the identification device 100 may be gradually enhanced. That is, the identification range of the identification device 100 is gradually expanded, and the accuracy of CPE identification can also be improved.

Hereinafter, an example of a computing device 400 capable of implementing a device according to various embodiments of the present disclosure will be described with reference to FIG. 19.

19 is an example hardware configuration diagram illustrating an example computing device 400 that may implement an apparatus in accordance with various embodiments of the present disclosure.

Referring to FIG. 19, the computing device 400 may include one or more processors 410, a bus 450, a communication interface 470, and a memory 430 that loads computer programs performed by the processor 410. And, it may include a storage 490 for storing the computer program 491. However, only components related to the exemplary embodiment of the present disclosure are illustrated in FIG. 19. Therefore, a person skilled in the art to which the present disclosure belongs may recognize that other general-purpose components may be further included in addition to the components illustrated in FIG. 19.

The processor 410 controls the overall operation of each component of the computing device 400. The processor 410 includes a CPU (Central Processing Unit), a Micro Processor Unit (MPU), a Micro Controller Unit (MCU), a Graphic Processing Unit (GPU), or any type of processor well known in the art of the present disclosure. Can be. Also, the processor 410 may perform operations on at least one application or program for executing the method according to the embodiments of the present disclosure. Computing device 400 may include one or more processors.

The memory 430 stores various data, commands and / or information. The memory 430 may load one or more programs 491 from the storage 490 to execute a method / operation according to various embodiments of the present disclosure. For example, when the computer program 491 is loaded in the memory 430, a module may be implemented on the memory 430 as illustrated in FIG. 2. The memory 430 may be implemented as a volatile memory such as RAM, but the technical scope of the present disclosure is not limited thereto.

The bus 450 provides communication functions between components of the computing device 400. The bus 450 may be implemented as various types of buses, such as an address bus, a data bus, and a control bus.

The communication interface 470 supports wired and wireless Internet communication of the computing device 400. Also, the communication interface 470 may support various communication methods other than Internet communication. To this end, the communication interface 470 may include a communication module well known in the art of the present disclosure.

The storage 490 may store the one or more programs 491 non-temporarily. The storage 490 is well-known in the art of non-volatile memory such as read only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, hard disk, removable disk, or the art to which the present disclosure pertains. And any known form of computer-readable recording media.

Computer program 491 may include one or more instructions that, when loaded into memory 430, cause processor 410 to perform a method in accordance with various embodiments of the present disclosure. That is, the processor 410 may execute the methods according to various embodiments of the present disclosure by executing the one or more instructions.

For example, the computer program 491 analyzes received scan data as a response to a request sent to an Internet-connected device to obtain a plurality of search keywords, and uses the plurality of search keywords To obtain a plurality of candidate Common Platform Enumerations (CPEs) associated with the device, comparing the entity names obtained as a result of Named-Entity Recognition with respect to the scan data, and keywords associated with the candidate CPEs, and It may include one or more instructions to remove at least a portion of the plurality of candidate CPE based on the comparison result to perform a device identification operation to determine the final CPE of the device. In this case, the identification device 100 may be implemented through the computing device 400.

For another example, the computer program 491 analyzes received scan data as a response to a request sent to an Internet-connected device to obtain a plurality of search keywords, and the plurality of search keywords. By using the operation, obtaining a plurality of Common Platform Enumerations (CPEs) associated with the device and generating a first entity name as a new CPE among entity names obtained as a result of Named-Entity Recognition for the scan data One or more instructions may be included to perform an operation and an operation of further including the new CPE in the plurality of CPEs associated with the device. Even in this case, the identification device 100 may be implemented through the computing device 400.

So far, various embodiments of the present disclosure and effects according to the embodiments have been described with reference to FIGS. 1 to 19. Effects according to the technical spirit of the present disclosure are not limited to the above-mentioned effects, and other effects not mentioned will be clearly understood by those skilled in the art from the following description.

The technical spirit of the present disclosure described so far with reference to FIGS. 1 to 19 may be embodied as computer readable codes on a computer readable medium. The computer-readable recording medium may be, for example, a removable recording medium (CD, DVD, Blu-ray Disc, USB storage device, removable hard disk), or a fixed recording medium (ROM, RAM, computer-equipped hard disk). Can be. The computer program recorded on the computer-readable recording medium may be transmitted to another computing device through a network such as the Internet and installed on the other computing device, and thus used on the other computing device.

In the above, even if all components constituting the embodiments of the present disclosure are described as being combined or operated as one, the technical spirit of the present disclosure is not necessarily limited to these embodiments. That is, within the scope of the present disclosure, all of the components may be selectively combined to operate.

Although the operations in the drawings are shown in a specific order, it should not be understood that the operations must be performed in a specific order or in a sequential order, or that all desired operations must be executed to obtain the desired result. In certain situations, multitasking and parallel processing may be advantageous. Moreover, the separation of various configurations in the above-described embodiments should not be understood as such separation is necessary, and the described program components and systems may generally be integrated together into a single software product or packaged into multiple software products. It should be understood that there is.

Although the embodiments of the present disclosure have been described with reference to the accompanying drawings, a person of ordinary skill in the art to which the present disclosure pertains may implement the present disclosure in other specific forms without changing the technical spirit or essential characteristics. Understand that there is. Therefore, it should be understood that the above-described embodiments are illustrative in all respects and not restrictive. The scope of protection of the present disclosure should be interpreted by the claims below, and all technical spirits that are within the equivalent scope should be interpreted as being included in the scope of the technical spirits defined by the present disclosure.

Claims (21)

A method performed by a computing device,
Analyzing received scan data as a response to a request sent to an internet-connected device to obtain a plurality of search keywords;
Obtaining a plurality of candidate Common Platform Enumerations (CPEs) associated with the device using the plurality of search keywords;
Comparing an entity name obtained as a result of Named-Entity Recognition with respect to the scan data and a keyword associated with the candidate CPE; And
And determining a final CPE of the device by removing at least some of the plurality of candidate CPEs based on the comparison result.
Method for identifying device information based on object name recognition. According to claim 1,
The scan data,
HTTP-body,
Method for identifying device information based on object name recognition. According to claim 2,
The step of analyzing the scan data and obtaining the plurality of search keywords may include:
Comprising the step of acquiring text data by removing one or more predefined tags from the HTTP-body,
Method for identifying device information based on object name recognition. According to claim 3,
The step of analyzing the scan data and obtaining a plurality of search keywords may include:
Separating the obtained text data into a plurality of words by using a predetermined special character as a delimiter; And
And determining at least some of the plurality of words as the plurality of search keywords.
Method for identifying device information based on object name recognition. According to claim 4,
The step of separating the obtained text data into a plurality of words,
Applying a lowercase conversion to the obtained text data; And
Comprising the step of separating the text data converted to lowercase into the plurality of words,
Method for identifying device information based on object name recognition. According to claim 4,
Determining at least a portion of the plurality of words as the plurality of search keywords,
Determining a word other than the pre-registered keyword among the plurality of words as the plurality of search keywords,
Method for identifying device information based on object name recognition. According to claim 1,
The plurality of candidate CPE,
CPE that matches the plurality of search keywords in the predefined CPE dictionary,
Method for identifying device information based on object name recognition. The method of claim 7,
The plurality of candidate CPE,
Comprising at least one of an operating system CPE and an application CPE and a hardware CPE,
Method for identifying device information based on object name recognition. According to claim 1,
Determining the final CPE,
And removing the first candidate CPE when the object name is not included in a keyword associated with the first candidate CPE among the plurality of candidate CPEs.
Method for identifying device information based on object name recognition. According to claim 1,
Determining the final CPE,
Separating the object name into a plurality of words by using a predetermined special character as a delimiter;
Removing the first candidate CPE when the keyword associated with the first candidate CPE among the plurality of candidate CPEs does not include any one of the plurality of words;
Method for identifying device information based on object name recognition. According to claim 1,
The object name recognition,
BI-LSTM-CRF (Bidirectional Long Short-Term Memory with a Conditional Random Field Layer) model,
Method for identifying device information based on object name recognition. According to claim 1,
Obtaining the plurality of candidate CPE,
Querying a CPE dictionary with the plurality of search keywords, and obtaining the plurality of candidate CPEs as the search result,
Determining the final CPE,
Generating a first individual name as a new CPE among the individual names obtained as a result of the object name recognition; And
Including the new CPE in the final CPE of the device,
The first entity name does not appear in the keywords associated with the plurality of candidate CPEs,
Method for identifying device information based on object name recognition. The method of claim 12,
The first entity name is an organization category (organization) category or other (miscellaneous) entity name,
Method for identifying device information based on object name recognition. According to claim 1,
Obtaining the plurality of candidate CPE,
Querying a CPE dictionary with the plurality of search keywords, and obtaining the plurality of candidate CPEs as the search result,
Determining the final CPE,
Generating and registering a first object name as a new CPE among the object names obtained as a result of the object name recognition; And
Including the new CPE in the final CPE of the device,
None of the words included in the first entity name appear in keywords associated with the plurality of candidate CPEs.
Method for identifying device information based on object name recognition. A method performed by a computing device,
Analyzing received scan data as a response to a request sent to an internet-connected device to obtain a plurality of search keywords;
Obtaining a plurality of Common Platform Enumerations (CPEs) associated with the device using the plurality of search keywords;
Generating a first entity name as a new CPE among entity names obtained as a result of Named-Entity Recognition for the scan data; And
Including the step of further comprising the new CPE in the plurality of CPE associated with the device,
The first entity name does not appear in the keywords associated with the plurality of CPE,
Method for identifying device information based on object name recognition. The method of claim 15,
The step of obtaining the plurality of search keywords,
Scanning an open port among the ports of the device;
Obtaining a banner string as a result of the scan; And
And extracting the plurality of search keywords from the banner string,
Method for identifying device information based on object name recognition. The method of claim 15,
Obtaining a plurality of CPE associated with the device,
Comparing an entity name obtained as a result of the entity name recognition with a keyword associated with the plurality of CPEs; And
And removing at least a portion of the plurality of CPEs based on the comparison result.
Method for identifying device information based on object name recognition. The method of claim 15,
The first entity name is an organization category (organization) category or other (miscellaneous) entity name,
Method for identifying device information based on object name recognition. The method of claim 15,
None of the words included in the first entity name appear in keywords associated with the plurality of candidate CPEs.
Method for identifying device information based on object name recognition. The method of claim 15,
Generating a learning dataset by assigning a product category to keywords included in the first entity name; And
Further comprising the step of learning the object name recognition model using the learning data set,
Method for identifying device information based on object name recognition. A memory that stores one or more instructions; And
By executing the one or more instructions,
As a response to a request sent to an internet-connected device, a plurality of search keywords are obtained by analyzing received scan data, and a plurality of candidate CPEs (Commons) associated with the device are obtained using the plurality of search keywords Platform Enumeration), compares the entity name obtained as a result of Named-Entity Recognition with respect to the scan data and keywords associated with the candidate CPE, and based on the comparison result, at least one of the plurality of candidate CPEs. Including a processor to remove a portion to determine the final CPE of the device,
Device information identification device.

Images