CN114928564A - Function verification method and device of security component - Google Patents


Info

Publication number: CN114928564A
Application number: CN202110152435.8A
Authority: CN (China)
Prior art keywords: test sample, test, result, equipment, component
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 杨利东
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd
Priority: CN202110152435.8A; PCT/CN2021/113909 (WO2022166166A1)
Publication: CN114928564A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 43/00 Arrangements for monitoring or testing data switching networks > H04L 43/50 Testing arrangements
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 43/00 Arrangements for monitoring or testing data switching networks > H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters > H04L 43/0805 Monitoring or testing based on specific metrics by checking availability

Abstract

The application provides a function verification method and device for a security component, and belongs to the field of network technology. A test message, or a message stream carrying a test file, is provided to the protection device as a test sample; the test sample, as input traffic, flows in turn through the security components in the protection device; each security component detects the test sample and generates a detection result; the detection result generated by the security component is compared with an expected result; and whether the security component is functioning normally is determined from the comparison. The method supports verifying the working state of the protection device while it is deployed in a real network, suits the scenario in which security components are frequently upgraded and changed, and helps find security components whose functions have failed in actual use in a timely manner. The method also supports automatic execution of the function verification process, avoiding the complex operation of manual testing and improving test efficiency.

Description

Function verification method and device for security component
Technical Field
The present application relates to the field of network technologies, and in particular, to a method and an apparatus for verifying a function of a security component.
Background
To improve the security of a local area network, many enterprises deploy protection devices such as firewalls and security gateways. A protection device typically integrates many security components, such as a fragment serialization processing component, a session reassembly component, a traffic detection component, a file restoration component, a file detection component, a protocol identification component, a domain name detection component, and so on. The protection device performs attack detection on messages through this series of security components so that an attack can be blocked promptly when it is found, thereby ensuring the network security of the local area network.
At present, the functioning of the security components in a protection device is ensured by a function test flow carried out before the protection device leaves the factory. For example, a tester employed by the manufacturer of the protection device tests the functions of the security components included in the device, and judges from the test results whether those functions are normal.
However, this approach only ensures that the protection device functions normally when it leaves the factory. Once the device is deployed in the live network, its security components are frequently upgraded and changed, and a component's function may fail during such a change; since no tester performs function tests on the deployed device, a security component whose function has failed cannot be found in time. The above approach therefore works poorly for the function verification of security components.
Disclosure of Invention
Embodiments of the application provide a function verification method and device for a security component, which improve the effectiveness of function verification of the security component. The technical solution is as follows.
In a first aspect, a method for verifying the function of a security component is provided. The method includes: providing a test sample to a protection device, where the test sample includes at least one of a test message or a message stream carrying a test file; obtaining a detection result generated by a security component in the protection device detecting the test sample; comparing the detection result with an expected result corresponding to the test sample; and if the detection result is consistent with the expected result, determining that the security component is functioning normally.
In this method, a test message, a message stream carrying a test file, or the like is provided to the protection device as a test sample; the test sample, as input traffic, flows in turn through the security components in the protection device; the security components detect the test sample and generate detection results; the detection results are compared with expected results; and whether the security components are functioning normally is judged from the comparison. The method supports verifying the working state of the protection device while it is deployed in a real network, suits the scenario in which security components are frequently upgraded and changed, and helps find security components whose functions have failed in actual use in a timely manner. It also supports automatic execution of the function verification process, avoiding the complex operation of manual testing and improving test efficiency. The method therefore improves the effectiveness of verifying the functions of the security component.
Optionally, the test sample includes a first test sample, and before providing the test sample to the protection device the method further includes: receiving a download request from the protection device, where the download request includes a device identifier of the protection device; and querying a sample library according to the device identifier to obtain the first test sample, where the first test sample is the test sample corresponding to the device identifier in the sample library, and the sample library includes at least one correspondence between a device identifier and a test sample.
This mode helps provide test samples that better match the specific functions of each device, makes it convenient to verify different devices with different, targeted test samples, and allows finer-grained and more flexible function verification.
Optionally, after comparing the detection result with the expected result corresponding to the test sample, the method further includes: generating a function verification result according to whether the detection result is consistent with the expected result, where the function verification result indicates whether the function of the security component is normal.
Optionally, the method further includes: in response to a registration request containing an administrator account and the device identifier of the protection device, storing the correspondence between the device identifier and the administrator account in an account information table; storing the correspondence between the function verification result and the device identifier in a result information table; and in response to a query request containing the administrator account, querying the account information table and the result information table according to the administrator account to obtain the function verification result corresponding to the device identifier, and providing that function verification result to the initiator of the query request.
In this mode, on the one hand, an information channel is provided to help the administrator learn whether each component of the protection device is functioning normally; on the other hand, access control is performed based on the account: a visitor holding the administrator account can obtain information on whether the components of the protection device are functioning normally, while a visitor without the administrator account cannot, which improves information security.
Optionally, after generating the function verification result, the method further includes: if the function verification result indicates that the function of the security component is abnormal, upgrading the security component; or, if the function verification result indicates that the security component is not functioning normally, sending a notification message that notifies an administrator, or the protection device itself, of the function verification result of the protection device.
When a security component is found by testing to be functioning abnormally, the component is automatically upgraded, or the administrator or the protection device is actively informed of the component's abnormal state, so that the component fault is handled in a closed loop and corrected automatically.
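The sample-library lookup by device identifier, result comparison, account-scoped result query and closed-loop notification described in the aspects above, modelled in Python as an added example that is not code from the patent. The signature library, the simulated traffic detection component, and the device and account names are constructed for illustration; a "lost signature library" stands in for a failed component upgrade.

```python
"""Model of the test-server side of the verification flow: sample library keyed by
device identifier, result comparison, account and result information tables, and
account-scoped result queries. Illustrative only; not the patent's implementation."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class TestSample:
    sample_id: str
    payload: bytes          # constructed test message (in the method, a PCAP-borne message stream)
    expected_result: str    # e.g. "attack_type:flood" or "no_attack"


# Constructed attack-signature library for the simulated traffic detection component.
# These byte patterns are placeholders, not real signatures.
HEALTHY_SIGNATURES: Dict[str, bytes] = {
    "flood": b"SIG-FLOOD-TEST",
    "malformed": b"SIG-MALFORMED-TEST",
}


def traffic_detection_component(payload: bytes, signatures: Dict[str, bytes]) -> str:
    """Simulated traffic detection component: match the message against the signature library."""
    for attack_type, sig in signatures.items():
        if sig in payload:
            return f"attack_type:{attack_type}"
    return "no_attack"


@dataclass
class TestServer:
    # sample library: device identifier -> test samples matching that device's functions
    sample_library: Dict[str, List[TestSample]] = field(default_factory=dict)
    # account information table: device identifier -> administrator account
    account_table: Dict[str, str] = field(default_factory=dict)
    # result information table: device identifier -> {sample_id: function normal?}
    result_table: Dict[str, Dict[str, bool]] = field(default_factory=dict)
    notifications: List[str] = field(default_factory=list)

    def register(self, admin_account: str, device_id: str) -> None:
        """Registration request: bind the device identifier to the administrator account."""
        self.account_table[device_id] = admin_account

    def handle_download_request(self, device_id: str) -> List[TestSample]:
        """Download request: return the samples that correspond to this device identifier."""
        return list(self.sample_library.get(device_id, []))

    def compare(self, device_id: str, sample: TestSample, detection_result: str) -> bool:
        """Compare the detection result with the expected result and record the verification result."""
        normal = detection_result == sample.expected_result
        self.result_table.setdefault(device_id, {})[sample.sample_id] = normal
        if not normal:
            # closed-loop handling: notify the administrator bound to this device
            admin = self.account_table.get(device_id, "<unregistered>")
            self.notifications.append(
                f"to {admin}: device {device_id} sample {sample.sample_id} abnormal "
                f"(expected {sample.expected_result!r}, got {detection_result!r})")
        return normal

    def query_results(self, admin_account: str) -> Dict[str, Dict[str, bool]]:
        """Query request: only devices bound to this administrator account are visible."""
        return {dev: dict(self.result_table.get(dev, {}))
                for dev, acct in self.account_table.items() if acct == admin_account}


def run_verification(server: TestServer, device_id: str, signatures: Dict[str, bytes]) -> Dict[str, bool]:
    """Simulate one protection device pulling its samples, detecting them and reporting results."""
    results: Dict[str, bool] = {}
    for sample in server.handle_download_request(device_id):
        detection_result = traffic_detection_component(sample.payload, signatures)
        results[sample.sample_id] = server.compare(device_id, sample, detection_result)
    return results


def demo() -> TestServer:
    """Constructed setup: one registered device with a normal sample and an attack sample."""
    server = TestServer()
    server.register("admin-n", "device-24")
    server.sample_library["device-24"] = [
        TestSample("s1", b"GET /index.html HTTP/1.1\r\n", "no_attack"),
        TestSample("s2", b"SIG-FLOOD-TEST" * 3, "attack_type:flood"),
    ]
    return server


if __name__ == "__main__":
    srv = demo()
    print(run_verification(srv, "device-24", HEALTHY_SIGNATURES))  # healthy component
    print(run_verification(srv, "device-24", {}))                  # signature library lost after a bad upgrade
    print(srv.query_results("admin-n"), srv.query_results("intruder"), srv.notifications)
```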
Optionally, providing the test sample to the protection device includes: encrypting the test sample, and sending the encrypted test sample to the protection device.
This helps prevent the test sample from being intercepted, which would cause the function verification to fail.
Optionally, the method is performed by a server deployed in the internet, and the protection device is deployed in a local area network configured with an access control policy that prohibits the protection device in the local area network from receiving data from the internet. Providing the test sample to the protection device then includes: sending the test sample to the protection device in the local area network; and the method further includes: if the test sample is successfully transmitted to the protection device, determining that the protection of the local area network has a vulnerability.
This mode can evaluate the network security of the local area network, and supports attack demonstration or network security defense evaluation scenarios.
Optionally, the detection result includes an attack type, a protocol type, a virus type, a malicious domain name, a malicious Internet Protocol (IP) address, or an indication of no attack.
This mode supports testing a variety of components, such as an IPS component, a protocol identification component, a file detection component, a domain name detection component, and an IP address detection component, making the test function more comprehensive and diverse.
In a second aspect, a function verification device for a security component is provided, which has the functionality to implement the method of the first aspect or any of its optional modes. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units corresponding to the above functions.
In a third aspect, a test server is provided, including a memory, a network interface and at least one processor, the test server being configured to implement the functionality of the first aspect or any of its optional modes.
In a fourth aspect, a network system is provided, which includes the test server provided in the third aspect and a protection device.
In a fifth aspect, a computer-readable storage medium is provided, in which at least one instruction is stored; when the instruction is executed on a computer, it causes the computer to perform the method of the first aspect or any of its optional modes.
In a sixth aspect, a computer program product is provided, comprising one or more computer program instructions which, when loaded and executed by a computer, cause the computer to perform the method of the first aspect or any of its optional modes.
In a seventh aspect, a chip is provided, including a memory and a processor, where the memory stores computer instructions and the processor calls and executes the computer instructions from the memory so as to perform the method of the first aspect or any possible implementation of the first aspect.
Drawings
Fig. 1 is a schematic diagram of an application scenario provided in an embodiment of the present application;
Fig. 2 is a flowchart of a method for verifying the function of a security component according to an embodiment of the present application;
Fig. 3 is a content diagram of a PCAP file provided by an embodiment of the present application;
Fig. 4 is a content diagram of another PCAP file provided by an embodiment of the present application;
Fig. 5 is a content diagram of another PCAP file provided by an embodiment of the present application;
Fig. 6 is a schematic diagram of another application scenario provided in an embodiment of the present application;
Fig. 7 is a flowchart of another method for verifying the function of a security component according to an embodiment of the present application;
Fig. 8 is a flowchart of another method for verifying the function of a security component according to an embodiment of the present application;
Fig. 9 is a flowchart of another method for verifying the function of a security component according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a test server according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of a function verification device for a security component according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in detail below with reference to the accompanying drawings.
The related art relies on a function test process before the protection device leaves the factory to ensure the functions of its security components. This approach has several drawbacks. First, it cannot guarantee that the detection function is still normal after a device that passed the factory function test has been deployed in the real network environment. Second, the fault point has to be located manually after the protection device fails. Third, troubleshooting is passive: it can only begin after a component in the protection device has failed, and the failure cannot be anticipated.
Embodiments of the application provide a method for efficient security component function verification based on the linkage of a test server and a protection device: a test sample is issued to the protection device deployed in the real network environment; the test sample flows in turn through each security component in the protection device as input traffic; each security component detects the test sample and generates a corresponding detection result; the detection result is compared with an expected result; and whether the security component in the protection device is functioning normally is judged from the comparison. First, the method can be executed while the protection device is in use in the live network, so that the security components of live-network devices are ultimately guaranteed around the clock. Second, the method can be performed automatically by the test server, reducing reliance on manual operation and enabling rapid function testing of the security components. The test server can test a large number of protection devices and uniformly manage and maintain the test samples and test results, so that the security of the many protection devices in the network can be analysed from an overall perspective and weak points and gaps in protection can be found. Third, the function verification process is actively initiated toward the component, so that a component's functional fault can be sensed in advance and the network security risk caused by the fault is avoided.
An application scenario of the embodiments of the present application is illustrated below.
Fig. 1 is a schematic diagram of an application scenario provided in an embodiment of the present application. Fig. 1 shows a scenario in which the test server 11 interacts with the protection devices 21, 22, 23 and 24.
The test server 11 is optionally deployed in the internet (or an extranet), and is sometimes referred to as a cloud server. The test server 11 stores test samples, which include attack messages, message streams carrying malicious files, and the like. The test server 11 includes a result comparison module, which compares the detection result sent by a protection device with the expected result in order to judge whether the security components in that protection device are functioning normally.
The protection devices 21, 22, 23 and 24 are deployed in the local area networks of different customers. As shown in fig. 1, protection device 21 is deployed at the boundary of the local area network of client 1, protection device 22 at the boundary of the local area network of client 2, protection device 23 at the boundary of the local area network of client 3, and protection device 24 at the boundary of the local area network of client N. The following description takes protection device 24 in fig. 1 as an example; the other protection devices in fig. 1 work on the same principle.
Protection device 24 protects the local area network of client N. As shown in fig. 1, that local area network includes devices such as clients, servers and switches, which are the devices to be protected by protection device 24. Specifically, protection device 24 protects these devices from attacks launched by an attacker from the internet, and prevents them from being used by an attacker to propagate a threat.
Protection device 24 includes, but is not limited to, a firewall, a security gateway (e.g., a router or a switch), an intrusion detection system (IDS) class device, an intrusion prevention system (IPS) class device, a unified threat management (UTM) device, an anti-virus (AV) device, an anti-distributed-denial-of-service (anti-DDoS) device, a next generation firewall (NGFW), or an integration of one or more of these.
Protection device 24 includes a plurality of security components. As shown in fig. 1, the security components in protection device 24 include, but are not limited to, a fragment serialization processing component, a session reassembly component, a traffic detection component, a file detection component, a protocol identification component, a file restoration component, a domain name detection component, a blacklist component, a whitelist component, or a reputation detection component. Fig. 1 is only an example: a protection device may include only some of the components shown in fig. 1, or more components than shown. Protection device 24 performs security detection on the packet flows entering and leaving the local area network through the plurality of security components, thereby determining whether a packet in the flow is an attack packet and whether a file carried in the flow is a malicious file. The security components in protection device 24 may optionally be arranged in a serial or a parallel processing relationship. The function of each security component in protection device 24 is described below.
The fragment serialization processing component reorders and reassembles Internet Protocol (IP) fragments, and discards fragments that are overlapping, incomplete or otherwise invalid.
The session reassembly component arranges all messages in order. For the Transmission Control Protocol (TCP), the session reassembly component orders and reassembles each TCP packet of a TCP stream into a complete TCP session. Optionally, the messages processed by the session reassembly component have already been processed by the fragment serialization processing component.
The traffic detection component matches the data in a message against the attack signatures in a signature library, and if the data matches an attack signature, the message is determined to be an attack. Attack signatures characterise network intrusion behaviour. The signature library contains signatures of various known attacks, or signatures configured by an administrator.
The file detection component matches the data in a file against the attack features in a feature library, and if the data matches an attack feature, the file is determined to be malicious. Attack features describe the characteristics of malicious files such as viruses and trojans. The feature library contains features of various known malicious files.
The protocol identification component identifies the protocol on which a message is based. In some embodiments, it specifically identifies the application layer protocol on which the message is based, for example the Hypertext Transfer Protocol (HTTP), the File Transfer Protocol (FTP), or the Simple Mail Transfer Protocol (SMTP).
The file restoration component obtains a file from messages. Specifically, after the protocol identification component has identified the application layer protocol, the file restoration component parses one or more messages according to that protocol and reassembles the payload fields of the parsed messages, thereby obtaining the file.
The blacklist component detects whether the source address of a message hits the blacklist; if it does, the message is discarded and the subsequent detection process is not continued.
The whitelist component detects whether the source address of a message hits the whitelist; if it does, the message is released without continuing the subsequent detection process.
The domain name detection component detects the domain name of the initiator of a message, or a domain name contained in a file.
The reputation detection component detects content contained in a message, such as a URL or a file. The reputation is derived from the hashes of content that generated alarms in past detections; by comparing the hash of a new file with the hashes in the reputation data, efficient content detection is achieved without scanning and detecting the content again.
A method flow of the embodiments of the present application is illustrated below.
Fig. 2 is a flowchart of a method for verifying the function of a security component according to an embodiment of the present application. The method shown in fig. 2 includes the following steps S201 to S207.
Optionally, the network deployment scenario on which the method of fig. 2 is based is the one shown in fig. 1. For example, referring to fig. 1, the protection device in the method of fig. 2 is protection device 24 in fig. 1, the test server in the method of fig. 2 is test server 11 in fig. 1, and the security component tested by the method of fig. 2 is at least one of a fragment serialization processing component, a session reassembly component, a traffic detection component, a file detection component, a protocol identification component, a file restoration component, a domain name detection component, an IP address detection component, a blacklist component, a whitelist component, or a reputation detection component inside protection device 24 in fig. 1.
The method of fig. 2 is described using a test server and a protection device as an example. The protection device is mainly responsible for detecting the test sample and performs steps S202, S203 and S204 in fig. 2; the test server is mainly responsible for comparing the detection result with the expected result to determine whether the security component is working normally, and performs steps S201, S205, S206 and S207 in fig. 2. When the test server and the protection device are implemented together, steps S201 to S207 are all performed by the device in which the two are integrated. For example, when the test server is integrated in the protection device, the steps described below as performed by the test server are actually performed by the protection device.
Step S201, the test server provides a test sample for the protection device.
The test sample is used to test whether the security component in the protection device is functioning normally. The test sample includes at least one of a test message or a message stream carrying a test file. Test messages include, but are not limited to, attack messages or normal messages.
An attack message is a message that launches a network attack. For example, an attack message is a flood attack message, a buffer overflow attack message, or a single-packet attack message (e.g., a malformed message or a scan-type attack message). A normal message is, for example, a traffic message from a client.
Test files include, without limitation, malicious files or normal files. A malicious file used as a test file is, for example, an executable file whose execution on the client causes an attack on the client. The malicious file contains malicious code; for example, it is a file containing a virus, a trojan, or a worm.
In some embodiments, the test sample is at least one packet capture (PCAP) file. A PCAP file is generated by capturing network traffic on an interface, and its contents contain a message stream. Specifically, the data structure of a PCAP file is of the form: header, packet 1, packet 2, ..., packet n, where packet 1, packet 2, ... form the message stream in the PCAP file. Optionally, the message stream in the PCAP file used as the test sample carries a file, and the file carried by the message stream is the test file. Alternatively, the content carried by the message stream in the PCAP file is data other than a file, such as a web page or multimedia data.
The contents of PCAP files used as test samples are illustrated below. Figs. 3, 4 and 5 show the contents of three PCAP files.
Fig. 3 shows the contents of a PowerShell script attack (powershell attack) message. The underlined portion of fig. 3 is the content of the request message, and the non-underlined portion is the content of the response message. The content of the malicious file, a .ps1 script, is shown in bold in fig. 3. The request line ending in ".ps1 HTTP/1.1" together with "host: 185.128.41.90:44" in fig. 3 means that a client requests the .ps1 file from the server with IP address 185.128.41.90:44 using the GET method over HTTP/1.1. "HTTP/1.1 200 ok" in fig. 3 indicates that the server responded successfully.
Fig. 4 shows the contents of a mining login attack (mining login attack) message. The data in fig. 4 represents the four-step interaction of a mining login attack: first, the client sends a mining login request; second, the server returns the mining job contents; third, the client sends a keep-alive heartbeat request to the server; and fourth, the server acknowledges the client's heartbeat request.
Fig. 5 shows the contents of a message carrying a mining virus. The underlined portion of fig. 5 is the content of the request message, and the non-underlined portion is the content of the response message. The bold portion of fig. 5 shows the content of the file, core. "Get /w/southern.txt HTTP/1.1" and "host: 185.128.41.90:443" in fig. 5 mean that the client requests the file southern.txt from the server with IP address 185.128.41.90:443 using the GET method over HTTP/1.1. "HTTP/1.1 200 ok" in fig. 5 indicates that the server responded successfully. southern.txt is a malicious file containing a mining virus (coin miner virus).
Using PCAP files as the samples for verifying the functions of the protection device's components makes it convenient for the protection device to obtain many test messages in batch, and for the test server to provide test messages of different attack types to the protection device separately.
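An added example (not code from the patent) of the PCAP layout described above: a minimal writer and a validating reader for the classic pcap format, a 24-byte global header followed by a 16-byte record header plus captured bytes for each of packet 1 ... packet n, so that a test server can check a sample is intact before issuing it. The link type value and the two benign HTTP messages used as sample contents are constructed assumptions.

```python
"""Writer and validating reader for the classic pcap file layout (global header,
then one record header + data per packet). Illustrative; not the patent's code."""
import struct
from dataclasses import dataclass
from typing import List

MAGIC_USEC = 0xA1B2C3D4        # classic pcap magic, microsecond timestamps
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


@dataclass(frozen=True)
class PcapPacket:
    ts_sec: int
    ts_usec: int
    orig_len: int    # length on the wire
    data: bytes      # captured bytes (never longer than orig_len)


def pkt(ts_sec: int, ts_usec: int, data: bytes) -> PcapPacket:
    """Constructed packet whose captured length equals its wire length."""
    return PcapPacket(ts_sec, ts_usec, len(data), data)


def build_pcap(packets: List[PcapPacket], linktype: int = 1, snaplen: int = 65535) -> bytes:
    """Serialize packets as a little-endian pcap file (linktype 1 = Ethernet is an assumption)."""
    out = bytearray(struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
    for p in packets:
        captured = p.data[:snaplen]
        out += struct.pack("<IIII", p.ts_sec, p.ts_usec, len(captured), p.orig_len)
        out += captured
    return bytes(out)


def parse_pcap(blob: bytes) -> List[PcapPacket]:
    """Parse a pcap file, rejecting truncated or inconsistent records rather than
    silently feeding a damaged sample into the detection pipeline."""
    if len(blob) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == MAGIC_USEC:
        endian = "<"
    elif magic == 0xD4C3B2A1:        # the same magic written big-endian
        endian = ">"
    else:
        raise ValueError(f"not a pcap file (magic 0x{magic:08x})")
    _major, _minor, _tz, _sigfigs, snaplen, _linktype = struct.unpack(
        endian + "HHiIII", blob[4:GLOBAL_HEADER_LEN])
    packets: List[PcapPacket] = []
    off = GLOBAL_HEADER_LEN
    while off < len(blob):
        if len(blob) - off < RECORD_HEADER_LEN:
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", blob[off:off + RECORD_HEADER_LEN])
        off += RECORD_HEADER_LEN
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"inconsistent lengths in record {len(packets) + 1}")
        if len(blob) - off < incl_len:
            raise ValueError(f"truncated packet data in record {len(packets) + 1}")
        packets.append(PcapPacket(ts_sec, ts_usec, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return packets


# Constructed sample: a benign request/response pair, not taken from the patent's figures.
SAMPLE_PACKETS = [
    pkt(1_600_000_000, 0, b"GET /sample.txt HTTP/1.1\r\nHost: test.example\r\n\r\n"),
    pkt(1_600_000_000, 1500, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
]


if __name__ == "__main__":
    blob = build_pcap(SAMPLE_PACKETS)
    for p in parse_pcap(blob):
        print(p.ts_sec, p.ts_usec, p.orig_len, p.data[:20])
```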
Specific implementations of the test server providing the test sample include, but are not limited to, the following first to second implementations.
In the first implementation mode, the test server sends the test sample to the protective equipment.
In some embodiments, the guard device pulls the test sample from the test server. Specifically, the guard device sends a sample acquisition request to the test server. And the test server responds to the sample acquisition request of the protective equipment and sends the test sample to the protective equipment. Optionally, the sample acquisition request is triggered by a command input by an administrator to the guard device; alternatively, the sample acquisition request is triggered once every set time period.
In other embodiments, the test server actively pushes the test sample to the guard device. For example, the test server periodically pushes the test sample. Or when a newly added test sample occurs, the test server pushes the newly added test sample to the protection device.
In the second implementation mode, the test server stores the test sample at a specified storage address that the protection device can access.
The specified storage address is, for example, a storage directory on the file transfer server. The File Transfer server includes, but is not limited to, an HTTP server, an FTP server, a Secure File Transfer Protocol (SSH File Transfer Protocol or Secure FTP, SFTP) server, a Network File System (NFS) server, and the like.
When the second implementation mode is adopted, the file transfer server acts as a relay between the test server and the protection device, and the file transfer server is responsible for sending the test sample to the protection device. Optionally, the test server and the file transfer server provide the test sample in linkage. Specifically, after the test server saves the test sample to the file transfer server, the test server sends a transmission instruction to the file transfer server. The transmission instruction instructs the file transfer server to send the test sample to the protection device. The file transfer server responds to the transmission instruction of the test server by sending the test sample to the protection device.
Step S202, the protection device receives a test sample from the test server.
For example, referring to the scenario shown in fig. 1, the guard device 24 pulls the test sample from the test server 11.
Step S203, the protection device detects the test sample through the security component to generate a detection result.
The content of the detection result covers various cases. Optionally, the detection result indicates whether or not the test sample contains an attack. For example, the detection result is an attack indicator or a no-attack indicator. Or, optionally, the detection result is attack-related information in the test sample. For example, the detection result includes an attack type, a protocol type, a virus type, a malicious domain name, or a malicious IP address.
The attack type is the type to which the attack existing in the test sample belongs. The attack type is a detection result of an IPS component in the protection equipment. The IPS component comprises the fragment serialization processing component, the session recombination component, the flow detection component, the protocol identification component and the domain name detection component.
The protocol type is the type of protocol on which the attack is launched. The protocol type is the detection result of the protocol identification component.
The virus type is the type of virus in the test file. The virus type is the detection result of the file detection component.
The malicious domain name is a domain name in an attack message serving as a test sample. The malicious domain name is a detection result of the domain name detection component.
The malicious IP address is a source IP address of an attack message serving as a test sample, or is an IP address contained in a malicious file serving as a test file. And the malicious IP address is a detection result of the IP address detection component.
The non-attack indicator is used to indicate that no attack is present in the test sample. The attack-free indicator is a detection result of an IPS component or a file detection component in the protection device.
For example, referring to table 1 below, the test samples are the 3 attacking PCAPs shown in table 1. The attack PCAP is an aggressive PCAP file, and the content of the attack PCAP comprises an attack message flow.
TABLE 1
Number | Attack PCAP | IPS component result (attack type) | Protocol identification component result (protocol type) | File detection component result (virus type) | Domain name/IP address component result
1 | 001.PCAP | mining login attack | Jsonrpc/Stratum | none | ss.antpool.com (malicious domain name)
2 | 002.PCAP | powershell attack | HTTP | none | evail.
3 | 003.PCAP | none | HTTP | coin miner virus | 185.128.41.90 (malicious IP address)
In table 1, the attack PCAP numbered 1 is 001.PCAP. 001.PCAP includes messages of a mining login attack. After 001.PCAP passes through each security component in the protection device, the detection result generated by the IPS component is mining login attack (an attack type), the detection result generated by the protocol identification component is Jsonrpc/Stratum (a protocol type), the detection result of the file detection component is none, and the detection result of the domain name/IP address component is ss.antpool.com (a malicious domain name).
The attack PCAP numbered 2 is 002.PCAP. 002.PCAP includes messages of a powershell script attack. After 002.PCAP passes through each security component in the protection device, the detection result generated by the IPS component is powershell attack (powershell script attack, an attack type), the detection result generated by the protocol identification component is HTTP (a protocol type), the detection result of the file detection component is none, and the detection result of the domain name/IP address component is evail.
The attack PCAP numbered 3 is 003.PCAP. 003.PCAP includes a packet stream carrying the file coherence.txt, which contains a coin miner virus. After 003.PCAP passes through each security component in the protection device, the detection result generated by the IPS component is none, the detection result generated by the protocol identification component is HTTP (a protocol type), the detection result of the file detection component is coin miner virus, and the detection result of the domain name/IP address component is 185.128.41.90 (a malicious IP address).
Optionally, the security components in the protection device process the test sample serially. For example, security component 1 first detects the test sample and then passes the detected test sample on to security component 2; security component 2 then detects the test sample already detected by security component 1. Or, optionally, the security components in the protection device process the test sample in parallel; for example, security component 1 and security component 2 detect the test sample simultaneously.
Step S204, the protection device sends the detection result to the test server.
For example, referring to the scenario shown in fig. 1, the protection device 24 uploads the detection result to the test server 11.
Step S205, the test server acquires the detection result of the protection device.
Optionally, the detection result is the content of a detection log (also called a check log). The detection log is a log generated by the security component when detecting the test sample. The detection log includes at least the detection results shown in table 1. Optionally, the detection log further includes a detection time, an identifier of the security component, and the like. In that case, step S204 is implemented by the protection device sending a detection log containing the detection result, and step S205 is implemented by the test server receiving the detection log from the protection device and obtaining the detection result from the detection log.
Step S206, the test server compares the detection result with an expected result corresponding to the test sample.
The expected result indicates the detection result that a normally functioning security component generates when detecting the test sample. For example, in a case where the test sample includes an attack packet or a packet stream carrying a malicious file, the expected result corresponding to the test sample indicates that the test sample contains an attack; for example, the expected result includes an attack type, a protocol type, a virus type, a malicious domain name, or a malicious IP address. For another example, in a case where the test sample includes a normal message or a message stream carrying a normal file, the expected result corresponding to the test sample indicates that there is no attack in the test sample (or that the test sample is normal). The expected result then includes, for example, a no-attack indicator, a protocol type, a normal domain name, or a normal IP address.
In some embodiments, the test server pre-stores the expected results. For example, the test server maintains a library of expected results that includes correspondences between test samples and expected results. And the test server queries the expected result from the expected result library according to the test sample to obtain the expected result.
Alternatively, the expected result is generated by manual annotation by an administrator.
Step S207, if the detection result is consistent with the expected result, the test server determines that the security component is functioning normally.
For example, in the case where the test sample includes an attack message or a message stream carrying a malicious file, the test server determines that the security component is not functioning properly if the detection result includes an indicator of no attack. For another example, in the case that the test sample includes a normal message or a message stream carrying a normal file, if the detection result includes an attack type, the test server determines that the security component is not functioning properly.
Further optionally, the test server determines that the security component is not functioning properly if the detection result is inconsistent with the expected result.
In the method provided by this embodiment, a test packet or a packet stream carrying a test file, etc., is provided as a test sample to the protection device; the test sample flows through the security components in the protection device as input traffic; the security components detect the test sample to generate a detection result; the detection result generated by the security components is compared with an expected result; and whether the security components are functioning normally is determined according to the comparison result. The method supports function verification while the protection device is deployed in an actual network, suits scenarios in which the security component is frequently upgraded and changed, and helps to find a security component whose function has failed in actual use in a timely manner. Meanwhile, the method supports automatic execution of the function verification process, avoids the complex operation of manual testing, and improves testing efficiency. Therefore, the method improves the effect of verifying the functions of the security component.
Step S201 of the method shown in fig. 2 is further described below, and is described in detail in steps S2011 to S2014. The following steps S2011 to S2014 are described by taking the provided test sample as the first test sample.
Step S2011, the protection device generates a download request and sends the download request to the test server.
The download request requests a test sample to be downloaded from a test server. The download request includes the device identification of the guard device and the address of the test server. The download request is, for example, a file transfer protocol based request. For example, the download request is an HTTP request or an FTP request.
The device identification is used to identify the protection device. Optionally, the device identifier in this embodiment is an Electronic Serial Number (ESN). The ESN is data that uniquely identifies a device, also called the device's own electronic label, e.g., 1020608946. Because the ESN is the unique ID, the type of the equipment can be determined according to the ESN, and therefore, the subsequent processing process is more convenient. Alternatively, the device identification is an IP address or a MAC address. In some embodiments, the device identification is pre-stored in the guard device.
The address of the test server is, for example, an IP address or a domain name of the test server. In some embodiments, the address of the test server is entered into the protection device by an administrator. For example, the configuration specification of the protection device contains the address of the test server, and the administrator configures the address given by the specification into the protection device. In other embodiments, before the protection device leaves the factory, the manufacturer stores the address of the test server in the configuration file of the protection device in advance; after the protection device is deployed and powered on in an actual network, the protection device automatically reads the address of the test server from the configuration file and sends a download request to the test server when a set condition is met. The set conditions include, but are not limited to, completion of initialization, or operation in the actual network having exceeded a predetermined period of time. In other embodiments, the vendor sends the address of the test server along with the component update package to the protection device already deployed in the actual network, so that the address of the test server can be updated.
In an exemplary embodiment, the download request is an HTTP request and the address of the test server is sec.huawei.com. The protection device sends a download request with the following content in order to pull the attack PCAP file from the test server by HTTP download.
GET /PCAP?esn=1020608946 HTTP/1.1
host: sec.huawei.com
Step S2012, the test server receives a download request from the protection device.
Step S2013, the test server queries the sample library according to the device identifier carried in the download request to obtain a first test sample.
The first test sample is a test sample corresponding to the device identifier in the sample library, and the sample library includes at least one set of correspondence between the device identifier and the test sample.
Step S2014, the test server sends the first test sample to the protection device.
For example, the device identifier is an ESN, the test sample is an attack PCAP file, and a one-to-one correspondence between the ESN and the attack PCAP file is stored in the sample library. And the test server acquires the ESN carried by the download request, queries the sample library according to the ESN carried by the download request so as to obtain an attack PCAP file corresponding to the ESN, and returns the attack PCAP file corresponding to the ESN to the protective equipment.
Optionally, the sample library includes correspondence between device identifications of different types of the protection devices and different types of test samples, so that the test server provides different types of test samples for the different types of protection devices by using the sample library. For example, the sample library includes a correspondence between a device identifier of a firewall and a Server Message Block (SMB) brute-force attack PCAP, a correspondence between a device identifier of a situation-aware device and a command and control (C & C) remote control attack PCAP, and a correspondence between a device identifier of an IPS device and a Structured Query Language (SQL) injection attack PCAP. After receiving a downloading request from a firewall, the testing server inquires an SMB brute force attack PCAP from the sample library according to the equipment identification of the firewall in the downloading request and provides the SMB brute force attack PCAP for the firewall; after receiving the downloading request from the situation awareness equipment, the test server inquires a C & C remote control attack PCAP from the sample library according to the equipment identification of the situation awareness equipment in the downloading request, and provides the C & C remote control attack PCAP for the situation awareness equipment.
In consideration of the fact that functions required to be verified by different devices may be different, the test server provides the test samples through the steps S2011 to S2014, which is beneficial to providing the test samples more matched with specific functions of the devices, is convenient for performing targeted verification on different devices by using different test samples, and is beneficial to more precise and flexible function verification.
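As an added illustration of steps S2011 to S2014 (example code, not part of the patent), the following models the test server side: it parses the download request shown above, extracts the ESN, and looks the ESN up in a sample library that maps device types to the attack PCAPs named in the description. The ESN 1020608946, the host sec.huawei.com and the device-type to PCAP pairing come from the text; the two extra ESNs, the file names and the PCAP contents are constructed stand-ins.

```python
"""Test-server handling of the protection device's download request
(steps S2011-S2014).  Added example; constants below are constructed
except where the description states them."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Sample library, first level: device identifier (ESN) -> device type.
# 1020608946 is the ESN used in the description; the other two are constructed.
DEVICE_TYPE_BY_ESN = {
    "1020608946": "firewall",
    "1020608947": "situation-aware",
    "1020608948": "ips",
}
# Sample library, second level: device type -> (file name, PCAP bytes).
# The pairing follows the description; names and bytes are placeholders.
SAMPLE_BY_DEVICE_TYPE = {
    "firewall": ("smb_bruteforce.pcap", b"<constructed SMB brute-force PCAP>"),
    "situation-aware": ("cc_remote_control.pcap", b"<constructed C&C PCAP>"),
    "ips": ("sql_injection.pcap", b"<constructed SQL injection PCAP>"),
}


@dataclass
class DownloadRequest:
    esn: str
    host: str


def parse_download_request(raw: str) -> DownloadRequest:
    """Parse 'GET /PCAP?esn=<ESN> HTTP/1.1' plus the host header.
    Raises ValueError for anything that is not a well-formed download request."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty request")
    method, target, version = lines[0].split()      # ValueError if not 3 tokens
    if method != "GET" or not version.startswith("HTTP/"):
        raise ValueError("not an HTTP GET download request")
    parts = urlsplit(target)
    if parts.path != "/PCAP":
        raise ValueError("unexpected request path")
    esn_values = parse_qs(parts.query).get("esn")
    if not esn_values or not esn_values[0].isdigit():
        raise ValueError("download request must carry a numeric ESN")
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return DownloadRequest(esn=esn_values[0], host=host)


def lookup_sample(esn: str) -> Optional[Tuple[str, bytes]]:
    """Step S2013: query the sample library by device identifier."""
    device_type = DEVICE_TYPE_BY_ESN.get(esn)
    if device_type is None:
        return None
    return SAMPLE_BY_DEVICE_TYPE[device_type]


def handle_download(raw: str) -> Tuple[int, str, bytes]:
    """Return (HTTP status, file name, body).  400 for a malformed request,
    404 for an ESN that is not in the sample library, else 200 with the PCAP."""
    try:
        request = parse_download_request(raw)
    except ValueError:
        return 400, "", b""
    sample = lookup_sample(request.esn)
    if sample is None:
        return 404, "", b""
    return 200, sample[0], sample[1]


if __name__ == "__main__":
    # The request given in the description, as the firewall would send it.
    print(handle_download("GET /PCAP?esn=1020608946 HTTP/1.1\nhost: sec.huawei.com\n")[:2])
```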
In some embodiments, after the test server executes step S206 in the method shown in fig. 2, the test server generates a function verification result according to whether the detection result is consistent with the expected result, and stores the generated function verification result, so that whether the function is normal can be determined by interacting with the stored function verification result.
The functional verification result is used to indicate whether the function of the security component is normal. For example, the functional verification result includes a first indicator or a second indicator. Indicating that the security component is functioning properly if the functional verification result includes the first indicator; if the functional verification result includes a second indicator, indicating that the security component is malfunctioning. Optionally, the functional verification result further includes an identification of the security component, thereby indicating the particular security component to which the result corresponds.
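As an added illustration of steps S205 to S207 and of the function verification result just described (example code, not part of the patent), the following parses detection-log lines uploaded by the protection device, compares each security component's result with the expected-result library, and produces a first or second indicator per component. The log line layout, the component names and the indicator encoding are assumptions; the expected values reproduce rows 1 and 3 of table 1, and the sample log is constructed so that the file detection component reports no attack for 003.PCAP and therefore fails.

```python
"""Test-server comparison of detection results with expected results
(steps S205-S207) and generation of the function verification result.
Added example; the log format and indicator values are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

FUNCTION_OK = 1       # "first indicator": the security component works normally
FUNCTION_FAILED = 2   # "second indicator": the security component malfunctions

# Expected-result library: test sample -> {security component: expected result}.
# Values are rows 1 and 3 of table 1; "none" means the component should report nothing.
EXPECTED_RESULTS: Dict[str, Dict[str, str]] = {
    "001.PCAP": {"ips": "mining login attack", "protocol": "Jsonrpc/Stratum",
                 "file": "none", "domain_ip": "ss.antpool.com"},
    "003.PCAP": {"ips": "none", "protocol": "HTTP",
                 "file": "coin miner virus", "domain_ip": "185.128.41.90"},
}

# Constructed detection log as uploaded in step S204 (assumed '|'-separated
# layout: time | ESN | test sample | security component | detection result).
SAMPLE_DETECTION_LOG = """
2021-02-03T10:00:00 | 1020608946 | 001.PCAP | ips | mining login attack
2021-02-03T10:00:00 | 1020608946 | 001.PCAP | protocol | Jsonrpc/Stratum
2021-02-03T10:00:00 | 1020608946 | 001.PCAP | file | none
2021-02-03T10:00:00 | 1020608946 | 001.PCAP | domain_ip | ss.antpool.com
2021-02-03T10:00:01 | 1020608946 | 003.PCAP | ips | none
2021-02-03T10:00:01 | 1020608946 | 003.PCAP | protocol | HTTP
2021-02-03T10:00:01 | 1020608946 | 003.PCAP | file | no attack
2021-02-03T10:00:01 | 1020608946 | 003.PCAP | domain_ip | 185.128.41.90
"""


@dataclass
class DetectionRecord:
    time: str
    esn: str
    sample: str
    component: str
    result: str


def parse_detection_log(text: str) -> List[DetectionRecord]:
    """Step S205: extract detection results from the detection log.
    Blank lines are skipped; a line with the wrong field count is rejected."""
    records: List[DetectionRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            raise ValueError(f"malformed detection log line: {line!r}")
        records.append(DetectionRecord(*fields))
    return records


def verify_components(records: List[DetectionRecord]) -> Dict[str, int]:
    """Steps S206/S207 per security component.  A component gets the second
    indicator if any of its results for a known sample differs from the
    expected result; a component absent from the log for a sample is treated
    as having reported "none", so a silently missing attack verdict on an
    attack sample counts as a failure rather than a pass."""
    seen: Dict[str, Dict[str, str]] = {}          # sample -> {component: result}
    for rec in records:
        seen.setdefault(rec.sample, {})[rec.component] = rec.result
    verdict: Dict[str, int] = {}
    for sample, expected in EXPECTED_RESULTS.items():
        got = seen.get(sample)
        if got is None:
            continue                               # sample not in this upload
        for component, exp in expected.items():
            actual = got.get(component, "none")
            if actual.lower() == exp.lower():
                verdict.setdefault(component, FUNCTION_OK)
            else:
                verdict[component] = FUNCTION_FAILED
    return verdict


def function_verification_result(esn: str, text: str) -> Dict[str, object]:
    """Record stored by the test server: device identifier plus, per security
    component identifier, the first or second indicator."""
    return {"esn": esn, "components": verify_components(parse_detection_log(text))}


if __name__ == "__main__":
    print(function_verification_result("1020608946", SAMPLE_DETECTION_LOG))
```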
For an example of how to use the above function verification result, see the following cases one to three.
In case one, a functional verification result is provided to a registrant of the administrator account.
Case one includes the following steps a to D.
Step A, the test server responds to a registration request by storing the correspondence between the device identifier and the administrator account in an account information table.
The registration request is used for requesting registration of an administrator account. The registration request contains an administrator account and the equipment identifier of the protective equipment. The registration request is triggered by a registration operation of an administrator of the guard.
The account information table is used for storing information related to the administrator account. The account information table includes a correspondence between at least one set of device identifiers and administrator accounts. After receiving the registration request, the test server obtains the device identifier and the administrator account from the registration request, and correspondingly stores the obtained device identifier and the administrator account into an account information table.
In some embodiments, the registration request further includes a password. And the test server obtains the password from the registration request, and stores the corresponding relation between the administrator account and the password in the account information table.
Illustratively, the administrator registers a unique administrator account number according to the ESN of the protective equipment, and three fields are filled in during registration: ESN, username (username) and password (password), thereby triggering the registration request. The content of the ESN field is a device identifier, the content of the username field is an administrator account, and the content of the password field is a password.
Alternatively, step a is performed before step S201 in the method shown in fig. 2.
Step B, the test server stores the correspondence between the function verification result and the device identifier in a result information table.
The result information table is used for storing information related to the function verification result. The result information table includes a correspondence between at least one set of device identification and the function verification result.
Optionally, when the protection device executes step S202 in fig. 2, in addition to sending the detection result to the test server, the protection device also sends its device identifier to the test server. For example, the protection device encapsulates the detection result and the device identifier in the same message and sends that message to the test server. When executing step S203 in fig. 2, the test server receives the device identifier from the protection device in addition to the detection result. When executing step B, the test server stores the correspondence between the device identifier uploaded by the protection device along with the detection result and the function verification result in the result information table.
Step C, in response to a query request, the test server queries the account information table and the result information table according to the administrator account, thereby obtaining the function verification result corresponding to the device identifier.
The query request is used for querying the function verification result of the security component in the protection device. The query request contains an administrator account.
Optionally, after the test server obtains the administrator account from the query request, the test server queries an account information table according to the administrator account, so as to obtain a device identifier corresponding to the administrator account; and then, the test server queries the result information table according to the equipment identifier, so as to obtain a function verification result corresponding to the equipment identifier.
Step D, the test server provides the function verification result corresponding to the device identifier to the initiator of the query request.
Optionally, the initiator of the query request is an administrator or a third party.
Optionally, in a scenario where multiple protection devices exist, the account information table stores a correspondence between one administrator account and device identifiers of the multiple protection devices. The test server queries the account information table and the result information table according to the administrator account, so that a plurality of function verification results corresponding to the plurality of equipment identifications are obtained, and the plurality of function verification results are provided for an initiator of the query request, so that an administrator can check the condition of each protection equipment in a batch manner.
In some embodiments, before the test server provides the function verification result, it determines whether the administrator account is in a logged-in state; the function verification result is provided when the administrator account is logged in, and is refused when the administrator account is not logged in. One way for the administrator account to log in is for the administrator to trigger a login request that includes the administrator account and a password. The test server receives the login request and queries the account information table according to the administrator account in the login request to obtain the password corresponding to the administrator account. If the password in the login request is the same as the password obtained from the account information table, the test server determines that the password is correct and accepts the login request. If the password in the login request differs from the password obtained from the account information table, the test server determines that the password is wrong and rejects the login request.
Through the manner provided by steps A to D, on the one hand an information channel is provided that helps the administrator learn whether the functions of all components of the protection device are normal; on the other hand, access control is performed based on the account: a visitor holding the administrator account can obtain the information on whether the functions of the components of the protection device are normal, and a visitor who does not hold the administrator account cannot, so that information security is improved.
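As an added model of case one, steps A to D (example code, not part of the patent), the following keeps the account information table (ESN to administrator account, one account may own several devices) and the result information table (ESN to function verification result), checks the administrator's login state before answering a query, and returns the results for every device registered under that account. One stated departure from the text: the description compares the submitted password with the stored password directly, whereas this example stores a salted PBKDF2 hash and compares hashes, so the account information table never holds the password itself. All ESNs, user names and passwords below are constructed.

```python
"""Account information table, result information table, login check and
query path of case one (steps A-D).  Added example; password hashing is an
addition to the described method, and all sample values are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

FUNCTION_OK = 1       # first indicator
FUNCTION_FAILED = 2   # second indicator

PBKDF2_ROUNDS = 100_000   # chosen for the example; not a value from the text


class TestServer:
    def __init__(self) -> None:
        # Account information table: administrator account -> device identifiers (ESNs).
        self.accounts: Dict[str, Set[str]] = {}
        # Credential part of the account information table: account -> (salt, hash).
        self.credentials: Dict[str, Tuple[bytes, bytes]] = {}
        # Result information table: ESN -> {security component: indicator}.
        self.results: Dict[str, Dict[str, int]] = {}
        # Accounts currently in the logged-in state.
        self.logged_in: Set[str] = set()

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _check_password(self, username: str, password: str) -> bool:
        salt, stored = self.credentials[username]
        # Constant-time comparison of the stored and recomputed hashes.
        return hmac.compare_digest(stored, self._hash(password, salt))

    def register(self, esn: str, username: str, password: str) -> bool:
        """Step A: registration request with the ESN, username and password
        fields.  An existing account may add a further device only when the
        supplied password matches; returns False otherwise."""
        if username not in self.credentials:
            salt = os.urandom(16)
            self.credentials[username] = (salt, self._hash(password, salt))
        elif not self._check_password(username, password):
            return False
        self.accounts.setdefault(username, set()).add(esn)
        return True

    def login(self, username: str, password: str) -> bool:
        """Accept the login request only when the password verifies."""
        if username not in self.credentials or not self._check_password(username, password):
            return False
        self.logged_in.add(username)
        return True

    def store_result(self, esn: str, component: str, indicator: int) -> None:
        """Step B: store the function verification result against the ESN that
        the protection device uploaded with its detection result."""
        self.results.setdefault(esn, {})[component] = indicator

    def query(self, username: str) -> Optional[Dict[str, Dict[str, int]]]:
        """Steps C-D: resolve account -> ESNs -> results.  Returns None (refused)
        unless the account is in the logged-in state."""
        if username not in self.logged_in:
            return None
        return {esn: dict(self.results.get(esn, {}))
                for esn in sorted(self.accounts.get(username, ()))}


def demo() -> Optional[Dict[str, Dict[str, int]]]:
    """Constructed walk-through: one administrator owning two protection devices."""
    server = TestServer()
    server.register("1020608946", "fw-admin", "constructed-password")
    server.register("1020608947", "fw-admin", "constructed-password")
    server.store_result("1020608946", "ips", FUNCTION_OK)
    server.store_result("1020608947", "file", FUNCTION_FAILED)
    assert server.query("fw-admin") is None          # not logged in yet: refused
    server.login("fw-admin", "constructed-password")
    return server.query("fw-admin")


if __name__ == "__main__":
    print(demo())
```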
In case two, an upgrade of the component is triggered according to the function verification result.
In some embodiments, the test server or the safeguarding device upgrades the security component if the functional verification result indicates that the security component is not functioning properly. For example, the test server sends an upgrade instruction to the protection device, where the upgrade instruction carries resources required for upgrading the security component, such as a patch file or a latest version of an installation package. The security device executes the upgrade instructions to upgrade the security component.
In case three, a notification is sent according to the function verification result.
In some embodiments, the test server sends a notification message if the functional verification result indicates that the security component is not functioning properly. The notification message is used for informing an administrator of the protective equipment or a functional verification result of the protective equipment. For example, in the case where the destination of the notification message is an administrator, the test server sends the notification message to the administrator by means of mail, short message, or the like, thereby notifying the administrator that the security component is not functioning properly so that the administrator may handle the failure existing on the security component; for another example, in the case that the destination of the notification message is a protection device, the test server notifies the protection device that the security component is not functioning properly by sending the notification message, so that the protection device upgrades the security component, thereby automatically correcting the failure.
In some embodiments, step S201 in the method shown in fig. 2 is implemented by means of encrypted downloading. Specifically, the test server encrypts the test sample to obtain the encrypted test sample. And the test server sends the encrypted test sample to the protection equipment. The protection device receives the encrypted test sample from the test server, decrypts the encrypted test sample to obtain a test sample in a plaintext form, and detects the test sample in the plaintext form.
Optionally, the encrypted download is implemented by downloading the test sample over HTTPS. Specifically, the process of step S201 includes: when a test sample needs to be obtained, the protection device negotiates with the test server to establish an HTTPS connection, generates a Hyper Text Transfer Protocol Secure (HTTPS) request, and sends the HTTPS request to the test server over the HTTPS connection. The test server receives the HTTPS request from the protection device and generates an HTTPS response. The HTTPS response includes the encrypted test sample. The test server sends the HTTPS response to the protection device over the HTTPS connection. The protection device receives the HTTPS response from the test server and obtains the encrypted test sample from the HTTPS response.
Optionally, the same key is used for both the test server encryption and the guard device decryption. Or optionally, the test server encrypts the test sample by using a public key of the protection device, and the protection device decrypts the encrypted test sample by using a private key of the protection device.
By adopting the encrypted download mode, failure of function verification caused by interception of the test sample is avoided. Specifically, a plurality of protection devices may be deployed in the local area network, and in a case where the test sample is an attack message or a message stream carrying a malicious file, if the test sample is transmitted in plaintext form, the test sample may be intercepted by a security device deployed in front of the protection device to be tested, so that the test sample cannot reach the protection device to be tested and the subsequent function verification process cannot continue. By encrypting the test sample so that it is transmitted in ciphertext form, the probability that the test sample is intercepted by a security device at a forward deployment position is reduced, and the transmission success rate of the test sample is improved.
In some embodiments, the network security of the local area network is evaluated using the method illustrated in FIG. 2. Specifically, in the method shown in fig. 2, the protection device is deployed in a local area network, and in the method shown in fig. 2, the test server is deployed in the internet. The local area network is configured with an access control policy, and the access control policy is used for prohibiting the protection equipment in the local area network from receiving data from the Internet. For example, the access control policy includes matching conditions and actions. The source address of the matched condition in the access control strategy comprises an IP address or a network segment of the Internet, and the action in the access control strategy comprises prohibition.
After the test server in the internet sends the test sample to the protection device in the local area network, if the test sample is successfully transmitted to the protection device, the test server in the internet determines that the protection of the local area network has a vulnerability. One possible implementation of determining that the test sample was successfully transmitted to the protection device is that, if the protection device successfully receives the test sample from the test server in the internet, the protection device generates a confirmation message and sends it to the test server in the internet. After sending the test sample, if the test server in the internet receives the confirmation message from the protection device within a certain time, it determines that the test sample was successfully transmitted to the protection device.
In the above manner, during actual network use, not only whether the detection function of the protection device is normal can be evaluated, but also whether the local area network is securely deployed. For example, see fig. 6, where the protection device is the firewall in fig. 6. As shown in fig. 6, the firewall serves as a client for detecting protection vulnerabilities of the local area network; the firewall is placed inside the local area network, and a plurality of switches are deployed in front of the firewall. If the test sample enters the local area network from the internet and reaches the firewall after passing through the plurality of switches, it is determined that the network protection of the local area network has a vulnerability. This usage mode supports attack demonstration or network security defense evaluation scenarios and has high value.
The method shown in FIG. 2 is illustrated below with reference to an example.
Example 1
As shown in fig. 7, example 1 includes the following steps 1 to 5. The test sample in fig. 2 is the attack PCAP in fig. 7. The protection device in fig. 2 is the firewall deployed in the customer N local area network in fig. 7. The test server in fig. 2 is the test server deployed in the internet in fig. 7.
1. The firewall is connected to the customer N local area network, network communication is guaranteed, the forwarding function can be fully provided, and the firewall can also connect to the internet. A firewall administrator registers an account in the cloud (the test server in the internet), sets the option to connect to the test server, and starts the operation of pulling the attack PCAP.
In addition, the firewall administrator configures the firewall security policy (for each security component) and upgrades the detection library of each component. (In actual use, because of the long interval between sale and deployment, the firewall component detection libraries lag behind the latest detection library; the latest detection library is updated every day, and the component detection function needs to be kept in the latest state in order to guarantee the detection capability and effect.)
The firewall administrator logs in to the internet server address (the address is given in the product specification). After the firewall administrator completes registration, the firewall starts the detection function. After the detection function is started, the firewall actively connects to the address of the internet server and pulls the attack PCAP file from the internet server.
2. The firewall takes the attack PCAP pulled from the test server as the input of the detection function, and all the security components cooperate with each other in the detection flow to detect the attack PCAP.
3. Each security component processes the network traffic in the attack PCAP and generates a corresponding detection result.
In an actual deployment, a user downloads a file from the internet, the traffic carrying the file passes through the firewall, and finally the file is transmitted to the user equipment. In this process, the downloaded file passes through the security components in its entirety. The process in which the firewall pulls the corresponding attack PCAP is consistent with the actual deployment situation. The attack PCAP is processed in the firewall in the form of a packet stream; during processing, after each security component has detected the packet stream, it generates a corresponding detection log for the attack PCAP.
4. The firewall uploads the detection result corresponding to each component to the test server in the internet.
After the firewall generates the detection result, the firewall actively uploads the detection result to the internet server. When uploading the detection result, the firewall also carries the firewall device identifier, such as the ESN.
5. The test server compares the detection result uploaded by the firewall with the expected result to determine whether the function of the security component is normal. If the security component is not functioning properly, the test server notifies an administrator to address the corresponding failure, or corrects the failure automatically.
In addition, the test server associates the acquired detection log, according to the device identifier, with the account created by the firewall administrator in step 1.
In addition, after the test server completes the function verification, the function verification result is synchronized to the firewall. If the firewall determines, according to the function verification result returned by the test server, that the function of a certain component is abnormal, the firewall actively upgrades the corresponding component or notifies an administrator through a message, so that the fault is eliminated. The synchronization comprises two modes. In the first synchronization mode, after the firewall uploads the detection log, the test server in the internet directly returns the function verification result. In the second mode, after the firewall uploads the detection log, the firewall actively sends a request to the test server in the internet at intervals to obtain the function verification results in batches.
This embodiment is based on a cloud-firewall architecture and achieves efficient verification and evaluation of the functions of the firewall security components. Compared with the related technology, the usage effect and usage cost of the security components are greatly improved: testing on actual data is achieved, 100% verification and evaluation of the security component functions is achieved, and component functional faults are sensed in advance, so that the security risk to the customer local area network caused by component faults is avoided.
Alternatively, the deployment location of the test server in fig. 7 is changed from the internet to the local area network. As shown in fig. 8, the test service is provided by placing a general server or a third-party device in the local area network as the test server, which can also achieve the intended goal.
The functionality of the test server in fig. 7 may also be placed inside the protection device. As shown in fig. 9, the test service is placed in a firewall (a kind of protection device), and the firewall calls the internal test service to test the security components, thereby providing the function verification service.
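Steps 1 to 5 above, modelled as an added example that is not part of the patent: a minimal Python test server with a sample library keyed by device identifier, comparison of per-component detection results with the expected results, the account and result information tables, and both synchronization modes. The device identifier, administrator account, component names and result strings are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Detection result vocabulary modelled on claim 8: an attack type, virus type,
# malicious domain name / IP address, or an indicator of no attack.
NO_ATTACK = "no_attack"


@dataclass
class TestSample:
    """A test sample (here an attack PCAP) and, per security component,
    the detection result that component is expected to produce."""
    name: str
    expected: Dict[str, str]


@dataclass
class VerificationResult:
    """Function verification result for one device and one sample."""
    device_id: str
    sample: str
    component_ok: Dict[str, bool]  # component name -> functioning normally?

    def all_normal(self) -> bool:
        return all(self.component_ok.values())

    def abnormal_components(self) -> List[str]:
        return sorted(c for c, ok in self.component_ok.items() if not ok)


class TestServer:
    """Hypothetical server side of the cloud-firewall flow of Example 1."""

    def __init__(self) -> None:
        self.sample_library: Dict[str, List[TestSample]] = {}  # ESN -> samples
        self.account_table: Dict[str, str] = {}  # ESN -> administrator account
        self.result_table: Dict[str, List[VerificationResult]] = {}  # ESN -> results
        self._pending: Dict[str, List[VerificationResult]] = {}  # batch pull queue

    # Step 1: the administrator registers an account and binds the firewall's ESN.
    def register(self, admin_account: str, device_id: str) -> None:
        self.account_table[device_id] = admin_account

    # Step 1: the firewall pulls its test sample; the library is keyed by ESN,
    # so a device receives only the sample recorded for its identifier.
    def handle_download_request(self, device_id: str) -> Optional[TestSample]:
        samples = self.sample_library.get(device_id, [])
        return samples[0] if samples else None

    # Steps 4 and 5: the firewall uploads per-component detection results
    # together with its ESN; each result is compared with the expected one.
    def handle_upload(self, device_id: str, sample_name: str,
                      detection: Dict[str, str]) -> VerificationResult:
        matches = [s for s in self.sample_library.get(device_id, [])
                   if s.name == sample_name]
        if not matches:
            raise ValueError(f"no sample {sample_name!r} for device {device_id!r}")
        component_ok = {}
        for component, expected in matches[0].expected.items():
            # A component that produced no log is treated as reporting
            # "no attack": that is correct only where nothing was expected,
            # so a silent component facing an attack sample counts as abnormal.
            observed = detection.get(component, NO_ATTACK)
            component_ok[component] = observed == expected
        result = VerificationResult(device_id, sample_name, component_ok)
        self.result_table.setdefault(device_id, []).append(result)
        self._pending.setdefault(device_id, []).append(result)
        return result  # first synchronization mode: returned directly

    # Second synchronization mode: the firewall fetches results in batches.
    def pull_results(self, device_id: str) -> List[VerificationResult]:
        return self._pending.pop(device_id, [])

    # Administrator query: account -> bound device identifiers -> stored results.
    def query_by_account(self, admin_account: str) -> Dict[str, List[VerificationResult]]:
        return {esn: self.result_table.get(esn, [])
                for esn, acct in self.account_table.items() if acct == admin_account}


def remediation_actions(result: VerificationResult) -> List[str]:
    """Step 5 follow-up for each abnormal component: upgrade it and notify
    the administrator of the device (constructed action labels)."""
    actions: List[str] = []
    for component in result.abnormal_components():
        actions.append(f"upgrade:{component}")
        actions.append(f"notify:{result.device_id}:{component}")
    return actions


DEVICE = "ESN-CONSTRUCTED-0001"  # constructed device identifier (ESN)


def build_demo_server() -> TestServer:
    """Constructed sample library: one attack PCAP with expected results."""
    srv = TestServer()
    srv.register("admin_customer_n", DEVICE)
    srv.sample_library[DEVICE] = [TestSample("attack_pcap_01", {
        "ips": "attack_type:web_attack",
        "antivirus": "virus_type:trojan",
        "url_filter": "malicious_domain:bad.example",
        "dns_filter": NO_ATTACK,  # this sample carries no DNS abuse
    })]
    return srv


# Constructed upload: the antivirus library lags behind, so the trojan is missed,
# and the DNS filter (correctly) logged nothing.
DEMO_UPLOAD = {
    "ips": "attack_type:web_attack",
    "antivirus": NO_ATTACK,
    "url_filter": "malicious_domain:bad.example",
}

if __name__ == "__main__":
    server = build_demo_server()
    res = server.handle_upload(DEVICE, "attack_pcap_01", DEMO_UPLOAD)
    print(res.abnormal_components(), remediation_actions(res))
```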
The basic hardware structure of the test server is illustrated below.
Fig. 10 is a schematic structural diagram of a test server according to an embodiment of the present application. The test server 600 shown in fig. 10 is used to implement the methods performed by the test server in the various embodiments described above.
Optionally, referring to fig. 1, the test server 600 shown in fig. 10 is the test server 11 in fig. 1.
Optionally, referring to fig. 2, the testing server 600 shown in fig. 10 is the testing server in the method shown in fig. 2.
The test server 600 comprises at least one processor 601, a memory 602 and at least one network interface 603.
The processor 601 is, for example, a Central Processing Unit (CPU), a Network Processor (NP), a Graphics Processing Unit (GPU), a neural-Network Processing Unit (NPU), a Data Processing Unit (DPU), a microprocessor, or one or more integrated circuits for implementing the present disclosure. For example, the processor 601 includes an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. PLDs are, for example, Complex Programmable Logic Devices (CPLDs), field-programmable gate arrays (FPGAs), General Array Logic (GALs), or any combination thereof.
The memory 602 is, for example, but not limited to, a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Optionally, the memory 602 is separate and coupled to the processor 601 through an internal connection 604. Alternatively, the memory 602 and the processor 601 are integrated.
The network interface 603 uses any transceiver or the like for communicating with other devices or a communication network. The network interface 603 includes, for example, at least one of a wired network interface or a wireless network interface. The wired network interface is, for example, an ethernet interface. The ethernet interface is for example an optical interface, an electrical interface or a combination thereof. The wireless network interface is, for example, a Wireless Local Area Network (WLAN) interface, a cellular network interface, or a combination thereof.
In some embodiments, processor 601 includes one or more CPUs, such as CPU0 and CPU1 shown in FIG. 10.
In some embodiments, test server 600 optionally includes a plurality of processors, such as processor 601 and processor 605 shown in FIG. 10. Each of these processors is, for example, a single-core processor (single-CPU) or, for example, a multi-core processor (multi-CPU). A processor herein may alternatively refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
In some embodiments, the test server 600 also includes an internal connection 604. The processor 601, the memory 602, and the at least one network interface 603 are connected by an internal connection 604. Internal connections 604 comprise pathways that convey information between the aforementioned components. Optionally, the internal connection 604 is a single board or a bus. Alternatively, the internal connections 604 are divided into address buses, data buses, control buses, and the like.
In some embodiments, the test server 600 also includes an input-output interface 606. The input-output interface 606 is connected to the internal connection 604.
In some embodiments, the input/output interface 606 is used to interface with an input device, and receive commands or data related to the above embodiments, such as expected results corresponding to the test sample, an administrator account number, and an address of the test server, which are input by a user through the input device. Input devices include, but are not limited to, a keyboard, a touch screen, a microphone, a mouse or a sensing device, etc.
In some embodiments, the input-output interface 606 is also used to connect with output devices. The input-output interface 606 outputs, via the output device, intermediate results and/or final results, such as the function verification result, generated by the processor 601 executing the method of fig. 2. Output devices include, but are not limited to, a display, a printer, a projector, and the like.
Alternatively, the processor 601 may implement the method in the above embodiment by reading the program code 610 saved in the memory 602, or the processor 601 may implement the method in the above embodiment by internally storing the program code. In the case where the processor 601 implements the method in the above-described embodiment by reading the program code 610 stored in the memory 602, the program code implementing the function verification method provided in the embodiment of the present application is stored in the memory 602.
The memory 602 is used to store program code 610; the processor 601, after reading the program code 610 stored in the memory 602, is configured to perform the following operations: instructing the network interface 603 to provide a test sample to the protection device, where the test sample includes at least one of a test packet or a packet stream carrying a test file; obtaining a detection result generated by detecting the test sample by the security component in the protective equipment through the network interface 603; comparing the detection result with an expected result corresponding to the test sample; and if the detection result is consistent with the expected result, determining that the safety component is in normal function.
Optionally, the memory 602 is also used for storing a sample library. The processor 601 is further configured to, after reading the program code 610 stored in the memory 602, perform the following operations: receiving a download request from the protection device through the network interface 603, where the download request includes a device identifier of the protection device; a first test sample is obtained from a sample library query stored in memory 602 based on the device identification.
Optionally, the processor 601 is further configured to, after reading the program code 610 stored in the memory 602, perform the following operations: and generating a functional verification result according to whether the detection result is consistent with the expected result, wherein the functional verification result is used for indicating whether the function of the security component is normal.
Optionally, the memory 602 is further configured to store an account information table and a result information table. The processor 601 is further configured to, after reading the program code 610 stored in the memory 602, perform the following operations: in response to a registration request containing an administrator account and a device identifier of a protection device, received by the network interface 603, storing a corresponding relationship between the device identifier and the administrator account in an account information table stored in the memory 602; the correspondence between the function verification result and the device identifier is saved in a result information table stored in the memory 602; in response to the query request including the administrator account received by the network interface 603, the account information table and the result information table in the memory 602 are queried according to the administrator account, so as to obtain a function verification result corresponding to the device identifier, and instruct the network interface 603 to provide the function verification result corresponding to the device identifier to an initiator of the query request.
Optionally, the processor 601 is further configured to, after reading the program code 610 stored in the memory 602, perform the following operations: if the function verification result indicates that the function of the security component is abnormal, upgrading the security component; or, if the function verification result indicates that the security component is not functioning normally, sending a notification message through the network interface 603, where the notification message is used to notify an administrator of the protection device, or the protection device itself, of the function verification result.
Optionally, the processor 601 is further configured to, after reading the program code 610 stored in the memory 602, perform the following operations: the test sample is encrypted and the encrypted test sample is sent to the protection device via the network interface 603.
Optionally, the test server 600 is a server deployed in the internet, and the protective device is deployed in a local area network, where the local area network is configured with an access control policy, the access control policy is used to prohibit the protective device in the local area network from receiving data from the internet, and the processor 601 is configured to send the test sample to the protective device in the local area network through the network interface 603; the processor 601 is further configured to, after reading the program code 610 stored in the memory 602, perform the following operations: and if the test sample is successfully transmitted to the protection equipment, determining that the protection of the local area network has a vulnerability.
For more details of the processor 601 to implement the above functions, reference is made to the foregoing description of the various method embodiments, which are not repeated here.
Fig. 11 is a schematic structural diagram of a function verification device for a security component according to an embodiment of the present application. The apparatus 700 shown in fig. 11, for example, implements the functionality of the test server in the method shown in fig. 2.
Referring to fig. 11, the apparatus 700 includes a providing unit 701, an obtaining unit 702, and a processing unit 703. The various units in the apparatus 700 are implemented in whole or in part by software, hardware, firmware, or any combination thereof. The providing unit 701 is configured to enable the apparatus 700 to execute S201 in the method shown in fig. 2. The obtaining unit 702 is configured to support the apparatus 700 in executing S205 in the method shown in fig. 2. The processing unit 703 is configured to support the apparatus 700 in executing S206 and S207 of the method shown in fig. 2.
Optionally, the apparatus 700 further includes a receiving unit and a querying unit. The receiving unit is configured to support the apparatus 700 in performing step S2012. The querying unit is configured to enable the apparatus 700 to perform step S2013.
Optionally, the processing unit 703 is further configured to enable the apparatus 700 to generate a function verification result.
Optionally, the apparatus 700 further includes a saving unit and a querying unit, where the saving unit is configured to support the apparatus 700 in saving the correspondence between the device identifier and the administrator account in the account information table. The querying unit is configured to support the apparatus 700 in querying the account information table and the result information table according to the administrator account, so as to obtain the function verification result corresponding to the device identifier.
Optionally, the processing unit 703 is further configured to enable the apparatus 700 to upgrade the security component.
Optionally, the apparatus 700 further comprises a sending unit, configured to support the apparatus 700 to send the notification message.
Optionally, the processing unit 703 is further configured to enable the apparatus 700 to encrypt the test sample. The providing unit 701 is configured to enable the apparatus 700 to send the encrypted test sample to the protection device.
The apparatus embodiment depicted in fig. 11 is merely illustrative, and for example, the above described division of units is only one type of division of logical functions, and in actual implementation, there may be other divisions, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not implemented. Each functional unit in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The above units in fig. 11 may be implemented in the form of hardware, or may be implemented in the form of software functional units. For example, when implemented in software, the processing unit 703 and the querying unit may be implemented by software functional units generated by the processor 601 in fig. 10 after reading program codes stored in the memory 602. The above units in fig. 11 may also be implemented by different hardware in the apparatus shown in fig. 10, for example, the processing unit 703 is implemented by a part of processing resources (e.g., one core or two cores in a multi-core processor) in the processor 601 in fig. 10, and the querying unit is implemented by the rest of processing resources (e.g., other cores in the multi-core processor) in the processor 601 in fig. 10, or by a field-programmable gate array (FPGA), a coprocessor, or other programmable devices. The providing unit 701, the acquiring unit 702, and the transmitting unit are implemented by the network interface 603 in fig. 10. Obviously, the above functional units may also be implemented by combining software and hardware, for example, the query unit is implemented by a hardware programmable device, and the processing unit 703 is a software functional unit generated by the CPU reading program codes stored in the memory.
The embodiments in the present specification are described in a progressive manner; the same and similar parts among the embodiments can be referred to each other, and each embodiment focuses on its differences from the other embodiments. Where A refers to B, this means that A is the same as B or A is a simple variant of B.
The above-described embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions described in accordance with the embodiments of the application are generated in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk (SSD)), among others.
The above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and these modifications or substitutions do not depart from the scope of the technical solutions of the embodiments of the present application.

Claims (20)

1. A method of functional verification of a security component, the method comprising:
providing a test sample to the protection device, wherein the test sample comprises at least one of a test message or a message stream carrying a test file;
obtaining a detection result generated by detecting the test sample by a safety component in the protective equipment;
comparing the detection result with an expected result corresponding to the test sample;
and if the detection result is consistent with the expected result, determining that the safety component is in normal function.
2. The method of claim 1, wherein the test sample comprises a first test sample, and wherein prior to providing the test sample to the protective equipment, the method further comprises:
receiving a download request from the protective device, wherein the download request comprises a device identifier of the protective device;
and querying from a sample library according to the equipment identification to obtain the first test sample, wherein the first test sample is a test sample corresponding to the equipment identification in the sample library, and the sample library comprises at least one group of corresponding relations between the equipment identification and the test sample.
3. The method of claim 1, wherein after comparing the test result to an expected result corresponding to the test sample, the method further comprises:
and generating a functional verification result according to whether the detection result is consistent with the expected result, wherein the functional verification result is used for indicating whether the function of the security component is normal.
4. The method of claim 3, further comprising:
responding to a registration request containing an administrator account and the equipment identifier of the protection equipment, and storing the corresponding relation between the equipment identifier and the administrator account in an account information table;
storing the corresponding relation between the function verification result and the equipment identification in a result information table;
and responding to a query request containing the administrator account, querying the account information table and the result information table according to the administrator account, thereby obtaining a function verification result corresponding to the equipment identifier, and providing the function verification result corresponding to the equipment identifier for an initiator of the query request.
5. The method of claim 3, wherein after generating the functional verification result, the method further comprises:
if the function verification result indicates that the function of the security component is abnormal, upgrading the security component; alternatively,
if the function verification result indicates that the function of the security component is abnormal, sending a notification message, wherein the notification message is used for notifying an administrator of the protection device, or the protection device, of the function verification result.
6. The method of claim 1, wherein providing the test sample to the guard device comprises:
and encrypting the test sample, and sending the encrypted test sample to the protection equipment.
7. The method of claim 1, wherein the method is performed by a server deployed in the Internet and wherein the guard device is deployed in a local area network, wherein the local area network is configured with an access control policy that prohibits guard devices in the local area network from receiving data from the Internet,
the providing of the test sample to the guard device comprises: sending the test sample to the guard device in the local area network;
the method further comprises the following steps: and if the test sample is successfully transmitted to the protection equipment, determining that the protection of the local area network has a vulnerability.
8. The method of claim 1, wherein the detection result comprises an attack type, a protocol type, a virus type, a malicious domain name, a malicious IP address, or an indicator of no attack.
9. A functional verification apparatus for a security component, the apparatus comprising:
a providing unit, configured to provide a test sample to the protection device, wherein the test sample comprises at least one of a test message or a message stream carrying a test file;
an obtaining unit, configured to obtain a detection result generated by detecting the test sample by a security component in the protection device;
a processing unit, configured to compare the detection result with an expected result corresponding to the test sample;
the processing unit is further configured to determine that the security component is functioning properly if the detection result is consistent with the expected result.
10. The apparatus of claim 9, wherein the test sample comprises a first test sample, the apparatus further comprising: a receiving unit and an inquiring unit;
the receiving unit is configured to receive a download request from the protection device, where the download request includes a device identifier of the protection device;
the query unit is configured to query a sample library according to the device identifier to obtain the first test sample, where the first test sample is a test sample corresponding to the device identifier in the sample library, and the sample library includes a correspondence between at least one set of device identifiers and the test samples.
11. The apparatus according to claim 9, wherein the processing unit is further configured to generate a functional verification result according to whether the detection result is consistent with the expected result, and the functional verification result is used to indicate whether the security component is functioning normally.
12. The apparatus of claim 11, further comprising: a storage unit and a query unit;
the storage unit is configured to, in response to a registration request including an administrator account and an equipment identifier of the protection equipment, store a correspondence between the equipment identifier and the administrator account in an account information table; storing the corresponding relation between the function verification result and the equipment identification in a result information table;
the query unit is configured to, in response to a query request including the administrator account, query the account information table and the result information table according to the administrator account, thereby obtaining a function verification result corresponding to the device identifier, and provide the function verification result corresponding to the device identifier to an initiator of the query request.
13. The apparatus of claim 11, wherein the processing unit is further configured to upgrade the security component if the functional verification result indicates that the security component is not functioning properly;
the apparatus further comprises: a sending unit, configured to send a notification message if the functional verification result indicates that the security component is not functioning normally, where the notification message is used to notify an administrator of the protection device, or the protection device, of the functional verification result.
14. The apparatus of claim 9, wherein the processing unit is configured to encrypt the test sample;
and the providing unit is configured to send the encrypted test sample to the protection device.
15. The apparatus of claim 9, wherein the apparatus is a server deployed in the Internet, wherein the protection device is deployed in a local area network, and wherein the local area network is configured with an access control policy that prohibits protection devices in the local area network from receiving data from the Internet;
the providing unit is configured to send the test sample to the protection device in the local area network;
and the processing unit is further configured to determine that a vulnerability exists in the protection of the local area network if the test sample is successfully transmitted to the protection device.
16. A test server, characterized in that the test server comprises: a memory, a network interface, and at least one processor;
the memory is configured to store program code;
the at least one processor, after reading the program code stored in the memory, is configured to:
instruct the network interface to provide a test sample to a protection device, wherein the test sample comprises at least one of a test message or a message stream carrying a test file;
obtain, through the network interface, a detection result generated by a security component in the protection device detecting the test sample;
compare the detection result with an expected result corresponding to the test sample;
and if the detection result is consistent with the expected result, determine that the security component is functioning normally.
17. The test server of claim 16, wherein the test sample comprises a first test sample, and wherein the at least one processor, after reading the program code stored in the memory, is further configured to:
receive a download request from the protection device through the network interface, wherein the download request comprises a device identifier of the protection device;
and query a sample library stored in the memory according to the device identifier to obtain the first test sample, wherein the first test sample is the test sample corresponding to the device identifier in the sample library, and the sample library comprises at least one group of correspondences between device identifiers and test samples.
18. The test server of claim 16, wherein the at least one processor, after reading the program code stored in the memory, is further configured to:
generate a function verification result according to whether the detection result is consistent with the expected result, wherein the function verification result indicates whether the function of the security component is normal.
19. The test server of claim 18, wherein the at least one processor, after reading the program code stored in the memory, is further configured to:
in response to a registration request received by the network interface that contains an administrator account and the device identifier of the protection device, store the correspondence between the device identifier and the administrator account in an account information table stored in the memory;
store the correspondence between the function verification result and the device identifier in a result information table stored in the memory;
and in response to a query request containing the administrator account received by the network interface, query the account information table and the result information table in the memory according to the administrator account to obtain the function verification result corresponding to the device identifier, and instruct the network interface to provide the function verification result corresponding to the device identifier to the initiator of the query request.
20. A computer program product comprising one or more computer program instructions to, when loaded and executed by a computer, cause the computer to perform the method of functional verification of a security component of any of claims 1 to 8.
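The test-server flow of claims 16 to 19 (sample library keyed by device identifier, detection result compared against the expected result, verification results stored per device and queried per administrator account) as an added, self-contained simulation. This is example code written for this page, not code from the patent or from Huawei; the class names, the sample-library contents, the signature strings and the "block"/"pass" result vocabulary are all constructed assumptions. The second device in the demo deliberately runs with an empty signature set, so the example also shows the failure mode the comparison step exists to catch: a security component that lets a known test sample through is reported as abnormal, with the offending sample identifier in the result.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TestSample:
    sample_id: str
    kind: str        # "message" (a test message) or "file_stream" (stream carrying a test file)
    payload: bytes
    expected: str    # expected detection result: "block" or "pass" (assumed vocabulary)


# Constructed sample library (claim 17): device identifier -> test samples for that device.
SAMPLE_LIBRARY: Dict[str, List[TestSample]] = {
    "fw-model-a": [
        TestSample("sig-alpha-file", "file_stream", b"...TEST-SIGNATURE-ALPHA...", "block"),
        TestSample("benign-file", "file_stream", b"quarterly report", "pass"),
    ],
    "fw-model-b": [
        TestSample("sig-beta-msg", "message", b"GET /?q=TEST-SIGNATURE-BETA", "block"),
        TestSample("benign-msg", "message", b"GET /index.html", "pass"),
    ],
}


class SecurityComponent:
    """Simulated signature-based engine inside the protection device (assumption)."""

    def __init__(self, signatures: List[bytes]) -> None:
        self.signatures = list(signatures)

    def detect(self, sample: TestSample) -> str:
        hit = any(sig in sample.payload for sig in self.signatures)
        return "block" if hit else "pass"


class ProtectionDevice:
    def __init__(self, device_id: str, component: SecurityComponent) -> None:
        self.device_id = device_id
        self.component = component

    def download_request(self) -> dict:
        # The download request carries the device identifier (claim 17).
        return {"device_id": self.device_id}

    def detect_all(self, samples: List[TestSample]) -> Dict[str, str]:
        # Detection results reported back to the test server, keyed by sample id.
        return {s.sample_id: self.component.detect(s) for s in samples}


class TestServer:
    def __init__(self, sample_library: Dict[str, List[TestSample]]) -> None:
        self.sample_library = sample_library
        self.account_info: Dict[str, str] = {}   # device_id -> administrator account (claim 19)
        self.result_info: Dict[str, dict] = {}   # device_id -> function verification result (claim 19)

    def register(self, admin_account: str, device_id: str) -> None:
        self.account_info[device_id] = admin_account

    def handle_download_request(self, request: dict) -> List[TestSample]:
        # Look up the samples that correspond to the requesting device's identifier.
        return list(self.sample_library.get(request["device_id"], []))

    def verify(self, device_id: str, detection: Dict[str, str]) -> dict:
        # Compare every detection result with its expected result (claim 16) and
        # derive the function verification result (claim 18). A device with no
        # samples in the library cannot be verified and is reported as abnormal.
        expected = {s.sample_id: s.expected for s in self.sample_library.get(device_id, [])}
        mismatches = sorted(sid for sid, exp in expected.items() if detection.get(sid) != exp)
        result = {"status": "normal" if expected and not mismatches else "abnormal",
                  "mismatches": mismatches}
        self.result_info[device_id] = result
        return result

    def query(self, admin_account: str) -> Dict[str, dict]:
        # Join the account table with the result table on device identifier (claim 19).
        return {dev: self.result_info[dev]
                for dev, acct in self.account_info.items()
                if acct == admin_account and dev in self.result_info}


def run_demo() -> Dict[str, dict]:
    server = TestServer(SAMPLE_LIBRARY)
    server.register("admin-1", "fw-model-a")
    server.register("admin-1", "fw-model-b")
    healthy = ProtectionDevice("fw-model-a", SecurityComponent([b"TEST-SIGNATURE-ALPHA"]))
    stale = ProtectionDevice("fw-model-b", SecurityComponent([]))  # no signatures loaded
    for dev in (healthy, stale):
        samples = server.handle_download_request(dev.download_request())
        server.verify(dev.device_id, dev.detect_all(samples))
    return server.query("admin-1")


if __name__ == "__main__":
    for device, result in run_demo().items():
        print(device, result)
```

The comparison is made per sample rather than as a single pass/fail so that the stored verification result tells the administrator which sample the component handled incorrectly; a benign sample that is wrongly blocked counts as a mismatch just as a malicious sample that is wrongly passed does, since either means the component is not behaving as the expected results describe.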

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110152435.8A CN114928564A (en) 2021-02-03 2021-02-03 Function verification method and device of security component
PCT/CN2021/113909 WO2022166166A1 (en) 2021-02-03 2021-08-20 Function verification method and apparatus for security component

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110152435.8A CN114928564A (en) 2021-02-03 2021-02-03 Function verification method and device of security component

Publications (1)

Publication Number Publication Date
CN114928564A true CN114928564A (en) 2022-08-19

Family

ID=82740652

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110152435.8A Pending CN114928564A (en) 2021-02-03 2021-02-03 Function verification method and device of security component

Country Status (2)

Country Link
CN (1) CN114928564A (en)
WO (1) WO2022166166A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113704749B (en) * 2020-05-20 2024-03-19 中国移动通信集团浙江有限公司 Malicious mining detection processing method and device
CN116669064B (en) * 2022-12-08 2024-04-05 荣耀终端有限公司 Wireless protocol testing method and electronic equipment

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2782311A1 (en) * 2013-03-18 2014-09-24 British Telecommunications public limited company Methods of testing a firewall, and apparatus therefor
CN108521354B (en) * 2018-04-17 2020-12-15 中国人民解放军战略支援部队信息工程大学 Device and method for testing protection capability of IPv6 firewall
CN110430096A (en) * 2019-08-06 2019-11-08 深圳市同维通信技术有限公司 A kind of gateway test method and equipment
CN111600781B (en) * 2020-07-27 2020-10-16 中国人民解放军国防科技大学 Firewall system stability testing method based on tester

Also Published As

Publication number Publication date
WO2022166166A1 (en) 2022-08-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination