CN109688088B - Method, device and tester for testing escape resistance of network intrusion protection system - Google Patents


Info

Publication number
CN109688088B
Authority
CN
China
Prior art keywords
escape
combination
test
attack
testing
Prior art date
Legal status
Active
Application number
CN201710976993.XA
Other languages
Chinese (zh)
Other versions
CN109688088A (en)
Inventor
熊琦
张宝峰
许源
王峰
Current Assignee
China Information Technology Security Evaluation Center
Original Assignee
China Information Technology Security Evaluation Center
Priority date
Filing date
Publication date
Application filed by China Information Technology Security Evaluation Center
Priority to CN201710976993.XA
Publication of CN109688088A
Application granted
Publication of CN109688088B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The application provides a method, a device and a tester for testing the escape resistance of a network intrusion prevention system (IPS). The method comprises: judging whether an untraversed escape combination matching the protocol of the attack traffic exists; if not, counting the number of generated escape combinations and the numbers of successful and failed escapes, and outputting the statistics; if one exists, generating a single untraversed escape combination; encapsulating and mutating the attack code layer by layer according to that single escape combination on a self-built protocol stack, to generate test attack traffic data; and sending the attack traffic data through the IPS to a target machine and judging the test result. If the escape fails, the method returns to the judgment of whether an untraversed escape combination exists and the subsequent steps; if the escape succeeds, a minimum escape combination is generated and output before returning to that judgment and the subsequent steps. The anti-escape test of the IPS is thereby automated, test efficiency is improved and test cost is reduced.

Description

Method, device and tester for testing escape resistance of network intrusion protection system
Technical Field
The invention relates to the technical field of computer networks, and in particular to a method, a device and a tester for testing the escape resistance of a network intrusion prevention system, in which the anti-escape test of the IPS is carried out by automatically combining escape measures.
Background
An intrusion prevention system (IPS) is a computer network security facility that complements antivirus software (Antivirus Programs) and firewalls (Application Gateway). After development, an IPS must be security-tested; at present, security testing of an IPS consists mainly of functional testing and penetration testing. During penetration testing, the anti-escape capability of the protected service ports must be checked: specific escape measures (IPS evasion techniques) are applied to attack traffic that the IPS is known to recognise, so that the original characteristics of the traffic change, and it is then checked whether the IPS can still accurately identify and block the transformed attack traffic.
In the conventional approach, anti-escape detection of an IPS is carried out manually or semi-automatically; the process is time-consuming and laborious, and detection efficiency is low.
Disclosure of Invention
In view of the above, the embodiments of the present invention provide a method, a device and a tester for testing the anti-escape capability of a network intrusion prevention system, so as to solve the problems of time and effort consumption and low detection efficiency that arise in the prior art when anti-escape detection of an IPS is performed manually or semi-automatically.
In order to achieve the above object, the embodiment of the present invention provides the following technical solutions:
A method for testing the anti-escape capability of a network intrusion prevention system comprises the following steps:
judging whether an untraversed escape combination matching the protocol of the attack traffic exists; if not, counting the number of generated escape combinations and the numbers of successful and failed escapes, and outputting the statistical result;
if an untraversed escape combination exists, generating a single untraversed escape combination;
encapsulating and mutating the attack code layer by layer according to the single escape combination on a self-built protocol stack, to generate test attack traffic data;
and testing the attack traffic data with the target machine and judging the test result: if the escape fails, returning to the judgment of whether an untraversed escape combination exists and the subsequent steps; if the escape succeeds, generating and outputting a minimum escape combination, and then returning to that judgment and the subsequent steps.
Preferably, in the method for testing the anti-escape capability of the network intrusion prevention system, before the attack traffic data is tested with the target machine, the method further includes:
setting the number n of test processes running in parallel and an IP address resource range f;
and testing the attack traffic data with the target machine includes:
selecting a test process and an idle IP address, and testing the attack traffic data with the target machine through them.
Preferably, in the method for testing the anti-escape capability of a network intrusion prevention system, testing the attack traffic data with the target machine and judging the test result includes:
sending the layer-by-layer encapsulated and mutated attack traffic data to the target machine through a preset network interface, and obtaining the feedback result of the target machine;
and judging from the feedback result whether the attack traffic data escaped successfully.
Preferably, in the method for testing the anti-escape capability of the network intrusion prevention system, generating and outputting a minimum escape combination includes:
gradually isolating the escape combination corresponding to the successfully escaped traffic, so as to generate a plurality of candidate escape combinations that form a candidate escape set;
and screening and verifying each candidate escape combination in the candidate escape set one by one to determine the minimum escape combination.
Preferably, in the method for testing the anti-escape capability of the network intrusion prevention system, after each test of attack traffic data with the target machine, the method further includes:
restoring the target machine to its untriggered state by means of a virtual machine snapshot.
A device for testing the anti-escape capability of a network intrusion prevention system comprises:
a first judging unit, configured to judge whether an untraversed escape combination matching the protocol of the attack traffic exists; if not, it outputs a trigger signal to the statistics unit, otherwise it outputs a trigger signal to the policy combination unit;
the statistics unit, configured to count, upon receiving the trigger signal from the first judging unit, the number of generated escape combinations and the numbers of successful and failed escapes, and to output the statistical result;
the policy combination unit, configured to generate a single untraversed escape combination upon receiving the trigger signal from the first judging unit, and to output a trigger signal to the test unit;
the test unit, configured, upon receiving the trigger signal from the policy combination unit, to encapsulate and mutate the attack code layer by layer according to the single escape combination on the self-built protocol stack so as to generate test attack traffic data, to test the attack traffic data with the target machine and judge the test result, and to output a trigger signal to the first judging unit if the escape fails or to the minimum escape combination screening unit if the escape succeeds;
and the minimum escape combination screening unit, configured to generate and output a minimum escape combination upon receiving the trigger signal from the test unit, and to output a trigger signal to the first judging unit.
Preferably, the above device for testing the anti-escape capability of a network intrusion prevention system further includes a channel configuration unit, configured to set the number of test processes running in parallel and the IP address resource range;
and the test unit, when testing the attack traffic data with the target machine, specifically:
selects a test process and an idle IP address, and tests the attack traffic data with the target machine through them.
Preferably, in the above device for testing the anti-escape capability of a network intrusion prevention system, the test unit is specifically configured to:
select a test process and an idle IP address, send the layer-by-layer encapsulated and mutated attack traffic data to the target machine through a preset network interface, and obtain the feedback result of the target machine;
and judge from the feedback result whether the attack traffic data escaped successfully.
Preferably, in the above device for testing the anti-escape capability of a network intrusion prevention system, the minimum escape combination screening unit is specifically configured to:
gradually isolate the escape combination corresponding to the successfully escaped traffic, so as to generate a plurality of candidate escape combinations that form a candidate escape set;
and screen and verify each candidate escape combination in the candidate escape set one by one to determine the minimum escape combination.
Preferably, the above device for testing the anti-escape capability of a network intrusion prevention system further includes:
an initialisation unit, configured to monitor the test unit and, after each test of attack traffic data with the target machine, to output a trigger signal to the target machine so that it is restored to its untriggered state by means of a virtual machine snapshot.
A tester, comprising the device for testing the anti-escape capability of a network intrusion prevention system according to any one of the above embodiments.
Based on the above technical solution, the solution provided by the embodiments of the present invention traverses all escape combinations matching the protocol of the attack traffic and judges whether they have all been traversed. If they have, it counts the number of generated escape combinations and the numbers of successful and failed escapes, and outputs the statistical result. If an untraversed escape combination exists, it selects one untraversed escape combination as the single escape combination for this iteration, encapsulates and mutates the attack code layer by layer according to that combination on the self-built protocol stack, generates test attack traffic data and uses it to perform the anti-escape test on the IPS. When the attack traffic data fails to escape, it judges again whether all escape combinations have been traversed; when the attack traffic data escapes successfully, it generates and outputs a minimum escape combination and then judges again whether all escape combinations have been traversed. Automatic anti-escape testing of the IPS is thereby achieved, improving test efficiency and reducing test cost.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings required for the embodiments or for the description of the prior art are briefly introduced below. Evidently, the drawings described below show only some embodiments of the present invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a flow chart of a method for testing the escape-resistant capability of a network intrusion prevention system according to an embodiment of the present application;
fig. 2 is a schematic diagram of a scenario in which the anti-escape detection of an IPS is performed with an attack tester and a target machine, according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a device for testing the anti-escape capability of a network intrusion prevention system according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a device for testing the anti-escape capability of a network intrusion prevention system according to another embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person skilled in the art based on these embodiments without inventive effort fall within the scope of the present invention.
To address the time, labour and low efficiency of manual or semi-automatic anti-escape detection of an IPS in the prior art, the application discloses a method, a device and a tester for testing the anti-escape capability of a network intrusion prevention system, which automatically combine escape measures for the anti-escape test.
Fig. 1 is a flow chart of a method for testing the escape-resistant capability of a network intrusion prevention system according to an embodiment of the present application. Referring to fig. 1, the method may include:
Step S101: judging whether an untraversed escape combination matching the protocol of the attack traffic exists; if not, executing step S102, and if so, executing step S103;
In this step, an escape combination is a set of escape measures applied to the attack traffic as its escape policy. Each protocol layer of the attack traffic has several escape measures available: for example, the IPv4 layer has 8 escape measures such as fragmentation, and the TCP layer has measures such as urgent data. In general, attack traffic carried in an upper-layer protocol can use the escape measures of all the protocol layers beneath it, according to the protocol characteristics of the traffic. For example, for rdp_dos attack traffic (CVE-2012-0002), whose attack payload is at the application layer, a total of 18 escape measures at the IPv4 and TCP levels can be selected. Combining them freely yields a set of 2^18 - 1 escape combinations, and through the self-built protocol stack the attack data at layers 2 to 7 can be modified to generate attack traffic carrying the chosen escape policy.
Step S102: counting the number of generated escape combinations and the numbers of successful and failed escapes, and outputting the statistical result;
In this step, so that the performance of the IPS can be checked conveniently, the traversal result is tallied once all escape combinations have been traversed: the number of traversed escape combinations, and the numbers of times the IPS resisted or failed to resist escape. From these figures the user can make a preliminary assessment of the performance of the IPS.
Step S103: if an untraversed escape combination exists, generating a single untraversed escape combination, and executing step S104;
In this step, if it is determined that an untraversed escape combination matching the protocol of the attack traffic exists, a single such combination is generated according to a preset rule or a random policy.
Step S104: encapsulating and mutating the attack code layer by layer according to the single escape combination on the self-built protocol stack, to generate test attack traffic data, and executing step S105;
In this scheme, combined escape is realised on the self-built protocol stack, and multiple escape measures can be applied according to the protocol characteristics of the attack traffic.
In this step, the combination of several escape measures is integrated with a preset self-built protocol stack, which encapsulates and mutates the attack traffic according to the escape combination. For example, with a Python-based packet-crafting tool such as Scapy, the attack code can be encapsulated and mutated layer by layer according to the escape combination e selected for this iteration, producing the test attack traffic data used to test the IPS.
Specifically, the layer-by-layer encapsulation and mutation of the attack test case proceeds as follows: the attack test case, which is located at the application layer, is first transformed at the application layer, then at the transport layer, and then at the IPv4 layer.
Step S105: testing the attack traffic data with the target machine, and executing step S106;
When the attack traffic data is tested, whether the attack traffic escapes successfully is decided by exploiting the difference between how the IPS and the target machine interpret the escape combination, namely "the IPS cannot interpret the traffic and lets it pass, while the target machine can interpret it and triggers the vulnerability". When this happens, the attack traffic is considered to have escaped successfully.
In this step, referring to fig. 2, the tester (attack tester) sends the attack traffic data through the IPS to the target machine and determines whether the attack traffic data passes the IPS and reaches the target machine, thereby detecting the anti-escape capability of the IPS.
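As an added illustration of steps S104 to S106, not code from the patent, the following Python models one escape measure (IPv4 fragmentation) and the difference in interpretation between an IPS that inspects packets one at a time and a target machine that reassembles them before the application sees the data. The attack payload, the signature the IPS matches on, the addresses and the IP identification are constructed for the example; the transport header is omitted, and a real harness would use Scapy or the self-built protocol stack to emit the packets on the wire instead of keeping them in memory.

```python
import struct

# Constructed attack payload and detection signature for the example; neither is
# data from the patent. Only the IPv4 layer is modelled; no TCP header is built.
SIGNATURE = b"EXPLOIT-MARKER"
ATTACK_PAYLOAD = b"GET /" + SIGNATURE + b" HTTP/1.0\r\n\r\n"


def ipv4_checksum(header):
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(data, src, dst, ident, offset_units=0, more_fragments=False, ttl=64):
    """Build one IPv4 packet (20-byte header, no options); offset is in 8-byte units."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), ident,
                      flags_frag, ttl, 6, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + data


def fragmentation_escape(data, src, dst, ident, frag_size=8):
    """Escape measure 'fragmentation': emit the datagram as fragments whose data
    length is a multiple of 8, so that no single fragment carries the whole signature."""
    if frag_size % 8:
        raise ValueError("fragment data length must be a multiple of 8")
    frags = []
    for off in range(0, len(data), frag_size):
        chunk = data[off:off + frag_size]
        more = off + len(chunk) < len(data)
        frags.append(build_ipv4(chunk, src, dst, ident, off // 8, more))
    return frags


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {"id": ident, "offset": (flags_frag & 0x1FFF) * 8,
            "mf": bool(flags_frag & 0x2000), "data": pkt[ihl:total_len],
            "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0}


def naive_ips_blocks(packets):
    """IPS model that inspects every packet on its own, without IP reassembly."""
    return any(SIGNATURE in parse_ipv4(p)["data"] for p in packets)


def target_reassemble(packets):
    """Target machine model: reassembles fragments by identification and offset,
    as a real IP stack does before handing the datagram to the application."""
    by_id = {}
    for p in packets:
        f = parse_ipv4(p)
        by_id.setdefault(f["id"], []).append(f)
    datagrams = {}
    for ident, frags in by_id.items():
        buf = bytearray()
        for f in sorted(frags, key=lambda x: x["offset"]):
            if len(buf) < f["offset"]:
                buf.extend(b"\x00" * (f["offset"] - len(buf)))
            buf[f["offset"]:f["offset"] + len(f["data"])] = f["data"]
        datagrams[ident] = bytes(buf)
    return datagrams


def target_triggered(packets):
    return any(SIGNATURE in d for d in target_reassemble(packets).values())


def run_case(use_fragmentation):
    """One S104-S106 round: build the traffic, pass it through the IPS model, and
    declare escape only if the IPS let it through AND the target reassembled the attack."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    if use_fragmentation:
        pkts = fragmentation_escape(ATTACK_PAYLOAD, src, dst, ident=0x1234)
    else:
        pkts = [build_ipv4(ATTACK_PAYLOAD, src, dst, ident=0x1234)]
    blocked = naive_ips_blocks(pkts)
    return {"packets": len(pkts),
            "checksums_ok": all(parse_ipv4(p)["checksum_ok"] for p in pkts),
            "blocked": blocked,
            "escaped": (not blocked) and target_triggered(pkts)}
```

The unfragmented case is blocked because the signature sits in one packet; the fragmented case escapes because each 8-byte fragment is clean on its own while the target's reassembly restores the attack. An IPS that resists this measure must reassemble (or at least buffer fragments by identification) before matching, which is exactly what the test is probing for.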
Step S106: judging the test result of the attack traffic data; if the result shows that the escape failed, executing step S101, and if the escape succeeded, executing step S107;
In this scheme, the layer-by-layer encapsulated and mutated attack traffic data can be sent to the target machine through a preset network interface and the feedback result of the target machine obtained; whether the attack traffic data escaped successfully is then judged automatically from the feedback, without manually checking the alarm records of the device. Besides the two outcomes of successful and failed escape, there is a delayed case in which the target machine has not yet returned a feedback result; the tester then waits for a set period and executes this step again. The period can be set by the user according to requirements, for example to 100 ms.
Step S107: generating and outputting a minimum escape combination, and executing step S101;
Once the minimum escape combination is determined, it helps the testers and the developers of the IPS to locate and fix the problem precisely.
When the method disclosed in this embodiment is used to test the anti-escape performance of an IPS, all escape combinations matching the protocol of the attack traffic are traversed and it is judged whether they have all been traversed. If they have, the number of generated escape combinations and the numbers of successful and failed escapes are counted and the statistical result is output. If an untraversed escape combination exists, one untraversed escape combination is selected as the single escape combination for this iteration; the attack code is encapsulated and mutated layer by layer according to it on the self-built protocol stack, test attack traffic data is generated, and the anti-escape test is performed on the IPS with that data. When the attack traffic data fails to escape, it is judged again whether all escape combinations have been traversed; when it escapes successfully, the minimum escape combination is generated and output and it is then judged again whether all escape combinations have been traversed. Automatic anti-escape testing of the IPS is thereby achieved, improving test efficiency and reducing test cost.
In the technical solution disclosed in another embodiment of the application, to improve test efficiency further, the anti-escape test may be run against the IPS over several channels in parallel; that is, in the above solution, before the attack traffic data is tested with the target machine, the method further includes:
setting the number n of test processes running in parallel and the IP address resource range f, configuring a plurality of parallel channels according to the preset n and f, and assigning a test process and an IP address resource to each channel;
Specifically, to improve efficiency, the self-built protocol stack is used to virtualise a plurality of IP addresses and run a plurality of processes concurrently: the number n of parallel test processes and the IP address resource range f are set, the addresses in the pool are used in turn, and the test cases are sent, so that the IPS is tested in parallel and test efficiency is further improved. The IP address resource range f must be larger than the number of test processes n; the tester can choose the values of n and f according to the performance of the test machine.
When the anti-escape capability test is performed over a plurality of parallel channels, an idle channel may be selected randomly or according to a preset rule when the attack traffic data is tested with the target machine, which specifically includes: selecting a test process and an idle IP address, and testing the attack traffic data with the target machine through them. The scheme thus works in multi-task mode: several test processes run in parallel, each with its own IP address, so that they do not interfere with one another and test efficiency is improved.
In addition, the occupied state of each parallel channel may be detected in real time, and step S101 is executed whenever an idle channel exists, so that every channel is kept busy throughout the anti-escape test of the IPS.
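The channel scheme above, as an added example that is not the patent's own code: n worker threads (standing in for the test processes) draw idle source addresses from a pool built from the IP range f, release them when the test returns, and the allocator refuses a configuration in which f is not larger than n. simulated_send, the CIDR form of f and the constructed cases are assumptions for the example; a real harness would bind the selected address on the self-built protocol stack and send through the IPS.

```python
import threading
from concurrent.futures import ThreadPoolExecutor
from ipaddress import ip_network
from queue import Queue


def build_address_pool(ip_range):
    """Turn the IP address resource range f (given here as a CIDR block, an
    assumption for the example) into a pool of usable host addresses."""
    pool = Queue()
    for host in ip_network(ip_range, strict=False).hosts():
        pool.put(str(host))
    return pool


class ChannelAllocator:
    """Hands out (process slot, idle source IP) pairs. f must exceed n so that every
    concurrently running test process can hold a distinct address."""

    def __init__(self, n, ip_range):
        self.pool = build_address_pool(ip_range)
        if self.pool.qsize() <= n:
            raise ValueError("IP range f must be larger than the process count n")
        self.n = n
        self.in_use = set()
        self.lock = threading.Lock()

    def run_all(self, cases, send):
        def channel(case):
            ip = self.pool.get()                  # blocks until some address is idle
            with self.lock:
                if ip in self.in_use:             # invariant: no two channels share an IP
                    raise RuntimeError("address %s handed out twice" % ip)
                self.in_use.add(ip)
            try:
                return send(case, ip)
            finally:
                with self.lock:
                    self.in_use.discard(ip)
                self.pool.put(ip)                 # return the address to the pool

        with ThreadPoolExecutor(max_workers=self.n) as ex:
            return list(ex.map(channel, cases))   # results keep the case order


def simulated_send(case, src_ip):
    """Stand-in for 'send the test case from src_ip through the IPS and read the
    target's feedback'. Constructed outcome: odd combination ids escape."""
    combo_id = case["combo_id"]
    return {"combo_id": combo_id, "src_ip": src_ip, "escaped": combo_id % 2 == 1}


def run_parallel_campaign(n=4, ip_range="10.10.0.0/28", case_count=20):
    """Constructed campaign: 20 escape combinations over 4 channels drawn from 14 hosts."""
    cases = [{"combo_id": i} for i in range(case_count)]
    return ChannelAllocator(n, ip_range).run_all(cases, simulated_send)
```

Keeping the pool strictly larger than the worker count is what lets a channel return its address after the target's feedback (or the 100 ms wait) without any other channel ever blocking on an address; the failed escapes and the successful ones are counted from the returned records exactly as in step S102.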
In step S107, when attack traffic data has escaped successfully, the escape combination matching that traffic is taken and processed to obtain a minimum escape combination: the escape combination corresponding to the successfully escaped traffic is gradually isolated to generate a plurality of candidate escape combinations, which form a candidate escape set, and each candidate in the set is screened and verified one by one to determine the minimum escape combination. During screening and verification, each candidate escape combination is used to encapsulate and mutate the attack traffic layer by layer, and the resulting attack traffic data is again used to test the IPS for escape, so that the minimum escape combination is obtained by progressive screening.
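As an added example (not from the patent) of the traversal in steps S101 to S103, the statistics of step S102 and the gradual-isolation minimisation of step S107 described above, the following Python enumerates every non-empty escape combination over a constructed catalogue of measures, queries a simulated oracle in place of the real send-and-feedback path, and reduces each successful combination to one from which no single measure can be removed. ESCAPE_MEASURES and simulated_oracle are assumptions for the example; the patent's own catalogue is only partially listed on the page.

```python
from itertools import combinations

# Constructed escape measure catalogue per protocol layer (assumption for the example).
ESCAPE_MEASURES = {
    "ipv4": ["fragmentation", "fragment_overlap", "fragment_reorder"],
    "tcp": ["segmentation", "urgent_data", "segment_reorder"],
}


def escape_combinations(layers):
    """S101/S103: every non-empty subset of the measures available to the attack
    traffic's protocol layers, i.e. 2^k - 1 combinations for k measures."""
    measures = [m for layer in layers for m in ESCAPE_MEASURES[layer]]
    for k in range(1, len(measures) + 1):
        for combo in combinations(measures, k):
            yield frozenset(combo)


def simulated_oracle(combo):
    """Stand-in for S105/S106: send the mutated traffic through the IPS to the target
    and read the feedback. Assumed behaviour: this IPS fails on overlapping fragments
    that are also TCP-segmented, and the target triggers on every combination."""
    ips_passes = {"fragment_overlap", "segmentation"} <= combo
    target_triggers = True
    return ips_passes and target_triggers


def minimise(combo, oracle):
    """S107, gradual isolation: form the candidate escape set by dropping one measure
    at a time, verify each candidate, keep the first that still escapes, and repeat
    until no measure can be removed. The result is 1-minimal: removing any single
    remaining measure makes the escape fail."""
    current = frozenset(combo)
    while True:
        candidates = [current - {m} for m in sorted(current)]
        surviving = next((c for c in candidates if c and oracle(c)), None)
        if surviving is None:
            return current
        current = surviving


def run_campaign(layers, oracle):
    """Full traversal of S101-S107; returns the S102 statistics and the set of
    minimum escape combinations found."""
    stats = {"generated": 0, "escaped": 0, "blocked": 0, "oracle_calls": 0}

    def counted(combo):
        stats["oracle_calls"] += 1
        return oracle(combo)

    minimal = set()
    for combo in escape_combinations(layers):
        stats["generated"] += 1
        if counted(combo):
            stats["escaped"] += 1
            minimal.add(minimise(combo, counted))
        else:
            stats["blocked"] += 1
    return stats, minimal
```

With six measures the traversal generates 63 combinations, of which the 16 containing both fragment_overlap and segmentation escape, and every one of them minimises to the same two-measure root cause. The oracle-call counter shows where the cost lies: the exhaustive 2^18 - 1 traversal of the patent's example dwarfs the handful of extra verifications that gradual isolation adds per success.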
In the technical solution disclosed in the foregoing embodiments, a large amount of attack traffic data must be generated when testing the IPS, and each item of attack traffic data performs one anti-escape test on the IPS. When attack traffic data escapes successfully, the target machine is triggered, and once triggered it may be unable to respond correctly to the next successfully escaped attack traffic data that reaches it. To ensure that the target machine can respond correctly to escaped attack traffic data, the method therefore further includes, after each test of attack traffic data with the target machine, restoring the target machine to its untriggered state by means of a virtual machine snapshot. Specifically, a script can use the remote management function of VMware Workstation to revert the target machine to a saved snapshot automatically.
In summary, the method disclosed in the embodiments of the application constructs in advance a complete layer 2 to layer 7 protocol stack for the attack traffic, implements a plurality of candidate escape measures at each layer, and attaches several escape measures at once according to the protocol characteristics of the specific attack traffic. It decides automatically from the returned result whether the test case escaped, can run several test processes in parallel in multi-task mode and try repeatedly, and, when a combination is found to escape successfully, locates and outputs the minimum escape combination by gradual isolation, thus achieving a rapid test of the anti-escape performance of the IPS.
Corresponding to the method, the application also discloses a device for testing the anti-escape capability of a network intrusion prevention system. In this embodiment, the specific operation of each unit making up the device is as described in the method embodiment above.
The device described below and the method described above can be referred to in correspondence with each other.
Referring to fig. 3, the device for testing the anti-escape capability of a network intrusion prevention system may include:
a first judging unit 100, a statistics unit 200, a policy combination unit 300, a test unit 400 and a minimum escape combination screening unit 500;
the first judging unit 100 corresponds to step S101 of the method above and is configured to judge whether an untraversed escape combination matching the protocol of the attack traffic exists; if not, it outputs a trigger signal to the statistics unit, otherwise to the policy combination unit;
the statistics unit 200 corresponds to step S102 and is configured, upon receiving the trigger signal from the first judging unit, to count the number of generated escape combinations and the numbers of successful and failed escapes, and to output the statistical result;
the policy combination unit 300 corresponds to step S103 and is configured, upon receiving the trigger signal from the first judging unit, to generate a single untraversed escape combination and to output a trigger signal to the test unit. It may generate the single escape combination matching the protocol of the attack traffic according to a preset rule or a random policy;
the test unit 400 corresponds to step S104 and is configured, upon receiving the trigger signal from the policy combination unit, to encapsulate and mutate the attack code layer by layer according to the single escape combination on the self-built protocol stack and to generate test attack traffic data. Specifically, the attack test case located at the application layer is first transformed at the application layer, then at the transport layer, and then at the IPv4 layer. The test unit then tests the attack traffic data with the target machine and judges the result, outputting a trigger signal to the first judging unit if the escape fails and to the minimum escape combination screening unit if it succeeds. Besides successful and failed escape there is a delayed case, in which the target machine has not yet returned a feedback result; the unit then waits for a set period before judging the test result again. The period can be set according to user requirements, for example to 100 ms.
The minimum escape combination screening unit 500 is configured to generate and output a minimum escape combination upon receiving the trigger signal from the test unit.
When the device disclosed in this embodiment of the present application is used to test the anti-escape capability of the IPS, the first determining unit 100, on obtaining the trigger signal, determines whether all escape combinations matching the protocol of the attack traffic have been traversed. If all escape combinations have been traversed, it triggers the statistics unit 200, which counts the number of generated escape combinations and the numbers of successes and failures and outputs the statistics result. If an un-traversed escape combination exists, it triggers the policy combination unit 300, which selects one un-traversed escape combination as the single escape combination to be tested; the test unit 400 then encapsulates and mutates the attack code layer by layer according to that single escape combination on the self-built protocol stack, generates the test attack traffic data, and uses it to perform the anti-escape test on the IPS. When the attack traffic data fails to escape, the first determining unit 100 is triggered to determine whether all escape combinations have been traversed; when the attack traffic data escapes successfully, the minimum escape combination screening unit 500 is triggered to generate and output the minimum escape combination, after which the first determining unit 100 is again triggered to determine whether all escape combinations have been traversed. In this way the anti-escape test of the IPS is carried out automatically, test efficiency is improved, and test cost is reduced.
Corresponding to the above method and referring to fig. 4, the apparatus disclosed in the above embodiment of the present application may further include a channel configuration unit 600, configured to set up a plurality of channels running in parallel and to assign a test process and IP address resources to each channel according to a preset number n of test processes and an IP address resource range f. In a specific implementation, the channel configuration unit 600 uses the self-built protocol stack to virtualize a plurality of IP addresses and run a plurality of processes concurrently: it sets the number n of test processes running in parallel and the IP address resource range f, draws addresses from the address pool in turn, and sends the test cases, where each item of attack traffic data can serve as a test case. The channel configuration unit 600 may further detect the occupancy state of each parallel channel in real time and, when there is an idle channel, trigger the first judging unit 100, so that every channel is kept occupied for the duration of the anti-escape test of the IPS.
At this time, the test unit 400 is specifically configured to perform the following action when testing the attack traffic data with the target machine:
selecting an idle channel and performing the anti-escape test on the IPS with the target machine and the attack traffic data.
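The channel configuration unit described above keeps n test processes busy and draws source addresses from the address pool in turn. The following is an added illustration of that scheduling idea, not code from the patent or its applicant: the channels are threads, the "test" is a constructed stand-in function, and the address range, channel count and case numbers are assumed values.

```python
import ipaddress
import threading
from collections import Counter
from concurrent.futures import ThreadPoolExecutor
from itertools import cycle


class ChannelPool:
    """n parallel test channels, each drawing a virtual source address from the pool in turn.

    A semaphore models the "idle channel" check: a test case is only dispatched
    when one of the n channels is free, so every channel stays occupied while
    cases remain.
    """

    def __init__(self, n_processes, ip_range):
        self.n = n_processes
        # Address pool: all host addresses of the range, reused round-robin.
        self._addresses = cycle(str(ip) for ip in ipaddress.ip_network(ip_range).hosts())
        self._idle = threading.Semaphore(n_processes)
        self._lock = threading.Lock()
        self._busy = 0
        self.peak_busy = 0          # highest number of simultaneously occupied channels
        self.address_usage = Counter()

    def _acquire(self):
        """Block until a channel is idle, then take the next address from the pool."""
        self._idle.acquire()
        with self._lock:
            self._busy += 1
            self.peak_busy = max(self.peak_busy, self._busy)
            src_ip = next(self._addresses)
            self.address_usage[src_ip] += 1
            return src_ip

    def _release(self):
        with self._lock:
            self._busy -= 1
        self._idle.release()

    def run_cases(self, cases, test_fn):
        """Run every test case on an idle channel; returns [(case, src_ip, result)] in case order."""
        def one(case):
            src_ip = self._acquire()
            try:
                return case, src_ip, test_fn(case, src_ip)
            finally:
                self._release()

        with ThreadPoolExecutor(max_workers=self.n) as executor:
            return list(executor.map(one, cases))


def simulated_test(case, src_ip):
    """Constructed stand-in for sending one attack test case through the IPS to the target machine."""
    return {"case": case, "src": src_ip, "escaped": case % 2 == 0}


def demo_campaign(n_processes=3, ip_range="10.0.0.0/29", n_cases=10):
    """Dispatch n_cases constructed test cases over n_processes channels and return (pool, results)."""
    pool = ChannelPool(n_processes, ip_range)
    results = pool.run_cases(range(n_cases), simulated_test)
    return pool, results


if __name__ == "__main__":
    pool, results = demo_campaign()
    print("cases run:", len(results), "peak busy channels:", pool.peak_busy)
    print("address usage:", dict(pool.address_usage))
```

With a /29 range the pool holds six host addresses, so ten cases use addresses .1 to .4 twice and .5 and .6 once, and the semaphore guarantees that no more than three channels are ever occupied at once.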
Corresponding to the method disclosed in the foregoing embodiment, when the test unit tests the attack traffic data with the target machine and determines the test result, the test unit is specifically configured to:
use a preset network interface, select an idle channel, send the attack traffic data that has been encapsulated and mutated layer by layer to the target machine through the IPS, and obtain the feedback result of the target machine;
and judge, according to the feedback result, whether the attack traffic data escaped successfully.
Corresponding to the method, the minimum escape combination screening unit in the device is specifically configured to:
gradually isolate the escape combination corresponding to the data traffic that escaped successfully to generate a plurality of candidate escape combinations, which form a candidate escape set; and screen and validate each candidate escape combination in the candidate escape set one by one to determine the minimum escape combination. During screening and verification, each candidate escape combination can be used to encapsulate and mutate the attack traffic layer by layer, and the anti-escape test is carried out on the IPS with the attack traffic data obtained after encapsulation and mutation with that candidate escape combination, so that the minimum escape combination is obtained by gradual screening.
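The traversal loop of the first judging, statistics and policy combination units and the gradual isolation performed by the minimum escape combination screening unit can both be shown in one small harness. The following is an added example, not code from the patent or its applicant: the escape measures are abstract labels, the IPS and target machine are replaced by a constructed simulator whose detection rule is an assumption, and the delayed-feedback wait of 100 ms is modelled by re-polling the simulator.

```python
import time
from itertools import product

# Candidate escape measures per protocol layer (constructed labels; None = no
# measure at this layer). A real tester would apply them in its self-built
# protocol stack: application layer first, then transport, then IPv4.
LAYER_MEASURES = {
    "application": [None, "app_a", "app_b"],
    "transport": [None, "tr_a", "tr_b"],
    "ipv4": [None, "ip_a"],
}

DEFAULT_WAIT_S = 0.1  # time to wait before re-checking a target that has not answered yet


def enumerate_combinations(measures):
    """Yield every escape combination as a tuple of (layer, measure) pairs in layer order."""
    layers = list(measures)
    for choice in product(*(measures[layer] for layer in layers)):
        yield tuple((layer, m) for layer, m in zip(layers, choice) if m is not None)


class SimulatedTarget:
    """Constructed stand-in for the IPS plus target machine; not a real detector.

    Assumed rule: the simulated IPS misses the attack when app_b is present, or
    when tr_b and ip_a are used together. The very first query returns None to
    model a target that has not yet produced feedback.
    """

    def __init__(self):
        self.pending = True
        self.queries = 0

    def feedback(self, combo):
        self.queries += 1
        if self.pending:
            self.pending = False
            return None
        present = set(combo)
        return ("application", "app_b") in present or (
            ("transport", "tr_b") in present and ("ipv4", "ip_a") in present)


def judge(target, combo, wait_s=DEFAULT_WAIT_S, max_polls=10):
    """Return True if the combination escaped; wait and re-poll while feedback is delayed."""
    for _ in range(max_polls):
        result = target.feedback(combo)
        if result is not None:
            return result
        time.sleep(wait_s)
    return False  # assumption: still no feedback after max_polls counts as "not escaped"


def minimize_escape(combo, escapes):
    """Gradually isolate measures: drop one at a time while the traffic still escapes.

    Each reduced tuple is a candidate escape combination; it is kept only if the
    test still succeeds, so the result is a combination from which no single
    measure can be removed.
    """
    current = list(combo)
    reduced = True
    while reduced:
        reduced = False
        for measure in list(current):
            candidate = tuple(m for m in current if m != measure)
            if escapes(candidate):
                current = list(candidate)
                reduced = True
                break
    return tuple(current)


def run_campaign(measures, target, wait_s=DEFAULT_WAIT_S):
    """Traverse all combinations, keep statistics, and minimize every successful escape."""
    def escapes(combo):
        return judge(target, combo, wait_s)

    stats = {"generated": 0, "success": 0, "failure": 0, "minimal": set()}
    for combo in enumerate_combinations(measures):
        stats["generated"] += 1
        if escapes(combo):
            stats["success"] += 1
            stats["minimal"].add(minimize_escape(combo, escapes))
        else:
            stats["failure"] += 1
    return stats


if __name__ == "__main__":
    result = run_campaign(LAYER_MEASURES, SimulatedTarget())
    print("generated:", result["generated"], "success:", result["success"], "failure:", result["failure"])
    for combo in sorted(result["minimal"]):
        print("minimal escape combination:", combo)
```

With the assumed rule the 18 combinations split into 8 successes and 10 failures, and the screening step reduces all 8 successes to just two minimal combinations, which is the information a defender wants from such a run: the smallest set of measures the IPS signature fails to cover.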
Corresponding to the method, in order to ensure that the target machine can correctly generate the feedback information corresponding to the escape result of the attack traffic data, the device may further include:
an initialization unit 700, used for monitoring the test unit and outputting a trigger signal to the target machine each time after the test unit has tested the attack traffic data with the target machine, so that the target machine is restored to an un-triggered state through a virtual machine history snapshot technology. Specifically, the target machine is automatically restored to the un-triggered state by a script that uses the remote management function of VMWARE-WORKSTATION together with the virtual machine history snapshot technology.
Corresponding to the device, the application also discloses an attack testing machine, which can comprise the network intrusion protection system anti-escape capability testing device disclosed in any one of the embodiments. In the attack testing machine, each unit of the network intrusion protection system anti-escape capability testing device can be integrated in a processor in the form of a preset program, and when the attack testing machine is used to conduct the anti-escape test on the IPS, the processor in the attack testing machine automatically calls and executes the preset program.
For convenience of description, the above system is described as being functionally divided into various modules, respectively. Of course, the functions of each module may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for a system or system embodiment, since it is substantially similar to a method embodiment, the description is relatively simple, with reference to the description of the method embodiment being made in part. The systems and system embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
It is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1. The method for testing the escape resistance of the network intrusion protection system is characterized by comprising the following steps of:
judging whether an un-traversed escape combination matched with the protocol of the attack traffic exists or not, and if not, counting the number of generated escape combinations and the numbers of successes and failures, and outputting a statistical result;
if an un-traversed escape combination exists, generating a single un-traversed escape combination;
carrying out layer-by-layer encapsulation and mutation on the attack code according to the single escape combination based on a self-built protocol stack, modifying the network attack data stream of layers 2-7 to generate test attack traffic data with multiple escape strategies, wherein the self-built protocol stack is a complete protocol stack of layers 2-7 constructed in advance on the attack traffic, a plurality of candidate escape measures are realized on the protocol stack of each layer, and multiple escape measures are added at the same time according to the protocol characteristics of the specific attack traffic; the method integrates the combination of the various escape measures by using the preset self-built protocol stack to realize the encapsulation and mutation of the attack traffic with the escape combination, and the specific process when the attack traffic is encapsulated and mutated layer by layer is as follows: firstly, carrying out application layer transformation on the attack test case positioned at the application layer, then transforming the attack test case at the transport layer, and then transforming it at the IPv4 layer;
testing the attack traffic data with a target machine and judging the test result; if the escape fails, executing the action of judging whether an un-traversed escape combination exists and the subsequent actions; if the escape succeeds, generating and outputting a minimum escape combination, and then executing the action of judging whether an un-traversed escape combination exists and the subsequent actions;
before the target machine is used to test the attack traffic data, the method further comprises the following step:
setting the number n of test processes running in parallel and an IP address resource range f;
the testing of the attack traffic data with the target machine includes:
selecting a test process and an idle IP address to test the attack traffic data with the target machine.
2. The method for testing the escape-resistant capability of a network intrusion protection system according to claim 1, wherein the step of testing the attack traffic data with a target machine and judging the test result comprises the steps of:
using a preset network interface to send the attack traffic data subjected to layer-by-layer encapsulation and mutation to the target machine, and obtaining a feedback result of the target machine;
and judging, according to the feedback result, whether the attack traffic data escaped successfully.
3. The method for testing the escape-resistant capability of a network intrusion prevention system according to claim 1, wherein generating and outputting a minimum escape combination comprises:
gradually isolating the escape combination corresponding to the data traffic that escaped successfully to generate a plurality of candidate escape combinations, which form a candidate escape set;
screening and validating each candidate escape combination in the candidate escape set one by one to determine the minimum escape combination.
4. The method of claim 1, further comprising, after each test of the attack traffic data with the target machine:
restoring the target machine to an un-triggered state through a virtual machine history snapshot technology.
5. An apparatus for testing the escape-resistant capability of a network intrusion protection system, comprising:
a first judging unit, used for judging whether an un-traversed escape combination matched with the protocol of the attack traffic exists or not, outputting a trigger signal to the statistics unit if not, and outputting the trigger signal to the policy combination unit if so;
the statistics unit, used for counting the number of generated escape combinations and the numbers of successes and failures when the trigger signal output by the first judging unit is acquired, and outputting a statistics result;
the policy combination unit, used for generating a single un-traversed escape combination when the trigger signal output by the first judging unit is acquired, and outputting the trigger signal to the test unit;
the test unit, used for carrying out layer-by-layer encapsulation and mutation on the attack code according to the single escape combination based on a self-built protocol stack when the trigger signal output by the policy combination unit is obtained, modifying the network attack data stream of layers 2-7 to generate test attack traffic data with multiple escape strategies, wherein the self-built protocol stack is a complete protocol stack of layers 2-7 constructed in advance on the attack traffic, a plurality of candidate escape measures are realized on the protocol stack of each layer, and multiple escape measures are added at the same time according to the protocol characteristics of the specific attack traffic; and for testing the attack traffic data with a target machine and judging the test result, outputting a trigger signal to the first judging unit if the escape fails, and outputting the trigger signal to the minimum escape combination screening unit if the escape succeeds;
the minimum escape combination screening unit, used for generating and outputting a minimum escape combination when the trigger signal output by the test unit is acquired, and outputting the trigger signal to the first judging unit;
wherein the apparatus further comprises: a channel configuration unit, used for setting the number of test processes running in parallel and the IP address resource range;
and the test unit, when testing the attack traffic data with the target machine, is specifically configured to:
select a test process and an idle IP address to test the attack traffic data with the target machine.
6. The device for testing the escape-resistant capability of a network intrusion protection system according to claim 5, wherein the test unit, when testing the attack traffic data with the target machine and determining the test result, is configured to:
use a preset network interface, selecting a test process and an idle IP address, to send the attack traffic data subjected to layer-by-layer encapsulation and mutation to the target machine, and obtain a feedback result of the target machine;
and judge, according to the feedback result, whether the attack traffic data escaped successfully.
7. The device for testing the escape-resistant capability of a network intrusion protection system according to claim 5, wherein the minimum escape combination screening unit is specifically configured to:
gradually isolate the escape combination corresponding to the data traffic that escaped successfully to generate a plurality of candidate escape combinations, which form a candidate escape set;
screen and validate each candidate escape combination in the candidate escape set one by one to determine the minimum escape combination.
8. The network intrusion prevention system escape-resistant capability test device according to claim 5, further comprising:
an initialization unit, used for monitoring the test unit and outputting a trigger signal to the target machine each time after the test unit has tested the attack traffic data with the target machine, so that the target machine is restored to an un-triggered state through a virtual machine history snapshot technology.
9. A test machine, comprising: a network intrusion prevention system escape resistance testing apparatus according to any one of claims 5-8.
CN201710976993.XA 2017-10-19 2017-10-19 Method, device and tester for testing escape resistance of network intrusion protection system Active CN109688088B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710976993.XA CN109688088B (en) 2017-10-19 2017-10-19 Method, device and tester for testing escape resistance of network intrusion protection system

Publications (2)

Publication Number Publication Date
CN109688088A CN109688088A (en) 2019-04-26
CN109688088B true CN109688088B (en) 2023-07-28

Family

ID=66182996

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710976993.XA Active CN109688088B (en) 2017-10-19 2017-10-19 Method, device and tester for testing escape resistance of network intrusion protection system

Country Status (1)

Country Link
CN (1) CN109688088B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114070766B (en) * 2021-11-15 2023-08-11 中国建设银行股份有限公司 Network security product effectiveness detection method and related equipment
CN114553551B (en) * 2022-02-24 2024-02-09 杭州迪普科技股份有限公司 Method and device for testing intrusion prevention system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103746885A (en) * 2014-01-28 2014-04-23 中国人民解放军信息安全测评认证中心 Test system and test method oriented to next-generation firewall

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8763121B2 (en) * 2011-01-20 2014-06-24 F-Secure Corporation Mitigating multiple advanced evasion technique attacks
CN106874755B (en) * 2017-01-22 2019-07-12 中国人民解放军信息工程大学 Most consistent escape error processing apparatus and method
CN106998323B (en) * 2017-03-06 2020-08-14 深信服科技股份有限公司 Application layer network attack simulation method, device and system

Also Published As

Publication number Publication date
CN109688088A (en) 2019-04-26

Similar Documents

Publication Publication Date Title
CN107294808B (en) Interface test method, device and system
US10873594B2 (en) Test system and method for identifying security vulnerabilities of a device under test
CN110266737B (en) Method, device, equipment and medium for detecting vulnerability of cross-domain resource sharing
CN104462962B (en) A kind of method for detecting unknown malicious code and binary vulnerability
Fu et al. On recognizing virtual honeypots and countermeasures
CN106998323B (en) Application layer network attack simulation method, device and system
CN112241350B (en) Micro-service evaluation method and device, computing device and micro-service detection system
CN109063486B (en) Safety penetration testing method and system based on PLC equipment fingerprint identification
CN102663274A (en) Method and system for detecting remote computer-invading behavior
CN109688088B (en) Method, device and tester for testing escape resistance of network intrusion protection system
CN107392020A (en) Database manipulation analysis method, device, computing device and computer-readable storage medium
US11636198B1 (en) System and method for cybersecurity analyzer update and concurrent management system
CN107590389B (en) Security testing method and device, electronic equipment and computer storage medium
JP5613000B2 (en) Application characteristic analysis apparatus and program
CN107222332A (en) Method of testing, device, system and machinable medium
US10645098B2 (en) Malware analysis system, malware analysis method, and malware analysis program
CN115225531B (en) Database firewall testing method and device, electronic equipment and medium
KR100772177B1 (en) Method and apparatus for generating intrusion detection event to test security function
CN113098827A (en) Network security early warning method and device based on situation awareness
CN116170225A (en) System testing method, device, equipment and storage medium based on network target range
US9294496B2 (en) Apparatus and method for analyzing vulnerability of zigbee network
CN108363922B (en) Automatic malicious code simulation detection method and system
US20100110899A1 (en) Stressing a network device
CN109889552A (en) Power marketing terminal abnormal flux monitoring method, system and Electric Power Marketing System
CN106709333B (en) A kind of safety detecting method and device of application programming

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant