CN109842632A - A kind of tender spots of network system determines method, system and associated component - Google Patents
A kind of tender spots of network system determines method, system and associated component Download PDFInfo
- Publication number
- CN109842632A CN109842632A CN201910239330.9A CN201910239330A CN109842632A CN 109842632 A CN109842632 A CN 109842632A CN 201910239330 A CN201910239330 A CN 201910239330A CN 109842632 A CN109842632 A CN 109842632A
- Authority
- CN
- China
- Prior art keywords
- attack
- information
- network system
- emulation
- tender spots
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Abstract
This application discloses a kind of tender spots of network system to determine method, and the tender spots determines that method includes obtaining the threat information of network system and parsing that information is threatened to obtain multiple sub- information;The corresponding attack artificial vector of each sub- information is determined in attack simulating knowledge base;Emulation attack operation is executed in network system using all attack artificial vectors, obtains emulation attack result;The tender spots information of network system is determined according to emulation attack result.This method can determine the tender spots of network system, analyze the security postures of network system.Disclosed herein as well is a kind of tender spots of network system to determine system, a kind of computer readable storage medium and a kind of electronic equipment, has the above beneficial effect.
Description
Technical field
The present invention relates to technical field of network security, in particular to a kind of tender spots of network system determine method, system,
A kind of computer readable storage medium and a kind of electronic equipment.
Background technique
Traditional, modern, dynamic assets, other than physical server, network are filled in current IT environment
System is also embracing virtual and cloud assets, these assets can according to need rapid deployment, but these elastic assets increase
The risk exposure face of network system.
In order to cope with risk, one is stacked on by purchased a large amount of safety equipments and these plant machineries in the related technology
It rises.But the above-mentioned tender spots that can not be learnt mechanical superposition and can not determine in network system, it also can not be to the peace of network system
Full guard ability is comprehensively understood.
Therefore, the tender spots for how determining network system, the security postures for analyzing network system are those skilled in the art
The technical issues that need to address at present.
Summary of the invention
The tender spots that the purpose of the application is to provide a kind of network system determines method, system, a kind of computer-readable deposits
Storage media and a kind of electronic equipment can determine the tender spots of network system, analyze the security postures of network system.
In order to solve the above technical problems, the tender spots that the application provides a kind of network system determines method, the tender spots is true
The method of determining includes:
Obtaining the threat information of network system and parsing threatens information to obtain multiple sub- information;
The corresponding attack artificial vector of each sub- information is determined in attack simulating knowledge base;
Emulation attack operation is executed in network system using all attack artificial vectors, obtains emulation attack result;
The tender spots information of network system is determined according to emulation attack result.
Optionally, emulation attack operation is executed in network system using all attack artificial vectors includes:
All attack artificial vectors are put into artificial vector pond, deduplication operation and association analysis are executed to artificial vector pond
Operation obtains target attack artificial vector;Wherein, artificial vector pond refers to the memory space for storing artificial vector;
Emulation attack operation is executed in the destination node of network system using target attack artificial vector.
Optionally, emulation attack operation packet is executed in the destination node of network system using target attack artificial vector
It includes:
The configuration parameter of each target attack artificial vector is adjusted according to the parameter information of the destination node of network system;
The corresponding emulation attack operation of target attack artificial vector after executing adjustment configuration parameter in destination node.
Optionally, after determining the tender spots information of network system according to emulation attack result, further includes:
It is that network system generates corresponding security protection scheme according to tender spots information.
Optionally, threatening information includes any one of assets information, flow information, loophole information and Malware information
Or appoint several combinations.
Optionally, further includes:
The corresponding attack chain of attack artificial vector is determined according to emulation attack result, is traced back to execute attack using attack chain
Source operation.
Present invention also provides a kind of tender spots of network system to determine system, which determines that system includes:
Information obtains module, threatens information to obtain multiple sub- information for obtaining the threat information of network system and parsing;
Vector determining module, for determining the corresponding attack artificial vector of each sub- information in attack simulating knowledge base;
Emulation attack module is obtained for executing emulation attack operation in network system using all attack artificial vectors
To emulation attack result;
Tender spots determining module, for determining the tender spots information of network system according to emulation attack result.
Optionally, emulation attack module includes:
Pretreatment unit executes artificial vector pond and goes for all attack artificial vectors to be put into artificial vector pond
Operation and association analysis operate to obtain target attack artificial vector again;
Simulation unit, for executing emulation attack behaviour in the destination node of network system using target attack artificial vector
Make.
Optionally, simulation unit includes:
Parameter configuration subelement, each target attack of parameter information adjustment for the destination node according to network system are imitative
The configuration parameter of true vector;
Subelement is executed, it is corresponding for executing the target attack artificial vector after adjusting configuration parameter in destination node
Emulate attack operation.
Optionally, further includes:
Arrangement generation module, for according to emulation attack result determine the tender spots information of network system after,
It is that network system generates corresponding security protection scheme according to tender spots information.
Optionally, threatening information includes any one of assets information, flow information, loophole information and Malware information
Or appoint several combinations.
Optionally, further includes:
Module of tracing to the source is attacked for determining the corresponding attack chain of attack artificial vector according to emulation attack result to utilize
It hits chain execution and attacks operation of tracing to the source.
Present invention also provides a kind of computer readable storage mediums, are stored thereon with computer program, computer program
Realize that the tender spots of above-mentioned network system determines the step of method executes when execution.
Present invention also provides a kind of electronic equipment, including memory and processor, computer journey is stored in memory
Sequence, processor realize the step that the tender spots of above-mentioned network system determines that method executes when calling the computer program in memory
Suddenly.
This application provides a kind of tender spots of network system to determine method, including obtaining the threat information of network system simultaneously
Parsing threatens information to obtain multiple sub- information;Determined in attack simulating knowledge base the corresponding attack of each sub- information emulate to
Amount;Emulation attack operation is executed in network system using all attack artificial vectors, obtains emulation attack result;According to emulation
Attack result determines the tender spots information of network system.
The application is determined in attack simulating knowledge base according to each sub- information in the threat information of acquisition and is attacked accordingly
Artificial vector can be with since attack simulating knowledge base includes to attack the corresponding artificial vector of each attack step of chain
Emulation attack is carried out in network system using attack artificial vector obtains corresponding emulation attack result.The application is by by prestige
Side of body information is combined with attack simulating knowledge base, and carrying out emulation attack to network system can determine that the tender spots of network system is believed
Breath, and then can be evaluated according to security protection ability of the tender spots to network system.Therefore, the application can determine network
The tender spots of system analyzes the security postures of network system.The tender spots that the application additionally provides a kind of network system simultaneously is true
Determine system, a kind of computer readable storage medium and a kind of electronic equipment, there is above-mentioned beneficial effect, details are not described herein.
Detailed description of the invention
In ord to more clearly illustrate embodiments of the present application, attached drawing needed in the embodiment will be done simply below
It introduces, it should be apparent that, the drawings in the following description are only some examples of the present application, for ordinary skill people
For member, without creative efforts, it is also possible to obtain other drawings based on these drawings.
Fig. 1 determines the flow chart of method for a kind of tender spots of network system provided by the embodiment of the present application;
Fig. 2 is a kind of flow chart for emulating attack method provided by the embodiment of the present application;
Fig. 3 is that the tender spots of another kind network system provided by the embodiment of the present application determines the flow chart of method;
Fig. 4 determines the structural schematic diagram of system for a kind of tender spots of network system provided by the embodiment of the present application.
Specific embodiment
To keep the purposes, technical schemes and advantages of the embodiment of the present application clearer, below in conjunction with the embodiment of the present application
In attached drawing, the technical scheme in the embodiment of the application is clearly and completely described, it is clear that described embodiment is
Some embodiments of the present application, instead of all the embodiments.Based on the embodiment in the application, those of ordinary skill in the art
Every other embodiment obtained without making creative work, shall fall in the protection scope of this application.
Below referring to Figure 1, Fig. 1 determines method for a kind of tender spots of network system provided by the embodiment of the present application
Flow chart.
Specific steps may include:
S101:, which obtaining the threat information of network system, and parses threat information obtains multiple sub- information;
Wherein, the purpose of this step is the security status of awareness network system, and the threat information obtained herein can
To be the information for being obtained and stored in predeterminated position in advance before this step, it is also possible to just start to obtain when this step executes
The information taken, herein without limiting.
Information is threatened to refer in order to restore all clues required for the attack occurred and the nonevent attack of prediction.This reality
Apply example acquisition threat information can there are many, divided according to the difference of acquisition modes, threaten information that can collect to be passive
Information and active collection information.Specifically, Passive Information Gathering refer to not with goal systems (the i.e. network system of the present embodiment
System) any connection is directly established, by third party's data query target system information, often it is referred to as setting foot-point.Passive Information Gathering
Technological means may include it is various open source information collection and utilization, such as utilize search engine carry out information collection.Actively
Information collection refers to that direct contact target system carries out information search, either crawls targeted website, or carry out with target person
Communication belongs to initiative information collection.
Certainly, if being divided according to information content, threaten information may include assets information, fingerprint information, flow information,
Any one of loophole information and Malware information appoint several combinations.Specifically, assets information refers to using passive and main
The network IP and domain name assets and its attribute that dynamic formation gathering method is precisely found, for example, dns resolution record, ICP record information,
Whois information, finger print information etc..Fingerprint information refers to the subset of assets information, including operating system, miniport service, WEB container
(such as apache), language of building a station (such as php), front end frame of building a station (such as jquery), rearward end frame of building a station (such as django), fire prevention
Wall information etc..Flow information be based on the monitoring of network flow full mirror image, the monitoring based on SNMP (Simple Network Management Protocol) or
The flow information that monitoring based on Netflow is collected into, such as data flow five-tuple information and uninterrupted.Loophole information
Refer to the information such as vulnerability basic database and the newest utilization posture of 0day loophole (loophole out of office).Malware information refers to that malice is soft
Part (extort software, dig mine software, remote control software etc.) basic database and it is newest enliven malware data, such as: the domain C2
The information such as loophole, malware file and the process behavior that name or IP address, Malware MD5 value, Malware utilize.Loophole
Can be not limited to tissue network known bugs and Malware with Malware information, also may include external newest loophole and
Malware information.
This step, which obtains and threatens information, to be the combination of the sub- information of multiple types, this little information can be assets feelings
Report, fingerprint information, flow information, loophole information or Malware information, therefore on the basis of obtaining threat information, this step
Suddenly first to threatening information to be parsed to obtain multiple sub- information, to execute subsequent operation to each sub- information.As one
The feasible embodiment of kind, can determine the type of each sub- information, and then the type of each sub- information is sent to maintenance personnel
Information, so that maintenance personnel understands the constitution state of threat information.
S102: the corresponding attack artificial vector of each sub- information is determined in attack simulating knowledge base;
Wherein, attack simulating knowledge base is the concept in network security detection, for comprehensive interpretation Attack modeling knowledge
Library is firstly the need of explaining ATT&CK threat detection knowledge base.ATT&CK refers to confrontation tactics, technology and common sense, and ATT&CK is threatened
Detection knowledge base is based on Kill Chain (attack chain) the network opponent tactics persistently summarized and technological know-how library, this is known
Threat can be illustrated and be threatened with general language and frame to define by knowing library, by constantly collecting various attack detectings
Analysis is accumulated and is constructed, and ATT&CK threat detection knowledge base is also attack knowledge map.The present network architecture may be considered
Level, may include the levels such as terminal, branch, boundary, garden, data center, cloud.Attack simulating knowledge base is ATT&CK prestige
The specific implementation of side of body detection knowledge base, attack simulating knowledge base both may include being directed to single layer analogue simulation vector of attack, can also
To include the multiple attack steps split into Attack Scenarios on Kill Chain, the multiple attack steps of multilayer are mutually matched to be imitated
True simulation vector of attack.
There may be attack artificial vector corresponding with each sub- information in attack simulating knowledge base, this step can
To determine corresponding attack artificial vector according to the type of each sub- information and particular content.Such as sub- information is assets information
(i.e. the assets information of assets discovery engine discovery), the content of assets information is fingerprint assets builds a station frame there are struts2, leads to
It crosses and is matched with attack simulating knowledge base, harmless struts2 emulation vector of attack can be matched to.
It should be noted that for same sub- information, there may be multiple corresponding attacks emulate to
Amount, naturally it is also possible to which there are the corresponding attack artificial vector of specific sub- information, this implementation are not present in attack simulating knowledge base
Example attack artificial vector quantity not corresponding to sub- information is defined.
S103: executing emulation attack operation using all attack artificial vectors in network system, obtains emulation attack knot
Fruit;
Wherein, on the basis of obtaining attack artificial vector, it can use attack artificial vector and executed in network system
Corresponding emulation attack operation.Specifically, each attack artificial vector can be dispatched to corresponding network node, it can also be right
Each attack artificial vector carries out the configuration parameter adjustment of adaptability, this process can be configured according to practical application scene,
The present embodiment is without specifically limiting.
The purpose of this step is according to the threat information combination attack simulating knowledge base of network system to network system
Multiple nodes carry out emulation attack, to detect network system to the defence capability of emulation attack.It is understood that this step exists
What is executed in network system is emulation attack operation, belongs to the harmless safety test for network system, can't be to network
System brings actual destruction.
Institute is utilized it is understood that being equivalent in S103 using the process that attack artificial vector carries out emulation attack operation
Some attack artificial vector building emulation attack chains realize that the emulation to network system is attacked using emulation attack chain.Attack chain
Be to be abstracted to Attack Scenarios, can execute following phase of the attack: (1) the Reconnaisance stage: i.e. reconnaissance phase is also named
It sets foot-point, collect target information and finds tender spots;(2) the eaponization stage: i.e. the weaponization stage makes for goal systems
Attack tool;(3) the Delivery stage: i.e. attack tool is consigned to goal systems by the delivery tool stage;(4) Exploit rank
Section: opening Malware using victim on the target system or initiates loophole attack for goal systems, and purpose obtains target
Control;(5) remote control program on the target system the Installation stage: is installed;(6)Command&Control
Stage: i.e. order and control stage, successfully remote control server establishes communication channel on internet after control host;(7)And
The Actions stage: after the above-mentioned stage, attacker will continue to steal related target system information, destroy the integrality of information
And availability, and further control machine jumps attack other machines, widen one's influence range.The present embodiment can be by all
Attack artificial vector is associated analysis and determines each attack artificial vector stage locating in attack chain, and then generates emulation
Attack chain simultaneously determines the tender spots information in network system using emulation attack chain.
S104: the tender spots information of network system is determined according to emulation attack result.
Wherein, the corresponding result of available each attack artificial vector after carrying out emulation attack operation to network system
Feedback information, and then comprehensive all result feedback informations obtain attack simulation result.Attack simulation result may include emulation
Attack operation can determine that the tender spots in network system is believed according to emulation attack result for the influence degree of network system
Breath.Tender spots refers to that the safety that attack, security defense capability is poor, needs to carry out specific aim reinforcing is subject in network system is crisp
Weakness.
The present embodiment is determined in attack simulating knowledge base according to each sub- information in the threat information of acquisition and is attacked accordingly
Artificial vector is hit, it, can since attack simulating knowledge base includes to attack the corresponding artificial vector of each attack step of chain
Corresponding emulation attack result is obtained to carry out emulation attack in network system using attack artificial vector.The present embodiment passes through
Information will be threatened to combine with attack simulating knowledge base, the fragility of network system can be determined by carrying out emulation attack to network system
Point information, and then can be evaluated according to security protection ability of the tender spots to network system.Therefore, the present embodiment can be true
The tender spots for determining network system analyzes the security postures of network system.
Fig. 2 is referred to below, and Fig. 2 is a kind of flow chart for emulating attack method, this step provided by the embodiment of the present application
Suddenly it is to be further described to S103 in the corresponding embodiment of Fig. 1, the present embodiment embodiment corresponding with figure 1 above can be mutually tied
Conjunction obtains more preferably embodiment, and the present embodiment may comprise steps of:
S201: all attack artificial vectors are put into artificial vector pond, execute deduplication operation and pass to artificial vector pond
Connection analysis operation obtains target attack artificial vector;
Wherein, this step, which is built upon, carries out matched base for sub- information and the attack artificial vector of attack simulating knowledge base
On plinth, attack artificial vector can be put into artificial vector pond after being matched to attack artificial vector corresponding with sub- information
Until all attack artificial vectors to match with sub- information are put into artificial vector pond.Artificial vector pond refers to for storing
The memory space of artificial vector can construct artificial vector pond in advance before this step, can also be matched to attack emulation
Artificial vector pond is constructed while vector, herein without limiting.It should be noted that may exist same attack artificial vector
Therefore the case where corresponding multiple sub- information, needs to execute deduplication operation to artificial vector pond, so as to remove duplicate attack emulate to
Amount.This step can also be operated by association analysis can determine that artificial vector is attacked in artificial vector pond belongs to the rank for attacking chain
Section.
S202: emulation attack operation is executed in the destination node of network system using target attack artificial vector.
It is removing duplicate attack artificial vector and is determining the target attack artificial vector stage locating in attack chain
On the basis of, this step executes emulation attack operation using target attack artificial vector in the destination node of network system.As
A kind of feasible embodiment, the relevant operation of S202 may comprise steps of: (1) according to the destination node of network system
Parameter information adjusts the configuration parameter of each target attack artificial vector;(2) after executing adjustment configuration parameter in destination node
The corresponding emulation attack operation of target attack artificial vector.Above-mentioned feasible embodiment can be true by adjusting configuration parameter
It sets the goal and attacks location information, the interface parameters of node etc. that artificial vector executes attack access operation, make to adjust configuration parameter
Target attack artificial vector afterwards can veritably act on the specific node of network system.
As the further supplement of embodiment corresponding for Fig. 1, network system is determined according to emulation attack result in S104
It can also be that network system generates corresponding security protection scheme according to tender spots information after the tender spots information of system.The peace
It may include the information such as safety equipment placement policies, safety detection Stringency in full protection scheme, so as to according to security protection
Scheme is adjusted the security protection system of network system, reinforces the protection of tender spots, improves the safety of network system.When
So, it can also be determined after determining the tender spots information of network system according to emulation attack result according to emulation attack result
The corresponding attack chain of artificial vector is attacked, attacks operation of tracing to the source to execute using attack chain.
Fig. 3 is referred to below, and Fig. 3 is that the tender spots of another kind network system provided by the embodiment of the present application determines method
Flow chart, the present embodiment carries out the corresponding embodiment of Fig. 1, Fig. 2 and above-mentioned supplement to finish conjunction, obtain more preferably
Tender spots determines the embodiment of method, may comprise steps of:
S301:, which obtaining the threat information of network system, and parses threat information obtains multiple sub- information;
S302: the corresponding attack artificial vector of each sub- information is determined in attack simulating knowledge base;
S303: all attack artificial vectors are put into artificial vector pond, execute deduplication operation and pass to artificial vector pond
Connection analysis operation obtains target attack artificial vector;
S304: joined according to the configuration that the parameter information of the destination node of network system adjusts each target attack artificial vector
Number;
Wherein it is possible to be configured by configuration center to each target attack artificial vector, which can be root
It automates and realizes according to assets information, manual intervention can also be carried out to the scheduling of target attack artificial vector by WEBUI.
S305: the corresponding emulation attack behaviour of target attack artificial vector after executing adjustment configuration parameter in destination node
Make, obtains emulation attack result;
It is executed wherein it is possible to load configured artificial vector by control centre to each layer assets in network or node.Net
Execution state can be fed back to control centre by network system, and implementing result is fed back to data center, be by control centre's judgement
It is no to be finished, all implementing results are summarized by data center to obtain tender spots information.
S306: the tender spots information of network system is determined according to emulation attack result.
S307: the corresponding attack chain of attack artificial vector is determined according to emulation attack result, to execute using attack chain
Attack operation of tracing to the source.
Wherein, after all attack artificial vectors are finished, attack simulation result can be shown in WEBUI, attack
Simulation result may include displaying, the displaying of assets and the displaying of tender spots of entire attack chain.When true attack occurs, this
The tender spots information that embodiment obtains can be also used for attack tracing to the source.
Fig. 4 is referred to, Fig. 4 determines the structure of system for a kind of tender spots of network system provided by the embodiment of the present application
Schematic diagram;
The system may include:
Information obtains module 100, threatens information to obtain multiple sub- feelings for obtaining the threat information of network system and parsing
Report;
Vector determining module 200, for determined in attack simulating knowledge base the corresponding attack of each sub- information emulate to
Amount;
Emulation attack module 300, for executing emulation attack operation in network system using all attack artificial vectors,
Obtain emulation attack result;
Tender spots determining module 400, for determining the tender spots information of network system according to emulation attack result.
The present embodiment is determined in attack simulating knowledge base according to each sub- information in the threat information of acquisition and is attacked accordingly
Artificial vector is hit, it, can since attack simulating knowledge base includes to attack the corresponding artificial vector of each attack step of chain
Corresponding emulation attack result is obtained to carry out emulation attack in network system using attack artificial vector.The present embodiment passes through
Information will be threatened to combine with attack simulating knowledge base, the fragility of network system can be determined by carrying out emulation attack to network system
Point information, and then can be evaluated according to security protection ability of the tender spots to network system.Therefore, the present embodiment can be true
The tender spots for determining network system analyzes the security postures of network system.
Further, emulation attack module 300 includes:
Pretreatment unit executes artificial vector pond and goes for all attack artificial vectors to be put into artificial vector pond
Operation and association analysis operate to obtain target attack artificial vector again;
Simulation unit, for executing emulation attack behaviour in the destination node of network system using target attack artificial vector
Make.
Further, simulation unit includes:
Parameter configuration subelement, each target attack of parameter information adjustment for the destination node according to network system are imitative
The configuration parameter of true vector;
Subelement is executed, it is corresponding for executing the target attack artificial vector after adjusting configuration parameter in destination node
Emulate attack operation.
Further, further includes:
Arrangement generation module, for according to emulation attack result determine the tender spots information of network system after,
It is that network system generates corresponding security protection scheme according to tender spots information.
Further, threatening information includes any in assets information, flow information, loophole information and Malware information
Or appoint several combinations.
Further, further includes:
Module of tracing to the source is attacked for determining the corresponding attack chain of attack artificial vector according to emulation attack result to utilize
It hits chain execution and attacks operation of tracing to the source.
Since the embodiment of components of system as directed is corresponded to each other with the embodiment of method part, the embodiment of components of system as directed is asked
Referring to the description of the embodiment of method part, wouldn't repeat here.
Present invention also provides a kind of computer readable storage mediums, have computer program thereon, the computer program
It is performed and step provided by above-described embodiment may be implemented.The storage medium may include: USB flash disk, mobile hard disk, read-only deposit
Reservoir (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), magnetic disk or
The various media that can store program code such as CD.
Present invention also provides a kind of electronic equipment, may include memory and processor, have meter in the memory
Calculation machine program may be implemented provided by above-described embodiment when the processor calls the computer program in the memory
Step.Certain electronic equipment can also include various network interfaces, the components such as power supply.
Each embodiment is described in a progressive manner in specification, the highlights of each of the examples are with other realities
The difference of example is applied, the same or similar parts in each embodiment may refer to each other.For system disclosed in embodiment
Speech, since it is corresponded to the methods disclosed in the examples, so being described relatively simple, related place is referring to method part illustration
?.It should be pointed out that for those skilled in the art, under the premise of not departing from the application principle, also
Can to the application, some improvement and modification can also be carried out, these improvement and modification also fall into the protection scope of the claim of this application
It is interior.
It should also be noted that, in the present specification, relational terms such as first and second and the like be used merely to by
One entity or operation are distinguished with another entity or operation, without necessarily requiring or implying these entities or operation
Between there are any actual relationship or orders.Moreover, the terms "include", "comprise" or its any other variant meaning
Covering non-exclusive inclusion, so that the process, method, article or equipment for including a series of elements not only includes that
A little elements, but also including other elements that are not explicitly listed, or further include for this process, method, article or
The intrinsic element of equipment.Under the situation not limited more, the element limited by sentence "including a ..." is not arranged
Except there is also other identical elements in the process, method, article or apparatus that includes the element.
Claims (14)
1. a kind of tender spots of network system determines method characterized by comprising
It obtains the threat information of network system and parses the threat information and obtain multiple sub- information;
The corresponding attack artificial vector of each sub- information is determined in attack simulating knowledge base;
Emulation attack operation is executed in the network system using all attack artificial vectors, obtains emulation attack knot
Fruit;
The tender spots information of the network system is determined according to the emulation attack result.
2. tender spots determines method according to claim 1, which is characterized in that using all attack artificial vectors in institute
Stating execution emulation attack operation in network system includes:
All attack artificial vectors are put into artificial vector pond, deduplication operation and association are executed to the artificial vector pond
Analysis operation obtains target attack artificial vector;
Emulation attack operation is executed in the destination node of the network system using the target attack artificial vector.
3. tender spots determines method according to claim 2, which is characterized in that using the target attack artificial vector in institute
Stating execution emulation attack operation in the destination node of network system includes:
The configuration ginseng of each target attack artificial vector is adjusted according to the parameter information of the destination node of the network system
Number;
The corresponding emulation attack operation of target attack artificial vector after executing adjustment configuration parameter in the destination node.
4. tender spots determines method according to claim 1, which is characterized in that determining institute according to the emulation attack result
After the tender spots information for stating network system, further includes:
It is that the network system generates corresponding security protection scheme according to the tender spots information.
5. tender spots determines method according to claim 1, which is characterized in that the threat information includes assets information, stream
It measures any one of information, loophole information and Malware information or appoints several combinations.
6. determining method to any one of 5 tender spots according to claim 1, which is characterized in that further include:
The corresponding attack chain of the attack artificial vector is determined according to the emulation attack result, to hold using the attack chain
Row attacks operation of tracing to the source.
7. a kind of tender spots of network system determines system characterized by comprising
Information obtains module, obtains multiple sub- information for obtaining the threat information of network system and parsing the threat information;
Vector determining module, for determining the corresponding attack artificial vector of each sub- information in attack simulating knowledge base;
Emulation attack module, for executing emulation attack behaviour in the network system using all attack artificial vectors
Make, obtains emulation attack result;
Tender spots determining module, for determining the tender spots information of the network system according to the emulation attack result.
8. tender spots determines system according to claim 7, which is characterized in that the emulation attacks module and includes:
Pretreatment unit holds the artificial vector pond for all attack artificial vectors to be put into artificial vector pond
Row deduplication operation and association analysis operate to obtain target attack artificial vector;
Simulation unit is attacked for being executed emulation in the destination node of the network system using the target attack artificial vector
Hit operation.
9. tender spots determines system according to claim 8, which is characterized in that the simulation unit includes:
Parameter configuration subelement, each target of parameter information adjustment for the destination node according to the network system are attacked
Hit the configuration parameter of artificial vector;
Subelement is executed, it is corresponding for executing the target attack artificial vector after adjusting configuration parameter in the destination node
Emulate attack operation.
10. tender spots determines system according to claim 7, which is characterized in that further include:
Arrangement generation module, for according to it is described emulation attack result determine the network system tender spots information it
It afterwards, is that the network system generates corresponding security protection scheme according to the tender spots information.
11. tender spots determines system according to claim 7, which is characterized in that the threat information includes assets information, stream
It measures any one of information, loophole information and Malware information or appoints several combinations.
12. determining system according to any one of claim 7 to 11 tender spots, which is characterized in that further include:
It traces to the source module, for determining the corresponding attack chain of the attack artificial vector according to the emulation attack result, with convenience
It is executed with the attack chain and attacks operation of tracing to the source.
13. a kind of computer readable storage medium, which is characterized in that be stored with computer on the computer readable storage medium
Program realizes the tender spots of the network system as described in any one of claim 1 to 6 when the computer program is executed by processor
The step of determining method.
14. a kind of electronic equipment characterized by comprising
Memory, for storing computer program;
Processor realizes the fragility of the network system as described in any one of claim 1 to 6 when for executing the computer program
Point determines the step of method.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910239330.9A CN109842632B (en) | 2019-03-27 | 2019-03-27 | Vulnerability determination method and system of network system and related components |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910239330.9A CN109842632B (en) | 2019-03-27 | 2019-03-27 | Vulnerability determination method and system of network system and related components |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109842632A true CN109842632A (en) | 2019-06-04 |
CN109842632B CN109842632B (en) | 2021-11-19 |
Family
ID=66886356
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910239330.9A Active CN109842632B (en) | 2019-03-27 | 2019-03-27 | Vulnerability determination method and system of network system and related components |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109842632B (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110278201A (en) * | 2019-06-12 | 2019-09-24 | 深圳市腾讯计算机系统有限公司 | Security strategy evaluation method and device, computer-readable medium and electronic equipment |
CN110430190A (en) * | 2019-08-05 | 2019-11-08 | 北京经纬信安科技有限公司 | Duplicity system of defense, construction method and full link based on ATT&CK defend implementation method |
CN110912945A (en) * | 2019-12-31 | 2020-03-24 | 深信服科技股份有限公司 | Network attack entry point detection method and device, electronic equipment and storage medium |
CN111209570A (en) * | 2019-12-31 | 2020-05-29 | 杭州安恒信息技术股份有限公司 | Method for creating safe closed loop process based on MITER ATT & CK |
CN111565205A (en) * | 2020-07-16 | 2020-08-21 | 腾讯科技(深圳)有限公司 | Network attack identification method and device, computer equipment and storage medium |
CN111756762A (en) * | 2020-06-29 | 2020-10-09 | 北京百度网讯科技有限公司 | Vehicle safety analysis method and device, electronic equipment and storage medium |
CN112532631A (en) * | 2020-11-30 | 2021-03-19 | 深信服科技股份有限公司 | Equipment safety risk assessment method, device, equipment and medium |
CN113014589A (en) * | 2021-03-05 | 2021-06-22 | 公安部第三研究所 | 5G communication safety test method and system |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20080065084A (en) * | 2007-01-08 | 2008-07-11 | 유디코스모 주식회사 | Method and apparatus for analyzing network vulnerability using the attack simulation |
CN107196910A (en) * | 2017-04-18 | 2017-09-22 | 国网山东省电力公司电力科学研究院 | Threat early warning monitoring system, method and the deployment framework analyzed based on big data |
CN108200095A (en) * | 2018-02-09 | 2018-06-22 | 华北电力科学研究院有限责任公司 | The Internet boundaries security strategy fragility determines method and device |
-
2019
- 2019-03-27 CN CN201910239330.9A patent/CN109842632B/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20080065084A (en) * | 2007-01-08 | 2008-07-11 | 유디코스모 주식회사 | Method and apparatus for analyzing network vulnerability using the attack simulation |
CN107196910A (en) * | 2017-04-18 | 2017-09-22 | 国网山东省电力公司电力科学研究院 | Threat early warning monitoring system, method and the deployment framework analyzed based on big data |
CN108200095A (en) * | 2018-02-09 | 2018-06-22 | 华北电力科学研究院有限责任公司 | The Internet boundaries security strategy fragility determines method and device |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110278201A (en) * | 2019-06-12 | 2019-09-24 | 深圳市腾讯计算机系统有限公司 | Security strategy evaluation method and device, computer-readable medium and electronic equipment |
CN110430190A (en) * | 2019-08-05 | 2019-11-08 | 北京经纬信安科技有限公司 | Duplicity system of defense, construction method and full link based on ATT&CK defend implementation method |
CN110430190B (en) * | 2019-08-05 | 2022-08-02 | 北京经纬信安科技有限公司 | Deception defense system based on ATT & CK, construction method and full link defense realization method |
CN110912945A (en) * | 2019-12-31 | 2020-03-24 | 深信服科技股份有限公司 | Network attack entry point detection method and device, electronic equipment and storage medium |
CN111209570A (en) * | 2019-12-31 | 2020-05-29 | 杭州安恒信息技术股份有限公司 | Method for creating safe closed loop process based on MITER ATT & CK |
CN111756762A (en) * | 2020-06-29 | 2020-10-09 | 北京百度网讯科技有限公司 | Vehicle safety analysis method and device, electronic equipment and storage medium |
CN111565205A (en) * | 2020-07-16 | 2020-08-21 | 腾讯科技(深圳)有限公司 | Network attack identification method and device, computer equipment and storage medium |
CN112532631A (en) * | 2020-11-30 | 2021-03-19 | 深信服科技股份有限公司 | Equipment safety risk assessment method, device, equipment and medium |
CN113014589A (en) * | 2021-03-05 | 2021-06-22 | 公安部第三研究所 | 5G communication safety test method and system |
Also Published As
Publication number | Publication date |
---|---|
CN109842632B (en) | 2021-11-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109842632A (en) | A kind of tender spots of network system determines method, system and associated component | |
US9680867B2 (en) | Network stimulation engine | |
US9954884B2 (en) | Method and device for simulating network resiliance against attacks | |
US7996201B2 (en) | Network security modeling system and method | |
US11709944B2 (en) | Intelligent adversary simulator | |
CN109617865A (en) | A kind of network security monitoring and defence method based on mobile edge calculations | |
KR101534194B1 (en) | cybersecurity practical training system and method that reflects the intruder behavior patterns | |
CN109347881A (en) | Network protection method, apparatus, equipment and storage medium based on network cheating | |
CN105978904B (en) | A kind of intrusion detection method and electronic equipment | |
CN110839031A (en) | Malicious user behavior intelligent detection method based on reinforcement learning | |
Lin et al. | Effective proactive and reactive defense strategies against malicious attacks in a virtualized honeynet | |
Molina-Markham et al. | Network defense is not a game | |
KR20060027748A (en) | Dynamic simulation system and method reflecting user's input on network security simulation | |
Rastegari et al. | Testing a distributed denial of service defence mechanism using red teaming | |
Ošlejšek et al. | Towards a unified data storage and generic visualizations in cyber ranges | |
Anastasiadis et al. | A Novel High-Interaction Honeypot Network for Internet of Vehicles | |
CN111355691A (en) | Method for pseudo hiding of key nodes with heterogeneous redundant interference | |
Yun et al. | A scalable, ordered scenario-based network security simulator | |
Drew et al. | Testing deception with a commercial tool simulating cyberspace | |
Priyadarsini et al. | A signalling game-based security enforcement mechanism for SDN controllers | |
CN117610026B (en) | Honey point vulnerability generation method based on large language model | |
CN114765553A (en) | Security management method and device for access data, computer equipment and storage medium | |
Salatino et al. | Detecting DDoS Attacks Through AI driven SDN Intrusion Detection System | |
Yun et al. | Dynamic Simulation on Network Security Simulator Using SSFNET | |
Kharchenko et al. | Scenario-Based Markovian Modeling of Web-System Availability Considering Attacks on Vulnerabilities. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |