Network security vulnerability detection method, device and equipment

By proactively analyzing the request and response data in a network's inbound and outbound traffic, detecting sensitive information in responses, and reconstructing the corresponding requests, the method addresses the lag inherent in conventional vulnerability protection and detects and protects against network security vulnerabilities before an incident occurs.

CN119561757B · Active · Publication Date: 2026-06-12 · AGRICULTURAL BANK OF CHINA

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: AGRICULTURAL BANK OF CHINA
Filing Date: 2024-11-28
Publication Date: 2026-06-12

AI Technical Summary

Technical Problem

Existing technologies for protecting against cybersecurity vulnerabilities suffer from a lag in protection compared to the occurrence of events, resulting in poor protection effectiveness.

Method used

By proactively acquiring inbound and outbound network data of the target network, analyzing request and response data, detecting sensitive information and request elements, and reconstructing request data to detect potential vulnerabilities, proactive protection against network security vulnerabilities can be achieved.

Benefits of technology

It enables the detection of cybersecurity vulnerabilities before cybersecurity incidents occur, thus improving the effectiveness of protection.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN119561757B_ABST (abstract drawing)

Abstract

Embodiments of the present application provide a network security vulnerability detection method, device and equipment. The method comprises: obtaining access data of a target network and determining request data and response data pairs from it; in response to detecting, in the response data of a pair, sensitive information affecting data security, determining from the pair's request data the request element corresponding to the sensitive information; replacing the parameter of the request element and reconstructing the request data with the replaced request element to obtain target request data; obtaining, from the access data, the target response data corresponding to the target request data, and determining that the target network has a network security vulnerability if the sensitive information is detected in the target response data. The method improves the effectiveness of protection against network security vulnerabilities.

Description

Technical Field

[0001] This application relates to the field of communications, and in particular to a method, apparatus and device for detecting network security vulnerabilities.

Background Technology

[0002] As the cybersecurity situation becomes increasingly complex both domestically and internationally, the demand for network data security is also growing.

[0003] In terms of protecting against cybersecurity vulnerabilities, the relevant technologies are passive protection solutions: they collect and analyze the network request and response data of ongoing or past cybersecurity incidents caused by vulnerabilities in order to improve network security. They lack a proactive capability, that is, the ability to actively detect potential cybersecurity vulnerabilities and use the detected vulnerabilities for protection before a cybersecurity incident occurs.

[0004] Passive protection solutions suffer from the problem that their protection against network security vulnerabilities lags behind the occurrence of network security incidents, resulting in poor protection effectiveness.

Summary of the Invention

[0005] This application provides a method, apparatus, and device for detecting network security vulnerabilities, in order to improve the protection effect against network security vulnerabilities.

[0006] In a first aspect, embodiments of this application provide a network security vulnerability detection method, including:

[0007] Obtain inbound and outbound network data of the target network, and determine the request data and response data pairs from the inbound and outbound network data;

[0008] In response to detecting sensitive information affecting data security from the response data of the request data and response data pair, a request element corresponding to the sensitive information is determined from the request data of the request data and response data pair.

[0009] Replace the parameters of the request element, and reconstruct the request data using the request element with the replaced parameters to obtain the target request data;

[0010] Obtain the target response data from the inbound / outbound network data corresponding to the target request data. If the target response data contains the sensitive information, determine that the target network has a network security vulnerability.

[0011] In a second aspect, embodiments of this application provide a network security vulnerability detection device, comprising:

[0012] The data acquisition module is used to acquire inbound and outbound data of the target network and determine request data and response data pairs from the inbound and outbound data;

[0013] A data extraction module is used to determine the request element corresponding to the sensitive information from the request data and response data pair in response to detecting sensitive information affecting data security from the response data of the request data and response data pair.

[0014] The data reconstruction module is used to replace the parameters of the request element and reconstruct the request data using the request element with the replaced parameters to obtain the target request data;

[0015] The data analysis module is used to obtain the target response data in the inbound and outbound network data corresponding to the target request data. If the sensitive information is detected in the target response data, it is determined that the target network has a network security vulnerability.

[0016] In a third aspect, embodiments of this application provide network security vulnerability detection equipment, including a memory and a processor;

[0017] The memory stores computer-executed instructions;

[0018] The processor executes the computer-executable instructions stored in the memory, causing the processor to perform the method of the first aspect and/or any of its possible implementations as described above.

[0019] In a fourth aspect, embodiments of this application provide a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the method of the first aspect and/or any of its possible implementations.

Brief Description of the Drawings

[0020] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.

[0021] Figure 1 is a flowchart of the network security vulnerability detection method provided in this application;

[0022] Figure 2 is a second flowchart of the network security vulnerability detection method provided in this application;

[0023] Figure 3 is a schematic diagram of replacing the parameter of a purely numeric request element in the request data provided in this application;

[0024] Figure 4 is a schematic diagram of the network security vulnerability detection device provided in this application;

[0025] Figure 5 is a schematic diagram of the network security vulnerability detection equipment provided in this application.

[0026] The accompanying drawings illustrate specific embodiments of this application, which will be described in more detail below. These drawings and descriptions are not intended to limit the scope of the concept in any way, but rather to illustrate the concept of this application to those skilled in the art through reference to particular embodiments.

Detailed Description

[0027] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numbers in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this application. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this application as detailed in the appended claims.

[0028] First, the terms used in this application are explained:

[0029] JWT stands for JSON Web Token, a compact, URL-safe token format based on JSON for securely transmitting information between two parties. A JWT is digitally signed, so its contents can be verified and trusted. JWTs are commonly used for authentication and information exchange.

[0030] To protect network data security, enterprises and institutions currently adopt protective measures based on two aspects to address network data security risks caused by the leakage of sensitive information. One aspect is conducting network security vulnerability detection during incidents caused by network security vulnerabilities; the other is conducting analysis and processing related to network security vulnerabilities after such incidents occur.

[0031] Because the protective measures based on the above two aspects rely on alerts when a cybersecurity incident occurs or on post-incident detection, they cannot proactively detect cybersecurity vulnerabilities or estimate the potential losses caused by cybersecurity vulnerabilities before a cybersecurity incident occurs. Furthermore, since these protective measures rely on existing rules for regular expression matching or fingerprint matching of network data to extract relevant data causing cybersecurity vulnerabilities from network request and response data, the rule base used for matching has a high lag and the matching identification method is relatively simple, resulting in inaccurate data extraction and thus affecting the effectiveness of cybersecurity vulnerability protection.

[0032] Based on the above analysis, it can be concluded that the relevant technologies, which detect and analyze network security vulnerabilities when or after a network security incident occurs, have the technical problem of lagging behind the occurrence of network security incidents in protecting against network security vulnerabilities, resulting in poor protection effectiveness.

[0033] The network security vulnerability detection method, apparatus, and equipment provided in this application actively acquire inbound and outbound network data of the target network, analyze the inbound and outbound network data, and detect potential network security vulnerabilities. This proactively discovers network security vulnerabilities in the target network and solves the technical problem that the protection against network security vulnerabilities lags behind the occurrence of network data security incidents, resulting in poor protection effectiveness.

[0034] The technical solution of this application and how it solves the above-mentioned technical problems will be described in detail below with specific embodiments. These specific embodiments can be combined with each other, and the same or similar concepts or processes may not be described again in some embodiments. The embodiments of this application will be described below with reference to the accompanying drawings.

[0035] Figure 1 is a flowchart of the network security vulnerability detection method provided in this application. As shown in Figure 1, the method includes:

[0036] S101: Obtain the inbound and outbound data of the target network, and determine the request data and response data pairs from the inbound and outbound data.

[0037] The network security vulnerability detection method provided in this application detects whether a target network has network security vulnerabilities. The target network is an enterprise's internal network, which exchanges data with the external Internet through network ingress and egress points; inbound and outbound network data can therefore be obtained at these points. This data consists of multiple pairs of request data sent by clients and response data returned by the server.

[0038] S102: In response to detecting sensitive information affecting data security from the response data of the request data and response data pair, determine the request element corresponding to the sensitive information from the request data of the request data and response data pair.

[0039] In this step, the sensitive information affecting data security detected from the response data includes at least one data security threat point, and the request elements identified from the request data include at least one request element.

[0040] It should be noted that a data security threat point refers to a data security element in the response data. The data content of this data security element may result in the unauthorized acquisition, access, use, or disclosure of users' personal privacy or sensitive corporate information.

[0041] The request element refers to the request parameters in the request data. By changing these request parameters, the returned content corresponding to sensitive information in the response data may be affected.

[0042] S103: Replace the parameters of the request element and reconstruct the request data using the request element with the replaced parameters to obtain the target request data.

[0043] In this step, when replacing the parameters of the request elements, the replacement parameters used have the same data structure as the parameters corresponding to the original request elements. Compared with the original request data, the parameters corresponding to the request elements in the reconstructed target request data are not equal, while other parameters are equal.

[0044] S104: Obtain the target response data from the inbound / outbound data corresponding to the target request data. If sensitive information is detected in the target response data, determine that there is a network security vulnerability in the target network.

[0045] In this step, the target request data is sent into the target network via the network ingress/egress point, and the corresponding target response data is obtained. Note that this step is active: the reconstructed request is actually delivered to the target server, so the method probes the server rather than only inspecting captured traffic.

[0046] A confirmed cybersecurity vulnerability refers to a cybersecurity vulnerability that causes the leakage of user information or corporate information during network requests and responses.

[0047] The network security vulnerability detection method provided in this application actively acquires request and response data pairs from the inbound and outbound data of a target network. Sensitive information affecting data security is extracted from the response data, and corresponding request elements are extracted from the corresponding request data. The request data is reconstructed based on these request elements to obtain target request data with the same data structure. The presence of sensitive information in the target response data corresponding to the target request data determines whether a network security vulnerability exists in the target network. This allows for the detection of network security vulnerabilities before a network security incident occurs, thereby improving the effectiveness of network security vulnerability protection.

[0048] Figure 2 is a second flowchart of the network security vulnerability detection method provided in this application. As shown in Figure 2, this embodiment builds on Figure 1 and explains the network security vulnerability detection method in detail; the method includes:

[0049] S201: Obtain inbound and outbound network data of the target network from the full traffic backtracking device deployed at the network entry and exit points of the target network.

[0050] In this step, the full-traffic backtracking device deployed at the network ingress and egress points of the target network has the function of capturing network traffic data and can store the captured data. Network data can be captured using network interception devices or other means. The captured data can be stored in a database or on other devices with data storage capabilities. The method provided in this application does not limit the means of capturing network data or the storage method of the captured network data.

[0051] S202: Determine the request data and response data pairs from the incoming and outgoing network data, and preprocess the request data and response data pairs.

[0052] Generally, request and response data are encrypted before transmission to keep the exchange secure; data that is not encrypted is already plaintext. Network data is transmitted as a data stream, which is captured and stored at the network entry and exit points. Preprocessing of the request and response data therefore consists of two processes: data decryption and data formatting.

[0053] The data decryption process includes: if the request data and response data are encrypted, then the corresponding decryption algorithm is used to decrypt the request data and response data to obtain the plaintext data corresponding to each of the request data and response data.

[0054] The data formatting process includes: formatting the plaintext data of the request data and response data according to their respective data formats. For example, if the data format of the request data and response data is JSON, then the plaintext data of the request data and response data is formatted based on the JSON data format; if the data format of the request data and response data is XML, then the plaintext data of the request data and response data is formatted based on the XML data format.

[0055] It should be noted that, since the network security vulnerability detection method provided in this application is for detecting whether a target network has security vulnerabilities, the request data used in this step is the request data sent to the server of the target network, and the response data used is the response data returned from the server of the target network.
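The capture and preprocessing of S201 and S202, as an added example that is not part of the patent: it splits one direction of a captured HTTP/1.1 connection into messages using Content-Length, pairs the i-th request with the i-th response (HTTP/1.1 ordering on a keep-alive connection), and formats JSON and XML bodies as step S202 describes. The capture is constructed inline and already in plaintext; the decryption step is assumed to have run before this code, and the host name, paths and record values are placeholders.

```python
"""Pair captured HTTP/1.1 requests with responses and format their bodies (steps S201-S202)."""
from __future__ import annotations

import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


def _msg(start_line: str, headers: dict, body: str = "") -> str:
    """Build one HTTP/1.1 message with a correct Content-Length (used only for the sample data)."""
    hdrs = dict(headers)
    if body:
        hdrs["Content-Length"] = str(len(body.encode()))
    head = "\r\n".join([start_line] + [f"{k}: {v}" for k, v in hdrs.items()])
    return head + "\r\n\r\n" + body


# Constructed sample capture: two exchanges on one keep-alive connection, as a full-traffic
# capture device would store them. Plaintext here; decryption is assumed to have happened already.
CLIENT_STREAM = (
    _msg("GET /userinfo?id=10001 HTTP/1.1", {"Host": "app.example.internal", "Accept": "application/json"})
    + _msg("POST /api/profile HTTP/1.1", {"Host": "app.example.internal", "Content-Type": "application/xml"},
           "<query><cardId>10001</cardId></query>")
)
SERVER_STREAM = (
    _msg("HTTP/1.1 200 OK", {"Content-Type": "application/json"},
         '{"id": 10001, "name": "Zhang San", "mobile": "13800138000"}')
    + _msg("HTTP/1.1 200 OK", {"Content-Type": "application/xml"},
           "<profile><name>Li Si</name><mobile>13900139000</mobile></profile>")
)


@dataclass
class Message:
    start_line: str
    headers: dict   # header names lower-cased
    body: bytes


@dataclass
class Pair:
    method: str
    path: str
    request_params: dict    # query-string and body fields, flattened to strings
    response_status: int
    response_fields: dict   # formatted response body


def parse_stream(raw: str | bytes) -> list[Message]:
    """Split one direction of a captured connection into HTTP/1.1 messages using Content-Length."""
    data = raw.encode() if isinstance(raw, str) else raw
    messages, pos = [], 0
    while pos < len(data):
        head_end = data.find(b"\r\n\r\n", pos)
        if head_end < 0:
            raise ValueError("truncated message headers")
        lines = data[pos:head_end].decode("iso-8859-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        messages.append(Message(lines[0], headers, data[body_start:body_start + length]))
        pos = body_start + length
    return messages


def format_body(msg: Message) -> dict:
    """Format a body according to its declared data format (JSON or XML), as step S202 describes."""
    if not msg.body:
        return {}
    ctype = msg.headers.get("content-type", "")
    if "json" in ctype:
        return json.loads(msg.body)
    if "xml" in ctype:
        return {child.tag: child.text for child in ET.fromstring(msg.body)}
    return {"raw": msg.body.decode("utf-8", "replace")}


def pair_exchanges(client: str | bytes, server: str | bytes) -> list[Pair]:
    """Pair the i-th request with the i-th response on the connection (HTTP/1.1 ordering)."""
    requests, responses = parse_stream(client), parse_stream(server)
    if len(requests) != len(responses):
        raise ValueError("request/response count mismatch on connection")
    pairs = []
    for req, resp in zip(requests, responses):
        method, target, _ = req.start_line.split(" ", 2)
        url = urlsplit(target)
        params = dict(parse_qsl(url.query))
        params.update({k: str(v) for k, v in format_body(req).items()})
        status = int(resp.start_line.split(" ")[1])
        pairs.append(Pair(method, url.path, params, status, format_body(resp)))
    return pairs


if __name__ == "__main__":
    for p in pair_exchanges(CLIENT_STREAM, SERVER_STREAM):
        print(p.method, p.path, p.request_params, "->", p.response_status, p.response_fields)
```

Pairing by position only holds for one connection at a time: a capture device must first separate the stream per connection, and HTTP/2 multiplexing would need matching on stream identifiers instead.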

[0056] S203: Detect sensitive information that affects data security from the response data in the request data and response data pair.

[0057] The sensitive information affecting data security mentioned in this application refers to confidential data. Regarding data confidentiality, the method provided in this application focuses on preventing data from being accessed and used by unauthorized personnel or entities. It requires strict access control during data storage, transmission, and use. For example, it restricts access to relevant data through authentication, password protection, and other means.

[0058] Sensitive information affecting data security includes at least one of the following five types: basic personal information, personal identity information, personal social information, basic corporate information, and corporate business information. Each type of data comprises multiple data security elements, and each data security element corresponds to a data security threat point. For example:

[0059] The data security elements included in basic personal information include: name, gender, ethnicity, nationality, mobile phone number / landline number, email address, date of birth, address / household registration information, and other basic personal information.

[0060] The data security elements included in personal identity information include: genetic data, fingerprint, iris, facial, voiceprint and palm-print data, handwritten signatures, and other biometric characteristics (such as gait, video recordings, etc.).

[0061] Personal social information includes the following data security elements: property information (such as bank balance, transfer records, real estate records, etc.), financial information (such as credit information, insurance information, etc.), social relationship information, educational background information, family member information, and other social information.

[0062] The data security elements included in basic enterprise information include: credit information, tax information, undisclosed judicial information, and other basic enterprise information.

[0063] The data security elements included in enterprise business information include: confidentiality agreement information, financial information (such as investment and wealth management information, trust information, etc.), sales data (such as sales records, order information, etc.), supply chain data (such as supplier information, inventory status, logistics information, etc.), customer relationship management data (such as customer interaction records, service requests, complaint handling information, etc.), and other enterprise business information.

[0064] S204: In response to the detection of sensitive information affecting data security in the response data, the request element corresponding to the sensitive information is determined from the corresponding request data.

[0065] In this step, the data format of the request element corresponding to sensitive information includes at least one of the following five data formats: pure numeric data format, username data format, JWT data format, mobile phone number data format, and ID card number data format.

[0066] S205: Replace the parameters of the request element and reconstruct the request data using the request element with the replaced parameters to obtain the target request data.

[0067] In this step, the parameters of the request elements can be replaced by enumeration: for each request element, a replacement parameter with the same data format is generated and substituted for the original parameter. For example, for a purely numeric request element whose original parameter is 10001, enumeration may generate the replacement parameter 10010, which then replaces 10001 in the request data to obtain the target request data. Figure 3 is a schematic diagram of replacing the parameter of a purely numeric request element in the request data provided in this application. As shown in Figure 3, the request data is an HTTP/1.1 GET request in which the id parameter of the user information (userinfo) is 10001; after reconstruction, the target request data is an HTTP/1.1 GET request in which the id parameter of userinfo is 10010.
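Same-format replacement for the five request-element formats listed in S204, as an added example rather than the application's own implementation. classify recognises the format, and replacements enumerates neighbouring values that keep the data structure: width-preserving increments for pure numbers, a preserved carrier prefix for mobile numbers, a recomputed check digit for 18-digit resident ID numbers, a numeric suffix for usernames, and a re-encoded subject claim for JWTs. The mobile and ID-card conventions assumed are those of mainland China, and the claim names tried for JWTs (sub, uid, user_id, id) are an assumption.

```python
"""Classify a request-element parameter into the five formats of step S204 and generate
same-format replacement parameters for step S205."""
from __future__ import annotations

import base64
import json
import re

# Recognisers for the five data formats the application lists. The mobile and ID-card
# patterns follow mainland-China conventions (assumption about the deployment context).
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
MOBILE_RE = re.compile(r"^1[3-9]\d{9}$")
ID_CARD_RE = re.compile(r"^\d{17}[\dX]$")
NUMERIC_RE = re.compile(r"^\d+$")
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.]{2,31}$")

_ID_WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
_ID_CHECK = "10X98765432"


def id_card_check_digit(first17: str) -> str:
    """ISO 7064 MOD 11-2 check digit used by 18-digit resident ID numbers."""
    total = sum(int(d) * w for d, w in zip(first17, _ID_WEIGHTS))
    return _ID_CHECK[total % 11]


def classify(value: str) -> str:
    """Order matters: mobile and ID-card values are also pure digit strings."""
    if JWT_RE.match(value):
        return "jwt"
    if MOBILE_RE.match(value):
        return "mobile"
    if ID_CARD_RE.match(value) and id_card_check_digit(value[:17]) == value[17]:
        return "id_card"
    if NUMERIC_RE.match(value):
        return "numeric"
    if USERNAME_RE.match(value):
        return "username"
    return "unknown"


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def replacements(value: str, n: int = 3) -> list[str]:
    """Enumerate n replacement parameters that keep the data structure of `value` (step S205)."""
    kind = classify(value)
    if kind == "numeric":
        # Keep the width so that zero-padded identifiers stay the same length.
        return [str(int(value) + i).zfill(len(value)) for i in range(1, n + 1)]
    if kind == "mobile":
        # Keep the 7-digit carrier/region prefix, vary the subscriber part.
        prefix, tail = value[:7], int(value[7:])
        return [prefix + str((tail + i) % 10000).zfill(4) for i in range(1, n + 1)]
    if kind == "id_card":
        # Keep region code and birth date, vary the sequence number, recompute the check digit.
        prefix, seq = value[:14], int(value[14:17])
        out = []
        for i in range(1, n + 1):
            body = prefix + str((seq + i) % 1000).zfill(3)
            out.append(body + id_card_check_digit(body))
        return out
    if kind == "username":
        m = re.fullmatch(r"(.*?)(\d*)", value)
        base, num = m.group(1), int(m.group(2) or 0)
        return [f"{base}{num + i}" for i in range(1, n + 1)]
    if kind == "jwt":
        # Re-encode the payload with a neighbouring subject claim and keep the original
        # signature segment: a server that verifies signatures must reject the result,
        # which is exactly what the probe is meant to find out.
        header, payload, signature = value.split(".")
        try:
            claims = json.loads(_b64url_decode(payload))
        except ValueError:          # dotted value that is not really a JWT
            return []
        key = next((k for k in ("sub", "uid", "user_id", "id") if k in claims), None)
        if key is None:
            return []
        out = []
        for cand in replacements(str(claims[key]), n):
            new_claims = dict(claims)
            new_claims[key] = int(cand) if isinstance(claims[key], int) else cand
            encoded = _b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
            out.append(".".join([header, encoded, signature]))
        return out
    return []


def make_sample_jwt(subject: str) -> str:
    """Constructed token for demonstration; the signature segment is a placeholder, not a real MAC."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps({"sub": subject, "name": "demo"}, separators=(",", ":")).encode())
    return f"{header}.{payload}.placeholder-signature"


def jwt_claims(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[1]))
```

The check-digit recomputation is not cosmetic: without it a server that validates the ID number would reject the probe before any authorization logic runs, and the detector would wrongly report no leak. The JWT branch works the other way round on purpose, keeping the stale signature so that the probe distinguishes a server that verifies signatures from one that merely decodes the payload.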

[0068] S206: In response to the detection of sensitive information in the target response data, it is determined that a network security vulnerability exists in the target network.

[0069] This step is the same as the step in Figure 1 for determining that a network security vulnerability exists in the target network, and is not repeated here.

[0070] S207: In response to the determination that a network security vulnerability exists in the target network, the parameters of the request elements are replaced in batches, and the request data is reconstructed using the request elements with the replaced parameters to obtain multiple target request data.

[0071] In this step, the way multiple target request data are obtained by reconstructing the request data is the same as the reconstruction step in Figure 1, and is not repeated here.

[0072] It should be noted that making batch network requests with the batch-reconstructed request data simulates an attacker exploiting the network security vulnerability, and provides the analytical data for the subsequent assessment of the vulnerability's scale.

[0073] S208: Determine the scale of a network security vulnerability based on the target response data in the inbound and outbound network data corresponding to multiple target request data.

[0074] In this step, the scale of cybersecurity vulnerabilities is assessed by analyzing the number of request and response pairs with cybersecurity vulnerabilities in the batch of target request and response data, and the number of request and response pairs without cybersecurity vulnerabilities. This assessment facilitates the protection against cybersecurity vulnerabilities based on the results.

[0075] In the steps described above, the method provided in this application actively acquires inbound and outbound network data from the enterprise's internal network, analyzes the request and response data pairs, and determines whether network security vulnerabilities exist within the enterprise's internal network. This moves the detection of network security vulnerabilities ahead of any network security incident. After a network security vulnerability is discovered, request data is reconstructed in batches and the resulting network requests are sent to the enterprise's internal network to simulate an attacker exploiting the vulnerability. By comparing the number of request/response pairs that exhibit the vulnerability with the number that do not, the scale of the network security vulnerability is estimated, and protection can be planned on the basis of the assessment.

[0076] In some implementations of this embodiment, in order to improve the recognition rate of sensitive information and request elements, detect sensitive information that affects data security from response data, and determine the request elements corresponding to the sensitive information from request data, the method includes: inputting request data and response data into a pre-trained language processing model, and having the language processing model output the sensitive information and request elements.

[0077] The training process for the above language processing model includes the following four stages:

[0078] Pre-training phase: Acquire multiple historical request and response data pairs; these pairs include those with and without cybersecurity vulnerabilities; construct a training dataset based on these pairs to pre-train the language processing model, resulting in the pre-trained language processing model.

[0079] It should be noted that in this stage, the training dataset consists of multiple historical request and response data pairs that have undergone text cleaning, deduplication, and other processing. The language processing model obtained after the pre-training stage can identify the data structure of the data messages corresponding to the request and response data.

[0080] Instruction fine-tuning stage: The parameters of the pre-trained language processing model are fine-tuned using instruction data to obtain the fine-tuned language processing model; wherein, the instruction data is used to instruct the language processing model to identify request elements and sensitive information.

[0081] In this stage, the instruction data consists of multiple pairs of request data and response data. The request elements in the request data and the sensitive information in the response data are all labeled with identifiable tags so that the language processing model can learn to recognize the request elements in the request data and the sensitive information in the response data.

[0082] Reward model training phase: During training, reward information is determined based on the relationship between the output of the language processing model and the true output value according to the preset reward function; the parameters of the language processing model are adjusted according to the reward information.

[0083] In this stage, the reward function is designed to determine the relationship between the output of the language processing model and the true output value, and to assign higher scores to samples of request data and response data pairs that correctly identify request elements and / or data security threats. This guides the language processing model to adjust its parameters based on the scores, thereby optimizing the recognition performance of the language processing model.

[0084] Reinforcement learning fine-tuning phase: Based on the sensitive information and request elements output by the language processing model and the actual determined sensitive information and request elements, the parameters of the language processing model are fine-tuned.

[0085] In this stage, the generated language processing model is put into real-world application scenarios for learning, and the model parameters are adjusted in real time based on actual feedback information so that the model can adapt to the ever-changing network environment.

[0086] The following example illustrates the implementation process of a real-world network security vulnerability detection method, providing a detailed explanation of the method provided in this application.

[0087] The full-traffic backtracking device at a company's Internet gateway collected all inbound and outbound traffic of the company's internal network over the past three months and stored it in a database. A search of the stored data found a response that contained a user's name and mobile phone number. Backtracking to the corresponding request yielded a request and response data pair.

[0088] Analysis showed that the response data and the corresponding request data had been encrypted with an encryption algorithm. Decrypting them with the corresponding decryption algorithm yielded their plaintext. Analysis of the plaintext request data with the language processing model confirmed the presence of a purely numeric request element, CardID. By enumeration, a new CardID in the same data format was generated (here, chosen at random) and substituted for the original CardID, yielding the target request data.

[0089] The target request data is used to send a network request to a server on the enterprise's intranet, and the target response data is returned by the server.

[0090] The language processing model was used to detect the user's name and mobile phone number information corresponding to the newly generated CardID from the target response data, thereby confirming the discovery of a network security vulnerability.

[0091] Using the same method, multiple target request data with different CardIDs are constructed in batches, and multiple network requests are sent to the server on the enterprise's intranet using the batch-constructed target request data, resulting in multiple target response data returned by the server.

[0092] The language processing model is used to analyze the multiple target request data and target response data pairs sent in this batch. The number of request-response data pairs that detect request elements from the target request data and sensitive information from the target response data is counted. The counts are analyzed and compared with the total number of request-response pairs to estimate the scale of the network security vulnerability. Based on the scale of the network security vulnerability, specific protective measures are taken.
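The full detection loop of S203 to S208, followed through the CardID walk-through above, as an added example; the patent supplies no code and none of this is the applicant's implementation. The server is simulated by two functions over constructed records: vulnerable_server returns whatever id is asked for, and hardened_server adds the object-level authorization check that closes the hole (the class of flaw the probe finds is commonly called insecure direct object reference or broken object level authorization). The session header name, the record set and the sensitive-data regular expressions are assumptions; a deployment would use the rule set or the language processing model the application describes.

```python
"""End-to-end check (steps S203-S208): detect sensitive data in a response, vary the
request element, probe the server, then estimate the scale of the leak by batch probing."""
from __future__ import annotations

import json
import re
from typing import Callable
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Detector for the response side (S203). Constructed rule set covering a few of the
# basic-personal-information elements the application lists.
SENSITIVE_PATTERNS = {
    "mobile": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "id_card": re.compile(r"(?<![\dX])\d{17}[\dX](?![\dX])"),
}


def detect_sensitive(text: str) -> dict[str, list[str]]:
    """Return the sensitive elements found in a response body, keyed by element type."""
    found = {k: p.findall(text) for k, p in SENSITIVE_PATTERNS.items()}
    return {k: v for k, v in found.items() if v}


# Simulated intranet server (assumption, not part of the application). Records are constructed.
# A request is a dict with "url" and "headers"; the session user travels in X-Session-User.
RECORDS = {10000 + i: {"name": f"User {i}", "mobile": f"1380013{i:04d}"} for i in range(1, 9)}
Server = Callable[[dict], tuple[int, str]]


def _params(request: dict) -> dict:
    return dict(parse_qsl(urlsplit(request["url"]).query))


def vulnerable_server(request: dict) -> tuple[int, str]:
    """Returns any record whose id is requested: the leak the method is designed to find."""
    rec = RECORDS.get(int(_params(request).get("id", -1)))
    return (404, "{}") if rec is None else (200, json.dumps(rec))


def hardened_server(request: dict) -> tuple[int, str]:
    """Same endpoint with an object-level authorization check against the session user."""
    if _params(request).get("id") != request["headers"].get("X-Session-User"):
        return 403, '{"error": "forbidden"}'
    return vulnerable_server(request)


SAMPLE_REQUEST = {"url": "http://app.example.internal/userinfo?id=10001",
                  "headers": {"X-Session-User": "10001"}}


# Steps S204-S206
def request_elements(request: dict) -> dict[str, str]:
    """Request parameters that may select the returned record (pure-numeric ones here)."""
    return {k: v for k, v in _params(request).items() if v.isdigit()}


def reconstruct(request: dict, name: str, new_value: str) -> dict:
    """Replace one request element; everything else, session header included, stays equal."""
    parts = urlsplit(request["url"])
    query = dict(parse_qsl(parts.query))
    query[name] = new_value
    return {**request, "url": urlunsplit(parts._replace(query=urlencode(query)))}


def _neighbour(value: str, step: int) -> str:
    return str(int(value) + step).zfill(len(value))


def check_pair(server: Server, request: dict, response_body: str) -> dict | None:
    """One request/response pair: report the leaking request element, or None."""
    if not detect_sensitive(response_body):
        return None
    for name, value in request_elements(request).items():
        probe_value = _neighbour(value, 1)
        status, body = server(reconstruct(request, name, probe_value))
        if status == 200 and detect_sensitive(body):
            return {"element": name, "original": value, "probe": probe_value}
    return None


# Steps S207-S208
def estimate_scale(server: Server, request: dict, name: str, value: str, count: int) -> dict:
    """Batch-probe `count` neighbouring values and report how many of them leak sensitive data."""
    leaking = 0
    for step in range(1, count + 1):
        status, body = server(reconstruct(request, name, _neighbour(value, step)))
        if status == 200 and detect_sensitive(body):
            leaking += 1
    return {"probed": count, "leaking": leaking, "ratio": leaking / count}


if __name__ == "__main__":
    for label, srv in (("vulnerable", vulnerable_server), ("hardened", hardened_server)):
        _, body = srv(SAMPLE_REQUEST)
        finding = check_pair(srv, SAMPLE_REQUEST, body)
        scale = estimate_scale(srv, SAMPLE_REQUEST, "id", "10001", 10) if finding else None
        print(label, finding, scale)
```

estimate_scale sends live requests, so in practice it is run only with authorization for the target, under rate limiting, and with identifiers drawn from the same range as the original; the ratio it reports is relative to the probed range, not to the whole record set.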

[0093] Figure 4 is a schematic diagram of the network security vulnerability detection device provided in this application. As shown in Figure 4, the network security vulnerability detection device 40 provided in this embodiment includes:

[0094] The data acquisition module 401 is used to acquire the inbound and outbound data of the target network and determine the request data and response data pairs from the inbound and outbound data.

[0095] The data extraction module 402 is used to determine the request element corresponding to the sensitive information from the request data of the request data and response data pair in response to the detection of sensitive information affecting data security from the response data of the request data and response data pair.

[0096] The data reconstruction module 403 is used to replace the parameters of the request elements and reconstruct the request data using the request elements with the replaced parameters to obtain the target request data.

[0097] The data analysis module 404 is used to obtain the target response data in the inbound and outbound network data corresponding to the target request data. If sensitive information is detected in the target response data, it is determined that there is a network security vulnerability in the target network.

[0098] In one possible implementation, the data extraction module 402 is further configured to input the request data and response data pair into a pre-trained language processing model, which outputs sensitive information and the request elements.

[0099] In one possible implementation, the data reconstruction module 403 is further configured to, in response to determining that a network security vulnerability exists in the target network, batch replace the parameters of the request elements, and reconstruct the request data using the request elements with the replaced parameters, thereby obtaining multiple target request data.

[0100] The data analysis module 404 is also used to determine the scale of network security vulnerabilities based on the target response data in the inbound and outbound network data corresponding to multiple target request data.

[0101] In one possible implementation, the data extraction module 402 is further configured to obtain a trained language processing model using the following model training operations: acquiring multiple historical request and response data pairs; the multiple historical request and response data pairs include request and response data pairs with and without network security vulnerabilities; constructing a training dataset based on the multiple historical request and response data pairs, pre-training the language processing model, and obtaining a pre-trained language processing model; fine-tuning the parameters of the pre-trained language processing model using instruction data, and obtaining a fine-tuned language processing model; wherein, the instruction data is used to instruct the language processing model to identify request elements and sensitive information.

[0102] In one possible implementation, the data extraction module 402 is further used to determine reward information during training based on the relationship between the output of the language processing model and the true output value according to the preset reward function; and to adjust the parameters of the language processing model based on the reward information.

[0103] In one possible implementation, the data extraction module 402 is further used to fine-tune the parameters of the language processing model based on the sensitive information and request elements output by the language processing model and the actually determined sensitive information and request elements.

[0104] In one possible implementation, the sensitive information affecting data security extracted by the data extraction module 402 includes at least one of the following five types of data: basic personal information, personal identity information, personal social information, basic enterprise information, and enterprise business information.

[0105] The data format of the request element corresponding to sensitive information includes at least one of the following five data formats: pure numeric data format, username data format, JWT data format, mobile phone number data format, and ID card number data format.

[0106] The network security vulnerability detection device provided in this embodiment can execute the method provided in the above method embodiment. Its implementation principle and technical effect are similar, and will not be described in detail here.

[0107] Figure 5 is a structural diagram of the network security vulnerability detection device provided in this application. As shown in Figure 5, the electronic device 50 provided in this embodiment includes at least one processor 501 and a memory 502. Optionally, the device 50 further includes a communication component 503. The processor 501, memory 502, and communication component 503 are connected via a bus 504.

[0108] In a specific implementation, the at least one processor 501 executes computer-executable instructions stored in the memory 502, causing the at least one processor 501 to perform the above-described method.

[0109] The specific implementation process of processor 501 can be found in the above method embodiments, and its implementation principle and technical effect are similar. It will not be repeated here.

[0110] In the above embodiments, it should be understood that the processor can be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), etc. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the method disclosed in this invention can be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules within the processor.

[0111] The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), such as at least one disk storage device.

[0112] The bus can be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus, etc. Buses can be categorized as address buses, data buses, control buses, etc. For ease of illustration, the buses shown in the accompanying drawings are not limited to a single bus or a single type of bus.

[0113] This application also provides a computer program product, including a computer program that, when executed by a processor, implements the above-described method.

[0114] This application also provides a computer-readable storage medium storing computer-executable instructions, which, when executed by a processor, implement the above-described method.

[0115] The aforementioned readable storage medium can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic storage, flash memory, magnetic disk, or optical disk. The readable storage medium can be any available medium accessible to a general-purpose or special-purpose computer.

[0116] An exemplary readable storage medium is coupled to a processor, enabling the processor to read information from and write information to the readable storage medium. Of course, the readable storage medium can also be a component of the processor. The processor and the readable storage medium can reside in an Application Specific Integrated Circuit (ASIC). Alternatively, the processor and the readable storage medium can exist as discrete components in the device.

[0117] The division of units is merely a logical functional division; in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices, or units, and may be electrical, mechanical, or other forms.

[0118] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0119] In addition, the functional units in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.

[0120] If a function is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this invention, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods of the various embodiments of this invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0121] Those skilled in the art will understand that all or part of the steps of the above-described method embodiments can be implemented by hardware related to program instructions. The aforementioned program can be stored in a computer-readable storage medium. When executed, the program performs the steps of the above-described method embodiments; and the aforementioned storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks, or optical disks.

[0122] Finally, it should be noted that other embodiments of the invention will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This invention is intended to cover any variations, uses, or adaptations of the invention that follow the general principles of the invention and include common knowledge or customary techniques in the art not disclosed herein, and is not limited to the precise structures described above and shown in the accompanying drawings, and various modifications and changes can be made without departing from its scope. The scope of the invention is limited only by the appended claims.

Claims

1. A method for detecting network security vulnerabilities, characterized in that it comprises: obtaining inbound and outbound network data of a target network, and determining request data and response data pairs from the inbound and outbound network data; detecting sensitive information that affects data security from the response data of the request data and response data pair, wherein the sensitive information affecting data security refers to data security elements contained in the response data that involve user personal privacy or sensitive corporate information, and the sensitive information affecting data security includes at least one of the following five types of information: basic personal information, personal identity information, personal social information, basic corporate information, and corporate business information, wherein the basic personal information includes name, gender, contact information, and address information; the personal identity information includes at least one of genetic information, fingerprints, voiceprints, facial features, palm prints, and handwritten signatures; the personal social information includes at least one of property information, social relationship information, educational information, and family member information; the basic corporate information includes at least one of credit information, tax information, and undisclosed judicial information; and the corporate business information includes at least one of confidentiality agreement information, sales data, supply chain data, and customer relationship management data; in response to detecting sensitive information affecting data security from the response data of the request data and response data pair, determining a request element corresponding to the sensitive information from the request data of the request data and response data pair; replacing the parameter of the request element, and reconstructing the request data using the request element with the replaced parameter to obtain target request data; and obtaining target response data from the inbound and outbound network data corresponding to the target request data, and, if the target response data contains the sensitive information, determining that the target network has a network security vulnerability.

2. The method according to claim 1, characterized in that determining the request element corresponding to the sensitive information from the request data of the request data and response data pair, in response to detecting sensitive information affecting data security from the response data of the request data and response data pair, comprises: inputting the request data and response data into a pre-trained language processing model, which then outputs the sensitive information and the request element.

3. The method according to claim 1, characterized in that the method further comprises: in response to determining that the target network has a network security vulnerability, replacing the parameters of the request elements in batches, and reconstructing the request data using the request elements with the replaced parameters to obtain multiple target request data; and determining the scale of the network security vulnerability based on the target response data in the inbound and outbound network data corresponding to the multiple target request data.

4. The method according to any one of claims 1-3, characterized in that the method further comprises a model training operation for obtaining a trained language processing model: acquiring multiple historical request and response data pairs, the multiple historical request and response data pairs including request and response data pairs with network security vulnerabilities and request and response data pairs without network security vulnerabilities; constructing a training dataset based on the multiple historical request and response data pairs, and pre-training the language processing model to obtain the pre-trained language processing model; and fine-tuning the parameters of the pre-trained language processing model using instruction data to obtain a fine-tuned language processing model, wherein the instruction data is used to instruct the language processing model to identify request elements and sensitive information.

5. The method according to claim 4, characterized in that the model training operation further comprises: during training, determining reward information based on the relationship between the output of the language processing model and the true value of the output according to a preset reward function; and adjusting the parameters of the language processing model based on the reward information.

6. The method according to claim 5, characterized in that the method further comprises: fine-tuning the parameters of the language processing model based on the sensitive information and request elements output by the language processing model and the actually determined sensitive information and request elements.

7. The method according to claim 1, characterized in that the data format of the request element corresponding to the sensitive information includes at least one of the following five data formats: pure numeric data format, username data format, JWT data format, mobile phone number data format, and ID card number data format.

8. A network security vulnerability detection device, characterized in that it comprises: a data acquisition module, used to acquire inbound and outbound data of a target network and determine request data and response data pairs from the inbound and outbound data; a data extraction module, used to detect sensitive information that affects data security from the response data of the request data and response data pair, wherein the sensitive information affecting data security refers to data security elements contained in the response data that involve user personal privacy or enterprise sensitive information, and the sensitive information affecting data security includes at least one of the following five types of information: basic personal information, personal identity information, personal social information, basic enterprise information, and enterprise business information, wherein the basic personal information includes name, gender, contact information, and address information; the personal identity information includes at least one of genetic information, fingerprint, voiceprint, facial features, palm print, and handwritten signature; the personal social information includes at least one of property information, social relationship information, educational information, and family member information; the basic enterprise information includes at least one of credit information, tax information, and undisclosed judicial information; and the enterprise business information includes at least one of confidentiality contract information, sales data, supply chain data, and customer relationship management data; and, in response to detecting sensitive information affecting data security from the response data of the request data and response data pair, to determine the request element corresponding to the sensitive information from the request data of the request data and response data pair; a data reconstruction module, used to replace the parameter of the request element and reconstruct the request data using the request element with the replaced parameter to obtain target request data; and a data analysis module, used to obtain target response data in the inbound and outbound network data corresponding to the target request data and, if the sensitive information is detected in the target response data, to determine that the target network has a network security vulnerability.

9. A device for discovering enterprise data security vulnerabilities, characterized in that it comprises: a memory and a processor; the memory stores computer-executable instructions; and the processor executes the computer-executable instructions stored in the memory, causing the processor to perform the method according to any one of claims 1-7.

10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer-executable instructions which, when executed by a processor, implement the method according to any one of claims 1-7.