CN-119622742-B - Vulnerability exploitation time prediction method, device, computer equipment and storage medium
Abstract
The embodiments of the application provide a vulnerability exploitation time prediction method, apparatus, computer device, storage medium and computer program product, and relate to the technical field of network security. The method comprises: obtaining vulnerability feature data of a target vulnerability; obtaining a heterogeneous vulnerability feature graph of the target vulnerability according to the vulnerability feature data; when the exploitation rate of the target vulnerability is greater than a preset exploitation threshold, using a pre-built exploit prediction model to obtain target combination features of the target vulnerability based on the heterogeneous vulnerability feature graph; and using a pre-built exploit time prediction model to obtain the exploit time of the target vulnerability based on the target combination features. The method improves the accuracy of exploit prediction and of exploit time prediction.
Inventors
- LIU YONGCHENG
- HUANG HUAN
- Qin Zongguo
Assignees
- 中国人寿保险股份有限公司
Dates
- Publication Date: 20260505
- Application Date: 20241129
Claims (7)
- 1. A method for exploit time prediction, the method comprising: obtaining vulnerability feature data of a target vulnerability, wherein the vulnerability feature data comprises vulnerability description text data and vulnerability inherent feature data; determining multiple kinds of nodes of the target vulnerability and node information of each kind of node, wherein the multiple kinds of nodes comprise word nodes, document nodes, feature nodes, author nodes and vulnerability nodes; determining a plurality of edges of the target vulnerability according to the node information, wherein determining the plurality of edges comprises: for any current word node among the plurality of word nodes of the target vulnerability, constructing an edge between the current word node and the current document node with the term frequency-inverse document frequency (TF-IDF) value of the current word node as the edge weight value, and determining edges between the current word node and the other word nodes according to the degree of association between the current word node and those other word nodes; constructing a heterogeneous vulnerability feature graph of the target vulnerability from the nodes and the edges; when the exploitation probability value of the target vulnerability is greater than a preset exploitation threshold, performing feature extraction on the heterogeneous vulnerability feature graph using a first convolution layer contained in a pre-constructed exploit prediction model to obtain vulnerability feature information of the target vulnerability, and obtaining target combination features of the target vulnerability from the vulnerability feature information and the heterogeneous vulnerability feature graph; and obtaining the exploit time of the target vulnerability based on the target combination features using a pre-constructed regression model based on a gradient boosting decision tree.
- 2. The method of claim 1, wherein the multiple kinds of nodes include word nodes and document nodes; the determining of the multiple kinds of nodes of the target vulnerability includes: taking each document in a plurality of documents contained in the vulnerability feature data as a document node; performing word segmentation on the document text data of each document to obtain a plurality of words of each document; and taking each word in the plurality of words as a word node to obtain a plurality of word nodes.
- 3. The method of claim 2, wherein the node information of the word node includes a weight value of a node weight; the determining, according to the node information, of a plurality of edges of the target vulnerability includes: obtaining the weight value of the node weight of any current word node among the plurality of word nodes; determining the current document node corresponding to the current word node; and determining the edge between the current word node and the current document node according to the weight value of the node weight.
- 4. The method of claim 2, wherein the multiple kinds of nodes further comprise a feature node, an author node, and a vulnerability node; the determining of the plurality of edges of the target vulnerability includes: determining a feature value of the feature node, and determining the edge between the document node and the feature node according to the feature value; determining that the edge weight value of the edge between the vulnerability node and the document node is 1; and determining that the edge weight value of the edge between the author node and the document node is 1.
- 5. An exploit time prediction apparatus, the apparatus comprising: a data acquisition module, used for obtaining vulnerability feature data of a target vulnerability; a feature graph construction module, used for determining multiple kinds of nodes of the target vulnerability and node information of each kind of node, wherein the multiple kinds of nodes comprise word nodes, document nodes, feature nodes, author nodes and vulnerability nodes, and for determining a plurality of edges of the target vulnerability according to the node information, wherein determining the plurality of edges comprises: for any current word node among the plurality of word nodes of the target vulnerability, constructing an edge between the current word node and the current document node with the term frequency-inverse document frequency (TF-IDF) value of the current word node as the edge weight value, and determining edges between the current word node and the other word nodes according to the degree of association between the current word node and those other word nodes; a feature extraction module, used for, when the exploitation probability value of the target vulnerability is greater than a preset exploitation threshold, performing feature extraction on the heterogeneous vulnerability feature graph using a first convolution layer contained in a pre-constructed exploit prediction model to obtain vulnerability feature information of the target vulnerability, and obtaining target combination features of the target vulnerability from the vulnerability feature information and the heterogeneous vulnerability feature graph; and a prediction module, used for obtaining the exploit time of the target vulnerability based on the target combination features using a pre-constructed regression model based on a gradient boosting decision tree.
- 6. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1-4 when the computer program is executed.
- 7. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method according to any of claims 1-4.
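The graph construction recited in claims 1 to 4, as an added example that is not code from the patent or its applicant. The sample records, the `cvss` feature name, the use of the raw feature value as an edge weight, and the choice of document-level PMI as the "degree of association" between words are all assumptions; the claims do not specify them.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed sample records (not from the patent): one description document
# per vulnerability; "cvss" stands in for an inherent feature (assumption).
DOCS = {
    "d1": {"vuln": "VULN-A", "author": "alice", "features": {"cvss": 9.8},
           "text": "remote buffer overflow in parser"},
    "d2": {"vuln": "VULN-B", "author": "bob", "features": {"cvss": 7.5},
           "text": "buffer overflow in image parser"},
    "d3": {"vuln": "VULN-C", "author": "alice", "features": {"cvss": 8.1},
           "text": "sql injection in login form"},
}

def build_graph(docs):
    """Return {(node_a, node_b): weight}; node names carry a type prefix."""
    tokens = {d: rec["text"].lower().split() for d, rec in docs.items()}
    n = len(docs)
    # Document frequency: in how many documents each word occurs.
    df = Counter(w for toks in tokens.values() for w in set(toks))
    edges = {}
    for d, rec in docs.items():
        for w, count in Counter(tokens[d]).items():
            # Word-document edge weighted by TF-IDF (claims 1 and 3).
            tfidf = (count / len(tokens[d])) * math.log(n / df[w])
            edges[(f"word:{w}", f"doc:{d}")] = tfidf
        for name, value in rec["features"].items():
            # Document-feature edge derived from the feature value (claim 4);
            # using the raw value as the weight is an assumption.
            edges[(f"doc:{d}", f"feat:{name}")] = float(value)
        # Vulnerability-document and author-document edges have weight 1.
        edges[(f"vuln:{rec['vuln']}", f"doc:{d}")] = 1.0
        edges[(f"author:{rec['author']}", f"doc:{d}")] = 1.0
    # Word-word edges by "degree of association". The measure is assumed here
    # to be document-level PMI; only positively associated pairs are linked.
    pairs = Counter(p for toks in tokens.values()
                    for p in combinations(sorted(set(toks)), 2))
    for (a, b), co in pairs.items():
        pmi = math.log(co * n / (df[a] * df[b]))
        if pmi > 0:
            edges[(f"word:{a}", f"word:{b}")] = pmi
    return edges

if __name__ == "__main__":
    for edge, weight in sorted(build_graph(DOCS).items()):
        print(edge, round(weight, 4))
```

A word that occurs in every document ("in" in the sample) gets a TF-IDF weight of 0, so its word-document edges carry no signal into the later convolution and regression stages.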
Description
Vulnerability exploitation time prediction method, device, computer equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular to a method, an apparatus, a computer device, a storage medium, and a computer program product for predicting exploit time.
Background
In the field of network security, vulnerabilities are weaknesses in software products that an attacker can exploit to compromise the confidentiality, integrity or availability of the system hosting the product and cause damage, potentially with immeasurably serious consequences. In general, to guarantee network security, the exploitability of vulnerabilities and their exploit time need to be predicted.
In the related art, vulnerability features are extracted incompletely, which leads to low accuracy in predicting vulnerability exploitability and exploit time and is not conducive to guaranteeing network security.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a method, an apparatus, a computer device, a storage medium, and a computer program product for exploit time prediction.
In a first aspect, the present application provides a method for exploit time prediction.
The method comprises the following steps: obtaining vulnerability feature data of a target vulnerability; obtaining a heterogeneous vulnerability feature graph of the target vulnerability according to the vulnerability feature data; when the exploitation rate of the target vulnerability is greater than a preset exploitation threshold, using a pre-constructed exploit prediction model to obtain target combination features of the target vulnerability based on the heterogeneous vulnerability feature graph; and using a pre-constructed exploit time prediction model to obtain the exploit time of the target vulnerability based on the target combination features.
In one embodiment, obtaining the heterogeneous vulnerability feature graph of the target vulnerability according to the vulnerability feature data includes: determining multiple kinds of nodes of the target vulnerability and node information of the nodes; determining a plurality of edges of the target vulnerability according to the node information; and constructing the heterogeneous vulnerability feature graph of the target vulnerability from the nodes and the edges.
In one embodiment, the multiple kinds of nodes comprise word nodes and document nodes, and determining the multiple kinds of nodes of the target vulnerability comprises: taking each of the multiple documents contained in the vulnerability feature data as a document node; performing word segmentation on the document text data of each document to obtain multiple words of each document; and taking each of the multiple words as a word node to obtain multiple word nodes.
In one embodiment, the node information of the word nodes comprises weight values of node weights, and determining the plurality of edges of the target vulnerability according to the node information comprises: obtaining the weight value of the node weight of any current word node among the word nodes; determining the current document node corresponding to the current word node; and determining the edge between the current word node and the current document node according to the weight value of the node weight.
In one embodiment, determining the plurality of edges of the target vulnerability according to the node information includes: obtaining the degree of association between any current word node among the plurality of word nodes and the other word nodes; and determining the edges between the current word node and the other word nodes according to the degree of association.
In one embodiment, the multiple kinds of nodes further include a feature node, an author node, and a vulnerability node; determining the plurality of edges of the target vulnerability comprises: determining the feature value of the feature node, and determining the edge between the document node and the feature node according to the feature value; determining the edge weight value of the edge between the vulnerability node and the document node to be 1; and determining the edge weight value of the edge between the author node and the document node to be 1.
In one embodiment, the exploit prediction model comprises a first convolution layer; using the pre-built exploit prediction model to obtain target combination features of the target vulnerability based on the heterogeneous vulnerability feature graph comprises: extracting features of the heterogeneous vulnerability feature graph by using th