Yan Du (151): A close reading of the doctoral dissertation, Chapter 3, Entity Identification and Location of Security Threats (5)

Published: 2026-06-27 23:27  Views: 1

Share interest, spread happiness,

increase knowledge, and leave something beautiful behind!

Dear reader, this is the LearningYard Academy.

Today the editor brings you

"Yan Du (151): A close reading of Chapter 3, Entity Identification and Location of Security Threats (5), of the doctoral dissertation IoT Device Security Threat Detection and Analysis."

Welcome!

Today the editor introduces Chapter 3, Entity Identification and Location of Security Threats (5), of IoT Device Security Threat Detection and Analysis in three parts: a mind map, an in-depth reading, and supplementary knowledge.

I. Mind Map

II. In-depth Reading

1. Data Collection and Organization

Data sources for security reports. The study compiles a list of security report data sources that can be collected. They fall broadly into three categories: comprehensive security databases, security advisory repositories, and aggregated security advisories from language ecosystems. The list additionally covers security communities, vendor security alerts, and service providers.

2. Quantitative Analysis of Missing Entity Information in Security Reports

Missing links to the software ecosystem. A vulnerability report contains anywhere from a few to several dozen reference links pointing at different sources, including but not limited to vendor security advisories, information security platforms, and vulnerability database archives. In practice, however, these reference lists are often incomplete: some reports contain no link that correctly points into the open-source software ecosystem, and some contain no reference links at all.

Missing information inside the CPE. A typical Common Platform Enumeration (CPE) entry carries a "target_sw" field that describes the target software ecosystem of the vulnerability. A CPE entry always carries the product or software name that uniquely corresponds to the actual product, but the trustworthiness of that field also deserves scrutiny.

3. Entity Identification and Localization of Security Threat Information

The study performs large-scale identification and correlated localization of security threat entities over 177,841 vulnerability reports and 2,673,313 package records drawn from six software ecosystems.

Revising and completing CPE information. Based on its analysis of existing CPE entries, the study recommends attending to two points when building a similar product and package index. First, the target software name attribute should carry the package name exactly as it appears in the target ecosystem, so that the security community and the development community share one identifier. Second, the target software platform attribute "target_sw" should be calibrated and populated.

Completing the reference links in a report. For any given package, its ecosystem builds an index page on the package manager's website; adding that link to the security report gives developers and automated analysis tools an effective lookup path.
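The two gaps quantified in section 2 (a wildcard "target_sw" and a reference list with no ecosystem link) and the two completions recommended in section 3 (align the product field with the ecosystem package name, fill "target_sw", add the package index link) can be checked and applied mechanically over CPE 2.3 strings. The following script is an added example, not code from the dissertation or the post; the registry host list, the target_sw labels written per ecosystem, the package index URL templates and the sample reports with placeholder CVE ids are all constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Component names of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]

# CPE uses '*' (ANY) and '-' (NA) for unspecified values; treat both as missing.
CPE_WILDCARDS = {"*", "-", ""}

# Assumed mappings (not from the dissertation): registry hosts that mark a link as an
# ecosystem link, the target_sw label to write per ecosystem, and the index page template.
ECOSYSTEM_HOSTS = {"pypi.org": "pypi", "www.npmjs.com": "npm", "npmjs.com": "npm",
                   "rubygems.org": "rubygems", "crates.io": "cargo", "pkg.go.dev": "go"}
TARGET_SW_LABEL = {"pypi": "python", "npm": "node.js", "rubygems": "ruby",
                   "cargo": "rust", "go": "go"}
PACKAGE_INDEX = {"pypi": "https://pypi.org/project/{pkg}/",
                 "npm": "https://www.npmjs.com/package/{pkg}",
                 "rubygems": "https://rubygems.org/gems/{pkg}",
                 "cargo": "https://crates.io/crates/{pkg}",
                 "go": "https://pkg.go.dev/{pkg}"}


@dataclass
class Report:
    cve_id: str
    cpes: list        # CPE 2.3 formatted strings
    references: list  # reference URLs


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into named fields.
    Values may contain an escaped colon ("\\:"), so split only on unescaped colons."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def format_cpe23(fields):
    return "cpe:2.3:" + ":".join(fields[name] for name in CPE_FIELDS)


def ecosystem_links(references):
    """Return (ecosystem, url) for every reference that points at a package registry."""
    hits = []
    for url in references:
        host = urlparse(url).netloc.lower()
        if host in ECOSYSTEM_HOSTS:
            hits.append((ECOSYSTEM_HOSTS[host], url))
    return hits


def audit_report(report):
    """Flag the gaps section 2 quantifies: wildcard target_sw, no references, no ecosystem link."""
    issues = []
    for cpe in report.cpes:
        if parse_cpe23(cpe)["target_sw"] in CPE_WILDCARDS:
            issues.append(("target_sw_missing", cpe))
    if not report.references:
        issues.append(("no_references", None))
    elif not ecosystem_links(report.references):
        issues.append(("no_ecosystem_link", None))
    return issues


def summarize(reports):
    """Count how many reports show each kind of gap (each kind counted once per report)."""
    counts = Counter()
    for r in reports:
        for kind in {k for k, _ in audit_report(r)}:
            counts[kind] += 1
    return dict(counts)


def complete_report(report, ecosystem, package):
    """Apply the section 3 completions: product = ecosystem package name, target_sw filled,
    package index link appended. The package name is assumed to need no CPE escaping."""
    index_url = PACKAGE_INDEX[ecosystem].format(pkg=package)
    fixed_cpes = []
    for cpe in report.cpes:
        f = parse_cpe23(cpe)
        f["product"] = package
        f["target_sw"] = TARGET_SW_LABEL[ecosystem]
        fixed_cpes.append(format_cpe23(f))
    refs = list(report.references)
    if index_url not in refs:
        refs.append(index_url)
    return Report(report.cve_id, fixed_cpes, refs)


# Constructed sample reports with placeholder CVE ids (not real advisories).
SAMPLE_REPORTS = [
    Report("CVE-0000-0001", ["cpe:2.3:a:example_vendor:examplepkg:1.2.0:*:*:*:*:*:*:*"],
           ["https://example.com/advisory/1"]),
    Report("CVE-0000-0002", ["cpe:2.3:a:example_vendor:other_pkg:2.0:*:*:*:*:node.js:*:*"],
           ["https://www.npmjs.com/package/other-pkg", "https://example.com/advisory/2"]),
    Report("CVE-0000-0003", ["cpe:2.3:a:example_vendor:third_pkg:*:*:*:*:*:*:*:*"], []),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORTS))
    fixed = complete_report(SAMPLE_REPORTS[0], "pypi", "examplepkg")
    print(fixed.cpes, fixed.references)
```

Run over a real report corpus, `summarize` gives the per-gap counts the chapter's quantitative analysis reports, and `audit_report` returning an empty list after `complete_report` is the check that a corrected entry now carries both the ecosystem identifier and the index link.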

4. Analysis of the Association Between Security Threats and IoT Devices

The relationship between vulnerabilities and IoT devices. Vulnerabilities are distributed across IoT devices in a long tail rather than uniformly; in other words, the top ten device types (or device vendors) account for the majority of vulnerabilities.

The relationship between vulnerability types and IoT devices. Given a mapping (CVE-ID, product type/vendor/product), the corresponding vulnerability type can be looked up from the CVE-ID; here the vulnerability type is expressed as a CWE.

The relationship between vulnerability impact and IoT devices. Given a mapping (CVE-ID, type/vendor/product), the study further measures how severely the vulnerability threatens the IoT device. Severity is expressed with the CVSS score, which ranges from 0 to 10; the higher the CVSS score, the greater the loss and the more easily it occurs.
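The three relationships above are all joins on the CVE-ID: each (CVE-ID, device type/vendor/product) pair is joined with the CVE's CWE and CVSS score, and the joined records are then aggregated. The following is an added example of those aggregations, not code from the dissertation; the records are constructed with placeholder CVE ids and invented vendors and models, and the qualitative bands in `cvss_rating` are the CVSS v3.x severity ratings rather than anything the dissertation states.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    """One joined row: a CVE mapped to the IoT device it affects, plus its CWE and CVSS score."""
    cve_id: str
    device_type: str
    vendor: str
    product: str
    cwe: str
    cvss: float


# Constructed sample rows with placeholder ids; not drawn from the dissertation's data set.
SAMPLE = [
    VulnRecord("CVE-0000-0001", "router", "VendorA", "ModelA1", "CWE-78", 9.8),
    VulnRecord("CVE-0000-0002", "router", "VendorA", "ModelA2", "CWE-787", 8.8),
    VulnRecord("CVE-0000-0003", "router", "VendorB", "ModelB1", "CWE-78", 9.8),
    VulnRecord("CVE-0000-0004", "camera", "VendorC", "CamC1", "CWE-798", 9.8),
    VulnRecord("CVE-0000-0005", "camera", "VendorC", "CamC2", "CWE-287", 7.5),
    VulnRecord("CVE-0000-0006", "router", "VendorA", "ModelA1", "CWE-120", 7.2),
    VulnRecord("CVE-0000-0007", "nas", "VendorD", "NasD1", "CWE-22", 6.5),
    VulnRecord("CVE-0000-0008", "printer", "VendorE", "PrnE1", "CWE-200", 5.3),
    VulnRecord("CVE-0000-0009", "smart_plug", "VendorF", "PlugF1", "CWE-319", 4.3),
    VulnRecord("CVE-0000-0010", "router", "VendorA", "ModelA3", "CWE-78", 8.8),
]


def concentration(records, key, top_n):
    """Share of all vulnerabilities carried by the top_n values of `key` ('vendor' or
    'device_type'). A large share held by few keys is the long-tail signal the chapter describes."""
    counts = Counter(getattr(r, key) for r in records)
    top = counts.most_common(top_n)
    return [k for k, _ in top], sum(c for _, c in top) / len(records)


def cwe_profile(records, device_type):
    """CWE distribution for one device type: (CVE-ID -> CWE) joined with (CVE-ID -> device type)."""
    return Counter(r.cwe for r in records if r.device_type == device_type)


def cvss_rating(score):
    """CVSS v3.x qualitative severity rating for a base score in [0, 10]."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must lie in [0, 10]")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def severity_by_vendor(records):
    """Mean CVSS and the number of Critical/High findings per vendor, highest mean first."""
    scores = defaultdict(list)
    for r in records:
        scores[r.vendor].append(r.cvss)
    out = {}
    for vendor, s in scores.items():
        out[vendor] = {
            "count": len(s),
            "mean_cvss": round(sum(s) / len(s), 2),
            "critical_or_high": sum(1 for x in s if cvss_rating(x) in ("Critical", "High")),
        }
    return dict(sorted(out.items(), key=lambda kv: kv[1]["mean_cvss"], reverse=True))


if __name__ == "__main__":
    print(concentration(SAMPLE, "vendor", 2))
    print(concentration(SAMPLE, "device_type", 1))
    print(cwe_profile(SAMPLE, "router").most_common())
    print(severity_by_vendor(SAMPLE))
```

On the chapter's data set the same `concentration` call with `top_n=10` is what turns the "top ten device types or vendors hold most vulnerabilities" statement into a measured share, and `cwe_profile` per device type shows which weakness classes dominate each class of device.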

III. Supplementary Knowledge

The CVSS score expresses the relationship between vulnerability impact and the IoT device. Given a mapping (CVE-ID, type/vendor/product), the study further measures how severely the vulnerability threatens the IoT device. Severity is expressed with the CVSS score, which ranges from 0 to 10; the higher the CVSS score, the greater the loss and the more easily it occurs.

That's all for today's sharing.

If you have your own thoughts on the article,

please leave us a message,

and let us meet again tomorrow.

Have a happy day!

Translation: Google Translate

Reference material: ChatGPT

Reference: 宋金珂 (Song Jinke). IoT Device Security Threat Detection and Analysis [D]. Beijing Jiaotong University, 2024.

This article was compiled and published by LearningYard Academy. If it infringes any rights, please leave a message in the backend!