WO2021135257A1 - Vulnerability processing method and related device - Google Patents


Info

Publication number
WO2021135257A1
Authority
WO
WIPO (PCT)
Prior art keywords
vulnerability
host device
patch
determination result
risk
Prior art date
Application number
PCT/CN2020/109106
Other languages
French (fr)
Chinese (zh)
Inventor
蒋武
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2021135257A1

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 8/00 Arrangements for software engineering > G06F 8/60 Software deployment > G06F 8/61 Installation
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 8/00 Arrangements for software engineering > G06F 8/60 Software deployment > G06F 8/65 Updates > G06F 8/658 Incremental updates; Differential updates

Definitions

  • This application relates to the field of computer network technology, in particular to a vulnerability processing method and related equipment.
  • Vulnerabilities (Vulnerability) refer to defects in computer system security that threaten the confidentiality, integrity, availability and access control of the computer system or its application data. Vulnerabilities are defects in the specific implementation of hardware, software and protocols, or in system security policies. They may come from design defects or coding errors in application software or operating systems, or from design defects or unreasonable logic flow in the interactive processing of the business. These flaws, errors or unreasonable points may be exploited intentionally or unintentionally, adversely affecting an organization's assets or operations, so the risk of vulnerabilities needs to be judged.
  • The existing method of obtaining vulnerability information of a host is to obtain the version of the application software installed on the host and then query the vulnerability database for the vulnerability information corresponding to that version, thereby obtaining the vulnerability information of the host. Here the vulnerability database consists of vulnerability information issued by the application software providers or by third-party organizations, including vulnerability identifiers and related vulnerability description information.
  • the above scheme for obtaining vulnerability information of the host may have false positives, that is, the generated vulnerability information of the host includes some vulnerability information that cannot actually be exploited by an attacker.
  • A high false positive rate or a large number of false positives causes a series of adverse effects. For example, the attention of network administrators is spread across a large number of false positives, and vulnerabilities that pose real threats cannot be eliminated in time.
  • the embodiments of the present application provide a vulnerability processing method and related equipment, which can improve the accuracy of vulnerability risk analysis.
  • the first aspect of the embodiments of the present application provides a vulnerability processing method.
  • The method includes: a host device obtains a first vulnerability identifier, where the first vulnerability identifier indicates that a first vulnerability exists in the first application software installed on the host device. The host device then obtains patch description information of the first vulnerability according to the first vulnerability identifier; the patch description information describes the characteristics of the software operating environment of a computer after the computer has installed the patch program. The host device determines, according to the patch description information of the first vulnerability and the current software operating environment of the host device, whether the host device has installed the patch program corresponding to the first vulnerability. The host device then determines the risk of the first vulnerability according to the determination result of whether the host device has installed the patch.
  • The host device determines, according to the patch description information of the first vulnerability, whether it has installed the patch program corresponding to the first vulnerability, and then determines the risk of the first vulnerability according to that determination result. This makes it possible to analyze accurately whether a vulnerability poses a risk, to exclude vulnerabilities that have already been patched, and to improve the accuracy of vulnerability risk analysis.
  • The host device determining the risk of the first vulnerability according to the determination result of whether the host device has installed the patch includes: if the determination result is that the host device has installed the patch program, the host device determines that the first vulnerability corresponds to a low risk value, where the low risk value indicates that the risk is lower than the warning threshold.
  • In this case the host device determines that the first vulnerability is a low-risk vulnerability. The user is thereby informed that the risk of the first vulnerability being exploited is low, which provides the user with differentiated information about vulnerability risk; alternatively, prompts for low-risk vulnerabilities are omitted so that the user need not attend to them.
  • The host device determining the risk of the first vulnerability according to the determination result of whether the host device has installed the patch includes: if the determination result is that the host device has not installed the patch program, the host device determines that the first vulnerability corresponds to a high risk value, where the high risk value indicates that the risk is higher than the warning threshold.
  • In this case the host device determines that the first vulnerability is a high-risk vulnerability and prompts the user that the risk of the first vulnerability is high, thereby providing the user with differentiated information about vulnerability risk. Alternatively, prompts for low-risk vulnerabilities are omitted and the user is prompted only about high-risk vulnerabilities, so that the user can focus on high-risk vulnerabilities, for example by downloading the corresponding patches only for high-risk vulnerabilities, which reduces the user's workload.
  • After the host device determines the risk of the first vulnerability according to the determination result of whether the host device has installed a patch, the method further includes: the host device sends the determination result to the management device.
  • That is, after determining the risk of the first vulnerability according to the determination result of whether the patch program has been installed, the host device sends the determination result to the management device.
  • the management device can mark the risk of the first vulnerability on the host device according to the determination result.
  • For example, the management device analyzes the overall risk of the host device based on the high-risk and low-risk vulnerabilities on the host device, or the management device pushes the patches for high-risk vulnerabilities to the host device in a targeted manner based on the determination results.
  • The host device determining whether it has installed the patch according to the patch description information of the first vulnerability and its current software operating environment includes: if the current software operating environment of the host device has the characteristics described by the patch description information of the first vulnerability, the host device determines that the patch has been installed; if the current software operating environment of the host device does not have those characteristics, the host device determines that the patch program has not been installed.
  • After the host device determines the risk of the first vulnerability according to the determination result of whether the patch has been installed, the method further includes: the host device marks the risk corresponding to the first vulnerability.
  • the host device determines the risk of the first vulnerability according to the determination result of whether the host device has installed the patch, and then marks the risk value corresponding to the first vulnerability.
  • vulnerabilities that are actually risk-free are identified, thereby reducing false alarms.
  • high-risk vulnerabilities are identified, so as to prompt users of risks in time.
  • the patch description information includes at least one of registry information, file system directory information, configuration file information, and application software hash value.
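The host-side determination step described above, as an added example that is not code from the patent: a patch description carries the four kinds of characteristics the text names (registry information, file system directory information, configuration file information, application software hash value), the host's current software operating environment is compared against all of them, and the result is mapped to a risk value relative to a warning threshold. The threshold and risk values, the registry keys, file paths, configuration keys and the "patched binary" whose hash is checked are all constructed placeholders; CVE XXXXX and CVE MMMMM are the page's own placeholder identifiers. The example goes slightly beyond the text in treating a partially applied patch (some characteristics present, others absent) as "not installed".

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Assumed risk scale: values below WARNING_THRESHOLD are "low", above are "high".
WARNING_THRESHOLD = 5.0
LOW_RISK_VALUE = 1.0
HIGH_RISK_VALUE = 9.0


@dataclass
class PatchDescription:
    """Characteristics the software operating environment shows once the patch
    program for a vulnerability is installed: registry, file system directory,
    configuration file and application software hash (the page's four kinds)."""
    registry: dict[str, str] = field(default_factory=dict)   # key -> expected value
    files: set[str] = field(default_factory=set)             # paths that must exist
    config: dict[str, str] = field(default_factory=dict)     # option -> expected value
    software_hash: Optional[str] = None                      # SHA-256 of patched binary


@dataclass
class HostEnvironment:
    """Constructed in-memory stand-in for the host's current environment."""
    registry: dict[str, str]
    files: dict[str, bytes]      # path -> content
    config: dict[str, str]
    binary_path: str             # path of the first application software's binary


def patch_installed(desc: PatchDescription, env: HostEnvironment) -> bool:
    """True only if every characteristic in the patch description is present.

    A partially applied patch (some characteristics missing) is reported as
    "not installed", so the vulnerability is not silenced prematurely."""
    if any(env.registry.get(k) != v for k, v in desc.registry.items()):
        return False
    if any(path not in env.files for path in desc.files):
        return False
    if any(env.config.get(k) != v for k, v in desc.config.items()):
        return False
    if desc.software_hash is not None:
        data = env.files.get(env.binary_path)
        if data is None or hashlib.sha256(data).hexdigest() != desc.software_hash:
            return False
    return True


def risk_value(installed: bool) -> float:
    """Map the determination result to a risk value relative to the threshold."""
    return LOW_RISK_VALUE if installed else HIGH_RISK_VALUE


def assess(vuln_ids, patch_db, env):
    """Return {vuln_id: (installed, risk_value, 'low'|'high')} per vulnerability."""
    result = {}
    for vid in vuln_ids:
        installed = patch_installed(patch_db[vid], env)
        value = risk_value(installed)
        result[vid] = (installed, value, "low" if value < WARNING_THRESHOLD else "high")
    return result


# --- constructed sample data (placeholders, not real patches or hashes) -----
PATCHED_BINARY = b"constructed patched reader binary v2"
PATCHED_HASH = hashlib.sha256(PATCHED_BINARY).hexdigest()

PATCH_DB = {
    # CVE XXXXX / CVE MMMMM are the page's own placeholder identifiers.
    "CVE XXXXX": PatchDescription(
        registry={r"HKLM\SOFTWARE\ExampleVendor\Reader\PatchLevel": "2"},
        software_hash=PATCHED_HASH),
    "CVE MMMMM": PatchDescription(
        files={"/opt/example-reader/lib/hotfix_mmmmm.so"},
        config={"sandbox.enabled": "true"}),
}

HOST_ENV = HostEnvironment(
    registry={r"HKLM\SOFTWARE\ExampleVendor\Reader\PatchLevel": "2"},
    files={"/opt/example-reader/bin/reader": PATCHED_BINARY},   # hotfix .so absent
    config={"sandbox.enabled": "false"},
    binary_path="/opt/example-reader/bin/reader",
)

if __name__ == "__main__":
    for vid, (installed, value, level) in assess(list(PATCH_DB), PATCH_DB, HOST_ENV).items():
        print(f"{vid}: patch installed={installed} risk={value} ({level})")
```

With the constructed environment, CVE XXXXX is reported as patched (registry value and binary hash both match) and therefore low risk, while CVE MMMMM is reported as unpatched and high risk because its hotfix library is absent and the configuration value differs.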
  • a second aspect of the embodiments of the present application provides a vulnerability processing method.
  • The method includes: a management device receives a determination result sent by a host device, where the determination result indicates whether the host device has installed the patch corresponding to the first vulnerability, and the first vulnerability is a vulnerability in the first application software installed on the host device.
  • the management device marks the risk of the first vulnerability on the host device according to the determination result.
  • the management device receives the determination result sent by the host device, and marks the risk of the first vulnerability on the host device according to the determination result of whether the host device has installed the patch corresponding to the first vulnerability.
  • The above determination results provide a basis for further analysis by the management device. For example, the management device analyzes the overall risk of the host device based on the high-risk and low-risk vulnerabilities on the host device, or the management device pushes to the host device, based on the determination results, only the patches required for high-risk vulnerabilities.
  • The management device marking the risk of the first vulnerability on the host device according to the determination result includes: if the determination result indicates that the host device has installed the patch, the management device marks the first vulnerability on the host device as corresponding to a low risk value, where the low risk value indicates that the risk is lower than the warning threshold.
  • When the determination result received by the management device indicates that the host device has installed the patch, the management device marks the first vulnerability on the host device as corresponding to a low risk value. This improves the granularity with which the management device manages the host device.
  • The management device marking the risk of the first vulnerability on the host device according to the determination result includes: if the determination result indicates that the host device has not installed the patch, the management device marks the first vulnerability on the host device as corresponding to a high risk value, where the high risk value indicates that the risk is higher than the warning threshold.
  • When the determination result received by the management device indicates that the host device has not installed the patch, the management device marks the first vulnerability on the host device as corresponding to a high risk value.
  • The management device can then focus only on high-risk vulnerabilities, for example by downloading the corresponding patches only for high-risk vulnerabilities, which reduces the management device's workload of downloading patches for low-risk vulnerabilities.
  • the software information includes the identification of the first application software or the version number of the first application software.
  • the management device queries the vulnerability database for at least one vulnerability identifier corresponding to the first application software information according to the first application software information, and the vulnerability database stores a correspondence between the first application software information and the at least one vulnerability identifier.
  • the management device sends at least one vulnerability identifier to the host device.
  • the management device may send the vulnerability identifier corresponding to the first application software information to the host device according to the received first application software information sent by the host device.
  • This facilitates unified management of host devices by the management device.
  • the third aspect of the present application provides a host device, which is used to execute the foregoing first aspect or any possible implementation of the first aspect.
  • the device includes a module or unit for executing the above-mentioned first aspect or any possible implementation of the first aspect.
  • the fourth aspect of the present application provides a management device for executing the foregoing second aspect or any possible implementation method of the second aspect.
  • the device includes a module or unit for executing the foregoing second aspect or any possible implementation of the second aspect.
  • a fifth aspect of the present application provides a host device, which includes at least one processor, a memory, and a communication interface.
  • the processor is coupled with the memory and the communication interface.
  • the memory is used to store instructions
  • the processor is used to execute the instructions
  • the communication interface is used to communicate with the management device under the control of the processor.
  • the processor executes the method in the first aspect or any possible implementation manner of the first aspect.
  • a sixth aspect of the present application provides a management device, which includes at least one processor, a memory, and a communication interface.
  • the processor is coupled with the memory and the communication interface.
  • the memory is used to store instructions
  • the processor is used to execute the instructions
  • the communication interface is used to communicate with the host device under the control of the processor.
  • the processor executes the second aspect or the method in any possible implementation manner of the second aspect.
  • The seventh aspect of the present application provides a computer storage medium that stores instructions.
  • When the instructions run on a computer, the computer executes the method of the foregoing first aspect or any possible implementation of the first aspect, and of the second aspect or any possible implementation of the second aspect.
  • The eighth aspect of the present application provides a computer program product.
  • When the computer program product is executed on a computer, the computer executes the method of the first aspect or any possible implementation of the first aspect, and of the second aspect or any possible implementation of the second aspect.
  • The ninth aspect of the present application provides a vulnerability processing system, including a management device and at least one host device. The management device is used to receive first application software information sent by the host device, where the first application software information includes the identification or the version number of the first application software; the management device is also used to query the vulnerability database, according to the first application software information, for at least one vulnerability identifier corresponding to the first application software information, where the vulnerability database stores the correspondence between the first application software information and the at least one vulnerability identifier; and the management device is also used to send the at least one vulnerability identifier to the host device.
  • The host device is used to send the first application software information to the management device; the host device is also used to receive the at least one vulnerability identifier sent by the management device; and the host device is also used to send a determination result to the management device, where the determination result indicates whether the host device has installed the patch corresponding to the first vulnerability, and the first vulnerability is a vulnerability existing in the first application software installed on the host device.
  • For the technical effects brought by the third, fifth, seventh and eighth aspects or any of their possible implementations, refer to the technical effects brought by the first aspect or the different possible implementations of the first aspect; they are not repeated here.
  • FIG. 1 is a schematic diagram of an application scenario of a vulnerability processing system in an embodiment of the application.
  • FIG. 2 is a schematic diagram of a process of a vulnerability processing method in an embodiment of the application.
  • FIG. 3 is a schematic diagram of the process of creating a difference file in an embodiment of the application.
  • FIG. 4 is a schematic diagram of another process of the vulnerability processing method in an embodiment of the application.
  • FIG. 5 is a schematic diagram of a structure of a host device in an embodiment of the application.
  • FIG. 6 is a schematic diagram of another structure of a host device in an embodiment of the application.
  • FIG. 7 is a schematic diagram of a structure of a management device in an embodiment of the application.
  • FIG. 8 is a schematic diagram of another structure of a management device in an embodiment of the application.
  • FIG. 9 is a schematic diagram of another structure of a management device in an embodiment of the application.
  • FIG. 10 is a schematic diagram of another structure of a host device in an embodiment of the application.
  • The embodiment of the application provides a vulnerability processing method and related equipment. Based on this method, after the host device obtains a vulnerability identifier (which indicates a vulnerability in the application software installed on the host device), it obtains the corresponding patch description information according to the vulnerability identifier, thereby determining whether the patch program used to fix the vulnerability has been installed on the host device, and further determines the risk of the vulnerability based on that determination result, thereby improving the accuracy of vulnerability risk analysis.
  • the host device may require the cooperation of one or more other devices in the process of executing the foregoing method.
  • Fig. 1 is a schematic diagram of an application scenario of a vulnerability processing system provided by an embodiment of the application.
  • the vulnerability processing system in the embodiment of the present application includes: a management device 101 and at least one host device.
  • For the sake of brevity, only one management device 101 and three host devices 102 to 104 are taken as examples for schematic description. In actual applications there may be more management devices or no management device, and at least one host device; the embodiment of the present application does not limit the number of host devices.
  • the management device 101 is connected to the host devices 102 to 104 through a network.
  • the management device 101 is connected to the host devices 102 to 104 via a local area network, or the management device 101 is connected to the host devices 102 to 104 via the Internet.
  • the network used to connect the management device 101 and the host devices 102 to 104 is a network such as the Internet, the Internet of Things, or a wireless fidelity (WiFi) network, which is not specifically limited here.
  • the management device 101 and the host devices 102 to 104 may be connected through a wired network or through a wireless network. If it is connected through a wired network, the general connection method is an optical fiber network; if it is connected through a wireless network, the general connection method is a WiFi network, or a cellular wireless network, or other types of wireless networks.
  • The host devices 102 to 104 are personal computers, servers, laptops, virtual machines, wearable devices, mobile phones, smart screen TVs, sweeping robots, projectors, tablets, switches, wireless access point (AP) devices, smart cameras, baby monitors, home routers, and other devices with computing capabilities and network connection capabilities.
  • An agent is installed in the host device.
  • the agent program refers to a small program used to implement predetermined functions.
  • The agent program usually supports interaction with the management program (master) installed on the communication peer device at a designated Internet Protocol (IP) address, such as receiving instructions sent by the management program, executing the corresponding functions according to the instructions, and sending data to the management program.
  • IP Internet Protocol
  • the management device 101 is a personal computer, a server, and other devices that have certain computing capabilities, storage capabilities, and network connection capabilities.
  • a management program (master) is installed on the management device.
  • the main function of the management device 101 is to manage the host devices 102 to 104, to issue instructions to the host devices 102 to 104, and to receive data reported by the host devices 102 to 104.
  • The main functions of the host devices 102 to 104 are security detection and responding to the management device 101.
  • the embodiments of the present application provide a variety of vulnerability processing methods, such as a vulnerability processing method implemented by a host device interacting with a management device, or a vulnerability processing method mainly executed by the host device, etc., which are described separately below.
  • Fig. 2 is a schematic flowchart of a vulnerability processing method provided by an embodiment of the present application.
  • the management device is connected to the host device through a network taking a local area network as an example.
  • The host device sends first application software information to the management device.
  • the first software information is used to describe the first application software installed on the host device.
  • the "first” and “second” appearing in the embodiments of the present application are only used to distinguish different objects, and do not indicate a sequence relationship.
  • the "first” in “first application software” is to distinguish it from other applications.
  • the first application software information includes an identification of the first application software, and/or a version number of the first application software.
  • the management device obtains a vulnerability identifier corresponding to the first application software information.
  • There are many ways for the management device to obtain the vulnerability identifier corresponding to the first application software information, which are described separately below.
  • Manner 1: The management device obtains the vulnerability identifier corresponding to the first application software information from the first cloud device. Specifically, the management device sends a software information acquisition instruction to the host device; the host device sends the first application software information to the management device according to the acquisition instruction; after obtaining the first application software information, the management device obtains the vulnerability identifier corresponding to it from the first cloud device.
  • the first application software is the application software installed on the host device.
  • For example, the first application software is Adobe Reader, and the version number of the first application software is 11.0.0.379. It can be understood that this is an example, and the first application software may also be other application software, which is not specifically limited here.
  • The first application software information includes at least one of the identity document (ID) of the first application software, the version number of the first application software, the manufacturer name of the first application software, and other parameters related to the first application software, which is not specifically limited here.
  • the management device receives the first application software information sent by the host device.
  • the management device sends the first application software information to the first cloud device.
  • a first vulnerability database is stored in the first cloud device, and the first vulnerability database includes an association relationship between the first application software information and the vulnerability identifier.
  • An entry in the first vulnerability database includes the correspondence between the name of the first application software, the version number of the first application software, and the list of vulnerabilities corresponding to the first application software. This correspondence can be expressed as:
  • CVE XXXXX and CVE MMMMM are vulnerability identifiers. This entry is used to indicate that there are two vulnerabilities in the application software named adobe reader with version number 11.0.0.379, namely CVE XXXXX and CVE MMMMM.
  • CVE Common Vulnerabilities and Exposures
  • CVE is a database related to information security. It collects various information security weaknesses and vulnerabilities and gives them numbers for public access.
  • The database is now operated and maintained by the National Cybersecurity Federally Funded Research and Development Center (National Cybersecurity FFRDC) affiliated with the U.S. non-profit organization MITRE.
  • the vulnerability identification can also be the vulnerability identification issued by the China National Vulnerability Database of Information Security (CNNVD) and other vulnerability libraries.
  • the first cloud device finds an entry containing the vulnerability identifier corresponding to the first application software information from the first vulnerability database.
  • the entry includes the association relationship between the first application software information and the vulnerability identifier.
  • the association relationship between the first application software information and the vulnerability identifier is the association relationship between the ID of the first application software and the vulnerability identifier or the association relationship between the version number of the first application software and the vulnerability identifier.
  • the first cloud device sends the vulnerability identifier included in the found entry to the management device.
  • the first vulnerability library is CVE, or CNNVD.
  • the management device generates the first software asset identifier based on the first software information and the identifier of the host device to facilitate subsequent management requirements.
  • the identifier of the host device includes the IP address of the host device, or the media access control (Media Access Control, MAC) address of the host device, and so on.
  • the first software asset identifier corresponds to the combination of the first software information and the identifier of the host. This correspondence can be expressed as:
  • the software asset identifier indicates the first application software on a specific host.
  • the software asset identifier is 12345.
  • the first software asset identifier corresponds to the adobe reader on the IP address 10.0.0.123, and the version number of the software adobe reader is 11.0.0.379.
  • the first software asset identifier is unique within the scope of management equipment management.
  • The application software information includes the application software name and the application software version number. If any of the IP address, application software name or application software version number differs, two different software asset identifiers must be used to represent the two cases separately.
  • In particular, two different software asset identifiers need to be used to represent two different application software information on the same host device.
  • the management device locally stores the vulnerability identifier corresponding to the first software asset identifier based on the vulnerability identifier returned by the first cloud device to facilitate subsequent asset management.
  • the vulnerability identifier corresponding to the first software asset identifier is expressed as:
  • After receiving the first application software information sent by the host device, the management device queries the corresponding vulnerability identifier from the first cloud device, so the management device does not need to store the first vulnerability database locally, thereby saving storage space on the management device.
  • the management device downloads the first vulnerability database as a whole from the first cloud device in advance, and saves the downloaded first vulnerability database locally.
  • the management device queries the vulnerability identifier corresponding to the first application software information in the first vulnerability database stored locally.
  • the management device obtains the first vulnerability database from the first cloud device.
  • the management device performs a local database query according to the received first application software information.
  • compared with the method in which the management device queries the first cloud device for the corresponding vulnerability identifier every time it obtains first application software information from a host device, this reduces the number of interactions between the management device and the first cloud device, thereby shortening the delay caused by network transmission and improving the speed at which the management device obtains the vulnerability identifier.
  • Manner 2: the management device obtains the vulnerability identifier corresponding to the first software asset identifier through a scanning tool.
  • the management device sends a detection message to the host device through the scanning tool, and the management device obtains the response message returned by the host device for the detection message, and the content of the response message can reflect the vulnerability information.
  • after the management device obtains the response message from the host device, it queries the second vulnerability database for the vulnerability identifier corresponding to the response message, thereby determining the vulnerability identifier corresponding to the first software asset identifier.
  • the second vulnerability database includes the correspondence between the response message (or the content of the specific field in the response message) and the vulnerability identifier.
  • the second vulnerability database is provided by the scanning tool in the management device.
  • the second vulnerability library is a comprehensive system vulnerability library formed by security experts based on the analysis of network system security vulnerabilities, hacker attack cases, and system administrators’ actual experience on network system security configuration and other content. The specifics are not limited here.
  • the management device locally stores the vulnerability information corresponding to the first software asset identifier based on querying the second vulnerability database to obtain the vulnerability identifier, so as to facilitate subsequent asset management.
  • the vulnerability identifier corresponding to the first software asset identifier is expressed as:
  • the management device sends a vulnerability identifier to the host device.
  • after the management device determines the vulnerability identifier corresponding to the first application software information, it sends the vulnerability identifier to the host device.
  • the management device sends the vulnerability identifiers corresponding to the first application software information to the host device one by one, or sends all of them to the host device together.
  • take the first application software information corresponding to the two vulnerability identifiers CVE XXXXX and CVE MMMMM in the previous example as an example:
  • the management device sends CVE XXXXX and CVE MMMMM to the host device one by one, or sends CVE XXXXX and CVE MMMMM together.
  • step 200 to step 202 in FIG. 2 are a possible implementation manner for the host device to obtain the first vulnerability identifier, using CVE XXXXX or CVE MMMMM as an example.
  • the host device may also obtain the first vulnerability identifier in other ways, such as determining the first vulnerability identifier according to a locally stored first vulnerability library or a vulnerability scanning tool.
  • the first vulnerability identifier is used to indicate that a first vulnerability exists in the first application software installed on the host device.
  • the embodiment of the present application does not limit the specific way for the host device to obtain the first vulnerability identifier.
  • the host device obtains patch description information of the first vulnerability according to the first vulnerability identifier.
  • the host device sends the first vulnerability identifier to the management device.
  • the first vulnerability identifier is one of CVE XXXXX and CVE MMMMM.
  • the management device sends the first vulnerability identifier to the second cloud device.
  • the second cloud device stores the first patch description information base, and the entries in the first patch description information base include the association relationship between the vulnerability identifier and the patch description information.
  • the second cloud device and the first cloud device are the same device or different devices.
  • the management device does not need to wait to receive the vulnerability identifier sent by the host device, but directly sends the first vulnerability identifier of the at least one vulnerability identifier to the second cloud device to obtain the patch description information corresponding to the first vulnerability identifier.
  • the management device pushes the acquired patch description information to the host device according to the first software asset identifier.
  • the patch description information is created in advance by the second cloud device.
  • Patch description information is used to describe the characteristics of the computer software operating environment after the patch is installed by the computer.
  • a patch log file exists on the computer:
  • the patch description information is a difference (DIFF) file.
  • the creation process of the DIFF file is shown in FIG. 3: a first snapshot is taken on an isolated dedicated host before the patch for the first application software is installed, and a second snapshot is taken on the same isolated dedicated host after the patch for the first application software is installed.
  • the second cloud device generates a DIFF file according to the first snapshot and the second snapshot.
  • the DIFF file is used to describe the operating environment characteristics of the first application software in the computer before and after the patch is installed by the computer.
  • the DIFF file includes one or more pieces of description information. Which description information is included is determined by the requirements at the time the DIFF file is created.
  • the DIFF file includes at least one feature that can reflect the difference, such as registry changes, system catalog file changes, configuration file changes, and application software hash changes.
  • a computer refers to a device with computing capability.
  • the host device is a type of computer.
  • computer and host refer to the same concept.
  • after the second cloud device receives the first vulnerability identifier sent by the management device, it queries the first patch description information database for the entry containing the patch description information corresponding to the received vulnerability identifier. The second cloud device sends the patch description information contained in the entry to the management device. After receiving the patch description information, the management device sends it to the host device.
  • the management device downloads the first patch description information database as a whole from the second cloud device in advance, and saves the downloaded first patch description information database locally.
  • the management device queries the patch description information corresponding to the vulnerability identifier (that is, the patch description information of the first vulnerability) in the first patch description information database stored locally.
  • the management device obtains the first patch description information database from the second cloud device.
  • the management device performs a local database query to obtain patch description information corresponding to the vulnerability identifier.
  • this method can reduce the number of interactions between the management device and the second cloud device, thereby shortening the delay caused by network transmission and improving the speed at which the management device obtains patch description information.
  • the host device determines whether the host device has installed the patch program corresponding to the first vulnerability according to the patch description information of the first vulnerability.
  • the host device scans its current software operating environment through the host agent program to determine whether the current software operating environment has the characteristics described in the patch description information of the first vulnerability.
  • the software operating environment includes but is not limited to the registry, file system, operating system process list, logical port opening list, and so on.
  • the patch description information of the first vulnerability obtained in step 204 has ten characteristics.
  • the host device scans its current software operating environment through the host agent program and finds that only nine of those characteristics are present. This indicates that the operating environment of the first application software on the host device does not have all the characteristics described by the patch description information of the first vulnerability, that is, the host device has not installed the patch program corresponding to the first vulnerability.
  • the feature described in the patch description information of the first vulnerability includes a predetermined key-value pair or a predetermined sub-key-value pair in the key value of the registry.
  • This predetermined key-value pair or predetermined sub-key-value pair is added due to the installation of a patch, or set due to the installation of a patch.
  • the feature described by the patch description information of the first vulnerability includes a predetermined record in the operating system log file.
  • the predetermined record is added by the patch installation.
  • the feature described in the patch description information of the first vulnerability includes a predetermined file in a predetermined file system path, and the predetermined file includes an executable file or a log file (such as the patch log file exemplified in step 203).
  • the predetermined file in the predetermined file system path is added by the patch installation.
  • the characteristics described in the patch description information of the first vulnerability include that a predetermined file does not exist in a predetermined file system path, and the predetermined file is deleted due to the installation of a patch.
  • the predetermined file is a patch log file.
  • the host device scans its current file system through the host agent program. If patchXXXXX.log is found in the current file system of the host device, the current software operating environment of the host device has the characteristics described in the patch description information of the first vulnerability, that is, the host device has installed the patch corresponding to the first vulnerability.
  • if the host device contains all the features in the patch description information, the current software operating environment of the host device has the features described in the patch description information of the first vulnerability, that is, the host device has installed the patch corresponding to the first vulnerability.
  • the host device determines the risk of the first vulnerability according to the determination result of whether the host device has installed the patch corresponding to the first vulnerability.
  • if the host device has not installed the patch corresponding to the first vulnerability, the first vulnerability is at risk of being exploited by an attacker, and the host device determines that the first vulnerability corresponds to a high risk value, where the high risk value indicates that the risk is higher than the warning threshold.
  • if the host device has installed the patch corresponding to the first vulnerability, the first vulnerability cannot be exploited by an attacker, and the host device determines that the first vulnerability corresponds to a low risk value, where the low risk value indicates that the risk is lower than the warning threshold.
  • the risk value is represented by a numerical value, and different numerical values represent different risks.
  • for example, the higher the value, the lower the risk: 1 means the risk is lower than the warning threshold, and 0 means the risk is higher than the warning threshold.
  • the risk value can also be represented by letters or character strings, for example, the letter D or the character string “dangerous” indicates that the risk is higher than the warning threshold, and the letter S or the character string “safe” indicates that the risk is lower than the warning threshold.
  • the risk value is represented by a numerical value, and 1 means that the risk is higher than the warning threshold, and 0 means that the risk is lower than the warning threshold.
  • the host device determines that the corresponding patch has been installed for the vulnerability identified by CVE XXXXX, so the low risk value corresponding to CVE XXXXX is 0; the corresponding patch has not been installed for the vulnerability identified by CVE MMMMM, so the high risk value corresponding to CVE MMMMM is 1.
  • the host device sends the determination result to the management device.
  • after the host device determines the risk of the first vulnerability, it sends the determination result to the management device.
  • the determination result includes the risk value corresponding to the first vulnerability.
  • the determination result also includes a text description or an indication of whether the host device has installed the patch program corresponding to the first vulnerability.
  • the management device marks the risk of the first vulnerability on the host device according to the determination result.
  • after the management device receives the determination result, it marks the first software asset identifier with the corresponding determination result.
  • the determination result corresponding to the vulnerability identifier CVE XXXXX received by the management device is "0, patch is installed".
  • the determination result indicates that the vulnerability identifier CVE XXXXX corresponds to the low risk value 0.
  • the text indicates that the host device has installed the patch program corresponding to CVE XXXXX.
  • the determination result indicates the high risk value 1 corresponding to the vulnerability identifier CVE MMMMM, and the text description indicates that the host device has not installed the patch corresponding to CVE MMMMM.
  • after receiving the above determination results, the management device marks the first software asset identifier with the corresponding determination results, for example:
  • the host device evaluates the threat of a vulnerability according to the patch description information corresponding to the vulnerability, thereby improving the accuracy of vulnerability analysis. On the one hand, it identifies vulnerabilities that are actually risk-free, that is, vulnerabilities whose corresponding patch has been installed, thereby reducing false alarms; on the other hand, it identifies high-risk vulnerabilities, that is, vulnerabilities whose corresponding patch has not been installed, so as to prompt users about risks in time. In this way, the user of the host device can focus only on high-risk vulnerabilities, for example by downloading corresponding patches only for high-risk vulnerabilities, which reduces the user's workload.
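As an added illustration that is not part of the patent text, the following Python sketch builds a DIFF-style patch description from a pre-patch and a post-patch snapshot (FIG. 3), checks a host's current operating environment against every feature in it (steps 205 and 206 of FIG. 2, including the "nine of ten" partial case and a file the patch removes), and records the result under the software asset identifier (step 208). All paths, registry keys, hashes and the CVE placeholders are constructed; one patch description is reused for both identifiers only for brevity.

```python
"""Added example, not from the patent: DIFF-style patch description built
from two operating-environment snapshots, host check and risk assignment.
Every path, registry key, hash and CVE identifier is a constructed placeholder."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Snapshot:
    """Operating-environment snapshot: registry key -> value, file path ->
    content hash, application name -> binary hash."""
    registry: Dict[str, str]
    files: Dict[str, str]
    app_hashes: Dict[str, str]

    def table(self, kind: str) -> Dict[str, str]:
        return {"registry": self.registry, "file": self.files,
                "app_hash": self.app_hashes}[kind]


# One DIFF feature: (kind, key, expected value after patching).
# expected None means the patch removed the key, so it must be absent.
Feature = Tuple[str, str, Optional[str]]


def make_diff(before: Snapshot, after: Snapshot) -> List[Feature]:
    """Keep only what changed between the unpatched and patched snapshots
    (registry changes, file additions/removals, hash changes)."""
    features: List[Feature] = []
    for kind in ("registry", "file", "app_hash"):
        b, a = before.table(kind), after.table(kind)
        for key in sorted(set(b) | set(a)):
            if b.get(key) != a.get(key):
                features.append((kind, key, a.get(key)))
    return features


def has_feature(env: Snapshot, feature: Feature) -> bool:
    kind, key, expected = feature
    return env.table(kind).get(key) == expected


def count_matching(env: Snapshot, diff: List[Feature]) -> int:
    return sum(has_feature(env, f) for f in diff)


def patch_installed(env: Snapshot, diff: List[Feature]) -> bool:
    """Step 205: the patch counts as installed only if every feature in the
    description is present; nine of ten is still 'not installed'."""
    return count_matching(env, diff) == len(diff)


# Risk encoding used in the worked example of the text: 1 = above warning threshold.
RISK_LOW, RISK_HIGH = 0, 1


def determine_result(env: Snapshot, diff: List[Feature]) -> Tuple[int, str]:
    """Step 206: risk value plus the text description sent in step 207."""
    if patch_installed(env, diff):
        return RISK_LOW, "patch is installed"
    return RISK_HIGH, "patch is not installed"


# Software asset identifier: (IP address, application name, version number).
AssetId = Tuple[str, str, str]
Marks = Dict[AssetId, Dict[str, Tuple[int, str]]]


def mark_asset(marks: Marks, asset: AssetId, cve: str, result: Tuple[int, str]) -> None:
    """Step 208: the management device records the result under the asset."""
    marks.setdefault(asset, {})[cve] = result


# --- constructed sample data (placeholders, not real artefacts) -----------
READER_EXE = "C:\\Program Files\\Reader\\reader.exe"
PATCH_LOG = "C:\\ProgramData\\Reader\\patchXXXXX.log"
LEGACY_DLL = "C:\\Program Files\\Reader\\legacy_plugin.dll"
PATCH_KEY = "HKLM\\SOFTWARE\\Vendor\\Reader\\Patches\\KB-PLACEHOLDER"
VERSION_KEY = "HKLM\\SOFTWARE\\Vendor\\Reader\\Version"

BEFORE = Snapshot(registry={VERSION_KEY: "11.0.0.379"},
                  files={READER_EXE: "hash-old", LEGACY_DLL: "hash-legacy"},
                  app_hashes={"adobe reader": "hash-old"})
AFTER = Snapshot(registry={VERSION_KEY: "11.0.0.379", PATCH_KEY: "installed"},
                 files={READER_EXE: "hash-new", PATCH_LOG: "hash-log"},
                 app_hashes={"adobe reader": "hash-new"})
EXAMPLE_DIFF = make_diff(BEFORE, AFTER)  # five features; Version key unchanged

HOST_PATCHED = AFTER
# Partially patched host: registry key and log present, binaries untouched.
HOST_PARTIAL = Snapshot(registry=AFTER.registry,
                        files={READER_EXE: "hash-old", PATCH_LOG: "hash-log",
                               LEGACY_DLL: "hash-legacy"},
                        app_hashes={"adobe reader": "hash-old"})
ASSET: AssetId = ("10.0.0.123", "adobe reader", "11.0.0.379")


def run_example() -> Marks:
    marks: Marks = {}
    mark_asset(marks, ASSET, "CVE-XXXXX", determine_result(HOST_PATCHED, EXAMPLE_DIFF))
    mark_asset(marks, ASSET, "CVE-MMMMM", determine_result(HOST_PARTIAL, EXAMPLE_DIFF))
    return marks


if __name__ == "__main__":
    for asset, results in run_example().items():
        for cve, (risk, text) in results.items():
            print(asset, cve, risk, text)
```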
  • Fig. 4 is a schematic flowchart of a vulnerability processing method provided by an embodiment of the present application.
  • the host device is connected to the network.
  • the host device obtains a vulnerability identifier.
  • the host device obtains the vulnerability identifier through interaction with another network device.
  • the host device sends the first application software information to the third cloud device.
  • a third vulnerability database is stored in the third cloud device, and the third vulnerability database includes an association relationship between the first application software information and the first vulnerability identifier.
  • an entry in the third vulnerability database includes the name of the first application software, the version number of the first application software, and the correspondence between the vulnerability list corresponding to the first application software. This correspondence can be expressed as:
  • CVE XXXXX and CVE MMMMM are vulnerability identifiers. This entry is used to indicate that there are two vulnerabilities in the application software named adobe reader with version number 11.0.0.379, namely CVE XXXXX and CVE MMMMM.
  • the third cloud device finds an entry containing the vulnerability identifier corresponding to the first application software information from the third vulnerability database.
  • the entry includes an association relationship between the first application software information and the first vulnerability identifier.
  • the association relationship between the first application software information and the first vulnerability identifier is the association relationship between the ID of the first application software and the first vulnerability identifier or the association relationship between the version number of the first application software and the first vulnerability identifier.
  • the third cloud device sends the first vulnerability identifier included in the found entry to the host device.
  • the third vulnerability library is similar to the first vulnerability library described in the embodiment corresponding to FIG. 2, and the third vulnerability library is CVE, or CNNVD.
  • the host device downloads the third vulnerability database as a whole from the third cloud device in advance, and saves the downloaded third vulnerability database locally.
  • the host device obtains the third vulnerability database from the third cloud device.
  • the host device performs a local database query based on the first application software information. Compared with the method in which the host device queries the third cloud device for the corresponding vulnerability identifier every time, this method can reduce the number of interactions between the host device and the third cloud device, thereby shortening the delay caused by network transmission and improving the speed at which the host device obtains the vulnerability identifier.
  • step 401 in FIG. 4 is a possible implementation manner for the host device to obtain the first vulnerability identifier using CVE XXXXX or CVE MMMMM as an example.
  • the host device may also obtain the first vulnerability identifier in other ways.
  • the host device may also determine the first vulnerability identifier according to a third vulnerability library stored locally, or a vulnerability scanning tool may determine the first vulnerability identifier.
  • the first vulnerability identifier is used to indicate that a first vulnerability exists in the first application software installed on the host device.
  • the embodiment of the present application does not limit the specific way for the host device to obtain the first vulnerability identifier.
  • the host device obtains patch description information of the first vulnerability according to the first vulnerability identifier.
  • the host device sends the first vulnerability identifier to the fourth cloud device.
  • the first vulnerability identifier is one of CVE XXXXX and CVE MMMMM.
  • the fourth cloud device stores a second patch description information database, and the entries in the second patch description information database include the association relationship between the vulnerability identifier and the patch description information.
  • the fourth cloud device and the third cloud device are the same device or different devices.
  • the patch description information is created in advance by the fourth cloud device.
  • Patch description information is used to describe the characteristics of the computer software operating environment after the patch is installed by the computer.
  • a patch log file exists on the computer:
  • the patch description information is a difference (DIFF) file.
  • the creation process of the DIFF file is similar to the description corresponding to Figure 3 above, and will not be repeated here.
  • after the fourth cloud device receives the first vulnerability identifier sent by the host device, it queries the second patch description information database for the entry containing the patch description information corresponding to the received vulnerability identifier. The fourth cloud device sends the patch description information contained in the entry to the host device.
  • the host device downloads the second patch description information database as a whole from the fourth cloud device in advance, and saves the downloaded second patch description information database locally.
  • the patch description information corresponding to the vulnerability identifier (that is, the patch description information of the first vulnerability) is queried in the second patch description information database stored locally.
  • the second patch description information base and the first patch description information base are the same database or different databases.
  • the host device determines whether the host device has installed the patch program corresponding to the first vulnerability according to the patch description information of the first vulnerability.
  • the host device determines the risk of the first vulnerability according to the determination result of whether the host device has installed the patch corresponding to the first vulnerability.
  • Step 403 and step 404 in this embodiment are similar to step 204 and step 205 corresponding to FIG. 2, and will not be repeated here.
  • the host device marks the risk of the first vulnerability on the host device according to the determination result.
  • after the host device determines the risk of the first vulnerability, it marks the first software asset identifier with the corresponding risk. For example:
  • "0, patch is installed" means that the vulnerability identifier CVE XXXXX corresponds to the low risk value 0, and the text indicates that the host device has installed the patch corresponding to CVE XXXXX.
  • "1, patch is not installed" means that the vulnerability identifier CVE MMMMM corresponds to the high risk value 1, and the text description indicates that the patch program corresponding to CVE MMMMM is not installed on the host device.
  • the host device does not rely on the management device to complete the vulnerability processing, reduces the data transmission generated by the interaction with the management device, saves time, and thus performs the above-mentioned vulnerability processing process more efficiently.
  • the host device evaluates the threat of the vulnerability according to the patch description information corresponding to the vulnerability, thereby improving the accuracy of vulnerability analysis.
  • on the one hand, it identifies vulnerabilities that are actually risk-free, that is, vulnerabilities whose corresponding patch has already been installed, thereby reducing false alarms;
  • on the other hand, it identifies high-risk vulnerabilities, that is, vulnerabilities whose corresponding patch has not been installed, so as to prompt users about risks in time. In this way, the user of the host device can focus only on high-risk vulnerabilities, for example by downloading corresponding patches only for high-risk vulnerabilities, which reduces the user's workload.
  • FIG. 5 is a schematic structural diagram of a host device provided in an embodiment of the present application.
  • the host device includes an obtaining unit 501 and a determining unit 502.
  • the host device shown in FIG. 5 is the host device in the embodiments described in FIG. 1, FIG. 2 and FIG. 4.
  • the obtaining unit 501 is configured to obtain a first vulnerability identifier, and the first vulnerability identifier is used to indicate that the first vulnerability exists in the first application software installed on the host device.
  • the obtaining unit 501 is further configured to obtain patch description information of the first vulnerability according to the first vulnerability identifier, and the patch description information is used to describe the characteristics of the operating environment of the computer software after the patch is installed by the computer.
  • the determining unit 502 is configured to determine whether the host device has installed the patch program corresponding to the first vulnerability according to the patch description information of the first vulnerability and the current software operating environment of the host device.
  • the determining unit 502 is further configured to determine the risk of the first vulnerability according to the determination result of whether the host device has installed the patch.
  • the determining unit 502 determines whether the host device has installed the patch corresponding to the first vulnerability according to the patch description information of the first vulnerability, and then determines the risk of the first vulnerability according to that determination result. This accurately analyzes whether a vulnerability is at risk, avoids flagging vulnerabilities that have already been patched, and improves the accuracy of vulnerability risk analysis.
  • referring to FIG. 6, another embodiment of the host device in the embodiment of the present application includes:
  • the obtaining unit 601 is configured to obtain a first vulnerability identifier, and the first vulnerability identifier is used to indicate that the first vulnerability exists in the first application software installed on the host device.
  • the obtaining unit 601 is further configured to obtain patch description information of the first vulnerability according to the first vulnerability identifier, and the patch description information is used to describe the characteristics of the operating environment of the computer software after the patch is installed by the computer.
  • the determining unit 602 is configured to determine whether the host device has installed the patch program corresponding to the first vulnerability according to the patch description information of the first vulnerability and the current software operating environment of the first host device.
  • the determining unit 602 is further configured to determine the risk of the first vulnerability according to the determination result of whether the host device has installed the patch.
  • the host device in this embodiment further includes a sending unit 603.
  • the sending unit 603 is configured to send first application software information to the management device, where the first application software information includes an identifier of the first application software or a version number of the first application software.
  • the sending unit 603 is further configured to send a determination result to the management device, and the determination result is used to indicate whether the host device has installed a patch corresponding to the first vulnerability, and the first vulnerability is a vulnerability existing in the first application software installed on the host device.
  • the determining unit 602 is specifically configured to determine that the host device has installed the patch program if the current software operating environment of the host device has the characteristics described in the patch description information of the first vulnerability, and to determine that the host device has not installed the patch program if the current software operating environment of the host device does not have the characteristics described in the patch description information of the first vulnerability.
  • the determining unit 602 is specifically configured to determine that the first vulnerability corresponds to a low risk value if the determination result is that the host device has installed a patch, and the low risk value indicates that the risk is lower than the warning threshold. If the determination result is that the host device has not installed the patch, it is determined that the first vulnerability corresponds to a high risk value, and the high risk value indicates that the risk is higher than the warning threshold.
  • the patch description information includes at least one of registry information, file system directory information, configuration file information, and application software hash value.
  • Fig. 7 is a schematic structural diagram of a management device provided by an embodiment of the present application.
  • the management device shown in FIG. 7 is the management device in the embodiments described in FIG. 1 and FIG. 2.
  • the management device shown in FIG. 7 includes a receiving unit 701 and a marking unit 702.
  • the receiving unit 701 is configured to receive a determination result sent by the host device, and the determination result is used to indicate whether the host device has installed a patch corresponding to the first vulnerability, and the first vulnerability is a vulnerability existing in the first application software installed on the host device.
  • the marking unit 702 is configured to mark the risk of the first vulnerability on the host device according to the determination result.
  • the receiving unit 701 receives the determination result sent by the host device, and the marking unit 702 marks the risk of the first vulnerability on the host device according to the determination result of whether the host device has installed the patch corresponding to the first vulnerability. It can accurately analyze whether vulnerabilities are at risk, avoid vulnerabilities that have been patched, and improve the accuracy of vulnerability risk analysis.
  • FIG. 8 is a schematic diagram of another structure of a management device provided by an embodiment of the present application.
  • the receiving unit 801 is configured to receive a determination result sent by the host device, and the determination result is used to indicate whether the host device has installed a patch corresponding to the first vulnerability, and the first vulnerability is a vulnerability existing in the first application software installed on the host device.
  • the marking unit 802 is configured to mark the risk of the first vulnerability on the host device according to the determination result.
  • the receiving unit 801 is further configured to receive first application software information sent by the host device, where the first application software information includes the identification of the first application software or the version number of the first application software.
  • the receiving unit 801 is also configured to receive the determination result sent by the host device.
  • the management device in this embodiment further includes a query unit 803.
  • the query unit 803 is configured to query the vulnerability database for at least one vulnerability identifier corresponding to the first application software information according to the first application software information, and the vulnerability database stores a correspondence between the first application software information and the at least one vulnerability identifier.
  • the sending unit 804 is configured to send at least one vulnerability identifier to the host device.
  • FIG. 9 is a schematic structural diagram of another device according to an embodiment of this application, and the device is a management device.
  • the management device 900 may include one or more processors (central processing units, CPU) 901 and a memory 902.
  • the memory 902 stores one or more operating systems and/or program code.
  • the memory 902 may be volatile storage or persistent storage.
  • the program stored in the memory 902 may include one or more modules, and each module may include a series of instruction operations on the management device.
  • the processor 901 may be configured to be coupled with the memory 902, and after reading a series of instructions in the memory 902, the management device 900 can execute the steps and functions described in the foregoing embodiments.
  • the management device 900 may also include one or more power supplies, one or more wired or wireless network interfaces 903, and one or more input and output interfaces 904, where the input and output interfaces 904 are connected to an output device such as the display 905; it may also include one or more of the above operating systems, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
  • the processor 901 can perform operations performed by the management device in the embodiments shown in FIG. 7 and FIG. 8, and details are not described herein again.
  • the processor 901 of the management device can perform the actions performed by the marking unit 702 in FIG. 7, and the network interface 903 in the management device can perform the actions performed by the receiving unit 701 in FIG. 7.
  • the implementation principles and technical effects are similar and are not repeated here.
  • the processor 901 of the management device can perform the actions performed by the marking unit 802 and the query unit 803 in FIG. 8, and the network interface 903 in the management device can perform the actions performed by the receiving unit 801 and the sending unit 804 in FIG. 8; the implementation principles and technical effects are similar and are not repeated here.
  • the host device 1000 may include one or more central processing units (CPU) 1001 and a memory 1005, and the memory 1005 stores one or more application programs or data.
  • the memory 1005 may be volatile storage or persistent storage.
  • the program stored in the memory 1005 may include one or more modules, and each module may include a series of command operations on the gateway device.
  • the central processor 1001 may be configured to be coupled with the memory 1005, and after reading a series of instructions in the memory 1005, the host device 1000 can execute the steps and functions described in the above-mentioned embodiments.
  • the host device 1000 may also include one or more power supplies 1002, one or more wired or wireless network interfaces 1003, one or more input and output interfaces 1004, and/or one or more operating systems, such as Windows ServerTM, Mac OS XTM, UnixTM, LinuxTM, FreeBSDTM, etc.
  • the central processing unit 1001 of the host device may perform the actions performed by the determining unit 502 in FIG. 5, and the wired or wireless network interface 1003 or the input/output interface 1004 in the host device may perform the actions performed by the obtaining unit 501 in FIG. 5; the implementation principles and technical effects are similar and are not repeated here.
  • the central processing unit 1001 of the host device can perform the actions performed by the determining unit 602 in FIG. 6, and the wired or wireless network interface 1003 or the input/output interface 1004 in the host device can perform the actions performed by the acquiring unit 601 and the sending unit 603 in FIG. 6; the implementation principles and technical effects are similar and are not repeated here.
  • the disclosed system, device, and method may be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division of the units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • if the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solutions of the embodiments of the present application, in essence, or the part that contributes to the prior art, or part of the technical solutions, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions that make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the embodiments of the present application.
  • the aforementioned storage media include: USB flash drive, removable hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disks, optical disks and other media that can store program code.

Abstract

A vulnerability processing method, applied to the field of communications. The method comprises: a host device first obtains a first vulnerability identifier and, according to the first vulnerability identifier, obtains patch description information of a first vulnerability; the host device determines, according to the patch description information of the first vulnerability and the current software running environment of a first host device, whether a patch program corresponding to the first vulnerability is installed on the host device; and the host device determines the risk of the first vulnerability according to the result of determining whether the patch program corresponding to the first vulnerability is installed on the host device. The present invention can accurately analyze whether a vulnerability poses a risk, prevents a patched vulnerability from being regarded as risky, and improves the accuracy of vulnerability risk analysis.

Description

Vulnerability processing method and related device
This application claims priority to the Chinese patent application No. 201911398368.7, filed with the Chinese Patent Office on December 30, 2019 and entitled "Vulnerability processing method and related device", the entire contents of which are incorporated herein by reference.
Technical field
This application relates to the field of computer network technology, and in particular to a vulnerability processing method and related device.
Background
A vulnerability (also called a weakness) is a defect in computer system security that threatens the confidentiality, integrity, availability, access control and so on of the computer system or its application data. Vulnerabilities are defects in the concrete implementation of hardware, software or protocols, or in a system's security policy. They may originate from design flaws or coding errors in application software or operating systems, or from design flaws or unreasonable logic flows in how a business process is handled. These flaws, errors or irrationalities may be exploited, intentionally or unintentionally, and thereby adversely affect an organization's assets or operations, so the risk posed by a vulnerability needs to be judged.
The existing way of obtaining a host's vulnerability information is to obtain the versions of the application software installed on the host and then look up, in a vulnerability database, the vulnerability information corresponding to those installed versions, thereby obtaining the host's vulnerability information. The vulnerability database is published by the application software vendor or a third-party organization, and the vulnerability information includes vulnerability identifiers and related vulnerability description information.
However, the above scheme for obtaining a host's vulnerability information may produce false positives, that is, the generated vulnerability information for the host may include vulnerabilities that cannot actually be exploited by an attacker. A high false-positive rate or a large number of false positives has a series of adverse effects; for example, the network administrator's attention is dispersed across a large number of false positives, and genuinely threatening vulnerabilities cannot be eliminated in time.
Summary of the invention
Embodiments of this application provide a vulnerability processing method and related device that can improve the accuracy of vulnerability risk analysis.
A first aspect of the embodiments of this application provides a vulnerability processing method. The method includes: a host device obtains a first vulnerability identifier, which indicates that a first vulnerability exists in first application software installed on the host device. The host device then obtains patch description information of the first vulnerability according to the first vulnerability identifier; the patch description information describes the characteristics of the computer's software running environment after the patch program has been installed on the computer. The host device determines, according to the patch description information of the first vulnerability and the current software running environment of the first host device, whether the patch program corresponding to the first vulnerability has been installed on the host device. The host device determines the risk of the first vulnerability according to the determination result of whether the patch program has been installed.
In the embodiments of this application, the host device determines, according to the patch description information of the first vulnerability, whether the patch program corresponding to the first vulnerability has been installed, and then determines the risk of the first vulnerability according to that determination result. This accurately analyzes whether a vulnerability poses a risk, prevents an already patched vulnerability from being regarded as risky, and improves the accuracy of vulnerability risk analysis.
Optionally, in a possible implementation of the first aspect, the step in which the host device determines the risk of the first vulnerability according to the determination result of whether the patch program has been installed includes: if the determination result is that the host device has installed the patch program, the host device determines that the first vulnerability corresponds to a low risk value, where the low risk value indicates a risk below a warning threshold.
In this possible implementation, if the patch program has been installed, the host device determines that the first vulnerability is a low-risk vulnerability. It can thus indicate to the user that the risk of the first vulnerability being exploited is low, giving the user differentiated information about vulnerability risk, or it can omit reporting low-risk vulnerabilities to the user, which reduces the user's attention to them.
Optionally, in a possible implementation of the first aspect, the step in which the host device determines the risk of the first vulnerability according to the determination result of whether the patch program has been installed includes: if the determination result is that the host device has not installed the patch program, the host device determines that the first vulnerability corresponds to a high risk value, where the high risk value indicates a risk above the warning threshold.
In this possible implementation, if the patch program has not been installed, the host device determines that the first vulnerability is a high-risk vulnerability, and thus indicates to the user that the risk of the first vulnerability being exploited is high, giving the user differentiated information about vulnerability risk. Alternatively, low-risk vulnerabilities are not reported to the user and only high-risk vulnerabilities are, so that the user can concentrate on high-risk vulnerabilities, for example by downloading the corresponding patch programs only for them, which reduces the user's workload.
Optionally, in a possible implementation of the first aspect, after the host device determines the risk of the first vulnerability according to the determination result of whether the patch program has been installed, the method further includes: the host device sends the determination result to a management device.
In this possible implementation, after the host device determines the risk of the first vulnerability according to the determination result of whether the patch program has been installed, it sends the determination result to the management device. The management device can then mark how high the risk of the first vulnerability on the host device is according to the determination result. This provides a basis for further analysis by the management device; for example, the management device analyzes the overall risk of the host device from the analysis of high-risk and low-risk vulnerabilities on it, or pushes to the host, in a targeted way, the patch programs needed for the high-risk vulnerabilities according to the determination result.
Optionally, in a possible implementation of the first aspect, the step in which the host device determines, according to the patch description information of the first vulnerability and the current software running environment of the host device, whether the patch program has been installed includes: if the current software running environment of the host device has the characteristics described by the patch description information of the first vulnerability, the host device determines that the patch program has been installed; if the current software running environment of the host device does not have the characteristics described by the patch description information of the first vulnerability, the host device determines that the patch program has not been installed.
In this possible implementation, whether the host device has installed the patch program is judged by whether the host device's current software running environment has the characteristics described by the patch description information of the first vulnerability. This avoids repeated installation of the patch program and improves the accuracy of later vulnerability analysis.
Optionally, in a possible implementation of the first aspect, after the host device determines the risk of the first vulnerability according to the determination result of whether the patch program has been installed, the method further includes: the host device marks the risk value corresponding to the first vulnerability.
In this possible implementation, after determining the risk of the first vulnerability according to the determination result of whether the patch program has been installed, the host device marks the risk value corresponding to the first vulnerability. On one hand, vulnerabilities that actually pose no risk are identified, reducing false positives; on the other hand, high-risk vulnerabilities are identified, so the user is alerted to the risk in time.
Optionally, in a possible implementation of the first aspect, the patch description information includes at least one of registry information, file system directory information, configuration file information and an application software hash value.
This possible implementation improves the feasibility of the solution.
A second aspect of the embodiments of this application provides a vulnerability processing method. The method includes: a management device receives a determination result sent by a host device, where the determination result indicates whether the host device has installed the patch program corresponding to a first vulnerability, and the first vulnerability is a vulnerability existing in first application software installed on the host device. The management device marks the risk of the first vulnerability on the host device according to the determination result.
In the embodiments of this application, the management device receives the determination result sent by the host device and marks the risk of the first vulnerability on the host device according to the determination result of whether the host device has installed the patch program corresponding to the first vulnerability. The determination result provides a basis for further analysis by the management device; for example, the management device analyzes the overall risk of the host device from the analysis of high-risk and low-risk vulnerabilities on it, or pushes to the host, in a targeted way, the patch programs needed for the high-risk vulnerabilities according to the determination result.
Optionally, in a possible implementation of the second aspect, the step in which the management device marks the risk of the first vulnerability on the host device according to the determination result includes: if the determination result indicates that the host device has installed the patch program, the management device marks the first vulnerability on the host device as corresponding to a low risk value, where the low risk value indicates a risk below a warning threshold.
In this possible implementation, if the determination result indicates that the host device has installed the patch program, the management device marks the first vulnerability on the host device as corresponding to a low risk value. This improves the granularity with which the management device manages the host device.
Optionally, in a possible implementation of the second aspect, the step in which the management device marks the risk of the first vulnerability on the host device according to the determination result includes: if the determination result indicates that the host device has not installed the patch program, the management device marks the first vulnerability on the host device as corresponding to a high risk value, where the high risk value indicates a risk above the warning threshold.
In this possible implementation, if the determination result indicates that the host device has not installed the patch program, the management device marks the first vulnerability on the host device as corresponding to a high risk value. In this way, the management device can focus only on high-risk vulnerabilities, for example by downloading the corresponding patch programs only for them, which reduces the management device's workload of downloading patch programs for low-risk vulnerabilities.
Optionally, in a possible implementation of the second aspect, before the management device receives the determination result sent by the host device, the method further includes: the management device receives first application software information sent by the host device, where the first application software information includes an identifier of the first application software or a version number of the first application software. The management device queries a vulnerability database, according to the first application software information, for at least one vulnerability identifier corresponding to the first application software information, where the vulnerability database stores a correspondence between the first application software information and the at least one vulnerability identifier. The management device sends the at least one vulnerability identifier to the host device.
In this possible implementation, the management device can send the host device the vulnerability identifiers corresponding to the first application software information it received from the host device, which makes it convenient for the management device to manage host devices in a unified way.
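The procedure of the first and second aspects above, as an added example that is not part of the patent and not the applicant's code: a host evaluates patch description information (registry, directory, configuration and file-hash characteristics) against a snapshot of its environment, produces a determination result per vulnerability identifier, and the management side marks each vulnerability low or high relative to a warning threshold. The application identifiers, vulnerability identifiers, paths, registry keys and risk values are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed risk scale: values at or below the warning threshold are "low",
# values above it are "high" (the page defines only the threshold relation).
WARNING_THRESHOLD = 5
LOW_RISK_VALUE = 1
HIGH_RISK_VALUE = 9


@dataclass
class PatchDescription:
    """Characteristics the software running environment shows once the patch is installed."""
    vuln_id: str
    registry: dict = field(default_factory=dict)      # registry key -> expected value
    directories: set = field(default_factory=set)     # file system directories the patch creates
    config: dict = field(default_factory=dict)        # configuration option -> expected value
    app_hashes: dict = field(default_factory=dict)    # application file -> SHA-256 after patch


@dataclass
class HostEnvironment:
    """Snapshot of a host's current software running environment (constructed)."""
    registry: dict
    directories: set
    config: dict
    files: dict    # path -> file contents


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def patch_installed(desc: PatchDescription, env: HostEnvironment) -> bool:
    """Host side: the patch counts as installed only if every described characteristic holds."""
    if any(env.registry.get(key) != value for key, value in desc.registry.items()):
        return False
    if not desc.directories <= env.directories:
        return False
    if any(env.config.get(key) != value for key, value in desc.config.items()):
        return False
    for path, digest in desc.app_hashes.items():
        data = env.files.get(path)
        if data is None or sha256_hex(data) != digest:
            return False    # file missing, or not the patched build
    return True


def risk_value(installed: bool) -> int:
    return LOW_RISK_VALUE if installed else HIGH_RISK_VALUE


def risk_label(value: int) -> str:
    return "low" if value <= WARNING_THRESHOLD else "high"


# Management-side data (all constructed): a vulnerability database keyed by
# (application identifier, version), and the patch descriptions the host fetches.
VULN_DB = {("acme-editor", "2.1.0"): ["VULN-001", "VULN-002"]}
PATCHED_BINARY = b"acme-editor 2.1.0 build 42 (hotfix 001 applied)"
PATCH_DESCRIPTIONS = {
    "VULN-001": PatchDescription(
        "VULN-001",
        registry={"SOFTWARE/Acme/Editor/Hotfix001": "1"},
        app_hashes={"/opt/acme/editor": sha256_hex(PATCHED_BINARY)},
    ),
    "VULN-002": PatchDescription(
        "VULN-002",
        directories={"/opt/acme/hotfix002"},
        config={"strict_parser": "on"},
    ),
}


def query_vulnerability_ids(app_id: str, version: str) -> list:
    """Management side: look up the vulnerability identifiers for the reported software."""
    return list(VULN_DB.get((app_id, version), []))


def host_assess(app_id: str, version: str, env: HostEnvironment) -> dict:
    """Host side: determination result (patch installed?) per vulnerability identifier."""
    return {vid: patch_installed(PATCH_DESCRIPTIONS[vid], env)
            for vid in query_vulnerability_ids(app_id, version)}


def management_mark(determination: dict) -> dict:
    """Management side: mark each vulnerability's risk on the host from the determination result."""
    return {vid: risk_label(risk_value(installed)) for vid, installed in determination.items()}


def demo():
    # Constructed host: hotfix 001 applied (registry flag and patched binary present),
    # hotfix 002 absent (its directory is missing and the option is still "off").
    env = HostEnvironment(
        registry={"SOFTWARE/Acme/Editor/Hotfix001": "1"},
        directories={"/opt/acme"},
        config={"strict_parser": "off"},
        files={"/opt/acme/editor": PATCHED_BINARY},
    )
    determination = host_assess("acme-editor", "2.1.0", env)
    return determination, management_mark(determination)


if __name__ == "__main__":
    print(demo())
```

Because every listed characteristic must hold, a host whose registry flag is set but whose binary hash does not match the patched build is still reported as unpatched, which is the false-negative direction a defender wants when deciding what to report as high risk.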
A third aspect of this application provides a host device for executing the method in the first aspect or any possible implementation of the first aspect. Specifically, the device includes modules or units for executing the method in the first aspect or any possible implementation of the first aspect.
A fourth aspect of this application provides a management device for executing the method in the second aspect or any possible implementation of the second aspect. Specifically, the device includes modules or units for executing the method in the second aspect or any possible implementation of the second aspect.
A fifth aspect of this application provides a host device that includes at least one processor, a memory and a communication interface. The processor is coupled with the memory and the communication interface. The memory stores instructions, the processor executes the instructions, and the communication interface communicates with a management device under the control of the processor. When executed by the processor, the instructions cause the processor to execute the method in the first aspect or any possible implementation of the first aspect.
A sixth aspect of this application provides a management device that includes at least one processor, a memory and a communication interface. The processor is coupled with the memory and the communication interface. The memory stores instructions, the processor executes the instructions, and the communication interface communicates with a host device under the control of the processor. When executed by the processor, the instructions cause the processor to execute the method in the second aspect or any possible implementation of the second aspect.
A seventh aspect of this application provides a computer storage medium storing instructions which, when executed on a computer, cause the computer to execute the method in the first aspect or any possible implementation of the first aspect, or in the second aspect or any possible implementation of the second aspect.
An eighth aspect of this application provides a computer program product which, when executed on a computer, causes the computer to execute the method in the first aspect or any possible implementation of the first aspect, or in the second aspect or any possible implementation of the second aspect.
A ninth aspect of this application provides a vulnerability processing system including a management device and at least one host device. The management device receives first application software information sent by the host device, where the first application software information includes an identifier of the first application software or a version number of the first application software; the management device further queries a vulnerability database, according to the first application software information, for at least one vulnerability identifier corresponding to the first application software information, where the vulnerability database stores a correspondence between the first application software information and the at least one vulnerability identifier; and the management device further sends the at least one vulnerability identifier to the host device. The host device sends the first application software information to the management device, receives the at least one vulnerability identifier sent by the management device, and sends a determination result to the management device, where the determination result indicates whether the host device has installed the patch program corresponding to a first vulnerability, and the first vulnerability is a vulnerability existing in the first application software installed on the host device.
For the technical effects of the third, fifth, seventh and eighth aspects or any of their possible implementations, refer to the technical effects of the first aspect or its different possible implementations; they are not repeated here.
For the technical effects of the fourth, sixth, eighth and eighth aspects or any of their possible implementations, refer to the technical effects of the second aspect or its different possible implementations; they are not repeated here.
Description of the drawings
FIG. 1 is a schematic diagram of an application scenario of a vulnerability processing system in an embodiment of this application;
FIG. 2 is a schematic flowchart of a vulnerability processing method in an embodiment of this application;
FIG. 3 is a schematic diagram of the process of creating a difference file in an embodiment of this application;
FIG. 4 is another schematic flowchart of a vulnerability processing method in an embodiment of this application;
FIG. 5 is a schematic structural diagram of a host device in an embodiment of this application;
FIG. 6 is another schematic structural diagram of a host device in an embodiment of this application;
FIG. 7 is a schematic structural diagram of a management device in an embodiment of this application;
FIG. 8 is another schematic structural diagram of a management device in an embodiment of this application;
FIG. 9 is another schematic structural diagram of a management device in an embodiment of this application;
FIG. 10 is another schematic structural diagram of a host device in an embodiment of this application.
Detailed description
Embodiments of the present application provide a vulnerability processing method and related devices. With this method, after a host device obtains a vulnerability identifier (which indicates a vulnerability present in application software installed on that host device), it obtains the corresponding patch description information according to the vulnerability identifier, uses that information to determine whether the patch program that fixes the vulnerability has already been installed on the host device, and then determines the risk of the vulnerability from the determination result. This improves the accuracy of vulnerability risk analysis, since a vulnerability whose patch is already installed is not treated as an open risk. Depending on the scenario, the host device may need the cooperation of one or more other devices while carrying out the method.
The implementation principles, specific implementations and corresponding beneficial effects of the technical solution of the present application are described in detail below with reference to the drawings.
Figure 1 is a schematic diagram of an application scenario of the vulnerability processing system provided by an embodiment of the present application. Referring to Figure 1, the vulnerability processing system in this embodiment includes a management device 101 and at least one host device. For brevity, one management device 101 and three host devices 102 to 104 are used as an illustrative example. In practice the application scenario may contain more management devices or no management device at all, and it contains at least one host device; the embodiments do not limit the number of host devices. The management device 101 is connected to the host devices 102 to 104 through a network.
Optionally, the management device 101 is connected to the host devices 102 to 104 through a local area network or through the Internet. The network connecting them may be the Internet, an Internet-of-Things network, a wireless fidelity (WiFi) hotspot network or a similar network; it is not specifically limited here.
The management device 101 and the host devices 102 to 104 may be connected through a wired network or a wireless network. A wired connection is typically an optical fibre network; a wireless connection is typically a WiFi network, a cellular network or another type of wireless network.
Optionally, the host devices 102 to 104 are devices with computing and network connectivity capability, such as personal computers, servers, laptops, virtual machines, wearable devices, mobile phones, smart-screen televisions, robot vacuum cleaners, projectors, tablets, switches, wireless access point (AP) devices, smart cameras, baby monitors and home routers. An agent program is installed on each host device. An agent is a small program that implements a predetermined function. The agent typically interacts with a management program (master) installed on a peer device at a designated Internet Protocol (IP) address: it receives instructions sent by the master, executes the corresponding function according to the instruction, sends data to the master, and so on.
The management device 101 is a device with a certain amount of computing, storage and network connectivity capability, such as a personal computer or a server. A management program (master) is installed on the management device.
The main functions of the management device 101 are to manage the host devices 102 to 104, issue instructions to them and receive the data they report.
The main functions of the host devices 102 to 104 are security detection and responding to the management device 101.
The vulnerability processing method provided by the embodiments is described below with reference to the application scenario shown in Figure 1.
The embodiments provide several vulnerability processing methods, for example one implemented through interaction between the host device and the management device, and one executed mainly by the host device. They are described separately below.
1. Vulnerability processing method implemented through interaction between the host device and the management device.
Figure 2 is a schematic flowchart of the vulnerability processing method provided by an embodiment of the present application. In this embodiment the management device is connected to the host device through a network, with a local area network used as the example.
200. The host device sends first application software information to the management device.
The first application software information describes the first application software installed on the host device. The terms "first" and "second" in the embodiments only distinguish different objects and do not imply an order; for example, the "first" in "first application software" distinguishes it from other application software.
Optionally, the first application software information includes an identifier of the first application software and/or a version number of the first application software.
201. The management device obtains the vulnerability identifier corresponding to the first application software information.
In this embodiment there are several ways for the management device to obtain the vulnerability identifier corresponding to the first application software information; they are described separately below.
Method 1. The management device obtains the vulnerability identifier corresponding to the first application software information from a first cloud device. Specifically, the management device sends a software information acquisition instruction to the host device; the host device sends the first application software information to the management device according to that instruction; and after obtaining the first application software information, the management device obtains the corresponding vulnerability identifier from the first cloud device.
In the embodiments, the first application software is application software installed on the host device. As an example, the first application software is Adobe Reader and its version number is 11.0.0.379. This is only an example; the first application software may be any other application software and is not specifically limited here.
Optionally, the first application software information includes at least one of the identifier (ID) of the first application software, its version number, its vendor name, or other parameters related to the first application software; this is not specifically limited here.
The management device receives the first application software information sent by the host device and sends it to the first cloud device. The first cloud device stores a first vulnerability library, which contains the association between the first application software information and vulnerability identifiers.
As an example, an entry in the first vulnerability library records the correspondence between the name of the first application software, its version number and the list of vulnerabilities in it. This correspondence can be expressed as:
|adobe reader|11.0.0.379|CVE XXXXX, CVE MMMMM
where CVE XXXXX and CVE MMMMM are vulnerability identifiers. The entry indicates that the application software named adobe reader with version number 11.0.0.379 contains two vulnerabilities, CVE XXXXX and CVE MMMMM.
The embodiments use Common Vulnerabilities and Exposures (CVE) as the example of a vulnerability identifier. CVE is a publicly accessible catalogue of information-security vulnerabilities and exposures, each assigned a number for public reference; it is operated and maintained by the National Cybersecurity FFRDC, a federally funded research and development centre run by the U.S. non-profit organisation MITRE. The vulnerability identifier may also be one published by another vulnerability database, such as the China National Vulnerability Database of Information Security (CNNVD). Based on the first application software information sent by the management device, the first cloud device finds in the first vulnerability library the entry containing the vulnerability identifier corresponding to that information. Optionally, the entry holds the association between the first application software information and the vulnerability identifier, namely the association between the ID of the first application software and the vulnerability identifier, or between the version number of the first application software and the vulnerability identifier. The first cloud device then sends the vulnerability identifier contained in the found entry to the management device. As described above, the first vulnerability library is CVE or CNNVD.
Optionally, to facilitate subsequent management, the management device generates a first software asset identifier from the first software information and the identifier of the host device. The identifier of the host device is, for example, its IP address or its media access control (MAC) address. The first software asset identifier corresponds to the combination of the first software information and the host identifier. This correspondence can be expressed as:
|12345|adobe reader|11.0.0.379|IP:10.0.0.123
The software asset identifier designates the first application software on one specific host. In the example above the software asset identifier is 12345, and it corresponds to adobe reader, version 11.0.0.379, on the host with IP address 10.0.0.123.
The first software asset identifier is unique within the scope managed by the management device. In other words, when the application software information consists of the application software name and version number, two different software asset identifiers are needed whenever any one of the host device's IP address, the application software name and the application software version number differs. For example, two different software asset identifiers are needed to represent two different items of application software information on the same host device:
|12345|adobe reader|11.0.0.379|IP:10.0.0.123
|12346|adobe reader|11.0.0.380|IP:10.0.0.123
Likewise, two different software asset identifiers are needed to represent the same application software information on two different host devices:
|12345|adobe reader|11.0.0.379|IP:10.0.0.123
|12347|adobe reader|11.0.0.379|IP:10.0.0.124
Based on the vulnerability identifier returned by the first cloud device, the management device stores locally the vulnerability identifier corresponding to the first software asset identifier, for subsequent asset management. The vulnerability identifier corresponding to the first software asset identifier is expressed as:
|12345|CVE XXXXX, CVE MMMMM
When the management device queries the first cloud device for the corresponding vulnerability identifier after receiving the first application software information from the host device, the management device need not store the first vulnerability library locally, which saves its storage space.
Optionally, the management device downloads the whole first vulnerability library from the first cloud device in advance and stores it locally. After receiving the first application software information sent by the host, the management device queries the locally stored first vulnerability library for the corresponding vulnerability identifier. In other words, the management device obtains the first vulnerability library from the first cloud device before it receives the first application software information from the host device, and when the host device sends the first application software information it performs a local database query. Compared with querying the first cloud device every time application software information is received from a host device, this reduces the number of interactions between the management device and the first cloud device, shortens the delay caused by network transmission, and speeds up obtaining the vulnerability identifier.
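The following Python models the management-device side of steps 200 and 201: the lookup of a locally cached first vulnerability library keyed by (name, version), and the allocation of software asset identifiers that are unique per (host identifier, name, version) triple. It is an example written for this page, not code from the patent or from any Huawei product. The library contents, the host IP addresses and the starting identifier 12345 are constructed to mirror the table rows shown above; the class and method names are assumptions.

```python
"""Management-device side of steps 200/201: vulnerability lookup and software asset identifiers."""
import itertools

# Constructed stand-in for the first vulnerability library, as cached locally by the
# management device: (software name, version number) -> vulnerability identifiers.
# The rows mirror the entries shown on the page; real data would come from a CVE/CNNVD feed.
FIRST_VULNERABILITY_LIBRARY = {
    ("adobe reader", "11.0.0.379"): ["CVE XXXXX", "CVE MMMMM"],
    ("adobe reader", "11.0.0.380"): ["CVE MMMMM"],
}


class ManagementDevice:
    """Assigns one software asset identifier per (host identifier, name, version) triple
    and records which vulnerability identifiers belong to each asset (assumed design)."""

    def __init__(self, vulnerability_library, first_asset_id=12345):
        self._library = dict(vulnerability_library)  # local copy: no cloud round trip per query
        self._asset_ids = {}                          # (host_id, name, version) -> asset id
        self._asset_vulns = {}                        # asset id -> list of vulnerability ids
        self._next_id = itertools.count(first_asset_id)

    def register_asset(self, host_id, name, version):
        """Return the asset id for this triple, allocating a new id only for an unseen triple.
        Any change in host, name or version yields a different identifier."""
        key = (host_id, name, version)
        if key not in self._asset_ids:
            self._asset_ids[key] = next(self._next_id)
        return self._asset_ids[key]

    def lookup_vulnerabilities(self, name, version):
        """Step 201, method 1 against the cached library: exact (name, version) match only.
        An empty result means 'no entry', not 'no vulnerability'."""
        return list(self._library.get((name, version), []))

    def handle_software_info(self, host_id, name, version):
        """Steps 200/201: process one report of first application software information
        and return (asset id, vulnerability identifiers to send back in step 202)."""
        asset_id = self.register_asset(host_id, name, version)
        vulns = self.lookup_vulnerabilities(name, version)
        self._asset_vulns[asset_id] = vulns
        return asset_id, vulns

    def asset_table(self):
        """Rows in the page's '|asset id|name|version|IP:address' notation, by asset id."""
        rows = sorted(self._asset_ids.items(), key=lambda kv: kv[1])
        return ["|%d|%s|%s|IP:%s" % (aid, name, version, host)
                for (host, name, version), aid in rows]

    def vulnerability_table(self):
        """Rows in the page's '|asset id|CVE ..., CVE ...' notation."""
        return ["|%d|%s" % (aid, ", ".join(vulns))
                for aid, vulns in sorted(self._asset_vulns.items())]


if __name__ == "__main__":
    md = ManagementDevice(FIRST_VULNERABILITY_LIBRARY)
    md.handle_software_info("10.0.0.123", "adobe reader", "11.0.0.379")
    md.handle_software_info("10.0.0.123", "adobe reader", "11.0.0.380")
    md.handle_software_info("10.0.0.124", "adobe reader", "11.0.0.379")
    print("\n".join(md.asset_table()))
    print("\n".join(md.vulnerability_table()))
```

Two points worth noting when building this for real: the lookup is an exact string match on the version number, so a version reported in a slightly different format (trailing build tag, different separator) silently misses its entry, and a miss must be reported as "no entry found" rather than as "no known vulnerabilities".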
Method 2. The management device obtains the vulnerability identifier corresponding to the first software asset identifier through a scanning tool.
The management device sends a probe message to the host device through the scanning tool and obtains the response message the host device returns for the probe; the content of the response message reflects vulnerability information.
After obtaining the host device's response message, the management device queries a second vulnerability library for the vulnerability identifier corresponding to the response message, thereby determining the vulnerability identifier corresponding to the first software asset identifier. The second vulnerability library contains the correspondence between response messages (or the content of specific fields in them) and vulnerability identifiers. It is provided by the scanning tool on the management device, and is a system vulnerability library compiled by security experts from analyses of network system security vulnerabilities and hacker attack cases, system administrators' practical experience of network system security configuration, and other material not specifically limited here. Optionally, the management device stores locally the vulnerability identifier obtained from the second vulnerability library against the first software asset identifier, for subsequent asset management; the vulnerability identifier corresponding to the first software asset identifier is expressed as:
|12345|CVE XXXXX, CVE MMMMM
202. The management device sends the vulnerability identifier to the host device.
After determining the vulnerability identifier corresponding to the first application software information, the management device sends it to the host device.
Optionally, when the first application software information corresponds to several vulnerability identifiers, the management device sends them to the host device one at a time, or sends all of them to the host device together. Taking the earlier example, in which the first application software information corresponds to the two vulnerability identifiers CVE XXXXX and CVE MMMMM:
|adobe reader|11.0.0.379|CVE XXXXX, CVE MMMMM
the management device sends CVE XXXXX and CVE MMMMM to the host device one after the other, or sends CVE XXXXX and CVE MMMMM together.
Note that steps 200 to 202 in Figure 2 are one possible way for the host device to obtain a first vulnerability identifier, CVE XXXXX or CVE MMMMM in the example. The host device may also obtain the first vulnerability identifier in other ways, for example from a locally stored first vulnerability library or with a vulnerability scanning tool. The first vulnerability identifier indicates that a first vulnerability exists in the first application software installed on the host device. The embodiments do not limit the specific way in which the host device obtains the first vulnerability identifier.
203. The host device obtains patch description information for the first vulnerability according to the first vulnerability identifier.
Optionally, after obtaining the first vulnerability identifier, the host device sends it to the management device. In the example above the first vulnerability identifier is one of CVE XXXXX and CVE MMMMM. The management device sends the first vulnerability identifier to a second cloud device. The second cloud device stores a first patch description information library whose entries contain the association between vulnerability identifiers and patch description information. Optionally, the second cloud device and the first cloud device are the same device or different devices.
Optionally, after obtaining the at least one vulnerability identifier in step 201, the management device does not wait to receive the vulnerability identifier from the host device; it directly sends the first vulnerability identifier among the at least one vulnerability identifier to the second cloud device to obtain the corresponding patch description information, and pushes the obtained patch description information to the host according to the first software asset identifier.
The patch description information is created in advance by the second cloud device. It describes the characteristics of a computer's software operating environment after the patch program has been installed on the computer. As an example, a patch log file exists on the computer: |adobe reader|11.0.0.379|CVE XXXXX|add /root/config/adobe/patchXXXXX.log.
Optionally, the patch description information is a difference (DIFF) file. Figure 3 shows how the DIFF file is created: on an isolated dedicated host, a first snapshot is taken before the first application software is patched and a second snapshot is taken after the patch for the first application software has been installed. The second cloud device generates the DIFF file from the first and second snapshots. The DIFF file describes the characteristics of the operating environment of the first application software on the computer before and after the patch program is installed. It contains one or more description items, chosen according to the requirements at the time the DIFF file is created. Optionally, the DIFF file includes at least one kind of feature that reflects the difference, such as registry changes, system directory file changes, configuration file changes and application software hash changes.
A computer is a device with computing capability, and a host device is a kind of computer. In some contexts the terms computer and host refer to the same thing.
After receiving the first vulnerability identifier from the management device, the second cloud device queries the first patch description information library for the entry containing the patch description information corresponding to the received vulnerability identifier, and sends that patch description information to the management device. After receiving it, the management device sends the patch description information to the host device.
Optionally, the management device downloads the whole first patch description information library from the second cloud device in advance and stores it locally. After obtaining a vulnerability identifier, the management device queries the locally stored library for the corresponding patch description information (that is, the patch description information of the first vulnerability). In other words, the management device obtains the first patch description information library from the second cloud device before it sends the patch description information of the first vulnerability to the host device; after obtaining in step 201 the vulnerability identifier corresponding to the first software asset identifier, it performs a local database query to obtain the corresponding patch description information. Compared with querying the second cloud device every time a vulnerability identifier is obtained, this reduces the number of interactions between the management device and the second cloud device, shortens the delay caused by network transmission, and speeds up obtaining the patch description information.
204. The host device determines, according to the patch description information of the first vulnerability, whether the patch program corresponding to the first vulnerability has been installed on the host device.
After obtaining the patch description information of the first vulnerability, the host device uses its agent program to scan its current software operating environment and determine whether that environment has the characteristics described by the patch description information. The software operating environment includes, without limitation, the registry, the file system, the operating system process list and the list of open logical ports.
As an example, the patch description information of the first vulnerability obtained in step 203 lists ten features. The host device scans its current software operating environment through its agent and finds only nine of the ten features. This shows that the operating environment of the first application software on this host device does not have the characteristics described by the patch description information of the first vulnerability; that is, the patch program corresponding to the first vulnerability has not been installed on the host device.
Optionally, a feature described by the patch description information of the first vulnerability is the presence of a predetermined key-value pair, or a predetermined sub-key value pair, among the registry's keys, the pair having been added or set by installing the patch program.
可选地,第一漏洞的补丁描述信息所描述的特点包括操作***日志(log)文件中存在一个预定记录。该预定记录是因安装补丁程序而增加的。Optionally, the feature described by the patch description information of the first vulnerability includes a predetermined record in the operating system log file. The scheduled record is increased due to patch installation.
可选地,第一漏洞的补丁描述信息所描述的特点包括一个预定文件***路径中存在一个预定文件,该预定文件包括可执行文件或日志文件(如步骤203举例的patch日志文件)。这个预定文件***路径中的预定文件是因安装补丁程序而增加的。类似地,第一漏洞的补丁描述信息所描述的特点包括一个预定文件***路径中不存在一个预定文件,该预定文件是因安装补丁程序而被删除的。Optionally, the feature described in the patch description information of the first vulnerability includes a predetermined file in a predetermined file system path, and the predetermined file includes an executable file or a log file (such as the patch log file exemplified in step 203). The predetermined file in the predetermined file system path is increased by installing a patch. Similarly, the characteristics described in the patch description information of the first vulnerability include that a predetermined file does not exist in a predetermined file system path, and the predetermined file is deleted due to the installation of a patch.
示例性的,预定文件为patch日志文件,主机设备通过主机代理程序扫描主机设备当前的文件***。如果扫描后发现主机设备当前的文件***中存在patchXXXXX.log,则该主机设备当前的软件运行环境具有第一漏洞的补丁描述信息所描述的特点,即主机设备已安装第一漏洞对应的补丁程序。Exemplarily, the predetermined file is a patch log file, and the host device scans the current file system of the host device through the host agent program. If patchXXXXX.log is found in the current file system of the host device after scanning, the current software operating environment of the host device has the characteristics described in the patch description information of the first vulnerability, that is, the host device has installed the patch corresponding to the first vulnerability .
本申请实施例中,如果主机设备含有补丁描述信息中所有的特点,则该主机设备当前的软件运行环境具有第一漏洞的补丁描述信息所描述的特点,即主机设备已安装第一漏洞对应的补丁程序。In the embodiment of the present application, if the host device contains all the features in the patch description information, the current software operating environment of the host device has the features described in the patch description information of the first vulnerability, that is, the host device has installed the corresponding feature of the first vulnerability. Patch.
205. The host device determines the risk of the first vulnerability according to the determination result of whether the host device has installed the patch corresponding to the first vulnerability.
If the host device has not installed the patch corresponding to the first vulnerability, this means that the first vulnerability is at risk of being exploited by an attacker, and the host device determines that the first vulnerability corresponds to a low risk value, where a low risk value indicates a risk below the warning threshold. If the host device has installed the patch corresponding to the first vulnerability, this means that the first vulnerability cannot be exploited by an attacker, and the host device determines that the first vulnerability corresponds to a high risk value, where a high risk value indicates a risk above the warning threshold.
Optionally, the risk value is represented by a number, with different numbers representing different risks. One possibility is that a higher number means a higher risk, for example 1 means the risk is above the warning threshold and 0 means the risk is below it. Another possibility is that a higher number means a lower risk, for example 1 means the risk is below the warning threshold and 0 means the risk is above it.
Optionally, the risk value can also be represented by a letter or a string, for example the letter D or the string "dangerous" for a risk above the warning threshold, and the letter S or the string "safe" for a risk below the warning threshold.
Assume that in this embodiment the risk value is represented by a number, with 1 meaning the risk is above the warning threshold and 0 meaning the risk is below it. The host device determines that the patch for the vulnerability identified by CVE XXXXX has been installed, so CVE XXXXX corresponds to the low risk value 0; the patch for the vulnerability identified by CVE MMMMM has not been installed, so CVE MMMMM corresponds to the high risk value 1.
206. The host device sends the determination result to the management device.
After the host device determines the risk of the first vulnerability, it sends the determination result to the management device. The determination result includes the risk value corresponding to the first vulnerability. Optionally, the determination result also includes a text description or indication of whether the host device has installed the patch corresponding to the first vulnerability.
207. The management device marks the risk of the first vulnerability on the host device according to the determination result.
After the management device receives the determination result, it marks the corresponding determination result against the first software asset identifier.
Continuing the example above, assume that the determination result the management device receives for the vulnerability identifier CVE XXXXX is "0,patch is installed"; this result means that CVE XXXXX corresponds to the low risk value 0, and the text description indicates that the host device has installed the patch corresponding to CVE XXXXX. Assume that the determination result the management device receives for the vulnerability identifier CVE MMMMM is "1,patch is not installed"; this result means that CVE MMMMM corresponds to the high risk value 1, and the text description indicates that the host device has not installed the patch corresponding to CVE MMMMM.
After receiving the above determination results, the management device marks the corresponding determination results against the first software asset identifier, for example:
12345|CVE XXXXX:0,patch is installed|CVE MMMMM:1,patch is not installed
In the embodiment of this application, for a given vulnerability the host device evaluates its threat according to the patch description information corresponding to that vulnerability, which improves the accuracy of vulnerability analysis. On the one hand, it identifies vulnerabilities that actually carry no risk, that is, vulnerabilities whose corresponding patch has already been installed, which reduces false positives; on the other hand, it identifies high-risk vulnerabilities, that is, vulnerabilities whose corresponding patch has not been installed, so that the user is alerted to the risk in time. In this way, the user of the host device can focus only on high-risk vulnerabilities, for example downloading patches only for those, which reduces the user's workload.
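Steps 204 to 207 above, carried through in code as an added example; this is not code from the patent or from the applicant. The four feature kinds (registry key-value pair, operating system log record, file present, file absent), the all-features-required rule, the 1/0 risk encoding, the "0,patch is installed" result text and the "12345|CVE XXXXX:...|CVE MMMMM:..." marking format follow the text; the Environment and PatchFeature types, the function names, the registry key, the log line, the patchMMMMM.log and legacy_plugin.so paths and the host snapshot are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Environment:
    """Constructed snapshot of a host's software operating environment
    (the text names the registry, file system, process list and open
    ports; three of those kinds are modelled here)."""
    registry: Dict[str, str] = field(default_factory=dict)  # key -> value
    os_log: List[str] = field(default_factory=list)         # log records
    files: Set[str] = field(default_factory=set)            # existing paths


@dataclass(frozen=True)
class PatchFeature:
    """One characteristic the patch leaves behind once installed."""
    kind: str                    # "registry", "log", "file_present", "file_absent"
    target: str                  # registry key, log record text or file path
    value: Optional[str] = None  # expected registry value for kind "registry"


def feature_present(env: Environment, feat: PatchFeature) -> bool:
    """True if the environment shows this single feature."""
    if feat.kind == "registry":
        return env.registry.get(feat.target) == feat.value
    if feat.kind == "log":
        return any(feat.target in record for record in env.os_log)
    if feat.kind == "file_present":
        return feat.target in env.files
    if feat.kind == "file_absent":
        return feat.target not in env.files
    raise ValueError(f"unknown feature kind: {feat.kind}")


def patch_installed(env: Environment, features: List[PatchFeature]) -> bool:
    """Step 204: the patch counts as installed only if every described
    feature is present; nine out of ten means "not installed"."""
    return all(feature_present(env, f) for f in features)


def risk_value(installed: bool) -> int:
    """Step 205, with the encoding the text assumes: 1 means the risk is
    above the warning threshold, 0 means it is below."""
    return 0 if installed else 1


def determination_result(installed: bool) -> str:
    """Step 206 payload: the risk value plus the optional text description,
    in the "0,patch is installed" form shown in the text."""
    status = "installed" if installed else "not installed"
    return f"{risk_value(installed)},patch is {status}"


def mark_asset(asset_id: str, results: Dict[str, str]) -> str:
    """Step 207: record the results against the software asset identifier
    in the pipe-separated form shown in the text."""
    return "|".join([asset_id] + [f"{cve}:{res}" for cve, res in results.items()])


# Constructed sample data (not from the patent): one description per CVE.
PATCH_DESCRIPTIONS: Dict[str, List[PatchFeature]] = {
    "CVE XXXXX": [
        PatchFeature("file_present", "/root/config/adobe/patchXXXXX.log"),
        PatchFeature("registry", r"HKLM\SOFTWARE\Example\Reader\PatchLevel", "XXXXX"),
        PatchFeature("log", "patch XXXXX applied"),
    ],
    "CVE MMMMM": [
        PatchFeature("file_present", "/root/config/adobe/patchMMMMM.log"),
        PatchFeature("file_absent", "/root/config/adobe/legacy_plugin.so"),
    ],
}

# Constructed host snapshot: patch XXXXX has been applied, patch MMMMM has not.
HOST_ENV = Environment(
    registry={r"HKLM\SOFTWARE\Example\Reader\PatchLevel": "XXXXX"},
    os_log=["2020-08-14 10:02:11 updater: patch XXXXX applied"],
    files={"/root/config/adobe/patchXXXXX.log"},
)


def assess_host(asset_id: str, env: Environment,
                descriptions: Dict[str, List[PatchFeature]]) -> str:
    """Run steps 204 to 207 for every vulnerability known for the host."""
    results = {cve: determination_result(patch_installed(env, feats))
               for cve, feats in descriptions.items()}
    return mark_asset(asset_id, results)


if __name__ == "__main__":
    print(assess_host("12345", HOST_ENV, PATCH_DESCRIPTIONS))
```

Running the block reproduces the marking string from the text, "12345|CVE XXXXX:0,patch is installed|CVE MMMMM:1,patch is not installed". The strict all-features rule is what keeps a partially applied or rolled-back patch from being counted as installed; on a real host the agent would populate Environment from the live registry, log files and file system rather than from the constructed snapshot.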
2. The vulnerability processing method implemented by the host device.
FIG. 4 is a schematic flowchart of a vulnerability processing method provided by an embodiment of this application. In this embodiment, the host device is connected to the network.
401. The host device obtains a vulnerability identifier.
Optionally, the host device obtains the vulnerability identifier by interacting with another network device. For example, the host device sends the first application software information to a third cloud device. The third cloud device stores a third vulnerability library, which includes the association between the first application software information and the first vulnerability identifier.
For example, an entry in the third vulnerability library records the correspondence between the name of the first application software, its version number, and the list of vulnerabilities in it. This correspondence can be represented as:
|adobe reader|11.0.0.379|CVE XXXXX、CVE MMMMM
Here CVE XXXXX and CVE MMMMM are vulnerability identifiers. The entry indicates that the application software named adobe reader, version 11.0.0.379, contains two vulnerabilities, CVE XXXXX and CVE MMMMM.
According to the first application software information sent by the host device, the third cloud device looks up, in the third vulnerability library, the entry containing the vulnerability identifier corresponding to that information.
Optionally, the entry includes the association between the first application software information and the first vulnerability identifier, namely the association between the ID of the first application software and the first vulnerability identifier, or between the version number of the first application software and the first vulnerability identifier. The third cloud device then sends the first vulnerability identifier included in the found entry to the host device. The third vulnerability library is similar to the first vulnerability library described in the embodiment corresponding to FIG. 2; the third vulnerability library is CVE or CNNVD.
Optionally, the host device downloads the third vulnerability library as a whole from the third cloud device in advance and stores it locally, then queries the locally stored third vulnerability library for the first vulnerability identifier corresponding to the first application software information. In other words, instead of sending the first application software information to the third cloud device, the host device first obtains the third vulnerability library from the third cloud device and then performs a local database query based on the first application software information. Compared with querying the third cloud device for the corresponding vulnerability identifier every time, this reduces the number of interactions between the host device and the third cloud device, shortening the delay caused by network transmission and speeding up the host device's acquisition of the vulnerability identifier.
It should be noted that step 401 in FIG. 4 is one possible way for the host device to obtain the first vulnerability identifier, taking CVE XXXXX or CVE MMMMM as an example. The host device may also obtain the first vulnerability identifier in other ways; for example, it may determine the first vulnerability identifier from a locally stored third vulnerability library, or with a vulnerability scanning tool. The first vulnerability identifier indicates that a first vulnerability exists in the first application software installed on the host device. The embodiment of this application does not limit the specific way in which the host device obtains the first vulnerability identifier.
402. The host device obtains the patch description information of the first vulnerability according to the first vulnerability identifier.
Optionally, after obtaining the first vulnerability identifier, the host device sends it to a fourth cloud device. In the example above, the first vulnerability identifier is one of CVE XXXXX and CVE MMMMM. The fourth cloud device stores a second patch description information library, whose entries include the association between vulnerability identifiers and patch description information. Optionally, the fourth cloud device and the third cloud device are the same device or different devices.
The patch description information is created in advance by the fourth cloud device. It describes the characteristics of the computer's software operating environment after the patch has been installed on the computer. For example, a patch log file exists on the computer: |adobe reader|11.0.0.379|CVE XXXXX|add/root/config/adobe/patchXXXXX.log.
Optionally, the patch description information is a difference (DIFF) file. The DIFF file is created as described for FIG. 3 above, which is not repeated here.
After the fourth cloud device receives the first vulnerability identifier sent by the host device, it uses that identifier to look up, in the second patch description information library, the entry containing the patch description information corresponding to the received vulnerability identifier, and sends the patch description information contained in that entry to the host device.
Optionally, the host device downloads the second patch description information library as a whole from the fourth cloud device in advance and stores it locally, then queries the locally stored second patch description information library for the patch description information corresponding to the vulnerability identifier (that is, the patch description information of the first vulnerability).
Optionally, the second patch description information library and the first patch description information library are the same database or different databases.
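The local-copy variant of steps 401 and 402, as an added example that is not code from the patent or the applicant: both libraries are held locally and the host resolves application software information to vulnerability identifiers and then to patch description features. The two pipe-separated entry formats, the leading pipe, the "、" enumeration separator and the "add/root/config/adobe/patchXXXXX.log" action-plus-path field are taken literally from the text above; the second vulnerability-library row, the CVE MMMMM patch row, the "del" action and all function names are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed local copies of the two libraries, in the entry format the text shows.
# The 11.0.0.380 row and the CVE MMMMM patch row are invented for the example.
VULN_LIBRARY = """
|adobe reader|11.0.0.379|CVE XXXXX、CVE MMMMM
|adobe reader|11.0.0.380|CVE MMMMM
"""

PATCH_DESC_LIBRARY = """
|adobe reader|11.0.0.379|CVE XXXXX|add/root/config/adobe/patchXXXXX.log
|adobe reader|11.0.0.379|CVE MMMMM|add/root/config/adobe/patchMMMMM.log
"""

Feature = Tuple[str, str]  # (action, path), e.g. ("add", "/root/config/adobe/patchXXXXX.log")


def _fields(line: str) -> List[str]:
    """Split one entry on '|'; the leading pipe of the page's format carries
    no data, so it is stripped before splitting."""
    return [p.strip() for p in line.strip().strip("|").split("|")]


def parse_vuln_library(text: str) -> Dict[Tuple[str, str], List[str]]:
    """(software name, version) -> vulnerability identifiers
    (the third vulnerability library of step 401)."""
    table: Dict[Tuple[str, str], List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version, cves = _fields(line)
        # Several identifiers are listed with the enumeration comma "、";
        # a plain comma is accepted as well.
        table[(name, version)] = [c.strip() for c in cves.replace(",", "、").split("、") if c.strip()]
    return table


def parse_feature(feature: str) -> Feature:
    """Split the action prefix from the path: "add/root/x" -> ("add", "/root/x").
    "add" is the action shown on the page; "del" is an assumed counterpart
    for a file the patch removes (the absent-file case of step 204)."""
    for action in ("add", "del"):
        if feature.startswith(action):
            return action, feature[len(action):]
    raise ValueError(f"unrecognised patch description feature: {feature!r}")


def parse_patch_desc_library(text: str) -> Dict[str, List[Feature]]:
    """vulnerability identifier -> features (the second patch description
    information library of step 402). Several rows for one identifier
    accumulate into a single feature list."""
    table: Dict[str, List[Feature]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _name, _version, cve, feature = _fields(line)
        table.setdefault(cve, []).append(parse_feature(feature))
    return table


def lookup_patch_descriptions(name: str, version: str,
                              vuln_lib: Dict[Tuple[str, str], List[str]],
                              patch_lib: Dict[str, List[Feature]]) -> Dict[str, List[Feature]]:
    """Steps 401 and 402 with both libraries local: application software
    information -> vulnerability identifiers -> patch description features.
    Unknown software yields an empty result rather than an error."""
    cves = vuln_lib.get((name, version), [])
    return {cve: patch_lib.get(cve, []) for cve in cves}


if __name__ == "__main__":
    vl = parse_vuln_library(VULN_LIBRARY)
    pl = parse_patch_desc_library(PATCH_DESC_LIBRARY)
    for cve, feats in lookup_patch_descriptions("adobe reader", "11.0.0.379", vl, pl).items():
        print(cve, feats)
```

The output of the lookup is exactly the input that step 403 needs: for each vulnerability identifier, the list of features whose presence on the host decides whether the patch is installed. Keeping the two libraries local, as the text proposes, means the host never has to reveal its installed software inventory to a cloud device on every scan.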
403. The host device determines, according to the patch description information of the first vulnerability, whether the host device has installed the patch corresponding to the first vulnerability.
404. The host device determines the risk of the first vulnerability according to the determination result of whether the host device has installed the patch corresponding to the first vulnerability.
Steps 403 and 404 in this embodiment are similar to steps 204 and 205 corresponding to FIG. 2 above and are not repeated here.
405. The host device marks the risk of the first vulnerability on the host device according to the determination result.
After the host device determines the risk of the first vulnerability, it marks the corresponding risk against the first software asset identifier, for example: 12345|CVE XXXXX:0,patch is installed|CVE MMMMM:1,patch is not installed. Here "0,patch is installed" means that the vulnerability identifier CVE XXXXX corresponds to the low risk value 0, and the text description indicates that the host device has installed the patch corresponding to CVE XXXXX; "1,patch is not installed" means that the vulnerability identifier CVE MMMMM corresponds to the high risk value 1, and the text description indicates that the host device has not installed the patch corresponding to CVE MMMMM.
In the embodiment of this application, the host device completes the vulnerability processing without relying on the management device, which reduces the data transmission caused by interaction with the management device, saves time, and so carries out the vulnerability processing flow more efficiently. Moreover, for a given vulnerability the host device evaluates its threat according to the patch description information corresponding to that vulnerability, which improves the accuracy of vulnerability analysis: on the one hand it identifies vulnerabilities that actually carry no risk, that is, vulnerabilities whose corresponding patch has already been installed, reducing false positives; on the other hand it identifies high-risk vulnerabilities, that is, vulnerabilities whose corresponding patch has not been installed, alerting the user to the risk in time. In this way, the user of the host device can focus only on high-risk vulnerabilities, for example downloading patches only for those, which reduces the user's workload.
The vulnerability processing method provided by the embodiments of this application has been described above; the host device of the embodiments is described below. FIG. 5 is a schematic structural diagram of a host device provided by an embodiment of this application. In this embodiment, the host device includes an obtaining unit 501 and a determining unit 502. Optionally, the host device shown in FIG. 5 is the host device of the embodiments described in FIG. 1, FIG. 2 and FIG. 4.
The obtaining unit 501 is configured to obtain a first vulnerability identifier, which indicates that a first vulnerability exists in the first application software installed on the host device.
The obtaining unit 501 is further configured to obtain the patch description information of the first vulnerability according to the first vulnerability identifier; the patch description information describes the characteristics of the computer's software operating environment after the patch has been installed on the computer.
The determining unit 502 is configured to determine, according to the patch description information of the first vulnerability and the current software operating environment of the host device, whether the host device has installed the patch corresponding to the first vulnerability.
The determining unit 502 is further configured to determine the risk of the first vulnerability according to the determination result of whether the host device has installed the patch.
In this embodiment, the detailed operations performed by each unit of the host device are similar to those described in the embodiments shown in FIG. 2 and FIG. 4 above and are not repeated here.
In this embodiment, the determining unit 502 determines, according to the patch description information of the first vulnerability, whether the host device has installed the patch corresponding to the first vulnerability, and then determines the risk of the first vulnerability according to that determination result. This allows an accurate analysis of whether a vulnerability poses a risk, avoids treating already patched vulnerabilities as risky, and improves the accuracy of vulnerability risk analysis.
Referring to FIG. 6, another embodiment of the host device of this application includes:
The obtaining unit 601 is configured to obtain a first vulnerability identifier, which indicates that a first vulnerability exists in the first application software installed on the host device.
The obtaining unit 601 is further configured to obtain the patch description information of the first vulnerability according to the first vulnerability identifier; the patch description information describes the characteristics of the computer's software operating environment after the patch has been installed on the computer.
The determining unit 602 is configured to determine, according to the patch description information of the first vulnerability and the current software operating environment of the first host device, whether the host device has installed the patch corresponding to the first vulnerability.
The determining unit 602 is further configured to determine the risk of the first vulnerability according to the determination result of whether the host device has installed the patch.
The host device in this embodiment further includes a sending unit 603.
The sending unit 603 is configured to send first application software information to the management device, the first application software information including the identifier of the first application software or the version number of the first application software.
The sending unit 603 is further configured to send a determination result to the management device, the determination result indicating whether the host device has installed the patch corresponding to the first vulnerability, where the first vulnerability is a vulnerability in the first application software installed on the host device.
The determining unit 602 is specifically configured to determine that the host device has installed the patch if the host device's current software operating environment has the characteristics described by the patch description information of the first vulnerability, and to determine that the host device has not installed the patch if its current software operating environment does not have those characteristics.
The determining unit 602 is specifically configured to determine that the first vulnerability corresponds to a low risk value if the determination result is that the host device has installed the patch, the low risk value indicating a risk below the warning threshold; and to determine that the first vulnerability corresponds to a high risk value if the determination result is that the host device has not installed the patch, the high risk value indicating a risk above the warning threshold.
The patch description information includes at least one of registry information, file system directory information, configuration file information, and an application software hash value.
In this embodiment, the detailed operations performed by each unit of the host device are similar to those described in the embodiments shown in FIG. 2 and FIG. 4 above and are not repeated here.
FIG. 7 is a schematic structural diagram of a management device provided by an embodiment of this application. Optionally, the management device shown in FIG. 7 is the management device of the embodiments described in FIG. 1 and FIG. 2. The management device shown in FIG. 7 includes a receiving unit 701 and a marking unit 702.
The receiving unit 701 is configured to receive a determination result sent by the host device, the determination result indicating whether the host device has installed the patch corresponding to the first vulnerability, where the first vulnerability is a vulnerability in the first application software installed on the host device.
The marking unit 702 is configured to mark the risk of the first vulnerability on the host device according to the determination result.
In this embodiment, the detailed operations performed by each unit of the management device are similar to those described in the embodiment shown in FIG. 2 above and are not repeated here.
In this embodiment, the receiving unit 701 receives the determination result sent by the host device, and the marking unit 702 marks the risk of the first vulnerability on the host device according to the determination result of whether the host device has installed the patch corresponding to the first vulnerability. This allows an accurate analysis of whether a vulnerability poses a risk, avoids treating already patched vulnerabilities as risky, and improves the accuracy of vulnerability risk analysis.
FIG. 8 is another schematic structural diagram of a management device provided by an embodiment of this application.
The receiving unit 801 is configured to receive a determination result sent by the host device, the determination result indicating whether the host device has installed the patch corresponding to the first vulnerability, where the first vulnerability is a vulnerability in the first application software installed on the host device.
The marking unit 802 is configured to mark the risk of the first vulnerability on the host device according to the determination result.
The receiving unit 801 is further configured to receive first application software information sent by the host device, the first application software information including the identifier of the first application software or the version number of the first application software.
The receiving unit 801 is further configured to receive the determination result sent by the host device.
The management device in this embodiment further includes a query unit 803.
The query unit 803 is configured to query, according to the first application software information, a vulnerability library for at least one vulnerability identifier corresponding to the first application software information; the vulnerability library stores the correspondence between the first application software information and the at least one vulnerability identifier.
The sending unit 804 is configured to send the at least one vulnerability identifier to the host device.
In this embodiment, the detailed operations performed by each unit of the management device are similar to those described in the embodiment shown in FIG. 2 above and are not repeated here.
FIG. 9 is a schematic structural diagram of another device according to an embodiment of this application; the device is a management device.
FIG. 9 is a schematic structural diagram of a management device provided by an embodiment of this application. The management device 900 may include one or more processors (central processing units, CPU) 901 and a memory 902, and the memory 902 stores one or more operating systems and/or program code.
The memory 902 may be volatile storage or persistent storage. The program stored in the memory 902 may include one or more modules, and each module may include a series of instruction operations on the management device. Further, the processor 901 may be configured to be coupled with the memory 902, so that after reading a series of instructions in the memory 902 the management device 900 performs the steps and functions described in the foregoing embodiments.
The management device 900 may further include one or more power supplies, one or more wired or wireless network interfaces 903, one or more input/output interfaces 904 (the input/output interface 904 being connected to an output device such as the display 905), and one or more operating systems, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
The processor 901 can perform the operations performed by the management device in the embodiments shown in FIG. 7 and FIG. 8, which are not described again here.
In some embodiments, the processor 901 of the management device can perform the actions performed by the marking unit 702 in FIG. 7, and the network interface 903 of the management device can perform the actions performed by the receiving unit 701 in FIG. 7. The implementation principles and technical effects are similar and are not repeated here.
In some embodiments, the processor 901 of the management device can perform the actions performed by the marking unit 802 and the query unit 803 in FIG. 8, and the network interface 903 of the management device can perform the actions performed by the receiving unit 801 and the sending unit 804 in FIG. 8. The implementation principles and technical effects are similar and are not repeated here.
FIG. 10 is a schematic structural diagram of another device according to an embodiment of this application; the device is a host device. The host device 1000 may include one or more central processing units (CPU) 1001 and a memory 1005, and the memory 1005 stores one or more application programs or data.
The memory 1005 may be volatile storage or persistent storage. The program stored in the memory 1005 may include one or more modules, and each module may include a series of instruction operations on the gateway device. Further, the central processing unit 1001 may be configured to be coupled with the memory 1005, so that after reading a series of instructions in the memory 1005 the host device 1000 performs the steps and functions described in the foregoing embodiments.
The host device 1000 may further include one or more power supplies 1002, one or more wired or wireless network interfaces 1003, one or more input/output interfaces 1004, and/or one or more operating systems, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
In some embodiments, the central processing unit 1001 of the host device can perform the actions performed by the determining unit 502 in FIG. 5, and the wired or wireless network interface 1003 or the input/output interface 1004 of the host device can perform the actions performed by the obtaining unit 501 in FIG. 5. The implementation principles and technical effects are similar and are not repeated here.
In some embodiments, the central processing unit 1001 of the host device can perform the actions performed by the determining unit 602 in FIG. 6, and the wired or wireless network interface 1003 or the input/output interface 1004 of the host device can perform the actions performed by the obtaining unit 601 and the sending unit 603 in FIG. 6. The implementation principles and technical effects are similar and are not repeated here.
A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the specific application and design constraints of the technical solution. A skilled person may use different methods to implement the described functions for each specific application, but such implementations should not be regarded as going beyond the scope of the embodiments of this application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the various embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the embodiments of this application, in essence, or the part that contributes to the prior art, or part of the technical solutions, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or some of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk or an optical disc.
The foregoing describes only specific implementations of the embodiments of this application, but the protection scope of the embodiments of this application is not limited thereto. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed in the embodiments of this application shall fall within the protection scope of the embodiments of this application. Therefore, the protection scope of the embodiments of this application shall be subject to the protection scope of the claims.

Claims (21)

  1. A vulnerability processing method, characterized by comprising:
    obtaining, by a host device, a first vulnerability identifier, where the first vulnerability identifier is used to indicate that a first vulnerability exists in first application software installed on the host device;
    obtaining, by the host device, patch description information of the first vulnerability according to the first vulnerability identifier, where the patch description information is used to describe the characteristics of the computer's software operating environment after the patch program has been installed by the computer;
    determining, by the host device, whether the host device has installed the patch program corresponding to the first vulnerability according to the patch description information of the first vulnerability and the current software operating environment of the host device;
    determining, by the host device, the risk of the first vulnerability according to the determination result of whether the host device has installed the patch program.
  2. The vulnerability processing method according to claim 1, characterized in that the host device determining the risk of the first vulnerability according to the determination result of whether the host device has installed the patch program comprises:
    if the determination result is that the host device has installed the patch program, determining, by the host device, that the first vulnerability corresponds to a low risk value, where the low risk value indicates that the risk is below a warning threshold.
  3. The vulnerability processing method according to claim 1, characterized in that the host device determining the risk of the first vulnerability according to the determination result of whether the host device has installed the patch program comprises:
    if the determination result is that the host device has not installed the patch program, determining, by the host device, that the first vulnerability corresponds to a high risk value, where the high risk value indicates that the risk is above a warning threshold.
  4. The vulnerability processing method according to any one of claims 1 to 3, characterized in that the host device determining whether the host device has installed the patch program according to the patch description information of the first vulnerability and the current software operating environment of the host device comprises:
    if the current software operating environment of the host device has the characteristics described by the patch description information of the first vulnerability, determining, by the host device, that the host device has installed the patch program;
    if the current software operating environment of the host device does not have the characteristics described by the patch description information of the first vulnerability, determining, by the host device, that the host device has not installed the patch program.
  5. The vulnerability processing method according to any one of claims 1 to 4, characterized in that the patch description information comprises at least one of registry information, file system directory information, configuration file information and an application software hash value.
  6. A vulnerability processing method, characterized by comprising:
    receiving, by a management device, a determination result sent by a host device, where the determination result is used to indicate whether the host device has installed a patch program corresponding to a first vulnerability, and the first vulnerability is a vulnerability existing in first application software installed on the host device;
    marking, by the management device, the risk of the first vulnerability on the host device according to the determination result.
  7. The vulnerability processing method according to claim 6, characterized in that the management device marking the risk of the first vulnerability on the host device according to the determination result comprises:
    if the determination result indicates that the host device has installed the patch program, marking, by the management device, the first vulnerability on the host device as corresponding to a low risk value, where the low risk value indicates that the risk is below a warning threshold.
  8. The vulnerability processing method according to claim 6, characterized in that the management device marking the risk of the first vulnerability on the host device according to the determination result comprises:
    if the determination result indicates that the host device has not installed the patch program, marking, by the management device, the first vulnerability on the host device as corresponding to a high risk value, where the high risk value indicates that the risk is above a warning threshold.
  9. A host device, characterized by comprising:
    an obtaining unit, configured to obtain a first vulnerability identifier, where the first vulnerability identifier is used to indicate that a first vulnerability exists in first application software installed on the host device;
    the obtaining unit being further configured to obtain patch description information of the first vulnerability according to the first vulnerability identifier, where the patch description information is used to describe the characteristics of the computer's software operating environment after the patch program has been installed by the computer;
    a determining unit, configured to determine whether the host device has installed the patch program corresponding to the first vulnerability according to the patch description information of the first vulnerability and the current software operating environment of the first host device;
    the determining unit being further configured to determine the risk of the first vulnerability according to the determination result of whether the host device has installed the patch program.
  10. The host device according to claim 9, characterized in that the determining unit is specifically configured to determine, if the determination result is that the host device has installed the patch program, that the first vulnerability corresponds to a low risk value, where the low risk value indicates that the risk is below a warning threshold.
  11. The host device according to claim 9, characterized in that the determining unit is specifically configured to determine, if the determination result is that the host device has not installed the patch program, that the first vulnerability corresponds to a high risk value, where the high risk value indicates that the risk is above a warning threshold.
  12. The host device according to any one of claims 9 to 11, characterized in that the determining unit is specifically configured to: if the current software operating environment of the host device has the characteristics described by the patch description information of the first vulnerability, determine that the host device has installed the patch program; and if the current software operating environment of the host device does not have the characteristics described by the patch description information of the first vulnerability, determine that the host device has not installed the patch program.
  13. The host device according to any one of claims 9 to 12, characterized in that the patch description information comprises at least one of registry information, file system directory information, configuration file information and an application software hash value.
  14. A management device, characterized by comprising:
    a receiving unit, configured to receive a determination result sent by a host device, where the determination result is used to indicate whether the host device has installed a patch program corresponding to a first vulnerability, and the first vulnerability is a vulnerability existing in first application software installed on the host device;
    a marking unit, configured to mark the risk of the first vulnerability on the host device according to the determination result.
  15. The management device according to claim 14, characterized in that the marking unit is specifically configured to mark, if the determination result indicates that the host device has installed the patch program, the first vulnerability on the host device as corresponding to a low risk value, where the low risk value indicates that the risk is below a warning threshold.
  16. The management device according to claim 14, characterized in that the marking unit is specifically configured to mark, if the determination result indicates that the host device has not installed the patch program, the first vulnerability on the host device as corresponding to a high risk value, where the high risk value indicates that the risk is above a warning threshold.
  17. A host device, characterized by comprising:
    a processor, a memory, a bus and an input/output interface;
    the processor being connected to the memory and the input/output interface;
    the bus connecting the processor, the memory and the input/output interface;
    the processor performing the method according to any one of claims 1 to 5.
  18. A management device, characterized by comprising:
    a processor, a memory, a bus and an input/output interface;
    the processor being connected to the memory and the input/output interface;
    the bus connecting the processor, the memory and the input/output interface;
    the processor performing the method according to any one of claims 6 to 8.
  19. A vulnerability processing system, characterized by comprising a management device and at least one host device;
    the management device being configured to receive first application software information sent by the host device, where the first application software information comprises an identifier of the first application software or a version number of the first application software;
    the management device being further configured to query, according to the first application software information, a vulnerability database for at least one vulnerability identifier corresponding to the first application software information, where the vulnerability database stores the correspondence between the first application software information and the at least one vulnerability identifier;
    the management device being further configured to send the at least one vulnerability identifier to the host device;
    the host device being configured to send the first application software information to the management device;
    the host device being further configured to receive the vulnerability identifier sent by the management device;
    the host device being further configured to send a determination result to the management device, where the determination result is used to indicate whether the host device has installed a patch program corresponding to a first vulnerability, and the first vulnerability is a vulnerability existing in the first application software installed on the host device.
  20. A computer storage medium, characterized in that the computer storage medium stores instructions which, when executed on a computer, cause the computer to perform the method according to any one of claims 1 to 8.
  21. A computer program product, characterized in that, when the computer program product is executed on a computer, it causes the computer to perform the method according to any one of claims 1 to 8.
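The following is an added illustration of the procedure in claims 1 to 8 and 19, written for this page and not taken from the patent: a constructed vulnerability database keyed by (application identifier, version number), a patch description checked against the host's environment using three of the four characteristic kinds named in claim 5 (file system directory information, configuration file information and application hash; registry information is not modelled so the check runs on any OS), and the host and management device risk decisions against a warning threshold. All identifiers, paths, hashes and risk values are constructed.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed risk scale: values above the warning threshold count as "high" (claims 2-3).
WARNING_THRESHOLD = 5
LOW_RISK_VALUE = 1
HIGH_RISK_VALUE = 9

# Constructed vulnerability database held by the management device (claim 19):
# (application identifier, version number) -> vulnerability identifiers.
VULN_DB: Dict[tuple, List[str]] = {
    ("example-app", "1.0"): ["VULN-A", "VULN-B"],
    ("example-app", "1.1"): ["VULN-B"],
}


@dataclass
class PatchDescription:
    """Characteristics the software environment shows once the patch is installed
    (claim 5). Registry information is deliberately left out of this model."""
    vuln_id: str
    required_paths: List[str] = field(default_factory=list)       # file system directory information
    config_markers: Dict[str, str] = field(default_factory=dict)  # config file -> expected text
    app_path: Optional[str] = None                                # patched application binary
    app_hash: Optional[str] = None                                # its SHA-256 after patching


def lookup_vulnerability_ids(app_id: str, version: str) -> List[str]:
    """Management device: query the vulnerability database by application information."""
    return list(VULN_DB.get((app_id, version), []))


def sha256_of(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def patch_installed(desc: PatchDescription) -> bool:
    """Host device (claim 4): the patch counts as installed only when the current
    environment has every characteristic in the patch description."""
    if not all(os.path.exists(p) for p in desc.required_paths):
        return False
    for cfg_path, marker in desc.config_markers.items():
        try:
            with open(cfg_path, encoding="utf-8") as fh:
                if marker not in fh.read():
                    return False
        except OSError:  # missing or unreadable config file: characteristic absent
            return False
    if desc.app_hash is not None:
        if desc.app_path is None or not os.path.isfile(desc.app_path):
            return False
        if sha256_of(desc.app_path) != desc.app_hash:
            return False
    return True


def risk_value(installed: bool) -> int:
    """Claims 2-3: low risk value when patched, high risk value when not."""
    return LOW_RISK_VALUE if installed else HIGH_RISK_VALUE


def mark_risk(determination_results: Dict[str, bool]) -> Dict[str, str]:
    """Management device (claims 6-8): mark each vulnerability on the host as low
    or high risk from the host's reported determination result."""
    return {
        vid: ("low" if risk_value(installed) <= WARNING_THRESHOLD else "high")
        for vid, installed in determination_results.items()
    }


def run_scenario() -> Dict[str, str]:
    """Constructed end-to-end run: VULN-A's patch is present (file, config marker and
    hash all match); VULN-B's patch is absent (its expected file does not exist)."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "example-app.bin")
        with open(app, "wb") as fh:
            fh.write(b"patched build of example-app")
        cfg = os.path.join(root, "app.conf")
        with open(cfg, "w", encoding="utf-8") as fh:
            fh.write("feature_x=on\nvuln_a_mitigation=enabled\n")
        descriptions = {
            "VULN-A": PatchDescription("VULN-A", [app], {cfg: "vuln_a_mitigation=enabled"},
                                       app, sha256_of(app)),
            "VULN-B": PatchDescription("VULN-B", [os.path.join(root, "hotfix_b.dll")]),
        }
        # Host sends (app id, version); management device returns vulnerability identifiers.
        vuln_ids = lookup_vulnerability_ids("example-app", "1.0")
        # Host checks each vulnerability's patch description against its own environment.
        results = {vid: patch_installed(descriptions[vid]) for vid in vuln_ids}
        # Host reports the determination results; management device marks the risk.
        return mark_risk(results)


if __name__ == "__main__":
    print(run_scenario())  # {'VULN-A': 'low', 'VULN-B': 'high'}
```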
PCT/CN2020/109106 2019-12-30 2020-08-14 Vulnerability processing method and related device WO2021135257A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911398368.7 2019-12-30
CN201911398368.7A CN113127875A (en) 2019-12-30 2019-12-30 Vulnerability processing method and related equipment

Publications (1)

Publication Number Publication Date
WO2021135257A1 true WO2021135257A1 (en) 2021-07-08

Family

ID=76687531

Country Status (2)

Country Link
CN (1) CN113127875A (en)
WO (1) WO2021135257A1 (en)

Also Published As

Publication number Publication date
CN113127875A (en) 2021-07-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20909336; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20909336; Country of ref document: EP; Kind code of ref document: A1)