An Efficient Method for Scheduling Massive Vulnerability Scanning Plug-ins

Abstract

More and more security vulnerabilities were found in network softwares nowadays, making network security assessment one of the most important tasks for IT administrators. Vulnerability scanner is the key application for fulfilling such tasks. However, large numbers of vulnerabilities result in even larger number of vulnerability plug-ins including common plug-ins and specific plug-ins, which may involve complex dependencies. Therefore, how to schedule such large number of plug-ins in an efficient manner is a key problem for improving the performance of vulnerability scanners. We analyze the current algorithms and find that they doesn't take the dependencies into consideration or doesn't handle it properly, which would waste a considerable CPU time for scanning. This paper proposes an efficient plug-in scheduling algorithm based on DAG graph. We formalize plug-in scheduling as a tree-like topological sorting problem using DAG theory, in which multi-thread is treated as task lines and all plug-ins are deployed on the task lines. Each task line is occupied by the plug-ins for a period of executing time and waiting time. By constructing the DAG graph of all plug-ins and computing their ``height'' value, sorting the plug-ins and aligning them to a linked list for scheduling, we solve the plug-in dependency problem properly, therefore eliminate the possibilities that non-ready plug-ins being scheduled to execute. We carry out experiments to validate the effectiveness of our algorithm.