CN114817929A - Method and device for dynamically tracking and processing vulnerability of Internet of things, electronic equipment and medium - Google Patents


Info

Publication number
CN114817929A
Authority
CN
China
Prior art keywords
vulnerability
information
information table
data
historical
Prior art date
Legal status
Granted
Application number
CN202210409775.9A
Other languages
Chinese (zh)
Other versions
CN114817929B (en)
Inventor
雷志强
张贺
段伟恒
方维
Current Assignee
Sky Sky Safety Technology Co ltd
Original Assignee
Sky Sky Safety Technology Co ltd
Events
Application filed by Sky Sky Safety Technology Co ltd
Priority to CN202210409775.9A
Publication of CN114817929A
Application granted
Publication of CN114817929B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F 16/35 Clustering; Classification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F 16/36 Creation of semantic tools, e.g. ontology or thesauri
    • G06F 16/367 Ontology
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computational Linguistics (AREA)
  • Animal Behavior & Ethology (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application relates to the technical field of Internet of things, in particular to a method, a device, electronic equipment and a medium for dynamically tracking and processing vulnerabilities of the Internet of things, wherein the method comprises the following steps: collecting vulnerability data; updating a historical device information table and a historical vulnerability information table according to vulnerability data, and generating a current device information table and a current vulnerability information table; updating a multidimensional knowledge graph according to the current equipment information table and the current vulnerability information table, wherein the multidimensional knowledge graph is constructed on the basis of a historical equipment information table and a historical vulnerability information table; the device information table is used for storing device information related to the IOT vulnerability, and the vulnerability information table is used for storing basic information of the IOT vulnerability.

Description

Method and device for dynamically tracking and processing vulnerability of Internet of things, electronic equipment and medium
Technical Field
The application relates to the technical field of the internet of things, in particular to a dynamic tracking and processing method and device for vulnerabilities of the internet of things, electronic equipment and a medium.
Background
With the development and innovation of internet of things technology, a large number of internet of things devices are continuously connected to the network, and because some of these devices lack continuous official technical support and patch update programs, a large number of known vulnerabilities are generated.
At present, international mainstream vulnerability sharing platforms do not classify internet of things vulnerabilities in a dedicated fine-grained way, and domestic mainstream vulnerability disclosure platforms classify them manually or semi-automatically, which introduces a certain delay. These platforms therefore cannot meet the high-timeliness requirement of security researchers who process internet of things vulnerabilities. How to classify internet of things vulnerabilities efficiently and at fine granularity, so that security researchers can analyse them accurately and in time and so that data support is provided for subsequent security detection, threat early warning and the like, is therefore a problem that urgently needs to be solved.
Disclosure of Invention
In order to provide data support for subsequent processing of the vulnerability of the internet of things and carry out efficient fine-grained classification and processing on the vulnerability of the internet of things, the application provides a dynamic tracking and processing method and device of the vulnerability of the internet of things, electronic equipment and a medium.
In a first aspect of the application, a method for dynamically tracking and processing vulnerabilities of the internet of things is provided, and the method includes the steps of collecting vulnerability data; updating a historical device information table and a historical vulnerability information table according to the vulnerability data, and generating a current device information table and a current vulnerability information table; updating a multidimensional knowledge map according to the current equipment information table and the current vulnerability information table, wherein the multidimensional knowledge map is constructed based on the historical equipment information table and the historical vulnerability information table; the device information table is used for storing device information related to the vulnerability of the Internet of things, and the vulnerability information table is used for storing basic information of the vulnerability of the Internet of things.
By adopting the technical scheme, vulnerability data can be collected at regular intervals or at a preset frequency, the historical equipment information table and the historical vulnerability information table are updated and completed according to the collected vulnerability data, and the knowledge map is updated according to the current equipment information table and the current vulnerability information table. In this way the latest vulnerability data is obtained in time, internet of things vulnerabilities are identified within it, and their latest information is written to the equipment information table and the vulnerability information table, from which the knowledge map is updated. Therefore, when a new threat report about an internet of things vulnerability is obtained, the knowledge graph can provide security researchers with the latest and most complete vulnerability association relations, so that they can process the internet of things vulnerability rapidly.
Preferably, the vulnerability data includes vulnerability information data, Poc data and threat information data, and the updating of the historical device information table and the historical vulnerability information table according to the vulnerability data includes: identifying the vulnerability of the Internet of things in the vulnerability information data according to a historical equipment information table; updating the corresponding vulnerability information in the vulnerability information data of the identified vulnerability of the Internet of things into the historical equipment information table and the historical vulnerability information table; determining whether an internet of things vulnerability exists in the Poc data and the threat information data according to the updated historical vulnerability information table; and if the vulnerability exists, updating the determined Poc data and threat information data corresponding to the vulnerability of the Internet of things into the historical vulnerability information table.
By adopting the technical scheme, the collected vulnerability data comprises vulnerability information data, Poc data and threat information data. The vulnerability information data is basic information about a vulnerability, including its CVE (Common Vulnerabilities and Exposures) number, vulnerability description information, vulnerability type, the CPE (Common Platform Enumeration) list corresponding to the vulnerability, and the like; the Poc data is vulnerability proof-of-concept code; and the threat information data is the clue information needed to mitigate attacks that have occurred and to predict attacks that have not yet occurred. The historical equipment information table and the historical vulnerability information table are updated on the basis of the vulnerability information data, so that the information in both tables becomes more complete and the knowledge map is improved. By collecting Poc data and threat information, threat information related to internet of things vulnerabilities can be discovered in time; once threat information related to a new internet of things vulnerability is found it can be pushed to security researchers in real time, and security researchers can also fetch the newly added threat information from the historical vulnerability information table at regular intervals, so that they can respond quickly to new threat intelligence.
Preferably, identifying the internet of things vulnerability in the vulnerability information data according to a historical device information table comprises generating a device manufacturer dictionary, a device model dictionary, a device type dictionary and a device identification dictionary according to the historical device information table; and if at least two dictionaries in the four dictionaries are matched with vulnerability information corresponding to vulnerabilities in the vulnerability information data, determining that the vulnerability is an Internet of things vulnerability.
By adopting the technical scheme, the historical equipment information table comprises at least the four fields of equipment manufacturer, equipment model, equipment type and equipment identification, together with the values of these four fields for each internet of things vulnerability. The historical information table is pre-established by collecting the information of all internet of things vulnerabilities disclosed on network platforms; because the volume of data is huge, some vulnerability information is incomplete, so a dictionary is generated from each of the four fields and used for matching, which allows internet of things vulnerabilities to be identified more accurately.
Preferably, the updating of the vulnerability information corresponding to the identified vulnerability of the internet of things in the vulnerability information data to the historical device information table and the historical vulnerability information table includes extracting actual information of the vulnerability of the internet of things corresponding to the unmatched dictionaries in the vulnerability information data if at least one of the four dictionaries is not matched with the corresponding vulnerability information of the identified vulnerability of the internet of things in the vulnerability information data; combining the matched information in the dictionary and the extracted actual information and updating the combined information into the historical equipment information table; and extracting information corresponding to each field in the historical vulnerability information table from the vulnerability information data and updating the information into the historical vulnerability information table.
By adopting the technical scheme, the information of the identified internet of things vulnerability corresponding to every field in the equipment information table can be obtained, so that each update is complete and needs no later supplementation. At the same time, the information corresponding to each field of the historical vulnerability information table is extracted from the vulnerability information data, so that the vulnerability information of internet of things vulnerabilities already present in the historical vulnerability information table is completed, and the newly collected vulnerability information of internet of things vulnerabilities is stored in the historical vulnerability information table in full.
Preferably, extracting the actual information of the internet of things vulnerability corresponding to the unmatched dictionary from the vulnerability information data includes judging whether a CPE list of the internet of things vulnerability exists in the vulnerability information data; if yes, acquiring equipment manufacturer information, equipment model information, equipment type information and/or equipment identification information of the vulnerability of the Internet of things in the CPE list; if not, extracting equipment manufacturer information, equipment model information, equipment type information and/or equipment identification information of the vulnerability of the Internet of things from the vulnerability information data based on the pre-trained named entity model.
By adopting the technical scheme, CPE lists (Common Platform Enumeration lists) have a fixed format, and most of them carry the four pieces of information corresponding to an internet of things vulnerability: equipment manufacturer information, equipment model information, equipment type information and equipment identification information. Therefore, when information is supplemented, it is first checked whether the collected vulnerability information data contains a CPE list corresponding to the internet of things vulnerability; if it does, the information can be extracted completely from the list. Because the CPE list of some newly disclosed internet of things vulnerabilities is updated with a certain delay, if no CPE list exists yet, the corresponding information is extracted from the vulnerability description information by the pre-trained named entity model for supplementation. In this way the corresponding data content can be completed and the latest internet of things vulnerability information obtained in time.
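The following Python is an added example, not code from the patent or its applicant, showing the two branches just described: parse the CPE 2.3 string when the record carries one, otherwise fall back to an entity extractor over the description. The patent's pre-trained named entity model is not available here, so `simple_ner` is a hypothetical regex stand-in; the mapping of CPE components to the four fields (vendor to manufacturer, product to model, version to identifier) is also an assumption of this example, since a CPE string has no device-type component, which is why the type is filled from the description in both branches. All sample records and CVE numbers are constructed placeholders.

```python
import re
from typing import Callable, Optional

CPE23_PREFIX = "cpe:2.3:"
# Component names of a CPE 2.3 formatted string, in order, after the "cpe:2.3:" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language",
              "sw_edition", "target_sw", "target_hw", "other")
DEVICE_FIELDS = ("manufacturer", "model", "type", "identifier")


def parse_cpe23(cpe: str) -> Optional[dict]:
    """Split a CPE 2.3 string into named components; None if it is not well-formed."""
    if not cpe.startswith(CPE23_PREFIX):
        return None
    # Split on unescaped colons only: "\:" inside a component is a literal colon.
    parts = re.split(r"(?<!\\):", cpe[len(CPE23_PREFIX):])
    if len(parts) != len(CPE_FIELDS):
        return None
    return {name: value.replace("\\:", ":") for name, value in zip(CPE_FIELDS, parts)}


def _present(value: str) -> Optional[str]:
    """'*' (ANY), '-' (NA) and empty components count as missing information."""
    return None if value in ("*", "-", "") else value


def fields_from_cpe_list(cpe_list) -> Optional[dict]:
    """Branch 1 (CPE present): take the device fields from the first hardware (h) or
    OS/firmware (o) CPE. Assumed mapping: vendor -> manufacturer, product -> model,
    version -> identifier. CPE has no device-type component, so 'type' stays None."""
    for cpe in cpe_list:
        c = parse_cpe23(cpe)
        if c is None or c["part"] not in ("h", "o"):
            continue
        return {"manufacturer": _present(c["vendor"]), "model": _present(c["product"]),
                "type": None, "identifier": _present(c["version"])}
    return None


# Hypothetical stand-in for the pre-trained named entity model: a regex that
# recognises "<Vendor> <MODEL-123> <device type>" phrases in the description.
DEVICE_TYPES = ("router", "ip camera", "nvr", "dvr", "gateway", "switch")
_NER_RE = re.compile(
    r"\b(?P<vendor>[A-Z][A-Za-z]+)\s+(?P<model>[A-Z]{1,4}[-\w]*\d[-\w]*)\s+(?P<type>"
    + "|".join(re.escape(t) for t in DEVICE_TYPES) + r")\b",
    re.IGNORECASE,
)


def simple_ner(description: str) -> Optional[dict]:
    """Branch 2 (no CPE): extract what the regex can find; the identifier is not
    recoverable from free text with this stand-in, so it is left None."""
    m = _NER_RE.search(description)
    if not m:
        return None
    return {"manufacturer": m["vendor"], "model": m["model"],
            "type": m["type"].lower(), "identifier": None}


def extract_device_fields(record: dict,
                          ner: Callable[[str], Optional[dict]] = simple_ner) -> dict:
    """Prefer the CPE list; fill whatever is still missing from the description."""
    fields = dict.fromkeys(DEVICE_FIELDS)
    if record.get("cpe_list"):
        fields.update(fields_from_cpe_list(record["cpe_list"]) or {})
    if any(v is None for v in fields.values()):
        for key, value in (ner(record.get("description", "")) or {}).items():
            if fields[key] is None:
                fields[key] = value
    return fields


# Constructed sample records (placeholder CVE numbers, fictitious vendors and products).
SAMPLE_WITH_CPE = {
    "cve": "CVE-0000-0001",
    "description": "Authentication bypass in Examplevendor RT-100 router firmware 1.0.2",
    "cpe_list": ["cpe:2.3:o:examplevendor:rt-100_firmware:1.0.2:*:*:*:*:*:*:*"],
}
SAMPLE_WITHOUT_CPE = {
    "cve": "CVE-0000-0002",
    "description": "Stack overflow in the RTSP service of Democorp IPC-200 ip camera",
    "cpe_list": [],
}

if __name__ == "__main__":
    print(extract_device_fields(SAMPLE_WITH_CPE))
    print(extract_device_fields(SAMPLE_WITHOUT_CPE))
```

A practical point the example makes visible: even when a CPE list is present, the device type still has to come from somewhere else, so the description-based step is not only a fallback for late CPE updates but a routine supplement.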
Preferably, the vulnerability information table, the Poc data and the threat information data each comprise at least a CVE number, and determining whether an internet of things vulnerability exists in the Poc data and the threat information data according to the updated historical vulnerability information table comprises: extracting the CVE numbers that occur in both the Poc data and the threat information data, and judging whether these CVE numbers exist in the historical vulnerability information table; if they do, determining that an internet of things vulnerability exists in the Poc data and the threat information data.
By adopting the technical scheme, the CVE numbers shared by the Poc data and the threat information data are extracted and then compared with the CVE numbers in the historical vulnerability information table. Because Poc data can verify the vulnerability described in the threat information data, the accuracy of the threat information data is improved, and because the CVE number is the unique identity of a vulnerability, the accuracy of identifying threat information is improved.
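The CVE-keyed check just described, as an added Python example that is not part of the patent or its applicant's code. Poc records and threat information records are treated as free text; CVE numbers are pulled out with a regular expression, intersected, and filtered against the historical vulnerability information table, after which the matching records are attached to the table entry. The table contents, record texts and CVE numbers are constructed placeholders.

```python
import copy
import re

# CVE identifiers: "CVE-", a four-digit year, then four or more digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def extract_cves(records):
    """Set of CVE numbers (normalised to upper case) mentioned in free-text records."""
    found = set()
    for rec in records:
        found.update(m.upper() for m in CVE_RE.findall(rec))
    return found


def iot_cves_in_poc_and_intel(poc_records, intel_records, vuln_table):
    """The check described above: CVE numbers present in BOTH the Poc data and the
    threat information data, restricted to those already in the historical
    vulnerability information table. Sorted for stable output."""
    shared = extract_cves(poc_records) & extract_cves(intel_records)
    return sorted(cve for cve in shared if cve in vuln_table)


def attach_poc_and_intel(cves, poc_records, intel_records, vuln_table):
    """Return a copy of the table with the matching Poc and threat-intel records
    appended to each identified CVE entry (the 'update into the table' step).
    The input table is left untouched so a failed run cannot half-update it."""
    updated = copy.deepcopy(vuln_table)
    for cve in cves:
        entry = updated[cve]
        entry.setdefault("poc", []).extend(
            r for r in poc_records if cve in extract_cves([r]))
        entry.setdefault("threat_intel", []).extend(
            r for r in intel_records if cve in extract_cves([r]))
    return updated


# Constructed sample data (placeholder CVE numbers, not real vulnerabilities).
HISTORICAL_VULN_TABLE = {
    "CVE-0000-0001": {"title": "Router admin authentication bypass", "device_type": "router"},
    "CVE-0000-0002": {"title": "IP camera RTSP stack overflow", "device_type": "ip camera"},
}
POC_DATA = [
    "PoC script for cve-0000-0001: unauthenticated configuration download",
    "PoC for CVE-0000-0009 (web application, not an IoT device)",
]
THREAT_INTEL_DATA = [
    "Scanning campaign targets routers affected by CVE-0000-0001 and CVE-0000-0002",
    "Malware sample references CVE-0000-0009",
]

if __name__ == "__main__":
    hits = iot_cves_in_poc_and_intel(POC_DATA, THREAT_INTEL_DATA, HISTORICAL_VULN_TABLE)
    print(hits)  # only CVE-0000-0001 is in both sources and in the table
    print(attach_poc_and_intel(hits, POC_DATA, THREAT_INTEL_DATA,
                               HISTORICAL_VULN_TABLE)["CVE-0000-0001"])
```

Note what the intersection rule drops: CVE-0000-0002 appears only in threat intelligence (no Poc to verify it) and CVE-0000-0009 appears in both sources but is not an internet of things vulnerability known to the table, so neither is pushed to researchers.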
Preferably, before updating the historical device information table and the historical vulnerability information table according to the vulnerability data, the method further comprises the step of performing duplicate removal and fusion processing on the collected vulnerability data.
By adopting the technical scheme, the processed old data can be removed, the data volume is reduced by fusion processing, and the quality of the acquired vulnerability data is enhanced.
In a second aspect of the present application, a dynamic tracking and processing device for vulnerabilities of the internet of things is provided, the device including an acquisition module for acquiring vulnerability data; the first updating module is used for updating the historical equipment information table and the historical vulnerability information table according to the vulnerability data and generating a current equipment information table and a current vulnerability information table; the second updating module is used for updating the multidimensional knowledge map according to the current equipment information table and the current vulnerability information table, wherein the multidimensional knowledge map is constructed on the basis of the historical equipment information table and the historical vulnerability information table; the device information table is used for storing device information related to the vulnerability of the Internet of things, and the vulnerability information table is used for storing basic information of the vulnerability of the Internet of things.
In a third aspect of the present application, an electronic device is presented, comprising a memory having a computer program stored thereon and a processor that, when executing the program, performs the method according to any of the first aspect.
In a fourth aspect of the application, a computer-readable storage medium is presented, on which a computer program is stored which, when executed by a processor, carries out the method according to any one of the first aspects.
In summary, the present application includes at least one of the following beneficial technical effects:
1. Internet of things vulnerabilities are classified efficiently and at fine granularity, the relation between an internet of things vulnerability and its associated equipment manufacturer and equipment type is displayed through the knowledge map, and security researchers can directly and rapidly analyse the relations between vulnerabilities, so that data support is provided for subsequent processing.
2. Information related to internet of things vulnerabilities is updated in time, so that security researchers obtain the latest information in time.
3. Manual work is reduced: vulnerability information is processed automatically, with wide coverage.
Drawings
The above and other features, advantages and aspects of various embodiments of the present application will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. In the drawings, like or similar reference characters designate like or similar elements, and wherein:
fig. 1 shows a block diagram of an electronic device according to an embodiment of the present application.
Fig. 2 is a flowchart illustrating a dynamic tracking and processing method for vulnerabilities of the internet of things according to an embodiment of the present application.
Fig. 3 is a schematic block diagram of a dynamic vulnerability tracking and processing device of the internet of things in the embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In addition, the term "and/or" herein is only one kind of association relationship describing an associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship, unless otherwise specified.
With the development and innovation of internet of things technology, a large number of internet of things devices are continuously connected to the network, and because some of these devices lack continuous official technical support and patch update programs, a large number of known vulnerabilities are generated. However, existing international mainstream vulnerability sharing platforms do not perform special fine-grained classification of internet of things vulnerabilities, and domestic mainstream vulnerability disclosure platforms classify them manually or semi-automatically, so internet of things vulnerabilities are obtained with a certain delay and these platforms cannot meet the high-timeliness requirement of security researchers who process internet of things vulnerabilities. Classifying internet of things vulnerabilities efficiently and at fine granularity so that they can be analysed, and so that data support can be provided for subsequent security detection, threat early warning and the like, has therefore become a problem that urgently needs to be solved.
Next, a system architecture according to an embodiment of the present application will be described. It should be noted that the system architecture and the service scenario described in the embodiment of the present application are for more clearly illustrating the technical solution of the embodiment of the present application, and do not constitute a limitation to the technical solution provided in the embodiment of the present application, and as a person having ordinary skill in the art knows that along with the evolution of the network architecture and the appearance of a new service scenario, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems.
Fig. 1 shows a block diagram of an electronic device according to an embodiment of the present application.
Referring to fig. 1, an electronic device 100 includes a processor 101 and a memory 103. Wherein the processor 101 is coupled to the memory 103, such as via a bus 102. Optionally, the electronic device 100 may also include a transceiver 104. It should be noted that the transceiver 104 is not limited to one in practical applications, and the structure of the electronic device 100 does not constitute a limitation to the embodiments of the present application.
The processor 101 may be a CPU (Central Processing Unit), a general-purpose processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof, and may implement or perform the various illustrative logical blocks, modules and circuits described in connection with the disclosure. The processor 101 may also be a combination of computing functions, e.g., one or more microprocessors, or a DSP together with a microprocessor.
Bus 102 may include a path that conveys information between the aforementioned components. The bus 102 may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus 102 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 1, but it is not intended that there be only one bus or one type of bus.
The memory 103 may be a ROM (Read Only Memory) or other type of static storage device that can store static information and instructions, a RAM (Random Access Memory) or other type of dynamic storage device that can store information and instructions, an EEPROM (Electrically Erasable Programmable Read Only Memory), a CD-ROM (Compact Disc Read Only Memory) or other optical disc storage, optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disc storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these.
The memory 103 is used for storing application program codes for executing the scheme of the application, and is controlled by the processor 101 to execute. The processor 101 is configured to execute the application program codes stored in the memory 103 to implement the method for dynamically tracking and processing the vulnerability of the internet of things.
Electronic devices include, but are not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers) and the like, and fixed terminals such as digital TVs, desktop computers and the like. It should be noted that the electronic device shown in fig. 1 is only an example and should not limit the functions and scope of use of the embodiments of the present application.
Fig. 2 is a flowchart illustrating a dynamic tracking and processing method for vulnerabilities of the internet of things according to an embodiment of the present application, as shown in fig. 2, the method includes,
step S201, vulnerability data is collected.
In step S201, vulnerability data may be collected at regular intervals or at a preset frequency, and vulnerability information disclosed on platforms across the whole network is collected incrementally. Specifically, the vulnerability data may be collected by a crawler program or by calling an API. The vulnerability data collected by the present application includes vulnerability information data, Poc data and threat information data. The vulnerability information data specifically includes the CVE number of a vulnerability (its Common Vulnerabilities and Exposures identifier), vulnerability description information, CVSS information (the Common Vulnerability Scoring System, an industry public standard designed to rate the severity of a vulnerability and help determine the urgency and importance of the required response), the vulnerability type, related links, and the CPE (Common Platform Enumeration) corresponding to the vulnerability. Because vulnerability information data comes from different collection sources, it may be written in different languages, so vulnerability information data collected from different sources is stored in different databases; vulnerability information data in the same language may also be stored in the same database, and databases may be created according to the actual collection situation. In the application, vulnerability data is preferably collected incrementally, so in some application embodiments the collected vulnerability data needs to be deduplicated and fused. In particular, since vulnerability information data carries a CVE number as its unique identity, it can be deduplicated and fused on the basis of the CVE number; in one achievable manner, deduplication can be performed using the database or according to the HTTP (Hypertext Transfer Protocol) cache mechanism.
In one example, if two vulnerability information records A and B collected from different sites have the same CVE number, and A has vulnerability title information while B does not, the vulnerability title in A is taken as the title of the vulnerability; if the CVSS risk scores of A and B are consistent, one of the two vulnerability titles is taken. After deduplication and fusion, the language of the vulnerability information data is unified and the data is stored in a non-relational database.
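The deduplication and fusion step, as an added Python example that is not the patent's or its applicant's code. Records are grouped by CVE number (case-insensitively, since sources differ in formatting), and duplicates are merged field by field following the A/B example above: a field missing from one record is filled from the other, and when both carry a title and the CVSS scores agree the first title seen is kept. The text does not say what happens when the titles differ and the scores disagree; this example keeps the first title and flags the conflict, which is an assumption of the example. The records are constructed with placeholder CVE numbers.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VulnRecord:
    """One vulnerability information record as collected from a single site."""
    cve: str
    source: str
    title: Optional[str] = None
    cvss_score: Optional[float] = None
    description: Optional[str] = None
    cpe_list: list = field(default_factory=list)
    conflict: Optional[str] = None  # set when two sources disagree irreconcilably


def fuse(a: VulnRecord, b: VulnRecord) -> VulnRecord:
    """Merge two records with the same CVE number: fill gaps from the other record,
    keep the first title when both exist and the CVSS scores agree, and flag the
    unspecified case (different titles AND different scores) for human review."""
    if a.cve.upper() != b.cve.upper():
        raise ValueError("fuse() only merges records with the same CVE number")
    merged = VulnRecord(a.cve.upper(), f"{a.source}+{b.source}")
    for name in ("title", "cvss_score", "description"):
        va, vb = getattr(a, name), getattr(b, name)
        setattr(merged, name, va if va is not None else vb)
    merged.cpe_list = list(dict.fromkeys(a.cpe_list + b.cpe_list))  # order-preserving union
    if a.title and b.title and a.title != b.title and a.cvss_score != b.cvss_score:
        merged.conflict = f"title conflict: {a.title!r} vs {b.title!r}"
    return merged


def dedup_and_fuse(records):
    """Deduplicate a collected batch by CVE number, fusing records that share one.
    Returns a dict keyed by upper-cased CVE number."""
    by_cve = {}
    for r in records:
        key = r.cve.upper()
        by_cve[key] = fuse(by_cve[key], r) if key in by_cve else r
    return by_cve


# Constructed sample batch: the same CVE seen on two sites, plus one unrelated record.
RAW_RECORDS = [
    VulnRecord("CVE-0000-0001", "site-A", title="Router admin authentication bypass",
               cvss_score=9.8),
    VulnRecord("cve-0000-0001", "site-B", cvss_score=9.8,
               description="Unauthenticated access to the admin interface",
               cpe_list=["cpe:2.3:o:examplevendor:rt-100_firmware:1.0.2:*:*:*:*:*:*:*"]),
    VulnRecord("CVE-0000-0002", "site-B", title="IP camera RTSP stack overflow",
               cvss_score=7.5),
]

if __name__ == "__main__":
    for cve, rec in dedup_and_fuse(RAW_RECORDS).items():
        print(cve, rec)
```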
Step S202, updating the historical device information table and the historical vulnerability information table according to vulnerability data, and generating a current device information table and a current vulnerability information table.
In an implementation manner, the preset historical device information table and the preset historical vulnerability information table are formed by collecting relevant information of all vulnerabilities of the internet of things disclosed in the network and processing and sorting the relevant information. And the equipment information table and the vulnerability information table are associated through the CVE number of the vulnerability of the Internet of things.
Table 1 is an example of a device information table in the embodiment of the present application, and referring to table 1, the device information table includes four fields of a device manufacturer, a device model, a device type, and a device identifier, and a device information base is created to store the device information table.
[Table 1 is reproduced on the original page only as an image; it lists the four fields device manufacturer, device model, device type and device identifier.]
TABLE 1 Device information table
In this application a vulnerability information base is also created to store the vulnerability information table. The vulnerability information table includes the CVE number, title, CWE (Common Weakness Enumeration), CPE (Common Platform Enumeration), related links, vulnerability type, corresponding device type, device manufacturer, PoC (proof-of-concept code), vulnerability title, remediation measures and the like.
In some embodiments, updating the historical device information table and the historical vulnerability information table according to the vulnerability data is implemented by the following steps:
Step A1: identify Internet of Things vulnerabilities in the vulnerability information data according to the historical device information table.
In step A1, Internet of Things vulnerabilities are identified according to the historical device information table as follows. A device manufacturer dictionary, a device model dictionary, a device type dictionary and a device identifier dictionary are generated from the historical device information table. In this embodiment the historical device information table includes at least the four fields device manufacturer, device model, device type and device identifier, and one dictionary is generated for each field, each dictionary containing the values already stored in the corresponding field of the table; for example, if the device manufacturer field contains six manufacturers C1 to C6, the device manufacturer dictionary is {"C1", "C2", "C3", "C4", "C5", "C6"}, and the other three dictionaries are generated in the same way. The values in the four dictionaries are kept identical to those in the historical device information table: when the table is updated or entries are deleted, the dictionaries are updated or pruned accordingly. Internet of Things vulnerabilities are then identified with the four dictionaries: if at least two of the four dictionaries match the vulnerability information of a vulnerability in the vulnerability information data, that vulnerability is determined to be an Internet of Things vulnerability.
The collected vulnerability information data contains at least vulnerability-related information such as the CVE number, vulnerability description, CVSS information, vulnerability type, related links and the CPE corresponding to the vulnerability, and this information may have been collected incompletely. Taking the case where the collected vulnerability information data contains only one vulnerability, the four dictionaries are matched against the vulnerability information data in turn: the information corresponding to the four fields device manufacturer, device model, device type and device identifier is extracted from the vulnerability information data and looked up in the four dictionaries, and the vulnerability is judged to be an Internet of Things vulnerability as long as at least two dictionaries contain a value present in the vulnerability information data. In some embodiments it may instead be determined whether the information extracted from the vulnerability information data is associated with at least two dictionaries, where association may be decided by keywords; if at least two dictionaries are associated with the vulnerability information data, the vulnerability is determined to be an Internet of Things vulnerability.
Step A2: update the vulnerability information corresponding to the identified Internet of Things vulnerability in the vulnerability information data into the historical device information table and the historical vulnerability information table.
In step A2, when updating the historical device information table, it is first determined whether all four dictionaries of step A1 match the vulnerability information of the vulnerability in the vulnerability information data. If so, the values matched by the four dictionaries are the values of each field of the historical device information table for this Internet of Things vulnerability. Before the record is written into the device information table, the historical device information table is traversed to check whether the record already exists; if it does, the table is not updated, which avoids duplicate storage.
In some embodiments, if at least one of the four dictionaries does not match the vulnerability information of the identified Internet of Things vulnerability, the actual information for the field of the unmatched dictionary is extracted from the vulnerability information data. This extraction first checks whether a CPE list for the Internet of Things vulnerability exists in the vulnerability information data. If it exists, the actual information of the unmatched field (device manufacturer, device model, device type and/or device identifier) is taken from the CPE list. If no CPE list exists, the actual information of the unmatched field is extracted from the vulnerability information data using a pre-trained named entity recognition model.
Most Internet of Things vulnerabilities have a corresponding CPE list, that is, the affected platform is enumerated in the Common Platform Enumeration format. The CPE list has a fixed format and carries the four pieces of information corresponding to the Internet of Things vulnerability: device manufacturer, device model, device type and device identifier. During extraction it is therefore first checked whether the collected vulnerability information data contains a CPE list for the vulnerability; if so, the information can be extracted completely from the list, and if not, the corresponding information is extracted from the vulnerability description by the pre-trained named entity recognition model. In this way the method automatically completes the actual field values and improves the readability and completeness of the vulnerability information.
The information matched in the dictionaries is combined with the extracted actual information to form a record of the Internet of Things vulnerability covering every field of the historical device information table; the complete combined record is written into the historical device information table, producing the current device information table. After the historical device information table has been updated, the four dictionaries are regenerated from the current device information table. In one implementation, when device manufacturer, device model, device type and/or device identifier information has been extracted from the vulnerability information data rather than matched from a dictionary, the record of the Internet of Things vulnerability is marked, re-checked by a security researcher, and only written into the historical device information table once its correctness has been confirmed.
In this embodiment the device manufacturer, device model, device type and device identifier dictionaries are updated in real time from the device information table. This self-expanding dictionary scheme keeps the dictionary contents current and maintains the accuracy of Internet of Things vulnerability identification.
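Steps A1 and A2 above as one added Python example (not the patent's own code): dictionaries are built from the device table, a vulnerability is accepted as an IoT vulnerability when at least two dictionaries match, unmatched fields are completed from a CPE 2.3 string, a record that still has gaps is flagged for researcher review instead of being written, and the dictionaries grow with the table. The device table contents, the CVE ids, the token-matching rule and the mapping of the CPE `part` component onto the device type field are assumptions of this example; the named entity model the page relies on when no CPE exists is not included.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

FIELDS = ("manufacturer", "model", "type", "identifier")

# CPE 2.3 only carries h/o/a as its "part"; mapping it onto the page's device type
# field is this example's assumption, used only when no dictionary matched the type.
PART_LABEL = {"h": "hardware", "o": "firmware", "a": "application"}

# Constructed historical device information table in the Table 1 layout (hypothetical values).
DEVICE_TABLE: List[Dict[str, str]] = [
    {"manufacturer": "acmecam", "model": "ac-200", "type": "camera", "identifier": "fw1.2"},
    {"manufacturer": "acmecam", "model": "ac-300", "type": "camera", "identifier": "fw3.0"},
    {"manufacturer": "routerco", "model": "rx9", "type": "router", "identifier": "2.0.1"},
]

# Constructed incoming vulnerability information data (hypothetical CVE ids).
SAMPLE_VULNS = [
    {"cve": "CVE-2022-0001", "cpe": ["cpe:2.3:h:acmecam:ac-400:fw4.1:*:*:*:*:*:*:*"],
     "description": "Buffer overflow in the AcmeCam AC-400 IP camera web interface"},
    {"cve": "CVE-2022-0002", "cpe": [],
     "description": "Command injection in the RouterCo RX9 router admin page"},
    {"cve": "CVE-2022-0003", "cpe": ["cpe:2.3:a:cmsco:blogplugin:1.0:*:*:*:*:*:*:*"],
     "description": "SQL injection in a web CMS plugin"},
]


def build_dictionaries(table: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """One dictionary per field holding every value currently stored in that field."""
    return {f: {row[f].lower() for row in table if row[f]} for f in FIELDS}


def tokens(text: str) -> Set[str]:
    return set(re.findall(r"[a-z0-9][a-z0-9.\-_]*", text.lower()))


def match_dictionaries(vuln: Dict, dicts: Dict[str, Set[str]]) -> Dict[str, str]:
    """Field -> dictionary value found in the description or the CPE strings."""
    toks = tokens(vuln.get("description", "") + " " + " ".join(vuln.get("cpe", [])))
    return {f: sorted(dicts[f] & toks)[0] for f in FIELDS if dicts[f] & toks}


def is_iot_vulnerability(matches: Dict[str, str]) -> bool:
    """The page's rule: at least two of the four dictionaries must match."""
    return len(matches) >= 2


def parse_cpe23(cpe: str) -> Optional[Dict[str, str]]:
    """Map a CPE 2.3 formatted string onto the four device fields (escaped ':' ignored)."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    part, vendor, product, version = parts[2:6]
    return {"manufacturer": vendor, "model": product,
            "type": PART_LABEL.get(part, part), "identifier": version}


def complete_record(vuln: Dict, matches: Dict[str, str]) -> Tuple[Dict[str, str], bool]:
    """Fill unmatched fields from the CPE list; anything still empty is left for review.
    (The page uses a pre-trained NER model here when no CPE exists; not included.)"""
    record = {f: matches.get(f, "") for f in FIELDS}
    cpe_rows = [p for p in map(parse_cpe23, vuln.get("cpe", [])) if p]
    needs_review = False
    for f in FIELDS:
        if record[f]:
            continue
        value = next((p[f] for p in cpe_rows if p[f] not in ("", "*", "-")), "")
        if value:
            record[f] = value.lower()
        else:
            needs_review = True
    return record, needs_review


def upsert_device(table, dicts, record: Dict[str, str]) -> bool:
    """Append unless an identical row exists; keep the dictionaries in sync (self-expanding)."""
    if any(all(row[f] == record[f] for f in FIELDS) for row in table):
        return False
    table.append(dict(record))
    for f in FIELDS:
        dicts[f].add(record[f])
    return True


def process_vulnerability(vuln: Dict, table, dicts) -> Dict:
    """Steps A1 and A2 for one vulnerability record."""
    matches = match_dictionaries(vuln, dicts)
    if not is_iot_vulnerability(matches):
        return {"cve": vuln["cve"], "iot": False}
    record, needs_review = complete_record(vuln, matches)
    added = False if needs_review else upsert_device(table, dicts, record)
    return {"cve": vuln["cve"], "iot": True, "record": record,
            "needs_review": needs_review, "added": added}


def run_sample() -> List[Dict]:
    table = [dict(r) for r in DEVICE_TABLE]
    dicts = build_dictionaries(table)
    return [process_vulnerability(v, table, dicts) for v in SAMPLE_VULNS]
```

On the constructed input, the first record matches the manufacturer and type dictionaries, takes model and identifier from its CPE string and is written to the table (so the model dictionary now also contains `ac-400`); the second matches three dictionaries but has no CPE to supply the identifier and is held for review; the third matches nothing and is not an IoT vulnerability.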
When the historical vulnerability information table is updated, the pre-trained named entity recognition model can be used to extract, from the vulnerability information data, the information corresponding to each field of the historical vulnerability information table and write it into the table. Information identical to what the table already holds is left unchanged; only information that is absent from, or differs from, the entry for the corresponding Internet of Things vulnerability in the historical vulnerability information table is updated.
Step A3: determine, according to the updated historical vulnerability information table, whether Internet of Things vulnerabilities exist in the PoC data and the threat intelligence data.
After the historical device information table and the historical vulnerability information table have been updated from the vulnerability information data, it is determined according to the updated historical vulnerability information table whether Internet of Things vulnerabilities exist in the PoC data and the threat intelligence data. The historical vulnerability information table stores at least the CVE number of each Internet of Things vulnerability, and the PoC data and threat intelligence data contain at least the CVE numbers of the vulnerabilities they were collected for. CVE numbers that appear in both the PoC data and the threat intelligence data are extracted with a regular expression. Only CVE numbers present in both are kept because the vulnerability information in threat intelligence data may be false, duplicated or incomplete, whereas a PoC is proof-of-concept code: if a CVE number reported in the threat intelligence also appears in the PoC data, the corresponding vulnerability has been verified or is highly associated with it and really exists, which improves the accuracy of the threat intelligence data. The extracted CVE numbers are then compared with the CVE number of each Internet of Things vulnerability in the historical vulnerability information table; if a CVE number is found in the table, it is determined that the corresponding Internet of Things vulnerability exists in the PoC data and the threat intelligence data.
Step A4: if so, update the PoC data and threat intelligence data corresponding to the determined Internet of Things vulnerability into the historical vulnerability information table.
In step A4, the PoC data and threat intelligence data corresponding to the Internet of Things vulnerability determined in step A3 are written into the historical vulnerability information table, that is, the PoC data and/or the URL of the threat intelligence data corresponding to the vulnerability are added to the table. This completes the update of the historical vulnerability information table and produces the current vulnerability information table.
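Steps A3 and A4 as an added Python example (not the patent's own code): CVE numbers are pulled from PoC and threat intelligence text with a regular expression, only numbers present in both sets are kept, those are checked against the vulnerability table, and the matching PoC and intelligence URLs are attached. All ids, URLs and texts are constructed, and the table is reduced to the fields this step touches.

```python
import re
from typing import Dict, List, Set

# CVE ids are matched case-insensitively; sources often write "cve-2022-0001".
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)

# Constructed historical vulnerability information table (subset of fields, hypothetical ids).
VULN_TABLE: Dict[str, Dict] = {
    "CVE-2022-0001": {"title": "AcmeCam AC-400 buffer overflow", "poc": [], "intel_urls": []},
    "CVE-2022-0002": {"title": "RouterCo RX9 command injection", "poc": [], "intel_urls": []},
}

# Constructed PoC and threat intelligence items as collected.
POC_DATA = [
    {"url": "https://poc.example/1", "text": "Exploit for cve-2022-0001 against AcmeCam AC-400"},
    {"url": "https://poc.example/2", "text": "PoC for CVE-2022-0009 in an unrelated web app"},
]
INTEL_DATA = [
    {"url": "https://intel.example/r1",
     "text": "Campaign exploiting CVE-2022-0001 and CVE-2022-0009 in the wild"},
    {"url": "https://intel.example/r2",
     "text": "Report mentions CVE-2022-0002; no public PoC observed"},
    {"url": "https://intel.example/r3", "text": "Duplicate report: CVE-2022-0001 again"},
]


def fresh_table() -> Dict[str, Dict]:
    """Working copy of the table so repeated runs start from the same state."""
    return {cve: {"title": v["title"], "poc": list(v["poc"]), "intel_urls": list(v["intel_urls"])}
            for cve, v in VULN_TABLE.items()}


def extract_cves(items: List[Dict]) -> Dict[str, Set[str]]:
    """CVE id (upper-cased) -> set of item URLs that mention it."""
    found: Dict[str, Set[str]] = {}
    for item in items:
        for cve in CVE_RE.findall(item["text"]):
            found.setdefault(cve.upper(), set()).add(item["url"])
    return found


def link_poc_and_intel(table: Dict[str, Dict], poc_items: List[Dict],
                       intel_items: List[Dict]) -> List[str]:
    """Steps A3 and A4: a CVE counts only if it appears in both the PoC data and the
    intelligence data and is already a known IoT vulnerability; then attach the URLs."""
    poc = extract_cves(poc_items)
    intel = extract_cves(intel_items)
    confirmed = set(poc) & set(intel)          # intel backed by a PoC
    hits = sorted(confirmed & set(table))      # and known in the IoT vulnerability table
    for cve in hits:
        table[cve]["poc"] = sorted(set(table[cve]["poc"]) | poc[cve])
        table[cve]["intel_urls"] = sorted(set(table[cve]["intel_urls"]) | intel[cve])
    return hits


def new_intel_to_push(table: Dict[str, Dict], hits: List[str]) -> Dict[str, List[str]]:
    """The intelligence a security researcher is notified about after a run."""
    return {cve: table[cve]["intel_urls"] for cve in hits}
```

CVE-2022-0009 appears in both sets but is not in the table, so it is ignored; CVE-2022-0002 is known but appears only in intelligence, so nothing is attached to it. Because the attached lists are unioned, re-running the step on the same input changes nothing.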
In some embodiments, the threat intelligence data newly added to the current vulnerability information table is pushed to a security researcher, so that the researcher can both verify the threat intelligence and obtain it in time to handle the related vulnerabilities promptly.
Step S203: update the multidimensional knowledge graph according to the current device information table and the current vulnerability information table, where the multidimensional knowledge graph is constructed from the historical device information table and the historical vulnerability information table.
In this embodiment, once the historical device information table and the historical vulnerability information table have been preset, an initial knowledge graph can be constructed from the association between the two tables. In this application the knowledge graph is constructed along two dimensions: Internet of Things vulnerabilities are grouped by device manufacturer, using the existing values of the device manufacturer field of the historical device information table, and they are grouped by device type, using the existing values of the device type field. In some embodiments a knowledge graph of further dimensions may also be constructed from the other fields of the historical device information table.
The constructed knowledge graph also records the relevance between vulnerabilities. The relevance takes values from 0 to 5 and is calculated from five dimensions as shown in the relevance calculation table, Table 2: for each dimension the value is 1 if the two vulnerabilities have the same value in that dimension and 0 otherwise, and the relevance is the sum of the five dimension values.
[Table 2 is reproduced on the original page only as an image; it lists the five dimensions over which the relevance between two vulnerabilities is summed.]
TABLE 2 Relevance calculation table
Each time vulnerability data is collected and the historical device information table and historical vulnerability information table are updated, the knowledge graph must be updated accordingly. When a new threat report on an Internet of Things vulnerability is received, the knowledge graph can then supply security researchers with the latest association relationships of that vulnerability, letting them handle it quickly and providing strong data support for their work.
It is noted that, while for simplicity of explanation the foregoing method embodiments have been described as a series of acts or a combination of acts, those skilled in the art will appreciate that the present disclosure is not limited by the order of the acts, since in accordance with the present disclosure some steps may occur in other orders or concurrently. Further, those skilled in the art should also appreciate that the embodiments described in the specification are exemplary embodiments and that the acts and modules referred to are not necessarily required by the disclosure.
The above is a description of embodiments of the method, and the embodiments of the apparatus are further described below.
Fig. 3 is a schematic block diagram of an apparatus for dynamically tracking and processing vulnerabilities of the internet of things in the embodiment of the present application, and with reference to fig. 3, the apparatus includes:
the acquisition module 301 is configured to acquire vulnerability data.
The first updating module 302 is configured to update the historical device information table and the historical vulnerability information table according to the vulnerability data, and generate a current device information table and a current vulnerability information table.
The second updating module 303 is configured to update the multidimensional knowledge graph according to the current device information table and the current vulnerability information table, where the multidimensional knowledge graph is constructed from the historical device information table and the historical vulnerability information table.
The device information table is used for storing device information related to the vulnerability of the Internet of things, and the vulnerability information table is used for storing basic information of the vulnerability of the Internet of things.
In some embodiments, the vulnerability data includes vulnerability information data, PoC data and threat intelligence data, and the first updating module is specifically configured to identify Internet of Things vulnerabilities in the vulnerability information data according to the historical device information table; update the vulnerability information corresponding to the identified Internet of Things vulnerability in the vulnerability information data into the historical device information table and the historical vulnerability information table; determine, according to the updated historical vulnerability information table, whether Internet of Things vulnerabilities exist in the PoC data and the threat intelligence data; and, if so, update the PoC data and threat intelligence data corresponding to the determined Internet of Things vulnerability into the historical vulnerability information table.
In some application embodiments, the apparatus further includes a processing module, configured to perform deduplication and fusion processing on the collected vulnerability data.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the described module may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
The present application provides a computer-readable storage medium, on which a computer program is stored, which, when running on a computer, enables the computer to execute the corresponding content in the foregoing method embodiments.
It should be understood that, although the steps in the flowcharts of the figures are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless otherwise indicated herein, the steps are not strictly limited to the order shown and may be performed in other orders. Moreover, at least some of the steps in the flowcharts may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and not necessarily in sequence; they may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
The foregoing describes only some embodiments of the present application. It should be noted that those skilled in the art can make several modifications and improvements without departing from the principle of the present application, and these modifications and improvements should also be regarded as falling within the protection scope of the present application.

Claims (10)

1. A method for dynamically tracking and processing vulnerabilities of the Internet of Things, characterized by comprising the following steps:
collecting vulnerability data;
updating a historical device information table and a historical vulnerability information table according to the vulnerability data, and generating a current device information table and a current vulnerability information table;
updating a multidimensional knowledge graph according to the current device information table and the current vulnerability information table, wherein the multidimensional knowledge graph is constructed from the historical device information table and the historical vulnerability information table;
the device information table is used for storing device information related to the vulnerability of the Internet of things, and the vulnerability information table is used for storing basic information of the vulnerability of the Internet of things.
2. The method for dynamically tracking and processing vulnerabilities of the Internet of Things according to claim 1, wherein the vulnerability data includes vulnerability information data, PoC data and threat intelligence data, and updating the historical device information table and the historical vulnerability information table according to the vulnerability data includes:
identifying the vulnerability of the Internet of things in the vulnerability information data according to a historical equipment information table;
updating the vulnerability information corresponding to the identified IOT vulnerability in the vulnerability information data into the historical equipment information table and the historical vulnerability information table;
determining, according to the updated historical vulnerability information table, whether an Internet of Things vulnerability exists in the PoC data and the threat intelligence data;
and if so, updating the PoC data and threat intelligence data corresponding to the determined Internet of Things vulnerability into the historical vulnerability information table.
3. The method for dynamically tracking and processing the vulnerability of the internet of things according to claim 2, wherein identifying the vulnerability of the internet of things in the vulnerability information data according to a historical device information table comprises:
generating an equipment manufacturer dictionary, an equipment model dictionary, an equipment type dictionary and an equipment identification dictionary according to the historical equipment information table;
and if at least two dictionaries in the four dictionaries are matched with vulnerability information corresponding to vulnerabilities in the vulnerability information data, determining that the vulnerability is an Internet of things vulnerability.
4. The method for dynamically tracking and processing the vulnerability of the internet of things according to claim 3, wherein the updating of the vulnerability information corresponding to the identified vulnerability of the internet of things in the vulnerability information data to the historical device information table and the historical vulnerability information table comprises:
if at least one dictionary in the four dictionaries is not matched with the corresponding vulnerability information of the identified IOT vulnerability in the vulnerability information data, extracting the actual information of the IOT vulnerability corresponding to the unmatched dictionary from the vulnerability information data;
combining the matched information in the dictionary and the extracted actual information and updating the combined information into the historical equipment information table;
and extracting information corresponding to each field in the historical vulnerability information table from the vulnerability information data and updating the information into the historical vulnerability information table.
5. The method for dynamically tracking and processing the vulnerability of the internet of things according to claim 4, wherein extracting the actual information of the vulnerability of the internet of things corresponding to the unmatched dictionary from the vulnerability information data comprises:
judging whether a CPE list of the vulnerability of the Internet of things exists in the vulnerability information data;
if yes, acquiring equipment manufacturer information, equipment model information, equipment type information and/or equipment identification information of the vulnerability of the Internet of things in the CPE list;
if not, extracting equipment manufacturer information, equipment model information, equipment type information and/or equipment identification information of the vulnerability of the Internet of things from the vulnerability information data based on the pre-trained named entity model.
6. The method for dynamically tracking and processing vulnerabilities of the Internet of Things according to claim 2, wherein the historical vulnerability information table, the PoC data and the threat intelligence data each contain at least CVE numbers, and determining, according to the updated historical vulnerability information table, whether an Internet of Things vulnerability exists in the PoC data and the threat intelligence data includes:
extracting the CVE numbers that appear in both the PoC data and the threat intelligence data, and judging whether each such CVE number exists in the historical vulnerability information table;
and if so, determining that the Internet of Things vulnerability exists in the PoC data and the threat intelligence data.
7. The method for dynamically tracking and processing the vulnerability of the internet of things according to claim 1, wherein before the updating of the historical device information table and the historical vulnerability information table according to the vulnerability data, the method further comprises:
and carrying out duplicate removal and fusion processing on the acquired vulnerability data.
8. A device for dynamically tracking and processing vulnerabilities of the Internet of Things, characterized by comprising:
the acquisition module is used for acquiring vulnerability data;
the first updating module is used for updating the historical equipment information table and the historical vulnerability information table according to the vulnerability data and generating a current equipment information table and a current vulnerability information table;
the second updating module is used for updating the multidimensional knowledge graph according to the current device information table and the current vulnerability information table, wherein the multidimensional knowledge graph is constructed from the historical device information table and the historical vulnerability information table;
the device information table is used for storing device information related to the vulnerability of the Internet of things, and the vulnerability information table is used for storing basic information of the vulnerability of the Internet of things.
9. An electronic device comprising a memory and a processor, the memory having stored thereon a computer program, wherein the processor, when executing the program, implements the method of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the method according to any one of claims 1 to 7.
CN202210409775.9A 2022-04-19 2022-04-19 Method and device for dynamically tracking and processing vulnerability of Internet of things, electronic equipment and medium Active CN114817929B (en)

Publications (2)

Publication Number Publication Date
CN114817929A true CN114817929A (en) 2022-07-29
CN114817929B CN114817929B (en) 2022-11-22

Family

ID=82504791


Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106161426A (en) * 2016-06-08 2016-11-23 北京工业大学 A vulnerability scanning method applied to the industrial Internet of Things
CN107154940A (en) * 2017-05-11 2017-09-12 济南大学 An Internet of Things vulnerability scanning system and scanning method
KR101850098B1 (en) * 2017-11-21 2018-04-19 한국인터넷진흥원 Method for generating document to share vulnerability information, system and apparatus thereof
CN109218336A (en) * 2018-11-16 2019-01-15 北京知道创宇信息技术有限公司 Vulnerability defence method and system
CN109542846A (en) * 2018-11-16 2019-03-29 重庆邮电大学 An Internet of Things vulnerability information management system based on data virtualization
US20190147167A1 (en) * 2017-11-15 2019-05-16 Korea Internet & Security Agency Apparatus for collecting vulnerability information and method thereof
CN110321708A (en) * 2019-03-21 2019-10-11 北京天防安全科技有限公司 A rapid vulnerability scanning method and system based on asset class
CN110391937A (en) * 2019-07-25 2019-10-29 哈尔滨工业大学 An Internet of Things honeynet system based on SOAP service simulation
JP2020021309A (en) * 2018-08-01 2020-02-06 株式会社野村総合研究所 Vulnerability management system and program
CN111310195A (en) * 2020-03-27 2020-06-19 北京双湃智安科技有限公司 Security vulnerability management method, device, system, equipment and storage medium
CN112671716A (en) * 2020-12-03 2021-04-16 中国电子科技网络信息安全有限公司 Vulnerability knowledge mining method and system based on a knowledge graph
CN112699382A (en) * 2021-03-25 2021-04-23 哈尔滨工业大学(深圳)(哈尔滨工业大学深圳科技创新研究院) Internet of Things network security risk assessment method and device and computer storage medium
CN112749396A (en) * 2021-01-21 2021-05-04 恒安嘉新(北京)科技股份公司 Method, device, equipment and storage medium for constructing a security vulnerability knowledge graph
CN113315767A (en) * 2021-05-26 2021-08-27 国网山东省电力公司电力科学研究院 Electric power Internet of Things equipment security detection system and method
CN113407946A (en) * 2021-06-19 2021-09-17 西安电子科技大学 Intelligent protection method and system for IoT equipment
CN113609261A (en) * 2021-08-25 2021-11-05 北京华云安信息技术有限公司 Vulnerability information mining method and device based on a network information security knowledge graph
CN113704767A (en) * 2021-08-10 2021-11-26 北京凌云信安科技有限公司 Vulnerability management system fusing a vulnerability scanning engine and vulnerability worksheet management
CN114168968A (en) * 2021-12-08 2022-03-11 四川启睿克科技有限公司 Vulnerability mining method based on Internet of Things device fingerprints

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
NATALIIA NESHENKO et al.: "Demystifying IoT Security: An Exhaustive Survey on IoT Vulnerabilities and a First Empirical Look on Internet-Scale IoT Exploitations", IEEE COMMUNICATIONS SURVEYS & TUTORIALS *
兰昆 et al.: "Research on an IoT Vulnerability Classification Method Combining Quantitative and Qualitative Approaches", 《通信技术》 (Communications Technology) *
赵月: "Research and Implementation of an IoT Device Identification and Vulnerability Discovery Scheme", 《中国优秀硕士学位论文全文数据库信息科技辑》 (China Master's Theses Full-text Database, Information Science and Technology series) *
郭锡泉: "Construction of an Information Security Vulnerability Knowledge Base Based on Domain Ontology", 《信息安全研究》 (Journal of Information Security Research) *

Also Published As

Publication number Publication date
CN114817929B (en) 2022-11-22

Similar Documents

Publication Publication Date Title
US11250137B2 (en) Vulnerability assessment based on machine inference
CN112579155B (en) Code similarity detection method and device and storage medium
JP2013504118A (en) Information retrieval based on query semantic patterns
CN111177719B (en) Address category determination method, device, computer-readable storage medium and apparatus
CN103455758A (en) Method and device for identifying malicious website
CN115827895A (en) Vulnerability knowledge graph processing method, device, equipment and medium
CN115150261B (en) Alarm analysis method, device, electronic equipment and storage medium
CN115174250B (en) Network asset security assessment method and device, electronic equipment and storage medium
CN111460803B (en) Equipment identification method based on Web management page of industrial Internet of things equipment
CN114493255A (en) Enterprise abnormity monitoring method based on knowledge graph and related equipment thereof
CN110008701B (en) Static detection rule extraction method and detection method based on ELF file characteristics
WO2023035362A1 (en) Polluted sample data detecting method and apparatus for model training
CN114139161A (en) Method, device, electronic equipment and medium for batch vulnerability detection
CN108804917B (en) File detection method and device, electronic equipment and storage medium
CN111221690B (en) Model determination method and device for integrated circuit design and terminal
CN116821903A (en) Detection rule determination and malicious binary file detection method, device and medium
CN111722998B (en) Code quality control method, system, equipment and storage medium
CN116860311A (en) Script analysis method, script analysis device, computer equipment and storage medium
CN114817929B (en) Method and device for dynamically tracking and processing vulnerability of Internet of things, electronic equipment and medium
CN110765100A (en) Label generation method and device, computer readable storage medium and server
CN114816518A (en) Simhash-based open source component screening and identifying method and system in source code
CN112187768B (en) Method, device and equipment for detecting bad information website and readable storage medium
WO2014107350A2 (en) Expeditious citation indexing
US11347722B2 (en) Big data regression verification method and big data regression verification apparatus
CN112445710B (en) Test method, test device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant