CN118364476B - Vulnerability-associated product data processing method, device, equipment and storage medium - Google Patents

Abstract

The application provides a processing method, a device, equipment and a storage medium of vulnerability-associated product data, wherein the method comprises the following steps: obtaining a first product data set and a first vulnerability data set from a common database, and obtaining a second product data set and a second vulnerability data set from a plurality of devices; obtaining a plurality of product entity data corresponding to a plurality of vulnerability entities according to the first vulnerability data and the first product data set; selecting a plurality of candidate product entity data associated with the target vulnerability entity in the second vulnerability data set from the plurality of product entity data based on the association relationship between the vulnerability entity and the product entity data; target product information corresponding to the target vulnerability entity is obtained from the second product data set, and target product entity data corresponding to the target vulnerability entity is determined from the plurality of candidate product entity data, so that product entity alignment of the associated vulnerability is realized, and accuracy and reliability of product entity alignment are effectively improved.

Description

Method, device, equipment and storage medium for processing product data associated with vulnerabilities

Technical Field

The embodiments of the present application relate to the field of data security technology, and in particular to a method, apparatus, device and storage medium for processing product data associated with a vulnerability.

Background Art

With the popularization of the Internet and the improvement of informatization, network attacks are becoming increasingly complex. In order to cope with these challenges, enterprises and organizations need to continuously improve their network security defense capabilities. Among them, the network target range, as a virtual platform that simulates a real network environment, can simulate various network attack scenarios based on the product and vulnerability information of the corresponding equipment, allowing security personnel to conduct security testing, training and research without risk, and improve defense capabilities by simulating network attacks. The product information is CPE (Common Platform Enumeration), which is used to characterize different product assets.

Due to differences in product vulnerability scanning technologies among different manufacturers, data formats are inconsistent, so product and vulnerability information also need to be identified and aligned in the network target range. However, the current product entity alignment method is generally achieved by performing entity association processing based on string rules or fingerprint information on a single product data source, ignoring the correlation between products and vulnerabilities. It is easy to produce mismatches due to inaccurate information, which reduces the accuracy and reliability of product entity alignment.

Summary of the invention

The embodiments of the present application provide a method, apparatus, device and storage medium for processing product data associated with a vulnerability, which can obtain the vulnerability-product association relationship based on a public database, thereby determining the product entity data corresponding to the vulnerability in the target device, realizing product entity alignment of associated vulnerabilities, and effectively improving the accuracy and reliability of product entity alignment.

To achieve the above-mentioned purpose, a first aspect of an embodiment of the present application provides a method for processing product data associated with a vulnerability, including: obtaining a first product data set and a first vulnerability data set from a public database, and obtaining a second product data set and a second vulnerability data set from multiple devices; constructing multiple product entities corresponding to multiple vulnerability entities based on the first vulnerability data set; performing data supplementation processing on multiple product entities based on the first product data set to obtain multiple product entity data corresponding to multiple vulnerability entities; based on the association relationship between the vulnerability entity and the product entity data, selecting multiple candidate product entity data associated with a target vulnerability entity in the second vulnerability data set from the multiple product entity data; obtaining target product information corresponding to the target vulnerability entity from the second product data set; calculating the matching coefficient between the target product information and the multiple candidate product entity data, and determining the target product entity data corresponding to the target vulnerability entity from the multiple candidate product entity data based on the matching coefficient.

In some embodiments, the calculating of the matching coefficient between the target product information and a plurality of the candidate product entity data, and determining the target product entity data corresponding to the target vulnerability entity from the plurality of the candidate product entity data based on the matching coefficient, includes: calculating the matching coefficient between the target product information and a plurality of the candidate product entity data based on a preset text dictionary library; and determining the candidate product entity data corresponding to the highest matching coefficient as the target product entity data corresponding to the target vulnerability entity.

In some embodiments, after calculating the matching coefficient between the target product information and a plurality of the candidate product entity data based on a preset text dictionary library, the method further includes: when the highest matching coefficient is greater than a coefficient threshold, determining the candidate product entity data corresponding to the highest matching coefficient as the target product entity data corresponding to the target vulnerability entity; when the highest matching coefficient is less than or equal to the coefficient threshold, respectively calculating the word vector similarity coefficient and the edit distance similarity coefficient between the target product information and each of the candidate product entity data, and determining the target product entity data from the plurality of the candidate product entity data based on the matching coefficient, the word vector similarity coefficient and the edit distance similarity coefficient.

In some embodiments, the target product entity data is determined from the multiple candidate product entity data based on the matching coefficient, the word vector similarity coefficient and the edit distance similarity coefficient, including: weighted calculation of the matching coefficient, the word vector similarity coefficient and the edit distance similarity coefficient based on a preset weight configuration to obtain an aggregated similarity coefficient; and the candidate product entity data corresponding to the highest aggregated similarity coefficient is determined as the target product entity data.

In some embodiments, constructing multiple product entities corresponding to the multiple vulnerability entities based on the first vulnerability data set includes: performing information extraction processing on the first vulnerability data set based on a preset large language model to obtain multiple product information corresponding to the multiple vulnerability entities; and constructing multiple product entities based on the multiple product information.

In some embodiments, based on the association relationship between the vulnerability entity and the product entity data, multiple candidate product entity data associated with the target vulnerability entity in the second vulnerability data set are selected from the multiple product entity data, including: obtaining vulnerability information of the target vulnerability entity in the second vulnerability data set, and determining the vulnerability entity corresponding to the vulnerability information from the multiple vulnerability entities; based on the association relationship between the vulnerability entity and the product entity data, multiple candidate product entity data associated with the vulnerability entity corresponding to the vulnerability information are selected from the multiple product entity data.

In some embodiments, different devices have different image identifiers, the data in the second product data set and the second vulnerability data set are associated through the image identifier, and obtaining the target product information corresponding to the target vulnerability entity from the second product data set includes: obtaining the target image identifier corresponding to the target vulnerability entity from the second vulnerability data set; obtaining the target product information corresponding to the target image identifier from the second product data set.

In some embodiments, obtaining a first product data set and a first vulnerability data set from a public database includes: obtaining product log data and vulnerability log data from the public database at a preset interval; performing data cleaning processing on the product log data and the vulnerability log data, and performing key field extraction processing on the cleaned product log data and the vulnerability log data to obtain the first product data set and the first vulnerability data set.

In some embodiments, the obtaining of a second product data set and a second vulnerability data set from multiple devices includes: obtaining product vulnerability data of multiple devices by calling multiple product vulnerability scanning interfaces; performing key field extraction processing on the multiple product vulnerability data based on a preset format conversion tool to obtain the second product data set and the second vulnerability data set, the second vulnerability data set including vulnerability information of multiple devices, and the second product data set including product information corresponding to the vulnerability information of multiple devices.

In some embodiments, the method of acquiring product vulnerability data of multiple devices by calling multiple product vulnerability scanning interfaces includes: acquiring product data of a target device by calling a product scanning interface provided by a first manufacturer; acquiring vulnerability data of the target device by calling a vulnerability scanning interface provided by a second manufacturer; wherein the product data and the vulnerability data have the same mirror identifier.

In some embodiments, the method further includes: after determining the target product entity data corresponding to multiple target vulnerability entities of multiple devices, constructing a product entity alignment table characterizing the association relationship between the devices, the target vulnerability entities and the target product entity data.

To achieve the above-mentioned purpose, the second aspect of an embodiment of the present application provides a device for processing product data associated with a vulnerability, including: a data acquisition module, used to acquire a first product data set and a first vulnerability data set from a public database, and to acquire a second product data set and a second vulnerability data set from multiple devices; an entity construction module, used to construct multiple product entities corresponding to multiple vulnerability entities according to the first vulnerability data set; a data supplement module, used to perform data supplement processing on multiple product entities based on the first product data set to obtain multiple product entity data corresponding to multiple vulnerability entities; an entity association module, used to select multiple candidate product entity data associated with a target vulnerability entity in the second vulnerability data set from the multiple product entity data based on the association relationship between the vulnerability entity and the product entity data; an entity determination module, used to acquire target product information corresponding to the target vulnerability entity from the second product data set; an entity alignment module, used to calculate the matching coefficient between the target product information and the multiple candidate product entity data, and determine the target product entity data corresponding to the target vulnerability entity from the multiple candidate product entity data based on the matching coefficient.

To achieve the above-mentioned purpose, the third aspect of the embodiments of the present application proposes an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the computer program, it implements the method for processing product data associated with the vulnerability as described in any one of the embodiments in the first aspect.

To achieve the above-mentioned purpose, the fourth aspect of the embodiments of the present application proposes a computer-readable storage medium storing computer-executable instructions, which are used to execute the method for processing product data associated with vulnerabilities as described in any one of the embodiments of the first aspect.

The method, apparatus, device and storage medium for processing vulnerability-associated product data provided by the embodiment of the present application can obtain a first product data set and a first vulnerability data set from a public database, and collect a second product data set and a second vulnerability data set from multiple devices at the same time, and then construct multiple product entities corresponding to the first vulnerability data set based on the information in the first vulnerability data set, and use the first product data set to perform data supplement processing on the above-constructed product entities to form complete product entity data; further, based on the association relationship between the vulnerability entity and the product entity data, the present application can determine the candidate product entity data corresponding to the target vulnerability entity in the second vulnerability data set, and extract product information related to the target vulnerability entity from the second product data set to calculate the matching relationship between the target product information and the candidate product entity data. Matching coefficient, determine the target product entity data from the candidate product entity data according to the matching coefficient, wherein it can be understood that the present application constructs a vulnerability product association relationship based on a public database to achieve the association between products and vulnerabilities, and then when a second product data set and a second vulnerability data set of multiple devices are obtained through product vulnerability scanning technology from different manufacturers, the target product entity data corresponding to the target vulnerability entity can be determined more accurately and effectively based on the correlation of product vulnerabilities, so as to achieve product entity alignment, reduce the occurrence of mismatches, and improve the accuracy and reliability of data processing, so that the alignment result of the target product entity data under the target vulnerability entity in the present application scheme can support the complex network environment and diversified attack scenario simulation of the network target range, which helps security personnel to more comprehensively understand and respond to potential network threats.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG1 is a flow chart of a method for processing vulnerability-related product data provided by an embodiment of the present application;

FIG2 is a flow chart of determining target product entity data provided by an embodiment of the present application;

FIG3 is another flow chart of determining target product entity data provided by an embodiment of the present application;

FIG4 is a flow chart of a collection of multiple product entities provided by an embodiment of the present application;

FIG5 is a flow chart of obtaining multiple candidate product entity data provided by an embodiment of the present application;

FIG6 is a flowchart of an example of a method for processing vulnerability-related product data provided by an embodiment of the present application;

FIG. 7 is a flowchart of an example of obtaining multiple product entity data provided by an embodiment of the present application;

FIG8 is a flowchart of an example of calculating a matching coefficient provided by an embodiment of the present application;

FIG9 is a flowchart of an example of determining target product entity data provided by an embodiment of the present application;

FIG. 10 is a schematic diagram of the structure of an electronic device provided in one embodiment of the present application.

DETAILED DESCRIPTION

In order to make the purpose, technical solution and advantages of the present application more clearly understood, the present application is further described in detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used to explain the present application and are not used to limit the present application.

In some embodiments, although the functional modules are divided in the system schematic diagram and the logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in a different order than the module division in the system or the order in the flowchart. The terms first, second, etc. in the specification, claims and the above drawings are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.

In addition, unless otherwise clearly specified and limited, the term "connected/connected" should be understood in a broad sense. For example, it can be a fixed connection or a movable connection, a detachable connection or a non-detachable connection, or an integral connection; it can be a mechanical connection, an electrical connection, or the two can communicate with each other; it can be a direct connection, or it can be indirectly connected through an intermediate medium.

In the description of the embodiments of the present application, the description with reference to the terms "one embodiment/implementation", "another embodiment/implementation" or "certain embodiments/implementations", "in the above embodiments/implementations", etc. means that the specific features, structures, materials or characteristics described in combination with the implementation or example are included in at least two embodiments or implementations disclosed in the present application. In the disclosure of the present application, the schematic representation of the above terms does not necessarily refer to the same embodiment or implementation. It should be noted that although the logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in an order different from that in the flowchart.

With the popularization of the Internet and the improvement of informatization, network attacks are becoming increasingly complex. In order to cope with these challenges, enterprises and organizations need to continuously improve their network security defense capabilities. Among them, the network range, as a virtual platform that simulates a real network environment, can simulate various network attack scenarios based on the product and vulnerability information of the corresponding equipment, allowing security personnel to conduct security testing, training and research without risk, and improve defense capabilities by simulating network attacks; due to differences in product vulnerability scanning technologies of different manufacturers, resulting in inconsistent data formats, it is also necessary to identify and align product and vulnerability information in the network range. However, the current product entity alignment method is generally achieved by performing entity association processing based on string rules or fingerprint information on a single product data source, ignoring the correlation between products and vulnerabilities, and is prone to mismatching due to inaccurate information, reducing the accuracy and reliability of product entity alignment.

Among them, the product information is CPE (Common Platform Enumeration), and the product entity is CPE entity. CPE is a standardized method for describing and identifying application programs, operating systems, and hardware device categories in enterprise computing products. It provides a standard machine-readable format that can uniquely encode IT products and platforms to characterize different product assets; the vulnerability entity is CVE (Common Vulnerabilities and Exposures). CVE is used to provide unique identification and related information for known security vulnerabilities to characterize different vulnerabilities.

Based on this, the present application provides a method, apparatus, device and storage medium for processing product data associated with a vulnerability, the method comprising: obtaining a first product data set and a first vulnerability data set from a public database, and obtaining a second product data set and a second vulnerability data set from multiple devices; obtaining multiple product entity data corresponding to multiple vulnerability entities according to the first vulnerability data and the first product data set; based on the association relationship between the vulnerability entity and the product entity data, selecting multiple candidate product entity data associated with a target vulnerability entity in the second vulnerability data set from the multiple product entity data; obtaining target product information corresponding to the target vulnerability entity from the second product data set, and determining the target product entity data corresponding to the target vulnerability entity from the multiple candidate product entity data, so as to achieve product entity alignment of associated vulnerabilities, and effectively improve the accuracy and reliability of product entity alignment.

The embodiments of the present application are further described below in conjunction with the accompanying drawings.

Referring to FIG. 1 , FIG. 1 is a flow chart of a method for processing vulnerability-associated product data provided by an embodiment of the present application. A first aspect of an embodiment of the present application provides a method for processing vulnerability-associated product data, including but not limited to:

Step S110, obtaining a first product data set and a first vulnerability data set from a public database, and obtaining a second product data set and a second vulnerability data set from a plurality of devices; constructing a plurality of product entities corresponding to a plurality of vulnerability entities according to the first vulnerability data set;

Step S120, performing data supplementation processing on the multiple product entities based on the first product data set to obtain multiple product entity data corresponding to the multiple vulnerability entities;

Step S130, based on the association relationship between the vulnerability entity and the product entity data, selecting a plurality of candidate product entity data associated with the target vulnerability entity in the second vulnerability data set from the plurality of product entity data;

Step S140, obtaining target product information corresponding to the target vulnerability entity from the second product data set;

Step S150 , calculating a matching coefficient between the target product information and a plurality of candidate product entity data, and determining the target product entity data from the plurality of candidate product entity data based on the matching coefficient.

In some embodiments, the first product data set may be a CPE data set obtained from a public database such as CNNVD (China National Vulnerability Database of Information Security) at a preset interval, and the first vulnerability data set may be a CVE data set also obtained from CNNVD; the second product data set may be product data of a specific device, such as a gateway device, a terminal device, and other target devices for target identification of vulnerability product detection scanning tasks, and these devices are installed with different operating systems, software and components for different purposes, etc. The data in the first vulnerability data set needs to be aligned with the first product data set, and the second vulnerability data set is the vulnerability data associated with the second product data set; the vulnerability entity may be a specific security vulnerability defined in the first vulnerability data set, and the product entity may refer to a product instance object under a specific security vulnerability constructed based on the information in the first vulnerability data set, but the information is incomplete, and in contrast, the product entity data may refer to detailed information related to the product entity after the information is supplemented.

Among them, the candidate product entity data is a set of product entity data related to the target vulnerability entity, which is obtained based on the association relationship between the vulnerability entity and the product entity data. The target vulnerability entity is the specific vulnerability of the target device, and the target product information is the product information under the specific vulnerability. However, the product information may be incomplete, have inconsistent formats, inconsistent context dependencies, etc. Therefore, it is necessary to align with the closest data in the candidate product entity data, that is, to determine the target product entity data, so that the present application can obtain the vulnerability product association relationship based on the public database, thereby determining the product entity data corresponding to the vulnerability in the target device, realizing product entity alignment of associated vulnerabilities, and effectively improving the alignment quality and efficiency.

In some embodiments, corresponding to the above steps S110 to S150, the present application can obtain a first product data set and a first vulnerability data set from a public database, and collect a second product data set and a second vulnerability data set from multiple devices at the same time, and then construct multiple product entities corresponding thereto according to the information in the first vulnerability data set, and use the first product data set to perform data supplement processing on the above-constructed product entities to form complete product entity data; further, based on the association relationship between the vulnerability entity and the product entity data, the present application can determine the candidate product entity data corresponding to the target vulnerability entity in the second vulnerability data set, and extract the product information related to the target vulnerability entity from the second product data set to calculate the matching coefficient between the target product information and the candidate product entity data, and determine the target product entity data from the candidate product entity data according to the matching coefficient. This process is the product entity alignment process of associated vulnerabilities.

Among them, it can be understood that the present application constructs a vulnerability product association relationship based on a public database to achieve the association between product assets and vulnerabilities, and then when the second product data set and the second vulnerability data set of multiple devices are obtained through product vulnerability scanning technology from different manufacturers, the target product entity data corresponding to the target vulnerability entity can be determined more accurately and effectively based on the correlation of product vulnerabilities, so as to achieve product entity alignment representing assets, reduce the occurrence of mismatches, and improve the accuracy and reliability of data processing, so that the alignment results of the target product entity data under the target vulnerability entity in the present application scheme can support the complex network environment and diverse attack scenario simulation of the network target range, which helps security personnel to more comprehensively understand and respond to potential network threats.

In some embodiments, the above steps S130 to S150 are target product information alignment processes for a single target vulnerability entity in a single device, and the present application can perform the above processing of determining target product entity data from corresponding multiple candidate product entity data on multiple target vulnerability entities of multiple devices, and a single target vulnerability entity can have multiple target product information, and there can also be multiple target product entity data corresponding to a single target vulnerability, thereby determining the target product entity data corresponding to multiple target vulnerability entities of multiple devices.

In some embodiments, the method also includes: after determining the target product entity data corresponding to multiple target vulnerability entities of multiple devices, constructing a product entity alignment table that characterizes the association relationship between the devices, target vulnerability entities, and target product entity data, wherein it can be understood that after using a public database as a data source, obtaining multiple product entity data corresponding to multiple vulnerability entities, and constructing a basic product vulnerability association data set CVE-CPEs, the target product entity data can be determined to achieve alignment of the CPE entity data. Since different devices have different image identifiers ImageID, the aligned CPE entity data can finally be associated with ImageID and CVE to obtain an ImageID-CVE-CPEs data table, and the constructed association data table is stored in the database for application in subsequent research work such as network attack behavior analysis and attack tracing in the target range.

Among them, ImageID is a specific device identifier defined by the target range in the device vulnerability product detection scanning task, covering diversified devices such as gateway devices and terminal devices. These devices are equipped with different operating systems, functional software and components. With the help of ImageID, this application can accurately lock specific devices, and then clarify the product information and potential vulnerability details they carry; and because the product vulnerability scanning interface provided by the manufacturer is designed to adapt to the detection needs of different device types, for example, for terminal devices running the Linux operating system, the product vulnerability scanning interface of manufacturer A should be used for scanning; and for terminal devices running the Windows system, the scanning interface provided by manufacturer B should be used In view of the differences in interfaces and data formats of various manufacturers, the scanning results do not uniformly follow the standard CVE naming conventions. Therefore, it is necessary to use a format conversion tool to convert the scanning results of various manufacturers into a unified format to facilitate the subsequent CPE entity alignment work; therefore, for the same device, that is, the device identified by the same ImageID, a single manufacturer's product and vulnerability scanning interface can be used, or multiple manufacturers' interfaces can be combined for scanning. The obtained data can all be indexed with ImageID, so that this application can integrate and merge vulnerability data and product data from different scanning sources, so as to fully grasp the product list (CPE list) and vulnerability information (CVE list) of the device (ImageID).

Specifically, the ImageID-CVE-CPEs data table can be simply represented by the following data structure:

[

ImageID_01:

[cve_01:[cpe_01,cpe_02,...],cve_02:[cpe_03,cpe_04,...],...],

ImageID_02:

[cve_03:[cpe_05,cpe_06,...],cve_04:[cpe_07,cpe_08,...],...],

...

];

It can be seen that for the same ImageID, scanning the product vulnerability information on a device (ImageID) requires the use of product vulnerability scanning interfaces of multiple manufacturers. The obtained product data (cpe) and vulnerability data (cve) are indexed by ImageID. The target product entity data determined from multiple candidate product entity data is the CPE data after the information in the scanned product CPE list is adjusted and aligned for standardization and accuracy. Multiple aligned CPE data can be divided into the corresponding CVE and the corresponding ImageID.

In some embodiments, obtaining a first product data set and a first vulnerability data set from a public database includes: obtaining product log data and vulnerability log data from the public database at a preset interval; performing data cleaning on the product log data and vulnerability log data, and performing key field extraction on the cleaned product log data and vulnerability log data to obtain the first product data set and the first vulnerability data set, wherein, after performing the data set acquisition work and obtaining the CPE data set and CVE data set from public databases such as CNNVD at a preset interval, it is necessary to convert the cleaned log data into a unified format, specifically, the processed CPE data may include the following fields: product name (producet), vendor information (vendor), version number (version); the processed CVE data includes the following fields: CVE number (cve_id), vulnerability name (cvename), CNNVD number (cnnvd_id), description (description), vendor (vendor), vulnerability type (type), hazard level (rank), inclusion time (first_t), update time (update_t), etc.

It can be understood that by initially constructing multiple CPE entity objects corresponding to the CVE number through the large language model, and then filling the specific data of the entity objects through the CPE data set, the CPE affected by the current CVE can be obtained after using the large model to extract the information text describing the information in the CVE. The product name, supplier name, version number and other information mentioned here are data fields contained in the CPE entity, and the definition specification of the CPE itself also includes this information, that is, the initially produced CPE entity object and the CPE data set both include product name, supplier name, version number and other information. The difference between the two is that the data in the CPE data set is more detailed or more correct, so data supplementation is needed.

In some embodiments, obtaining a second product data set and a second vulnerability data set from multiple devices includes: obtaining product vulnerability data of multiple devices by calling multiple product vulnerability scanning interfaces; performing key field extraction processing on the multiple product vulnerability data based on a preset format conversion tool to obtain a second product data set and a second vulnerability data set, wherein the second vulnerability data set includes vulnerability information of multiple devices, and the second product data set includes product information corresponding to the vulnerability information of multiple devices, wherein a unified and automated data format conversion tool is used to convert product vulnerability data of different manufacturers into a unified data format to solve the problem of data inconsistency, and the second product data set is product vulnerability data corresponding to different image ImageIDs obtained by calling product vulnerability scanning interfaces provided by various manufacturers. After the product vulnerability data is converted into a unified format using the format conversion tool, the product vulnerability data corresponding to the same image ID can be associated based on ImageID as the association basis to obtain a CVE list and a CPE list corresponding to the current image ID, and then the CPE entity alignment result is associated with the ImageID and the CVE, and the data output form of the ImageID-CVE-CPEs data table is used. Compared with the traditional CPE entity alignment method which often only outputs the CPE entity alignment result, the form of the ImageID-CVE-CPEs data table can facilitate the target range network attack behavior analysis, attack tracing and other work.

In some embodiments, the part field in the CPE entity can only use three values: a represents application/software; h represents hardware platform; o represents operating system; the vendor field represents the vendor; the product field represents the product name; the version field represents the release version, and the value of this attribute should be a version string composed of letters and numbers of the product released by the vendor; the update field represents the update version, and the value of this attribute should be a string composed of letters and numbers, indicating a specific update or service pack of the product, such as sp3; the edition field represents that it is not recommended to use in the 2.3 version specification, unless backward compatibility with the CPE specification version 2.2 is required, otherwise it should be assigned the logical value ANY; the language field represents [RFC5646 ] defined valid language tags, and used to define the languages supported in the user interface of the described product, such as en, us, etc.; based on the above fields, data supplement processing is performed on multiple product entities based on the first product data set, and the process of using the complete CPE information obtained from CNNVD to supplement certain missing fields in the constructed CPE entity includes: matching according to the vendor, product, and version fields. If the three field information of the constructed product entity exists, the CPE information of CNNVD and other available fields are used to complete the field information of the constructed product entity; if part of the three field information of the constructed product entity is missing, resulting in an inability to accurately match, the constructed product entity is discarded.

In some embodiments, it can be understood that after constructing multiple product entities corresponding to multiple vulnerability entities based on the first vulnerability data set and determining the correspondence between the product entity and the CVEID, the product entity data associated with the CVEID can be stored in the CVE-CPEs association mapping table to complete the construction of the CVE-CPEs association mapping table, and then the CVE list and the CVE-CPEs association mapping table can be collided based on the CVE data corresponding to the CVEID in the subsequent process, and multiple candidate product entity data associated with the target vulnerability entity in the second vulnerability data set can be selected from the multiple product entity data.

In some embodiments, multiple product vulnerability scanning interfaces are called to obtain product vulnerability data of multiple devices, including: obtaining product data of the target device by calling a product scanning interface provided by a first manufacturer; obtaining vulnerability data of the target device by calling a vulnerability scanning interface provided by a second manufacturer; wherein the product data and the vulnerability data have the same image identifier, different devices have different image identifiers, and the data in the second product data set and the second vulnerability data set are associated through the image identifier, so the target image identifier corresponding to the target vulnerability entity can be obtained from the second vulnerability data set; the target product information corresponding to the target image identifier is obtained from the second product data set, and the target product information corresponding to the target vulnerability entity is obtained from the second product data set.

Referring to FIG. 2 , FIG. 2 is a flowchart of determining target product entity data provided by an embodiment of the present application; in some embodiments, the matching coefficient between the target product information and a plurality of candidate product entity data is calculated, and the target product entity data is determined from the plurality of candidate product entity data based on the matching coefficient, including but not limited to:

Step S210, based on a preset text dictionary library, respectively calculating the matching coefficient between the target product information and each candidate product entity data;

Step S220: determine the candidate product entity data corresponding to the highest matching coefficient as the target product entity data corresponding to the target vulnerability entity.

In some embodiments, the text dictionary library includes Chinese and English dictionary libraries, which are used to perform matching queries on target product information and target product entity data, and the candidate product entity data corresponding to the highest matching coefficient is determined as the target product entity data corresponding to the target vulnerability entity, so as to achieve dictionary-based matching consistency judgment of the entity data.

Referring to FIG. 3 , FIG. 3 is another flowchart of determining target product entity data provided by an embodiment of the present application; in some embodiments, after respectively calculating the matching coefficient between the target product information and each candidate product entity data based on a preset text dictionary library, the method further includes but is not limited to:

Step S310, when the highest matching coefficient is greater than the coefficient threshold, determining the candidate product entity data corresponding to the highest matching coefficient as the target product entity data corresponding to the target vulnerability entity;

Step S320, when the highest matching coefficient is less than or equal to the coefficient threshold, respectively calculate the word vector similarity coefficient and the edit distance similarity coefficient between the target product information and each candidate product entity data, and determine the target product entity data from multiple candidate product entity data based on the matching coefficient, the word vector similarity coefficient and the edit distance similarity coefficient.

It is understandable that the traditional CPE entity alignment method is insensitive to CPE variants when using string matching or rule-based matching methods, and is prone to mismatching. In addition, the traditional product vulnerability data association method is based on fingerprint information for matching, but it cannot consider the contextual information of the fingerprint, so the fingerprint may be matched incorrectly. Therefore, the embodiment of the present application proposes a multi-layer fuzzy matching process corresponding to the above steps S310 to S320, which can then calculate the similarity between entities according to the levels of coarse screening (dictionary-based matching) and subdivision (based on edit distance, based on word vector space similarity); on this basis, the product vulnerability data obtained from different manufacturers are associated with the data, and the candidate set is screened out and input into the multi-layer entity alignment model to calculate the entity similarity.

In some embodiments, target product entity data is determined from multiple candidate product entity data based on the matching coefficient, word vector similarity coefficient and edit distance similarity coefficient, including: weighted calculation of the matching coefficient, word vector similarity coefficient and edit distance similarity coefficient based on a preset weight configuration to obtain an aggregated similarity coefficient; the candidate product entity data corresponding to the highest aggregated similarity coefficient is determined as the target product entity data corresponding to the target vulnerability entity. It can be understood that after using the Chinese and English dictionary libraries to perform a matching query on the queried CPE entity, if the highest matching coefficient is greater than the coefficient threshold, and the query result is consistent with the CPE entity data, the entity alignment operation is only implemented through dictionary library matching; if the matching consistency judgment based on the dictionary library fails, the similarity matching method is used instead to evaluate the matching degree of the entity based on the calculation based on the word vector space distance similarity and the edit distance similarity. Specifically, the calculation method based on word vector space distance similarity involves inputting the query CPE entity data and the CPE entity data into the BERT-BiLSTM-CRF pre-training model to obtain the corresponding vector representations, and then calculating the vector cosine similarity between the two, and screening out the CPE entity data with the highest similarity; while the similarity method based on edit distance measures the similarity between two strings by calculating the minimum number of operations (including modification, insertion and deletion) required to transform from one string to another. In the present invention, the Smith-Waterman distance algorithm is mainly used to calculate the CPE string with the smallest distance from the query CPE entity, and use it as the candidate CPE entity data. Finally, the similarity scores obtained by aligning the above two layers of entities are aggregated by score aggregation. The relevant weights of score aggregation can be shown in Table (1):

Table (1) Rating aggregation weight configuration

When the highest matching coefficient is greater than the coefficient threshold, the scoring weights of dictionary-based matching, word vector similarity, and edit distance similarity are 1:0:0 respectively; when the highest matching coefficient is less than or equal to the coefficient threshold, the scoring weights of dictionary-based matching, word vector similarity, and edit distance similarity are 0.2:0.4:0.4 respectively. By adopting a multi-layer fuzzy matching method, the coarse screening method of dictionary matching is first used for fast matching, and then the edit distance and word vector similarity distance methods are used for precise matching, which effectively improves the efficiency of entity alignment.

Referring to FIG. 4 , FIG. 4 is a flowchart of constructing multiple product entities according to an embodiment of the present application; in some embodiments, multiple product entities corresponding to multiple vulnerability entities are constructed according to the first vulnerability data set, including but not limited to:

Step S410, performing information extraction processing on the first vulnerability data set based on a preset large language model to obtain multiple product information corresponding to multiple vulnerability entities;

Step S420: construct multiple product entities according to multiple product information.

In some embodiments, the large language model includes a ChatGPT large model, which inputs the description dictionary information of the CVE in the first vulnerability data set into ChatGPT to extract key information, extracts product information such as the product name, supplier name, version number, etc. affected by the current CVE, so as to construct multiple CPE product entities, and then the CPE data set obtained and constructed from CNNVD can be used in subsequent steps, that is, the second product data set is used to supplement the constructed CPE entity data.

It is understandable that compared with the traditional CPE entity alignment method which mainly adopts the string matching-based method, which is prone to missed matches and false matches, the present application adopts the product vulnerability association method. First, by constructing a product vulnerability association data set and using the ChatGPT large model to extract CPE entity information, ChatGPT has excellent language understanding capabilities and can accurately extract CPE entity information from the CVE description text, thereby ensuring a high degree of accuracy. As a result, during the alignment process, the present application can further collide with the entity set to narrow the candidate set range for entity alignment, thereby improving the accuracy and efficiency of the alignment and enhancing the overall processing efficiency.

Referring to FIG. 5 , FIG. 5 is a flowchart of obtaining multiple candidate product entity data provided by an embodiment of the present application; in some embodiments, based on the association relationship between the vulnerability entity and the product entity data, multiple candidate product entity data associated with the target vulnerability entity in the second vulnerability data set are selected from the multiple product entity data, including but not limited to:

Step S510, obtaining vulnerability information of a target vulnerability entity in a second vulnerability data set, and determining a vulnerability entity corresponding to the vulnerability information from a plurality of vulnerability entities;

Step S520 , based on the association relationship between the vulnerability entity and the product entity data, a plurality of candidate product entity data associated with the vulnerability entity corresponding to the vulnerability information are selected from the plurality of product entity data.

In some embodiments, a CVE-CPEs association mapping table can be generated by obtaining multiple product entity data corresponding to multiple vulnerability entities. The CVE-CPEs association mapping table can be understood as a complete set obtained and constructed through CNNVD, while the CVE list obtained by scanning using the manufacturer interface only contains the vulnerability information contained on the machine corresponding to the ImageID, which is a subset. The purpose of the collision between the two is to search in the complete set association mapping table, that is, to select multiple candidate product entity data associated with the vulnerability entity corresponding to the vulnerability information from multiple product entity data to obtain a CPE candidate set. The CPE entity information in this data is standardized, and the CPE obtained by this application using the manufacturer interface is defective in naming standardization and field integrity. Therefore, it is necessary to determine the target product entity data from multiple candidate product entity data to standardize the product information on each device of this application and achieve product entity alignment of associated vulnerabilities.

In some embodiments, in the process of obtaining vulnerability information and determining vulnerability entities, the system can extract detailed information of a specific vulnerability from the second vulnerability data set, which may include a CVE identifier, a vulnerability description, an impact range, etc., and identify entities that match the target vulnerability information from all possible vulnerability entities, so as to identify potentially affected products by using the association relationship between known vulnerability entities and product entities after determining the specific vulnerability entity. The association relationship can be realized by obtaining a CVE-CPEs association mapping table of a plurality of product entity data structures corresponding to the plurality of vulnerability entities as described above. The association mapping table contains the correspondence between CVE and the potentially affected CPE. It can be understood that Yes, the above process of determining the vulnerability entity corresponding to the vulnerability information from multiple vulnerability entities is to match each CVE in the CVE list corresponding to the second product data set with the CVE-CPEs association mapping table to determine which CPEs may be affected by a specific CVE, narrow the scope, and generate a candidate CPE entity set, that is, to realize the collision of the CVE list and the CVE-CPEs association mapping table. Through the collision process, the system can generate a narrowed candidate CPE entity set. The candidate CPE entity set includes all product entities that may be affected by the target CVE, effectively reducing the amount of data that needs further analysis, thereby speeding up the efficiency of subsequent entity alignment and vulnerability management.

Refer to Figure 6, which is an example flow chart of a method for processing product data associated with a vulnerability provided in an embodiment of the present application; in some embodiments, in order to more efficiently and accurately complete the CPE entity alignment of the target range product data, construct an ImageID-CVE-CPEs data table that can be effectively applied to the target range network attack behavior analysis, attack tracing and other tasks, the present application consists of three modules: associated data set construction, multi-layer fuzzy matching model and alignment module. Among them, corresponding to the associated data set construction process, the present application can use a large language model such as the ChatGPT large model to parse the public CVE entity data obtained from CNNVD at a preset interval, extract the CPE entity list affected by the current vulnerability, and use a multi-layer fuzzy matching module based on the CPE entity database obtained from CNNVD at a preset interval to complete and calibrate the parsed CPE entity data, and obtain multiple product entity data corresponding to multiple vulnerability entities to construct a CVE-CPEs association mapping table; at the same time, the corresponding entity Alignment process, the present application can be based on a real network attack scenario simulated by a network target range. The method uses a data format conversion module to convert product vulnerability scanning results of different manufacturers into data with a unified format, and based on a unified image identifier ImageID, realizes the association between product data and vulnerability data, collides it with the CVE-CPEs association mapping table, and selects multiple candidate product entity data associated with the target vulnerability entity in the second vulnerability data set from multiple product entity data, that is, obtains the CVE-CPEs entity candidate set corresponding to the current ImageID; further, a multi-layer fuzzy matching model is used in the entity alignment process, and the target product entity data is determined from multiple candidate product entity data based on the matching coefficient and the similarity coefficient, and the ImageID-CVE-CPEs data table is updated to prepare for security analysts to perform attack detection, security analysis and other tasks, and the above process also has the advantages of automated construction, and the constructed data table can be effectively applied to network attack behavior analysis, attack tracing and other research work in the target range.

Refer to Figure 7, which is an example flow chart of obtaining multiple product entity data provided by an embodiment of the present application; in some embodiments, corresponding to the associated data set construction process in Figure 7, in order to provide data support for the subsequent alignment process, the present application needs to first construct a basic product vulnerability associated data set, including data acquisition, key information extraction and associated data table construction. Specifically, first perform data acquisition work, and obtain public CVE data and CPE data from the National Information Security Vulnerability Database and the National Information Security Vulnerability Sharing Platform at preset intervals; then parse the CVE data and CPE data to complete the extraction of key information. Finally, based on the descriptive text content of CVE, use the ChatGPT large model to extract the CPE list (CPEs) affected by the current CVE, and use the CPE data set to repair and improve the current CPE list (CPEs), that is, obtain CPE-CPEs association mapping table data to provide data support for the subsequent CPE entity alignment module.

Refer to Figure 8, which is an example flow chart of calculating the matching coefficient provided by an embodiment of the present application; in some embodiments, corresponding to the multi-layer fuzzy matching process in Figure 8, the model can use three methods, namely, dictionary-based numerical matching, edit distance-based similarity calculation, and word vector space distance-based similarity calculation, to complete the matching of entity values and the calculation of entity value similarity in sequence. Specifically, the entity values can be first matched based on the Chinese and English dictionary library and the synonym dictionary; for entity values that cannot be effectively matched, the similarity between entities is calculated respectively using a similarity function based on the edit distance (Smith-Waterman) distance and a word vector model; finally, by scoring and aggregating the two similarities, an entity object with the highest similarity score is obtained, wherein the word vector model can be a named entity recognition model BERT-Bi-LSTM-CRF. It can be understood that the matching process in Figure 8 is the matching between specific entity data. Referring to the CPE entity correspondence, the target product information corresponding to the target vulnerability entity is obtained from the second product data set, and the CPE entity to be queried is the candidate product entity data corresponding to the target vulnerability entity.

Refer to Figure 9, which is an example flow chart of determining the target product entity data provided by an embodiment of the present application; in some embodiments, corresponding to the multi-layer fuzzy matching CPE entity alignment process in Figure 9, in order to achieve alignment of product data scanned by different manufacturers with the CPE entity data set, the module includes three steps of scanning data unified format conversion, scanning data product vulnerability association, and entity alignment calculation. Specifically, first, a format conversion tool may be used to convert the format of product vulnerability data scanned by different manufacturers to obtain scanned CVE and CPE data in a unified format; then, the image identifier ImageID is used to associate the scanned CVE and CPE data to obtain ImageID. ID-CVE-CPEs data table; for the CVEs list of the mirror ImageID, use CVEID to collide the CVE data set to obtain a CPEs entity candidate set with a smaller data volume, that is, select multiple candidate product entity data associated with the target vulnerability entity in the second vulnerability data set from multiple product entity data; finally, use a multi-layer fuzzy matching model to calculate the similarity between the CPEs entity candidate set and the query CPE entity data, select the entity with the highest similarity score, and update the ImageID-CVE-CPEs data table to complete the entity alignment process. The manufacturer product vulnerability scanning interfaces 1 to n in Figure 9 correspond to multiple different manufacturers.

The embodiment of the present application also provides a processing device for product data associated with a vulnerability, including: a data acquisition module, used to acquire a first product data set and a first vulnerability data set from a public database, and to acquire a second product data set and a second vulnerability data set from multiple devices; an entity construction module, used to construct multiple product entities corresponding to multiple vulnerability entities according to the first vulnerability data set; a data supplement module, used to perform data supplement processing on multiple product entities based on the first product data set to obtain multiple product entity data corresponding to the multiple vulnerability entities; an entity association module, used to select multiple candidate product entity data associated with a target vulnerability entity in a second vulnerability data set from multiple product entity data based on the association relationship between the vulnerability entity and the product entity data; an entity determination module, used to acquire target product information corresponding to the target vulnerability entity from the second product data set; an entity alignment module, used to calculate a matching coefficient between the target product information and the multiple candidate product entity data, and determine the target product entity data from the multiple candidate product entity data based on the matching coefficient. Among them, the processing device of vulnerability-associated product data can be used to execute the processing method of vulnerability-associated product data mentioned in any of the above embodiments, so as to achieve the corresponding vulnerability-product association relationship based on a public database, thereby determining the product entity data corresponding to the vulnerability in the target device, realizing product entity alignment of associated vulnerabilities, and effectively improving the accuracy and reliability of product entity alignment, so it will not be repeated here.

Some embodiments of the present application provide an electronic device. FIG10 is a schematic diagram of the structure of the electronic device provided by an embodiment of the present application. Referring to FIG10 , the electronic device includes a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, a method for processing product data associated with a vulnerability in any of the above-described embodiments is implemented, for example, method steps S110 to S150 in FIG1 , method steps S210 to S220 in FIG2 , method steps S310 to S320 in FIG3 , method steps S410 to S420 in FIG4 , and method steps S510 to S520 in FIG5 are executed.

The electronic device 1000 of the embodiment of the present application includes one or more processors 1010 and a memory 1020. FIG. 10 takes one processor 1010 and one memory 1020 as an example.

The processor 1010 and the memory 1020 may be connected via a bus or other means, and FIG10 takes the connection via a bus as an example.

The memory 1020, as a non-transitory computer-readable storage medium, can be used to store non-transitory software programs and non-transitory computer executable programs. In addition, the memory 1020 may include a high-speed random access memory, and may also include a non-transitory memory, such as at least one disk storage device, a flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory 1020 may optionally include a memory 1020 remotely disposed relative to the processor 1010, and these remote memories may be connected to the electronic device 1000 via a network. At the same time, examples of the above-mentioned network include but are not limited to the Internet, an intranet, a local area network, a mobile communication network, and a combination thereof.

In some embodiments, when the processor executes the computer program, the method for processing product data associated with a vulnerability of any of the above embodiments is executed at preset intervals.

Those skilled in the art will appreciate that the device structure shown in FIG. 10 does not limit the electronic device 1000 , and may include more or fewer components than shown, or combine certain components, or arrange the components differently.

In the electronic device 1000 shown in FIG. 10 , the processor 1010 may be used to call a method for processing vulnerability-associated product data stored in the memory 1020 , thereby implementing the method for processing vulnerability-associated product data.

Based on the hardware structure of the above-mentioned electronic device 1000, various embodiments of the device for processing vulnerability-associated product data of the present application are proposed. At the same time, the non-transient software program and instructions required to implement the method for processing vulnerability-associated product data of the above-mentioned embodiments are stored in the memory. When executed by the processor, the method for processing vulnerability-associated product data of the above-mentioned embodiments is executed.

An embodiment of the present application also provides a computer-readable storage medium, which stores computer-executable instructions, and the computer-executable instructions are used to execute the above-mentioned method for processing product data associated with vulnerabilities, so that the above-mentioned one or more processors can execute the method for processing product data associated with vulnerabilities of any of the above-mentioned embodiments, for example, execute method steps S110 to S150 in Figure 1 described above, method steps S210 to S220 in Figure 2, method steps S310 to S320 in Figure 3, method steps S410 to S420 in Figure 4, and method steps S510 to S520 in Figure 5.

The embodiment of the present application also provides a computer program product, which includes a computer program, and the computer program is stored in a computer-readable storage medium. The processor of the computer device reads the computer program from the computer-readable storage medium, and the processor executes the computer program, so that the computer device executes the method for processing product data associated with the vulnerability of any of the above embodiments, for example, executing the method steps S110 to S150 in Figure 1, the method steps S210 to S220 in Figure 2, the method steps S310 to S320 in Figure 3, the method steps S410 to S420 in Figure 4, and the method steps S510 to S520 in Figure 5 described above.

The device embodiments described above are merely illustrative, and the units described as separate components may or may not be physically separated, that is, they may be located in one place, or they may be distributed on multiple network nodes. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

It will be appreciated by those skilled in the art that all or some of the steps and systems in the methods disclosed above may be implemented as software, firmware, hardware, and appropriate combinations thereof. Some or all physical components may be implemented as software executed by a processor, such as a central processing unit, a digital signal processor, or a microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit. Such software may be distributed on a computer-readable medium, which may include a computer-readable storage medium (or non-transitory medium) and a communication medium (or transient medium). As known to those skilled in the art, the term computer-readable storage medium includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules, or other data). Computer-readable storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD to ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tapes, disk storage or other magnetic storage devices, or any other medium that can be used to store desired information and can be accessed by a computer. Furthermore, it is well known to those skilled in the art that communication media typically embodies computer readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.

The above is a specific description of the preferred implementation of the present application, but the present application is not limited to the above-mentioned implementation mode. Technical personnel familiar with the field can also make various equivalent modifications or substitutions without violating the spirit of the present application. These equivalent modifications or substitutions are all included in the scope defined by the claims of the present application.

Claims (9)

1. A method for processing vulnerability-associated product data, comprising:

Obtaining a first product data set and a first vulnerability data set from a common database, and obtaining a second product data set and a second vulnerability data set from a plurality of devices;

Constructing a plurality of product entities corresponding to a plurality of vulnerability entities according to the first vulnerability data set;

performing data supplementing processing on a plurality of product entities based on the first product data set to obtain a plurality of product entity data corresponding to a plurality of vulnerability entities;

Selecting a plurality of candidate product entity data associated with a target vulnerability entity in the second vulnerability data set from the plurality of product entity data based on the association relationship between the vulnerability entity and the product entity data;

acquiring target product information corresponding to the target vulnerability entity from the second product data set;

calculating the matching coefficient of the target product information and the candidate product entity data, and determining target product entity data corresponding to the target vulnerability entity from the candidate product entity data based on the matching coefficient;

Wherein the obtaining a first product data set and a first vulnerability data set from a common database comprises: obtaining product log data and vulnerability log data from the public database according to a preset interval duration; performing data cleaning processing on the product log data and the vulnerability log data, and performing key field extraction processing on the cleaned product log data and the cleaned vulnerability log data to obtain the first product data set and the first vulnerability data set;

Wherein the acquiring a second product data set and a second vulnerability data set from a plurality of devices comprises: acquiring product vulnerability data of a plurality of devices by calling a plurality of product vulnerability scanning interfaces; performing key field extraction processing on the plurality of product vulnerability data based on a preset format conversion tool to obtain a second product dataset and a second vulnerability dataset, wherein the second vulnerability dataset comprises vulnerability information of a plurality of devices, and the second product dataset comprises product information corresponding to the vulnerability information of the plurality of devices;

The constructing a plurality of product entities corresponding to the plurality of vulnerability entities according to the first vulnerability data set includes: information extraction processing is carried out on the first vulnerability data set based on a preset large language model, so that a plurality of product information corresponding to a plurality of vulnerability entities are obtained; constructing a plurality of product entities according to a plurality of the product information;

Wherein the selecting, based on the association between the vulnerability entity and the product entity data, a plurality of candidate product entity data associated with the target vulnerability entity in the second vulnerability data set from the plurality of product entity data includes: obtaining vulnerability information of a target vulnerability entity in the second vulnerability data set, and determining a vulnerability entity corresponding to the vulnerability information from a plurality of vulnerability entities; selecting a plurality of candidate product entity data associated with the vulnerability entity corresponding to the vulnerability information from the plurality of product entity data based on the association relation between the vulnerability entity and the product entity data;

the second product data set and the data in the second vulnerability data set are associated through the mirror image identifiers, and the obtaining the target product information corresponding to the target vulnerability entity from the second product data set includes: acquiring a target mirror image identifier corresponding to the target vulnerability entity from the second vulnerability data set; acquiring target product information corresponding to the target mirror image identifier from the second product data set;

The vulnerability entity is a specific security vulnerability defined in the first vulnerability data set, and the product entity is a product instance object under the specific security vulnerability and constructed according to the information in the first vulnerability data set.

2. The method for processing vulnerability-associated product data according to claim 1, wherein the calculating a matching coefficient between the target product information and the plurality of candidate product entity data, and determining target product entity data corresponding to the target vulnerability entity from the plurality of candidate product entity data based on the matching coefficient, comprises:

Based on a preset text dictionary library, calculating a matching coefficient between the target product information and each candidate product entity data;

And determining the candidate product entity data with the highest matching coefficient as target product entity data corresponding to the target vulnerability entity.

3. The method for processing vulnerability-associated product data according to claim 2, wherein after calculating the matching coefficients between the target product information and each candidate product entity data based on a preset text dictionary library, the method further comprises:

Under the condition that the highest matching coefficient is larger than a coefficient threshold value, determining the candidate product entity data corresponding to the highest matching coefficient as target product entity data corresponding to the target vulnerability entity;

and under the condition that the highest matching coefficient is smaller than or equal to a coefficient threshold value, respectively calculating a word vector similarity coefficient and an editing distance similarity coefficient between the target product information and each candidate product entity data, and determining the target product entity data from a plurality of candidate product entity data based on the matching coefficient, the word vector similarity coefficient and the editing distance similarity coefficient.

4. A method of processing vulnerability-associated product data as recited in claim 3, wherein the determining the target product entity data from a plurality of the candidate product entity data based on the matching coefficients, the word vector similarity coefficients, and the edit distance similarity coefficients comprises:

weighting calculation is carried out on the matching coefficient, the word vector similarity coefficient and the editing distance similarity coefficient based on preset weight configuration so as to obtain an aggregate similarity coefficient;

and determining the candidate product entity data corresponding to the highest aggregation similarity coefficient as the target product entity data.

5. The method for processing vulnerability-associated product data according to claim 1, wherein the step of obtaining the product vulnerability data of the plurality of devices by calling the plurality of product vulnerability scanning interfaces comprises:

Acquiring product data of target equipment by calling a product scanning interface provided by a first manufacturer;

acquiring vulnerability data of the target equipment by calling a vulnerability scanning interface provided by a second manufacturer;

wherein the product data and the vulnerability data have the same mirror image identification.

6. The method of processing vulnerability-associated product data of claim 1, further comprising:

after determining the target product entity data corresponding to the target vulnerability entities of the devices, constructing a product entity alignment table for representing the association relationship among the devices, the target vulnerability entities and the target product entity data.

7. A device for processing vulnerability-associated product data, comprising:

The data acquisition module is used for acquiring a first product data set and a first loophole data set from the public database and acquiring a second product data set and a second loophole data set from a plurality of devices;

The entity construction module is used for constructing a plurality of product entities corresponding to a plurality of vulnerability entities according to the first vulnerability data set;

The data supplementing module is used for carrying out data supplementing processing on the plurality of product entities based on the first product data set so as to obtain a plurality of product entity data corresponding to the plurality of vulnerability entities;

The entity association module is used for selecting a plurality of candidate product entity data associated with the target vulnerability entity in the second vulnerability data set from the plurality of product entity data based on the association relation between the vulnerability entity and the product entity data;

the entity determining module is used for acquiring target product information corresponding to the target vulnerability entity from the second product data set;

The entity alignment module is used for calculating the matching coefficient of the target product information and the candidate product entity data, and determining target product entity data corresponding to the target vulnerability entity from the candidate product entity data based on the matching coefficient;

Wherein the obtaining a first product data set and a first vulnerability data set from a common database comprises: obtaining product log data and vulnerability log data from the public database according to a preset interval duration; performing data cleaning processing on the product log data and the vulnerability log data, and performing key field extraction processing on the cleaned product log data and the cleaned vulnerability log data to obtain the first product data set and the first vulnerability data set;

Wherein the acquiring a second product data set and a second vulnerability data set from a plurality of devices comprises: acquiring product vulnerability data of a plurality of devices by calling a plurality of product vulnerability scanning interfaces; performing key field extraction processing on the plurality of product vulnerability data based on a preset format conversion tool to obtain a second product dataset and a second vulnerability dataset, wherein the second vulnerability dataset comprises vulnerability information of a plurality of devices, and the second product dataset comprises product information corresponding to the vulnerability information of the plurality of devices;

The constructing a plurality of product entities corresponding to the plurality of vulnerability entities according to the first vulnerability data set includes: information extraction processing is carried out on the first vulnerability data set based on a preset large language model, so that a plurality of product information corresponding to a plurality of vulnerability entities are obtained; constructing a plurality of product entities according to a plurality of the product information;

Wherein the selecting, based on the association between the vulnerability entity and the product entity data, a plurality of candidate product entity data associated with the target vulnerability entity in the second vulnerability data set from the plurality of product entity data includes: obtaining vulnerability information of a target vulnerability entity in the second vulnerability data set, and determining a vulnerability entity corresponding to the vulnerability information from a plurality of vulnerability entities; selecting a plurality of candidate product entity data associated with the vulnerability entity corresponding to the vulnerability information from the plurality of product entity data based on the association relation between the vulnerability entity and the product entity data;

the second product data set and the data in the second vulnerability data set are associated through the mirror image identifiers, and the obtaining the target product information corresponding to the target vulnerability entity from the second product data set includes: acquiring a target mirror image identifier corresponding to the target vulnerability entity from the second vulnerability data set; acquiring target product information corresponding to the target mirror image identifier from the second product data set;

The vulnerability entity is a specific security vulnerability defined in the first vulnerability data set, and the product entity is a product instance object under the specific security vulnerability and constructed according to the information in the first vulnerability data set.

8. An electronic device, comprising:

At least one processor;

At least one memory for storing at least one program;

A method of processing vulnerability-associated product data as claimed in any one of claims 1 to 6 when at least one of said programs is executed by at least one of said processors.

9. A computer readable storage medium storing computer executable instructions for performing a method of processing vulnerability-associated product data as claimed in any one of claims 1 to 6.