漏洞知识图谱数据库详细设计 郝伟 2021/02/17 [TOC]

1. Plant UML 常用符号

@startuml
abstract        abstract
abstract class  "abstract class"
annotation      annotation
circle          circle
()              circle_short_form
class           class
diamond         diamond
<>              diamond_short_form
entity          entity
enum            enum
interface       interface
@enduml

2. 系统整体架构

@startuml
class User{}
class Account{}
class Host{}
class Software{}
class Vulnerability{}
class Platform{}
class IP{}
class Address{}
class Port{}
class DNSName{}
class AddressRange{}
class Service{}
class Malware{}
class Flow{}

User "1" --> "n" Account : hasAccount
Account "1" --> "1" Host : logsInTo
Host "1" --> "n" Software : runs
Host "1" --> "n" Address : exposes
Host "1" --> "n" IP : hasIP
Host --> Platform: runsOn
Address "1" --> "1" IP: hasIP
Address "1" --> "1" Port: hasPort
Address "1" --> "1" DNSName: hasDNSName
Flow "1" --> "2" Address: hasAddress(src, dst)
IP --> AddressRange: inRange
Port "1" --> "1" Service: hasKnownService
Software "1" --> "n" Vulnerability: hasVulnerability
Software "1" --> "n" Flow : hasFlow
Software "1" --> "n" Platform : runsOn
Malware --> Vulnerability : exploits
Malware --> Address : communicatesWith
Malware "1" --> "n" Platform : runsOn

@enduml

3. 节点定义

@startuml
class GObject{
    string id  // 节点编号(唯一)
    string description // 节点描述
    string obj_name // 对象名称,与类名相同
    string data_source // 数据源
    enum type ['v', 'e']    
    double score // 节点的评分
    double score_max // 节点评分上限
    double score_min // 节点评分下限
    double score_description // 节点信息描述(注:描述字段类型疑应为 string,待确认)
}
note left of GObject::"enum type ['v', 'e']"
  所有数据只有两种类型:节点或边。
end note

class Vertex {
    type='v'
}

class User{
    string name
    string user_type
    string mailbox
    string userinfo // 待加入
}

class Account{
    string uid
    string pwd // 不应保存明文口令:仅存储口令哈希或凭据引用
    string source
}

class Host{
    string name
    string running_status
    PlatformType sys_type
}

class Software{
    string nvdId
    string status
    string vendor
    string version
    string language: [cn, en, de, jp]
}

class Platform{
    string name // Ubuntu, Debian, Windows 10, MacOS, etc
    string Platform_type: [Win, Linux, Unix, IOT, Others]
    string version
    string information
}

class Vulnerability{
    string cveid
    string comments
    string solution
    date publish_date
    double cvss_score
    double impact
}

class IP{
    string ip
    int ipInt
    string countryCode
}

enum country{
    string name
    string code
}

class Address{

}

class Port{

}

class DNSName{
    string name
    string dnstype
}

class AddressRange{
    string startIP
    int start_int_IP
    string endIP
    int end_int_IP
}

class Service{
    string name
    string stype
    string version
    string[] notes
}

class Malware{
    string nvdId
    string avName
    string[] aliases
    string sha1hashes
    string md5hashes
    string platform_type: [win, linux, iot]
    string platform_version
    string Malware_type: [exp, poc, payload]
    string signature_date
    string modified_date
}

class Flow{
    string protocol // 流所使用的协议
    string protocol_layer // 所在的层
}



Edge  --> GObject
Vertex  --> GObject
User --> Vertex
Account --> Vertex
Host --> Vertex
Software --> Vertex
Vulnerability --> Vertex
IP --> Vertex
Address --> Vertex
Port --> Vertex
DNSName --> Vertex
AddressRange --> Vertex
Service --> Vertex
Malware --> Vertex
Flow --> Vertex
Attack --> Vertex
Attacker --> Vertex


Software --> "hasVal" Vulnerability

@enduml

4. 边定义

@startuml

class GObject{
    string id  // 节点编号(唯一)
    string description // 节点描述
    string obj_name // 对象名称,与类名相同
    string data_source // 数据源
    enum type ['v', 'e']    
    double score // 节点的评分
    double score_max // 节点评分上限
    double score_min // 节点评分下限
    double score_description // 节点信息描述(注:描述字段类型疑应为 string,待确认)
}

class Edge {
    static int counter // 全局计数器
    Vertex inV  // 进节点
    Vertex outV // 出节点
    type='e'
}

class hasAccount{}
class logsInTo{}
class logsInFrom{}
class runs{}
class runsAs{}
class hasVulnerability{}
class usesAddress{}
class hasDNSName{}
class hasIP{}
class hasPort{}
class inAddressRange{}
class hasKnownService{}
class dstAddress{}
class srcAddress{}
class hasFlow{}
class involvesMalware{}
class exploits{}
class communicatesWith{}
class runsOn{}


Edge  --> GObject
hasAccount --> Edge
logsInTo --> Edge
logsInFrom --> Edge
runs --> Edge
runsAs --> Edge
hasVulnerability --> Edge
usesAddress --> Edge
hasDNSName --> Edge
hasIP --> Edge
hasPort --> Edge
inAddressRange --> Edge
hasKnownService --> Edge
dstAddress --> Edge
srcAddress --> Edge
hasFlow --> Edge
involvesMalware --> Edge
exploits --> Edge
includesFlow --> Edge
communicatesWith --> Edge
runsOn --> Edge
@enduml

5. 参考资料
