CN116436689A

Movatterモバイル変換

Info

Publication number: CN116436689A
Application number: CN202310495387.1A
Authority: CN
Inventors: 伍晨旭
Original assignee: Kangjian Information Technology Shenzhen Co Ltd
Current assignee: Kangjian Information Technology Shenzhen Co Ltd
Priority date: 2023-05-04
Filing date: 2023-05-04
Publication date: 2023-07-14

Abstract

The invention discloses a vulnerability processing method, a vulnerability processing device, a storage medium and electronic equipment. The method comprises the following steps: obtaining vulnerability data from a plurality of vulnerability scanning platforms and asset inventory data from a configuration management database system; performing data association on the vulnerability data and the asset inventory data by using the IP address as a primary key to obtain vulnerability data corresponding to each asset; evaluating the vulnerability data according to a preset vulnerability rating rule to obtain a risk level corresponding to each vulnerability data; and determining a vulnerability set to be repaired according to the level of each vulnerability, and pushing the vulnerability set to be repaired to a vulnerability repair platform. The invention relates to the field of digital medical treatment, and solves the technical problem of low overall-flow closed-loop management efficiency of vulnerability management in the related technology.

Description

Vulnerability processing method and device, storage medium and electronic equipment

Technical Field

The present invention relates to the field of data processing technologies, and in particular, to a vulnerability processing method, a vulnerability processing device, a storage medium, and an electronic device.

Background

With the rapid development of the internet, network security events of network attack by utilizing computer security holes also frequently occur, attack hazard and influence range are also larger and larger, and immeasurable loss is easily caused to enterprises. Therefore, many vulnerability verification tools and products appear in the market, and vulnerability scanning can be performed on a host computer or a WEB system to find vulnerabilities so as to prevent the vulnerabilities.

However, only a simple vulnerability management page is currently available on the market, and the operations of fusion, authority management, vulnerability follow-up and the like cannot be performed with the configuration management database system ucmdb and other piping systems, so that statistics information is required from various vulnerability scanners, vulnerability information is manually repeated and synchronized with developers, the overall process closed-loop management efficiency of vulnerability management is low, and the vulnerability management requirement cannot be effectively met.

Disclosure of Invention

The embodiment of the invention provides a vulnerability processing method, a vulnerability processing device, a storage medium and electronic equipment, which at least solve the technical problem of low overall-process closed-loop management efficiency of vulnerability management in the related technology.

According to an aspect of the embodiment of the present invention, there is provided a vulnerability processing method, including: obtaining vulnerability data from a plurality of vulnerability scanning platforms and asset inventory data from a configuration management database system; performing data association on the vulnerability data and the asset inventory data by using the IP address as a primary key to obtain vulnerability data corresponding to each asset; evaluating the vulnerability data according to a preset vulnerability rating rule to obtain a risk level corresponding to each vulnerability data; and determining a vulnerability set to be repaired according to the level of each vulnerability, and pushing the vulnerability set to be repaired to a vulnerability repair platform.

According to another aspect of the embodiment of the present invention, there is also provided a data processing apparatus including: the acquisition unit is used for acquiring vulnerability data from the plurality of vulnerability scanning platforms and acquiring asset inventory data from the configuration management database system; the association unit is used for carrying out data association on the vulnerability data and the asset list data by taking the IP address as a main key to obtain vulnerability data corresponding to each asset; the evaluation unit is used for evaluating the vulnerability data according to a preset vulnerability rating rule to obtain a risk level corresponding to each vulnerability data; the first determining unit is used for determining a vulnerability set to be repaired according to the level of each vulnerability and pushing the vulnerability set to be repaired to the vulnerability repairing platform.

According to still another aspect of the embodiments of the present invention, there is also provided an electronic device including a memory, in which a computer program is stored, and a processor configured to execute the vulnerability processing method by the computer program.

According to yet another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium having a computer program stored therein, wherein the computer program is configured to perform the above-described vulnerability processing method when run.

In the embodiment of the invention, the method comprises the steps of acquiring vulnerability data from a plurality of vulnerability scanning platforms and acquiring asset inventory data from a configuration management database system; performing data association on the vulnerability data and the asset inventory data by using the IP address as a primary key to obtain vulnerability data corresponding to each asset; evaluating the vulnerability data according to a preset vulnerability rating rule to obtain a risk level corresponding to each vulnerability data; according to the method, since the vulnerability data and the asset list data are subjected to data association, so that the vulnerability data corresponding to each asset can be obtained, and then the vulnerabilities of each asset are rated and repaired without manually synchronizing the information of a plurality of vulnerability scanning platforms, the overall process closed-loop management efficiency of vulnerability management is improved, the vulnerability management requirement can be effectively met, and the technical problem that the overall process closed-loop management efficiency of vulnerability management is low in related technologies is solved.

Drawings

The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:

FIG. 1 is a schematic illustration of an application environment of an alternative vulnerability processing method according to an embodiment of the present invention;

FIG. 2 is a schematic diagram of an application environment of another alternative vulnerability processing method according to an embodiment of the present invention;

FIG. 3 is a flow diagram of an alternative vulnerability processing according to an embodiment of the present invention;

FIG. 4 is a flow chart of an alternative vulnerability processing method according to an embodiment of the present invention;

FIG. 5 is a schematic diagram of an alternative vulnerability processing device according to an embodiment of the present invention;

fig. 6 is a schematic structural diagram of an alternative electronic device according to an embodiment of the present invention.

Detailed Description

In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.

It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.

According to an aspect of the embodiment of the present invention, a vulnerability processing method is provided, optionally, as an optional implementation manner, the vulnerability processing method may be applied, but not limited to, in an application environment as shown in fig. 1. The application environment comprises the following steps: a terminal device 102, a network 104 and a server 106 which interact with a user in a man-machine manner. Human-machine interaction can be performed between theuser 108 and the terminal device 102, and a vulnerability processing application program runs in the terminal device 102. The terminal device 102 includes a man-machine interaction screen 1022, a processor 1024 and a memory 1026. The man-machine interaction screen 1022 is used for displaying vulnerability data corresponding to each asset; processor 1024 is used to obtain vulnerability data from the plurality of vulnerability scanning platforms and asset inventory data from the configuration management database system. The memory 1026 is used to store vulnerability data as described above and asset inventory data.

In addition, the server 106 includes a database 1062 and a processing engine 1064, where the database 1062 is used to store parameter information corresponding to a target page of the client. Processing engine 1064 is used to obtain vulnerability data from multiple vulnerability scanning platforms and asset inventory data from the configuration management database system; performing data association on the vulnerability data and the asset inventory data by using the IP address as a primary key to obtain vulnerability data corresponding to each asset; evaluating the vulnerability data according to a preset vulnerability rating rule to obtain a risk level corresponding to each vulnerability data; and determining a vulnerability set to be repaired according to the level of each vulnerability, and pushing the vulnerability set to be repaired to a vulnerability repair platform.

In one or more embodiments, the vulnerability processing method described above may be applied in the application environment shown in fig. 2. As shown in fig. 2, a human-machine interaction may be performed between auser 202 and a user device 204. The user device 204 includes a memory 206 and a processor 208. The user equipment 204 in this embodiment may, but is not limited to, refer to performing the operations performed by the terminal equipment 102 to obtain the vulnerability set to be repaired.

Optionally, the terminal device 102 and the user device 204 include, but are not limited to, a mobile phone, a set top box, a television, a tablet computer, a notebook computer, a PC, a vehicle electronic device, a wearable device, and the like, and the network 104 may include, but is not limited to, a wireless network or a wired network. Wherein the wireless network comprises: WIFI and other networks that enable wireless communications. The wired network may include, but is not limited to: wide area network, metropolitan area network, local area network. The server 106 may include, but is not limited to, any hardware device that may perform calculations. The server may be a single server, a server cluster composed of a plurality of servers, or a cloud server. The above is merely an example, and is not limited in any way in the present embodiment.

As an optional implementation manner, as shown in fig. 3, an embodiment of the present invention provides a vulnerability processing method, which includes the following steps:

s302, obtaining vulnerability data from a plurality of vulnerability scanning platforms and obtaining asset inventory data from a configuration management database system.

Specifically, the vulnerability scanning platform includes, but is not limited to, a host intrusion detection system HDIS, an interactive application security test IAST system, a dynamic application security test DAST system, a container intrusion detection system CIDS, and the like, and the configuration management database system includes, but is not limited to, ucmdb (asset management system), and asset inventory data includes assets such as software, hardware, cloud services, and the like. In an embodiment, the vulnerability scanning platform may be a medical platform, and the vulnerability data includes, but is not limited to, platform vulnerabilities of the medical platform, such as vulnerabilities of data rights including personal health files, prescriptions, inspection reports, etc., or database security vulnerabilities of the medical platform.

S304, performing data association on the vulnerability data and the asset inventory data by using the IP address as a primary key to obtain vulnerability data corresponding to each asset.

Specifically, the vulnerability data and the asset inventory data are subjected to data association through, for example, an IP address and a port number of software, an IP address of hardware and cloud service, and the like, so that vulnerability data corresponding to each asset are obtained.

S306, evaluating the vulnerability data according to a preset vulnerability rating rule to obtain a risk level corresponding to each vulnerability data.

Specifically, in the embodiment of the present invention, the vulnerability data may be rated according to a preset vulnerability rating rule, for example, the vulnerability data is divided into high-risk vulnerabilities, medium-risk vulnerabilities, low-risk vulnerabilities, and the like according to attribute information of each vulnerability in different dimensions.

S308, determining a vulnerability set to be repaired according to the level of each vulnerability, and pushing the vulnerability set to be repaired to a vulnerability repair platform.

Specifically, for example, a high-risk vulnerability and a medium-risk vulnerability are determined as vulnerability sets to be repaired, and the vulnerability sets to be repaired are pushed to a vulnerability repair platform, so that a manager of the vulnerability repair platform performs corresponding repair.

In one or more embodiments, the performing data association on the vulnerability data and the asset inventory data by using the IP address as a primary key to obtain vulnerability data corresponding to each asset includes:

taking the IP address of the vulnerability data as a first main key and taking the IP address of each asset in the asset list data as a second main key;

and associating the first main key with the second main key with the same value to obtain vulnerability data corresponding to each asset.

Specifically, for example, the IP address (first key) of the vulnerability a is 10.0.0.1, the IP address (first key) of the vulnerability B is 10.0.0.2, the IP address (first key) of the vulnerability C is 10.0.0.2, the IP address (second key) of the hardware D in the asset inventory data is 10.0.0.2, and the IP address (second key) of the cloud service E is 10.0.0.1, then the first key and the second key with the same value are associated, so as to obtain vulnerability data corresponding to the asset hardware D as the vulnerability B and the vulnerability C, and the vulnerability data corresponding to the cloud service E as the vulnerability B.

In one or more embodiments, before evaluating the vulnerability data according to the preset vulnerability rating rule to obtain the risk level corresponding to each vulnerability data, the method further includes:

and constructing a preset vulnerability rating rule according to at least one dimension of the attack path, the attack complexity and the authentication level of the vulnerability.

For example, the vulnerability is scored according to at least one dimension of attack path, attack complexity and authentication level of the vulnerability, and the level of the vulnerability is determined according to the score.

In some embodiments, a CVSS score may be generated from a universal vulnerability scoring system (Common Vulnerability Scoring System, CVSS) rule pair, which may also be used to prioritize security tests to ensure that known vulnerabilities are repaired or alleviated during development. CVSS may also be used to prioritize vulnerability management activities such as event response flows, defect tracking and resolution, or enforcement of mitigation controls.

In one or more embodiments, further comprising building vulnerability rating rules through a number of different dimensions: such as an Attack Vector (attach Vector), which reflects the environment in which vulnerabilities may be exploited. The further an attacker is from (e.g., remote initiates an attack with a vulnerability), the higher the base score.

Attack complexity (Attack complexity) this indicator reflects the complexity/ease of exploiting vulnerabilities. With high complexity, an attacker is required to expend a great deal of effort in preparing or executing components for vulnerability. Least complex attacks, the most basic score.

The required privileges (Privileges Required) determine the level of privileges that an attacker must possess to successfully exploit the vulnerability. There are three options None/Low/High. None refers to exploiting vulnerabilities without authentication. Without privileges, the base score is highest.

User Interaction (User Interaction): this item describes whether the vulnerability can be exploited without individual user involvement. This is common in mobile applications where users need to interact with threats (malware) to destroy their devices. As another example, similar to a phishing attack, there is no risk itself, but the attacker uses social engineering to let the victim click on the link and get under attack.

Scope (Scope): the metrics capture whether a vulnerability in a vulnerable component will affect resources in components beyond its secure scope, with the base score being lowest when no change in scope occurs.

The time index measures various aspects of the vulnerability as a known vulnerability based on the current state of the vulnerability, and thus represents a time-varying attribute of the vulnerability, such as the release of official patches. It also includes reporting a confidence indicator that measures the confidence that a vulnerability exists and the confidence that known technical details that prove that the vulnerability is authentic and available. And thus will vary with the lifecycle of the vulnerability.

Environmental indicators that allow security personnel to customize the CVSS score based on the importance of the affected IT asset to IT. The metrics provide a realistic environment of the vulnerability inside the enterprise (including asset criticality, mitigation control identification, and related asset usage affected by the vulnerability).

In one or more embodiments, the constructing the vulnerability rating rule according to at least one dimension of three dimensions of an attack path, an attack complexity and an authentication level of the vulnerability includes:

determining score values of vulnerabilities in three dimensions of attack paths, attack complexity and authentication levels according to a preset score table;

and determining the risk level of each vulnerability according to the attack path, the attack complexity and the weight value of three dimensions of the authentication level and the score value to obtain the preset vulnerability rating rule.

Specifically, for example, a score of 50 in the attack path dimension, a score of 60 in the attack complexity dimension, and a score of 80 in the authentication level dimension are determined according to a preset score table. According to the attack path weight of 0.2, the attack complexity weight of 0.5 and the authentication grade weight of 0.3, the total score of the vulnerability is 50×0.2+60×0.5+80×0.3=64, here, it is assumed that the total score is below 50 and is in low risk grade, 50-80 is in medium risk grade, and 80 is in high risk grade, so the current vulnerability belongs to medium risk grade.

In one or more embodiments, the evaluating the vulnerability data according to a preset vulnerability rating rule to obtain a risk level corresponding to each vulnerability data includes:

for each vulnerability data, acquiring a risk level corresponding to each vulnerability data according to the following operations:

and determining a first score value corresponding to the current vulnerability data in the attack path, a second score value corresponding to the attack complexity and a third score value corresponding to the authentication level according to a preset score table.

For example, a first score of 50 for the vulnerability in the attack path dimension, a second score of 60 for the attack complexity dimension, and a third score of 80 for the authentication level dimension are determined according to a preset score table.

Determining a first product of the first score value and a weight value of the attack path, a second product of the second score value and a weight value of the attack complexity, and a third product of the third score value and a weight value of the authentication level.

According to the weight 0.2 of the attack path, obtaining a first product of a current first score value and the weight value of the attack path as 10 (50 x 0.2); obtaining a second product of a second score value 60 and the weight value of the attack complexity as 30 (60 x 0.5) according to the weight value of the attack complexity of 0.5; obtaining a third product 24 (80 x 0.3) of a third score value 80 and the weight value of the authentication level according to the weight value 0.3 of the authentication level;

and comparing the sum 64 of the first product, the second product and the third product with a preset risk level table to obtain a risk level corresponding to the current vulnerability data. For example, in the preset risk level table, the score is lower than 50, 50-80 are middle risk levels, and 80 or higher are high risk levels, so that the current vulnerability can be judged to belong to the middle risk level.

In one or more embodiments, the determining the vulnerability set to be repaired according to the level of each vulnerability includes:

the risk levels of the loopholes are ranked in order from high to low;

and determining the target loopholes with the risk levels higher than the threshold risk level as a to-be-repaired loophole set according to the sorting result.

Here, for example, after the loopholes scanned by the different loophole scanning platforms are rated, the loopholes are ranked in order from high risk level to low risk level, so as to obtain three risk levels of high risk level, medium risk level and low risk level, wherein the threshold risk level is set as medium risk level, and the target loopholes with high risk level are determined as the loophole set to be repaired.

In one or more embodiments, the vulnerability processing method further includes:

determining vulnerabilities with risk levels smaller than a threshold risk level, and writing the vulnerabilities with information identification errors into a white list; and updating the state of the vulnerability corresponding to the asset inventory data according to the white list.

checking the repaired target loopholes, and judging whether the target loopholes are successfully repaired or not;

when the target vulnerability is successfully repaired, marking the mark of the target vulnerability with successful repair;

and when the target bug repair is unsuccessful, repairing the target bug again based on bug repair description.

periodically updating and displaying the state information of each vulnerability in the vulnerability set;

and sending the state information of the vulnerability set through mail.

Specifically, the state information of each vulnerability in the vulnerability set can be updated according to the set period value, for example, every hour, and the state information of the vulnerability set is sent to the corresponding vulnerability repairing personnel in time through mail.

In an application embodiment, as shown in fig. 4, the vulnerability processing method further includes:

the SOC (secure operation center platform) system obtains vulnerability and asset inventory data from each vulnerability scanning platform and ucmdb through application program interface (Application Program Interface, API) calls.

And 2, associating the vulnerability data with ucmdb data in the SOC system by using the IP as a main key.

And 3, the SOC system automatically evaluates the vulnerability scoring template according to three dimensions of attack path, attack complexity and authentication on the basis of the CVSS system, distributes the vulnerability scored to reach the preset score to corresponding asset operators or vulnerability restoration responsible persons after evaluation, and notifies the login system to process by mail.

And 4, the system establishes an exception condition processing mechanism, fills in false alarm information or white list information on the work order platform, automatically accepts the white list of the loopholes with risk level lower than threshold level acceptance or false alarm, and automatically updates the designated loophole state after approval.

And 5, enabling a developer to start a scanning task through script call at any time in the repairing process, and checking a missing scanning result according to task id call to realize real-time vulnerability verification and update the system vulnerability state.

And 6, updating the data periodically by the platform, updating the vulnerability data change to the display layer in time, and reminding every day through mails.

The embodiment of the invention also has the following beneficial technical effects:

1. avoiding the need to spend a great deal of manpower in the numerous vulnerabilities to do the carding, notification and statistics.

2. And a real-time verification interface is provided through the platform, so that the efficiency of verifying the loopholes by the developer is improved.

3. Perfect vulnerability management, opening false alarm and adding a white channel, forming perfect closed loop of vulnerability management, and being capable of considering various conditions.

It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present invention is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present invention. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present invention.

According to another aspect of the embodiment of the present invention, a data processing apparatus for implementing the vulnerability processing method is also provided. As shown in fig. 5, the apparatus includes:

an obtainingunit 502, configured to obtain vulnerability data from a plurality of vulnerability scanning platforms and obtain asset inventory data from a configuration management database system;

the associatingunit 504 is configured to perform data association on the vulnerability data and the asset inventory data by using the IP address as a primary key, so as to obtain vulnerability data corresponding to each asset;

theevaluation unit 506 is configured to evaluate the vulnerability data according to a preset vulnerability rating rule, so as to obtain a risk level corresponding to each vulnerability data;

the first determiningunit 508 is configured to determine a vulnerability set to be repaired according to the level of each vulnerability, and push the vulnerability set to be repaired to a vulnerability repair platform.

In one or more embodiments, the associatingunit 504 includes:

the first determining module is used for taking the IP address of the vulnerability data as a first main key and taking the IP address of each asset in the asset list data as a second main key;

and the association module is used for associating the first primary key with the second primary key with the same value to obtain vulnerability data corresponding to each asset.

In one or more embodiments, the vulnerability processing device further includes:

the construction unit is used for constructing a preset vulnerability rating rule according to at least one dimension of the attack path, the attack complexity and the authentication level of the vulnerability.

In one or more embodiments, the building unit includes:

the second determining module is used for determining the score values of the vulnerability in three dimensions of attack path, attack complexity and authentication level according to a preset score table;

and the third determining module is used for determining the risk level of each vulnerability according to the weight values of three dimensions of the attack path, the attack complexity and the authentication level and the score value to obtain the preset vulnerability rating rule.

In one or more embodiments, theevaluation unit 506 includes:

the fourth determining module is used for determining a first score value corresponding to the current vulnerability data in the attack path, a second score value corresponding to the attack complexity and a third score value corresponding to the authentication grade according to a preset score table;

a fifth determining module configured to determine a first product of the first score value and a weight value of the attack path, a second product of the second score value and a weight value of the attack complexity, and a third product of the third score value and a weight value of the authentication level;

and the comparison module is used for comparing the sum of the first product, the second product and the third product with a preset risk level table to obtain the risk level corresponding to the current vulnerability data.

In one or more embodiments, the first determiningunit 508 includes:

the sorting module is used for sorting according to the order of the risk levels of the loopholes from high to low;

and a sixth determining module, configured to determine, according to the ranking, a target vulnerability with a risk level higher than a threshold risk level as a vulnerability set to be repaired.

In one or more embodiments, the vulnerability processing device further comprises:

the second determining unit is used for determining that the loopholes with the risk level smaller than the threshold risk level and the loopholes with the information identification errors are written into the white list;

and the updating unit is used for updating the state of the vulnerability corresponding to the asset list data according to the white list.

the judging unit is used for verifying the target vulnerability which is repaired and judging whether the target vulnerability is successfully repaired or not;

the marking unit is used for marking the mark of successful repair of the target vulnerability when the repair of the target vulnerability is successful;

and the rehabilitating unit is used for rehabilitating the target vulnerability based on the vulnerability rehabilitation description when the target vulnerability rehabilitation is unsuccessful.

the updating display unit is used for periodically updating and displaying the state information of each vulnerability in the vulnerability set;

and the sending unit is used for sending the state information of the vulnerability set through mail.

According to still another aspect of the embodiments of the present application, there is further provided an electronic device for implementing the above vulnerability processing method, where the electronic device may be a terminal device or a server as shown in fig. 1. The present embodiment is described taking the electronic device as a server as an example. As shown in fig. 6, the electronic device comprises amemory 602 and aprocessor 604, thememory 602 having stored therein a computer program, theprocessor 604 being arranged to perform the steps of any of the method embodiments described above by means of the computer program.

Alternatively, in this embodiment, the electronic device may be located in at least one network device of a plurality of network devices of the computer network.

Alternatively, in the present embodiment, the above-described processor may be configured to execute the following steps by a computer program:

s1, obtaining vulnerability data from a plurality of vulnerability scanning platforms and obtaining asset inventory data from a configuration management database system;

s2, performing data association on the vulnerability data and the asset inventory data by taking the IP address as a primary key to obtain vulnerability data corresponding to each asset;

s3, evaluating the vulnerability data according to a preset vulnerability rating rule to obtain a risk level corresponding to each vulnerability data;

s4, determining a vulnerability set to be repaired according to the level of each vulnerability, and pushing the vulnerability set to be repaired to a vulnerability repair platform.

Alternatively, as will be appreciated by those skilled in the art, the structure shown in fig. 6 is merely illustrative, and the electronic device may be a smart phone (such as an Android mobile phone, an iOS mobile phone, etc.), a tablet computer, a palmtop computer, a mobile internet device (Mobile Internet Devices, MID), a PAD, or other terminal devices. Fig. 6 is not limited to the structure of the electronic device and the electronic apparatus described above. For example, the electronics can also include more or fewer components (e.g., network interfaces, etc.) than shown in fig. 6, or have a different configuration than shown in fig. 6.

Thememory 602 may be used to store software programs and modules, such as program instructions/modules corresponding to the vulnerability processing methods and apparatuses in the embodiments of the present application, and theprocessor 604 executes the software programs and modules stored in thememory 602 to perform various functional applications and data processing, that is, implement the vulnerability processing methods described above. Thememory 602 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples,memory 602 may further include memory located remotely fromprocessor 604, which may be connected to the terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof. Thememory 602 may be, but is not limited to, storing a risk level corresponding to each vulnerability data. As an example, as shown in fig. 6, thememory 602 may include, but is not limited to, the acquiringunit 502, the associatingunit 504, the evaluatingunit 506, and the first determiningunit 508 in the data processing apparatus. In addition, other module units in the vulnerability processing device may be included, but are not limited to, and are not described in detail in this example.

Optionally, thetransmission device 606 is used to receive or transmit data via a network. Specific examples of the network described above may include wired networks and wireless networks. In one example, thetransmission device 606 includes a network adapter (Network Interface Controller, NIC) that may be connected to other network devices and routers via a network cable to communicate with the internet or a local area network. In one example, thetransmission device 606 is a Radio Frequency (RF) module for communicating wirelessly with the internet.

In addition, the electronic device further includes: adisplay 608, configured to display a risk level corresponding to each vulnerability data; and aconnection bus 610 for connecting the respective module parts in the above-described electronic device.

In other embodiments, the terminal device or the server may be a node in a distributed system, where the distributed system may be a blockchain system, and the blockchain system may be a distributed system formed by connecting the plurality of nodes through a network communication. Among them, the nodes may form a Peer-To-Peer (P2P) network, and any type of computing device, such as a server, a terminal, etc., may become a node in the blockchain system by joining the Peer-To-Peer network.

In one or more embodiments, the present application also provides a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the vulnerability processing method. Wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.

Alternatively, in the present embodiment, the above-described computer-readable storage medium may be configured to store a computer program for executing the steps of:

Alternatively, in this embodiment, it will be understood by those skilled in the art that all or part of the steps in the methods of the above embodiments may be performed by a program for instructing a terminal device to execute the steps, where the program may be stored in a computer readable storage medium, and the storage medium may include: flash disk, read-Only Memory (ROM), random-access Memory (Random Access Memory, RAM), magnetic or optical disk, and the like.

The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.

The integrated units in the above embodiments may be stored in the above-described computer-readable storage medium if implemented in the form of software functional units and sold or used as separate products. Based on such understanding, the technical solution of the present invention may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, comprising several instructions for causing one or more computer devices (which may be personal computers, servers or network devices, etc.) to perform all or part of the steps of the method of the various embodiments of the present invention.

In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.

In several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and are merely a logical functional division, and there may be other manners of dividing the apparatus in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.

The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.

The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.

Claims

1. A vulnerability processing method, comprising:

obtaining vulnerability data from a plurality of vulnerability scanning platforms and asset inventory data from a configuration management database system;

performing data association on the vulnerability data and the asset inventory data by using the IP address as a primary key to obtain vulnerability data corresponding to each asset;

evaluating the vulnerability data according to a preset vulnerability rating rule to obtain a risk level corresponding to each vulnerability data;

and determining a vulnerability set to be repaired according to the level of each vulnerability, and pushing the vulnerability set to be repaired to a vulnerability repair platform.

2. The method of claim 1, wherein the performing data association between the vulnerability data and the asset inventory data by using the IP address as a primary key to obtain vulnerability data corresponding to each asset comprises:

3. The method of claim 1, wherein before evaluating the vulnerability data according to the preset vulnerability rating rule to obtain the risk level corresponding to each vulnerability data, further comprises:

and constructing the preset vulnerability rating rule according to at least one dimension of the attack path, the attack complexity and the authentication level of the vulnerability.

4. The method of claim 2, wherein constructing the preset vulnerability rating rule according to at least one of three dimensions of an attack path, an attack complexity and an authentication level of the vulnerability comprises:

5. The method of claim 4, wherein the evaluating the vulnerability data according to the preset vulnerability rating rule to obtain the risk level corresponding to each vulnerability data comprises:

determining a first score value corresponding to the current vulnerability data in an attack path, a second score value corresponding to the attack complexity and a third score value corresponding to the authentication level according to a preset score table;

determining a first product of the first score value and a weight value of the attack path, a second product of the second score value and a weight value of the attack complexity, and a third product of the third score value and a weight value of the authentication level;

and comparing the sum of the first product, the second product and the third product with a preset risk level table to obtain a risk level corresponding to the current vulnerability data.

6. The method of claim 1, wherein the determining the set of vulnerabilities to repair based on the level of each vulnerability comprises:

the risk levels of the loopholes are ranked in order from high to low;

7. The method according to claim 1, wherein the method further comprises:

determining vulnerabilities with risk levels smaller than a threshold risk level, and writing the vulnerabilities with information identification errors into a white list;

and updating the state of the vulnerability corresponding to the asset inventory data according to the white list.

8. The method according to claim 1, wherein the method further comprises:

when the target bug is successfully repaired, marking the target bug with a successful repair mark;

9. A vulnerability processing apparatus, comprising:

the acquisition unit is used for acquiring vulnerability data from the plurality of vulnerability scanning platforms and acquiring asset inventory data from the configuration management database system;

the association unit is used for carrying out data association on the vulnerability data and the asset list data by taking the IP address as a main key to obtain vulnerability data corresponding to each asset;

the evaluation unit is used for evaluating the vulnerability data according to a preset vulnerability rating rule to obtain a risk level corresponding to each vulnerability data;

the first determining unit is used for determining a vulnerability set to be repaired according to the level of each vulnerability and pushing the vulnerability set to be repaired to the vulnerability repairing platform.

10. A computer readable storage medium, characterized in that the computer readable storage medium comprises a stored program, wherein the program when run performs the method of any one of claims 1 to 8.

11. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method according to any of the claims 1 to 8 by means of the computer program.