
Design and Implementation of Distributed Vulnerability Assessment System

【Author】 Zhang Lin

【Advisor】 Gao Ling

【Author information】 Northwest University, Computer Software and Theory, 2009, Master's thesis

【Abstract (Chinese, translated)】 The development of computing technology has had a profound influence on people's lives, and a wide variety of computing systems have been introduced into production systems. On the one hand, advances in computing technology have raised social productivity; on the other hand, the fragility of computing technology itself exposes production systems to threats. Vulnerabilities in computing systems are frequently exploited by attackers and thereby affect production systems; introducing a vulnerability assessment system into a production system can mitigate this adverse impact to some extent and consolidate the production system's security. The fact that vulnerability disclosure grows faster than patch release, together with the uneven distribution of technical capability among security tool vendors, means that vendors need broader cooperation and mutual understanding. Inconsistent technical standards among security tool vendors, however, prevent them from understanding and consuming one another's security data, which makes vulnerability assessment increasingly complex and hinders rapid remediation. In addition, computing networks differ in scale, configuration and performance and therefore place different requirements on vulnerability assessment, whereas a single-structure vulnerability assessment technique either requires high computing cost or consumes additional network resources, affects the computing network, and cannot adapt to many kinds of network. Based on the above considerations, and in order to reduce computing cost, save network overhead and shorten the window between vulnerability discovery and patch application, this thesis, after studying the theory and technology related to vulnerability assessment, designs and preliminarily implements a layered multi-server, mixed-structure distributed vulnerability assessment system. The system 1) adopts a multi-server structure to distribute client workload; 2) adopts a layered structure for unified, centralized management of the multiple servers; 3) supports multiple vulnerability assessment techniques and can select a suitable assessment method according to the operating condition of the computing network; 4) adopts a plugin architecture to improve extensibility, so that new vulnerabilities can be assessed by adding plugins; 5) adopts mature technologies such as NASL scripts to realize network-based vulnerability assessment; 6) introduces international standards such as CPE, CVE and OVAL to enhance interoperability between security tools; 7) provides a friendly web-based human-machine interface through which hosts can be conveniently browsed/discovered and assessment tasks added/removed. The implementation of the system shows that the design has strong scalability and high practical value, helps eliminate differences in technical capability among security tool vendors, helps shorten the window between vulnerability discovery and patch application, and helps enhance the security of production systems.

【Abstract】 The development of computing technologies has profoundly influenced people's lives, and a wide variety of computing systems have been introduced into production systems. On the one hand, advances in computing technologies have improved social productive forces; on the other hand, vulnerabilities in computing technologies themselves threaten production systems. Vulnerabilities in computing systems are often exploited by attackers and can have a certain impact on production systems. Introducing a vulnerability assessment system into production systems can alleviate these adverse effects and consolidate the security of production systems. The fact that vulnerability exposure grows faster than patch publishing, together with the imbalance in technical force configuration between security tool manufacturers, means that manufacturers need a broader range of cooperation and understanding. Differences between the standards in use prevent manufacturers from understanding and consuming each other's security data, and make vulnerability assessment more difficult and complex to clean up. In addition, the differences in size, configuration and performance of computing networks give them different requirements for vulnerability assessment, while single-structure vulnerability assessment technologies require either higher computing cost or additional network resources, place a certain burden on computing networks, and are not applicable to every computing network. Considering the above facts, to reduce computing cost, save network expense and shorten the window between vulnerability exposure and patch publishing, after research on the rationale and technologies relevant to vulnerability assessment, the paper designs and initially implements a multi-tiered, multi-server-based, mixed-structure, distributed vulnerability assessment system. The system 1) arranges multiple servers to handle clients' business; 2) centralizes the management of servers by demarcating them into multiple layers; 3) supports multiple vulnerability assessment methods and can select the appropriate method according to the performance of the computing network; 4) uses a plug-in architecture to improve the scalability of the system and can assess new vulnerabilities by adding new plugins; 5) uses mature technologies such as NASL to achieve network-based vulnerability assessment; 6) introduces international standards such as CPE, CVE and OVAL to strengthen the interoperability between security tools; 7) has a friendly web-based human-machine interface through which operators can browse/discover hosts and add/remove assessment tasks. The implementation of the system proves that the design schema has strong flexibility and high utility value, and helps to eliminate differences in technical force configuration between security tool manufacturers, shorten the window between vulnerability exposure and patch publishing, and strengthen the security of production systems.

  • 【Online publication contributor】 Northwest University
  • 【Online publication year/issue】 2009, Issue 08