CN-121997333-A - Automatic security hole repairing method and device, electronic equipment and medium

CN121997333A

Abstract

The invention relates to an automatic security vulnerability repair method and device, electronic equipment and a medium. The method comprises: obtaining an original vulnerability report; parsing the original vulnerability report to obtain standardized vulnerability information; matching the standardized vulnerability information with patch metadata in a patch library; if a target pre-stored patch corresponding to the standardized vulnerability information is matched, directly invoking the target pre-stored patch to repair the vulnerability; and if no target pre-stored patch corresponding to the standardized vulnerability information is matched, generating a candidate repair patch from the standardized vulnerability information so as to repair the vulnerability based on the candidate repair patch. Through a single automated path of acquisition, parsing, and matching or generation, the scheme achieves minute-level repair (a matching patch is invoked within seconds; where no patch exists, one is generated immediately), avoids manual intervention and waiting entirely, compresses the system's exposure window as far as possible, and ensures that the vulnerability is repaired.

Inventors

  • SONG CHUNLIANG

Assignees

  • 北京思特奇信息技术股份有限公司

Dates

Publication Date
2026-05-08
Application Date
2025-12-29

Claims (10)

  1. An automated security vulnerability remediation method, comprising: acquiring an original vulnerability report; parsing the original vulnerability report to obtain standardized vulnerability information; matching the standardized vulnerability information against patch metadata in a patch library and, if a target pre-stored patch corresponding to the standardized vulnerability information is matched, directly invoking the target pre-stored patch to repair the vulnerability; and if no target pre-stored patch corresponding to the standardized vulnerability information is matched, generating a candidate repair patch from the standardized vulnerability information so as to repair the vulnerability based on the candidate repair patch.
  2. The method of claim 1, wherein generating the candidate repair patch from the standardized vulnerability information comprises: if the vulnerability type corresponding to the standardized vulnerability information is a common vulnerability, invoking, from a preset repair rule base, a repair rule matched to the vulnerability type to generate the candidate repair patch; and if the vulnerability type corresponding to the standardized vulnerability information is a code-level vulnerability, locating the vulnerable code line by static application security testing and generating repair code as the candidate repair patch in combination with program analysis.
  3. The method of claim 1, further comprising: automatically constructing an isolated test environment consistent with the target production environment; verifying a target patch in the isolated test environment, wherein the target patch is the candidate repair patch or the target pre-stored patch, and the verification comprises security effectiveness verification, functional regression verification, and performance and stability verification; and when the target patch passes verification, deploying the target patch to the online production environment.
  4. The method of claim 3, wherein when the target patch fails verification, the method further comprises: generating a failure log, feeding the failure log back to the patch library, and triggering an alarm notification.
  5. The method of claim 3, wherein after deploying the target patch to the online production environment, the method further comprises: monitoring key indicators of the vulnerability corresponding to the original vulnerability report while the target patch repairs the vulnerability; and determining from the key indicators whether the vulnerability corresponding to the original vulnerability report has been repaired by the target patch.
  6. An automated security vulnerability remediation apparatus, comprising: an acquisition module for acquiring an original vulnerability report; an analysis module for parsing the original vulnerability report to obtain standardized vulnerability information; a first repair module for matching the standardized vulnerability information against patch metadata in a patch library and, if a target pre-stored patch corresponding to the standardized vulnerability information is matched, directly invoking the target pre-stored patch to repair the vulnerability; and a second repair module for generating a candidate repair patch from the standardized vulnerability information when no target pre-stored patch corresponding to the standardized vulnerability information is matched, so as to repair the vulnerability based on the candidate repair patch.
  7. The apparatus of claim 6, wherein the second repair module, when generating the candidate repair patch from the standardized vulnerability information, is specifically configured to: if the vulnerability type corresponding to the standardized vulnerability information is a common vulnerability, invoke, from a preset repair rule base, a repair rule matched to the vulnerability type to generate the candidate repair patch; and if the vulnerability type corresponding to the standardized vulnerability information is a code-level vulnerability, locate the vulnerable code line by static application security testing and generate repair code as the candidate repair patch in combination with program analysis.
  8. The apparatus of claim 6, further comprising a verification module configured to automatically construct an isolated test environment consistent with the target production environment and to verify the target patch in the isolated test environment, wherein the target patch is the candidate repair patch or the target pre-stored patch, the verification comprises security effectiveness verification, functional regression verification, and performance and stability verification, and when the target patch passes verification, the target patch is deployed to the online production environment.
  9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 5 when executing the computer program.
  10. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of any one of claims 1 to 5.
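As an added illustration (not code from the patent or its assignee), the following Python models the single automated path of claims 1 to 5: parsing a raw report into standardized information, matching it against patch-library metadata, falling back to rule-based or SAST-located candidate generation, gating on the three claim-3 verifications, and emitting the claim-4 failure log when a check fails. The JSON report shape, the patch library contents, the rule base, identifiers such as CVE-0000-0001 and the check callables are all constructed placeholders.

```python
"""Added example, not from the patent: a toy model of the claim 1-5 repair pipeline.

Flow: parse report -> match patch library -> else generate candidate -> verify -> deploy,
with the claim-4 failure log on verification failure. All data below is constructed.
"""
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class VulnInfo:
    """Standardized vulnerability information extracted from a raw report."""
    vuln_id: str                    # CVE or CWE identifier (constructed values below)
    component: str
    version: str
    vuln_type: str                  # "common" (config-level class) or "code-level"
    location: Optional[str] = None  # "file:line" for code-level findings


def parse_report(raw: str) -> VulnInfo:
    """Normalize a raw scanner report (assumed JSON shape) into VulnInfo."""
    rep = json.loads(raw)
    vid = rep.get("id", "").strip().upper()
    if not re.fullmatch(r"CVE-\d{4}-\d{4,}|CWE-\d+", vid):
        raise ValueError(f"unrecognized vulnerability id: {vid!r}")
    return VulnInfo(vid, rep["component"].lower(), str(rep["version"]),
                    rep["type"], rep.get("location"))


# Patch library: metadata key (vuln id, component) -> [(affected version prefix, patch name)]
PATCH_LIBRARY = {
    ("CVE-0000-0001", "libexample"): [("1.2.", "libexample-1.2.x-fix")],  # constructed entry
}

# Rule base for common vulnerability classes (claim 2), keyed on weakness id
REPAIR_RULES = {"CWE-319": "enforce-tls-config"}  # constructed rule


def match_prestored(info: VulnInfo) -> Optional[str]:
    """Claim 1: look up a pre-stored patch whose metadata matches the normalized info."""
    for prefix, name in PATCH_LIBRARY.get((info.vuln_id, info.component), []):
        if info.version.startswith(prefix):
            return name
    return None


def generate_candidate(info: VulnInfo) -> Optional[dict]:
    """Claim 2: rule-based fix for common classes, SAST-located fix for code-level ones."""
    if info.vuln_type == "common":
        rule = REPAIR_RULES.get(info.vuln_id)
        return None if rule is None else {"kind": "rule", "patch": rule}
    if info.vuln_type == "code-level" and info.location:
        # A real system would hand the located line to a program-analysis fixer;
        # here the candidate only records where the fix must apply.
        return {"kind": "code", "patch": f"sast-guided-fix@{info.location}"}
    return None


Check = Callable[[dict], bool]


def verify(patch: dict, checks: Dict[str, Check]):
    """Claim 3: run every check in the (simulated) isolated environment; all must pass."""
    results = {name: bool(fn(patch)) for name, fn in checks.items()}
    return all(results.values()), results


def remediate(raw_report: str, checks: Dict[str, Check]) -> dict:
    """Single automated path: acquire -> parse -> match/generate -> verify -> deploy."""
    info = parse_report(raw_report)
    name = match_prestored(info)
    if name is not None:
        patch = {"kind": "prestored", "patch": name}
    else:
        patch = generate_candidate(info)
        if patch is None:
            return {"status": "needs-human", "vuln": info.vuln_id}
    ok, results = verify(patch, checks)
    if not ok:
        # Claim 4: failure log fed back to the patch library and raised as an alarm
        return {"status": "failed", "vuln": info.vuln_id,
                "log": {"patch": patch, "results": results}}
    return {"status": "deployed", "vuln": info.vuln_id, "patch": patch}


# Constructed checks standing in for the three claim-3 verifications
ALL_PASS = {"security": lambda p: True, "regression": lambda p: True,
            "performance": lambda p: True}
REGRESSION_FAILS = dict(ALL_PASS, regression=lambda p: False)

# Constructed sample reports
REPORT_PRESTORED = json.dumps({"id": "cve-0000-0001", "component": "LibExample",
                               "version": "1.2.3", "type": "common"})
REPORT_RULE = json.dumps({"id": "CWE-319", "component": "webapp", "version": "4.1",
                          "type": "common"})
REPORT_CODE = json.dumps({"id": "CWE-20", "component": "webapp", "version": "4.1",
                          "type": "code-level", "location": "app/handlers.py:42"})
REPORT_UNKNOWN = json.dumps({"id": "CWE-20", "component": "webapp", "version": "4.1",
                             "type": "binary"})

if __name__ == "__main__":
    for rep in (REPORT_PRESTORED, REPORT_RULE, REPORT_CODE, REPORT_UNKNOWN):
        print(remediate(rep, ALL_PASS))
    print(remediate(REPORT_CODE, REGRESSION_FAILS))
```

In a real deployment the checks would be the test runs executed in the isolated environment and the patch library would be keyed on version ranges rather than string prefixes; the point of the model is the control flow, in particular that neither a pre-stored nor a generated patch reaches production without passing all three verifications, and that a report the pipeline cannot handle is surfaced rather than silently dropped.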

Description

Automatic security hole repairing method and device, electronic equipment and medium

Technical Field

The invention relates to the technical field of computer information security, and in particular to an automatic security vulnerability repair method and device, electronic equipment and a medium.

Background

Security vulnerabilities in software systems are among the major security threats. The traditional vulnerability repair flow depends heavily on manual operation and generally comprises: the security team discovers the vulnerability, analysts manually determine its root cause, developers write a repair patch, testers run functional and regression tests on the patch, and finally operations staff deploy it. This procedure has the following inherent drawbacks:

  1. Low efficiency and a long cycle: from discovery of the vulnerability to its final repair, cross-department cooperation is needed and the process is cumbersome, so a critical vulnerability may be exploited before it is repaired.
  2. High dependence on expert experience: vulnerability analysis, patch development and testing all depend heavily on the individual abilities of security experts and developers, and are difficult to scale to massive numbers of vulnerabilities.
  3. High repair risk: a manually written patch may be ill-considered and risks introducing new vulnerabilities, system compatibility problems or performance degradation; that is, repairing one vulnerability brings more problems.
  4. Chaotic patch management: in large enterprises with thousands of servers and complex applications, manually tracking the impact range of a vulnerability and the distribution and deployment of patches is extremely error-prone, leading to omissions and mistakes.

Some existing automated security tools (e.g. vulnerability scanners) can only find problems and cannot solve them automatically and reliably. Therefore, a technical scheme that automates and makes intelligent the whole process of vulnerability repair while effectively controlling repair risk is urgently needed.

Disclosure of Invention

The invention aims to solve at least one of the above technical problems by providing an automatic security vulnerability repair method and device, electronic equipment and a medium. In a first aspect, the technical solution to the above technical problems is an automated security vulnerability repair method, which includes: acquiring an original vulnerability report; parsing the original vulnerability report to obtain standardized vulnerability information; matching the standardized vulnerability information against patch metadata in a patch library and, if a target pre-stored patch corresponding to the standardized vulnerability information is matched, directly invoking the target pre-stored patch to repair the vulnerability; and if no target pre-stored patch corresponding to the standardized vulnerability information is matched, generating a candidate repair patch from the standardized vulnerability information so as to repair the vulnerability based on the candidate repair patch.

The beneficial effects of the method are that, once the original vulnerability report is acquired, it is parsed to obtain standardized vulnerability information, which is matched with patch metadata in a patch library; when the standardized vulnerability information matches a target pre-stored patch, that patch is invoked directly for repair, and when it does not match, a candidate repair patch is generated from the standardized vulnerability information. On the basis of the above technical scheme, the invention can be further improved as follows. Further, generating the candidate repair patch from the standardized vulnerability information includes: if the vulnerability type corresponding to the standardized vulnerability information is a common vulnerability, invoking, from a preset repair rule base, a repair rule matched to the vulnerability type to generate the candidate repair patch; and if the vulnerability type corresponding to the standardized vulnerability information is a code-level vulnerability, locating the vulnerable code line by static application security testing and generating repair code as the candidate repair patch in combination with program analysis. Further, the method comprises the following steps: automatically constructing an isolated test environment consistent with the target production environment; verifying a target patch in the isolated test environment, wherein the tar