计算机工程与科学
COMPUTER ENGINEERING & SCIENCE
2010, Issue 3, pp. 31-34, 65 (5 pages)
余杰, 李舟军, 张翀斌, 李强
network security; vulnerability scanning; scenario-based scanning strategy; scenario tree
At present, the main open-source Web vulnerability scanning tools, such as Nikto and Nessus, suffer from high false-positive and false-negative rates, inaccurate assessment and low scanning efficiency. This paper models the vulnerability scanning process and, building on the traditional configuration-based scanning strategy, proposes a scenario-based scanning strategy. Vulnerability scenarios are described with a scenario tree, and strategies for constructing and maintaining the scenario tree are given. Finally, taking Nikto's vulnerability database as an example, the paper demonstrates how multiple vulnerability test cases are converted into a scenario-tree description. The vulnerability-scenario scanning strategy can improve scanning efficiency, reduce the false-positive rate and improve assessment accuracy.
Recently, Web vulnerability scanning has come to play an important role in network security. However, the most popular open-source Web vulnerability scanners, such as Nikto and Nessus, have been criticized for their high false-positive rates, inaccurate evaluation and low scanning efficiency. In this paper, the process of vulnerability scanning is modeled accurately and a new scenario-based scanning strategy is presented. A vulnerability scenario is described by a scenario tree, and algorithms for constructing and maintaining scenario trees in vulnerability databases are also proposed. Finally, we analyze the vulnerability database of Nikto and demonstrate how to construct a scenario tree from its vulnerability records. We prove and validate that the scenario-based scanning strategy can improve the efficiency and veracity of vulnerability scanning.