US20210226979A1 - Vulnerability scanning method, server and system - Google Patents
- Publication number: US20210226979A1 (application US16/099,815)
- Authority: US (United States)
- Prior art keywords
- scan
- task
- proxy node
- host
- scheduling center
- Legal status: Granted
Classifications
- H04L63/1433: Vulnerability analysis (under H04L63/14, network architectures or protocols for detecting or protecting against malicious traffic)
- G06F21/54: Monitoring users, programs or devices to maintain the integrity of platforms during program execution, by adding security routines or objects to programs (under G06F21/52)
- H04L63/0281: Proxies (under H04L63/02, separating internal from external traffic, e.g. firewalls)
- H04L67/10: Protocols in which an application is distributed across nodes in the network (under H04L67/01)
- H04L67/56: Provisioning of proxy services (under H04L67/50, network services)
- H04L67/563: Data redirection of data network streams
- H04L67/60: Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
- H04L67/63: Routing a service request depending on the request content or context
Definitions
- the present disclosure generally relates to the field of Internet technology and, more particularly, relates to a vulnerability scanning method, a server, and a system thereof.
- the scanning content is pre-customized.
- the vulnerability scanning tool may execute a one-time scan of the pre-customized scanning content, thereby detecting potential vulnerabilities defined in the scanning content.
- this vulnerability scanning method has a major limitation.
- the content scanned for the computer can be only limited to the pre-customized content.
- the customized scanning content may not be applicable, or a full vulnerability scan cannot be conducted on these computers. Therefore, the accuracy of vulnerability scanning in the existing technologies is not high enough.
- the purpose of the present disclosure is to provide a vulnerability scanning method, a server, and a system thereof, which may improve the accuracy of vulnerability scanning.
- the present disclosure provides a vulnerability scanning method.
- the method includes: identifying a host service running on a target host and creating a scan task that matches the identified host service; issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, where the proxy node executes the at least one scan task for the target host, and obtains a scan result; and receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, where the scan subtask is acquired by the proxy node from the task scheduling center and is executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
- the present disclosure further provides a server.
- the server comprises a memory and a processor, where the memory stores computer programs that, when executed by the processor, implement the following steps: identifying a host service running on a target host and creating a scan task that matches the identified host service; issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, where the proxy node executes the at least one scan task for the target host, and obtains a scan result; and receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, where the scan subtask is acquired by the proxy node from the task scheduling center and executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
- the present disclosure further provides a vulnerability scanning system.
- the system comprises a server, a task scheduling center, and a proxy node, where: the server is configured to identify a host service running on a target host, create a scan task that matches the identified host service, issue the created scan task to a task scheduling center, determine whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, if there exists the specified host service in the identified host service, issue again a scan subtask corresponding to the specified host service to the task scheduling center, and receive a scan result fed back by the proxy node; the task scheduling center is configured to receive the scan task or scan subtask issued by the server, and place the received scan task or scan subtask in a task queue; and the proxy node is configured to acquire at least one scan task or scan subtask from the task scheduling center, execute the at least one scan task or scan subtask for the target host to obtain a scan result, and feed back the obtained scan result to the server.
- the technical solutions provided by the present disclosure may issue scan tasks multiple times when executing vulnerability scanning on a target host, and each issued scan task is determined based on an identification of a service, a website, or a component on the host.
- the server may issue a scan task corresponding to the host service to the task scheduling center. If the identified host service contains a specified host service that signifies a website resource, the server may issue again a scan subtask for the specified host service. Compared to the previously issued scan task, the scan subtask may scan possible vulnerabilities in the specified host service more comprehensively.
- a page address associated with the website resource may also continue to be collected.
- the server may further issue a page application scan task, so that possible vulnerabilities on a page of the website may be further scanned. Further, a web fingerprint corresponding to the collected page address may be identified. By matching the web fingerprint with the preset fingerprint database, it may be determined whether a specified page component exists in the page of the website. If there exists the specified page component, the server may further issue a page component scan task, so that the specified page component with possible vulnerabilities can be scanned.
- the technical solutions provided by the present disclosure generate the corresponding scan tasks each time based on the results identified from the host, and issue the scan tasks multiple times, so that the target host can be deliberately scanned deeper and deeper.
- the technical solutions provided by the present disclosure may not only scan the host, but also scan the websites that are operated and maintained on the host, so that a more comprehensive scanning process can be achieved.
- a mode of multiple proxy nodes scanning in parallel may be employed to improve the efficiency of vulnerability scanning. Therefore, the technical solutions provided by the present disclosure may not only improve the accuracy of vulnerability scanning, but also the efficiency of the vulnerability scanning.
- FIG. 1 is a schematic diagram of a system architecture according to some embodiments of the present disclosure.
- FIG. 2 is a flowchart of a vulnerability scanning method according to some embodiments of the present disclosure.
- FIG. 3 is a flowchart of vulnerability scanning according to some embodiments of the present disclosure.
- FIG. 4 is a schematic structural diagram of a server according to some embodiments of the present disclosure.
- FIG. 5 is an interactive diagram of different entities according to some embodiments of the present disclosure.
- FIG. 6 is a schematic structural diagram of a computer terminal according to some embodiments of the present disclosure.
- the system architecture may include a server, a task scheduling center, and a proxy node.
- the server may be configured to create a scan task for vulnerability scanning.
- the task scheduling center may receive a scan task issued by the server.
- the proxy node may acquire a scan task from the task scheduling center, execute the acquired scan task for the corresponding host to obtain a scan result related to the host.
- the scan result may be reported by the proxy node to the server.
- the system architecture may be deployed in a manner of a distributed system.
- Each proxy node may be connected to the task scheduling center.
- Some proxy nodes may obtain different scan tasks for the same host, and these proxy nodes may execute the acquired scan tasks in parallel, thereby improving the efficiency of vulnerability scanning.
- the present disclosure provides a vulnerability scanning method, which may be applied to the above system architecture.
- the method may include the following steps.
- the server may be the execution entity of the following steps S11 to S15.
- the target host may be a host to be scanned for vulnerability.
- the server may first identify the host services running on the target host. Specifically, external service detection may be performed on the target host so as to detect the Internet-facing assets of the target host. Subsequently, vulnerability scanning may be executed on these Internet-facing assets.
- not all attacks come from external networks. Some attacks may also come from applications inside the target host. In this situation, the server may also perform internal application detection on the target host so as to detect the assets inside the target host.
- the above-detected assets may all serve as host services running on the target host.
- the server may query the preset vulnerability database to identify the type of vulnerability that matches the host service.
- the significance of this process is that the server will not blindly issue scan tasks for all the host services, but only issue corresponding scan tasks for the host services that may have a vulnerability.
- the server may create a scan task corresponding to the type of vulnerability.
- the scan task corresponding to the type of vulnerability may serve as the scan task that matches the host service.
- S13: issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, where the proxy node executes the at least one scan task for the target host, and obtains a scan result.
- the server may issue the scan task to the task scheduling center.
- the task scheduling center may place the scan task in a task queue to wait for the proxy node to acquire the scan task.
- a proxy node may selectively acquire a scan task from the task scheduling center based on its own instant load status.
- a proxy node may include a load balancing module.
- the load balancing module may obtain the current load parameters of the proxy node when the proxy node is about to acquire a scan task from the task scheduling center.
- the load parameters may include, for example, the instant CPU usage of the proxy node, the memory usage, the number of processing scan tasks, and the like.
- the load balancing module may comprehensively calculate the current load value of the proxy node based on the load parameters. The higher the load value, the lower the proxy node's ability to handle scan tasks.
- the load balancing module may determine the number of scan tasks expected to be acquired from the task scheduling center based on the instant load value of the proxy node.
- the load balancing module may store in advance a mapping relationship table between load values and the number of tasks.
- the load values may be divided into ranges, and the number of tasks corresponding to each range may be obtained. In this way, after the instant load value of the proxy node is determined, the number of scan tasks expected to be acquired may be determined through the mapping relationship table.
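The load balancing module described above, as an added illustration that is not the patent's own code: the proxy node combines its instant CPU usage, memory usage and number of in-progress scan tasks into one load value, then looks that value up in a pre-stored mapping table of load ranges to decide how many scan tasks to pull from the task scheduling center's queue. The weights, the assumed concurrent-task capacity, the range boundaries and the task counts in the table are all assumptions chosen for illustration; the disclosure does not specify them.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoadParams:
    cpu_pct: float       # instant CPU usage of the proxy node, 0..100
    mem_pct: float       # memory usage, 0..100
    running_tasks: int   # scan tasks currently being processed


# Assumed capacity used to put the running-task count on the same 0..100 scale.
MAX_CONCURRENT_TASKS = 20

# Assumed weights for combining the three parameters into one load value.
W_CPU, W_MEM, W_TASKS = 0.4, 0.3, 0.3

# Assumed mapping relationship table: [lower, upper) load range -> tasks to acquire.
# A higher load value means less capacity, so fewer tasks are fetched.
LOAD_TO_TASK_COUNT = [
    ((0.0, 30.0), 5),
    ((30.0, 60.0), 3),
    ((60.0, 85.0), 1),
    ((85.0, 100.01), 0),
]


def load_value(p: LoadParams) -> float:
    """Combine the instant load parameters into a single 0..100 load value."""
    task_pct = min(100.0, 100.0 * p.running_tasks / MAX_CONCURRENT_TASKS)
    return W_CPU * p.cpu_pct + W_MEM * p.mem_pct + W_TASKS * task_pct


def tasks_to_acquire(p: LoadParams) -> int:
    """Look the load value up in the mapping table; a value outside every range fetches nothing."""
    v = load_value(p)
    for (lo, hi), n in LOAD_TO_TASK_COUNT:
        if lo <= v < hi:
            return n
    return 0


def make_queue(task_ids) -> deque:
    """Stand-in for the task scheduling center's FIFO task queue."""
    return deque(task_ids)


def acquire_tasks(task_queue: deque, p: LoadParams) -> list:
    """Pull at most tasks_to_acquire(p) tasks from the scheduling center's queue."""
    wanted = tasks_to_acquire(p)
    taken = []
    while task_queue and len(taken) < wanted:
        taken.append(task_queue.popleft())
    return taken


if __name__ == "__main__":
    q = make_queue(["scan-1", "scan-2", "scan-3", "scan-4"])
    idle_node = LoadParams(cpu_pct=20, mem_pct=40, running_tasks=2)
    print("acquired:", acquire_tasks(q, idle_node), "left in queue:", list(q))
```

A node near saturation (for example 90% CPU, 80% memory and 18 of 20 task slots busy) lands in the top range and acquires nothing, so the tasks stay queued for less loaded nodes; that is the property that makes several proxy nodes share the same queue safely.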
- the proxy node may execute the acquired scan task through a scan interface provided in advance by the target host. During the execution of the scan task, possible vulnerabilities with respect to the host service may be detected on the target host. When the execution of the scan task is completed, a scan result may be summarized based on the vulnerability information obtained through the scanning. The scan result may be fed back to the server by the proxy node.
- S15: receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, where the scan subtask is acquired by the proxy node from the task scheduling center and executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
- a server may receive the scan result fed back by the proxy node.
- the scan result is a result of a preliminary scanning of the host service.
- the above-noted scan task may be a shallow scanning of the host service that may have a vulnerability. For some important host services, no detailed scanning will be further executed. Accordingly, in the disclosed embodiment, the scan tasks may be issued multiple times in a deeper and deeper manner.
- the server may determine whether a specified host service exists in the identified host service.
- the specified host service may signify an existence of a website resource running on the target host. Since websites are usually accessed by a large number of users, a specified host service within the website resource may be a relatively important service on the target host and may be a service that is easily attacked.
- the specified host service is an HTTP service. In real applications, when it is detected that the HTTP service is enabled on the target host, the server may again create a scan subtask for the HTTP service. This scan subtask may execute additional scanning for the website resource.
- the server may collect the page address associated with the website resource when an HTTP service is detected to exist on the target host.
- the page address may be a page Uniform Resource Locator (URL) existing on the website.
- a page application scan task corresponding to the page address may be created.
- the page application scan task may scan for possible vulnerabilities on a page of the website. Compared to the above-noted scan tasks for general host services on the target host, a page application scan task may execute vulnerability scanning more finely for a page of the website associated with the HTTP service.
- the scan subtask created by the server may be a page application scan task.
- the server may again issue the page application scan task to the task scheduling center.
- the proxy node may continue to acquire at least one page application scan task from the task scheduling center.
- a corresponding scan result for the page may be obtained after the proxy node executes the at least one page application scan task for the target host. This scan result may also be fed back to the server.
- a plurality of page components may be included in a webpage.
- the page components may be identified by a web fingerprint.
- a web fingerprint of the page address may be further identified.
- the web fingerprint corresponding to the page address may be identified by keywords in the webpage, the MD5 hash of a specified file, keywords in the page address, or the TAG mode of the page address.
- the server may match the identified web fingerprint with the preset fingerprint database, so as to determine whether the identified web fingerprint is the specified web fingerprint existing in the preset fingerprint database. It is very likely that a page component signified by a specified web fingerprint has a vulnerability. Therefore, in the disclosed embodiment, when it is determined that the identified web fingerprint is a specified web fingerprint existing in the preset fingerprint database, vulnerability scanning may be further executed for the page component corresponding to the web fingerprint.
- the server may create a page component scan task, and the page component scan task may be configured to scan a page component included in the webpage corresponding to the page address.
- the server may again issue the created page component scan task to the task scheduling center, so that the proxy node obtains at least one page component scan task from the task scheduling center. In this way, after the proxy node executes the at least one page component scan task for the target host, a page component scan result corresponding to the target host may be obtained.
- the scan tasks may be issued multiple times. Each time, the issued scan task is determined based on the identification of a service, a website, or a component on the host. Not only may the host be scanned for the vulnerability, a website on the host may be also scanned for the vulnerability, and a webpage component may be scanned as well. As the scan tasks are issued multiple times, the scanning process for the target host will become finer and finer. Different from the scanning methods using the customized content in the existing technologies, the technical solutions of the present disclosure may issue different scan tasks for different hosts, and the scanning depth also deepens as the number of times of scanning increases, thereby achieving comprehensive and accurate vulnerability scanning.
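The multi-round issuance of steps S11 to S15 and the page-level follow-ups, as an added simulation that is not the patent's own code: the server creates service scan tasks from a preset vulnerability database, the task scheduling center queues them, a proxy node acquires and executes them and feeds results back, and on each result the server decides whether to deepen the scan (an HTTP subtask that collects page addresses, page application tasks per address, and a page component task when a web fingerprint matches the preset fingerprint database). The target host inventory, the vulnerability database, the fingerprint database, the task kinds and the `proxy_execute` stand-in are all constructed for this example; a real proxy node would drive an actual scanner where `proxy_execute` returns canned data.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanTask:
    kind: str       # "service", "http_subtask", "page_app" or "page_component"
    target: str     # host address or page URL the task is executed against
    detail: str     # vulnerability type, page URL or page component name
    round_no: int   # issuance round that produced the task (1 = first, shallow round)


# Constructed sample data (assumptions, not from the patent).
TARGET_HOST = {
    "address": "203.0.113.10",                # documentation-range address
    "services": {"ssh": 22, "http": 80},      # identified host services
    "pages": {                                # page URL -> keywords seen on the page
        "http://203.0.113.10/": ["wp-content", "Powered by WordPress"],
        "http://203.0.113.10/login": ["login-form"],
    },
}
VULN_DB = {"ssh": ["weak-cipher-suite"], "http": ["outdated-server-header"],
           "ftp": ["anonymous-login"]}        # preset vulnerability database
FINGERPRINT_DB = {"wp-content": "wordpress-core"}   # preset fingerprint database
SPECIFIED_HOST_SERVICE = "http"               # service that signifies a website resource


class SchedulingCenter:
    """Holds issued tasks in a FIFO queue until a proxy node acquires them."""
    def __init__(self):
        self.queue = deque()

    def issue(self, task):
        self.queue.append(task)

    def acquire(self, n):
        return [self.queue.popleft() for _ in range(min(n, len(self.queue)))]


def proxy_execute(task, host):
    """Simulated proxy-node execution returning canned data for the constructed host."""
    r = {"task": task, "findings": []}
    if task.kind == "service":
        r["findings"].append(f"{task.detail} checked on {task.target}")
    elif task.kind == "http_subtask":
        r["pages"] = list(host["pages"])                 # collected page addresses
    elif task.kind == "page_app":
        r["findings"].append(f"page application scan of {task.detail}")
        r["keywords"] = host["pages"][task.detail]       # material for the web fingerprint
    elif task.kind == "page_component":
        r["findings"].append(f"page component scan of {task.detail} at {task.target}")
    return r


class Server:
    def __init__(self, center, host):
        self.center, self.host = center, host
        self.round_no, self.issued, self.findings = 0, [], []
        self.services, self.pending_service_results, self.subtask_issued = {}, 0, False

    def _issue(self, kind, target, detail):
        t = ScanTask(kind, target, detail, self.round_no)
        self.issued.append(t)
        self.center.issue(t)

    def start(self):
        # S11/S12: identify host services; only services with a matching vulnerability type get a task.
        self.services = dict(self.host["services"])
        self.round_no = 1
        for svc in self.services:
            for vuln in VULN_DB.get(svc, []):
                self._issue("service", self.host["address"], vuln)
                self.pending_service_results += 1

    def on_result(self, r):
        t = r["task"]
        self.findings.extend(r["findings"])
        if t.kind == "service":
            self.pending_service_results -= 1
            # S15: once the preliminary results are in, deepen on the website service.
            if (self.pending_service_results == 0 and not self.subtask_issued
                    and SPECIFIED_HOST_SERVICE in self.services):
                self.subtask_issued = True
                self.round_no += 1
                self._issue("http_subtask", self.host["address"], SPECIFIED_HOST_SERVICE)
        elif t.kind == "http_subtask":
            self.round_no += 1
            for url in r["pages"]:                       # one page application task per address
                self._issue("page_app", url, url)
        elif t.kind == "page_app":
            for kw in r["keywords"]:                     # match web fingerprint against the database
                if kw in FINGERPRINT_DB:
                    self.round_no += 1
                    self._issue("page_component", t.target, FINGERPRINT_DB[kw])


def run_scan(host=TARGET_HOST, batch=2):
    """Drive server, scheduling center and one proxy node until the queue drains."""
    center, server = SchedulingCenter(), None
    server = Server(center, host)
    server.start()
    while center.queue:
        for task in center.acquire(batch):               # proxy node pulls `batch` tasks at a time
            server.on_result(proxy_execute(task, host))
    return {"issued": server.issued, "findings": server.findings, "rounds": server.round_no}
```

With the constructed host the scan takes four issuance rounds: two service tasks, one HTTP subtask, two page application tasks, then a single page component task for the page whose keywords hit the fingerprint database. The `ftp` entry in the vulnerability database produces no task because no FTP service was identified, which is the "do not blindly issue tasks for every service" behaviour the disclosure describes.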
- a matching proxy node may be selectively employed to execute a scan task based on the network environment where the target host is located. Specifically, when a target host needs to be scanned, the network environment where the target host is located may be identified. For example, the operator corresponding to the network currently utilized by the target host may be identified, and the current geographical location of the target host may also be determined. Subsequently, a target proxy node that matches the identified network environment may be determined.
- the determined target proxy node may be on the same network as the operator of the target host, and the target proxy node is relatively close to the target host.
- the target proxy node that matches the target host may be selected by means of a content delivery network. In this way, a scan task may subsequently be acquired from the task scheduling center by the target proxy node, and the acquired scan task is executed by the target proxy node for the target host. Because the proxy node and the target host share the same network environment, a good communication connection can be maintained, so that the low scanning efficiency caused by differing network environments may be avoided.
- a transmission path for feeding back the scan result may be purposely selected in the content delivery network.
- the network environment where each proxy node is located in the transmission path may match the network environment where the target host is located.
- the server may identify the network environment where the target host is located, and receive and identify the scan result reported by the proxy node that matches the identified network environment.
- some ports on the target host may present a serious vulnerability. If access control measures are not set on these ports and the ports are left directly open, data leakage from the target host may occur. Therefore, in the disclosed embodiment, a specified port of the target host may be periodically scanned at a specified interval. The specified port may be one of the above-noted ports that needs access control measures. When the scan result indicates that the specified port has no access control measures, the specified port may lead to data leakage. In this situation, a warning message may be generated for the specified port to remind the administrator of the target host to take corresponding action in time, or new matching access control measures may be added based on the scan result.
- a scan task may be also flexibly configured on the server side.
- various scan parameters for executing a scan task may be customized on the server side.
- the scan parameters may be, for example, a defined scan depth, the number of times of scanning, and the like.
- the scanning parameters may define a scanning mode corresponding to the scan task.
- the server comprises a memory and a processor, where the memory stores computer programs that, when executed by the processor, implement the following steps:
- S13: issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, where the proxy node executes the at least one scan task for the target host, and obtains a scan result;
- S15: receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, where the scan subtask is acquired by the proxy node from the task scheduling center and executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
- the computer programs when executed by the processor, further implement the following steps:
- the present disclosure further provides a vulnerability scanning system.
- the system comprises a server, a task scheduling center, and a proxy node, where:
- the server is configured to identify a host service running on a target host, create a scan task that matches the identified host service, issue the created scan task to a task scheduling center, determine whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, if there exists the specified host service in the identified host service, issue again a scan subtask corresponding to the specified host service to the task scheduling center, and receive a scan result fed back by the proxy node;
- the task scheduling center is configured to receive the scan task or scan subtask issued by the server, and place the received scan task or scan subtask in a task queue;
- the proxy node is configured to acquire at least one scan task or scan subtask from the task scheduling center, execute the at least one scan task or scan subtask for the target host to obtain a scan result, and feed back the obtained scan result to the server.
- there may be multiple proxy nodes, each of which may be connected to the task scheduling center. Some of the proxy nodes may acquire different scan tasks for the same host, and these proxy nodes may execute the acquired scan tasks in parallel, thereby improving the efficiency of vulnerability scanning.
- the server is further configured to collect a page address associated with the website resource, create a page application scan task corresponding to the page address, and issue again the created page application scan task to the task scheduling center.
- the server after collecting the page address associated with the website resource, is further configured to identify a web fingerprint of the page address, and match the web fingerprint with a preset fingerprint database. If the web fingerprint is a specified web fingerprint existing in the preset fingerprint database, the server creates a page component scan task, and issues again the created page component scan task to the task scheduling center.
- the server is further configured to identify a network environment where the target host is located, and determine a target proxy node that matches the identified network environment, so as to acquire a scan task or scan subtask from the task scheduling center through the target proxy node. Further, the target proxy node executes the acquired scan task or scan subtask for the target host.
- the proxy node further includes an address lookup module, and the address lookup module is configured to determine a target proxy node that matches a network environment where the target host is located and report the scan result through the determined target proxy node to the server.
- the proxy node further includes a load balancing module, and the load balancing module is configured to obtain current load parameters of the proxy node, and determine the number of scan tasks or scan subtasks that are expected to be acquired from the task scheduling center based on the load parameters. Specifically, the proxy node may selectively acquire a scan task from the task scheduling center based on its instant load status.
- the load balancing module may acquire the instant load parameters of the proxy node when the proxy node is about to acquire a scan task from the task scheduling center.
- the load parameters may include, for example, the instant CPU usage of the proxy node, the memory usage, the number of processing scan tasks, and the like.
- the load balancing module may comprehensively calculate the current load value of the proxy node based on the load parameters. The higher the load value, the lower the proxy node's ability to handle scan tasks. In this way, the load balancing module may determine the number of scan tasks expected to be acquired from the task scheduling center based on the instant load value of the proxy node. Specifically, the load balancing module may store in advance a mapping relationship table between load values and the number of tasks. In the mapping relationship table, the load values may be divided into ranges, and the number of tasks corresponding to each range may be obtained. In this way, after the instant load value of the proxy node is determined, the number of scan tasks expected to be acquired may be determined through the mapping relationship table.
- the computer terminal 10 may include one or more (only one is shown in the figure) processors 102 (a processor 102 may include, but is not limited to, a processing device such as a micro-controller MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission device 106 for communication purposes.
- the structure shown in FIG. 6 is provided by way of illustration, but not by way of limitation of the structures of the above-described electronic devices.
- the computer terminal 10 may also include more or fewer components than those shown in FIG. 6 , or have a different configuration than that shown in FIG. 6 .
- the memory 104 may be used to store software programs and modules of application software.
- the processor 102 implements various functional applications and data processing by executing software programs and modules stored in the memory 104 .
- the memory 104 may include a high-speed random access memory, and a non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory.
- the memory 104 may further include a memory remotely disposed with respect to the processor 102 , which may be connected to the computer terminal 10 through a network. Examples of such network may include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
- the transmission device 106 is configured to receive or transmit data via the network.
- the aforementioned specific examples of the network may include a wireless network provided by the communication provider of the computer terminal 10 .
- the transmission device 106 includes a network interface controller (NIC).
- the transmission device 106 may be connected to other network devices through the base stations, so as to communicate with the Internet.
- the transmission device 106 may be a Radio Frequency (RF) module that is configured to communicate with the Internet via a wireless approach.
- the various embodiments may be implemented in the form of software with a necessary general hardware platform, or implemented in the form of hardware.
- the above technical solutions, or essentially the parts that contribute to the existing technologies may take the form of software products.
- the computer software products may be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk, or an optical disc, that includes a set of instructions to direct a computing device (may be a personal computer, a server, or a network device, etc.) to implement each disclosed embodiment or part of the described methods of the disclosed embodiments.
Abstract
A vulnerability scanning method includes: identifying a host service running on a target host and creating a scan task that matches the identified host service; issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, where the proxy node executes the at least one scan task for the target host, and obtains a scan result; and receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center.
Description
- The present disclosure generally relates to the field of Internet technology and, more particularly, relates to a vulnerability scanning method, a server, and a system thereof.
- With the continuous development of Internet technology, the problem of information security on the Internet has become increasingly prominent. At present, cyber-attacks exploiting computer vulnerability and network system flaws have become an important way for criminals to seek private interests and commit crimes. In order to fix computer vulnerabilities in time, it is usually necessary to employ a vulnerability scanning tool to scan a computer so as to detect existing or potential vulnerabilities in the computer.
- When a traditional vulnerability scanning tool scans a computer, the scanning content is pre-customized. The vulnerability scanning tool may execute a one-time scan of the pre-customized scanning content, thereby detecting potential vulnerabilities defined in the scanning content. However, this vulnerability scanning method has a major limitation. The content scanned for the computer can be only limited to the pre-customized content. For different computers, the customized scanning content may be not applicable, or a full vulnerability scan cannot be conducted on these computers. Therefore, the accuracy of vulnerability scanning in the existing technologies is not high enough.
- The purpose of the present disclosure is to provide a vulnerability scanning method, a server, and a system thereof, which may improve the accuracy of vulnerability scanning.
- To achieve the above purpose, in one aspect, the present disclosure provides a vulnerability scanning method. The method includes: identifying a host service running on a target host and creating a scan task that matches the identified host service; issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, where the proxy node executes the at least one scan task for the target host, and obtains a scan result; and receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, where the scan subtask is acquired by the proxy node from the task scheduling center and is executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
- To achieve the above purpose, in another aspect, the present disclosure further provides a server. The server comprises a memory and a processor, where the memory stores computer programs that, when executed by the processor, implement the following steps: identifying a host service running on a target host and creating a scan task that matches the identified host service; issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, where the proxy node executes the at least one scan task for the target host, and obtains a scan result; and receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, where the scan subtask is acquired by the proxy node from the task scheduling center and executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
- To achieve the above purpose, in another aspect, the present disclosure further provides a vulnerability scanning system. The system comprises a server, a task scheduling center, and a proxy node, where: the server is configured to identify a host service running on a target host, create a scan task that matches the identified host service, issue the created scan task to a task scheduling center, determine whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, if there exists the specified host service in the identified host service, issue again a scan subtask corresponding to the specified host service to the task scheduling center, and receive a scan result fed back by the proxy node; the task scheduling center is configured to receive the scan task or scan subtask issued by the server, and place the received scan task or scan subtask in a task queue; and the proxy node is configured to acquire at least one scan task or scan subtask from the task scheduling center, execute the at least one scan task or scan subtask for the target host to obtain a scan result, and feed back the obtained scan result to the server.
- As can be seen from the above, the technical solutions provided by the present disclosure may issue scan tasks multiple times when executing vulnerability scanning on a target host, and each issued scan task is determined based on an identification of a service, a website, or a component on the host. Specifically, when a host service is identified on the target host, the server may issue a scan task corresponding to the host service to the task scheduling center. If the identified host service contains a specified host service that signifies a website resource, the server may issue again a scan subtask for the specified host service. Compared to the previously issued scan task, the scan subtask may scan possible vulnerabilities in the specified host service more comprehensively. After issuing the scan subtask for the specified host service that signifies the website resource, a page address associated with the website resource may also continue to be collected. For the collected page address, the server may further issue a page application scan task, so that possible vulnerabilities on a page of the website may be further scanned. Further, a web fingerprint corresponding to the collected page address may be identified. By matching the web fingerprint with the preset fingerprint database, it may be determined whether a specified page component exists in the page of the website. If there exists the specified page component, the server may further issue a page component scan task, so that the specified page component with possible vulnerabilities can be scanned. As can be seen from the above, the technical solutions provided by the present disclosure generate the corresponding scan tasks each time based on the results identified from the host, and issue the scan tasks multiple times, so that the target host can be deliberately scanned deeper and deeper. 
In addition, the technical solutions provided by the present disclosure may not only scan the host, but also scan the websites that are operated and maintained on the host, so that a more comprehensive scanning process can be achieved. In terms of system architecture, by adopting a distributed scanning mode of the server and proxy nodes, a mode of multiple proxy nodes scanning in parallel may be employed to improve the efficiency of vulnerability scanning. Therefore, the technical solutions provided by the present disclosure may not only improve the accuracy of vulnerability scanning, but also the efficiency of the vulnerability scanning.
- To make the technical solutions in the embodiments of the present disclosure clearer, a brief introduction of the accompanying drawings consistent with descriptions of the embodiments will be provided hereinafter. It is to be understood that the following described drawings are merely some embodiments of the present disclosure. Based on the accompanying drawings and without creative efforts, persons of ordinary skill in the art may derive other drawings.
- FIG. 1 is a schematic diagram of a system architecture according to some embodiments of the present disclosure;
- FIG. 2 is a flowchart of a vulnerability scanning method according to some embodiments of the present disclosure;
- FIG. 3 is a flowchart of vulnerability scanning according to some embodiments of the present disclosure;
- FIG. 4 is a schematic structural diagram of a server according to some embodiments of the present disclosure;
- FIG. 5 is an interactive diagram of different entities according to some embodiments of the present disclosure; and
- FIG. 6 is a schematic structural diagram of a computer terminal according to some embodiments of the present disclosure.
- To make the objectives, technical solutions, and advantages of the present disclosure clearer, specific embodiments of the present disclosure will be described in detail with reference to the accompanying drawings.
- The technical solutions provided by the present disclosure may be applied to the system architecture shown in FIG. 1. Referring to FIG. 1, the system architecture may include a server, a task scheduling center, and a proxy node. The server may be configured to create a scan task for vulnerability scanning, the task scheduling center may receive a scan task issued by the server, and the proxy node may acquire a scan task from the task scheduling center and execute the acquired scan task for the corresponding host to obtain a scan result related to the host. The scan result may be reported by the proxy node to the server.
- In the present disclosure, the system architecture may be deployed in the manner of a distributed system. There may be a plurality of proxy nodes. Each proxy node may be connected to the task scheduling center. Some proxy nodes may obtain different scan tasks for the same host, and these proxy nodes may execute the acquired scan tasks in parallel, thereby improving the efficiency of vulnerability scanning.
- The present disclosure provides a vulnerability scanning method, which may be applied to the above system architecture. Referring to FIG. 2 and FIG. 3, the method may include the following steps. The server may be the execution entity of the following steps S11 to S15.
- S11: identifying a host service running on a target host and creating a scan task that matches the identified host service.
- In the disclosed embodiment, the target host may be a host to be scanned for vulnerability. When issuing a scan task for the target host, the server may first identify the host services running on the target host. Specifically, external service detection may be performed on the target host so as to detect the Internet-facing assets of the target host. Subsequently, vulnerability scanning may be executed on these Internet-facing assets. In addition, not all attacks come from external networks. Some attacks may also come from applications inside the target host. In this situation, the server may also perform internal application detection on the target host so as to detect the assets inside the target host.
- In the disclosed embodiment, the above-detected assets may all serve as host services running on the target host. After detecting an existence of a host service running on the target host, the server may query the preset vulnerability database to identify the type of vulnerability that matches the host service. The significance of this process is that the server will not blindly issue scan tasks for all the host services, but only issue corresponding scan tasks for the host services that may have a vulnerability. In this way, after identifying the type of vulnerability that matches the host service, the server may create a scan task corresponding to the type of vulnerability. Here, the scan task corresponding to the type of vulnerability may serve as the scan task that matches the host service.
- S13: issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, where the proxy node executes the at least one scan task for the target host, and obtains a scan result.
- In the disclosed embodiment, after creating a scan task for the target host, the server may issue the scan task to the task scheduling center. After receiving the scan task, the task scheduling center may place the scan task in a task queue to wait for the proxy node to acquire the scan task.
- In the disclosed embodiment, a proxy node may selectively acquire a scan task from the task scheduling center based on its own instant load status. Specifically, a proxy node may include a load balancing module. The load balancing module may obtain the current load parameters of the proxy node when the proxy node is about to acquire a scan task from the task scheduling center. The load parameters may include, for example, the instant CPU usage of the proxy node, the memory usage, the number of processing scan tasks, and the like. The load balancing module may comprehensively calculate the current load value of the proxy node based on the load parameters. The higher the load value, the lower the proxy node's ability to handle scan tasks. In this way, the load balancing module may determine the number of scan tasks expected to be acquired from the task scheduling center based on the instant load value of the proxy node. Specifically, the load balancing module may store in advance a mapping relationship table between load values and the number of tasks. In the mapping relationship table, the load values may be divided into ranges, and the number of tasks corresponding to each range may be obtained. In this way, after the instant load value of the proxy node is determined, the number of scan tasks expected to be acquired may be determined through the mapping relationship table.
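The load balancing module described above, modelled as an added example (this is not code from the patent). The weights combining CPU usage, memory usage and the number of running tasks, the capacity constant, and the range-to-count mapping table are all assumptions standing in for the "comprehensive" calculation and the pre-stored mapping relationship table the text describes; the task scheduling center is reduced to a queue the server fills and proxy nodes pull from.

```python
"""Model of a proxy node's load balancing module (step S13).

Added example, not code from the patent: WEIGHTS, MAX_CONCURRENT_TASKS and
LOAD_TABLE are assumptions standing in for the calculation and the mapping
relationship table the description mentions.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class LoadParameters:
    cpu_usage: float     # fraction of CPU in use, 0.0 .. 1.0
    memory_usage: float  # fraction of memory in use, 0.0 .. 1.0
    running_tasks: int   # scan tasks the proxy node is currently processing


# Assumed weighting of the three load parameters (sums to 1.0).
WEIGHTS = {"cpu": 0.4, "memory": 0.3, "tasks": 0.3}
# Assumed number of concurrent scan tasks that saturates the task term.
MAX_CONCURRENT_TASKS = 10

# Assumed mapping relationship table: load value range -> tasks to acquire.
# Ranges are [lower, upper); a saturated node acquires nothing.
LOAD_TABLE = [
    ((0.0, 0.3), 4),
    ((0.3, 0.6), 2),
    ((0.6, 0.8), 1),
    ((0.8, 1.01), 0),
]


def load_value(p: LoadParameters) -> float:
    """Combine the instant load parameters into one load value in [0, 1]."""
    task_ratio = min(p.running_tasks / MAX_CONCURRENT_TASKS, 1.0)
    return (WEIGHTS["cpu"] * p.cpu_usage
            + WEIGHTS["memory"] * p.memory_usage
            + WEIGHTS["tasks"] * task_ratio)


def tasks_to_acquire(load: float) -> int:
    """Look the load value up in the mapping table; values outside it yield 0."""
    for (lower, upper), count in LOAD_TABLE:
        if lower <= load < upper:
            return count
    return 0


class TaskSchedulingCenter:
    """Minimal task queue: the server issues tasks, proxy nodes pull them."""

    def __init__(self, tasks=()):
        self.queue = deque(tasks)

    def issue(self, task):
        self.queue.append(task)

    def acquire(self, count):
        taken = []
        while self.queue and len(taken) < count:
            taken.append(self.queue.popleft())
        return taken


def proxy_fetch(center: TaskSchedulingCenter, params: LoadParameters):
    """What a proxy node does when about to acquire tasks: measure its load,
    consult the table, then pull at most that many tasks from the queue."""
    return center.acquire(tasks_to_acquire(load_value(params)))


if __name__ == "__main__":
    center = TaskSchedulingCenter(f"task-{i}" for i in range(5))
    print(proxy_fetch(center, LoadParameters(0.2, 0.3, 1)))   # idle node: 4 tasks
    print(proxy_fetch(center, LoadParameters(0.9, 0.8, 9)))   # saturated node: []
```

The point of the table lookup is that a node under pressure backs off on its own, so a burst of issued tasks spreads across idle proxies instead of piling onto one; the ranges and counts are a tuning decision for the deployment, not fixed by the method.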
- In the disclosed embodiment, after obtaining the scan task for the target host, the proxy node may execute the acquired scan task through a scan interface provided in advance by the target host. During the execution of the scan task, possible vulnerabilities with respect to the host service may be detected on the target host. When the execution of the scan task is completed, a scan result may be summarized based on the vulnerability information obtained through the scanning. The scan result may be fed back to the server by the proxy node.
- S15: receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, where the scan subtask is acquired by the proxy node from the task scheduling center and executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
- In the disclosed embodiment, a server may receive the scan result fed back by the proxy node. The scan result is a result of a preliminary scanning of the host service. The above-noted scan task may be a shallow scan of a host service that may have a vulnerability; for some important host services, such a shallow scan does not go on to perform any detailed scanning. Accordingly, in the disclosed embodiment, the scan tasks may be issued multiple times, each round scanning deeper than the last. Specifically, the server may determine whether a specified host service exists in the identified host service. The specified host service may signify an existence of a website resource running on the target host. Since websites are usually accessed by a large number of users, a specified host service within the website resource may be a relatively important service on the target host and may be a service that is easily attacked. For example, the specified host service may be an HTTP service. In real applications, when it is detected that the HTTP service is enabled on the target host, the server may again create a scan subtask for the HTTP service. This scan subtask may execute additional scanning for the website resource.
- In some embodiments, the server may collect the page address associated with the website resource when an HTTP service is detected to exist on the target host. The page address may be a page Uniform Resource Locator (URL) existing on the website. After the page address associated with the website resource is collected, a page application scan task corresponding to the page address may be created. The page application scan task may scan for possible vulnerabilities on a page of the website. Compared to the above-noted scan tasks for general host services on the target host, a page application scan task may execute vulnerability scanning more finely for a page of the website associated with the HTTP service. In this way, in the disclosed embodiment, the scan subtask created by the server may be a page application scan task.
- In the disclosed embodiment, after creating a page application scan task, the server may again issue the page application scan task to the task scheduling center. In this way, the proxy node may continue to acquire at least one page application scan task from the task scheduling center. A corresponding scan result for the page may be obtained after the proxy node executes the at least one page application scan task for the target host. This scan result may also be fed back to the server.
- In some embodiments, a plurality of page components may be included in a webpage. The page components may be identified by a web fingerprint. Specifically, after collecting the page address, a web fingerprint of the page address may be further identified. In real applications, the web fingerprint corresponding to the page address may be identified by the keywords in the webpage, MD5 code of a specified file, keywords in the page address, or the TAG mode of the page address. After identifying the web fingerprint, the server may match the identified web fingerprint with the preset fingerprint database, so as to determine whether the identified web fingerprint is the specified web fingerprint existing in the preset fingerprint database. It is very likely that a page component signified by a specified web fingerprint has a vulnerability. Therefore, in the disclosed embodiment, when it is determined that the identified web fingerprint is a specified web fingerprint existing in the preset fingerprint database, vulnerability scanning may be further executed for the page component corresponding to the web fingerprint.
- Specifically, in the disclosed embodiment, the server may create a page component scan task, and the page component scan task may be configured to scan a page component included in the webpage corresponding to the page address. After creating the page component scan task, the server may again issue the created page component scan task to the task scheduling center, so that the proxy node obtains at least one page component scan task from the task scheduling center. In this way, after the proxy node executes the at least one page component scan task for the target host, a page component scan result corresponding to the target host may be obtained.
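The three rounds of issuance described from S11 through the page component scan task, carried through as an added example (not code from the patent). The vulnerability database, the set of specified host services, the fingerprint database, the constructed website, and the `crawl` and `fetch` callables are all assumptions; the example shows how each later round is derived only from what the earlier round identified, which is the property the text contrasts with pre-customized scanning content.

```python
"""Model of the server's multi-round task issuance (S11 -> S15).

Added example, not code from the patent. VULN_DB, SPECIFIED_HOST_SERVICES,
FINGERPRINT_DB, CONSTRUCTED_SITE and the crawl/fetch helpers are assumptions.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanTask:
    kind: str    # "host_service", "page_application" or "page_component"
    host: str
    detail: str  # vulnerability type, page URL, or "URL#component"


# Assumed preset vulnerability database: host service -> vulnerability type.
VULN_DB = {"ssh": "weak-credentials", "http": "web-server-misconfig",
           "mysql": "exposed-database"}
# Services whose presence signifies a website resource (the text's example is HTTP).
SPECIFIED_HOST_SERVICES = {"http", "https"}
# Assumed preset fingerprint database: (method, value) -> page component.
FINGERPRINT_DB = {
    ("keyword", "Powered by ExampleCMS"): "ExampleCMS",
    ("file_md5", hashlib.md5(b"example-plugin readme").hexdigest()): "example-plugin",
}

# Constructed website standing in for the target host's web resource.
CONSTRUCTED_SITE = {
    "http://target.example/": {
        "body": "<html><body>Powered by ExampleCMS</body></html>", "files": {}},
    "http://target.example/plugin/": {
        "body": "<html><body>plugin page</body></html>",
        "files": {"readme.txt": b"example-plugin readme"}},
}


def crawl(host):
    """Constructed page-address collection: return the site's page URLs."""
    return list(CONSTRUCTED_SITE)


def fetch(url):
    """Constructed page retrieval."""
    return CONSTRUCTED_SITE[url]


def create_host_service_tasks(host, services):
    """S11: only services with a matching vulnerability type get a task."""
    return [ScanTask("host_service", host, VULN_DB[s])
            for s in services if s in VULN_DB]


def identify_web_fingerprints(page):
    """Fingerprint a page by keywords in its body and the MD5 of its files."""
    found = {("keyword", kw) for (method, kw) in FINGERPRINT_DB
             if method == "keyword" and kw in page["body"]}
    found |= {("file_md5", hashlib.md5(data).hexdigest())
              for data in page["files"].values()}
    return found


def match_fingerprints(found):
    """Components whose fingerprint exists in the preset database."""
    return sorted(FINGERPRINT_DB[f] for f in found if f in FINGERPRINT_DB)


def issue_scan_rounds(host, identified_services):
    """Return every task the server issues, in issuance order.

    Round 1 covers host services; round 2 (once the scan result is back and
    a specified host service is present) covers page applications; round 3
    covers page components whose fingerprint matched the database.
    """
    issued = create_host_service_tasks(host, identified_services)
    if not SPECIFIED_HOST_SERVICES & set(identified_services):
        return issued
    for url in crawl(host):
        issued.append(ScanTask("page_application", host, url))
        for component in match_fingerprints(identify_web_fingerprints(fetch(url))):
            issued.append(ScanTask("page_component", host, f"{url}#{component}"))
    return issued


if __name__ == "__main__":
    for task in issue_scan_rounds("target.example", ["ssh", "http", "ftp"]):
        print(task)
```

A host that runs only SSH gets a single round; a host that also serves HTTP gets page application tasks for each collected address and component tasks only where the fingerprint matched, so the task count grows with what was actually found rather than with a fixed template.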
- As can be seen from the above, when executing vulnerability scanning on the target host, the scan tasks may be issued multiple times. Each time, the issued scan task is determined based on the identification of a service, a website, or a component on the host. Not only may the host be scanned for vulnerabilities; a website on the host, and a webpage component within it, may be scanned as well. As the scan tasks are issued multiple times, the scanning process for the target host becomes finer and finer. Different from the scanning methods using customized content in the existing technologies, the technical solutions of the present disclosure may issue different scan tasks for different hosts, and the scanning depth also deepens as the number of scanning rounds increases, thereby achieving comprehensive and accurate vulnerability scanning.
- In real applications, due to different operators, the network environments where hosts are located may vary greatly. In the existing technologies, when a host is scanned, it is very likely that communication with the to-be-scanned host cannot be established for network reasons, or that the communication is slow. In view of this, in the disclosed embodiment, a matching proxy node may be selectively employed to execute a scan task based on the network environment where the target host is located. Specifically, when a target host needs to be scanned, the network environment where the target host is located may be identified. For example, the operator corresponding to the network currently utilized by the target host may be identified, and the current geographical location of the target host may also be determined. Subsequently, a target proxy node that matches the identified network environment may be determined. For example, the determined target proxy node may be on the same network as the operator of the target host, and the target proxy node is relatively close to the target host. In an actual application scenario, the target proxy node that matches the target host may be selected by means of a content delivery network. In this way, a scan task may be subsequently acquired from the task scheduling center by the target proxy node, and the acquired scan task is executed by the target proxy node for the target host. Because the proxy node shares the target host's network environment, a good communication connection can be maintained, so that the problem of low scanning efficiency due to differences in network environment may be avoided.
- In some embodiments, after selecting a proxy node that matches the network environment where the target host is located to execute the scan task and obtain the scan result, in order to improve the upload efficiency of the scan result, a transmission path for feeding back the scan result may be purposely selected in the content delivery network. The network environment where each proxy node is located in the transmission path may match the network environment where the target host is located. In this way, the server may identify the network environment where the target host is located, and receive and identify the scan result reported by the proxy node that matches the identified network environment.
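The proxy selection by network environment described in the two paragraphs above, as an added example that is not code from the patent. The operator names, the coordinates, the "same operator first, then geographically nearest" rule, and the check that every hop of a feedback path matches the target's environment are assumptions standing in for the content-delivery-network based selection the text mentions.

```python
"""Selecting a target proxy node that matches the target host's network
environment (operator plus geographical location), and checking a feedback
path against that environment.

Added example, not code from the patent; PROXY_NODES, the operator names
and the selection rule are assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkEnvironment:
    operator: str   # network operator (carrier) of the host or proxy
    lat: float      # latitude in degrees
    lon: float      # longitude in degrees


@dataclass(frozen=True)
class ProxyNode:
    name: str
    env: NetworkEnvironment


# Constructed proxy nodes; names and coordinates are assumptions.
PROXY_NODES = [
    ProxyNode("telecom-shanghai", NetworkEnvironment("ExampleTelecom", 31.23, 121.47)),
    ProxyNode("telecom-beijing", NetworkEnvironment("ExampleTelecom", 39.90, 116.40)),
    ProxyNode("unicom-beijing", NetworkEnvironment("ExampleUnicom", 39.90, 116.40)),
]


def distance_km(a: NetworkEnvironment, b: NetworkEnvironment) -> float:
    """Great-circle distance (haversine) between two environments."""
    radius = 6371.0
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = math.radians(b.lat - a.lat)
    dlam = math.radians(b.lon - a.lon)
    h = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * radius * math.asin(math.sqrt(h))


def select_target_proxy(target: NetworkEnvironment, proxies) -> ProxyNode:
    """Prefer proxies on the target's operator network; among those pick the
    geographically closest. Fall back to the closest proxy overall so a scan
    is never left without an executor."""
    if not proxies:
        raise ValueError("no proxy nodes registered")
    same_operator = [p for p in proxies if p.env.operator == target.operator]
    pool = same_operator or list(proxies)
    return min(pool, key=lambda p: distance_km(p.env, target))


def path_matches_environment(target: NetworkEnvironment, path) -> bool:
    """True when every proxy on the scan-result feedback path is on the
    target host's operator network (assumed reading of the path selection)."""
    return bool(path) and all(p.env.operator == target.operator for p in path)


if __name__ == "__main__":
    tianjin_host = NetworkEnvironment("ExampleTelecom", 39.08, 117.20)
    print(select_target_proxy(tianjin_host, PROXY_NODES).name)   # telecom-beijing
```

The fallback branch matters operationally: a target on an operator with no matching proxy still gets scanned, just without the latency benefit, and that case is worth logging so the proxy fleet can be extended.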
- In some embodiments, some ports on the target host may present a serious vulnerability. If no access control measures are set on these ports and the ports are opened directly, data leakage from the target host may occur. Therefore, in the disclosed embodiment, a specified port of the target host may be scanned periodically at a specified interval. The specified port may be one of the above-noted ports that requires access control measures. When the scan result indicates that the specified port has no access control measures, the specified port may lead to data leakage. In this situation, a warning message may be generated for the specified port to remind the administrator of the target host to take corresponding action in time, or new matching access control measures may be added based on the scan result.
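The periodic port check above, as an added example (not code from the patent). The list of specified ports, the shape of a port scan result, the warning text, the placeholder allow list in the suggested measure, and the injected clock used for the interval are all assumptions; the example shows the evaluation a server would run over each round's result and the interval logic that decides when the next round is due.

```python
"""Periodic access-control check on specified ports (illustrative model).

Added example, not code from the patent. SPECIFIED_PORTS, PortScanResult,
CONSTRUCTED_RESULTS and the suggested measure are assumptions; the interval
logic takes an injected clock so it can be exercised without waiting.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class PortScanResult:
    port: int
    is_open: bool
    has_access_control: bool  # e.g. authentication required or source-restricted


# Assumed list of specified ports that must not be open without access control
# (well-known default ports of data stores that leak data when exposed).
SPECIFIED_PORTS = {3306: "MySQL", 6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB"}


def _unprotected(results):
    return [r for r in results
            if r.port in SPECIFIED_PORTS and r.is_open and not r.has_access_control]


def evaluate_port_scan(host, results):
    """One warning per specified port found open without access control."""
    return [f"{host}: port {r.port} ({SPECIFIED_PORTS[r.port]}) is open "
            f"without access control; possible data leakage"
            for r in _unprotected(results)]


def suggest_access_control(results):
    """Matching measure per flagged port: restrict it to an administrator-
    defined allow list. The allow list value is a placeholder."""
    return {r.port: {"action": "restrict", "allow_from": "<ADMIN_NETWORK_PLACEHOLDER>"}
            for r in _unprotected(results)}


class PeriodicCheck:
    """Decides whether a scheduled scan of the specified ports is due."""

    def __init__(self, interval_seconds, clock=time.monotonic):
        self.interval = interval_seconds
        self.clock = clock
        self.last_run = None

    def due(self) -> bool:
        now = self.clock()
        if self.last_run is None or now - self.last_run >= self.interval:
            self.last_run = now
            return True
        return False


# Constructed scan result for one host.
CONSTRUCTED_RESULTS = [
    PortScanResult(22, True, True),       # SSH: not a specified port here
    PortScanResult(3306, True, False),    # MySQL open to everyone: flagged
    PortScanResult(6379, True, True),     # Redis with AUTH / bind restriction: fine
    PortScanResult(27017, False, False),  # MongoDB closed: fine
]


if __name__ == "__main__":
    check = PeriodicCheck(interval_seconds=3600)
    if check.due():
        for line in evaluate_port_scan("host-a", CONSTRUCTED_RESULTS):
            print(line)
        print(suggest_access_control(CONSTRUCTED_RESULTS))
```

Keeping the evaluation separate from the scheduler lets the same check run both on the periodic timer and on demand after a configuration change, and the suggested measure is data the administrator reviews rather than something applied automatically.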
- In some embodiments, a scan task may also be flexibly configured on the server side. Specifically, various scan parameters for executing a scan task may be customized on the server side. The scan parameters may be, for example, a defined scan depth, the number of scanning rounds, and the like. In this way, the scan parameters may define a scanning mode corresponding to the scan task. Subsequently, when a proxy node executes the scan task, it executes the scan task according to the scan mode defined by the scan parameters. The purpose of this process is to flexibly configure a vulnerability scanning process based on the requirements of users.
- Referring to FIG. 4, the present disclosure further provides a server. The server comprises a memory and a processor, where the memory stores computer programs that, when executed by the processor, implement the following steps:
- S11: identifying a host service running on a target host and creating a scan task that matches the identified host service;
- S13: issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, where the proxy node executes the at least one scan task for the target host, and obtains a scan result; and
- S15: receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, where the scan subtask is acquired by the proxy node from the task scheduling center and executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
- In some embodiments, the computer programs, when executed by the processor, further implement the following steps:
- collecting a page address associated with the website resource, and creating a page application scan task corresponding to the page address; and
- issuing again the created page application scan task to the task scheduling center, to allow the proxy node to acquire at least one page application scan task from the task scheduling center, where the proxy node executes the at least one page application scan task for the target host, and obtains a scan result corresponding to the page address.
- In some embodiments, the computer programs, when executed by the processor, further implement the following steps:
- identifying a web fingerprint of the page address, matching the web fingerprint with a preset fingerprint database, and if the web fingerprint is a specified web fingerprint existing in the preset fingerprint database, creating a page component scan task; and
- issuing again the created page component scan task to the task scheduling center, to allow the proxy node to acquire at least one page component scan task from the task scheduling center, where the proxy node executes the at least one page component scan task for the target host, and obtains a page component scan result corresponding to the target host.
- Referring to FIG. 1 and FIG. 5, the present disclosure further provides a vulnerability scanning system. The system comprises a server, a task scheduling center, and a proxy node, where:
- the server is configured to identify a host service running on a target host, create a scan task that matches the identified host service, issue the created scan task to a task scheduling center, determine whether there exists a specified host service in the identified host service, where the specified host service signifies an existence of a website resource running on the target host, if there exists the specified host service in the identified host service, issue again a scan subtask corresponding to the specified host service to the task scheduling center, and receive a scan result fed back by the proxy node;
- the task scheduling center is configured to receive the scan task or scan subtask issued by the server, and place the received scan task or scan subtask in a task queue; and
- the proxy node is configured to acquire at least one scan task or scan subtask from the task scheduling center, execute the at least one scan task or scan subtask for the target host to obtain a scan result, and feed back the obtained scan result to the server.
- In the disclosed embodiment, there may be multiple proxy nodes, each of which may be connected to the task scheduling center. Some of the proxy nodes may acquire different scan tasks for the same host, and these proxy nodes may execute the acquired scan tasks in parallel, thereby improving the efficiency of vulnerability scanning.
- In some embodiments, the server is further configured to collect a page address associated with the website resource, create a page application scan task corresponding to the page address, and issue again the created page application scan task to the task scheduling center.
- In some embodiments, after collecting the page address associated with the website resource, the server is further configured to identify a web fingerprint of the page address, and match the web fingerprint with a preset fingerprint database. If the web fingerprint is a specified web fingerprint existing in the preset fingerprint database, the server creates a page component scan task, and issues again the created page component scan task to the task scheduling center.
- In some embodiments, the server is further configured to identify a network environment where the target host is located, and determine a target proxy node that matches the identified network environment, so as to acquire a scan task or scan subtask from the task scheduling center through the target proxy node. Further, the target proxy node executes the acquired scan task or scan subtask for the target host.
- In some embodiments, the proxy node further includes an address lookup module, and the address lookup module is configured to determine a target proxy node that matches a network environment where the target host is located and report the scan result through the determined target proxy node to the server.
- In some embodiments, the proxy node further includes a load balancing module, and the load balancing module is configured to obtain current load parameters of the proxy node, and determine the number of scan tasks or scan subtasks that are expected to be acquired from the task scheduling center based on the load parameters. Specifically, the proxy node may selectively acquire a scan task from the task scheduling center based on its instant load status. The load balancing module may acquire the instant load parameters of the proxy node when the proxy node is about to acquire a scan task from the task scheduling center. The load parameters may include, for example, the instant CPU usage of the proxy node, the memory usage, the number of processing scan tasks, and the like. The load balancing module may comprehensively calculate the current load value of the proxy node based on the load parameters. The higher the load value, the lower the proxy node's ability to handle scan tasks. In this way, the load balancing module may determine the number of scan tasks expected to be acquired from the task scheduling center based on the instant load value of the proxy node. Specifically, the load balancing module may store in advance a mapping relationship table between load values and the number of tasks. In the mapping relationship table, the load values may be divided into ranges, and the number of tasks corresponding to each range may be obtained. In this way, after the instant load value of the proxy node is determined, the number of scan tasks expected to be acquired may be determined through the mapping relationship table.
- Referring to FIG. 6, in the present disclosure, the technical solutions of the disclosed embodiments may be applied to a computer terminal 10 shown in FIG. 6. The computer terminal 10 may include one or more (only one is shown in the figure) processors 102 (a processor 102 may include, but is not limited to, a processing device such as a micro-controller MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission device 106 for communication purposes. Persons of ordinary skill in the art may understand that the structure shown in FIG. 6 is provided by way of illustration, but not by way of limitation of the structures of the above-described electronic devices. For example, the computer terminal 10 may also include more or fewer components than those shown in FIG. 6, or have a different configuration than that shown in FIG. 6.
- The memory 104 may be used to store software programs and modules of application software. The processor 102 implements various functional applications and data processing by executing software programs and modules stored in the memory 104. The memory 104 may include a high-speed random access memory, and a non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some applications, the memory 104 may further include a memory remotely disposed with respect to the processor 102, which may be connected to the computer terminal 10 through a network. Examples of such a network may include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
- The transmission device 106 is configured to receive or transmit data via the network. The aforementioned specific examples of the network may include a wireless network provided by the communication provider of the computer terminal 10. In one application, the transmission device 106 includes a network interface controller (NIC). The transmission device 106 may be connected to other network devices through the base stations, so as to communicate with the Internet. In another application, the transmission device 106 may be a Radio Frequency (RF) module that is configured to communicate with the Internet via a wireless approach.
- As can be seen from the above, the technical solutions provided by the present disclosure may issue scan tasks multiple times when executing vulnerability scanning on a target host, and each issued scan task is determined based on an identification of a host service, a website, or a component on the host. Specifically, when a host service is identified on the target host, the server may issue a scan task corresponding to the host service to the task scheduling center. If the identified host service contains a specified host service that signifies a website resource, the server may issue again a scan subtask for the specified host service. Compared to the previously issued scan task, the scan subtask may scan possible vulnerabilities in the specified host service more comprehensively. After issuing the scan subtask for the specified host service that signifies the website resource, a page address associated with the website resource may also continue to be collected. For the collected page address, the server may further issue a page application scan task, so that possible vulnerabilities in a page of the website may be further scanned. Further, a web fingerprint corresponding to the collected page address may be identified.
By matching the web fingerprint with the preset fingerprint database, it may be determined whether a specified page component exists in the page of the website. If there exists the specified page component, the server may further issue a page component scan task, so that the specified page component with possible vulnerabilities can be scanned. As can be seen from the above, the technical solutions provided by the present disclosure generate the corresponding scan tasks each time based on the results identified from the host, and issue the scan tasks multiple times, so that the target host can be scanned progressively deeper at each stage. In addition, the technical solutions provided by the present disclosure may not only scan the host, but also scan the websites that are operated and maintained on the host, so that a more comprehensive scanning process can be achieved. In terms of system architecture, by adopting a distributed scanning mode of the server and proxy nodes, a mode of multiple proxy nodes scanning in parallel may be employed to improve the efficiency of vulnerability scanning. Therefore, the technical solutions provided by the present disclosure may improve not only the accuracy of vulnerability scanning, but also its efficiency.
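The staged issuance summarised above, together with the load-aware task acquisition of the load balancing module described earlier, as an added example that is not the patent's or the applicant's own code: a Python model in which the server issues scan tasks, the task scheduling center queues them, and a single simulated proxy node pulls a load-dependent batch and feeds back prepared results. The vulnerability database, fingerprint database, load weighting and range table, host name, page addresses and scan results are all constructed assumptions of this example; no actual scanning is performed.

```python
"""Staged scan-task issuance with a load-aware proxy node, modelled on the
server / task scheduling center / proxy node flow of the disclosure.
Added example, not the patent's own code: every database, table, host name
and scan result below is a constructed stand-in so the flow runs offline."""
from collections import deque
from dataclasses import dataclass, field

# Constructed "preset vulnerability database": host service -> vulnerability types.
VULN_DB = {
    "ssh": ["weak-cipher-suite", "password-auth-enabled"],
    "http": ["directory-listing", "outdated-server-banner"],
    "mysql": ["anonymous-login"],
}
# Host services that signify a website resource (the "specified host service").
WEB_SERVICES = {"http", "https"}
# Constructed "preset fingerprint database": web fingerprint -> page component.
FINGERPRINT_DB = {"X-Powered-By: ExampleCMS/2.1": "examplecms-2.1"}
# Constructed mapping table of the load balancing module: [lo, hi) -> tasks to pull.
LOAD_TABLE = [(0.0, 0.3, 4), (0.3, 0.6, 2), (0.6, 0.85, 1), (0.85, 1.01, 0)]


@dataclass
class ScanTask:
    kind: str    # host_service | web_subtask | page_app | page_component
    host: str
    target: str  # service name, page address or component name
    checks: list = field(default_factory=list)


class TaskSchedulingCenter:
    """FIFO task queue fed by the server and drained by proxy nodes."""
    def __init__(self):
        self.queue = deque()

    def issue(self, tasks):
        self.queue.extend(tasks)

    def acquire(self, n):
        return [self.queue.popleft() for _ in range(min(n, len(self.queue)))]


def load_value(cpu_pct, mem_pct, running_tasks, max_tasks=8):
    """Combine a node's instant load parameters into one value in [0, 1].
    The 0.4 / 0.3 / 0.3 weighting is an assumption of this example."""
    task_ratio = min(running_tasks / max_tasks, 1.0)
    return round(0.4 * cpu_pct / 100 + 0.3 * mem_pct / 100 + 0.3 * task_ratio, 3)


def tasks_to_acquire(load):
    """Range lookup: how many tasks a node at this load should pull."""
    for lo, hi, n in LOAD_TABLE:
        if lo <= load < hi:
            return n
    return 0


def server_plan(host, identified_services):
    """First issuance: one scan task per identified host service."""
    return [ScanTask("host_service", host, svc, VULN_DB.get(svc, []))
            for svc in identified_services]


def server_followup(task, result):
    """Decide what the server issues *again* after a fed-back result."""
    if task.kind == "host_service" and task.target in WEB_SERVICES:
        # Specified host service found: deeper scan subtask for the website.
        return [ScanTask("web_subtask", task.host, task.target, ["web-server-vulns"])]
    if task.kind == "web_subtask":
        # Page addresses collected from the site: one page application task each.
        return [ScanTask("page_app", task.host, addr, ["injection", "xss"])
                for addr in result.get("pages", [])]
    if task.kind == "page_app":
        # Fingerprint matched in the database: page component scan task.
        comp = FINGERPRINT_DB.get(result.get("fingerprint"))
        return [ScanTask("page_component", task.host, comp, ["component-cves"])] if comp else []
    return []


# Constructed results the proxy node feeds back, keyed by (kind, target).
SAMPLE_RESULTS = {
    ("web_subtask", "http"): {"pages": ["http://host-a.example/login",
                                         "http://host-a.example/admin"]},
    ("page_app", "http://host-a.example/admin"): {"fingerprint": "X-Powered-By: ExampleCMS/2.1"},
}


def run_scan(host, services, proxy_load=(20, 35, 0), results=SAMPLE_RESULTS):
    """Run the staged scan to completion.  proxy_load is (cpu %, mem %, running
    tasks); returns the executed tasks in order and the acquisition rounds used."""
    center = TaskSchedulingCenter()
    center.issue(server_plan(host, services))
    executed, rounds = [], 0
    while center.queue:
        rounds += 1
        batch = center.acquire(tasks_to_acquire(load_value(*proxy_load)))
        if not batch:
            break  # node reports itself overloaded: pulls nothing this round
        for task in batch:
            executed.append(task)
            center.issue(server_followup(task, results.get((task.kind, task.target), {})))
    return executed, rounds
```

Running `run_scan("host-a.example", ["ssh", "http", "mysql"])` yields seven tasks over four rounds: three host-service tasks, the web subtask, two page application tasks and one page component task, each issued only after the previous stage's result came back.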
- Through the foregoing description of the disclosed embodiments, it is clear to those skilled in the art that the various embodiments may be implemented in the form of software with a necessary general hardware platform, or implemented in the form of hardware. In light of this understanding, the above technical solutions, or essentially the parts that contribute to the existing technologies, may take the form of software products. The computer software products may be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk, or an optical disc, that includes a set of instructions to direct a computing device (may be a personal computer, a server, or a network device, etc.) to implement each disclosed embodiment or part of the described methods of the disclosed embodiments.
- Although the present disclosure has been described above with reference to some preferred embodiments, these embodiments should not be construed as limiting the present disclosure. Any modifications, equivalent replacements, and improvements made without departing from the spirit and principle of the present disclosure shall fall within the scope of the protection of the present disclosure.
Claims (17)
1. A vulnerability scanning method, comprising:
identifying a host service running on a target host and creating a scan task that matches the identified host service;
issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, wherein the proxy node executes the at least one scan task for the target host, and obtains a scan result; and
receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, wherein the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, wherein the scan subtask is acquired by the proxy node from the task scheduling center and executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
2. The method according to claim 1, wherein creating the scan task that matches the identified host service includes:
searching a preset vulnerability database for a type of vulnerability that matches the identified host service; and
creating a scan task for the type of vulnerability, and setting the created scan task as the scan task that matches the identified host service.
3. The method according to claim 1, wherein the scan subtask includes a page application scan task, and issuing again the scan subtask corresponding to the specified host service to the task scheduling center includes:
collecting a page address associated with the website resource, and creating the page application scan task corresponding to the page address; and
issuing again the created page application scan task to the task scheduling center, to allow the proxy node to acquire at least one page application scan task from the task scheduling center, wherein the proxy node executes the at least one page application scan task for the target host, and obtains a scan result corresponding to the page address.
4. The method according to claim 3, after collecting the page address associated with the website resource, the method further includes:
identifying a web fingerprint of the page address, matching the web fingerprint with a preset fingerprint database, and if the web fingerprint is a specified web fingerprint existing in the preset fingerprint database, creating a page component scan task; and
issuing again the created page component scan task to the task scheduling center, to allow the proxy node to acquire at least one page component scan task from the task scheduling center, wherein the proxy node executes the at least one page component scan task for the target host, and obtains a page component scan result corresponding to the target host.
5. The method according to claim 1, further comprising:
identifying a network environment where the target host is located, and determining a target proxy node that matches the identified network environment; and
acquiring the scan task from the task scheduling center through the target proxy node, and executing the acquired scan task for the target host by the target proxy node.
6. The method according to claim 1, wherein receiving the scan result fed back by the proxy node includes:
identifying a network environment where the target host is located, and receiving the scan result reported by a proxy node that matches the identified network environment.
7. The method according to claim 1, further comprising:
periodically scanning a specified port of the target host according to a specified time interval, and when the scan result indicates that the specified port does not have access control measures, generating a warning message for the specified port.
8. The method according to claim 1, wherein the scan task includes scan parameters, and the scan parameters are used to define a scan mode corresponding to the scan task, and the proxy node executes the scan task according to the scan mode defined by the scan parameters.
9. A server, comprising a memory and a processor, wherein the memory stores computer programs that, when executed by the processor, implement the following steps:
identifying a host service running on a target host and creating a scan task that matches the identified host service;
issuing the created scan task to a task scheduling center, to allow a proxy node to acquire at least one scan task from the task scheduling center, wherein the proxy node executes the at least one scan task for the target host, and obtains a scan result; and
receiving the scan result fed back by the proxy node, determining whether there exists a specified host service in the identified host service, wherein the specified host service signifies an existence of a website resource running on the target host, and if there exists the specified host service in the identified host service, issuing again a scan subtask corresponding to the specified host service to the task scheduling center, wherein the scan subtask is acquired by the proxy node from the task scheduling center and executed for the target host to obtain a scan result corresponding to the specified host service on the target host.
10. The server according to claim 9, wherein the computer programs, when executed by the processor, further implement the following steps:
collecting a page address associated with the website resource, and creating a page application scan task corresponding to the page address; and
issuing again the created page application scan task to the task scheduling center, to allow the proxy node to acquire at least one page application scan task from the task scheduling center, wherein the proxy node executes the at least one page application scan task for the target host, and obtains a scan result corresponding to the page address.
11. The server according to claim 10, wherein the computer programs, when executed by the processor, further implement the following steps:
identifying a web fingerprint of the page address, matching the web fingerprint with a preset fingerprint database, and if the web fingerprint is a specified web fingerprint existing in the preset fingerprint database, creating a page component scan task; and
issuing again the created page component scan task to the task scheduling center, to allow the proxy node to acquire at least one page component scan task from the task scheduling center, wherein the proxy node executes the at least one page component scan task for the target host, and obtains a page component scan result corresponding to the target host.
12. A vulnerability scanning system, comprising a server, a task scheduling center, and a proxy node, wherein:
the server is configured to identify a host service running on a target host, create a scan task that matches the identified host service, issue the created scan task to a task scheduling center, determine whether there exists a specified host service in the identified host service, wherein the specified host service signifies an existence of a website resource running on the target host, if there exists the specified host service in the identified host service, issue again a scan subtask corresponding to the specified host service to the task scheduling center, and receive a scan result fed back by the proxy node;
the task scheduling center is configured to receive the scan task or scan subtask issued by the server, and place the received scan task or scan subtask in a task queue; and
the proxy node is configured to acquire at least one scan task or scan subtask from the task scheduling center, execute the at least one scan task or scan subtask for the target host to obtain a scan result, and feed back the obtained scan result to the server.
13. The system according to claim 12, wherein the server is further configured to collect a page address associated with the website resource, create a page application scan task corresponding to the page address, and issue again the created page application scan task to the task scheduling center.
14. The system according to claim 13, after collecting the page address associated with the website resource, the server is further configured to identify a web fingerprint of the page address, match the web fingerprint with a preset fingerprint database, if the web fingerprint is a specified web fingerprint existing in the preset fingerprint database, create a page component scan task, and issue again the created page component scan task to the task scheduling center.
15. The system according to claim 12, wherein the server is further configured to identify a network environment where the target host is located, and determine a target proxy node that matches the identified network environment, so as to acquire a scan task or scan subtask from the task scheduling center through the target proxy node, wherein the acquired scan task or scan subtask is executed by the target proxy node for the target host.
16. The system according to claim 12, wherein the proxy node further includes an address lookup module, and the address lookup module is configured to determine a target proxy node that matches a network environment where the target host is located and report the scan result through the determined target proxy node to the server.
17. The system according to claim 12, wherein the proxy node further includes a load balancing module, and the load balancing module is configured to acquire current load parameters of the proxy node, and determine the number of scan tasks or scan subtasks that are expected to be acquired from the task scheduling center based on the load parameters.
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810124877.X | 2018-02-07 | ||
CN201810124877X | 2018-02-07 | ||
CN201810124877.XA CN108282489B (en) | 2018-02-07 | 2018-02-07 | vulnerability scanning method, server and system |
PCT/CN2018/077557 WO2019153384A1 (en) | 2018-02-07 | 2018-02-28 | Vulnerability scanning method and system, and server |
Publications (2)
Publication Number | Publication Date |
---|---|
US11070580B1 US11070580B1 (en) | 2021-07-20 |
US20210226979A1 true US20210226979A1 (en) | 2021-07-22 |
Family
ID=62807910
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/099,815 Active 2039-07-16 US11070580B1 (en) | 2018-02-07 | 2018-02-28 | Vulnerability scanning method, server and system |
Country Status (4)
Country | Link |
---|---|
US (1) | US11070580B1 (en) |
EP (1) | EP3751811A4 (en) |
CN (1) | CN108282489B (en) |
WO (1) | WO2019153384A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
NL2026468A (en) * | 2019-12-19 | 2021-08-11 | Group Ib Tds Ltd | Method and system for determining network vulnerabilities |
Families Citing this family (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
RU2676247C1 (en) | 2018-01-17 | 2018-12-26 | Общество С Ограниченной Ответственностью "Группа Айби" | Web resources clustering method and computer device |
RU2681699C1 (en) | 2018-02-13 | 2019-03-12 | Общество с ограниченной ответственностью "Траст" | Method and server for searching related network resources |
CN108810025A (en) * | 2018-07-19 | 2018-11-13 | 平安科技(深圳)有限公司 | A kind of security assessment method of darknet, server and computer-readable medium |
CN109347892B (en) * | 2018-08-03 | 2021-09-03 | 奇安信科技集团股份有限公司 | Internet industrial asset scanning processing method and device |
CN109327471B (en) * | 2018-11-29 | 2021-07-13 | 广东电网有限责任公司信息中心 | Vulnerability discovery and emergency verification implementation method |
CN109981653B (en) * | 2019-03-28 | 2021-07-23 | 上海中通吉网络技术有限公司 | Web vulnerability scanning method |
CN110309667B (en) * | 2019-04-16 | 2022-08-30 | 网宿科技股份有限公司 | Website hidden link detection method and device |
CN111580946A (en) * | 2020-04-28 | 2020-08-25 | 北京达佳互联信息技术有限公司 | Port scanning method, device, equipment and storage medium |
CN111786947B (en) * | 2020-05-18 | 2021-10-29 | 北京邮电大学 | Attack graph generation method and device, electronic equipment and storage medium |
CN112115457B (en) * | 2020-08-24 | 2022-08-05 | 国网福建省电力有限公司 | Power terminal access method and system |
CN112839047B (en) * | 2021-01-15 | 2023-03-21 | 杭州安恒信息技术股份有限公司 | Asset vulnerability scanning method, device, equipment and medium on cloud platform |
US11822672B1 (en) * | 2021-02-04 | 2023-11-21 | Cisco Technology, Inc. | Systems and methods for scanning images for vulnerabilities |
NL2030861B1 (en) | 2021-06-01 | 2023-03-14 | Trust Ltd | System and method for external monitoring a cyberattack surface |
RU2769075C1 (en) | 2021-06-10 | 2022-03-28 | Общество с ограниченной ответственностью "Группа АйБи ТДС" | System and method for active detection of malicious network resources |
CN113672934A (en) * | 2021-08-09 | 2021-11-19 | 中汽创智科技有限公司 | Security vulnerability scanning system and method, terminal and storage medium |
CN114900341B (en) * | 2022-04-24 | 2023-11-03 | 京东科技信息技术有限公司 | Scanning detection method, device, system, equipment and medium in hybrid cloud environment |
Family Cites Families (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7243148B2 (en) * | 2002-01-15 | 2007-07-10 | Mcafee, Inc. | System and method for network vulnerability detection and reporting |
US7398399B2 (en) * | 2003-12-12 | 2008-07-08 | International Business Machines Corporation | Apparatus, methods and computer programs for controlling performance of operations within a data processing system or network |
CN1558605A (en) * | 2004-01-19 | 2004-12-29 | 上海交通大学 | Method for realizing loophole scanning |
CN1870493A (en) * | 2006-06-15 | 2006-11-29 | 北京华景中天信息技术有限公司 | Scanning method for network station leakage |
US7950056B1 (en) * | 2006-06-30 | 2011-05-24 | Symantec Corporation | Behavior based processing of a new version or variant of a previously characterized program |
US9239745B1 (en) * | 2006-09-28 | 2016-01-19 | Whitehat Security, Inc. | Method and apparatus for managing security vulnerability lifecycles |
US20100107257A1 (en) * | 2008-10-29 | 2010-04-29 | International Business Machines Corporation | System, method and program product for detecting presence of malicious software running on a computer system |
US8365290B2 (en) | 2009-05-15 | 2013-01-29 | Frederick Young | Web application vulnerability scanner |
CN101605134B (en) * | 2009-06-30 | 2012-10-17 | 成都市华为赛门铁克科技有限公司 | Method, device and system for network security scanning |
US8776169B2 (en) * | 2010-03-30 | 2014-07-08 | Authentic8, Inc. | Disposable browsers and authentication techniques for a secure online user environment |
US8671182B2 (en) * | 2010-06-22 | 2014-03-11 | Sourcefire, Inc. | System and method for resolving operating system or service identity conflicts |
US9246932B2 (en) * | 2010-07-19 | 2016-01-26 | Sitelock, Llc | Selective website vulnerability and infection testing |
CN102104601B (en) * | 2011-01-14 | 2013-06-12 | 无锡市同威科技有限公司 | Web vulnerability scanning method and device based on infiltration technology |
CN102523218B (en) * | 2011-12-16 | 2015-04-08 | 北京神州绿盟信息安全科技股份有限公司 | Network safety protection method, equipment and system thereof |
US9407653B2 (en) * | 2012-04-10 | 2016-08-02 | Mcafee, Inc. | Unified scan management |
CN103870334B (en) * | 2012-12-18 | 2017-05-31 | 中国移动通信集团公司 | A kind of method for allocating tasks and device of extensive vulnerability scanning |
CN103065095A (en) * | 2013-01-29 | 2013-04-24 | 四川大学 | WEB vulnerability scanning method and vulnerability scanner based on fingerprint recognition technology |
WO2014151061A2 (en) * | 2013-03-15 | 2014-09-25 | Authentic8, Inc. | Secure web container for a secure online user environment |
EP3091465B1 (en) * | 2014-03-13 | 2019-03-06 | Nippon Telegraph and Telephone Corporation | Monitoring device, monitoring method, and monitoring program |
CN104980309B (en) * | 2014-04-11 | 2018-04-20 | 北京奇安信科技有限公司 | website security detection method and device |
CN104392175B (en) * | 2014-11-26 | 2018-05-29 | 华为技术有限公司 | Cloud application attack processing method, apparatus and system in a kind of cloud computing system |
US9606854B2 (en) * | 2015-08-13 | 2017-03-28 | At&T Intellectual Property I, L.P. | Insider attack resistant system and method for cloud services integrity checking |
CN105429955B (en) * | 2015-10-30 | 2018-12-11 | 西安四叶草信息技术有限公司 | A kind of detection method of long-range loophole |
US9977894B2 (en) * | 2015-11-18 | 2018-05-22 | Red Hat, Inc. | Virtual machine malware scanning |
US20190222598A1 (en) * | 2016-11-09 | 2019-07-18 | Dev/Con Detect, Inc. | Digital auditing system and method for detecting unauthorized activities on websites |
RU2638001C1 (en) * | 2017-02-08 | 2017-12-08 | Акционерное общество "Лаборатория Касперского" | System and method of antivirus server productivity reserve part isolation for anti-virus scanning of web-page |
US10630724B2 (en) * | 2017-09-12 | 2020-04-21 | Zscaler, Inc. | Systems and methods for network vulnerability assessment and protection of Wi-fi networks using a cloud-based security system |
US20190222587A1 (en) * | 2018-01-15 | 2019-07-18 | GamaSec Ltd | System and method for detection of attacks in a computer network using deception elements |
US10944770B2 (en) * | 2018-10-25 | 2021-03-09 | EMC IP Holding Company LLC | Protecting against and learning attack vectors on web artifacts |
2018
- 2018-02-07 CN CN201810124877.XA patent/CN108282489B/en active Active
- 2018-02-28 US US16/099,815 patent/US11070580B1/en active Active
- 2018-02-28 WO PCT/CN2018/077557 patent/WO2019153384A1/en unknown
- 2018-02-28 EP EP18871818.3A patent/EP3751811A4/en not_active Withdrawn
Also Published As
Publication number | Publication date |
---|---|
CN108282489A (en) | 2018-07-13 |
EP3751811A1 (en) | 2020-12-16 |
CN108282489B (en) | 2020-01-31 |
WO2019153384A1 (en) | 2019-08-15 |
EP3751811A4 (en) | 2021-03-31 |
US11070580B1 (en) | 2021-07-20 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: WANGSU SCIENCE & TECHNOLOGY CO.,LTD., CHINA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:WANG, HAIHAN;XU, YOUNAN;ZHONG, QIFU;AND OTHERS;SIGNING DATES FROM 20180316 TO 20181015;REEL/FRAME:047451/0691 |
| FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| STCF | Information on status: patent grant | Free format text: PATENTED CASE |