Linkage scanning method for vulnerabilities

Document No.: 687799  Publication date: 2021-04-30

Reading note: this technology, "Linkage scanning method for vulnerabilities" (漏洞的联动扫描方法), was designed by 刘亚轩, 何建锋 and 陈宏伟 on 2020-12-03. Summary: the invention discloses a linkage (linked) scanning method for vulnerabilities and provides an information-sharing mechanism. Preset, reliable authentication measures guarantee that the linked devices can be trusted; when a device that is not a vulnerability scanner discovers a security event that calls for further vulnerability scanning to uncover potential threats, it can send a request to the vulnerability scanner, and the scanner returns the corresponding scan result to the requesting device so that appropriate action can be taken. The scan result is also reported to in-line devices such as firewalls, which carry out the corresponding blocking or dropping measures; this supports deeper and broader protection of the network.

1. A linkage scanning method for vulnerabilities, characterized by comprising the following steps:

listening for a scanning request from a non-scanner device (a device that is not a vulnerability scanner); if the device passes authentication, receiving the linkage message carried in the scanning request, creating and starting a corresponding scanning task according to the message content, and performing vulnerability scanning on the target specified by the scanning request;

and returning the scan result of the scanning task to the requesting device, and performing a corresponding handling action according to the scan result.

2. The linkage scanning method according to claim 1, wherein the authentication process for the non-scanner device comprises:

after a device has joined the network and its configuration is complete, reporting the device's IP and a first string to a trust list, and storing the first string locally on the device;

the non-scanner device sends its own IP to the vulnerability scanner when it initiates a scanning request, and the scanner, having received the non-scanner device's IP, returns a second string to it;

the non-scanner device encrypts the first string together with the second string to generate a first key and sends the first key to the scanner;

the scanner queries the trust list by the non-scanner device's IP to obtain the corresponding first string, and encrypts that first string together with the second string to generate a second key; the first key is compared with the second key, and if they match, authentication passes, otherwise authentication fails.

3. The linkage scanning method according to claim 2, wherein the first string is the timestamp at which the device reported its IP, and the second string is the timestamp at which the scanner received the non-scanner device's IP; the encryption mode applied to the strings is MD5 (that is, the strings are hashed with MD5).

4. The linkage scanning method according to claim 2, wherein after the device is reconfigured, the device IP is updated again and the corresponding first string is regenerated.

5. The linkage scanning method according to claim 2, wherein a non-scanner device that has passed authentication is not authenticated again for the scanning requests it initiates within a preset time period.

6. The linkage scanning method according to claim 1, further comprising reporting the scan result of the scanning task to a firewall or gateway device, and deciding according to the scan result whether to perform data blocking or subnet isolation on the scan target.

7. The linkage scanning method according to claim 1, wherein the scanning task is dispatched to the scanning engine with the most available resources, and if at least two scanning engines tie for the most available resources, one of them is selected at random.

8. The linkage scanning method according to claim 1, wherein, before the scanning task is executed, the method comprises judging whether the scan target is online by means of a ping mechanism, adding online targets to a scanning queue for vulnerability scanning, and re-checking at regular intervals whether targets that were offline have come online.

Technical Field

The invention belongs to the technical field of network security, and particularly relates to a linkage scanning implementation method for security vulnerabilities.

Background

The openness and interconnectivity brought by informatization and the Internet make the internal networks and hosts of enterprises and organizations easy targets or carriers of attacks, so the security of internal computer networks has become all the more important. With the development of communication and network technologies, special-purpose devices distinct from conventional firewalls and similar security devices have appeared, such as intrusion detection systems, intrusion prevention systems, information auditing systems and vulnerability scanning systems, each undertaking a different protection task according to its function. In the prior art, however, these devices are connected to the network in parallel (out of line): although they can discover threat factors in the network in time, they cannot themselves take effective blocking or isolation measures, and in-line devices such as firewalls or gateways are still needed for that. Because information and resource sharing between the various devices is limited, an effective linkage scheme between them is still lacking, and the technical problem of achieving highly cooperative operation remains to be solved. For example, how to have a non-scanner device trigger linked vulnerability scanning after a security event occurs, and how to have linked in-line devices block the threat in time, are common problems in practice.

Disclosure of Invention

In view of the foregoing background, the present invention is directed to a linkage vulnerability-scanning method in which, after a non-scanner device discovers a security event, it requests the vulnerability scanner to perform vulnerability scanning through an effective linkage measure, and in-line devices such as firewalls are used to block and isolate the affected subnet or host in time.

The specific technical scheme of the invention is as follows:

The linkage scanning method for vulnerabilities comprises the following steps: listening for a scanning request from a non-scanner device (a device that is not a vulnerability scanner); if the device passes authentication, receiving the linkage message carried in the scanning request, creating and starting a corresponding scanning task according to the message content, and performing vulnerability scanning on the target specified by the scanning request; and returning the scan result of the scanning task to the requesting device, and performing a corresponding handling action according to the scan result.

The authentication process for the non-scanner device comprises the following steps:

after a device has joined the network and its configuration is complete, reporting the device's IP and a first string to a trust list, and storing the first string locally on the device;

the non-scanner device sends its own IP to the vulnerability scanner when it initiates a scanning request, and the scanner, having received the non-scanner device's IP, returns a second string to it;

the non-scanner device encrypts the first string together with the second string to generate a first key and sends the first key to the scanner;

the scanner queries the trust list by the non-scanner device's IP to obtain the corresponding first string, and encrypts that first string together with the second string to generate a second key; the first key is compared with the second key, and if they match, authentication passes, otherwise authentication fails.

The first string is the timestamp at which the device reported its IP, and the second string is the timestamp at which the scanner received the non-scanner device's IP.

After a device is reconfigured, its IP is updated again and the corresponding first string is regenerated.

A non-scanner device that has passed authentication is not authenticated again for the scanning requests it initiates within a preset time period.

The linkage scanning method further comprises reporting the scan result of the scanning task to a firewall or gateway device, and deciding according to the scan result whether to perform data blocking or subnet isolation on the scan target;

and dispatching the scanning task to the scanning engine with the most available resources, selecting one at random if at least two scanning engines tie for the most available resources.

Before the scanning task is executed, whether the scan target is online is judged by means of a ping mechanism; online targets are added to a scanning queue for vulnerability scanning, and targets that were offline are re-checked at regular intervals to see whether they have come online.

By adopting this technical scheme, the invention has the following beneficial effects: an information-sharing mechanism is provided; preset, reliable authentication measures guarantee that the linked devices can be trusted; when a non-scanner device discovers a security event that calls for further vulnerability scanning to uncover a potential threat, it can send a request to the vulnerability scanner, and the scanner returns the corresponding scan result to the requesting device so that appropriate action can be taken. The scan result is also reported to in-line devices such as firewalls, which carry out the corresponding blocking or dropping measures; this supports deeper and broader protection of the network.

Drawings

FIG. 1 is a schematic diagram of the workflow of an embodiment of the linkage scanning method for vulnerabilities of the present invention;

FIG. 2 is a schematic diagram of the authentication of a non-scanner device by the vulnerability scanner in the embodiment of the linkage scanning method for vulnerabilities of the present invention.

Detailed Description

The following describes a specific technical solution for achieving the technical object of the present invention in detail with reference to the accompanying drawings and embodiments.

As shown in FIG. 1, the linkage scanning method for vulnerabilities comprises: listening for a scanning request from a non-scanner device (a device that is not a vulnerability scanner); if the device passes authentication, receiving the linkage message carried in the scanning request, creating and starting a corresponding scanning task according to the message content, and performing vulnerability scanning on the target specified by the scanning request; and returning the scan result of the scanning task to the requesting device, and performing a corresponding handling action according to the scan result.

A non-scanner device that has passed authentication is not authenticated again for the scanning requests it initiates within a preset time period.

The linkage scanning method further comprises reporting the scan result of the scanning task to a firewall or gateway device, and deciding according to the scan result whether to perform data blocking or subnet isolation on the scan target;

and dispatching the scanning task to the scanning engine with the most available resources, selecting one at random if at least two scanning engines tie for the most available resources.

Before the scanning task is executed, whether the scan target is online is judged by means of a ping mechanism; online targets are added to a scanning queue for vulnerability scanning, and targets that were offline are re-checked at regular intervals to see whether they have come online.

The linkage message content comprises at least the list of requested parameters, the scan target IP, the scan type, and so on. The scanner creates a corresponding scanning task according to the message content and performs vulnerability scanning on the specified scan target.

As shown in FIG. 2, the authentication of the non-scanner device by the scanner proceeds as follows:

after a device has joined the network and its configuration is complete, it reports its IP and a first timestamp to a trust list and stores the first timestamp locally; the trust list may be located on a server device.

The non-scanner device sends its own IP to the scanner when it initiates a scanning request, and the scanner, having received the non-scanner device's IP, returns a second timestamp to it.

The non-scanner device applies MD5 to the first timestamp and the second timestamp to generate a first key, and sends the first key to the scanner.

The scanner queries the trust list by the non-scanner device's IP to obtain the corresponding first timestamp, and applies MD5 to that first timestamp and the second timestamp to generate a second key; the first key is compared with the second key, and if they match, authentication passes, otherwise it fails.

After a device is reconfigured, its IP is updated again and the corresponding first timestamp is regenerated.

The first timestamp is the timestamp at which the device reported its IP, and the second timestamp is the timestamp at which the scanner received the non-scanner device's IP.

In the authentication process the first key is generated by the non-scanner device from its locally stored value, and the second key is generated by the scanner from the information it obtains from the trust list; the two keys are derived from independent data sources, which helps ensure the validity of the authentication.
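The following is an added example, not code from the patent, modelling the authentication exchange of claims 2, 3 and 5 and of FIG. 2 as described above: trust-list registration, the second-timestamp challenge, MD5 key derivation on both sides, comparison, and the preset period during which an authenticated device is not re-authenticated. The page does not fix how the two strings are combined before MD5 or how timestamps are encoded; the example assumes plain string concatenation of decimal timestamps, and the class and function names are its own.

```python
import hashlib
import hmac

def md5_key(first: str, second: str) -> str:
    # The page does not fix how the two strings are combined: concatenation is assumed here.
    return hashlib.md5((first + second).encode("ascii")).hexdigest()

class TrustList:
    """Trust list (the page says it may live on a server): IP -> first timestamp."""
    def __init__(self):
        self.entries = {}
    def register(self, ip: str, first: str) -> None:
        self.entries[ip] = first  # re-registration after reconfiguration replaces the entry
    def lookup(self, ip: str):
        return self.entries.get(ip)

class NonScannerDevice:
    """Device that is not a vulnerability scanner (e.g. an IDS) requesting a scan."""
    def __init__(self, ip: str, trust_list: TrustList, now: int):
        self.ip = ip
        self.first = str(now)  # first timestamp: when the IP was reported; kept locally
        trust_list.register(ip, self.first)
    def respond(self, second: str) -> str:
        return md5_key(self.first, second)  # first key, sent to the scanner

class Scanner:
    """Vulnerability scanner: issues the second timestamp and checks the first key."""
    def __init__(self, trust_list: TrustList, auth_ttl: int):
        self.trust_list = trust_list
        self.auth_ttl = auth_ttl  # the "preset time period" of claim 5
        self.authenticated = {}  # ip -> time of last successful authentication
    def challenge(self, now: int) -> str:
        return str(now)  # second timestamp: when the requester's IP was received
    def verify(self, ip: str, second: str, first_key: str, now: int) -> bool:
        last = self.authenticated.get(ip)
        if last is not None and now - last < self.auth_ttl:
            return True  # authenticated within the window: no re-authentication
        first = self.trust_list.lookup(ip)
        if first is None:
            return False  # IP not in the trust list
        second_key = md5_key(first, second)
        ok = hmac.compare_digest(first_key, second_key)  # constant-time comparison
        if ok:
            self.authenticated[ip] = now
        return ok

def run_handshake(scanner: Scanner, device: NonScannerDevice, now: int) -> bool:
    """One scan request: IP -> second timestamp -> first key -> recompute and compare."""
    second = scanner.challenge(now)
    return scanner.verify(device.ip, second, device.respond(second), now)
```

Note that the first timestamp acts as the shared secret between the requesting device and the trust list, so after reconfiguration (claim 4) a device holding the old value no longer authenticates.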

The technical scheme of the invention provides an information-sharing mechanism: preset, reliable authentication measures guarantee that the linked devices can be trusted; when a non-scanner device discovers a security event that calls for further vulnerability scanning to uncover a potential threat, it can send a request to the vulnerability scanner, and the scanner returns the corresponding scan result to the requesting device so that appropriate action can be taken. The scan result is also reported to in-line devices such as firewalls, which carry out the corresponding blocking or dropping measures; this supports deeper and broader protection of the network.
