CN112714138A - Test method, device, equipment and storage medium based on attack flow - Google Patents
Test method, device, equipment and storage medium based on attack flow Download PDFInfo
- Publication number
- CN112714138A CN112714138A CN202110329875.6A CN202110329875A CN112714138A CN 112714138 A CN112714138 A CN 112714138A CN 202110329875 A CN202110329875 A CN 202110329875A CN 112714138 A CN112714138 A CN 112714138A
- Authority
- CN
- China
- Prior art keywords
- packet
- attack
- tested
- test
- attack traffic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application provides a test method, a test device, equipment and a storage medium based on attack traffic.A test device loaded with a DPDK program generates at least one attack traffic packet to be tested by acquiring an original attack traffic packet and modifying the original attack traffic packet based on a constructed mutator, sends at least one test data packet corresponding to each attack traffic packet to be tested to equipment to be tested, receives at least one feedback data packet returned by the equipment to be tested, and finally determines a test result of the equipment to be tested according to sending information of the at least one test data packet and receiving information of the at least one feedback data packet. In the technical scheme, the data processing efficiency is improved by processing based on the test equipment loaded with the DPDK program, and the individualized customization of the attack flow information to be tested is realized by constructing the mutator, so that the diversified tests of the attack flow are enriched, and the test accuracy is improved.
Description
Technical Field
The present application relates to the field of test technologies, and in particular, to a test method, device, apparatus, and storage medium based on attack traffic.
Background
With the rapid development of information technology, various new technologies, new business states and new applications are continuously emerging, and the threat of network security is increased dramatically. Data leakage, cloud platform security risk, and other issues are becoming more severe, and network security challenges associated with emerging technologies such as blockchains, car networking, and the like are also increasing. In the face of the strong demands of the key industries such as industry, finance, energy and the like, and emerging industries such as e-commerce, smart cities and the like on network security products, services and solutions, it is very necessary to determine the performance and the safety protection capability of network security products such as network security enterprises and internet enterprises.
In the prior art, performance and safety protection capability of network security products such as network equipment are usually tested in a flow playback mode, specifically, functions and performance of the network equipment are tested by using test data acquired from an online real user use scene, and the flow playback mode can quickly and comprehensively check whether a system has risks. Thus, attack testing based on traffic replay is a common attack approach.
However, there are several disadvantages in using traffic replay for attack testing: the covered attack test types are few, and the common replay attack is realized by processing the data packet based on the Linux kernel protocol stack, so that the data processing efficiency is low, and the test result is inaccurate.
Disclosure of Invention
The application provides a test method, a test device, test equipment and a storage medium based on attack traffic, which are used for solving the problems of low data processing efficiency and inaccurate test results in the existing test process.
According to a first aspect of the present application, the present application provides a test method based on attack traffic, which is applied to a test device loaded with a DPDK program, and the method includes:
acquiring an original attack flow packet, wherein the attack flow of the original attack flow packet is generated by an attacker initiating an attack action through the Internet;
modifying the original attack traffic packet based on a constructed hop transformer to generate at least one attack traffic packet to be tested, wherein the constructed hop transformer comprises: determining a jump starting position, a jump domain type, a jump mode and a jump variable value or a jump variable range;
sending at least one test data packet corresponding to each attack flow packet to be tested to equipment to be tested, and receiving at least one feedback data packet returned by the equipment to be tested, wherein each feedback data packet is a test data packet forwarded or processed by the equipment to be tested;
and determining the test result of the equipment to be tested according to the sending information of the at least one test data packet and the receiving information of the at least one feedback data packet.
In a possible design of the first aspect, the modifying the original attack traffic packet by constructing a jumper to generate at least one attack traffic packet to be tested includes:
analyzing the original attack traffic packet, and determining a plurality of message fields of the original attack traffic packet;
modifying target message fields in the plurality of message fields according to the jump starting position, the jump domain type, the jump mode and the jump variable value or the jump variable range specified by the constructed jump transformer to obtain at least one attack flow packet to be tested;
the jump starting position is used for indicating the starting subscript position of a jump domain in a message; the jump domain type is used for specifying a variable type of a jump domain; the hopping pattern specifies a transformation pattern of a hopping domain variable.
In another possible design of the first aspect, before the sending the at least one test data packet corresponding to each attack traffic packet to be tested to the device to be tested, the method further includes:
and updating the attack traffic library according to the at least one attack traffic packet to be detected.
Optionally, before the updating the attack traffic library according to the at least one attack traffic packet to be detected, the method further includes:
constructing an attack traffic library according to an attack traffic packet in a known attack library;
or
And generating the attack traffic library according to the known attack library and the self-defined original attack traffic packet.
In yet another possible design of the first aspect, before sending the at least one test data packet corresponding to each attack traffic packet to be tested to the device to be tested, the method further includes:
for each attack flow packet to be detected, determining the data direction and the data sequence of each data packet according to the port type and the timestamp information of each data packet in the attack flow packet to be detected;
and dividing the attack traffic packets to be tested according to the data direction and the data sequence of each data packet to obtain at least one test data packet corresponding to the attack traffic packets to be tested.
In yet another possible design of the first aspect, the determining a test result of the device under test according to the sending information of the at least one test data packet and the receiving information of the at least one feedback data packet includes:
when the receiving information of each feedback data packet is the same as the sending information of the corresponding test data packet, determining that a vulnerability exists when the equipment to be tested processes the attack behavior corresponding to the test data packet;
and when the receiving information of each feedback data packet is different from the sending information of the corresponding test data packet, determining that the equipment to be tested has the capability of processing the attack behavior corresponding to the test data packet.
In another possible design of the first aspect, the sending, to the device under test, at least one test data packet corresponding to each attack traffic packet under test includes:
sequentially sending each test data packet corresponding to each attack traffic packet to be tested to equipment to be tested according to the packet sending interval and the packet sending sequence in the original traffic packet;
or
And sequentially sending each test data packet corresponding to each attack flow packet to be tested to the equipment to be tested according to a preset packet sending rate.
According to a second aspect of the present application, there is provided a test apparatus based on attack traffic, which is applied to a test device loaded with a DPDK program, and the apparatus includes:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring an original attack traffic packet, and the attack traffic of the original attack traffic packet is generated by an attacker initiating an attack behavior through the Internet;
a processing module, configured to modify the original attack traffic packet based on a constructed hop transformer, and generate at least one attack traffic packet to be detected, where the constructed hop transformer includes: determining a jump starting position, a jump domain type, a jump mode and a jump variable value or a jump variable range;
the receiving and sending module is used for sending at least one test data packet corresponding to each attack flow packet to be tested to the equipment to be tested and receiving at least one feedback data packet returned by the equipment to be tested, wherein each feedback data packet is a test data packet forwarded or processed by the equipment to be tested;
the processing module is further configured to determine a test result of the device under test according to the sending information of the at least one test data packet and the receiving information of the at least one feedback data packet.
In a possible design of the second aspect, the processing module is configured to modify the original attack traffic packet by constructing a mutator, and generate at least one attack traffic packet to be detected, where the method specifically includes:
the processing module is specifically configured to:
analyzing the original attack traffic packet, and determining a plurality of message fields of the original attack traffic packet;
modifying target message fields in the plurality of message fields according to the jump starting position, the jump domain type, the jump mode and the jump variable value or the jump variable range specified by the constructed jump transformer to obtain at least one attack flow packet to be tested;
the jump starting position is used for indicating the starting subscript position of a jump domain in a message; the jump domain type is used for specifying a variable type of a jump domain; the hopping pattern specifies a transformation pattern of a hopping domain variable.
In another possible design of the second aspect, the processing module is further configured to update an attack traffic library according to the at least one attack traffic packet to be tested.
Optionally, the processing module is further configured to:
constructing an attack traffic library according to an attack traffic packet in a known attack library;
or
And generating the attack traffic library according to the known attack library and the self-defined original attack traffic packet.
In yet another possible design of the second aspect, the processing module is further configured to:
for each attack flow packet to be detected, determining the data direction and the data sequence of each data packet according to the port type and the timestamp information of each data packet in the attack flow packet to be detected;
and dividing the attack traffic packets to be tested according to the data direction and the data sequence of each data packet to obtain at least one test data packet corresponding to the attack traffic packets to be tested.
In another possible design of the second aspect, the processing module is configured to determine a test result of the device under test according to the sending information of the at least one test data packet and the receiving information of the at least one feedback data packet, and specifically:
the processing module is specifically configured to:
when the receiving information of each feedback data packet is the same as the sending information of the corresponding test data packet, determining that a vulnerability exists when the equipment to be tested processes the attack behavior corresponding to the test data packet;
and when the receiving information of each feedback data packet is different from the sending information of the corresponding test data packet, determining that the equipment to be tested has the capability of processing the attack behavior corresponding to the test data packet.
In another possible design of the second aspect, the transceiver module is configured to send at least one test data packet corresponding to each attack traffic packet to be tested to the device to be tested, and specifically, the transceiver module is configured to:
the receiving and sending module is specifically used for sequentially sending each test data packet corresponding to each attack traffic packet to be tested to the equipment to be tested according to the packet sending interval and the packet sending sequence in the original traffic packet;
or
The receiving and sending module is specifically configured to send each test data packet corresponding to each attack traffic packet to be tested to the device to be tested in sequence according to a preset packet sending rate.
According to a third aspect of the present application, there is provided a test device based on attack traffic, comprising: a memory, a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the attack traffic based testing method according to the first possible design.
According to a fourth aspect of the present application, there is provided a computer-readable storage medium, in which computer-executable instructions are stored, and when the computer-executable instructions are executed by a processor, the computer-executable instructions are used to implement the attack traffic-based testing method according to the various possible designs of the first aspect.
According to a fifth aspect of the present application, there is provided a computer program product comprising: computer program having computer executable instructions for implementing the method of the first aspect as contemplated by the various possibilities of the first aspect.
According to the attack traffic-based test method, the attack traffic-based test device, the test device and the storage medium, the original attack traffic packet can be obtained by the test device, the original attack traffic packet is modified based on the construction of the jumper, at least one attack traffic packet to be tested is generated, and the construction of the jumper comprises the following steps: determining a jump starting position, a jump domain type, a jump mode and a jump variable value or a jump variable range, sending at least one test data packet corresponding to each attack flow packet to be tested to the equipment to be tested, receiving at least one feedback data packet returned by the equipment to be tested, and finally determining a test result of the equipment to be tested according to the sending information of the at least one test data packet and the receiving information of the at least one feedback data packet. In the technical scheme, the data processing efficiency is improved by processing based on the test equipment loaded with the DPDK program, and the individualized customization of the attack flow information to be tested is realized by constructing the mutator, so that the diversified tests of the attack flow are enriched, and the test accuracy is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic structural diagram of a test system based on attack traffic according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a test system based on attack traffic according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a test system based on attack traffic according to an embodiment of the present application;
fig. 4 is a schematic flowchart of a first embodiment of a test method based on attack traffic according to an embodiment of the present application;
fig. 5 is a schematic flowchart of a second embodiment of a test method based on attack traffic according to an embodiment of the present application;
fig. 6 is a schematic flowchart of a third embodiment of a test method based on attack traffic provided in the embodiment of the present application;
fig. 7 is a schematic structural diagram of an embodiment of a test apparatus based on attack traffic according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of another embodiment of a test apparatus based on attack traffic according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a test device based on attack traffic according to an embodiment of the present application.
With the above figures, there are shown specific embodiments of the present application, which will be described in more detail below. These drawings and written description are not intended to limit the scope of the inventive concepts in any manner, but rather to illustrate the inventive concepts to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
With the rapid development of information technology, the continuous emergence of internet, mobile terminals and instant messaging, the threat of network security is increased dramatically. In recent years, problems such as data leakage and cloud platform security risk are becoming more severe, and network security challenges related to emerging technologies such as block chaining and car networking are also increasing.
In the face of the strong demands of the key industries such as industry, finance and energy, and emerging industries such as e-commerce and smart cities on network security products, services and solutions, network security enterprises, internet enterprises, telecom operators, equipment manufacturers and the like are also accelerating to perform security layout, and accordingly, the network security products and the security protection capability are tested without a testing technology and a platform which have the advantages of scale, real environment simulation and various network attack scenes manufacturing.
Flow playback is generally applied to function and performance testing, and is similar to automatic testing in the traditional sense, except that data of the automatic testing is derived from an online real user use scene. The flow playback can also quickly and comprehensively check whether the system has risks. In the related art, an attack test based on traffic playback is a common attack method. However, this solution has several disadvantages: the types of the covered attack tests are few, for example, a common network attack testing platform Burp Suite is an integrated platform for testing and attacking web applications, and is mainly directed at an attack platform of HTTP. Currently, a common flow playback attack is to process a data packet based on a protocol stack of a Linux kernel, and has a relatively low performance; the flow information is not individually customized, so that the testing depth is influenced.
Specifically, the protocol stack of the Linux kernel may generate frequent interrupt processing, memory copy and other operations during network packet processing, which may seriously affect the transceiving performance of the network packet, so that the packet sending rate cannot meet the current high-speed network.
Aiming at the technical problems, the conception process of the technical scheme of the application is as follows: on one hand, because the traditional application program runs in the user mode space, if the attack flow replay of the scheme is also carried out in the user mode, the Linux kernel mode protocol stack is bypassed, so that the device to be tested does not have CPU interruption and memory copy processes when receiving and sending network data, and the message processing efficiency can be greatly improved. On the other hand, if the original attack traffic can be modified to generate attack traffic with different functions, the test requirement of the diversity of the attack traffic can be met, and the problem of inaccurate test effect can be solved.
Based on the technical concept, the application provides a test method based on attack traffic, which is applied to test equipment loaded with a Data Plane Development Kit (DPDK) program, the test equipment can obtain an original attack traffic packet, modify the original attack traffic packet based on a construction jumper, generate at least one attack traffic packet to be tested, and the construction of the jumper comprises: determining a jump starting position, a jump domain type, a jump mode and a jump variable value or a jump variable range, sending at least one test data packet corresponding to each attack flow packet to be tested to the equipment to be tested, receiving at least one feedback data packet returned by the equipment to be tested, and finally determining a test result of the equipment to be tested according to the sending information of the at least one test data packet and the receiving information of the at least one feedback data packet. In the technical scheme, the test equipment loaded with the DPDK program is used for processing, a Linux kernel is not required to be called for network data processing, the operations of interruption, memory copy and the like in the data processing process are avoided, the data processing efficiency is improved, the personalized customization of the attack flow information to be tested is realized by constructing the mutator, the diversified tests of the attack flow are enriched, and the test accuracy is improved.
Before the technical solution of the present application is described, a specific application scenario of the present application is first explained and described.
Fig. 1 is a schematic structural diagram of a test system based on attack traffic according to an embodiment of the present application. As shown in fig. 1, the test system may include: a test device 11 and a device under test 12.
In the embodiment of the present application, the test device 11 may obtain the original attack traffic packet in different manners, so that when the device to be tested has a test requirement, the test device 11 may modify the content information of the original attack traffic packet in a targeted manner, and generate at least one attack traffic packet to be tested.
Optionally, the test device 11 is a device in which a DPDK program is recorded, and may implement, through the DPDK program, transceiving of a data packet corresponding to the attack traffic packet to be tested. Specifically, the test device 11 may send at least one test data packet corresponding to some attack traffic packets to be tested in the at least one attack traffic packet to be tested to the device to be tested 12 according to a test requirement, and after receiving the at least one test data packet, the device to be tested 12 may send or directly forward the processed at least one test data packet to the test device 11, or the device to be tested 12 may also directly discard or feed back a rejection processing result and the like after processing the received at least one test data packet.
Optionally, the test device 11 may count the sending information of the at least one sent test data packet and the receiving information of the at least one received feedback data packet from the device under test 12, and further determine the test result of the device under test according to the sending information of the at least one test data packet and the receiving information of the at least one received feedback data packet.
Optionally, fig. 2 is another schematic architecture diagram of the test system based on the attack traffic provided in the embodiment of the present application. Compared with the test system shown in fig. 1, the test system shown in fig. 2 may include, in addition to the test device 11 and the device under test 12, the test system shown in fig. 2: an attacking device 13 and an attacked device 14. The attacking device 13 and the attacked device 14 are port devices that produce original attack traffic packets.
In this embodiment, the test device 11 is installed with data collection software, and by accessing the test device 11 to a communication link between the attacking device 13 and the attacked device 14, the test device 11 can collect the original attack traffic packet when the attacking device 13 and the attacked device 14 communicate.
Optionally, fig. 3 is a schematic structural diagram of a test system based on attack traffic according to an embodiment of the present application. Compared to the test system shown in fig. 2, the test system shown in fig. 3 may further include a data acquisition device 15 in addition to the test device 11, the device under test 12, the attack device 13, and the attacked device 14, as shown in fig. 3. The data acquisition device 15 is installed with data acquisition software and is connected to a communication link between the attacking device 13 and the attacked device 14, so that the data acquisition device 15 can acquire an original attack traffic packet when the attacking device 13 and the attacked device 14 communicate.
In the embodiment of the present application, the data acquisition software may be a packet capture tool, which may be a switch that opens a port mirror, or a packet capture tool that is opened on an attacking device and an attacked device.
It is understood that the architectures shown in fig. 1 to fig. 3 may further include other devices, for example, a display device, and the display device may be connected to the test device 11, and when the display device receives the test result of the device under test sent by the test device 11, the display device displays the test result.
It should be noted that fig. 1 to fig. 3 are only some schematic architectural diagrams provided in the embodiment of the present application, and are mainly used for testing intrusion detection and defense capabilities of a device to be tested (a security device). In the embodiment of the present application, the devices included in fig. 1 to 3 are not limited, and the positional relationship between the devices in fig. 1 to 3 is also not limited, and the display function of the display device may be integrated on the test device 11, that is, the test device 11 may directly display the test result after obtaining the test result, which is not described herein again.
In practical application, both the terminal device and the server may be processing devices loaded with DPDK programs and having a test function, so that the test device in the test system shown in fig. 1 to 3 may be implemented by the terminal device or the server, which is not limited in the embodiment of the present application.
The following describes the technical solutions of the present application and how to solve the above technical problems with specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 4 is a schematic flowchart of a first embodiment of a test method based on attack traffic provided in an embodiment of the present application. The method is applied to the test equipment loaded with the DPDK program. As shown in fig. 4, the test method based on attack traffic may include the following steps:
s401, an original attack traffic packet is obtained, wherein the attack traffic of the original attack traffic packet is generated by an attacker initiating an attack behavior through the Internet.
In the embodiment of the application, the test device may obtain the original attack traffic in multiple ways, and store the original attack traffic packet in the attack packet path, so as to perform processing such as analysis on the original attack traffic packet in the following.
In one possible design, the test device is installed with data collection software, so that the test device can collect the original attack traffic by itself by connecting the test device between the attacking device and the attacked device. In another possible design, the test device may be capable of communicating with a data collection device that has data collection software installed thereon, and after the data collection device collects the original attack traffic, the test device may obtain the original attack traffic from the data collection device.
It is to be understood that, in the embodiment of the present application, the data acquisition software may be selected as a packet capture tool, and the data acquisition device may be selected as a packet capture device, and may specifically be a switch that opens a port mirror. Optionally, in this embodiment of the present application, the attack traffic collected by the packet capture tool may be stored as an original attack traffic packet. The attack traffic refers to an attack behavior initiated by an attacker through the internet, and in general, one attack behavior corresponds to one attack traffic.
In an embodiment, the original attack traffic packet may be an exposed information security vulnerability attack traffic packet, or an abnormal traffic packet generated in an actual operation, for example, a traffic packet in which a packet contains border-crossing data.
In the embodiment of the application, the original attack traffic packet is saved in a pcap file format. The pcap file format is a commonly used packet storage format. Specifically, pcap files have a fixed basic format: pcap file header-data packet header 1-data packet header 2-data packet 2, and the like. Each pcap file has a pcap file header, which totally occupies 24 bytes; each pcap file may have multiple data headers, each followed by a real data packet, typically 16 bytes.
It is understood that, when the number of the original attack traffic packets is plural, the original attack traffic packets may also be in a file compression format, for example, zip file types, and the compressed content in each zip file type is one or more pcap files. The specific storage format of the original attack traffic packet is not limited in the embodiment of the present application, and may be determined according to the number of the original attack traffic packets, which is not described herein again.
S402, modifying the original attack traffic packet based on the constructed mutator to generate at least one attack traffic packet to be tested.
Wherein, constructing the mutator comprises: and determining a jump starting position, a jump domain type, a jump mode and a jump variable value or a jump variable range.
Optionally, after obtaining the original attack traffic packet, the test device may analyze the original attack traffic packet based on the file type of the original attack traffic packet to obtain content information of the original attack traffic packet, and store the content information into the database, so as to modify a target message field of the original attack traffic packet according to actual needs, and generate at least one attack traffic packet to be tested.
For example, in the embodiment of the present application, the S402 may be implemented by the steps of:
a1, analyzing the original attack traffic packet, and determining a plurality of message fields of the original attack traffic packet.
A2, modifying the target message field in the plurality of message fields according to the jump starting position, the jump domain type, the jump mode and the jump variable value or the jump variable range specified by the construction jump device to obtain at least one attack traffic packet to be tested.
The jump starting position is used for indicating the starting subscript position of a jump domain in the message; the jump domain type is used for specifying the variable type of the jump domain; the hopping pattern specifies the transformation pattern of the hopping domain variables.
For example, for an original attack traffic packet in a pcap file format, the test device may analyze the original attack traffic packet using a computer programming language python program, obtain content information of the original attack traffic packet, and determine a plurality of message fields of the original attack traffic packet.
Specifically, the test device may obtain the original attack traffic packet from the attack packet path, analyze information of each layer, such as a data link layer, a network layer, a transport layer, and an application layer, corresponding to the original attack traffic packet according to the PCAP file format, store the obtained multiple message fields in the database, and then store content information (multiple message fields) obtained by analyzing the original attack traffic packet in the database, so as to subsequently perform extension modification on the multiple message fields of the original attack traffic packet.
In an embodiment of the application, after the content information of the original attack traffic packet is stored in the database, the content information can be visually displayed, and the content information of the original attack traffic packet is supported to be modified. In general, the test device performs extension modification on an original attack traffic packet, and supports modification on any field in a message, including but not limited to message length, message load, and other information, which may be determined according to actual requirements.
Illustratively, the test device may also modify a target message field in the original attack traffic packet based on a test requirement, a type of the device to be tested, a test purpose, and the like, so as to expand and customize some attack traffic packets to be tested, where the attack traffic packets to be tested include data packets for the test purpose.
In one embodiment of the present application, the extension modification of the original attack traffic packet may be performed by constructing a hop. Optionally, constructing the hop calculator includes determining a hop start position, a hop domain type, a hop mode, and a hop variable value or range.
The jump starting position is used for indicating the starting subscript position of the jump domain in the message, and the specific message field position can be directly selected on a visual interface by using a mouse. The jump field type is used for specifying the variable type of the jump field and supports single-byte numerical values, double-byte numerical values, four-byte numerical values and single-character types. The hopping mode is a transformation mode used for specifying a hopping domain variable and supports a random, fixed, incremental, decremental, list mode.
In an embodiment of the present application, a hopping domain type and a hopping mode can be freely combined, and multiple hopping domains are set for the same packet. Therefore, when the test data packet is sent based on the DPDK program, the content of the message is changed within the specified jump variable value and range according to the jump starting position, the jump domain type and the jump mode specified in the constructed jump device, so that at least one attack traffic packet to be tested is generated. In practical application, the jump machine is constructed to realize personalized customization of attack traffic information, and diversified tests of attack traffic are enriched.
S403, sending at least one test data packet corresponding to each attack flow packet to be tested to the equipment to be tested, and receiving at least one feedback data packet returned by the equipment to be tested.
Each feedback data packet is a test data packet forwarded or processed by the device under test.
In the embodiment of the application, the test device sends the test data packet and receives the feedback data packet based on the DPDK program. The device under test may be a network security device, such as a network security firewall, an Intrusion Detection System (IDS), an intrusion-prevention system (IPS), and so on. The embodiment of the application does not limit the specific implementation of the device to be tested.
Optionally, in this embodiment, in the process of replaying attack traffic by the test device, after at least one test data packet is generated by analyzing, dividing, and the like the attack traffic packet message to be tested based on the DPDK program, the DPDK program may be triggered to execute the sending process of the test data packet.
Specifically, the test device first stores at least one test data packet corresponding to each attack flow packet to be tested in a buffer sending space of a memory in a queue form by using a DPDK program, and simultaneously writes an address of the buffer sending space into a hardware sending space (i.e., a descriptor sending space) of the memory, so that a Direct Memory Access (DMA) controller of the test device can obtain at least one test data packet to be sent from a position pointed by a descriptor by reading the hardware sending space, and then send the test data packet out through a network card.
As an example, the test device may sequentially send each test data packet corresponding to each attack traffic packet to be tested to the device to be tested according to the packet sending interval and the packet sending sequence in the original traffic packet.
Optionally, the test device may send at least one test data packet of each attack traffic packet to be tested to the device to be tested through the network card according to the packet sending interval and the packet sending sequence in the original attack traffic packet based on the DPDK program.
As another example, the test device may further sequentially send each test data packet corresponding to each attack traffic packet to be tested to the device to be tested according to a preset packet sending rate.
Optionally, when the test device supports setting the speed limit, the test device may send packets according to a specified rate when performing the replay test. In practical application, the speed limit comprises the following steps: and the bandwidth speed limit of a link layer and the message speed limit of a network layer are supported. The limitation of the bandwidth speed limit of the link layer is the throughput rate of the sending flow; the network layer message rate limit is limited by the number of messages sent per second.
It should be understood that, under the condition that the speed limit is not set, packet sending is performed according to the message interval and the packet sending sequence in the original attack traffic packet.
As can be seen from the above analysis, the test device may send at least one test data packet to the device to be tested through the network card according to the packet sending interval or the set rate of the original attack traffic packet through the DPDK program.
Similarly, the test device may also receive a feedback data packet returned by the device to be tested from the network card based on the DPDK program. Specifically, when the network card of the test device receives the feedback data packets, each feedback data packet may be copied to an address location pointed by a hardware receiving space (i.e., a descriptor receiving space) from a receiving queue of the network card through the DMA controller, and finally, the DPDK program polls to obtain at least one feedback data packet from the hardware receiving space of the memory.
S404, determining the test result of the device to be tested according to the sending information of the at least one test data packet and the receiving information of the at least one feedback data packet.
In the embodiment of the application, after receiving at least one feedback data packet from the device to be tested, the test device may analyze each feedback data packet, determine the receiving information of each feedback data packet, compare the receiving information with the sending information of the at least one test data packet, determine the processing condition for each data packet according to the content information of the data packet, and execute the next test data packet sending process after recording the receiving log.
Optionally, the sending information of the at least one test data packet may include: the number of the sent messages, the sending rate, the cycle replay frequency of the test data packets, the number of the sent attack flow packets to be tested and the like; accordingly, the receiving information of the at least one feedback data packet may include: the number of received messages, the receiving rate, etc. The sending information of the test data packet and the receiving information of the feedback data packet are not limited in the embodiments of the present application, and may be determined according to an actual scene, which is not described herein again.
In an embodiment of the present application, after sending at least one test data packet to a device under test, a test device may receive a feedback data packet returned from the device under test, where content information of the feedback data packet may be the same as or different from content information of an attack test data packet. Thus, by comparing the transmission information of the at least one test packet with the reception information of the at least one feedback packet, two possible test evaluation results can be obtained.
As an example, when the receiving information of each feedback data packet is the same as the sending information of the corresponding test data packet, it is determined that a vulnerability exists when the device under test processes the attack behavior corresponding to the test data packet. As another example, when the receiving information of each feedback data packet is different from the sending information of the corresponding test data packet, it is determined that the device under test has the capability of handling the attack behavior corresponding to the test data packet.
Specifically, if the feedback data packet received by the test device is the same as the attack test data packet, the protection capability of the device to be tested has a vulnerability, specifically, a vulnerability in the aspect of processing the attack behavior corresponding to the test data packet; if the feedback data packet received by the test equipment is a data packet for feeding back the rejection information, it indicates that the equipment to be tested can detect the attack behavior corresponding to the test data packet, and has the capability of processing the attack behavior corresponding to the test data packet.
For example, in addition to comparing the sending information of the test data packet with the receiving information of the feedback data packet, the testing device may also store the sending information of the test data packet and the receiving information of the feedback data packet in a database, and can view the sending information and the receiving information in the test result.
In an embodiment of the present application, when determining that a data packet is lost according to the sending information of the test data packet and the receiving information of the feedback data packet, the test device may further generate a packet loss log. Whether the packet loss log is generated depends on whether the function of recording the packet loss log is configured in the replay test parameters of the test equipment, and if the function of recording the packet loss log is configured in the replay test parameters, the test equipment records replay information corresponding to the attack traffic packet to be tested when determining that a certain message is lost or overtime.
The test method based on the attack traffic provided by the embodiment of the application is applied to test equipment loaded with a DPDK program, the test equipment can acquire an original attack traffic packet, modify the original attack traffic packet based on a constructed jumper, generate at least one attack traffic packet to be tested, and the construction of the jumper comprises the following steps: determining a jump starting position, a jump domain type, a jump mode and a jump variable value or a jump variable range, sending at least one test data packet corresponding to each attack flow packet to be tested to the equipment to be tested, receiving at least one feedback data packet returned by the equipment to be tested, and finally determining a test result of the equipment to be tested according to the sending information of the at least one test data packet and the receiving information of the at least one feedback data packet. In the technical scheme, the data processing efficiency is improved by processing based on the test equipment loaded with the DPDK program, and the individualized customization of the attack flow information to be tested is realized by constructing the mutator, so that the diversified tests of the attack flow are enriched, and the test accuracy is improved.
Exemplarily, on the basis of the above embodiments, fig. 5 is a schematic flow diagram of a second embodiment of a test method based on attack traffic provided in the embodiment of the present application. As shown in fig. 5, in this embodiment, after the step S402, the method for testing based on attack traffic may further include the following steps:
s501, updating the attack traffic library according to the at least one attack traffic packet to be tested.
In the embodiment of the application, after the test device generates at least one attack traffic packet to be tested in a mode of constructing the mutator, in order to expand the type of the attack traffic to be tested in the attack traffic library, the attack traffic packet can be added into the attack traffic library, and the attack traffic library is updated, so that the diversification of the attack traffic in the attack traffic library is realized.
For example, in an embodiment of the present application, before S501, the method for testing based on attack traffic may further include the following steps:
and S500, constructing an attack traffic library.
In the embodiment of the application, in order to directly obtain the attack traffic to be tested when a subsequent test is required, the test device may first construct an attack traffic library, where the attack traffic library includes at least one attack traffic packet. In practical application, the test device may directly select and use the attack traffic packets in the known attack library (default attack library) to construct the attack traffic library, or add the attack traffic packets to be tested that need to be customized in the known attack library (default attack library) to combine to form a new attack traffic library.
As an example, the attack traffic library is constructed from attack traffic packets in a known attack library.
Illustratively, an attack repository, also referred to as a default attack repository, is known, which can track up-to-date threat intelligence in real-time, generate attack traffic, and update into the default attack repository. In practical application, the default attack library may provide already-disclosed vulnerability information including Common Gateway Interface (CGI) script injection, Domain Name System (DNS) attack, trojan backdoor attack, code injection, network behavior attack, spyware, evasion class, port relocation, system hole leakage class, brute force guess attack, and the like, and the attack test types are rich and diverse, and can satisfy verification of the security coverage of network security equipment, evaluation of malicious software prevention capability, and the like.
As another example, the attack traffic library is generated from the original attack traffic packets in the known attack library and customized.
Illustratively, on the basis that the known attack library updates the attack traffic library by itself, a customized attack traffic packet may be added based on a method of constructing a mutator, for example, and the attack traffic library may be generated by combining the known attack library and the customized attack traffic packet.
The embodiment of the present application does not limit a specific way of constructing the attack traffic library, and the attack traffic library may be determined according to an actual scene, which is not described herein again.
According to the attack traffic-based test method provided by the embodiment of the application, the attack traffic library is constructed, and when at least one attack traffic packet to be tested is generated, the attack traffic library is updated by using the at least one attack traffic packet to be tested, so that the attack traffic types in the attack traffic library can be enriched, the diversity of the attack traffic in the attack traffic library is improved, and a foundation is laid for the subsequent improvement of the test accuracy.
Further, on the basis of the foregoing embodiments, fig. 6 is a schematic flowchart of a third embodiment of the test method based on attack traffic provided in the embodiment of the present application. As shown in fig. 6, before sending at least one test data packet corresponding to each attack traffic packet to be tested to the device to be tested in S403, the method may further include the following steps:
s601, for each attack traffic packet to be detected, determining the data direction and the data sequence of each data packet according to the port type and the timestamp information of each data packet in the attack traffic packet to be detected.
In the embodiment of the application, when the test device performs traffic playback based on the generated at least one attack traffic packet to be tested, the DPDK program may be used to analyze and divide the packet of each attack traffic packet to be tested, so as to obtain at least one test data packet corresponding to each attack traffic packet to be tested, and thus, the DPDK program may be triggered to execute the sending process of the test data packet.
Specifically, the test device first uses a DPDK program to divide the data direction and data sequence for each data packet in each attack traffic packet to be tested. Exemplarily, the data direction of each data packet is determined according to whether each data packet is sent from a client test port or a server test port; and determining the message sequence belonging to the client and the server according to the timestamp information in the attack flow packet to be detected.
S602, dividing the attack traffic packets to be tested according to the data direction and the data sequence of each data packet to obtain at least one test data packet corresponding to the attack traffic packets to be tested.
Optionally, after the test device determines the data direction and the data sequence of each data packet, the DPDK program may be used to perform operations such as dividing the attack traffic packet message to be tested to generate the test data packet, and then when the test data packet is subsequently transmitted, the correct network card may be selected to transmit the test data packet.
According to the attack flow based test method provided by the embodiment of the application, for each attack flow packet to be tested, the data direction and the data sequence of each data packet are determined according to the port type and the timestamp information of each data packet in the attack flow packet to be tested, and the attack flow packet to be tested is divided according to the data direction and the data sequence of each data packet to be tested, so that at least one test data packet corresponding to the attack flow packet to be tested is obtained. In the technical scheme, the DPDK program is used for analyzing and dividing the attack flow packet message to be tested to generate the attack test data packet, so that more real simulation attack flow can be realized during playback of the attack flow, and ultra-realistic stateful attack test flow can be realized.
For example, in this embodiment of the application, the test device may further perform preprocessing on at least one attack traffic packet to be tested according to the tested index information of the device to be tested.
Wherein the preprocessing comprises any one of the following operations: inquiry, deletion and forbidding.
Optionally, when a plurality of attack traffic packets to be tested are provided, the test device may perform query and deletion operations on the attack traffic packets to be tested according to actual requirements, and may also disable a certain or even a plurality of attack traffic packets to be tested, so as to skip the disabled attack traffic packets to be tested when performing replay test.
Illustratively, the attack traffic packet to be tested can support the pcap file name to be queried by name, can also support the enabling or disabling of replaying of a certain attack traffic packet to be tested, and can also support the adding or deleting of a certain attack traffic packet to be tested. The test equipment may select the preprocessing operation according to the actual scene requirements, which is not described herein.
The following is an embodiment of the apparatus of the present application, and may be used to implement the embodiment of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.
Fig. 7 is a schematic structural diagram of an embodiment of a test apparatus based on attack traffic according to an embodiment of the present application. The test device is integrated in or realized by test equipment loaded with a DPDK program. Referring to fig. 7, the test apparatus based on attack traffic may include:
an obtaining module 701, configured to obtain an original attack traffic packet, where an attack traffic of the original attack traffic packet is generated when an attacker initiates an attack behavior through the internet;
a processing module 702, configured to modify the original attack traffic packet based on a constructed hop transformer, and generate at least one attack traffic packet to be detected, where the constructed hop transformer includes: determining a jump starting position, a jump domain type, a jump mode and a jump variable value or a jump variable range;
the transceiver module 703 is configured to send at least one test data packet corresponding to each attack traffic packet to be tested to a device to be tested, and receive at least one feedback data packet returned by the device to be tested, where each feedback data packet is a test data packet forwarded or processed by the device to be tested;
the processing module 702 is further configured to determine a test result of the device under test according to the sending information of the at least one test data packet and the receiving information of the at least one feedback data packet.
In a possible design of the embodiment of the present application, the processing module 702 is configured to modify the original attack traffic packet by constructing a mutator, and generate at least one attack traffic packet to be detected, specifically:
the processing module 702 is specifically configured to:
analyzing the original attack traffic packet, and determining a plurality of message fields of the original attack traffic packet;
modifying target message fields in the plurality of message fields according to the jump starting position, the jump domain type, the jump mode and the jump variable value or the jump variable range specified by the constructed jump transformer to obtain at least one attack flow packet to be tested;
the jump starting position is used for indicating the starting subscript position of a jump domain in a message; the jump domain type is used for specifying a variable type of a jump domain; the hopping pattern specifies a transformation pattern of a hopping domain variable.
In another possible design of the embodiment of the present application, the processing module 702 is further configured to update an attack traffic library according to the at least one attack traffic packet to be detected.
Optionally, the processing module 702 is further configured to:
constructing an attack traffic library according to an attack traffic packet in a known attack library;
or
And generating the attack traffic library according to the known attack library and the self-defined original attack traffic packet.
In yet another possible design of the embodiment of the present application, the processing module 702 is further configured to:
for each attack flow packet to be detected, determining the data direction and the data sequence of each data packet according to the port type and the timestamp information of each data packet in the attack flow packet to be detected;
and dividing the attack traffic packets to be tested according to the data direction and the data sequence of each data packet to obtain at least one test data packet corresponding to the attack traffic packets to be tested.
In another possible design of the embodiment of the present application, the processing module 702 is configured to determine a test result of the device under test according to the sending information of the at least one test data packet and the receiving information of the at least one feedback data packet, and specifically:
the processing module 702 is specifically configured to:
when the receiving information of each feedback data packet is the same as the sending information of the corresponding test data packet, determining that a vulnerability exists when the equipment to be tested processes the attack behavior corresponding to the test data packet;
and when the receiving information of each feedback data packet is different from the sending information of the corresponding test data packet, determining that the equipment to be tested has the capability of processing the attack behavior corresponding to the test data packet.
In another possible design of the embodiment of the present application, the transceiver module 703 is configured to send at least one test data packet corresponding to each attack traffic packet to be tested to the device to be tested, and specifically includes:
the transceiver module 703 is specifically configured to sequentially send each test data packet corresponding to each attack traffic packet to be tested to the device to be tested according to the packet sending interval and the packet sending sequence in the original traffic packet;
or
The transceiver module 703 is specifically configured to sequentially send each test data packet corresponding to each attack traffic packet to be tested to the device to be tested according to a preset packet sending rate.
The apparatus provided in the embodiment of the present application may be used to implement the technical solution described in the embodiment of the method, and the implementation principle and the technical effect are similar, which are not described herein again.
It should be noted that the division of the modules of the above apparatus is only a logical division, and the actual implementation may be wholly or partially integrated into one physical entity, or may be physically separated. And these modules can be realized in the form of software called by processing element; or may be implemented entirely in hardware; and part of the modules can be realized in the form of calling software by the processing element, and part of the modules can be realized in the form of hardware. For example, the processing module may be a processing element separately set up, or may be implemented by being integrated in a chip of the apparatus, or may be stored in a memory of the apparatus in the form of program code, and a function of the processing module may be called and executed by a processing element of the apparatus. Other modules are implemented similarly. In addition, all or part of the modules can be integrated together or can be independently realized. The processing element described herein may be an integrated circuit having signal processing capabilities. In implementation, each step of the above method or each module above may be implemented by an integrated logic circuit of hardware in a processor element or an instruction in the form of software.
For example, in practical application, fig. 8 is a schematic structural diagram of another embodiment of the test apparatus based on attack traffic provided by the embodiment of the present application. As shown in fig. 8, the test apparatus based on attack traffic may include an attack traffic library construction module 801, an attack traffic playback case construction module 802, a DPDK-based attack traffic playback module 803, and a data statistics module 804.
The attack traffic library construction module 801 is configured to construct an attack traffic library. In practical application, the attack traffic library construction module 801 may specifically include: the original attack traffic packet import sub-module 8011, the original attack traffic packet parsing sub-module 8012 and the attack traffic library management sub-module 8013.
Optionally, the original attack traffic packet import sub-module 8011 is configured to import an original attack traffic packet and obtain basic information of the original attack traffic packet. For example, the original attack traffic packet importing submodule 8011 may store the imported original attack traffic packet in the attack packet path. Optionally, the format of the original attack traffic packet is a PCAP format.
In one embodiment, the original attack traffic packet import sub-module 8011 may further be configured to collect real attack traffic to obtain an original attack traffic packet, where the real attack traffic refers to an attack behavior initiated by an attacker through the internet, and one attack behavior corresponds to one attack traffic.
In an embodiment, the original attack traffic packet importing sub-module 8011 may support both single file importing, that is, only one PCAP file is imported, and continuous importing of multiple PCAP files in sequence, and obtain a file name according to the PCAP file header information after the PCAP file importing is successful, and each original attack traffic packet may be stored in an attack packet path according to a PCAP file format.
In one embodiment, the original attack traffic packet import sub-module 8011 also supports importing multiple original attack traffic packets at a time. Specifically, a plurality of original traffic packets are consolidated and compressed into a compressed file, for example, a zip file type, and the compressed file is directly imported in the zip file type when the original attack traffic packets are imported. It can be understood that, after the original attack traffic packet import sub-module 8011 imports in the zip file type, it will automatically decompress the file, identify the PCAP file header information of each original attack traffic packet, and store it in the attack packet path.
Optionally, the original attack traffic packet parsing sub-module 8012 is configured to parse an original attack traffic packet, store content information of the original attack traffic packet in a database, support displaying on a page of a testing device, and support modifying any field in a message of the original attack traffic packet, where the field includes, but is not limited to, message length, message load, and other information. It should be understood that the modified attack traffic packet to be tested is imported or parsed into a data packet for testing purposes.
In one embodiment, the extension modification of the original attack traffic packet may be performed by constructing a mutator. Constructing the hop selector comprises determining a hop start position, a hop domain type, a hop mode, and a hop variable value or a hop variable range. The hopping domain type and the hopping mode can be freely combined, and multiple hopping domains can be set for the same message.
Furthermore, the constructed jump device is used for changing the message content according to the appointed jump starting position, jump domain type, jump mode, jump variable value and range when replaying the attack traffic.
Optionally, the attack traffic library management sub-module 8013 is configured to manage an attack traffic package to be tested. It is to be understood that the attack traffic library includes one or more attack traffic packets to be tested. Therefore, the attack traffic library management sub-module 8013 may perform query and deletion operations on the attack traffic packets to be tested, and may disable one or even a plurality of attack traffic packets to be tested.
In practical application, the test device based on the attack traffic may further include a default attack library management updating module, which is mainly used for collecting the original attack traffic packet of the latest threat intelligence and adding the original attack traffic packet into the default attack library to update the default attack library.
In the embodiment of the present application, the module 802 for constructing an attack traffic playback use case is used for constructing an attack traffic playback test program, and mainly includes the following steps:
step a, designing a test scheme aiming at the equipment to be tested.
The device to be tested can be a network security firewall, an intrusion prevention system and the like. The test scheme comprises the deployment of a test network, the selection of an attack flow library conforming to the equipment to be tested and the like. Optionally, the deployment of the test network must ensure that the attack test traffic can reach the device under test or can be forwarded through the device under test.
Step b, a test case is newly built, and the network is set according to the network deployment in the test scheme.
Optionally, the setting of the network may include selecting a test port, configuring subnet information of the client and the server, and configuring a traffic ingress and egress network and a forwarding and defense policy of the device under test.
And c, selecting a flow attack library conforming to the equipment to be tested, and updating the attack flow packets to be tested by correcting the source/destination IP address and the source/destination MAC address information in the network deployment according to the network deployment in the test scheme of the step a aiming at all the attack flow packets to be tested in the flow attack library.
And d, configuring the replay test parameters. The replay test parameters include whether to record a packet loss log, the number of times of traffic replay, and the like. It should be understood that the number of times of traffic replay is the number of times of loop replay for each attack traffic packet to be tested in the traffic attack library. Whether to record the packet loss log is used for recording the details of the PCAP replay if a certain message is lost or overtime in the replay process.
And e, saving the starting test and generating an executable json file. And (d) after the starting operation is executed, initializing by using a DPDK (digital pre-distortion keying), generating an executable json file according to the configuration from the step b to the step d, and completing the construction of an attack flow playback test program.
In one embodiment, the build attack traffic playback case module 802 supports setting a speed limit, and can send packets according to a specified rate when performing playback test. The speed limit supports the bandwidth speed limit of a link layer and the message speed limit of a network layer. The limitation of the bandwidth speed limit of the link layer is the throughput rate of the sending flow; the network layer message rate limit is limited by the number of messages sent per second. It should be understood that, under the condition that the speed limit is not set, when the attack traffic is played back based on the DPDK program, the packet is sent according to the message interval in the original attack traffic packet.
In the embodiment of the present application, the DPDK-based attack traffic playback module 803 is configured to send, through a network card, a test data packet in an attack traffic packet to be tested to a device to be tested according to a packet sending interval or a set rate in an original attack traffic packet through a DPDK program, and receive a data packet forwarded or fed back by the device to be tested. Specifically, the DPDK-based attack traffic playback module 803 is executed according to the attack traffic playback test program constructed by the constructed attack traffic playback use case module 802.
In an embodiment, the DPDK-based attack traffic playback module 803 may further generate a test data packet according to the information of the attack traffic packet to be tested in the attack traffic library, based on a DPDK program. Specifically, the direction and data sequence of each data packet in the attack traffic packet to be detected are determined by using a DPDK program. The method comprises the steps of determining the direction of each data packet in an attack flow packet to be tested, wherein the direction of each data packet in the attack flow packet to be tested is mainly used for dividing which data packets are clients and which data packets belong to a server, and then when attack flow playback is executed, selecting to send an attack test data packet from a client test port or a server test port according to the divided data packet direction. And determining the data sequence in the attack traffic packet to be detected, namely dividing the messages belonging to the client and the server according to the timestamp information in the attack traffic packet to be detected.
In an embodiment, when the attack traffic is played back based on the DPDK program, the content of the message may be changed within a specified value and range of a jump variable according to a jump start position, a jump domain type, and a jump mode specified in a constructed jump device, so as to obtain a new attack traffic packet to be tested.
Optionally, the data statistics module 804 is configured to perform statistics on sending and receiving of the packet based on the test port in the execution process of the attack traffic playback test, where the statistical information includes: the number of messages sent and received, the sending rate and receiving rate statistics, the number of loop replay times, the number of replay pcaps and the like, and the statistical information is stored in a database and can be viewed in reports.
According to the technical scheme of the embodiment of the application, a DPDK program and a replay test principle are combined, an attack flow case is constructed by collecting an original attack flow packet and introducing and analyzing the original attack flow packet, and processes such as attack flow replay and the like are realized on the basis of the DPDK program, so that a scheme based on the DPDK replay attack flow can bypass a Linux kernel state to directly transmit and receive messages from a user state when data is transmitted and received, and the linear speed packet transmission rate can be realized to the maximum extent; the default attack library updated in real time provides comprehensive and latest vulnerability threat attack flow for security test evaluation, contains abundant and various attack test types, and can meet the requirements of verification of the IDS/IPS security coverage range of the network security device, evaluation of malicious software prevention capability and the like.
Fig. 9 is a schematic structural diagram of a test device based on attack traffic according to an embodiment of the present application. As shown in fig. 9, the test device based on attack traffic may include a processor 901, a memory 902, a communication interface 903, and a system bus 904, where the memory 902 and the communication interface 903 are connected to the processor 901 through the system bus 904 and complete communication therebetween, the memory 902 is used to store a computer program that can run on the processor 901, the communication interface 903 is used to communicate with other devices, and the processor 901 implements the technical solution as described in the above method embodiment when executing the computer program.
Optionally, in practical application, the communication interface 903 may be understood as a network interface of the device, when the test device performs a playback test, the DPDK program sends at least one test data packet to the device to be tested through the network interface of the network card, and the device to be tested forwards or feeds back the data packet after identifying and analyzing each test data packet.
The DPDK program can also directly read the received forwarded or fed-back data packet from the network card through the DMA, so that the processing condition of the device to be tested on the replay message is judged according to the packet sending information and the receiving information of the testing device, and the performance of the device to be tested is determined.
Further, in an embodiment of the present application, the test device based on attack traffic may further include: the system comprises an operating system, a database, a DPDK and a computer program, wherein the computer program comprises but is not limited to a DPDK program, the DPDK program runs based on the operating system, and a processor is a final unit for information processing and program running.
It is understood that the test device based on attack traffic shown in fig. 9 is only a schematic structural diagram of the technical solution of the present application, and specific components may include more or less components than those shown in the figure, or some components may be combined, which is not described herein.
Optionally, an embodiment of the present application further provides a computer-readable storage medium, where a computer executing instruction is stored in the computer-readable storage medium, and when the computer executing instruction runs on a computer, the computer is enabled to execute the technical solution described in the foregoing method embodiment.
Optionally, an embodiment of the present application further provides a chip for executing the instruction, where the chip is configured to execute the technical solution described in the foregoing method embodiment.
Optionally, an embodiment of the present application further provides a computer program product, including: a computer program, stored on a readable storage medium, from which the computer program can be read by at least one processor of the testing device, the execution of the computer program by the at least one processor causing the testing device to carry out the solution provided by any of the embodiments described above.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.
Claims (10)
1. A test method based on attack traffic is characterized in that the method is applied to test equipment loaded with a DPDK program of a data plane development suite, and the method comprises the following steps:
acquiring an original attack flow packet, wherein the attack flow of the original attack flow packet is generated by an attacker initiating an attack action through the Internet;
modifying the original attack traffic packet based on a constructed hop transformer to generate at least one attack traffic packet to be tested, wherein the constructed hop transformer comprises: determining a jump starting position, a jump domain type, a jump mode and a jump variable value or a jump variable range;
sending at least one test data packet corresponding to each attack flow packet to be tested to equipment to be tested, and receiving at least one feedback data packet returned by the equipment to be tested, wherein each feedback data packet is a test data packet forwarded or processed by the equipment to be tested;
and determining the test result of the equipment to be tested according to the sending information of the at least one test data packet and the receiving information of the at least one feedback data packet.
2. The method according to claim 1, wherein the modifying the original attack traffic packet by constructing a mutator to generate at least one attack traffic packet to be tested comprises:
analyzing the original attack traffic packet, and determining a plurality of message fields of the original attack traffic packet;
modifying target message fields in the plurality of message fields according to the jump starting position, the jump domain type, the jump mode and the jump variable value or the jump variable range specified by the constructed jump transformer to obtain at least one attack flow packet to be tested;
the jump starting position is used for indicating the starting subscript position of a jump domain in a message; the jump domain type is used for specifying a variable type of a jump domain; the hopping pattern specifies a transformation pattern of a hopping domain variable.
3. The method according to claim 1, wherein before the sending the at least one test data packet corresponding to each attack traffic packet to be tested to the device to be tested, the method further comprises:
and updating the attack traffic library according to the at least one attack traffic packet to be detected.
4. The method according to claim 3, wherein before said updating the attack traffic library according to the at least one attack traffic packet to be tested, the method further comprises:
constructing an attack traffic library according to an attack traffic packet in a known attack library;
or
And generating the attack traffic library according to the known attack library and the self-defined original attack traffic packet.
5. The method according to any one of claims 1 to 4, wherein before the sending the at least one test data packet corresponding to each attack traffic packet to be tested to the device to be tested, the method further comprises:
for each attack flow packet to be detected, determining the data direction and the data sequence of each data packet according to the port type and the timestamp information of each data packet in the attack flow packet to be detected;
and dividing the attack traffic packets to be tested according to the data direction and the data sequence of each data packet to obtain at least one test data packet corresponding to the attack traffic packets to be tested.
6. The method according to any one of claims 1 to 4, wherein the determining the test result of the device under test according to the transmission information of the at least one test data packet and the reception information of the at least one feedback data packet comprises:
when the receiving information of each feedback data packet is the same as the sending information of the corresponding test data packet, determining that a vulnerability exists when the equipment to be tested processes the attack behavior corresponding to the test data packet;
and when the receiving information of each feedback data packet is different from the sending information of the corresponding test data packet, determining that the equipment to be tested has the capability of processing the attack behavior corresponding to the test data packet.
7. The method according to any one of claims 1 to 4, wherein the sending at least one test data packet corresponding to each attack traffic packet to be tested to the device to be tested comprises:
sequentially sending each test data packet corresponding to each attack traffic packet to be tested to equipment to be tested according to the packet sending interval and the packet sending sequence in the original traffic packet;
or
And sequentially sending each test data packet corresponding to each attack flow packet to be tested to the equipment to be tested according to a preset packet sending rate.
8. A test device based on attack traffic is characterized in that the device is applied to test equipment loaded with a DPDK program of a data plane development kit, and the device comprises:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring an original attack traffic packet, and the attack traffic of the original attack traffic packet is generated by an attacker initiating an attack behavior through the Internet;
a processing module, configured to modify the original attack traffic packet based on a constructed hop transformer, and generate at least one attack traffic packet to be detected, where the constructed hop transformer includes: determining a jump starting position, a jump domain type, a jump mode and a jump variable value or a jump variable range;
the receiving and sending module is used for sending at least one test data packet corresponding to each attack flow packet to be tested to the equipment to be tested and receiving at least one feedback data packet returned by the equipment to be tested, wherein each feedback data packet is a test data packet forwarded or processed by the equipment to be tested;
the processing module is further configured to determine a test result of the device under test according to the sending information of the at least one test data packet and the receiving information of the at least one feedback data packet.
9. An attack traffic based test device, comprising: a memory, a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to perform the attack traffic based testing method of any one of claims 1-7.
10. A computer-readable storage medium having computer-executable instructions stored thereon, which when executed by a processor, implement the attack traffic-based testing method of any one of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110329875.6A CN112714138B (en) | 2021-03-29 | 2021-03-29 | Test method, device, equipment and storage medium based on attack flow |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110329875.6A CN112714138B (en) | 2021-03-29 | 2021-03-29 | Test method, device, equipment and storage medium based on attack flow |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112714138A true CN112714138A (en) | 2021-04-27 |
CN112714138B CN112714138B (en) | 2021-06-29 |
Family
ID=75550353
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110329875.6A Active CN112714138B (en) | 2021-03-29 | 2021-03-29 | Test method, device, equipment and storage medium based on attack flow |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112714138B (en) |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113364808A (en) * | 2021-06-30 | 2021-09-07 | 北京天融信网络安全技术有限公司 | Industrial control firewall testing method, device, equipment and storage medium |
CN113438128A (en) * | 2021-06-22 | 2021-09-24 | 北京天融信网络安全技术有限公司 | Test method and device for mimicry industrial control gateway, mimicry industrial control gateway and medium |
CN113515750A (en) * | 2021-07-22 | 2021-10-19 | 苏州知微安全科技有限公司 | Attack detection method and device under high-speed flow |
CN113660230A (en) * | 2021-08-06 | 2021-11-16 | 杭州安恒信息技术股份有限公司 | Cloud security protection test method, system, computer and readable storage medium |
CN113726779A (en) * | 2021-08-31 | 2021-11-30 | 北京天融信网络安全技术有限公司 | Rule false alarm test method and device, electronic equipment and computer storage medium |
CN114095411A (en) * | 2021-11-18 | 2022-02-25 | 北京金山云网络技术有限公司 | Test method, test system, electronic device, and storage medium |
CN114301640A (en) * | 2021-12-15 | 2022-04-08 | 中电信数智科技有限公司 | Method and system for attack and defense drilling based on SRv6 network protocol |
CN115022082A (en) * | 2022-07-11 | 2022-09-06 | 平安科技(深圳)有限公司 | Network security detection method, network security detection system, terminal, and medium |
CN115051873A (en) * | 2022-07-27 | 2022-09-13 | 深信服科技股份有限公司 | Network attack result detection method and device and computer readable storage medium |
CN116723055A (en) * | 2023-08-08 | 2023-09-08 | 中国电信股份有限公司 | Vulnerability detection method and device, storage medium and electronic equipment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106656922A (en) * | 2015-10-30 | 2017-05-10 | 阿里巴巴集团控股有限公司 | Flow analysis based protective method and device against network attack |
US20200007388A1 (en) * | 2018-06-29 | 2020-01-02 | Cisco Technology, Inc. | Network traffic optimization using in-situ notification system |
CN111385236A (en) * | 2018-12-27 | 2020-07-07 | 北京卫达信息技术有限公司 | Dynamic defense system based on network spoofing |
CN111654482A (en) * | 2020-05-25 | 2020-09-11 | 泰康保险集团股份有限公司 | Abnormal flow detection method, device, equipment and medium |
CN112398781A (en) * | 2019-08-14 | 2021-02-23 | 大唐移动通信设备有限公司 | Attack testing method, host server and control server |
-
2021
- 2021-03-29 CN CN202110329875.6A patent/CN112714138B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106656922A (en) * | 2015-10-30 | 2017-05-10 | 阿里巴巴集团控股有限公司 | Flow analysis based protective method and device against network attack |
US20200007388A1 (en) * | 2018-06-29 | 2020-01-02 | Cisco Technology, Inc. | Network traffic optimization using in-situ notification system |
CN111385236A (en) * | 2018-12-27 | 2020-07-07 | 北京卫达信息技术有限公司 | Dynamic defense system based on network spoofing |
CN112398781A (en) * | 2019-08-14 | 2021-02-23 | 大唐移动通信设备有限公司 | Attack testing method, host server and control server |
CN111654482A (en) * | 2020-05-25 | 2020-09-11 | 泰康保险集团股份有限公司 | Abnormal flow detection method, device, equipment and medium |
Non-Patent Citations (2)
Title |
---|
TOKI SUGA 等: "Toward Real-time Packet Classification for Preventing Malicious Traffic by Machine Learning", 《2019 22ND CONFERENCE ON INNOVATION IN CLOUDS, INTERNET AND NETWORKS AND WORKSHOPS (ICIN)》 * |
张涛 等: "一种基于软件定义网络的主机指纹抗探测模型", 《信息网络安全(2020年第7期)》 * |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113438128B (en) * | 2021-06-22 | 2022-04-01 | 北京天融信网络安全技术有限公司 | Test method and device for mimicry industrial control gateway, mimicry industrial control gateway and medium |
CN113438128A (en) * | 2021-06-22 | 2021-09-24 | 北京天融信网络安全技术有限公司 | Test method and device for mimicry industrial control gateway, mimicry industrial control gateway and medium |
CN113364808A (en) * | 2021-06-30 | 2021-09-07 | 北京天融信网络安全技术有限公司 | Industrial control firewall testing method, device, equipment and storage medium |
CN113364808B (en) * | 2021-06-30 | 2022-09-16 | 北京天融信网络安全技术有限公司 | Industrial control firewall testing method, device, equipment and storage medium |
CN113515750A (en) * | 2021-07-22 | 2021-10-19 | 苏州知微安全科技有限公司 | Attack detection method and device under high-speed flow |
CN113515750B (en) * | 2021-07-22 | 2022-06-28 | 苏州知微安全科技有限公司 | Attack detection method and device under high-speed flow |
CN113660230B (en) * | 2021-08-06 | 2023-02-28 | 杭州安恒信息技术股份有限公司 | Cloud security protection testing method and system, computer and readable storage medium |
CN113660230A (en) * | 2021-08-06 | 2021-11-16 | 杭州安恒信息技术股份有限公司 | Cloud security protection test method, system, computer and readable storage medium |
CN113726779A (en) * | 2021-08-31 | 2021-11-30 | 北京天融信网络安全技术有限公司 | Rule false alarm test method and device, electronic equipment and computer storage medium |
CN113726779B (en) * | 2021-08-31 | 2023-07-07 | 北京天融信网络安全技术有限公司 | Rule false alarm testing method and device, electronic equipment and computer storage medium |
CN114095411A (en) * | 2021-11-18 | 2022-02-25 | 北京金山云网络技术有限公司 | Test method, test system, electronic device, and storage medium |
CN114301640A (en) * | 2021-12-15 | 2022-04-08 | 中电信数智科技有限公司 | Method and system for attack and defense drilling based on SRv6 network protocol |
CN114301640B (en) * | 2021-12-15 | 2023-09-01 | 中电信数智科技有限公司 | Attack and defense exercise method and system based on SRv6 network protocol |
CN115022082A (en) * | 2022-07-11 | 2022-09-06 | 平安科技(深圳)有限公司 | Network security detection method, network security detection system, terminal, and medium |
CN115022082B (en) * | 2022-07-11 | 2023-06-27 | 平安科技(深圳)有限公司 | Network security detection method, network security detection system, terminal and medium |
CN115051873A (en) * | 2022-07-27 | 2022-09-13 | 深信服科技股份有限公司 | Network attack result detection method and device and computer readable storage medium |
CN115051873B (en) * | 2022-07-27 | 2024-02-23 | 深信服科技股份有限公司 | Network attack result detection method, device and computer readable storage medium |
CN116723055A (en) * | 2023-08-08 | 2023-09-08 | 中国电信股份有限公司 | Vulnerability detection method and device, storage medium and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN112714138B (en) | 2021-06-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112714138B (en) | Test method, device, equipment and storage medium based on attack flow | |
US11463464B2 (en) | Anomaly detection based on changes in an entity relationship graph | |
US10701035B2 (en) | Distributed traffic management system and techniques | |
CN112714047B (en) | Industrial control protocol flow based test method, device, equipment and storage medium | |
US10873594B2 (en) | Test system and method for identifying security vulnerabilities of a device under test | |
US9717011B2 (en) | Event management in telecommunications networks | |
CN113315742B (en) | Attack behavior detection method and device and attack detection equipment | |
KR102462128B1 (en) | Systems and methods for reporting computer security incidents | |
US20180316702A1 (en) | Detecting and mitigating leaked cloud authorization keys | |
CN111464513A (en) | Data detection method, device, server and storage medium | |
CN111740868A (en) | Alarm data processing method and device and storage medium | |
CN107862091A (en) | Realize the control method and device of web page access | |
CN113098852B (en) | Log processing method and device | |
US9942766B1 (en) | Caller validation for end service providers | |
CN108512889B (en) | Application response pushing method based on HTTP and proxy server | |
CN111083173B (en) | Dynamic defense method in network communication based on openflow protocol | |
CN109740328B (en) | Authority identification method and device, computer equipment and storage medium | |
CN112699381A (en) | Socket protocol-based vulnerability detection device and vulnerability detection method | |
CN115378825B (en) | Interactive simulation system and method based on application layer industrial control protocol analysis | |
US20220255958A1 (en) | Systems and methods for dynamic zone protection of networks | |
Feng et al. | A PFCP Protocol Fuzz Testing Framework Integrating Data Mutation Strategies and State Transition Algorithms | |
CN117375860A (en) | Message processing method and electronic equipment | |
CN114915442A (en) | Advanced persistent threat attack detection method and device | |
CN118282902A (en) | Pressure testing method, device, equipment, medium and program product of communication mechanism | |
CN116911674A (en) | Terminal trust evaluation method and device based on equipment portrait |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |