CN109842632B - Vulnerability determination method and system of network system and related components - Google Patents


Info

Publication number
CN109842632B
Authority
CN
China
Prior art keywords
attack
simulation
network system
vulnerability
information
Legal status
Active
Application number
CN201910239330.9A
Other languages
Chinese (zh)
Other versions
CN109842632A (en)
Inventor
王朋涛
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN201910239330.9A
Publication of CN109842632A
Application granted
Publication of CN109842632B
Legal status: Active


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a vulnerability determination method for a network system, which comprises the steps of: obtaining threat intelligence of the network system and analyzing the threat intelligence to obtain a plurality of sub-intelligence items; determining, in an attack simulation knowledge base, an attack simulation vector corresponding to each sub-intelligence item; executing simulated attack operations in the network system by using all the attack simulation vectors to obtain a simulated attack result; and determining vulnerability information of the network system according to the simulated attack result. The method can determine the vulnerability of the network system and analyze its security situation. The application also discloses a vulnerability determination system for the network system, a computer-readable storage medium and an electronic device, which have the same beneficial effects.

Description

Vulnerability determination method and system of network system and related components
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and a system for determining vulnerability of a network system, a computer-readable storage medium, and an electronic device.
Background
Current IT environments are full of traditional, modern and dynamic assets: in addition to physical servers, network systems embrace virtual and cloud assets that can be deployed quickly as needed, but these flexible assets increase the risk exposure of the network system.
In order to deal with these risks, the related art purchases a large number of security devices and mechanically stacks them together. However, such blind mechanical stacking cannot determine the vulnerability of the network system, and cannot give a full understanding of its security protection capability.
Therefore, how to determine the vulnerability of a network system and analyze its security situation is a technical problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The purpose of the present application is to provide a vulnerability determination method and system for a network system, a computer-readable storage medium and an electronic device, which can determine the vulnerability of the network system and analyze its security situation.
In order to solve the above technical problem, the present application provides a vulnerability determination method for a network system, where the vulnerability determination method includes:
obtaining threat intelligence of the network system and analyzing the threat intelligence to obtain a plurality of sub-intelligence items;
determining, in an attack simulation knowledge base, an attack simulation vector corresponding to each sub-intelligence item;
executing simulated attack operations in the network system by using all the attack simulation vectors to obtain a simulated attack result;
and determining vulnerability information of the network system according to the simulated attack result.
Optionally, the executing simulated attack operations in the network system by using all the attack simulation vectors includes:
putting all the attack simulation vectors into a simulation vector pool, and executing a deduplication operation and a correlation analysis operation on the simulation vector pool to obtain target attack simulation vectors, where the simulation vector pool is a storage space for storing simulation vectors;
and executing the simulated attack operations in target nodes of the network system by using the target attack simulation vectors.
Optionally, the executing the simulated attack operations in target nodes of the network system by using the target attack simulation vectors includes:
adjusting the configuration parameters of each target attack simulation vector according to the parameter information of the target node of the network system;
and executing, in the target node, the simulated attack operation corresponding to the target attack simulation vector whose configuration parameters have been adjusted.
Optionally, after the vulnerability information of the network system is determined according to the simulated attack result, the method further includes:
generating a corresponding security protection scheme for the network system according to the vulnerability information.
Optionally, the threat intelligence comprises any one or a combination of asset intelligence, traffic intelligence, vulnerability intelligence and malware intelligence.
Optionally, the method further includes:
determining an attack chain corresponding to the attack simulation vectors according to the simulated attack result, so as to execute an attack tracing operation by using the attack chain.
The present application also provides a vulnerability determination system for a network system, the vulnerability determination system including:
an intelligence acquisition module, configured to acquire threat intelligence of the network system and analyze it to obtain a plurality of sub-intelligence items;
a vector determination module, configured to determine, in an attack simulation knowledge base, an attack simulation vector corresponding to each sub-intelligence item;
a simulated attack module, configured to execute simulated attack operations in the network system by using all the attack simulation vectors to obtain a simulated attack result;
and a vulnerability determination module, configured to determine vulnerability information of the network system according to the simulated attack result.
Optionally, the simulated attack module includes:
a preprocessing unit, configured to put all the attack simulation vectors into a simulation vector pool and execute a deduplication operation and a correlation analysis operation on the simulation vector pool to obtain target attack simulation vectors;
and a simulation unit, configured to execute the simulated attack operations in the target nodes of the network system by using the target attack simulation vectors.
Optionally, the simulation unit includes:
a parameter configuration subunit, configured to adjust the configuration parameters of each target attack simulation vector according to the parameter information of the target node of the network system;
and an execution subunit, configured to execute, in the target node, the simulated attack operation corresponding to the target attack simulation vector whose configuration parameters have been adjusted.
Optionally, the system further includes:
a deployment scheme generation module, configured to generate a corresponding security protection scheme for the network system according to the vulnerability information, after the vulnerability information of the network system has been determined according to the simulated attack result.
Optionally, the threat intelligence comprises any one or a combination of asset intelligence, traffic intelligence, vulnerability intelligence and malware intelligence.
Optionally, the system further includes:
a tracing module, configured to determine an attack chain corresponding to the attack simulation vectors according to the simulated attack result, so as to execute an attack tracing operation by using the attack chain.
The present application further provides a computer-readable storage medium on which a computer program is stored; when executed, the computer program implements the steps of the above vulnerability determination method for a network system.
The present application also provides an electronic device comprising a memory and a processor, where the memory stores a computer program and the processor, when calling the computer program in the memory, implements the steps of the above vulnerability determination method for a network system.
The application provides a vulnerability determination method for a network system, which comprises the steps of: obtaining threat intelligence of the network system and analyzing the threat intelligence to obtain a plurality of sub-intelligence items; determining, in an attack simulation knowledge base, an attack simulation vector corresponding to each sub-intelligence item; executing simulated attack operations in the network system by using all the attack simulation vectors to obtain a simulated attack result; and determining vulnerability information of the network system according to the simulated attack result.
According to the method and the system, the corresponding attack simulation vectors in the attack simulation knowledge base are determined according to each sub-intelligence item of the obtained threat intelligence, and because the attack simulation knowledge base comprises simulation vectors corresponding to each attack step of the attack chain, the attack simulation vectors can be used to carry out simulated attacks in the network system and obtain the corresponding simulated attack result. By combining threat intelligence with an attack simulation knowledge base, the method and the system can determine the vulnerability information of the network system through simulated attacks and evaluate the security protection capability of the network system according to that vulnerability. Therefore, the vulnerability of the network system can be determined and its security situation analyzed. The application also provides a vulnerability determination system for the network system, a computer-readable storage medium and an electronic device, which have the same beneficial effects and are not described herein again.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a flowchart of a vulnerability determination method of a network system according to an embodiment of the present application;
Fig. 2 is a flowchart of a method for simulating an attack according to an embodiment of the present application;
Fig. 3 is a flowchart of another vulnerability determination method of a network system according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a vulnerability determination system of a network system according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to Fig. 1, Fig. 1 is a flowchart of a vulnerability determination method of a network system according to an embodiment of the present application.
The specific steps may include:
S101: obtaining threat intelligence of the network system and analyzing the threat intelligence to obtain a plurality of sub-intelligence items;
The purpose of this step is to learn the network security status of the network system. The threat intelligence acquired here may be information that was acquired and stored in a preset location in advance before this step, or information that is acquired only when this step is executed; this is not limited here.
Threat intelligence refers to all the clues needed to reconstruct an attack that has occurred and to predict an attack that has not yet occurred. The threat intelligence obtained by this embodiment can be of various kinds. Divided according to the way it is obtained, threat intelligence can be passively collected information or actively collected information. Specifically, passive information collection refers to querying information about the target system (i.e., the network system of this embodiment) through third-party data without establishing any contact with the target system, which is often referred to as footprinting. Techniques for passive information collection may include the gathering and use of various open-source intelligence, such as information collection using a search engine. Active information collection refers to collecting information by directly contacting the target system; whether the target website is crawled or communication is carried out with target personnel, this is active information collection.
Of course, if divided according to intelligence content, threat intelligence may include any one or a combination of asset intelligence, fingerprint intelligence, traffic intelligence, vulnerability intelligence and malware intelligence. Specifically, asset intelligence refers to the network IP and domain name assets and their attributes, such as DNS resolution records, ICP filing information, whois information and fingerprint information, which are discovered precisely using passive and active information collection methods. Fingerprint intelligence is a subset of asset intelligence, including the operating system, port services, web containers (e.g., Apache), site-building languages (e.g., PHP), site-building front-end frameworks (e.g., jQuery), site-building back-end frameworks (e.g., Django), firewall information, and so on. Traffic intelligence is traffic information collected through full-traffic mirroring, SNMP (Simple Network Management Protocol) monitoring or NetFlow monitoring, such as the five-tuple of a data flow and the traffic volume. Vulnerability intelligence refers to information such as a vulnerability base database and the latest exploitation posture of 0day vulnerabilities (in-the-wild vulnerabilities). Malware intelligence refers to the malware (ransomware, mining, remote control, etc.) base database as well as the latest active malware data, such as C2 domain names or IP addresses, malware MD5 values, the vulnerabilities exploited by the malware, and malware file and process behavior. Vulnerability and malware intelligence need not be limited to the vulnerabilities and malware known to the organization's network, but may also include the latest external vulnerability and malware intelligence.
The threat intelligence obtained in this step can be a combination of a plurality of sub-intelligence items, where a sub-intelligence item can be asset intelligence, fingerprint intelligence, traffic intelligence, vulnerability intelligence or malware intelligence. Therefore, after obtaining the threat intelligence, this step first analyzes it to obtain a plurality of sub-intelligence items, so that the subsequent operations can be executed on each item. As a possible implementation, the type of each sub-intelligence item may be determined, and the type information may further be sent to the maintenance personnel, so that they know the composition of the threat intelligence.
S102: determining, in an attack simulation knowledge base, an attack simulation vector corresponding to each sub-intelligence item;
The attack simulation knowledge base is a concept in network security detection; to explain it fully, the ATT&CK threat detection knowledge base needs to be explained first. ATT&CK stands for adversarial tactics, techniques and common knowledge. The ATT&CK threat detection knowledge base is a knowledge base of adversary tactics and techniques that is continuously summarized on the basis of the Kill Chain; it can clarify threats, defines them in a universal language and framework, and is built by continuously accumulating the analysis of various detected attacks. The ATT&CK threat detection knowledge base is also called an attack knowledge graph. The network architecture can now be considered hierarchical and may include layers such as terminals, branches, borders, campuses, data centers and clouds. The attack simulation knowledge base is a specific implementation of the ATT&CK threat detection knowledge base: it can comprise not only single-layer simulated attack vectors, but also the plurality of attack steps obtained by splitting an attack scenario along the Kill Chain, together with the multi-layer simulated attack vectors matched to those attack steps.
The attack simulation knowledge base can hold attack simulation vectors corresponding to each sub-intelligence item, and this step can determine the corresponding attack simulation vectors according to the type and specific content of each item. For example, if the sub-intelligence item is asset intelligence (i.e., asset information found by an asset discovery engine) whose content is that a fingerprinted asset runs a Struts2 website framework, harmless Struts2 simulation attack vectors can be found by matching against the attack simulation knowledge base.
It should be noted that the same sub-intelligence item may correspond to a plurality of attack simulation vectors, and there may also be sub-intelligence items for which no corresponding attack simulation vector exists in the attack simulation knowledge base; the number of attack simulation vectors corresponding to a sub-intelligence item is not limited in this embodiment.
S103: executing simulated attack operations in the network system by using all the attack simulation vectors to obtain a simulated attack result;
Once the attack simulation vectors have been obtained, the corresponding simulated attack operations can be executed in the network system by using them. Specifically, each attack simulation vector may be scheduled to a corresponding network node, and adaptive adjustment of the configuration parameters may also be performed on each attack simulation vector; this may be set according to the actual application scenario and is not specifically limited in this embodiment.
This step carries out simulated attacks on a plurality of nodes of the network system according to the threat intelligence of the network system combined with the attack simulation knowledge base, so as to test the defense capability of the network system against the simulated attacks. It can be understood that executing the simulated attack operations in the network system is a harmless security test of the network system and brings no actual damage to it.
It can be understood that performing the simulated attack operations with the attack simulation vectors in S103 is equivalent to constructing a simulated attack chain from all the attack simulation vectors and realizing the simulated attack on the network system with that chain. The attack chain is an abstraction of the attack scenario and can go through the following phases: (1) Reconnaissance phase, i.e., the detection or footprinting phase: collecting target information and finding weak points; (2) Weaponization phase: building an attack tool for the target system; (3) Delivery phase, i.e., the tool delivery phase: delivering the attack tool to the target system; (4) Exploitation phase: having the victim open malicious software on the target system, or launching a vulnerability attack against the target system, to obtain control of the target; (5) Installation phase: installing a remote control program on the target system; (6) Command & Control phase: after the host is successfully controlled, establishing a communication channel with a remote control server on the Internet; (7) Actions on Objectives phase: after the above phases, the attacker continues to steal information about the target system, destroys the integrity and availability of the information, and further uses the controlled machine as a pivot to attack other machines, expanding the scope of influence. This embodiment can determine the phase of the attack chain to which each attack simulation vector belongs by performing correlation analysis on all the attack simulation vectors, then generate the simulated attack chain and use it to determine the vulnerability information of the network system.
S104: determining vulnerability information of the network system according to the simulated attack result.
After the simulated attack operations are performed on the network system, result feedback information corresponding to each attack simulation vector can be obtained, and all the result feedback information is then combined into the attack simulation result. The attack simulation result can include the degree to which the simulated attack operations affected the network system, and the vulnerability information of the network system can be determined from it. Vulnerability here refers to the weak points of the network system: places that are easy to attack, have poor security defense capability and need targeted hardening.
In this embodiment, the corresponding attack simulation vectors in the attack simulation knowledge base are determined according to each sub-intelligence item of the obtained threat intelligence, and because the attack simulation knowledge base comprises simulation vectors corresponding to each attack step of the attack chain, the corresponding simulated attack result can be obtained by carrying out simulated attacks in the network system with the attack simulation vectors. By combining threat intelligence with an attack simulation knowledge base, this embodiment can determine the vulnerability information of the network system through simulated attacks and evaluate the security protection capability of the network system according to that vulnerability. Therefore, the embodiment can determine the vulnerability of the network system and analyze its security situation.
Referring to Fig. 2, Fig. 2 is a flowchart of a method for simulating an attack provided in an embodiment of the present application. This embodiment further describes S103 of the embodiment corresponding to Fig. 1, and a more preferred implementation may be obtained by combining the two embodiments. This embodiment may include the following steps:
S201: putting all the attack simulation vectors into a simulation vector pool, and executing a deduplication operation and a correlation analysis operation on the simulation vector pool to obtain target attack simulation vectors;
In this step, on the basis of matching the sub-intelligence items with the attack simulation vectors of the attack simulation knowledge base, each attack simulation vector matched to a sub-intelligence item is placed into the simulation vector pool until all the matched attack simulation vectors are in the pool. The simulation vector pool is a storage space for storing simulation vectors; it may be constructed in advance before this step or constructed while the attack simulation vectors are being matched, which is not limited here. It should be noted that the same attack simulation vector may correspond to several sub-intelligence items, so a deduplication operation must be performed on the simulation vector pool to remove duplicate attack simulation vectors. This step can also determine, through the correlation analysis operation, the phase of the attack chain to which each attack simulation vector in the pool belongs.
S202: executing the simulated attack operations in the target nodes of the network system by using the target attack simulation vectors.
Having removed the duplicate attack simulation vectors and determined the phase of each target attack simulation vector in the attack chain, this step executes the simulated attack operations in the target nodes of the network system by using the target attack simulation vectors. As a possible implementation, S202 may include the following steps: (1) adjusting the configuration parameters of each target attack simulation vector according to the parameter information of the target node of the network system; (2) executing, in the target node, the simulated attack operation corresponding to the target attack simulation vector whose configuration parameters have been adjusted. By adjusting the configuration parameters, this implementation can determine the location information, interface parameters and the like of the node on which the target attack simulation vector executes its attack access operation, so that the adjusted target attack simulation vector really acts on the specific node of the network system.
As a further supplement to the embodiment corresponding to Fig. 1, after the vulnerability information of the network system is determined according to the simulated attack result in S104, a corresponding security protection scheme may also be generated for the network system according to the vulnerability information. The security protection scheme can include information such as a security device deployment strategy and the severity of security detections, so that the security protection system of the network system can be adjusted according to the scheme, the protection of weak points strengthened, and the security of the network system improved. Of course, after the vulnerability information of the network system is determined according to the simulated attack result, the attack chain corresponding to the attack simulation vectors can also be determined from the simulated attack result, so that an attack tracing operation can be executed by using the attack chain.
Referring to Fig. 3, Fig. 3 is a flowchart of another vulnerability determination method of a network system provided in an embodiment of the present application. This embodiment combines the embodiments corresponding to Fig. 1 and Fig. 2 with the above supplements to obtain a more preferred implementation of the vulnerability determination method, which may include the following steps:
S301: obtaining threat intelligence of the network system and analyzing the threat intelligence to obtain a plurality of sub-intelligence items;
S302: determining, in an attack simulation knowledge base, an attack simulation vector corresponding to each sub-intelligence item;
S303: putting all the attack simulation vectors into a simulation vector pool, and executing a deduplication operation and a correlation analysis operation on the simulation vector pool to obtain target attack simulation vectors;
S304: adjusting the configuration parameters of each target attack simulation vector according to the parameter information of the target node of the network system;
Each target attack simulation vector can be configured through a configuration center. This process can be carried out automatically according to the asset information, and the scheduling of the target attack simulation vectors can also be adjusted manually through the web UI.
S305: executing, in the target node, the simulated attack operation corresponding to the target attack simulation vector whose configuration parameters have been adjusted, to obtain a simulated attack result;
The configured simulation vectors can be loaded through the scheduling center onto the assets or nodes of each layer of the network for execution. The network system feeds the execution state back to the scheduling center and the execution result back to the data center; the scheduling center judges whether execution has finished, and the data center gathers all the execution results to obtain the vulnerability information.
S306: determining vulnerability information of the network system according to the simulated attack result.
S307: determining an attack chain corresponding to the attack simulation vectors according to the simulated attack result, so as to execute an attack tracing operation by using the attack chain.
After all the attack simulation vectors have been executed, the attack simulation result can be displayed in the web UI; it can include a display of the whole attack chain, a display of the assets and a display of the vulnerabilities. When a real attack occurs, the vulnerability information obtained in this embodiment can also be used to trace the source of the attack.
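The pipeline of S301 to S307 (and the intelligence splitting of S101), as an added example that is not the patent's or Sangfor's code: a small Python model in which the attack simulation knowledge base, the simulation vectors, the threat intelligence and the network nodes are constructed placeholders, correlation analysis is modelled as ordering the pool along the Kill Chain, and "execution" is a harmless check of whether a node exposes what a vector needs and lacks any defence that would block it. The `requires`/`blocked_by` attributes, the stage names and all sample values are assumptions; the last function derives the security protection scheme the description mentions from the same results.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Kill Chain phase order; the correlation-analysis step (S303) sorts vectors by it.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]


@dataclass(frozen=True)
class SimVector:
    """One attack simulation vector of the knowledge base (hypothetical layout)."""
    vector_id: str
    stage: str                   # Kill Chain phase the vector belongs to
    requires: Tuple[str, ...]    # node attributes the harmless check looks for
    blocked_by: Tuple[str, ...]  # defences that neutralise the vector

# Constructed attack simulation knowledge base: (intel type, content) -> vectors.
KNOWLEDGE_BASE: Dict[Tuple[str, str], List[SimVector]] = {
    ("asset", "public_ip"): [SimVector("sim-recon-portscan", "reconnaissance",
                                       (), ("ids",))],
    ("fingerprint", "struts2"): [SimVector("sim-struts2-probe", "exploitation",
                                           ("struts2",), ("waf",))],
    ("malware", "c2_domain"): [SimVector("sim-c2-beacon", "command_and_control",
                                         (), ("dns_filter", "egress_proxy"))],
    ("traffic", "smb_flow"): [SimVector("sim-lateral-smb", "actions_on_objectives",
                                        ("smb",), ("segmentation",))],
}

# Constructed sample input: raw threat intelligence and two nodes of the network system.
SAMPLE_INTEL = {
    "asset": ["public_ip"],
    "fingerprint": ["struts2", "struts2"],  # duplicate intel -> one vector after S303
    "malware": ["c2_domain"],
    "traffic": ["smb_flow"],
    "vulnerability": ["unknown_item"],      # nothing in the knowledge base matches it
}
SAMPLE_NODES = [
    {"name": "web-01", "interface": "eth0", "attributes": {"struts2", "smb"},
     "defences": {"ids"}},
    {"name": "web-02", "interface": "eth0", "attributes": {"struts2"},
     "defences": {"ids", "waf", "dns_filter"}},
]


def parse_threat_intel(intel: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """S301: split raw threat intelligence into typed sub-intelligence items."""
    return [(kind, value) for kind, values in intel.items() for value in values]


def match_vectors(sub_intel: Tuple[str, str]) -> List[SimVector]:
    """S302: vectors for one sub-intelligence item; empty when the base has none."""
    return KNOWLEDGE_BASE.get(sub_intel, [])


def build_vector_pool(vectors: List[SimVector]) -> List[SimVector]:
    """S303: deduplicate the pool, then order it along the Kill Chain."""
    unique = {v.vector_id: v for v in vectors}  # same vector from several items -> once
    return sorted(unique.values(), key=lambda v: KILL_CHAIN.index(v.stage))


def configure(vector: SimVector, node: Dict) -> Dict:
    """S304: bind the vector's configuration parameters to one target node."""
    return {"vector": vector, "target": node["name"], "interface": node["interface"]}


def execute(cfg: Dict, node: Dict) -> Dict:
    """S305: harmless simulation; a vector 'succeeds' only if the node exposes what
    the vector needs and has none of the defences that would block it."""
    v = cfg["vector"]
    applicable = set(v.requires) <= node["attributes"]
    defended = bool(set(v.blocked_by) & node["defences"])
    return {"vector_id": v.vector_id, "stage": v.stage, "node": cfg["target"],
            "blocked_by": sorted(v.blocked_by),
            "applicable": applicable, "succeeded": applicable and not defended}


def run_simulation(intel: Dict[str, List[str]], nodes: List[Dict]) -> List[Dict]:
    """S301 to S305 end to end: result feedback for every (node, vector) pair."""
    vectors = [v for item in parse_threat_intel(intel) for v in match_vectors(item)]
    pool = build_vector_pool(vectors)
    return [execute(configure(v, node), node) for node in nodes for v in pool]


def vulnerability_info(results: List[Dict]) -> Dict[str, List[str]]:
    """S306: node -> ids of the vectors that got through (its weak points)."""
    info: Dict[str, List[str]] = {}
    for r in results:
        if r["succeeded"]:
            info.setdefault(r["node"], []).append(r["vector_id"])
    return info


def attack_chain(results: List[Dict]) -> List[str]:
    """S307: Kill Chain phases reached by successful vectors, in chain order."""
    reached = {r["stage"] for r in results if r["succeeded"]}
    return [s for s in KILL_CHAIN if s in reached]


def protection_scheme(results: List[Dict]) -> Dict[str, List[str]]:
    """Security protection scheme: node -> defences that would have blocked the
    vectors that succeeded against it, i.e. the hardening to deploy there."""
    scheme: Dict[str, set] = {}
    for r in results:
        if r["succeeded"]:
            scheme.setdefault(r["node"], set()).update(r["blocked_by"])
    return {node: sorted(defs) for node, defs in scheme.items()}
```

With the sample data, web-01 is the only node reported as vulnerable, its simulated attack chain runs from exploitation to actions on objectives, and the scheme lists the WAF, DNS filtering, egress proxy and segmentation that would have stopped the successful vectors.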
Referring to Fig. 4, Fig. 4 is a schematic structural diagram of a vulnerability determination system of a network system according to an embodiment of the present application.
The system may include:
an intelligence acquisition module 100, configured to acquire threat intelligence of the network system and analyze it to obtain a plurality of sub-intelligence items;
a vector determination module 200, configured to determine, in an attack simulation knowledge base, an attack simulation vector corresponding to each sub-intelligence item;
a simulated attack module 300, configured to execute simulated attack operations in the network system by using all the attack simulation vectors to obtain a simulated attack result;
and a vulnerability determination module 400, configured to determine vulnerability information of the network system according to the simulated attack result.
In this embodiment, the attack simulation vector corresponding to each piece of sub-intelligence in the obtained threat intelligence is determined in the attack simulation knowledge base; because the knowledge base contains simulation vectors corresponding to each attack step of an attack chain, executing these vectors in the network system yields the corresponding simulation attack result. By combining threat intelligence with the attack simulation knowledge base, the embodiment determines the vulnerability information of the network system through simulated attack, and the security protection capability of the network system can be evaluated according to that vulnerability information. The embodiment can therefore determine the vulnerability of the network system and analyze its security situation.
Further, the simulation attack module 300 includes:
a preprocessing unit, configured to put all the attack simulation vectors into a simulation vector pool and execute a deduplication operation and a correlation analysis operation on the simulation vector pool to obtain target attack simulation vectors;
and a simulation unit, configured to execute the simulation attack operation in the target node of the network system using the target attack simulation vectors.
Further, the simulation unit includes:
a parameter configuration subunit, configured to adjust the configuration parameters of each target attack simulation vector according to the parameter information of the target node of the network system;
and an execution subunit, configured to execute, in the target node, the simulation attack operation corresponding to the target attack simulation vector whose configuration parameters have been adjusted.
Further, the system also comprises:
an arrangement scheme generation module, configured to generate a corresponding security protection scheme for the network system according to the vulnerability information after the vulnerability information of the network system has been determined according to the simulation attack result.
Further, the threat intelligence includes any one or a combination of asset intelligence, traffic intelligence, vulnerability intelligence, and malware intelligence.
Further, the system also comprises:
a source tracing module, configured to determine an attack chain corresponding to the attack simulation vector according to the simulation attack result, so that an attack source tracing operation can be executed using the attack chain.
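As an added example of the module pipeline described above (not the patent's own code), the following Python models the flow from threat intelligence through the knowledge base, the vector pool (deduplication and stage ordering), per-node parameter configuration, execution and result aggregation, ending in vulnerability information and an attack chain. All knowledge-base entries, node parameters and intelligence values are constructed, and "executing" a vector is modelled only as checking whether the node has the protective control that step requires, so nothing is sent to any system.

```python
from itertools import takewhile

# Constructed knowledge base: each vector names its attack-chain stage and the
# protective control a node needs for that step to be blocked (labels are illustrative).
KNOWLEDGE_BASE = {
    "asset":   [{"id": "V1", "stage": 1, "technique": "exposed-service-probe", "needs": "fw_policy"}],
    "traffic": [{"id": "V2", "stage": 2, "technique": "c2-beacon-pattern", "needs": "egress_filter"}],
    "vuln":    [{"id": "V3", "stage": 2, "technique": "unpatched-service", "needs": "patched"}],
    "malware": [{"id": "V4", "stage": 3, "technique": "dropper-sample", "needs": "edr"}],
}

def parse_intel(intel):
    """Split one threat-intelligence record into (kind, clue) sub-intelligence items."""
    return [(kind, clue) for kind, clues in intel.items() for clue in clues]

def lookup_vectors(sub_intel):
    """Map each sub-intelligence item to the knowledge-base vectors that cover it."""
    return [dict(v, clue=clue) for kind, clue in sub_intel for v in KNOWLEDGE_BASE.get(kind, [])]

def build_pool(vectors):
    """Simulation vector pool: deduplicate by id, then order by attack-chain stage."""
    unique = {v["id"]: v for v in vectors}          # one target vector per id
    return sorted(unique.values(), key=lambda v: (v["stage"], v["id"]))

def configure(vector, node):
    """Adjust the vector's configuration parameters to the target node's parameter info."""
    return dict(vector, target=node["params"]["address"], port=node["params"].get("port"))

def simulate(vector, node):
    """Benign scoring model: the step is blocked iff the node has the control it needs."""
    blocked = vector["needs"] in node["controls"]
    return {"node": node["name"], "id": vector["id"], "stage": vector["stage"],
            "technique": vector["technique"], "blocked": blocked}

def run(intel, nodes):
    """Whole pipeline for one intelligence record: per-node, per-vector results."""
    pool = build_pool(lookup_vectors(parse_intel(intel)))
    return [simulate(configure(v, n), n) for n in nodes for v in pool]

def vulnerability_info(results):
    """Vulnerability information: techniques that were not blocked, grouped per node."""
    out = {}
    for r in (r for r in results if not r["blocked"]):
        out.setdefault(r["node"], []).append(r["technique"])
    return out

def attack_chain(results, node_name):
    """Stages reached in order; the chain stops at the first stage where every step was blocked."""
    mine = [r for r in results if r["node"] == node_name]
    reached = {r["stage"] for r in mine if not r["blocked"]}
    return list(takewhile(lambda s: s in reached, sorted({r["stage"] for r in mine})))

# Constructed sample input. A node is {"name", "params", "controls"}; addresses come
# from private/documentation ranges and the malware clue is a placeholder, not a real hash.
SAMPLE_INTEL = {"asset": ["10.0.0.5:445", "10.0.0.6:22"], "traffic": ["beacon-to-198.51.100.7"],
                "vuln": ["service-x-unpatched"], "malware": ["sample-hash-placeholder"]}
SAMPLE_NODES = [{"name": "A", "params": {"address": "10.0.0.5", "port": 445}, "controls": {"fw_policy", "edr"}},
                {"name": "B", "params": {"address": "10.0.0.6"}, "controls": {"patched"}}]
```

Running `run(SAMPLE_INTEL, SAMPLE_NODES)` yields eight results; node A has its perimeter step blocked so its chain is empty, while node B reaches stages 1 to 3 because only the patch control stops one of its stage-2 steps.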
Since the embodiment of the system part corresponds to the embodiment of the method part, the embodiment of the system part is described with reference to the embodiment of the method part, and is not repeated here.
The present application also provides a computer readable storage medium having stored thereon a computer program which, when executed, may implement the steps provided by the above-described embodiments. The storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The application further provides an electronic device, which may include a memory and a processor, where the memory stores a computer program, and the processor may implement the steps provided by the foregoing embodiments when calling the computer program in the memory. Of course, the electronic device may also include various network interfaces, power supplies, and the like.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (14)

1. A vulnerability determination method of a network system, comprising:
obtaining threat intelligence of a network system and analyzing the threat intelligence to obtain a plurality of pieces of sub-intelligence; wherein the threat intelligence includes clues needed to recover an attack that has occurred and to predict an attack that has not occurred;
determining an attack simulation vector corresponding to each piece of sub-intelligence in an attack simulation knowledge base;
executing simulation attack operation in the network system by using all the attack simulation vectors to obtain a simulation attack result;
and determining the vulnerability information of the network system according to the simulation attack result.
2. The vulnerability determination method of claim 1, wherein performing simulated attack operations in the network system using all the attack simulation vectors comprises:
putting all the attack simulation vectors into a simulation vector pool, and executing deduplication operation and correlation analysis operation on the simulation vector pool to obtain target attack simulation vectors;
and executing simulation attack operation in the target node of the network system by using the target attack simulation vector.
3. The vulnerability determination method of claim 2, wherein performing a simulated attack operation in a target node of the network system using the target attack simulation vector comprises:
adjusting the configuration parameters of each target attack simulation vector according to the parameter information of the target node of the network system;
and executing simulation attack operation corresponding to the target attack simulation vector after the configuration parameters are adjusted in the target node.
4. The vulnerability determination method according to claim 1, after determining vulnerability information of the network system according to the simulation attack result, further comprising:
and generating a corresponding safety protection scheme for the network system according to the vulnerability information.
5. The vulnerability determination method of claim 1, wherein the threat intelligence comprises any one or a combination of asset intelligence, traffic intelligence, vulnerability intelligence and malware intelligence.
6. The vulnerability determination method according to any of claims 1 to 5, characterized by further comprising:
and determining an attack chain corresponding to the attack simulation vector according to the simulation attack result so as to execute attack tracing operation by using the attack chain.
7. A vulnerability determination system of a network system, comprising:
the information acquisition module is used for acquiring threat intelligence of a network system and analyzing the threat intelligence to obtain a plurality of pieces of sub-intelligence; wherein the threat intelligence includes clues needed to recover an attack that has occurred and to predict an attack that has not occurred;
the vector determination module is used for determining an attack simulation vector corresponding to each piece of sub-intelligence in an attack simulation knowledge base;
the simulation attack module is used for executing simulation attack operation in the network system by utilizing all the attack simulation vectors to obtain a simulation attack result;
and the vulnerability determining module is used for determining vulnerability information of the network system according to the simulation attack result.
8. The vulnerability determination system of claim 7, wherein the simulated attack module comprises:
the preprocessing unit is used for putting all the attack simulation vectors into a simulation vector pool, and executing duplication removal operation and correlation analysis operation on the simulation vector pool to obtain target attack simulation vectors;
and the simulation unit is used for executing simulation attack operation in the target node of the network system by utilizing the target attack simulation vector.
9. The vulnerability determination system of claim 8, wherein the simulation unit comprises:
the parameter configuration subunit is configured to adjust a configuration parameter of each target attack simulation vector according to parameter information of a target node of the network system;
and the execution subunit is used for executing the simulation attack operation corresponding to the target attack simulation vector after the configuration parameters are adjusted in the target node.
10. The vulnerability determination system of claim 7, further comprising:
and the arrangement scheme generation module is used for generating a corresponding safety protection scheme for the network system according to the vulnerability information after the vulnerability information of the network system is determined according to the simulation attack result.
11. The vulnerability determination system of claim 7, wherein the threat intelligence comprises any one or combination of asset intelligence, traffic intelligence, vulnerability intelligence and malware intelligence.
12. The vulnerability determination system of any of claims 7 to 11, further comprising:
and the source tracing module is used for determining an attack chain corresponding to the attack simulation vector according to the simulation attack result so as to execute attack source tracing operation by using the attack chain.
13. A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, carries out the steps of the vulnerability determination method of the network system according to any one of claims 1 to 6.
14. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the vulnerability determination method of the network system according to any of claims 1 to 6 when executing said computer program.
CN201910239330.9A 2019-03-27 2019-03-27 Vulnerability determination method and system of network system and related components Active CN109842632B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910239330.9A CN109842632B (en) 2019-03-27 2019-03-27 Vulnerability determination method and system of network system and related components

Publications (2)

Publication Number Publication Date
CN109842632A CN109842632A (en) 2019-06-04
CN109842632B true CN109842632B (en) 2021-11-19

Family

ID=66886356


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant