Detailed Description
First, terms related to embodiments of the present disclosure are explained:
1. Vulnerability, vulnerability knowledge, knowledge entity of a vulnerability, and vulnerability library
Vulnerability: refers to a weakness or defect in a system, the susceptibility of a system to a particular threat, attack or hazardous event, or the possibility that a threat action carries out an attack.
Vulnerability knowledge: detailed explanations and examples of vulnerabilities.
Knowledge entity of the vulnerability: vulnerability name (title) and vulnerability details.
Vulnerability library: a database that incorporates the knowledge entities of multiple vulnerabilities.
For convenience of description, in the embodiments of the present disclosure, vulnerabilities are illustrated by their knowledge entities.
Technical solutions in the embodiments of the present disclosure will be described below clearly and completely with reference to the accompanying drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some embodiments of the present disclosure, but not all embodiments. All other embodiments, which can be derived by one of ordinary skill in the art from the embodiments disclosed herein without inventive exercise, are intended to be within the scope of the present disclosure.
The terms "first", "second" and the like in the description and in the claims of the present disclosure are used to distinguish between similar elements and not necessarily to describe a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances, such that embodiments of the disclosure may be practiced in sequences other than those illustrated or described herein. The terms "first", "second" and the like are generally used herein in a generic sense and do not limit the number of objects; for example, the first object can be one or more than one. In addition, "and/or" in the specification and claims means at least one of the connected objects, and the character "/" generally indicates an "or" relationship between the objects before and after it.
The vulnerability detection method provided by the embodiments of the present disclosure is described in detail below with reference to the accompanying drawings, through specific embodiments and their application scenarios.
Fig. 1 is a schematic flow diagram of a vulnerability detection method provided in an embodiment of the present disclosure. As shown in Fig. 1, the method includes the following steps S101 to S103:
S101: During vulnerability detection, the electronic device determines the similarity between the target vulnerability and the vulnerabilities in the system vulnerability library.
The target vulnerability is a vulnerability in a second data source, other than the first data source used by the system vulnerability library.
It should be noted that, in the embodiments of the present disclosure, the second data source is, compared with the first data source, a data source of vulnerabilities newly acquired by the system.
It can be understood that the target vulnerability is a newly released or discovered vulnerability in the second data source, and that the second data source is not yet used by the system vulnerability library of the electronic device.
It should be noted that the first data source includes the data sources used by the system vulnerability library before the vulnerability retrieval. Illustratively, the first data source of the system vulnerability library used in the electronic device is, as of the last update, the data in official or authoritative vulnerability libraries, together with the newly released or uploaded vulnerabilities discovered by individuals or posted on forums, message boards and the like.
The second data source comprises the vulnerabilities discovered by individuals and the vulnerabilities newly released or uploaded on forums, posts and the like that are acquired during the vulnerability retrieval.
It should be noted that, the first data source and the second data source may each include at least one data source, and this is not particularly limited in this disclosure.
Currently, authoritative system vulnerability libraries may include: CNNVD (Chinese National Information Security system vulnerability library), OWASP (Open Web Application Security Project), CNVD (Chinese National Information Security system vulnerability library), CICSVD (Chinese National Information Security system vulnerability library), and the like.
S102: If the similarity between a vulnerability in the system vulnerability library and the target vulnerability meets a preset threshold, the electronic device updates the target vulnerability into the system vulnerability library.
It can be understood that the electronic device can determine the similarity between newly released or discovered vulnerabilities and the vulnerabilities in the system vulnerability library. Those newly released or discovered vulnerabilities whose similarity to a vulnerability in the system vulnerability library is higher than the similarity threshold may be added (or linked) to the system vulnerability library before vulnerability detection.
S103: The electronic device detects the vulnerabilities of the system based on the updated system vulnerability library and outputs the vulnerability detection result of the system.
It can be understood that new vulnerabilities have been added to the updated system vulnerability library, so retrieving system vulnerabilities based on the updated library reduces the probability of missing vulnerabilities and improves the security of the system.
According to the vulnerability detection method provided by the embodiments of the present disclosure, during vulnerability detection the similarity between a target vulnerability and the vulnerabilities in the system vulnerability library is determined first. Then, if the similarity between a vulnerability in the system vulnerability library and the target vulnerability meets a preset threshold, the electronic device can update the target vulnerability into the system vulnerability library. Finally, the electronic device detects the vulnerabilities of its system based on the updated system vulnerability library and outputs the vulnerability detection result of the system. The target vulnerability is a vulnerability in a second data source other than the first data source used by the system vulnerability library. That is, the electronic device adds to the system vulnerability library vulnerabilities that are not yet in it, such as vulnerabilities newly released on forums and newly discovered vulnerabilities uploaded by individual users. This expands the vulnerability knowledge in the system vulnerability library, so that vulnerabilities in the system of the electronic device can be retrieved more accurately based on the updated library, which improves the accuracy and precision of query results and reduces the security risk of the system.
Optionally, with reference to fig. 1, as shown in fig. 2, in the vulnerability detection method provided in the embodiment of the present disclosure, before the above S101, the following S104 may further be included:
S104: The electronic device determines whether the corpus entries in the vulnerability corpus match vulnerabilities in the system vulnerability library.
The vulnerability corpus indicates code segments containing suspected vulnerabilities detected in files in the electronic device.
It should be noted that each code segment with risk may be referred to as a corpus, that is, corresponds to a vulnerability to be determined.
For example, when detecting vulnerabilities, the electronic device may first determine a risky code segment detected in the electronic device and then determine whether that code segment matches a vulnerability in the system vulnerability library. If it matches, the code segment is risky, that is, it corresponds to a vulnerability. The vulnerability detection result of the electronic device may include the vulnerability corresponding to that code segment.
Further, S101 described above may be executed as the following S101a:
S101a: During vulnerability detection, if a corpus entry in the vulnerability corpus does not match any vulnerability in the system vulnerability library, the electronic device determines the similarity between the target vulnerability and the vulnerabilities in the system vulnerability library.
It should be noted that if a corpus entry in the vulnerability corpus matches a vulnerability in the system vulnerability library, the knowledge of that vulnerability exists in the system vulnerability library. If a corpus entry does not match any vulnerability in the system vulnerability library, the vulnerability knowledge for the vulnerability corresponding to that entry is missing from the library, which indicates that the vulnerability knowledge in the system vulnerability library may not include the latest vulnerability knowledge.
Based on this scheme, when the electronic device detects system vulnerabilities, it can first judge whether the corpus entries in the vulnerability corpus match vulnerabilities in the system vulnerability library. If all corpus entries are vulnerabilities in the system vulnerability library, the electronic device can output the vulnerability detection result directly. If a corpus entry does not match the vulnerabilities in the system vulnerability library, the similarity between the target vulnerability and the vulnerabilities in the system vulnerability library is determined and vulnerability knowledge is supplemented to the library. This avoids the resource waste caused by the electronic device updating the system vulnerability library frequently.
Optionally, in the vulnerability detection method provided in the embodiment of the present disclosure, the following S105 and S106 may also be included:
S105: The electronic device extracts the keywords of the vulnerabilities of the first data source to obtain a first keyword set.
Illustratively, subject extraction may be performed on the first data source to obtain vulnerabilities, and attribute extraction may then be performed on the obtained vulnerabilities to obtain their keywords, which form the first keyword set.
Subject extraction means extracting all vulnerabilities from a data source provided by an official website, that is, extracting the knowledge entities of the vulnerabilities. Attribute extraction means extracting keywords for a vulnerability, that is, extracting keywords from the knowledge entity of the vulnerability.
It should be noted that, each time vulnerabilities are detected, the obtained first data source is a data source used by the system vulnerability library; that is, each time vulnerabilities are detected, the obtained keywords in the second keyword set may include the keywords of vulnerabilities added to the system vulnerability library during the last vulnerability detection.
S106: The electronic device extracts the keywords of the vulnerabilities of the second data source to obtain a second keyword set.
For example, the electronic device may obtain the keywords of the vulnerabilities in the second data source at intervals, for example, every 24 hours, every 12 hours, or during idle time each day, and may also obtain them when vulnerability detection is started, which is not specifically limited in this embodiment of the disclosure.
It should be noted that, each time a vulnerability is detected, the obtained second data source is the latest data source, that is, each time a vulnerability is detected, the obtained keywords in the second keyword set are different.
For example, for a knowledge entity of a vulnerability, at least one keyword may be extracted, and the at least one keyword may each correspond to the vulnerability. That is, each keyword in the first keyword set may correspond to one vulnerability, and each keyword in the second keyword set may correspond to one vulnerability.
Optionally, S105 and S106 may be executed before S101, when vulnerability detection is started, before S104, or after S104. Fig. 3 in the embodiments of the present disclosure takes the case where S105 and S106 precede S104 as an example, which is not specifically limited in this embodiment.
Further, S101 or S101a described above can be specifically realized by the following S101b:
S101b: If a corpus entry in the vulnerability corpus does not match any vulnerability in the system vulnerability library, the electronic device determines the similarity between the target keyword in the second keyword set and the keywords in the first keyword set.
Exemplarily, assume that the first keyword set includes m1 keywords of vulnerability 1, that the second keyword set includes m2 keywords of vulnerability 2, and that m1 and m2 are both positive integers. If the similarity between at least one of the m2 keywords of vulnerability 2 and at least one of the m1 keywords of vulnerability 1 meets a preset condition, it is determined that vulnerability 2 is similar to vulnerability 1.
Based on this scheme, the electronic device extracts the keywords of the vulnerabilities in the system vulnerability library and the keywords of the vulnerabilities in the data source that is newly added relative to the system vulnerability library, and then evaluates the similarity between the two sets of keywords. In this way it can judge whether a vulnerability in the newly added data source is similar to a vulnerability in the system vulnerability library.
Optionally, in the vulnerability detection method provided in the embodiment of the present disclosure, with reference to fig. 3, as shown in fig. 4, the above S101b may be specifically executed through the following S11 and S12:
S11: If a corpus entry in the vulnerability corpus does not match any vulnerability in the system vulnerability library, the electronic device generates a first keyword vector according to the keywords in the first keyword set and generates a second keyword vector according to the keywords in the second keyword set.
S12: The electronic device determines the similarity between the target keyword in the second keyword set and each keyword in the first keyword set according to the first keyword vector and the second keyword vector.
The target keyword is any keyword in the second keyword set.
Based on this scheme, the similarity of keywords can be calculated with vectors: the keywords are converted into vector form, and the similarity computed from the vectors accurately indicates whether two keywords are similar, which in turn is used to judge whether the vulnerabilities corresponding to the two keywords are similar.
Optionally, in the vulnerability detection method provided in the embodiments of the present disclosure, S12 may be specifically executed through the following S12a:
S12a: The electronic device determines, based on the normalized exponential function, the similarity between the target keyword in the second keyword set and each keyword in the first keyword set according to the first keyword vector and the second keyword vector.
Specifically, each keyword in the first keyword set is preprocessed into a first word vector, and the keywords in the second keyword set are preprocessed into second word vectors. A probability value for each keyword in the second keyword set is then determined based on the normalized exponential function (i.e., the softmax function), the first word vector and the second word vector. This probability value reflects the similarity between the keywords.
If the probability value calculated for the first keyword in the second keyword set is greater than the preset probability value, the vulnerability corresponding to the first keyword in the second keyword set is added to the vulnerability library. If the probability value calculated for the first keyword in the second keyword set is not greater than the preset probability value, the vulnerability corresponding to the first keyword in the second keyword set is determined to be a non-vulnerability.
Illustratively, the similarity of the target keyword in the second keyword set and each keyword in the first keyword set may be determined based on formula (1) below.
Where X represents the word vector of a keyword in the first keyword set, Y represents the word vector of a keyword in the second keyword set, N represents the total number of keyword vectors in the second keyword set, and $Y_i$ represents the word vector of the target keyword in the second keyword set. $\exp(x) = e^x$ denotes the exponential function with base e. Wherein, $Y_i$ is T.
It should be noted that, based on the above formula, given the word vector of the target keyword, the probability of each keyword occurring in association with the target keyword can be calculated, and the higher the probability is, the higher the similarity is, and the lower the probability is, the lower the similarity is.
Illustratively, the probability p corresponding to the keyword d1 is obtained based on the softmax function (i.e., the above formula (1)). Assuming that the probability threshold is 0.4, the vulnerability corresponding to the keyword d1 may be connected to the system vulnerability library when p > 0.4, and may not be connected to the system vulnerability library when p < 0.4.
Based on this scheme, the similarity between the target keyword in the second keyword set and each keyword in the first keyword set can be calculated by vector computation combined with the normalized exponential function, so as to determine whether the similarity between the target keyword and each keyword in the first keyword set meets the preset condition.
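The flow S104, S12a, S102 and S103 described above, as an added Python example that is not part of the original disclosure. Formula (1) is not reproduced on this page, so the code assumes the softmax form p_i = exp(X·Y_i) / Σ_n exp(X·Y_n) over the N second-set vectors; the keywords, entry identifiers and the bag-of-tokens `embed` stand-in for learned word vectors are all constructed for illustration.

```python
import math

# Constructed sample data (not from the disclosure): keyword -> library entry id.
LIBRARY = {                      # first keyword set X, already in the library
    "sql injection": "LIB-0001",
    "buffer overflow": "LIB-0002",
}
NEW_SOURCE = {                   # second keyword set Y, from a newly acquired source
    "command injection": "NEW-0001",
    "heap overflow": "NEW-0002",
    "ui theme glitch": "NEW-0003",
}
CORPUS = ["command injection", "sql injection"]  # keywords of suspect code segments
THRESHOLD = 0.4                  # probability threshold used in the text


def embed(keyword, vocab):
    """Bag-of-tokens count vector; an assumed stand-in for learned word vectors."""
    tokens = keyword.split()
    return [float(tokens.count(t)) for t in vocab]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def softmax_similarity(x_vec, y_vecs):
    """Assumed form of formula (1): p_i = exp(x.y_i) / sum_n exp(x.y_n)."""
    scores = [dot(x_vec, y) for y in y_vecs]
    peak = max(scores)                        # subtract the max for numerical stability
    exps = [math.exp(s - peak) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]


def best_probabilities(library, new_source):
    """Highest softmax probability of each new keyword against any library keyword."""
    vocab = sorted({t for k in list(library) + list(new_source) for t in k.split()})
    new_keys = list(new_source)
    y_vecs = [embed(k, vocab) for k in new_keys]
    best = {k: 0.0 for k in new_keys}
    for lib_key in library:
        probs = softmax_similarity(embed(lib_key, vocab), y_vecs)
        for key, p in zip(new_keys, probs):
            best[key] = max(best[key], p)
    return best


def detect(library, new_source, corpus, threshold=THRESHOLD):
    """Return (updated library, findings, keywords admitted to the library)."""
    updated = dict(library)
    added = []
    # S104 / S101a: only score the new source if some corpus entry is unmatched.
    if any(k not in updated for k in corpus):
        for key, p in best_probabilities(library, new_source).items():
            if p > threshold:                 # S102: similarity meets the threshold
                updated[key] = new_source[key]
                added.append(key)
    # S103: detect against the updated library.
    findings = {k: updated[k] for k in corpus if k in updated}
    return updated, findings, added


if __name__ == "__main__":
    _, found, admitted = detect(LIBRARY, NEW_SOURCE, CORPUS)
    print("admitted:", admitted)
    print("findings:", found)
```

Because softmax normalises over the N candidates, the 0.4 cut-off is relative: with N = 2 even two unrelated keywords each score 0.5, so the threshold has to be chosen with N in mind.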
Optionally, with reference to fig. 4, as shown in fig. 5, in the vulnerability detection method provided in the embodiment of the present disclosure, after S102, the following S107 and S108 may be further included:
S107: The electronic device learns the association relationship between the vulnerabilities in the updated system vulnerability library and the keywords of the vulnerability corpus.
The association relationship can refer to the association of keywords during fuzzy query in vulnerability detection.
For example, the search keyword "injection" can be associated with words such as "command", "SQL" and "file path", so as to obtain the query results: command injection, SQL injection, file path injection.
S108: If the association relationship between the first vulnerability and the first keyword meets a preset relationship, a search relationship is established among the first vulnerability, the second vulnerability and the first keyword.
The first keywords are keywords in a vulnerability corpus, the first vulnerabilities are keywords in an updated system vulnerability database, and the second vulnerabilities are vulnerabilities corresponding to the first keywords in the vulnerability corpus.
It should be noted that, the process of establishing the search relationship may be regarded as a process of completing keyword association, and after the keyword association is completed, when the electronic device searches for a vulnerability of the system, a search range corresponding to the keyword is expanded compared to that before the keyword association is performed, so that a display range of vulnerability search results can be expanded.
It can be understood that after the search relationship among the first vulnerability, the second vulnerability and the first keyword is established, when the electronic device performs vulnerability retrieval, if vulnerability retrieval is performed according to the first keyword, the first vulnerability and the second vulnerability can be detected based on the first keyword.
For example, before the search relationship is established, when the electronic device searches for vulnerabilities based on keyword 1, vulnerability 2 can be retrieved but vulnerability 1 cannot. If the association relationship between keyword 1 and vulnerability 1 meets the preset condition and the search relationship between keyword 1 and vulnerability 1 is established, both vulnerability 1 and vulnerability 2 can be retrieved based on keyword 1 when the electronic device later searches for vulnerabilities.
Based on the scheme, after the electronic equipment updates the new vulnerability to the system vulnerability library, the electronic equipment can learn the incidence relation between the first vulnerability in the system vulnerability library and the first keyword of the corpus in the vulnerability corpus based on the updated system vulnerability library and the vulnerability corpus retrieved in the electronic equipment, and if the incidence relation meets the preset condition, the electronic equipment can establish the search relation among the first vulnerability, the second vulnerability and the first keyword, so that the vulnerability search range of the first keyword can be expanded, and the vulnerability search accuracy of the electronic equipment is improved.
Optionally, in the vulnerability detection method provided in the embodiment of the present disclosure, the step S107 may be specifically executed through the following step S107 a:
S107a: Based on the tensor neural network model, learn the association relationship between the vulnerabilities in the updated system vulnerability library and the keywords of the vulnerability corpus.
Illustratively, an NTN (Neural Tensor Network) model can be used to mine the association between a vulnerability and a keyword. That is, the association relationship between a vulnerability of the updated system vulnerability library and a keyword of a vulnerability in the vulnerability corpus can be predicted deterministically through the NTN model.
Illustratively, the relevance degree of the relevance relationship between the vulnerability in the system vulnerability library and the keywords of the vulnerability corpus can be calculated by combining the following formula (2).
Where e represents a vulnerability in the updated system vulnerability library, z represents a keyword in the vulnerability corpus, R represents the association relationship between e and z, g represents the degree of association of the relationship R between the vulnerability e and the keyword z, $h_i$ represents the slice of the tensor, is a tensor, k denotes the number of slices, is a bilinear tensor product, $U_R$ represents the value of an adjustment parameter calculated by the linear layer of the NTN model, $V_R$ represents the values of the adjustment parameters calculated by the standard layer of the NTN model, and $b_R$ indicates a configurable offset value. $f = \tanh(x) = \sinh(x)/\cosh(x)$ is a standard nonlinear function.
Illustratively, a relationship R can be predicted deterministically by the NTN model for <e, z>, and it is determined whether the relationship R in (e, R, z), for example (Bengal tiger, has part, tail), is true and deterministic.
It should be noted that, in the tensor neural network (NTN) model, a bilinear tensor layer may be used instead of a standard linear neural network layer, and two entity vectors (a vector of a vulnerability and a vector of a keyword, respectively) in multiple dimensions are associated. The likelihood score that two entities are in a particular relationship may be calculated by a function based on the NTN model.
g is a probability score of the association R, and the closeness of the association R between e and z can be determined from the magnitude of g, i.e., the level of the score. The higher the g value, the closer the association. A high g value calculated for word 1 and vulnerability entity 1 means that the two are closely related and that the association learning is completed more easily.
Based on the scheme, the updated relationship between the vulnerability in the system vulnerability database and the keywords of the vulnerability corpus can be learned based on the NTN model, and the closeness degree of the relationship can be determined, so that whether the search relationship needs to be established can be accurately determined.
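S107a and S108 as an added Python example that is not part of the original disclosure: formula (2) is not reproduced on this page, so the code uses the standard neural tensor network score g = U_R · tanh(eᵀ W_R^[1:k] z + V_R [e; z] + b_R), which matches the symbols listed above. The parameters are constructed and untrained, and the entity vectors, entry names, `INDEX` and the `PRESET` cut-off are hypothetical.

```python
import math

# Constructed, untrained parameters for one relation R (dimension d = 2, k = 2 slices).
W_R = [[[1.0, 0.0], [0.0, 1.0]],      # tensor slice 1
       [[1.0, 0.0], [0.0, -1.0]]]     # tensor slice 2
V_R = [[0.5, 0.0, 0.5, 0.0],          # standard-layer weights applied to [e; z]
       [0.0, 0.5, 0.0, 0.5]]
B_R = [-0.5, -0.5]                    # offset b_R
U_R = [1.0, 1.0]                      # linear-layer weights
PRESET = 1.0                          # hypothetical "preset relationship" cut-off on g

# Constructed entity vectors: library vulnerabilities e and a corpus keyword z.
VULN_VECS = {"VULN-1": [1.0, 0.0], "VULN-3": [0.0, 1.0]}
KEYWORD_VECS = {"injection": [1.0, 0.0]}
# Search index before learning: the keyword retrieves only vulnerability 2.
INDEX = {"injection": ["VULN-2"]}


def bilinear(e, w_slice, z):
    """h_i = e^T W_R^[i] z for one tensor slice."""
    return sum(e[i] * w_slice[i][j] * z[j]
               for i in range(len(e)) for j in range(len(z)))


def ntn_score(e, z, w=W_R, v=V_R, b=B_R, u=U_R):
    """g(e, R, z) = u . tanh(e^T W^[1:k] z + V [e; z] + b)."""
    concat = e + z                                    # [e; z]
    g = 0.0
    for i in range(len(w)):                           # one term per slice
        h_i = bilinear(e, w[i], z)
        linear = sum(v[i][j] * concat[j] for j in range(len(concat)))
        g += u[i] * math.tanh(h_i + linear + b[i])
    return g


def build_search_relations(index, keyword_vecs, vuln_vecs, preset=PRESET):
    """S108: link a vulnerability to a keyword when its score g exceeds the preset."""
    updated = {k: list(v) for k, v in index.items()}  # leave the input index untouched
    for keyword, z in keyword_vecs.items():
        for vuln, e in vuln_vecs.items():
            if ntn_score(e, z) > preset and vuln not in updated.setdefault(keyword, []):
                updated[keyword].append(vuln)
    return updated


if __name__ == "__main__":
    for name, vec in VULN_VECS.items():
        print(name, round(ntn_score(vec, KEYWORD_VECS["injection"]), 4))
    print(build_search_relations(INDEX, KEYWORD_VECS, VULN_VECS))
```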
Example:
Assume that data source A, data source B and data source C are the data sources currently used by the system vulnerability library, and that data source C is a newly added data source. The set of keywords of vulnerabilities extracted from data sources A, B and C is represented by a first keyword set X1, and the set of keywords of vulnerabilities extracted from data source D is represented by a second keyword set Y1. The vulnerability corpus is denoted by M, and the keyword set Z1 represents the set of keywords of the vulnerabilities extracted from the vulnerability corpus M.
Step 1: Determine the keyword sets of the vulnerabilities.
Perform subject extraction and attribute extraction on data source A, data source B and data source C used by the system vulnerability library to obtain the first keyword set of vulnerabilities $X1 = \{x_1, x_2, \ldots, x_{n1}\}$.
Extract the keywords of the vulnerabilities in the new data source D to obtain the second keyword set of vulnerabilities $Y1 = \{y_1, y_2, \ldots, y_{n2}\}$.
Extract the keywords of the vulnerabilities in the vulnerability corpus M to obtain the keyword set of vulnerabilities $Z1 = \{z_1, z_2, \ldots, z_{n3}\}$.
Where n1, n2 and n3 are all positive integers.
Step 2: Determine whether the vulnerabilities in the vulnerability corpus M exist in the system vulnerability library.
Step 3: If the vulnerabilities in the vulnerability corpus M are all vulnerabilities in the system vulnerability library, acquire the vulnerability detection result.
Step 4: If a vulnerability in the vulnerability corpus M is not a vulnerability in the system vulnerability library, determine the similarity between the keywords in the first keyword set X1 and the keywords in the second keyword set Y1.
Step 5: Add to the system vulnerability library the vulnerabilities corresponding to those keywords in the second keyword set Y1 whose similarity to the keywords in the first keyword set X1 is higher than the similarity threshold.
Step 6: Learn the association relationship between vulnerabilities and keywords based on the vulnerabilities in the system vulnerability library after the new vulnerabilities are added and the keyword set Z1 of the vulnerability corpus M, and establish the search relationship between keywords and vulnerabilities based on the learned association relationship.
Step 7: Acquire the vulnerability detection result of the system based on the system vulnerability library after the new vulnerabilities are added and on the added search relationship.
Based on this scheme, when vulnerability scanning is performed on software in the system, vulnerability knowledge is first gathered and cleaned (that is, keywords are extracted), and a judgment is made when searching in the system vulnerability library. It is then determined whether the vulnerability corpus entries exist in the system vulnerability library. If they exist, the retrieval result is obtained and the process ends. If they do not exist, entity representations are initialized for the newly added vulnerability data in the unsupervised text corpus (that is, the collected vulnerability knowledge) by using distributed word vectors and the softmax function, and the newly added data source is connected to the existing vulnerability library. The NTN algorithm is then used to mine the hidden relationships between the newly added data and the original data to obtain an inference result (that is, a search relationship). Adding this knowledge-reasoning operation to the original process achieves the purposes of updating the knowledge base in real time and improving the retrieval results.
It should be noted that, in the vulnerability detection method provided in the embodiment of the present disclosure, the execution subject may be a vulnerability detection apparatus, or a control module of the vulnerability detection apparatus for executing the vulnerability detection method. The method for executing vulnerability detection by a vulnerability detection device is taken as an example in the embodiment of the present disclosure to explain the vulnerability detection device provided by the embodiment of the present disclosure.
Fig. 6 is a schematic structural diagram of a vulnerability detection apparatus according to an embodiment of the present disclosure. As shown in fig. 6, the vulnerability detection apparatus 600 includes: a determining module 601, an updating module 602, and a detecting module 603. The determining module 601 is configured to determine similarity between a target vulnerability and a vulnerability in a system vulnerability library during vulnerability detection, where the target vulnerability is a vulnerability in a second data source other than a first data source used by the system vulnerability library; the updating module 602 is configured to update the target vulnerability to the system vulnerability library if the similarity between the vulnerability in the system vulnerability library and the target vulnerability meets a preset threshold; the detecting module 603 is configured to detect a system vulnerability based on the updated system vulnerability library, and output a vulnerability detection result of the system.
Optionally, in combination with fig. 6, as shown in fig. 7, the vulnerability detection apparatus 600 further includes: a matching module 604. The matching module 604 is configured to determine whether the corpus in the vulnerability corpus is matched with vulnerabilities in the system vulnerability library; the determining module 601 is specifically configured to determine similarity between a target vulnerability and a vulnerability in the system vulnerability library if there is a corpus in the vulnerability corpus that is not matched with a vulnerability in the system vulnerability library.
Optionally, in combination with fig. 6, as shown in fig. 7, the vulnerability detection apparatus 600 further includes: an extracting module 605. The extracting module 605 is configured to, before the determining module 601 determines the similarity between the target vulnerability and the vulnerability in the system vulnerability library, extract keywords of the vulnerabilities in the first data source to obtain a first keyword set, and extract keywords of the vulnerabilities in the second data source to obtain a second keyword set; the determining module 601 is configured to determine similarity between a target keyword in the second keyword set and a keyword in the first keyword set. Each keyword in the first keyword set corresponds to one vulnerability, and each keyword in the second keyword set corresponds to one vulnerability.
Optionally, the determining module 601 is specifically configured to generate a first keyword vector according to the keywords in the first keyword set, and generate a second keyword vector according to the keywords in the second keyword set; and to determine the similarity between the target keyword in the second keyword set and each keyword in the first keyword set according to the first keyword vector and the second keyword vector. The target keyword is any keyword in the second keyword set.
Optionally, the determining module 601 is specifically configured to determine, based on the normalization indication function, a similarity between a target keyword in the second keyword set and each keyword in the first keyword set according to the first keyword vector and the second keyword vector.
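The following added example (not part of the disclosure) sketches in Python how the matching, extracting, determining and updating modules described above could fit together. Cosine similarity over keyword-count vectors stands in for the normalization indication function, which this passage does not define; the function names, the stopword list, the 0.5 threshold and the sample entries are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed stopword list (assumption; the disclosure names no extraction method).
STOPWORDS = {"the", "into", "via", "when", "without", "and", "with", "for"}

def keyword_vector(title, details):
    """Extracting module: keyword counts for one knowledge entity (title + details)."""
    tokens = re.findall(r"[a-z0-9]+", f"{title} {details}".lower())
    return Counter(t for t in tokens if len(t) > 2 and t not in STOPWORDS)

def similarity(a, b):
    """Determining module: cosine similarity, a stand-in for the page's function."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def update_library(library, second_source, threshold=0.5):
    """Updating module: add unmatched second-source entries that meet the threshold."""
    vectors = [keyword_vector(t, d) for t, d in library.items()]
    added = []
    for title, details in second_source.items():
        if title in library:  # matching module: entry already known, skip it
            continue
        target = keyword_vector(title, details)
        best = max((similarity(target, v) for v in vectors), default=0.0)
        if best >= threshold:  # assumption: "meets" means at or above the threshold
            library[title] = details
            added.append((title, round(best, 3)))
    return added

# Constructed sample data: a library from the first data source, candidates from a second.
LIBRARY = {
    "SQL injection in login form": "Unsanitized user input concatenated into SQL query allows injection via login parameter",
    "Stored cross-site scripting in comments": "Comment field renders unescaped HTML script allowing stored XSS",
}
SECOND_SOURCE = {
    "SQL injection in login form": "Duplicate report of a known entry",
    "SQL injection in search endpoint": "Search parameter concatenated into SQL query without sanitization allows injection",
    "Printer tray jam": "Paper feed roller slips when the tray is overfilled",
}

if __name__ == "__main__":
    print(update_library(dict(LIBRARY), SECOND_SOURCE))
```

Because the second data source here is forum or user-submitted content, the threshold is the only gate between untrusted text and the library used for detection, so a deployment would log each accepted entry with its score for review.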
Optionally, with reference to fig. 6, as shown in fig. 8, the vulnerability detection apparatus 600 further includes: a learning module 606 and an establishing module 607. The learning module 606 is configured to learn an association relationship between a vulnerability in the updated system vulnerability library and a keyword of a vulnerability corpus; the establishing module 607 is configured to establish a search relationship between the first vulnerability and the first keyword, and between the first vulnerability and the second vulnerability, if the association relationship between the first vulnerability and the first keyword meets a preset relationship. The first keywords are keywords in a vulnerability corpus, the first vulnerabilities are keywords in an updated system vulnerability library, and the second vulnerabilities are vulnerabilities corresponding to the first keywords in the vulnerability corpus.
The learning module 606 is specifically configured to learn, based on the tensor neural network model, an association relationship between a vulnerability in the updated system vulnerability library and a keyword in the vulnerability corpus.
The embodiment of the disclosure provides a vulnerability detection apparatus. When detecting a vulnerability, the electronic device first determines similarity between a target vulnerability and a vulnerability in a system vulnerability library; then, if the similarity between the vulnerability in the system vulnerability library and the target vulnerability meets a preset threshold, the electronic device can update the target vulnerability to the system vulnerability library; finally, the electronic device detects vulnerabilities of its system based on the updated system vulnerability library and outputs a vulnerability detection result of the system. The target vulnerability is a vulnerability in a second data source other than a first data source used by the system vulnerability library; that is, the electronic device adds to the system vulnerability library some vulnerabilities that are not yet in it, such as vulnerabilities newly released in forums and newly discovered vulnerabilities uploaded by individual users. This expands the vulnerability knowledge in the system vulnerability library, so that vulnerabilities in the system of the electronic device can be retrieved more accurately based on the updated system vulnerability library, the accuracy and precision of query results are improved, and the security risks of the system are reduced.
The vulnerability detection device in the embodiment of the present disclosure may be a device, or may be a component, an integrated circuit, or a chip in a terminal. The device can be mobile electronic equipment or non-mobile electronic equipment. By way of example, the mobile electronic device may be a mobile phone, a tablet computer, a notebook computer, a palm top computer, a vehicle-mounted electronic device, a wearable device, a UMPC (ultra-mobile personal computer), a netbook, a PDA (personal digital assistant), or the like, and the non-mobile electronic device may be a server, a NAS (Network Attached Storage), a PC (personal computer), a TV (television), a counter-top machine, or a self-service machine, and the embodiments of the present disclosure are not limited in particular.
The vulnerability detection apparatus in the embodiments of the present disclosure may be an apparatus having an operating system. The operating system may be an Android operating system, an iOS operating system, or other possible operating systems, and embodiments of the present disclosure are not limited specifically.
The vulnerability detection apparatus provided in the embodiment of the present disclosure can implement each process implemented by the method embodiments of fig. 1 to fig. 5, and is not described herein again in order to avoid repetition.
Optionally, as shown in fig. 9, an electronic device 900 is further provided in an embodiment of the present disclosure, and includes a processor 901, a memory 902, and a program or an instruction stored in the memory 902 and executable on the processor 901, where the program or the instruction is executed by the processor 901 to implement each process of the foregoing vulnerability detection method embodiment, and can achieve the same technical effect, and in order to avoid repetition, details are not repeated here.
It should be noted that the electronic device in the embodiment of the present disclosure includes the mobile electronic device and the non-mobile electronic device described above.
Fig. 10 is a schematic diagram of a hardware structure of an electronic device implementing an embodiment of the present disclosure.
The electronic device 1000 includes, but is not limited to: a radio frequency unit 1001, a network module 1002, an audio output unit 1003, an input unit 1004, a sensor 1005, a display unit 1006, a user input unit 1007, an interface unit 1008, a memory 1009, and a processor 1010.
Those skilled in the art will appreciate that the electronic device 1000 may further comprise a power source (e.g., a battery) for supplying power to various components, and the power source may be logically connected to the processor 1010 through a power management system, so as to implement functions of managing charging, discharging, and power consumption through the power management system. The electronic device structure shown in fig. 10 does not constitute a limitation of the electronic device, and the electronic device may include more or fewer components than those shown, or combine some components, or arrange different components, and thus, the description is not repeated here.
The embodiment of the disclosure provides an electronic device. When detecting a vulnerability, the electronic device first determines similarity between a target vulnerability and a vulnerability in a system vulnerability library; then, if the similarity between the vulnerability in the system vulnerability library and the target vulnerability meets a preset threshold, the electronic device can update the target vulnerability to the system vulnerability library; finally, the electronic device detects vulnerabilities of its system based on the updated system vulnerability library and outputs a vulnerability detection result of the system. The target vulnerability is a vulnerability in a second data source other than a first data source used by the system vulnerability library; that is, the electronic device adds to the system vulnerability library some vulnerabilities that are not yet in it, such as vulnerabilities newly released in forums and newly discovered vulnerabilities uploaded by individual users. This expands the vulnerability knowledge in the system vulnerability library, so that vulnerabilities in the system of the electronic device can be retrieved more accurately based on the updated system vulnerability library, the accuracy and precision of query results are improved, and the security risks of the system are reduced.
It is to be understood that, in the embodiment of the present disclosure, the input unit 1004 may include a GPU (Graphics Processing Unit) 1041 and a microphone 1042, and the graphics processing unit 1041 processes image data of a still picture or a video obtained by an image capturing device (such as a camera) in a video capturing mode or an image capturing mode. The display unit 1006 may include a display panel 1061, and the display panel 1061 may be configured in the form of a liquid crystal display, an organic light emitting diode, or the like. The user input unit 1007 includes a touch panel 1071 and other input devices 1072. The touch panel 1071 is also referred to as a touch screen. The touch panel 1071 may include two parts: a touch detection device and a touch controller. Other input devices 1072 may include, but are not limited to, a physical keyboard, function keys (e.g., volume control keys, switch keys, etc.), a trackball, a mouse, and a joystick, which are not described in detail herein. The memory 1009 may be used to store software programs as well as various data, including but not limited to application programs and operating systems. The processor 1010 may integrate an application processor that handles primarily operating systems, user interfaces, application programs, etc. and a modem processor that handles primarily wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 1010.
The disclosed embodiment also provides a readable storage medium, where a program or an instruction is stored, and when the program or the instruction is executed by a processor, the program or the instruction implements each process of the above vulnerability detection method embodiment, and can achieve the same technical effect, and in order to avoid repetition, the detailed description is omitted here.
The processor is the processor in the electronic device described in the above embodiment. The readable storage medium includes a computer readable storage medium, such as a computer ROM (Read-Only Memory), a RAM (Random Access Memory), a magnetic disk or an optical disk, and the like.
The embodiment of the present disclosure further provides a chip, where the chip includes a processor and a communication interface, the communication interface is coupled to the processor, and the processor is configured to run a program or an instruction to implement each process of the foregoing vulnerability detection method embodiment, and can achieve the same technical effect, and in order to avoid repetition, the details are not repeated here.
It should be understood that the chips mentioned in the embodiments of the present disclosure may also be referred to as a system-on-chip, etc.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element. Further, it is noted that the scope of the methods and apparatus in the embodiments of the present disclosure is not limited to performing functions in the order shown or discussed, but may include performing functions in a substantially simultaneous manner or in a reverse order based on the functions involved, e.g., the methods described may be performed in an order different than that described, and various steps may be added, omitted, or combined. In addition, features described with reference to certain examples may be combined in other examples.
Through the above description of the embodiments, those skilled in the art will clearly understand that the above embodiment method can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better embodiment. Based on such understanding, the technical solutions of the present disclosure may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present disclosure.
While the present disclosure has been described with reference to the embodiments illustrated in the drawings, which are intended to be illustrative rather than restrictive, it will be apparent to those of ordinary skill in the art in light of the present disclosure that many more modifications may be made without departing from the spirit and scope of the disclosure as defined in the appended claims.