2017 2nd International Conference on Artificial Intelligence and Engineering Applications (AIEA 2017)
ISBN: 978-1-60595-485-1
Research and Design of Network Version Vulnerability Scanning System Based on WEB
YONGCAI XIAO, HAO YANG, NAN LIN and LINGLING ZHANG
ABSTRACT
To address the network security vulnerability scanning problem of large enterprises, this article proposes a web-based network version vulnerability scanning system that matches the needs of an enterprise with many branches. The server is built around a port scanning module and a crawling module; the port scanning module adopts a combined scanning mode made up of a fully connected scanning mode and a semi-connected scanning mode. A prototype experiment proves the feasibility of the design, so the system can be applied well in enterprises with many branches.
KEYWORDS
WEB, Network, Vulnerability Scanning, System.
INTRODUCTION
Recently, as information applications have expanded within enterprises, the problem of information security has become more and more serious, and vulnerabilities in hosts, terminals and application systems have become an essential part of that problem.
Traditionally, enterprises rely on portable equipment and a random sampling method, but with this approach it is hard to achieve full coverage in vulnerability detection scanning, and also difficult to ensure that the work is finished on time.
Therefore, the research and design of a web-based network version vulnerability scanning system is the best way to solve this problem.
Client design
The client is implemented in a B/S (browser/server) structure over HTTPS in order to increase the security of the system. The following designs were mainly used to give users a friendly interface.
(1) Parameter prompts on the input interface. Users only need to input the IP address and corresponding port of the target system to be detected; any other options can be attached after the input IP, target network or host as parameters.
(2) Various parameter input modes. In addition to manual input, a file input mode is also supported.
(3) Diversified reporting of results. Word, Excel, PDF and other document formats are supported for the report, for the convenience of users.
(4) Repair advice linked one-to-one to each vulnerability. In order to solve vulnerabilities timely and conveniently, each vulnerability is linked one-to-one to an entry in the repair database in the backend, and the result integrates the repair advice, so users obtain a clear repair service.
Server design
The server mainly consists of the main control module, which is the core of the whole system. The server first accepts the custom scan request submitted by a client, then schedules each module according to the control strategy and searches the relevant feature database; after that, advice is given using the plug-in library, and the scan result is written to the report in the user-defined format. The port scanning module and the crawling module are the core of the main control module.
Port scanning module
Ping packets are commonly used in port scanning, but this approach produces a flood of packets that increases the burden on the enterprise network. Therefore this article adopts a combination of fully connected scanning and semi-connected scanning in the design of the port scanning module.
Fully connected scanning first creates a socket with socket(AF_INET, SOCK_STREAM, 0), which uses the default TCP/IP protocol, and then sends a connection request to the target host through connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)). If the port is open, the connection completes and a response is returned, so the scanning detection can start.
Semi-connected scanning is achieved by parsing TCP/IP packets; the specific process is shown in Figure 1.
[Figure 1: flow chart of the semi-connected scanning process; image not recovered.]
[Figure 2: image not recovered; nodes of the flow chart: start; Set root URL; Effective URL? / Reset URL; Crawl thread of extracting links; Unsearched queue; Analysis thread of extracting protocol data; Protocol database; Complete? / Finish (with Y/N branches).]
Figure 2. Flow chart of the crawling module extracting protocol data.
This design, combining the two scanning modes, not only effectively avoids extra burden on the enterprise network but also minimizes the problem of partial coverage.
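As an added illustration, not the paper's code, the fully connected scanning mode described above written in Python with the same socket() and connect() calls the paper names. The decision rule is the point: a completed handshake means the port is open, a refused connection means it is closed, and no answer within the timeout is reported as filtered. The loopback listener, the timeout value and the state names are constructed for this example; the semi-connected mode is not shown, since it works on raw TCP/IP packets rather than the socket API.

```python
import socket

# Added example (not the paper's code): the fully connected scanning mode of the
# port scanning module. socket(AF_INET, SOCK_STREAM, 0) asks for the default
# stream protocol, i.e. TCP; the state of a port is derived from what connect()
# does: completed handshake = open, ECONNREFUSED (RST) = closed, timeout or
# other network error = filtered (no reply, e.g. dropped by a firewall).


def probe_port(host, port, timeout=1.0):
    """Full-connect probe of one TCP port; returns 'open', 'closed' or 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "closed"      # RST came back: host alive, nothing listening
        except (socket.timeout, OSError):
            return "filtered"    # no reply within the timeout, or unreachable
        return "open"            # handshake completed; 'with' closes it (FIN)


def scan_ports(host, ports, timeout=1.0):
    """Scan a list of ports and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def summarize(results):
    """Count ports per state, the figure a report module would print."""
    summary = {"open": 0, "closed": 0, "filtered": 0}
    for state in results.values():
        summary[state] += 1
    return summary


def demo():
    """Self-contained run on loopback: open a listener (constructed target),
    probe it, close it and probe again, so both decisions are exercised."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
    listener.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    while_open = probe_port("127.0.0.1", port)
    listener.close()
    after_close = probe_port("127.0.0.1", port)
    return port, while_open, after_close


if __name__ == "__main__":
    port, before, after = demo()
    print(f"port {port}: {before} while listening, {after} after close")
```

Because the full three-way handshake completes, the target host logs a real connection for every open port it is probed on, which is exactly the visibility a defender can use to audit when and from where the scanner ran.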
Crawling module
The crawling module is the core component for realizing vulnerability detection; it can use the functions of Libwhisker directly through function calls. To extract the scanned data of a device with the crawling module, the first step is response analysis: first strip the non-key content of the response, then analyze the key part and extract the various data, including commands, links, file names, form input fields, hidden fields and select fields. After analysis, the second step is to save the protocol data to the specific protocol data table in the protocol database. Figure 2 shows the flow chart of the process by which the crawling module extracts protocol data.
The two major tasks of the crawling module are crawling and analysis: data is obtained by crawling, and contrast analysis is carried out by calling the vulnerability feature library. These two processes are intertwined, analysis proceeding alongside crawling, until scanning detection is complete and result data is generated.
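The two steps of the crawling module, as an added example that is neither the paper's code nor Libwhisker's: response analysis that drops non-key content (script and style bodies, comments) and extracts links, form input fields, hidden fields and select fields, followed by saving those items to a protocol data table. The root-URL scope check and the unsearched queue follow the nodes of Figure 2. The sample HTML response, the root URL and the protocol_data schema are constructed for this example.

```python
import sqlite3
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample response: the script body, style body and HTML comment are
# "non-key content" and must not yield links; the form carries text, hidden and
# select fields that the analysis step should record.
SAMPLE_PAGE = """<html><head><style>a { color: red }</style>
<script>var s = '<a href="/not-a-real-link">';</script></head>
<body><!-- <a href="/commented-out">ignored</a> -->
<a href="/login">Login</a> <a href="http://other.example/out">External</a>
<form action="/login" method="post">
  <input type="text" name="user"> <input type="password" name="pass">
  <input type="hidden" name="csrf" value="abc">
  <select name="role"><option>user</option></select>
</form></body></html>"""


class ResponseAnalyzer(HTMLParser):
    """Response analysis: keep links and form fields, drop everything else.
    HTMLParser treats <script>/<style> bodies as raw text, so tags inside them
    are never reported; comments arrive via handle_comment and are ignored."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.links = []            # absolute URLs found in <a href>
        self.fields = []           # (form_action, field_name, kind)
        self._form_action = None   # action of the <form> currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.page_url, a["href"]))
        elif tag == "form":
            self._form_action = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input" and a.get("name"):
            kind = "hidden" if a.get("type", "text").lower() == "hidden" else "input"
            self.fields.append((self._form_action, a["name"], kind))
        elif tag == "select" and a.get("name"):
            self.fields.append((self._form_action, a["name"], "select"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None

    def handle_comment(self, data):
        pass  # non-key content, discarded


def in_scope(root_url, url):
    """The 'Effective URL?' check of Figure 2: same scheme and host as the root."""
    r, u = urlparse(root_url), urlparse(url)
    return (u.scheme, u.netloc) == (r.scheme, r.netloc)


def open_protocol_db():
    """Protocol database with one protocol data table (schema assumed here)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE protocol_data (page TEXT, item_type TEXT, form_action TEXT,"
               " name TEXT, UNIQUE(page, item_type, form_action, name))")
    return db


def analyze_and_store(db, root_url, page_url, body, unsearched, seen):
    """Analyze one response, save its protocol data, queue new in-scope links.
    Returns the number of protocol data rows recorded for this page."""
    parser = ResponseAnalyzer(page_url)
    parser.feed(body)
    rows = [(page_url, "link", "", link) for link in parser.links]
    rows += [(page_url, kind, action, name) for action, name, kind in parser.fields]
    db.executemany("INSERT OR IGNORE INTO protocol_data VALUES (?,?,?,?)", rows)
    for link in parser.links:
        if in_scope(root_url, link) and link not in seen:
            seen.add(link)
            unsearched.append(link)   # the "unsearched queue" of Figure 2
    return len(rows)


def demo():
    """Analyze the constructed page as if it were the root URL's response."""
    root = "http://intranet.example/"   # constructed root URL
    db = open_protocol_db()
    unsearched, seen = deque(), {root}
    stored = analyze_and_store(db, root, root, SAMPLE_PAGE, unsearched, seen)
    items = sorted(db.execute("SELECT item_type, name FROM protocol_data"))
    return stored, list(unsearched), items


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The external link is still recorded as protocol data but never queued, which keeps the crawl inside the root URL's scope; hidden fields such as the csrf token are kept separately from visible inputs because the later contrast analysis treats them differently.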
Database design
Since the client submits vulnerabilities to the server, the database information provides strong support for the overall judgment and processing. At the same time, on the basis of historical records, a best vulnerability solution can be given. The database of this system consists of a vulnerability database, a plug-in library and a repair database.
TABLE 1. FRAME OF BASIC VULNERABILITY INFORMATION.
Field        Type
ID           INTEGER
NAME         VARCHAR
TYPE         INTEGER
DESCRIPTION  VARCHAR
LEVEL        INTEGER

TABLE 2. FRAME OF PLUG-IN BASIC INFORMATION TABLE.
Field        Type
ID           INTEGER
NAME         VARCHAR
STYPE        INTEGER
ROUTE        VARCHAR
PORT         INTEGER
IP ADDRESS   INTEGER

TABLE 3. FRAME OF REPAIR SCHEME BASIC INFORMATION TABLE.
Field        Type
ID           INTEGER
NAME         VARCHAR
DESCRIPTION  VARCHAR
STYPE        VARCHAR
ROUTE        VARCHAR
PARAMETERS   INTEGER
The plug-in library stores plug-in information used by the vulnerability verification module; its most important content is the plug-in basic information table. This table covers common attacks such as buffer overflow attacks and denial of service attacks. The frame of the plug-in basic information table is shown in Table 2.
The repair database stores information about vulnerability repair schemes and provides all kinds of repair schemes. Table 3 is the frame of basic information about repair schemes.
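As an added example, not the paper's code, the three tables of this database design created in SQLite with the fields and types of Tables 1 to 3, with a repair scheme linked one-to-one to each vulnerability as the client design requires, and a report query that tolerates a vulnerability with no repair scheme on file. The table names, the LEVEL codes, IP_ADDRESS as the column name for "IP ADDRESS", and the sample rows (which mirror the prototype test's counts of one low-risk and three information-level findings) are assumptions of this example.

```python
import sqlite3

# Added example (not the paper's code). Column names and types follow Tables 1-3;
# table names, LEVEL codes and all sample rows are constructed for the example.
LEVEL_NAMES = {0: "information", 1: "low", 2: "medium", 3: "high"}   # assumed codes

SCHEMA = """
CREATE TABLE vulnerability (   -- Table 1
    ID INTEGER PRIMARY KEY, NAME VARCHAR, TYPE INTEGER, DESCRIPTION VARCHAR, LEVEL INTEGER);
CREATE TABLE plugin (          -- Table 2 ("IP ADDRESS" written as IP_ADDRESS)
    ID INTEGER PRIMARY KEY, NAME VARCHAR, STYPE INTEGER, ROUTE VARCHAR,
    PORT INTEGER, IP_ADDRESS INTEGER);
CREATE TABLE repair (          -- Table 3; ID equals the vulnerability ID (one-to-one)
    ID INTEGER PRIMARY KEY REFERENCES vulnerability(ID),
    NAME VARCHAR, DESCRIPTION VARCHAR, STYPE VARCHAR, ROUTE VARCHAR, PARAMETERS INTEGER);
"""


def build_db():
    """Create the three tables and seed them with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO vulnerability VALUES (?,?,?,?,?)", [
        (1, "Anonymous IPC$ connection allowed", 1,
         "Null-session access to the IPC$ share is permitted", 1),
        (2, "Host answers ICMP echo", 2, "Host is reachable by ping", 0),
        (3, "Operating system identified", 2, "OS overview returned Windows 7", 0),
        (4, "Open port list obtained", 2, "Port scan enumerated listening services", 0),
    ])
    db.executemany("INSERT INTO repair VALUES (?,?,?,?,?,?)", [
        (1, "Delete anonymous IPC$ connection",
         "If anonymous IPC$ access is not needed, run: net share IPC$ /DELETE",
         "command", "cmd.exe", 0),
        (2, "Restrict ICMP at the host firewall",
         "Block inbound echo requests if they are not required", "policy", "firewall", 0),
        (3, "No action", "Informational only", "none", "", 0),
        # deliberately no repair row for ID 4: report() must cope with a missing scheme
    ])
    db.executemany("INSERT INTO plugin VALUES (?,?,?,?,?,?)", [
        (1, "smb_null_session_check", 1, "plugins/smb/null_session", 445, 0),
    ])
    return db


def report(db, found_ids):
    """Join each detected vulnerability to its one-to-one repair scheme.
    LEFT JOIN keeps findings that have no repair entry; unknown IDs are skipped."""
    rows = []
    for vid in found_ids:
        row = db.execute(
            "SELECT v.NAME, v.LEVEL, r.NAME, r.DESCRIPTION FROM vulnerability v "
            "LEFT JOIN repair r ON r.ID = v.ID WHERE v.ID = ?", (vid,)).fetchone()
        if row is None:
            continue   # plugin reported an ID absent from the feature database
        name, level, rname, rdesc = row
        rows.append({"vulnerability": name,
                     "level": LEVEL_NAMES.get(level, "unknown"),
                     "repair": f"{rname}: {rdesc}" if rname else "no repair scheme on file"})
    return rows


def count_by_level(rows):
    """Per-level totals, the headline numbers of the scan report."""
    counts = {}
    for r in rows:
        counts[r["level"]] = counts.get(r["level"], 0) + 1
    return counts


if __name__ == "__main__":
    db = build_db()
    rows = report(db, [1, 2, 3, 4])
    print(count_by_level(rows))
    for r in rows:
        print(r["level"], "|", r["vulnerability"], "|", r["repair"])
```

The LEFT JOIN is the practical point: a report that silently dropped a finding because its repair entry was missing would understate the host's exposure, so the fallback string makes the gap visible to the operator instead.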
SYSTEM TEST
On the basis of the design model, a prototype was built. Using this prototype, one enterprise internal host running the Windows 7 operating system was tested. The result shows four vulnerabilities, including one low-risk vulnerability and three information-level vulnerabilities, while the numbers of warnings and prompts are zero.
Based on the scanning result, the system gives repair advice and a detailed description; this article shows the low-risk vulnerability result.
Repair advice: If the anonymous IPC$ connection is not necessary, delete it. Operate as follows to delete the anonymous IPC$ connection:
Enter in the CMD console window: net share IPC$ /DELETE.
Or open "Administrative Tools" -> "Local Security Policy" -> "Local Policies" -> "Security Options", double-click "Additional restrictions for anonymous connections", and select "No access without explicit anonymous permissions".
According to the test result, the system works well for port scanning of hosts, operating system overview and vulnerability detection, and can provide relevant repair advice. The system therefore meets its design target and proves to be practical.
CONCLUSION
To solve the outstanding problem of information security vulnerability scanning in large enterprises, this article studies vulnerability scanning technology and proposes a web-based network version vulnerability scanning system. A prototype was built on the design model to prove its feasibility. This system is particularly suitable for large enterprises with many branches. Owing to limits of time, environment, the authors' limited network security knowledge and other reasons, the prototype system still needs further improvement. In the next stage, how to optimize the algorithm to improve scanning efficiency and accuracy, and how to improve the plug-in technology to meet more vulnerability scanning demands, will be the focus of research.
ACKNOWLEDGMENTS
This work was supported by the project "Study on Intelligent Safety Detection System of Information Network in Jiangxi Power Grid Based on Novel Vulnerability Detection Technology of CSRF" (52182014001K).