CN114640484A - Network security countermeasure method and device and electronic equipment - Google Patents


Info

Publication number
CN114640484A
Authority
CN
China
Prior art keywords
host
defense
score
attack
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011387397.6A
Other languages
Chinese (zh)
Inventor
董航
张峰
安宝宇
陈昊
徐一
徐扬
白雪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd
Priority to CN202011387397.6A
Publication of CN114640484A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms


Abstract

The application provides a network security countermeasure method, a network security countermeasure device and an electronic device, and relates to the technical field of network security. The network security countermeasure method comprises the following steps. First, attack operations are launched against the defense-side host using each preset risk item of the defense-side host. Then, an emergency response score of the defense-side host is determined from the emergency response operations of the defense-side host; a reinforcement score of the defense-side host is determined from the attack cost and from the repair result of the defense-side host on the preset risk items; and a counterattack score of the defense-side host is determined from the counterattack operations initiated by the defense-side host against the network security countermeasure platform. Finally, the defense score of the defense-side host is determined from the emergency response score, the reinforcement score and the counterattack score. Defenders thereby receive network security training that is closer to an actual network attack scenario, and their capability to defend against network attacks is improved.

Description

Network security countermeasure method and device and electronic equipment
[ technical field ]
The present application relates to the field of network security technologies, and in particular, to a network security countermeasure method, an apparatus, and an electronic device.
[ background of the invention ]
With the wide application and rapid development of internet technology, network attacks of every kind emerge endlessly, and network information security incidents occur from time to time. Under these circumstances, it is very important to use a network security countermeasure platform to give defensive personnel relevant network security training.
The network security training modes of current network security countermeasure platforms mainly include the Capture the Flag (CTF) mode, the war-sharing mode, the Attack and Defense (AWD) mode, the highland mode, and the like. These have two shortcomings. First, the training mode of the platform does not match an actual network attack scenario, so its practical combat value is weak; second, the training mode of the platform puts more emphasis on training attack skills, so the training content does not match the actual needs of defensive personnel.
[ summary of the invention ]
The embodiments of the application provide a network security countermeasure method, a network security countermeasure device and an electronic device, so that network security training closer to an actual network attack scenario is realized and the capability of defenders to defend against network attacks is improved.
In a first aspect, an embodiment of the present application provides a network security countermeasure method, including: initiating attack operations against the defense-side host using each preset risk item of the defense-side host; determining an emergency response score of the defense-side host from the emergency response operations of the defense-side host to the attack operations; determining a reinforcement score of the defense-side host from the attack cost and from the repair result of the defense-side host on the preset risk items; determining a counterattack score of the defense-side host from the counterattack operations initiated by the defense-side host against the network security countermeasure platform; and determining the defense score of the defense-side host from the emergency response score, the reinforcement score and the counterattack score.
In one possible implementation, before initiating attack operations against the defense-side host using each preset risk item of the defense-side host, the method further includes: implanting a first risk item into the defense-side host; and implanting a second risk item into the network security countermeasure platform; wherein the first risk item or the second risk item may include any one or more of the following: a preset vulnerability; a preset backdoor; and a preset virus program.
In one possible implementation, determining the emergency response score of the defense-side host from the emergency response operations of the defense-side host to the attack operations includes: launching a vulnerability attack against the defense-side host using a preset vulnerability of the defense-side host, and determining a vulnerability repair score of the defense-side host from the defense result of the defense-side host against the vulnerability attack; launching a backdoor attack against the defense-side host using a preset backdoor of the defense-side host, and determining a backdoor clearing score of the defense-side host from the defense result of the defense-side host against the backdoor attack; and launching a data-stealing attack against the defense-side host using a preset virus program of the defense-side host, and determining a data protection score of the defense-side host from the defense result of the defense-side host against the data-stealing attack.
In one possible implementation, determining the reinforcement score of the defense-side host from the attack cost and from the repair result of the defense-side host on the preset risk items includes: determining the repaired preset risk items among the preset risk items of the defense-side host; and determining the reinforcement score of the defense-side host from the attack cost of the attack operations corresponding to the repaired preset risk items; wherein the attack cost may include: attack timeliness (the time an attack takes to succeed); and attack tools.
In one possible implementation, determining the counterattack score of the defense-side host from the counterattack operations initiated by the defense-side host against the network security countermeasure platform includes: determining a traceability score of the defense-side host from the time the defense-side host takes to find the attack information of the network security countermeasure platform; determining a file acquisition score of the defense-side host from the time the defense-side host takes to obtain a target file from the network security countermeasure platform; and determining the counterattack score of the defense-side host from the traceability score and the file acquisition score.
In one possible implementation, determining the defense score of the defense-side host from the emergency response score, the reinforcement score and the counterattack score includes: determining the weighted values of the emergency response score, the reinforcement score and the counterattack score respectively according to preset weights; and adding the weighted values of the emergency response score, the reinforcement score and the counterattack score to determine the defense score of the defense-side host.
In a second aspect, an embodiment of the present application provides a network security countermeasure device, including: an attack module for initiating attack operations against the defense-side host using each preset risk item of the defense-side host; a determining module for determining an emergency response score of the defense-side host from the emergency response operations of the defense-side host to the attack operations; the determining module being further used for determining a reinforcement score of the defense-side host from the attack cost and from the repair result of the defense-side host on the preset risk items; the determining module being further configured to determine a counterattack score of the defense-side host from the counterattack operations initiated by the defense-side host against the network security countermeasure platform; and a scoring module for determining the defense score of the defense-side host from the emergency response score, the reinforcement score and the counterattack score.
In one possible implementation, the device further includes a risk implantation module for implanting a first risk item into the defense-side host and implanting a second risk item into the network security countermeasure platform; wherein the first risk item or the second risk item may include any one or more of the following: a preset vulnerability; a preset backdoor; and a preset virus program.
In a third aspect, an embodiment of the present application provides an electronic device, including: at least one processor; and at least one memory communicatively coupled to the processor, wherein the memory stores program instructions executable by the processor which, when called by the processor, are capable of performing the method described above.
In a fourth aspect, embodiments of the present application provide a non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the method described above.
In the above technical solution, attack operations are first initiated against the defense-side host using each preset risk item of the defense-side host. Then an emergency response score of the defense-side host is determined from the emergency response operations of the defense-side host to the attack operations; a reinforcement score of the defense-side host is determined from the attack cost and from the repair result of the defense-side host on the preset risk items; and a counterattack score of the defense-side host is determined from the counterattack operations initiated by the defense-side host against the network security countermeasure platform. Finally, the defense score of the defense-side host is determined from the emergency response score, the reinforcement score and the counterattack score. Network security training closer to an actual network attack scenario is thereby realized, and the capability of defensive personnel to defend against network attacks is improved.
[ description of the drawings ]
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed for the embodiments are briefly described below. Obviously, the drawings in the following description show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a flow chart of one embodiment of a network security countermeasure method of the present application;
FIG. 2 is a schematic structural diagram of an embodiment of the network security countermeasure device of the present application;
FIG. 3 is a schematic structural diagram of another embodiment of the network security countermeasure device of the present application;
FIG. 4 is a schematic structural diagram of an embodiment of an electronic device according to the present application.
[ detailed description ]
For better understanding of the technical solutions of the present application, the following detailed descriptions of the embodiments of the present application are provided with reference to the accompanying drawings.
It should be understood that the embodiments described are only a few embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terminology used in the embodiments of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the examples of this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In the embodiment of the application, a network security anti-attack platform can be provided. The network security countermeasure attack platform can be used for executing the network security countermeasure method provided by the embodiment of the application. The network security training closer to the actual network attack scene is performed on the defenders, and the defending capability of the defenders against the network attack is improved.
Fig. 1 is a flowchart of an embodiment of a network security countermeasure method according to the present application. As shown in fig. 1, the network security countermeasure method may include:
and 101, initiating attack operation to the host at the defense side by utilizing each preset risk item of the host at the defense side.
In the embodiment of the application, a network attack party in an actual scene can be simulated by a network security countermeasure attack platform, and attack operation is initiated to the host at the defense side. The defense party is trained by simulating a real network attack scene, and the defense capability of the defense party is improved.
Before the network security anti-attack platform initiates attack operation to the host at the defense side, a first risk item can be implanted into the host at the defense side according to the design of the question. So as to launch attack operation to the host at the defense side by using the first risk item. And preparing a trigger and a botnet for the network security countermeasure attack platform so that the network security countermeasure attack platform can simulate the network attacker in the actual scene. And implanting the second risk item into the network security countermeasure attack platform so that the defense side host can initiate counterattack operation on the network security countermeasure attack platform. Wherein the first risk item or the second risk item may include: and (4) presetting bugs, presetting backdoors and presetting virus programs.
The attack operation initiated to the host on the defense side may include, for example: the method comprises the following steps of security scanning attack, system vulnerability attack, brute force cracking attack, denial of service attack, website content tampering, remote control trojan horse and the like.
And 102, determining an emergency response score of the host at the defense side according to the emergency response operation of the host at the defense side to the attack operation.
In the embodiment of the present application, due to the attack operation on the host at the defense side in step 101, the host at the defense side may have a server interrupt. At this time, the defense side host can judge the current service states of the plurality of servers and recover the normal service functions of the servers.
On the basis, aiming at the attack operation of the network security anti-attack platform, the defense side host can initiate emergency response operation. The emergency response operations may include, for example: searching and clearing backdoor files, confusing backdoor files, deleting newly-built malicious users, killing Trojan horse immortal horse processes, repairing bugs and the like.
In the embodiment of the application, besides the attack operation of the simulated attacker, the network security countermeasure attack platform can also detect the defense operation of the defense side and score the defense operation of the host of the defense side.
Specifically, the network security countermeasure attack platform can determine the emergency response score of the host at the defense side according to the emergency response operation of the host at the defense side.
In some embodiments, the network security countermeasure attack platform may perform multiple times of interception attack detection, backdoor cleaning detection, and data protection detection on the defense-side host according to a preset time interval. And determining the vulnerability repair capability, the backdoor clearing capability and the data protection capability of the host at the defense side at each time node. And determining the emergency response score of the host at the defense side according to the emergency response operation of the host at the defense side at each time node.
For any operation of determining the emergency response score of the host on the defense side, the specific implementation method is as follows.
In some embodiments, interception attack detection may be performed to determine vulnerability fix scores for the defending side hosts. The network security countermeasure attack platform can launch vulnerability attack to the host at the defense side by using the preset vulnerability of the host at the defense side, and detect the capability of the host at the defense side for intercepting the attack. If the host on the defense side successfully defends, the preset bug can be proved to be repaired. Otherwise, the preset bug is considered not to be repaired. And determining the vulnerability repair score of the host at the defense side according to the defense result of the host at the defense side to vulnerability attack.
In other embodiments, a back door clearing test may be performed to determine a back door clearing score for the defending side host. The network security countermeasure attack platform can carry out existence verification on a preset backdoor in the host machine at the defense side. Specifically, whether the preset backdoor still exists can be determined by executing a detection script preset by the host at the defense side. Thereby determining the back door clearance score of the defending side host. Or, a preset back door of the defense side host can be utilized to launch back door attack to the defense side host. And determining a back door clearing score of the host at the defense side according to a defense result of the host at the defense side to the back door attack.
In other embodiments, data protection detection may be performed to determine a data protection score for the defending side host. The network security anti-attack platform can steal target data in the host at the defense side by using a preset virus program of the host at the defense side. If the target data is stolen successfully, the host at the defense side can be considered not to kill the preset virus program, and the data protection fails; on the contrary, the defense side-describing machine is considered to have better data protection capability. And determining the data protection score of the host at the defense side according to the data protection result of the host at the defense side.
And 103, determining the reinforcement value of the host at the defense side according to the attack cost and the repair result of the host at the defense side on the preset risk items.
In the embodiment of the application, the network security countermeasure attack platform can determine the reinforcement score of the host at the defense side after the attack operation is finished.
Specifically, the repaired preset risk items can be determined from the preset risk items of the host on the defense side. The preset risk items subjected to repair can be completely repaired preset risk items or partially repaired preset risk items.
And determining the attack operation corresponding to the repaired preset risk item. And determining the limiting capacity of the repaired preset risk item on the attack operation according to the increase condition of the repaired preset risk item on the attack cost of the attack operation. Thereby determining the reinforcement score of the defending side host.
Wherein, the attack cost may include: attack timelines and attack tools. If the repaired preset risk items prolong the time of the system being broken; alternatively, the expected attack effect is reduced; or, the addition of an additional attack tool and the increase of the flow consumption for the attack can be considered as the increase of the attack cost and the restriction of the attack operation.
For example. By utilizing the target loophole in the defense side host, the network security anti-attack platform can break through the defense measure originally, and the execution of any code of the system level administrator authority is realized. And the defense side host machine repairs the target loophole, so that the network security anti-attack platform is limited to be executed by any code of the authority of a common user, and the important files of the system can only be read by the code execution without being written. At this time, it is considered that the defense-side host reinforcement operation reduces the expected attack effect, and the attack operation is restricted.
And step 104, determining the counter attack score of the host at the defense side according to the counter attack operation initiated by the host at the defense side to the network security counter attack platform.
In the embodiment of the application, in the counterattack stage, firstly, the defense side host can search the attack information of the network security counterattack attack platform according to the information such as the login log, the middleware log, the data traffic and the like. Attack information may include, for example: attacker IP, attacker host information and board hopping machine used by the attacker.
After determining the attack information of the network security countermeasure attack platform, the defense side host can initiate counterattack operation to the network security countermeasure attack platform. The defense side host can acquire the target file in the network security countermeasure attack platform by utilizing the preset risk items in the network security countermeasure attack platform. And submitting the acquired target file to a target address in a network security anti-attack platform. The network security counterattack platform receives the target file submitted by the host at the defense side, and the host at the defense side can be considered to successfully counterattack.
In the counterattack process of the host on the defense side, the network security counterattack platform can determine the counterattack score of the host on the defense side. Specifically, firstly, the source tracing value of the host at the defense side can be determined according to the duration of searching the attack information of the network security anti-attack platform by the host at the defense side. And then, determining a file acquisition score of the host at the defense side according to the time length of the host at the defense side for acquiring the target file from the network security countermeasure attack platform. And finally, adding the traceability score and the file acquisition score to determine a counterattack score of the host at the defense side.
And 105, determining the defense score of the host at the defense side according to the emergency response score, the reinforcement score and the counterattack score.
In some embodiments, the emergency response score, the reinforcement score, and the counter-attack score obtained in the previous steps may be added, and the obtained sum may be determined as the defense score of the defense-side host.
In other embodiments, the weighting values for the emergency response score, the reinforcement score, and the counterattack score may be determined based on predetermined weights. The preset weight can be set according to the needs of actual conditions. The weighted values of the emergency response score, reinforcement score, and counterattack score may then be added to determine the defense score of the defense-side host.
In this embodiment, the network security countermeasure method is divided into three phases: an emergency response phase, a reinforcement phase and a counterattack phase. First, attack operations are launched against the defense-side host using each preset risk item of the defense-side host. Then the emergency response score, the reinforcement score and the counterattack score of the defense-side host are determined respectively. Finally, the defense score of the defense-side host is determined from the emergency response score, the reinforcement score and the counterattack score. Network security training that is closer to a real attack scenario is thereby realized, and the ability of defensive personnel to defend against network attacks is improved.
In another embodiment of the present application, unlike the embodiments above, the network security countermeasure method may be divided into four phases: an emergency response phase, a reinforcement phase, a traceability phase and a counterattack phase. The emergency response score, the reinforcement score, the traceability score and the counterattack score of the defense-side host are determined respectively, and the defense score of the defense-side host is determined from these four scores.
First, the emergency response score of the defense-side host may be determined according to the emergency response operations of the defense-side host against the attack operations. For the specific implementation, refer to step 102 of the embodiment above; it is not repeated here.
Then, the reinforcement score of the defense-side host is determined according to the attack cost and the repair result of the defense-side host for the preset risk items. For the specific implementation, refer to step 103 of the embodiment above; it is not repeated here.
Next, the traceability score of the defense-side host may be determined according to the time the defense-side host takes to find the attack information of the network security countermeasure attack platform.
Finally, the file acquisition score of the defense-side host is determined according to the time the defense-side host takes to acquire the target file from the network security countermeasure attack platform; in this four-phase embodiment, where traceability is scored as its own phase, this file acquisition score is the counterattack score.
In some embodiments, the emergency response score, the reinforcement score, the traceability score and the counterattack score obtained in the preceding steps are added, and the resulting sum is taken as the defense score of the defense-side host.
In other embodiments, weighted values of the emergency response score, the reinforcement score, the traceability score and the counterattack score are determined according to preset weights. The preset weights may be set according to actual needs. The weighted values of the four scores are then added to obtain the defense score of the defense-side host.
In this embodiment, the network security countermeasure method is divided into four phases: an emergency response phase, a reinforcement phase, a traceability phase and a counterattack phase. First, attack operations are launched against the defense-side host using each preset risk item of the defense-side host. Then the emergency response score, the reinforcement score, the traceability score and the counterattack score of the defense-side host are determined respectively. Finally, the defense score of the defense-side host is determined from these four scores. Network security training that is closer to a real attack scenario is thereby realized, and the ability of defensive personnel to defend against network attacks is improved.
Fig. 2 is a schematic structural diagram of an embodiment of the network security countermeasure device of the present application. The network security countermeasure device of this embodiment may implement the network security countermeasure method provided by the embodiments above. As shown in Fig. 2, the network security countermeasure device may include an attack module 21, a determining module 22 and a scoring module 23.
The attack module 21 is configured to launch an attack operation against the defense-side host using each preset risk item of the defense-side host.
The determining module 22 is configured to determine the emergency response score of the defense-side host according to the emergency response operation of the defense-side host against the attack operation; to determine the reinforcement score of the defense-side host according to the attack cost and the repair result of the defense-side host for the preset risk items; and to determine the counterattack score of the defense-side host according to the counterattack operation launched by the defense-side host against the network security countermeasure attack platform.
The scoring module 23 is configured to determine the defense score of the defense-side host according to the emergency response score, the reinforcement score and the counterattack score.
In a specific implementation, when determining the emergency response score of the defense-side host, the determining module 22 is specifically configured to: launch a vulnerability attack against the defense-side host using a preset vulnerability of the defense-side host, and determine the vulnerability repair score of the defense-side host according to the defense result of the defense-side host against the vulnerability attack; launch a backdoor attack against the defense-side host using a preset backdoor of the defense-side host, and determine the backdoor clearing score of the defense-side host according to the defense result of the defense-side host against the backdoor attack; and launch a data theft attack against the defense-side host using a preset virus program of the defense-side host, and determine the data protection score of the defense-side host according to the defense result of the defense-side host against the data theft attack.
When determining the reinforcement score of the defense-side host, the determining module 22 is specifically configured to: determine which of the preset risk items of the defense-side host have been repaired; and determine the reinforcement score of the defense-side host according to the attack cost of the attack operations corresponding to the repaired preset risk items. The attack cost may include attack timeliness (the time the attack needed) and the attack tools used.
When determining the counterattack score of the defense-side host, the determining module 22 is specifically configured to: determine the traceability score of the defense-side host according to the time the defense-side host takes to find the attack information of the network security countermeasure attack platform; determine the file acquisition score of the defense-side host according to the time the defense-side host takes to acquire the target file from the network security countermeasure attack platform; and determine the counterattack score of the defense-side host from the traceability score and the file acquisition score.
Further, when determining the defense score of the defense-side host, the scoring module 23 is specifically configured to determine weighted values of the emergency response score, the reinforcement score and the counterattack score according to preset weights, and to add these weighted values to obtain the defense score of the defense-side host.
In the network security countermeasure device, the attack module 21 first launches an attack operation against the defense-side host using each preset risk item of the defense-side host. The determining module 22 then determines the emergency response score of the defense-side host according to the emergency response operation of the defense-side host against the attack operation; determines the reinforcement score of the defense-side host according to the attack cost and the repair result of the defense-side host for the preset risk items; and determines the counterattack score of the defense-side host according to the counterattack operation launched by the defense-side host against the network security countermeasure attack platform. Finally, the scoring module 23 determines the defense score of the defense-side host according to the emergency response score, the reinforcement score and the counterattack score. Network security training that is closer to a real attack scenario is thereby realized, and the ability of defensive personnel to defend against network attacks is improved.
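The scoring pipeline of the method embodiments above (three-phase and four-phase) and of the device just described can be made concrete as follows. This is an added illustration and is not code from the patent or its assignee: the patent fixes the phases, the inputs of each score and the weighted sum, while the point values per defended attack, the attack-cost formula combining attack timeliness and tool level, the 120-minute time limits for the traceability and file acquisition scores, the phase weights, and the drill data in `sample_drill()` are all assumptions chosen for the example.

```python
"""Scoring model for the countermeasure drill described in the embodiments above.

Added illustration, not code from the patent or its assignee. The point
values, attack-cost formula, time limits and phase weights are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class RiskKind(Enum):
    VULNERABILITY = "preset vulnerability"
    BACKDOOR = "preset backdoor"
    VIRUS = "preset virus program"


@dataclass(frozen=True)
class RiskItem:
    """A preset risk item implanted on the defense-side host."""
    name: str
    kind: RiskKind
    attack_minutes: float  # attack timeliness: time the attack needed to succeed
    tool_level: int        # assumed scale: 1 = public tool ... 3 = custom tool


@dataclass(frozen=True)
class AttackOutcome:
    """What happened after the platform attacked the host with one risk item."""
    item: RiskItem
    defended: bool  # emergency response blocked the attack
    repaired: bool  # risk item was fixed during reinforcement


@dataclass(frozen=True)
class CounterattackResult:
    """Durations measured in the counterattack phase; None = not achieved."""
    trace_minutes: Optional[float]  # time to find the platform's attack information
    file_minutes: Optional[float]   # time to retrieve the target file from the platform


# Points per defended attack, one entry per phase-1 sub-score in the text (assumed).
EMERGENCY_POINTS = {
    RiskKind.VULNERABILITY: 20,  # vulnerability repair score
    RiskKind.BACKDOOR: 20,       # backdoor clearing score
    RiskKind.VIRUS: 20,          # data protection score
}


def emergency_response_score(outcomes: List[AttackOutcome]) -> float:
    """Phase 1: credit only the attacks the host actually defended."""
    return float(sum(EMERGENCY_POINTS[o.item.kind] for o in outcomes if o.defended))


def attack_cost(item: RiskItem) -> float:
    """Attack cost from attack timeliness and attack tool (assumed linear formula)."""
    return item.attack_minutes + 10.0 * item.tool_level


def reinforcement_score(outcomes: List[AttackOutcome]) -> float:
    """Phase 2: only repaired risk items count, weighted by how costly the attack was."""
    return sum(attack_cost(o.item) for o in outcomes if o.repaired)


def time_based_score(minutes: Optional[float], full_points: float, limit: float) -> float:
    """Full points for an instant result, decaying linearly to 0 at the time limit."""
    if minutes is None or minutes >= limit:
        return 0.0
    return full_points * (1.0 - minutes / limit)


def traceability_score(result: CounterattackResult) -> float:
    return time_based_score(result.trace_minutes, full_points=50, limit=120)


def file_acquisition_score(result: CounterattackResult) -> float:
    return time_based_score(result.file_minutes, full_points=50, limit=120)


def counterattack_score(result: CounterattackResult) -> float:
    """Phase 3 (three-phase embodiment): traceability score + file acquisition score."""
    return traceability_score(result) + file_acquisition_score(result)


def defense_score(outcomes, result, weights=(0.4, 0.3, 0.3)) -> float:
    """Three-phase defense score as a weighted sum (weights are assumed)."""
    w_e, w_r, w_c = weights
    return (w_e * emergency_response_score(outcomes)
            + w_r * reinforcement_score(outcomes)
            + w_c * counterattack_score(result))


def defense_score_four_phase(outcomes, result, weights=(0.4, 0.2, 0.2, 0.2)) -> float:
    """Four-phase variant: traceability is scored as its own phase."""
    w_e, w_r, w_t, w_f = weights
    return (w_e * emergency_response_score(outcomes)
            + w_r * reinforcement_score(outcomes)
            + w_t * traceability_score(result)
            + w_f * file_acquisition_score(result))


def sample_drill() -> Tuple[float, float]:
    """Constructed drill data (not from the patent); returns both defense scores."""
    web_flaw = RiskItem("web-app-flaw", RiskKind.VULNERABILITY, attack_minutes=30, tool_level=1)
    backdoor = RiskItem("ssh-backdoor", RiskKind.BACKDOOR, attack_minutes=45, tool_level=2)
    dropper = RiskItem("data-stealer", RiskKind.VIRUS, attack_minutes=20, tool_level=3)
    outcomes = [
        AttackOutcome(web_flaw, defended=True, repaired=True),
        AttackOutcome(backdoor, defended=False, repaired=True),  # missed, but later fixed
        AttackOutcome(dropper, defended=True, repaired=False),   # blocked, never removed
    ]
    counter = CounterattackResult(trace_minutes=30, file_minutes=None)  # file never obtained
    return defense_score(outcomes, counter), defense_score_four_phase(outcomes, counter)


if __name__ == "__main__":
    three, four = sample_drill()
    print(f"three-phase defense score: {three:.2f}")
    print(f"four-phase defense score:  {four:.2f}")
```

Two design points follow directly from the text: the reinforcement score rewards repairing the items whose attacks were costliest, so a host that fixes only the trivial finding gains little, and a counterattack step that is never completed scores zero rather than being omitted, which keeps the weighted sum comparable across hosts.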
Fig. 3 is a schematic structural diagram of another embodiment of the network security countermeasure device of the present application. Compared with the network security countermeasure device shown in Fig. 2, the device shown in Fig. 3 may further include a risk implantation module 31.
The risk implantation module 31 is configured to implant a first risk item into the defense-side host, and to implant a second risk item into the network security countermeasure attack platform.
The first risk item or the second risk item may include any one or more of the following risk items: a preset vulnerability, a preset backdoor and a preset virus program.
Fig. 4 is a schematic structural diagram of an embodiment of an electronic device according to the present application. As shown in Fig. 4, the electronic device may include at least one processor and at least one memory communicatively coupled to the processor, wherein the memory stores program instructions executable by the processor, and the processor calls the program instructions to execute the network security countermeasure method provided by the embodiments of the present application.
The electronic device may be a network security countermeasure device; this embodiment does not limit the specific form of the electronic device.
FIG. 4 illustrates a block diagram of an exemplary electronic device suitable for use in implementing embodiments of the present application. The electronic device shown in fig. 4 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 4, the electronic device is in the form of a general purpose computing device. Components of the electronic device may include, but are not limited to: one or more processors 410, a memory 430, and a communication bus 440 that connects the various system components (including the memory 430 and the processors 410).
Communication bus 440 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. These architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MCA) bus, the Enhanced ISA (EISA) bus, the Video Electronics Standards Association (VESA) local bus, and the Peripheral Component Interconnect (PCI) bus.
Electronic devices typically include a variety of computer system readable media. Such media may be any available media that is accessible by the electronic device and includes both volatile and nonvolatile media, removable and non-removable media.
Memory 430 may include computer system readable media in the form of volatile Memory, such as Random Access Memory (RAM) and/or cache Memory. The electronic device may further include other removable/non-removable, volatile/nonvolatile computer system storage media. Although not shown in FIG. 4, a disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a Compact disk Read Only Memory (CD-ROM), a Digital versatile disk Read Only Memory (DVD-ROM), or other optical media) may be provided. In these cases, each drive may be connected to the communication bus 440 by one or more data media interfaces. Memory 430 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the application.
A program/utility having a set (at least one) of program modules, including but not limited to an operating system, one or more application programs, other program modules, and program data, may be stored in memory 430, each of which examples or some combination may include an implementation of a network environment. The program modules generally perform the functions and/or methodologies of the embodiments described herein.
The electronic device may also communicate with one or more external devices (e.g., keyboard, pointing device, display, etc.), one or more devices that enable a user to interact with the electronic device, and/or any devices (e.g., network card, modem, etc.) that enable the electronic device to communicate with one or more other computing devices. Such communication may occur via communication interface 420. Furthermore, the electronic device may also communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via a network adapter (not shown in Fig. 4) that may communicate with other modules of the electronic device via the communication bus 440. It should be appreciated that although not shown in Fig. 4, other hardware and/or software modules may be used in conjunction with the electronic device, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processor 410 executes programs stored in the memory 430 to perform various functional applications and data processing, such as implementing the network security countermeasure method provided by the embodiment of the present application.
The embodiment of the present application further provides a non-transitory computer-readable storage medium, where the non-transitory computer-readable storage medium stores computer instructions, and the computer instructions enable the computer to execute the network security countermeasure method provided in the embodiment of the present application.
The non-transitory computer readable storage medium described above may take any combination of one or more computer readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read Only Memory (ROM), an Erasable Programmable Read Only Memory (EPROM), a flash Memory, an optical fiber, a portable compact disc Read Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
In the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing steps of a custom logic function or process, and alternate implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.
It should be noted that the terminal according to the embodiments of the present application may include, but is not limited to, a Personal Computer (PC), a Personal Digital Assistant (PDA), a wireless handheld device, a tablet computer, a mobile phone, an MP3 player, an MP4 player, and the like.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions in actual implementation, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A network security countermeasure method, applied to a network security countermeasure attack platform, the method comprising:
launching an attack operation against a defense-side host using each preset risk item of the defense-side host;
determining an emergency response score of the defense-side host according to an emergency response operation of the defense-side host against the attack operation;
determining a reinforcement score of the defense-side host according to an attack cost and a repair result of the defense-side host for the preset risk items;
determining a counterattack score of the defense-side host according to a counterattack operation launched by the defense-side host against the network security countermeasure attack platform; and
determining a defense score of the defense-side host according to the emergency response score, the reinforcement score and the counterattack score.
2. The method of claim 1, wherein before launching the attack operation against the defense-side host using each preset risk item of the defense-side host, the method further comprises:
implanting a first risk item into the defense-side host; and implanting a second risk item into the network security countermeasure attack platform;
wherein the first risk item or the second risk item comprises any one or more of the following: a preset vulnerability; a preset backdoor; and a preset virus program.
3. The method of claim 1, wherein determining the emergency response score of the defense-side host according to the emergency response operation of the defense-side host against the attack operation comprises:
launching a vulnerability attack against the defense-side host using a preset vulnerability of the defense-side host, and determining a vulnerability repair score of the defense-side host according to a defense result of the defense-side host against the vulnerability attack;
launching a backdoor attack against the defense-side host using a preset backdoor of the defense-side host, and determining a backdoor clearing score of the defense-side host according to a defense result of the defense-side host against the backdoor attack; and
launching a data theft attack against the defense-side host using a preset virus program of the defense-side host, and determining a data protection score of the defense-side host according to a defense result of the defense-side host against the data theft attack.
4. The method of claim 1, wherein determining the reinforcement score of the defense-side host according to the attack cost and the repair result of the defense-side host for the preset risk items comprises:
determining repaired preset risk items from among the preset risk items of the defense-side host; and
determining the reinforcement score of the defense-side host according to the attack cost of the attack operations corresponding to the repaired preset risk items;
wherein the attack cost comprises: attack timeliness; and attack tools.
5. The method of claim 1, wherein determining the counterattack score of the defense-side host according to the counterattack operation launched by the defense-side host against the network security countermeasure attack platform comprises:
determining a traceability score of the defense-side host according to the time the defense-side host takes to find attack information of the network security countermeasure attack platform;
determining a file acquisition score of the defense-side host according to the time the defense-side host takes to acquire a target file from the network security countermeasure attack platform; and
determining the counterattack score of the defense-side host according to the traceability score and the file acquisition score.
6. The method of any one of claims 3 to 5, wherein determining the defense score of the defense-side host according to the emergency response score, the reinforcement score and the counterattack score comprises:
determining weighted values of the emergency response score, the reinforcement score and the counterattack score respectively according to preset weights; and
adding the weighted values of the emergency response score, the reinforcement score and the counterattack score to obtain the defense score of the defense-side host.
7. A network security countermeasure apparatus, comprising:
an attack module, configured to launch an attack operation against a defense-side host using each preset risk item of the defense-side host;
a determining module, configured to determine an emergency response score of the defense-side host according to an emergency response operation of the defense-side host against the attack operation;
the determining module being further configured to determine a reinforcement score of the defense-side host according to an attack cost and a repair result of the defense-side host for the preset risk items;
the determining module being further configured to determine a counterattack score of the defense-side host according to a counterattack operation launched by the defense-side host against a network security countermeasure attack platform; and
a scoring module, configured to determine a defense score of the defense-side host according to the emergency response score, the reinforcement score and the counterattack score.
8. The apparatus of claim 7, further comprising:
a risk implantation module, configured to implant a first risk item into the defense-side host and to implant a second risk item into the network security countermeasure attack platform;
wherein the first risk item or the second risk item comprises any one or more of the following: a preset vulnerability; a preset backdoor; and a preset virus program.
9. An electronic device, comprising:
at least one processor; and
at least one memory communicatively coupled to the processor, wherein:
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any of claims 1 to 6.
10. A non-transitory computer-readable storage medium storing computer instructions that cause a computer to perform the method of any one of claims 1 to 6.
CN202011387397.6A 2020-12-01 2020-12-01 Network security countermeasure method and device and electronic equipment Pending CN114640484A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011387397.6A CN114640484A (en) 2020-12-01 2020-12-01 Network security countermeasure method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN114640484A true CN114640484A (en) 2022-06-17

Family

ID=81944876

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116129884A (en) * 2023-03-29 2023-05-16 杭州海康威视数字技术股份有限公司 Voice countermeasure sample defense method, device and equipment based on sensitive frequency band adjustment
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination