CN114157480A - Method, device, equipment and storage medium for determining network attack scheme - Google Patents


Info

Publication number: CN114157480A
Application number: CN202111455071.7A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN114157480B (en)
Inventors: 赵正罡, 沈传宝, 杨星, 王闰婷, 白兴伟
Current and original assignee: Beijing Huayuan Information Technology Co Ltd
Legal status: granted; active

Classifications

    • H04L63/205: network security architectures or protocols for managing network security, involving negotiation or determination of the network security mechanisms to be used
    • G06F16/367: information retrieval from unstructured textual data; creation of semantic tools; ontology
    • H04L63/1441: network security architectures or protocols for detecting or protecting against malicious traffic; countermeasures against malicious traffic


Abstract

The embodiment of the disclosure provides a method, a device, equipment and a storage medium for determining a network attack scheme. The method comprises the following steps: acquiring resource information of an attack source host and host information of an attack target host; determining a target network attack scheme from a network attack knowledge graph according to the resource information of the attack source host and the host information of the attack target host. The network attack knowledge graph is constructed from network attack triples, each triple comprising the resource information of the attack source host corresponding to a network attack scheme, the network attack scheme itself, and the host information of the attack target host corresponding to that network attack scheme. In this way, a target network attack scheme suited to both the attacking host and the attacked host can be determined automatically and quickly from the network attack knowledge graph, improving the efficiency with which a network attack scheme is determined.

Description

Method, device, equipment and storage medium for determining network attack scheme
Technical Field
The present disclosure relates to the field of network security, and in particular, to a method, an apparatus, a device, and a storage medium for determining a network attack scheme.
Background
In recent years, network attack events have been frequent, and trojan, worm and ransomware attacks on the internet emerge constantly, posing a serious threat to network security. It is therefore necessary to perform attack and defense tests on a network to test its protection capability. However, in current network attack and defense tests, a fixed attack scheme is drawn up mainly on the basis of the personal ability and experience of the attacker, and the efficiency is low.
Disclosure of Invention
The present disclosure provides a method, an apparatus, a device, and a storage medium for determining a network attack scheme, which can improve the determination efficiency of the network attack scheme.
In a first aspect, an embodiment of the present disclosure provides a method for determining a network attack scheme, where the method includes:
acquiring resource information of an attack source host and host information of an attack target host;
determining a target network attack scheme from a network attack knowledge graph according to the resource information of the attack source host and the host information of the attack target host; the network attack knowledge graph is constructed according to a network attack triple, and the network attack triple comprises the resource information of an attack source host corresponding to the network attack scheme, the network attack scheme and the host information of an attack target host corresponding to the network attack scheme.
In some implementations of the first aspect, the obtaining resource information of the attack source host and host information of the attack destination host includes:
executing the query instruction corresponding to the resource information to acquire the resource information of the attack source host;
and carrying out host scanning on the attack target host to obtain host information of the attack target host.
In some implementations of the first aspect, the establishing of the network attack knowledge graph includes:
acquiring network attack behavior data;
carrying out knowledge extraction on the network attack behavior data to obtain network attack triples;
and carrying out knowledge fusion and knowledge processing on the network attack triples to obtain the network attack knowledge graph.
In some implementations of the first aspect, determining the target network attack scenario from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack destination host includes:
determining one or more candidate network attack schemes matched with the resource information and the host information from a network attack knowledge graph according to the resource information of the attack source host and the host information of the attack target host;
calculating an attack coefficient of each candidate network attack scheme;
and determining the candidate network attack scheme with the attack coefficient meeting the preset attack condition as a target network attack scheme.
In some implementations of the first aspect, calculating the attack coefficient for each candidate cyber-attack scenario includes:
determining attack indexes which are met by each candidate network attack scheme from a plurality of preset attack indexes;
and calculating the sum of the weights of each candidate network attack scheme according to the weight corresponding to the attack index which is in accordance with each candidate network attack scheme, and taking the sum of the weights of each candidate network attack scheme as an attack coefficient of each candidate network attack scheme.
In some implementation manners of the first aspect, determining a candidate network attack scenario in which an attack coefficient satisfies a preset attack condition as a target network attack scenario includes:
determining a candidate network attack scheme with an attack coefficient larger than or equal to a preset threshold value as a target network attack scheme; or,
and sequencing the candidate network attack schemes according to the sequence of the attack coefficients from large to small, and determining that the first N candidate network attack schemes are target network attack schemes, wherein N is a positive integer greater than or equal to 1.
In some implementations of the first aspect, the method further comprises:
and outputting prompt information of the target network attack scheme, and prompting a user to execute corresponding attack operation.
In a second aspect, an embodiment of the present disclosure provides a device for determining a network attack scheme, where the device includes:
the acquisition module is used for acquiring the resource information of the attack source host and the host information of the attack target host;
the determining module is used for determining a target network attack scheme from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack target host; the network attack knowledge graph is constructed according to a network attack triple, and the network attack triple comprises the resource information of an attack source host corresponding to the network attack scheme, the network attack scheme and the host information of an attack target host corresponding to the network attack scheme.
In a third aspect, an embodiment of the present disclosure provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method as described above.
In a fourth aspect, the disclosed embodiments provide a non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method as described above.
In a fifth aspect, the disclosed embodiments provide a computer program product comprising a computer program that, when executed by a processor, implements a method as described above.
Using the network attack knowledge graph, a target network attack scheme suited to both the attacking host and the attacked host can be determined automatically and quickly from the resource information of the attack source host and the host information of the attack target host. This improves the efficiency with which a network attack scheme is determined and makes the subsequent network attack and defense test easier to carry out.
It should be understood that the statements herein reciting aspects are not intended to limit the critical or essential features of the embodiments of the present disclosure, nor are they intended to limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. The accompanying drawings are included to provide a further understanding of the present disclosure, and are not intended to limit the disclosure thereto, and the same or similar reference numerals will be used to indicate the same or similar elements, where:
FIG. 1 illustrates a schematic diagram of an exemplary operating environment in which embodiments of the present disclosure can be implemented;
fig. 2 is a flowchart illustrating a method for determining a network attack scenario according to an embodiment of the present disclosure;
fig. 3 is a flowchart illustrating a method for determining another network attack scenario provided by an embodiment of the present disclosure;
fig. 4 is a block diagram illustrating a determining apparatus of a network attack scheme according to an embodiment of the present disclosure;
FIG. 5 sets forth a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
In addition, the term "and/or" herein is only one kind of association relationship describing an associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
In view of the problems in the background art, embodiments of the present disclosure provide a method, an apparatus, a device, and a storage medium for determining a network attack scheme. Specifically, a target network attack scheme suited to both the attacking host and the attacked host is determined automatically and quickly from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack target host, so that the efficiency of determining a network attack scheme is improved and the subsequent network attack and defense test is conveniently carried out.
The following describes a method, an apparatus, a device, and a storage medium for determining a network attack scenario provided by the embodiments of the present disclosure in detail through specific embodiments with reference to the accompanying drawings.
Fig. 1 shows a schematic diagram of an exemplary operating environment 100 in which embodiments of the present disclosure can be implemented, and as shown in fig. 1, the operating environment 100 may include an electronic device 110, an attack source host 120, and an attack destination host 130, and the electronic device 110 may be communicatively connected to the attack source host 120 and the attack destination host 130 through a wired network or a wireless network.
The electronic device 110 may be a mobile electronic device or a non-mobile electronic device. For example, the mobile electronic device may be a tablet computer, a notebook computer, a palmtop computer, an Ultra-Mobile Personal Computer (UMPC), or the like, and the non-mobile electronic device may be a Personal Computer (PC), a server, or the like. Attack source host 120 is the host that initiates the attack and attack destination host 130 is the host that is attacked. Optionally, the electronic device 110 may also serve as the attack source host 120, which is not limited herein.
As an example, the electronic device 110 may obtain resource information of the attack source host 120 and host information of the attack destination host 130, may use the resource information as an attribute of a resource entity to characterize the resource entity, and may use the host information as an attribute of a host entity to characterize the host entity.
A target network attack scheme suited to both the attacking host and the attacked host is then determined automatically and quickly from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack target host, thereby improving the efficiency of determining a network attack scheme. The network attack knowledge graph is a knowledge graph, that is, a knowledge base, constructed from network attack triples; each network attack triple comprises the resource information of the attack source host corresponding to a network attack scheme, the network attack scheme itself, and the host information of the attack target host corresponding to that network attack scheme. In the network attack knowledge graph, resource information is used as the attributes characterizing resource entities, the network attack scheme is used as the attributes characterizing the attack behavior, that is, the relationship, and host information is used as the attributes characterizing host entities.
The following describes in detail a determination method of a network attack scenario provided by an embodiment of the present disclosure, where an execution subject of the determination method may be the electronic device 110 shown in fig. 1.
Fig. 2 shows a flowchart of a method 200 for determining a network attack scenario provided by an embodiment of the present disclosure, and as shown in fig. 2, the method 200 may include the following steps:
s210, acquiring the resource information of the attack source host and the host information of the attack destination host.
Specifically, the query instruction corresponding to the resource information can be executed, and the resource information of the attack source host can be quickly acquired. The resource information may include an attack utilization tool, a user login credential, and the like, and may be used as an attribute of the resource entity to characterize the resource entity.
The host scanning can be carried out on the attack target host, and the host information of the attack target host can be quickly acquired. The host information may include operating system information, port service information, permission level information, application information, and the like, and may be used as an attribute of the host entity to characterize the host entity.
It should be noted that the attributes of the host entity are all obtained in the current attack activity, and most of the attributes of the resource entity are accumulated by the attacker and a small part of the attributes are generated in the current attack activity.
S220, determining a target network attack scheme from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack target host.
The network attack knowledge graph is constructed according to a network attack triple, and the network attack triple comprises the resource information of an attack source host corresponding to the network attack scheme, the network attack scheme and the host information of an attack target host corresponding to the network attack scheme. In the network attack knowledge graph, resource information is used as attributes for representing resource entities, a network attack scheme is used as attributes for representing attack behaviors, namely relationships, and host information is used as attributes for representing host entities. That is, the resource information and the host information are associated based on a network attack scheme.
Therefore, the target network attack scheme matched with the resource information of the current attack source host and the host information of the current attack destination host can be determined from the network attack knowledge graph.
In some embodiments, one or more candidate network attack scenarios that match the resource information and the host information may be determined from the network attack knowledge graph based on the resource information of the attack source host and the host information of the attack destination host.
Attack coefficients for each candidate network attack scenario are then calculated. Specifically, the attack index that each candidate network attack scheme conforms to may be determined from a plurality of preset attack indexes, the sum of the weights of each candidate network attack scheme is calculated according to the weight corresponding to the attack index that each candidate network attack scheme conforms to, and the sum of the weights of each candidate network attack scheme is used as the attack coefficient of each candidate network attack scheme. In this way, the attack coefficient of each candidate network attack scheme can be quickly calculated by combining the attack indexes.
Optionally, the sum of the weights of each candidate network attack scenario may be calculated by a preset summation formula, where the preset summation formula may be as follows:
$$S = \sum_{i=1}^{n} k_i x_i$$
where S represents the sum of the weights of the candidate network attack scheme, n represents the number of evaluation indexes, $k_i$ represents the weight of the i-th evaluation index, and $x_i$ represents the boolean value of the candidate network attack scheme with respect to the i-th evaluation index: if the candidate network attack scheme satisfies the i-th evaluation index, the boolean value for that index is 1, and if it does not satisfy the i-th evaluation index, the boolean value is 0.
Optionally, the weights of the evaluation indexes may be set according to the actual attack principles, for example: privilege persistence takes precedence over other operations; a cross-network-segment attack takes precedence over an attack within a network segment; obtaining privileges on other hosts from legitimate user credentials takes precedence over exploitation attacks; and passive information collection on the hosts takes precedence over active network scanning. No limitation is made herein.
Assuming that attack indexes 1 to 4 are set as follows:
attack index 1: whether a privilege persistence operation is performed in the network;
attack index 2: whether the attack crosses network segments;
attack index 3: whether an intrusion detection alarm is triggered;
attack index 4: whether the attack process will complete without failing.
The weights of the evaluation indexes are then set according to the attack principles, taking the influence of the network environment into account: the weight of attack index 1 is 0.4, the weight of attack index 2 is 0.3, the weight of attack index 3 is 0.2, and the weight of attack index 4 is 0.1.
The candidate network attack scheme whose attack coefficient meets the preset attack condition is then determined as the target network attack scheme. Specifically, a candidate network attack scheme with an attack coefficient greater than or equal to the preset threshold may be determined as the target network attack scheme. Alternatively, the candidate network attack schemes may be sorted by attack coefficient from largest to smallest, and the first N candidate network attack schemes determined as the target network attack schemes, where N is a positive integer greater than or equal to 1. In this way, the network attack scheme with the most prominent attack effect can be selected from the candidate network attack schemes on the basis of the attack coefficient.
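The matching, weighted-sum scoring and threshold or top-N selection of step S220, written out as an added Python example that is not code from the patent. The weights 0.4/0.3/0.2/0.1 are the ones given above; the scheme names, entity attributes, and which indexes each scheme satisfies are constructed placeholders for a test-range scenario.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Triple:
    """One network attack triple: resource attributes -> scheme -> host attributes."""
    resources: frozenset  # attributes of the resource entity (attack source host)
    scheme: str           # the attack behaviour, i.e. the relationship
    hosts: frozenset      # attributes of the host entity (attack target host)


# Attack indexes 1-4 with the weights from the text; the index labels are ours.
INDEX_WEIGHTS = {
    "persistence_in_network": 0.4,  # index 1: privilege persistence performed
    "cross_segment": 0.3,           # index 2: attack crosses network segments
    "ids_alarm_triggered": 0.2,     # index 3: intrusion detection alarm triggered
    "will_not_fail": 0.1,           # index 4: attack process completes without failing
}


def build_graph(triples):
    """Knowledge fusion reduced to its simplest form: drop duplicate triples, keep order."""
    return list(dict.fromkeys(triples))


def match_candidates(graph, source_resources, target_hosts):
    """A scheme is a candidate when the source holds every resource attribute its
    triple requires and the target shows every host attribute its triple requires."""
    src, dst = frozenset(source_resources), frozenset(target_hosts)
    return [t.scheme for t in graph if t.resources <= src and t.hosts <= dst]


def attack_coefficient(satisfied, weights=INDEX_WEIGHTS):
    """S = sum_i k_i * x_i, with x_i = 1 when the scheme satisfies index i, else 0."""
    return round(sum(k for name, k in weights.items() if name in satisfied), 6)


def rank_candidates(candidates, scheme_indexes):
    """(scheme, S) pairs sorted from the largest to the smallest attack coefficient."""
    scored = [(s, attack_coefficient(scheme_indexes.get(s, ()))) for s in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def select_by_threshold(ranked, threshold):
    """Preset condition, variant 1: every scheme whose S is >= the threshold."""
    return [s for s, coef in ranked if coef >= threshold]


def select_top_n(ranked, n):
    """Preset condition, variant 2: the first N schemes of the descending ranking."""
    if n < 1:
        raise ValueError("N must be a positive integer >= 1")
    return [s for s, _ in ranked[:n]]


# Constructed sample knowledge graph (placeholder scheme names, not patent data).
SAMPLE_GRAPH = build_graph([
    Triple(frozenset({"tool:A"}), "scheme_1", frozenset({"os:linux", "svc:22"})),
    Triple(frozenset({"cred:user"}), "scheme_2", frozenset({"os:linux"})),
    Triple(frozenset({"tool:A", "cred:user"}), "scheme_3", frozenset({"os:linux", "svc:22"})),
    Triple(frozenset({"tool:B"}), "scheme_4", frozenset({"os:windows"})),  # never matches below
    Triple(frozenset({"tool:A"}), "scheme_1", frozenset({"os:linux", "svc:22"})),  # duplicate, fused
])

# Which preset indexes each scheme satisfies (constructed).
SAMPLE_INDEXES = {
    "scheme_1": {"persistence_in_network", "ids_alarm_triggered"},             # S = 0.6
    "scheme_2": {"cross_segment"},                                             # S = 0.3
    "scheme_3": {"persistence_in_network", "cross_segment", "will_not_fail"},  # S = 0.8
}

# S210 inputs: source resource information and target host information (constructed).
SOURCE_RESOURCES = {"tool:A", "cred:user"}
TARGET_HOST_INFO = {"os:linux", "svc:22", "priv:user"}


def determine_target_schemes(threshold=0.5, top_n=None):
    """Full S220: match candidates, rank by S, then apply the preset condition.
    Returns (ranked pairs, selected scheme names)."""
    candidates = match_candidates(SAMPLE_GRAPH, SOURCE_RESOURCES, TARGET_HOST_INFO)
    ranked = rank_candidates(candidates, SAMPLE_INDEXES)
    chosen = select_top_n(ranked, top_n) if top_n else select_by_threshold(ranked, threshold)
    return ranked, chosen


if __name__ == "__main__":
    ranked, chosen = determine_target_schemes()
    for scheme, coef in ranked:
        print(f"{scheme}: S = {coef}")
    print("target schemes (S >= 0.5):", chosen)
```

With the constructed data the ranking reproduces the ordering of the fig. 3 walkthrough (scheme 3, then 1, then 2), and scheme_4 is excluded because its triple needs attributes the source and target do not have.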
In some embodiments, the network attack knowledge graph establishment process may include:
and acquiring the network attack behavior data, such as acquiring the network attack behavior data from a network security forum, an encyclopedia, news information or a conversation. And extracting knowledge of the network attack behavior data to obtain a network attack triple, and then carrying out knowledge fusion and knowledge processing on the network attack triple to obtain a network attack knowledge map. Therefore, a knowledge base for assisting the user in performing the network attack and defense test can be quickly constructed based on a large amount of network attack behavior data.
According to the embodiment of the disclosure, the target network attack scheme suitable for attacking both parties can be automatically and rapidly determined from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack target host, so that the determination efficiency of the network attack scheme is improved, and the subsequent network attack and defense test is conveniently carried out.
In some embodiments, a prompt message of the target network attack scheme may be output to prompt the user to execute the corresponding attack operation, so that the user can execute the network attack and defense test conveniently.
The following may describe the determining method 200 provided in the embodiment of the present disclosure in detail with reference to fig. 3, which is as follows:
As shown in fig. 3, the attack utilization tool, the user login credential, and the like of the attack source host, and the operating system information, the port service information, the authority level information, and the like of the attack destination host may be obtained; the operating system information, the port service information, and the authority level information are used as the attributes of the host entity, and the attack utilization tool, the user login credential, and the like are used as the attributes of the resource entity.
And then inputting the attributes of the resource entities and the attributes of the host entity into a network attack knowledge graph, and determining candidate network attack schemes from the network attack knowledge graph, wherein the candidate network attack schemes comprise an attack scheme 1, an attack scheme 2 and an attack scheme 3. And then, calculating attack coefficients of an attack scheme 1, an attack scheme 2 and an attack scheme 3, wherein the attack coefficient of the attack scheme 3 is larger than that of the attack scheme 1, the attack coefficient of the attack scheme 1 is larger than that of the attack scheme 2, and the attack scheme 3, the attack scheme 1 and the attack scheme 2 are output according to the descending order of the attack coefficients. And then the determination of the network attack scheme is completed.
It is noted that while for simplicity of explanation, the foregoing method embodiments have been described as a series of acts or combination of acts, it will be appreciated by those skilled in the art that the present disclosure is not limited by the order of acts, as some steps may, in accordance with the present disclosure, occur in other orders and concurrently. Further, those skilled in the art should also appreciate that the embodiments described in the specification are exemplary embodiments and that acts and modules referred to are not necessarily required by the disclosure.
The above is a description of embodiments of the method, and the embodiments of the apparatus are further described below.
Fig. 4 is a block diagram illustrating a determining apparatus 400 of a network attack scenario provided according to an embodiment of the present disclosure, and as shown in fig. 4, the determining apparatus 400 may include:
the obtaining module 410 is configured to obtain resource information of the attack source host and host information of the attack destination host.
And the determining module 420 is configured to determine the target network attack scheme from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack destination host. The network attack knowledge graph is constructed according to a network attack triple, and the network attack triple comprises the resource information of an attack source host corresponding to the network attack scheme, the network attack scheme and the host information of an attack target host corresponding to the network attack scheme.
In some embodiments, the obtaining module 410 is specifically configured to:
and executing the query instruction corresponding to the resource information to acquire the resource information of the attack source host.
And carrying out host scanning on the attack target host to obtain host information of the attack target host.
In some embodiments, the network attack knowledge graph establishing process comprises:
acquiring network attack behavior data;
carrying out knowledge extraction on the network attack behavior data to obtain network attack triples;
and carrying out knowledge fusion and knowledge processing on the network attack triples to obtain the network attack knowledge graph.
In some embodiments, the determining module 420 is specifically configured to:
and determining one or more candidate network attack schemes matched with the resource information and the host information from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack target host.
And calculating the attack coefficient of each candidate network attack scheme.
And determining the candidate network attack scheme with the attack coefficient meeting the preset attack condition as a target network attack scheme.
In some embodiments, the determining module 420 is specifically configured to:
and determining the attack indexes which are met by each candidate network attack scheme from a plurality of preset attack indexes.
And calculating the sum of the weights of each candidate network attack scheme according to the weight corresponding to the attack index which is in accordance with each candidate network attack scheme, and taking the sum of the weights of each candidate network attack scheme as an attack coefficient of each candidate network attack scheme.
In some embodiments, the determining module 420 is specifically configured to:
determining a candidate network attack scheme with an attack coefficient larger than or equal to a preset threshold value as a target network attack scheme; or,
and sequencing the candidate network attack schemes according to the sequence of the attack coefficients from large to small, and determining that the first N candidate network attack schemes are target network attack schemes, wherein N is a positive integer greater than or equal to 1.
In some embodiments, the determining means 400 further comprises:
and the output module is used for outputting prompt information of the target network attack scheme and prompting a user to execute corresponding attack operation.
It can be understood that each module/unit in the determining apparatus 400 shown in fig. 4 has a function of implementing each step in the determining method 200 provided by the embodiment of the present disclosure, and can achieve the corresponding technical effect, and for brevity, no further description is provided herein.
FIG. 5 illustrates a block diagram of an electronic device 500 that may be used to implement embodiments of the present disclosure. The electronic device 500 is intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device 500 may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 5, the electronic device 500 may include a computing unit 501 that may perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM)502 or a computer program loaded from a storage unit 508 into a Random Access Memory (RAM) 503. In the RAM503, various programs and data required for the operation of the electronic apparatus 500 can also be stored. The calculation unit 501, the ROM502, and the RAM503 are connected to each other by a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
A number of components in the electronic device 500 are connected to the I/O interface 505, including: an input unit 506 such as a keyboard, a mouse, or the like; an output unit 507 such as various types of displays, speakers, and the like; a storage unit 508, such as a magnetic disk, optical disk, or the like; and a communication unit 509 such as a network card, modem, wireless communication transceiver, etc. The communication unit 509 allows the electronic device 500 to exchange information/data with other devices through a computer network such as the internet and/or various telecommunication networks.
The computing unit 501 may be a variety of general-purpose and/or special-purpose processing components having processing and computing capabilities. Some examples of the computing unit 501 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The computing unit 501 performs the various methods and processes described above, such as the method 200. For example, in some embodiments, the method 200 may be implemented as a computer program product, including a computer program, tangibly embodied in a computer-readable medium, such as the storage unit 508. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 500 via the ROM502 and/or the communication unit 509. When the computer program is loaded into RAM503 and executed by the computing unit 501, one or more steps of the method 200 described above may be performed. Alternatively, in other embodiments, the computing unit 501 may be configured to perform the method 200 by any other suitable means (e.g., by means of firmware).
The various embodiments described herein above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may be implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a computer-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a computer-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It should be noted that the present disclosure also provides a non-transitory computer readable storage medium storing computer instructions, where the computer instructions are used to enable a computer to execute the method 200 and achieve the corresponding technical effects achieved by the method according to the embodiments of the present disclosure, and for brevity, the detailed description is omitted here.
Additionally, the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the method 200.
To provide for interaction with a user, the above-described embodiments may be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The embodiments described above may be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user may interact with an implementation of the systems and techniques described herein), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server combined with a blockchain.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel, sequentially, or in different orders, as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved, and the present disclosure is not limited herein.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the scope of protection of the present disclosure.

Claims (10)

1. A method for determining a network attack scenario, the method comprising:
acquiring resource information of an attack source host and host information of an attack target host;
determining a target network attack scheme from a network attack knowledge graph according to the resource information of the attack source host and the host information of the attack target host; the network attack knowledge graph is constructed according to a network attack triple, and the network attack triple comprises the resource information of an attack source host corresponding to a network attack scheme, the network attack scheme and the host information of an attack target host corresponding to the network attack scheme.
2. The method of claim 1, wherein the obtaining resource information of the attack source host and host information of the attack destination host comprises:
executing the query instruction corresponding to the resource information to acquire the resource information of the attack source host;
and carrying out host scanning on the attack target host to obtain host information of the attack target host.
3. The method of claim 1, wherein the network attack knowledge graph building process comprises:
acquiring network attack behavior data;
carrying out knowledge extraction on the network attack behavior data to obtain the network attack triple;
and carrying out knowledge fusion and knowledge processing on the network attack triples to obtain the network attack knowledge graph.
4. The method according to claim 1, wherein the determining a target cyber attack scheme from the cyber attack knowledge graph according to the resource information of the attack source host and the host information of the attack destination host comprises:
determining one or more candidate network attack schemes matched with the resource information and the host information from the network attack knowledge graph according to the resource information of the attack source host and the host information of the attack target host;
calculating an attack coefficient of each candidate network attack scheme;
and determining the candidate network attack scheme with the attack coefficient meeting the preset attack condition as the target network attack scheme.
5. The method of claim 4, wherein the calculating the attack coefficient for each candidate cyber-attack scenario comprises:
determining attack indexes which are met by each candidate network attack scheme from a plurality of preset attack indexes;
and calculating the sum of the weights of each candidate network attack scheme according to the weight corresponding to the attack index which is in accordance with each candidate network attack scheme, and taking the sum of the weights of each candidate network attack scheme as an attack coefficient of each candidate network attack scheme.
6. The method according to claim 4, wherein the determining that the candidate network attack scheme with the attack coefficient satisfying the preset attack condition is the target network attack scheme comprises:
determining a candidate network attack scheme with an attack coefficient greater than or equal to a preset threshold value as the target network attack scheme; alternatively,
and sorting the candidate network attack schemes in descending order of attack coefficient, and determining the first N candidate network attack schemes as the target network attack schemes, wherein N is a positive integer greater than or equal to 1.
7. The method according to any one of claims 1-6, further comprising:
and outputting prompt information of the target network attack scheme to prompt a user to execute corresponding attack operation.
8. An apparatus for determining a network attack scenario, the apparatus comprising:
the acquisition module is used for acquiring the resource information of the attack source host and the host information of the attack target host;
the determining module is used for determining a target network attack scheme from a network attack knowledge graph according to the resource information of the attack source host and the host information of the attack target host; the network attack knowledge graph is constructed according to a network attack triple, and the network attack triple comprises the resource information of an attack source host corresponding to a network attack scheme, the network attack scheme and the host information of an attack target host corresponding to the network attack scheme.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-7.
10. A non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of any one of claims 1-7.
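An added illustration of the selection logic in claims 4 to 6 (and the matching description of the determining module 420): it is not the patent's own code, and every triple, attack index and weight in it is a constructed placeholder, since this section does not name the preset indexes. A defender can run the same scoring over an asset's own host information to see which schemes in the graph would rank highest against it, and so which exposures to close first.

```python
from dataclasses import dataclass

# Constructed knowledge graph: every triple, index and weight below is a
# placeholder invented for this illustration, not taken from the patent.

@dataclass(frozen=True)
class Triple:
    """One network attack triple: (resource information required on the attack
    source host, abstract scheme label, host information the attack target
    host must match)."""
    required_resources: frozenset
    scheme: str
    target_host: dict

KNOWLEDGE_GRAPH = [
    Triple(frozenset({"tool_x"}), "scheme_A", {"os": "linux", "service": "ssh"}),
    Triple(frozenset({"tool_x", "tool_y"}), "scheme_B", {"os": "linux", "service": "http"}),
    Triple(frozenset({"tool_z"}), "scheme_C", {"os": "windows", "service": "smb"}),
    Triple(frozenset(), "scheme_D", {"os": "linux"}),
]

# Hypothetical attack indexes (claim 5): each is a predicate over a candidate
# triple plus an integer weight. Integer weights keep the sum exact.
ATTACK_INDEXES = {
    "needs_no_extra_resource": (lambda t: not t.required_resources, 2),
    "constrains_a_service": (lambda t: "service" in t.target_host, 5),
    "needs_at_most_one_resource": (lambda t: len(t.required_resources) <= 1, 3),
}

def match_candidates(graph, source_resources, target_host):
    """Claim 4, first step: a triple is a candidate when the source host holds
    every resource it requires and the target host shows every host attribute
    the triple specifies."""
    return [
        t for t in graph
        if t.required_resources <= source_resources
        and all(target_host.get(k) == v for k, v in t.target_host.items())
    ]

def attack_coefficient(triple, indexes=ATTACK_INDEXES):
    """Claim 5: the coefficient is the sum of the weights of the indexes met."""
    return sum(weight for pred, weight in indexes.values() if pred(triple))

def select_by_threshold(scored, threshold):
    """Claim 6, first alternative: coefficient >= preset threshold."""
    return [scheme for scheme, coeff in scored if coeff >= threshold]

def select_top_n(scored, n):
    """Claim 6, second alternative: first N after sorting, N >= 1."""
    if n < 1:
        raise ValueError("N must be a positive integer")
    ranked = sorted(scored, key=lambda sc: sc[1], reverse=True)
    return [scheme for scheme, _ in ranked[:n]]

def score_schemes(graph, source_resources, target_host):
    """Return (scheme, coefficient) pairs for every matching candidate."""
    return [(t.scheme, attack_coefficient(t))
            for t in match_candidates(graph, source_resources, target_host)]

if __name__ == "__main__":
    # Constructed inputs: what the source host holds, what the target host exposes.
    scored = score_schemes(KNOWLEDGE_GRAPH, frozenset({"tool_x"}),
                           {"os": "linux", "service": "ssh", "version": "8.2"})
    print(scored)                          # [('scheme_A', 8), ('scheme_D', 5)]
    print(select_by_threshold(scored, 6))  # ['scheme_A']
    print(select_top_n(scored, 2))         # ['scheme_A', 'scheme_D']
```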

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111455071.7A CN114157480B (en) 2021-12-01 2021-12-01 Method, device, equipment and storage medium for determining network attack scheme

Publications (2)

Publication Number Publication Date
CN114157480A true CN114157480A (en) 2022-03-08
CN114157480B CN114157480B (en) 2024-01-26

Family

ID=80455658

Country Status (1)

Country Link
CN (1) CN114157480B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant