CN110443046B - Vulnerability repairing method and device - Google Patents


Info

Publication number
CN110443046B
CN110443046B
Authority
CN
China
Prior art keywords
target
vulnerability
patch
equipment
bug
Prior art date
Legal status
Active
Application number
CN201910747088.6A
Other languages
Chinese (zh)
Other versions
CN110443046A (en)
Inventor
刘智国
吴云峰
于增明
杨嘉佳
朱广宇
李翔
Current Assignee
6th Research Institute of China Electronics Corp
Original Assignee
6th Research Institute of China Electronics Corp
Events
Application filed by 6th Research Institute of China Electronics Corp
Priority to CN201910747088.6A
Publication of CN110443046A
Application granted
Publication of CN110443046B
Legal status: Active (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application provides a method and a device for vulnerability repair. First, a first target vulnerability repair patch mapped to the target vulnerability information is obtained from a preset mapping relation between first vulnerability repair patches and vulnerability information. Second, on a pre-constructed equipment simulation platform containing target simulation equipment corresponding to the target equipment, the first target patch is applied to the target simulation equipment, and a deviation value of the patched equipment simulation platform is calculated. If the deviation value is not larger than a preset deviation threshold, the target equipment is repaired with the first target patch; if it is larger, a second target vulnerability repair patch mapped to the target vulnerability information is obtained from a preset mapping relation between second vulnerability repair patches and vulnerability information, and the target equipment is repaired indirectly with that second patch. This solves the problem that a vulnerability patch cannot be applied directly to an industrial control system.

Description

Vulnerability repairing method and device
Technical Field
The present application relates to the field of computer communications technologies, and in particular, to a method and an apparatus for bug fixing.
Background
With the development of computer, communication, automatic control and other technologies, intelligent control chips and intelligent sensors have appeared, and the resulting intelligence of equipment may introduce vulnerabilities that need to be repaired in time to prevent hacker intrusion and attacks on industrial control systems. However, since repairing a vulnerability may affect the real-time performance of the industrial control system, the repair method must first be assessed and verified on a simulation platform: a threshold range for the deviation value of the repaired device simulation platform is determined, and a repair method is selected according to the result of that determination.
An industrial control system must not only keep running without interruption and avoid the performance loss that a security upgrade can cause, but must also meet its timing requirements. Therefore, a system simulation platform is built from the target object to realise an analog simulation system, and a vulnerability repair mode is chosen according to the test results of that simulation system after the repair is applied. The method described here solves this problem.
Disclosure of Invention
In view of the above, an object of the present application is to provide a method and an apparatus for bug fixing, so as to improve accuracy of bug fixing.
In a first aspect, an embodiment of the present application provides a method for bug fixing, where the method includes:
acquiring target vulnerability information and target equipment corresponding to the target vulnerability information;
on a pre-constructed device simulation platform comprising target simulation devices corresponding to the target devices, acquiring a first target vulnerability repair patch mapped by the target vulnerability information from a preset mapping relation between the first vulnerability repair patch and the vulnerability information;
utilizing the first target vulnerability repair patch to perform vulnerability repair on the target simulation equipment;
calculating a deviation value of the equipment simulation platform subjected to bug fixing;
if the deviation value is not larger than a preset deviation threshold value, utilizing the first target vulnerability repair patch to perform vulnerability repair on the target equipment;
if the deviation value is larger than a preset deviation threshold value, acquiring a second target vulnerability repair patch mapped by the target vulnerability information from a mapping relation between a preset second vulnerability repair patch and the vulnerability information;
and performing indirect vulnerability repair on the target equipment by using the second target vulnerability repair patch.
In an embodiment of the application, performing bug fixing on the target device by using the first target bug fixing patch includes:
and changing the target vulnerability information in the target equipment through the first target vulnerability repair patch.
In an embodiment of the present application, calculating a deviation value of the device simulation platform after bug fixing includes:
for each device in the repaired device simulation platform, obtaining a confidence coefficient and a time delay value of the device in the device simulation platform;
and after the product of the confidence coefficient of each device and the time delay value is calculated respectively, adding the product results of all the devices to obtain the deviation value.
In an embodiment of the application, the performing indirect vulnerability fixing on the target device by using the second target vulnerability fixing patch includes:
constructing a network information security platform corresponding to the equipment simulation platform, wherein the network information security platform at least comprises one network security equipment;
repairing the specified equipment in the network information security platform by using the second target vulnerability repair patch;
and performing indirect vulnerability repair of peripheral patching on the target equipment through the repaired network information security platform.
In an embodiment of the application, the mapping relationship between the second bug fix patch and the bug information is updated in real time according to a preset mapping relationship library.
In a second aspect, an embodiment of the present application provides an apparatus for bug fixing, including:
the first acquisition module is used for acquiring target vulnerability information and target equipment corresponding to the target vulnerability information;
a second obtaining module, configured to obtain, on a pre-established device simulation platform including a target simulation device corresponding to the target device, a first target vulnerability fix patch mapped by the target vulnerability information from a preset mapping relationship between the first vulnerability fix patch and the vulnerability information;
the first vulnerability repair module is used for utilizing the first target vulnerability repair patch to carry out vulnerability repair on the target simulation equipment;
the calculation module is used for calculating the deviation value of the equipment simulation platform subjected to bug fixing;
the second vulnerability repairing module is used for utilizing the first target vulnerability repairing patch to carry out vulnerability repairing on the target equipment if the deviation value is not larger than a preset deviation threshold value;
the judging module is used for acquiring a second target vulnerability repair patch mapped by the target vulnerability information from a mapping relation between a preset second vulnerability repair patch and the vulnerability information if the deviation value is greater than a preset deviation threshold value;
and the third vulnerability repair module is used for performing indirect vulnerability repair on the target equipment by using the second target vulnerability repair patch.
In an embodiment of the application, the first vulnerability repair module, when being configured to utilize the first target vulnerability repair patch to perform vulnerability repair on the target device, is configured to:
and changing the target vulnerability information in the target equipment through the first target vulnerability repair patch.
In an embodiment of the application, the calculation module, when being configured to calculate a deviation value of the device simulation platform after bug fixing, is configured to:
for each device in the repaired device simulation platform, obtaining a confidence coefficient and a time delay value of the device in the device simulation platform;
and after the product of the confidence coefficient of each device and the time delay value is calculated respectively, adding the product results of all the devices to obtain the deviation value.
In an embodiment of the application, the third vulnerability repair module, when being configured to utilize the second target vulnerability repair patch to perform indirect vulnerability repair on the target device, is configured to:
constructing a network information security platform corresponding to the equipment simulation platform, wherein the network information security platform at least comprises one network security equipment;
repairing the specified equipment in the network information security platform by using the second target vulnerability repair patch;
and performing indirect vulnerability repair of peripheral patching on the target equipment through the repaired network information security platform.
In an embodiment of the application, the mapping relationship between the second bug fix patch and the bug information is updated in real time according to a preset mapping relationship library.
In a third aspect, an embodiment of the present application further provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions when executed by the processor performing the steps of the first aspect described above, or any possible implementation of the first aspect.
In a fourth aspect, this application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program is executed by a processor to perform the steps in the first aspect or any one of the possible implementation manners of the first aspect.
The embodiment of the application provides a vulnerability repair method: in a pre-constructed equipment simulation platform, the target simulation equipment is first repaired with the obtained first target repair patch, and the deviation value of the repaired platform is calculated. When the deviation value is not larger than the preset deviation threshold, the target equipment is repaired with the first target patch; when it is larger, a second target repair patch mapped to the target vulnerability information is obtained from the preset mapping relation between second repair patches and vulnerability information, and the target equipment is repaired indirectly with that second patch. The repair is thus tested without running the test on the field equipment itself, and the accuracy of vulnerability repair is improved.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 is a schematic flowchart illustrating a method for bug fixing according to an embodiment of the present application;
Fig. 2 is a schematic flowchart illustrating a method for calculating a deviation value of an equipment simulation platform according to an embodiment of the present application;
fig. 3 is a schematic flowchart illustrating another bug fixing method provided in the embodiment of the present application;
fig. 4 is a schematic structural diagram illustrating an apparatus for bug fixing according to an embodiment of the present application;
fig. 5 shows a schematic structural diagram of an electronic device 500 provided in an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the present application will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
To facilitate understanding of the embodiment, a method for bug fixing disclosed in the embodiment of the present application is first described in detail.
Example one
Referring to fig. 1, a schematic flow chart of a method for bug fixing provided in the embodiment of the present application is shown, where the method includes the following steps:
s101, obtaining target vulnerability information and target equipment corresponding to the target vulnerability information.
In an application scenario of this embodiment, the field device in the industrial control system includes one or more of automation devices such as a sensor, an encoder, a switch, a contactor, a relay, etc., instruments and meters such as a pressure instrument, a temperature instrument, a flow instrument, a valve, etc., and measurement devices, computers and automation software such as an industrial computer, a control computer, industrial control software, network application software, data analysis software, etc., communication network devices such as a network switch, video monitoring, etc., and devices such as a transmission device, a speed regulator, a motion control device, and a power supply system.
When a field device in the industrial control system malfunctions, debugging it directly takes a long time, and excessive debugging wears the device; hence the detected target vulnerability information and the faulty target device corresponding to it need to be obtained first.
S102, on a pre-constructed device simulation platform comprising target simulation devices corresponding to the target devices, obtaining a first target vulnerability fix patch mapped by the target vulnerability information from a preset mapping relation between the first vulnerability fix patch and the vulnerability information.
The device simulation platform including the target simulation device corresponding to the target device specifically comprises a hardware platform and a software platform, wherein the hardware platform includes a resource allocation device and a device network device, and the software platform includes a virtual network module, a device application simulation module, a calculation evaluation module, a data module, an information acquisition and processing module, and a device allocation management module.
The device allocation management module allocates devices so that the resource allocation device, the device network device, the virtual network module and the device application simulation module each correspond to a corresponding device. It sends the operation data of those devices received from the data module to the calculation and evaluation module, receives the feedback of the calculation and evaluation module on the data sent, derives the state information of the corresponding devices from that feedback, and sends control information to the device allocation management module to control the specified device.
The information acquisition and processing module performs test tests on the equipment in the resource allocation device, the equipment network device, the virtual network module and the equipment application simulation module to obtain test data of the equipment and state information of the equipment, and then sends the test data and the state information to the calculation and evaluation module for calculation and analysis, and the calculation and evaluation module also receives data information sent by the data module for calculation and analysis.
After target vulnerability information and corresponding target equipment are detected in a field industrial control system, a first target vulnerability repair patch mapped by the target vulnerability information is obtained from a preset mapping relation between the first vulnerability repair patch and the vulnerability information on a constructed equipment simulation platform comprising the target simulation equipment corresponding to the target equipment.
S103, performing vulnerability repair on the target simulation equipment by using the first target vulnerability repair patch.
And S104, calculating the deviation value of the equipment simulation platform subjected to vulnerability repair.
As shown in fig. 2, a schematic flow chart of the method for calculating the deviation value of the device simulation platform according to the embodiment of the present application is shown, and the specific steps are as follows:
s201, aiming at each device in the repaired device simulation platform, obtaining a confidence coefficient and a time delay value of the device in the device simulation platform;
s202, after the product of the confidence coefficient and the time delay value of each device is calculated, the product results of all the devices are added to obtain the deviation value.
Illustratively, for the N devices in the repaired device simulation platform, the network delay value of each device is obtained; the delay of the i-th device is denoted $\delta_i$ and its confidence coefficient $P_i$, where the confidence coefficient is calculated from the error value produced by the device. The deviation value of each device is the product $P_i\,\delta_i$ of its confidence coefficient and its delay value, and the deviation value of the device simulation platform is the sum of these products over all N devices, $\sum_{i=1}^{N} P_i\,\delta_i$.
And S105, if the deviation value is not larger than the preset deviation threshold value, utilizing the first target vulnerability repair patch to perform vulnerability repair on the target equipment.
Specifically, target vulnerability information in the target device is changed through the first target vulnerability repair patch, and vulnerability repair is performed on the target device.
Illustratively, suppose vulnerability information B is detected in device A and the repair patch mapped to B is obtained from the preset mapping relation between first vulnerability repair patches and vulnerability information. The patch directly changes vulnerability information B in device A; if, after the test on the corresponding device simulation platform, the deviation value is not greater than the preset deviation threshold, the repair is carried out by directly changing vulnerability information B in device A with that patch. The preset deviation threshold can be adjusted to the actual application scenario.
And S106, if the deviation value is larger than a preset deviation threshold value, acquiring a second target vulnerability repair patch mapped by the target vulnerability information from a mapping relation between a preset second vulnerability repair patch and the vulnerability information.
Here, the mapping relationship between the second bug fix patch and the bug information is updated in real time according to a preset mapping relationship library.
Illustratively, suppose vulnerability information B is detected in device A and the repair patch mapped to B is obtained from the preset mapping relation between first vulnerability repair patches and vulnerability information. The patch directly changes vulnerability information B in device A; if, after the test on the corresponding device simulation platform, the deviation value is greater than the preset deviation threshold, the repair cannot be carried out by directly changing vulnerability information B in device A with that patch, and the repair patch mapped to B must instead be obtained from the preset mapping relation between second vulnerability repair patches and vulnerability information.
And S107, performing indirect vulnerability repair on the target equipment by using the second target vulnerability repair patch.
Specifically, a network information security platform corresponding to the equipment simulation platform is constructed, and the network information platform at least comprises one network security equipment; repairing the specified equipment in the network information security platform by using the second target vulnerability repair patch; and performing indirect vulnerability repair of peripheral patching on the target equipment through the repaired network information security platform.
Illustratively, the network information security platform corresponding to the device simulation platform is built from a firewall, an IPS (Intrusion Prevention System) and other devices. Which specified device in the network information security platform the second target repair patch is applied to is determined by calculating the operating efficiency and load balance of the device simulation platform after the patch has been applied to the devices of the network information security platform; the specified device may, for example, be a firewall or an IPS. Assume the firewall in the network information security platform is repaired with the second target repair patch: the connection interface between the patch and the firewall is an industry-standard protocol such as the Simple Network Management Protocol (SNMP) or syslog, and the corresponding patch is issued to the firewall in real time through a REST (Representational State Transfer) style network interface. When a more optimised patch is stored in the preset mapping relation library, the mapping relation between second repair patches and vulnerability information is updated in real time, so that the updated, better patch can be issued to the firewall and the security protection of the industrial control system improves.
When the target equipment is repaired with the first target repair patch and the calculated deviation value of the device simulation platform is larger than the preset deviation threshold, repairing the target equipment with the first patch would affect the operation of the industrial control system. As shown in fig. 3, the device simulation platform is then repaired by the indirect method of peripheral patching of the target equipment: the specified devices among firewall 1, firewall 2, IPS1 and IPS2 in the network information security platform are repaired against the network traffic of the external network, the second target repair patch is determined from the virtual patch library of the patch management centre, the specified device is then repaired through network management, and the network traffic filtered by the network information security platform acts on device 1, device 2, … device n in the device simulation platform. Network management is also connected to the device simulation platform. Repairing the peripheral systems of the industrial control system thus solves the problem that vulnerability patches cannot be applied directly to the industrial control system.
According to this vulnerability repair method, in a pre-constructed device simulation platform, the target simulation equipment is first repaired with the obtained first target repair patch and the deviation value of the repaired platform is calculated. When the deviation value is not larger than the preset deviation threshold, the target equipment is repaired with the first target patch; when it is larger, a second target repair patch mapped to the target vulnerability information is obtained from the preset mapping relation between second repair patches and vulnerability information, and the target equipment is repaired indirectly with that second patch. The repair is thus tested without running the test on the field equipment itself, and the accuracy of vulnerability repair is improved.
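As an added example (not the patent's own code or the applicant's implementation), the following Python models steps S101 to S107 together with the deviation calculation of S201 to S202: it sums confidence times delay over the platform devices, compares the result with the threshold, and selects either the direct first patch or an indirect peripheral patch from the second mapping, which can be refreshed from a mapping-relation library. All device names, patch names, confidence coefficients, delays, loads and the threshold are constructed sample values, and choosing the least-loaded firewall/IPS is an assumption standing in for the text's operating-efficiency and load-balance calculation.

```python
"""Added example (not the patent's own code): a runnable model of the
patch-selection procedure in steps S101-S107 and the deviation value of
S201-S202. Every device name, patch name, confidence coefficient, delay,
load and the threshold below is a constructed sample value."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SimDevice:
    name: str
    confidence: float  # P_i: confidence coefficient derived from the device's error value
    delay_ms: float    # delta_i: network delay measured on the simulation platform


@dataclass(frozen=True)
class RepairPlan:
    mode: str          # "direct": patch the target itself; "indirect": patch a peripheral
    patch: str
    applied_to: str
    deviation: float


# Constructed mapping tables (S102 / S106). The second table is refreshed from a
# mapping-relation library whenever a newer peripheral patch becomes available.
FIRST_PATCH_MAP = {"vuln-B": "patch-B-direct"}
SECOND_PATCH_MAP = {"vuln-B": "patch-B-ips-rule-v1"}


def deviation_value(devices):
    """S201/S202: sum over the N platform devices of P_i * delta_i."""
    return sum(d.confidence * d.delay_ms for d in devices)


def refresh_second_map(library):
    """Pull newer peripheral patches from the preset mapping-relation library."""
    SECOND_PATCH_MAP.update(library)


def choose_peripheral(security_devices):
    """Pick the firewall/IPS that will carry the peripheral patch. The text bases
    the choice on operating efficiency and load balance; as an assumption the
    least-loaded device (lowest load figure) is chosen here."""
    return min(security_devices, key=lambda item: item[1])[0]


def select_repair(vuln, target, platform_after_patch, threshold, security_devices):
    """S103-S107: the first patch has already been applied to the target's
    simulated twin; `platform_after_patch` holds the delays measured afterwards."""
    if vuln not in FIRST_PATCH_MAP:
        raise KeyError(f"no first patch mapped for {vuln}")
    dev = deviation_value(platform_after_patch)
    if dev <= threshold:                              # S105: direct repair is safe
        return RepairPlan("direct", FIRST_PATCH_MAP[vuln], target, dev)
    if vuln not in SECOND_PATCH_MAP:                  # S106 has nothing to offer
        raise KeyError(f"no second patch mapped for {vuln}")
    peripheral = choose_peripheral(security_devices)  # S107: peripheral patching
    return RepairPlan("indirect", SECOND_PATCH_MAP[vuln], peripheral, dev)


# Constructed scenario: device A carries vuln-B; three other devices share the platform.
THRESHOLD = 50.0
SECURITY_DEVICES = [("firewall-1", 0.7), ("firewall-2", 0.4), ("ips-1", 0.2), ("ips-2", 0.5)]


def platform_with_target_delay(target_delay_ms):
    """Simulation platform after patching, with the patched device's measured delay."""
    return [
        SimDevice("device-A", 0.9, target_delay_ms),
        SimDevice("device-2", 0.8, 10.0),
        SimDevice("device-3", 0.5, 20.0),
        SimDevice("device-n", 0.6, 15.0),
    ]


def run_low_delay():
    # Patched device A settles at 20 ms: 0.9*20 + 0.8*10 + 0.5*20 + 0.6*15 = 45 <= 50
    return select_repair("vuln-B", "device-A", platform_with_target_delay(20.0),
                         THRESHOLD, SECURITY_DEVICES)


def run_high_delay():
    # Same patch, but device A's delay climbs to 40 ms: 0.9*40 + 27 = 63 > 50,
    # so the (freshly refreshed) peripheral patch is applied to the least-loaded IPS.
    refresh_second_map({"vuln-B": "patch-B-ips-rule-v2"})
    return select_repair("vuln-B", "device-A", platform_with_target_delay(40.0),
                         THRESHOLD, SECURITY_DEVICES)


if __name__ == "__main__":
    print(run_low_delay())
    print(run_high_delay())
```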
Example two
Referring to fig. 4, a schematic structural diagram of a vulnerability fixing apparatus provided in an embodiment of the present application includes: the first obtaining module 401, the second obtaining module 402, the first bug fixing module 403, the calculating module 404, the second bug fixing module 405, the judging module 406, and the third bug fixing module 407 are specifically:
a first obtaining module 401, configured to obtain target vulnerability information and target equipment corresponding to the target vulnerability information;
a second obtaining module 402, configured to obtain, on a pre-established device simulation platform including a target simulation device corresponding to the target device, a first target vulnerability fix patch mapped by the target vulnerability information from a preset mapping relationship between the first vulnerability fix patch and the vulnerability information;
a first vulnerability fixing module 403, configured to perform vulnerability fixing on the target simulation device by using the first target vulnerability fixing patch;
a calculating module 404, configured to calculate a deviation value of the device simulation platform after bug fixing is performed;
a second bug fixing module 405, configured to, if the deviation value is not greater than a preset deviation threshold value, perform bug fixing on the target device by using the first target bug fixing patch;
a determining module 406, configured to obtain a second target vulnerability repair patch mapped by the target vulnerability information from a mapping relationship between a preset second vulnerability repair patch and the vulnerability information if the deviation value is greater than a preset deviation threshold value;
and a third vulnerability fixing module 407, configured to perform indirect vulnerability fixing on the target device by using the second target vulnerability fixing patch.
In an embodiment of the present application, the first vulnerability repair module 403, when configured to utilize the first target vulnerability repair patch to perform vulnerability repair on the target device, is configured to:
and changing the target vulnerability information in the target equipment through the first target vulnerability repair patch.
In an embodiment of the present application, when the calculating module 404 is configured to calculate a deviation value of the device simulation platform after bug fixing, the calculating module is configured to:
for each device in the repaired device simulation platform, obtaining a confidence coefficient and a time delay value of the device in the device simulation platform;
and after the product of the confidence coefficient of each device and the time delay value is calculated respectively, adding the product results of all the devices to obtain the deviation value.
In an embodiment of the present application, the third vulnerability fixing module 407, when configured to perform indirect vulnerability repair on the target device by using the second target vulnerability fixing patch, is configured to:
constructing a network information security platform corresponding to the equipment simulation platform, wherein the network information security platform at least comprises one network security equipment;
repairing the specified equipment in the network information security platform by using the second target vulnerability repair patch;
and performing indirect vulnerability repair of peripheral patching on the target equipment through the repaired network information security platform.
In an embodiment of the application, the mapping relationship between the second bug fix patch and the bug information is updated in real time according to a preset mapping relationship library.
Example three
Based on the same technical concept, an embodiment of the present application further provides an electronic device. Referring to fig. 5, a schematic structural diagram of an electronic device 500 provided in an embodiment of the present application includes a processor 501, a memory 502 and a bus 503. The memory 502 is used for storing execution instructions and includes an internal memory 5021 and an external memory 5022. The internal memory 5021 temporarily stores operation data of the processor 501 and data exchanged with the external memory 5022 (for example, a hard disk); the processor 501 exchanges data with the external memory 5022 through the internal memory 5021. When the electronic device 500 operates, the processor 501 communicates with the memory 502 through the bus 503, so that the processor 501 executes the following instructions:
acquiring target vulnerability information and target equipment corresponding to the target vulnerability information;
on a pre-constructed device simulation platform comprising target simulation devices corresponding to the target devices, acquiring a first target vulnerability repair patch mapped by the target vulnerability information from a preset mapping relation between the first vulnerability repair patch and the vulnerability information;
utilizing the first target vulnerability repair patch to perform vulnerability repair on the target simulation equipment;
calculating a deviation value of the device simulation platform after vulnerability repair;
if the deviation value is not larger than a preset deviation threshold value, utilizing the first target vulnerability repair patch to perform vulnerability repair on the target equipment;
if the deviation value is larger than a preset deviation threshold value, acquiring a second target vulnerability repair patch mapped by the target vulnerability information from a mapping relation between a preset second vulnerability repair patch and the vulnerability information;
and performing indirect vulnerability repair on the target equipment by using the second target vulnerability repair patch.
In one possible design, in the processing performed by the processor 501, the performing vulnerability repair on the target device by using the first target vulnerability repair patch includes:
changing the target vulnerability information in the target device through the first target vulnerability repair patch.
In one possible design, in the processing performed by the processor 501, the calculating the deviation value of the device simulation platform after vulnerability repair includes:
for each device in the repaired device simulation platform, obtaining a confidence coefficient and a time delay value of the device in the device simulation platform;
and multiplying the confidence coefficient of each device by its time delay value, then summing the products over all devices to obtain the deviation value.
In one possible design, in the processing performed by the processor 501, the performing indirect vulnerability repair on the target device by using the second target vulnerability repair patch includes:
constructing a network information security platform corresponding to the device simulation platform, wherein the network information security platform comprises at least one network security device;
repairing the specified device in the network information security platform by using the second target vulnerability repair patch;
and performing indirect vulnerability repair of the target device, by perimeter patching, through the repaired network information security platform.
In one possible design, in the processing performed by the processor 501, the mapping relationship between the second vulnerability repair patch and the vulnerability information is updated in real time according to a preset mapping relationship library.
Example four
The embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the vulnerability fixing method are executed.
Specifically, the storage medium can be a general-purpose storage medium, such as a removable disk, a hard disk, and the like, and when a computer program on the storage medium is executed, the steps of the vulnerability repairing method can be executed, so that the vulnerability repairing accuracy is improved.
The computer program product of the vulnerability fixing method provided in the embodiment of the present application includes a computer readable storage medium storing a program code, and instructions included in the program code may be used to execute the method in the foregoing method embodiment, and specific implementation may refer to the method embodiment, and will not be described herein again.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments provided in the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus once an item is defined in one figure, it need not be further defined and explained in subsequent figures, and moreover, the terms "first", "second", "third", etc. are used merely to distinguish one description from another and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that the above embodiments are only specific embodiments of the present application, used to illustrate the technical solutions of the present application and not to limit them, and the scope of the present application is not limited thereto. Although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can, within the technical scope disclosed in the present application, modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the present application and are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (8)

1. A method for vulnerability repair, comprising:
acquiring target vulnerability information and target equipment corresponding to the target vulnerability information;
on a pre-constructed device simulation platform comprising target simulation devices corresponding to the target devices, acquiring a first target vulnerability repair patch mapped by the target vulnerability information from a preset mapping relation between the first vulnerability repair patch and the vulnerability information;
utilizing the first target vulnerability repair patch to perform vulnerability repair on the target simulation equipment;
calculating a deviation value of the device simulation platform after vulnerability repair;
if the deviation value is not larger than a preset deviation threshold value, utilizing the first target vulnerability repair patch to perform vulnerability repair on the target equipment;
if the deviation value is larger than a preset deviation threshold value, acquiring a second target vulnerability repair patch mapped by the target vulnerability information from a mapping relation between a preset second vulnerability repair patch and the vulnerability information;
performing indirect vulnerability repair on the target equipment by using the second target vulnerability repair patch;
performing indirect vulnerability repair on the target device by using the second target vulnerability repair patch, including:
constructing a network information security platform corresponding to the equipment simulation platform, wherein the network information security platform at least comprises one network security equipment; the network security equipment comprises a firewall and an intrusion prevention system;
repairing the specified equipment in the network information security platform by using the second target vulnerability repair patch;
performing indirect vulnerability repair of peripheral patching on the target equipment through the repaired network information security platform;
the repairing the specified device in the network information security platform by using the second target vulnerability repair patch comprises:
according to the preset mapping relation between the second vulnerability repair patch and the vulnerability information, issuing the second target vulnerability repair patch corresponding to the target vulnerability information to the specified device in real time through a framework-style network system;
and when an optimized second vulnerability repair patch is stored in the preset mapping relation between the second vulnerability repair patch and the vulnerability information, updating that mapping relation in real time with the optimized second vulnerability repair patch, so as to issue the updated second target vulnerability repair patch to the specified device.
2. The method of claim 1, wherein the performing vulnerability repair on the target device by using the first target vulnerability repair patch comprises:
and changing the target vulnerability information in the target equipment through the first target vulnerability repair patch.
3. The method of claim 1, wherein the calculating the deviation value of the device simulation platform after vulnerability repair comprises:
for each device in the repaired device simulation platform, obtaining a confidence coefficient and a time delay value of the device in the device simulation platform;
and multiplying the confidence coefficient of each device by its time delay value, then summing the products over all devices to obtain the deviation value.
4. The method of claim 1, wherein the mapping relationship between the second vulnerability repair patch and the vulnerability information is updated in real time according to a preset mapping relationship library.
5. An apparatus for vulnerability repair, comprising:
the first acquisition module is used for acquiring target vulnerability information and target equipment corresponding to the target vulnerability information;
a second obtaining module, configured to obtain, on a pre-established device simulation platform including a target simulation device corresponding to the target device, a first target vulnerability fix patch mapped by the target vulnerability information from a preset mapping relationship between the first vulnerability fix patch and the vulnerability information;
the first vulnerability repair module is used for utilizing the first target vulnerability repair patch to carry out vulnerability repair on the target simulation equipment;
the calculation module is used for calculating the deviation value of the device simulation platform after vulnerability repair;
the second vulnerability repairing module is used for utilizing the first target vulnerability repairing patch to carry out vulnerability repairing on the target equipment if the deviation value is not larger than a preset deviation threshold value;
the judging module is used for acquiring a second target vulnerability repair patch mapped by the target vulnerability information from a mapping relation between a preset second vulnerability repair patch and the vulnerability information if the deviation value is greater than a preset deviation threshold value;
the third vulnerability repair module is used for performing indirect vulnerability repair on the target equipment by using the second target vulnerability repair patch;
the third vulnerability fixing module, when configured to perform indirect vulnerability fixing on the target device by using the second target vulnerability fixing patch, is configured to:
constructing a network information security platform corresponding to the equipment simulation platform, wherein the network information security platform at least comprises one network security equipment; the network security equipment comprises a firewall and an intrusion prevention system;
repairing the specified equipment in the network information security platform by using the second target vulnerability repair patch;
performing indirect vulnerability repair of peripheral patching on the target equipment through the repaired network information security platform;
the third vulnerability repair module, when configured to repair the specified device in the network information security platform by using the second target vulnerability repair patch, is configured to:
according to the preset mapping relation between the second vulnerability repair patch and the vulnerability information, issue the second target vulnerability repair patch corresponding to the target vulnerability information to the specified device in real time through a framework-style network system;
and when an optimized second vulnerability repair patch is stored in the preset mapping relation between the second vulnerability repair patch and the vulnerability information, update that mapping relation in real time with the optimized second vulnerability repair patch, so as to issue the updated second target vulnerability repair patch to the specified device.
6. The apparatus of claim 5, wherein the first vulnerability repair module, when configured to utilize the first target vulnerability repair patch to perform vulnerability repair on the target device, is configured to:
and changing the target vulnerability information in the target equipment through the first target vulnerability repair patch.
7. An electronic device, comprising: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions, when executed by the processor, performing the steps of the method for vulnerability repair of any of claims 1 to 4.
8. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, performs the steps of the method for vulnerability repair according to any of claims 1 to 4.
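The decision flow of claims 1 to 4 (and of the module and processor embodiments above) is a staged rollout gated by a simulation result: apply the first patch to the simulated copy of the target, score the simulated platform, and only patch the real device directly when the score stays within tolerance, otherwise fall back to patching the perimeter security devices with the second patch. The following is an added example of that flow written for this page; it is not the patent's own code. The device names, confidence coefficients, time delay values, patch identifiers, the post-patch delay model and the two mapping dictionaries are all constructed sample data, and the network security platform is reduced to a firewall and an intrusion prevention system as the claims name them.

```python
"""Staged vulnerability repair gated by a simulation-platform deviation value.

Added example modelled on claims 1-4 of the patent; it is not the patent's own
code. Device names, confidence coefficients, time delay values, patch
identifiers and the post-patch delay model are all constructed sample data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SimDevice:
    """One device of the device simulation platform."""
    name: str
    confidence: float   # confidence coefficient of the device on the platform
    delay_ms: float     # time delay value measured on the platform


@dataclass(frozen=True)
class Outcome:
    mode: str                 # "direct" (deviation <= threshold) or "indirect"
    patch: str                # patch that was issued
    deviation: float          # deviation value of the repaired simulation platform
    repaired_devices: tuple   # devices that actually received the patch


# Hypothetical mapping relationships (claim 1): vulnerability information -> patch.
FIRST_PATCHES = {"VULN-A": "patch-A-direct", "VULN-B": "patch-B-direct"}
SECOND_PATCHES = {"VULN-A": "patch-A-perimeter", "VULN-B": "patch-B-perimeter"}

# Constructed simulation model: time delay of the target simulation device after
# the first patch is applied. A real platform would measure this value.
POST_PATCH_DELAY_MS = {
    ("plc-1", "patch-A-direct"): 12.0,    # small, well-behaved patch
    ("plc-1", "patch-B-direct"): 340.0,   # patch that degrades the device badly
}


def deviation_value(platform):
    """Claim 3: multiply each device's confidence coefficient by its time delay
    value and sum the products over all devices of the platform."""
    return sum(d.confidence * d.delay_ms for d in platform)


def simulate_first_patch(platform, target, patch):
    """Apply the first target patch to the target simulation device only; the
    other devices keep their measured delays."""
    return [
        replace(d, delay_ms=POST_PATCH_DELAY_MS[(d.name, patch)]) if d.name == target else d
        for d in platform
    ]


def build_security_platform():
    """Claim 1: network information security platform mirroring the simulation
    platform, containing at least one network security device (here a firewall
    and an intrusion prevention system). Returns the devices to be patched."""
    return ("firewall", "ips")


def update_second_patch(mapping, vuln_id, optimized_patch):
    """Claims 1 and 4: when an optimized second patch becomes available, update
    the second-patch mapping in real time so later issuances use the new patch."""
    mapping[vuln_id] = optimized_patch
    return mapping


def remediate(vuln_id, target, platform, threshold, second_patches):
    """Run the full method of claim 1 for one vulnerability and one target device."""
    first_patch = FIRST_PATCHES[vuln_id]
    repaired_sim = simulate_first_patch(platform, target, first_patch)
    dev = deviation_value(repaired_sim)
    if dev <= threshold:
        # Simulation stayed within tolerance: patch the real target device directly.
        return Outcome("direct", first_patch, dev, (target,))
    # Simulation deviated too much: repair indirectly by patching the perimeter
    # devices of the network information security platform with the second patch.
    second_patch = second_patches[vuln_id]
    return Outcome("indirect", second_patch, dev, build_security_platform())


# Constructed device simulation platform (confidence coefficient, delay in ms).
PLATFORM = [
    SimDevice("plc-1", 0.9, 10.0),
    SimDevice("hmi-1", 0.6, 20.0),
    SimDevice("switch-1", 0.3, 5.0),
]

if __name__ == "__main__":
    for vuln in ("VULN-A", "VULN-B"):
        print(vuln, remediate(vuln, "plc-1", PLATFORM, threshold=50.0,
                              second_patches=dict(SECOND_PATCHES)))
```

With the constructed values, VULN-A's patch raises the simulated PLC delay only slightly and the platform deviation stays under the threshold, so the real device is patched directly; VULN-B's patch drives the deviation far past the threshold, so the target is left untouched and the perimeter devices receive the second patch instead. The threshold is the operator's risk tolerance: it bounds how much confidence-weighted latency the simulated platform may absorb before a direct patch is judged too disruptive to ship.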
CN201910747088.6A 2019-08-14 2019-08-14 Vulnerability repairing method and device Active CN110443046B (en)

Publications (2)

Publication Number Publication Date
CN110443046A CN110443046A (en) 2019-11-12
CN110443046B true CN110443046B (en) 2021-10-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant