[go: up one dir, main page]

CN119203161A - A RCE vulnerability and threat identification method based on full-link tracking information - Google Patents

A RCE vulnerability and threat identification method based on full-link tracking information Download PDF

Info

Publication number
CN119203161A
CN119203161A CN202411401905.XA CN202411401905A CN119203161A CN 119203161 A CN119203161 A CN 119203161A CN 202411401905 A CN202411401905 A CN 202411401905A CN 119203161 A CN119203161 A CN 119203161A
Authority
CN
China
Prior art keywords
rce
vulnerability
information
full
transaction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202411401905.XA
Other languages
Chinese (zh)
Inventor
杨应军
钱晓斌
李宗洋
王源昭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jinyue Smart Technology Co ltd
Original Assignee
Beijing Jinyue Smart Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jinyue Smart Technology Co ltd filed Critical Beijing Jinyue Smart Technology Co ltd
Priority to CN202411401905.XA priority Critical patent/CN119203161A/en
Publication of CN119203161A publication Critical patent/CN119203161A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214Generating training patterns; Bootstrap methods, e.g. bagging or boosting

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Evolutionary Computation (AREA)
  • Evolutionary Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Artificial Intelligence (AREA)
  • Computing Systems (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses an RCE vulnerability and threat identification method based on full-link tracking information, which comprises the following steps of S1, deploying a full-link tracking analysis system, S2, starting a target range environment, activating a target range simulation environment through a full-link tracking analysis system agent and being used for safety test, S3, executing operation and data recording, wherein the operation and data recording comprises remote code execution of an RCE vulnerability target machine in the target range environment, S4, generating an automatic sample, generating a fine tuning sample of a large language identification model, S5, writing the generated fine tuning sample into a training file, preparing for fine tuning of the RCE large language identification model, and accurately identifying RCE vulnerability and threat in a diversified programming language environment.

Description

RCE vulnerability and threat identification method based on full-link tracking information
Technical Field
The invention belongs to the technical field, and particularly relates to an RCE vulnerability and threat identification method based on full-link tracking information.
Background
RCE (Remote Code or Command Execution remote code execution) vulnerabilities are a serious cyber security threat that allows an attacker to execute arbitrary code or commands on the victim's remote system. Such vulnerabilities enable an attacker to bypass the normal operating boundaries of the application and directly control the core functions of the target server or system. The consequences of an attack may include data leakage, system damage, malware installation, and even complete control of the target system. RCE vulnerabilities typically stem from applications failing to exercise strict rights control when validating user input or handling sensitive operations.
With the continued advancement of network attack technology, RCE attacks become more complex and difficult to guard against. Although existing security measures are continually updated, they tend to be difficult to fully identify and defend against RCE attacks in a diverse network environment. Therefore, developing more efficient identification and defense means is critical to maintaining network security.
(1) Active vulnerability ambiguity test
One of the disadvantages of the conventional vulnerability fuzzy test is that the internal structure and code of the program cannot be checked, the discovery problem can only infer the possible cause according to the result, which requires a lot of effort and time, and the accurate internal position and the real cause of the vulnerability cannot be effectively located. The second disadvantage is that fuzzing may not be able to perform a valid test because some security measures of the application may lead to session failure.
The active RCE vulnerability test based on the full-link tracking information can improve efficiency by utilizing automatic test, and can more accurately locate the position and reason of the vulnerability. Under the condition that the automatic active fuzzy test fails, RCE vulnerabilities in the application system can be timely found and identified through passive transaction processing and call tree monitoring, and the specific positions of the RCE vulnerabilities in the system can be clearly determined.
(2) Passive RCE threat identification
Although the traditional threat monitoring system based on the traffic can detect RCE attack behaviors, whether a target system has a vulnerability or not and whether the attack can cause actual harm or not cannot be accurately judged, so that certain false alarm and false alarm exist. In contrast, the RCE threat identification technology based on full link tracking can comprehensively track the processing process of the request in the system, including links such as initiation, processing and response of the request. By analyzing the call tree processed by the request, the key methods and functions of the internal call of the code can be tracked, so that the external request can reach the risk function or method, and the RCE threat can be accurately identified. The method not only can judge whether the system has the loopholes, but also can locate the internal accurate position and cause of the loopholes under the condition that the loopholes exist, and the whole process is completely shown.
Therefore, the invention provides an RCE vulnerability and threat identification method based on full link tracking information, which is used for solving the problems raised by the background technology.
Disclosure of Invention
Aiming at the problems of the background technology, the invention aims to provide an RCE vulnerability and threat identification method based on full-link tracking information, which is used for solving the defects of the prior art in the aspects of RCE vulnerability detection and threat identification.
In order to achieve the technical purpose, the invention adopts the following technical scheme:
an RCE vulnerability and threat identification method based on full link tracking information comprises the following steps:
the method comprises the following steps of S1, deploying a full-link tracking analysis system, wherein the full-link tracking analysis system is used for monitoring and recording the completed application program request and response process;
s2, starting a target range environment, activating a target range simulation environment through a full-link tracking analysis system agent, and using the environment for safety test;
S3, executing operation and data records, wherein the operation and data records comprise remote code execution of the RCE vulnerability target machine in a shooting range environment;
s4, generating an automatic sample, wherein the automatic sample is used for generating a fine tuning sample of a large language identification model;
and S5, writing a training file, and writing the generated fine tuning sample into the training file to prepare for fine tuning of the RCE large language identification model.
Further defined, the step S3 further includes the following specific steps:
s3.1, loading corresponding attack loads by using an attack tool or a manual mode according to the target range vulnerability data, and executing test operation;
s3.2, recording the path information of the target range in detail, wherein the path information, the request parameters, the RCE threat marks and the RCE vulnerability marks comprise URL, a removal protocol header and an IP address;
In the RCE threat mark, 0 indicates that no RCE vulnerability attack exists, 1 indicates that RCE vulnerability attack exists, and in the RCE vulnerability mark, 0 indicates that no RCE vulnerability attack exists, and 1 indicates that RCE vulnerability attack exists.
Further defined, the step S4 further includes the following specific steps:
s4.1, reading a target range path information list;
s4.2, inquiring all transaction IDs and URLs thereof entering a target range website through a full-link tracking analysis system, and creating a transaction ID list;
and S4.3, traversing the transaction ID list.
Further defined, the step S4.3 further includes:
s4.31, calling a transaction detail API of the full-link application analysis platform to acquire transaction detailed information;
S4.32, extracting call tree information of the transaction processing, wherein the call tree information comprises a request path, request parameters, an application program first response function and a transaction processing characteristic key function;
S4.34, inquiring RCE attack and RCE vulnerability marks in a target range path information list according to the request path;
and S4.35, generating samples for fine-tuning a large language identification model, wherein the samples comprise a request path, request parameters, an application program initial response function, a transaction characteristic key function and a path RCE vulnerability mark.
Further defined, the step S5 further includes the following specific steps:
s5.1, sample data preparation, reading a pre-generated fine adjustment sample, and formatting the data into a question-answer form so as to enhance the understanding and prediction capability of the model;
Specifically, the question-answer samples include:
asking if the following transaction is judged whether RCE attack or RCE loophole exists or not by taking the following transaction information as the beginning, and then listing the request path, the request parameters, the application program first response function and the transaction characteristic key function information in detail;
The reply information comprises a request path, request parameters, whether RCE vulnerabilities exist, whether RCE attacks exist or not, details of the vulnerabilities and attack load information;
S5.2, performing fine adjustment of the model;
Specifically, the formatted question-answer sample is used to start the fine tuning process of the large language model, the bottom layer parameters of the pre-training model are frozen to keep the general characteristics, the top layer parameters are updated or added again, and the fine tuning is continued until the preset training step or error threshold value is reached;
s5.3, model verification, namely evaluating the trimmed model by using a test sample;
Specifically, if the recognition rate of the model reaches or exceeds 80%, the model training is considered to be successful and can be used for practical application;
And S5.4, continuously optimizing and iterating, and continuously optimizing a fine tuning strategy and sample selection of the model according to test feedback.
Further defined, the full-link tracking analysis system of S1 comprises a data collector, a web server and a data collection agent;
The data collector is responsible for collecting the data of the complete application access process, including the links of initiating, processing and responding the request;
The web server provides a user interface and an API interface for accessing and managing the full-link analysis system, and is also used for processing the request from the front end and interacting with the back end component;
The data acquisition agent is deployed on each server or application instance and is used for collecting and transmitting data to the data acquisition device or the Web server.
Further defined, active RCE vulnerability discovery and passive RCE threat identification are also included.
Further defined, the active RCE vulnerability discovery comprises the steps of:
S10, vulnerability test preparation, namely loading corresponding RCE attack load or constructing an abnormal request according to the development language of a target application system so as to carry out fuzzy test on the system;
and S11, full-link tracking inquiry, namely periodically inquiring full-link tracking data of the target application in a specific time range, and analyzing the transaction ID and the request path information.
S12, transaction analysis, namely, according to the transaction ID, using a full-link application analysis transaction detail api to query transaction details, and extracting key information from transaction detail data, wherein the key information comprises a request path, a request parameter and call tree information;
s13, submitting large model analysis, submitting the extracted transaction information to an RCE large language identification model, and requesting the model to analyze whether RCE vulnerabilities and specific positions thereof exist or not;
S14, vulnerability identification and positioning, analyzing submitted information by an RCE large language identification model, identifying whether RCE vulnerabilities exist in a request path, and if the vulnerabilities are found, providing vulnerability position information of an application system by the model;
Specifically, the vulnerability location information includes an entry function or method for the first processing request of the application system and a function or method for the final execution of the RCE in the dependency library.
Further defined, the passive RCE threat identification includes the steps of:
S20, monitoring and inquiring in real time, wherein the real-time inquiring target is applied to all transaction processing within the time range recorded by the full-link tracking analysis system;
S21, transaction analysis, namely, according to the transaction ID, using a full-link application analysis transaction detail api to query transaction details, and extracting key information, including request paths, request parameters and call tree information, from transaction detail data;
S22, submitting information and inquiring, submitting the extracted transaction information to an RCE large language identification model, and inquiring whether an RCE vulnerability exploitation attack exists or not and whether an RCE vulnerability exists or not;
S23, judging attack and vulnerability, analyzing submitted information by the RCE large language identification model, judging whether an RCE remote code executing attack behavior exists or not, and judging whether a corresponding RCE vulnerability exists in a target application or not;
s24, safety response measures, wherein if only attack behaviors are detected and no loopholes exist in target applications, the linkage safety equipment executes safety protection measures, including blocking malicious requests, recording related logs and notifying a system administrator;
If an attack is detected and a vulnerability exists in the target application, not only the safety protection measures are executed, but also detailed position, related functions and method information of the vulnerability are submitted, and meanwhile, an organization technology team evaluates and judges possible damage conditions.
The invention has the beneficial effects that:
1. The invention provides an RCE vulnerability and threat identification method based on full link tracking information, which is mainly characterized in that a fine tuning sample is constructed, and an RCE large language identification model is trained, so that the RCE vulnerability and vulnerability information can be accurately identified, and the accurate position and the real cause of the RCE vulnerability can be positioned. Meanwhile, by means of an RCE large language identification model and combining a full-link tracking analysis system, whether remote code execution loopholes or threats exist or not is judged according to analysis results under two scenes of active RCE loophole mining and passive RCE threat identification.
2. The method breaks through the limitation of the traditional technology, can accurately identify RCE loopholes and threats in various programming language environments, not only remarkably improves the accuracy and efficiency of identification, but also reduces the possibility of false alarm and missing report. Through application of the RCE large language identification model, the invention can provide deeper analysis and more accurate vulnerability localization, simultaneously rapidly adapt to and identify the emerging RCE attack mode, and has stronger adaptability and expansibility.
Drawings
The invention can be further illustrated by means of non-limiting examples given in the accompanying drawings;
FIG. 1 is a schematic diagram of an embodiment of an RCE vulnerability and threat identification method based on full link tracking information;
fig. 2 is a schematic structural diagram of an embodiment of an RCE vulnerability and threat identification method based on full link tracking information.
Detailed Description
In order that those skilled in the art will better understand the present invention, the following technical scheme of the present invention will be further described with reference to the accompanying drawings and examples. The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that all directional indicators (such as up, down, left, right, front, and rear are used in the embodiments of the present invention) are merely for explaining the relative positional relationship, movement conditions, and the like between the components in a certain specific posture (as shown in the drawings), and if the specific posture is changed, the directional indicators are changed accordingly.
Furthermore, the description of "first," "second," etc. in this disclosure is for descriptive purposes only and is not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments may be combined with each other, but it is necessary to base that the technical solutions can be realized by those skilled in the art, and when the technical solutions are contradictory or cannot be realized, the combination of the technical solutions should be considered to be absent and not within the scope of protection claimed in the present invention. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The method comprises the steps of training an RCE large language identification model through constructing a fine tuning sample, enabling the RCE large language identification model to accurately identify RCE attack characteristics and vulnerability information, positioning accurate positions and real reasons of RCE vulnerabilities, and judging whether remote code execution vulnerabilities or threats exist according to analysis results by means of the RCE large language identification model and combining a full-link tracking analysis system under two scenes of active RCE vulnerability mining and passive RCE threat identification.
As shown in fig. 1, the RCE vulnerability and threat identification method based on full link tracking information of the present invention includes the following steps:
the method comprises the following steps of S1, deploying a full-link tracking analysis system, wherein the full-link tracking analysis system is used for monitoring and recording the completed application program request and response process;
s2, starting a target range environment, activating a target range simulation environment through a full-link tracking analysis system agent, and using the environment for safety test;
S3, executing operation and data records, wherein the operation and data records comprise remote code execution of the RCE vulnerability target machine in a shooting range environment;
s4, generating an automatic sample, wherein the automatic sample is used for generating a fine tuning sample of a large language identification model;
and S5, writing a training file, and writing the generated fine tuning sample into the training file to prepare for fine tuning of the RCE large language identification model.
The basic decision principle of fine tuning execution of the RCE large language identification model is as follows:
In many programming languages, such as PHP, java and Python, there are some risk functions that, if improperly used, may raise serious security issues, especially remote code execution RCE vulnerabilities. Common risk functions are exemplified as follows:
PHP:eval(),assert(),preg_replace(),call_user_func(),call_user_func_array(),array_map(),system,shell_exec,popen,passthru,proc_open
Java:ProcessBuilder.start(),Runtime.getRuntime().exec()
Python:eval,exec,subprocess,os.system,commands
The core goal of Fine tuning of the RCE large language identification model is to further train the pre-training model by using the Fine-tuning technology, so that the model can deeply analyze the call tree in the full-link tracking data, and accurately identify the risk function related to the remote code execution attack. After the model is trained, whether the functions are used for executing RCE attacks can be judged, so that potential RCE vulnerabilities and ongoing attack behaviors can be effectively identified.
Preferably, the step S3 further includes the following specific steps:
s3.1, loading corresponding attack loads by using an attack tool or a manual mode according to the target range vulnerability data, and executing test operation;
s3.2, recording the path information of the target range in detail, wherein the path information, the request parameters, the RCE threat marks and the RCE vulnerability marks comprise URL, a removal protocol header and an IP address;
In the RCE threat mark, 0 indicates that no RCE vulnerability attack exists, 1 indicates that RCE vulnerability attack exists, and in the RCE vulnerability mark, 0 indicates that no RCE vulnerability attack exists, and 1 indicates that RCE vulnerability attack exists.
Preferably, the step S4 further includes the following specific steps:
s4.1, reading a target range path information list;
s4.2, inquiring all transaction IDs and URLs thereof entering a target range website through a full-link tracking analysis system, and creating a transaction ID list;
and S4.3, traversing the transaction ID list.
Preferably, the step S4.3 further includes:
s4.31, calling a transaction detail API of the full-link application analysis platform to acquire transaction detailed information;
S4.32, extracting call tree information of the transaction processing, wherein the call tree information comprises a request path, request parameters, an application program first response function and a transaction processing characteristic key function;
S4.34, inquiring RCE attack and RCE vulnerability marks in a target range path information list according to the request path;
and S4.35, generating samples for fine-tuning a large language identification model, wherein the samples comprise a request path, request parameters, an application program initial response function, a transaction characteristic key function and a path RCE vulnerability mark.
Preferably, the step S5 further includes the following specific steps:
s5.1, sample data preparation, reading a pre-generated fine adjustment sample, and formatting the data into a question-answer form so as to enhance the understanding and prediction capability of the model;
Specifically, the question-answer samples include:
asking if the following transaction is judged whether RCE attack or RCE loophole exists or not by taking the following transaction information as the beginning, and then listing the request path, the request parameters, the application program first response function and the transaction characteristic key function information in detail;
The reply information comprises a request path, request parameters, whether RCE vulnerabilities exist, whether RCE attacks exist or not, details of the vulnerabilities and attack load information;
S5.2, performing fine adjustment of the model;
Specifically, the formatted question-answer samples are used to start the fine tuning process of the large language model, freeze the bottom parameters of the pre-training model, keep the general characteristics, update or add the top parameters (to adapt to new tasks), and the fine tuning is continued until reaching the preset training step or error threshold (ensuring the accuracy and efficiency of the model);
s5.3, model verification, namely evaluating the trimmed model by using a test sample;
Specifically, if the recognition rate of the model reaches or exceeds 80%, the model training is considered to be successful and can be used for practical application;
and S5.4, continuously optimizing and iterating, and continuously optimizing a fine tuning strategy and sample selection of the model according to test feedback. Therefore, the model can be ensured to adapt to new data and scenes, and high accuracy and robustness are maintained.
As shown in fig. 2, preferably, the full-link tracking analysis system of S1 includes a data collector, a web server and a data collection agent;
The data acquisition device is responsible for acquiring the data of the complete application access process, including the steps of initiating, processing and responding the request, so that the data of key methods, functions and the like called in the code can be acquired by deeply analyzing the call tree of the request processing;
The web server provides a user interface and an API interface for accessing and managing the full-link analysis system, and is also used for processing the request from the front end and interacting with the back end component;
the data acquisition agent is deployed on each server or application instance and is used for collecting and transmitting data to the data acquisition device or the Web server, so that the real-time performance and the integrity of the data can be ensured.
Preferably, active RCE vulnerability discovery and passive RCE threat identification are also included.
Preferably, the active RCE vulnerability discovery comprises the following steps:
S10, vulnerability test preparation, namely loading corresponding RCE attack load or constructing an abnormal request according to the development language of a target application system so as to carry out fuzzy test on the system;
and S11, full-link tracking inquiry, namely periodically inquiring full-link tracking data of the target application in a specific time range, and analyzing the transaction ID and the request path information.
S12, transaction analysis, namely, according to the transaction ID, using a full-link application analysis transaction detail api to query transaction details, and extracting key information from transaction detail data, wherein the key information comprises a request path, a request parameter and call tree information;
s13, submitting large model analysis, submitting the extracted transaction information to an RCE large language identification model, and requesting the model to analyze whether RCE vulnerabilities and specific positions thereof exist or not;
S14, vulnerability identification and positioning, analyzing submitted information by an RCE large language identification model, identifying whether RCE vulnerabilities exist in a request path, and if the vulnerabilities are found, providing vulnerability position information of an application system by the model;
Specifically, the vulnerability location information includes an entry function or method for the first processing request of the application system and a function or method for the final execution of the RCE in the dependency library.
Preferably, the passive RCE threat identification includes the steps of:
S20, monitoring and inquiring in real time, wherein the real-time inquiring target is applied to all transaction processing within the time range recorded by the full-link tracking analysis system;
S21, transaction analysis, namely, according to the transaction ID, using a full-link application analysis transaction detail api to query transaction details, and extracting key information, including request paths, request parameters and call tree information, from transaction detail data;
S22, submitting information and inquiring, submitting the extracted transaction information to an RCE large language identification model, and inquiring whether an RCE vulnerability exploitation attack exists or not and whether an RCE vulnerability exists or not;
S23, judging attack and vulnerability, analyzing submitted information by the RCE large language identification model, judging whether an RCE remote code executing attack behavior exists or not, and judging whether a corresponding RCE vulnerability exists in a target application or not;
s24, safety response measures, wherein if only attack behaviors are detected and no loopholes exist in target applications, the linkage safety equipment executes safety protection measures, including blocking malicious requests, recording related logs and notifying a system administrator;
If an attack is detected and a vulnerability exists in the target application, not only the safety protection measures are executed, but also detailed position, related functions and method information of the vulnerability are submitted, and meanwhile, an organization technology team evaluates and judges possible damage conditions.
The above embodiments are merely illustrative of the principles of the present invention and its effectiveness, and are not intended to limit the invention. Modifications and variations may be made to the above-described embodiments by those skilled in the art without departing from the spirit and scope of the invention. Accordingly, it is intended that all equivalent modifications and variations of the invention be covered by the claims of this invention, which are within the skill of those skilled in the art, can be made without departing from the spirit and scope of the invention disclosed herein.

Claims (9)

1.一种基于全链路跟踪信息的RCE漏洞及威胁识别方法,其特征在于,包括如下步骤:1. A RCE vulnerability and threat identification method based on full-link tracking information, characterized in that it includes the following steps: S1:部署全链路跟踪分析系统,所述全链路跟踪分析系统用于监控和记录完成的应用程序请求和响应过程;S1: deploy a full-link tracking and analysis system, which is used to monitor and record the completed application request and response process; S2:启动靶场环境,通过全链路跟踪分析系统代理,激活靶场模拟环境,并用于安全测试;S2: Start the range environment, activate the range simulation environment through the full-link tracking and analysis system agent, and use it for safety testing; S3:执行操作与数据记录,所述操作与数据记录包括在靶场环境中RCE漏洞靶机进行远程代码执行;S3: Execute operations and data records, wherein the operations and data records include remote code execution on a target machine with an RCE vulnerability in a range environment; S4:自动化样本生成,所述自动化样本用于生成大语言识别模型的微调样本;S4: Automatic sample generation, where the automatic samples are used to generate fine-tuning samples for a large language recognition model; S5:写入训练文件,将生成的微调样本写入训练文件,为RCE大语言识别模型微调做准备。S5: Write the training file and write the generated fine-tuning samples into the training file to prepare for fine-tuning the RCE large language recognition model. 2.根据权利要求1所述的一种基于全链路跟踪信息的RCE漏洞及威胁识别方法,其特征在于,所述S3还包括以下具体步骤:2. According to the RCE vulnerability and threat identification method based on full-link tracking information of claim 1, it is characterized in that S3 also includes the following specific steps: S3.1:根据靶场漏洞资料,利用攻击工具或手工方式加载对应的攻击载荷,执行测试操作;S3.1: Based on the vulnerability data of the target range, use attack tools or manually load the corresponding attack payload and perform the test operation; S3.2:详细记录靶场路径信息,路径信息、请求参数、RCE威胁标记和RCE漏洞标记,所述路径信息包括URL、去除协议头和IP地址;S3.2: Record the range path information in detail, including the path information, request parameters, RCE threat tags, and RCE vulnerability tags. The path information includes the URL, protocol headers, and IP addresses. 其中,所述RCE威胁标记中,“0”表示不存在RCE漏洞攻击,“1”表示存在RCE漏洞攻击;所述RCE漏洞标记中,“0”表示不存在RCE漏洞攻击,“1”表示存在RCE漏洞攻击。Among them, in the RCE threat mark, "0" indicates that there is no RCE vulnerability attack, and "1" indicates that there is an RCE vulnerability attack; in the RCE vulnerability mark, "0" indicates that there is no RCE vulnerability attack, and "1" indicates that there is an RCE vulnerability attack. 3.根据权利要求1所述的一种基于全链路跟踪信息的RCE漏洞及威胁识别方法,其特征在于,所述S4还包括以下具体步骤:3. According to the RCE vulnerability and threat identification method based on full-link tracking information of claim 1, it is characterized in that S4 also includes the following specific steps: S4.1:读取靶场路径信息列表;S4.1: Read the shooting range path information list; S4.2:通过全链路跟踪分析系统,查询所有进入靶场网站的事务处理ID及其URL,创建事务处理ID列表;S4.2: Through the full-link tracking and analysis system, query all transaction IDs and their URLs entering the shooting range website and create a transaction ID list; S4.3:对事务处理ID列表进行遍历。S4.3: Traverse the transaction ID list. 4.根据权利要求3所述的一种基于全链路跟踪信息的RCE漏洞及威胁识别方法,其特征在于,所述S4.3中还包括:4. According to the RCE vulnerability and threat identification method based on full-link tracking information of claim 3, it is characterized in that S4.3 also includes: S4.31:调用全链路应用分析平台事务详情API,获取到事务处理详细信息;S4.31: Call the transaction details API of the full-link application analysis platform to obtain detailed transaction processing information; S4.32:提取事务处理的调用树信息,包括请求路径、请求参数、应用程序首响应函数和事务处理特征性关键函数;S4.32: Extract the call tree information of transaction processing, including request path, request parameters, application first response function and transaction processing characteristic key functions; S4.34:根据请求路径,在靶场路径信息列表中查询RCE攻击及RCE漏洞标记;S4.34: According to the request path, query the RCE attack and RCE vulnerability mark in the range path information list; S4.35:生成用于微调大语言识别模型的样本,所述样本包括:请求路径、请求参数、应用程序首响应函数、事务处理特征性关键函数和路径RCE漏洞标记。S4.35: Generate a sample for fine-tuning a large language recognition model, wherein the sample includes: a request path, request parameters, an application first response function, a transaction processing characteristic key function, and a path RCE vulnerability marker. 5.根据权利要求1所述的一种基于全链路跟踪信息的RCE漏洞及威胁识别方法,其特征在于,所述S5还包括以下具体步骤:5. According to the RCE vulnerability and threat identification method based on full-link tracking information of claim 1, it is characterized in that S5 also includes the following specific steps: S5.1:样本数据准备,读取预先生成的微调样本,再将数据格式化为问答形式,以增强模型的理解和预测能力;S5.1: Sample data preparation, reading pre-generated fine-tuning samples and formatting the data into question-answer format to enhance the model's understanding and prediction capabilities; 具体的,问答样本包括:Specifically, the sample questions and answers include: 提问:若以“请判断以下事务处理是否存在RCE攻击或RCE漏洞,事务处理信息如下:”为开头,然后详细列出请求路径、请求参数、应用程序首响应函数以及事务处理特征性关键函数信息;Question: If you start with "Please determine whether the following transaction processing has RCE attacks or RCE vulnerabilities, the transaction processing information is as follows:", and then list the request path, request parameters, application first response function, and transaction processing characteristic key function information in detail; 回答:则回答的信息包括:请求路径、请求参数、是否存在RCE漏洞、是否存在RCE攻击、漏洞的详情以及攻击载荷信息;Answer: The answer includes: request path, request parameters, whether there is an RCE vulnerability, whether there is an RCE attack, vulnerability details, and attack payload information; S5.2:模型微调执行;S5.2: Model fine-tuning execution; 具体的,使用格式化后的问答样本,启动大语言模型的微调过程;冻结预训练模型的底层参数,保持通用特征;再更新或添加顶层参数,微调将持续至达到预定的训练步骤或误差阈值;Specifically, the formatted question and answer samples are used to start the fine-tuning process of the large language model; the bottom-level parameters of the pre-trained model are frozen to keep the common features; the top-level parameters are then updated or added, and the fine-tuning will continue until the predetermined training steps or error threshold are reached; S5.3:模型验证,对微调后的模型使用测试样本进行评估;S5.3: Model validation, evaluate the fine-tuned model using test samples; 具体的,若模型的识别率达到或超过80%,则认为模型训练成功,可以用于实际应用;若识别率未达标,需进一步分析原因,需要增加更多样本或调整微调参数,然后重新进行微调;Specifically, if the recognition rate of the model reaches or exceeds 80%, the model training is considered successful and can be used for practical applications; if the recognition rate does not meet the standard, further analysis of the reasons is required, and more samples need to be added or fine-tuning parameters need to be adjusted, and then fine-tuning should be performed again; S5.4:持续优化与迭代,根据测试反馈,不断优化模型的微调策略和样本选择。S5.4: Continuously optimize and iterate, and continuously optimize the model's fine-tuning strategy and sample selection based on test feedback. 6.根据权利要求1所述的一种基于全链路跟踪信息的RCE漏洞及威胁识别方法,其特征在于:所述S1的全链路跟踪分析系统包括数据采集器、web服务端和数据采集代理;6. According to claim 1, a RCE vulnerability and threat identification method based on full-link tracking information is characterized in that: the full-link tracking and analysis system of S1 includes a data collector, a web server and a data collection agent; 所述数据采集器负责采集完整的应用访问过程的数据,包括请求的发起、处理以及响应环节;The data collector is responsible for collecting data from the entire application access process, including the initiation, processing and response of requests; 所述web服务端提供用户界面和API接口,用于访问和管理全链路分析系统,还用于处理来自前端的请求,并与后端组件进行交互;The web server provides a user interface and an API interface for accessing and managing the full-link analysis system, and is also used to process requests from the front end and interact with back-end components; 所述数据采集代理部署在各个服务器或应用实例上,用于收集和传输数据到数据采集器或Web服务端。The data collection agent is deployed on each server or application instance, and is used to collect and transmit data to the data collector or Web server. 7.根据权利要求1所述的一种基于全链路跟踪信息的RCE漏洞及威胁识别方法,其特征在于:还包括主动式RCE漏洞挖掘和被动式RCE威胁识别。7. According to claim 1, a RCE vulnerability and threat identification method based on full-link tracking information is characterized in that it also includes active RCE vulnerability mining and passive RCE threat identification. 8.根据权利要求7所述的一种基于全链路跟踪信息的RCE漏洞及威胁识别方法,其特征在于:所述主动式RCE漏洞挖掘包括如下步骤:8. According to claim 7, a RCE vulnerability and threat identification method based on full-link tracking information is characterized in that: the active RCE vulnerability mining includes the following steps: S10:漏洞测试准备,根据目标应用系统的开发语言,装载相应的RCE攻击载荷或构造异常请求,以对系统进行模糊测试;S10: Vulnerability test preparation: according to the development language of the target application system, load the corresponding RCE attack payload or construct an abnormal request to perform fuzz testing on the system; S11:全链路跟踪查询,定期查询目标应用在特定时间范围内的全链路跟踪数据,并解析出事务处理ID和请求路径信息。S11: Full-link tracking query, regularly query the full-link tracking data of the target application within a specific time range, and parse the transaction processing ID and request path information. S12:事务处理分析,根据事务处理ID,使用全链路应用分析事务处理详情api查询事务处理详情,对事务处理详情数据提取关键信息,其中包括请求路径、请求参数和调用树信息;S12: Transaction analysis: Based on the transaction ID, use the full-link application analysis transaction details API to query the transaction details and extract key information from the transaction details data, including request path, request parameters, and call tree information. S13:提交大模型分析,将提取的事务处理信息提交给RCE大语言识别模型,请求模型分析是否存在RCE漏洞及其具体位置;S13: Submit the large model analysis, submit the extracted transaction processing information to the RCE large language recognition model, and request the model to analyze whether there is an RCE vulnerability and its specific location; S14:漏洞识别与定位,RCE大语言识别模型分析提交的信息,识别出请求路径中是否存在RCE漏洞,若发现漏洞,模型将提供应用系统的漏洞位置信息;S14: Vulnerability identification and location. The RCE large language recognition model analyzes the submitted information and identifies whether there is an RCE vulnerability in the request path. If a vulnerability is found, the model will provide vulnerability location information for the application system. 具体的,漏洞位置信息包括应用系统第一个处理请求的入口函数或方法和依赖库中最终执行RCE的函数或方法。Specifically, the vulnerability location information includes the first entry function or method of the application system to process the request and the function or method in the dependent library that ultimately executes the RCE. 9.根据权利要求:7所述的一种基于全链路跟踪信息的RCE漏洞及威胁识别方法,其特征在于:所述被动式RCE威胁识别包括如下步骤:9. According to claim 7, a RCE vulnerability and threat identification method based on full-link tracking information is characterized in that: the passive RCE threat identification includes the following steps: S20:实时监控与查询,实时查询目标应用在全链路跟踪分析系统记录的时间范围内的所有事务处理;S20: Real-time monitoring and query, real-time query of all transaction processing of the target application within the time range recorded by the full-link tracking and analysis system; S21:事务处理分析,根据事务处理ID,使用全链路应用分析事务处理详情api查询事务处理详情,对事务处理详情数据提取关键信息,包括请求路径、请求参数和调用树信息;S21: Transaction analysis: Based on the transaction ID, use the full-link application analysis transaction details API to query the transaction details and extract key information from the transaction details data, including request path, request parameters, and call tree information. S22:信息提交与询问,将提取的事务信息提交给RCE大语言识别模型,询问是否存在RCE漏洞利用攻击及是否存在RCE漏洞;S22: Information submission and inquiry, submitting the extracted transaction information to the RCE large language recognition model to inquire whether there is an RCE vulnerability exploitation attack and whether there is an RCE vulnerability; S23:攻击与漏洞判断,RCE大语言识别模型分析提交的信息,判断是否存在RCE远程代码执行攻击行为,以及目标应用是否存在相应的RCE漏洞;S23: Attack and vulnerability judgment: The RCE large language recognition model analyzes the submitted information to determine whether there is an RCE remote code execution attack behavior and whether the target application has a corresponding RCE vulnerability; S24:安全响应措施,如果只检测到攻击行为而目标应用不存在漏洞,联动安全设备执行安全防护措施,包括阻断恶意请求、记录相关日志和通知系统管理员;S24: Security response measures: if only attack behavior is detected and the target application does not have a vulnerability, the security device will be linked to execute security protection measures, including blocking malicious requests, recording relevant logs, and notifying the system administrator; 如果检测到攻击行为且目标应用存在漏洞,除了执行上述安全防护措施外,还需提交漏洞的详细位置、相关函数和方法信息,同时,组织技术团队对可能的受损情况进行评估和研判。If an attack is detected and a vulnerability exists in the target application, in addition to implementing the above security protection measures, you must submit the detailed location of the vulnerability, related functions and methods, and organize a technical team to evaluate and determine the possible damage.
CN202411401905.XA 2024-10-09 2024-10-09 A RCE vulnerability and threat identification method based on full-link tracking information Pending CN119203161A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411401905.XA CN119203161A (en) 2024-10-09 2024-10-09 A RCE vulnerability and threat identification method based on full-link tracking information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411401905.XA CN119203161A (en) 2024-10-09 2024-10-09 A RCE vulnerability and threat identification method based on full-link tracking information

Publications (1)

Publication Number Publication Date
CN119203161A true CN119203161A (en) 2024-12-27

Family

ID=94059793

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411401905.XA Pending CN119203161A (en) 2024-10-09 2024-10-09 A RCE vulnerability and threat identification method based on full-link tracking information

Country Status (1)

Country Link
CN (1) CN119203161A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100293616A1 (en) * 2009-05-15 2010-11-18 Frederick Young Web Application Vulnerability Scanner
CN115333854A (en) * 2022-09-14 2022-11-11 郭伟基 Cloud service vulnerability prediction method adopting AI and big data analysis and big data system
CN116915459A (en) * 2023-07-13 2023-10-20 上海戎磐网络科技有限公司 Network threat analysis method based on large language model
CN118157961A (en) * 2024-03-15 2024-06-07 国网湖北省电力有限公司信息通信公司 Active simulation intrusion assessment and full-link visual protection system, method and equipment
CN118468284A (en) * 2024-05-10 2024-08-09 中国科学技术大学苏州高等研究院 Smart contract cross-contract fuzz testing method and system guided by large language model

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100293616A1 (en) * 2009-05-15 2010-11-18 Frederick Young Web Application Vulnerability Scanner
CN115333854A (en) * 2022-09-14 2022-11-11 郭伟基 Cloud service vulnerability prediction method adopting AI and big data analysis and big data system
CN116915459A (en) * 2023-07-13 2023-10-20 上海戎磐网络科技有限公司 Network threat analysis method based on large language model
CN118157961A (en) * 2024-03-15 2024-06-07 国网湖北省电力有限公司信息通信公司 Active simulation intrusion assessment and full-link visual protection system, method and equipment
CN118468284A (en) * 2024-05-10 2024-08-09 中国科学技术大学苏州高等研究院 Smart contract cross-contract fuzz testing method and system guided by large language model

Similar Documents

Publication Publication Date Title
US10505966B2 (en) Cross-site request forgery (CSRF) vulnerability detection
US20180349602A1 (en) Security testing framework including virtualized server-side platform
CN113158197B (en) SQL injection vulnerability detection method and system based on active IAST
CN110414222B (en) A method and device for detecting application privacy leakage problem based on component association
CN120050079A (en) Network security penetration detection method and system based on artificial intelligence
CN115408697B (en) Defensive personnel capability assessment method, device, equipment and product in network target range
CN118174928B (en) Coping strategy updating method, system and equipment based on automatic simulation attack
CN108989294A (en) A kind of method and system for the malicious user accurately identifying website visiting
CN113595975A (en) Detection method and device for Webshell of Java memory
CN111611590A (en) Method and device for data security related to application program
CN117150488A (en) Ground-leaving attack detection method and system based on time sequence analysis and memory evidence obtaining
CN112565278A (en) Attack capturing method and honeypot system
CN107819758A (en) A kind of IP Camera leak remote detecting method and device
CN108040036A (en) A kind of industry cloud Webshell safety protecting methods
CN118568737B (en) A software security penetration testing method and system
CN111104670B (en) APT attack identification and protection method
CN119211091A (en) An automatic fuzz testing system for network protocols
CN119203161A (en) A RCE vulnerability and threat identification method based on full-link tracking information
CN119167360A (en) A method for batch detection of malicious behavior of Android applications
CN116318783B (en) Network industrial control equipment safety monitoring method and device based on safety index
CN116318809B (en) Identification method, device, medium and equipment for violent cracking database behaviors
CN112699373A (en) Method and device for detecting SQL injection vulnerability in batch
CN113094715B (en) Network security dynamic early warning system based on knowledge graph
Zhu et al. Evaluating Ethereum reentrancy detection tools via mutation testing
CN116248402A (en) WAF rule evaluation method based on regular analytic tree

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination