Design And Implementation Of Distributed Vulnerability Assessment System

Posted on: 2010-06-29
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhang
Full Text: PDF
GTID: 2178360272994506
Subject: Computer software and theory
Abstract/Summary:
The development of computing technologies has profoundly influenced people's lives, and various computing systems have been introduced into production systems. On the one hand, advances in computing technologies have improved social productivity; on the other hand, vulnerabilities in the computing technologies themselves threaten production systems. Vulnerabilities in computing systems are often exploited by attackers and inevitably affect production systems. Introducing a vulnerability assessment system into production systems can alleviate these adverse effects and consolidate the security of production systems.

Vulnerabilities are exposed faster than patches are published, and technical capability is unevenly distributed among security tool manufacturers, so manufacturers need a broader range of cooperation and mutual understanding. Differences between the standards in use mean that manufacturers cannot understand and consume the security data that each other produces, which makes vulnerability assessment more difficult and complex to clean up.

In addition, computing networks differ in size, configuration and performance, and therefore have different requirements for vulnerability assessment. Vulnerability assessment technologies based on a single structure require either higher computing cost or additional network resources, place a certain burden on computing networks, and are not applicable to every computing network.

Considering the above facts, and in order to reduce computing cost, save network expense and shorten the window between vulnerability exposure and patch publication, the paper, after researching the rationale and technologies relevant to vulnerability assessment, designs and initially implements a multi-tiered, server-based, mixed-structure, distributed vulnerability assessment system.

The system 1) arranges multiple servers to handle clients' business; 2) centralizes the management of servers by dividing them into multiple layers; 3) supports multiple vulnerability assessment methods and can select the appropriate method according to the performance of the computing network; 4) uses a plug-in architecture to improve the scalability of the system, so that new vulnerabilities can be assessed by adding new plug-ins; 5) uses mature technologies such as NASL to achieve network-based vulnerability assessment; 6) introduces international standards such as CPE, CVE and OVAL to strengthen interoperability between security tools; 7) has a friendly web-based human-machine interface through which operators can browse and discover hosts and add or remove assessment tasks.

The implementation of the system shows that the design has strong flexibility and high practical value, and that it helps to eliminate differences in technical capability among security tool manufacturers, shorten the window between vulnerability exposure and patch publication, and strengthen the security of production systems.
Keywords/Search Tags:vulnerability, vulnerability assessment, OVAL, CPE, CVE