Intelligent Perception for Vulnerability Threats in Open-source Software Supply Chain

CLC number: TP311

Fund project: Strategic Priority Research Program of the Chinese Academy of Sciences (XDA0320401); National Natural Science Foundation of China Youth Program (62202457)
Abstract (translated from the Chinese original):

The prosperity of open-source software has driven the vigorous development of the software field and has also promoted the formation of a supply-chain development model based on open-source software. The open-source software supply chain is essentially a complex supply-chain topology network composed of the key elements of the open-source ecosystem and their relationships; advantages such as product globalization help improve the development efficiency of the software industry. However, the open-source software supply chain also has characteristics such as complex dependencies, wide propagation and an expanded exposed attack surface, which bring new security risks. Existing security management based on vulnerabilities and threat intelligence can achieve early warning and proactive defense, but because vulnerability threat information is not obtained in time and information such as attack techniques and mitigation measures is missing, the efficiency of vulnerability handling is seriously affected. To address these problems, an intelligent vulnerability threat perception method for the open-source software supply chain is designed and implemented, consisting of two parts: 1) construction of a CTI (cyber threat intelligence) knowledge graph, during which related techniques are used to achieve real-time analysis and processing of security intelligence; in particular, the SecERNIE model and the software package naming matrix are proposed to mitigate, respectively, the problem of mining vulnerability-threat correlations and the problem of open-source software aliases; 2) vulnerability risk information push, in which software package filtering rules are built on the software package naming matrix to achieve real-time filtering and pushing of vulnerabilities for open-source systems. The effectiveness and usability of the proposed method are verified experimentally. The results show that, compared with traditional vulnerability platforms such as NVD, the method's average perception time is up to 90.03 days earlier; coverage of operating system software improves by 74.37%; and the SecERNIE model maps correlations between 63492 CVE vulnerabilities and attack technique entities. In particular, for the openEuler operating system, the traceable system software coverage reaches 92.76%, and a cumulative 6239 security vulnerabilities are perceived; in addition, 891 vulnerability-attack correlations are found in openEuler, from which the corresponding solutions are obtained, providing a reference for vulnerability handling. Two typical attack scenarios are verified in a real attack environment, demonstrating that the proposed method performs well in vulnerability threat perception.

    Abstract:

The prosperity of open-source software has spurred robust growth in the software industry and has also facilitated the formation of a supply chain development model based on open-source software. Essentially, the open-source software supply chain is a complex topology network, composed of key elements of the open-source ecosystem and their interrelations. Its globalized product advantages contribute to enhancing the development efficiency of the software industry. However, the open-source software supply chain also has characteristics such as intricate dependencies, widespread propagation, and an expanded attack surface, introducing new security risks. Although existing security management based on vulnerabilities and threat intelligence can achieve early warnings and proactive defense, the efficiency of vulnerability handling is severely affected by delays in obtaining vulnerability threat information and by the lack of attack technique and mitigation information. Addressing these issues, a vulnerability threat intelligence sensing method for the open-source software supply chain is designed and implemented, which includes two parts: 1) Construction of the cyber threat intelligence (CTI) knowledge graph. In the process of constructing it, relevant technologies are utilized to achieve real-time analysis and processing of security intelligence. In particular, the SecERNIE model and the software package naming matrix are introduced to address the challenges of vulnerability threat correlation mining and open-source software alias issues, respectively. 2) Vulnerability risk information push: based on the software package naming matrix, software package filtering rules are established to enable real-time filtering and pushing of vulnerabilities in open-source systems. This study validates the effectiveness and applicability of the proposed method through experiments. Results show that, compared to traditional vulnerability platforms like NVD, the proposed method advances the sensing time by an average of up to 90.03 days. The coverage rate of operating system software increases by 74.37%, and using the SecERNIE model, the relationships between 63492 CVE vulnerabilities and attack technique entities are mapped. Specifically, for the openEuler operating system, the traceable system software coverage rate reaches 92.76%, with 6239 security vulnerabilities detected. This study also identifies 891 vulnerability-attack correlations in openEuler, obtaining corresponding solutions that serve as a reference for vulnerability handling. Two typical attack scenarios are verified in a real attack environment, demonstrating the efficacy of the proposed method in vulnerability threat perception.
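The abstract's second component, filtering advisories against a system's package inventory by way of a software package naming matrix, can be illustrated with the following added example. This is an illustration written for this page, not the authors' code or the paper's implementation: it assumes the naming matrix can be represented as a mapping from a distribution's canonical package name to the set of aliases (upstream project names, vendor:product strings, alternative spellings) under which advisory feeds refer to it. The NAMING_MATRIX, the CVE-SAMPLE-* identifiers, the installed-package set and the advisory records are all constructed sample data. Advisories whose product name cannot be resolved through the matrix are kept in a separate queue rather than dropped, because an unresolved alias is exactly the coverage gap the abstract describes.

```python
"""Alias-aware vulnerability filtering for an open-source OS package set.

Added illustration, not the paper's code. It assumes the "software package
naming matrix" can be represented as: canonical distro package -> aliases.
All package names, advisories and identifiers below are constructed samples.
"""
from dataclasses import dataclass
import re

# Constructed naming matrix (assumption about the representation, not the
# paper's data): canonical distribution package -> known aliases.
NAMING_MATRIX = {
    "openssl": {"openssl", "openssl-libs", "libssl"},
    "python3": {"python", "python3", "cpython"},
    "kernel": {"linux", "linux_kernel", "kernel"},
    "log4j": {"log4j", "apache_log4j", "log4j-core"},
}


@dataclass(frozen=True)
class Advisory:
    """One record from an upstream vulnerability feed (constructed sample)."""
    vuln_id: str        # identifier as published by the feed
    product: str        # product name exactly as the feed wrote it
    version_range: str  # affected versions, passed through untouched


def normalize(name: str) -> str:
    """Canonicalise a product name so matrix aliases and feed names compare equal:
    lowercase, strip a vendor prefix ("apache:log4j" -> "log4j"), unify separators."""
    name = name.strip().lower()
    if ":" in name:
        name = name.rsplit(":", 1)[1]
    return re.sub(r"[\s_.\-]+", "-", name)


def build_alias_index(matrix: dict) -> dict:
    """Invert the naming matrix into normalized-alias -> canonical package.
    An alias claimed by two packages is a data error and is rejected early,
    since it would silently push advisories to the wrong package owner."""
    index = {}
    for canonical, aliases in matrix.items():
        for alias in set(aliases) | {canonical}:
            key = normalize(alias)
            if key in index and index[key] != canonical:
                raise ValueError(
                    f"alias {alias!r} is claimed by both {index[key]!r} and {canonical!r}")
            index[key] = canonical
    return index


def resolve_package(product: str, index: dict):
    """Map a feed product name to a canonical package, or None if unknown."""
    return index.get(normalize(product))


def filter_advisories(advisories, installed: set, index: dict) -> dict:
    """Apply the package filtering rule: push only advisories whose product
    resolves to a package that is actually installed on the target system.
    Unresolved names are queued for alias review instead of being discarded."""
    result = {"push": [], "not_installed": [], "unresolved": []}
    for adv in advisories:
        pkg = resolve_package(adv.product, index)
        if pkg is None:
            result["unresolved"].append(adv.vuln_id)
        elif pkg in installed:
            result["push"].append(
                {"vuln_id": adv.vuln_id, "package": pkg, "versions": adv.version_range})
        else:
            result["not_installed"].append(adv.vuln_id)
    return result


# Constructed feed records; the CVE-SAMPLE-* ids are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    Advisory("CVE-SAMPLE-0001", "OpenSSL", "<3.0.7"),
    Advisory("CVE-SAMPLE-0002", "apache:log4j", "2.0 - 2.14.1"),
    Advisory("CVE-SAMPLE-0003", "Linux_Kernel", "<5.10"),
    Advisory("CVE-SAMPLE-0004", "libxml2", "<2.9.14"),   # not in the matrix
    Advisory("CVE-SAMPLE-0005", "CPython", "<3.11"),     # resolves, not installed
]
# Constructed inventory of the monitored system.
SAMPLE_INSTALLED = {"openssl", "kernel", "log4j"}


def demo() -> dict:
    """Run the filter over the constructed samples and return the routing result."""
    return filter_advisories(SAMPLE_ADVISORIES, SAMPLE_INSTALLED,
                             build_alias_index(NAMING_MATRIX))


if __name__ == "__main__":
    outcome = demo()
    for item in outcome["push"]:
        print(f"PUSH {item['vuln_id']} -> {item['package']} ({item['versions']})")
    print("needs alias review:", outcome["unresolved"])
```

Running the block pushes the three advisories that resolve to installed packages, holds back the CPython advisory because python3 is absent from the sample inventory, and flags libxml2 for alias review. In practice the naming matrix is the part that needs continual maintenance: every feed product name that lands in the unresolved queue is a candidate alias to add.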

Cite this article:

Wang Limin (王丽敏), Wu Jingzheng (吴敬征), Wu Yanjun (武延军), Rui Zhiqing (芮志清), Luo Tianyue (罗天悦), Qu Sheng (屈晟), Yang Mutian (杨牧天). Intelligent Perception for Vulnerability Threats in Open-source Software Supply Chain. Journal of Software (软件学报), ,():1-26

History
  • Received: 2022-11-29
  • Revised: 2023-05-10
  • Published online: 2024-11-01
Copyright: Institute of Software, Chinese Academy of Sciences