Embodiments of the present disclosure relate to the field of network security and, particularly, to a method and a device for vulnerability scanning.
With the development of computer network technology, the network security technology also continuously evolves. If there are major vulnerabilities in the server, hackers can steal important information from the server or client via those vulnerabilities, resulting in serious consequences. Thus, the significance of network security has become increasingly prominent.
The prior art mainly protects network security by remotely detecting vulnerabilities on a server using a vulnerability scanner. Specifically, the vulnerability scanner acts as a client and sends a connection request message to the server. The server replies to the connection request message by sending a reply message back to the vulnerability scanner. The vulnerability scanner then analyzes the reply message and determines whether the server has any vulnerability.
Since a complete network environment includes not only the server but also the clients connected to the server, the security of the entire network environment cannot be verified by the prior art, which performs a remote security check for the server only.
Embodiments of the present disclosure provide a method and a device for vulnerability scanning, so as to detect the security of an entire network environment.
An aspect of the embodiments of the present disclosure provides a vulnerability scanning method, including:
acquiring, by a reverse scanning agent module, a client message;
transmitting, by the reverse scanning agent module, the client message to a vulnerability scanner, so that the vulnerability scanner identifies a vulnerability of the client according to the client message, or the reverse scanning agent module identifies the vulnerability of the client according to the client message and transmits the vulnerability of the client to the vulnerability scanner; and
receiving, by the reverse scanning agent module, a control instruction from the vulnerability scanner; changing, by the reverse scanning agent module, a manner and/or a mode of operation according to the control instruction; and updating, by the reverse scanning agent module, a vulnerability rule.
Another aspect of the embodiments of the present disclosure provides a reverse scanning agent module, including:
a message acquiring module, configured to acquire a client message;
a transmitting module, configured to transmit the client message to a vulnerability scanner, so that the vulnerability scanner identifies a vulnerability of the client according to the client message, or to a message identifying and transmitting module which is configured to identify a vulnerability of the client according to the client message, and transmit the vulnerability of the client to the vulnerability scanner; and
a receiving and controlling module, configured to receive a control instruction from the vulnerability scanner, and change a manner and/or a mode of operation according to the control instruction, so as to update a vulnerability rule.
Yet another aspect of the embodiments of the present disclosure provides a vulnerability scanner, including:
a receiving module, configured to receive a client message transmitted from a reverse scanning agent module; or receive a vulnerability of the client transmitted from the reverse scanning agent module;
a message identifying module, configured to identify a vulnerability of the client according to the client message;
an instruction transmitting module, configured to transmit a control instruction to the reverse scanning agent module, so that the reverse scanning agent module changes the manner and/or mode of operation according to the control instruction, and updates a vulnerability rule.
Yet another aspect of the embodiments of the present disclosure provides a vulnerability scanning system, including the above described reverse scanning agent module and vulnerability scanner.
The method and device for vulnerability scanning provided in the embodiments of the present disclosure acquire the client message through the reverse scanning agent module and then analyze the client message to identify vulnerabilities in the client. This supplements the remote detection of server security issues with an analysis of client security issues, thereby realizing security detection for the entire network environment.
Step S101: a reverse scanning agent module acquires a client message.
The reverse scanning agent module is installed on a server and acquires a client message in one of two manners: it acquires a service request message and a reply message transmitted from the client during an interaction between the client and the server; or it transmits a constructed test message to the client and acquires a respond message from the client in response to the constructed test message.
As shown in
Step S102: the reverse scanning agent module transmits the client message to the vulnerability scanner, so that the vulnerability scanner identifies a vulnerability of the client according to the client message; or the reverse scanning agent module identifies a vulnerability of the client according to the client message, and transmits the vulnerability of the client to the vulnerability scanner.
The reverse scanning agent module 23 on the server 22 further has two operating modes: an agent mode and a resident mode. In the agent mode, the reverse scanning agent module 23 directly transmits the messages acquired from the client 24 to the vulnerability scanner 21 for analysis. In the resident mode, the reverse scanning agent module 23 itself analyzes the acquired message transmitted from the client 24 to obtain an intermediate processing result, and then transmits the intermediate processing result to the vulnerability scanner 21.
Step S103: the reverse scanning agent module receives a control instruction from the vulnerability scanner, changes its operating manner and/or mode according to the control instruction, and updates a vulnerability rule.
The vulnerability scanner 21 realizes control over the reverse scanning agent module 23 by transmitting the control instruction thereto. In particular, the reverse scanning agent module 23 changes its operating manner and/or mode according to the control instruction and updates the vulnerability rule.
The embodiment of the disclosure acquires the client message via the reverse scanning agent module and analyzes the client message to identify the vulnerability of the client. This supplements the remote detection of server security issues with an analysis of client security issues, thereby realizing security detection for the entire network environment.
On the basis of the above described embodiment, the vulnerability scanner identifies the vulnerability of the client according to the client message in one of two ways: by identifying the vulnerability of the client according to a characteristic field of the service request message, the reply message and/or the respond message; or by identifying the vulnerability of the client by matching the service request message, the reply message and/or the respond message against a preset interaction message, a preset message sequence or a vulnerability characteristics rule.
The embodiment of the present disclosure can, through the cooperation of any operating manner with any operating mode of the reverse scanning agent module 23, acquire the message transmitted from the client 24, and analyze and process the message. The execution subject, which identifies the vulnerability of the client according to the message transmitted from the client, may be the server 22 or the vulnerability scanner 21. The particular identification method includes: 1) identifying the vulnerability of the client according to the characteristic field of the service request message, the reply message and/or the respond message; or 2) identifying the vulnerability of the client by matching the service request message, the reply message and/or the respond message against a preset interaction message, a preset message sequence or a vulnerability characteristics rule.
Method 1): Suppose the User-Agent field of the service request message transmitted from the client 24 is one of:
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0; or
Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0; or
Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00;
By analyzing the User-Agent field, information such as the version and model of the browser and the type of operating system used on the client 24 can be obtained. By matching the information obtained from the User-Agent field against a vulnerability database commonly known in the art, it can be determined whether the client 24 has any vulnerability.
In an existing vulnerability database, data retrieval is performed with a priority based on the level of association between the vulnerability and the different pieces of information, as well as on the number of vulnerabilities. For example, starting from the browser version, it can be determined that the following vulnerabilities might be present in the client:
Mozilla Firefox/Thunderbird/SeaMonkey Browser Engine Memory Security Vulnerabilities (CVE-2013-5609);
Mozilla Firefox/Thunderbird/SeaMonkey Browser Engine Memory Security Vulnerabilities (CVE-2013-5610);
Then, proceeding to the OS version, the following vulnerabilities might be present in the client:
Windows kernel information leakage vulnerabilities (MS13-048), Microsoft Windows LPC and LPC port denial of service vulnerabilities.
In addition, the embodiment of the disclosure is not limited to detection based on the User-Agent field and may examine other fields of the message transmitted from the client 24.
Method 2): For a known vulnerability type, a typical message format and interaction sequence for the vulnerability's particular request can be pre-stored. For example, for a multiple malformed HTML parsing denial of service vulnerability in the Opera web browser, a typical message or sequence of the vulnerability, in particular a malformed request message, can be pre-stored by the reverse scanning agent module, so that the acquired client message can be matched against the malformed request message. Alternatively, the reverse scanning agent module can, operating in the reverse scanning mode, transmit a constructed test message to the client and check whether any malformed request message is returned from the client. To ensure accuracy, the existence of such a vulnerability in the client browser can be determined only after several matching hits. The typical message or sequence characteristics can be defined specifically for different vulnerabilities.
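As an added illustration (not code from the patent), the following Python sketch models the two operating modes of step S102 together with the User-Agent matching of Method 1: a reverse scanning agent either forwards the acquired request headers to the scanner (agent mode) or identifies the client's browser, version and OS itself and forwards only the result (resident mode), and a control instruction from the scanner switches the mode or replaces the rule set. The rule table is constructed from the identifiers quoted on the page; the version and OS keys they are attached to, and the parsing patterns, are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Sample User-Agent values quoted in Method 1 of the description.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00",
]

# Constructed rule set standing in for the vulnerability database: (browser, version)
# and OS keys mapped to the identifiers quoted in the description. Which key each
# identifier is attached to is an assumption made for this example.
DEFAULT_RULES = {
    "browser": {
        ("Firefox", "24.0"): ["CVE-2013-5609", "CVE-2013-5610"],
        ("Opera", "12.00"): ["Opera malformed HTML parsing DoS"],
    },
    "os": {"Windows NT 6.0": ["MS13-048"], "Windows NT 6.1": ["MS13-048"]},
}

# Browser patterns are tried in order (assumed); the version comes from the
# browser-specific token, not from the Mozilla/5.0 prefix.
_BROWSER_PATTERNS = [
    ("Opera", re.compile(r"^Opera/.*\bVersion/(\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"\bFirefox/(\d+(?:\.\d+)*)")),
]
_OS_PATTERN = re.compile(r"Windows NT \d+\.\d+|Linux \w+|Mac OS X [\d_.]+")


def parse_user_agent(ua):
    """Extract (browser, version, os) from a User-Agent header value."""
    browser, version = "unknown", "unknown"
    for name, pattern in _BROWSER_PATTERNS:
        match = pattern.search(ua)
        if match:
            browser, version = name, match.group(1)
            break
    os_match = _OS_PATTERN.search(ua)
    return browser, version, (os_match.group(0) if os_match else "unknown")


def identify_client_vulnerabilities(ua, rules=DEFAULT_RULES):
    """Method 1: look up the parsed browser/version first, then the OS."""
    browser, version, os_name = parse_user_agent(ua)
    found = list(rules["browser"].get((browser, version), []))
    found += rules["os"].get(os_name, [])
    return {"browser": browser, "version": version, "os": os_name,
            "vulnerabilities": found}


@dataclass
class VulnerabilityScanner:
    """Receives raw client messages (agent mode) or finished findings (resident mode)."""
    findings: list = field(default_factory=list)

    def receive_message(self, headers):
        self.findings.append(identify_client_vulnerabilities(headers.get("User-Agent", "")))

    def receive_finding(self, finding):
        self.findings.append(finding)


@dataclass
class ReverseScanningAgent:
    """Server-side agent with the agent/resident operating modes of step S102."""
    scanner: VulnerabilityScanner
    mode: str = "agent"
    rules: dict = field(default_factory=lambda: DEFAULT_RULES)

    def acquire_client_message(self, headers):
        if self.mode == "agent":          # forward the raw message; the scanner analyzes it
            self.scanner.receive_message(headers)
        elif self.mode == "resident":     # analyze locally; forward only the result
            ua = headers.get("User-Agent", "")
            self.scanner.receive_finding(identify_client_vulnerabilities(ua, self.rules))
        else:
            raise ValueError(f"unknown mode {self.mode!r}")

    def apply_control_instruction(self, instruction):
        """Step S103: a control instruction switches the mode and/or replaces the rules."""
        mode = instruction.get("mode")
        if mode is not None:
            if mode not in ("agent", "resident"):
                raise ValueError(f"unknown mode {mode!r}")
            self.mode = mode
        if "rules" in instruction:
            self.rules = instruction["rules"]


def scan_samples(mode, rules=None):
    """Run the three sample requests through an agent operating in the given mode."""
    scanner = VulnerabilityScanner()
    agent = ReverseScanningAgent(scanner)
    instruction = {"mode": mode}
    if rules is not None:
        instruction["rules"] = rules
    agent.apply_control_instruction(instruction)
    for ua in SAMPLE_USER_AGENTS:
        agent.acquire_client_message({"User-Agent": ua})
    return scanner.findings
```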
Embodiments of the disclosure provide two approaches to identify vulnerabilities in a client.
The network defect information includes a network defect density and a network security level. Obtaining the network defect information according to the vulnerability of the server and the vulnerability of the client includes the following steps:
Step S301: classifying the vulnerability of the server and the vulnerability of the client according to at least one first classification rule in order to obtain a network defect type set which includes at least one kind of network defect. The first classification rule may indicate a classification based on an attribute inherent to the vulnerability. As an example only, the first classification rule may be WASC 2.0, whereby the vulnerabilities may be classified into network defects such as SQL injection, denial of service (DoS), cross-site scripting (XSS), etc. As another example, the first classification rule may be OWASP-2013.
The classifying the vulnerability of the server and the vulnerability of the client according to at least one first classification rule in order to obtain a network defect type set includes: classifying, according to an $m$-th first classification rule in the at least one first classification rule, the vulnerability of the server and the vulnerability of the client into a first set $p_n^m = \{\delta_0^m, \delta_1^m, \delta_2^m, \ldots, \delta_i^m, \ldots, \delta_{n-1}^m\}$, where $m \ge 1$, $n \ge 1$, the first set includes $n$ types of network defects, $\delta_i^m$ represents the $(i+1)$-th type of network defect obtained by classifying the vulnerabilities according to the $m$-th first classification rule, and for $i, j \in [0, n-1]$ and $i \ne j$, $\delta_i^m, \delta_j^m \ne \emptyset$, $\delta_i^m \cap \delta_j^m = \emptyset$ and $\delta_0^m \cup \delta_1^m \cup \delta_2^m \cup \ldots \cup \delta_{n-1}^m = p_n^m$ are satisfied; and determining, in the first classification rule, a first target classification rule which classifies the vulnerabilities into $N$ or fewer types of network defects, and classifying the vulnerabilities according to the first target classification rule in order to obtain a first set which constitutes the network defect type set $\delta_p = \bigcup_{n=1}^{N} \bigcup_{r=F(n)} \bigcup_{i=0}^{n-1} \delta_i^r$, where $F(n)$ is a mapping function of $n$ and represents the first target classification rule for classifying the vulnerabilities into $n \le N$ types of network defects, and $\bigcup_{r=F(n)} \bigcup_{i=0}^{n-1} \delta_i^r$ represents the set of $n \le N$ types of network defects obtained by classifying the vulnerabilities.
The vulnerabilities mentioned in this step refer to the collection of vulnerabilities in both the server 22 and the client 24. The vulnerabilities are classified according to a plurality of first classification rules. Assume that the vulnerabilities are classified into a first set $p_n^m = \{\delta_0^m, \delta_1^m, \delta_2^m, \ldots, \delta_i^m, \ldots, \delta_{n-1}^m\}$, where $m \ge 1$, $n \ge 1$, the first set includes $n$ types of network defects, $\delta_i^m$ represents the $(i+1)$-th type of network defect obtained by classifying the vulnerabilities according to the $m$-th first classification rule, and for $i, j \in [0, n-1]$ and $i \ne j$, $\delta_i^m, \delta_j^m \ne \emptyset$, $\delta_i^m \cap \delta_j^m = \emptyset$ and $\delta_0^m \cup \delta_1^m \cup \delta_2^m \cup \ldots \cup \delta_{n-1}^m = p_n^m$ are satisfied. However, $n$ types of network defects are not always obtained each time a first classification rule is applied to classify the vulnerabilities. That is, the number $n$ is variable, in that the number of network defect types obtained by classifying the vulnerabilities according to first classification rules other than the $m$-th first classification rule may be larger than, less than, or equal to $n$. Using $N$ as a threshold for the number of network defect types, a first target classification rule, which classifies the vulnerabilities into at most $N$ types of network defects, is selected from the first classification rules and is used to classify the vulnerabilities to obtain a first set that constitutes the network defect type set $\delta_p = \bigcup_{n=1}^{N} \bigcup_{r=F(n)} \bigcup_{i=0}^{n-1} \delta_i^r$, where $F(n)$ is a mapping function of $n$ and represents the first target classification rule for classifying the vulnerabilities into $n \le N$ types of network defects, and $\bigcup_{r=F(n)} \bigcup_{i=0}^{n-1} \delta_i^r$ represents the set of $n \le N$ types of network defects obtained by classifying the vulnerabilities.
Step S302: classifying a network region, which includes the server and the client, according to at least one second classification rule, in order to obtain a network sub-region set which includes at least one network sub-region. The second classification rule may indicate a classification based on an attribute associated with the vulnerability distribution, such as, by way of example only, browser type, location, etc.
The classifying a network region, which includes the server and the client, according to at least one second classification rule in order to obtain a network sub-region set includes: classifying, according to a $t$-th second classification rule in the at least one second classification rule, the network region into a second set $\rho^t = \{\rho_0^t, \rho_1^t, \rho_2^t, \ldots, \rho_s^t, \ldots, \rho_{S-1}^t\}$, where $t \ge 1$, $S \ge 1$, $\rho_s^t$ represents the $(s+1)$-th network sub-region obtained by classifying the network region according to the $t$-th second classification rule, and for $i, j \in [0, S-1]$ and $i \ne j$, $\rho_i^t, \rho_j^t \ne \emptyset$, $\rho_i^t \cap \rho_j^t = \emptyset$ and $\rho_0^t \cup \rho_1^t \cup \rho_2^t \cup \ldots \cup \rho_{S-1}^t = \rho^t$ are satisfied; and
classifying the network region according to $T$ of the second classification rules separately, in order to obtain a second set which constitutes a network sub-region set $\rho = \bigcup_{t=1}^{T} \bigcup_{s=0}^{G(t)} \rho_s^t$, where $G(t)$ represents the number of network sub-regions obtained by classifying the network region according to the $t$-th second classification rule.
The network region in this step refers to a network region including the server and the client. The network region is classified into a second set $\rho^t = \{\rho_0^t, \rho_1^t, \rho_2^t, \ldots, \rho_s^t, \ldots, \rho_{S-1}^t\}$, where $t \ge 1$ and $S \ge 1$, according to the $t$-th second classification rule. $\rho_s^t$ represents the $(s+1)$-th network sub-region obtained by classifying the network region according to the $t$-th second classification rule, and for $i, j \in [0, S-1]$ and $i \ne j$, $\rho_i^t, \rho_j^t \ne \emptyset$, $\rho_i^t \cap \rho_j^t = \emptyset$ and $\rho_0^t \cup \rho_1^t \cup \rho_2^t \cup \ldots \cup \rho_{S-1}^t = \rho^t$ are satisfied. Assuming that the $t$-th second classification rule refers to the browser type of the client, then $\rho_0^t$ represents the network sub-region in which the client browser is IE, $\rho_1^t$ represents the network sub-region in which the client browser is Firefox, $\rho_2^t$ represents the network sub-region in which the client browser is Opera, and so on, and $\rho_{S-1}^t$ represents the network sub-region in which the client browser is Sogou. Different second sets are obtained by classifying the network region according to different second classification rules. The network sub-region set $\rho = \bigcup_{t=1}^{T} \bigcup_{s=0}^{G(t)} \rho_s^t$ includes the second sets obtained by classifying the network region according to each of the second classification rules in the embodiment of the disclosure, where $G(t)$ represents the number of network sub-regions obtained after classifying the network region according to the $t$-th second classification rule.
Step S303: obtaining the network defect density according to the network defect type set and the network sub-region set.
The network defect density includes a network defect density in the network sub-region and a device defect density in the network sub-region.
The network defect density in the network sub-region represents the density of a certain type of network defect in a particular network sub-region, and the device defect density in the network sub-region represents the number of clients having a certain network defect in a particular network sub-region. That is, the network defect density in the network sub-region and the device defect density in the network sub-region are two aspects for assessing the network defect density.
The obtaining the network defect density according to the network defect type set and the network sub-region set includes: obtaining the network defect density $\tau_{t,s}^{m,i} = C(Q_{\rho}$
obtaining the device defect density $\varphi^{m,i}_{t,s} = C(Q_{\sigma}$
Step S304: obtaining the network security level according to the network defect density.
The network security level includes a first network security level and a second network security level.
A network sub-region with higher network defect density has lower network security level, and a network sub-region with lower network defect density has higher network security level. Since two approaches are included in the step S303 for assessing the network defect density, there are, accordingly, two corresponding network security levels: a first network security level and a second network security level. In particular, the first network security level corresponds to the network defect density in the network sub-region, and the second network security level corresponds to the device defect density in the network sub-region, where the first and second network security levels are also quantities for assessing, from two aspects, the network security level.
The obtaining the network security level according to the network defect density includes:
obtaining the first network security level $\gamma_{t,s} = \bigcup_{n=1}^{N} \bigcup_{m=F(n)} \bigcup_{i=0}^{n-1} \gamma_{t,s}^{m,i}$ according to the network defect density $\tau_{t,s}^{m,i} = C(Q_{\rho}$
obtaining the second network security level $\gamma_{t,s} = \bigcup_{n=1}^{N} \bigcup_{m=F(n)} \bigcup_{i=0}^{n-1} \gamma^{m,i}_{t,s}$ according to the device defect density $\varphi^{m,i}_{t,s} = C(Q_{\sigma}$
The embodiment of the disclosure classifies the vulnerabilities in the server and the client according to different first classification rules in order to obtain the network defect type set; classifies the network region, which includes the server and the client, according to different second classification rules in order to obtain the network sub-region set; obtains the network defect density according to the network defect type set and the network sub-region set; and obtains network security levels according to the network defect density, thereby realizing a quantitative description of the network security level.
On the basis of the above described embodiments, $\gamma_{t,s}^{m,i} = Y_1(\tau_{t,s}^{m,i})$ is $\gamma_{t,s}^{m,i} = \alpha_1 + \beta_1 / \tau_{t,s}^{m,i}$, and $\gamma^{m,i}_{t,s} = Y_2(\varphi^{m,i}_{t,s})$ is $\gamma^{m,i}_{t,s} = \alpha_2 + \beta_2 / \varphi^{m,i}_{t,s}$, where $\alpha_1, \beta_1, \alpha_2, \beta_2$ are constants.
The higher the network defect density, the lower the network security level of the network sub-region; and the lower the network defect density, the higher the network security level of the network sub-region. That is, the network security level is inversely proportional to the network defect density. In the above described embodiments, the association between the network security level and the network defect density is expressed by the monotonically decreasing functions $Y_1$ and $Y_2$. The embodiment of the present disclosure preferably uses $\gamma_{t,s}^{m,i} = \alpha_1 + \beta_1 / \tau_{t,s}^{m,i}$ and $\gamma^{m,i}_{t,s} = \alpha_2 + \beta_2 / \varphi^{m,i}_{t,s}$ to express the monotonically decreasing functions $Y_1$ and $Y_2$, where $\alpha_1, \beta_1, \alpha_2, \beta_2$ are constants.
The network defect information further includes a network defect density distribution and a network security level distribution. The network defect density distribution includes a distribution function of the network defect density in the network sub-region and a distribution function of the device defect density in the network sub-region. The network security level distribution includes a distribution of the first network security level and a distribution of the second network security level, where the distribution function of the network defect density in the network sub-region is $\tau_t^{m,i} = \bigcup_{s=0}^{G(t)} \tau_{t,s}^{m,i}$, the distribution function of the device defect density in the network sub-region is $\varphi^{m,i}_t = \bigcup_{s=0}^{G(t)} \varphi^{m,i}_{t,s}$, the distribution of the first network security level is $\gamma_t = \bigcup_{s=0}^{G(t)} \bigcup_{n=1}^{N} \bigcup_{m=F(n)} \bigcup_{i=0}^{n-1} \gamma_{t,s}^{m,i}$, and the distribution of the second network security level is $\gamma_t = \bigcup_{s=0}^{G(t)} \bigcup_{n=1}^{N} \bigcup_{m=F(n)} \bigcup_{i=0}^{n-1} \gamma^{m,i}_{t,s}$.
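As an added worked example (not part of the patent), the following Python code carries steps S301 to S304 through on constructed sample data: two candidate first classification rules are filtered by the threshold $N$, browser type serves as the second classification rule, and the security levels $\gamma = \alpha + \beta/\tau$ and their distribution over the sub-regions are computed. Because the $C(Q_\rho \ldots)$ expressions are truncated on the page, the device defect density follows the prose definition (number of devices in a sub-region having a given defect) while the network defect density is assumed to be defects of that type per device in the sub-region; treating a zero density as an infinite security level is likewise an assumption.

```python
import math
from collections import defaultdict

# Constructed sample data. Devices keyed by id with the attribute the second
# classification rule uses (browser type); c7 has no finding at all.
DEVICES = {"c1": "Firefox", "c2": "Firefox", "c3": "Opera", "c4": "Opera",
           "c5": "IE", "c6": "IE", "c7": "IE"}
# (device id, vulnerability id); OPERA-HTML-DOS and XSS-1 are placeholder ids.
FINDINGS = [("c1", "CVE-2013-5609"), ("c1", "MS13-048"), ("c2", "CVE-2013-5610"),
            ("c3", "OPERA-HTML-DOS"), ("c4", "MS13-048"), ("c5", "MS13-048"),
            ("c6", "XSS-1")]

# Two first classification rules (assumed category assignments), each mapping a
# vulnerability to one network defect type delta_i: a WASC-style rule with four
# types and a coarser rule with two types.
FIRST_RULES = {
    "wasc": {"CVE-2013-5609": "memory safety", "CVE-2013-5610": "memory safety",
             "MS13-048": "information leakage", "OPERA-HTML-DOS": "DoS",
             "XSS-1": "XSS"},
    "coarse": {"CVE-2013-5609": "client software", "CVE-2013-5610": "client software",
               "MS13-048": "operating system", "OPERA-HTML-DOS": "client software",
               "XSS-1": "client software"},
}


def select_target_rules(first_rules, n_max):
    """F(n): keep the first classification rules that yield at most n_max defect types."""
    return sorted(name for name, rule in first_rules.items()
                  if len(set(rule.values())) <= n_max)


def defect_densities(devices, findings, first_rule, sub_region_of):
    """Return (tau, phi), both indexed [sub-region][defect type].

    phi: number of devices in the sub-region having the defect type (as described).
    tau: defects of that type per device in the sub-region (assumed normalisation,
    since the page's C(Q_rho ...) expression is truncated).
    """
    members = defaultdict(set)
    for dev, attr in devices.items():
        members[sub_region_of(attr)].add(dev)
    hits = defaultdict(lambda: defaultdict(int))
    hit_devices = defaultdict(lambda: defaultdict(set))
    for dev, vuln in findings:
        s, i = sub_region_of(devices[dev]), first_rule[vuln]
        hits[s][i] += 1
        hit_devices[s][i].add(dev)
    types = sorted(set(first_rule.values()))
    tau = {s: {i: hits[s][i] / len(members[s]) for i in types} for s in members}
    phi = {s: {i: len(hit_devices[s][i]) for i in types} for s in members}
    return tau, phi


def security_level(density, alpha, beta):
    """gamma = alpha + beta / density, monotonically decreasing in the density.
    A zero density means no defect of that type; its level is taken as +inf (assumed)."""
    return math.inf if density == 0 else alpha + beta / density


def security_level_distribution(densities, alpha, beta):
    """Distribution over sub-regions s of gamma for every defect type."""
    return {s: {i: security_level(d, alpha, beta) for i, d in row.items()}
            for s, row in densities.items()}


def assess(n_max=4, alpha=1.0, beta=1.0):
    """Run S301-S304 on the sample data with browser type as the second rule."""
    by_browser = lambda attr: attr                      # second classification rule
    result = {}
    for name in select_target_rules(FIRST_RULES, n_max):
        tau, phi = defect_densities(DEVICES, FINDINGS, FIRST_RULES[name], by_browser)
        result[name] = {"tau": tau, "phi": phi,
                        "gamma1": security_level_distribution(tau, alpha, beta),
                        "gamma2": security_level_distribution(phi, alpha, beta)}
    return result
```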
The aforementioned embodiments demonstrate the security of the network by using the first network security level and the second network security level, and the embodiment of the present disclosure demonstrates the security of the network by using the distribution of the first network security level and the distribution of the second network security level.
The embodiment of the disclosure specifically defines the association between the network security level and the network defect density, while additionally including the network security level distribution as a means to determine the security of the network.
The reverse scanning agent module 23 is installed on a server. The message acquiring module 231 is configured to acquire a service request message and a reply message transmitted from the client during an interaction between the client and the server; or the transmitting module 232 is further configured to transmit a constructed test message to the client, and the message acquiring module 231 is configured to acquire a respond message from the client in response to the constructed test message.
The message identifying and transmitting module 233 is configured to identify the vulnerability of the client according to the characteristic field of the service request message, the reply message and/or the respond message; or identify the vulnerability of the client by matching the service request message, the reply message and/or the respond message with a preset interaction message, a preset message sequence or a vulnerability characteristics rule.
The message acquiring module 231 is further configured to acquire the vulnerability of the server. As shown in
The embodiment of the disclosure acquires the client message via the reverse scanning agent module and analyzes the client message to identify the vulnerability of the client. This supplements the remote detection of server security issues with an analysis of client security issues, thereby realizing security detection for the entire network environment.
The message identifying module 212 is configured to identify the vulnerability of the client according to the characteristic field of the service request message, the reply message and/or the respond message; or to identify the vulnerability of the client by matching the service request message, the reply message and/or the respond message against a preset interaction message, a preset message sequence or a vulnerability characteristics rule.
The receiving module 211 is further configured to acquire a vulnerability of the server. As shown in
The embodiment of the disclosure acquires the client message via the reverse scanning agent module and then analyzes the client message to identify the vulnerability of the client. This supplements the remote detection of server security issues with an analysis of client security issues, thereby realizing security detection for the entire network environment.
The vulnerability scanning system provided in the embodiment of the disclosure can perform the processing flow provided in the vulnerability scanning method embodiment.
In summary, the embodiment of the disclosure acquires the client message through the reverse scanning agent module and analyzes the client message to identify the vulnerability of the client, which supplements the remote detection of server security issues with an analysis of client security issues, thereby realizing security detection for the entire network environment. In addition, the embodiment of the disclosure classifies the vulnerabilities in both the server and the client according to different first classification rules in order to obtain the network defect type set; classifies the network region, which includes the server and the client, according to different second classification rules in order to obtain the network sub-region set; obtains the network defect density according to the network defect type set and the network sub-region set; and obtains the network security level according to the network defect density, thereby realizing a quantitative description of the network security level. The embodiment of the disclosure specifically defines the association between the network security level and the network defect density, and additionally contributes a new way, via the network security level distribution, to determine the security of the network.
In the several embodiments provided in the present disclosure, it should be understood that the disclosed device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative, e.g. the units are categorized according to logical functions only, and other categorizations can be used in actual implementations. For instance, multiple units or components may be combined or integrated into another system, or some features can be omitted or skipped. Moreover, an illustrated or discussed coupling, direct coupling or communication connection may be an indirect coupling or communication connection through an interface, device or unit, and may be in electrical, mechanical or other forms.
The units described as separate components may or may not be physically separated, and components shown in a single unit may or may not be in a physical unit, i.e., the components may be located in one place or may be distributed in a plurality of networked units. Some or all of the units may be selected according to the actual needs in realizing the objectives of the solutions of the embodiments.
In addition, various functional units in various embodiments of the present disclosure may be integrated into a single processing unit, or each unit may be present in physically separated form, or two or more units may be integrated into a single unit. The above-mentioned integrated unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
The above described integrated unit, which is implemented in the form of software functional units, may be stored in a computer-readable storage medium. The software functional unit described above is stored in a storage medium, and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor to execute some steps of the methods described in various embodiments of the present disclosure. The storage medium described above includes a USB disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like, each of which can store program code.
It will be apparent to those of ordinary skill in the art that, for the convenience and conciseness of the descriptions, various functional modules described above are divided by way of example only. In practical applications, various functions described above may be assigned to different functional modules. That is, the device may be internally structured into divisions of different functional modules in order to accomplish all or some of the functions described above. The particular operational process of the aforementioned device can be understood by referring to corresponding processes in the foregoing method embodiments, which will not be repeated herein.
Finally, it should be noted that the foregoing embodiments are merely intended for describing, rather than limiting, the technical solutions of the present disclosure. Although the present disclosure is described in detail with reference to the foregoing embodiments, persons of ordinary skill in the art should understand that it remains possible to make modifications to the technical solutions described in the foregoing embodiments, or make equivalent replacements to some or all technical features therein. However, these modifications or replacements do not make the essence of corresponding technical solutions depart from the scope of the technical solutions in the embodiments of the present disclosure.
Number | Date | Country | Kind |
---|---|---|---|
2014 1 0802136 | Dec 2014 | CN | national |
This application is a continuation of International Application No. PCT/CN2015/091030, filed on Sep. 29, 2015, which claims priority to Chinese Patent Application No. 201410802136.4, filed on Dec. 19, 2014. The disclosures of the aforementioned applications are hereby incorporated by reference in their entireties.
Number | Date | Country |
---|---|---|
20170270304 A1 | Sep 2017 | US |
Relation | Number | Date | Country |
---|---|---|---|
Parent | PCT/CN2015/091030 | Sep 2015 | US |
Child | 15614568 | | US |