安全漏洞库构建及应用研究综述  被引量：1

作　　者：曹旭栋 黄在起 陈禹劼 王文杰 史慧洋 李书豪 张玉清 CAO Xu-Dong;HUANG Zai-Qi;CHEN Yu-Jie;WANG Wen-Jie;SHI Hui-Yang;LI Shu-Hao;ZHANG Yu-Qing(National Computer Network Intrusion Protection Center,University of Chinese Academy of Sciences,Beijing 101408;Zhongguancun Laboratory,Beijing 100094;Hangzhou Institution of Technology,Xidian University,Hangzhou 311231;College of Cyberspace Security,Hainan University,Haikou 570228)

机构地区：[1]中国科学院大学国家计算机网络入侵防范中心,北京101408 [2]中关村实验室,北京100094 [3]西安电子科技大学杭州研究院,杭州311231 [4]海南大学网络空间安全学院,海口570228

出　　处：《计算机学报》2024年第5期1082-1119,共38页Chinese Journal of Computers

基　　金：国家重点研发计划项目(2023YFB3106400,2023QY1202);国家自然科学基金重点项目(U2336203,U1836210);海南省重点研发计划项目(GHYF2022010);北京市自然科学基金(4242031)资助.

摘　　要：在以计算机和网络为基础的信息社会中,计算机和网络系统中存在的漏洞给网络信息安全带来了巨大挑战,大部分网络攻击往往都是基于漏洞发起的,并且随着近些年来漏洞数量的急剧增加以及发现速度的加快,收集、整理和利用已有漏洞就变得越来越重要.而漏洞库作为信息安全基础设施中重要的一环,不仅能够保存各类漏洞的基本信息、特征、解决方案等属性,还能快速响应漏洞信息并及时进行传播,提高公众应对信息安全威胁的能力.同时,随着机器学习、自然语言处理等技术的发展,越来越多的工作开始关注人工智能技术在智能化漏洞信息处理中的应用,漏洞库能作为其中的一个重要数据基础,在计算机领域中发挥着越来越重要的作用.漏洞库研究已成为计算机领域的一个研究热点和重点.本文首次从基础知识、背景、理论方法和创新等方面对近些年来围绕漏洞库的研究进行了全面调查,具体包括以下内容:(1)回顾了漏洞及漏洞库的背景知识,包括定义及分类;还阐述了漏洞发布与漏洞库之间的关系;(2)对漏洞库的发展现状进行介绍,同时介绍了漏洞库建设的相关标准;(3)归纳并总结了已有研究围绕漏洞库建设在漏洞信息收集、管理、字段补全以及质量评价等方面的进展;(4)归纳并总结了已有研究基于漏洞库数据分别在漏洞预测与扫描、漏洞修补、软件安全性及成分分析、网络攻击建模、安全态势分析以及漏洞特征的规律及关联性挖掘等方向的应用;(5)讨论了漏洞库研究存在的挑战和未来的研究方向.In the information society based on computers and networks,vulnerabilities in computer and network systems have brought great challenges to network information security.Most network attacks are launched based on vulnerabilities,and with the sharp increase in the number of vulnerabilities and the speed of discovery in recent years,it is becoming more and more important to collect,manage and exploit existing vulnerabilities.On this basis,as an important part of information security infrastructure,vulnerability database can not only store basic information,characteristics,solutions and other attributes of various vulnerabilities,but also quickly respond to vulnerability information and disseminate it in a timely manner to improve the public's ability to deal with information security threats.At the same time,with the development of machine learning,natural language processing and other technologies,more and more researchers are paying attention to the application of artificial intelligence technology in intelligently processing vulnerability information.The vulnerability database can serve as an important data foundation and play an increasingly important role in the field of computers.Vulnerability database research has become a popular research topic in the field of computer science.This paper is the first comprehensive survey of research on vulnerability databases in recent years,from multiple perspectives including basic concepts,background knowledge,theoretical frameworks,and innovation points.The specific contents include the following:(1)Reviewed the background knowledge of vulnerabilities and vulnerability databases,including definitions and classifications,and also elaborated on the relationship between vulnerability publication and vulnerability databases;(2)Introduced the development status of vulnerability databases,and also discussed standards related to vulnerability database construction;(3)Classified and summarized the existing research progress in vulnerability information collection,management,fill

关 键 词：安全漏洞 漏洞报告 漏洞数据库 漏洞自动化评估 漏洞生命周期 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]