CN109818984A - Vulnerability defense method and device - Google Patents

Publication number
CN109818984A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910285115.2A
Other languages
Chinese (zh)
Inventor
王照文
邹帮山
秦旭果
孙鹏飞
韩秀文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jilin Billion Bank Ltd By Share Ltd
Original Assignee
Jilin Billion Bank Ltd By Share Ltd
Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The present invention provides a vulnerability defense method and device. The method comprises: obtaining vulnerability information of a vulnerability, wherein the vulnerability information includes at least the network address where the vulnerability is located; determining, based on the network address of the vulnerability in the vulnerability information, the defense system that needs a defense policy; judging whether the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information, wherein the defense policy is used to defend against the vulnerability; and, if it is judged that it does, controlling the defense system that needs a defense policy to enable the defense policy corresponding to the vulnerability information. The scanning system and the defense system are thereby linked precisely through the vulnerabilities the enterprise has already found, so that while a discovered vulnerability is in its critical period the defense system applies a defense policy to it in time, protecting system and information security during the critical period and keeping the information system running stably.

Description

Vulnerability defense method and device
Technical field
The invention belongs to the technical field of network security, and more particularly relates to a vulnerability defense method and device.
Background
With the rapid development of the Internet, all kinds of business are now provided to the outside through IT systems. As external attack means and techniques keep improving, new security vulnerabilities appear every day in the IT infrastructure (operating systems, databases, middleware, etc.) that carries these business functions. On the one hand, security vendors provide detection equipment and protection equipment to detect and protect against vulnerabilities. On the other hand, enterprises purchase such equipment to ensure the security of their information systems.
At present, enterprises handle vulnerabilities in the basic environment as follows: the system is scanned to find vulnerabilities, and the vulnerabilities found are patched and hardened. To preserve the continuity of business applications, defense equipment does not enable a policy that blocks all attacks. If the environment in which the vulnerability is found is a production environment, the patch can be applied to the vulnerability only after functional verification has been completed in a test environment. There is therefore a critical period between finding a vulnerability and patching it. If the vulnerability is maliciously attacked during this critical period, private information may be obtained or, in more serious cases, the system may be paralyzed.
Summary of the invention
In view of this, the purpose of the present invention is to provide a vulnerability defense method and device that defend against a vulnerability through a defense system during the critical period.
This application provides a vulnerability defense method, comprising:
obtaining vulnerability information of a vulnerability, wherein the vulnerability information includes at least the network address where the vulnerability is located;
determining, based on the network address of the vulnerability in the vulnerability information, the defense system that needs a defense policy;
judging whether the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information, wherein the defense policy is used to defend against the vulnerability;
if it is judged that the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information, controlling the defense system that needs a defense policy to enable the defense policy corresponding to the vulnerability information.
Optionally, obtaining the vulnerability information of the vulnerability comprises:
calling a vulnerability scanning system to scan, and obtaining the vulnerability;
obtaining the vulnerability information of the vulnerability.
Optionally, judging whether the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information comprises:
obtaining the Common Vulnerabilities and Exposures (CVE) number of the vulnerability;
judging whether a CVE number of the defense system that needs a defense policy is identical to the CVE number of the vulnerability;
wherein, if it is judged that a CVE number of the defense system that needs a defense policy is identical to the CVE number of the vulnerability, it is judged that the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information.
Optionally, determining, based on the network address of the vulnerability in the vulnerability information, the defense system that needs a defense policy comprises:
obtaining, based on the network address of the vulnerability in the vulnerability information, the network access path for accessing the system where the vulnerability is located;
determining the defense system on the network access path as the defense system that needs a defense policy.
Optionally, the method further comprises:
if it is judged that the defense system that needs a defense policy has no defense policy corresponding to the vulnerability information, determining that the priority of the vulnerability that has no corresponding defense policy in the defense system that needs a defense policy is high;
sending the vulnerability information carrying the priority to a vulnerability hardening system, wherein a vulnerability whose priority is high is hardened preferentially by the vulnerability hardening system.
Present invention also provides a kind of defence installations of loophole, comprising:
Obtaining unit, for obtaining the vulnerability information of loophole;Wherein, including at least where loophole in the vulnerability information Network address;
System of defense determination unit, for determining based on the network address where the loophole in the vulnerability information Need to formulate the system of defense of defence policies out;
Judging unit, for judging in the system of defense for needing to formulate defence policies, if there is the vulnerability information Corresponding defence policies;Wherein, the defence policies are for being on the defensive to the loophole;
First execution unit, if judging the system of defense for needing to formulate defence policies for the judging unit In, there are the corresponding defence policies of the vulnerability information, then control the system of defense for needing to formulate defence policies, described in unlatching Defence policies corresponding with the vulnerability information.
Optionally, the obtaining unit, comprising:
Subelement is called to obtain loophole for calling vulnerability scanning class system to be scanned;
First obtains subelement, for obtaining the vulnerability information of the loophole.
Optionally, the judging unit, comprising:
Second obtains subelement, for obtaining the public loophole and exposure CVE number of the loophole;
Judgment sub-unit, for judge the system of defense for needing to formulate defence policies CVE number, if having with The CVE number of the loophole is identical;
Wherein, if judging the CVE number of the system of defense for needing to formulate defence policies, the CVE with the loophole It numbers identical, then judges in the system of defense for needing to formulate defence policies there is the corresponding defence plan of the vulnerability information Slightly.
Optionally, the system of defense determination unit, comprising:
Network access path determines subelement, for based on the network where the loophole in the vulnerability information Location obtains the network access path of system where accessing the loophole;
System of defense determines subelement, anti-for the system of defense in the network access path to be determined as needing to formulate Drive the system of defense of strategy.
Optionally, described device further include:
Second execution unit, if for judging in the system of defense for needing to formulate defence policies, without the leakage The corresponding defence policies of hole information, it is determined that need to formulate the loophole for not having corresponding defence policies in the system of defense of defence policies Priority be height;
Transmission unit, for the vulnerability information for carrying the priority to be sent to loophole hardened system, wherein described excellent First grade is that high loophole is preferentially reinforced by the loophole hardened system.
From above-mentioned technical proposal it is found that in the defence method and device of a kind of loophole provided by the present application, by based on leakage The network address where loophole in the information of hole determines the system of defense for needing to formulate defence policies, and controls and need to formulate The system of defense of defence policies opens defence policies corresponding with vulnerability information, to realize vulnerability scanning class system and prevent Imperial system is based on the linkage of accurate vulnerability information and gets up, and when so that the loophole obtained being in critical time, passes through defence in time System opens defence policies, is on the defensive to loophole, so that privacy information is protected in critical time, so that system is stablized, And the system of defense unlatching and defence policies corresponding with vulnerability information for needing to formulate defence policies are controlled, so that system of defense It is targetedly on the defensive to loophole, improves defence efficiency, so that it is horizontal to improve system general safety.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a specific flowchart of a vulnerability defense method provided by an embodiment of the present invention;
Fig. 2 is a specific flowchart of a vulnerability defense method provided by another embodiment of the present invention;
Fig. 3 is a specific flowchart of a vulnerability defense method provided by another embodiment of the present invention;
Fig. 4 is a specific flowchart of a vulnerability defense method provided by another embodiment of the present invention;
Fig. 5 is a schematic diagram of a vulnerability defense device provided by another embodiment of the present invention;
Fig. 6 is a schematic diagram of a vulnerability defense device provided by another embodiment of the present invention.
Detailed description of the embodiments
In order to make the purposes, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
A vulnerability defense method provided by an embodiment of the present invention, as shown in Fig. 1, comprises:
S101, obtaining the vulnerability information of a vulnerability.
A vulnerability is a defect in the specific implementation of hardware, software or a protocol, or in a system security policy, that allows an attacker to access or damage a system without authorization. The vulnerability may be one that exists in an operating system, a database or middleware.
The vulnerability information includes at least the network address where the vulnerability is located.
It should be noted that the vulnerability information may also include information such as the vulnerability name, vulnerability details, the Common Vulnerabilities & Exposures (CVE) number and the vulnerability level. The vulnerability name of each vulnerability is unique. The vulnerability details are the characteristic information of the vulnerability. A CVE number gives a common name to a widely accepted information security vulnerability or to a weakness that has been exposed, and each common vulnerability corresponds to one unique CVE number. The vulnerability level may be the degree of threat to the security of the computer and may be expressed in forms such as, but not limited to, level A, level B and level C, where different levels represent different degrees of security threat.
In a specific implementation of this embodiment, the vulnerability obtained may be obtained by a single principle, or may be the sum of the vulnerabilities obtained by multiple principles, and the vulnerability information obtained may be the vulnerability information of multiple vulnerabilities. A single principle means obtaining one kind of vulnerability by one acquisition method; multiple principles means obtaining one or more kinds of vulnerabilities by multiple acquisition methods.
Optionally, in another embodiment of the present invention, one implementation of step S101, as shown in Fig. 2, comprises:
S201, calling a vulnerability scanning system to scan, and obtaining the vulnerability.
The vulnerability scanning system may be a commercial vulnerability scanning system or an open-source vulnerability scanning system. It looks for vulnerabilities mainly by scanning operating systems, databases, middleware and the like. During scanning, known vulnerabilities are detected mainly through security detection technology, which checks whether the software contains vulnerabilities that have already been published.
S202, obtaining the vulnerability information of the vulnerability.
Specifically, information can be extracted from the vulnerability to obtain the vulnerability information. The vulnerability information includes at least the network address where the vulnerability is located and may also include information such as the vulnerability name, vulnerability details, the CVE number and the vulnerability level. The vulnerability information of the above vulnerability is obtained after the network address where the vulnerability is located, the vulnerability name, the vulnerability details, the CVE number, the vulnerability level and other information have been collated.
It should be noted that, in a specific implementation of this embodiment, operations such as calling and querying can be performed on the vulnerability scanning system, but the function of scanning for vulnerabilities is not provided. While running, the vulnerability scanning system is in the scanning state for long periods, so in a specific implementation of this embodiment the vulnerability can also be obtained by performing a query operation on the vulnerability scanning system and collating the information of the vulnerabilities returned by the query.
S102, determining, based on the network address of the vulnerability in the vulnerability information, the defense system that needs a defense policy; the defense policy is used to defend against the vulnerability.
The defense system may be a commercial intrusion prevention system (Intrusion Prevention System, IPS). Protection is provided mainly by enabling the IPS on the network access path corresponding to the vulnerability, so that this network access path is protected.
Optionally, in another embodiment of the present invention, one implementation of step S102, as shown in Fig. 3, comprises:
S301, obtaining, based on the network address of the vulnerability in the vulnerability information, the network access path of the system where the vulnerability is located.
Specifically, after the vulnerability information is obtained, the network access path that leads to the system where the vulnerability is located is obtained according to the network address of the vulnerability in the vulnerability information. The network access path may be any path in the enterprise internal network and/or the enterprise external network through which the vulnerability can be reached.
It should be noted that the network access path of the vulnerability may be obtained as follows. Based on the network address of the vulnerability in the vulnerability information, the network access path region of the system where the vulnerability is located is determined. This region may be the enterprise internal network, the enterprise external network, or both, and it contains the network access paths of the system where the vulnerability is located. Each network access path in the region is checked one by one to obtain the network access paths of the system where the vulnerability is located. The number of network access paths of the system where the vulnerability is located is at least 1.
S302, determining the defense system on the network access path as the defense system that needs a defense policy.
There may be one network access path or several.
Specifically, when there is one network access path, it is judged whether the number of defense systems on the network access path is 1. If the number of defense systems on the network access path is 1, that defense system is determined as the defense system that needs a defense policy. If the number of defense systems on the network access path is not 1, one of the at least two defense systems is determined as the defense system that needs a defense policy, or the at least two defense systems are all determined as defense systems that need a defense policy.
When there are several network access paths, the defense system that needs a defense policy has to be determined for each network access path. The process and principle of determining the defense system on each network access path are the same as those used when there is one network access path, and are not repeated here.
S103, judgement need to formulate in the systems of defense of defence policies, if the corresponding defence policies of leaky information.
Wherein, the defence policies are for being on the defensive to the loophole, that is to say, that need to formulate the anti-of defence policies The corresponding defence policies of leaky information in imperial system, then the system of defense can be on the defensive to loophole, need to formulate defence There is no the corresponding defence policies of vulnerability information in the system of defense of strategy, then the system of defense can not be on the defensive to loophole.
Specifically, if it is judged that need to formulate in the system of defense of defence policies, the corresponding defence plan of leaky information Slightly, S104 is thened follow the steps.
Optionally, in another embodiment of the present invention, a kind of embodiment of this step S103, comprising:
Obtain the CVE number of loophole.
Specifically, extracting after the scanning of vulnerability scanning class system springs a leak to the vulnerability information of loophole, loophole is obtained CVE number, can also be vulnerability scanning class system scanning spring a leak after, obtain loophole CVE number.
Judgement needs to formulate the CVE number of the system of defense of defence policies, if identical as the CVE number of loophole.
Wherein, in each system of defense, the corresponding CVE number of the public loophole announced can be stored in advance, is corresponded to The information such as defence policies, defence policies, can be to carry out loophole the mode such as to block prevent for being on the defensive to loophole It is imperial.
Specifically, if the CVE number of the system of defense for needing to formulate defence policies and the CVE of the loophole are numbered It is identical, then judge to need to formulate in the system of defense of defence policies, the correspondence defence policies of leaky information.
It should be noted that system of defense can be carried out the operation such as inquiring during the specific implementation of the present embodiment, But do not have the function being on the defensive to loophole.Wherein, by inquiring system of defense, realize that judgement needs to formulate defence The CVE number of the system of defense of strategy, if it is identical as the CVE number of loophole, it specifically includes: getting in system of defense and prestore The corresponding CVE number of loophole, the information such as corresponding defence policies, if the leakage of the CVE number and system of defense of loophole prestored The corresponding CVE number in hole is identical, it is determined that needs to formulate in the system of defense of defence policies, the corresponding defence plan of leaky information Slightly.
Specifically, the CVE of the common loophole of acquisition can be numbered, the name of corresponding defence policies and defence policies Title is stored separately according to common and uncommon loophole, such as stores the defence policies of common loophole to memory, uncommon The defence policies of loophole are stored to database, and if common loophole, then the CVE for directly obtaining loophole numbers corresponding defence plan Slightly, if uncommon loophole, then the CVE number of loophole is obtained, numbers to obtain corresponding defence plan in database further according to CVE Slightly.
That is, by inquiring system of defense, so that judgement needs to formulate the system of defense of defence policies CVE number, if it is identical as the CVE number of loophole, it specifically includes: in the leakage that the system of defense for needing to formulate defence policies prestores It is inquired in the corresponding CVE number in hole whether containing consistent CVE number is numbered with the CVE of loophole, if needing to formulate defence Have in the corresponding CVE number of the loophole that the system of defense of strategy prestores and number consistent CVE number with the CVE of loophole, it is determined that It needs to formulate in the system of defense of defence policies, the correspondence defence policies of leaky information, without will be prestored in system of defense The corresponding CVE number of loophole, corresponding defence policies etc. are stored.
S104, control need to formulate the system of defense of defence policies, open defence policies corresponding with vulnerability information.
Specifically, whether the system of defense that judgement needs to formulate defence policies opens defence plan corresponding with vulnerability information Slightly.
If judging, the system of defense for needing to formulate defence policies is not turned on defence policies corresponding with vulnerability information, The confirmation opening imformation opened request, and obtain system of defense feedback is sent to the system of defense for needing to formulate defence policies, really Recognize the system of defense unlatching defence policies corresponding with vulnerability information for needing to formulate defence policies.
If judging, the system of defense for needing to formulate defence policies has been switched on defence policies corresponding with vulnerability information, Confirmation, which needs to formulate, opens defence policies corresponding with vulnerability information in the system of defense of defence policies.
The defence method of a kind of loophole provided by the embodiments of the present application, by based on the net where the loophole in vulnerability information Network address determines the system of defense for needing to formulate defence policies, and controls the system of defense for needing to formulate defence policies, opens Vulnerability scanning class system and system of defense are based on accurate vulnerability information to realize by defence policies corresponding with vulnerability information Linkage is got up so that the loophole obtained is when be in critical time, in time by system of defense unlatching defence policies, to loophole into Row defence so that system is stablized, and controls so that protecting privacy information in critical time and needs to formulate defence policies System of defense is opened and defence policies corresponding with vulnerability information mention so that system of defense is targetedly on the defensive to loophole Height defence efficiency, so that it is horizontal to improve system general safety.
Optionally, another embodiment of the present invention also discloses a vulnerability defense method, as shown in Fig. 4, comprising:
S401, obtaining the vulnerability information of a vulnerability.
S402, determining, based on the network address of the vulnerability in the vulnerability information, the defense system that needs a defense policy.
S403, judging whether the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information.
Specifically, if it is judged that the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information, step S404 is executed; if it is judged that the defense system that needs a defense policy has no defense policy corresponding to the vulnerability information, step S405 is executed.
S404, controlling the defense system that needs a defense policy to enable the defense policy corresponding to the vulnerability information.
It should be noted that the specific implementations of steps S401, S402, S403 and S404 in this embodiment correspond to steps S101, S102, S103 and S104 in the above embodiment respectively, and are not repeated here.
S405, determining that the priority of the vulnerability that has no corresponding defense policy in the defense system that needs a defense policy is high.
Vulnerabilities are divided into different priorities according to the characteristic information of the vulnerability and the degree of threat it poses to the security of the computer. High-risk level: may cause the computer to be damaged, for example a vulnerability that lets a prevalent Trojan invade the computer system. Common level: does not cause the computer to be damaged, for example a vulnerability that generally does not let a prevalent Trojan invade the computer system.
In a specific implementation of this embodiment, if the defense system that needs a defense policy has no defense policy corresponding to the vulnerability, and it is not known whether the vulnerability can pose a threat to the computer, the priority of the vulnerability is determined to be high.
S406, sending the vulnerability information carrying the priority to the vulnerability hardening system.
A vulnerability whose priority is high is hardened preferentially by the vulnerability hardening system.
For a vulnerability, the vulnerability hardening system can release a patch that fixes the vulnerability, or release a new version of the system after modification. The vulnerability is therefore fixed by downloading the latest patch or the new version of the system from a server in the network. Unnecessary services on the vulnerability's access path can likewise be closed to reduce the threat posed by the vulnerability.
It should be noted that when it is judged that the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information, the priority of the vulnerability is low, and the vulnerability hardening system will preferentially harden the vulnerabilities that have no defense policy.
In this further vulnerability defense method provided by the application, if it is judged that the defense system that needs a defense policy has no defense policy corresponding to the vulnerability information, the priority of the vulnerability is determined to be high and the vulnerability information carrying that priority is sent to the vulnerability hardening system, so that the vulnerability hardening system preferentially hardens the vulnerabilities that have no defense policy, keeping the system stable.
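The flow of steps S401 to S406, written out as a Python sketch. This is an example added here and is not part of the patent text. The class and function names, the placeholder CVE numbers, the addresses, the rule that a single unprotected access path is enough to rate a finding high, and the queueing of low-priority findings alongside high-priority ones are all assumptions of the example.

```python
import heapq
import ipaddress
from dataclasses import dataclass, field

HIGH, LOW = 0, 1  # lower rank is hardened first


@dataclass
class DefenseSystem:
    """Stand-in for an IPS that can be queried and told to enable a policy."""
    name: str
    policies: dict = field(default_factory=dict)  # CVE number -> enabled?

    def has_policy(self, cve):
        return cve in self.policies

    def is_enabled(self, cve):
        return self.policies[cve]

    def enable(self, cve):
        self.policies[cve] = True   # enable request
        return self.policies[cve]   # confirmation fed back by the IPS


@dataclass
class AccessPath:
    """One route by which the vulnerable system can be reached."""
    origin: str        # where the traffic comes from
    destination: str   # CIDR block the path leads to
    defenses: list     # defense systems deployed on the path

    def reaches(self, address):
        return ipaddress.ip_address(address) in ipaddress.ip_network(self.destination)


def handle_finding(finding, topology, hardening_queue):
    """Run S402-S406 for one finding (dict with address, cve, title)."""
    cve, actions, uncovered = finding["cve"], [], []
    # S402 / S301: access paths that lead to the vulnerable address.
    paths = [p for p in topology if p.reaches(finding["address"])]
    for path in paths:
        covered = False
        for ips in path.defenses:            # S302: defense systems on the path
            if not ips.has_policy(cve):      # S403: compare CVE numbers
                continue
            if ips.is_enabled(cve):          # S404: already enabled, just confirm
                state = "already-enabled"
            else:                            # S404: send request, read confirmation
                state = "enabled" if ips.enable(cve) else "enable-failed"
            actions.append((ips.name, state))
            covered = covered or state != "enable-failed"
        if not covered:
            uncovered.append(path.origin)
    # S405 (assumption of this example): one unprotected path, or an address
    # with no known path at all, is enough to rate the finding high.
    priority = HIGH if uncovered or not paths else LOW
    # S406: hand the finding to the hardening system together with its priority.
    heapq.heappush(hardening_queue, (priority, len(hardening_queue), finding["title"]))
    return {"priority": priority, "actions": actions, "uncovered": uncovered}


def demo():
    """Constructed topology and findings; the CVE numbers are placeholders."""
    edge = DefenseSystem("edge-ips", {"CVE-0000-0001": False})
    core = DefenseSystem("core-ips", {"CVE-0000-0001": True, "CVE-0000-0002": False})
    topology = [
        AccessPath("internet", "10.20.0.0/16", [edge]),
        AccessPath("intranet", "10.20.5.0/24", [core]),
    ]
    findings = [
        {"address": "10.20.5.17", "cve": "CVE-0000-0001", "title": "middleware flaw"},
        {"address": "10.20.5.17", "cve": "CVE-0000-0002", "title": "database flaw"},
        {"address": "192.0.2.8", "cve": "CVE-0000-0001", "title": "unmapped host"},
    ]
    queue = []
    results = [handle_finding(f, topology, queue) for f in findings]
    order = [heapq.heappop(queue)[2] for _ in range(len(queue))]
    return results, order


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The second finding shows the case the single-path description leaves open: the intranet path gains protection through an enabled policy while the internet path has none, so the finding is still hardened ahead of the fully covered one.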
For the various method embodiments described above, for simple description, therefore, it is stated as a series of action combinations, but Be those skilled in the art should understand that, the present invention is not limited by the sequence of acts described because according to the present invention, certain A little steps can be performed in other orders or simultaneously.Secondly, those skilled in the art should also know that, it is retouched in specification The embodiment stated belongs to preferred embodiment, and related actions and modules are not necessarily necessary for the present invention.
Another embodiment of the present invention provides a vulnerability defense device which, as shown in Figure 5, comprises:
An obtaining unit 501, configured to obtain vulnerability information.
The vulnerability information includes at least the network address where the vulnerability is located.
A defense system determination unit 502, configured to determine, based on the network address where the vulnerability is located in the vulnerability information, the defense system that needs a defense policy.
A judging unit 503, configured to judge whether the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information.
The defense policy is used to defend against the vulnerability.
A first execution unit 504, configured to, if the judging unit judges that the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information, control that defense system to enable the defense policy corresponding to the vulnerability information.
For the specific working process of the units disclosed in the above embodiment of the present invention, refer to the corresponding method embodiment, as shown in Figure 1; details are not repeated here.
In the vulnerability defense device provided by this embodiment of the present application, the defense system determination unit 602 determines the defense system that needs a defense policy based on the network address where the vulnerability is located in the vulnerability information, and the first execution unit 604 controls that defense system to enable the defense policy corresponding to the vulnerability information. The vulnerability scanning system and the defense system are thereby linked on the basis of accurate vulnerability information, so that when the obtained vulnerability is in a critical period, the defense system enables the defense policy in time and defends against the vulnerability, protecting private information during the critical period and keeping the system stable. Because the defense system that needs a defense policy is controlled to enable the policy corresponding to the vulnerability information, the defense system defends against the vulnerability in a targeted manner, which improves defense efficiency and raises the overall security level of the system.
Optionally, in another embodiment of the present invention, the obtaining unit 501 comprises:
A calling subunit, configured to call a vulnerability scanning system to perform a scan and obtain the vulnerability.
A first obtaining subunit, configured to obtain the vulnerability information of the vulnerability.
For the specific working process of the units disclosed in the above embodiment of the present invention, refer to the corresponding method embodiment, as shown in Figure 2; details are not repeated here.
Optionally, in another embodiment of the present invention, the judging unit 503 comprises:
A second obtaining subunit, configured to obtain the Common Vulnerabilities and Exposures (CVE) number of the vulnerability.
A judging subunit, configured to judge whether any CVE number of the defense system that needs a defense policy is identical to the CVE number of the vulnerability.
If it is judged that a CVE number of the defense system that needs a defense policy is identical to the CVE number of the vulnerability, it is judged that the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information.
For the specific working process of the units disclosed in the above embodiment of the present invention, refer to the content of one implementation of step S103 in the above method embodiment; details are not repeated here.
Optionally, in another embodiment of the present invention, the defense system determination unit comprises:
A network access path determination subunit, configured to obtain, based on the address where the vulnerability is located in the vulnerability information, the network access path for accessing the system where the vulnerability is located;
A defense system determination subunit, configured to determine the defense system on the network access path as the defense system that needs a defense policy.
For the specific working process of the units disclosed in the above embodiment of the present invention, refer to the corresponding method embodiment, as shown in Figure 3; details are not repeated here.
Optionally, in another embodiment of the present invention, the vulnerability defense device, as shown in Figure 6, comprises:
An obtaining unit 601, configured to obtain vulnerability information.
The vulnerability information includes at least the network address where the vulnerability is located.
A defense system determination unit 602, configured to determine, based on the network address where the vulnerability is located in the vulnerability information, the defense system that needs a defense policy.
A judging unit 603, configured to judge whether the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information.
The defense policy is used to defend against the vulnerability.
Specifically, if it is judged that the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information, the process continues at the first execution unit 604; if it is judged that the defense system that needs a defense policy has no defense policy corresponding to the vulnerability information, the process continues at the second execution unit 605.
A first execution unit 604, configured to, if the judging unit judges that the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information, control that defense system to enable the defense policy corresponding to the vulnerability information.
It should be noted that the specific implementations of the obtaining unit 601, the defense system determination unit 602, the judging unit 603 and the first execution unit 604 in this embodiment correspond respectively to the obtaining unit 501, the defense system determination unit 502, the judging unit 503 and the first execution unit 504 in the above embodiment, and are not described again here.
A second execution unit 605, configured to, if it is judged that the defense system that needs a defense policy has no defense policy corresponding to the vulnerability information, determine that the priority of the vulnerability that has no corresponding defense policy in the defense system that needs a defense policy is high.
A sending unit 606, configured to send the vulnerability information carrying the priority to the vulnerability hardening system, wherein vulnerabilities whose priority is high are hardened first by the vulnerability hardening system.
For the specific working process of the units disclosed in the above embodiment of the present invention, refer to the corresponding method embodiment, as shown in Figure 4; details are not repeated here.
It can be seen from the above technical solution that, in the vulnerability defense device provided by the present application, when the judging unit 603 judges that the defense system that needs a defense policy has no defense policy corresponding to the vulnerability information, the second execution unit 605 determines that the priority of the vulnerability is high, and the sending unit 606 sends the vulnerability information carrying that priority to the vulnerability hardening system, so that the vulnerability hardening system preferentially hardens vulnerabilities that have no defense policy, thereby keeping the system stable.
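The linkage flow of units 601 to 606 described above, written out as an added Python example; it is not code from the patent. The class and function names, the CIDR-based model of "defense system on the access path", the placeholder CVE numbers and documentation-range addresses, and the choice to queue low-priority findings behind high-priority ones are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalize_cve(raw):
    """Canonical CVE number, or None when the scanner gave none or garbage."""
    cve = (raw or "").strip().upper()
    return cve if CVE_RE.match(cve) else None


@dataclass
class DefenseSystem:                      # hypothetical model of a WAF/IPS
    name: str
    protects: list                        # CIDR ranges whose access path crosses it
    policies: dict = field(default_factory=dict)   # CVE number -> enabled?

    def on_path_to(self, address):
        addr = ip_address(address)
        return any(addr in ip_network(cidr) for cidr in self.protects)


@dataclass
class Finding:                            # vulnerability information from the scanner
    address: str
    cve: str
    priority: str = ""
    enabled_on: list = field(default_factory=list)


def link(findings, defenses):
    """Enable matching policies; return the hardening queue, high priority first."""
    queue = []
    for f in findings:
        cve = normalize_cve(f.cve)
        # Determination unit: defense systems on the path to the vulnerable address.
        path = [d for d in defenses if d.on_path_to(f.address)]
        for d in path:
            # Judging unit: compare CVE numbers; first execution unit: enable policy.
            if cve is not None and cve in d.policies:
                d.policies[cve] = True
                f.enabled_on.append(d.name)
        # Second execution unit: no policy anywhere on the path means high priority.
        f.priority = "low" if f.enabled_on else "high"
        queue.append(f)
    queue.sort(key=lambda f: f.priority != "high")   # stable: high entries first
    return queue


def demo():
    # Constructed sample data: RFC 5737 addresses and placeholder CVE numbers.
    waf = DefenseSystem("waf", ["192.0.2.0/24"], {"CVE-0000-00001": False})
    ips = DefenseSystem("ips", ["192.0.2.0/24", "198.51.100.0/24"],
                        {"CVE-0000-00001": False, "CVE-0000-00003": False})
    findings = [
        Finding("192.0.2.10", "cve-0000-00001 "),   # policy exists on waf and ips
        Finding("198.51.100.7", "CVE-0000-00002"),  # ips on path, no such policy
        Finding("203.0.113.5", "CVE-0000-00003"),   # policy exists, but off-path
    ]
    return link(findings, [waf, ips]), waf, ips


if __name__ == "__main__":
    for f in demo()[0]:
        print(f.priority, f.address, f.enabled_on)
```

The third finding shows why the path determination matters: a policy with the same CVE number exists, but the defense system holding it is not on the access path to that address, so the finding is still queued as high priority and the policy stays disabled.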
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to one another. Because the device embodiments are basically similar to the method embodiments, they are described relatively briefly; for related details, see the corresponding description of the method embodiments.
Finally, it should also be noted that, herein, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The above is only a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A vulnerability defense method, characterized by comprising:
Obtaining vulnerability information of a vulnerability, wherein the vulnerability information includes at least the network address where the vulnerability is located;
Determining, based on the network address where the vulnerability is located in the vulnerability information, the defense system that needs a defense policy;
Judging whether the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information, wherein the defense policy is used to defend against the vulnerability;
If it is judged that the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information, controlling the defense system that needs a defense policy to enable the defense policy corresponding to the vulnerability information.
2. The method according to claim 1, characterized in that obtaining the vulnerability information of the vulnerability comprises:
Calling a vulnerability scanning system to perform a scan and obtain the vulnerability;
Obtaining the vulnerability information of the vulnerability.
3. The method according to claim 1, characterized in that judging whether the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information comprises:
Obtaining the Common Vulnerabilities and Exposures (CVE) number of the vulnerability;
Judging whether any CVE number of the defense system that needs a defense policy is identical to the CVE number of the vulnerability;
Wherein, if it is judged that a CVE number of the defense system that needs a defense policy is identical to the CVE number of the vulnerability, it is judged that the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information.
4. The method according to claim 1, characterized in that determining, based on the network address where the vulnerability is located in the vulnerability information, the defense system that needs a defense policy comprises:
Obtaining, based on the network address where the vulnerability is located in the vulnerability information, the network access path for accessing the system where the vulnerability is located;
Determining the defense system on the network access path as the defense system that needs a defense policy.
5. The method according to claim 1, characterized by further comprising:
If it is judged that the defense system that needs a defense policy has no defense policy corresponding to the vulnerability information, determining that the priority of the vulnerability that has no corresponding defense policy in the defense system that needs a defense policy is high;
Sending the vulnerability information carrying the priority to a vulnerability hardening system, wherein vulnerabilities whose priority is high are hardened first by the vulnerability hardening system.
6. A vulnerability defense device, characterized by comprising:
An obtaining unit, configured to obtain vulnerability information of a vulnerability, wherein the vulnerability information includes at least the network address where the vulnerability is located;
A defense system determination unit, configured to determine, based on the network address where the vulnerability is located in the vulnerability information, the defense system that needs a defense policy;
A judging unit, configured to judge whether the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information, wherein the defense policy is used to defend against the vulnerability;
A first execution unit, configured to, if the judging unit judges that the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information, control the defense system that needs a defense policy to enable the defense policy corresponding to the vulnerability information.
7. The device according to claim 6, characterized in that the obtaining unit comprises:
A calling subunit, configured to call a vulnerability scanning system to perform a scan and obtain the vulnerability;
A first obtaining subunit, configured to obtain the vulnerability information of the vulnerability.
8. The device according to claim 6, characterized in that the judging unit comprises:
A second obtaining subunit, configured to obtain the Common Vulnerabilities and Exposures (CVE) number of the vulnerability;
A judging subunit, configured to judge whether any CVE number of the defense system that needs a defense policy is identical to the CVE number of the vulnerability;
Wherein, if it is judged that a CVE number of the defense system that needs a defense policy is identical to the CVE number of the vulnerability, it is judged that the defense system that needs a defense policy has a defense policy corresponding to the vulnerability information.
9. The device according to claim 6, characterized in that the defense system determination unit comprises:
A network access path determination subunit, configured to obtain, based on the network address where the vulnerability is located in the vulnerability information, the network access path for accessing the system where the vulnerability is located;
A defense system determination subunit, configured to determine the defense system on the network access path as the defense system that needs a defense policy.
10. The device according to claim 6, characterized by further comprising:
A second execution unit, configured to, if it is judged that the defense system that needs a defense policy has no defense policy corresponding to the vulnerability information, determine that the priority of the vulnerability that has no corresponding defense policy in the defense system that needs a defense policy is high;
A sending unit, configured to send the vulnerability information carrying the priority to a vulnerability hardening system, wherein vulnerabilities whose priority is high are hardened first by the vulnerability hardening system.
CN201910285115.2A 2019-04-10 2019-04-10 The defence method and device of loophole Pending CN109818984A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910285115.2A CN109818984A (en) 2019-04-10 2019-04-10 The defence method and device of loophole

Publications (1)

Publication Number Publication Date
CN109818984A true CN109818984A (en) 2019-05-28

Family

ID=66611752

Country Status (1)

Country Link
CN (1) CN109818984A (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190528