CN112448857A - Construction method, device and equipment of target range and storage medium - Google Patents

Publication number: CN112448857A
Authority: CN (China)
Prior art keywords: network, training, evaluation, flow, shooting range
Legal status: Pending
Application number: CN202110132946.3A
Other languages: Chinese (zh)
Inventors: 傅涛, 姚杰, 郑轶, 王力
Current Assignee: Bozhi Safety Technology Co ltd
Original Assignee: Bozhi Safety Technology Co ltd
Application filed by: Bozhi Safety Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Abstract

The embodiment of the invention discloses a construction method, device, equipment and storage medium for a target range. The construction method comprises the following steps: first, simulation software and a network system are scheduled, and the network traffic of users and of the network shooting range is simulated, so that a shooting range platform system is constructed; second, normal network service traffic is managed and scheduled during training so as to simulate a network administrator and special network services; finally, a feasible evaluation model is dynamically constructed. The method can significantly reduce the deployment complexity of training on existing network shooting ranges, reduce the difficulty of operation and maintenance deployment, and allow a system to be constructed quickly for training.

Description

Construction method, device and equipment of target range and storage medium
Technical Field
The invention relates to the technical field of shooting ranges, in particular to a construction method, a construction device, construction equipment and a storage medium of a shooting range, and particularly relates to an intention-based construction method, a construction device, construction equipment and a storage medium of a shooting range.
Background
Network attacks (also known as cyber attacks) refer to any type of offensive action directed at a computer information system, infrastructure, computer network, or personal computer device. For computers and computer networks, destroying, revealing, modifying or disabling software or services, or stealing or accessing data on any computer without authorization, is considered an attack. Network attacks are becoming more and more intense, especially since the network space field rose to the strategic level of network operations; network attack events occur almost every day, and the security software and hardware developed by network security vendors still leave gaps in protecting the information security of individuals and enterprises. In detail, current network security technology and products solve only one half of the security problem; the other, more critical half requires the intervention of network security technicians at critical moments. This places a demand on network security technicians, who must be competent for their network security posts and possess the corresponding problem-solving skills. Current network security skill training relies heavily on security experts or network teams who provide challenging training paths and opponents, so that trainees can hone their tactics against each other.
Replicating the information system environment is the core capability of a network shooting range. The first goal of a network shooting range is to replicate critical information infrastructure and system production environments, on which trainees can repeatedly practice network attack and penetration techniques, network combat tactics, protection and hardening strategies, and so on. The second is to carry out business applications such as risk assessment, product testing, education and training, and emergency drills on the replicated environment. The shooting range can also perform summary statistical analysis of the data produced during drill evaluation and output capability judgments and efficiency evaluation results. Network shooting ranges have become essential core infrastructure for network space security research, learning, testing, verification and drilling in all countries, and countries around the world pay close attention to network shooting range construction as an important means of supporting network security technical capability.
However, in the shooting range training in the prior art, particularly in a computer competition system in the network shooting range training process, the complexity of the whole competition monitoring process deployment is high, and the operation and maintenance deployment difficulty is large.
Disclosure of Invention
The embodiment of the invention provides a construction method, a device, equipment and a storage medium of a shooting range, which can obviously reduce the complexity of deployment in the training process of the existing network shooting range, reduce the difficulty of operation and maintenance deployment and quickly construct a system for training.
The embodiment of the invention provides a construction method of a target range, which comprises the following steps:
firstly, simulation software and a network system need to be scheduled, and network flow of a user and a network shooting range is simulated, so that a shooting range platform system is constructed;
secondly, managing and scheduling normal network service flow in the training process so as to simulate a network administrator and special network services;
finally, a feasible evaluation model is dynamically constructed.
Further, the method for constructing the shooting range platform system comprises the following steps:
an evaluation task model can be constructed according to the context of the pilot task, and related automation scripts for testing and for attack and defense training in the shooting range environment are provided; testing and attack and defense training can be carried out on the constructed shooting range environment, and an administrator can monitor the participants' shooting range task activity in real time and intervene in the participants' tasks. The task scheduling manager can schedule a wide range of resources to take part in the shooting range drill, and has many-to-many views.
Further, the method for dynamically constructing a feasible evaluation model includes:
before task construction, selecting the corresponding task evaluation and analysis templates for different training subjects, contents and objects according to training requirements or evaluation indexes; during training, monitoring the training situation and the on-site state of the trainees by visual means, and automatically displaying, through task evaluation and deduction, the comprehensive effect and performance evaluation of trial tests on network traffic, attack tools, defense equipment and support equipment; after training, evaluating the tactics, techniques and processes used in the drill and giving comprehensive analysis results and suggestions, and performing visual process deduction and traceability analysis of the task; through the automatic evaluation system constructed by the shooting range, systematic review, analysis and evaluation can be carried out according to the organization and implementation conditions reflected in the training process.
Further, the method for constructing the shooting range platform system further comprises: automatically deploying and setting the industry network environment of the shooting range, and generating the industry network topology.
Further, the method for simulating a network administrator and a special network service further comprises: automatically constructing a simulation mechanism for threat traffic and service traffic, so that attack traffic and normal service access traffic are both simulated in the shooting range environment.
Further, the method for dynamically constructing a feasible evaluation model further includes: providing the automatic evaluation mechanism and templates of the industry, automatically deploying and setting probes according to the evaluation mechanism, and performing in-depth analysis of the collected data, so as to provide data support for analyzing and judging the training environment and to display the training results.
The embodiment of the invention also provides a construction device of a target range, which comprises:
the construction module is used for scheduling simulation software and a network system, and simulating network flow of a user and a network target range so as to construct a target range platform system;
the simulation module is used for managing and scheduling normal network service flow in the training process so as to simulate a network administrator and special network services;
and the evaluation module is used for dynamically constructing a feasible evaluation model.
The embodiment of the invention also provides construction equipment of the target range, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the construction method of the target range when executing the program.
The embodiment of the invention also provides a computer-readable storage medium, which stores computer-executable instructions, wherein the computer-executable instructions are used for executing the construction method of the target range.
The embodiment of the invention comprises the following steps: firstly, simulation software and a network system need to be scheduled, and network flow of a user and a network shooting range is simulated, so that a shooting range platform system is constructed; secondly, managing and scheduling normal network service flow in the training process so as to simulate a network administrator and special network services; finally, a feasible evaluation model is dynamically constructed. Therefore, the complexity of deployment in the construction process of the existing shooting range, particularly the network shooting range, can be obviously reduced, the operation and maintenance deployment difficulty is reduced, and a system can be quickly constructed for training. The standardized process is realized by deep analysis of the industry and the shallow intention of the user, and the training process is streamlined, automated and standardized to meet the requirement of each industry on training professionals in respective information fields.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
FIG. 1 is an overall flow chart of the construction method of the shooting range according to an embodiment of the present invention;
FIG. 2 is a block diagram of the construction apparatus of the shooting range according to an embodiment of the present invention;
FIG. 3 is a block diagram of the system for constructing a shooting range platform according to an embodiment of the present invention;
FIG. 4 is a flow chart of the construction of a shooting range platform system according to an embodiment of the present invention;
FIG. 5 is a block diagram of the dynamically constructed feasible evaluation model of an embodiment of the present invention;
FIG. 6 is a flow chart of an evaluation method under the process analysis of an embodiment of the present invention;
FIG. 7 is a flow chart of a flow and evaluation process of an embodiment of the present invention;
FIG. 8 is a schematic illustration of the shooting range parameters input through the interface in an embodiment of the present invention;
FIG. 9 is a schematic diagram of selecting a corresponding network template according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of selecting services according to the industry selected by the user and setting the probe policy according to the services, in an embodiment of the present invention;
FIG. 11 is a schematic illustration of training evaluation of an embodiment of the present invention;
FIG. 12 is a diagram illustrating binding according to an embodiment of the invention.
Detailed Description
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
The steps illustrated in the flow charts of the figures may be performed in a computer system such as a set of computer-executable instructions. Also, while a logical order is shown in the flow diagrams, in some cases, the steps shown or described may be performed in an order different than here.
The embodiment of the invention can significantly reduce the deployment complexity of the existing shooting range construction process, reduce the difficulty of operation and maintenance deployment, and allow a system to be constructed quickly for training. In a network training shooting range, the construction process is the core through which people exercise real-time control and flexible command over the network security training process and the main link for interaction between the virtual and real worlds; it ensures that every part of the training runs in an orderly and efficient way according to the preset network security training process and scenario. The intention-based shooting range construction process therefore comprises training planning, construction of the initial training state, configuration of the monitoring and evaluation system, and the related process analysis and data collection used to monitor and manage the whole shooting range with full access. The analysis means, judgment rules and performance evaluation standards used in shooting range training are configured automatically, so that the training quality of the trainees can be evaluated and judged. Through effect evaluation, training activities are analyzed comprehensively, the current state of training and the overall level of training capability are accurately grasped, problems in training are identified, their causes are analyzed, and targeted improvement measures are made. In this way an efficient and innovative shooting range training platform can be constructed: competition and training scenes are built within minutes according to the user's intention, the operation and maintenance burden is reduced, competitions can be executed repeatedly, and repeated construction can be deployed dynamically.
After the training is finished, an evaluation report can be generated for each person, so that the effect of repeated practice by the trainees can be evaluated. The intention-based shooting range provides a clear process, and the training process is streamlined, automated and standardized to meet the requirement of each industry for training professionals in its own information field.
In view of the above, in order to quickly construct and configure a shooting range and provide a reliable shooting range training platform, an embodiment of the present invention provides a method for constructing a shooting range, as shown in FIG. 1. The method schedules and arranges the network simulation scene modules of the shooting range according to subject and context data, so that the shooting range usage environment is constructed automatically. The embodiment also provides a method for configuring the modeling elements of a real environment: a synthetic environment is formed by configuring and setting the networks, devices, traffic, attacks, personnel interaction behaviors and other modeling elements, so as to simulate a real-world digital network environment for network training and to provide a controlled and instrumented environment for the use, research and evaluation of network space security. That is, constructing a shooting range environment usually requires configuring networks, devices, traffic, attacks, personnel interaction behaviors and so on, and requires systematic and detailed setting of people, machines, materials, methods and environment in order to simulate the real environment. The construction process of a shooting range is therefore complex to deploy and difficult to operate and maintain.
The construction process of the shooting range in the embodiment of the invention is the core through which people exercise real-time control and flexible command over the network security training process and the main link for interaction between the virtual and real worlds; it ensures that every part of the training runs in an orderly and efficient way according to the preset network security training process and scenario. A shooting range guiding and adjusting system, a virtualized network, an attack engine, a traffic generator and a virtual SOC are generally required for training planning (configuration and the like), constructing the initial training situation, monitoring the training state, and transmitting the state information and commands of the management process within the network shooting range. The intention-based shooting range construction process is a scheme management and application process that, through in-depth industry analysis and analysis of the user's shallow intention data and signals, schedules the functional components of the shooting range and combines them into a single test scheme. Constructing a shooting range generally requires generating a task system, setting task management parameters, configuring operation monitoring rules and monitoring personnel, setting a situation display scheme, configuring a data acquisition strategy, and configuring the task scripts of the various roles, so that training proceeds smoothly according to the preset scenario and data support is provided for training evaluation. This specifically comprises the following steps:
Step 101: first, simulation software and a network system are scheduled, and the network traffic of users and of the network shooting range is simulated, so that a shooting range platform system is constructed. The construction flow is described with reference to FIG. 4.
The simulation software and the network system are scheduled to simulate the network traffic of users and of the network shooting range, and simulated environments combining virtual and real elements, such as a virtual internet, a data center and a backbone network, are realized on the network system to form the shooting range platform system. Once the shooting range platform system has been constructed, an administrator can be granted the authority to manage the shooting range and to add, delete, modify and query its resources. In addition, in one embodiment, the method for constructing the shooting range platform system comprises the following steps:
an evaluation task model can be constructed according to the context of the pilot task, and related automation scripts for testing and for attack and defense training in the shooting range environment are provided; testing and attack and defense training can be carried out on the constructed shooting range environment, and an administrator can monitor the participants' shooting range task activity in real time and intervene in the participants' tasks. The task scheduling manager can schedule a wide range of resources to take part in the shooting range drill, and has many-to-many views. The context described above aggregates the typical networking scenarios and the services of the industry, and the aggregated industry services are used for probe deployment. For example, in a telecommunication metropolitan area network shooting range, the network is typically organized into an access layer, a convergence layer and a core layer; the access layer focuses on the accessed services, domestic services use L2VPN to the edge, the convergence layer uses L3VPN, and the edge has an L2-L3 bridging service. The evaluation criteria and monitoring views differ between shooting range environments; that is, the shooting range is constructed according to the aforementioned context, and the related deployments are constructed from industry-common templates.
As shown in FIGS. 3-4, the standardized shooting range construction process is implemented through in-depth industry analysis and the user's shallow intention, and the training process is streamlined, automated and standardized. The shooting range is constructed automatically according to the user's selections, and network deployment, operation and maintenance are automated by scheduling and arranging the basic resource environment, the network environment and each functional component module. Intention construction in the shooting range means that a typical service network scene of the user's industry is generated from the typical service scene and networking topology selected for that industry, and that roles are selected according to the personnel scale set by the user, for example:
Red team: responsible for deploying attack weapons and techniques (such as penetration testing), attacking the shooting range targets and carrying out attack drills.
Blue team: responsible for managing the availability, scalability, security and stability of infrastructure such as networks and applications, and for defense and countermeasures.
Green team: responsible for simulating the operations of legitimate users connected, by wire or wirelessly, to the infrastructure managed by the blue team.
White team: creates the network attack and defense scene, and monitors and manages the progress and situation of the confrontation between the red and blue teams in real time.
Yellow team: responsible for the normal operation of the network shooting range, and reports the attack and defense situation to observers.
Gray team: maintains normal traffic and service requests.
Purple team: ensures and maximizes the effectiveness of the red and blue teams. The purple team integrates the blue team's defense strategies and controls with the threats and vulnerabilities discovered by the red team under unified rules, so as to maximize what the red and blue teams achieve in the attack and defense process; the final goal is to solve the core problem that information is not shared between the red and blue teams.
Of course, the above roles can be selected dynamically according to the scale of the competition, and some of the roles can be set automatically. Virtualized terminal equipment for the constructed scene can be installed selectively according to the scene and training requirements; it can provide related attack automation, automatically generate background data and traffic to simulate a more realistic environment, and, after construction, provide an operation and maintenance training management interface for switching these settings on and off.
Step 102, secondly, the normal network service traffic needs to be managed and scheduled in the training process to simulate the network administrator and the special network service.
Normal network service traffic needs to be managed and scheduled during training. High-fidelity network management and service traffic is established in the shooting range to simulate a network administrator and special network services. In traditional training the network traffic is clean and the related message data is easy to analyze; to come close to a real environment, as many kinds of service access traffic as possible need to be generated in the environment, such as the traffic of OA system users logging in and querying business data, daily mail traffic, internal chat software traffic and the like.
High-fidelity traffic needs to reproduce the traffic patterns of a real scene as realistically as possible, and can be adjusted adaptively according to the configuration. One example is a set of virtual human agent plug-ins for the network shooting range that simulate and synthesize the use of tools such as a mail client, a Web client and an SSH client. When the virtual human agent plug-in set runs in the shooting range environment, it uses the description parameters defined for the user roles of the shooting range, or user-defined default parameters, to create the network traffic of user operations such as sending mail, Web access and SSH connections, which provides natural traffic for the shooting range. In addition, traffic orchestration needs to provide abnormal threat traffic: a large number of realistic threat flows directed at the interactive and shooting range training role positions are created, generating deliberate security events for testing the trainees, testing target software, verifying the robustness of the target systems under study, and so on. Test data streams for equipment testing are provided according to the specific scene, and technical means are provided to the personnel concerned for attack or defense.
Thus, scene simulation is set up according to the industry scale and the training personnel, and the intention-based network traffic simulation of the shooting range includes the customized generation of threat traffic and service traffic, which is used to simulate the training environment of the simulated shooting range.
And step 103, finally, dynamically constructing a feasible evaluation model.
The shooting range platform system constructed based on the intention can efficiently evaluate the configuration effect, provides evaluation data for a training side management team to know the training current situation and the overall training capacity level of mastering personnel, facilitates the training side to find problems in training, analyzes the reasons appearing and makes targeted improvement measures. In one embodiment, the method for dynamically constructing a feasible evaluation model includes:
before task construction, selecting the corresponding task evaluation and analysis templates for different training subjects, contents and objects according to training requirements or evaluation indexes; during training, monitoring the training situation and the on-site state of the trainees by visual means, and automatically displaying, through task evaluation and deduction, the comprehensive effect and performance evaluation of trial tests on network traffic, attack tools, defense equipment and support equipment; after training, evaluating the tactics, techniques and processes used in the drill and giving comprehensive analysis results and suggestions, and performing visual process deduction and traceability analysis of the task; through the automatic evaluation system constructed by the shooting range, systematic review, analysis and evaluation can be carried out according to the organization and implementation conditions reflected in the training process. The specific steps are shown in FIG. 4:
Step 1-0: the user creates a shooting range and enters the shooting range parameters through the interface; the parameters entered through the interface are shown in FIG. 8.
Step 1-1: a network is selected according to the scene chosen by the user, and the corresponding network template is selected; a specific network template is shown in FIG. 9.
The corresponding network template can be selected by choosing the industry; the typical networking can be selected and then fine-tuned, or it can be used directly as selected.
Step 1-2: services are selected according to the industry chosen by the user, and the probe policy is set according to the services, as shown in FIG. 10.
Step 1-3: the evaluation system selects the relevant acquisition template for training and evaluation, according to the user's parameters and the industry probe data in combination with the scene.
The training evaluation is a weighted calculation over dimensions such as target complexity, target importance and target result, and the final result is obtained from this calculation. Each of these dimensions can be configured with specific sub-dimension collectors that feed the final evaluation.
Step 1-4: roles are selected and role parameters are set according to the training direction, such as training tasks or emergency response, so that specific personnel can be bound to the roles afterwards.
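Steps 1-0 to 1-4 above, sketched as an added example (not code from the patent): a shallow user intent is expanded into a network template, per-service probe policies and roles, and the step 1-3 weighted evaluation is computed from sub-dimension collectors. The template contents, probe kinds, headcount threshold, weights and scores are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed templates: "typical networking" per industry, each service mapped to its layer.
TEMPLATES = {
    "telecom-metro": {
        "layers": ["access", "convergence", "core"],
        "services": {"L2VPN": "access", "L3VPN": "convergence", "OA": "core"},
    },
    "office": {
        "layers": ["access", "core"],
        "services": {"mail": "core", "chat": "access"},
    },
}
# Assumed probe kinds per layer (the page names flow audit and host audit).
PROBES_BY_LAYER = {"access": ["flow"], "convergence": ["flow"], "core": ["flow", "host"]}
FULL_ROSTER_FROM = 10  # assumed headcount at which yellow and purple teams are added


@dataclass
class Intent:
    """Step 1-0: the parameters a user enters when creating a range."""
    name: str
    industry: str
    participants: int
    drop_services: set = field(default_factory=set)  # step 1-1 fine adjustment


def build_range_plan(intent):
    """Steps 1-1, 1-2 and 1-4: template, probe policy per service, roles."""
    if intent.industry not in TEMPLATES:
        raise ValueError(f"no network template for industry {intent.industry!r}")
    if intent.participants < 2:
        raise ValueError("a drill needs at least one attacker and one defender")
    template = TEMPLATES[intent.industry]
    unknown = set(intent.drop_services) - set(template["services"])
    if unknown:
        raise ValueError(f"cannot drop services not in template: {sorted(unknown)}")
    services = {s: layer for s, layer in template["services"].items()
                if s not in intent.drop_services}
    if not services:
        raise ValueError("fine adjustment removed every service; nothing to probe")
    probes = [{"service": s, "layer": layer, "kinds": PROBES_BY_LAYER[layer]}
              for s, layer in sorted(services.items())]
    # Red, blue and white are staffed; green and gray traffic roles are automated.
    roles = {"red": "staffed", "blue": "staffed", "white": "staffed",
             "green": "automated", "gray": "automated"}
    if intent.participants >= FULL_ROSTER_FROM:
        roles.update(yellow="staffed", purple="staffed")
    return {"name": intent.name, "layers": list(template["layers"]),
            "probes": probes, "roles": roles}


def evaluate(weights, collected):
    """Step 1-3: weighted score over dimensions; each dimension is the mean of its
    sub-dimension collectors (scores 0..100). Weights are normalised to sum to 1."""
    total = sum(weights.values())
    if total <= 0 or any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative with a positive sum")
    score = 0.0
    for dimension, weight in weights.items():
        subs = collected.get(dimension)
        if not subs:
            raise ValueError(f"no collector data for dimension {dimension!r}")
        if any(not 0 <= v <= 100 for v in subs.values()):
            raise ValueError(f"collector score out of range in {dimension!r}")
        score += (weight / total) * (sum(subs.values()) / len(subs))
    return round(score, 2)


# Constructed sample run data.
SAMPLE_WEIGHTS = {"complexity": 3, "importance": 3, "result": 4}
SAMPLE_COLLECTED = {
    "complexity": {"injected_traffic": 80, "background_traffic": 60},
    "importance": {"asset_criticality": 90},
    "result": {"response_time": 50, "containment": 70},
}

if __name__ == "__main__":
    plan = build_range_plan(Intent("metro-drill", "telecom-metro", 12, {"L3VPN"}))
    for probe in plan["probes"]:
        print(probe)
    print(plan["roles"])
    print(evaluate(SAMPLE_WEIGHTS, SAMPLE_COLLECTED))
```

Failing early on an unknown industry, an emptied service list or a dimension with no collector data keeps a half-specified intent from producing a range that deploys but cannot be evaluated.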
Thus, as shown in fig. 5, for different industries, operation and maintenance rules are dynamically injected, the strategies under the scheduling physical and virtualization platforms are adjusted in the competition process, and the attack mode and the attack strength are changed through strategy adjustment. Auditing the personnel behavior records in the audit; the comprehensive audit audits the whole attack flow, whether the behavior of the training personnel is standard or not can be judged through the comprehensive audit of different audit component functions, and the comprehensive ability of the personnel is judged. The configuration of the relevant process analysis and data acquisition is used for monitoring and managing the whole range. As shown in fig. 6, the integrated evaluation analysis process then analyzes the match process data to determine the behavior of the attack and defense operation. For example, operations of scanning detection, DDOS attack and the like performed by an attacker on a defender, emergency response tests, response time and the like are already performed, and evaluation is performed through a set of comprehensive evaluation system; in the evaluation process of the upper complaint scene, the effect evaluation of the training task can be carried out according to the complexity of the dynamically injected flow and the background flow for evaluation reference, and the emergency disposal behavior of the personnel is dynamically analyzed according to the industry by adopting a related evaluation model in combination with the basic level of the personnel. The whole analysis and evaluation flow establishes a related evaluation system according to various industries, and the evaluation system is applied to the current evaluation flow so as to comprehensively evaluate the training ability of personnel and provide reliable evidence chain support for the training of a trainer. 
Fig. 7, in turn, covers collecting data, distributing relevant expert knowledge base content, and providing algorithm-based basic support for data analysis. The training is supported by assessment of the whole process, so that training activities can be analyzed quickly and comprehensively; this provides assessment data with which the management team of the training party can grasp the current state of training and the overall level of training capability, find problems in the training, analyze their causes, and make targeted improvement measures. The analysis means, the judgment rules and the performance evaluation standards used in shooting range training are configured automatically, so that the training quality of the trained personnel can be evaluated and judged. Through effect evaluation, training activities are comprehensively analyzed, the current state of training and the overall training capability level are grasped, problems in training are found, their causes are analyzed, and targeted improvement measures are made.
In one embodiment, the method of constructing the shooting range platform system further comprises: automatically deploying and setting up the industry network environment of the shooting range, which allows a typical industry network topology to be generated.
As shown in fig. 5, the specific steps are as follows:
The virtual machine dynamically injects probes for the different hosts; during the construction of the target range, the flow on the physical and virtualization platforms is collected, as are the host behaviors of the virtual and physical hosts. The flow behavior records are audited in the flow audit, and the operation behavior of the hosts is audited in the host audit; the whole attack process is audited in the comprehensive audit, and the behavior of the training personnel can be judged by combining the functions of the different audit components. This scheme of dynamic deployment and dynamic monitoring of the computer competition system can monitor the whole construction process of the target range and provide the organizer with evidence support in the form of a data chain.
Description of the drawing: the main process of the closed-loop monitoring of the whole system is as follows. Starting from the attack result submitted by the user, flow analysis and user behavior analysis are combined to prove that the user's operation was compliant and reasonable, that is, that the data value was obtained by a real attack and not by other third-party means; the legal compliance of the operations of the personnel involved is audited, and the control center outputs the result of the attack and defense data chain fed back by the whole attack flow. The training process monitoring system audits the whole training process according to the flow audit and host behavior audit results. The control center is linked, for the audit results, with the host auditing system deployed on the hosts and with the network flow auditing system, and identifies the operation behaviors of each training link. The control center communicates with the network flow auditing system and the host auditing system respectively and forwards information between the two for fusion analysis.
In the embodiment of the present invention, acquiring the traffic data of the host and switch ports and determining whether the traffic data is normal specifically includes: mirroring the host port traffic and the switch port traffic to obtain mirrored traffic; performing data analysis on the mirrored traffic; and judging from the result of the data analysis whether the traffic data is normal. Further, the data analysis of the mirrored traffic specifically consists of protocol analysis and traffic monitoring analysis.
Data analysis is performed on the mirrored traffic, which is obtained by mirroring the physical network traffic and the port traffic under the cloud platform. Working on the mirror, the system carries out protocol analysis and traffic monitoring analysis to find attack and defense behaviors between the operating host and the target host, and to judge whether the messages sent and received conform to the normal step-by-step behavior of the range construction process. When an attack occurs, statistical analysis of the data is carried out in the log display center; the flow audit can analyze the behavior of the related traffic and, through the time track of traffic forwarding, supports the later judgment of the operation behaviors on the target range and of the validity of the results. The flow audit analyzes the traffic data, and when an abnormal condition is found in the protocol and port data sent and received by the target host, an abnormality alarm is output in the control center.
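The closed-loop check described above (a submitted attack result is accepted only when the flow audit and the host audit both corroborate it) and the port-anomaly alarm can be sketched as follows. This is an added example, not code from the patent; the record fields, addresses, file path, expected-port table and 600-second window are all assumptions.

```python
"""Added example: control-center fusion of flow-audit and host-audit records.
All record layouts, addresses, paths and thresholds are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:            # one record from the network flow audit (mirrored traffic)
    ts: float
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class HostEvent:       # one record from the host audit probe on a target host
    ts: float
    host: str
    peer: str          # remote address of the session that performed the action
    action: str
    obj: str


@dataclass(frozen=True)
class Submission:      # attack result a trainee hands to the control center
    ts: float
    trainee: str
    target: str
    asset: str         # the data value the trainee claims to have obtained


def port_alarms(flows, expected):
    """Flows reaching a monitored host on a (proto, port) it is not expected to serve."""
    return [f for f in flows
            if f.dst in expected and (f.proto, f.dport) not in expected[f.dst]]


def verify_submission(sub, flows, events, window=600.0):
    """Return (verdict, evidence_chain) for one submitted result.

    verified          traffic from the trainee reached the target AND the host
                      audit saw that same peer touch the claimed asset, in order
    no_host_evidence  traffic exists, but the host audit never saw the access
    no_traffic        nothing on the mirror links the trainee to the target
    """
    net = sorted((f for f in flows
                  if f.src == sub.trainee and f.dst == sub.target
                  and sub.ts - window <= f.ts <= sub.ts),
                 key=lambda f: f.ts)
    if not net:
        return "no_traffic", []
    hits = sorted((e for e in events
                   if e.host == sub.target and e.peer == sub.trainee
                   and e.obj == sub.asset and net[0].ts <= e.ts <= sub.ts),
                  key=lambda e: e.ts)
    if not hits:
        return "no_host_evidence", net
    first = hits[0]
    # Evidence chain: the flows that preceded the access, then the access itself.
    return "verified", [f for f in net if f.ts <= first.ts] + [first]


# Constructed sample data (not from the patent).
TARGET = "10.0.2.20"
ASSET = "/srv/app/data_value.txt"
EXPECTED = {TARGET: {("tcp", 22), ("tcp", 80)}}
FLOWS = [
    Flow(100.0, "10.0.1.11", TARGET, "tcp", 80),
    Flow(105.0, "10.0.1.11", TARGET, "tcp", 80),
    Flow(110.0, "10.0.1.13", TARGET, "tcp", 8081),
]
EVENTS = [HostEvent(120.0, TARGET, "10.0.1.11", "file_read", ASSET)]
SUBMISSIONS = [
    Submission(130.0, "10.0.1.11", TARGET, ASSET),   # real attack, fully evidenced
    Submission(140.0, "10.0.1.12", TARGET, ASSET),   # value obtained some other way
    Submission(150.0, "10.0.1.13", TARGET, ASSET),   # touched the target, no access seen
]


def audit_all():
    """Verdict per trainee address for the sample submissions."""
    return {s.trainee: verify_submission(s, FLOWS, EVENTS)[0] for s in SUBMISSIONS}


if __name__ == "__main__":
    for flow in port_alarms(FLOWS, EXPECTED):
        print("ALARM unexpected port:", flow)
    for trainee, verdict in audit_all().items():
        print(trainee, verdict)
```

The returned evidence chain is time-ordered, so it can be stored as the data-chain record that backs the verdict.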
According to the training requirements, probes are dynamically deployed while the environment is being loaded; the preset prohibited operations on a target host are monitored, and the operation process data of both the attacking and the defending party is audited. The related audit data are stored on the inspection host side, and the inspection host raises an alarm on abnormal operations; for normal operating behavior, the operation history can be played back. The deployment process is fully automated, and the collected process data can be stored at an audit trail center.
Further, after the alarm information is sent, the method further includes resetting the state of the host. The state reset is a reset of a virtualized device on the virtualization platform; it is similar to recovering a personal computer after its system has been damaged, except that virtualization completes the reset and recovery at the minute level. When the state of the target machine is being monitored, the state of the host can be reset after an alarm has been raised for an abnormal condition.
In one embodiment, the method for simulating a network administrator and specialized network services further comprises: automatically constructing a threat flow and service flow simulation mechanism, that is, a mechanism for forming attack flow and normal service access flow in the target range environment. The network flow of a simulated environment is relatively clean and its message data are easy to analyze, so, in order to come close to a real environment, as many kinds of service access flow as possible need to be generated in the environment, for example the flow of personnel logging in to an OA system to query service data, daily mail sending flow, internal chat software flow and the like. These flow simulation mechanisms allow the shooting range system to be simulated more realistically online and improve the fidelity of the shooting range.
In one embodiment, the method for dynamically constructing a feasible evaluation model further comprises: providing an automatic evaluation mechanism and templates for the industry, automatically deploying and setting up the probes according to the evaluation mechanism, and carrying out in-depth analysis of the collected data, so as to provide data support for analyzing and judging the training environment and to display the training results. This part mainly concerns evaluation; a specific evaluation template design scheme can be written separately.
As shown in fig. 6:
1. The main process of the closed-loop monitoring of the whole system comprises the following steps: building policies according to the scenario and loading services;
2. Flow analysis and user behavior analysis are combined to prove the compliance and reasonableness of the user's operation, and the process auditing system audits the whole competition process according to the flow audit and host behavior audit results;
3. The result data value is obtained in order to audit the legal compliance of the operations of the personnel involved, and the control center outputs the result of the attack and defense data chain fed back by the whole attack flow;
4. The control center is linked, for the audit results, with the host auditing system deployed on the hosts and with the network flow auditing system, and identifies the operation behaviors in the training process; the control center communicates with the network flow auditing system and the host auditing system respectively and forwards information between the two for fusion analysis.
FIG. 6 is a further description of FIG. 5 with reference to the service description above; the two are a schematic diagram and a flow diagram of the same process, not two separate things. The main process of the closed-loop monitoring of the whole system that it illustrates is the one already described for FIG. 5.
As shown in fig. 7, the flow generating system functions as follows:
1. Background noise is generated in the environment to simulate the real environment, and industry background data are generated for the current scene topology and business industry;
2. Tool flow is used to simulate third-party attacks, and the data of the attack process can be provided to the evaluation center;
3. The host probe can collect the operations and response data of the personnel involved and provide them to the evaluation module for comprehensive analysis;
4. The collected flow data is also provided to the relevant personnel for analysis.
In addition, the embodiment of the invention can also automatically configure the network, the flow and the evaluation system; these configuration processes are standardized processes based on deep industry analysis and the user's shallow intention.
In summary, the method of the embodiment of the invention realizes a standardized shooting range construction process through deep analysis of industries and the shallow intention of users, and makes the training process procedural, automated and standardized, to meet each industry's need to train professionals in its own information field. The configuration process can be optimized through machine learning on the industry of the configuration personnel and on the training process, which provides configuration guidance and reduces the configuration burden on the training party. The deployment complexity of the existing shooting range training process is addressed, the difficulty of operation, maintenance and deployment is reduced, and a system can be constructed quickly for training. The aim is to construct simplified configurations for data monitoring, effect evaluation and the like in the training process from industry big-data analysis and the configuration direction chosen by personnel, so that the most complete task training analysis and display can be achieved with the minimum configuration.
As shown in fig. 2, an embodiment of the present invention further provides an apparatus for constructing a firing ground, including:
the construction module 71 is used for scheduling simulation software and a network system, and simulating network traffic of users and a network shooting range so as to construct a shooting range platform system;
a simulation module 72, configured to manage and schedule normal network service traffic in a training process, so as to simulate a network administrator and special network services;
and an evaluation module 73 for dynamically constructing a feasible evaluation model.
As shown in fig. 3, the parts in the figure are explained as follows:
Environment: mainly the underlying operating system, i.e. the underlying OS + hardware environment;
Communication: mainly data communication between and within components;
The evaluation management module is mainly an evaluation management system:
A) Collection: system data acquisition and process data collection, supporting the analysis system.
B) Analysis: integrating and sorting the acquired data according to the knowledge base.
C) Expert database: obtaining data attributes such as viruses, attacks and abnormal accesses from the characteristics of the data collected in the historical experience database.
D) Monitoring: monitoring the collected data.
E) Display: analyzing and displaying the evaluated data.
The network shooting range scene mainly comprises the following elements in the network shooting range construction process:
A) Physical equipment: mainly the equipment used to construct virtualized resources, or the physical hardware used in constructing the target range, i.e. real equipment that cannot be virtualized, a real physical route or some special equipment;
B) Virtual resources: mainly the resources built by virtualization, such as virtualization images and virtualized networks;
C) Industry scene: a typical networking scene of a certain industry; different industries have networking modes and networking scenes with their own characteristics;
D) Service scene: the deployment logic of a specific business, such as an online shopping mall business, an ERP business or an OA business, in a front-end + back-end + database mode;
E) Tools: application tools used in the scene, such as probes for data acquisition and software tools for data management and for users;
F) Task, scenario: a description of the content currently relevant to the scenario;
G) Role: the roles in the scene, such as red, blue, white, green and gray.
The embodiment of the invention also provides construction equipment of the target range, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the construction method of the target range when executing the program.
The embodiment of the invention also provides a computer-readable storage medium, which stores computer-executable instructions, wherein the computer-executable instructions are used for executing the construction method of the firing ground.
In this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, or other various media capable of storing program codes.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or modulated data signals such as a carrier wave or other transport mechanism and includes any information delivery media.

Claims (9)

1. A method of constructing a firing ground, comprising:
firstly, simulation software and a network system need to be scheduled, and network flow of a user and a network shooting range is simulated, so that a shooting range platform system is constructed;
secondly, managing and scheduling normal network service flow in the training process so as to simulate a network administrator and special network services;
finally, a feasible evaluation model is dynamically constructed.
2. The method of construction of a firing ground according to claim 1, characterized in that it comprises:
the construction of an evaluation task model can be carried out according to the context of the pilot task, and a related automatic script for testing and attacking and defending training based on the shooting range environment is provided; the constructed shooting range environment can be tested, attacked and defended and trained on the basis of the shooting range environment, and a manager can monitor the shooting range task activity condition of a participant in real time and intervene in the participant task; the task scheduling manager can schedule a wide range of resources and participate in the shooting range drill, and has many-to-many views.
3. The method of claim 1, wherein the method of dynamically constructing a feasible assessment model comprises:
before task construction, selecting corresponding task evaluation and analysis templates for different training subjects, contents and objects according to training requirements or evaluation indexes; during training, monitoring the training situation and the field of the trained personnel through a visual means and method; the task evaluation and deduction automatic display method comprises the steps of automatically displaying comprehensive effects and performance evaluation of trial tests on network flow, attack tools, defense equipment and support guarantee equipment; after training, evaluating tactics, techniques and processes in the process of drilling and fighting, and giving out comprehensive analysis results and suggestions; performing visualization process deduction and traceability analysis on the task; through an automatic evaluation system constructed by the shooting range, systematic review and analysis evaluation can be carried out according to the organization and implementation conditions reflected in the training process.
4. The method of construction of a firing ground according to claim 1, characterized in that it further comprises: and automatically deploying and setting the industrial network environment of the target range, and generating the industrial network topology.
5. The method of construction of a firing ground according to claim 1, wherein said method of simulating a network administrator and specialized network services further comprises: and automatically constructing a threat flow and service flow simulation mechanism, and forming a simulation mechanism of attack flow and normal service access flow in the shooting range environment.
6. The method of constructing a firing ground of claim 1, wherein the method of dynamically constructing a feasible assessment model further comprises: the automatic evaluation mechanism and the template of the industry are provided, automatic deployment and setting of the probes are carried out according to the evaluation mechanism, deep analysis is carried out according to collected data, data support for analyzing and judging the training environment is achieved, and training results are displayed.
7. An apparatus for constructing a firing ground, comprising:
the construction module is used for scheduling simulation software and a network system, and simulating network flow of a user and a network target range so as to construct a target range platform system;
the simulation module is used for managing and scheduling normal network service flow in the training process so as to simulate a network administrator and special network services;
and the evaluation module is used for dynamically constructing a feasible evaluation model.
8. A construction apparatus for a range, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the construction method for a range according to any one of claims 1 to 6.
9. A computer-readable storage medium having stored thereon computer-executable instructions for performing the method of constructing a firing ground of any one of claims 1 to 6.
CN202110132946.3A 2021-02-01 2021-02-01 Construction method, device and equipment of target range and storage medium Pending CN112448857A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110132946.3A CN112448857A (en) 2021-02-01 2021-02-01 Construction method, device and equipment of target range and storage medium

Publications (1)

Publication Number Publication Date
CN112448857A true CN112448857A (en) 2021-03-05

Family

ID=74739762


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20210305)