CN116846540B - Equipment manufacturer presumption method, equipment, storage medium and device - Google Patents

Equipment manufacturer presumption method, equipment, storage medium and device Download PDF

Info

Publication number
CN116846540B
CN116846540B CN202310575424.XA CN202310575424A CN116846540B CN 116846540 B CN116846540 B CN 116846540B CN 202310575424 A CN202310575424 A CN 202310575424A CN 116846540 B CN116846540 B CN 116846540B
Authority
CN
China
Prior art keywords
firmware
file
tested
occurrence
analysis result
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310575424.XA
Other languages
Chinese (zh)
Other versions
CN116846540A (en
Inventor
袁静
刘阳
高强
张伟
陈禹
徐峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Computer Network and Information Security Management Center
Original Assignee
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National Computer Network and Information Security Management Center filed Critical National Computer Network and Information Security Management Center
Priority to CN202310575424.XA priority Critical patent/CN116846540B/en
Publication of CN116846540A publication Critical patent/CN116846540A/en
Application granted granted Critical
Publication of CN116846540B publication Critical patent/CN116846540B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to the technical field of network security, and discloses a device manufacturer presumption method, device, storage medium and device, wherein the method comprises the following steps: analyzing the co-occurrence frequency of a file list of the firmware to be tested in a firmware database to obtain a file co-occurrence analysis result, analyzing the co-occurrence frequency of a software package list of the firmware to be tested in the firmware database to obtain a software package co-occurrence analysis result, analyzing the co-occurrence frequency of a known vulnerability list of the firmware to be tested in the firmware database to obtain a vulnerability co-occurrence analysis result, and presuming equipment manufacturer information of the firmware to be tested according to the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result; according to the method and the device, the device manufacturer information of the firmware is comprehensively presumed from three dimensions of file co-occurrence similarity analysis, software package co-occurrence similarity analysis and vulnerability co-occurrence similarity analysis, so that the device manufacturer information of the firmware can be accurately obtained.

Description

Equipment manufacturer presumption method, equipment, storage medium and device
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a device manufacturer presumption method, a device, a storage medium, and a device.
Background
In recent years, as the number and variety of internet of things (Internet of Things, ioT) devices accessing the internet are rapidly increasing, the internet of things devices are almost integrated into various industries, such as industry, energy industry, etc., and once the internet of things devices are maliciously utilized, the internet of things devices will have a wide influence.
Therefore, in order to ensure the security of the internet of things device, in the prior art, the firmware of the internet of things device is generally analyzed to detect the vulnerability of the internet of things device. However, in practical applications, the firmware analysis scene is usually a black box analysis scene, and reliable equipment manufacturer information cannot be directly obtained.
The foregoing is provided merely for the purpose of facilitating understanding of the technical solutions of the present invention and is not intended to represent an admission that the foregoing is prior art.
Disclosure of Invention
The invention mainly aims to provide a device manufacturer presumption method, device, storage medium and device, and aims to solve the technical problem that in the prior art, a firmware analysis scene is usually a black box analysis scene and reliable firmware information cannot be directly obtained.
In order to achieve the above object, the present invention provides an equipment manufacturer estimation method, comprising the steps of:
analyzing the co-occurrence frequency of a file list of the firmware to be tested in a firmware database to obtain a file co-occurrence analysis result;
Analyzing the co-occurrence frequency of the software package list of the firmware to be tested in the firmware database to obtain a software package co-occurrence analysis result;
analyzing the co-occurrence frequency of the known vulnerability list of the firmware to be tested in the firmware database to obtain a vulnerability co-occurrence analysis result;
and presuming equipment manufacturer information of the firmware to be tested according to the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result.
Optionally, the analyzing the co-occurrence frequency of the file list of the firmware to be tested in the firmware database to obtain the file co-occurrence analysis result includes:
unpacking the firmware to be tested to obtain a file list of the firmware to be tested;
calculating hash values of all files in the file list;
and analyzing the co-occurrence frequency of the file list of the firmware to be tested in the firmware database based on the hash value to obtain a file co-occurrence analysis result.
Optionally, the unpacking the firmware to be tested to obtain a file list of the firmware to be tested includes:
extracting a firmware compression packet corresponding to the firmware to be tested, and decompressing the firmware compression packet;
when decompression fails, performing password cracking on the firmware compression packet to obtain an encrypted password of the firmware compression packet;
And decompressing the firmware compression packet again based on the encryption password to obtain a file list of the firmware to be tested.
Optionally, the decompressing the compressed packet again based on the encryption password to obtain the file list of the firmware to be tested includes:
decompressing the firmware compressed package again based on the encryption password to obtain a firmware root file image;
and unpacking the firmware root file image according to the unpacking script corresponding to the firmware root file image to obtain a file list of the firmware to be tested.
Optionally, the unpacking the firmware root file image according to the unpacking script corresponding to the firmware root file image to obtain the file list of the firmware to be tested includes:
unpacking the firmware root file image according to the unpacking script corresponding to the firmware root file image to obtain a firmware root file system;
traversing the files in the firmware root file system to obtain a file list of the firmware to be tested.
Optionally, the device vendor speculation method further comprises:
acquiring firmware data reported by Internet of things equipment, and collecting resource data of equipment manufacturers corresponding to the Internet of things equipment;
Aggregating the firmware data and the resource data to obtain aggregated data;
and generating a firmware database based on the aggregated data.
Optionally, the generating a firmware database based on the aggregated data includes:
extracting data characteristics of the aggregated data;
carrying out data reasoning according to a natural language processing model and the data characteristics to obtain reasoning data corresponding to the aggregated data;
a firmware database is generated based on the aggregated data and the reasoning data.
Optionally, the analyzing the co-occurrence frequency of the known vulnerability list of the firmware to be tested in the firmware database, before obtaining the vulnerability co-occurrence analysis result, further includes:
traversing configuration files in the file list, and carrying out file analysis on the configuration files to obtain file analysis results;
performing entropy analysis on the firmware to be tested to obtain an entropy analysis result;
calling a preset script to traverse the file list to obtain sensitive file information in the file list;
and generating a known vulnerability list of the firmware to be tested based on the file analysis result, the entropy analysis result and the sensitive file information.
Optionally, the performing entropy analysis on the firmware to be tested to obtain an entropy analysis result includes:
Performing entropy analysis on the firmware to be tested to obtain a continuous change curve of data bits in a firmware file;
and analyzing the encryption characteristics of the firmware to be tested based on the continuous change curve to obtain an entropy analysis result.
Optionally, the predicting the equipment manufacturer information of the firmware to be tested according to the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result includes:
determining a firmware presumption model according to the firmware type of the firmware to be detected;
generating weight values corresponding to all analysis results based on the firmware presumption model;
and predicting equipment manufacturer information of the firmware to be tested according to the file co-occurrence analysis result, the software package co-occurrence analysis result, the vulnerability co-occurrence analysis result and the weight value.
Optionally, after the device vendor information of the firmware to be tested is presumed according to the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result, the method further includes:
performing vulnerability analysis on each Internet of things device according to the device manufacturer information to obtain a vulnerability analysis result;
and determining the influence range of the loopholes of each device based on the loophole analysis result.
In addition, in order to achieve the above object, the present invention also proposes a device vendor estimation device including a memory, a processor, and a device vendor estimation program stored on the memory and executable on the processor, the device vendor estimation program being configured to implement the device vendor estimation method as described above.
In addition, in order to achieve the above object, the present invention also proposes a storage medium having stored thereon a device vendor estimation program that, when executed by a processor, implements the device vendor estimation method as described above.
In addition, in order to achieve the above object, the present invention also provides an equipment manufacturer estimation device including: the system comprises a file analysis module, a software package analysis module, a vulnerability analysis module and an information speculation module;
the file analysis module is used for analyzing the co-occurrence frequency of a file list of the firmware to be tested in the firmware database to obtain a file co-occurrence analysis result;
the software package analysis module is used for analyzing the co-occurrence frequency of the software package list of the firmware to be tested in the firmware database to obtain a software package co-occurrence analysis result;
The vulnerability analysis module is used for analyzing the co-occurrence frequency of the known vulnerability list of the firmware to be tested in the firmware database to obtain a vulnerability co-occurrence analysis result;
and the information speculation module is used for speculating equipment manufacturer information of the firmware to be tested according to the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result.
Optionally, the file analysis module is further configured to unpack the firmware to be tested to obtain a file list of the firmware to be tested;
the file analysis module is further used for calculating hash values of all files in the file list;
and the file analysis module is also used for analyzing the co-occurrence frequency of the file list of the firmware to be tested in the firmware database based on the hash value to obtain a file co-occurrence analysis result.
Optionally, the file analysis module is further configured to extract a firmware compression packet corresponding to the firmware to be tested, and decompress the firmware compression packet;
the file analysis module is further used for performing password cracking on the firmware compression packet when decompression fails to obtain an encrypted password of the firmware compression packet;
and the file analysis module is further used for decompressing the firmware compression packet again based on the encryption password to obtain a file list of the firmware to be tested.
Optionally, the file analysis module is further configured to decompress the firmware compressed packet again based on the encryption password to obtain a firmware root file image;
the file analysis module is further configured to unpack the firmware root file image according to an unpacking script corresponding to the firmware root file image, so as to obtain a file list of the firmware to be tested.
Optionally, the file analysis module is further configured to unpack the firmware root file image according to an unpacking script corresponding to the firmware root file image to obtain a firmware root file system;
the file analysis module is further used for traversing files in the firmware root file system to obtain a file list of the firmware to be tested.
Optionally, the device vendor speculation means further comprises: a database generation module;
the database generation module is used for acquiring firmware data reported by the Internet of things equipment and collecting resource data of equipment manufacturers corresponding to the Internet of things equipment;
the database generation module is further used for aggregating the firmware data and the resource data to obtain aggregated data;
the database generation module is further used for generating a firmware database based on the aggregation data.
Optionally, the database generating module is further configured to extract data features of the aggregated data;
the database generation module is also used for carrying out data reasoning according to the natural language processing model and the data characteristics to obtain reasoning data corresponding to the aggregated data;
the database generation module is further configured to generate a firmware database based on the aggregate data and the inference data.
Analyzing the co-occurrence frequency of a file list of a firmware to be tested in a firmware database to obtain a file co-occurrence analysis result, analyzing the co-occurrence frequency of a software package list of the firmware to be tested in the firmware database to obtain a software package co-occurrence analysis result, analyzing the co-occurrence frequency of a known vulnerability list of the firmware to be tested in the firmware database to obtain a vulnerability co-occurrence analysis result, and predicting equipment manufacturer information of the firmware to be tested according to the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result; according to the method and the device, the device manufacturer information of the firmware is comprehensively presumed from three dimensions of file co-occurrence similarity analysis, software package co-occurrence similarity analysis and vulnerability co-occurrence similarity analysis, so that the device manufacturer information of the firmware can be accurately obtained.
Drawings
FIG. 1 is a schematic diagram of a device vendor speculation device for a hardware runtime environment in accordance with an embodiment of the present invention;
FIG. 2 is a flow chart of a first embodiment of the apparatus vendor speculation method of the present invention;
FIG. 3 is a flow chart of a second embodiment of the apparatus vendor speculation method of the present invention;
FIG. 4 is a flow chart of a third embodiment of the apparatus vendor speculation method of the present invention;
FIG. 5 is a block diagram of a first embodiment of the apparatus vendor estimation device of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic diagram of a device vendor speculative device structure of a hardware running environment according to an embodiment of the present invention.
As shown in fig. 1, the device vendor speculated device may comprise: a processor 1001, such as a central processing unit (Central Processing Unit, CPU), a communication bus 1002, a user interface 1003, a network interface 1004, a memory 1005. Wherein the communication bus 1002 is used to enable connected communication between these components. The user interface 1003 may include a Display (Display), and the optional user interface 1003 may also include a standard wired interface, a wireless interface, and the wired interface for the user interface 1003 may be a USB interface in the present invention. The network interface 1004 may optionally include a standard wired interface, a Wireless interface (e.g., a Wireless-Fidelity (Wi-Fi) interface). The Memory 1005 may be a high-speed random access Memory (Random Access Memory, RAM) Memory or a stable Memory (NVM), such as a disk Memory. The memory 1005 may also optionally be a storage device separate from the processor 1001 described above.
Those skilled in the art will appreciate that the structure shown in fig. 1 does not constitute a limitation of the device vendor speculated device, and may include more or fewer components than illustrated, or may combine certain components, or may be arranged in different components.
As shown in fig. 1, an operating system, a network communication module, a user interface module, and a device vendor-speculative program may be included in a memory 1005, which is considered to be one type of computer storage medium.
In the equipment manufacturer presumption equipment shown in fig. 1, the network interface 1004 is mainly used for connecting to a background server, and performing data communication with the background server; the user interface 1003 is mainly used for connecting user equipment; the device vendor speculation device invokes a device vendor speculation program stored in memory 1005 via processor 1001 and performs the device vendor speculation method provided by the embodiments of the present invention.
Based on the above hardware structure, an embodiment of the device manufacturer presumption method of the present invention is presented.
Referring to fig. 2, fig. 2 is a flowchart illustrating a first embodiment of an apparatus vendor estimation method according to the present invention.
In a first embodiment, the device vendor speculation method comprises the steps of:
Step S10: and analyzing the co-occurrence frequency of the file list of the firmware to be tested in the firmware database to obtain a file co-occurrence analysis result.
It should be understood that the execution subject of the method of the present embodiment may be a device manufacturer presumption device having data processing, network communication, and program running functions, for example, a computer, an internet of things device, or other electronic devices capable of implementing the same or similar functions, which is not limited in this embodiment.
It should be noted that the firmware to be tested may be firmware of the internet of things device to be tested. The device to be tested can be an internet of things device needing security detection, the device to be tested can be an embedded device connected to a network in a certain mode, the firmware can be software written into hardware devices, and the firmware contains bottom codes and is used for controlling applications and various system functions.
The file list may include all files in the file system of the firmware under test.
The firmware database may be used to store firmware information of a plurality of firmware samples, where the firmware samples may be collected from the internet, or may be uploaded after the device manufacturer information is presumed by the device manufacturer presumption device, which is not limited in this embodiment; the firmware information may include a file sample, a software package sample, a bug sample, etc. of each device manufacturer, which is not limited in this implementation.
It can be understood that, analyzing the co-occurrence frequency of the file list of the firmware to be tested in the firmware database, obtaining the file co-occurrence analysis result may be that performing similarity analysis on each file in the file list and a file sample in the firmware database, counting the number of the file samples with co-occurrence according to the similarity analysis result, recording the number as the co-occurrence frequency, sorting the equipment manufacturers based on the co-occurrence frequency, and taking the equipment manufacturer with the highest co-occurrence frequency as the file co-occurrence analysis result.
Step S20: and analyzing the co-occurrence frequency of the software package list of the firmware to be tested in the firmware database to obtain a software package co-occurrence analysis result.
It should be noted that, the software package list may include all software packages of the firmware to be tested.
It should be understood that, analyzing the co-occurrence frequency of the software package list of the firmware to be tested in the firmware database, obtaining the software package co-occurrence analysis result may be that each software package in the software package list and a software package sample in the firmware database are subjected to similarity analysis, the number of software package samples with co-occurrence is counted according to the similarity analysis result, the number is recorded as the co-occurrence frequency, the manufacturers of each device are ordered based on the co-occurrence frequency, and the manufacturer of the device with the highest co-occurrence frequency is used as the software package co-occurrence analysis result.
Step S30: and analyzing the co-occurrence frequency of the known vulnerability list of the firmware to be tested in the firmware database to obtain a vulnerability co-occurrence analysis result.
It should be noted that all vulnerabilities of the firmware to be tested may be included in the known vulnerability list.
It may be understood that, analyzing the co-occurrence frequency of the known vulnerability list of the firmware to be tested in the firmware database, and obtaining the vulnerability co-occurrence analysis result may be that performing similarity analysis on each vulnerability in the known vulnerability list and the vulnerability sample in the firmware database, counting the number of the vulnerability samples with co-occurrence according to the similarity analysis result, and recording the number as the co-occurrence frequency, sorting the device manufacturers based on the co-occurrence frequency, and taking the device manufacturer with the highest co-occurrence frequency as the vulnerability co-occurrence analysis result.
Step S40: and presuming equipment manufacturer information of the firmware to be tested according to the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result.
The following is illustrative for ease of understanding, but is not limiting of the present solution. The steps of equipment vendor information speculation are as follows:
1. unpacking the firmware to be tested, extracting all files in a file system of the firmware to be tested, and obtaining a file list of the firmware to be tested;
2. Traversing the file list, and calculating the hash value of the file;
3. inquiring a firmware database according to the hash list of the file, and calculating the co-occurrence frequency of the file in the firmware database;
4. according to the co-occurrence frequency sequence, taking the name of the equipment manufacturer with the highest co-occurrence frequency as the name1 of the firmware to be tested;
5. traversing all files obtained by unpacking, and identifying a software package list of the firmware to be tested;
6. inquiring a firmware database interface according to a software package list of the firmware to be tested, and calculating the co-occurrence frequency of the software package in the firmware database;
7. sequencing according to the co-occurrence frequency, taking the name of a firmware manufacturer of the co-occurrence frequency as the name2 of the firmware to be tested;
8. traversing the software package list, and identifying a known vulnerability list of the firmware to be tested;
9. inquiring a firmware database interface according to a known vulnerability list of the firmware, and calculating the co-occurrence frequency of the known vulnerability in the firmware database;
10. according to the co-occurrence frequency sequence, taking the name of the firmware manufacturer with the highest co-occurrence frequency as the name3 of the firmware to be tested;
11. vendor speculation result information name1, name2, and name3 for three dimensions are output.
In a first embodiment, a co-occurrence frequency of a file list of a firmware to be tested in a firmware database is analyzed to obtain a file co-occurrence analysis result, a co-occurrence frequency of a software package list of the firmware to be tested in the firmware database is analyzed to obtain a software package co-occurrence analysis result, a co-occurrence frequency of a known vulnerability list of the firmware to be tested in the firmware database is analyzed to obtain a vulnerability co-occurrence analysis result, and equipment manufacturer information of the firmware to be tested is presumed according to the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result; in the embodiment, the equipment manufacturer information of the firmware is comprehensively presumed from three dimensions of file co-occurrence similarity analysis, software package co-occurrence similarity analysis and vulnerability co-occurrence similarity analysis, so that the equipment manufacturer information of the firmware can be accurately obtained.
Further, the device vendor speculation method further comprises:
acquiring firmware data reported by Internet of things equipment, and collecting resource data of equipment manufacturers corresponding to the Internet of things equipment;
aggregating the firmware data and the resource data to obtain aggregated data;
and generating a firmware database based on the aggregated data.
It should be appreciated that in order to improve the data integrity of the firmware database, in this embodiment, the firmware data may be collected from multiple dimensions.
It can be understood that the internet of things equipment can automatically report firmware data after being connected to the internet of things; or the internet of things device may automatically upload the device manufacturer information obtained by the prediction after executing the device manufacturer prediction method, which is not limited in this embodiment.
It should be appreciated that device vendors of firmware typically upload firmware resources on an official website or update the firmware over a wireless network. Therefore, in order to obtain the latest firmware data, in this embodiment, resource data of a device vendor corresponding to the internet of things device is also collected from the internet.
It can be understood that, in this embodiment, in order to avoid the occurrence of duplicate and erroneous data, firmware data and resource data are further aggregated to obtain aggregated data.
It should be appreciated that aggregating the firmware data and the resource data may be deleting duplicate data in the firmware data and the resource data, and modifying or deleting erroneous data in the firmware data and the resource data.
Further, the generating a firmware database based on the aggregated data includes:
extracting data characteristics of the aggregated data;
carrying out data reasoning according to a natural language processing model and the data characteristics to obtain reasoning data corresponding to the aggregated data;
a firmware database is generated based on the aggregated data and the reasoning data.
It will be appreciated that the manner of generating the firmware database described above may only be limited to obtaining existing firmware data. Therefore, in order to overcome the above-mentioned drawbacks, in the present embodiment, data inference is also performed according to the natural language processing model and the data characteristics of the aggregate data to infer possible firmware data.
It should be noted that the natural language processing model may be preset to infer an association relationship between data features, and generate new data identical to the original data features based on the association relationship. For example, the natural language processing model may be a generative pre-training transformation model, which is not limited in this embodiment.
Referring to fig. 3, fig. 3 is a flowchart illustrating a second embodiment of the apparatus vendor estimation method according to the present invention, and based on the first embodiment shown in fig. 2, the second embodiment of the apparatus vendor estimation method according to the present invention is proposed.
In a second embodiment, the step S10 includes:
step S101: unpacking the firmware to be tested to obtain a file list of the firmware to be tested.
It should be appreciated that, because of the large number of file samples in the firmware database, if the similarity analysis is directly performed on each file in the file list and the file samples in the firmware database, the efficiency and accuracy are low. Therefore, in order to improve efficiency and accuracy of file co-occurrence analysis, in this embodiment, the co-occurrence frequency of the file list of the firmware to be tested in the firmware database may be analyzed based on the hash value of each file in the file list, so as to obtain a file co-occurrence analysis result.
It should be noted that, each file may correspond to a unique hash value, so that analyzing the co-occurrence frequency of the file list of the firmware to be tested in the firmware database based on the hash value of each file in the file list may improve efficiency and accuracy of file co-occurrence analysis.
Further, the step S101 includes:
Extracting a firmware compression packet corresponding to the firmware to be tested, and decompressing the firmware compression packet;
when decompression fails, performing password cracking on the firmware compression packet to obtain an encrypted password of the firmware compression packet;
and decompressing the firmware compression packet again based on the encryption password to obtain a file list of the firmware to be tested.
It will be appreciated that in practical applications, in order to protect the firmware from reverse analysis, the device manufacturer typically encrypts the firmware compressed packet, which results in the inability to directly unpack the firmware. Therefore, in order to overcome the above-mentioned drawbacks, in this embodiment, when the decompression of the firmware compressed packet fails, the firmware compressed packet is subjected to the password decoding, and the firmware compressed packet is decompressed again based on the encrypted password obtained by the decoding.
The firmware compression packet may be a compression packet encapsulated in a file compression type such as bin, zip, LZMA and arj. The bin file is in a binary mirror image form, and a file list of the firmware to be tested needs to be extracted by using the bin walk.
It should be appreciated that the cryptographically cracking the firmware compression package may be based on a preset decryption script. The preset decryption script may be preset, for example, the preset decryption script may be an fcrackzip script.
Further, the decompressing the compressed packet again based on the encryption password to obtain the file list of the firmware to be tested includes:
decompressing the firmware compressed package again based on the encryption password to obtain a firmware root file image;
and unpacking the firmware root file image according to the unpacking script corresponding to the firmware root file image to obtain a file list of the firmware to be tested.
It will be appreciated that in practical applications, after decompressing the firmware compressed package, there may be a part of firmware root file images, and at this time, the firmware root file images need to be further decompressed. Therefore, in this embodiment, the firmware compressed package is decompressed again based on the encryption password to obtain the firmware root file image, and then the firmware root file image is decompressed according to the decompression Bao Jiaoben corresponding to the firmware root file image to obtain the file list of the firmware to be tested.
It should be noted that, the firmware root file image may be a file with a file suffix of. YAFFS or. YAFFS2, where Yaffs (Yet Another FlashFile System) is an embedded file system specifically designed for NAND flash, and currently there are two versions of YAFFS and YAFFS2, and one of the main differences between the two versions is that YAFFS2 can better support a NAND FLASH chip with a large capacity.
It should be understood that, the unpacking of the firmware root file image according to the unpacking Bao Jiaoben corresponding to the firmware root file image may be performed to obtain the file list of the firmware to be tested, where the compression algorithm adopted by the firmware to be tested is determined according to the firmware type of the firmware to be tested, then the unpacking script corresponding to the firmware root file image is searched based on the compression algorithm, and then the unpacking of the firmware root file image is performed based on the unpacking file to obtain the file list of the firmware to be tested.
In a specific implementation, taking Dlink DWR-932B router firmware as an example, since Dlink DWR-932B router firmware adopts a native compression algorithm of YAFFS, unpacking of YAFFS2 images by unyaffs unpacking script pairs is required.
Further, the unpacking the firmware root file image according to the unpacking script corresponding to the firmware root file image to obtain the file list of the firmware to be tested, including:
unpacking the firmware root file image according to the unpacking script corresponding to the firmware root file image to obtain a firmware root file system;
traversing the files in the firmware root file system to obtain a file list of the firmware to be tested.
It should be understood that, in order to obtain all files in the file system of the firmware to be tested, in this embodiment, the firmware root file image is unpacked according to the unpack Bao Jiaoben corresponding to the firmware root file image to obtain the firmware root file system, and then the files in the firmware root file system are traversed to obtain the file list of the firmware to be tested.
It may be understood that traversing files in the firmware root file system to obtain the file list of the firmware to be tested may be running a preset query script to traverse files in the firmware root file system to obtain the file list of the firmware to be tested, where the preset query script may be preset, for example, running a find script to traverse files in the firmware root file system to obtain the file list of the firmware to be tested.
Step S102: and calculating hash values of all files in the file list.
It is understood that calculating the hash value of each file in the file list may be calculating the hash value of each file in the file list based on a preset hash algorithm. The preset hash algorithm may be preset, for example, may be at least one of md5, sha1, sha256 and sha512 algorithms, which is not limited in this embodiment.
Step S103: and analyzing the co-occurrence frequency of the file list of the firmware to be tested in the firmware database based on the hash value to obtain a file co-occurrence analysis result.
It should be understood that, based on the hash value, the co-occurrence frequency of the file list of the firmware to be tested in the firmware database is analyzed, the obtained file co-occurrence analysis result may be that the hash value of each file in the file list is matched with the hash value of the file sample in the firmware database, the successfully matched file sample is recorded as the file sample with co-occurrence, the number of the file samples with co-occurrence is counted, the number is recorded as the co-occurrence frequency, the device manufacturers with the highest co-occurrence frequency are ranked based on the co-occurrence frequency, and the device manufacturers with the highest co-occurrence frequency are used as the file co-occurrence analysis result.
In a second embodiment, unpacking a firmware to be tested to obtain a file list of the firmware to be tested, calculating hash values of all files in the file list, and analyzing co-occurrence frequency of the file list of the firmware to be tested in a firmware database based on the hash values to obtain a file co-occurrence analysis result; according to the method and the device for analyzing the file list of the firmware to be tested, the co-occurrence frequency of the file list of the firmware to be tested in the firmware database is analyzed based on the hash value of each file in the file list, and the file co-occurrence analysis result is obtained, so that the efficiency and the accuracy of file co-occurrence analysis can be improved.
Referring to fig. 4, fig. 4 is a flowchart illustrating a third embodiment of the apparatus vendor estimation method according to the present invention. Based on the above embodiments, a third embodiment of the apparatus vendor estimation method of the present invention is presented.
In a third embodiment, before the step S30, the method further includes:
step S210: traversing the configuration files in the file list, and carrying out file analysis on the configuration files to obtain file analysis results.
It should be understood that, in order to obtain an accurate and reliable known vulnerability list, in this embodiment, before analyzing the co-occurrence frequency of the known vulnerability list of the firmware to be tested in the firmware database, the vulnerability analysis is further performed on the firmware to be tested from three dimensions of configuration file analysis, entropy analysis and sensitive file analysis.
It can be appreciated that, in order to analyze the possible potential safety hazards of the firmware, in this embodiment, the configuration files in the file list may be traversed, and file analysis may be performed on the configuration files.
It should be noted that the configuration file may be a configuration file that may have a potential safety hazard, for example, a conf configuration file.
It may be appreciated that the configuration files in the traverse file list may be configuration files in a traverse file list running a preset query script, where the preset query script may be preset, for example, a. Conf configuration file in a find script traverse file list.
In a specific implementation, taking Dlink DWR-932B router firmware as an example, router no-IP configuration information is stored in an inadyn-mt-conf file (for dyndns clients) by traversing the conf configuration file, which contains a username and a hardcoded password for accessing the website https:// www.no-IP.
Step S220: and carrying out entropy analysis on the firmware to be tested to obtain an entropy analysis result.
It should be understood that, in order to analyze the encryption condition of the firmware, in this embodiment, entropy analysis is also performed on the firmware to be tested.
It can be understood that the entropy analysis is performed on the firmware to be tested, and the entropy analysis result may be obtained by performing entropy analysis on the firmware to be tested through a preset entropy analysis script. The preset entropy analysis script may be preset, for example, the preset entropy analysis script may be a binwalk-E script.
Further, in order to improve accuracy of the entropy analysis, the step S220 includes:
performing entropy analysis on the firmware to be tested to obtain a continuous change curve of data bits in a firmware file;
and analyzing the encryption characteristics of the firmware to be tested based on the continuous change curve to obtain an entropy analysis result.
It should be understood that, in order to improve accuracy of entropy analysis, in this embodiment, entropy analysis is performed on the firmware to be tested first to obtain a continuous variation curve of data bits in the firmware file, and encryption characteristics of the firmware to be tested are analyzed based on the continuous variation curve to obtain an entropy analysis result.
It should be noted that the data bits may include 0x00 bytes, low address, ASCII code, high address, etc., which is not limited in this embodiment.
Step S230: and calling a preset script to traverse the file list to obtain sensitive file information in the file list.
It can be understood that, in order to traverse all the sensitive file contents in the firmware, in this embodiment, a preset script is also called to traverse the file list, so as to obtain the sensitive file information in the file list.
It should be noted that, the preset script may be preset, for example, the preset script may be a firmwalker, and the firmwalker may automatically traverse all the sensitive file contents in the firmware file system.
In a specific implementation, the firmwalker can automatically traverse files such as the files of conf, key, bin, sh, shadow, passwd and the like, and collect sensitive file information.
Step S240: and generating a known vulnerability list of the firmware to be tested based on the file analysis result, the entropy analysis result and the sensitive file information.
It should be understood that the generating the known vulnerability list of the firmware to be tested based on the file analysis result, the entropy analysis result, and the sensitive file information may be generating the known vulnerability list of the firmware to be tested based on at least one of the file analysis result, the entropy analysis result, and the sensitive file information, which is not limited in this implementation.
In a third embodiment, traversing configuration files in the file list is disclosed, file analysis is performed on the configuration files to obtain file analysis results, entropy analysis is performed on the firmware to be tested to obtain entropy analysis results, a preset script is called to traverse the file list to obtain sensitive file information in the file list, and a known vulnerability list of the firmware to be tested is generated based on the file analysis results, the entropy analysis results and the sensitive file information; according to the embodiment, before the co-occurrence frequency of the known vulnerability list of the firmware to be tested is analyzed in the firmware database, vulnerability analysis is further performed on the firmware to be tested from three dimensions of configuration file analysis, entropy analysis and sensitive file analysis, so that an accurate and reliable known vulnerability list can be obtained.
In a third embodiment, the step S40 includes:
step S401: and determining a firmware presumption model according to the firmware type of the firmware to be tested.
It should be appreciated that different types of firmware are contemplated to have different characteristics. Therefore, in order to ensure the reliability of the equipment vendor information, in the present embodiment, a corresponding weight is also set for each analysis result based on the firmware estimation model.
It should be noted that the firmware types may include low-level firmware, high-level firmware, subsystems, and the like. The low-level firmware may be stored on a nonvolatile Memory chip such as a Read-Only Memory (ROM). Therefore, it cannot be rewritten or updated and is considered an inherent part of hardware; advanced firmware may be used with flash memory chips to allow for updates, which typically have more complex instructions than low-level firmware, making it closer to software than hardware; the subsystem may be a device or unit that is a semi-independent part of a larger system, which is typically similar to a stand-alone device, as this firmware level microcode is embedded in the flash memory chip, CPU and LCD unit, and is similar to high-level firmware.
It is understood that the firmware speculation model may be a neural network model obtained by training in advance for determining the reliability of the co-occurrence analysis results corresponding to each firmware type.
Step S402: and generating a weight value corresponding to each analysis result based on the firmware presumption model.
It should be understood that, generating the weight value corresponding to each analysis result based on the firmware speculation model may be to input the firmware type into the firmware speculation model to obtain the weight value corresponding to each analysis result of the firmware to be tested. The weight value is used for measuring the credibility of each analysis result, and the larger the weight value is, the higher the credibility of the analysis result is.
Step S403: and predicting equipment manufacturer information of the firmware to be tested according to the file co-occurrence analysis result, the software package co-occurrence analysis result, the vulnerability co-occurrence analysis result and the weight value.
It can be understood that, according to the file co-occurrence analysis result, the software package co-occurrence analysis result, the vulnerability co-occurrence analysis result and the weight value, the equipment manufacturer information of the firmware to be tested is presumed, wherein the reliability scoring is performed based on the weight value, the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result, and the reliability scoring value corresponding to each co-occurrence analysis result is used as the equipment manufacturer information of the firmware to be tested;
The file co-occurrence analysis result, the software package co-occurrence analysis result, the vulnerability co-occurrence analysis result and the weight value may be directly used as the equipment manufacturer information of the firmware to be tested, which is not limited in this embodiment.
In a third embodiment, a firmware presumption model is determined according to the firmware type of the firmware to be detected, weight values corresponding to all analysis results are generated based on the firmware presumption model, and equipment manufacturer information of the firmware to be detected is presumed according to file co-occurrence analysis results, software package co-occurrence analysis results, vulnerability co-occurrence analysis results and the weight values; because the embodiment also sets the corresponding weight for each analysis result based on the firmware presumption model, the accuracy of equipment manufacturer information can be improved.
In a third embodiment, after the step S40, the method further includes:
step S50: and performing vulnerability analysis on each Internet of things device according to the device manufacturer information to obtain a vulnerability analysis result.
It should be understood that, in order to analyze the influence scope of the device vulnerability, in this embodiment, vulnerability analysis is performed on each internet of things device according to the device manufacturer information, and the influence scope of the device vulnerability is determined based on the vulnerability analysis result.
It can be understood that performing vulnerability analysis on each internet of things device according to device manufacturer information, and obtaining a vulnerability analysis result may be that device manufacturers with security vulnerabilities are counted according to the device manufacturer information, and the internet of things device affected by the device manufacturers with security vulnerabilities is determined, so as to obtain the vulnerability analysis result.
Step S60: and determining the influence range of the loopholes of each device based on the loophole analysis result.
It should be understood that determining the influence range of each device vulnerability based on the vulnerability analysis result may be counting the number of the internet of things devices affected by the device manufacturer having the security vulnerability, and determining the influence range of each device vulnerability according to the number; or generating an influence statistical graph according to the device information of the internet of things device influenced by the device manufacturer with the security holes, and determining the influence range of each device hole according to the influence statistical graph.
In a third embodiment, performing vulnerability analysis on each Internet of things device according to device manufacturer information to obtain a vulnerability analysis result, and determining an influence range of each device vulnerability based on the vulnerability analysis result; in the embodiment, vulnerability analysis is performed on each internet of things device according to the device manufacturer information, and the influence range of each device vulnerability is determined based on the vulnerability analysis result, so that the influence range of the device vulnerability can be analyzed.
In addition, the embodiment of the present invention also proposes a storage medium having stored thereon a device vendor estimation program that, when executed by a processor, implements the device vendor estimation method as described above.
In addition, referring to fig. 5, an embodiment of the present invention further provides an apparatus vendor estimation device, where the apparatus vendor estimation device includes: a file analysis module 10, a software package analysis module 20, a vulnerability analysis module 30, and an information speculation module 40;
the file analysis module 10 is configured to analyze co-occurrence frequency of a file list of the firmware to be tested in a firmware database, and obtain a file co-occurrence analysis result.
It should be noted that the firmware to be tested may be firmware of the internet of things device to be tested. The device to be tested can be an internet of things device needing security detection, the device to be tested can be an embedded device connected to a network in a certain mode, the firmware can be software written into hardware devices, and the firmware contains bottom codes and is used for controlling applications and various system functions.
The file list may include all files in the file system of the firmware under test.
The firmware database may be used to store firmware information of a plurality of firmware samples, where the firmware samples may be collected from the internet, or may be uploaded after the device manufacturer information is presumed by the device manufacturer presumption device, which is not limited in this embodiment; the firmware information may include a file sample, a software package sample, a bug sample, etc. of each device manufacturer, which is not limited in this implementation.
It can be understood that, analyzing the co-occurrence frequency of the file list of the firmware to be tested in the firmware database, obtaining the file co-occurrence analysis result may be that performing similarity analysis on each file in the file list and a file sample in the firmware database, counting the number of the file samples with co-occurrence according to the similarity analysis result, recording the number as the co-occurrence frequency, sorting the equipment manufacturers based on the co-occurrence frequency, and taking the equipment manufacturer with the highest co-occurrence frequency as the file co-occurrence analysis result.
The software package analysis module 20 is configured to analyze co-occurrence frequency of the software package list of the firmware to be tested in the firmware database, and obtain a software package co-occurrence analysis result.
It should be noted that, the software package list may include all software packages of the firmware to be tested.
It should be understood that, analyzing the co-occurrence frequency of the software package list of the firmware to be tested in the firmware database, obtaining the software package co-occurrence analysis result may be that each software package in the software package list and a software package sample in the firmware database are subjected to similarity analysis, the number of software package samples with co-occurrence is counted according to the similarity analysis result, the number is recorded as the co-occurrence frequency, the manufacturers of each device are ordered based on the co-occurrence frequency, and the manufacturer of the device with the highest co-occurrence frequency is used as the software package co-occurrence analysis result.
The vulnerability analysis module 30 is configured to analyze co-occurrence frequencies of the known vulnerability list of the firmware to be tested in the firmware database, and obtain a vulnerability co-occurrence analysis result.
It should be noted that all vulnerabilities of the firmware to be tested may be included in the known vulnerability list.
It may be understood that, analyzing the co-occurrence frequency of the known vulnerability list of the firmware to be tested in the firmware database, and obtaining the vulnerability co-occurrence analysis result may be that performing similarity analysis on each vulnerability in the known vulnerability list and the vulnerability sample in the firmware database, counting the number of the vulnerability samples with co-occurrence according to the similarity analysis result, and recording the number as the co-occurrence frequency, sorting the device manufacturers based on the co-occurrence frequency, and taking the device manufacturer with the highest co-occurrence frequency as the vulnerability co-occurrence analysis result.
The information speculation module 40 is configured to infer equipment manufacturer information of the firmware to be tested according to the file co-occurrence analysis result, the software package co-occurrence analysis result, and the vulnerability co-occurrence analysis result.
The following is illustrative for ease of understanding, but is not limiting of the present solution. The steps of equipment vendor information speculation are as follows:
1. unpacking the firmware to be tested, extracting all files in a file system of the firmware to be tested, and obtaining a file list of the firmware to be tested;
2. traversing the file list, and calculating the hash value of the file;
3. inquiring a firmware database according to the hash list of the file, and calculating the co-occurrence frequency of the file in the firmware database;
4. according to the co-occurrence frequency sequence, taking the name of the equipment manufacturer with the highest co-occurrence frequency as the name1 of the firmware to be tested;
5. traversing all files obtained by unpacking, and identifying a software package list of the firmware to be tested;
6. inquiring a firmware database interface according to a software package list of the firmware to be tested, and calculating the co-occurrence frequency of the software package in the firmware database;
7. sequencing according to the co-occurrence frequency, taking the name of a firmware manufacturer of the co-occurrence frequency as the name2 of the firmware to be tested;
8. Traversing the software package list, and identifying a known vulnerability list of the firmware to be tested;
9. inquiring a firmware database interface according to a known vulnerability list of the firmware, and calculating the co-occurrence frequency of the known vulnerability in the firmware database;
10. according to the co-occurrence frequency sequence, taking the name of the firmware manufacturer with the highest co-occurrence frequency as the name3 of the firmware to be tested;
11. vendor speculation result information name1, name2, and name3 for three dimensions are output.
In a first embodiment, a co-occurrence frequency of a file list of a firmware to be tested in a firmware database is analyzed to obtain a file co-occurrence analysis result, a co-occurrence frequency of a software package list of the firmware to be tested in the firmware database is analyzed to obtain a software package co-occurrence analysis result, a co-occurrence frequency of a known vulnerability list of the firmware to be tested in the firmware database is analyzed to obtain a vulnerability co-occurrence analysis result, and equipment manufacturer information of the firmware to be tested is presumed according to the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result; in the embodiment, the equipment manufacturer information of the firmware is comprehensively presumed from three dimensions of file co-occurrence similarity analysis, software package co-occurrence similarity analysis and vulnerability co-occurrence similarity analysis, so that the equipment manufacturer information of the firmware can be accurately obtained.
Further, the device vendor speculation means further comprises: a database generation module;
the database generation module is used for acquiring firmware data reported by the Internet of things equipment and collecting resource data of equipment manufacturers corresponding to the Internet of things equipment;
the database generation module is further used for aggregating the firmware data and the resource data to obtain aggregated data;
the database generation module is further used for generating a firmware database based on the aggregation data.
It should be appreciated that in order to improve the data integrity of the firmware database, in this embodiment, the firmware data may be collected from multiple dimensions.
It can be understood that the internet of things equipment can automatically report firmware data after being connected to the internet of things; or the internet of things device may automatically upload the device manufacturer information obtained by the prediction after executing the device manufacturer prediction method, which is not limited in this embodiment.
It should be appreciated that device vendors of firmware typically upload firmware resources on an official website or update the firmware over a wireless network. Therefore, in order to obtain the latest firmware data, in this embodiment, resource data of a device vendor corresponding to the internet of things device is also collected from the internet.
It can be understood that, in this embodiment, in order to avoid the occurrence of duplicate and erroneous data, firmware data and resource data are further aggregated to obtain aggregated data.
It should be appreciated that aggregating the firmware data and the resource data may be deleting duplicate data in the firmware data and the resource data, and modifying or deleting erroneous data in the firmware data and the resource data.
Further, the database generation module is further configured to extract data features of the aggregated data;
the database generation module is also used for carrying out data reasoning according to the natural language processing model and the data characteristics to obtain reasoning data corresponding to the aggregated data;
the database generation module is further configured to generate a firmware database based on the aggregate data and the inference data.
It will be appreciated that the manner of generating the firmware database described above may only be limited to obtaining existing firmware data. Therefore, in order to overcome the above-mentioned drawbacks, in the present embodiment, data inference is also performed according to the natural language processing model and the data characteristics of the aggregate data to infer possible firmware data.
It should be noted that the natural language processing model may be preset to infer an association relationship between data features, and generate new data identical to the original data features based on the association relationship. For example, the natural language processing model may be a generative pre-training transformation model, which is not limited in this embodiment.
Other embodiments or specific implementations of the apparatus vendor estimation device according to the present invention may refer to the above method embodiments, and are not described herein.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. read only memory mirror (Read Only Memory image, ROM)/random access memory (Random Access Memory, RAM), magnetic disk, optical disk), comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.
The invention discloses an A1, equipment manufacturer presumption method, which comprises the following steps:
analyzing the co-occurrence frequency of a file list of the firmware to be tested in a firmware database to obtain a file co-occurrence analysis result;
analyzing the co-occurrence frequency of the software package list of the firmware to be tested in the firmware database to obtain a software package co-occurrence analysis result;
analyzing the co-occurrence frequency of the known vulnerability list of the firmware to be tested in the firmware database to obtain a vulnerability co-occurrence analysis result;
and presuming equipment manufacturer information of the firmware to be tested according to the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result.
A2, the equipment manufacturer presumption method as recited in A1, wherein the analyzing the co-occurrence frequency of the file list of the firmware to be tested in the firmware database to obtain the file co-occurrence analysis result comprises the following steps:
Unpacking the firmware to be tested to obtain a file list of the firmware to be tested;
calculating hash values of all files in the file list;
and analyzing the co-occurrence frequency of the file list of the firmware to be tested in the firmware database based on the hash value to obtain a file co-occurrence analysis result.
A3, the equipment manufacturer presumption method as recited in A2, wherein the unpacking the firmware to be tested to obtain the file list of the firmware to be tested includes:
extracting a firmware compression packet corresponding to the firmware to be tested, and decompressing the firmware compression packet;
when decompression fails, performing password cracking on the firmware compression packet to obtain an encrypted password of the firmware compression packet;
and decompressing the firmware compression packet again based on the encryption password to obtain a file list of the firmware to be tested.
A4, the equipment manufacturer presumption method according to A3, wherein the decompressing the compressed packet again based on the encryption password to obtain the file list of the firmware to be tested includes:
decompressing the firmware compressed package again based on the encryption password to obtain a firmware root file image;
and unpacking the firmware root file image according to the unpacking script corresponding to the firmware root file image to obtain a file list of the firmware to be tested.
A5, the equipment manufacturer presumption method as recited in A4, wherein the unpacking the firmware root file image according to the unpacking script corresponding to the firmware root file image, to obtain the file list of the firmware to be tested, includes:
unpacking the firmware root file image according to the unpacking script corresponding to the firmware root file image to obtain a firmware root file system;
traversing the files in the firmware root file system to obtain a file list of the firmware to be tested.
A6, the equipment vendor estimation method of any one of A1 to A5, further comprising:
acquiring firmware data reported by Internet of things equipment, and collecting resource data of equipment manufacturers corresponding to the Internet of things equipment;
aggregating the firmware data and the resource data to obtain aggregated data;
and generating a firmware database based on the aggregated data.
A7, the device vendor speculation method of A6, wherein the generating a firmware database based on the aggregated data comprises:
extracting data characteristics of the aggregated data;
carrying out data reasoning according to a natural language processing model and the data characteristics to obtain reasoning data corresponding to the aggregated data;
A firmware database is generated based on the aggregated data and the reasoning data.
A8, the equipment manufacturer speculation method of any one of A1 to A5, before analyzing the co-occurrence frequency of the known vulnerability list of the firmware to be tested in the firmware database to obtain the vulnerability co-occurrence analysis result, further comprises:
traversing configuration files in the file list, and carrying out file analysis on the configuration files to obtain file analysis results;
performing entropy analysis on the firmware to be tested to obtain an entropy analysis result;
calling a preset script to traverse the file list to obtain sensitive file information in the file list;
and generating a known vulnerability list of the firmware to be tested based on the file analysis result, the entropy analysis result and the sensitive file information.
A9, the equipment manufacturer presumption method according to A8, wherein the performing entropy analysis on the firmware to be tested to obtain an entropy analysis result comprises the following steps:
performing entropy analysis on the firmware to be tested to obtain a continuous change curve of data bits in a firmware file;
and analyzing the encryption characteristics of the firmware to be tested based on the continuous change curve to obtain an entropy analysis result.
A10, the equipment manufacturer speculation method of any one of A1 to A5, wherein the equipment manufacturer information of the firmware to be tested is speculated according to the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result, and the method comprises the following steps:
determining a firmware presumption model according to the firmware type of the firmware to be detected;
generating weight values corresponding to all analysis results based on the firmware presumption model;
and predicting equipment manufacturer information of the firmware to be tested according to the file co-occurrence analysis result, the software package co-occurrence analysis result, the vulnerability co-occurrence analysis result and the weight value.
A11, the device manufacturer speculation method of any one of A1 to A5, after the device manufacturer information of the firmware to be tested is speculated according to the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result, further comprises:
performing vulnerability analysis on each Internet of things device according to the device manufacturer information to obtain a vulnerability analysis result;
and determining the influence range of the loopholes of each device based on the loophole analysis result.
The invention also discloses a B12, equipment manufacturer presumption equipment, which comprises: a memory, a processor, and a device vendor speculation program stored on the memory and executable on the processor, which when executed by the processor implements a device vendor speculation method as described above.
The invention also discloses a C13, a storage medium, the storage medium storing a device manufacturer speculation program, the device manufacturer speculation program implementing the device manufacturer speculation method as described above when executed by a processor.
The invention also discloses a D14 and a device manufacturer presumption device, wherein the device manufacturer presumption device comprises: the system comprises a file analysis module, a software package analysis module, a vulnerability analysis module and an information speculation module;
the file analysis module is used for analyzing the co-occurrence frequency of a file list of the firmware to be tested in the firmware database to obtain a file co-occurrence analysis result;
the software package analysis module is used for analyzing the co-occurrence frequency of the software package list of the firmware to be tested in the firmware database to obtain a software package co-occurrence analysis result;
the vulnerability analysis module is used for analyzing the co-occurrence frequency of the known vulnerability list of the firmware to be tested in the firmware database to obtain a vulnerability co-occurrence analysis result;
and the information speculation module is used for speculating equipment manufacturer information of the firmware to be tested according to the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result.
D15, the device manufacturer speculation apparatus as described in D14, where the file analysis module is further configured to unpack a firmware to be tested to obtain a file list of the firmware to be tested;
the file analysis module is further used for calculating hash values of all files in the file list;
and the file analysis module is also used for analyzing the co-occurrence frequency of the file list of the firmware to be tested in the firmware database based on the hash value to obtain a file co-occurrence analysis result.
The equipment manufacturer presumption device according to D15, wherein the file analysis module is further configured to extract a firmware compression packet corresponding to the firmware to be tested, and decompress the firmware compression packet;
the file analysis module is further used for performing password cracking on the firmware compression packet when decompression fails to obtain an encrypted password of the firmware compression packet;
and the file analysis module is further used for decompressing the firmware compression packet again based on the encryption password to obtain a file list of the firmware to be tested.
D17, the device vendor speculation device of D16, where the file analysis module is further configured to decompress the firmware compressed packet again based on the encryption password to obtain a firmware root file image;
The file analysis module is further configured to unpack the firmware root file image according to an unpacking script corresponding to the firmware root file image, so as to obtain a file list of the firmware to be tested.
D18, the device vendor speculation device of D17, where the file analysis module is further configured to unpack the firmware root file image according to an unpacking script corresponding to the firmware root file image to obtain a firmware root file system;
the file analysis module is further used for traversing files in the firmware root file system to obtain a file list of the firmware to be tested.
D19, the equipment vendor estimation device according to any one of D14 to D18, further comprising: a database generation module;
the database generation module is used for acquiring firmware data reported by the Internet of things equipment and collecting resource data of equipment manufacturers corresponding to the Internet of things equipment;
the database generation module is further used for aggregating the firmware data and the resource data to obtain aggregated data;
the database generation module is further used for generating a firmware database based on the aggregation data.
D20, the equipment manufacturer speculation device of D19, where the database generation module is further configured to extract data features of the aggregated data;
The database generation module is also used for carrying out data reasoning according to the natural language processing model and the data characteristics to obtain reasoning data corresponding to the aggregated data;
the database generation module is further configured to generate a firmware database based on the aggregate data and the inference data.

Claims (10)

1. A device vendor estimation method, the device vendor estimation method comprising:
analyzing the co-occurrence frequency of a file list of the firmware to be tested in a firmware database to obtain a file co-occurrence analysis result;
analyzing the co-occurrence frequency of the software package list of the firmware to be tested in the firmware database to obtain a software package co-occurrence analysis result;
analyzing the co-occurrence frequency of the known vulnerability list of the firmware to be tested in the firmware database to obtain a vulnerability co-occurrence analysis result;
and presuming equipment manufacturer information of the firmware to be tested according to the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result.
2. The device vendor speculation method of claim 1, wherein analyzing co-occurrence frequencies of the file list of the firmware under test in the firmware database to obtain the file co-occurrence analysis result comprises:
Unpacking the firmware to be tested to obtain a file list of the firmware to be tested;
calculating hash values of all files in the file list;
and analyzing the co-occurrence frequency of the file list of the firmware to be tested in the firmware database based on the hash value to obtain a file co-occurrence analysis result.
3. The apparatus vendor speculation method of claim 2, wherein unpacking the firmware to be tested to obtain the file list of the firmware to be tested comprises:
extracting a firmware compression packet corresponding to the firmware to be tested, and decompressing the firmware compression packet;
when decompression fails, performing password cracking on the firmware compression packet to obtain an encrypted password of the firmware compression packet;
and decompressing the firmware compression packet again based on the encryption password to obtain a file list of the firmware to be tested.
4. The apparatus vendor speculation method of claim 3, wherein said re-decompressing the compressed package based on the encrypted password to obtain the file list of the firmware under test comprises:
decompressing the firmware compressed package again based on the encryption password to obtain a firmware root file image;
and unpacking the firmware root file image according to the unpacking script corresponding to the firmware root file image to obtain a file list of the firmware to be tested.
5. The device vendor speculation method of claim 4, wherein unpacking the firmware root file image according to the unpacking script corresponding to the firmware root file image to obtain the file list of the firmware under test comprises:
unpacking the firmware root file image according to the unpacking script corresponding to the firmware root file image to obtain a firmware root file system;
traversing the files in the firmware root file system to obtain a file list of the firmware to be tested.
6. The device vendor estimation method according to any one of claims 1 to 5, wherein the device vendor estimation method further comprises:
acquiring firmware data reported by Internet of things equipment, and collecting resource data of equipment manufacturers corresponding to the Internet of things equipment;
aggregating the firmware data and the resource data to obtain aggregated data;
and generating a firmware database based on the aggregated data.
7. The device vendor speculation method of claim 6, wherein the generating a firmware database based on the aggregated data comprises:
extracting data characteristics of the aggregated data;
carrying out data reasoning according to a natural language processing model and the data characteristics to obtain reasoning data corresponding to the aggregated data;
A firmware database is generated based on the aggregated data and the reasoning data.
8. A device vendor estimation device, the device vendor estimation device comprising: a memory, a processor, and a device vendor speculation program stored on the memory and executable on the processor, which when executed by the processor implements the device vendor speculation method of any one of claims 1 to 7.
9. A storage medium having stored thereon a device vendor-speculated program that, when executed by a processor, implements the device vendor-speculated method of any one of claims 1 to 7.
10. A device vendor estimation device, comprising: the system comprises a file analysis module, a software package analysis module, a vulnerability analysis module and an information speculation module;
the file analysis module is used for analyzing the co-occurrence frequency of a file list of the firmware to be tested in the firmware database to obtain a file co-occurrence analysis result;
the software package analysis module is used for analyzing the co-occurrence frequency of the software package list of the firmware to be tested in the firmware database to obtain a software package co-occurrence analysis result;
The vulnerability analysis module is used for analyzing the co-occurrence frequency of the known vulnerability list of the firmware to be tested in the firmware database to obtain a vulnerability co-occurrence analysis result;
and the information speculation module is used for speculating equipment manufacturer information of the firmware to be tested according to the file co-occurrence analysis result, the software package co-occurrence analysis result and the vulnerability co-occurrence analysis result.
CN202310575424.XA 2023-05-19 2023-05-19 Equipment manufacturer presumption method, equipment, storage medium and device Active CN116846540B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310575424.XA CN116846540B (en) 2023-05-19 2023-05-19 Equipment manufacturer presumption method, equipment, storage medium and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310575424.XA CN116846540B (en) 2023-05-19 2023-05-19 Equipment manufacturer presumption method, equipment, storage medium and device

Publications (2)

Publication Number Publication Date
CN116846540A CN116846540A (en) 2023-10-03
CN116846540B true CN116846540B (en) 2024-03-08

Family

ID=88158830

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310575424.XA Active CN116846540B (en) 2023-05-19 2023-05-19 Equipment manufacturer presumption method, equipment, storage medium and device

Country Status (1)

Country Link
CN (1) CN116846540B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112818357A (en) * 2021-03-11 2021-05-18 北京顶象技术有限公司 Automated batch IoT firmware risk assessment method and system
CN114386032A (en) * 2021-11-29 2022-04-22 深圳供电局有限公司 Firmware detection system and method for power Internet of things equipment
CN114780960A (en) * 2021-01-05 2022-07-22 ***通信有限公司研究院 Safety detection method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10943015B2 (en) * 2018-03-22 2021-03-09 ReFirm Labs, Inc. Continuous monitoring for detecting firmware threats

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114780960A (en) * 2021-01-05 2022-07-22 ***通信有限公司研究院 Safety detection method and device
CN112818357A (en) * 2021-03-11 2021-05-18 北京顶象技术有限公司 Automated batch IoT firmware risk assessment method and system
CN114386032A (en) * 2021-11-29 2022-04-22 深圳供电局有限公司 Firmware detection system and method for power Internet of things equipment

Also Published As

Publication number Publication date
CN116846540A (en) 2023-10-03

Similar Documents

Publication Publication Date Title
CN109997139B (en) Detecting malware using hash-based fingerprints
US8627469B1 (en) Systems and methods for using acquisitional contexts to prevent false-positive malware classifications
Yang et al. Detecting android malware by applying classification techniques on images patterns
US20200380125A1 (en) Method for Detecting Libraries in Program Binaries
CN102663281A (en) Method and device for detecting malicious software
CN110727643B (en) File classification management method and system based on machine learning
RU2722692C1 (en) Method and system for detecting malicious files in a non-isolated medium
Kedziora et al. Malware detection using machine learning algorithms and reverse engineering of android java code
CN106709336A (en) Method and apparatus for identifying malware
CN114386032A (en) Firmware detection system and method for power Internet of things equipment
CN117171696A (en) Sensor production monitoring method and system based on Internet of things
CN115062309A (en) Vulnerability mining method based on equipment firmware simulation under novel power system and storage medium
CN114610635A (en) Interface test case generation method and device, computer equipment and storage medium
US10748074B2 (en) Configuration assessment based on inventory
CN111338958A (en) Parameter generation method and device of test case and terminal equipment
CN116846540B (en) Equipment manufacturer presumption method, equipment, storage medium and device
CN111460448B (en) Malicious software family detection method and device
CN113591079B (en) Method and device for acquiring abnormal application installation package and electronic equipment
US20210342651A1 (en) Data classification device, data classification method, and data classification program
WO2016127858A1 (en) Method and device for identifying webpage intrusion script features
CN113688240B (en) Threat element extraction method, threat element extraction device, threat element extraction equipment and storage medium
CN112231194B (en) Index abnormity root analysis method and device and computer readable storage medium
US20210097179A1 (en) Creating generic rules in a high dimensional sparse feature space using negative feedback
EP3799367B1 (en) Generation device, generation method, and generation program
US11928208B2 (en) Calculation device, calculation method, and calculation program

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant