CN109977678A - System vulnerability risk assessment method - Google Patents

System vulnerability risk assessment method

Info

Publication number
CN109977678A
Authority
CN
China
Prior art keywords
vulnerability
software package
software
risk
coefficient
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201711499840.7A
Other languages
Chinese (zh)
Inventor
蓝永成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin Shenghua Productivity Co Ltd
Original Assignee
Tianjin Shenghua Productivity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianjin Shenghua Productivity Co Ltd
Priority to CN201711499840.7A
Publication of CN109977678A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The present invention discloses a system vulnerability risk assessment method, comprising: preprocessing the software package dependency metadata of a software system to construct a software dependency network, wherein the software package dependency metadata is a file recording the information of all software packages in the software system; obtaining vulnerability information and constructing the association between vulnerabilities and software packages according to that information; and assessing the security risk a vulnerability poses to the whole software system, which comprises: calculating an importance coefficient for each node in the software package dependency subgraph; determining the threat coefficient of the vulnerability; calculating the vulnerability risk value of each node according to the threat coefficient; and calculating a comprehensive vulnerability risk value according to the importance coefficient and the vulnerability risk value of each node.

Description

System vulnerability risk assessment method
Technical field
The present invention relates to a system vulnerability risk assessment method.
Background technique
As software systems grow ever more complex and larger in scale, modern software engineering methods such as component-based development have come into wide use. Software systems are rarely developed entirely from scratch; instead they largely reuse or depend on third-party software. This software exists in the form of software packages, components, function libraries, modules, Web services and the like; through agreed interface specifications, and by interacting via function calls, data passing, module composition and similar means, these parts together make up a large and complex software system. Modular software engineering methods favour the reuse of components: complex applications can be built quickly from existing components, greatly improving development efficiency. Some components implement important basic functions, have freely available open source code, enjoy a high reputation and are very widely used, and are therefore all the more likely to be reused in the development of other software systems.
Summary of the invention
The technical problem mainly solved by the invention is to provide a system vulnerability risk assessment method, comprising:
preprocessing the software package dependency metadata of a software system to construct a software dependency network, wherein the software package dependency metadata is a file recording the information of all software packages in the software system;
obtaining vulnerability information, and constructing the association between vulnerabilities and software packages according to the vulnerability information;
assessing the security risk of a vulnerability to the whole software system, which comprises: calculating an importance coefficient for each node in the software package dependency subgraph; determining the threat coefficient of the vulnerability; calculating the vulnerability risk value of each node according to the threat coefficient of the vulnerability; and calculating a comprehensive vulnerability risk value according to the importance coefficient and the vulnerability risk value of each node.
Preferably, according to the software dependency network and the association between vulnerabilities and software packages, the software package having the vulnerability and the other software packages that directly or indirectly depend on that software package are queried, and a software package dependency subgraph is constructed.
Preferably, the importance level of each node in the software package dependency subgraph is determined.
Preferably, determining the threat coefficient of the vulnerability comprises: determining the security level corresponding to the vulnerability, and determining the corresponding threat coefficient according to that security level.
Preferably, the software package information includes the software package name, dependent software packages, and priority.
Preferably, the vulnerability information includes the vulnerability name, affected software packages, security level, and vulnerability description.
The advantages and positive effects of the present invention are as follows: the system vulnerability risk assessment method provided by the invention preprocesses the software package dependency metadata of the software system to construct a software dependency network, obtains vulnerability information, constructs the association between vulnerabilities and software packages from that information, queries, according to the dependency network and this association, the software package having the vulnerability and the other software packages that directly or indirectly depend on it, constructs a software package dependency subgraph, and assesses the security risk of the vulnerability to the whole software system based on the importance level of each node in that subgraph.
Specific embodiment
The specific embodiments of the present invention are further described below with reference to examples; the following examples serve only to illustrate the technical solution of the invention more clearly and are not intended to limit its scope of protection.
A system vulnerability risk assessment method, comprising:
preprocessing the software package dependency metadata of a software system to construct a software dependency network, wherein the software package dependency metadata is a file recording the information of all software packages in the software system;
obtaining vulnerability information, and constructing the association between vulnerabilities and software packages according to the vulnerability information;
assessing the security risk of a vulnerability to the whole software system, which comprises: calculating an importance coefficient for each node in the software package dependency subgraph; determining the threat coefficient of the vulnerability; calculating the vulnerability risk value of each node according to the threat coefficient of the vulnerability; and calculating a comprehensive vulnerability risk value according to the importance coefficient and the vulnerability risk value of each node.
According to the software dependency network and the association between vulnerabilities and software packages, the software package having the vulnerability and the other software packages that directly or indirectly depend on that software package are queried, and a software package dependency subgraph is constructed.
The importance level of each node in the software package dependency subgraph is determined.
Determining the threat coefficient of the vulnerability comprises: determining the security level corresponding to the vulnerability, and determining the corresponding threat coefficient according to that security level.
The software package information includes the software package name, dependent software packages, and priority.
The vulnerability information includes the vulnerability name, affected software packages, security level, and vulnerability description.
The advantages and positive effects of the present invention are as follows: the system vulnerability risk assessment method provided by the invention preprocesses the software package dependency metadata of the software system to construct a software dependency network, obtains vulnerability information, constructs the association between vulnerabilities and software packages from that information, queries, according to the dependency network and this association, the software package having the vulnerability and the other software packages that directly or indirectly depend on it, constructs a software package dependency subgraph, and assesses the security risk of the vulnerability to the whole software system based on the importance level of each node in that subgraph.
One embodiment of the present invention has been described in detail above, but it is only a preferred embodiment of the invention and should not be regarded as limiting its scope. All equivalent changes and improvements made within the scope of this patent application shall remain within the scope of protection of this patent.
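The pipeline the embodiment describes, carried through on a small constructed package set as an added example (not code from the patent): a reverse-dependency network is built from the metadata, the subgraph of the vulnerable package and its direct and indirect dependents is found by breadth-first search, and importance coefficient, threat coefficient, per-node risk value and comprehensive risk value are then computed. The patent fixes none of the numeric formulas, so the priority weights, the security-level-to-threat mapping, the fan-in based importance coefficient and the distance attenuation of per-node risk are all assumptions of this example.

```python
"""Added worked example of the patent's pipeline; all numeric formulas are assumptions."""
from collections import deque

# Constructed dependency metadata with the fields the patent lists:
# package name, dependent packages, priority (not a real distribution's data).
PACKAGES = {
    "libssl":  {"depends": [],                    "priority": "required"},
    "libcurl": {"depends": ["libssl"],            "priority": "important"},
    "git":     {"depends": ["libcurl", "libssl"], "priority": "standard"},
    "python3": {"depends": ["libssl"],            "priority": "standard"},
    "pip":     {"depends": ["python3"],           "priority": "optional"},
    "nano":    {"depends": [],                    "priority": "optional"},
}
# Constructed vulnerability record: name, affected packages, security level, description.
VULN = {"name": "VULN-EXAMPLE-1", "affected": ["libssl"], "level": "high",
        "description": "constructed sample record, not a real advisory"}
# Assumed mappings: the patent only says the threat coefficient follows from the
# security level and that priority is part of the package metadata.
THREAT_COEFFICIENT = {"low": 0.25, "medium": 0.5, "high": 0.75, "critical": 1.0}
PRIORITY_WEIGHT = {"required": 1.0, "important": 0.75, "standard": 0.5, "optional": 0.25}

def build_dependency_network(packages):
    """Preprocess metadata into reverse edges: pkg -> set of packages that depend on it."""
    dependents = {name: set() for name in packages}
    for name, meta in packages.items():
        for dep in meta["depends"]:
            dependents.setdefault(dep, set()).add(name)
    return dependents

def dependency_subgraph(dependents, root):
    """BFS over reverse edges from the vulnerable package; returns {pkg: depth}.
    Depth 0 is the vulnerable package, 1 its direct dependents, >= 2 indirect ones."""
    depth, queue = {root: 0}, deque([root])
    while queue:
        pkg = queue.popleft()
        for child in dependents.get(pkg, ()):
            if child not in depth:
                depth[child] = depth[pkg] + 1
                queue.append(child)
    return depth

def assess(packages, vuln):
    """Score one vulnerability against the whole system; returns per-node and total risk."""
    dependents = build_dependency_network(packages)
    threat = THREAT_COEFFICIENT[vuln["level"]]
    nodes, total = {}, 0.0
    for root in vuln["affected"]:
        if root not in packages:        # advisory names a package this system does not contain
            continue
        subgraph = dependency_subgraph(dependents, root)
        for pkg, d in subgraph.items():
            # Importance coefficient (assumed): priority weight scaled by how many
            # subgraph nodes depend on this package directly.
            fan_in = len(dependents.get(pkg, set()) & set(subgraph))
            importance = PRIORITY_WEIGHT[packages[pkg]["priority"]] * (1 + fan_in)
            risk = threat / (1 + d)    # per-node risk (assumed): threat attenuated by distance
            nodes[pkg] = {"depth": d, "importance": importance, "risk": risk}
            total += importance * risk  # comprehensive value: importance-weighted sum
    return {"vulnerability": vuln["name"], "nodes": nodes, "comprehensive_risk": total}
```

Packages outside the subgraph (here `nano`) contribute nothing, and a vulnerability whose affected package the system does not ship scores zero.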

Claims (6)

1. A system vulnerability risk assessment method, characterized by comprising:
preprocessing the software package dependency metadata of a software system to construct a software dependency network, wherein the software package dependency metadata is a file recording the information of all software packages in the software system;
obtaining vulnerability information, and constructing the association between vulnerabilities and software packages according to the vulnerability information;
assessing the security risk of a vulnerability to the whole software system, comprising: calculating an importance coefficient for each node in the software package dependency subgraph; determining the threat coefficient of the vulnerability; calculating the vulnerability risk value of each node according to the threat coefficient of the vulnerability; and calculating a comprehensive vulnerability risk value according to the importance coefficient and the vulnerability risk value of each node.
2. The system vulnerability risk assessment method according to claim 1, characterized in that, according to the software dependency network and the association between vulnerabilities and software packages, the software package having the vulnerability and the other software packages that directly or indirectly depend on that software package are queried, and a software package dependency subgraph is constructed.
3. The system vulnerability risk assessment method according to claim 2, characterized in that the importance level of each node in the software package dependency subgraph is determined.
4. The system vulnerability risk assessment method according to claim 1, characterized in that determining the threat coefficient of the vulnerability comprises: determining the security level corresponding to the vulnerability, and determining the corresponding threat coefficient according to that security level.
5. The system vulnerability risk assessment method according to claim 1, characterized in that the software package information includes the software package name, dependent software packages, and priority.
6. The system vulnerability risk assessment method according to claim 1, characterized in that the vulnerability information includes the vulnerability name, affected software packages, security level, and vulnerability description.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711499840.7A CN109977678A (en) 2017-12-28 2017-12-28 A kind of system vulnerability methods of risk assessment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711499840.7A CN109977678A (en) 2017-12-28 2017-12-28 A kind of system vulnerability methods of risk assessment

Publications (1)

Publication Number Publication Date
CN109977678A true CN109977678A (en) 2019-07-05

Family

ID=67075650

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711499840.7A Pending CN109977678A (en) 2017-12-28 2017-12-28 A kind of system vulnerability methods of risk assessment

Country Status (1)

Country Link
CN (1) CN109977678A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112632555A (en) * 2020-12-15 2021-04-09 国网河北省电力有限公司电力科学研究院 Node vulnerability scanning method and device and computer equipment
CN114826691A (en) * 2022-04-02 2022-07-29 深圳市博博信息咨询有限公司 Network information safety intelligent analysis early warning management system based on multi-dimensional analysis
CN114826691B (en) * 2022-04-02 2023-08-18 上海硕曜科技有限公司 Network information security intelligent analysis early warning management system based on multidimensional analysis
CN115080985A (en) * 2022-07-27 2022-09-20 北京北大软件工程股份有限公司 Large-scale code static analysis method and system based on block

Similar Documents

Publication Publication Date Title
US11336465B2 (en) Sending cross-chain authenticatable messages
EP3479519B1 (en) Dynamic access control on blockchain
CN109977678A (en) System vulnerability risk assessment method
Hu et al. Review of cyber-physical system architecture
Li et al. Research on secure localization model based on trust valuation in wireless sensor networks
CN112364317B (en) Internet of things fog environment management architecture and method based on blockchain technology
CN104067280A (en) System and method for detecting a malicious command and control channel
CN102333096B (en) Creditworthiness control method and system for anonymous communication system
Goettelmann et al. A security risk assessment model for business process deployment in the cloud
CN111090386B (en) Cloud storage method, device, system and computer equipment
WO2008011576A3 (en) System and method of securing web applications across an enterprise
CN112738139B (en) Cross-link access control method and device
CN105447388A (en) Android malicious code detection system and method based on weight
Mohamed et al. IoT security: review and future directions for protection models
CN102223627A (en) Beacon node reputation-based wireless sensor network safety locating method
CN114465730A (en) Internet of things equipment mutual authentication method and device based on block chain technology
CN109067709A (en) Vulnerability management method, apparatus, electronic device and storage medium
CN106487505A (en) Key management, acquisition methods and relevant apparatus and system
CN108900328A (en) Power grid network data security test system and method
CN103581202B (en) The trade company of identity-based authentication platform makes board cross-certification method
WO2010019461A3 (en) Method and apparatus for critical infrastructure protection
CN111194441B (en) Data management method and related system based on block chain
CN110471849B (en) Block chain resource management test method and system, storage medium and terminal
CN113037754A (en) Block chain-based safety management system and management method for specific crowd aggregation
Chen et al. Intrusion tolerant control for warship systems

Legal Events

Date Code Title Description
PB01 Publication
Application publication date: 20190705
WD01 Invention patent application deemed withdrawn after publication