
CN114117448A - Vulnerability information processing method and device - Google Patents


Info

Publication number
CN114117448A
Authority
CN
China
Prior art keywords
vulnerability
information
same
asset
target object
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111434582.0A
Other languages
Chinese (zh)
Inventor
董佳涵
任天宇
王小虎
王超
李博文
郭广鑫
师恩洁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Beijing Electric Power Co Ltd
State Grid Corp of China SGCC
Original Assignee
State Grid Beijing Electric Power Co Ltd
State Grid Corp of China SGCC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Beijing Electric Power Co Ltd and State Grid Corp of China SGCC
Priority to CN202111434582.0A
Publication of CN114117448A
Legal status: Pending (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/90 Details of database functions independent of the retrieved data types
    • G06F 16/901 Indexing; Data structures therefor; Storage structures
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Computing Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a vulnerability information processing method and device. The method comprises the following steps: obtaining a plurality of vulnerability scanning reports, where the vulnerability scanning reports are the reports output by scanners of various types after scanning the same target object; analyzing the vulnerability scanning reports to obtain state information of the target object, where the state information includes at least asset information of the target object and vulnerability information of the target object; and merging the state information from multiple dimensions respectively to obtain target reports for those dimensions. The method and device solve the technical problem that the output results of vulnerability detection performed by various scanners currently have no unified merging standard.

Description

Vulnerability information processing method and device
Technical Field
The application relates to the field of merging network vulnerability scanning results, and in particular to a method for merging and classifying vulnerabilities across multiple dimensions.
Background
With the rapid development of information technology, the degree of informatization of domestic enterprises keeps rising, more companies depend on information technology, and the basic role of networks and information systems has grown. Information security has therefore become an important means of deepening informatization and protecting its results, and an important part of a company's safe production.
At present, many enterprises use vulnerability scanners from multiple manufacturers when detecting vulnerabilities in internal systems, and the vulnerability types and result formats supported by these scanners differ. In practice the scanner results need to be combined, and the scanning target needs to be assessed from different dimensions. Combining different scanning results consumes a large amount of manual effort, and no uniform combination standard exists, so the dimensions and scores of the subsequent vulnerability risk statistics differ completely from one another, and the same asset is combined and evaluated by different methods at different stages.
No effective solution to these problems has yet been proposed.
Disclosure of Invention
The embodiments of the application provide a vulnerability information processing method and device, which at least solve the technical problem that the scanning results produced by various types of scanners during vulnerability detection have no unified merging standard.
According to one aspect of the embodiments of the present application, a vulnerability information processing method is provided, including: obtaining a plurality of vulnerability scanning reports, where the vulnerability scanning reports are the reports output by scanners of various types after scanning the same target object; analyzing the vulnerability scanning reports to obtain state information of the target object, where the state information includes at least asset information of the target object and vulnerability information of the target object; and merging the state information from multiple dimensions respectively to obtain target reports for those dimensions.
Optionally, the state information includes at least asset information and vulnerability information. The asset information includes at least one of: internet protocol address, port information, service information, component information; the vulnerability information includes at least one of: vulnerability number, vulnerability type.
Optionally, merging the state information from multiple dimensions to obtain target reports of multiple dimensions includes: extracting the asset information and the vulnerability information from the state information; establishing an association between vulnerabilities and assets by correlating the vulnerability information with the asset information; determining, according to that association, whether identical vulnerability numbers exist in the vulnerability information corresponding to the same asset, and, when they do, determining that the same vulnerability is present more than once in the state information; in that case, removing the repeated vulnerability information from the state information to obtain a first merging result; and determining the target report from the first merging result.
Optionally, constructing the association between vulnerabilities and assets by correlating the vulnerability information with the asset information includes: constructing a many-to-one mapping between a plurality of vulnerability numbers in the vulnerability information and the component information in the asset information.
Optionally, determining according to the association whether identical vulnerability numbers exist in the vulnerability information corresponding to the same asset includes: identifying the same asset according to at least one of the internet protocol address and the port information, and merging the vulnerabilities associated with that asset to obtain a second merging result; and determining from the second merging result, according to the association, whether identical vulnerability numbers exist in the vulnerability information corresponding to the same asset.
Optionally, after the state information has been merged from multiple dimensions to obtain the target reports, the method further includes: adjusting the danger level of the vulnerabilities present in the target object according to the vulnerability information in the target report.
Optionally, adjusting the danger level of the vulnerabilities present in the target object according to the vulnerability information in the target report includes: determining the danger level and weight corresponding to each vulnerability type of the target object in the target report; and determining the vulnerability risk level of the target object from the danger levels and weights of those vulnerability types.
According to another aspect of the embodiments of the present application, a vulnerability information processing apparatus is also provided, including: an obtaining module, configured to obtain a plurality of vulnerability scanning reports, where the vulnerability scanning reports are the reports output by scanners of various types after scanning the same target object; an analysis module, configured to analyze the vulnerability scanning reports to obtain state information of the target object, where the state information includes at least asset information of the target object and vulnerability information of the target object; and a merging processing module, configured to merge the state information from multiple dimensions respectively to obtain target reports of multiple dimensions.
According to another aspect of the embodiments of the present application, an electronic device is also provided, including a memory and a processor; the memory stores a program, and the processor calls the program stored in the memory to execute the vulnerability information processing method.
In the embodiments of the application, a plurality of vulnerability scanning reports are obtained, the reports are analyzed to obtain the state information of the target object, and the state information is merged from multiple dimensions respectively to obtain target reports of those dimensions. This solves the technical problem that the scanning results produced by various types of scanners during vulnerability detection currently have no uniform merging standard.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
Fig. 1 is a block diagram of the hardware structure of a computer terminal for implementing a vulnerability information processing method according to an embodiment of the present application;
Fig. 2 is a flowchart of a vulnerability information processing method according to an embodiment of the present application;
Fig. 3 is a block diagram of a vulnerability information processing apparatus according to an embodiment of the present application.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
According to an embodiment of the present application, an embodiment of a vulnerability information processing method is provided. It should be noted that the steps shown in the flowchart of the drawings may be executed in a computer system as a set of computer-executable instructions, and that, although a logical order is shown in the flowchart, in some cases the steps shown or described may be executed in an order different from the one given here.
The vulnerability information processing method provided by the embodiment of the application can be executed on a mobile terminal, a computer terminal or a similar computing device. Fig. 1 shows a block diagram of the hardware configuration of a computer terminal (or mobile device) for implementing the vulnerability information processing method. As shown in Fig. 1, the computer terminal 10 (or mobile device 10) may include one or more processors 102 (shown as 102a, 102b, … …, 102n; the processors 102 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission module 106 for communication functions. In addition, it may also include: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be one of the ports of the I/O interface), a network interface, a power source, and/or a camera. Those skilled in the art will understand that the structure shown in Fig. 1 is only an illustration and does not limit the structure of the electronic device. For example, the computer terminal 10 may include more or fewer components than shown in Fig. 1, or have a different configuration from the one shown in Fig. 1.
It should be noted that the one or more processors 102 and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuit may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements in the computer terminal 10 (or mobile device). As referred to in the embodiments of the application, the data processing circuit acts as a processor control (e.g. selection of a variable resistance termination path connected to the interface).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the data query method in the embodiment of the present application, and the processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, that is, implementing the vulnerability information processing method. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission module 106 is used to receive or transmit data via a network. Specific examples of the network include a wireless network provided by the communication provider of the computer terminal 10. In one example, the transmission module 106 includes a Network Interface Controller (NIC) that can connect to other network devices through a base station to communicate with the internet. In another example, the transmission module 106 is a Radio Frequency (RF) module used to communicate with the internet wirelessly.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10 (or mobile device).
It should be noted that, in some alternative embodiments, the computer device (or mobile device) shown in Fig. 1 may include hardware elements (including circuitry), software elements (including computer code stored on a computer-readable medium), or a combination of both. Fig. 1 is only one specific example and is intended to illustrate the types of components that may be present in the computer device (or mobile device) described above.
In the foregoing operating environment, an embodiment of the present application provides a vulnerability information processing method as shown in Fig. 2. Fig. 2 is a flowchart of a vulnerability information processing method according to an embodiment of the present application; as shown in Fig. 2, the method includes the following steps:
Step S202: obtain a plurality of vulnerability scanning reports, where the vulnerability scanning reports are the reports output by multiple types of scanners after scanning the same target object.
Optionally, the plurality of vulnerability scanning reports are statistical data and include the vulnerability scanning data produced by multiple types of scanners for the same target object.
Specifically, multiple types of scanners may be used to scan the same host system, which contains multiple kinds of software, and the vulnerability scanning reports output by those scanners are collected. Because the vulnerability types supported by different scanners and their assessment standards for vulnerability risk levels differ, before the target object is assessed for vulnerability risk from different dimensions, its vulnerability scanning reports are first merged and classified from those dimensions under a unified merging standard; that is, the reports are obtained, analyzed and merged.
Step S204: analyze the vulnerability scanning reports to obtain the state information of the target object, where the state information includes at least the asset information of the target object and the vulnerability information of the target object.
Optionally, the asset information includes at least one of: internet protocol address, port information, component information; the vulnerability information includes at least one of: vulnerability number, vulnerability type.
Specifically, the scanning reports output by multiple types of scanners after scanning the same host system may be uploaded to a system vulnerability scanning platform for analysis, producing an analysis report, where the host system contains at least several kinds of software. The state information of the host system is then obtained from the analysis report, where the state information includes at least asset information and vulnerability information. The asset information includes at least one of: internet protocol address, port information, component information; the vulnerability information includes at least one of: the vulnerability number, and the vulnerability type obtained by querying with that vulnerability number.
Specifically, if the host system includes software A and software B, the host system is scanned by multiple types of scanners, and the vulnerability scanning reports they output are uploaded to the system vulnerability scanning platform for analysis, from which the state information of the host system is obtained. The asset information in the state information includes at least one of: the internet protocol address IPA of software A; the internet protocol address IPB of software B; the port information PA of software A; the port information PB of software B; the component information a1 and a2 of software A and the component information b1 and b2 of software B. The vulnerability information in the state information includes at least one of: vulnerability numbers CVEa11 and CVEa12 corresponding to the vulnerabilities in component a1; vulnerability numbers CVEa21 and CVEa22 corresponding to the vulnerabilities in component a2; vulnerability numbers CVEb11 and CVEb12 corresponding to the vulnerabilities in component b1; vulnerability numbers CVEb21 and CVEb22 corresponding to the vulnerabilities in component b2; and, queried from the vulnerability disclosure library by vulnerability number, the vulnerability types CWEa11, CWEa12, CWEa21, CWEa22, CWEb11, CWEb12, CWEb21 and CWEb22 corresponding to each vulnerability number.
Step S206: merge the state information from multiple dimensions respectively to obtain target reports of multiple dimensions.
Optionally, merging the state information from multiple dimensions to obtain target reports of multiple dimensions includes: extracting the asset information and the vulnerability information from the state information; establishing an association between vulnerabilities and assets by correlating the vulnerability information with the asset information; determining, according to that association, whether identical vulnerability numbers exist in the vulnerability information corresponding to the same asset, and, when they do, determining that the same vulnerability is present more than once in the state information; in that case, removing the repeated vulnerability information from the state information to obtain a first merging result; and determining the target report from the first merging result.
Optionally, constructing the association between vulnerabilities and assets by correlating the vulnerability information with the asset information includes: constructing a many-to-one mapping between a plurality of vulnerability numbers in the vulnerability information and the component information in the asset information.
Optionally, determining according to the association whether identical vulnerability numbers exist in the vulnerability information corresponding to the same asset includes: identifying the same asset according to at least one of the internet protocol address and the port information, and merging the vulnerabilities associated with that asset to obtain a second merging result; and determining from the second merging result, according to the association, whether identical vulnerability numbers exist in the vulnerability information corresponding to the same asset.
Specifically, to extract the asset information and the vulnerability information from the state information, the state information is uploaded to form processing software and the asset information and vulnerability information are extracted by filtering. For example, after the state information has been uploaded to the form processing software, the asset information and vulnerability information are extracted using the internet protocol address, port information, component information, vulnerability number and vulnerability type as filter conditions.
Specifically, the vulnerability information is correlated with the asset information to construct the association between vulnerabilities and assets; the mapping from the vulnerability numbers in the vulnerability information to the component information in the asset information can be constructed many-to-one. Software contains many kinds of components, a single component may have many vulnerabilities, and the same vulnerability may appear in different components. For example, by constructing a many-to-one mapping from the vulnerabilities corresponding to component a1 onto component a1, the vulnerability information is associated with the asset information and the association between vulnerabilities and assets is established. Similarly, a many-to-one mapping from the vulnerabilities corresponding to components a2, b1 and b2 onto components a2, b1 and b2 respectively establishes the association between those vulnerabilities and assets.
Specifically, determining according to the association whether identical vulnerability numbers exist in the vulnerability information corresponding to the same asset can be carried out as follows: first, components a1 and a2 are determined to belong to the same software A according to the internet protocol address IPA and the port information PA; the vulnerabilities corresponding to software A are then determined from the component-to-vulnerability association within the asset, and those vulnerabilities are merged. Similarly, components b1 and b2 are determined to belong to the same software B, the vulnerabilities corresponding to software B are determined from the association, and they are merged on top of the merged vulnerabilities of software A to obtain the second merging result.
Specifically, once identical vulnerability numbers are found, the state information is determined to contain the same vulnerability, because the vulnerability number is the identifier of a vulnerability and vulnerability numbers correspond one-to-one with vulnerabilities. Based on the second merging result, the vulnerability numbers CVEa11, CVEa12, CVEa21 and CVEa22 corresponding to the vulnerabilities in software A are compared to determine whether identical vulnerability numbers exist in the vulnerability information corresponding to software A; whether identical vulnerability numbers exist in the vulnerability information corresponding to software B is determined in the same way. Because the vulnerability numbers are extracted from the state information of the host system, finding identical vulnerability numbers for software A and software B means finding identical vulnerability numbers in the state information, and the vulnerabilities identified by those numbers are then determined to be the same vulnerability. The repeated vulnerabilities, their repeated vulnerability numbers, and the vulnerability types looked up from those repeated numbers are removed from the state information to obtain the first merging result, which is output as the content of the target report.
Optionally, after the state information has been merged from multiple dimensions to obtain the target reports, the method further includes: adjusting the danger level of the vulnerabilities present in the target object according to the vulnerability information in the target report.
Optionally, adjusting the danger level of the vulnerabilities present in the target object according to the vulnerability information in the target report includes: determining the danger level and weight corresponding to each vulnerability type of the target object in the target report; and determining the vulnerability risk level of the target object from the danger levels and weights of those vulnerability types.
Specifically, the vulnerability numbers of the first merging result are extracted from the target report, where each vulnerability number identifies a vulnerability in the target report; the vulnerability type corresponding to each vulnerability number is queried in the common vulnerability disclosure library, and the vulnerability information corresponding to each vulnerability is queried in the common weakness enumeration library; the vulnerability types and vulnerability information from the target report are then uploaded to a vulnerability assessment system, which re-assesses the vulnerability information in the target report and recalculates the danger level and weight of each vulnerability.
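The following is an added worked example, not code from the patent: it runs steps S202 to S206 and the danger-level adjustment above in Python. Two constructed scanner reports for one host are parsed, vulnerabilities are mapped many-to-one onto components, components sharing an IP address and port are merged into one asset (the second merging result), identical vulnerability numbers within an asset are deduplicated (the first merging result), and a weighted danger score is computed per asset. The addresses, ports, the CVEa11/CWEa11-style placeholders and the danger/weight tables are all constructed assumptions; the weighted mean is one possible way to combine level and weight, which the page does not specify.

```python
"""Multi-scanner vulnerability merge modelled on steps S202-S206 of the page.
All sample data is constructed; CVEa11 / CWEa11 mirror the page's placeholder
names and are not real identifiers."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    scanner: str    # which scanner type produced this row
    ip: str         # asset information: internet protocol address
    port: int       # asset information: port information
    component: str  # asset information: component information
    cve: str        # vulnerability number (one-to-one with a vulnerability)
    cwe: str        # vulnerability type, looked up from the number in the page's flow


# Constructed stand-in for "a plurality of vulnerability scanning reports" (step S202):
# two scanner types scanned one host running software A (192.0.2.10:443, components
# a1/a2) and software B (192.0.2.20:8080, components b1/b2).
RAW_REPORTS = {
    "scanner_x": [
        ("192.0.2.10", 443, "a1", "CVEa11", "CWEa11"),
        ("192.0.2.10", 443, "a1", "CVEa12", "CWEa12"),
        ("192.0.2.10", 443, "a2", "CVEa21", "CWEa21"),
        ("192.0.2.20", 8080, "b1", "CVEb11", "CWEb11"),
    ],
    "scanner_y": [
        ("192.0.2.10", 443, "a1", "CVEa11", "CWEa11"),  # same finding from both scanners
        ("192.0.2.10", 443, "a2", "CVEa11", "CWEa11"),  # same vuln in another component
        ("192.0.2.10", 443, "a2", "CVEa22", "CWEa22"),
        ("192.0.2.20", 8080, "b1", "CVEb12", "CWEb12"),
        ("192.0.2.20", 8080, "b2", "CVEb21", "CWEb21"),
    ],
}


def parse_reports(raw):
    """Step S204: normalise every scanner's rows into Finding records (state information)."""
    return [Finding(scanner, *row) for scanner, rows in raw.items() for row in rows]


def component_index(findings):
    """Many-to-one mapping: (ip, port, component) -> findings reported on that component."""
    index = defaultdict(list)
    for f in findings:
        index[(f.ip, f.port, f.component)].append(f)
    return index


def merge_same_asset(index):
    """Second merging result: components sharing IP and port belong to the same asset,
    so their vulnerability lists are concatenated under (ip, port)."""
    merged = defaultdict(list)
    for (ip, port, _component), rows in index.items():
        merged[(ip, port)].extend(rows)
    return merged


def remove_duplicates(merged):
    """First merging result: within one asset, equal vulnerability numbers are the same
    vulnerability whichever scanner or component reported them. Returns
    {asset: {cve: cwe}} and the number of duplicate rows dropped per asset."""
    report, dropped = {}, {}
    for asset, rows in merged.items():
        unique = {}
        for f in rows:
            unique.setdefault(f.cve, f.cwe)
        report[asset] = unique
        dropped[asset] = len(rows) - len(unique)
    return report, dropped


# Assumed scoring tables (not from the page): danger level 1-4 and a weight per type.
DANGER = {"CWEa11": 4, "CWEa12": 2, "CWEa21": 3, "CWEa22": 1,
          "CWEb11": 3, "CWEb12": 2, "CWEb21": 4}
WEIGHT = {"CWEa11": 2.0, "CWEa12": 1.0, "CWEa21": 1.0, "CWEa22": 0.5,
          "CWEb11": 1.0, "CWEb12": 1.0, "CWEb21": 1.5}


def asset_risk(unique_vulns):
    """Weighted mean danger level over an asset's deduplicated vulnerabilities, mapped to
    a label. The linear weighted mean is an assumption; the page only says the risk
    level is derived from per-type danger levels and weights."""
    if not unique_vulns:
        return 0.0, "none"
    total_w = sum(WEIGHT[cwe] for cwe in unique_vulns.values())
    score = sum(DANGER[cwe] * WEIGHT[cwe] for cwe in unique_vulns.values()) / total_w
    label = ("critical" if score >= 3.5 else "high" if score >= 2.5
             else "medium" if score >= 1.5 else "low")
    return round(score, 2), label


def build_target_report(raw=RAW_REPORTS):
    """Run the whole pipeline: {asset: {"vulns": {cve: cwe}, "dropped": n, "risk": (score, label)}}."""
    merged = merge_same_asset(component_index(parse_reports(raw)))
    deduped, dropped = remove_duplicates(merged)
    return {asset: {"vulns": vulns, "dropped": dropped[asset], "risk": asset_risk(vulns)}
            for asset, vulns in deduped.items()}


if __name__ == "__main__":
    for (ip, port), entry in build_target_report().items():
        print(f"{ip}:{port} vulns={sorted(entry['vulns'])} "
              f"duplicates_removed={entry['dropped']} risk={entry['risk']}")
```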
Fig. 3 is a vulnerability information processing apparatus according to an embodiment of the present application, and as shown in fig. 3, the apparatus includes the following modules:
an acquisition module 30, configured to acquire multiple vulnerability scan reports, where the vulnerability scan reports include scan reports output by multiple types of scanners after scanning the same target object;
a parsing module 32, configured to parse the vulnerability scan reports to obtain state information of the target object, where the state information at least includes asset information of the target object and vulnerability information of the target object; and
a merging processing module 34, configured to merge the state information from multiple dimensions respectively to obtain target reports of the multiple dimensions.
In the merging processing module 34, merging the state information from multiple dimensions respectively to obtain target reports of the multiple dimensions specifically includes the following steps: extracting the asset information and the vulnerability information from the state information; constructing an association relationship between vulnerabilities and assets by associating the vulnerability information with the asset information; determining, according to the association relationship, whether the same vulnerability number exists in the vulnerability information corresponding to the same asset, and, when the same vulnerability number is found, determining that the state information contains the same vulnerability; when the state information is determined to contain the same vulnerability, removing the repeated vulnerability information from the state information to obtain a first merging result; and determining the target report according to the first merging result.
Through the above steps, the scan results generated by multiple types of scanners during vulnerability detection are merged and classified from different dimensions.
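The merging steps above and the weighted risk adjustment described earlier, worked through in Python as an added example; this is not code from the application. The scanner reports, the asset identity (IP plus port), the vulnerability numbers and the per-type (risk level, weight) table are all constructed here, standing in for what the scanners and the vulnerability assessment system would supply.

```python
from collections import defaultdict

# Constructed sample reports from three hypothetical scanner types that scanned
# the same target object; every value below is made up for this example.
SCAN_REPORTS = [
    {"scanner": "web", "findings": [
        {"ip": "10.0.0.5", "port": 443, "component": "nginx 1.18", "vuln_id": "VULN-0001", "type": "injection"},
        {"ip": "10.0.0.5", "port": 443, "component": "nginx 1.18", "vuln_id": "VULN-0002", "type": "misconfig"}]},
    {"scanner": "host", "findings": [
        {"ip": "10.0.0.5", "port": 443, "component": "nginx 1.18", "vuln_id": "VULN-0001", "type": "injection"},
        {"ip": "10.0.0.5", "port": 22, "component": "openssh 8.2", "vuln_id": "VULN-0003", "type": "auth"}]},
    {"scanner": "network", "findings": [
        {"ip": "10.0.0.5", "port": 22, "component": "openssh 8.2", "vuln_id": "VULN-0003", "type": "auth"}]},
]
# Constructed (risk level, weight) per vulnerability type, standing in for the
# values a vulnerability assessment system would return after re-assessment.
RISK_TABLE = {"injection": (9, 0.5), "auth": (7, 0.3), "misconfig": (4, 0.2)}


def parse_reports(reports):
    """Parse each scan report into (asset, component, vuln_id, type) state records."""
    for report in reports:
        for f in report["findings"]:
            yield (f["ip"], f["port"]), f["component"], f["vuln_id"], f["type"]


def merge_by_asset(reports):
    """Associate vulnerabilities with assets (asset identity = IP + port), merge the
    findings of the same asset, and keep one entry per vulnerability number:
    the asset-dimension target report (the 'first merging result')."""
    merged = defaultdict(dict)  # asset -> {vuln_id: (component, type)}
    for asset, component, vuln_id, vtype in parse_reports(reports):
        # The same vulnerability number on the same asset, reported again by a
        # different scanner, is a duplicate; setdefault drops it.
        merged[asset].setdefault(vuln_id, (component, vtype))
    return dict(merged)


def vulnerability_dimension(merged):
    """Second dimension of the same data: vulnerability number -> affected assets."""
    by_vuln = defaultdict(list)
    for asset, vulns in merged.items():
        for vuln_id in vulns:
            by_vuln[vuln_id].append(asset)
    return {v: sorted(a) for v, a in by_vuln.items()}


def weighted_risk(merged, risk_table=RISK_TABLE):
    """Adjust the risk level per asset: weighted average of the risk levels of the
    distinct vulnerability types present on that asset after de-duplication."""
    scores = {}
    for asset, vulns in merged.items():
        types = {vtype for _, vtype in vulns.values()}
        weight_sum = sum(risk_table[t][1] for t in types)
        scores[asset] = sum(risk_table[t][0] * risk_table[t][1] for t in types) / weight_sum
    return scores
```

With the constructed input, five raw findings collapse to three distinct asset/vulnerability pairs, and the asset on port 443 scores higher than the one on port 22 because the injection finding carries the largest risk level and weight.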
It should be noted that the vulnerability information processing apparatus shown in fig. 3 is used for executing the vulnerability information processing method shown in fig. 2, and therefore the explanation of the vulnerability information processing method is also applicable to the vulnerability information processing apparatus, which is not described herein again.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other media capable of storing program code.
The foregoing is only a preferred embodiment of the present application and it should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (10)

1. A vulnerability information processing method, comprising: acquiring multiple vulnerability scan reports, wherein the vulnerability scan reports include scan reports output by multiple types of scanners after scanning the same target object; parsing the vulnerability scan reports to obtain state information of the target object, wherein the state information at least includes asset information of the target object and vulnerability information of the target object; and merging the state information from multiple dimensions respectively to obtain target reports of the multiple dimensions.
2. The method according to claim 1, wherein: the asset information includes at least one of an Internet protocol address, port information, service information and component information; and the vulnerability information includes at least one of a vulnerability number and a vulnerability type.
3. The method according to claim 1, wherein merging the state information from multiple dimensions respectively to obtain target reports of the multiple dimensions comprises: extracting the asset information and the vulnerability information from the state information; constructing an association relationship between vulnerabilities and assets by associating the vulnerability information with the asset information; determining, according to the association relationship, whether the same vulnerability number exists in the vulnerability information corresponding to the same asset, and, when the same vulnerability number is found, determining that the state information contains the same vulnerability; when the state information is determined to contain the same vulnerability, removing the repeated vulnerability information from the state information to obtain a first merging result; and determining the target report according to the first merging result.
4. The method according to claim 3, wherein constructing the association relationship between vulnerabilities and assets by associating the vulnerability information with the asset information comprises: constructing a many-to-one mapping between multiple vulnerability numbers in the vulnerability information and component information in the asset information.
5. The method according to claim 3, wherein determining, according to the association relationship, whether the same vulnerability number exists in the vulnerability information corresponding to the same asset comprises: determining the same asset according to at least one of the Internet protocol address and the port information, and merging the vulnerabilities associated with the same asset to obtain a second merging result; and determining, from the second merging result and according to the association relationship, whether the same vulnerability number exists in the vulnerability information corresponding to the same asset.
6. The method according to claim 3, wherein, after merging the state information from multiple dimensions respectively to obtain target reports of the multiple dimensions, the method further comprises: adjusting the risk level of the vulnerabilities existing in the target object according to the vulnerability information in the target report.
7. The method according to claim 6, wherein adjusting the risk level of the vulnerabilities existing in the target object according to the vulnerability information in the target report comprises: determining the risk levels and weights corresponding to different vulnerability types of the target object in the target report; and determining the vulnerability risk level of the target object according to the risk levels and weights corresponding to the different vulnerability types.
8. A vulnerability information processing device, comprising: an acquisition module, configured to acquire multiple vulnerability scan reports, wherein the vulnerability scan reports include scan reports output by multiple types of scanners after scanning the same target object; a parsing module, configured to parse the vulnerability scan reports to obtain state information of the target object, wherein the state information at least includes asset information of the target object and vulnerability information of the target object; and a merging processing module, configured to merge the state information from multiple dimensions respectively to obtain target reports of the multiple dimensions.
9. The device according to claim 8, wherein the merging processing module is further configured to: extract the asset information and the vulnerability information from the state information; construct an association relationship between vulnerabilities and assets by associating the vulnerability information with the asset information; determine, according to the association relationship, whether the same vulnerability number exists in the vulnerability information corresponding to the same asset, and, when the same vulnerability number is found, determine that the state information contains the same vulnerability; when the state information is determined to contain the same vulnerability, remove the repeated vulnerability information from the state information to obtain a first merging result; and determine the target report according to the first merging result.
10. An electronic device, comprising a memory and a processor, wherein the memory is configured to store a program, and the processor is configured to call the program stored in the memory to execute the vulnerability information processing method according to any one of claims 1 to 7.
CN202111434582.0A 2021-11-29 2021-11-29 Vulnerability information processing method and device Pending CN114117448A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111434582.0A CN114117448A (en) 2021-11-29 2021-11-29 Vulnerability information processing method and device

Publications (1)

Publication Number Publication Date
CN114117448A true CN114117448A (en) 2022-03-01

Family

ID=80371237

Country Status (1)

Country Link
CN (1) CN114117448A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130074188A1 (en) * 2011-09-16 2013-03-21 Rapid7 LLC. Methods and systems for improved risk scoring of vulnerabilities
CN103118003A (en) * 2012-12-27 2013-05-22 北京神州绿盟信息安全科技股份有限公司 Risk scanning method, device and system based on assets
CN109391636A (en) * 2018-12-20 2019-02-26 广东电网有限责任公司 A kind of loophole administering method and device based on hierarchical protection asset tree
CN110069930A (en) * 2019-04-29 2019-07-30 广东电网有限责任公司 A kind of loophole restorative procedure, device and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination