Target device repair method, apparatus, medium, and device
By assessing vulnerabilities in electronic devices and their impact on related devices, determining the scores and urgency of critical attack types, the problem of a lack of scientific basis for fixing electronic device vulnerabilities was solved, thereby improving the security and stability of industrial control networks.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- HANGZHOU GUYI NETWORK TECH CO LTD
- Filing Date
- 2024-02-19
- Publication Date
- 2026-06-19
AI Technical Summary
The lack of clear remediation solutions for vulnerabilities in different electronic devices in the current technology leads to a lack of scientific basis for vulnerability remediation, which may affect the normal operation of equipment and cause industrial control network security incidents.
By acquiring the vulnerability set of the target device, identifying the set of key attack types, and scoring the urgency of remediation based on the completeness of the attack chain and the total impact on associated devices, the urgency level of remediation and the remediation method are determined.
It enables accurate assessment and orderly repair of vulnerabilities in electronic devices, improves the accuracy and efficiency of vulnerability repair, and safeguards the equipment security of industrial control networks.
Description
Technical Field
[0001] This application relates to the field of information security testing technology, and in particular to a method, apparatus, medium and electronic device for repairing a target device.
Background Technology
[0002] With the development of information technology, vulnerabilities in electronic devices within industrial control networks (ICS) have become increasingly prominent, severely impacting the security and stability of electronic devices and even the entire ICS network. Therefore, patching these vulnerabilities is crucial. However, current technologies lack clear solutions for patching different electronic device vulnerabilities. This lack of scientific basis for vulnerability patching may affect the normal operation of electronic devices and could even lead to ICS network security incidents.
Summary of the Invention
[0003] The technical problem this application aims to solve is: how to perform targeted repairs for different electronic device vulnerabilities, thereby improving the accuracy and efficiency of electronic device vulnerability repair.
[0004] To address the aforementioned technical problems, according to a first aspect of this application, a method for repairing a target device is provided, comprising:
[0005] S100, acquire the vulnerabilities existing in the target device to obtain the target vulnerability set D = (D1, D2, ..., Di, ..., Dn); i = 1, 2, ..., n; where Di is the vulnerability identifier of the i-th target vulnerability existing in the target device; n is the number of target vulnerabilities existing in the target device; each target vulnerability corresponds to at least one attack stage;
[0006] S200, based on D and several preset attack types, a critical attack type set M = (M1, M2, ..., Mp, ..., Mq) is obtained; p = 1, 2, ..., q; where q is the number of critical attack types; each preset attack type includes at least one attack stage; Mp is the p-th critical attack type; a critical attack type is a preset attack type that contains at least one attack stage corresponding to any target vulnerability; Mp = (Mp1, Mp2, ..., Mpb, ..., Mpf(p)); b = 1, 2, ..., f(p); f(p) is the number of critical attack stages of the p-th critical attack type; Mpb is the b-th critical attack stage of the p-th critical attack type; a critical attack stage is the attack stage corresponding to the target vulnerability;
[0007] S300, based on M, the critical attack type score set H = (H1, H2, ..., Hp, ..., Hq) is obtained; where Hp is the critical attack type score corresponding to Mp; Hp satisfies the following condition: Hp = e^(Gp*Wp), where Gp is the total device impact value of all associated devices corresponding to the target device; the associated devices communicate directly with the target device and directly control the target device; Wp is the completeness of the attack chain for the p-th critical attack type; Wp = f(p) / NUMp; NUMp is the number of attack links corresponding to the p-th critical attack type;
[0008] S400, based on H, determine the repair urgency score HD of the target device;
[0009] S500, based on HD, determines the repair urgency level of the target device and repairs the target device.
[0010] According to a second aspect of this application, a target equipment repair apparatus is provided, comprising:
[0011] The vulnerability acquisition module is used to acquire vulnerabilities existing in the target device to obtain a target vulnerability set D = (D1, D2, ..., Di, ..., Dn); i = 1, 2, ..., n; where Di is the i-th vulnerability existing in the target device; n is the number of target vulnerabilities existing in the target device; each target vulnerability corresponds to at least one attack stage;
[0012] The critical type acquisition module is used to obtain a critical attack type set M = (M1, M2, ..., Mp, ..., Mq) based on D and several preset attack types; p = 1, 2, ..., q; where q is the number of critical attack types; each preset attack type includes at least one attack step; Mp is the p-th critical attack type; a critical attack type is a preset attack type that contains at least one attack step corresponding to any target vulnerability; Mp = (Mp1, Mp2, ..., Mpb, ..., Mpf(p)); b = 1, 2, ..., f(p); f(p) is the number of critical attack steps of the p-th critical attack type; Mpb is the b-th critical attack step of the p-th critical attack type; a critical attack step is the attack step corresponding to the target vulnerability.
[0013] The scoring determination module is used to obtain a critical attack type score set H = (H1, H2, ..., Hp, ..., Hq) based on M; where Hp is the critical attack type score corresponding to Mp; Hp satisfies the following condition: Hp = e^(Gp*Wp), where Gp is the total device impact value of all associated devices corresponding to the target device; the associated devices communicate directly with the target device and directly control the target device; Wp is the completeness of the attack chain for the p-th critical attack type; Wp = f(p) / NUMp; NUMp is the number of attack links corresponding to the p-th critical attack type;
[0014] The repair score acquisition module is used to determine the repair urgency score (HD) of the target device based on H.
[0015] The repair module is used to determine the repair urgency level of the target device based on HD and then repair the target device.
[0016] According to a third aspect of this application, a non-transitory computer-readable storage medium is provided, wherein at least one instruction or at least one program is stored in the storage medium, and the at least one instruction or at least one program is loaded and executed by a processor to implement the above-described target device repair method.
[0017] According to a fourth aspect of this application, an electronic device is provided, including a processor and the aforementioned non-transitory computer-readable storage medium.
[0018] This application has at least the following beneficial effects:
[0019] The target device remediation method provided in this application firstly identifies vulnerabilities in the target device to obtain a target vulnerability set D. Here, for the industrial control network where the target device is located, there may be several electronic devices with vulnerabilities; each target vulnerability corresponds to at least one attack link. Secondly, based on D and several preset attack types, a set of critical attack types M is obtained. Here, based on the vulnerabilities in the target device and several preset attack types, several critical attack types are determined, and each critical attack type contains at least one attack link corresponding to any target vulnerability; that is, critical attack types are attack types that may launch attacks against the target device. Then, based on the completeness of the attack chain of each critical attack type (the proportion of its critical attack links to the total attack links) and the total device impact value of all associated devices, a critical attack type score is obtained for each critical attack type. The higher the critical attack type score, the higher the completeness of the attack chain of the critical attack type, indicating a greater likelihood that the critical attack type will launch an attack against the target device. Within the industrial control network where the target device resides, the target device has corresponding associated devices (electronic devices that can directly communicate with and control the target device). Each associated device of the target device has a corresponding device influence value, i.e., the influence value on the target device. Here, the larger the device influence value of the associated devices of the target device, the greater the harm to the target device and its associated devices if the target device is attacked by a certain critical attack type. 
That is, according to the function trend, in this application, when scoring each critical attack type, not only is the completeness of the attack chain of each critical attack type considered, but also the total device influence value of all associated devices corresponding to the target device. If the total device influence value of a certain critical attack type is low, it means that if the target device is attacked by that critical attack type, the degree of harm to the target device and its associated devices is low; even if its attack chain completeness is high (the probability of the target device being attacked by that critical attack type is high), the overall harm to the target device is still low. Conversely, if the total impact value of a certain critical attack type is high, it indicates that if the target device is attacked by that critical attack type, the harm to the target device and its associated devices is high; while if the attack chain is less complete (the probability of the target device being attacked by that critical attack type is low), the overall harm to the target device is also lower (the probability of occurrence is low). Next, the urgency score for repairing the target device is obtained. Finally, based on the above urgency score, the vulnerability level of the target device is determined, and different repair methods are set for target devices with different vulnerability levels. This application considers the total device impact value corresponding to each critical attack type and the completeness of the attack chain corresponding to each critical attack type. Compared to only considering the completeness of the attack chain corresponding to each critical attack type, it takes into account both the probability of being attacked by that critical attack type and the degree of harm that critical attack type causes to the target device and its associated devices.
The resulting repair urgency score, representing the overall harm of the critical attack type, is more accurate. Furthermore, different repair methods are set for electronic devices with different vulnerability levels. This achieves accurate assessment of the vulnerability of electronic devices, and further, orderly repair based on the vulnerability of electronic devices can better maintain the security environment of the target device and the industrial control network it resides in.
Attached Figure Description
[0020] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0021] Figure 1 is a flowchart of a target device repair method provided in one embodiment of this application;
[0022] Figure 2 is a structural block diagram of a target device repair apparatus provided in one embodiment of this application.
Detailed Implementation
[0023] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0024] As shown in Figure 1, a method for repairing a target device according to an embodiment of this application is provided, comprising:
[0025] S100, obtain the vulnerabilities existing in the target device to obtain the target vulnerability set D = (D1, D2, ..., Di, ..., Dn); i = 1, 2, ..., n; where Di is the vulnerability identifier of the i-th target vulnerability existing in the target device; n is the number of target vulnerabilities existing in the target device; each target vulnerability corresponds to at least one attack step.
[0026] Specifically, the target device can be any vulnerable electronic device within the industrial control network. All vulnerabilities existing in the target device are identified as target vulnerabilities, resulting in D. Here, each target vulnerability corresponds to at least one attack link (that is, the attack link is easier to execute when the vulnerability exists), and several attack links together form an attack type.
[0027] S200, based on D and several preset attack types, obtain the critical attack type set M = (M1, M2, ..., Mp, ..., Mq); p = 1, 2, ..., q; where q is the number of critical attack types; each preset attack type includes at least one attack stage; Mp is the p-th critical attack type; a critical attack type is a preset attack type that contains at least one attack stage corresponding to any target vulnerability; Mp = (Mp1, Mp2, ..., Mpb, ..., Mpf(p)); b = 1, 2, ..., f(p); f(p) is the number of critical attack stages of the p-th critical attack type; Mpb is the b-th critical attack stage of the p-th critical attack type; a critical attack stage is the attack stage corresponding to the target vulnerability.
[0028] Specifically, step S200 includes:
[0029] S210, obtain the attack links corresponding to each of the several preset attack types to obtain the attack type set G = (G1, G2, ..., Gj, ..., Gm); j = 1, 2, ..., m; where m is the number of preset attack types; Gj is the preset j-th attack type; Gj = (Gj1, Gj2, ..., Gja, ..., Gjf(j)); a = 1, 2, ..., f(j); where Gja is the preset a-th attack link of the j-th attack type; f(j) is the number of attack links of the j-th attack type.
[0030] Here, each of the several preset attack types has at least one corresponding attack step. All attack steps corresponding to each attack type are obtained. Here, the aforementioned vulnerability corresponds to at least one attack step in G, while the target device may have multiple vulnerabilities. That is, vulnerabilities in the target device may correspond to different attack types. Here, different attack types may cause different attack intensities (severity of harm) to the target device or other related devices of the target device.
[0031] S220, based on D and G, we obtain the critical attack type set M = (M1, M2, ..., Mp, ..., Mq).
[0032] In this embodiment, based on the attack links corresponding to all target vulnerabilities of the target device, key attack types that can be matched with the target device are determined. A key attack type is defined as containing at least one attack link corresponding to any target vulnerability of the target device. Each key attack type also includes several key attack links; and each key attack link is the attack link corresponding to the target vulnerability. Here, based on the attack links corresponding to all target vulnerabilities of the target device, key attack types containing attack links corresponding to any target vulnerability and key attack links corresponding to each key attack type are determined. Therefore, a key attack type indicates a higher probability that the target device is vulnerable to that attack type. That is, the more key attack types the target device corresponds to, the more different attack types the target device may be attacked by, indicating that the target device and its associated devices are more vulnerable; here, associated devices are other electronic devices that can directly communicate with and control the target device. On the other hand, for two different key attack types, the more key attack links they contain, the higher the probability that that key attack type will attack the target device.
[0033] S300, based on M, the critical attack type score set H = (H1, H2, ..., Hp, ..., Hq) is obtained; where Hp is the critical attack type score corresponding to Mp; Hp satisfies the following condition: Hp = e^(Gp*Wp), where Gp is the total device impact value of all associated devices corresponding to the target device; the associated devices communicate directly with the target device and directly control the target device; Wp is the completeness of the attack chain for the p-th critical attack type; Wp = f(p) / NUMp; NUMp is the number of attack links corresponding to the p-th critical attack type.
[0034] Specifically, within the industrial control network where the target device is located, the target device has corresponding associated devices (electronic devices that can communicate directly with and control the target device); each associated device of the target device has a corresponding device influence value, that is, the influence value on the target device. Here, the larger the device influence value of the associated devices of the target device, the greater the harm to the target device and its associated devices if the target device is attacked by a certain key attack type.
[0035] Therefore, in this embodiment, when scoring each critical attack type, not only the completeness of the attack chain for each critical attack type is considered, but also the total device impact value of all associated devices corresponding to the target device. For example, if the total device impact value of a certain critical attack type is low, it means that if the target device is attacked by that critical attack type, the harm to the target device and its associated devices is low; even if its attack chain completeness is high (the probability of the target device being attacked by that critical attack type is high), the overall harm to the target device is still low. Conversely, if the total device impact value of a certain critical attack type is high, it means that if the target device is attacked by that critical attack type, the harm to the target device and its associated devices is high; even if its attack chain completeness is low (the probability of the target device being attacked by that critical attack type is low), the overall harm to the target device is still low (the probability of occurrence is low).
[0036] In summary, this embodiment considers both the total device impact value corresponding to each critical attack type and the completeness of the attack chain corresponding to each critical attack type when scoring critical attack types. Compared to only considering the completeness of the attack chain corresponding to each critical attack type, this embodiment considers the probability of being attacked by the critical attack type and also takes into account the degree of harm of the critical attack type to the target device and its associated devices. The comprehensive harm of the critical attack type represented by the obtained critical attack type score is more accurate.
[0037] S400, based on H, determine the repair urgency score HD of the target device.
[0038] Specifically, in one embodiment, step S400 includes:
[0039] S410, based on H, obtain the repair urgency score of the target device HD = MAX(H); where MAX() is a preset maximum value determination function.
[0040] Here, the maximum value in H is used as the repair urgency score HD of the target device. The maximum value in H is the most reliable reference. Using it as the repair urgency score HD of the target device is simple to calculate and relatively accurate.
[0041] In another embodiment, step S400 further includes:
[0042] S420, obtain the key attack type scores in H corresponding to attack chain completeness greater than the preset attack chain completeness, and obtain the target attack type score set L = (L1, L2, ..., Lx, ..., Ly); x = 1, 2, ..., y; where Lx is the key attack type score corresponding to the xth attack chain completeness greater than the preset attack chain completeness; y is the number of key attack type scores corresponding to the attack chain completeness greater than the preset attack chain completeness; y ≤ q.
[0043] Here, since different preset attack types may contain some common basic attack steps, a particular attack step corresponding to a vulnerability in the target device may match most preset attack types. However, if the completeness of the attack chain for a certain preset attack type is extremely low, its impact on the final remediation urgency score is minimal. Nevertheless, to comprehensively consider the influence of multiple effective critical attack types as much as possible, this embodiment sets a preset attack chain completeness level. The score of the critical attack type in H whose attack chain completeness is greater than the preset attack chain completeness level is taken as the effective critical attack type score.
[0044] S430, based on L, the repair urgency score of the target device is obtained as HD = z1*L1 + z2*L2 + ... + zx*Lx + ... + zy*Ly; where z1, z2, ..., zx, ..., zy are preset attack type weights.
[0045] Specifically, after determining the effective critical attack type scores, they are weighted and summed to obtain the final repair urgency score HD of the target device. Here, z1, z2, ..., zx, ..., zy can be determined according to the severity of the corresponding critical attack type, that is, the greater the severity of the critical attack type, the greater the weight value.
[0046] In summary, this embodiment sets a preset attack chain completeness level to comprehensively consider the impact of multiple effective critical attack types on the target device. Critical attack type scores in H with attack chain completeness levels greater than the preset attack chain completeness level are considered valid critical attack type scores. These scores are then weighted and summed to obtain the final repair urgency score (HD) for the target device. Critical attack types that have little impact on the calculation of the final repair urgency score are filtered out, reducing computational load and improving the accuracy of the repair urgency score (HD).
[0047] In another exemplary embodiment of this application, the above-mentioned repair urgency score HD can also be obtained through the following steps:
[0048] S440, obtain the key attack type scores in H that are greater than the preset attack type score, and obtain the target attack type score set B = (B1, B2, ..., Bc, ..., Bd); c = 1, 2, ..., d; where Bc is the c-th key attack type score that is greater than the preset attack type score; d is the number of key attack type scores that are greater than the preset attack type score; d ≤ q.
[0049] Here, since different preset attack types may contain some common basic attack links, a particular attack link corresponding to a vulnerability in the target device may match most preset attack types. However, if the completeness of the attack chain for a certain preset attack type is extremely low, its impact on the final calculation of the urgency score for remediation is minimal. Nevertheless, to comprehensively consider the impact of multiple effective critical attack types as much as possible, this embodiment sets a preset attack type score. The critical attack type score in H that is greater than the preset attack type score is considered a valid critical attack type score (target attack type score).
[0050] S450, according to B, the repair urgency score of the target device is obtained as HD = g1*B1 + g2*B2 + ... + gc*Bc + ... + gd*Bd; where g1, g2, ..., gc, ..., gd are preset attack type weights.
[0051] Specifically, after determining the effective critical attack type scores, they are weighted and summed to obtain the final repair urgency score HD of the target device. Here, g1, g2, ..., gc, ..., gd can be determined according to the severity of the corresponding critical attack type, that is, the greater the severity of the critical attack type, the greater the weight value.
[0052] In summary, this embodiment sets a preset attack type score to comprehensively consider the impact of multiple effective critical attack types on the target device. Attack type scores in H that are greater than the preset attack type score are considered valid critical attack type scores (target attack type scores). These scores are then weighted and summed to obtain the final repair urgency score (HD) for the target device. Critical attack types that have little impact on the calculation of the final repair urgency score are filtered out, reducing computational load and improving the accuracy of the repair urgency score (HD).
[0053] S500, based on HD, determines the repair urgency level of the target device and repairs the target device.
[0054] Specifically, step S500 also includes:
[0055] S510, based on HD, determine the repair urgency level DJ of the target device.
[0056] Here, if HD≤FY1, the repair urgency level of the target device is determined to be Level 3; if FY1<HD<FY2, the repair urgency level of the target device is determined to be Level 2; if HD≥FY2, the repair urgency level of the target device is determined to be Level 1; where FY1 is the preset first repair urgency threshold and FY2 is the preset second repair urgency threshold.
[0057] S520, based on DJ, traverse the preset repair list library and add the identifier of the target device to the corresponding target repair list; wherein the repair list library contains several repair lists; each repair list corresponds to one repair method and one repair urgency level; any two different repair lists correspond to different repair methods; any two different repair lists correspond to different vulnerability levels; any two different vulnerability levels correspond to different repair priorities.
[0058] Here, the preset repair list library contains several repair lists, and each repair list corresponds to a repair method and a vulnerability level; that is, different vulnerability levels are applicable to different repair methods; however, different target devices belonging to the same vulnerability level may have different repair urgency scores. Although the same repair method can be used, the repair priority is different. That is, for different target devices belonging to the same vulnerability level, the higher the repair urgency score, the higher the repair priority.
[0059] S530, repair the target device according to the corresponding repair list.
[0060] Here, the target device is repaired based on the repair method corresponding to its location in the repair list, and the repair priority corresponding to the urgency of the target device within that repair list. That is, within the industrial control network where the target device resides, there may be several vulnerable electronic devices, each with different vulnerabilities. The repair method and priority for each electronic device (including the target device) are determined according to the above method, and each vulnerable electronic device is repaired.
[0061] In one exemplary embodiment of this application, Hp may also satisfy the following condition: Hp = e^Wp, where Wp represents the completeness of the attack chain for the p-th critical attack type; Wp = f(p) / NUMp; NUMp represents the number of attack links corresponding to the p-th critical attack type.
[0062] Specifically, this embodiment determines the critical attack type score of the target device based on the completeness of the attack chain. According to the function trend, for a target device, when the completeness of the attack chain corresponding to a certain critical attack type is low, the target device is less likely to be attacked by that critical attack type. Conversely, as the completeness of the attack chain corresponding to a critical attack type increases, the likelihood of the target device being attacked by that critical attack type increases significantly, and this increase is faster than the increase when the attack chain completeness is low. In other words, the more complete the attack chain corresponding to a critical attack type becomes, the faster the likelihood of it attacking the target device increases. This achieves accurate evaluation of the critical attack type score of the target device.
[0063] In one exemplary embodiment of this application, Hp may also satisfy the following condition: Hp = e^(Kp*Wp), where Wp represents the completeness of the attack chain for the p-th critical attack type; Wp = f(p) / NUMp; NUMp represents the number of attack links corresponding to the p-th critical attack type; and Kp represents the severity score corresponding to Mp, the p-th critical attack type.
[0064] Specifically, each preset attack type has a corresponding severity score. That is, the degree of harm posed by each preset attack type to the target device is different. The higher the severity score of a preset attack type, the greater its harm to the target device, and vice versa. Therefore, in this embodiment, when scoring each key attack type, not only the completeness of the attack chain for each key attack type is considered, but also its severity score. For example, if the severity score of a certain key attack type is low, it means that if the target device is attacked by this key attack type, the harm to the target device and its associated devices is low; even if its attack chain completeness is high (the probability of the target device being attacked by this key attack type is high), the overall harm to the target device is still low. Conversely, if the severity score of a certain key attack type is high, it means that if the target device is attacked by this key attack type, the harm to the target device and its associated devices is high; even if its attack chain completeness is low (the probability of the target device being attacked by this key attack type is low), the overall harm to the target device is still low (the probability of occurrence is low).
[0065] In summary, in this embodiment, the critical attack type score considers both the severity score of each critical attack type and the completeness of the attack chain corresponding to each critical attack type. Compared to only considering the completeness of the attack chain corresponding to each critical attack type, this approach considers both the possibility of being attacked by that critical attack type and the severity of that critical attack type, resulting in a more accurate comprehensive severity assessment of the critical attack type.
[0066] Embodiments of this application also provide a target device repair apparatus 100 which, as shown in Figure 2, includes:
[0067] The vulnerability acquisition module 110 is used to acquire vulnerabilities existing in the target device to obtain a target vulnerability set D = (D1, D2, ..., Di, ..., Dn); i = 1, 2, ..., n; where Di is the i-th vulnerability existing in the target device; n is the number of target vulnerabilities existing in the target device; each target vulnerability corresponds to at least one attack step.
[0068] The critical type acquisition module 120 is used to obtain a critical attack type set M = (M1, M2, ..., Mp, ..., Mq) based on D and several preset attack types; p = 1, 2, ..., q; where q is the number of critical attack types; each preset attack type includes at least one attack step; Mp is the p-th critical attack type; a critical attack type is a preset attack type that contains at least one attack step corresponding to any target vulnerability; Mp = (Mp1, Mp2, ..., Mpb, ..., Mpf(p)); b = 1, 2, ..., f(p); f(p) is the number of critical attack steps of the p-th critical attack type; Mpb is the b-th critical attack step of the p-th critical attack type; a critical attack step is the attack step corresponding to the target vulnerability.
[0069] The scoring determination module 130 is used to obtain a critical attack type score set H = (H1, H2, ..., Hp, ..., Hq) based on M; where Hp is the critical attack type score corresponding to Mp; Hp satisfies the following condition: $H_p = e^{G_p W_p}$, where Gp is the total device impact value of all associated devices corresponding to the target device; the associated devices communicate directly with the target device and directly control the target device; Wp is the completeness of the attack chain for the p-th critical attack type; $W_p = f(p) / NUM_p$; NUMp is the number of attack links corresponding to the p-th critical attack type.
[0070] Repair score acquisition module 140 is used to determine the repair urgency score HD of the target device based on H.
[0071] Repair module 150 is used to determine the repair urgency level of the target device based on HD and to repair the target device.
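As an added worked example (not code from the patent or its assignee), the scoring pipeline of modules 110 to 150 in Python, using the HD = MAX(H) rule of claim 3 and the FY1/FY2 level thresholds of claim 5; the preset attack types, the vulnerability-to-step mapping, the impact value Gp and the thresholds are constructed sample values, and associated-device impact is assumed to have already been summed into a single Gp.

```python
"""Worked example of the target-device repair-urgency scoring described in
paragraphs [0067]-[0071] and claims 3 and 5. All data below is constructed
sample data, not values from the patent."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackType:
    name: str
    steps: tuple   # preset attack steps G_j1 .. G_jf(j), in chain order
    num_links: int  # NUM_p: number of attack links in the type's chain


# Constructed preset attack types (the set G of claim 2).
PRESET_TYPES = (
    AttackType("remote_code_exec", ("recon", "exploit_service", "persist", "lateral"), 4),
    AttackType("credential_abuse", ("recon", "default_creds", "config_change"), 3),
    AttackType("dos_flood", ("recon", "flood"), 2),
)

# Constructed mapping from a target vulnerability D_i to the attack steps it
# corresponds to ("each target vulnerability corresponds to at least one attack step").
VULN_TO_STEPS = {
    "VULN-A": {"exploit_service"},
    "VULN-B": {"default_creds", "config_change"},
}


def critical_types(vulns, preset=PRESET_TYPES):
    """S200: a preset type is critical when at least one of its steps matches a
    target vulnerability. Returns [(type, critical_steps M_p)] in preset order."""
    covered = set().union(*(VULN_TO_STEPS.get(v, set()) for v in vulns))
    result = []
    for t in preset:
        crit = [s for s in t.steps if s in covered]
        if crit:
            result.append((t, crit))
    return result


def type_scores(vulns, g_total, preset=PRESET_TYPES):
    """S300: H_p = e^(G_p * W_p) with chain completeness W_p = f(p) / NUM_p."""
    scores = {}
    for t, crit in critical_types(vulns, preset):
        w_p = len(crit) / t.num_links          # f(p) / NUM_p
        scores[t.name] = math.exp(g_total * w_p)
    return scores


def repair_urgency(vulns, g_total, fy1, fy2, preset=PRESET_TYPES):
    """S410: HD = MAX(H). S510 (claim 5): level 3 if HD <= FY1,
    level 2 if FY1 < HD < FY2, level 1 if HD >= FY2.
    Returns (HD, level); (0.0, None) when no critical attack type exists."""
    h = type_scores(vulns, g_total, preset)
    if not h:
        return 0.0, None
    hd = max(h.values())
    if hd <= fy1:
        level = 3
    elif hd < fy2:
        level = 2
    else:
        level = 1
    return hd, level


if __name__ == "__main__":
    print(repair_urgency(["VULN-A", "VULN-B"], g_total=3.0, fy1=3.0, fy2=10.0))
```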
[0072] Embodiments of this application also provide a computer program product including program code that, when the program product is run on an electronic device, causes the electronic device to perform the steps of the methods described above according to various exemplary embodiments of this application.
[0073] Furthermore, although the steps of the method in this disclosure are described in a specific order in the accompanying drawings, this does not require or imply that the steps must be performed in that specific order, or that all the steps shown must be performed to achieve the desired result. Additionally or alternatively, certain steps may be omitted, multiple steps may be combined into one step, and / or a step may be broken down into multiple steps.
[0074] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, mobile terminal, or network device, etc.) to execute the methods according to the embodiments of this disclosure.
[0075] In an exemplary embodiment of this disclosure, an electronic device capable of implementing the above-described method is also provided.
[0076] Those skilled in the art will understand that various aspects of this application can be implemented as a system, method, or program product. Therefore, various aspects of this application can be specifically implemented in the following forms: a completely hardware implementation, a completely software implementation (including firmware, microcode, etc.), or a combination of hardware and software implementations, collectively referred to herein as a "circuit," "module," or "system."
[0077] The following describes an electronic device according to this embodiment of the present application. The electronic device is merely an example and should not be construed as limiting the functionality and scope of use of the embodiments of this application.
[0078] The electronic device takes the form of a general-purpose computing device. Components of the electronic device may include, but are not limited to: at least one processor, at least one memory, and buses connecting different system components (including the memory and the processor).
[0079] The memory stores program code that can be executed by a processor, causing the processor to perform the steps described in the "Exemplary Methods" section above, according to various exemplary embodiments of this application.
[0080] The storage may include readable media in the form of volatile storage, such as random access memory (RAM) and / or cache memory, and may further include read-only memory (ROM).
[0081] The storage may also include programs / utilities having a set (at least one) of program modules, including but not limited to: an operating system, one or more applications, other program modules, and program data, each or some combination of these examples may include an implementation of a network environment.
[0082] A bus can represent one or more of several bus architectures, including a memory bus or memory controller, a peripheral bus, a graphics acceleration port, a processor, or a local bus that uses any of the various bus architectures.
[0083] The electronic device can also communicate with one or more external devices (e.g., keyboards, pointing devices, Bluetooth devices, etc.), one or more devices that enable a user to interact with the electronic device, and / or any device that enables the electronic device to communicate with one or more other computing devices (e.g., routers, modems, etc.). This communication can be achieved through input / output (I / O) interfaces. Furthermore, the electronic device can communicate with one or more networks (e.g., local area networks (LANs), wide area networks (WANs), and / or public networks, such as the Internet) via a network adapter. As shown in the figure, the network adapter communicates with other modules of the electronic device via a bus. It should be understood that, although not shown in the figure, other hardware and / or software modules can be used in conjunction with the electronic device, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
[0084] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this disclosure can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, terminal device, or network device, etc.) to execute the methods according to the embodiments of this disclosure.
[0085] In exemplary embodiments of this disclosure, a computer-readable storage medium is also provided, on which a program product capable of implementing the methods described above is stored. In some possible implementations, various aspects of this application may also be implemented as a program product including program code, which, when the program product is run on a terminal device, causes the terminal device to perform the steps of the various exemplary embodiments of this application described in the "Exemplary Methods" section above.
[0086] The program product may employ any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples (a non-exhaustive list) of readable storage media include: electrical connections having one or more wires, portable disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.
[0087] Computer-readable signal media may include data signals propagated in baseband or as part of a carrier wave, carrying readable program code. Such propagated data signals may take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A readable signal medium may also be any readable medium other than a readable storage medium, capable of sending, propagating, or transmitting programs for use by or in conjunction with an instruction execution system, apparatus, or device.
[0088] The program code contained on the readable medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fiber, RF, etc., or any suitable combination thereof.
[0089] Program code for performing the operations of this application can be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, and conventional procedural programming languages such as C or similar languages. The program code can execute entirely on the user's computing device, partially on the user's computing device, as a standalone software package, partially on the user's computing device and partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).
[0090] Furthermore, the above figures are merely illustrative of the processes included in the method according to exemplary embodiments of this application, and are not intended to be limiting. It is readily understood that the processes shown in the above figures do not indicate or limit the temporal order of these processes. Additionally, it is readily understood that these processes may be executed synchronously or asynchronously, for example, in multiple modules.
[0091] It should be noted that although several modules or units for the device used to perform actions have been mentioned in the detailed description above, this division is not mandatory. In fact, according to embodiments of this disclosure, the features and functions of two or more modules or units described above can be embodied in one module or unit. Conversely, the features and functions of one module or unit described above can be further divided and embodied by multiple modules or units.
[0092] The above are merely specific embodiments of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. A target device repair method, characterized in that the method includes:
S100, acquire the vulnerabilities existing in the target device to obtain the target vulnerability set D = (D1, D2, ..., Di, ..., Dn); i = 1, 2, ..., n; where Di is the vulnerability identifier of the i-th target vulnerability existing in the target device; n is the number of target vulnerabilities existing in the target device; each target vulnerability corresponds to at least one attack stage;
S200, based on D and several preset attack types, obtain a critical attack type set M = (M1, M2, ..., Mp, ..., Mq); p = 1, 2, ..., q; where q is the number of critical attack types; each preset attack type includes at least one attack stage; Mp is the p-th critical attack type; a critical attack type is a preset attack type that contains at least one attack stage corresponding to any target vulnerability; Mp = (Mp1, Mp2, ..., Mpb, ..., Mpf(p)); b = 1, 2, ..., f(p); f(p) is the number of critical attack stages of the p-th critical attack type; Mpb is the b-th critical attack stage of the p-th critical attack type; a critical attack stage is the attack stage corresponding to the target vulnerability;
S300, based on M, obtain the critical attack type score set H = (H1, H2, ..., Hp, ..., Hq); where Hp is the critical attack type score corresponding to Mp; Hp satisfies the following condition: $H_p = e^{G_p W_p}$, where Gp is the total device impact value of all associated devices corresponding to the target device; the associated devices communicate directly with the target device and directly control the target device; Wp is the completeness of the attack chain for the p-th critical attack type; $W_p = f(p) / NUM_p$; NUMp is the number of attack links corresponding to the p-th critical attack type;
S400, based on H, determine the repair urgency score HD of the target device;
S500, based on HD, determine the repair urgency level of the target device and repair the target device;
Step S400 further includes:
S420, obtain the critical attack type scores in H whose attack chain completeness is greater than the preset attack chain completeness, obtaining the target attack type score set L = (L1, L2, ..., Lx, ..., Ly); x = 1, 2, ..., y; where Lx is the critical attack type score corresponding to the x-th attack chain completeness greater than the preset attack chain completeness; y is the number of critical attack type scores whose attack chain completeness is greater than the preset attack chain completeness; y ≤ q;
S430, obtain the repair urgency score of the target device according to L; wherein z1, z2, ..., zx, ..., zy are preset attack type weights.
2. The target device repair method of claim 1, wherein Step S200 includes: S210, obtain the attack steps corresponding to each of the several preset attack types to obtain the attack type set G = (G1, G2, ..., Gj, ..., Gm); j = 1, 2, ..., m; where m is the number of preset attack types; Gj is the j-th preset attack type; Gj = (Gj1, Gj2, ..., Gja, ..., Gjf(j)); a = 1, 2, ..., f(j); where Gja is the a-th attack step of the j-th preset attack type; f(j) is the number of attack steps of the j-th preset attack type; S220, based on D and G, obtain the critical attack type set M = (M1, M2, ..., Mp, ..., Mq).
3. The target device repair method of claim 1, wherein Step S400 further includes: S410, based on H, obtain the repair urgency score of the target device HD=MAX(H); where MAX() is a preset maximum value determination function.
4. The target device repair method of claim 1, characterized in that Step S500 further includes: S510, based on HD, determine the repair urgency level DJ of the target device; S520, traverse the preset repair list library based on DJ and add the identifier corresponding to the target device to the corresponding target repair list; wherein the repair list library contains several repair lists; each repair list corresponds to a repair method and a repair urgency level; any two different repair lists correspond to different repair methods; any two different repair lists correspond to different vulnerability levels; any two different vulnerability levels correspond to different repair priorities; S530, repair the target device according to the corresponding target repair list.
5. The target device repair method of claim 4, wherein DJ satisfies the following condition: if HD ≤ FY1, the repair urgency level of the target device is determined to be Level 3; if FY1 < HD < FY2, the repair urgency level of the target device is determined to be Level 2; if HD ≥ FY2, the repair urgency level of the target device is determined to be Level 1; where FY1 is the preset first repair urgency threshold and FY2 is the preset second repair urgency threshold.
6. A target device repair apparatus, characterized in that the apparatus includes:
a vulnerability acquisition module, used to acquire vulnerabilities existing in the target device to obtain a target vulnerability set D = (D1, D2, ..., Di, ..., Dn); i = 1, 2, ..., n; where Di is the i-th vulnerability existing in the target device; n is the number of target vulnerabilities existing in the target device; each target vulnerability corresponds to at least one attack stage;
a critical type acquisition module, used to obtain a critical attack type set M = (M1, M2, ..., Mp, ..., Mq); p = 1, 2, ..., q; where q is the number of critical attack types; each preset attack type includes at least one attack step; Mp is the p-th critical attack type; a critical attack type is a preset attack type that contains at least one attack step corresponding to any target vulnerability; Mp = (Mp1, Mp2, ..., Mpb, ..., Mpf(p)); b = 1, 2, ..., f(p); f(p) is the number of critical attack steps of the p-th critical attack type; Mpb is the b-th critical attack step of the p-th critical attack type; a critical attack step is the attack step corresponding to the target vulnerability;
a scoring determination module, used to obtain a critical attack type score set H = (H1, H2, ..., Hp, ..., Hq) based on M; where Hp is the critical attack type score corresponding to Mp; Hp satisfies the following condition: $H_p = e^{G_p W_p}$, where Gp is the total device impact value of all associated devices corresponding to the target device; the associated devices communicate directly with the target device and directly control the target device; Wp is the completeness of the attack chain for the p-th critical attack type; $W_p = f(p) / NUM_p$; NUMp is the number of attack links corresponding to the p-th critical attack type;
a repair score acquisition module, used to determine the repair urgency score HD of the target device based on H;
a repair module, used to determine the repair urgency level of the target device based on HD and to repair the target device accordingly;
the repair score acquisition module is also used to: obtain the critical attack type scores in H whose attack chain completeness is greater than the preset attack chain completeness, obtaining the target attack type score set L = (L1, L2, ..., Lx, ..., Ly); x = 1, 2, ..., y; where Lx is the critical attack type score corresponding to the x-th attack chain completeness greater than the preset attack chain completeness; y is the number of critical attack type scores whose attack chain completeness is greater than the preset attack chain completeness; y ≤ q; and obtain the repair urgency score of the target device according to L; wherein z1, z2, ..., zx, ..., zy are preset attack type weights.
7. A non-transitory computer-readable storage medium having stored therein at least one instruction or at least one program segment, characterized in that the at least one instruction or the at least one program segment is loaded and executed by a processor to implement the method of any one of claims 1 to 6.
8. An electronic device, comprising: a processor and the non-transitory computer-readable storage medium of claim 7.
Citation Information
Patent Citations
Security measurement method of industrial control system based on attack graph
CN112114579A
Quantitative index optimization method for safety of industrial control system
CN116886329A