CN116527353A - Network protection equipment validity verification system and method based on attack behavior simulation - Google Patents

Info

Publication number
CN116527353A
Authority
CN
China
Prior art keywords
attack
module
receiving end
master control
control end
Legal status
Granted
Application number
CN202310446812.8A
Other languages
Chinese (zh)
Other versions
CN116527353B (en)
Inventor
潘文强
胡腾
殷明勇
楼芳
杨思琦
郑文琪
谢家俊
Current Assignee
COMPUTER APPLICATION RESEARCH INST CHINA ACADEMY OF ENGINEERING PHYSICS
Original Assignee
COMPUTER APPLICATION RESEARCH INST CHINA ACADEMY OF ENGINEERING PHYSICS
Application filed by COMPUTER APPLICATION RESEARCH INST CHINA ACADEMY OF ENGINEERING PHYSICS
Priority to CN202310446812.8A
Publication of CN116527353A
Application granted
Publication of CN116527353B
Legal status: Active

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection
                            • H04L63/1425 Traffic logging, e.g. anomaly detection
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
            • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
                • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
                    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention belongs to the technical field of software testing technology and in particular relates to a system and method for verifying the validity of network protection equipment based on attack behavior simulation. It aims to solve the problem that protection equipment deployed in a target network may fail to operate as intended because of equipment defects, personnel configuration errors and the like, while the prior art cannot verify in real time whether the equipment provides the intended protection effect. The main scheme comprises a master control end and a receiving end. The master control end comprises a task management and cyber-range (network target range) guidance and adjustment module, a basic communication module, a master control end control module, an attack traffic recording and customization module, a virtualized node generation and control module, and a master control end log recording and alarm module. The receiving end comprises a basic communication module, a receiving end control and controlled module, an attack traffic replay module, a virtualized node generation and control module, an attack behavior simulation module, and a receiving end log recording module.

Description

Network protection equipment validity verification system and method based on attack behavior simulation
Technical Field
The invention belongs to the technical field of software testing technology and in particular relates to a system and method for verifying the validity of network protection equipment based on attack behavior simulation.
Background
A network protection device is a device intended to protect a target network from malicious attacks so that the network can keep functioning under potential risk. In practice, however, protection devices often have exploitable weak points, arising for example from security defects in the device itself or from incorrect configuration by operations staff. These weak points greatly reduce the security of the target network; once an attacker discovers and uses them, they pose a significant threat to the network.
Common network protection devices include firewalls, IDS, IPS, WAF, antivirus software and host auditing software, but at present there is no way to determine in real time whether these deployed devices actually have their intended protection effect.
A firewall is deployed in series between two important nodes, for example between an intranet and an extranet. All traffic entering and leaving the intranet passes through it, and the firewall matches that traffic against rules to achieve isolation and filtering. A firewall should have three basic properties:
1. all network traffic between the target network and the external network must pass through the firewall;
2. only traffic that conforms to the security policy may pass through the firewall;
3. the firewall itself should be highly resistant to attack.
Once any of these three properties is breached, the firewall's isolation and filtering fail and the target network is exposed to external threats.
An IDS detects hidden dangers by rule matching and log analysis; it works in a parallel (out-of-band) mode and has no blocking capability. An IPS analyzes network traffic to detect intrusions and stops intrusion behavior in real time. Both work by capturing the characteristics (traffic and logs) of attack behavior; if an attack occurs and is not alarmed on and blocked in time, the intrusion suffered by the target network cannot be discovered and stopped in time.
Host auditing software monitors the behavior and processes of the target terminal, including real-time monitoring of file operations, mounting and unmounting of external devices, printing and disc burning, network access and the like, and blocks behavior that violates policy. Antivirus software monitors files stored on the target terminal and processes about to run, and detects and blocks threats. If these two do not properly block malicious files and behavior, the target terminal cannot be effectively protected when it is attacked.
Even when the protection devices described above are deployed in the target network, they may fail to function properly because of a device defect, a personnel configuration error or the like, and it is currently impossible to verify in real time whether they have the intended protection effect. Once the protection equipment fails, the target network is exposed to network threats.
Disclosure of Invention
In view of these problems, the invention aims to provide a network protection equipment effectiveness verification system and method based on attack behavior simulation, which uses attack behavior simulation to verify in real time whether the network protection equipment deployed in a target network has the expected protection effect, and reports promptly when a weak point where protection has failed is found, so that operations and maintenance personnel can repair it immediately. The technical solution is as follows:
A network protection device validity verification system based on attack behavior simulation comprises a master control end and a receiving end. The master control end comprises a task management and cyber-range guidance and adjustment module, a basic communication module, a master control end control module, an attack traffic recording and customization module, a virtualized node generation and control module and a master control end log recording and alarm module; the receiving end comprises a basic communication module, a receiving end control and controlled module, an attack traffic replay module, a virtualized node generation and control module, an attack behavior simulation module and a receiving end log recording module;
(1) The task management and cyber-range guidance and adjustment module supports visual configuration management and adjustment for various kinds of protection equipment and usage scenarios, supports docking to a cyber-range adjustment interface, and provides cyber-range-based network topology design, built-in topology templates and one-click deployment of virtualized terminals;
The basic communication module supports multiple ends and establishes encrypted communication connections based on asymmetric encryption between them, namely between the master control end and a receiving end and between two receiving ends. When the uplink switch port is a Trunk port, the basic communication module can configure the transmitted packets and change their VLAN tags so as to support autonomous access to each VLAN subnet;
(2) The control system is composed of the master control end control module and the receiving end control and controlled module. A remote long-lived connection service based on asymmetric encryption is established between the receiving end and the master control end through the basic communication module; the various remote control functions send basic remote control commands over this long-lived connection, and the receiving end executes the commands in sequence to achieve control;
(3) The attack traffic recording and customization module is specific to the master control end. It captures and stores the corresponding attack traffic through a traffic probe when the attack behavior simulation module launches a network attack, and analyzes and modifies the packet information of customized network traffic, specifically the attack-initiating end, the receiving end IP address, port, MAC addresses, network protocol and the like;
The attack traffic replay module is specific to the receiving end. After receiving a traffic replay instruction from the master control end and receiving the encrypted traffic packet from the master control end over the encrypted connection, it supports repeated replay of that traffic on the designated link;
(4) The virtualized node generation and control module, on the receiving end, receives a Docker target image generation instruction from the master control end. It first checks whether the local machine has a Docker virtualization environment; if not, it checks whether the machine supports Docker deployment, pulls the Docker environment deployment file from the master control end and completes the deployment. Once the environment is ready, the Docker target image (usually carrying specific network services and vulnerabilities) is pulled from the master control end and deployed, and the response result is returned. The target image installs the receiving end control and controlled module by default, so that it can be scheduled in use;
(5) The attack behavior simulation module is specific to the receiving end. Based on a received basic control instruction, or a workflow instruction formed by combining several preset basic control instructions, the receiving end controls the terminal to produce the corresponding attack behavior, or the victim-side behavior of a terminal after being attacked, by combining mouse- and keyboard-based input simulation with a virtual hardware generation scheme;
(6) The master control end log recording and alarm module and the receiving end log recording module record all behavior generated while the software runs, including detection events against a given protection device in the network topology and generation events of virtualized nodes; they record connectivity tests and attack traffic and provide management of recording granularity. The master control end log recording and alarm module also supports receiving alarm logs from the tested network protection equipment and from the SOC unified scheduling system and parses them into attack events.
The verification method of the network protection equipment validity verification system based on attack behavior simulation adopts the following deployment: the master control end is deployed in the service area, a receiving end is deployed in any terminal group, and the type of the switch port is configured as Trunk, so that the master control end and the receiving end can autonomously access each VLAN subnet. After deployment, the master control end and the receiving end are first initialized, and then different strategies are selected according to the detection type.
Further, when the detection type is firewall access control policy, a receiving end is deployed outside the firewall during the initialization stage. First the receiving end generates connectivity test traffic and sends it through the firewall to the master control end; the test traffic traverses N ports and verifies isolation effectiveness port by port. Then the master control end generates connectivity test traffic and sends it through the firewall to the receiving end, again traversing N ports to verify isolation effectiveness port by port. The verification results are sent to the master control end, which summarizes them and outputs alarm information and a report.
Further, when the detection type is switch VLAN isolation validity, two receiving ends A and B are connected to the switch. The VLAN of receiving end A is fixed while receiving end B traverses all enabled VLANs, generating connectivity test traffic and sending it to receiving end A. After that test finishes, the VLAN of receiving end A is changed and receiving end B traverses again, skipping the VLANs whose connectivity has already been tested. These steps are repeated n(n+1)/2 times to complete the verification of VLAN isolation validity; receiving end A sends the verification results to the master control end, which outputs alarm information and a report.
Further, when the detection type is IPS attack detection and blocking, the master control end and the receiving end are connected in series on the two sides of the IPS with network-layer reachability between them. The master control end generates a virtual target node and provides a service; the receiving end, taking the master control end as its target, generates attack traffic or virtualizes an attack node and carries out the attack operation; the receiving end then forms a test report from whether the attack succeeded or was intercepted by the IPS and sends the report to the master control end.
Further, when the detection type is IDS attack detection, network-layer reachability among the master control end, the receiving end and the IDS is ensured. The master control end generates a virtual target node and provides a service; the receiving end, taking the master control end as its target, generates attack traffic or virtualizes an attack node and carries out the attack operation; the master control end then pulls the IDS log information and forms a test report.
Further, when the detection type is WAF attack detection and blocking, the master control end and the receiving end are connected in series on the two sides of the WAF with network-layer reachability between them. The master control end generates a virtual target node and provides a service; the receiving end, taking the master control end as its target, generates attack traffic or virtualizes an attack node and carries out the attack operation; the receiving end then sends the information on whether the attack succeeded or was intercepted by the WAF to the master control end to form a test report.
Further, when the detection type is non-compliant terminal behavior, the receiving end generates control information for the non-compliant behavior and sends it to the target node for execution; the target is a virtual machine on which host auditing software is installed. When detecting unauthorized external device access, a virtual external device is generated with the DSF method and mounted, and whether the mount was blocked and alarm information generated is judged by checking the drive letter, the system log and the host auditing software log. When detecting multi-disk mounting, a virtual multi-disk is constructed and mounted. Finally the target node sends the judgment of whether an alarm was triggered, together with the relevant logs, to the master control end to form a test report.
Further, when the detection type is terminal malicious sample detection, the receiving end generates an attack node and a target node at the same time, and antivirus software configured identically to that deployed in the network is installed on them through the server. The attack node generates several types of malicious samples and sends them to the target node for execution, and the target node sends the virus detection information to the master control end to form a test report.
The beneficial effects of the invention are as follows:
1. By adopting attack behavior simulation, the invention verifies in real time whether the network protection equipment deployed in the target network has the expected protection effect, and reports promptly when a weak point where protection has failed is found, so that operations and maintenance personnel can repair it immediately. The method can be applied to vulnerability detection and security auditing of protection equipment, replacing manual schemes and verifying the effectiveness of network protection equipment automatically.
2. The attack traffic recording and customization module and the attack traffic replay module work together to address environments in which attack behavior simulation is inconvenient to carry out, for example because of security and confidentiality requirements or because the target system cannot be deployed. In such cases traffic replay is used as an alternative, which is safer (no actual attack behavior takes place) and more readily available (no target system deployment and no invocation of attack tools is required). When the receiving end performs attack behavior simulation, the master control end's attack traffic recording and customization module records and stores the traffic sent and received; in later scenarios the recorded attack traffic is replayed through the receiving end's attack traffic replay module, so that protection effectiveness is checked with traffic alone.
Drawings
Fig. 1 is a schematic diagram of the overall architecture of the network protection device validity verification method based on the attack behavior simulation.
Fig. 2 is a schematic diagram of a deployment method of the network protection device validity verification method based on attack behavior simulation.
Fig. 3 is a schematic diagram of a protection effectiveness verification flow of the network protection device effectiveness verification method based on attack behavior simulation.
Detailed Description
The invention will now be described in further detail with reference to the drawings and to specific examples.
The network protection equipment effectiveness verification system based on attack behavior simulation comprises a protection effectiveness system architecture with a master control end and a receiving end. The master control end comprises a task management module, a basic communication module, a control module, a traffic generation module, a virtualized node generation and control module and a log recording module; the receiving end comprises a basic communication module, a control and controlled module, a virtualized node generation and control module, a behavior simulation module and a log recording module.
Fig. 1 is a schematic diagram of the overall architecture of the network protection device validity verification system based on attack behavior simulation. As shown in Fig. 1, the protection effectiveness system architecture includes a master control end and a receiving end. The master control end includes a task management and cyber-range guidance and adjustment module, a basic communication module, a master control end control module, an attack traffic recording and customization module, a virtualized node generation and control module and a master control end log recording and alarm module; the receiving end comprises a basic communication module, a receiving end control and controlled module, an attack traffic replay module, a virtualized node generation and control module, an attack behavior simulation module and a receiving end log recording module.
The task management module provides visual configuration management and scheduling for various kinds of protection equipment and usage scenarios.
The basic communication module exists on both the master control end and the receiving end. The master control end's communication module can establish network connections with several receiving ends at the same time, and the receiving end's communication module can communicate with the master control end and with other receiving ends. When the uplink switch port is a Trunk port, the communication module can configure transmitted packets to change their VLAN tags, supporting autonomous access to each VLAN subnet.
The control module of the master control end and the controlled module of the receiving end together form a control system: a dedicated remote service is established between the receiving end and the master control end through the basic communication module, the various remote control functions send basic remote control commands over this service, and the receiving end executes the commands in sequence to achieve control.
The attack traffic recording and customization module is specific to the master control end. It captures and stores the corresponding attack traffic through a traffic probe when the attack behavior simulation module launches a network attack, and analyzes and modifies the packet information of customized network traffic, specifically the attack-initiating end, the receiving end IP address, port, MAC address, network protocol and the like.
The attack traffic replay module is specific to the receiving end. After receiving a traffic replay instruction from the master control end and receiving the encrypted traffic packet from the master control end over the encrypted connection, it supports repeated replay of that traffic on the designated link.
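The packet customization described for the attack traffic recording and customization module (rewriting the receiving end IP address, port, MAC address and so on in a recorded packet) is illustrated by the following added example, which is not the patent's own code. It handles a minimal Ethernet II / IPv4 / TCP frame without options, rewrites the addressing fields, and recomputes the IPv4 and TCP checksums so the retargeted packet remains valid for replay. The sample frame is constructed by build_packet() for the example; in the system described above it would come from the traffic probe.

```python
"""Retarget a recorded test packet: rewrite MAC, IP and port fields and fix checksums.

Added example (not the patent's own code). The sample frame is constructed
by build_packet() below; real captures would come from the traffic probe.
"""
import ipaddress
import struct

ETH_LEN = 14   # Ethernet II header
IP_LEN = 20    # IPv4 header without options
TCP_LEN = 20   # TCP header without options


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (pads odd lengths)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum covers an IPv4 pseudo-header (addresses, protocol 6, length) plus the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)


def build_packet(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Construct a valid SYN-style frame; used here only to create sample input."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    sip = ipaddress.IPv4Address(src_ip).packed
    dip = ipaddress.IPv4Address(dst_ip).packed
    total_len = IP_LEN + TCP_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(sip, dip, tcp)) + tcp[18:]
    return eth + ip + tcp


def parse_packet(frame: bytes) -> dict:
    """Extract addressing fields and report whether both checksums verify."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_LEN:ETH_LEN + IP_LEN]
    if (ip[0] & 0x0F) * 4 != IP_LEN or ip[9] != 6:
        raise ValueError("only option-less IPv4/TCP is handled")
    sip, dip = ip[12:16], ip[16:20]
    tcp = frame[ETH_LEN + IP_LEN:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": str(ipaddress.IPv4Address(sip)),
        "dst_ip": str(ipaddress.IPv4Address(dip)),
        "sport": sport, "dport": dport,
        "ip_checksum_ok": checksum(ip) == 0,        # a valid header sums to zero
        "tcp_checksum_ok": tcp_checksum(sip, dip, tcp) == 0,
    }


def rewrite_packet(frame: bytes, **new) -> bytes:
    """Replace any of src_mac/dst_mac/src_ip/dst_ip/sport/dport, then recompute checksums."""
    f = bytearray(frame)
    ip_off, tcp_off = ETH_LEN, ETH_LEN + IP_LEN
    if "dst_mac" in new:
        f[0:6] = mac_bytes(new["dst_mac"])
    if "src_mac" in new:
        f[6:12] = mac_bytes(new["src_mac"])
    if "src_ip" in new:
        f[ip_off + 12:ip_off + 16] = ipaddress.IPv4Address(new["src_ip"]).packed
    if "dst_ip" in new:
        f[ip_off + 16:ip_off + 20] = ipaddress.IPv4Address(new["dst_ip"]).packed
    if "sport" in new:
        f[tcp_off:tcp_off + 2] = struct.pack("!H", new["sport"])
    if "dport" in new:
        f[tcp_off + 2:tcp_off + 4] = struct.pack("!H", new["dport"])
    # Zero each checksum field before recomputing, otherwise the old value is summed in.
    f[ip_off + 10:ip_off + 12] = b"\x00\x00"
    f[ip_off + 10:ip_off + 12] = struct.pack("!H", checksum(bytes(f[ip_off:tcp_off])))
    f[tcp_off + 16:tcp_off + 18] = b"\x00\x00"
    sip, dip = bytes(f[ip_off + 12:ip_off + 16]), bytes(f[ip_off + 16:ip_off + 20])
    f[tcp_off + 16:tcp_off + 18] = struct.pack("!H", tcp_checksum(sip, dip, bytes(f[tcp_off:])))
    return bytes(f)


if __name__ == "__main__":
    recorded = build_packet("02:00:00:00:00:01", "02:00:00:00:00:02",
                            "10.0.1.10", "10.0.2.20", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    retargeted = rewrite_packet(recorded, dst_mac="02:00:00:00:00:03",
                                dst_ip="10.0.3.30", dport=8080)
    print(parse_packet(retargeted))
```

The checksum recomputation is the part that matters for a replay test: a replayed packet with a stale IPv4 or TCP checksum is dropped by the receiving host's stack (and by many inline devices) before any rule is evaluated, which would make a protection failure look like a successful block. Frames with VLAN tags, IP options or other transport protocols would need the offsets extended accordingly.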
The virtualized node generation and control module, on the receiving end, receives a Docker target image generation instruction from the master control end. It first checks whether the local machine has a Docker virtualization environment; if not, it checks whether the machine supports Docker deployment, pulls the Docker environment deployment file from the master control end and completes the deployment. Once the environment is ready, the Docker target image (usually carrying specific network services and vulnerabilities) is pulled from the master control end and deployed, and the response result is returned. The target image installs the receiving end control and controlled module by default, so that it can be scheduled in use.
The attack behavior simulation module is specific to the receiving end. Based on a received basic control instruction, or a workflow instruction formed by combining several preset basic control instructions, the receiving end controls the terminal to produce the corresponding attack behavior, or the victim-side behavior of a terminal after being attacked, by combining mouse- and keyboard-based input simulation with a virtual hardware generation scheme.
The master control end log recording and alarm module and the receiving end log recording module record all behavior generated while the software runs, including detection events against a given protection device in the network topology and generation events of virtualized nodes; they record connectivity tests and attack traffic and provide management of recording granularity. The master control end log recording and alarm module also supports receiving alarm logs from the tested network protection equipment and from the SOC unified scheduling system and parses them into attack events.
The invention is suitable for verifying the protection effectiveness of network protection equipment and solves the problem of verifying whether the protection provided by protection equipment in an actual network is effective and whether its configuration is wrong. It provides an integrated solution for verifying whether the following protection functions are effective: the access control policy of a firewall, the detection and blocking of network-layer attacks by an IPS/IDS, the detection and blocking of application-layer attacks by a WAF, the detection and blocking of malicious samples by antivirus software, and the detection and blocking of non-compliant behavior by host auditing software. Thanks to the design for autonomous subnet access, the scheme can be deployed once and run long-term, finding potential risks in the network effectively without damaging the original network topology or affecting normal use of its functions, and thereby reducing hidden dangers in the network.
Fig. 2 is a schematic diagram of the deployment of the network protection device validity verification method based on attack behavior simulation. It shows a typical corporate intranet topology with protection devices such as a firewall and an IPS, a switch that isolates different user groups by VLAN, and terminals running antivirus software and host auditing software. The topology illustrates where the software of the invention is deployed: the master control end in the service area, a receiving end in any terminal group, and the switch port type configured as Trunk. When the effectiveness of the firewall access control policy is tested, a receiving end must additionally be deployed outside the firewall, in series with it; when the isolation between user groups is tested, two receiving ends are required.
Fig. 3 is a schematic diagram of a protection effectiveness verification flow of the network protection device effectiveness verification method based on attack behavior simulation.
As can be seen from Fig. 3, after the master control end and the receiving ends have been deployed according to the topology of Fig. 2, they are first initialized, and then different strategies are selected according to the detection type.
When the detection type is firewall access control policy, a receiving end is deployed outside the firewall during the initialization stage. First the receiving end generates connectivity test traffic and sends it through the firewall to the master control end; the test traffic traverses all 65535 ports and verifies isolation effectiveness port by port. Then the master control end generates connectivity test traffic and sends it through the firewall to the receiving end, again traversing all 65535 ports to verify isolation effectiveness port by port. The verification results are sent to the master control end, which collects them and outputs alarm information and a report.
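The bidirectional port traversal above can be modelled as a comparison of observed reachability against the expected access control policy. The following is an added example, not the patent's own code: each direction is traversed over ports 1..65535, every mismatch is recorded, and the mismatches are split into isolation failures (a port the policy denies but which is reachable, which is what should raise an alarm) and blocked services (a port the policy allows but which is filtered). The probe here is a constructed simulation of a misconfigured firewall; in a real deployment each end would attempt an actual connection through the firewall for every port.

```python
"""Bidirectional firewall access-control policy check by port traversal.

Added example (not the patent's own code). The policy and the firewall
behaviour below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set


@dataclass(frozen=True)
class Finding:
    direction: str   # "receiver->master" (outside to inside) or "master->receiver"
    port: int
    expected: str    # "allow" or "deny" according to the policy
    observed: str    # "open" or "filtered" according to the probe


def verify_direction(direction: str, allowed: Set[int],
                     probe: Callable[[str, int], bool], ports: Iterable[int]) -> List[Finding]:
    """Traverse the ports in one direction and report every policy mismatch."""
    findings = []
    for port in ports:
        observed = "open" if probe(direction, port) else "filtered"
        expected = "allow" if port in allowed else "deny"
        if (expected == "allow") != (observed == "open"):
            findings.append(Finding(direction, port, expected, observed))
    return findings


def verify_firewall(policy: Dict[str, Set[int]], probe: Callable[[str, int], bool],
                    n_ports: int = 65535) -> List[Finding]:
    """Run the traversal in both directions over ports 1..n_ports."""
    findings: List[Finding] = []
    for direction, allowed in policy.items():
        findings += verify_direction(direction, allowed, probe, range(1, n_ports + 1))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Isolation failures are the alarm condition; blocked services are an availability notice."""
    return {
        "isolation_failures": sorted((f.direction, f.port) for f in findings if f.expected == "deny"),
        "blocked_services": sorted((f.direction, f.port) for f in findings if f.expected == "allow"),
        "verdict": "PASS" if not findings else "FAIL",
    }


# Constructed expected policy: outside may only reach the master on 443;
# inside may only leave on DNS/HTTP/HTTPS.
EXPECTED_POLICY = {
    "receiver->master": {443},
    "master->receiver": {53, 80, 443},
}

# Constructed behaviour of the firewall under test: one unintended inbound
# opening (3389) and one missing outbound allowance (80).
_ACTUAL_OPEN = {
    "receiver->master": {443, 3389},
    "master->receiver": {53, 443},
}


def simulated_probe(direction: str, port: int) -> bool:
    """Stand-in for a real connectivity probe sent through the firewall."""
    return port in _ACTUAL_OPEN[direction]


if __name__ == "__main__":
    print(summarize(verify_firewall(EXPECTED_POLICY, simulated_probe)))
```

Keeping the two classes of mismatch separate matters in practice: an unexpectedly open port is a protection failure that should go to the alarm output, whereas an unexpectedly filtered one is usually an operational problem, and reporting both under one heading hides the security-relevant finding among availability noise.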
When the detection type is switch VLAN isolation effectiveness, two receiving ends A and B are connected to the switch. The VLAN of receiving end A is fixed while receiving end B traverses all enabled VLANs, generating connectivity test traffic and sending it to receiving end A. After that test finishes, the VLAN of receiving end A is changed and receiving end B traverses again, skipping the VLANs whose connectivity has already been tested. These steps are repeated n(n+1)/2 times to complete the verification of VLAN isolation validity; receiving end A sends the verification results to the master control end, which outputs alarm information and a report.
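The pair-traversal schedule above, with receiving end B skipping VLANs already tested against A's current VLAN, is shown in the following added example (not the patent's own code). For n VLANs the schedule contains exactly n(n+1)/2 tests, which matches the figure given above once the same-VLAN case is included; the example assumes that two ends in the same VLAN are expected to reach each other and that ends in different VLANs must not. The probe is a constructed simulation of a switch with one inter-VLAN leak; the real test sends connectivity traffic from B to A.

```python
"""Pairwise switch VLAN isolation check with two receiving ends.

Added example (not the patent's own code). The switch behaviour below is
constructed for the example.
"""
from typing import Callable, List, Sequence, Tuple


def vlan_test_schedule(vlans: Sequence[int]) -> List[Tuple[int, int]]:
    """Order of (vlan_a, vlan_b) tests; each unordered pair is tested only once."""
    tested = set()
    schedule = []
    for vlan_a in vlans:                 # A stays on this VLAN while B traverses
        for vlan_b in vlans:
            key = frozenset((vlan_a, vlan_b))
            if key in tested:            # B skips VLANs already tested against A's VLAN
                continue
            tested.add(key)
            schedule.append((vlan_a, vlan_b))
    return schedule


def verify_vlan_isolation(vlans: Sequence[int],
                          probe: Callable[[int, int], bool]) -> List[dict]:
    """Expectation (assumed): same VLAN reachable, different VLANs isolated."""
    findings = []
    for vlan_a, vlan_b in vlan_test_schedule(vlans):
        reachable = probe(vlan_a, vlan_b)
        expected = vlan_a == vlan_b
        if reachable != expected:
            findings.append({
                "vlan_a": vlan_a, "vlan_b": vlan_b,
                "issue": "isolation breach" if reachable else "same-VLAN connectivity lost",
            })
    return findings


# Constructed switch behaviour: VLANs 20 and 30 leak into each other
# (for instance an unintended inter-VLAN routing rule); all else is correct.
_LEAKS = {frozenset((20, 30))}


def simulated_probe(vlan_a: int, vlan_b: int) -> bool:
    """Stand-in for connectivity test traffic sent from B (vlan_b) to A (vlan_a)."""
    return vlan_a == vlan_b or frozenset((vlan_a, vlan_b)) in _LEAKS


if __name__ == "__main__":
    vlans = [10, 20, 30, 40]
    print(len(vlan_test_schedule(vlans)), "tests")      # 10 for n = 4
    print(verify_vlan_isolation(vlans, simulated_probe))
```

Because the probe here is symmetric, one test per unordered pair suffices; if the switch under test enforces direction-dependent rules (for example access lists applied on only one VLAN interface), B should additionally be fixed while A traverses, doubling the schedule.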
When the detection type is IPS attack detection and blocking, the master control end and the receiving end are connected in series on the two sides of the IPS with network-layer reachability between them. The master control end generates a virtual target node and provides a service; the receiving end, taking the master control end as its target, generates attack traffic or virtualizes an attack node and carries out the attack operation; the receiving end then forms a test report from whether the attack succeeded or was intercepted by the IPS and sends the report to the master control end.
When the detection type is IDS attack detection, network-layer reachability among the master control end, the receiving end and the IDS is ensured. The master control end generates a virtual target node and provides a service; the receiving end, taking the master control end as its target, generates attack traffic or virtualizes an attack node and carries out the attack operation; the master control end then pulls the IDS log information and forms a test report.
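The step in which the master control end pulls the IDS log and forms a test report, together with the log module's parsing of alarm logs into attack events described earlier, is illustrated by the following added example (not the patent's own code). It parses a constructed alarm-log format into events, matches each event against the simulated tests the receiving end ran (same attack source, same virtual target and port, within the test window plus a grace period for log latency), and reports each test as detected or missed. The log line format, addresses, signature ids and timestamps are all constructed for the example and do not correspond to any vendor's real format.

```python
"""Correlate simulated attack tests with alarm logs pulled from a tested IDS.

Added example (not the patent's own code). The log format and all sample
data below are constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Constructed alarm-log line format (not any vendor's real format).
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) (?P<sensor>\S+) alert sid=(?P<sid>\d+) '
    r'src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) '
    r'msg="(?P<msg>[^"]*)"$'
)


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_alerts(lines: Iterable[str]) -> List[dict]:
    """Turn raw log lines into attack events; lines that are not alerts are skipped."""
    events = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": parse_ts(m["ts"]), "sensor": m["sensor"], "sid": int(m["sid"]),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "msg": m["msg"],
        })
    return events


@dataclass(frozen=True)
class TestCase:
    test_id: str     # identifier recorded by the master control end's log module
    src: str         # attack node address (receiving end side)
    dst: str         # virtual target node address (master control end side)
    dport: int
    start: datetime
    end: datetime


def correlate(tests: Iterable[TestCase], events: List[dict],
              grace: timedelta = timedelta(seconds=30)) -> Dict[str, dict]:
    """An alert counts for a test if addresses and port match and it lies in the window plus grace."""
    report = {}
    for t in tests:
        hits = [e for e in events
                if e["src"] == t.src and e["dst"] == t.dst and e["dport"] == t.dport
                and t.start <= e["ts"] <= t.end + grace]
        report[t.test_id] = {"result": "detected" if hits else "missed",
                             "sids": sorted({e["sid"] for e in hits})}
    return report


def verdict(report: Dict[str, dict]) -> str:
    return "PASS" if all(r["result"] == "detected" for r in report.values()) else "FAIL"


T0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
# Constructed tests run by the receiving end against the virtual target 10.0.2.20.
TESTS = [
    TestCase("T1", "10.0.1.10", "10.0.2.20", 80, T0, T0 + timedelta(seconds=20)),
    TestCase("T2", "10.0.1.10", "10.0.2.20", 445,
             T0 + timedelta(minutes=1), T0 + timedelta(minutes=1, seconds=20)),
    TestCase("T3", "10.0.1.10", "10.0.2.20", 22,
             T0 + timedelta(minutes=2), T0 + timedelta(minutes=2, seconds=20)),
]
# Constructed IDS log: T1 alarmed, T2 silent (the only 445 alert is for another
# source), T3 alarmed late but within grace, plus an unrelated heartbeat line.
IDS_LOG = """\
2024-05-01T10:00:05Z ids01 alert sid=2001 src=10.0.1.10:44321 dst=10.0.2.20:80 msg="WEB test signature"
2024-05-01T10:00:30Z ids01 heartbeat ok
2024-05-01T10:01:10Z ids01 alert sid=2002 src=10.0.9.9:1234 dst=10.0.2.20:445 msg="SMB test signature"
2024-05-01T10:02:35Z ids01 alert sid=2003 src=10.0.1.10:50000 dst=10.0.2.20:22 msg="SSH test signature"
""".splitlines()


if __name__ == "__main__":
    rep = correlate(TESTS, parse_alerts(IDS_LOG))
    print(verdict(rep), rep)
```

The grace period is the one tunable worth thinking about: too short and a slow log pipeline turns real detections into false "missed" results; too long and an alert raised by unrelated traffic to the same target could be credited to a test it did not belong to, which is why the match also requires the attack node's source address.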
When the detection type is WAF attack detection and blocking, the main control end and the receiving end are connected in series at two sides of the WAF and the network layer is reachable, the main control end generates a virtual target node and provides service, the receiving end aims at the main control end, generates attack flow or virtualizes an attack node and implements attack operation, and the receiving end intercepts information according to the attack success or the WAF and sends the information to the main control end to form a test report.
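The reporting step common to the IPS, IDS and WAF cases above, shown for the IDS variant where the master control end pulls the sensor log and has to work out which launched attacks it covers. This is an added example, not the patent's code: it parses Suricata-style fast.log lines, attributes each alert to the most recently launched attack with the same attacker address, target address, destination port and protocol inside a time window, and reports detected attacks (with the signature IDs that fired), missed attacks (the IDS blind spots) and alerts unrelated to the exercise. For the inline IPS and WAF cases the receiving end's own success/intercepted observation takes the place of the log, but the attribution and the report shape are the same. The log lines, signature IDs (9000001 and so on), addresses and attack records below are constructed test data.

```python
"""Correlate launched simulated attacks with IDS alerts into a test report."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Suricata fast.log line layout: timestamp [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport
FASTLOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+?):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+?):(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Attack:
    name: str
    started: datetime
    src: str       # attack node address
    dst: str       # virtual target node address
    dport: int
    proto: str = "TCP"


def parse_fastlog(text: str) -> list[Alert]:
    """Parse fast.log text; lines that do not match are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        m = FASTLOG_RE.match(line.strip())
        if not m:
            continue
        alerts.append(Alert(datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f"),
                            int(m["sid"]), m["msg"], m["proto"], m["src"],
                            int(m["sport"]), m["dst"], int(m["dport"])))
    return alerts


def attribute(alert: Alert, attacks: list[Attack],
              window: timedelta) -> Optional[Attack]:
    """The latest attack launched at most `window` before the alert on the
    same src/dst/dport/proto, or None if the alert belongs to none of them."""
    candidates = [a for a in attacks
                  if (a.src, a.dst, a.dport, a.proto) == (alert.src, alert.dst, alert.dport, alert.proto)
                  and timedelta(0) <= alert.ts - a.started <= window]
    return max(candidates, key=lambda a: a.started) if candidates else None


def correlate(attacks: list[Attack], alerts: list[Alert],
              window: timedelta = timedelta(seconds=30)) -> dict:
    """Build the test report: per-attack detection, misses, stray alerts."""
    detected: dict[str, set[int]] = {}
    unrelated: list[Alert] = []
    for al in alerts:
        atk = attribute(al, attacks, window)
        if atk is None:
            unrelated.append(al)
        else:
            detected.setdefault(atk.name, set()).add(al.sid)
    missed = [a.name for a in attacks if a.name not in detected]
    coverage = len(detected) / len(attacks) if attacks else 0.0
    return {"detected": {k: sorted(v) for k, v in detected.items()},
            "missed": missed, "unrelated": unrelated, "coverage": coverage}


# Constructed sample log (placeholder SIDs 90000xx, TEST-prefixed messages).
SAMPLE_FASTLOG = """\
04/24/2023-10:00:01.120000  [**] [1:9000001:1] TEST WEB SQLi UNION SELECT in URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.10.0.5:51234 -> 10.10.0.9:80
04/24/2023-10:00:03.400000  [**] [1:9000002:1] TEST WEB Directory Traversal ../ in URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.10.0.5:51240 -> 10.10.0.9:80
04/24/2023-10:05:44.001000  [**] [1:9000003:1] TEST SCAN SSH connection from external host [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40000 -> 10.10.0.9:22
"""

# Constructed attack records as the receiving end would report them.
SAMPLE_ATTACKS = [
    Attack("sqli_union", datetime(2023, 4, 24, 10, 0, 0), "10.10.0.5", "10.10.0.9", 80),
    Attack("path_traversal", datetime(2023, 4, 24, 10, 0, 2), "10.10.0.5", "10.10.0.9", 80),
    Attack("ssh_bruteforce", datetime(2023, 4, 24, 10, 1, 0), "10.10.0.5", "10.10.0.9", 22),
]

if __name__ == "__main__":
    rep = correlate(SAMPLE_ATTACKS, parse_fastlog(SAMPLE_FASTLOG))
    for name, sids in rep["detected"].items():
        print(f"DETECTED {name}: sids {sids}")
    for name in rep["missed"]:
        print(f"MISSED   {name}")
    print(f"coverage {rep['coverage']:.0%}, {len(rep['unrelated'])} unrelated alert(s)")
```

Attributing each alert to the latest matching attack (rather than each attack to any alert in its window) keeps two back-to-back attacks against the same target port from claiming each other's alerts; in the sample, the traversal alert at 10:00:03 is credited only to `path_traversal`, not to the SQL injection launched two seconds earlier.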
When the detection type is terminal violation behavior, the receiving end generates control information for the violation (for example mounting a prohibited external device, unauthorized printing or disc burning, or mounting multiple virtual hard disks) and sends it to the target node for execution; the target is a virtual machine with host auditing software installed. To keep the verification method self-adapting without breaking the isolation of the target network, the method uses a virtual device generation scheme. For unauthorized external device access, a virtual external device is generated with the DSF method and mounted, and whether the mount was blocked and whether alarm information was generated is determined by inspecting the drive letter, the system log and the host auditing software log. For multi-disk mounting, the multiple disks are virtually constructed and mounted. Finally, the target node sends its judgement of whether an alarm was triggered, together with the relevant logs, to the master control end to form the test report.
When the detection type is terminal malicious sample detection and removal, the receiving end generates an attack node and a target node at the same time, and antivirus software configured identically to the one deployed in the network is installed on the target node via the server. The attack node generates malicious samples of several types and sends them to the target node for execution, and the target node sends the virus detection information to the master control end to form the test report.

Claims (10)

1. A network protection equipment effectiveness verification system based on attack behavior simulation, characterized in that it comprises a master control end and a receiving end;
the master control end comprises:
a task management and cyber range guidance and adjustment module, a basic communication module, a master control end control module, an attack traffic recording and customization module, a virtualized node generation and control module, and a master control end log recording and alarm module;
the receiving end comprises:
a basic communication module, a receiving end management and control module, an attack traffic replay module, a virtualized node generation and control module, an attack behavior simulation module, and a receiving end log recording module.
2. The network protection equipment effectiveness verification system based on attack behavior simulation according to claim 1, characterized in that
the task management and cyber range guidance and adjustment module supports visual configuration, management and adjustment for the various protection devices and usage scenarios, supports an interface for driving a cyber range, and provides network topology design with built-in topology templates based on the cyber range, together with one-click deployment of applications on virtualized terminals;
the basic communication module supports multiple endpoints and establishes encrypted communication connections between them based on asymmetric cryptography, for instance master control end to receiving end and receiving end to receiving end; when the uplink switch port is a trunk port, the basic communication module can configure the transmitted packets and change their VLAN tag, so that each VLAN subnet can be accessed autonomously;
the master control end control module and the receiving end management and control module together form the control system: the receiving end and the master control end establish a persistent remote connection based on asymmetric cryptography through the basic communication module, the various remote control functions send basic remote control commands over this connection, and the receiving end executes the commands in sequence to achieve the control effect;
the attack traffic recording and customization module captures and stores, via a traffic probe, the attack traffic produced when the attack behavior simulation module launches a network attack, and supports analyzing and modifying the captured packets to customize their information, specifically the attack-initiating end, the receiving end IP address, port, MAC address and network protocol;
the attack traffic replay module, after receiving a traffic replay instruction from the master control end and receiving the encrypted traffic packet from the master control end over the encrypted connection, replays the traffic onto the designated link;
the virtualized node generation and control module receives a Docker target image generation instruction from the master control end on behalf of the receiving end, first checks whether the local machine has a Docker virtualization environment and, if it does not, whether it supports Docker deployment, then pulls the Docker environment deployment files from the master control end and completes the deployment; once the environment is ready it pulls the Docker target image from the master control end, deploys it and returns the response result; the target image has the receiving end management and control module installed by default, so the target can be scheduled during use;
the attack behavior simulation module drives the terminal to produce the corresponding attack, or the behavior of a system under attack, by emulating mouse and keyboard input through a virtual hardware generation scheme, according to a basic control instruction received by the receiving end or a flow instruction composed of several preset basic control instructions;
the master control end log recording and alarm module and the receiving end log recording module record all behavior generated while the software is running, including detection events against a given protection device in the network topology and generation events of virtualized nodes, record connectivity tests and attack traffic, provide control over recording granularity, and support receiving alarm logs from the network protection device under test and from the SOC unified scheduling system and parsing them into attack events.
3. A verification method of the network protection equipment effectiveness verification system based on attack behavior simulation, characterized by the following deployment: the master control end is deployed in the service area, the receiving end is deployed in any terminal group, and the port type on the switch is configured as trunk so that the master control end and the receiving end can autonomously access each VLAN subnet; after deployment the master control end and the receiving end are initialized first, and then different strategies are selected according to the detection type.
4. The method for verifying the effectiveness of network protection equipment using attack behavior simulation according to claim 3, characterized in that when the detection type is firewall access control policy, the receiving end is deployed outside the firewall during the initialization stage; first the receiving end generates connectivity test traffic and sends it through the firewall to the master control end, the test traffic traversing N ports to verify the isolation in turn; then the master control end generates connectivity test traffic and sends it through the firewall to the receiving end, the test traffic again traversing N ports to verify the isolation in turn; and the verification results are sent to the master control end for aggregation and output of alarm information and a report.
5. The method for verifying the effectiveness of network protection equipment using attack behavior simulation according to claim 3, characterized in that when the detection type is switch VLAN isolation effectiveness, two receiving ends A and B are connected to the switch, the VLAN of receiving end A is fixed while receiving end B traverses all enabled VLANs, generating connectivity test traffic and sending it to receiving end A; after that test is finished the VLAN of receiving end A is changed and receiving end B traverses again, skipping the VLAN pairs whose connectivity has already been tested; these steps are repeated n(n+1)/2 times to complete the VLAN isolation verification, receiving end A sends the verification results to the master control end, and the master control end outputs alarm information and a report.
6. The method for verifying the effectiveness of network protection equipment using attack behavior simulation according to claim 3, characterized in that when the detection type is IPS attack detection and blocking, the master control end and the receiving end are deployed inline on opposite sides of the IPS and reachable from each other at the network layer; the master control end generates a virtual target node that provides a service; the receiving end takes the master control end as its target and generates attack traffic or virtualizes an attack node to carry out the attack; and the receiving end sends the information on whether each attack succeeded or was intercepted by the IPS to the master control end to form a test report.
7. The method for verifying the effectiveness of network protection equipment using attack behavior simulation according to claim 3, characterized in that when the detection type is IDS attack detection, the master control end, the receiving end and the IDS are made reachable from one another at the network layer; the master control end generates a virtual target node that provides a service; the receiving end takes the master control end as its target and generates attack traffic or virtualizes an attack node to carry out the attack; and the master control end pulls the IDS log information and forms a test report.
8. The method for verifying the effectiveness of network protection equipment using attack behavior simulation according to claim 3, characterized in that when the detection type is WAF attack detection and blocking, the master control end and the receiving end are deployed inline on opposite sides of the WAF and reachable from each other at the network layer; the master control end generates a virtual target node that provides a service; the receiving end takes the master control end as its target and generates attack traffic or virtualizes an attack node to carry out the attack; and the receiving end sends the information on whether each attack succeeded or was intercepted by the WAF to the master control end to form a test report.
9. The method for verifying the effectiveness of network protection equipment using attack behavior simulation according to claim 3, characterized in that when the detection type is terminal violation behavior, the receiving end generates violation behavior control information and sends it to the target node for execution, the target being a virtual machine with host auditing software installed; for unauthorized external device access, a virtual external device is generated with the DSF method and mounted, and whether the mount was blocked and whether alarm information was generated is determined by inspecting the drive letter, the system log and the host auditing software log; for multi-disk mounting, the multiple disks are virtually constructed and mounted; and finally the target node sends its judgement of whether the violation triggered an alarm, together with the relevant logs, to the master control end to form a test report.
10. The method for verifying the effectiveness of network protection equipment using attack behavior simulation according to claim 3, characterized in that when the detection type is terminal malicious sample detection, the receiving end generates an attack node and a target node at the same time, antivirus software configured identically to the one deployed in the network is installed via the server, the attack node generates malicious samples of several types and sends them to the target node for execution, and the target node sends the virus detection information to the master control end to form a test report.
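Two of the packet edits claim 2 assigns to the basic communication module and the attack traffic recording and customization module are edits to the Ethernet header: changing the VLAN tag of an outgoing packet when the uplink is a trunk port, and rewriting the MAC addresses of captured attack traffic before replay. The following added example (not the patent's code) does both on raw frame bytes with `struct`, with no packet library. It parses tagged and untagged frames, inserts or rewrites an 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID), rejects the reserved VIDs 0 and 4095, and replaces source or destination MAC while leaving the tag and payload untouched. The MAC addresses and the 20-byte stand-in payload in the demo are constructed.

```python
"""Rewrite Ethernet frames: 802.1Q VLAN tag and MAC addresses."""
from __future__ import annotations

import struct
from typing import Optional

ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType (or TPID)
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address {mac!r}")
    return raw


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into header fields; handles tagged and untagged frames."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    offset, vlan, pcp = ETH_HDR.size, None, 0
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlan, pcp = tci & 0x0FFF, tci >> 13   # VID: low 12 bits; PCP: top 3 bits
        offset += 4
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble a frame, inserting an 802.1Q tag when a VLAN ID is given."""
    if vlan is None:
        return ETH_HDR.pack(mac_bytes(dst), mac_bytes(src), ethertype) + payload
    if not 1 <= vlan <= 4094:            # VID 0 and 4095 are reserved by 802.1Q
        raise ValueError(f"invalid VLAN ID {vlan}")
    tag = struct.pack("!HH", ((pcp & 0x7) << 13) | vlan, ethertype)
    return ETH_HDR.pack(mac_bytes(dst), mac_bytes(src), TPID_8021Q) + tag + payload


def retag(frame: bytes, vlan: Optional[int]) -> bytes:
    """Set the VLAN tag to `vlan` (insert or rewrite); vlan=None strips the tag."""
    f = parse_frame(frame)
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vlan, f["pcp"])


def rewrite_macs(frame: bytes, dst: Optional[str] = None,
                 src: Optional[str] = None) -> bytes:
    """Replace destination and/or source MAC; tag and payload stay as they are."""
    f = parse_frame(frame)
    return build_frame(dst or f["dst"], src or f["src"], f["ethertype"],
                       f["payload"], f["vlan"], f["pcp"])


if __name__ == "__main__":
    payload = b"\x45\x00" + b"\x00" * 18   # constructed stand-in for an IPv4 header
    untagged = build_frame("02:00:00:00:00:aa", "02:00:00:00:00:bb",
                           ETHERTYPE_IPV4, payload)
    on_vlan_20 = retag(untagged, 20)                 # reach VLAN 20 over the trunk
    replayed = rewrite_macs(on_vlan_20, src="02:00:00:00:00:cc")
    print(parse_frame(untagged))
    print(parse_frame(on_vlan_20))
    print(parse_frame(replayed))
```

Only the layer-2 header is touched here; if the replay also customises IP addresses or ports, as claim 2 allows, the IP and TCP/UDP checksums over the payload must be recomputed as well, which this example deliberately leaves alone.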
CN202310446812.8A 2023-04-24 2023-04-24 Network protection equipment validity verification system and method based on attack behavior simulation Active CN116527353B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310446812.8A CN116527353B (en) 2023-04-24 2023-04-24 Network protection equipment validity verification system and method based on attack behavior simulation

Publications (2)

Publication Number Publication Date
CN116527353A true CN116527353A (en) 2023-08-01
CN116527353B CN116527353B (en) 2024-02-20

Family

ID=87407595

Country Status (1)

Country Link
CN (1) CN116527353B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103139184A (en) * 2011-12-02 2013-06-05 中国电信股份有限公司 Intelligent network firewall device and network attack protection method
CN104410617A (en) * 2014-11-21 2015-03-11 西安邮电大学 Information safety attack and defense system structure of cloud platform
US20180152470A1 (en) * 2016-11-29 2018-05-31 Lixin Lu Method of improving network security by learning from attackers for detecting network system's weakness
CN110149350A (en) * 2019-06-24 2019-08-20 国网安徽省电力有限公司信息通信分公司 A kind of associated assault analysis method of alarm log and device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116886423A (en) * 2023-08-15 2023-10-13 广东中山网传媒信息科技有限公司 Method and system for detecting security abnormality of server
CN116886423B (en) * 2023-08-15 2024-02-06 广东中山网传媒信息科技有限公司 Method, system, storage medium and equipment for detecting server security abnormality
CN116955967A (en) * 2023-09-20 2023-10-27 成都无糖信息技术有限公司 System and method for simulating investigation and adjustment in network target range
CN116955967B (en) * 2023-09-20 2023-12-08 成都无糖信息技术有限公司 System and method for simulating investigation and adjustment in network target range

Also Published As

Publication number Publication date
CN116527353B (en) 2024-02-20

Similar Documents

Publication Publication Date Title
Fovino et al. An experimental platform for assessing SCADA vulnerabilities and countermeasures in power plants
CN116527353B (en) Network protection equipment validity verification system and method based on attack behavior simulation
US10362048B2 (en) Distributed online wireless security test system
EP1356626B1 (en) Verifying the integrity of computer networks and implementation of counter measures
US8737197B2 (en) Sequential heartbeat packet arrangement and methods thereof
Fovino et al. Cyber security assessment of a power plant
CN107733878B (en) Safety protection device of industrial control system
Ádám et al. Artificial neural network based IDS
RU2739864C1 (en) System and method of correlating events for detecting information security incident
KR20170091989A (en) System and method for managing and evaluating security in industry control network
Rahman et al. Holistic approach to arp poisoning and countermeasures by using practical examples and paradigm
Carcano et al. Scada malware, a proof of concept
KR20020075319A (en) Intelligent Security Engine and Intelligent and Integrated Security System Employing the Same
CN112073371A (en) Malicious behavior detection method for weak supervision routing equipment
Araújo et al. EICIDS-elastic and internal cloud-based detection system
Sanz et al. A cooperation-aware virtual network function for proactive detection of distributed port scanning
Gupta et al. Building secure products and solutions
Arreaga et al. Security Vulnerability Analysis for IoT Devices Raspberry Pi using PENTEST
Cisco Scenarios
US20200382552A1 (en) Replayable hacktraps for intruder capture with reduced impact on false positives
Mell Understanding intrusion detection systems
Masera et al. Security assessment of a turbo-gas power plant
Ao Design and deployment of border security in multimedia network
Adenuga-Taiwo et al. Security analysis of onos software-defined network platform
Kiuchi et al. Security technologies, usage and guidelines in SCADA system networks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant