CN109688088A - The anti-escape capability test method of network intrusion protection system, device and test machine - Google Patents


Info

Publication number: CN109688088A
Authority: CN (China)
Prior art keywords: escape, test, combination, attack traffic, target drone
Legal status: Granted
Application number: CN201710976993.XA
Other languages: Chinese (zh)
Other versions: CN109688088B (en)
Inventors: 熊琦, 张宝峰, 许源, 王峰
Current assignee: China Information Technology Security Evaluation Center
Original assignee: China Information Technology Security Evaluation Center
Application filed by China Information Technology Security Evaluation Center
Priority to CN201710976993.XA
Publication of CN109688088A
Application granted
Publication of CN109688088B
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

This application provides an anti-escape capability test method, device and test machine for a network intrusion prevention system. The method comprises: judging whether there is an untraversed escape combination matching the protocol of the attack traffic; if not, counting and outputting the number of escape combinations generated and the numbers of successes and failures; if there is an untraversed escape combination, generating one untraversed single escape combination; encapsulating and mutating the attack code layer by layer according to the single escape combination on the basis of a self-built protocol stack, to generate test attack traffic data; testing the attack traffic data with a target drone and judging the test result; if the escape fails, returning to the judgement of whether an untraversed escape combination exists and its subsequent actions; if the escape succeeds, generating and outputting a minimal escape combination and then returning to that judgement and its subsequent actions. Automated anti-escape testing of an IPS is thereby realized, test efficiency is improved and test cost is reduced.

Description

The anti-escape capability test method of network intrusion protection system, device and test machine
Technical field
The present invention relates to the technical field of computer networks, and in particular to an anti-escape capability test method, device and test machine for a network intrusion prevention system, which test a computer network intrusion prevention system automatically using combinations of escape measures.
Background technique
An intrusion prevention system (hereinafter IPS) is a computer network security facility that supplements anti-virus software (antivirus programs) and firewalls (packet filters, application gateways). An IPS must be tested once its development is complete; at present, security testing of an IPS mainly comprises functional testing and penetration testing. When penetration testing an IPS, the anti-escape capability of its attack detection function must be checked, i.e. specific escape measures are added to attack traffic that the IPS can identify, changing the original features of the attack traffic, and it is checked whether the IPS still correctly identifies and blocks the deformed attack traffic.
In conventional solutions, anti-escape detection of an IPS is mainly performed manually or in a semi-automated manner; the test process is time-consuming and laborious, and detection efficiency is low.
Summary of the invention
In view of this, embodiments of the present invention provide an anti-escape capability test method, device and test machine for a network intrusion prevention system, to solve the problem in the prior art that manual or semi-automated anti-escape detection of an IPS is time-consuming, laborious and of low detection efficiency.
To achieve the above object, the embodiments of the present invention provide the following technical solutions:
An anti-escape capability test method for a network intrusion prevention system, comprising:
judging whether there is an untraversed escape combination matching the protocol of the attack traffic; if not, counting the number of escape combinations generated and the numbers of successes and failures, and outputting the statistical result;
if there is an untraversed escape combination, generating one untraversed single escape combination;
encapsulating and mutating attack code layer by layer according to the single escape combination on the basis of a self-built protocol stack, to generate test attack traffic data;
testing the attack traffic data with a target drone and judging the test result; if the escape fails, executing the action of judging whether there is an untraversed escape combination and its subsequent actions; if the escape succeeds, generating and outputting a minimal escape combination, and then executing the action of judging whether there is an untraversed escape combination and its subsequent actions.
Preferably, in the above anti-escape capability test method for a network intrusion prevention system, before the attack traffic data are tested with the target drone, the method further comprises:
setting the number n of test processes run in parallel and the IP address resource range f;
and testing the attack traffic data with the target drone comprises:
selecting one test process and one idle IP address to test the attack traffic data with the target drone.
Preferably, in the above anti-escape capability test method for a network intrusion prevention system, testing the attack traffic data with the target drone and judging the test result comprises:
sending the attack traffic data, encapsulated and mutated layer by layer, to the target drone through a preset network interface, and obtaining the feedback result of the target drone;
judging from the feedback result whether the attack traffic data escaped successfully.
Preferably, in the above anti-escape capability test method for a network intrusion prevention system, generating and outputting the minimal escape combination comprises:
gradually isolating the escape combination corresponding to the traffic that escaped successfully, generating multiple candidate escape combinations that form a candidate escape set;
screening and verifying each candidate escape combination in the candidate escape set one by one, to determine the minimal escape combination.
Preferably, in the above anti-escape capability test method for a network intrusion prevention system, after each test of the attack traffic data with the target drone, the method further comprises:
restoring the target drone to the non-triggered state by means of virtual machine historical snapshot technology.
An anti-escape capability test device for a network intrusion prevention system, comprising:
a first judging unit, for judging whether there is an untraversed escape combination matching the protocol of the attack traffic, and if not, outputting a trigger signal to the statistic unit, otherwise outputting a trigger signal to the strategy combination unit;
a statistic unit, for counting, when it receives the trigger signal output by the first judging unit, the number of escape combinations generated and the numbers of successes and failures, and outputting the statistical result;
a strategy combination unit, for generating one untraversed single escape combination when it receives the trigger signal output by the first judging unit, and outputting a trigger signal to the test unit;
a test unit, for encapsulating and mutating attack code layer by layer according to the single escape combination on the basis of a self-built protocol stack when it receives the trigger signal output by the strategy combination unit, generating test attack traffic data, testing the attack traffic data with the target drone and judging the test result; if the escape fails, it outputs a trigger signal to the first judging unit, and if the escape succeeds, it outputs a trigger signal to the minimal escape combination screening unit;
a minimal escape combination screening unit, for generating and outputting a minimal escape combination when it receives the trigger signal output by the test unit, and outputting a trigger signal to the first judging unit.
Preferably, the above anti-escape capability test device for a network intrusion prevention system further comprises a channel configuration unit for setting the number of test processes run in parallel and the IP address resource range;
and the test unit, when testing the attack traffic data with the target drone, specifically:
selects one test process and one idle IP address to test the attack traffic data with the target drone.
Preferably, in the above anti-escape capability test device for a network intrusion prevention system, the test unit, when testing the attack traffic data with the target drone and judging the test result, is specifically used for:
selecting one test process and one idle IP address and sending, through a preset network interface, the attack traffic data encapsulated and mutated layer by layer to the target drone, and obtaining the feedback result of the target drone;
judging from the feedback result whether the attack traffic data escaped successfully.
Preferably, in the above anti-escape capability test device for a network intrusion prevention system, the minimal escape combination screening unit is specifically used for:
gradually isolating the escape combination corresponding to the traffic that escaped successfully, generating multiple candidate escape combinations that form a candidate escape set;
screening and verifying each candidate escape combination in the candidate escape set one by one, to determine the minimal escape combination.
Preferably, the above anti-escape capability test device for a network intrusion prevention system further comprises:
an initialization unit, for monitoring the test unit and, after each test of the attack traffic data with the target drone, outputting a trigger signal to the target drone so that the target drone is restored to the non-triggered state by virtual machine historical snapshot technology.
A test machine, comprising the anti-escape capability test device for a network intrusion prevention system of any of the above embodiments.
On the basis of the above technical solution, the scheme provided by the embodiments of the present invention traverses all escape combinations matching the protocol of the attack traffic and judges whether all escape combinations have been traversed. If all have been traversed, the number of escape combinations generated and the numbers of successes and failures are counted and the statistical result is output. If there is an untraversed escape combination, one untraversed escape combination is selected as the single escape combination to traverse; the attack code is then encapsulated and mutated layer by layer according to this single escape combination on the basis of a self-built protocol stack to generate test attack traffic data, and the test attack traffic data are used for an anti-escape test of the IPS. When the attack traffic data fail to escape, it is judged again whether all escape combinations have been traversed; when the attack traffic data escape successfully, a minimal escape combination is generated and output, and it is judged again whether all escape combinations have been traversed. Automated anti-escape testing of the IPS is thereby realized, test efficiency is improved and test cost is reduced.
Description of the drawings
In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of an anti-escape capability test method for a network intrusion prevention system disclosed in an embodiment of the present application;
Fig. 2 is a schematic diagram, disclosed in an embodiment of the present application, of the scenario in which an attack test machine and a target drone are used for anti-escape detection of an IPS;
Fig. 3 is a structural diagram of an anti-escape capability test device for a network intrusion prevention system disclosed in an embodiment of the present application;
Fig. 4 is a structural diagram of an anti-escape capability test device for a network intrusion prevention system disclosed in another embodiment of the present application.
Specific embodiment
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In view of the time-consuming, laborious and inefficient manual or semi-automated anti-escape detection of an IPS in the prior art, the present application discloses an anti-escape capability test method, device and test machine for a network intrusion prevention system that perform automated, combination-based anti-escape capability testing of the IPS. The method, device and test machine select, one by one, escape measures matching the protocol characteristics of the attack traffic, generate escape test cases, send the attack traffic processed with the escape test cases, and judge the detection result from the alarm records of the IPS.
Fig. 1 is a flow diagram of an anti-escape capability test method for a network intrusion prevention system disclosed in an embodiment of the present application. Referring to Fig. 1, the method may comprise:
Step S101: judging whether there is an untraversed escape combination matching the protocol of the attack traffic; if not, executing step S102; if so, executing step S103;
In this step, an escape combination is a combination of escape mechanisms applied to the attack traffic. Each sub-protocol layer of the attack traffic may correspond to several escape measures: for example, the IPv4 protocol corresponds to 8 escape measures such as "fragmentation", and the TCP protocol to 10 escape measures such as "urgent data". In general, attack traffic located at an upper-layer protocol can call the escape measures of all lower-layer protocols, according to its protocol characteristics. For example, for the RDP_DOS attack traffic (CVE-2012-0002), since the attack payload is located at the application layer, the two protocol layers IPv4 and TCP can be selected, giving 18 escape measures in total. By random combination the complete set of escape combinations can be generated, 2^18 - 1 combinations in total; the self-built protocol stack can modify the network attack data flow at layers 2-7 and generate attack traffic carrying the escape mechanisms.
Step S102: counting the number of escape combinations generated and the numbers of successes and failures, and outputting the statistical result;
In this step, so that the performance of the IPS can be checked conveniently, the traversal results are counted once all escape combinations have been traversed: the number of escape combinations traversed and the numbers of successes and failures of the IPS's anti-escape defence. From the number of escape combinations traversed and the numbers of successes and failures of the IPS's anti-escape defence, the user can make a preliminary analysis of the performance of the IPS.
Step S103: if there is an untraversed escape combination, generating one untraversed single escape combination, and executing step S104;
In this step, if it is determined that an untraversed escape combination matching the protocol of the attack traffic exists, one untraversed single escape combination matching the protocol of the attack traffic is generated according to preset rules or a randomized policy.
Step S104: encapsulating and mutating the attack code layer by layer according to the single escape combination on the basis of the self-built protocol stack, generating test attack traffic data, and executing step S105;
In this solution, combined escape is realized on the basis of a self-built protocol stack, so that multiple escape measures can be added at the same time according to the protocol characteristics of the attack traffic.
In this step, the combination of multiple escape measures can be integrated by using a preset self-built protocol stack, so that the attack traffic is encapsulated and mutated according to the escape combination. For example, with a Python-based protocol stack writing tool such as Scapy, the attack code can be encapsulated and mutated layer by layer according to the selected single escape combination, generating the test attack traffic data used to test the IPS.
Specifically, in this step, the layer-by-layer encapsulation and mutation of the attack traffic proceeds as follows: the attack test case located at the application layer is first deformed at the application layer, then deformed again at the transport layer, and then deformed at the IPv4 layer.
Step S105: testing the attack traffic data with the target drone, and executing step S106;
When the attack traffic data are tested, successful escape is determined from the deviation between how the IPS and the target drone understand the escape combination, i.e. "the IPS cannot understand the traffic and lets the attack traffic pass, but the target drone can understand it and the vulnerability is triggered". When this happens, the attack traffic is considered to have escaped successfully.
In this step, referring to Fig. 2, the test machine (attack test machine) sends the attack traffic data to the target drone through the IPS and judges whether the attack traffic data reach the target drone through the IPS, thereby detecting the anti-escape capability of the IPS.
Step S106: judging the test result of the attack traffic data; if the test result shows that the escape failed, executing step S101; if the escape succeeded, executing step S107;
In this solution, the attack traffic data encapsulated and mutated layer by layer can be sent to the target drone through a preset network interface and the feedback result of the target drone obtained; whether the attack traffic data escaped successfully is then judged automatically from the feedback result, without manually checking the device alarm records. Of course, besides the two cases of successful and failed escape there is also a delayed case, in which the target drone has not yet given a feedback result; it is then necessary to keep waiting and to execute this step again after a specific duration. The specific duration can be set by the user as required, for example to 100 ms.
Step S107: generating and outputting the minimal escape combination, and executing step S101;
Once the minimal escape combination is determined, it helps the tester and the IPS vendor submitting the product for testing to locate and fix the problem accurately.
When the method disclosed in the embodiments of the present application is used to test the anti-escape capability of an IPS, all escape combinations matching the protocol of the attack traffic are traversed and it is judged whether all escape combinations have been traversed. If all have been traversed, the number of escape combinations generated and the numbers of successes and failures are counted and the statistical result is output. If there is an untraversed escape combination, one untraversed escape combination is selected as the single escape combination to traverse; the attack code is encapsulated and mutated layer by layer according to this single escape combination on the basis of the self-built protocol stack to generate test attack traffic data, which are used for an anti-escape test of the IPS. When the attack traffic data fail to escape, it is judged again whether all escape combinations have been traversed; when the attack traffic data escape successfully, a minimal escape combination is generated and output, and it is judged again whether all escape combinations have been traversed. Automated anti-escape testing of the IPS is thereby realized, test efficiency is improved and test cost is reduced.
In the technical solution disclosed in another embodiment of the present application, to further improve test efficiency, multiple parallel channels can be used to perform anti-escape tests on the IPS system at the same time. That is, in the above scheme, before the attack traffic data are tested with the target drone, the method further comprises:
setting the number n of test processes run in parallel and the IP address resource range f; multiple parallel channels can be set up according to the preset test process number n and IP address resource range f, each channel being assigned its own test process and IP address resource;
Specifically, in this step, to improve efficiency, the self-built protocol stack virtualizes multiple IP addresses and runs multiple processes concurrently: the number n of parallel test processes and the IP address resource range f are set, the address pool is used in turn, and the test cases are sent, thereby realizing concurrent testing of the IPS and further improving test efficiency. The value of the IP address resource range f is greater than the value of the test process number n; the tester can determine the values of the process number n and the IP address resource range f according to the performance of the test machine. In general, the larger n and f are, the higher the test efficiency.
When multiple parallel channels are used for the anti-escape capability test of the IPS, an idle channel can be selected at random or according to preset rules when the attack traffic data are tested with the target drone, specifically: one test process and one idle IP address are selected to test the attack traffic data with the target drone. The scheme provided by the present application thus adopts a multitask mode with multiple parallel test processes, each test process being assigned its own IP address so that the processes do not interfere with one another, which improves test efficiency.
In addition, it should be noted that in the above method the occupancy state of each parallel channel can also be monitored in real time, and step S101 is executed whenever an idle channel is present, so that every channel stays occupied throughout the anti-escape test of the IPS.
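The parallel channels of this embodiment, as an added example that is not part of the patent (the class and method names are assumptions): n test processes draw addresses in turn from a pool of f addresses, f is required to exceed n, and a test is dispatched only while an idle channel exists.

```python
"""Added example: parallel test channels, n processes sharing an address pool of
f IP addresses that is used in turn. Names are assumptions, not the patent's."""
from collections import deque
import ipaddress


class ChannelPool:
    def __init__(self, n, first_ip, f):
        # The description requires the address resource range f to exceed the process count n.
        if f <= n:
            raise ValueError("IP address resource range f must be larger than the process count n")
        base = ipaddress.ip_address(first_ip)
        self.free_ips = deque(base + i for i in range(f))  # address pool, taken in turn
        self.idle_procs = deque(range(n))
        self.busy = {}  # process id -> address it is currently sending from

    def has_idle_channel(self):
        """Real-time occupancy check: step S101 is only started while this is True."""
        return bool(self.idle_procs)

    def acquire(self):
        """Select one test process and one idle IP address; None if every channel is busy."""
        if not self.idle_procs:
            return None
        proc, ip = self.idle_procs.popleft(), self.free_ips.popleft()
        self.busy[proc] = ip
        return proc, str(ip)

    def release(self, proc):
        """Return the channel; the address goes to the tail so the pool rotates."""
        self.free_ips.append(self.busy.pop(proc))
        self.idle_procs.append(proc)
```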
In step S107, when attack traffic data escape successfully, the escape combination matched to the escaped attack traffic data is obtained and processed to obtain the minimal escape combination. Specifically, the escape combination is processed mainly as follows: the escape combination corresponding to the traffic that escaped successfully is gradually isolated to generate multiple candidate escape combinations, which form a candidate escape set; each candidate escape combination in the candidate escape set is then screened and verified one by one to determine the minimal escape combination. During screening and verification, each candidate escape combination can be used in turn to encapsulate and mutate the attack traffic layer by layer, and the attack traffic data so obtained are used for an anti-escape test of the IPS, so that the minimal escape combination is obtained by stepwise screening.
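As an added illustration of steps S101 to S107 and of the stepwise isolation just described (example code written for this page, not the patent's implementation), the following Python simulation traverses escape combinations against a constructed stand-in for the IPS and target drone, handles the delayed feedback case by waiting and polling again, restores the target after every test, and isolates a minimal escape combination; the measure labels, the blind-spot behaviour and all class and function names are assumptions.

```python
"""Simulation of the anti-escape test loop (steps S101-S107) and of the stepwise
isolation of a minimal escape combination. Added example: the IPS, the target drone
and the escape measures are constructed stand-ins, not the self-built protocol stack."""
from itertools import combinations
import random
import time

BLOCKED, TRIGGERED, PENDING = "blocked", "triggered", "pending"

# Constructed measure labels: 8 for IPv4 and 10 for TCP, the counts the description
# gives for an application-layer attack (18 measures, 2^18 - 1 non-empty combinations).
ESCAPE_MEASURES = [f"ipv4_{i}" for i in range(1, 9)] + [f"tcp_{i}" for i in range(1, 11)]


class SimulatedRange:
    """Stand-in for 'test machine -> IPS -> target drone' (Fig. 2). Constructed: the IPS
    misreads traffic only when both blind-spot measures are present, the target drone
    cannot parse traffic carrying `target_breaker`, and `slow` is PENDING on the first poll."""

    def __init__(self, blind_spot=("ipv4_3", "tcp_7"), target_breaker="tcp_9", slow="tcp_2"):
        self.blind_spot = frozenset(blind_spot)
        self.target_breaker = target_breaker
        self.slow = slow
        self.pending_once = set()
        self.triggered = False  # target drone state; stays set until a snapshot restore

    def send(self, combo):
        if self.triggered:
            return PENDING  # an already-triggered target drone gives no usable feedback
        if self.slow in combo and combo not in self.pending_once:
            self.pending_once.add(combo)
            return PENDING  # delayed case: no feedback yet on the first poll
        if self.blind_spot <= combo and self.target_breaker not in combo:
            self.triggered = True  # IPS let it through and the target understood it
            return TRIGGERED
        return BLOCKED

    def restore_snapshot(self):
        """Models the VM historical-snapshot reset to the non-triggered state."""
        self.triggered = False


def judge(rng, combo, wait_ms=100, max_polls=5):
    """Step S106: True when the combination escaped (IPS passed it, target triggered)."""
    try:
        for _ in range(max_polls):
            result = rng.send(combo)
            if result != PENDING:
                return result == TRIGGERED
            time.sleep(wait_ms / 1000)  # delayed case: wait the set duration and retry
        return False  # still no feedback after waiting: counted as an escape failure
    finally:
        rng.restore_snapshot()  # restore after every test, as the description requires


def isolate_minimal(rng, combo, wait_ms=100):
    """Step S107: drop one measure at a time; keep any candidate that still escapes."""
    current = frozenset(combo)
    changed = True
    while changed:
        changed = False
        for m in sorted(current):
            candidate = current - {m}
            if candidate and judge(rng, candidate, wait_ms):
                current, changed = candidate, True
                break
    return current


def untraversed_combos(policy="ordered", seed=0):
    """Step S103: yield combinations not yet traversed, by preset rule or at random."""
    if policy == "ordered":  # preset rule: every non-empty subset, by increasing size
        for size in range(1, len(ESCAPE_MEASURES) + 1):
            for c in combinations(ESCAPE_MEASURES, size):
                yield frozenset(c)
    else:  # randomized policy over the 2^18 - 1 combinations, without repeats
        rnd, seen = random.Random(seed), set()
        while len(seen) < 2 ** len(ESCAPE_MEASURES) - 1:
            c = frozenset(m for m in ESCAPE_MEASURES if rnd.random() < 0.5)
            if c and c not in seen:
                seen.add(c)
                yield c


def run_campaign(rng, budget, policy="ordered", seed=0, wait_ms=100):
    """Steps S101-S107 over at most `budget` combinations; returns the S102 statistics."""
    stats = {"traversed": 0, "success": 0, "failure": 0, "minimal": set()}
    for combo in untraversed_combos(policy, seed):
        if stats["traversed"] >= budget:
            break
        stats["traversed"] += 1
        if judge(rng, combo, wait_ms):
            stats["success"] += 1
            stats["minimal"].add(isolate_minimal(rng, combo, wait_ms))
        else:
            stats["failure"] += 1
    return stats
```

Running `run_campaign(SimulatedRange(), budget=171)` covers all combinations of size 1 and 2 (18 + 153), of which exactly one escapes in this constructed model, and reports the minimal combination `{"ipv4_3", "tcp_7"}`.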
In the technical solution disclosed in the above embodiments, a large number of attack traffic data must be generated to test the IPS, each performing its own anti-escape test, and the target drone is triggered whenever attack traffic data escape successfully. After the target drone has been triggered, if the next successfully escaping attack traffic data reach it, the target drone can hardly respond to them correctly. Therefore, to guarantee that the target drone responds correctly to escaped attack traffic data, the above method further comprises, after each test of the attack traffic data with the target drone, restoring the target drone to the non-triggered state by virtual machine historical snapshot technology. Specifically, a script can use the remote management capability of VMware Workstation to restore the target drone automatically to the non-triggered state through the virtual machine historical snapshot technology.
In conclusion, the above method disclosed in the embodiments of the present application constructs in advance a complete layer 2-7 protocol stack for the attack traffic, implements several candidate escape measures on the protocol stack of each layer, adds multiple escape measures at the same time according to the protocol characteristics of the particular attack traffic, and judges automatically from the returned result whether the test case escaped. It can also use a multitask mode with multiple parallel test processes and repeated attempts; if a certain combination is found to escape successfully, the minimal escape combination is located and output by the method of stepwise isolation, thereby realizing fast testing of the anti-escape performance of the IPS.
Corresponding to the above method, disclosed herein as well is a kind of anti-escape capability test device of network intrusion protection system, In the present embodiment, the specific works content of each unit of the anti-escape capability test device of network consisting Intrusion Prevention System is asked Referring to the content of above method embodiment.
The anti-escape capability test device of network intrusion protection system provided by the embodiments of the present application is described below, under The anti-escape capability test device of network intrusion protection system and the anti-escape of network described above Intrusion Prevention System of text description Aptitude tests method can correspond to each other reference.
Referring to Fig. 3, the anti-escape capability test device of network intrusion protection system may include:
First judging unit 100, statistic unit 200, strategy combination unit 300, test cell 400 and minimum escape group Close screening unit 500;
The first judging unit 100 corresponds to step S101 of the above method and is used to judge whether there is any escape combination, matching the protocol of the attack traffic, that has not yet been traversed; if not, it outputs a trigger signal to the statistic unit, otherwise it outputs a trigger signal to the strategy combination unit.
The statistic unit 200 corresponds to step S102 of the above method and is used, when it receives the trigger signal output by the first judging unit, to count the number of escape combinations generated together with the numbers of successes and failures, and to output the statistical result.
The strategy combination unit 300 corresponds to step S103 of the above method and is used, when it receives the trigger signal output by the first judging unit, to generate one escape combination that has not been traversed and to output a trigger signal to the test unit. When generating this single escape combination, the strategy combination unit 300 may generate, according to preset rules or according to a randomized policy, one escape combination that has not been traversed and that matches the protocol of the attack traffic.
The test unit 400 corresponds to step S104 of the above method and is used, when it receives the trigger signal output by the strategy combination unit, to encapsulate and mutate the attack code layer by layer according to the single escape combination, based on a self-built protocol stack, so as to generate test attack traffic data. The detailed process may be: first apply application-layer deformation to the attack test case located at the application layer, then deform it again at the transport layer, and then deform it at the IPv4 layer. The target drone is then used to test the attack traffic data and judge the test result: if the escape fails, a trigger signal is output to the first judging unit; if the escape succeeds, a trigger signal is output to the minimum escape combination screening unit. Besides the two cases of escape success and escape failure there is also the case of delay. A delay indicates that the target drone has not yet provided a feedback result, so it is necessary to keep waiting; after a specific duration the judgement of the test result is executed again to decide whether the escape succeeded. The specific duration may be set by the user according to demand, for example 100 ms.
The minimum escape combination screening unit 500 is used, when it receives the trigger signal output by the test unit, to generate and output the minimum escape combination.
When the device disclosed in this embodiment of the application is used to test the anti-escape capability of an IPS, the first judging unit 100, on receiving a trigger signal, traverses all escape combinations that match the protocol of the attack traffic and judges whether all of them have been traversed. If all have been traversed, it triggers the statistic unit 200 to count the number of escape combinations generated together with the numbers of successes and failures, and to output the statistical result. If there is an escape combination that has not been traversed, it triggers the strategy combination unit 300, which selects one untraversed escape combination as the single escape combination to be traversed; the test unit 400 then, based on the self-built protocol stack, encapsulates and mutates the attack code layer by layer according to that single escape combination, generates the test attack traffic data, and uses it to run the anti-escape test against the IPS. When the attack traffic data fails to escape, the first judging unit 100 is triggered to judge whether all escape combinations have been traversed; when the attack traffic data escapes successfully, the minimum escape combination screening unit 500 is triggered to generate and output the minimum escape combination, after which the first judging unit 100 is again triggered to judge whether all escape combinations have been traversed. In this way the anti-escape test of the IPS is carried out automatically, which improves test efficiency and reduces test cost.
Corresponding to the above method, and referring to Fig. 4, the device disclosed in the above embodiments of the application may further include a channel configuration unit 600, used to set multiple channels that run in parallel. According to a preset number n of test processes and an IP address resource range f, it allocates an equal share of test processes and IP address resources to each channel. Specifically, the channel configuration unit 600 uses the self-built protocol stack to virtualize multiple IP addresses and run multiple processes concurrently; it sets the number n of test processes running in parallel and the IP address resource range f, uses the address pool in turn, and sends the test cases, where each attack traffic data item may serve as one test case. The channel configuration unit 600 may also detect in real time the occupancy state of each parallel channel and, when there is an idle channel, trigger the first judging unit 100, so that every channel remains occupied throughout the anti-escape test of the IPS.
In this case, when the test unit 400 uses the target drone to test the attack traffic data, it is specifically used to perform the following action:
select one idle channel and use the target drone to test the attack traffic data, thereby carrying out the anti-escape test on the IPS.
Corresponding to the method disclosed in the above embodiment, when the test unit uses the target drone to test the attack traffic data and judge the test result, it is specifically used to:
using a preset network interface, select an idle channel and send the attack traffic data, after layer-by-layer encapsulation and mutation, through the IPS to the target drone, and obtain the feedback result of the target drone; and
according to the feedback result, judge whether the attack traffic data escaped successfully.
Corresponding to the above method, the minimum escape combination screening unit in the above device is specifically used to:
gradually isolate the escape combination corresponding to the traffic that escaped successfully, generate multiple candidate escape combinations, and form a candidate escape set; then screen and verify each candidate escape combination in the candidate escape set one by one to determine the minimum escape combination. During screening and verification, each candidate escape combination may be used in turn to encapsulate and mutate the attack traffic layer by layer, and the attack traffic data obtained after encapsulation and mutation with that candidate combination is used to run the anti-escape test against the IPS; the minimum escape combination is thus obtained by stepwise screening.
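As an added example that is not part of the patent, the following Python simulation implements the test loop of Fig. 3 and the screening of unit 500. The technique labels, the blind-spot oracle standing in for the IPS and target drone, the one-at-a-time removal used to "gradually isolate" a combination, and counting a result that is still pending after a few waits as a failure are all assumptions of this example, not details the text fixes.

```python
"""Simulation of the anti-escape test loop and the minimum escape combination screening.
Added example, not code from the patent: technique names are abstract labels (no real
evasion logic) and the IPS plus target drone are replaced by a constructed oracle."""
import itertools
import time
from enum import Enum
from typing import Callable, Dict, FrozenSet, Iterable, List, Set, Tuple

Combo = FrozenSet[str]
# Constructed technique labels, grouped by the encapsulation order given in the text.
TECHNIQUES: Dict[str, List[str]] = {"app": ["A1", "A2"], "transport": ["T1", "T2"], "ipv4": ["I1"]}

class Result(Enum):
    ESCAPED = "escaped"  # traffic passed the IPS and reached the target drone
    BLOCKED = "blocked"  # the IPS stopped it: escape failure
    PENDING = "pending"  # the target drone has not answered yet: the delay case

Oracle = Callable[[Combo], Result]
Wait = Callable[[], None]

def all_escape_combinations(techniques: Dict[str, List[str]] = TECHNIQUES) -> List[Combo]:
    """Every non-empty subset of techniques: the space the first judging unit traverses."""
    flat = [t for layer in techniques.values() for t in layer]
    return [frozenset(c) for k in range(1, len(flat) + 1)
            for c in itertools.combinations(flat, k)]

def judge(oracle: Oracle, combo: Combo, wait: Wait, max_waits: int = 3) -> Result:
    """Send one test case and judge it. On PENDING, wait the specific duration and judge
    again; a result still pending after max_waits is counted as a failure (assumption)."""
    for _ in range(max_waits + 1):
        result = oracle(combo)
        if result is not Result.PENDING:
            return result
        wait()
    return Result.BLOCKED

def minimize(oracle: Oracle, combo: Combo, wait: Wait) -> Combo:
    """Screening unit 500: drop one technique at a time to form the candidate escape set,
    keep the first candidate that still escapes, and repeat until none can be dropped."""
    current = combo
    while len(current) > 1:
        candidates = [current - {t} for t in sorted(current)]
        surviving = next((c for c in candidates if judge(oracle, c, wait) is Result.ESCAPED), None)
        if surviving is None:
            break
        current = surviving
    return current

def run_anti_escape_test(oracle: Oracle, combos: Iterable[Combo],
                         wait: Wait = lambda: time.sleep(0.1)) -> Tuple[Dict[str, int], Set[Combo]]:
    """The loop of Fig. 3: traverse the combinations, count successes and failures, and
    screen every successful escape down to a minimum escape combination."""
    stats = {"generated": 0, "success": 0, "failure": 0}
    minimal: Set[Combo] = set()
    for combo in combos:
        stats["generated"] += 1
        if judge(oracle, combo, wait) is Result.ESCAPED:
            stats["success"] += 1
            minimal.add(minimize(oracle, combo, wait))
        else:
            stats["failure"] += 1
    return stats, minimal

def make_simulated_oracle(blind_spots: Iterable[Iterable[str]]) -> Oracle:
    """Constructed stand-in for IPS plus target drone: a combination escapes iff it contains
    a blind spot; the first query of each combination answers PENDING (delay case)."""
    spots = [frozenset(s) for s in blind_spots]
    seen: Set[Combo] = set()

    def oracle(combo: Combo) -> Result:
        if combo not in seen:
            seen.add(combo)
            return Result.PENDING
        return Result.ESCAPED if any(s <= combo for s in spots) else Result.BLOCKED
    return oracle

if __name__ == "__main__":
    ips = make_simulated_oracle([{"A1", "T2"}, {"A2", "T1", "I1"}])
    print(run_anti_escape_test(ips, all_escape_combinations(), wait=lambda: None))
```

The default `wait` sleeps the 100 ms the text gives as an example; the `__main__` run injects a no-op wait so the whole traversal finishes instantly.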
Corresponding to the above method, in order to ensure that the target drone can correctly generate feedback information corresponding to the escape result of the attack traffic data, the above device may further include:
an initialization unit 700, used to monitor the test unit and, each time the test unit has used the target drone to test the attack traffic data, to output a trigger signal to the target drone, so that the target drone is restored to the non-triggered state by virtual machine historical snapshot technology. Specifically, a script uses the remote management function of VMWARE-WORKSTATION to automatically restore the target drone to the non-triggered state through the virtual machine historical snapshot technology.
Corresponding to the above device, the present application also discloses an attack test machine, which may include the anti-escape capability test device of a network intrusion protection system disclosed in any one of the above embodiments of the application. In the attack test machine, each unit of the anti-escape capability test device may be integrated, in the form of a preset program, in a processor of the attack test machine; when the attack test machine is used to carry out the anti-escape test on the IPS, the processor in the attack test machine automatically calls and executes the preset program.
For convenience of description, the above system is described as divided into various modules by function. Of course, when implementing this application, the functions of the modules may be realized in one or more pieces of software and/or hardware.
All the embodiments in this specification are described in a progressive manner; the same or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, since the system or system embodiment is substantially similar to the method embodiment, it is described fairly simply, and for related details reference is made to the description of the method embodiment. The system and system embodiment described above are only schematic; the units described as separate parts may or may not be physically separate, and components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual need to achieve the purpose of the solution of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
Professionals will further appreciate that the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein can be realized in electronic hardware, computer software, or a combination of the two. In order to clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above generally in terms of function. Whether these functions are implemented in hardware or software depends on the specific application and the design constraints of the technical solution. Professional technicians may use different methods to achieve the described function for each specific application, but such an implementation should not be considered beyond the scope of this invention.
The steps of the method or algorithm described in conjunction with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module may be placed in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium well known in the technical field.
It should also be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element limited by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be realized in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (11)

1. An anti-escape capability test method of a network intrusion protection system, characterized by comprising:
judging whether there is an escape combination, matching the protocol of the attack traffic, that has not been traversed; if not, counting the number of escape combinations generated together with the numbers of successes and failures, and outputting a statistical result;
if there is an escape combination that has not been traversed, generating one escape combination that has not been traversed;
based on a self-built protocol stack, encapsulating and mutating attack code layer by layer according to the single escape combination, and generating test attack traffic data;
testing the attack traffic data with a target drone and judging the test result; if the escape fails, executing the action of judging whether there is an escape combination that has not been traversed and its subsequent actions; if the escape succeeds, generating and outputting a minimum escape combination, and then executing the action of judging whether there is an escape combination that has not been traversed and its subsequent actions.
2. The anti-escape capability test method of a network intrusion protection system according to claim 1, characterized in that, before testing the attack traffic data with the target drone, the method further comprises:
setting the number n of test processes running in parallel and the IP address resource range f;
and testing the attack traffic data with the target drone comprises:
selecting one test process and an idle IP address, and testing the attack traffic data with the target drone.
3. The anti-escape capability test method of a network intrusion protection system according to claim 1, characterized in that testing the attack traffic data with the target drone and judging the test result comprises:
using a preset network interface, sending the attack traffic data after layer-by-layer encapsulation and mutation to the target drone, and obtaining the feedback result of the target drone;
according to the feedback result, judging whether the attack traffic data escaped successfully.
4. The anti-escape capability test method of a network intrusion protection system according to claim 1, characterized in that generating and outputting the minimum escape combination comprises:
gradually isolating the escape combination corresponding to the traffic that escaped successfully, generating multiple candidate escape combinations, and forming a candidate escape set;
screening and verifying each candidate escape combination in the candidate escape set one by one to determine the minimum escape combination.
5. The anti-escape capability test method of a network intrusion protection system according to claim 1, characterized in that, after each test of the attack traffic data with the target drone, the method further comprises:
restoring the target drone to the non-triggered state by virtual machine historical snapshot technology.
6. An anti-escape capability test device of a network intrusion protection system, characterized by comprising:
a first judging unit, used to judge whether there is an escape combination, matching the protocol of the attack traffic, that has not been traversed; if not, outputting a trigger signal to a statistic unit, otherwise outputting a trigger signal to a strategy combination unit;
the statistic unit, used, when receiving the trigger signal output by the first judging unit, to count the number of escape combinations generated together with the numbers of successes and failures, and to output a statistical result;
the strategy combination unit, used, when receiving the trigger signal output by the first judging unit, to generate one escape combination that has not been traversed and to output a trigger signal to a test unit;
the test unit, used, when receiving the trigger signal output by the strategy combination unit, to encapsulate and mutate attack code layer by layer according to the single escape combination based on a self-built protocol stack and to generate test attack traffic data; to test the attack traffic data with a target drone and judge the test result; if the escape fails, to output a trigger signal to the first judging unit, and if the escape succeeds, to output a trigger signal to a minimum escape combination screening unit;
the minimum escape combination screening unit, used, when receiving the trigger signal output by the test unit, to generate and output a minimum escape combination and to output a trigger signal to the first judging unit.
7. The anti-escape capability test device of a network intrusion protection system according to claim 6, characterized by further comprising: a channel configuration unit, used to set the number of test processes running in parallel and the IP address resource range;
and the test unit, when testing the attack traffic data with the target drone, specifically comprises:
selecting one test process and an idle IP address, and testing the attack traffic data with the target drone.
8. The anti-escape capability test device of a network intrusion protection system according to claim 6, characterized in that the test unit, when testing the attack traffic data with the target drone and judging the test result, is specifically used to:
using a preset network interface, select one test process and an idle IP address, send the attack traffic data after layer-by-layer encapsulation and mutation to the target drone, and obtain the feedback result of the target drone;
according to the feedback result, judge whether the attack traffic data escaped successfully.
9. The anti-escape capability test device of a network intrusion protection system according to claim 6, characterized in that the minimum escape combination screening unit is specifically used to:
gradually isolate the escape combination corresponding to the traffic that escaped successfully, generate multiple candidate escape combinations, and form a candidate escape set;
screen and verify each candidate escape combination in the candidate escape set one by one to determine the minimum escape combination.
10. The anti-escape capability test device of a network intrusion protection system according to claim 6, characterized by further comprising:
an initialization unit, used to monitor the test unit and, each time the test unit has tested the attack traffic data with the target drone, to output a trigger signal to the target drone, so that the target drone is restored to the non-triggered state by virtual machine historical snapshot technology.
11. A test machine, characterized by comprising the anti-escape capability test device of a network intrusion protection system according to any one of claims 6 to 10.
CN201710976993.XA 2017-10-19 2017-10-19 Method, device and tester for testing escape resistance of network intrusion protection system Active CN109688088B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710976993.XA CN109688088B (en) 2017-10-19 2017-10-19 Method, device and tester for testing escape resistance of network intrusion protection system


Publications (2)

Publication Number Publication Date
CN109688088A true CN109688088A (en) 2019-04-26
CN109688088B CN109688088B (en) 2023-07-28

Family

ID=66182996

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710976993.XA Active CN109688088B (en) 2017-10-19 2017-10-19 Method, device and tester for testing escape resistance of network intrusion protection system

Country Status (1)

Country Link
CN (1) CN109688088B (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120192272A1 (en) * 2011-01-20 2012-07-26 F-Secure Corporation Mitigating multi-AET attacks
CN103746885A (en) * 2014-01-28 2014-04-23 中国人民解放军信息安全测评认证中心 Test system and test method oriented to next-generation firewall
CN106874755A (en) * 2017-01-22 2017-06-20 中国人民解放军信息工程大学 The consistent escape error processing apparatus of majority and its method based on mimicry Prevention-Security zero-day attacks
CN106998323A (en) * 2017-03-06 2017-08-01 深信服科技股份有限公司 Application layer network attack emulation mode, apparatus and system


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114070766A (en) * 2021-11-15 2022-02-18 中国建设银行股份有限公司 Network security product validity detection method and related equipment
CN114070766B (en) * 2021-11-15 2023-08-11 中国建设银行股份有限公司 Network security product effectiveness detection method and related equipment
CN114553551A (en) * 2022-02-24 2022-05-27 杭州迪普科技股份有限公司 Method and device for testing intrusion prevention system
CN114553551B (en) * 2022-02-24 2024-02-09 杭州迪普科技股份有限公司 Method and device for testing intrusion prevention system

Also Published As

Publication number Publication date
CN109688088B (en) 2023-07-28


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant